ENCOR 350-401 (350-401) — Questions 76–150

2015 questions total · 27 pages · Page 2 of 27
76
Matching · medium

Drag and drop each IP SLA schedule parameter on the left to its function on the right.

Matches

Defines when the operation begins

Sets the interval between probes

Sets the total duration of the operation

Removes the operation after inactivity

Sets the value that triggers a reaction

Why these pairings

Start-time defines when the operation begins; frequency sets the interval between probes; life sets the total duration of the operation.

77
Drag & Drop · medium

Drag and drop the steps of the 802.1X/EAP authentication process for a wireless client into the correct order, from first to last.

Why this order

The 802.1X/EAP process begins with the client sending an EAPoL-Start to the AP, which triggers the AP to send an EAP-Request Identity. The client responds with an EAP-Response Identity, which the AP forwards to the RADIUS server. The RADIUS server then sends EAP-Request credentials (e.g., password) to the client via the AP, and the client replies with EAP-Response credentials.

78
MCQ · medium

Examine this configuration for a site-to-site VPN on a Cisco router:

    crypto isakmp policy 10
     encryption aes 256
     hash sha256
     authentication pre-share
     group 14
     lifetime 86400
    !
    crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac
     mode tunnel
    !
    crypto map CMAP 10 ipsec-isakmp
     set peer 192.168.1.1
     set transform-set TSET
     match address 101
    !
    interface GigabitEthernet0/0/0
     ip address 10.0.0.1 255.255.255.0
     crypto map CMAP
    !
    access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

Which statement about this configuration is true?

A. The crypto map uses IKEv2 for key exchange because the transform set uses SHA-256.
B. The access-list 101 defines the traffic that will be encrypted; traffic from 192.168.10.0/24 to 192.168.20.0/24 will be protected.
C. The ISAKMP policy lifetime of 86400 seconds is too long and will cause the tunnel to fail.
D. The crypto map should be applied to the tunnel interface, not the physical interface.

Answer: B

The 'match address 101' in the crypto map references ACL 101, which permits the specified source and destination networks. Only matching traffic triggers IPsec encryption.

Why this answer

This is a classic crypto map-based site-to-site IPsec VPN. The ISAKMP policy defines phase 1 parameters, the transform set defines phase 2, and the crypto map binds them together with the peer and interesting traffic ACL. The ACL 101 specifies traffic from 192.168.10.0/24 to 192.168.20.0/24 to be encrypted.

79
MCQ · medium

A network engineer configures VRF-lite on a router with the following snippet:

    vrf definition GREEN
     rd 200:1
    !
    interface GigabitEthernet0/3
     vrf forwarding GREEN
     ip address 172.16.1.1 255.255.255.0
    !
    router ospf 10 vrf GREEN
     network 172.16.1.0 0.0.0.255 area 0

What is missing from this configuration to enable proper OSPF routing within VRF GREEN?

A. The configuration is complete and OSPF will operate correctly within VRF GREEN.
B. The 'network' command should specify the interface instead of the subnet.
C. The 'vrf definition GREEN' must include a 'route-target' command.
D. The OSPF process must be configured under the global VRF context, not using 'vrf GREEN'.

Answer: A

Correct. OSPF will run in VRF GREEN with the given commands; router-id can be auto-selected.

Why this answer

Option A is correct because the configuration is complete for VRF-lite OSPF routing. In VRF-lite, the 'vrf definition GREEN' with an RD, the interface assignment via 'vrf forwarding GREEN', and the OSPF process with 'vrf GREEN' and the network statement are all that is required. OSPF will operate correctly within VRF GREEN using the specified network in area 0.

Exam trap

Cisco often tests the misconception that VRF-lite requires 'route-target' commands, which are actually only necessary for MPLS VPNs, not for simple VRF-lite configurations.

How to eliminate wrong answers

Option B is wrong because the OSPF 'network' command takes a subnet with a wildcard mask, which is the standard method; it does not need to name the interface directly. Option C is wrong because 'route-target' commands are required for MPLS VPN, not for VRF-lite (which does not use MPLS); in VRF-lite only the RD is needed to distinguish routes. Option D is wrong because the OSPF process is associated with the VRF by adding the 'vrf GREEN' keyword after the process ID in global configuration, which is the correct syntax.

80
Matching · medium

Drag and drop each MQC command on the left to its matching configuration level on the right.

Matches

Defines a traffic class using match criteria

Associates a traffic class with QoS actions (e.g., bandwidth, priority, police)

Applies a policy-map to an interface (input or output) or globally

Used inside a class-map to specify classification criteria

Used inside a policy-map class to allocate minimum bandwidth

Why these pairings

class-map defines traffic classes; policy-map associates actions with classes; service-policy applies the policy to an interface or globally.

81
MCQ · medium

A network engineer configures IP SLA 1 to monitor HTTP server availability at 10.1.1.1 using HTTP GET. The operation is used as a track object for a backup static route. The engineer notices that the IP SLA operation shows 'State: Active' and 'Latest RTT: 200 ms', but the track object shows 'Track 1: up' even though the HTTP server returns a 404 error. What is the cause?

A. The IP SLA HTTP operation must be configured with a 'url' that includes the full path, otherwise it defaults to the root and returns 404.
B. The IP SLA HTTP operation does not interpret HTTP status codes by default; it only checks if a TCP connection is established.
C. The track object must be configured with a 'down' threshold to trigger when the HTTP response time exceeds a value.
D. The HTTP server is responding, so the IP SLA operation correctly shows success; the engineer must use a different type of probe, like TCP connect, to detect the 404.

