ENCOR 350-401 (350-401) — Questions 1351-1425

2015 questions total · 27 pages · All types, answers revealed

Page 19 of 27
1351 · Multi-Select · hard

Which three statements about classification and marking in a QoS architecture are true? (Choose three.)

A. Classification can be based on the source IP address, destination port, or protocol type using an access control list.
B. Marking at Layer 3 uses the DSCP field, which provides 64 possible values, while IP Precedence provides only 8.
C. The MPLS EXP field is used to mark packets only at the ingress of an MPLS network and is never changed within the core.
D. Marking should be performed as close to the source as possible to ensure consistent treatment across the network.
E. NBAR (Network Based Application Recognition) can classify traffic by inspecting the payload up to Layer 7.

Answers: A, B, D

Correct. ACLs are a common method to classify traffic based on Layer 3 and Layer 4 information such as IP addresses, ports, and protocols.

Why this answer

Classification identifies traffic based on criteria like ACLs or NBAR, while marking sets QoS fields. Marking can be done at multiple layers (Layer 2 CoS, Layer 3 DSCP/IP Precedence) and should be performed as close to the source as possible. DSCP is preferred over IP Precedence due to its finer granularity.

MPLS EXP is used in MPLS networks.

1352 · Drag & Drop · medium

Drag and drop the steps of SD-Access underlay provisioning via LAN Automation into the correct order, from first to last.


Why this order

LAN Automation begins with the seed device discovering new switches via CDP, then the new switches are automatically configured with the underlay template, including PnP and DHCP. After configuration, the switches join the fabric underlay, and finally, the automation process verifies connectivity and updates the inventory.

1353 · Drag & Drop · medium

Drag and drop the steps of KVM VM provisioning via virsh CLI into the correct order, from first to last.


Why this order

KVM provisioning via virsh begins with defining the VM XML configuration. Then, the VM is started using virsh start. Next, the VM's console is accessed to complete OS installation.

After that, the VM is shut down gracefully. Finally, the VM is restarted for production use.

1354 · Drag & Drop · hard

Drag and drop the steps of troubleshooting a failed EtherChannel bundle into the correct order, from first to last.


Why this order

First, verify that the port-channel interface exists. Then check that physical ports are in the same VLAN and have matching configurations. Next, confirm that the channel-group mode is compatible on all ports.

After that, inspect LACP or PAgP counters for errors. Finally, check for hardware or cabling issues if all else fails. This systematic approach isolates configuration errors before hardware faults.

1355 · MCQ · easy

What is the default CoS-to-queue mapping on a Cisco switch that supports QoS?

A. CoS 0-1 to queue 1, CoS 2-3 to queue 2, CoS 4-5 to queue 3, CoS 6-7 to queue 4
B. CoS 0-2 to queue 1, CoS 3-5 to queue 2, CoS 6-7 to queue 3
C. CoS 0 to queue 1, CoS 1 to queue 2, CoS 2 to queue 3, CoS 3 to queue 4
D. All CoS values are mapped to a single queue by default.

Answer: A

This is the default mapping for many Cisco switches.

Why this answer

On Cisco switches that support QoS, the default Class of Service (CoS) to queue mapping distributes CoS values across four egress queues. CoS 0 and 1 are mapped to queue 1 (best effort), CoS 2 and 3 to queue 2, CoS 4 and 5 to queue 3, and CoS 6 and 7 to queue 4 (highest priority). This mapping is defined by the default trust state and is used to prioritize traffic based on the 802.1p priority bits in the VLAN tag.

Exam trap

Cisco often tests the default CoS-to-queue mapping as a memorization point, and the trap here is that candidates confuse the default mapping with a custom or logical grouping, such as assuming CoS 5 is always in the highest queue or that each CoS gets its own queue.

How to eliminate wrong answers

Option B is wrong because it maps CoS 0-2 to queue 1, CoS 3-5 to queue 2, and CoS 6-7 to queue 3, which is a three-queue mapping that does not match the standard four-queue default on Cisco switches. Option C is wrong because it assigns each CoS value (0, 1, 2, 3) to a separate queue, which is not the default; the default groups CoS values into pairs per queue. Option D is wrong because Cisco switches do not map all CoS values to a single queue by default; they use multiple queues to provide differentiated QoS based on CoS markings.

1356 · MCQ · medium

Consider the following configuration:

    policy-map QUEUE_POLICY
     class VOICE
      priority level 1
      police cir 1000000
     class VIDEO
      priority level 2
      police cir 2000000
     class class-default
      fair-queue

What is the effect of using priority level 1 and priority level 2?

A. VOICE traffic (level 1) is always sent before VIDEO traffic (level 2), and both are policed.
B. VOICE and VIDEO traffic are treated equally and share the priority bandwidth.
C. VIDEO traffic (level 2) is sent before VOICE traffic (level 1) because it has a higher police rate.
D. This configuration is invalid because only one priority level is allowed.

Answer: A

Priority levels allow multiple strict priority queues with a hierarchy.

Why this answer

The 'priority level' command under a class in a policy-map allows multiple priority queues with different levels. Level 1 is the highest priority, so VOICE traffic (level 1) is always scheduled before VIDEO traffic (level 2). Both classes are also subject to policing, which enforces a maximum rate (CIR) and drops or remarks excess traffic.

This ensures low-latency treatment for VOICE while still providing priority queuing for VIDEO, but with a lower scheduling preference.

Exam trap

The trap here is that candidates often assume only one priority queue is allowed per policy-map, but Cisco tests the 'priority level' feature which permits multiple priority queues with hierarchical strict scheduling.

How to eliminate wrong answers

Option B is wrong because VOICE and VIDEO are not treated equally; priority level 1 (VOICE) is strictly scheduled before priority level 2 (VIDEO), creating a hierarchical priority structure. Option C is wrong because a higher police rate does not affect scheduling priority; priority level determines scheduling order, not the policing rate. Option D is wrong because the configuration is valid; Cisco IOS supports multiple priority levels (up to 16 in some platforms) using the 'priority level' command, allowing differentiated priority queuing.

1357 · Drag & Drop · medium

Drag and drop the steps of OSPF neighbor adjacency formation into the correct order, from first to last.


Why this order

OSPF neighbors transition through Down, Init, 2-Way, ExStart, Exchange, Loading, and Full states. The correct order begins with the router sending Hello packets (Down to Init), then receiving a Hello reply (Init to 2-Way), electing DR/BDR if needed (2-Way to ExStart), exchanging database description packets (ExStart to Exchange), and finally synchronizing databases (Loading to Full).

1358 · MCQ · medium

A network engineer is using the Cisco IOS-XE REST API to configure a static route. The engineer sends a PATCH request to 'https://device/restconf/data/Cisco-IOS-XE-native:native/ip/route/ip-route-interface-forwarding-list=192.168.1.0,255.255.255.0,GigabitEthernet1' with a JSON payload containing the route details. The device responds with a 204 No Content status. What does this response indicate?

A. The request was successful, and the static route has been configured.
B. The request failed because the route already exists; the engineer must use PUT instead.
C. The device does not support PATCH; the engineer must use POST to update the route.
D. The payload was empty; the engineer must include the route parameters in the body.

Answer: A

Correct because 204 No Content indicates success with no response body; the route is configured.

Why this answer

A 204 No Content response indicates that the request was successful, but there is no content to return. In RESTCONF, a successful PATCH request that updates an existing resource typically returns 204 No Content. The engineer should verify that the route was applied by retrieving the configuration.

1359 · MCQ · easy

What is the maximum hop count for EIGRP?

A. 100
B. 255
C. 15
D. Unlimited

Answer: B

EIGRP supports a maximum hop count of 255.

Why this answer

EIGRP uses a maximum hop count of 255, but the default is 100.

1360 · Drag & Drop · medium

Drag and drop the steps of named ACL modification using sequence numbers into the correct order, from first to last.


Why this order

Sequence numbers allow editing named ACLs without re-entering all entries. The correct order is: view current entries, insert a new entry at a specific sequence, then verify the updated ACL.

1361 · Drag & Drop · medium

Drag and drop the steps of IP SLA scheduling with frequency and lifetime into the correct order, from first to last.


Why this order

First, the IP SLA operation is created. Then the frequency (how often to run) is configured. The lifetime (how long to run) is set.

The operation is scheduled to start. Finally, the schedule is verified.

1362 · MCQ · hard

A network team is using Ansible with the iosxr_config module to push configuration changes to a Cisco IOS-XR router. The playbook uses the REST API via the 'ansible_connection: restconf' setting. The engineer notices that the changes are applied but the playbook reports 'changed: false' even when changes were made. What is the most likely reason for this behavior?

