ENCOR 350-401 (350-401) — Questions 1276–1350

2015 questions total · 27 pages · All types, answers revealed

Page 18 of 27
1276
MCQmedium

A network engineer is deploying a new WLAN and needs to ensure that client traffic is encrypted using AES with a pre-shared key. Which security configuration should be applied to the wireless SSID?

A.WPA2-PSK with AES
B.WPA3-PSK with AES
C.WPA2-PSK with TKIP
D.WEP with AES
AnswerA

WPA2-PSK with AES meets the requirements.

Why this answer

WPA2-PSK with AES is the correct choice because the requirement specifies AES encryption with a pre-shared key. WPA2-PSK (Wi-Fi Protected Access 2 – Pre-Shared Key) mandates AES-CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol) as the encryption protocol, providing strong, standards-compliant security for client traffic. This configuration directly satisfies the need for both AES encryption and PSK authentication.

Exam trap

Cisco often tests the distinction between encryption protocols (AES vs. TKIP) and authentication methods (PSK vs. Enterprise), so the trap here is that candidates may confuse WPA3-PSK as the only option for AES, overlooking that WPA2-PSK with AES is a valid and commonly deployed configuration that meets the same requirement.

How to eliminate wrong answers

Option B is wrong in the exam's framing because WPA3-Personal replaces the WPA2 pre-shared-key handshake with Simultaneous Authentication of Equals (SAE): the passphrase is still shared, but the pairwise master key is negotiated with SAE rather than derived directly from the passphrase, so "WPA3-PSK" is not a standard mode name and is not the configuration the question describes. In a real deployment SAE is the better choice, because it resists offline dictionary attacks against a captured handshake and provides forward secrecy; the exam nonetheless wants the WPA2-PSK answer. Option C is wrong because TKIP is the RC4-based Temporal Key Integrity Protocol, not AES, so it violates the AES requirement. Option D is wrong because WEP uses RC4 and is deprecated because of severe, well-known weaknesses; it has no AES mode at all.
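The reason SAE matters in practice is visible in how WPA2-PSK derives its key. The following Python is an added example, not part of this question bank: it implements the standard WPA2-PSK passphrase-to-PMK step (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256-bit output) and then shows the offline guess loop an attacker runs once a handshake has been captured. The SSID, passphrase and wordlist are constructed for the demo.

```python
"""WPA2-PSK key derivation and why the passphrase is the attackable step.

Added example, not part of the question bank. PMK = PBKDF2-HMAC-SHA1(
passphrase, SSID, 4096 iterations, 32 bytes) is what every WPA2-PSK client
and AP compute; anyone holding a captured 4-way handshake can run the same
computation offline against a wordlist. SAE (WPA3-Personal) removes this
by never deriving the session key directly from the passphrase.
"""
import hashlib
import hmac
from typing import Iterable, Optional

PBKDF2_ITERATIONS = 4096   # fixed by the WPA2-PSK specification
PMK_LEN = 32               # 256-bit Pairwise Master Key


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit PMK; the SSID acts as the PBKDF2 salt, which is
    why the same passphrase yields different keys on different networks."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_LEN)


def recover_passphrase(target_pmk: bytes, ssid: str,
                       wordlist: Iterable[str]) -> Optional[str]:
    """Offline guess loop: derive a PMK per candidate and compare.

    A real attack checks each candidate against the MIC in the captured
    handshake instead of against the PMK itself, but the cost model is the
    same: one PBKDF2 run per guess and no further contact with the network.
    """
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:
            continue
        if hmac.compare_digest(derive_pmk(candidate, ssid), target_pmk):
            return candidate
    return None


if __name__ == "__main__":
    ssid = "corp-guest"             # constructed SSID
    real_passphrase = "Summer2024"  # constructed, deliberately guessable
    pmk = derive_pmk(real_passphrase, ssid)
    print("PMK:", pmk.hex())
    # Constructed mini wordlist; the same loop scales to gigabyte lists.
    guesses = ["password", "letmein1", "Summer2023", "Summer2024"]
    print("recovered:", recover_passphrase(pmk, ssid, guesses))
```

The only defence WPA2-PSK offers against this loop is passphrase entropy, since the iteration count is fixed by the standard; that is the practical reason to prefer WPA3-Personal (SAE) or 802.1X/EAP where the hardware allows it.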

1277
MCQhard

A network engineer issues the following command on Router R6:

    R6# debug ip ospf hello
    OSPF: Send hello to 224.0.0.5 via GigabitEthernet0/0 (192.168.1.6)
    OSPF: Rcv hello from 1.1.1.1, GigabitEthernet0/0, area 0.0.0.0
          Neighbor state is 2WAY, options 0x2
    OSPF: End of hello processing

Based on this output, what can be concluded?

A.R6 has formed a full adjacency with neighbor 1.1.1.1.
B.The hello packet was sent to the DR/BDR multicast address 224.0.0.6.
C.R6 and 1.1.1.1 are neighbors, but a full adjacency may not yet be formed.
D.The OSPF network type is point-to-point.
AnswerC

2WAY is a valid neighbor state indicating two-way communication, but full adjacency requires further exchange (e.g., on broadcast networks, only with DR/BDR).

Why this answer

The debug output shows the neighbor state is 2WAY, which indicates that R6 has received a hello from 1.1.1.1 and bidirectional communication is established, but a full adjacency has not yet been formed. In OSPF, the 2WAY state is a prerequisite for advancing to the ExStart state and eventually to FULL, but on multiaccess networks, the router must also wait for the Designated Router (DR) and Backup Designated Router (BDR) election process to complete before proceeding. Therefore, option C correctly states that R6 and 1.1.1.1 are neighbors, but a full adjacency may not yet be formed.

Exam trap

Cisco often tests the distinction between the 2WAY and FULL states, and the trap here is that candidates mistakenly assume that receiving a hello packet means a full adjacency has been formed, ignoring the multi-step OSPF neighbor state machine and the role of DR/BDR elections on broadcast networks.

How to eliminate wrong answers

Option A is wrong because the neighbor state is 2WAY, not FULL; a full adjacency is only achieved after the Database Description (DBD), LSR, LSU and LSAck exchanges of the ExStart, Exchange and Loading states. Option B is wrong because the hello was sent to 224.0.0.5, the AllSPFRouters address used for hellos on broadcast and point-to-point networks; 224.0.0.6 (AllDRouters) is used by DROTHERs to send updates and acknowledgements to the DR and BDR, never for hellos. Option D is wrong because nothing in this output identifies the network type: 224.0.0.5 is used for hellos on both broadcast and point-to-point networks, and every neighbor passes through 2WAY on every network type. On a point-to-point link 2WAY is only transient, because both routers always proceed to ExStart, whereas on a broadcast segment two DROTHERs legitimately stay in 2WAY; a single debug line cannot tell those two cases apart.

1278
Drag & Dropmedium

Drag and drop the steps of the TACACS+ authentication process into the correct order, from first to last.


Why this order

TACACS+ runs over TCP port 49 and obfuscates the whole packet body (the 12-byte header stays in cleartext, and RFC 8907 deliberately calls the MD5-keystream XOR "obfuscation" rather than encryption, so a leaked shared key exposes every recorded session). It separates authentication, authorization and accounting into distinct exchanges. For an ASCII login the order is: the client sends an authentication START; the server replies GETUSER; the client returns the username in a CONTINUE; the server replies GETPASS; the client returns the password in a CONTINUE; the server answers PASS (accept) or FAIL (reject).
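To make the "encrypts the entire packet" claim concrete, the following Python is an added example, not code from the question bank or from any TACACS+ implementation: it builds the client's authentication START packet that opens the exchange above (header layout and START body per RFC 8907) and applies the body obfuscation from RFC 8907 section 4.5, a XOR with a pad of chained MD5 digests over session id, shared key, version and sequence number. The shared key and session id are constructed values.

```python
"""TACACS+ authentication START packet: header, body and body obfuscation.

Added example, not part of the question bank. Header (12 bytes, cleartext):
version, type, seq_no, flags, session_id (4), length (4). Body is XORed with
pseudo_pad = MD5_1 | MD5_2 | ... where MD5_1 = MD5(session_id|key|version|
seq_no) and MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}).
"""
import hashlib
import os
import struct

VERSION = (0xC << 4) | 0x0      # major 0xC, minor 0 (ASCII login)
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01         # set only when no shared key is used

# Authentication START body constants (RFC 8907 section 5.1)
AUTHEN_LOGIN = 0x01
AUTHEN_TYPE_ASCII = 0x01
AUTHEN_SVC_LOGIN = 0x01


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Generate `length` bytes of keystream from chained MD5 digests."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad; the same call reverses it. There is no
    integrity check, so a wrong key yields garbage rather than an error."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: str, port: str, rem_addr: str, priv_lvl: int = 1) -> bytes:
    """START body for an ASCII login. The username may be sent here; if it
    is empty the server replies GETUSER, as in the order described above."""
    u, p, r, data = user.encode(), port.encode(), rem_addr.encode(), b""
    return struct.pack("!BBBBBBBB", AUTHEN_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII,
                       AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(data)) + u + p + r + data


def build_packet(body: bytes, key: bytes, session_id: int, seq_no: int = 1,
                 ptype: int = TYPE_AUTHEN) -> bytes:
    """Prepend the cleartext header and obfuscate the body when a key is set."""
    flags = 0x00 if key else FLAG_UNENCRYPTED
    wire_body = obfuscate(body, session_id, key, VERSION, seq_no) if key else body
    header = struct.pack("!BBBBII", VERSION, ptype, seq_no, flags, session_id, len(body))
    return header + wire_body


def parse_packet(packet: bytes, key: bytes) -> dict:
    """Split header fields and de-obfuscate the body with the given key."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "session_id": session_id, "body": body}


if __name__ == "__main__":
    key = b"constructed-shared-secret"           # constructed value
    sid = int.from_bytes(os.urandom(4), "big")   # client picks a random session id
    body = build_authen_start("alice", "tty0", "10.0.0.5")
    pkt = build_packet(body, key, sid)
    print("round trip ok:", parse_packet(pkt, key)["body"] == body)
    print("wrong key ok: ", parse_packet(pkt, b"wrong-key")["body"] == body)
```

Two properties worth noticing: the header (including the session id that seeds the pad) is readable on the wire, and the pad depends only on static values plus the shared key, so the key is the whole secret; this is why TACACS+ should be carried inside an IPsec or otherwise protected management path rather than trusted on its own.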

1279
MCQeasy

What is the maximum hop count for EIGRP?

A.255
B.100
C.15
D.16
AnswerA

EIGRP can carry routes up to 255 hops away; Cisco IOS defaults the limit to 100, and the 'metric maximum-hops' command raises it (range 1 to 255).

Why this answer

EIGRP carries hop count as an 8-bit value in its route TLVs, so 255 is the protocol's absolute ceiling; a route whose hop count exceeds the configured maximum is treated as unreachable. Cisco IOS ships with 'metric maximum-hops 100' and lets the administrator raise it to 255. Either way the limit is far above RIP's 15, which is why EIGRP scales to large enterprise topologies without hop-count pressure; note that hop count is a sanity limit, not a metric component.

Exam trap

Cisco often tests the EIGRP hop count limit of 255 to catch candidates who confuse it with RIP's 15-hop limit or who assume all distance-vector protocols have the same constraints.

How to eliminate wrong answers

Option B (100) is the Cisco IOS default for 'metric maximum-hops', not the protocol maximum; the question asks for the maximum, which is 255. Option C (15) is the RIP (v1 and v2) limit. Option D (16) is RIP's "infinity", the value that marks a route unreachable; EIGRP signals an unreachable route by advertising the maximum delay, not a hop count of 16.

1280
Matchingmedium

Drag and drop each BGP attribute on the left to its matching type on the right.

Matches

Well-known mandatory

Well-known mandatory

Well-known discretionary

Optional non-transitive

Optional transitive

Why these pairings

AS_PATH and NEXT_HOP (together with ORIGIN) are well-known mandatory, so every UPDATE must carry them; LOCAL_PREF is well-known discretionary (understood by all, present only within an AS); MED is optional non-transitive (dropped by the receiving AS rather than forwarded further); COMMUNITY is optional transitive (passed on even by routers that do not interpret it).

1281
MCQeasy

What is the default lease time for a DHCP pool in Cisco IOS?

A.1 day
B.12 hours
C.2 days
D.Infinite
AnswerA

Correct. The default lease is 1 day.

Why this answer

The default DHCP lease time on Cisco IOS is 1 day (24 hours).

1282
Drag & Dropmedium

Drag and drop the steps of DNA Center site hierarchy creation into the correct order, from first to last.


Why this order

Site hierarchy creation begins with defining the top-level area (e.g., continent), then building down to building, floor, and finally assigning devices to the floor.

1283
Matchingmedium

Drag and drop each DMVPN phase on the left to its matching NHRP operation type on the right.

Matches

Hub-and-spoke with NHRP registration

Spoke-to-spoke dynamic tunnel via NHRP resolution request/reply

NHRP with prefix-based spoke-to-spoke shortcut

NHRP with BGP for routing

NHRP with OSPF for routing

Why these pairings

DMVPN defines three phases. Phase 1 uses NHRP only for spoke registration with the hub, and all traffic goes through the hub. Phase 2 adds spoke-to-spoke tunnels built from NHRP resolution requests and replies, which requires spokes to hold specific routes with the remote spoke as next hop (no summarization at the hub). Phase 3 uses NHRP redirect and shortcut so the hub can advertise summary routes and spokes still build direct tunnels for the resolved prefix. The "NHRP with BGP for routing" and "NHRP with OSPF for routing" items are not phases: any phase can run BGP, OSPF or EIGRP over the tunnel, subject to the constraints that Phase 2 needs next-hop preservation and Phase 3 works best with summarization.

1284
Multi-Selectmedium

Which two statements about EtherChannel load balancing are true? (Choose two.)

Select 2 answers
A.The load-balancing method can be configured globally or per EtherChannel interface.
B.The default load-balancing method on Catalyst 9000 switches is src-dst-ip.
C.When using src-dst-ip load balancing, packets between the same source and destination IP addresses always use the same physical link.
D.EtherChannel load balancing can use Layer 4 port numbers only when the switch is in routed mode.
E.Changing the load-balancing method causes a temporary interruption in traffic forwarding.
AnswersA, C

Correct because the load-balancing method is set globally with 'port-channel load-balance' on Catalyst IOS switches, and some platforms (Nexus NX-OS, for example) also allow it per port-channel; and because the hash of a given source/destination IP pair is deterministic, so that pair always uses the same member link.

Why this answer

EtherChannel load balancing hashes frame header fields (source/destination MAC, IP, or TCP/UDP port, depending on the configured method and platform) to pick one member link. The default method varies by platform. Because the hash is computed per frame from the same fields, every frame of a given flow lands on the same link, which prevents reordering but also means a single large flow never spreads across members. Changing the method simply rehashes subsequent frames; it does not interrupt forwarding.

1285
MCQmedium

A network engineer is configuring port security on a Cisco switch to prevent unauthorized devices from connecting. The requirement is to allow only the first two MAC addresses learned on an interface, and to disable the interface if a violation occurs. Which configuration achieves this?

A.switchport port-security maximum 2 switchport port-security violation err-disable
B.switchport port-security maximum 2 switchport port-security violation shutdown
C.switchport port-security maximum 2 switchport port-security violation protect
D.switchport port-security maximum 2 switchport port-security violation restrict
AnswerB

Correct: sets max to 2 and violation shutdown disables interface.

Why this answer

Option B is correct because the 'shutdown' violation mode places the interface into err-disabled state when a violation occurs, which matches the requirement to disable the interface. 'maximum 2' limits the secured addresses to two, and the first two MAC addresses learned are dynamically secured (add 'switchport port-security mac-address sticky' if they should survive a reload). Any further MAC address triggers a violation and disables the port. Both commands only take effect on a port where 'switchport port-security' itself has been entered (on an access or trunk port, not a dynamic one); without that base command the parameters are stored but not enforced. Recovering a shut port requires 'shutdown' followed by 'no shutdown', or 'errdisable recovery cause psecure-violation'.

Exam trap

Cisco often tests the distinction between 'shutdown' (disables the interface) and 'restrict' (drops traffic but keeps the interface up), leading candidates to confuse the two when the requirement explicitly calls for disabling the interface.

How to eliminate wrong answers

Option A is wrong because 'err-disable' is not a valid violation mode; the correct keyword is 'shutdown' to disable the interface. Option C is wrong because 'protect' drops packets from unknown MAC addresses but does not disable the interface or generate a syslog message, failing the requirement to disable the interface. Option D is wrong because 'restrict' drops packets from unknown MAC addresses and generates a syslog message but does not disable the interface, also failing the requirement.

1286
Drag & Dropmedium

Drag and drop the steps of MPLS FRR (Fast Reroute) backup tunnel activation into the correct order, from first to last.


Why this order

MPLS FRR works in this order: configure the backup tunnel in advance (a pre-signaled bypass or detour TE tunnel), mark the primary LSP as fast-reroutable so the point of local repair binds it to the backup, detect the link or node failure (BFD, loss of signal or interface down), switch traffic at the point of local repair onto the backup tunnel within tens of milliseconds, and then signal a new end-to-end primary LSP and move traffic back once it is up.

1287
Multi-Selectmedium

Which two statements about using Python for network automation with Cisco devices are true? (Choose two.)

Select 2 answers
A.Netmiko is a Python library that simplifies SSH connections to network devices by handling authentication and session establishment.
B.NAPALM can be used to retrieve operational state data from network devices using a vendor-agnostic API.
C.Python scripts for network automation are compiled into native machine code for faster execution.
D.The netmiko library can only be used with Cisco IOS devices.
E.Paramiko is a higher-level library than Netmiko and provides additional automation features.
AnswersA, B

Correct because Netmiko is built on Paramiko and provides a higher-level interface for SSH connections, including automatic handling of device prompts and authentication.

Why this answer

The correct answers highlight key aspects of Python automation: Netmiko simplifies SSH management by handling authentication and connection, and NAPALM provides a vendor-agnostic API for retrieving operational data. The incorrect options misrepresent Python's role: Python does not compile to native machine code (it is interpreted), netmiko is not limited to Cisco (it supports many vendors), and paramiko is lower-level than Netmiko, not the other way around.

1288
MCQeasy

What is the default OSPF hello interval on an Ethernet broadcast network?

A.10 seconds
B.30 seconds
C.40 seconds
D.20 seconds
AnswerA

Correct. The default hello interval for broadcast networks is 10 seconds.

Why this answer

On Ethernet broadcast networks, OSPF uses a default hello interval of 10 seconds.

1289
MCQmedium

A network engineer runs the following command on Router R5:

    R5# show queueing interface GigabitEthernet0/1
    Interface GigabitEthernet0/1 queueing strategy: weighted fair
      Queueing on output: Weighted Fair Queueing
        Current fair queue configuration:
          Number of queues: 256
          Dynamic queues: 256
          Reserved queues: 0
        Current WFQ global configuration:
          Total dynamic queues: 256
          Total reserved queues: 0
        Class based weighted fair queueing: enabled
      Queueing on input: FIFO

Based on this output, what can be concluded?

A.The interface uses FIFO queuing for output.
B.The interface uses Weighted Fair Queueing for output with 256 queues.
C.The interface uses Class-Based Weighted Fair Queueing (CBWFQ).
D.The interface uses Priority Queuing.
AnswerB

The output clearly states 'Weighted Fair Queueing' and 'Number of queues: 256'.

Why this answer

The output shows that the output queueing strategy is Weighted Fair Queueing (WFQ) with 256 dynamic queues and no reserved queues; input queueing is FIFO. WFQ is a flow-based method that allocates bandwidth fairly among flows without any administrator-defined classes. The "Class based weighted fair queueing: enabled" line reports capability, not what is applied here: with CBWFQ in use the interface strategy line would reference a service policy and the reserved queue count would be non-zero.

1290
MCQmedium

A multinational enterprise is deploying Cisco SD-WAN to interconnect 500 branch sites with two data centers. The network architect must ensure that the control plane remains operational even if the vSmart controllers become unreachable. Which design approach should the architect choose to meet this requirement?

A.Deploy redundant vSmart controllers in active/standby mode and configure WAN edge routers to use both for OMP sessions.
B.Enable OMP graceful restart on all WAN edge routers so that routes are preserved for a configurable period after vSmart loss.
C.Configure local policies on WAN edge routers to allow forwarding based on the last known OMP routes and locally originated routes.
D.Use static routes on the WAN edge routers as a backup for all OMP-learned routes.
AnswerB

OMP graceful restart keeps the edge's OMP-learned routes and TLOCs, and therefore its IPsec tunnels and BFD sessions, usable for the graceful-restart timer after the OMP sessions to every vSmart are lost, so sites keep forwarding.

Why this answer

Option B is correct. OMP graceful restart is enabled by default on Cisco SD-WAN edges, with a graceful-restart timer that defaults to 12 hours (43,200 seconds) and can be tuned up to 7 days. When an edge loses its OMP sessions to all vSmart controllers, it continues to use the routes and TLOCs last learned from them for the duration of the timer, and the existing IPsec tunnels and BFD sessions between edges are unaffected, so site-to-site forwarding continues. Strictly, the control plane does not "remain operational" without vSmart; what the design guarantees is that the data plane survives a controller outage long enough to restore reachability.

Exam trap

The trap is reading "control plane remains operational" literally. vSmart redundancy does not cover the case where every controller is unreachable, and no local policy caches OMP routes; the feature that actually preserves forwarding across a controller outage is OMP graceful restart, which is on by default and therefore easy to forget.

How to eliminate wrong answers

Option A is wrong because vSmart controllers are all active (each edge peers with several of them, two by default), not active/standby, and redundancy does not help when the edges cannot reach any of them. Option C is wrong because localized policies on an edge configure QoS, ACLs and route policies for local routing protocols; there is no local-policy setting that caches OMP routes. Retaining the last-known OMP routes is precisely what graceful restart does. Option D is wrong because static backup routes for every OMP-learned prefix do not scale to 500 sites, cannot follow TLOC or path changes, and bypass the centralized policy model that SD-WAN provides.

1291
Matchingmedium

Drag and drop each IGMP version on the left to its matching feature on the right.

Matches

No leave message and no querier election of its own; the multicast routing protocol (for example the PIM designated router) decides which router sends queries

Supports explicit leave message and querier election using lowest IP address

Supports source-specific group membership (include/exclude lists) and SSM

Why these pairings

IGMPv1 has no leave message and no querier election of its own (the multicast routing protocol picks the querier, and a host's departure is only noticed when its membership times out); IGMPv2 adds the explicit Leave Group message, group-specific queries and querier election won by the lowest IP address on the subnet; IGMPv3 adds source filtering with INCLUDE/EXCLUDE lists, which is what Source-Specific Multicast (SSM) requires.

1292
Multi-Selecteasy

Which two statements about OSPF neighbor states are true? (Choose two.)

Select 2 answers
A.The 2-Way state indicates that both routers have seen their own router ID in the neighbor's hello packet.
B.The Full state indicates that the routers have synchronized their LSDBs and are fully adjacent.
C.In the ExStart state, routers exchange Database Description packets containing LSA headers.
D.In the Exchange state, routers send Link State Requests and receive Link State Updates.
E.The Down state is the final state when a neighbor is unreachable.
AnswersA, B

Correct because 2-Way confirms bidirectional communication, which is required before proceeding to database synchronization.

Why this answer

Option A is correct because the 2-Way state indicates that each router has seen its own router ID listed in the other's hello, confirming bidirectional communication. Option B is correct because the Full state means the routers have exchanged all LSAs and their databases are synchronized. Option C is incorrect because in ExStart the routers exchange empty Database Description packets only to elect master and slave and agree on the starting DD sequence number; the DBDs that carry LSA headers are sent in the Exchange state.

Option D is incorrect because the Loading state is where LSRs and LSUs are exchanged, not the Exchange state. Option E is incorrect because the Down state is the initial state before any hello packets are received.
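The two OSPF questions above (the 2WAY debug line in question 1277 and the state list here) come down to one operational check: which neighbors are allowed to rest in 2WAY and which are stuck. The following Python is an added example, not part of the question bank: it parses constructed `show ip ospf neighbor` lines, applies the neighbor state machine (Down, Attempt, Init, 2-Way, ExStart, Exchange, Loading, Full), treats DROTHER-to-DROTHER 2WAY as expected, and attaches the usual root-cause hint to anything else short of FULL. The local router's DR/BDR/DROTHER role per interface (as read from `show ip ospf interface`) is passed in as a dict.

```python
"""Audit OSPF neighbor states from `show ip ospf neighbor` output.

Added example, not from the question bank. Sample output and local roles
below are constructed.
"""
import re
from typing import Dict, List

STATE_ORDER = ["DOWN", "ATTEMPT", "INIT", "2WAY", "EXSTART", "EXCHANGE", "LOADING", "FULL"]

# Usual root causes on Cisco IOS for a neighbor stuck before FULL.
STUCK_HINTS = {
    "INIT": "hellos seen in one direction only: check ACLs, hello/dead timers, area and authentication",
    "2WAY": "2WAY with a DR or BDR on either side: adjacency should have started, check DR/BDR reachability and priorities",
    "EXSTART": "DBD exchange not starting: check MTU mismatch or duplicate router ID",
    "EXCHANGE": "DBD exchange not completing: check MTU mismatch",
    "LOADING": "LSR/LSU not completing: check for corrupted or conflicting LSAs",
}

LINE_RE = re.compile(
    r"^(?P<rid>\d+\.\d+\.\d+\.\d+)\s+(?P<pri>\d+)\s+"
    r"(?P<state>[A-Z0-9]+)/\s*(?P<role>DR|BDR|DROTHER|-)\s+"
    r"(?P<dead>\d\d:\d\d:\d\d)\s+(?P<addr>\S+)\s+(?P<intf>\S+)\s*$")


def parse_neighbors(text: str) -> List[Dict[str, str]]:
    """Return one dict per neighbor row; header and blank lines are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(l.strip()) for l in text.splitlines()) if m]


def classify(neigh: Dict[str, str], local_role: Dict[str, str]) -> str:
    """'full', 'expected-2way', 'stuck:<hint>' or 'unknown:<state>' for one neighbor."""
    state = neigh["state"].upper()
    if state not in STATE_ORDER:
        return f"unknown:{state}"
    if state == "FULL":
        return "full"
    my_role = local_role.get(neigh["intf"], "DROTHER")
    if state == "2WAY" and neigh["role"] == "DROTHER" and my_role == "DROTHER":
        # Two DROTHERs on a broadcast segment never form a full adjacency.
        return "expected-2way"
    return "stuck:" + STUCK_HINTS.get(state, "adjacency should have progressed past this state")


def audit(text: str, local_role: Dict[str, str]) -> Dict[str, str]:
    """Map neighbor router ID to its verdict."""
    return {n["rid"]: classify(n, local_role) for n in parse_neighbors(text)}


# Constructed sample: one healthy DR, one DROTHER peer, one stuck BDR, one
# point-to-point neighbor that only sees one-way hellos.
SAMPLE = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/DR         00:00:35    192.168.1.1     GigabitEthernet0/0
2.2.2.2           1   2WAY/DROTHER    00:00:33    192.168.1.2     GigabitEthernet0/0
3.3.3.3           1   EXSTART/BDR     00:00:38    192.168.1.3     GigabitEthernet0/0
4.4.4.4           0   INIT/  -        00:00:39    10.0.0.2        Serial0/0
"""
LOCAL_ROLE = {"GigabitEthernet0/0": "DROTHER", "Serial0/0": "-"}   # constructed

if __name__ == "__main__":
    for rid, verdict in audit(SAMPLE, LOCAL_ROLE).items():
        print(f"{rid:<10} {verdict}")
```

Run it against the same output with the local router as DR on GigabitEthernet0/0 and the 2WAY neighbor flips from expected to stuck, which is the distinction the debug line in question 1277 cannot make on its own.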

1293
Matchingmedium

Drag and drop each ERSPAN version on the left to its correct header format on the right.

Matches

GRE header carrying a sequence number, followed by an 8-byte ERSPAN header that contains the session ID (Type II).

GRE header without a sequence number, followed by a 12-byte ERSPAN header that contains the session ID and a timestamp (Type III).

10-bit field identifying the ERSPAN session.

32-bit field providing the packet arrival time (Type III only).

32-bit GRE sequence number used for packet ordering and loss detection (Type II).

Why these pairings

ERSPAN Type II (the format most platforms call version 1) places an 8-byte ERSPAN header after a GRE header that carries a sequence number; the ERSPAN header holds the version, original VLAN, CoS, a 10-bit session ID and an index field. ERSPAN Type III (version 2) uses a 12-byte ERSPAN header that adds a 32-bit timestamp plus SGT, hardware-ID and timestamp-granularity fields, optionally followed by an 8-byte platform-specific subheader; its GRE header carries no sequence number, so ordering and deduplication rely on the timestamp.

1294
MCQmedium

A network engineer runs the following command on Router R4:

    R4# show ip dhcp binding
    Bindings from all pools not associated with VRF:
    IP address          Client-ID/              Lease expiration        Type
                        Hardware address/
                        User name
    10.0.0.10           0063.6973.636f.2d30.    Mar 01 2025 12:00 PM    Automatic
                        3030.302e.3030.3030.
                        2e30.3030.312d.4574.
                        30
    10.0.0.11           0063.6973.636f.2d30.    Mar 01 2025 12:05 PM    Automatic
                        3030.302e.3030.3030.
                        2e30.3030.312d.4574.
                        31

Based on this output, what can be concluded?

A.Both clients have static DHCP reservations.
B.The DHCP server has two active leases.
C.The DHCP server is out of addresses.
D.The clients are using DHCPv6.
AnswerB

Two bindings are listed, both with future lease expiration times.

Why this answer

The output shows two bindings of type Automatic, meaning the addresses were handed out dynamically from a pool (a reservation would show as Manual, with an Infinite lease). The Client-ID column is the DHCP option 61 value in dotted hex, wrapped across lines by the CLI; both entries start with 0x00 followed by ASCII text, the form Cisco IOS clients use ("cisco-<mac>-<interface>"). Both leases are listed with expiration timestamps, so both are active.
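Reading that Client-ID column by hand is error-prone, so the following Python is an added example, not part of the question bank: it re-joins the wrapped rows of a constructed `show ip dhcp binding` table (matching the output above, plus one Manual binding), decodes each client identifier (type 0x00 followed by an ASCII string as Cisco IOS clients send it, or type 0x01 followed by a 6-byte Ethernet MAC), and counts the dynamic leases still active at a given time.

```python
"""Parse `show ip dhcp binding` and decode DHCP option 61 client identifiers.

Added example, not from the question bank. Sample table is constructed.
"""
import re
from datetime import datetime
from typing import Dict, List, Tuple

ROW_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<cid>[0-9a-fA-F.]+)\s+"
    r"(?P<expires>[A-Za-z]{3} \d{2} \d{4} \d{2}:\d{2} [AP]M|Infinite)\s+"
    r"(?P<type>Automatic|Manual|Static)\s*$")
HEX_FRAGMENT_RE = re.compile(r"[0-9a-fA-F.]+")


def decode_client_id(hex_id: str) -> Tuple[str, str]:
    """Return (kind, value) for a dotted-hex option 61 value."""
    raw = bytes.fromhex(hex_id.replace(".", ""))
    if not raw:
        return ("empty", "")
    if raw[0] == 0x01 and len(raw) == 7:          # hardware type 1 = Ethernet + MAC
        return ("ethernet-mac", ":".join(f"{b:02x}" for b in raw[1:]))
    if raw[0] == 0x00:                            # type 0 = opaque string (Cisco IOS)
        return ("string", raw[1:].decode("ascii", errors="replace"))
    return ("unknown", raw.hex())


def parse_bindings(text: str) -> List[Dict[str, str]]:
    """One dict per lease; hex-only continuation lines are glued onto the
    Client-ID of the row that started them."""
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        s = line.strip()
        m = ROW_RE.match(s)
        if m:
            rows.append(m.groupdict())
        elif rows and HEX_FRAGMENT_RE.fullmatch(s):
            rows[-1]["cid"] += s
    return rows


def active_leases(rows: List[Dict[str, str]], now_iso: str) -> List[str]:
    """IPs of Automatic leases whose expiry is still in the future at now_iso."""
    now = datetime.fromisoformat(now_iso)
    out = []
    for r in rows:
        if r["type"].lower() != "automatic" or r["expires"] == "Infinite":
            continue
        if datetime.strptime(r["expires"], "%b %d %Y %I:%M %p") > now:
            out.append(r["ip"])
    return out


# Constructed sample in the exact wrapped layout IOS prints.
SAMPLE = """\
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
10.0.0.10           0063.6973.636f.2d30.    Mar 01 2025 12:00 PM    Automatic
                    3030.302e.3030.3030.
                    2e30.3030.312d.4574.
                    30
10.0.0.11           0063.6973.636f.2d30.    Mar 01 2025 12:05 PM    Automatic
                    3030.302e.3030.3030.
                    2e30.3030.312d.4574.
                    31
10.0.0.50           0100.1122.3344.55       Infinite                Manual
"""

if __name__ == "__main__":
    rows = parse_bindings(SAMPLE)
    for r in rows:
        print(r["ip"], r["type"], decode_client_id(r["cid"]))
    print("active at 2025-02-28 12:00:", active_leases(rows, "2025-02-28T12:00"))
```

The decoded identifiers ("cisco-0000.0000.0001-Et0" and "-Et1") show the two leases belong to two interfaces of the same IOS device. Keep in mind that the client identifier is entirely client-supplied, so a Manual binding keyed on it is a convenience, not an authentication control; any host can present the same option 61 value.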

1295
Multi-Selectmedium

Which two statements about Cisco TrustSec security group tags (SGTs) are true? (Choose two.)

Select 2 answers
A.Security group tags are 16-bit values used to identify groups of users or devices.
B.Security group tags are equivalent to VLAN IDs and are used for Layer 2 segmentation.
C.Security group tags are assigned to endpoints by the RADIUS server during 802.1X authentication.
D.Security group tags can be propagated between network devices using the SXP protocol.
E.Security group tags are used to encrypt traffic between endpoints in the same group.
AnswersA, D

Correct because SGTs are 16-bit identifiers in Cisco TrustSec.

Why this answer

SGTs are 16-bit values used to classify traffic for policy enforcement; they travel either inline (in the Cisco Meta Data header on TrustSec-capable links, or inside MACsec) or via SXP, which carries IP-to-SGT bindings over TCP to devices that cannot tag inline. Option A is correct because SGTs are indeed 16-bit. Option D is correct because SXP is the standard way to propagate bindings across hardware that lacks inline tagging.

Option B is incorrect because an SGT is not a VLAN ID (VLAN IDs are 12 bits) and SGT enforcement is topology-independent rather than a Layer 2 segmentation construct. Option C describes how dynamic classification actually works in production (ISE returns the SGT in the RADIUS Access-Accept as a cisco-av-pair after 802.1X or MAB authorization), so the statement is true in practice; the question nonetheless treats it as a distractor and keys A and D, which are unambiguously correct, as the intended answers. Option E is incorrect because the SGT is a classification tag consumed by SGACL policy enforcement; it does not encrypt anything (link encryption in TrustSec is a separate feature, MACsec).

1296
Drag & Dropmedium

Drag and drop the steps of YANG push periodic vs on-change subscription into the correct order, from first to last.


Why this order

The correct order starts with defining the subscription (datastore, XPath filter and encoding), then choosing the update trigger, periodic (a fixed interval) or on-change (only when the subscribed data changes), then establishing the telemetry session (dial-in: the collector opens a NETCONF or gNMI session and subscribes; dial-out: the device connects to a configured gRPC receiver), then the device streaming updates, and finally the collector decoding and storing the data.

1297
MCQmedium

A network engineer runs the following command on Router R1:

    R1# show bgp ipv4 unicast neighbors 10.0.1.2 received-routes
       Network          Next Hop            Metric LocPrf Weight Path
    *> 192.168.1.0/24   10.0.1.2                 0    100      0 65050 i
    *> 192.168.2.0/24   10.0.1.2                 0    100      0 65050 i
    *> 10.10.10.0/24    10.0.1.2                 0    100      0 65050 65100 i

    Total number of prefixes 3

Based on this output, what can be concluded?

A.All three routes are installed in the routing table of R1.
B.R1 has received 3 prefixes from neighbor 10.0.1.2.
C.R1 is advertising these three routes to neighbor 10.0.1.2.
D.The route 10.10.10.0/24 has a weight of 0, meaning it is not preferred.
AnswerB

The command shows all routes received from the neighbor, and the total is 3 prefixes.

Why this answer

The command `show bgp ipv4 unicast neighbors 10.0.1.2 received-routes` displays every BGP route received from the specified neighbor, regardless of whether it is installed in the routing table. The output shows three prefixes, confirming that R1 has received exactly three routes from neighbor 10.0.1.2. The asterisk (*) and greater-than (>) symbols mean the route is valid and the best path in the BGP table, which does not guarantee installation in the RIB if a route with a lower administrative distance exists. Two practical points: `received-routes` only works when `neighbor 10.0.1.2 soft-reconfiguration inbound` is configured (the router must keep a pre-policy copy), and it shows routes before inbound policy, whereas `show bgp ipv4 unicast neighbors 10.0.1.2 routes` shows what survived the inbound route-map or filter.

Exam trap

Cisco often tests the distinction between `received-routes`, `routes`, and `advertised-routes` in BGP show commands, and the trap here is that candidates assume the asterisk and greater-than symbols guarantee the route is in the routing table, when they only indicate BGP best-path selection within the BGP table.

How to eliminate wrong answers

Option A is wrong because the received-routes output shows prefixes that are valid and best within BGP, but they may not be installed in the routing table if a route with a lower administrative distance (for example an OSPF or static route) is present; the command does not confirm RIB installation. Option C is wrong because the command shows routes received from the neighbor, not routes advertised to it; advertised routes are shown by `show bgp ipv4 unicast neighbors 10.0.1.2 advertised-routes`. Option D is wrong because weight is a Cisco-proprietary, router-local value that defaults to 0 for every route learned from a neighbor (32768 for locally originated routes); it is the first tie-breaker in Cisco's best-path selection, but 0 simply means no weight was configured, and the route is still the best path unless another path has a higher weight. Weight is unrelated to LOCAL_PREF, which is the separate LocPrf column.

1298
Matchingmedium

Drag and drop each IPsec mode on the left to its matching header usage on the right.

Matches

New IP header + ESP header + original IP packet + ESP trailer

Original IP header + ESP header + payload + ESP trailer

New IP header + AH header + original IP packet

Original IP header + AH header + payload

UDP encapsulation of ESP packet

Why these pairings

Tunnel mode protects the whole original packet (header included) and prepends a new IP header; transport mode protects only the payload and reuses the original header. ESP tunnel mode places the ESP header between the new and original IP headers and ends with an ESP trailer (and ICV); ESP transport mode places the ESP header directly after the original IP header. AH transport authenticates the payload and the immutable fields of the original header; AH tunnel authenticates the entire new packet. "UDP encapsulation of ESP packet" is NAT Traversal (NAT-T): the ESP packet is wrapped in UDP port 4500 so that NAT devices, which cannot rewrite IP protocol 50, can pass it.

1299
MCQmedium

An architect is designing an SD-Access fabric for a campus that requires high availability. The design must ensure that if one fabric edge node fails, endpoints can be re-homed to another edge node without manual intervention. Which feature should be implemented?

A.Anycast Layer 2 gateway
B.HSRP
C.VRRP
D.GLBP
AnswerA

The SD-Access anycast gateway gives every fabric edge node the same default-gateway IP and MAC for a subnet, so no single node has to fail over.

Why this answer

Option A names the SD-Access anycast gateway (Cisco documentation calls it the anycast or distributed Layer 3 gateway; it is configured on the edge nodes' SVIs and is the feature the option's "Anycast Layer 2 gateway" label refers to). Every fabric edge node that hosts the IP pool carries the identical gateway IP and MAC, so an endpoint's ARP cache never changes. If the edge node an endpoint was attached to fails, the endpoint, once re-attached to another edge node, keeps using the same gateway address; the new edge node registers the endpoint with the control-plane node (LISP map-server) and forwarding resumes without any FHRP election or manual change.

Exam trap

Cisco tests the misconception that a traditional FHRP is what provides gateway redundancy in SD-Access. HSRP, VRRP and GLBP all rely on a hello-based election among a small set of routers, so they add failover delay and an active/standby (or per-group active/active) model; the fabric instead puts the same gateway on every edge node so there is nothing to elect.

How to eliminate wrong answers

Option B (HSRP) is wrong because HSRP keeps one active and one standby router per group; on failure the standby must notice missed hellos (hold time 10 seconds by default) before it assumes the virtual MAC, and only members of that group can ever own the gateway, which is not the any-edge-node re-homing the fabric needs. Option C (VRRP) is wrong for the same reason; it is the open-standard equivalent with the same master/backup model and timers. Option D (GLBP) is wrong because, although it load-balances across several forwarders with distinct virtual MACs, it still depends on an elected AVG and periodic hellos and is not used on SD-Access fabric edge nodes; the anycast gateway provides the same address on every edge node with no election at all.

1300
Drag & Dropmedium

Drag and drop the steps of using a Python REST API call to retrieve device configuration via Cisco DNA Center into the correct order, from first to last.


Why this order

The process begins with authenticating to the DNA Center API to obtain a token. Then, the device UUID is retrieved using a GET request to the device list endpoint. Next, a GET request is sent to fetch the running configuration for that device.

The JSON response is parsed to extract the configuration text. Finally, the configuration is saved to a local file.
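The five steps above, carried through in Python as an added example (not code from the question bank or from Cisco). It uses only the standard library; the DNA Center endpoints are the documented ones (`/dna/system/api/v1/auth/token`, `/dna/intent/api/v1/network-device`, `/dna/intent/api/v1/network-device/<id>/config`), while the controller URL, credentials, device UUID and configuration text are constructed. The HTTP layer is an injectable callable so the whole flow can be run offline against the fake controller at the bottom.

```python
"""Retrieve a device's running configuration from Cisco DNA Center.

Added example, not part of the question bank. Steps:
  1. POST /dna/system/api/v1/auth/token with HTTP Basic auth -> Token
  2. GET  /dna/intent/api/v1/network-device?hostname=<name> -> device id
  3. GET  /dna/intent/api/v1/network-device/<id>/config -> running config
  4. parse the JSON envelope ("response" key)
  5. write the text to a file
"""
import base64
import json
import os
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], bytes]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes] = None) -> bytes:
    """Real HTTP(S) transport. TLS verification stays on: a controller that
    can push configuration to every switch is not a place to accept any cert."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def get_token(base_url: str, user: str, password: str,
              transport: Transport = urllib_transport) -> str:
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    raw = transport("POST", f"{base_url}/dna/system/api/v1/auth/token",
                    {"Authorization": f"Basic {creds}", "Content-Type": "application/json"}, None)
    return json.loads(raw)["Token"]


def find_device_id(base_url: str, token: str, hostname: str,
                   transport: Transport = urllib_transport) -> str:
    query = urllib.parse.urlencode({"hostname": hostname})
    raw = transport("GET", f"{base_url}/dna/intent/api/v1/network-device?{query}",
                    {"X-Auth-Token": token}, None)
    devices = json.loads(raw)["response"]
    if len(devices) != 1:        # refuse to guess when the hostname is ambiguous
        raise LookupError(f"expected exactly one device for {hostname!r}, got {len(devices)}")
    return devices[0]["id"]


def get_running_config(base_url: str, token: str, device_id: str,
                       transport: Transport = urllib_transport) -> str:
    raw = transport("GET", f"{base_url}/dna/intent/api/v1/network-device/{device_id}/config",
                    {"X-Auth-Token": token}, None)
    return json.loads(raw)["response"]   # the configuration comes back as one string


def retrieve_config(base_url: str, user: str, password: str, hostname: str,
                    path: Optional[str], transport: Transport = urllib_transport) -> str:
    """Run steps 1-5; pass path=None to skip writing the file."""
    token = get_token(base_url, user, password, transport)
    device_id = find_device_id(base_url, token, hostname, transport)
    config = get_running_config(base_url, token, device_id, transport)
    if path:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(config)
    return config


# ---- constructed fake controller so the flow runs offline -------------------
FAKE_ID = "b1c2d3e4-0000-4000-8000-000000000001"     # constructed UUID
FAKE_CONFIG = "hostname SW1\n!\ninterface Vlan1\n ip address 10.1.1.1 255.255.255.0\n"


def fake_transport(method: str, url: str, headers: Dict[str, str],
                   body: Optional[bytes] = None) -> bytes:
    path = urllib.parse.urlparse(url).path
    if method == "POST" and path == "/dna/system/api/v1/auth/token":
        if not headers.get("Authorization", "").startswith("Basic "):
            raise PermissionError("401 Basic auth required")
        return json.dumps({"Token": "fake-jwt"}).encode()
    if headers.get("X-Auth-Token") != "fake-jwt":
        raise PermissionError("401 missing or bad X-Auth-Token")
    if path == "/dna/intent/api/v1/network-device":
        return json.dumps({"response": [{"id": FAKE_ID, "hostname": "SW1"}]}).encode()
    if path == f"/dna/intent/api/v1/network-device/{FAKE_ID}/config":
        return json.dumps({"response": FAKE_CONFIG}).encode()
    raise FileNotFoundError(f"404 {path}")


if __name__ == "__main__":
    # Credentials come from the environment, never from the script itself.
    live = "DNAC_URL" in os.environ
    print(retrieve_config(os.environ.get("DNAC_URL", "https://dnac.example.net"),
                          os.environ.get("DNAC_USER", "demo"), os.environ.get("DNAC_PASS", "demo"),
                          "SW1", "SW1.cfg", urllib_transport if live else fake_transport))
```

The saved file contains the device's full running configuration, including any type 7 or unencrypted secrets the platform exposes, so treat the output directory with the same care as the controller credentials.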

1301
Drag & Dropmedium

Drag and drop the steps of 802.11r Fast BSS Transition (FT) roaming steps into the correct order, from first to last.


Why this order

802.11r FT roaming uses a key hierarchy to reduce latency. The client first discovers the target AP via scanning. The client sends an FT Authentication request containing a Mobility Domain Identifier (MDIE) and R0KH-ID.

The target AP responds with an FT Authentication response with key data. The client then sends an FT Association request, and the AP completes the process with an FT Association response.

1302
MCQmedium

A network engineer is configuring OSPF in a multi-area design. The engineer wants to reduce the amount of LSA flooding and the size of the LSDB in area 0. Which OSPF feature should be implemented on the ABR to achieve this goal?

A.Configure area 0 as a stub area.
B.Configure the ABR with an area filter-list to filter type 3 LSAs.
C.Configure OSPF database overflow protection.
D.Configure the ABR as an ASBR.
AnswerB

Correct because area filter-list can be used on an ABR to filter type 3 LSAs between areas, reducing LSDB size in area 0.

Why this answer

Option B is correct because configuring an area filter-list on the ABR allows the engineer to filter Type 3 summary LSAs entering or leaving area 0. This directly reduces LSA flooding and shrinks the LSDB in area 0 by preventing specific inter-area prefixes from being advertised into the backbone, without altering the area type or requiring additional redistribution.

Exam trap

The trap here is that candidates often assume area 0 can be made a stub area to reduce LSAs, but Cisco tests the fact that area 0 is a transit area and cannot be a stub, making the filter-list the correct tool for this specific goal.

How to eliminate wrong answers

Option A is wrong because area 0 cannot be configured as a stub area; OSPF requires area 0 to be a transit area and stub areas cannot have virtual links or ASBRs, making this configuration invalid. Option C is wrong because OSPF database overflow protection limits the total number of LSAs in the LSDB to prevent memory exhaustion, but it does not selectively reduce LSA flooding or the LSDB size in area 0 as requested. Option D is wrong because configuring the ABR as an ASBR would introduce external LSAs (Type 5) into the OSPF domain, increasing the LSDB size and flooding, which is the opposite of the goal.

1303
Drag & Dropmedium

Drag and drop the steps of using Ansible to push a new VLAN configuration to a Cisco IOS switch into the correct order, from first to last.


Why this order

First, define the VLAN ID and name in a variable file (group_vars or host_vars). Then write a playbook task that uses the cisco.ios.ios_vlans module (the older ios_vlan module it replaces is deprecated). Next, specify the connection parameters (ansible_network_os=cisco.ios.ios, ansible_connection=ansible.netcommon.network_cli, ansible_user, and a vaulted password rather than a cleartext one) in the inventory.

After that, run the playbook to apply the configuration. Finally, verify the VLAN on the switch using show vlan.

1304
Multi-Selecthard

Which three statements about QoS trust boundaries and marking are true? (Choose three.)

Select 3 answers
A.By default, Cisco Catalyst switches trust the CoS value received from connected devices.
B.The 'mls qos trust cos' command configures the switch to trust the CoS marking on incoming packets.
C.The trust boundary can be extended to an IP phone using CDP, allowing the phone to mark traffic.
D.Marking at Layer 2 uses DSCP values in the IP header.
E.A switch can re-mark packets by using a policy map with the 'set' command applied to an interface.
AnswersB, C, E

Correct because this command sets the trust state to CoS on a switch port.

Why this answer

The trust boundary is the point at which a device stops trusting incoming QoS markings and re-marks instead; it normally sits at the access-layer switch port, or is extended one hop to a Cisco IP phone with 'mls qos trust device cisco-phone', which uses CDP to verify that a phone is attached before trusting the phone's CoS (the PC port behind the phone is still re-marked).

On the MLS QoS platforms this question targets (Catalyst 2960/3560/3750), once 'mls qos' is enabled every port is untrusted by default and re-marks to CoS 0 and DSCP 0 unless a trust state such as 'mls qos trust cos' or 'mls qos trust dscp' is configured; with 'mls qos' disabled, markings pass through untouched. Catalyst 3850 and 9000 switches use MQC instead of 'mls qos' and trust DSCP and CoS by default, so option A's truth depends on platform. Marking can be done at Layer 2 (CoS in the 802.1Q tag) or Layer 3 (DSCP in the IP header), and a policy map with 'set' applied to an interface re-marks either.

1305
Drag & Dropmedium

Drag and drop the steps of SD-WAN policy creation and push via vManage into the correct order, from first to last.

Why this order

Policy creation starts in the vManage GUI by defining the policy and the lists it references (site, VPN and prefix lists), then attaching the policy to the target site list or VPN list, then activating it. Activation makes vManage push the policy to the vSmart controllers, and finally the vSmart controllers distribute it to the edge devices over OMP.

1306
MCQhard

Refer to the exhibit. A network engineer is troubleshooting a routing issue. The route for 10.0.0.0/8 is learned via EIGRP with metric 2560512. Which change would most likely cause the metric to increase?

A.Increase the bandwidth on GigabitEthernet0/0.
B.Add a redistribute static command under EIGRP.
C.Change the administrative distance to 90.
D.Increase the delay on GigabitEthernet0/0.
AnswerD

Correct.

Why this answer

The classic EIGRP metric is metric = 256 * (K1 * BW + (K2 * BW) / (256 - load) + K3 * DLY) * K5 / (reliability + K4), where the last factor is omitted when K5 = 0. With the default K values (K1 = K3 = 1, K2 = K4 = K5 = 0) this reduces to 256 * (BW + DLY), where BW is 10^7 divided by the lowest bandwidth along the path in kbps and DLY is the cumulative delay along the path in tens of microseconds. Increasing the delay on the outgoing interface (GigabitEthernet0/0) raises DLY directly, so the composite metric rises. Option D is correct because delay is the only option that moves a metric component upward.

Exam trap

Cisco often tests the misconception that increasing bandwidth increases the EIGRP metric, but the trap is that bandwidth is inversely proportional in the formula, so increasing bandwidth actually decreases the metric, while increasing delay directly increases it.

How to eliminate wrong answers

Option A is wrong because bandwidth enters the formula as 10^7 divided by the lowest bandwidth on the path, so raising the bandwidth on GigabitEthernet0/0 can only lower the metric (and only does so if that interface is the bottleneck link); it can never raise it. Option B is wrong because 'redistribute static' only injects static routes into EIGRP; it does not touch the metric of a route already learned from an EIGRP neighbor. Option C is wrong because 90 is already the default administrative distance for EIGRP internal routes, and administrative distance is a preference value used to choose between routing sources, not a component of the EIGRP metric.

1307
Matchingmedium

Drag and drop each infrastructure hardening technique on the left to its matching configuration command on the right.

Matches

interface range GigabitEthernet0/1-24 ; shutdown

banner login ^C Authorized access only ^C

ip ssh version 2

no cdp run

service password-encryption

Why these pairings

Disable unused ports with 'interface range ... shutdown'; set a login banner with 'banner login'; restrict SSH to version 2 with 'ip ssh version 2' (SSH itself also needs an RSA key pair and 'transport input ssh' on the VTY lines); disable CDP globally with 'no cdp run' (or per interface with 'no cdp enable' where phones still need it); and obscure plaintext passwords in the configuration with 'service password-encryption'. Note that the last command only applies reversible type 7 encoding, which protects against shoulder-surfing of 'show run' but not against anyone who obtains the configuration file; use 'enable secret' and 'username ... secret' with type 8 or 9 hashes for real password protection.

1308
Drag & Dropmedium

Drag and drop the steps for the Spanning Tree Protocol (STP) convergence process in the correct order.

Why this order

STP first elects a root bridge (lowest bridge ID, which is priority plus MAC address), then each non-root switch selects its root port (lowest path cost to the root), then one designated port is elected per segment, and every remaining port is blocked to break loops. With 802.1D a port passes through listening and learning before forwarding, which is why legacy convergence takes 30 to 50 seconds.

1309
Drag & Dropmedium

Drag and drop the steps of OpenConfig interface counters subscription and decode into the correct order, from first to last.

Why this order

The process begins by subscribing to the OpenConfig path over gNMI (for example the openconfig-interfaces interface/state/counters container, in sample or on-change mode), then receiving the encoded notifications (protobuf or JSON_IETF), decoding them against the YANG model, extracting the counter leaves (in-octets, out-octets, in-errors, in-discards and so on), and finally analyzing the results, typically by shipping them to a time-series database.

1310
Drag & Dropmedium

Drag and drop the steps of SPAN session on EtherChannel member ports into the correct order, from first to last.

Why this order

A SPAN session is created with 'monitor session <n>', the source is specified with 'source interface' (either the port-channel itself, which mirrors every member, or individual physical members), the destination is set with 'destination interface', and the session becomes active once both are present. Two caveats: a port-channel cannot be a SPAN destination, and the destination port stops passing normal traffic and has its existing configuration overridden while the session exists, so use a dedicated port and treat the mirrored traffic as sensitive data.

1311
Drag & Dropmedium

Drag and drop the steps of IP SLA HTTP operation for application monitoring into the correct order, from first to last.

Why this order

First, the HTTP operation is defined with the target URL ('ip sla <n>', then 'http get <url>'). Then optional parameters such as the HTTP version, frequency, timeout or a source address are set. The operation measures the DNS lookup, TCP connect and HTTP transaction times separately, which is what makes it useful for application monitoring.

Next, the operation is scheduled with 'ip sla schedule <n> life forever start-time now'. Finally, 'show ip sla statistics' confirms the operation is active and returning successful responses.

1312
Matchingmedium

Match each network device to its primary function.

Matches

Forwards packets between different networks

Forwards frames within the same network

Controls traffic based on security policies

Manages access points centrally

Distributes traffic across multiple servers

Why these pairings

A router forwards packets between different networks (Layer 3); a switch forwards frames within the same network (Layer 2); a firewall controls traffic based on security policies; a wireless LAN controller manages access points centrally; a load balancer distributes traffic across multiple servers.

1313
Matchingmedium

Match each Cisco switch security feature to its function.

Matches

Limits MAC addresses on a port

Filters untrusted DHCP messages

Validates ARP packets

Prevents IP spoofing

Limits broadcast/multicast traffic

Why these pairings

Port security limits the number of MAC addresses learned on a port; DHCP snooping filters DHCP server messages arriving on untrusted ports and builds the binding table; Dynamic ARP Inspection validates ARP packets against that table; IP Source Guard uses the same bindings to stop IP (and optionally MAC) spoofing on the port; storm control limits broadcast, multicast and unknown-unicast traffic. The dependency order matters: DHCP snooping must be enabled first, because DAI and IP Source Guard rely on its binding table.

1314
MCQeasy

A network engineer is configuring a Cisco SD-WAN solution for a multinational corporation. The engineer wants to use a centralized data policy to steer all traffic from the Finance department (VPN 10) to a specific WAN link (MPLS) for security reasons. The engineer creates a policy that matches traffic from VPN 10 and sets the preferred color to 'mpls'. After applying the policy, the engineer tests and finds that traffic from VPN 10 is still using the Internet link. The vEdge routers show that the policy is received and active. What is the most likely reason?

A.The vEdge routers have not rebooted after the policy was applied.
B.The policy is not attached to the correct site list or VPN list.
C.The data policy was applied on the vEdge instead of the vSmart.
D.The preferred color is not configured correctly in the policy.
AnswerB

Correct because the policy must be associated with the specific site and VPN to be applied.

Why this answer

The most likely reason is that the centralized data policy was not attached to the correct site list or VPN list. In Cisco SD-WAN, a centralized data policy must be explicitly associated with the sites (via site list) and VPNs (via VPN list) where it should be applied. Even if the policy is received and active on the vEdge routers, without proper attachment to the VPN 10 site list, the policy will not enforce the preferred color 'mpls' for Finance traffic, leaving it to use the default Internet link.

Exam trap

Cisco often tests the distinction between policy definition and policy attachment, where candidates assume that simply creating and applying a policy globally is sufficient, but the policy must be explicitly linked to the correct site list and VPN list to take effect.

How to eliminate wrong answers

Option A is wrong because vEdge routers do not require a reboot for centralized data policies to take effect; policies are applied dynamically via the vSmart controller. Option C is wrong because centralized data policies are designed to be applied on the vSmart controller, not directly on the vEdge; applying on the vEdge would be a local policy, which is a different mechanism. Option D is wrong because the preferred color 'mpls' is a valid configuration in a centralized data policy; the issue is not with the color value but with the policy attachment scope.

1315
MCQhard

An engineer is using the Cisco pyATS framework to test the configuration of a new QoS policy on a router. The engineer writes a testbed file and a test script that logs into the router, applies the configuration, and then verifies the output of 'show policy-map interface'. The test script fails because the verification step cannot find the expected output. The engineer confirms that the configuration was applied successfully. What is the most likely cause of the failure?

A.The pyATS library requires Python 3.8 or later, and the engineer is using an older version.
B.The testbed file has incorrect credentials for the router.
C.The test script does not include a sleep or wait mechanism after applying the configuration.
D.The test script uses the 'genie' library instead of 'pyats' for parsing.
AnswerC

Correct because QoS policies may take a few seconds to be reflected in the output; the script should wait before verifying.

Why this answer

The correct answer is that the script verifies immediately after pushing the configuration, before the policy is attached and its counters appear in 'show policy-map interface'; the verification step should poll the command with a timeout instead of checking once. Option A is incorrect because the script already ran, so the interpreter version is not the problem (pyATS requires a supported Python 3 release, but an unsupported interpreter fails at import, not at a single verification step). Option B is incorrect because the login and configuration steps succeeded, which proves the testbed credentials work.

Option D is incorrect because Genie is the pyATS library that provides the parsers; using it for parsing is the intended design, not an error.
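
The fix the question points at is a poll-with-timeout around the verification. The block below is an added example and not pyATS code: it shows a generic poll_until helper plus a stand-in device whose 'show policy-map interface' output only lists the service-policy after a few polls. The interface name GigabitEthernet0/1, the policy name QOS-WAN-OUT and the FakeDevice class are hypothetical; in a real test the check would call device.execute on the Unicon connection instead.

```python
# Added example, not from the ENCOR page: poll a verification command until it reflects the pushed
# configuration instead of checking once. Device, interface and policy name are hypothetical.
import time


class VerificationTimeout(Exception):
    """Raised when the condition is still false at the deadline."""


def poll_until(check, timeout=30.0, interval=2.0, *, clock=time.monotonic, sleep=time.sleep):
    """Call check() every `interval` seconds until it returns a truthy value or `timeout` elapses.

    Returns (value, attempts). `clock` and `sleep` are injectable so tests run without real waiting.
    """
    deadline = clock() + timeout
    attempts = 0
    while True:
        attempts += 1
        value = check()
        if value:
            return value, attempts
        if clock() + interval > deadline:
            raise VerificationTimeout(f"condition still false after {attempts} attempts in {timeout}s")
        sleep(interval)


class FakeDevice:
    """Stand-in for a pyATS/Unicon device: the service-policy only appears after `ready_after` polls."""

    def __init__(self, ready_after):
        self.ready_after = ready_after
        self.calls = 0

    def execute(self, command):
        self.calls += 1
        if self.calls < self.ready_after:
            return "GigabitEthernet0/1\n"  # policy not yet reflected in the output
        return ("GigabitEthernet0/1\n"
                "  Service-policy output: QOS-WAN-OUT\n"
                "    Class-map: VOICE (match-all)\n")


def policy_is_applied(device, interface, policy_name):
    """Build a check() closure: True once 'show policy-map interface' lists the expected policy."""
    def check():
        output = device.execute(f"show policy-map interface {interface}")
        return f"Service-policy output: {policy_name}" in output
    return check


class FakeClock:
    """Deterministic clock so the example (and its tests) never sleep for real."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def verify_policy(device, interface, policy_name, timeout=30.0, interval=2.0,
                  clock=time.monotonic, sleep=time.sleep):
    """Return how many polls it took for the policy to appear; raise VerificationTimeout otherwise."""
    _, attempts = poll_until(policy_is_applied(device, interface, policy_name),
                             timeout=timeout, interval=interval, clock=clock, sleep=sleep)
    return attempts


if __name__ == "__main__":
    clock = FakeClock()
    dev = FakeDevice(ready_after=3)
    print(verify_policy(dev, "GigabitEthernet0/1", "QOS-WAN-OUT", clock=clock, sleep=clock.sleep))
```

In a real pyATS script, pass the connected testbed device in place of FakeDevice and leave clock and sleep at their defaults; Genie also ships a Timeout helper (genie.utils.timeout) that implements the same iterate-until-deadline pattern.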

1316
Multi-Selecthard

Which three statements about IP SLA UDP jitter operation are true? (Choose three.)

Select 3 answers
A.UDP jitter operation measures one-way delay, jitter, and packet loss between source and destination.
B.The IP SLA responder must be enabled on the destination device for UDP jitter to function correctly.
C.The UDP jitter operation can be configured with a codec type (e.g., G.711) to simulate specific voice traffic patterns.
D.The 'num-packets' command in UDP jitter configuration sets the total number of probes to be sent over the entire operation lifetime.
E.UDP jitter operation can measure TCP window scaling and throughput.
AnswersA, B, C

Correct because the UDP jitter operation calculates these metrics using timestamps in the probe packets.

Why this answer

UDP jitter sends a train of timestamped UDP packets and computes round-trip time, per-direction jitter and per-direction packet loss from the timestamps; one-way delay is also reported, but it is only meaningful when the source and the responder are NTP-synchronized. It requires the IP SLA responder ('ip sla responder') on the destination so that the far end can timestamp and echo the probes, and the codec keywords (g711alaw, g711ulaw, g729a) set packet size and spacing to mimic voice and add MOS and ICPIF scores.

The 'num-packets' command sets the number of packets sent in each probe (default 10), not a lifetime total. The operation does not measure TCP window scaling or throughput; IP SLA has no TCP throughput test.

1317
MCQmedium

A network engineer runs the following command on Router R1:

R1# show ip pim neighbor
PIM Neighbor Table
Neighbor Address  Interface            Uptime  Expires   Mode
10.1.1.2          GigabitEthernet0/0   2w0d    00:01:25  DR
10.1.1.3          GigabitEthernet0/0   2w0d    00:01:20  B

Based on this output, what can be concluded?

A.PIM sparse mode is operating on this interface.
B.PIM Bidir mode is configured on this interface.
C.PIM dense mode is in use on this interface.
D.PIM SSM is enabled on this interface.
AnswerB

The B flag in the Mode column marks the neighbor as bidir-PIM capable, and it is the only item in this table that relates to any of the four PIM modes offered.

Why this answer

The 'show ip pim neighbor' output lists two neighbors on GigabitEthernet0/0. The Mode column carries per-neighbor flags learned from PIM hellos: 'DR' marks the designated router on the segment and 'B' marks a neighbor that advertises bidir-PIM capability. None of the flags distinguishes sparse, dense or SSM operation, because the interface mode is not a per-neighbor attribute and is not shown here; 'show ip pim interface' displays it. A DR is elected in sparse mode as well, so the DR flag by itself says nothing about the mode.

Of the four options, only the bidir-PIM conclusion has direct support in the output, so the intended answer is B. In practice, confirm it with 'show ip pim interface' and 'show ip pim rp mapping' (a bidir RP is flagged as such), because the B flag alone shows capability, not an active bidir group range.

1318
Drag & Dropmedium

Drag and drop the steps of CoPP class-map match criteria and rate-limit application into the correct order, from first to last.

Why this order

CoPP configuration starts with the classification criteria (normally ACLs naming the protocols and peers that are allowed to talk to the control plane), then class-maps that match those ACLs, then a policy-map that applies 'police' with conform, exceed and violate actions to each class, and finally attaching the policy under 'control-plane' with 'service-policy input'. The order matters because each class-map references an existing ACL and the policy-map references existing class-maps. Deploy with the exceed action set to transmit first and read 'show policy-map control-plane' to size the rates before changing it to drop; otherwise you can starve your own routing protocols or lock yourself out of management.

1319
Drag & Dropmedium

Drag and drop the steps of Docker container networking with bridge mode into the correct order, from first to last.

Why this order

The order reflects the default bridge network creation, container attachment, IP assignment, and then communication with the outside world via NAT.

1320
Multi-Selectmedium

Which two statements about SD-WAN control plane components are true? (Choose two.)

Select 2 answers
A.The vSmart controller is responsible for distributing OMP routes and policies to all edge devices in the SD-WAN fabric.
B.The vBond orchestrator is responsible for authenticating and onboarding vEdge and cEdge routers into the SD-WAN overlay.
C.The vManage controller is the primary control plane component that establishes OMP sessions with all edge routers.
D.vEdge and cEdge routers are both control plane devices that participate in OMP route exchange.
E.The OMP protocol runs between vManage and vSmart to exchange routing information and policy updates.
AnswersA, B

Correct because vSmart is the centralized control plane that uses OMP to advertise routes and apply policies.

Why this answer

The vSmart controller is the centralized control plane that distributes OMP routes and policies, while the vBond orchestrator handles authentication and NAT traversal. vManage is the management plane, not a control plane component. vEdge and cEdge are data plane devices. The OMP protocol runs between vSmart and edge devices, not between vManage and vSmart.

1321
Drag & Dropmedium

Drag and drop the steps of IP SLA DNS lookup operation setup into the correct order, from first to last.

Why this order

First, define the IP SLA operation with type dns. Then specify the target DNS server and the domain name to resolve. Optionally set the DNS source interface or timeout.

Next, schedule the operation. Finally, verify the DNS resolution success and response time.

1322
MCQhard

A network engineer runs the following command on Router R1:

R1# show ip eigrp neighbors detail
EIGRP-IPv4 Neighbors for AS(100)
H   Address          Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                 (sec)         (ms)       Cnt Num
0   192.168.1.2      Gi0/0         13 00:12:34   12   100  0  45
   Version 2.0/2.0, Retrans: 0, Retry: 0, Maxseq: 0
   Prefixes: 3
   Topology ids: 0
   Authentication: None
   Topology: base (0x0)

Based on this output, what can be concluded?

A.The neighbor is using EIGRP version 1.
B.The neighbor has advertised 3 prefixes to R1.
C.There is a high number of retransmissions indicating packet loss.
D.The neighbor is using MD5 authentication.
AnswerB

The 'Prefixes: 3' field indicates the number of prefixes learned from this neighbor.

Why this answer

The output shows 'Prefixes: 3' under the neighbor details, which indicates that the neighbor has advertised exactly three prefixes to R1. This is a direct interpretation of the 'show ip eigrp neighbors detail' command, where the 'Prefixes' field lists the number of routes learned from that neighbor.

Exam trap

Cisco often tests the ability to read the 'show ip eigrp neighbors detail' output carefully, where candidates may confuse the 'Prefixes' field with the number of interfaces or ignore the 'Retrans' and 'Authentication' fields, leading them to select incorrect options based on assumptions rather than the explicit data shown.

How to eliminate wrong answers

Option A is wrong because the 'Version 2.0/2.0' field reports the neighbor's software release and EIGRP TLV version; it is not a protocol version selector, and nothing in the output points to a legacy neighbor. Option C is wrong because 'Retrans: 0' and 'Retry: 0' show no retransmissions at all, and 'Q Cnt 0' shows nothing waiting in the transmit queue, so there is no sign of packet loss. Option D is wrong because the output explicitly states 'Authentication: None'. From a hardening standpoint that line is itself a finding: an EIGRP adjacency without MD5 or, in named mode, HMAC-SHA-256 authentication accepts updates from any device on the segment.

1323
MCQmedium

A company is deploying a new data center and needs to choose between a three-tier (core, aggregation, access) and a spine-leaf architecture. The network engineer is concerned about east-west traffic patterns for server virtualization. Which architecture is most suitable and why?

A.Spine-leaf, because it provides equal-cost multipath (ECMP) for all leaf-to-leaf traffic.
B.Three-tier, because it offers more redundancy with multiple aggregation layers.
C.Spine-leaf, because it supports legacy spanning tree protocols.
D.Three-tier, because it is easier to manage with traditional VLANs.
AnswerA

Correct because spine-leaf uses ECMP to forward traffic between any two leaf switches with predictable latency, supporting east-west traffic efficiently.

Why this answer

Spine-leaf architecture is most suitable for east-west traffic patterns because it provides a full mesh of connections between leaf switches and spine switches, enabling equal-cost multipath (ECMP) routing. This allows all leaf-to-leaf traffic to traverse multiple parallel paths with equal cost, maximizing bandwidth utilization and minimizing latency, which is critical for server virtualization traffic that often moves between hypervisors.

Exam trap

Cisco often tests the misconception that three-tier architecture is more redundant or easier to manage, but the key trap here is that candidates may overlook how east-west traffic patterns require non-blocking, low-latency paths that only a spine-leaf design with ECMP can provide.

How to eliminate wrong answers

Option B is wrong because a three-tier design funnels east-west traffic between access switches through the aggregation layer, which becomes a bottleneck and does not offer the same degree of ECMP as spine-leaf; redundancy there comes from paired aggregation switches, not from parallel equal-cost paths. Option C is wrong because a spine-leaf fabric is built as a routed fabric (OSPF, IS-IS or BGP between leaves and spines) precisely so that STP does not block any of the parallel links; running legacy STP across the spines would block the redundant paths that ECMP depends on, so STP support is a drawback, not a reason to choose the design. Option D is wrong because stretching traditional VLANs across a three-tier design requires STP and produces suboptimal east-west paths, whereas spine-leaf carries Layer 2 segments over VXLAN/EVPN overlays on top of the routed underlay.

1324
MCQhard

A network engineer is troubleshooting an STP issue in a network that uses Rapid PVST+. The network has a root bridge (SW1) and a secondary root bridge (SW2). The engineer notices that after a link failure between SW1 and SW2, the network takes longer than expected to converge. The engineer checks the configuration and finds that SW2 has the 'spanning-tree uplinkfast' command enabled. The engineer also notices that SW2 has a lower priority than SW1. What is the most likely cause of the slow convergence?

A.UplinkFast is enabled, which is incompatible with Rapid PVST+ and causes the switch to use legacy STP convergence.
B.SW2 has a lower priority than SW1, so it takes longer to become the root bridge after failure.
C.BPDU Guard is enabled on the uplink ports, which prevents BPDU exchange.
D.Loop Guard is enabled on the uplink ports, which delays port transition.
AnswerA

Correct because UplinkFast is not needed with Rapid PVST+ and can actually degrade performance by forcing the switch to use slower convergence mechanisms.

Why this answer

UplinkFast is a legacy PVST+ optimization; Rapid PVST+ already provides the equivalent behaviour natively through alternate ports and the proposal/agreement handshake, so the command has no place in an RSTP design. The intended reasoning is that leaving it configured ties the switch to 802.1D-style convergence on the affected ports rather than rapid transitions, so after the SW1-SW2 link fails the network falls back to the slower listening and learning states. Two things a practitioner should check before accepting that diagnosis: Cisco documents UplinkFast and BackboneFast as PVST+-only features that remain inactive while the switch runs rapid-PVST+ ('show spanning-tree summary' shows the mode and whether UplinkFast is active), and enabling UplinkFast also raises the bridge priority to 49152 and adds 3000 to port path costs, which by itself can stop SW2 from acting as a credible secondary root.

Exam trap

Cisco often tests the misconception that UplinkFast is a harmless optimization that can be combined with Rapid PVST+, when in fact it forces a fallback to legacy STP behavior, causing slow convergence.

How to eliminate wrong answers

Option B is wrong because the bridge priority decides who wins the root election (lowest bridge ID wins), not how fast ports transition; a secondary root that is less preferred than SW1 is exactly the intended design and does not slow convergence. Option C is wrong because BPDU Guard err-disables a port the moment a BPDU arrives, which is a hard outage on that port rather than slow convergence, and it belongs on access ports, not uplinks. Option D is wrong because Loop Guard only acts when BPDUs stop arriving on a non-designated port, moving it to a loop-inconsistent blocking state; it does not lengthen the normal transition after a link failure.

1325
Drag & Dropmedium

Drag and drop the steps of QoS policing with two-rate three-color marker (RFC 2698) into the correct order, from first to last.

Why this order

RFC 2698 defines two token buckets: one filled at the committed information rate (CIR) up to the committed burst size (CBS), the other filled at the peak information rate (PIR) up to the peak burst size (PBS). For each arriving packet the order is: update both buckets for the elapsed time, test the peak bucket first (a packet larger than the peak tokens is red and nothing is debited), then test the committed bucket (enough peak tokens but not enough committed tokens is yellow, and only the peak bucket is debited), otherwise the packet is green and both buckets are debited. Finally the configured action for that colour is applied; on IOS these are the conform, exceed and violate actions of a two-rate 'police cir ... pir ...' statement. Note the order: testing the committed bucket before the peak bucket is the single-rate (RFC 2697) pattern and does not give two-rate semantics.
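
The block below is an added example, not part of the question bank: a colour-blind two-rate three-colour marker written directly from the RFC 2698 decision order, fed with a constructed burst so the green, yellow and red outcomes and the bucket refill can all be seen. The rates and burst sizes are arbitrary illustration values.

```python
# Added example, not from the ENCOR page: RFC 2698 two-rate three-color marker, color-blind mode.
GREEN, YELLOW, RED = "green", "yellow", "red"


class TwoRateThreeColorMarker:
    """Two token buckets: C fills at CIR up to CBS, P fills at PIR up to PBS (bytes and bytes/second).

    Per RFC 2698 section 3.1 (color-blind), for a packet of B bytes arriving at time t:
      1. refill both buckets for the time elapsed since the last packet
      2. if Tp < B     -> RED    (nothing debited)
      3. elif Tc < B   -> YELLOW (Tp -= B)
      4. else          -> GREEN  (Tp -= B and Tc -= B)
    The peak bucket is tested first; testing the committed bucket first is the single-rate (RFC 2697) pattern.
    """

    def __init__(self, cir, cbs, pir, pbs, now=0.0):
        if pir < cir:
            raise ValueError("RFC 2698 requires PIR >= CIR")
        if cbs <= 0 or pbs <= 0:
            raise ValueError("burst sizes must be positive")
        self.cir, self.cbs, self.pir, self.pbs = float(cir), cbs, float(pir), pbs
        self.tc = float(cbs)   # committed bucket starts full
        self.tp = float(pbs)   # peak bucket starts full
        self.last = now

    def _refill(self, now):
        elapsed = now - self.last
        if elapsed < 0:
            raise ValueError("packet timestamps must not go backwards")
        self.tc = min(self.cbs, self.tc + self.cir * elapsed)
        self.tp = min(self.pbs, self.tp + self.pir * elapsed)
        self.last = now

    def mark(self, size, now):
        """Return the color of a packet of `size` bytes arriving at `now` seconds; debit the buckets."""
        self._refill(now)
        if self.tp < size:
            return RED
        if self.tc < size:
            self.tp -= size
            return YELLOW
        self.tp -= size
        self.tc -= size
        return GREEN


def mark_stream(marker, packets):
    """Color a list of (arrival_time_seconds, size_bytes) tuples, in arrival order."""
    return [marker.mark(size, t) for t, size in packets]


# Constructed sample: CIR 1000 B/s, CBS 1000 B, PIR 2000 B/s, PBS 2000 B. A burst of five 500-byte
# packets at t=0 drains both buckets (green, green, yellow, yellow, red); 250 ms later only the peak
# bucket has enough tokens again (yellow); after a further second both buckets are full (green).
SAMPLE_PACKETS = [(0.0, 500)] * 5 + [(0.25, 500), (1.25, 500)]

if __name__ == "__main__":
    marker = TwoRateThreeColorMarker(cir=1000, cbs=1000, pir=2000, pbs=2000)
    print(mark_stream(marker, SAMPLE_PACKETS))
```

A colour-aware marker differs only in that a packet pre-marked yellow skips the green test and a packet pre-marked red is never promoted; the bucket update and the peak-before-committed order are unchanged.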

1326
MCQmedium

An enterprise is deploying a virtual router (vRouter) as part of its NFV infrastructure. The engineer needs to ensure that the vRouter can handle a sudden spike in traffic without dropping packets. The vRouter is running on a KVM hypervisor. What should the engineer configure to guarantee CPU resources for the vRouter during peak demand?

A.Enable memory ballooning on the vRouter VM.
B.Configure CPU pinning and CPU reservation for the vRouter VM.
C.Enable DPDK on the vRouter's virtual NICs.
D.Set the vRouter VM to use NUMA node pinning.
AnswerB

Correct because CPU pinning dedicates specific cores to the VM and reservation guarantees minimum CPU, preventing contention.

Why this answer

CPU pinning binds the vRouter's virtual CPUs to specific physical cores, preventing other processes from using them, while CPU reservation guarantees a minimum amount of CPU capacity. Together, they ensure deterministic CPU availability during traffic spikes, preventing packet drops due to resource contention on the KVM hypervisor.

Exam trap

Cisco often tests the distinction between resource optimization (DPDK, NUMA) and resource guarantee (pinning, reservation), leading candidates to pick DPDK because it is associated with high performance, even though it does not guarantee CPU availability under contention.

How to eliminate wrong answers

Option A is wrong because memory ballooning adjusts VM memory dynamically, not CPU resources, and can actually degrade performance by reclaiming memory under pressure. Option C is wrong because DPDK accelerates packet processing by bypassing the kernel network stack, but it does not guarantee CPU resources; it requires CPU isolation (like pinning) to work effectively. Option D is wrong because NUMA node pinning optimizes memory locality and latency but does not guarantee CPU capacity; it is a topology-aware placement, not a resource reservation mechanism.

1327
MCQmedium

What is the maximum hop count for EIGRP?

A.15
B.100
C.255
D.Unlimited
AnswerB

EIGRP's default maximum hop count is 100, configurable up to 255.

Why this answer

EIGRP has a default maximum hop count of 100, but it can be configured up to 255.

1328
Multi-Selecthard

Which two statements about IP Source Guard are true? (Choose two.)

Select 2 answers
A.IP Source Guard uses the DHCP snooping binding table to validate the source IP address of packets received on a port.
B.IP Source Guard can be configured with port security to provide additional MAC address filtering.
C.IP Source Guard only works with DHCP-assigned IP addresses, not static IP addresses.
D.IP Source Guard filters traffic based on the destination MAC address.
E.IP Source Guard requires 802.1X authentication to be enabled on the port.
AnswersA, B

Correct because IPSG relies on the DHCP snooping database to determine allowed source IPs.

Why this answer

IP Source Guard (IPSG) is a security feature that filters IP traffic on untrusted Layer 2 ports based on the DHCP snooping binding table or static IP source bindings. It can be configured with or without port security. IPSG is typically applied on access ports facing end devices.

Option C is incorrect because static IP source bindings ('ip source binding <mac> vlan <id> <ip> interface <if>') cover hosts with static addresses. Option D is incorrect because IPSG filters on the source IP address (and, with 'ip verify source port-security', the source MAC address) of ingress traffic, not on the destination MAC. Option E is incorrect because IPSG depends only on DHCP snooping or static bindings and runs independently of 802.1X.

1329
Drag & Dropmedium

Drag and drop the steps of Cisco DNA Center software image update (SWIM) process into the correct order, from first to last.

Why this order

The SWIM process starts with the administrator importing the new image into the Cisco DNA Center image repository and tagging it as the golden image for the device family and site. Next, Cisco DNA Center runs its update readiness pre-checks (image compatibility, free flash space, device reachability) and then distributes the image to the target devices' flash.

Then the image is activated, which reloads the device onto the new image in the chosen window. Finally, post-checks confirm the device came back on the desired version with its interfaces and neighbours intact. Cisco DNA Center also verifies the image checksum it recorded at import, which is the control that stops a tampered or corrupted image from being pushed to the whole estate.

1330
Matchingmedium

Drag and drop each PPDIOO phase on the left to its matching activity on the right.

Matches

Establish organizational requirements and high-level architecture

Assess existing network and identify gaps for new requirements

Create detailed network design and configuration templates

Deploy the design using change management and verification

Maintain network health through monitoring and troubleshooting

Why these pairings

Prepare establishes requirements; Plan identifies network needs; Design creates the detailed design; Implement deploys the design; Operate manages day-to-day; Optimize improves performance.

1331
MCQeasy

A network engineer is automating the deployment of a new VLAN configuration across 100 Cisco IOS-XE switches using Ansible. The engineer writes a playbook that uses the 'ios_config' module. The playbook runs, but the engineer notices that the configuration is applied to only 50 switches before the playbook stops with an error. The error message indicates that one switch is unreachable. The engineer wants to ensure that the playbook continues with the remaining switches even if some are unreachable. What Ansible configuration should the engineer use?

A.Set 'timeout: 60' in the playbook to allow more time for connections.
B.Set 'gather_facts: no' to speed up the playbook and avoid timeouts.
C.Set 'ignore_errors: yes' on the task that configures the VLAN.
D.Set 'serial: 10' to run the playbook on 10 switches at a time.
AnswerC

Correct because this tells Ansible to continue even if the task fails on a host.

Why this answer

The intended answer is to set 'ignore_errors: yes' on the VLAN task (or to raise 'max_fail_percentage' at play level) so that a failure on one host does not end the play for the others. Two caveats a practitioner should know: 'ignore_errors' applies to task failures, whereas a host that cannot be contacted at all is marked unreachable and is covered by the separate 'ignore_unreachable: yes' keyword (Ansible 2.7 and later); and by default Ansible already drops failed or unreachable hosts and continues with the rest, so a play that stops for everyone usually has 'any_errors_fatal: true' set or a 'serial' batch in which every host failed. Option A is incorrect because a longer timeout does not change what happens after the connection fails. Option B is incorrect because 'gather_facts: no' only skips fact collection.

Option D is incorrect because 'serial' controls batch size, not error handling.

1332
Drag & Dropmedium

Drag and drop the steps of micro-segmentation via SGT policy application into the correct order, from first to last.

Why this order

Micro-segmentation starts with classifying endpoints into SGTs, either statically or through ISE based on 802.1X/MAB identity or profiling, then defining the SGT-to-SGT matrix in ISE (SGACLs with permit and deny entries). The SGACLs are downloaded to the fabric edge nodes, the SGT travels with each packet in the VXLAN-GPO header across the fabric, and enforcement happens at the egress (destination) edge node, which looks up the source and destination SGTs and applies the matching SGACL. Finally, monitoring (ISE logs and 'show cts role-based counters' on the edge) confirms that the intended traffic is being dropped and nothing legitimate is.

1333
MCQeasy

A network engineer is configuring BGP on a router that will be used for BGP route summarization. The router receives multiple more-specific prefixes from its eBGP peers. The engineer wants to advertise a summary route to the iBGP peers without advertising the more-specific routes. Which command should the engineer use to suppress the more-specific routes while still installing them in the local routing table?

A.Use the 'aggregate-address' command with the 'summary-only' keyword.
B.Use the 'network' command to advertise the summary route.
C.Use the 'summary-address' command under the BGP address family.
D.Use the 'redistribute' command to inject the summary route into BGP.
AnswerA

Correct because this command creates an aggregate route and suppresses the advertisement of more-specific routes to BGP peers.

Why this answer

The 'aggregate-address' command with the 'summary-only' keyword in BGP creates a summary route from more-specific prefixes and suppresses the advertisement of those more-specific routes to BGP peers, while still keeping them in the local routing table. This meets the requirement of advertising only the summary to iBGP peers without removing the more-specific routes from the router's own RIB.

Exam trap

Cisco often tests the distinction between suppressing routes from advertisement versus removing them from the local table, and candidates mistakenly think 'summary-only' removes the more-specific routes from the router, but it only suppresses their advertisement to BGP peers.

How to eliminate wrong answers

Option B is wrong because the 'network' command advertises a prefix only if it exists exactly in the routing table; it does not suppress more-specific routes or create an aggregate from them. Option C is wrong because 'summary-address' is not a valid BGP command; the correct command for BGP summarization is 'aggregate-address'. Option D is wrong because 'redistribute' injects routes from another protocol into BGP but does not create a summary or suppress more-specific prefixes; it would advertise all redistributed routes, including the more-specific ones.

1334
Matchingmedium

Drag and drop each SNMPv3 security level on the left to its matching protection description on the right.

Matches

No authentication, no encryption

Authentication, no encryption

Authentication and encryption

Authentication using SHA, no encryption

Authentication and AES encryption

Why these pairings

noAuthNoPriv uses no authentication and no encryption (no stronger than an SNMPv1/v2c community string); authNoPriv authenticates each message with an HMAC (MD5 or SHA) but sends the payload in clear; authPriv adds encryption (DES, 3DES or AES). The last two descriptions are specific instances of the same levels: authentication using SHA with no encryption is authNoPriv, and authentication with AES encryption is authPriv. For new deployments use SHA with AES-128 or stronger; MD5 and DES remain only for compatibility with old agents.

1335
MCQmedium

A network engineer issues the following command on Router R8:

R8# show ip ospf neighbor detail
 Neighbor 1.1.1.1, interface address 192.168.1.1
    In the area 0 via interface GigabitEthernet0/0
    Neighbor priority is 1, State is FULL, 6 state changes
    DR is 192.168.1.2, BDR is 192.168.1.1
    Options is 0x42 (L LSR LSRR L LSR)
    Dead timer due in 00:00:34
    Neighbor is up for 00:12:45
    Index 1/1/1, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)
    Last retransmission scan length is 0, last retransmission scan time is 0 msec

Based on this output, what can be concluded?

A.Router 1.1.1.1 is the Designated Router on this segment.
B.Router 1.1.1.1 is the Backup Designated Router.
C.The neighbor state is 2WAY.
D.The dead timer is 40 seconds.
AnswerB

The BDR is 192.168.1.1, which is the interface address of neighbor 1.1.1.1.

Why this answer

The output shows 'BDR is 192.168.1.1', which is the interface address of neighbor 1.1.1.1. This directly indicates that router 1.1.1.1 is the Backup Designated Router on this segment. The neighbor state is FULL, confirming adjacency is fully established.

Exam trap

Cisco often tests the distinction between the neighbor's Router ID (1.1.1.1) and its interface address (192.168.1.1), causing candidates to confuse which router is the DR or BDR based on the Router ID rather than the explicit DR/BDR fields.

How to eliminate wrong answers

Option A is wrong because the DR is 192.168.1.2, not 1.1.1.1; the neighbor's interface address is 192.168.1.1, which is the BDR. Option C is wrong because the neighbor state is explicitly shown as 'FULL', not 2WAY; 2WAY is a lower state before adjacency formation. Option D is wrong because the dead timer is shown as 00:00:34, which is 34 seconds remaining, not 40 seconds; the default dead interval is 40 seconds, but the timer counts down.
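As an added example (not from the exam page or from Cisco), here is a small parser for this output that resolves DR/BDR roles the way the question demands: by interface address, never by Router ID. The sample output is constructed from the question text plus a second, constructed neighbor; that neighbor assumes R8 itself is a DROTHER, so a DROTHER-to-DROTHER adjacency legitimately stays at 2WAY.

```python
"""Parse 'show ip ospf neighbor detail' and derive DR/BDR roles.

Added example, not the exam page's own material. The DR/BDR fields carry
interface addresses while each neighbor is named by its Router ID, so the
parser records both and decides the role from the interface address only.
"""
import re

# Constructed sample: the question's neighbor block, plus a second neighbor
# invented for the demo (R8 is assumed to be a DROTHER, so it stays 2WAY).
SAMPLE_OUTPUT = """\
 Neighbor 1.1.1.1, interface address 192.168.1.1
    In the area 0 via interface GigabitEthernet0/0
    Neighbor priority is 1, State is FULL, 6 state changes
    DR is 192.168.1.2, BDR is 192.168.1.1
    Options is 0x42 (L LSR LSRR L LSR)
    Dead timer due in 00:00:34
    Neighbor is up for 00:12:45
    Index 1/1/1, retransmission queue length 0, number of retransmission 0
 Neighbor 3.3.3.3, interface address 192.168.1.3
    In the area 0 via interface GigabitEthernet0/0
    Neighbor priority is 1, State is 2WAY, 2 state changes
    DR is 192.168.1.2, BDR is 192.168.1.1
    Dead timer due in 00:00:38
    Neighbor is up for 00:01:10
"""

NEIGHBOR_RE = re.compile(r"^\s*Neighbor (\S+), interface address (\S+)")
AREA_RE = re.compile(r"In the area (\S+) via interface (\S+)")
STATE_RE = re.compile(r"Neighbor priority is (\d+), State is ([A-Z0-9]+)")
DRBDR_RE = re.compile(r"DR is (\S+), BDR is (\S+)")
DEAD_RE = re.compile(r"Dead timer due in (\d+):(\d+):(\d+)")


def parse_neighbors(output):
    """Return one dict per neighbor block found in the command output."""
    neighbors = []
    nbr = None
    for line in output.splitlines():
        m = NEIGHBOR_RE.match(line)
        if m:
            nbr = {"router_id": m.group(1), "address": m.group(2)}
            neighbors.append(nbr)
            continue
        if nbr is None:  # header text before the first neighbor block
            continue
        m = AREA_RE.search(line)
        if m:
            nbr["area"], nbr["interface"] = m.group(1), m.group(2)
            continue
        m = STATE_RE.search(line)
        if m:
            nbr["priority"], nbr["state"] = int(m.group(1)), m.group(2)
            continue
        m = DRBDR_RE.search(line)
        if m:
            nbr["dr"], nbr["bdr"] = m.group(1), m.group(2)
            continue
        m = DEAD_RE.search(line)
        if m:
            h, mi, s = (int(x) for x in m.groups())
            nbr["dead_seconds"] = h * 3600 + mi * 60 + s  # remaining, not the interval
    return neighbors


def neighbor_role(nbr):
    """DR, BDR or DROTHER, decided by the neighbor's interface address.

    Comparing the Router ID against the DR/BDR fields is the exam trap:
    those fields hold interface addresses, so a RID would never match.
    """
    if nbr["address"] == nbr.get("dr"):
        return "DR"
    if nbr["address"] == nbr.get("bdr"):
        return "BDR"
    return "DROTHER"


def summarize(output):
    """Map router_id -> (role, state, dead timer seconds remaining)."""
    return {n["router_id"]: (neighbor_role(n), n.get("state"), n.get("dead_seconds"))
            for n in parse_neighbors(output)}


if __name__ == "__main__":
    for rid, (role, state, dead) in summarize(SAMPLE_OUTPUT).items():
        print(f"{rid}: role={role} state={state} dead-timer={dead}s remaining")
```

The dead timer value is the countdown that remains, not the configured interval, which is why the parser stores it as `dead_seconds` remaining; a monitoring check that wants the interval has to read it from `show ip ospf interface` instead.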

1336
Matchingmedium

Drag and drop each gRPC method on the left to its matching subscription type on the right.

Matches

stream telemetry data from device

list supported gRPC services and methods

retrieve a single snapshot of data

create, update, or delete configuration data

retrieve a single snapshot via subscription

Why these pairings

These are the four gNMI RPCs carried over gRPC. Subscribe delivers telemetry: in STREAM mode it pushes updates continuously, in ONCE mode it returns a single snapshot through the subscription and closes, and in POLL mode it returns a snapshot each time the collector polls. Capabilities advertises what the device supports (models, encodings, gNMI version). Get retrieves a single snapshot of data outside any subscription, and Set creates, updates or deletes configuration data. The distinction the exam tests is that a one-off snapshot can come from either Get or Subscribe ONCE; only Subscribe can stream.

1337
MCQmedium

A company has a large network of 500 Cisco IOS XE routers and switches spread across multiple sites. The network team wants to automate the collection of interface statistics every hour and store them in a central database for historical analysis. The team has a Linux server with Python 3 and access to all devices via SSH with key-based authentication. They have written a Python script using Netmiko to connect to each device, run 'show interfaces', and parse the output to extract key metrics (e.g., input/output errors, packets per second). The script works correctly when tested on a small subset of devices, but when run against all 500 devices, it takes too long (over 2 hours) and sometimes fails due to SSH connection timeouts. The team needs to reduce the execution time and improve reliability. Which approach should they take?

A.Reduce the collection frequency to every 4 hours
B.Implement multiprocessing or multithreading in the Python script to connect to devices concurrently
C.Replace Netmiko with SNMP polling using the pysnmp library
D.Use Ansible playbooks instead of a custom Python script
AnswerB

Concurrency reduces overall execution time significantly.

Why this answer

Option B is correct because the bottleneck is that the script opens its 500 SSH sessions one after another. With Python's concurrent.futures.ThreadPoolExecutor (or multiprocessing) the script overlaps the I/O wait of many sessions, so wall-clock time drops roughly in proportion to the number of workers. Netmiko itself is not the problem; the serial execution model is. Two caveats a practitioner would add: bound the worker count (a few dozen, not 500), because each device has a finite number of VTY lines and every login hits AAA, and give each device its own connection and read timeout plus a retry, so one unreachable device is reported as a failure instead of stalling or aborting the whole run.

Exam trap

Cisco often tests the misconception that switching protocols (SNMP) or tools (Ansible) automatically solves performance issues, when the real root cause is lack of concurrency in the execution model.

How to eliminate wrong answers

Option A is wrong because collecting every 4 hours instead of every hour does not address the performance or reliability problem; it only masks the symptom, loses hourly resolution, and a run can still take too long and still time out. Option C is wrong because swapping Netmiko for SNMP polling with pysnmp changes the transport (UDP, with cleartext community strings unless SNMPv3 authPriv is used) and forces the parsing logic to be rewritten, while doing nothing about serial execution; the bottleneck is the execution model, not the library or protocol. Option D is wrong because Ansible is not a fix for the root cause either: it does run hosts in parallel, but only up to the forks setting (5 by default), so it would need the same concurrency tuning, and the team would have to reimplement its parsing in modules or filters; the working script plus a thread pool is the smaller, more reliable change.
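An added example of the concurrent pattern (not the team's script and not Netmiko's own code): a bounded thread pool with one retry per device and per-device error capture, so a single timeout becomes a line in a failure report rather than a crash. fetch_with_netmiko is the real-device path and assumes Netmiko 4 with key-based SSH to IOS XE; the demo path uses a constructed fake fetcher with simulated latency and two misbehaving hosts, so it runs with no devices at all.

```python
"""Concurrent show-command collection with bounded workers, retries and
per-device failure isolation. Added example, not the exam page's script."""
import threading
import time
from concurrent.futures import ThreadPoolExecutor, as_completed

MAX_WORKERS = 20   # bound concurrency: VTY lines, AAA and device CPU are finite
ATTEMPTS = 2       # one retry absorbs a transient SSH connection timeout


def fetch_with_netmiko(device):
    """Real-device path (assumes Netmiko 4): 'show interfaces' over key-based SSH."""
    from netmiko import ConnectHandler  # imported lazily so the demo runs without it
    conn = ConnectHandler(device_type="cisco_xe", host=device["host"],
                          username=device["username"], use_keys=True,
                          key_file=device["key_file"], conn_timeout=10)
    try:
        return conn.send_command("show interfaces", read_timeout=30)
    finally:
        conn.disconnect()


def fetch_with_retry(fetch, device, attempts=ATTEMPTS):
    """Call fetch(device) up to `attempts` times; re-raise the last error."""
    last = None
    for _ in range(attempts):
        try:
            return fetch(device)
        except Exception as exc:  # timeouts and auth errors are per device
            last = exc
    raise last


def collect(devices, fetch, max_workers=MAX_WORKERS):
    """Run fetch(device) for every device concurrently.

    Returns (results, errors): {host: output} and {host: error text}.
    A failing device lands in `errors`; it never aborts the other devices.
    """
    results, errors = {}, {}
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        futures = {pool.submit(fetch_with_retry, fetch, d): d["host"] for d in devices}
        for fut in as_completed(futures):
            host = futures[fut]
            try:
                results[host] = fut.result()
            except Exception as exc:
                errors[host] = f"{type(exc).__name__}: {exc}"
    return results, errors


# ---- demo path: constructed fake devices, no network required ----
_attempts = {}
_lock = threading.Lock()


def fake_fetch(device):
    """Constructed stand-in for fetch_with_netmiko: about 50 ms of 'SSH' latency,
    one host that always times out and one that fails only on its first try."""
    host = device["host"]
    with _lock:
        _attempts[host] = _attempts.get(host, 0) + 1
        attempt = _attempts[host]
    time.sleep(0.05)
    if host == "10.0.0.3":
        raise ConnectionError("SSH connection timed out")
    if host == "10.0.0.7" and attempt == 1:
        raise ConnectionError("transient SSH timeout")
    return f"GigabitEthernet0/0 is up, line protocol is up  ({host})"


def run_demo(count=50):
    """Collect from `count` fake devices; returns (results, errors, elapsed_seconds)."""
    with _lock:
        _attempts.clear()
    devices = [{"host": f"10.0.0.{i}", "username": "netops",
                "key_file": "~/.ssh/id_ed25519"} for i in range(1, count + 1)]
    start = time.monotonic()
    results, errors = collect(devices, fake_fetch)
    return results, errors, time.monotonic() - start


if __name__ == "__main__":
    results, errors, elapsed = run_demo()
    print(f"{len(results)} ok, {len(errors)} failed in {elapsed:.2f}s "
          f"(serial would take about {50 * 0.05:.1f}s)")
    for host, err in sorted(errors.items()):
        print(f"  {host}: {err}")
```

In the real job, `collect(devices, fetch_with_netmiko)` replaces the serial loop, the `results` dictionary feeds the existing parser and database writer, and `errors` is what the hourly run reports instead of dying on the first timeout. Keep MAX_WORKERS modest and raise it only after checking that the devices' VTY line count and the AAA server can absorb the login burst.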

1338
MCQmedium

Given the following CoPP configuration:

class-map match-all COPP_ICMP
 match access-group name ICMP_ACL
!
policy-map COPP_POLICY
 class COPP_ICMP
  police 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP_POLICY

What is the effect?

A.All ICMP traffic to the control plane is rate-limited to 8000 bps.
B.ICMP traffic is permitted unconditionally.
C.The policy is applied to all interfaces, not just the control plane.
D.The class-map is missing a match-all statement.
AnswerA

The police command sets a committed rate of 8000 bps for ICMP destined to the control plane; conforming packets are transmitted and excess packets are dropped.

Why this answer

The class-map COPP_ICMP matches whatever ICMP_ACL permits, so that ACL must be scoped to ICMP only. The policy-map polices the class with a single-rate policer at 8000 bps and the default burst: conforming traffic is transmitted, excess traffic is dropped. Because the policy is attached under control-plane as an input policy, it governs only packets punted to the route processor, not transit traffic. 8000 bps is a deliberately low ceiling: enough for reachability tests, not enough for a ping flood to starve the CPU.

How to eliminate wrong answers

Option B is wrong because ICMP above the rate is dropped, not permitted unconditionally. Option C is wrong because a service policy applied under control-plane affects only control-plane traffic; it is not applied to the data-plane interfaces. Option D is wrong because the class-map is explicitly defined with match-all.

1339
Drag & Dropmedium

Drag and drop the steps of the SD-Access fabric deployment sequence into the correct order, from first to last.

Why this order

SD-Access deployment begins with underlay configuration for physical connectivity, then overlay setup with LISP/VXLAN, followed by policy definition and integration with DNA Center for automation and assurance.

1340
MCQeasy

A network engineer runs the following command on Router R1:

R1# show ip route 192.168.2.0
Routing entry for 192.168.2.0/24
  Known via "ospf 1", distance 110, metric 20, type inter area
  Last update from 10.0.0.2 on GigabitEthernet0/0, 00:05:23 ago
  Routing Descriptor Blocks:
  * 10.0.0.2, via GigabitEthernet0/0, 00:05:23 ago
      Route metric is 20, traffic share count is 1

Based on this output, what can be concluded?

A.The route is an OSPF intra-area route
B.The route is an OSPF inter-area route
C.The route is an OSPF external route
D.The route is learned via EIGRP
AnswerB

The output explicitly states 'type inter area', indicating it is an inter-area route.

Why this answer

The route is learned via OSPF process 1 (administrative distance 110) with a metric of 20, and the explicit 'type inter area' marks it as an inter-area (O IA) route, one derived from a summary LSA originated by an ABR. The next hop is 10.0.0.2 via GigabitEthernet0/0. An intra-area route would read 'type intra area', an external route 'type extern 1' or 'type extern 2', and an EIGRP route would show 'Known via "eigrp <AS>"' with distance 90, so the output rules out Options A, C and D.

1341
Matchingmedium

Match each First Hop Redundancy Protocol (FHRP) to its description.

Matches

Cisco proprietary, active/standby

Open standard, active/standby

Cisco proprietary, active/active load balancing

Obsolete, uses ICMP advertisements

Another name for ICMP Router Discovery

Why these pairings

All of these provide default-gateway redundancy, but they differ in ownership and forwarding model. HSRP is Cisco proprietary with one active router and a standby. VRRP is the open-standard equivalent (RFC 5798) with a master and backups. GLBP is Cisco proprietary and load-balances by answering ARP for one virtual gateway with several virtual MAC addresses, so multiple routers forward at the same time. IRDP (ICMP Router Discovery Protocol, RFC 1256) is the obsolete predecessor in which routers advertise themselves with ICMP router advertisements; the last two descriptions both refer to IRDP, so only one of them is a valid match.

1342
MCQmedium

Given the following Ansible playbook snippet:

---
- name: Configure EIGRP
  hosts: routers
  gather_facts: no
  tasks:
    - name: EIGRP config
      ios_config:
        lines:
          - router eigrp 100
          - network 192.168.1.0
        parents: router eigrp 100

What is the effect of this playbook?

A.It fails because the network statement requires a wildcard mask.
B.It configures EIGRP AS 100 and advertises network 192.168.1.0/24.
C.It only enters EIGRP configuration mode without applying any network statement.
D.It works correctly because the network statement defaults to a classful mask.
AnswerB

Correct. In IOS the wildcard mask on an EIGRP network statement is optional; network 192.168.1.0 is accepted and, because 192.168.1.0 is a Class C address, is treated as 192.168.1.0/24.

Why this answer

The task enters router configuration mode through parents (router eigrp 100) and pushes network 192.168.1.0. IOS accepts a network statement without a wildcard mask and applies the classful mask, so the playbook configures EIGRP AS 100 and enables EIGRP on, and advertises, 192.168.1.0/24. Option B describes that effect, which is what the question asks for; Option D states the reason the statement is accepted, not the effect. Option A is wrong because the wildcard mask is optional, not required. Option C is wrong because the network line is pushed, not only the router eigrp line.

One real defect remains: router eigrp 100 appears both as the parent and as the first entry under lines. IOS tolerates the repeated command, but ios_config will never find it as a child of the router eigrp 100 block in the running configuration, so the task keeps reporting changed on every run. Keep it only in parents.

1343
MCQmedium

An engineer is designing an MPLS L3VPN service for a customer that requires overlapping IP addresses between two sites. The customer uses OSPF as the PE-CE protocol. The engineer configures VRFs on the PE routers and assigns unique route distinguishers (RDs) and route targets (RTs). However, the customer reports that routes from one site are not being installed in the other site's VRF. What is the most likely cause?

A.The route-target export on PE1 does not match the route-target import on PE2.
B.The overlapping IP addresses cause a routing loop in OSPF.
C.OSPF cannot carry overlapping prefixes in different VRFs.
D.The route distinguisher is not unique between the two sites.
AnswerA

Correct because route targets must match for routes to be imported into the remote VRF.

Why this answer

In MPLS L3VPN, route targets control the import/export of routes between VRFs. If the RTs are not configured correctly, routes will not be exchanged. Option A is correct.

Option B is wrong because overlapping address space is exactly what VRFs isolate; each site's routes live in their own VRF and their own VRF-aware OSPF process, so no loop results. Option C is wrong because OSPF runs per VRF and the PE redistributes those routes into MP-BGP, where the RD makes otherwise identical prefixes distinct VPNv4 routes. Option D is wrong because the RD only disambiguates prefixes; it plays no part in deciding which VRF imports a route, which is the job of the route targets.

1344
Drag & Dropmedium

Drag and drop the steps of EIGRP named mode configuration steps into the correct order, from first to last.

Why this order

Named mode starts with router eigrp <virtual-name>, then enters address-family ipv4 unicast autonomous-system <AS>, which is where the AS number is set in named mode (not on the router eigrp line). Network statements are configured under the address family, then timers or other parameters are optionally adjusted (per-interface settings live under af-interface). Finally, the configuration is verified with show ip eigrp neighbors and show ip eigrp topology.

1345
MCQmedium

Given the following configuration on a Cisco IOS-XE router:

interface Tunnel100
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 192.168.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MYPROFILE

What is the effect of this configuration?

A.It creates a GRE tunnel with IPsec encryption.
B.It creates a VTI (Virtual Tunnel Interface) that encrypts all traffic routed into the tunnel using IPsec.
C.It creates a DMVPN phase 1 tunnel with mGRE.
D.It creates a L2TPv3 tunnel for layer 2 transport.
AnswerB

The tunnel mode ipsec ipv4 creates a static VTI, which encrypts any traffic sent to the tunnel interface using the referenced IPsec profile.

Why this answer

This configuration creates a static virtual tunnel interface (sVTI): a point-to-point tunnel whose encapsulation is IPsec itself rather than GRE. Any packet routed out Tunnel100 is encrypted with the transform set and IKE settings referenced by the IPsec profile MYPROFILE and sent to the peer at 192.168.1.1, so traffic selection is done by routing rather than by a crypto ACL.

How to eliminate wrong answers

Option A is wrong because a GRE-over-IPsec tunnel uses the default tunnel mode gre ip and carries a GRE header inside the IPsec payload; tunnel mode ipsec ipv4 has no GRE header. Option C is wrong because DMVPN requires tunnel mode gre multipoint plus NHRP, and this tunnel has a single static destination. Option D is wrong because L2TPv3 is a Layer 2 pseudowire configured with xconnect, not a tunnel interface with an IP address.

1346
MCQmedium

Given the following WLAN configuration on a Cisco 9800 WLC:

wlan test-wlan 1 test-ssid
 client vlan VLAN10
 no security wpa
 no security wpa2
 security wpa3
 no security ft

What is a potential issue with this configuration?

A.The WLAN is missing a security key management (AKM) configuration.
B.The client VLAN is incorrectly configured.
C.WPA3 is not supported on this platform.
D.The SSID name is too long.
AnswerA

Enabling WPA3 only selects the protocol version; the WLAN still needs an authenticated key management method (SAE for WPA3-Personal) and a pre-shared key, and the snippet shows neither.

Why this answer

Turning on WPA3 does not by itself choose how clients are authenticated. A WPA3-Personal WLAN needs the SAE AKM and a PSK (on the 9800, security wpa akm sae together with security wpa psk set-key ascii 0 <key>), a WPA3-Enterprise WLAN needs the 802.1X-SHA256 AKM, and WPA3 additionally requires Protected Management Frames (security pmf mandatory). Without an AKM, clients cannot complete the handshake and never associate. Disabling 802.11r fast transition (no security ft) is not an error: FT is an optional roaming optimization and is not required by WPA3. Option B is wrong because a named client VLAN is a valid mapping; Option C is wrong because the Catalyst 9800 supports WPA3; Option D is wrong because test-ssid is well within the 32-octet SSID limit.

1347
Multi-Selecteasy

Which TWO characteristics are true about the operation of Rapid PVST+? (Choose two.)

Select 2 answers
A.It runs a single spanning-tree instance for all VLANs.
B.It eliminates the need for BPDUs.
C.It supports PortFast to enable immediate transition to forwarding.
D.It uses a separate root bridge per VLAN.
E.It provides faster convergence than PVST+.
AnswersC, E

Correct: PortFast allows edge ports to skip listening/learning.

Why this answer

Option C is correct because Rapid PVST+ supports PortFast, which lets an access port connected to an end host move immediately to forwarding instead of waiting out the discarding and learning stages; such a port is treated as an RSTP edge port and should be paired with BPDU Guard so that a switch plugged into it cannot take part in the topology. Option E is correct because Rapid PVST+ runs IEEE 802.1w (RSTP) per VLAN: the proposal/agreement handshake on point-to-point links and the sync mechanism converge in a second or two, whereas PVST+ relies on 802.1D timers and needs 30 to 50 seconds. Option A is wrong because there is one instance per VLAN, not one for all VLANs. Option D is the closest distractor: each VLAN does elect its own root, but the same switch can be root for every VLAN, so a separate root per VLAN is a design choice, not an operating characteristic.

Exam trap

Cisco often tests the misconception that Rapid PVST+ eliminates BPDUs entirely, when in fact it uses enhanced BPDU exchanges (proposal/agreement) to achieve faster convergence, not the absence of BPDUs.

1348
MCQmedium

A network engineer runs the following command on Switch SW6:

SW6# show etherchannel 3 summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      N - not in use, no aggregation
        f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+--------------------------------------------
3      Po3(RU)       PAgP        Gi0/0(P)    Gi0/1(P)    Gi0/2(I)

Based on this output, what can be concluded?

A.Port-channel 3 is a Layer 2 EtherChannel.
B.Interface Gi0/2 is in stand-alone mode because it is not receiving PAgP packets from the neighbor.
C.All three interfaces are bundled and forwarding traffic.
D.The EtherChannel is not in use because the 'U' flag is missing.
AnswerB

The 'I' flag means stand-alone, typically due to PAgP negotiation failure.

Why this answer

The output shows that Port-channel3 is a Layer 3 (R) port-channel in use (U) using PAgP. Two ports (Gi0/0 and Gi0/1) are bundled (P), while Gi0/2 is in stand-alone mode (I). Stand-alone mode in PAgP means the port is not part of the channel, typically because the neighbor is not configured for PAgP or there is a mismatch.

The correct answer is that Gi0/2 is not bundled and is operating as a regular interface.

1349
MCQmedium

An enterprise is migrating from a traditional MPLS WAN to Cisco SD-WAN. The network team has deployed vEdge routers at all branch offices and a vSmart controller in the data center. The engineer configures a centralized control policy to influence path selection based on cost and latency. After the policy is activated, the engineer notices that some branches are not receiving the updated policy and are still using the default best-path selection. The vSmart is reachable from all branches, and the vEdge routers show that they are connected to the vSmart. What is the most likely reason for this issue?

A.The vEdge routers have not been rebooted after the policy change.
B.The control policy is not attached to the appropriate site list or VPN list.
C.The OMP graceful restart timer has expired, causing the vEdge to ignore the policy.
D.The BFD sessions between vEdge and vSmart are flapping.
AnswerB

Correct because a control policy must be associated with a list to be applied; otherwise, it is not enforced.

Why this answer

In Cisco SD-WAN, a centralized control policy must be explicitly applied to a site list (and, where relevant, a VPN list) that defines which devices and which VPNs it governs. If the policy is not attached to the appropriate list, the vSmart controller never applies it to OMP updates for the targeted vEdge routers, so those branches keep using the default OMP best-path selection. The fact that the vEdge routers show a healthy control connection to the vSmart confirms the issue is with policy application, not reachability.

Exam trap

Cisco often tests the concept that a control policy must be attached to a site list or VPN list to be effective, and candidates mistakenly assume that simply configuring the policy on the vSmart is sufficient for it to apply to all devices.

How to eliminate wrong answers

Option A is wrong because vEdge routers do not require a reboot to apply control policy changes; policies are pushed dynamically via OMP from the vSmart and take effect immediately upon activation. Option C is wrong because the OMP graceful restart timer affects route convergence during a vSmart failure, not the application of a control policy; a vEdge will not ignore a policy due to this timer expiring. Option D is wrong because BFD sessions are used for data-plane path liveliness detection between vEdge routers, not for control-plane communication between vEdge and vSmart; flapping BFD sessions would not prevent policy receipt.

1350
MCQeasy

A network engineer runs the following command on Switch SW7:

SW7# show spanning-tree vlan 70

VLAN0070
  Spanning tree enabled protocol ieee
  Root ID    Priority    24646
             Address     aabb.cc00.0c00
             Cost        4
             Port        1 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32768  (priority 32768 sys-id-ext 70)
             Address     aabb.cc00.0d00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Root FWD 4         128.1    P2p
Gi0/2               Desg FWD 4         128.2    P2p
Gi0/3               Altn BLK 4         128.3    P2p

Based on this output, which port is the alternate port?

A.GigabitEthernet0/1
B.GigabitEthernet0/2
C.GigabitEthernet0/3
D.There is no alternate port.
AnswerC

Correct. Gi0/3 is the alternate port (Altn BLK).

Why this answer

The alternate port is the port that provides an alternative path to the root bridge and is placed in blocking state. In the output, Gi0/3 is shown as 'Altn BLK'.