Answer: B

Correct. IP SLA HTTP probe by default only verifies that the TCP handshake succeeds and a response is received. It does not parse the HTTP status code unless a 'status-code' match is configured.

Why this answer

By default, IP SLA HTTP operations consider a successful HTTP response (any status code) as a success. The operation does not fail on 404 unless a specific status code match is configured.

82
Multi-Select · medium

Which two statements about Control Plane Policing (CoPP) are true? (Choose two.)

A. CoPP applies QoS policy-map logic to traffic that is destined to the control plane of the router.
B. CoPP is configured under the 'control-plane' global configuration mode.
C. CoPP can be applied to both IPv4 and IPv6 traffic in a single policy-map.
D. CoPP is applied to traffic transiting the router, not to traffic originated by the router.
E. The default action for CoPP is to permit all control-plane traffic.

Answers: A, B

Correct because CoPP uses MQC (Modular QoS CLI) to classify and police control-plane-bound traffic.

Why this answer

CoPP protects the control plane by policing traffic destined to it. The correct answers describe its location and default behavior. The incorrect options confuse CoPP with data-plane ACLs or misstate the default action.

83
Multi-Select · hard

Which three statements about using Python for interacting with Cisco IOS-XE devices via NETCONF and RESTCONF are true? (Choose three.)

A. The ncclient Python library can be used to establish a NETCONF session with a Cisco IOS-XE device and retrieve YANG-modeled data.
B. RESTCONF uses HTTP methods such as GET, POST, PUT, and DELETE to access YANG-defined data on a network device.
C. YANG models define the structure and constraints of data that can be accessed via NETCONF or RESTCONF.
D. RESTCONF only supports data encoding in YAML format.
E. NETCONF is always faster than RESTCONF for retrieving large amounts of data because it uses a binary encoding.

Answers: A, B, C

Correct because ncclient is a widely used Python library that implements NETCONF client functionality, allowing retrieval and manipulation of YANG-defined data on devices that support NETCONF.

Why this answer

The correct answers cover key aspects: ncclient is the standard Python library for NETCONF, RESTCONF uses HTTP methods like PUT for creating resources, and YANG models define the data structures. The incorrect options misrepresent RESTCONF's data format (it uses JSON/XML, not YAML), incorrectly state that NETCONF is always faster (it is XML-based and can be slower), and wrongly claim that ncclient is deprecated.

84
Drag & Drop · medium

Drag and drop the steps of OSPF virtual link configuration into the correct order, from first to last.

Why this order

A virtual link connects a non-backbone area to Area 0 through a transit area. First, identify the ABR with the transit area, then configure the virtual link on both ABRs using the router ID of the neighbor, ensure the transit area has full OSPF adjacency, and finally verify the virtual link is operational.

85
Drag & Drop · medium

Drag and drop the steps of DMVPN Phase 3 spoke-to-spoke shortcut creation into the correct order, from first to last.

Why this order

In DMVPN Phase 3, when a spoke needs to send traffic to another spoke, it first sends the data through the hub. The hub forwards the packet and sends an NHRP redirect back to the source spoke, which then sends an NHRP resolution request to the hub. The hub replies with the destination spoke's NBMA address, and finally the source spoke builds a direct mGRE tunnel to the destination spoke. The correct order is therefore: spoke sends data through hub; hub sends redirect with NHRP trigger; spoke sends NHRP resolution request to hub; hub replies with destination spoke NBMA address; source spoke builds direct mGRE tunnel to destination spoke.

86
MCQ · medium

Examine the following configuration on a Cisco 9800 WLC:

    ap profile default-ap-profile
     description "Default AP Profile"
     country US
     management-user admin

Which statement is true about this configuration?

A. This profile configures the SSID for the AP.
B. The country code is set to the United States, affecting allowed channels and transmit power.
C. This profile enables 802.11r fast roaming.
D. The management user 'admin' is used for client authentication.

Answer: B

The country code determines regulatory compliance for radio operation.

Why this answer

The 'country US' command sets the regulatory domain for the APs using this profile, which is required for proper channel and power settings.

87
MCQ · medium

A network engineer is configuring AAA on a Cisco ISR router to authenticate administrative users via a RADIUS server. The engineer configures the router with the command 'aaa new-model' and then 'aaa authentication login default group radius local'. When the engineer attempts to SSH to the router using a username that exists only on the RADIUS server, the authentication fails. The RADIUS server is reachable and the shared secret is correct. What is the most likely cause of the failure?

A. The router's SSH service is not enabled.
B. The RADIUS server is rejecting the authentication because the user is not defined on the server, and the 'local' fallback only applies if the server is unreachable.
C. The 'aaa new-model' command must be followed by a 'aaa authentication login default local' command to use local authentication.
D. The router's VTY lines are not configured to use the default authentication list.

Answer: B

Correct because the 'group radius local' method list tries RADIUS first; if RADIUS responds with a reject (user not found), the router does not fall back to local. The fallback only occurs if the RADIUS server does not respond.

Why this answer

The RADIUS server is not configured to authenticate the user, or the RADIUS server is not responding correctly. The 'local' fallback is only used if the RADIUS server does not respond, not if it rejects the authentication. The issue is that the RADIUS server is rejecting the authentication, possibly because the user is not defined on the server or the server's configuration does not match the router's request.

88
MCQ · easy

A network engineer runs the following command on Router R4:

    R4# show ip sla monitor statistics 3
    Round Trip Time (RTT) for Index 3
     Latest RTT: 25 ms
    Latest Operation Start Time: 14:30:00.000 UTC Mon Mar 1 2021
    Latest Operation Return Code: OK
    Number of successes: 100
    Number of failures: 0
    Over thresholds: 0

Based on this output, what can be concluded about the IP SLA operation?