A. The REST API on the router does not return a proper response, so Ansible cannot determine if a change occurred.
B. The engineer should use the 'uri' module with the REST API instead of the 'iosxr_config' module.
C. The playbook is missing the 'gather_facts: no' directive, causing Ansible to skip change detection.
D. The router requires a commit operation after configuration changes, and Ansible does not perform that.

Answer: B

Correct because 'iosxr_config' is for CLI-based connections; for RESTCONF, the 'uri' module or a dedicated RESTCONF module should be used.

Why this answer

When using RESTCONF, the Ansible module may not detect changes if the module does not properly parse the response from the device. However, in this scenario, the issue is that the 'iosxr_config' module is designed for CLI-based connections, not RESTCONF. The correct approach is to use a module like 'iosxr_restconf' or a generic 'uri' module.

'ansible_connection: restconf' is not a valid connection type for Ansible; Ansible uses the 'network_cli' or 'ansible.netcommon.restconf' connection plugin. The engineer should use the 'uri' module or a dedicated RESTCONF module.

1363 · MCQ · medium

A network engineer runs the following command on Router R6:

    R6# show ip pim rp 239.3.3.3
    RP 10.0.0.4
      Info source: 10.0.0.4, via bootstrap, priority 192, holdtime 150, expires in 00:02:30

Based on this output, what can be concluded?

A. The RP was learned via Auto-RP.
B. The RP was learned via BSR.
C. The RP was statically configured.
D. The RP is 10.0.0.5.

Answer: B

The output explicitly states 'via bootstrap'.

Why this answer

The 'show ip pim rp' command shows the RP for group 239.3.3.3 is 10.0.0.4, learned via bootstrap (BSR). The priority is 192, holdtime 150 seconds, and it expires in 2 minutes 30 seconds. This indicates that BSR is the mechanism used to learn the RP.

The correct answer is that the RP was learned via BSR.

1364 · MCQ · medium

A network engineer is configuring OSPF on a router that connects to two different ISPs. The engineer wants to prefer one ISP for all external routes unless that ISP's link fails, in which case the other ISP should be used. Which OSPF feature should be used to influence the path selection for external routes?

A. Configure the OSPF cost on the interface connecting to the preferred ISP to a lower value.
B. Use the 'distance ospf external' command to set a higher administrative distance for external routes from the less preferred ISP.
C. Use the 'max-metric' command on the router connecting to the less preferred ISP.
D. Configure the OSPF network type to point-to-point on both interfaces.

Answer: B

Correct because by setting a higher administrative distance for external routes from one ISP, the router will prefer routes with lower administrative distance from the other ISP.

Why this answer

Option B is correct because the 'distance ospf external' command allows you to set a higher administrative distance for external OSPF routes learned from a specific neighbor or source, making the routes from the less preferred ISP less trustworthy. When the preferred ISP's link fails, those routes are removed, and the router will then use the external routes from the backup ISP due to their lower administrative distance (or default distance if not changed). This directly influences path selection for external routes without altering OSPF metrics or interface costs.

Exam trap

The trap here is that candidates often confuse OSPF cost (metric) with administrative distance, thinking that lowering the interface cost will make external routes from that ISP preferred, but OSPF cost only affects internal path selection, not the preference between different routing sources for external routes.

How to eliminate wrong answers

Option A is wrong because OSPF cost influences intra-area and inter-area route selection, but external routes (type 5 or 7 LSAs) are selected based on the forwarding address and metric type (E1/E2); changing interface cost does not directly control preference between two ISPs for external routes. Option C is wrong because the 'max-metric' command sets the router's own link-state metrics to a high value (like 65535) to avoid being a transit router, but it does not influence the selection of external routes learned from different ISPs. Option D is wrong because configuring the OSPF network type to point-to-point affects neighbor discovery and LSA flooding behavior, not the administrative distance or preference for external routes.

1365 · MCQ · medium

A Python script uses the requests library to interact with Cisco DNA Center's REST API:

    import requests

    url = "https://dna-center/api/v1/network-device"
    headers = {
        "X-Auth-Token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."
    }
    response = requests.get(url, headers=headers, verify=False)
    print(response.json())

What is a security concern with this script?

A. The script uses a hardcoded token, which is a security risk.
B. The script disables SSL certificate verification, making it vulnerable to man-in-the-middle attacks.
C. The script does not handle HTTP errors, which could expose sensitive information.
D. The script uses an incorrect URL; the path should be /dna/intent/api/v1/network-device.

Answer: B

verify=False should only be used in test environments; in production, proper certificates should be used.

Why this answer

The script disables SSL certificate verification with verify=False, which makes it vulnerable to man-in-the-middle attacks. The correct answer identifies this security issue.

1366 · Multi-Select · hard

Which three statements about NFV and its relationship with SDN are true? (Choose three.)

A. NFV can leverage SDN to dynamically create and manage network paths between VNFs.
B. SDN can provide the network abstraction that allows NFV to decouple network functions from underlying hardware.
C. NFV and SDN are independent technologies that can be deployed separately or together.
D. SDN is a prerequisite for implementing NFV in any network environment.
E. NFV requires SDN to perform service function chaining.

Answers: A, B, C

Correct because SDN provides programmable network control, enabling automated connectivity between VNFs.

Why this answer

NFV and SDN are complementary but independent technologies. NFV focuses on virtualizing network functions, while SDN separates the control and data planes for centralized network control. They can be used together to enhance flexibility and automation.

Option A is correct because NFV can use SDN to provide dynamic network connectivity between VNFs. Option B is correct because SDN can provide the network abstraction needed for NFV. Option C is correct because they are independent; one can be deployed without the other.

Option D is incorrect because SDN is not a requirement for NFV; NFV can work with traditional networking. Option E is incorrect because NFV does not require SDN for service chaining; it can use other methods like policy-based routing.

1367 · MCQ · medium

A network engineer is troubleshooting a wireless network where clients in a conference room experience intermittent connectivity. The engineer notices that the access point in that room is showing a high number of CRC errors on its uplink interface. The AP is connected to a Cisco 9300 switch via a copper cable. What is the most likely cause of the CRC errors?

A. The AP is overloaded with too many clients.
B. The Ethernet cable is faulty or of poor quality.
C. The switch port is configured with a duplex mismatch.
D. The AP is not receiving enough power from Power over Ethernet (PoE).

Answer: B

Correct because CRC errors on a copper link are usually due to physical layer problems like faulty cables, bad connectors, or interference.

Why this answer

CRC errors typically indicate physical layer issues such as faulty cabling, bad connectors, or electromagnetic interference. Since the AP is connected via copper, a faulty cable is the most likely cause. Duplex mismatch would cause alignment errors, not just CRC.

AP overload would not cause CRC errors on the uplink. PoE issues would cause power problems, not CRC errors.

1368 · MCQ · hard

An enterprise is implementing Cisco TrustSec (CTS) to enforce role-based access control. The network engineer configures the switch with 'cts role-based enforcement' and 'cts manual' on an interface connecting to a trusted Cisco switch. The engineer also configures Security Group Tags (SGTs) on the RADIUS server. However, traffic between two hosts in different SGTs is not being filtered as expected. The engineer checks 'show cts role-based counters' and sees no drops. What is the most likely reason for the lack of enforcement?

A. The switch is not configured for 802.1X on the interface.
B. The 'cts manual' command is incorrect; 'cts dot1x' should be used instead.
C. The SGTs are not being propagated to the switch; the switch lacks SGT mappings for the hosts.
D. The 'show cts role-based counters' command shows no drops, indicating the ACLs are not configured.

Answer: C

Correct because without SGTs, the switch cannot enforce role-based policies.

Why this answer

CTS role-based enforcement requires SGTs to be assigned to packets. If the switch does not have SGT information for the source or destination, it cannot enforce policies. Option C is correct because without SGTs, the switch treats traffic as untagged and does not apply SGACLs.

Option A is incorrect because CTS does not require 802.1X; it can use manual or SXP. Option B is incorrect because 'cts manual' is a valid configuration for trusted interfaces. Option D is incorrect because 'show cts role-based counters' shows drops only if enforcement is active; no drops indicate no enforcement.

1369 · MCQ · hard

A network engineer configures SNMPv3 on a Cisco router with the following: 'snmp-server group GRP v3 priv', 'snmp-server user usr GRP v3 auth sha pass1 priv aes 128 pass2'. The NMS is configured with the same credentials. However, the NMS cannot perform SNMP walks. The engineer notices that the router's SNMP agent is responding to queries from other devices. What is the most likely cause?

A. The user's authentication key is too short.
B. The group 'GRP' is not associated with a view that allows read access to the MIB tree.
C. The NMS is using SNMPv2c community strings instead of SNMPv3.
D. The router's SNMP engine ID has changed since the user was created.

Answer: B

Correct because without a view, the group may have no access; 'snmp-server group GRP v3 priv read VIEW' is needed.

Why this answer

SNMPv3 walks require proper view configuration. By default, the group may not have access to the entire MIB tree. The correct answer is that the group needs a view that includes the OIDs being walked.