A. The operation has experienced failures.
B. The operation is currently failing.
C. The operation is working correctly with no failures.
D. The round-trip time exceeds the threshold.

Answer: C

100 successes and 0 failures confirm proper operation.

Why this answer

The return code 'OK' and zero failures indicate that the operation is functioning correctly and the target is reachable.

89
MCQ · easy

A network engineer runs the following command on Switch SW5:

    SW5# show spanning-tree vlan 50

    VLAN0050
      Spanning tree enabled protocol ieee
      Root ID    Priority    24626
                 Address     aabb.cc00.0800
                 Cost        4
                 Port        1 (GigabitEthernet0/1)
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

      Bridge ID  Priority    32768  (priority 32768 sys-id-ext 50)
                 Address     aabb.cc00.0900
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time  300 sec

    Interface           Role Sts Cost      Prio.Nbr Type
    ------------------- ---- --- --------- -------- ------------------------------
    Gi0/1               Root FWD 4         128.1    P2p
    Gi0/2               Desg FWD 4         128.2    P2p
    Gi0/3               Desg FWD 4         128.3    P2p
    Gi0/4               Altn BLK 4         128.4    P2p

Based on this output, how many ports are in the Forwarding state?

A. 1
B. 2
C. 3
D. 4

Answer: C

Correct. Gi0/1, Gi0/2, and Gi0/3 are all in FWD state.

Why this answer

The output shows three ports in Forwarding state: Gi0/1 (Root FWD), Gi0/2 (Desg FWD), and Gi0/3 (Desg FWD). Gi0/4 is in Blocking state (Altn BLK).

90
Drag & Drop · medium

Drag and drop the steps of VRF-aware NAT configuration into the correct order, from first to last.

Why this order

The correct order first defines the VRF, then configures the NAT inside and outside interfaces under the VRF, defines the NAT pool or ACL for translation, applies the NAT rule referencing the VRF, and finally verifies the translation with show ip nat translations vrf.

91
MCQ · medium

Examine the following configuration snippet on a Cisco IOS switch:

    interface GigabitEthernet0/2
     switchport mode access
     switchport access vlan 50
     spanning-tree portfast

Which statement is true about this interface?

A. The interface will immediately forward traffic without any spanning-tree delay.
B. The interface will participate in trunking and forward multiple VLANs.
C. The interface will still go through listening and learning states before forwarding.
D. The interface will only forward traffic for VLAN 1.

Answer: A

Correct. PortFast enables immediate forwarding, reducing the initial delay.

Why this answer

The `spanning-tree portfast` command on an access port configured with `switchport mode access` and `switchport access vlan 50` causes the interface to bypass the normal spanning-tree listening and learning states. This allows the port to transition directly to the forwarding state, enabling immediate traffic forwarding without the usual 30-second delay (15 seconds for listening, 15 seconds for learning) associated with Rapid Spanning Tree Protocol (RSTP) or the 50-second delay with classic STP (802.1D).

Exam trap

Cisco often tests the misconception that `spanning-tree portfast` only applies to trunk ports or that it still requires the listening/learning states, when in fact it is designed specifically to bypass those states on access ports (or trunk ports with the `spanning-tree portfast trunk` variant).

How to eliminate wrong answers

Option B is wrong because the interface is configured as an access port (`switchport mode access`), which does not participate in trunking and only forwards traffic for a single VLAN (VLAN 50), not multiple VLANs. Option C is wrong because `spanning-tree portfast` specifically causes the interface to skip the listening and learning states and immediately enter the forwarding state, contradicting the claim that it will still go through those states. Option D is wrong because the `switchport access vlan 50` command assigns the interface to VLAN 50, not VLAN 1; the default VLAN for access ports is VLAN 1 only if no explicit access VLAN is configured.

92
MCQ · easy

Which SNMP version introduced the use of a username and authentication/password framework, without encryption?

A. SNMPv1
B. SNMPv2c
C. SNMPv3
D. SNMPv2u

Answer: C

SNMPv3 introduced usernames and authentication, with options for noAuthNoPriv, authNoPriv, and authPriv.

Why this answer

SNMPv3 introduced a security model with usernames, authentication, and privacy, but SNMPv3 noAuthNoPriv provides authentication without encryption.

93
MCQ · medium

Given the following Ansible playbook snippet:

    ---
    - name: Backup running config
      hosts: routers
      gather_facts: no
      tasks:
        - name: Save config
          ios_config:
            backup: yes
            backup_options:
              dir_path: /backup/

What is the purpose of the 'backup_options' parameter?

A. It specifies the directory where the backup file will be saved.
B. It specifies the filename for the backup.
C. It enables compression of the backup file.
D. It is ignored because backup: yes is already set.

Answer: A

Correct. 'dir_path' sets the directory for the backup file.

Why this answer

The 'backup_options' parameter in ios_config allows specifying a custom directory path for the backup file. Without it, the backup is saved in the playbook's directory with a timestamped filename.

94
Matching · hard

Drag and drop each VRF-Lite or MPLS VPN characteristic on the left to its matching description on the right.

Matches

Uses trunk ports and subinterfaces to separate traffic without MPLS

Employs MPLS labels and MP-BGP to isolate paths across multiple routers

Why these pairings

VRF-Lite uses only local VRFs without MPLS or MP-BGP, requiring trunk links; MPLS VPN uses MPLS labels and MP-BGP for scalable path isolation; VRF-Lite is simpler but limited to a single router or switch; MPLS VPN scales across an entire provider network; VRF-Lite does not support overlapping address spaces between sites without NAT.

95
MCQ · medium

An enterprise is implementing MPLS L3VPN to connect multiple branch offices. The PE routers are using eBGP to exchange VPNv4 routes. The engineer notices that some VPN routes are not being advertised to the remote PE. The 'show bgp vpnv4 unicast all' on the local PE shows the routes as valid but not best. What is the most likely reason?

A. The route has a higher local preference than the best path.
B. The route is not valid due to a missing label.
C. The route is not in the BGP table.
D. The route has a higher MED value than the best path.

Answer: A

Correct because BGP selects the best path based on local preference; a higher local preference makes a route less preferred.

Why this answer

In BGP, only the best path is advertised to peers. If a route is valid but not best, it may be due to a higher local preference or other BGP path selection criteria. Option A is correct.

Option B is wrong because the route is valid; Option C is wrong because the route is present; Option D is wrong because MED is not typically set by default.

96
MCQ · medium

A network engineer runs the following commands on Router R1:

    R1# show ip interface GigabitEthernet0/0 | include access list
      Inbound  access list is 101
      Outbound access list is not set
    R1# show access-lists 101
    Extended IP access list 101
        10 permit tcp 192.168.1.0 0.0.0.255 any eq 80 (100 matches)
        20 deny tcp any any eq 80 (50 matches)
        30 permit ip any any (200 matches)

Based on this output, what can be concluded?

A. HTTP traffic from sources outside 192.168.1.0/24 is denied.
B. All HTTP traffic is permitted.
C. The ACL is applied outbound on the interface.
D. The ACL permits all traffic from 192.168.1.0/24.

Answer: A

Entry 20 denies all HTTP traffic not matching entry 10, so any HTTP from other subnets is denied.

Why this answer

ACL 101 is applied inbound on GigabitEthernet0/0. It permits HTTP from subnet 192.168.1.0/24 to any destination, denies all other HTTP, and permits all other IP traffic. The match counts show 100 HTTP packets from the subnet, 50 denied HTTP packets from other sources, and 200 other packets permitted.

The correct answer is that HTTP traffic from sources outside 192.168.1.0/24 is denied.

97
Drag & Drop · medium

Drag and drop the steps of WRED configuration for TCP congestion avoidance into the correct order, from first to last.

Why this order

WRED configuration starts by enabling the feature globally, then defining a class map for TCP traffic, creating a policy map with random-detect, applying it to an interface, and verifying the drop thresholds. WRED proactively drops packets to avoid TCP global synchronization.

98
MCQ · hard

An engineer is writing an Ansible playbook to configure OSPF on a fleet of Cisco Nexus 9000 switches. The playbook uses the nxos_ospf module. When executed, the playbook reports 'changed' for every switch, even on subsequent runs when no configuration changes are made. The engineer wants to achieve idempotent behavior. What is the most likely cause of the non-idempotent results?

A. The Ansible control node is using an outdated version of the nxos_ospf module that does not support idempotency.
B. The playbook does not specify all OSPF parameters, such as 'router-id', causing the module to detect a difference with the running configuration.
C. The switches have different NX-OS versions, causing the module to behave inconsistently.
D. The engineer forgot to use the '--check' flag to verify idempotency.

Answer: B

If the playbook omits parameters that the module manages (e.g., router-id defaults to a loopback IP), the module sees a change and marks it as 'changed'.

Why this answer

The nxos_ospf module may report changes if the OSPF process configuration includes parameters that are not fully idempotent, such as the 'router-id' being set dynamically. However, a common cause is that the module compares the current state with the desired state, and if the switch returns extra default parameters (like 'log-adjacency-changes' or 'auto-cost') that are not specified in the playbook, the module may see a difference and report 'changed'. The most direct cause here is that the playbook does not specify all parameters that the module manages, leading to a mismatch.

99
Drag & Drop · medium

Drag and drop the steps of AAA method list fallback from RADIUS to local into the correct order, from first to last.

Why this order

When a method list specifies RADIUS then local, the device first attempts RADIUS authentication. If the RADIUS server is unreachable (timeout), the device falls back to the next method in the list, which is local authentication using the local user database.

100
Drag & Drop · medium

Drag and drop the steps of NAT64 IPv6-to-IPv4 translation flow into the correct order, from first to last.

Why this order

NAT64 allows IPv6-only hosts to reach IPv4 servers. The IPv6 host sends a packet to a synthesized IPv6 address representing the IPv4 destination. The NAT64 router receives the packet and extracts the embedded IPv4 destination address.

It translates the packet header from IPv6 to IPv4, including source and destination addresses. The translated IPv4 packet is forwarded to the IPv4 network. When the reply comes back, the router performs reverse translation and sends the IPv6 packet to the host.

101
MCQ · hard

A network engineer is troubleshooting an OSPF issue where a router is not learning a route to a network that is advertised via a type 5 LSA from an ASBR. The engineer checks the OSPF database and sees the type 5 LSA, but the route is not in the routing table. The forwarding address in the LSA is 0.0.0.0. What is the most likely cause?

A. The ASBR is not reachable via an OSPF internal route.
B. The type 5 LSA has a metric of 16777215.
C. The OSPF process ID on the ASBR is different from the other routers.
D. The type 5 LSA is being filtered by an outbound route filter.

Answer: A

Correct because OSPF requires the ASBR to be reachable via an intra-area or inter-area route for the type 5 LSA to be installed.

Why this answer

When a Type 5 LSA has a forwarding address of 0.0.0.0, OSPF routers will use the ASBR as the next hop for the external route. For the route to be installed in the routing table, the ASBR must be reachable via an OSPF intra-area or inter-area route. If the ASBR is not reachable (e.g., no valid OSPF route to the ASBR's router ID), the Type 5 LSA is considered unreachable and is not installed, even though it exists in the OSPF database.