1370 · Multi-Select · medium

Which three statements about FlexVPN are true? (Choose three.)

A. FlexVPN uses IKEv2 as its underlying key exchange protocol.
B. FlexVPN supports both site-to-site and remote access VPN topologies.
C. FlexVPN requires a dedicated AAA server for all authentication functions.
D. FlexVPN can use digital certificates or pre-shared keys for authentication.
E. FlexVPN uses NHRP to dynamically discover spoke routers and establish direct tunnels.

Answers: A, B, D

Correct because FlexVPN is built on IKEv2, leveraging its features like EAP, mobility, and NAT traversal.

Why this answer

FlexVPN is a Cisco implementation based on IKEv2, supporting hub-and-spoke, spoke-to-spoke, and remote access VPNs with centralized key management.

1371 · MCQ · easy

A network engineer runs the following command on Router R1:

    R1# show bgp ipv4 unicast 192.168.1.0/24
    BGP routing table entry for 192.168.1.0/24, version 15
    Paths: (1 available, best #1, table default)
      Advertised to update-groups:
         1
      Refresh Epoch 1
      65050, (received & used)
        10.0.1.2 from 10.0.1.2 (10.0.0.2)
          Origin IGP, metric 0, localpref 100, weight 0, valid, external, best
          rx pathid: 0, tx pathid: 0x0

Based on this output, what can be concluded?

A. The route was learned from an internal BGP peer.
B. The route is from AS 65050 and is the best path.
C. The route has a local preference of 0.
D. The route is not valid because it is external.

Answer: B

The AS_PATH shows 65050, and the path is marked as 'best'.

Why this answer

The output shows the BGP table entry for 192.168.1.0/24 with path 65050, and the line 'valid, external, best' confirms that this route is from AS 65050 and is selected as the best path. The 'best' keyword in the status flags directly indicates that this path is the best among all available paths for this prefix.

Exam trap

Cisco often tests the distinction between 'valid' and 'best' — candidates may incorrectly assume that an external route is automatically invalid or that 'external' implies a problem, but the output clearly shows the route is both valid and best.

How to eliminate wrong answers

Option A is wrong because the route is learned from an external BGP peer (indicated by 'external' in the status flags and the neighbor IP 10.0.1.2, which is not in the same AS as the router's BGP configuration). Option C is wrong because the output explicitly shows 'localpref 100', not 0; local preference defaults to 100 for routes from external peers unless modified. Option D is wrong because the route is explicitly marked as 'valid' in the output, and being external does not make it invalid; external routes are valid if they pass BGP path validation.

1372 · Matching · medium

Drag and drop each Layer 2 attack on the left to its matching mitigation feature on the right.

Mitigation features (right-hand column):
- Port security
- DHCP snooping
- Dynamic ARP Inspection
- BPDU guard
- Disable Dynamic Trunking Protocol

Why these pairings

MAC flooding is mitigated by port security; DHCP starvation by DHCP snooping; ARP spoofing by DAI; STP manipulation by BPDU guard; VLAN hopping by disabling DTP.

1373 · Matching · medium

Drag and drop each Ansible connection type on the left to its matching protocol on the right.

Protocol descriptions (right-hand column):
- SSH-based CLI connection to network devices
- SSH-based NETCONF session for XML configuration
- HTTP/HTTPS-based API connection (e.g., NX-API, RESTCONF)
- Runs modules on the Ansible control node without SSH to target
- Pure Python SSH implementation (fallback when native SSH is unavailable)

Why these pairings

network_cli uses SSH for CLI commands, netconf uses SSH for NETCONF XML, httpapi uses HTTP/HTTPS for REST APIs (e.g., NX-API).

1374 · MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show policy-map interface GigabitEthernet0/1
     GigabitEthernet0/1

      Service-policy output: QOS_POLICY

        Class-map: VOICE (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: ip dscp ef (46)
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
          police cir 1000000 bc 15625 be 15625
            conformed 0 packets, 0 bytes; actions: transmit
            exceeded 0 packets, 0 bytes; actions: drop
            violated 0 packets, 0 bytes; actions: drop

        Class-map: class-default (match-any)
          100 packets, 10000 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 100/10000

Based on this output, what can be concluded?

A. Voice traffic is being marked with DSCP EF and is being policed at 1 Mbps.
B. Voice traffic is not being classified because no packets match the VOICE class.
C. All traffic is being dropped due to the police action.
D. The policy-map is applied in the input direction.

Answer: B

The VOICE class has 0 packets, meaning no traffic matched the DSCP EF criteria.

Why this answer

The output shows that the VOICE class is matching DSCP EF (46) and has a police command with a CIR of 1 Mbps. Since no packets have been matched (0 packets, 0 bytes), the voice traffic is not being classified. This indicates that either no voice traffic is present or the DSCP marking is not EF.

The class-default is handling all traffic.

1375 · Drag & Drop · medium

Drag and drop the steps of DNA Center network discovery and device sync into the correct order, from first to last.


Why this order

Discovery starts with defining the discovery scope, running the discovery, adding discovered devices to inventory, syncing device details, and finally assigning devices to a site.

1376 · MCQ · easy

A company is deploying a virtual WAN optimizer (vWAAS) on a Cisco NFVIS host. The engineer needs to ensure that the vWAAS can intercept traffic between two VNFs running on the same host. The traffic currently flows directly between the VNFs without passing through the vWAAS. What should the engineer configure to redirect the traffic?

A. Create a service chain in NFVIS that places the vWAAS between the two VNFs.
B. Configure a static route on each VNF pointing to the vWAAS.
C. Enable WCCP on the vWAAS and configure the VNFs to use WCCP.
D. Use policy-based routing on the VNFs to forward traffic to the vWAAS.

Answer: A

Correct because service chaining allows traffic to be steered through VNFs in a specified order.

Why this answer

Option A is correct because NFVIS supports service chaining, which allows an administrator to define a sequence of VNFs that traffic must traverse. By creating a service chain that places the vWAAS between the two VNFs, NFVIS will automatically redirect the traffic through the vWAAS using internal bridging or vSwitch forwarding rules, without requiring any configuration changes on the VNFs themselves.

Exam trap

The trap here is that candidates often assume traffic redirection between VNFs must be done at Layer 3 (routing) using static routes or PBR, but Cisco tests the understanding that NFVIS service chaining operates at Layer 2 within the hypervisor, providing transparent interception without modifying the VNFs.

How to eliminate wrong answers

Option B is wrong because static routes on the VNFs would only affect traffic destined for specific subnets, not intercept all traffic between them; moreover, the VNFs would need to know the vWAAS as a next hop, which does not solve the problem of redirecting traffic that currently flows directly. Option C is wrong because WCCP (Web Cache Communication Protocol) is designed for redirecting traffic to a cache engine or WAN optimizer in a network, but it requires WCCP support on the routers or switches, not on VNFs running on the same NFVIS host, and the VNFs themselves typically do not run WCCP. Option D is wrong because policy-based routing (PBR) on the VNFs would require modifying the routing configuration of each VNF, which is complex, not scalable, and defeats the purpose of using NFVIS service chaining to handle traffic redirection transparently at the hypervisor level.

1377 · MCQ · medium

A network engineer is troubleshooting an Ansible playbook that uses the ios_config module to apply ACLs. The playbook runs without errors, but the ACLs are not applied to the device. The engineer verifies that the device is reachable and the credentials are correct. What is the most likely cause?

A. The device is in a different VRF and not reachable.
B. The playbook is missing the connection parameter set to 'network_cli'.
C. The ACL syntax in the playbook is incorrect.
D. The ios_config module requires the netmiko library to be installed on the control node.

Answer: B

Ansible network modules require the connection: network_cli setting.

Why this answer

The ios_config module requires the connection parameter to be set to 'network_cli' (or 'ansible.netcommon.network_cli') to use the CLI transport for sending configuration commands to network devices. Without this, Ansible defaults to the 'smart' connection, which may not properly interact with network device CLIs, causing the playbook to run without errors but not apply the ACLs.

Exam trap

Cisco often tests the misconception that Ansible modules automatically handle network device connections, but in reality, the 'connection: network_cli' parameter is mandatory for network modules to function correctly.

How to eliminate wrong answers

Option A is wrong because the engineer already verified the device is reachable, so a VRF mismatch would cause unreachability, not silent failure. Option C is wrong because incorrect ACL syntax would typically cause an error from the device, not a silent failure; the playbook runs without errors, indicating the syntax is accepted. Option D is wrong because the ios_config module uses the built-in ansible.netcommon collection and does not require netmiko; netmiko is used by other modules like ios_command with the 'ansible.netcommon.network_cli' connection, but ios_config relies on the Ansible network connection framework.