Exam trap

Cisco often tests the misconception that a Type 5 LSA present in the database automatically guarantees the route is installed, but the trap here is that the forwarding address of 0.0.0.0 requires the ASBR to be reachable via an OSPF internal route, which is a common oversight.

How to eliminate wrong answers

Option B is wrong because a metric of 16777215 (the maximum OSPF metric) would cause the route to be considered unreachable, but the question states the LSA is present in the database and the forwarding address is 0.0.0.0, not that the metric is invalid. Option C is wrong because OSPF process IDs are locally significant and do not affect the exchange of LSAs or route installation between routers; different process IDs on different routers do not prevent route learning. Option D is wrong because an outbound route filter would prevent the LSA from being sent or received, but the engineer confirms the Type 5 LSA is present in the database, meaning it was not filtered.

102
MCQ · hard

A network engineer is configuring MPLS TE (Traffic Engineering) in an MPLS core to optimize bandwidth utilization. After enabling MPLS TE on all core routers and configuring tunnels, the engineer notices that traffic is not being rerouted when a link fails. The 'show mpls traffic-eng tunnels' shows the tunnels are up but not using the backup path. What is the most likely missing configuration?

A. MPLS TE FRR (Fast Reroute) is not configured on the tunnels.
B. LDP is not enabled on the core interfaces.
C. RSVP is not configured on the core routers.
D. OSPF is not configured with MPLS TE extensions.

Answer: A

Correct because FRR provides backup paths for link failures in MPLS TE.

Why this answer

MPLS TE requires explicit backup path configuration, such as FRR (Fast Reroute) or backup tunnels, to provide protection. Without it, traffic will not be rerouted automatically. Option A is correct.

Option B is wrong because LDP is not required for TE; Option C is wrong because RSVP is the signaling protocol, not the issue; Option D is wrong because link-state routing is fine.

103
Multi-Select · hard

Which three statements about extended ACLs on Cisco IOS are true? (Choose three.)

A. Extended ACLs can filter based on source and destination IP addresses.
B. Extended ACLs can filter based on TCP or UDP port numbers.
C. Extended ACLs are processed in order until a matching permit or deny statement is found.
D. Extended ACLs can filter based on source MAC addresses.
E. Extended ACLs only filter traffic based on the source IP address.

Answers: A, B, C

Correct because extended ACLs evaluate both source and destination addresses.

Why this answer

Extended ACLs can filter based on source and destination IP addresses, protocol, and port numbers. They are processed sequentially until a match is found, and an implicit deny any is at the end. They can be applied to interfaces using the 'ip access-group' command.

Extended ACLs cannot filter based on MAC addresses; that is done by MAC ACLs. They are not limited to source-only filtering.

104
MCQ · medium

Consider the following configuration:

    router eigrp TEST
     network 10.0.0.0 0.255.255.255
     metric weights 0 1 0 1 0 0

What is the effect of the 'metric weights' command?

A. It changes the EIGRP metric calculation to use only bandwidth and delay, which is the default behavior.
B. It changes the EIGRP metric calculation to use bandwidth, delay, and reliability.
C. It changes the EIGRP metric calculation to use only delay.
D. It disables the EIGRP metric calculation, causing all routes to have the same metric.

Answer: A

Correct. K1=1 (bandwidth) and K3=1 (delay) are used; K2, K4, K5 are zero, matching the default EIGRP metric.

Why this answer

The 'metric weights' command in EIGRP allows you to modify the K values used in the composite metric formula. The default K values are K1=1, K2=0, K3=1, K4=0, K5=0, which means only bandwidth (K1) and delay (K3) are used. The command 'metric weights 0 1 0 1 0 0' explicitly sets K1=1, K3=1, and all others to 0, which matches the default behavior and does not change the metric calculation.

Exam trap

Cisco often tests the misconception that changing K values from their defaults always alters the metric calculation, but here the specific values '0 1 0 1 0 0' exactly replicate the default K values (K1=1, K3=1), so the command has no net effect.

How to eliminate wrong answers

Option B is wrong because setting K4=0 (the fourth parameter) means reliability is not used in the metric calculation; to include reliability, K4 must be set to 1. Option C is wrong because while delay (K3) is used, bandwidth (K1) is also set to 1, so the metric uses both bandwidth and delay, not only delay. Option D is wrong because the 'metric weights' command does not disable metric calculation; it simply defines which K values are non-zero, and with K1 and K3 set to 1, the standard EIGRP composite metric is still computed.

105
Drag & Drop · medium

Drag and drop the steps of the 802.1X EAP-TLS authentication exchange into the correct order, from first to last.

Why this order

The 802.1X EAP-TLS process begins with the supplicant initiating an EAPoL-Start, then the authenticator requests identity. The supplicant responds with an EAP-Response/Identity, the authenticator forwards it to the RADIUS server, and the server requests the client certificate to start the TLS handshake.

106
Multi-Select · hard

Which three statements about Cisco TrustSec security group access control lists (SGACLs) are true? (Choose three.)

A. SGACLs define policies based on source and destination security group tags.
B. SGACLs are typically downloaded from the Cisco ISE policy server to network devices.
C. SGACLs are applied directly to switch ports using the ip access-group command.
D. SGACLs can be used to permit or deny traffic between different security groups.
E. SGACLs can rewrite the security group tag in the packet header.

Answers: A, B, D

Correct; SGACLs use SGTs to determine access rights.

Why this answer

SGACLs are applied based on source and destination SGTs, they are downloaded from Cisco ISE, and they can be used to permit or deny traffic. Option A is correct because SGACLs are policy rules based on SGTs. Option B is correct because ISE distributes SGACLs to network devices.

Option D is correct because SGACLs enforce permit/deny decisions. Option C is incorrect because SGACLs are not applied to interfaces like traditional ACLs; they are applied to SGT pairs. Option E is incorrect because SGACLs do not modify packets; they just enforce policy.

107
Drag & Drop (medium)

Drag and drop the steps of the DHCP snooping and dynamic ARP inspection flow into the correct order, from first to last.

Why this order

DHCP snooping first builds a binding table by monitoring DHCP messages. The switch validates DHCP server messages on trusted ports and discards rogue offers. For DAI, the switch intercepts ARP packets and checks the sender MAC and IP against the DHCP snooping binding table.

If the ARP packet matches, it is forwarded; otherwise, it is dropped.

108
MCQ (medium)

Examine the following configuration:

flow exporter EXPORTER-1
 destination 10.0.0.1
 source Loopback0
 transport udp 2055
 option interface-table
 option application-table
!

What is the purpose of the 'option interface-table' and 'option application-table' commands?

A. They cause the exporter to send interface and application metadata to the collector periodically.
B. They filter the flow data to include only traffic from the specified interfaces and applications.
C. They enable the exporter to collect interface and application statistics locally.
D. They are required only when using IPFIX, not NetFlow v9.
Answer: A

Option data records include interface names, descriptions, and application IDs.

Why this answer

These commands enable the exporter to send option data records to the collector. Option data provides metadata about the router's interfaces and applications, helping the collector interpret the flow data correctly.

109
Matching (medium)

Drag and drop each VLAN range on the left to its matching type on the right.

Normal VLANs

Extended VLANs

Reserved VLANs

Reserved for legacy token ring and FDDI

Normal VLANs (default range)

Why these pairings

VLANs 1–1005 are normal VLANs, 1006–4094 are extended VLANs, and VLANs 0 and 4095 are reserved. Within the normal range, VLANs 1002–1005 are reserved for legacy Token Ring and FDDI.

110
MCQ (medium)

Examine the following telemetry configuration:

telemetry ietf subscription 500
 encoding encode-kvgpb
 filter xpath /interfaces/interface/state/counters
 stream yang-push
 update-policy periodic 500
 receiver ip address 10.1.1.1 50000 protocol grpc

A network engineer wants to add a second receiver for redundancy. Which additional configuration is correct?

A. Add a second receiver under the same subscription: receiver ip address 10.1.1.2 50000 protocol grpc
B. Create a new subscription with the same parameters and a different receiver.
C. Modify the existing receiver to use multicast address 239.1.1.1.
D. Use the backup-receiver command under the receiver.
Answer: A

Multiple receivers can be added to a single subscription for redundancy.

Why this answer

To add a second receiver, add another receiver line under the same subscription; no new subscription or separate backup command is needed.

111
Drag & Drop (medium)

Drag and drop the steps of SNMP community-based access control setup into the correct order, from first to last.

Why this order

First define the community string, then associate it with an ACL, apply view-based access, and finally enable the SNMP agent.

112
MCQ (medium)

A network engineer is troubleshooting connectivity issues in a multi-tenant environment where each tenant's traffic is isolated using VRF-Lite. The engineer notices that tenants in the same VRF cannot communicate with each other across different access switches. Which design change should be implemented to enable inter-switch VRF communication?

A. Use the same VLAN for all tenants and rely on VLAN ACLs.
B. Create trunk links with 802.1Q subinterfaces on each switch and assign each subinterface to the appropriate VRF.
C. Configure static routes on each switch pointing to the next-hop IP in the global routing table.
D. Enable OSPF with a single area on all switches and redistribute between VRFs.
Answer: B

This allows per-VRF routing across switches.

Why this answer

Option B is correct because VRF-Lite requires 802.1Q trunking to extend Layer 3 VRF boundaries across switches. By creating subinterfaces on trunk links and assigning each subinterface to the appropriate VRF, traffic from the same VRF on different switches can be routed through the VRF-specific routing table, enabling inter-switch communication while maintaining isolation.

Exam trap

Cisco often tests the misconception that VRF-Lite can use the global routing table for inter-switch communication, but the trap here is that VRF-Lite requires explicit Layer 3 subinterfaces on trunk links to extend VRF boundaries, not just VLANs or static routes in the global table.

How to eliminate wrong answers

Option A is wrong because using the same VLAN for all tenants with VLAN ACLs does not provide Layer 3 VRF isolation; it only filters at Layer 2/3 within the global routing table, breaking the multi-tenant separation required. Option C is wrong because static routes in the global routing table would bypass VRF isolation, mixing tenant traffic and defeating the purpose of VRF-Lite. Option D is wrong because OSPF with redistribution between VRFs is complex and not supported in VRF-Lite without additional protocols like MP-BGP; VRF-Lite relies on static or connected routes within each VRF, not dynamic routing redistribution.

113
Multi-Select (hard)

Which three statements about CoPP configuration and operation are true? (Choose three.)

A. CoPP uses a class map to classify traffic destined for the control plane.
B. CoPP uses the 'police' command within a policy map to rate-limit traffic.
C. The 'control-plane' command is used to enter control plane configuration mode.
D. CoPP is applied using the 'ip access-group' command on the control plane interface.
E. CoPP can only filter IPv4 traffic.
Answers: A, B, C

Correct because class maps define traffic classes using match statements, often referencing ACLs.