1378 · MCQ · easy

A network engineer executes the following command on Router R2:

    R2# show ip sla configuration 1
    IP SLAs Infrastructure Engine-II
    Entry number: 1
    Owner: admin
    Tag:
    Type of operation to perform: icmp-echo
    Target address: 192.168.2.10
    Source address: 192.168.2.1
    Type Of Service parameter: 0x0
    Request size (ARR data portion): 28
    Operation timeout (milliseconds): 5000
    Frequency (seconds): 60
    Next Scheduled Start Time: Start Time already passed
    Group Scheduled : FALSE
    Life (seconds): Forever
    Entry Ageout (seconds): never
    Recurring (Starting Everyday, Starting Time: 00:00:01)
    Status of entry (SNMP RowStatus): Active
    Threshold (milliseconds): 5000
    Distribution Statistics:
       Number of statistic hours kept: 2
       Number of statistic distribution buckets kept: 1
       Statistic distribution interval (milliseconds): 20
    Enhanced History:

Based on this output, what is the frequency of the IP SLA operation?

A. 30 seconds
B. 60 seconds
C. 120 seconds
D. 5000 milliseconds

Answer: B

The output shows 'Frequency (seconds): 60'.

Why this answer

The 'Frequency (seconds): 60' line indicates that the IP SLA operation runs every 60 seconds.

1379
MCQ (easy)

Which LACP mode must be configured on at least one side of an EtherChannel for the channel to establish?

A. Active
B. Passive
C. Desirable
D. On
Answer: A

Correct. Active mode initiates LACP negotiation.

Why this answer

LACP requires at least one side to be in active mode to initiate negotiation. If both sides are passive, the channel will not form because neither side sends LACP packets.

1380
Drag & Drop (medium)

Drag and drop the steps of OSPF virtual link configuration across area 0 into the correct order, from first to last.


Why this order

First, ensure the transit area (non-backbone) has full connectivity and at least one ABR. Then, identify the router IDs of the two ABRs that will form the virtual link. On each ABR, configure the virtual link using the 'area transit-area-id virtual-link router-id' command.

Verify the virtual link state using 'show ip ospf virtual-links'. Finally, confirm that routes from the backbone area are now reachable across the virtual link.

1381
MCQ (hard)

A network engineer is configuring a Cisco router to use TACACS+ for command authorization. The engineer configures 'aaa authorization commands 15 default group tacacs+ local'. When a user with privilege level 15 tries to execute the 'reload' command, the router sends an authorization request to the TACACS+ server. The server responds with an 'Access-Accept' but the command is still denied. The engineer checks the router's configuration and sees that 'aaa accounting commands 15 default start-stop group tacacs+' is also configured. What could be the issue?

A. The TACACS+ server's 'Access-Accept' response does not include the necessary authorization attributes to permit the 'reload' command, so the router denies it.
B. The 'aaa accounting commands 15' command is causing the router to send accounting records before authorization, which delays the response and causes a timeout.
C. The router's 'aaa authorization commands 15' should use 'group tacacs+' without 'local' to ensure only TACACS+ is used.
D. The user's privilege level on the router is not actually 15, despite the configuration.
Answer: A

Correct because TACACS+ command authorization requires the server to explicitly permit each command or use a 'permit all' attribute; an 'Access-Accept' without proper attributes results in denial.

Why this answer

The TACACS+ server response for command authorization includes attributes that specify which commands are allowed. If the server responds with an 'Access-Accept' but does not include the necessary authorization data (e.g., a list of permitted commands or a 'permit all' attribute), the router may deny the command. Alternatively, the accounting configuration might be interfering, but that is less likely.

The most common cause is that the TACACS+ server's response does not include the required authorization information for the specific command.

1382
Matching (hard)

Drag and drop each AAA method list type on the left to its correct fallback order (from first to last) on the right.

Matches

local, line

enable, none

local, none

local, if-authenticated

local, none

Why these pairings

The default method list for login authentication tries local first, then falls back to the line password. The default for enable authentication uses the enable password, then none. The default for PPP authentication uses local, then none.

The default for command authorization uses local, then if-authenticated. The default for exec authorization uses local, then none.

1383
MCQ (medium)

Examine the CoPP configuration:

class-map match-any COPP_SSH
 match access-group name SSH_ACL
!
policy-map COPP_POLICY
 class COPP_SSH
  police 10000 conform-action transmit exceed-action drop
 class class-default
  police 5000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP_POLICY

Which statement is true?

A. SSH traffic is limited to 10 kbps; all other control plane traffic is limited to 5 kbps.
B. All control plane traffic is limited to 10 kbps.
C. The class-default police rate is ignored because it is not explicitly matched.
D. The policy-map should be applied to an interface, not the control plane.
Answer: A

Class COPP_SSH has a police rate of 10000 bps, class-default has 5000 bps.

Why this answer

The policy applies two police rates: 10 kbps for SSH traffic and 5 kbps for all other control plane traffic.

1384
MCQ (medium)

A network engineer writes the following Ansible playbook to configure an interface on a Cisco IOS-XE device:

---
- hosts: routers
  gather_facts: no
  tasks:
    - name: Configure interface
      cisco.ios.ios_config:
        lines:
          - ip address 192.168.1.1 255.255.255.0
        parents: interface GigabitEthernet0/1

What is the issue with this playbook?

A. The playbook will fail because the 'cisco.ios.ios_config' module requires the 'connection: network_cli' parameter in the play or inventory.
B. The playbook will work correctly because the module automatically detects the device type.
C. The playbook will fail because 'cisco.ios.ios_config' is not a valid module name.
D. The playbook will work but only if the device is running IOS-XE 16.9 or later.
Answer: A

Without setting connection to network_cli, Ansible defaults to 'smart' which may not work for network devices.

Why this answer

The playbook uses the cisco.ios.ios_config module but does not specify the provider or connection details. In Ansible 2.9+, the connection type must be set to 'network_cli' or the module will fail. The correct answer identifies this missing connection parameter.

1385
MCQ (medium)

Consider this VLAN configuration on a Cisco switch:

vlan 10
 name Sales
vlan 20
 name Engineering
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20

What is missing if the switch needs to carry VLAN 30 traffic on this trunk?

A. VLAN 30 must be created and added to the allowed VLAN list on the trunk.
B. The trunk must be configured as an access port for VLAN 30.
C. The native VLAN must be changed to VLAN 30.
D. The switchport mode must be changed to dynamic desirable.
Answer: A

Without VLAN 30 created and allowed on the trunk, traffic for VLAN 30 will not be forwarded.

Why this answer

Option A is correct because a trunk port only forwards traffic for VLANs that exist in the switch's VLAN database and are explicitly permitted in the allowed VLAN list. VLAN 30 is neither created (no 'vlan 30' command) nor added to the trunk's allowed list (missing 'switchport trunk allowed vlan add 30'), so the switch will drop any frames tagged with VLAN 30. Creating the VLAN and updating the allowed list ensures the trunk can forward VLAN 30 traffic.

Exam trap

Cisco often tests the misconception that simply creating a VLAN on the switch is enough for trunk traffic, but the allowed VLAN list must also be explicitly updated, or the trunk will drop frames for that VLAN.

How to eliminate wrong answers

Option B is wrong because an access port cannot carry multiple VLANs; it belongs to a single VLAN and strips the 802.1Q tag, which would break trunking for VLANs 10 and 20. Option C is wrong because changing the native VLAN to 30 does not allow VLAN 30 traffic on the trunk; the native VLAN is used for untagged frames on a trunk and does not add a new VLAN to the allowed list. Option D is wrong because dynamic desirable mode uses DTP to negotiate trunking but does not create VLANs or modify the allowed VLAN list; the issue is missing VLAN creation and allowed list configuration, not trunk mode negotiation.

1386
MCQ (medium)

Consider the following configuration snippet from a Cisco IOS-XE router:

router eigrp 100
 network 10.0.0.0
 network 192.168.1.0
 passive-interface default
 no passive-interface GigabitEthernet0/0

What is the effect of the passive-interface commands?

A. EIGRP hellos are suppressed on all interfaces except GigabitEthernet0/0.
B. EIGRP hellos are sent on all interfaces, but updates are blocked.
C. EIGRP adjacency is formed on all interfaces except GigabitEthernet0/0.
D. EIGRP is disabled on all interfaces.
Answer: A

'passive-interface default' suppresses hellos on all interfaces, and 'no passive-interface GigabitEthernet0/0' re-enables them on Gi0/0 only.

Why this answer

The command 'passive-interface default' makes all interfaces passive by default, meaning they will not send or receive EIGRP hellos. The subsequent 'no passive-interface GigabitEthernet0/0' overrides this for that specific interface, allowing EIGRP adjacency formation on it.