Why this answer

CoPP uses a class map to match traffic (often with ACLs) and a policy map to define actions. The policy map is applied to the control plane. CoPP can police traffic to a specific rate using the 'police' command.

The 'control-plane' command enters the control plane configuration mode. CoPP does not use 'ip access-group' on the control plane. CoPP can be applied to both IPv4 and IPv6 traffic.

114
Drag & Drop (medium)

Drag and drop the steps of service function chaining (SFC) path setup into the correct order, from first to last.

Why this order

SFC path setup begins with classifying traffic to determine which service chain to apply. Next, the classifier encapsulates packets with an NSH header. Then the SFC path is computed by the controller using the service function path identifier.

After path computation, the controller installs forwarding entries in each service function forwarder. Finally, traffic traverses the chain as SFFs forward packets between VNFs.

115
MCQ (medium)

An engineer is configuring SPAN on a Cisco Catalyst 3850 switch to monitor traffic from a trunk port (Gi1/0/1) that carries VLANs 10, 20, and 30. The monitoring station is on port Gi1/0/24. The engineer wants to capture only VLAN 20 traffic from the trunk. Which configuration should the engineer use?

A. Configure 'monitor session 1 source interface Gi1/0/1 both' and 'monitor session 1 filter vlan 20'.
B. Configure 'monitor session 1 source interface Gi1/0/1 both' and 'monitor session 1 destination interface Gi1/0/24'.
C. Configure 'monitor session 1 source vlan 20' and 'monitor session 1 destination interface Gi1/0/24'.
D. Configure 'monitor session 1 source interface Gi1/0/1 both' and 'monitor session 1 filter vlan 10,30'.
Answer: A

Correct; the filter vlan option limits the SPAN session to only VLAN 20 traffic on the source interface.

Why this answer

To capture traffic from a specific VLAN on a trunk port, the engineer must use the 'filter vlan' option in the SPAN session. The correct answer is to configure 'monitor session 1 source interface Gi1/0/1 both' and then 'monitor session 1 filter vlan 20'. Option B is incorrect because it captures all VLANs.

Option C is incorrect because VLAN-based SPAN would capture all traffic on VLAN 20 from all ports, not just the trunk. Option D is incorrect because it captures only VLAN 20 but from all ports.

116
MCQ (easy)

What is the default load-balancing method used by Cisco switches for EtherChannel?

A. Source MAC address
B. Destination MAC address
C. Source IP address
D. Source and destination IP address
Answer: A

Correct. The default is src-mac on most Cisco switches.

Why this answer

Cisco switches default to source MAC address-based load balancing for EtherChannel. This method distributes traffic based on the source MAC address of the frame, which can lead to uneven distribution if traffic patterns are not diverse.

117
MCQ (easy)

A network engineer is configuring an EtherChannel between two Cisco switches. The engineer wants to use PAgP and ensure that the channel forms only if the neighboring switch is also configured for PAgP. Which mode should be configured on the local switch?

A. Configure 'channel-group 1 mode desirable' on the physical ports.
B. Configure 'channel-group 1 mode auto' on the physical ports.
C. Configure 'channel-group 1 mode active' on the physical ports.
D. Configure 'channel-group 1 mode on' on the physical ports.
Answer: A

Correct because PAgP desirable mode actively negotiates with the neighbor to form the channel.

Why this answer

The correct answer is 'desirable' because it actively negotiates with the neighbor using PAgP. The wrong answers either use LACP ('active') or force the channel without any negotiation ('on'); 'auto' only responds to PAgP and does not initiate.

118
Drag & Drop (medium)

Drag and drop the steps of Control Plane Policing (CoPP) rate-limit evaluation into the correct order, from first to last.

Why this order

CoPP evaluates packets by first classifying them into a class-map, then applying the policy-map to the control plane, which specifies the rate-limit action. The order ensures that classification happens before rate-limiting, and the final step is the action taken when the rate is exceeded.

119
MCQ (hard)

An enterprise is deploying a new VoIP system and wants to ensure voice traffic receives priority over data traffic on a WAN link. The engineer configures a class-map to match RTP traffic using the 'match protocol rtp' command. However, the class-map does not match any packets. What is the most likely reason?

A. RTP traffic uses UDP ports, and the class-map must match on the UDP port range instead.
B. The 'match protocol rtp' command requires NBAR to be enabled globally with 'ip nbar protocol-discovery'.
C. The class-map must be configured with 'match any' to capture all traffic.
D. RTP traffic is always marked with DSCP EF, so the class-map should match on DSCP instead.
Answer: B

Correct because NBAR-based matching requires the 'ip nbar protocol-discovery' command to be enabled on the interface for the classification to work.

Why this answer

The 'match protocol rtp' command relies on Network-Based Application Recognition (NBAR) to identify RTP traffic by inspecting packet payloads and using protocol signatures. Without NBAR enabled globally via 'ip nbar protocol-discovery', the class-map cannot match any packets because the router does not have the necessary deep packet inspection capability. Enabling NBAR allows the device to recognize RTP traffic even though it uses dynamic UDP ports.

Exam trap

The trap here is that candidates assume 'match protocol rtp' works out-of-the-box like a simple port match, but Cisco tests the requirement for NBAR to be explicitly enabled for protocol-based matching that relies on deep packet inspection.

How to eliminate wrong answers

Option A is wrong because while RTP does use UDP ports, the 'match protocol rtp' command is designed to match RTP traffic without specifying port ranges, and the issue is not about port matching but about NBAR being disabled. Option C is wrong because 'match any' would match all traffic, defeating the purpose of prioritizing voice over data and not addressing the root cause of the class-map not matching RTP. Option D is wrong because although RTP traffic is often marked with DSCP EF, the class-map is configured to match on protocol, not DSCP; matching on DSCP would be a different approach and does not explain why the 'match protocol rtp' command fails.