1387
MCQ (easy)

A network engineer runs the following command on Router R1:

R1# show vrf brief
  Name          Default RD   Protocols  Interfaces
  CUSTOMER_A    65000:100    ipv4       Gi0/0.100
  CUSTOMER_B    65000:200    ipv4       Gi0/0.200
  MANAGEMENT    65000:999    ipv4       Gi0/1

Based on this output, what can be concluded?

A. All VRFs are using the same route distinguisher.
B. The MANAGEMENT VRF is used for customer traffic.
C. CUSTOMER_A and CUSTOMER_B are on the same physical interface but different subinterfaces.
D. The router is running MPLS L3VPN.
Answer: C

Both are on Gi0/0 with different subinterfaces (.100 and .200), indicating they share the same physical port.

Why this answer

The output shows three VRFs: CUSTOMER_A, CUSTOMER_B, and MANAGEMENT. Each has a route distinguisher and is associated with specific interfaces. The CUSTOMER_A and CUSTOMER_B VRFs are on subinterfaces of GigabitEthernet0/0, while MANAGEMENT is on a separate physical interface.

1388
MCQ (medium)

Consider the following configuration snippet on a Cisco IOS-XE router:

interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip pim sparse-mode
 ip igmp version 3
!
router ospf 1
 network 10.1.1.0 0.0.0.255 area 0
!

What is the effect of this configuration?

A. The interface will participate in PIM sparse-mode and IGMPv3, but PIM sparse-mode requires an RP to be configured or learned.
B. The interface will operate in PIM dense-mode because no RP is configured.
C. IGMPv3 is incompatible with PIM sparse-mode and will be ignored.
D. The router will automatically use dense-mode because OSPF is enabled.
Answer: A

Correct. PIM sparse-mode requires an RP. IGMPv3 is supported but the RP must be defined for sparse-mode to work.

Why this answer

The interface is configured with PIM sparse-mode and IGMPv3. PIM sparse-mode requires a rendezvous point (RP) to be known, either statically or via Auto-RP/BSR. IGMPv3 allows source-specific multicast (SSM) with the SSM range (232.0.0.0/8).

OSPF is enabled on the interface for unicast routing. The configuration is valid but missing an RP definition for sparse-mode to function correctly.

1389
MCQ (medium)

Refer to the exhibit. A network engineer has configured VRFs on a router. A packet arrives on Gi0/1/0 with destination IP 10.1.1.2. Which VRF is used for routing this packet?

A. Global routing table
B. Mgmt-intf
C. CUSTOMER-B
D. CUSTOMER-A
Answer: D

Correct. The packet arrives on Gi0/1/0 which belongs to VRF CUSTOMER-A, so routing occurs within that VRF.

Why this answer

The packet arrives on interface Gi0/1/0, which is configured under VRF CUSTOMER-A (as shown in the exhibit with 'ip vrf forwarding CUSTOMER-A'). When a VRF is applied to an ingress interface, the router uses that VRF's routing table (not the global table) to perform the destination IP lookup. Therefore, the packet with destination 10.1.1.2 is routed using the CUSTOMER-A VRF.

Exam trap

Cisco often tests the concept that the VRF used for routing is determined by the ingress interface's VRF assignment, not by the destination IP address or any other packet attribute, leading candidates to mistakenly assume the global table is used when no VRF is explicitly mentioned in the routing lookup.

How to eliminate wrong answers

Option A is wrong because the global routing table is used only when the ingress interface is not associated with any VRF, or when the VRF is explicitly bypassed (e.g., via 'ip route vrf' commands); here Gi0/1/0 is VRF-aware. Option B is wrong because 'Mgmt-intf' is a special VRF used exclusively for management traffic (e.g., SSH, SNMP) on the management interface, not for data-plane forwarding on Gi0/1/0. Option C is wrong because CUSTOMER-B is a different VRF; the interface Gi0/1/0 is bound to CUSTOMER-A, not CUSTOMER-B, so the router will not use CUSTOMER-B's routing table for this packet.

1390
MCQ (hard)

A network engineer runs the following command on Router R8:

R8# show mpls ldp traffic
LDP Traffic Statistics:
  Hellos sent: 5000, Hellos received: 4998
  Initialization messages sent: 2, received: 2
  Keepalive messages sent: 15000, received: 14995
  Label mapping messages sent: 100, received: 95
  Label withdraw messages sent: 5, received: 3
  Label release messages sent: 2, received: 1
  Label abort messages sent: 0, received: 0
  Notification messages sent: 1, received: 2
  Address messages sent: 10, received: 9
  Address withdraw messages sent: 1, received: 0

Based on this output, what is a likely issue?

A. The LDP session is experiencing packet loss because the number of hellos sent and received are not equal.
B. There is a problem with label distribution because label withdraw messages are significantly higher than label release messages.
C. The router has sent 100 label mapping messages but received 95, indicating that 5 mapping messages were lost.
D. The router has sent 1 notification message and received 2, indicating errors in the LDP session.
Answer: B

Label withdraw (5) vs label release (2) suggests that some labels are being withdrawn but not released, which could indicate a problem.

Why this answer

The statistics show a mismatch between sent and received messages for several types, especially label withdraw (5 sent, 3 received) and label release (2 sent, 1 received). This may indicate packet loss or a problem with the LDP session. However, the most notable discrepancy is in label mapping messages (100 sent, 95 received), suggesting some mapping messages were lost.

But the question asks for a likely issue; the high number of label withdraws relative to releases could indicate instability.

1391
Matching (medium)

Drag and drop each EIGRP timer on the left to its matching default value on the right.

Matches

5 seconds

15 seconds

3 minutes

60 seconds

180 seconds

Why these pairings

Hello timer default is 5 seconds on LAN; Hold timer default is 15 seconds; Active timer default is 3 minutes.

1392
MCQ (easy)

A network engineer is configuring EtherChannel between two Cisco switches using LACP. The engineer wants to ensure that if fewer than two links are operational, the EtherChannel does not come up. Which command should be configured?

A. Configure 'port-channel min-links 2' under the port-channel interface.
B. Configure 'lacp min-bundle 2' under the port-channel interface.
C. Configure 'channel-group 1 mode active' on the physical ports.
D. Configure 'port-channel max-links 2' under the port-channel interface.
Answer: A

Correct because min-links specifies the minimum number of active links needed for the channel to be up.

Why this answer

The correct answer is 'port-channel min-links 2', which sets the minimum number of active links required. The wrong answers either set maximum links or are unrelated.

1393
Drag & Drop (medium)

Drag and drop the steps of SNMPv3 authentication and privacy negotiation into the correct order, from first to last.


Why this order

SNMPv3 first discovers the engine ID, then the manager and agent agree on security parameters, authenticate, and finally encrypt the payload.

1394
Multi-Select (medium)

Which two statements about MPLS VPN (Layer 3 VPN) are true? (Choose two.)

Select 2 answers
A. PE routers maintain separate VRF tables for each VPN customer.
B. P routers must maintain a full routing table for each VPN customer.
C. MP-BGP is used to exchange VPNv4 routes between PE routers.
D. CE routers run MPLS and participate in label distribution with the PE.
E. The VPN label is used by P routers to forward traffic across the MPLS core.
Answers: A, C

Correct because VRF (Virtual Routing and Forwarding) instances isolate customer routes on the PE.

Why this answer

In MPLS Layer 3 VPNs, the PE router maintains separate VRF tables per customer and uses MP-BGP to exchange VPNv4 routes (including the route distinguisher and VPN label). The P router does not need to know customer routes; it only swaps labels. The CE router does not participate in MPLS; it runs standard IP routing with the PE.

1395
MCQ (medium)

An Ansible playbook uses the cisco.dnac.site module to create a new building site. The playbook is:

- name: Create building site
  cisco.dnac.site:
    host: "{{ dnac_host }}"
    username: "{{ dnac_username }}"
    password: "{{ dnac_password }}"
    validate_certs: no
    state: present
    site:
      name: Building-B
      type: building
      parentName: Area-1
      address: "123 Main St"
      latitude: 37.7749
      longitude: -122.4194
  register: result

What is the purpose of the 'parentName' parameter?

A. It specifies the name of the building's parent in the hierarchy, such as an area or global site.
B. It defines the DNS domain name for the building.
C. It sets the name of the network profile associated with the building.
D. It is used to specify the building's primary IP address.
Answer: A

Correct. The parentName defines where in the site hierarchy the building is placed.

Why this answer

The 'parentName' parameter specifies the name of the parent site (area or global) under which the building is created. This is necessary for building the site hierarchy.

1396
MCQ (medium)

An Ansible playbook uses the uri module to make a REST API call to Cisco DNA Center:

---
- hosts: localhost
  gather_facts: no
  tasks:
    - name: Get devices
      uri:
        url: "https://dna-center/api/v1/network-device"
        method: GET
        headers:
          X-Auth-Token: "{{ token }}"
        return_content: yes
      register: result
    - debug:
        var: result.json

What is missing from this playbook?

A. The playbook is missing a task to authenticate and obtain the X-Auth-Token before making the API call.
B. The playbook will work if the token is defined in the inventory file.
C. The playbook should use the 'cisco.dnac' collection instead of the uri module.
D. The playbook is missing the 'validate_certs: no' parameter to ignore SSL errors.
Answer: A

DNA Center requires a token obtained via POST /dna/system/api/v1/auth/token.

Why this answer

The playbook does not include a task to obtain the authentication token. The token variable is used but never defined. The correct answer identifies the missing authentication step.

1397
Matching (medium)

Drag and drop each IP SLA reaction action on the left to its corresponding behavior on the right.

Matches

Send a log message

Send an SNMP notification

Start another IP SLA operation

Disable reaction

Trigger on probe timeout

Why these pairings

Syslog sends a log message; SNMP trap sends an SNMP notification; trigger starts another IP SLA operation; none disables reaction; timeout triggers on probe timeout.

1398
MCQ (hard)

A network engineer runs the following command on Router R5:

R5# show mpls ldp discovery
 Local LDP Identifier:
    10.5.5.5:0
    Discovery Sources:
    Interfaces:
        GigabitEthernet0/0: xmit/recv
            LDP Id: 10.5.5.4:0, no hello (expired)
        GigabitEthernet0/1: xmit/recv
            LDP Id: 10.5.5.6:0

Based on this output, what is the state of the LDP session with neighbor 10.5.5.4?

A. The LDP session with 10.5.5.4 is operational because the interface is in xmit/recv mode.
B. The LDP session with 10.5.5.4 is not established because no hello messages have been received from that neighbor.
C. The LDP session with 10.5.5.4 is down because the interface is not operational.
D. The LDP session with 10.5.5.4 is using targeted discovery.
Answer: B

The 'no hello (expired)' indicates that the hello timer expired without receiving a hello, so the session cannot be established.

Why this answer

The output shows LDP discovery sources. For Gi0/0, the neighbor 10.5.5.4:0 has 'no hello (expired)', meaning the hello messages have not been received recently, so the neighbor is considered down or the session is not established.

1399
Drag & Drop (medium)

Drag and drop the steps of RSPAN VLAN propagation across trunk links into the correct order, from first to last.


Why this order

The RSPAN VLAN must be created, allowed on trunks, and then used in sessions to propagate traffic across switches.

1400
MCQ (easy)

What is the maximum hop count for EIGRP?

A. 15
B. 255
C. 16
D. 100
Answer: B

Correct. EIGRP has a maximum hop count of 255.

Why this answer

EIGRP uses a maximum hop count of 255, which is a hard limit encoded in the protocol's metric field. This allows EIGRP to scale to much larger networks than distance-vector protocols like RIP, which have a hop count limit of 15. The hop count is not used as a primary metric in EIGRP but serves as a loop-prevention mechanism, and routes with a hop count exceeding 255 are considered unreachable.

Exam trap

Cisco often tests the difference between RIP's 15-hop limit and EIGRP's 255-hop limit, and the trap here is that candidates confuse the hop count limit with the administrative distance (100) or the RIP unreachable metric (16).

How to eliminate wrong answers

Option A is wrong because 15 is the maximum hop count for RIP (Routing Information Protocol), not EIGRP; this is a classic confusion between distance-vector protocols. Option C is wrong because 16 is the 'unreachable' metric in RIP, not a valid EIGRP hop count limit. Option D is wrong because 100 is the default administrative distance for EIGRP internal routes, not the maximum hop count.

1401
Drag & Drop (medium)

Drag and drop the steps of the DiffServ traffic classification and marking pipeline into the correct order, from first to last.


Why this order

In the DiffServ QoS pipeline, traffic must first be classified using class maps, then marked with a policy map, and finally applied to an interface using a service policy. The order ensures that packets are identified, marked, and then enforced on the egress interface.

1402
MCQ (medium)

Given the following configuration:

interface Port-channel1
 no switchport
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 no switchport
 channel-group 1 mode on
!
interface GigabitEthernet0/2
 no switchport
 channel-group 1 mode on

Which statement is true about this EtherChannel?

A. The EtherChannel will form only if the neighbor also uses LACP active mode.
B. The EtherChannel will form and operate as a Layer 3 routed interface.
C. The EtherChannel will not form because the interfaces are in no switchport mode.
D. The EtherChannel will form but will use PAgP negotiation.
Answer: B

Correct. 'no switchport' makes it a Layer 3 interface, and 'mode on' creates a static channel without negotiation.

Why this answer

The 'mode on' command forces the interface into an EtherChannel without any negotiation protocol (no LACP or PAgP). Both sides must be configured with 'mode on' for the channel to come up. The port-channel is a routed interface (no switchport) with an IP address.

1403
MCQ (medium)

Your company has a campus network with two distribution switches (DS1 and DS2) each connected to two access switches (AS1-AS4). All switches run Rapid PVST+. The root bridge for VLAN 10 is DS1. Recently, users on AS2 (VLAN 10) report intermittent connectivity. You notice that AS2's root port for VLAN 10 is flapping between two uplinks to DS1 and DS2. The link from AS2 to DS1 is a 1 Gbps fiber, and the link to DS2 is a 1 Gbps copper. The cost of both links is 4 (default for 1 Gbps). The network administrator previously configured PortFast on all access ports but did not configure any other spanning-tree parameters. Which action should you take to stabilize the topology?

A. Disable PortFast on all access ports to force proper RSTP convergence.
B. Configure spanning-tree vlan 10 priority 4096 on DS1 to ensure it remains the root and that AS2 selects the uplink to DS1 as root port.
C. Increase DS2's priority to 8192 to make it less likely to become the root.
D. Change the fiber link between AS2 and DS1 to operate at 10 Gbps to reduce its cost.
Answer: B

Correct: Lowering priority ensures DS1 is root and AS2's link to DS1 becomes the root port, stopping flapping.

Why this answer

The root port flapping occurs because both uplinks from AS2 to DS1 and DS2 have identical default costs (4 for 1 Gbps), causing Rapid PVST+ to continuously re-evaluate which port is the superior root port. By configuring `spanning-tree vlan 10 priority 4096` on DS1, you lower its bridge priority below the default 32768, ensuring DS1 remains the root bridge for VLAN 10. This makes the path through DS1 the single best root path, stabilizing AS2's root port selection.

Exam trap

Cisco often tests the misconception that changing the root bridge priority on the current root is unnecessary because it is already the root, but the trap here is that equal-cost paths cause flapping, and the correct fix is to ensure the root bridge has a lower priority so that the path cost calculation is deterministic.

How to eliminate wrong answers

Option A is wrong because PortFast is used on access ports to immediately transition them to forwarding state, bypassing the listening/learning phases; disabling it would not resolve the root port flapping issue and could actually cause longer convergence delays. Option C is wrong because increasing DS2's priority to 8192 (making it less likely to become root) does not address the core problem: both links have equal cost, so AS2 still sees two equal-cost paths to the root; the root port flapping would continue regardless of DS2's priority as long as DS1 remains the root. Option D is wrong because changing the fiber link to 10 Gbps would reduce its cost to 2 (default for 10 Gbps), which would force AS2 to select that link as root port, but this is a hardware/operational change that is less efficient and more costly than simply adjusting the bridge priority; the question asks for the most appropriate action to stabilize the topology, and a configuration change is preferable.

1404
Matching (medium)

Drag and drop each VLAN range on the left to its matching type on the right.

Matches

Normal range VLANs

Extended range VLANs

Reserved VLANs (cannot be used)

Default FDDI and Token Ring VLANs

Default Ethernet VLAN

Why these pairings

VLANs 1–1005 are normal range, 1006–4094 extended, 0 and 4095 reserved, 1002–1005 are default token ring/FDDI VLANs, and 1 is the default Ethernet VLAN.

1405
Multi-Select (hard)

Which three statements about telemetry data collection methods are true? (Choose three.)

Select 3 answers
A. SNMP is a push-based telemetry method where agents send traps to the NMS.
B. Syslog messages can be used as a form of telemetry to report events and state changes.
C. Model-driven telemetry supports both periodic and event-driven subscriptions.
D. gNMI is a protocol used to retrieve and manipulate configuration state, and it also supports telemetry subscriptions.
E. Telemetry data can only be encoded in XML format.
Answers: B, C, D

Syslog sends event-driven data from devices to a collector, fitting the telemetry definition.

Why this answer

Telemetry can be collected via SNMP (pull), Syslog (push), and model-driven telemetry (push). SNMP polling is a classic pull method, while Syslog and MDT are push-based. MDT offers higher scale and flexibility compared to SNMP.

1406
MCQ (medium)

A network engineer runs the following command on Router R1:

R1# show ip access-lists
Extended IP access list 120
    10 permit tcp 10.0.0.0 0.255.255.255 any eq 22 (5 matches)
    20 permit tcp 172.16.0.0 0.0.255.255 any eq 22 (3 matches)
    30 deny tcp any any eq 22 (2 matches)
    40 permit ip any any (10 matches)

Based on this output, what can be concluded?

A. SSH access from 192.168.1.0/24 would be denied.
B. SSH access from 10.0.0.0/8 is denied.
C. All SSH traffic is permitted.
D. The ACL has an implicit deny at the end.
Answer: A

Entry 30 denies SSH from any source not matching entries 10 or 20, so 192.168.1.0/24 would be denied.

Why this answer

ACL 120 permits SSH (port 22) from 10.0.0.0/8 and 172.16.0.0/16, denies SSH from all other sources, and permits all other IP traffic. The match counts show 5 SSH packets from 10.x.x.x, 3 from 172.16.x.x, 2 denied SSH packets from other sources, and 10 other packets permitted. The correct answer is that SSH access from 192.168.1.0/24 would be denied.

1407
MCQ (easy)

A company is deploying a new branch office with 50 users. The branch needs to connect to the headquarters via a WAN link. The engineer wants to use a design that minimizes the need for routing protocol configuration at the branch while still providing redundancy. Which design is most appropriate?

A. Use a hub-and-spoke design with static routes on the branch router and a single WAN link.
B. Use a full mesh design with OSPF on all routers.
C. Use a point-to-point design with BGP on the branch router.
D. Use a spine-leaf design with multiple WAN links.
Answer: A

Correct because hub-and-spoke with static routes is simple and requires minimal configuration; a second link with floating static routes can be added for redundancy.

Why this answer

Option A is correct because a hub-and-spoke design with static routes on the branch router minimizes routing protocol configuration (no dynamic routing protocol needed) while still providing redundancy if the single WAN link is backed by a secondary path (e.g., a backup link or dual-homed connection) that can be handled via floating static routes. This approach keeps the branch router simple and avoids the complexity of running OSPF or BGP, which is unnecessary for a small branch with 50 users.

Exam trap

Cisco often tests the misconception that redundancy always requires a dynamic routing protocol, but static routes with floating static routes can provide simple, effective redundancy without the configuration overhead of OSPF or BGP.

How to eliminate wrong answers

Option B is wrong because a full mesh design with OSPF on all routers requires extensive routing protocol configuration on every router, including the branch, which contradicts the goal of minimizing configuration. Option C is wrong because using BGP on the branch router adds significant configuration and operational overhead (e.g., AS numbers, neighbor statements, prefix advertisement) that is not needed for a simple branch connection. Option D is wrong because a spine-leaf design is intended for data center networks with high east-west traffic and multiple paths, not for a small branch office with a single WAN link; it would introduce unnecessary complexity and cost.

1408
Drag & Drop (medium)

Drag and drop the steps of multicast RP discovery using Auto-RP into the correct order, from first to last.


Why this order

Auto-RP uses a mapping agent that listens for RP announcements, then advertises the RP mapping via a well-known group; all routers learn the RP and use it for group-to-RP mapping.

1409
Multi-Selectmedium

Which two statements about NAT configuration on Cisco IOS routers are true? (Choose two.)

Select 2 answers
A.The ip nat inside source list command translates traffic from the inside interface to the outside interface.
B.Static NAT requires both ip nat inside and ip nat outside commands on the same interface.
C.The ip nat outside source list command translates the source IP of packets entering the inside interface.
D.Dynamic NAT uses a pool of public IP addresses assigned on a first-come, first-served basis.
E.NAT overload (PAT) uses a single public IP address by mapping multiple inside hosts to different TCP/UDP ports.
AnswersA, D

Correct because ip nat inside source list translates packets sourced from the inside network when they exit the outside interface.

Why this answer

This question tests understanding of NAT configuration fundamentals, including inside/outside interface roles and NAT types.

1410
Drag & Dropmedium

Drag and drop the steps of VNF life cycle management into the correct order, from first to last.

Why this order

The correct order follows the ETSI NFV lifecycle: first onboard the VNF package, then instantiate the VNF, configure the VNF, scale the VNF as needed, and finally terminate the VNF when no longer required.

1411
MCQhard

A network engineer is configuring BGP on a Cisco router that is part of an enterprise network with multiple BGP peers. The router receives routes from two different ISPs. The engineer wants to ensure that only specific prefixes from ISP-A are installed in the routing table, while all other routes from ISP-A are ignored. Additionally, the engineer wants to accept all routes from ISP-B. Which BGP feature should be used on the router for the peering with ISP-A?

A.Apply a distribute list under the BGP neighbor configuration for ISP-A.
B.Configure a network statement under BGP for the desired prefixes.
C.Use the default-information originate command under BGP.
D.Apply a route map to the neighbor using the route-map command in the inbound direction.
AnswerA

Correct because a distribute list with a prefix list can filter incoming routes based on prefix, allowing only specific prefixes.

Why this answer

A distribute list applied under the BGP neighbor configuration for ISP-A allows the engineer to filter specific prefixes using an access list or prefix list, ensuring only the desired prefixes are installed in the routing table while all others from ISP-A are ignored. This is the correct tool for inbound route filtering on a per-neighbor basis, as it directly controls which routes are accepted into the BGP table and subsequently the routing table.

Exam trap

Cisco often tests the distinction between filtering incoming routes (distribute list or route map), originating routes (network statement), and generating a default route (default-information originate). Because both a route map and a distribute list can filter, candidates tend to confuse the two; the question asks which feature 'should be used', and a distribute list is the precise answer for prefix-only filtering without attribute manipulation.

How to eliminate wrong answers

Option B is wrong because a network statement under BGP is used to originate a prefix into BGP, not to filter incoming routes from a neighbor. Option C is wrong because the default-information originate command is used to generate a default route into BGP, not to filter specific prefixes from a peer. Option D is wrong because, although a route map can be used for inbound filtering, the question calls for a distribute list: a route map is the more complex tool and is typically used for attribute manipulation, whereas a distribute list is the simpler, direct mechanism for prefix-based filtering.

1412
Drag & Dropmedium

Drag and drop the steps of ISE RADIUS policy evaluation order into the correct order, from first to last.

Why this order

Cisco ISE evaluates RADIUS policies in a specific order: first it checks authentication policies, then authorization policies (including exception policies), and finally applies the matched authorization profile. If no match, the default deny policy applies.

1413
MCQhard

A network engineer writes an Ansible playbook to gather facts from a Cisco IOS device using the ios_facts module:

```yaml
---
- name: Gather IOS Facts
  hosts: ios_devices
  gather_facts: no
  tasks:
    - name: Collect facts
      cisco.ios.ios_facts:
        gather_subset:
          - hardware
      register: device_facts
    - name: Show serial number
      debug:
        msg: "Serial number is {{ device_facts['ansible_facts']['ansible_net_serialnum'] }}"
```

What is a potential issue with this playbook?

A.The 'gather_subset' parameter is misspelled; it should be 'gather_subset' (correct spelling).
B.The playbook is missing 'connection: network_cli' and 'become: yes' to enable network device access.
C.The registered variable 'device_facts' should be accessed as 'device_facts.ansible_facts.ansible_net_serialnum' using dot notation.
D.The 'hardware' subset is invalid; it should be 'all' to get serial number.
AnswerB

Network modules require these settings to function properly.

Why this answer

Setting 'gather_facts: no' at the play level is appropriate for a network device. The ios_facts module returns its facts under the 'ansible_facts' key, and the registered variable 'device_facts' holds the whole module response with 'ansible_facts' as a subkey, so the debug message's access path 'device_facts['ansible_facts']['ansible_net_serialnum']' is correct. The parameter name 'gather_subset' is also the correct one for cisco.ios.ios_facts, and the 'hardware' subset does include the serial number, so neither of those is the defect.

What the playbook lacks is 'connection: network_cli' and 'become: yes', which network modules require; without them the task may fail. That is the most likely problem.

1414
MCQmedium

A network engineer issues the following command on Router R6:

```
R6# show ip sla statistics 5
Round Trip Time (RTT) for Index 5
Latest RTT: 150 ms
Latest Operation Start Time: 16:00:00.000 UTC Mon Mar 1 2021
Latest Operation Return Code: OK
Number of successes: 10
Number of failures: 0
Over thresholds: 8
```

Based on this output, what does the 'Over thresholds: 8' indicate?

A.8 probes failed to reach the target.
B.8 probes had RTT exceeding the configured threshold.
C.8 probes were sent in total.
D.The threshold is set to 150 ms.
AnswerB

Over thresholds count indicates threshold violations.

Why this answer

The 'Over thresholds' counter shows how many times the RTT exceeded the configured threshold. In this case, 8 out of 10 successful probes had RTT above the threshold, indicating high latency even though the operation succeeded.

1415
Matchingmedium

Drag and drop each telemetry protocol on the left to its matching transport on the right.

Matches

HTTP/2

gRPC

SSH

HTTPS

Not a standard telemetry transport

Why these pairings

gRPC uses HTTP/2, gNMI uses gRPC, NETCONF uses SSH, RESTCONF uses HTTPS, and HTTP is not a standard telemetry transport.

1416
Multi-Selectmedium

Which two statements about EIGRP feasible successors are true? (Choose two.)

Select 2 answers
A.A feasible successor must have a reported distance less than the feasible distance.
B.A feasible successor is immediately used when the successor fails, without any query process.
C.The feasible distance is the metric of the feasible successor route.
D.EIGRP will always have at least one feasible successor for every route.
E.The feasible successor is stored in the routing table as a backup route.
AnswersA, B

Correct because the feasibility condition requires the reported distance (neighbor's metric) to be strictly less than the feasible distance (the current best metric).

Why this answer

A feasible successor is a backup route that meets the feasibility condition (reported distance < feasible distance). It is stored in the topology table and can be used immediately if the successor fails, without querying neighbors. The feasible distance is the lowest metric to a destination; the successor is the route with that metric.

The reported distance is the neighbor's metric to the destination.

1417
Matchingmedium

Drag and drop each SD-WAN plane on the left to its matching function on the right.

Matches

Distributes OMP routes, TLOCs, and policy information between vSmart and WAN edges

Forwards user traffic over IPsec tunnels between WAN edge routers

Provides REST API, CLI, and web GUI for configuring and monitoring the fabric

Automates initial authentication, NAT detection, and vBond discovery

(Not a standard SD-WAN plane; used as a distractor) Handles application-level services

Why these pairings

The control plane handles routing and signaling; the data plane forwards packets; the management plane provides GUI/API access; the orchestration plane automates device onboarding and certificate management.

1418
MCQmedium

In a DMVPN phase 2 network, what is the primary advantage of using phase 2 over phase 1?

A.Phase 2 supports dynamic routing protocols over the tunnel, while phase 1 does not.
B.Phase 2 allows spoke-to-spoke direct tunnels, bypassing the hub for data traffic.
C.Phase 2 uses mGRE on both hub and spokes, while phase 1 uses p2p GRE on spokes.
D.Phase 2 supports IPsec encryption natively, while phase 1 requires additional configuration.
AnswerB

Phase 2 enables spoke-to-spoke tunnels using NHRP redirect and shortcut, so traffic between spokes goes directly.

Why this answer

DMVPN phase 2 allows spoke-to-spoke tunnels to be established dynamically without traffic having to traverse the hub. This reduces latency and hub load. Phase 1 only supports hub-and-spoke topology where all traffic goes through the hub.

1419
Matchingmedium

Drag and drop each streaming telemetry mode on the left to its matching trigger on the right.

Matches

data is sent at a fixed interval

data is sent when a monitored value changes

device determines when to send updates

skip sending if value unchanged

periodic keep-alive even if no change

Why these pairings

Periodic sends data at fixed intervals, on-change sends data when a value changes, and target-defined uses the device's own update policy.

1420
Matchingmedium

Drag and drop each telemetry protocol on the left to its matching transport on the right.

Matches

HTTP/2

gRPC (HTTP/2)

SSH

HTTPS

UDP

Why these pairings

gRPC uses HTTP/2, gNMI uses gRPC (HTTP/2), NETCONF uses SSH, and RESTCONF uses HTTPS.

1421
Drag & Dropmedium

Drag and drop the steps of MP-BGP VPNv4 route advertisement between PE routers into the correct order, from first to last.

Why this order

The correct order starts with the local PE learning the customer route via IGP or static, then redistributing it into MP-BGP with a route distinguisher, advertising the VPNv4 route to the remote PE, which receives and installs it into the VRF, and finally the remote PE redistributes the route into the customer-facing IGP.

1422
Matchingmedium

Drag and drop each EtherChannel protocol on the left to its matching vendor on the right.

Matches

IEEE standard (multi-vendor)

Cisco proprietary

Why these pairings

LACP is the IEEE 802.3ad standard (multi-vendor); PAgP is Cisco proprietary.

1423
MCQmedium

Consider the following BGP configuration:

```
router bgp 65000
 bgp router-id 1.1.1.1
 neighbor 10.1.1.2 remote-as 65001
 neighbor 10.1.1.2 route-map SET_MED out
!
route-map SET_MED permit 10
 set metric 50
```

What is the effect of this configuration?

A.Routes advertised to 10.1.1.2 will have the MED set to 50, influencing inbound path selection in AS 65001.
B.Routes advertised to 10.1.1.2 will have the MED set to 50, influencing outbound path selection from AS 65000.
C.Routes received from 10.1.1.2 will have the MED set to 50.
D.The MED value will be set to 50 for all routes in the BGP table.
AnswerA

Correct. The route-map sets MED on outbound updates, affecting how AS 65001 selects the path to reach networks in AS 65000.

Why this answer

The route-map SET_MED is applied to outbound updates to neighbor 10.1.1.2, setting the MED (Multi-Exit Discriminator) attribute to 50. MED is a metric that influences inbound path selection in the neighboring AS (AS 65001), telling its routers which path to prefer when multiple entry points exist into AS 65000. Therefore, option A correctly describes the effect.

Exam trap

Cisco often tests the distinction between inbound and outbound route-map application; the trap here is forgetting that MED influences inbound path selection in the receiving AS, not outbound path selection from the advertising AS.

How to eliminate wrong answers

Option B is wrong because MED influences inbound path selection into the AS that advertises the routes, not outbound path selection from the advertising AS. Option C is wrong because the route-map is applied 'out' (outbound), not 'in' (inbound), so it affects routes sent to the neighbor, not received from it. Option D is wrong because the route-map only applies to routes advertised to neighbor 10.1.1.2, not to all routes in the BGP table.

1424
MCQmedium

In Cisco TrustSec, which component is responsible for assigning a Security Group Tag (SGT) to a user or device based on authentication?

A.The RADIUS server (ISE) assigns the SGT during authentication.
B.The switch dynamically assigns the SGT based on the MAC address.
C.The endpoint device sends its SGT in the EAPOL-Start message.
D.The SGT is derived from the VLAN ID assigned to the port.
AnswerA

ISE authenticates the endpoint and returns the SGT in the RADIUS Access-Accept message.

Why this answer

The Identity Services Engine (ISE) acts as the policy decision point, authenticating users/devices and assigning SGTs based on policy. The switch enforces based on the SGT.

1425
MCQmedium

Consider the following SD-WAN device configuration on a Cisco IOS-XE router:

```
sdwan
 interface GigabitEthernet0/0/1
  tunnel-interface
   encapsulation ipsec
   color public-internet
   allow-service all
  !
 interface GigabitEthernet0/0/2
  tunnel-interface
   encapsulation ipsec
   color 3g
   allow-service all
  !
```

Which statement about this configuration is true?

A.The router will establish two separate SD-WAN tunnels, one for each color, and load balance traffic across them.
B.The router will use only the first tunnel interface (GigabitEthernet0/0/1) because the second interface has an invalid color name.
C.The 'allow-service all' command is invalid on a tunnel-interface; only specific services can be allowed.
D.The configuration will cause a conflict because both interfaces use the same encapsulation (ipsec).
AnswerA

Each tunnel-interface with a different color creates a separate transport tunnel. SD-WAN can use multiple transports for load balancing and redundancy.

Why this answer

In Cisco SD-WAN, each WAN interface configured under the `sdwan` configuration with a unique `color` creates a separate SD-WAN transport tunnel (TLOC). The router will establish two distinct IPsec tunnels—one for `public-internet` and one for `3g`—and can load balance traffic across them using ECMP or policy-based steering. This is the standard behavior for multi-homed SD-WAN edge routers.

Exam trap

Cisco often tests the misconception that `color` values are limited to a small set or that duplicate encapsulation causes a conflict, when in fact `3g` is a valid color and multiple IPsec tunnels are expected for multi-homed SD-WAN designs.

How to eliminate wrong answers

Option B is wrong because `3g` is a valid, predefined color in Cisco SD-WAN (colors include `3g`, `public-internet`, `biz-internet`, `mpls`, `lte`, `metro-ethernet`, etc.), so the second interface is not invalid. Option C is wrong because `allow-service all` is a valid command on a tunnel-interface that permits all SD-WAN control-plane services (e.g., OMP, BFD, STUN) over that tunnel; it does not refer to data-plane service ACLs. Option D is wrong because using the same encapsulation (`ipsec`) on multiple interfaces is not a conflict—it is standard; each tunnel is uniquely identified by its color and interface, and IPsec is the only supported encapsulation for SD-WAN tunnels.