120
MCQ (easy)

An engineer needs to configure a switchport to carry traffic for multiple VLANs to a router using a single physical link. Which configuration should be applied on the switchport?

A. Configure the port as a dynamic desirable port.
B. Configure the port as a trunk port.
C. Configure the port as a routed port.
D. Configure the port as an access port.
Answer: B

Trunk ports carry multiple VLANs.

Why this answer

Option B is correct because a trunk port is specifically designed to carry traffic for multiple VLANs over a single physical link using IEEE 802.1Q encapsulation. This allows the switch to tag frames with VLAN IDs, enabling the router (often configured as a router-on-a-stick) to route between VLANs.

Exam trap

The trap here is that candidates often confuse Dynamic Desirable (a DTP negotiation mode) with a trunk port configuration, thinking negotiation automatically results in trunking, but the question asks for the configuration that directly enables multi-VLAN traffic, not a negotiation protocol.

How to eliminate wrong answers

Option A is wrong because Dynamic Desirable is a Dynamic Trunking Protocol (DTP) mode that negotiates trunking with the remote device, but it does not directly configure the port to carry multiple VLANs; it is a negotiation state, not the final configuration. Option C is wrong because a routed port is a Layer 3 interface that operates like a router port, stripping all Layer 2 switching and VLAN tagging, so it cannot carry multiple VLANs on a single link. Option D is wrong because an access port belongs to only one VLAN and strips any VLAN tags from frames, making it unsuitable for carrying multiple VLANs.

121
MCQ (easy)

A network engineer is configuring a PPPoE client on a Cisco router for a DSL connection. The engineer configures the dialer interface with the correct PPPoE profile and authentication credentials. The PPPoE session establishes, but the router cannot ping the ISP's gateway IP address. The engineer checks the routing table and sees that a default route is present via the dialer interface. What is the most likely cause?

A. The dialer interface does not have an IP address negotiated via IPCP.
B. The physical interface is configured with 'no ip address'.
C. The default route is pointing to the wrong next-hop IP.
D. The ISP's gateway is not responding to ICMP.
Answer: A

Correct. In PPPoE, the ISP typically assigns an IP address via IPCP. If the dialer interface does not receive an IP address, the router cannot communicate with the gateway.

Why this answer

A PPPoE client is configured on both the physical interface and the dialer interface. Common setup problems are a physical interface missing the 'pppoe enable' command or a dialer interface not bound to the correct dialer pool; here, however, the session is established, so PPPoE negotiation succeeded.

An inability to ping the gateway can be caused by a missing or incorrect 'ip route' or by a firewall, but the scenario already shows a default route via the dialer interface. The most likely cause is therefore that the ISP assigns the address through PPP IPCP and the dialer interface has not received one, leaving the router without a source address for the ping.

122
Drag & Drop (medium)

Drag and drop the steps of MPLS Traffic Engineering (TE) tunnel setup (RSVP) into the correct order, from first to last.

Why this order

MPLS TE tunnel setup begins with IGP extension configuration to propagate link attributes, followed by explicit path definition. RSVP-TE then signals the tunnel using PATH messages, which are processed by intermediate routers to reserve bandwidth. Finally, RESV messages confirm the reservation and establish the tunnel.

123
MCQ (medium)

Consider the following BGP configuration:

router bgp 65000
 bgp router-id 10.0.0.1
 neighbor 10.0.0.2 remote-as 65001
 neighbor 10.0.0.2 route-map SET-MED out
!
route-map SET-MED permit 10
 set metric 50
!

What is the effect of this route-map on outbound updates to neighbor 10.0.0.2?

A. It sets the MED to 50 for all routes advertised to 10.0.0.2, but only if they match a prefix-list.
B. It sets the MED to 50 for all routes advertised to 10.0.0.2.
C. It sets the local preference to 50 for routes received from 10.0.0.2.
D. It filters all routes to 10.0.0.2 because there is no match statement.
Answer: B

Correct. The route-map permits all routes and sets MED to 50.

Why this answer

The route-map SET-MED is applied to outbound updates to neighbor 10.0.0.2 with a permit sequence 10 and a set metric 50 command, but no match statement. In BGP, a route-map with a permit clause and no match condition matches all routes by default. Therefore, the MED (Multi-Exit Discriminator) attribute is set to 50 for every route advertised to that neighbor.

Exam trap

Cisco often tests the misconception that a route-map without a match statement will deny or filter all routes, but in reality, a permit clause with no match matches everything and applies the set actions.

How to eliminate wrong answers

Option A is wrong because the route-map does not reference any prefix-list, so it applies to all routes, not only those matching a prefix-list. Option C is wrong because the set metric command modifies the MED, not local preference; local preference is set with set local-preference and is an inbound attribute. Option D is wrong because a permit route-map without a match statement does not filter routes; it matches all routes and applies the set actions.

124
MCQ (easy)

A network engineer is configuring ACLs on a Cisco router to filter traffic between two subnets. The engineer wants to allow HTTP traffic from subnet 10.1.1.0/24 to subnet 10.2.2.0/24, but deny all other traffic. The engineer applies an ACL inbound on the interface connected to subnet 10.1.1.0/24. The ACL has a permit statement for TCP port 80 from 10.1.1.0/24 to 10.2.2.0/24, followed by a deny ip any any. However, hosts in subnet 10.1.1.0/24 can still ping hosts in subnet 10.2.2.0/24. What is the most likely reason?

A. The ACL is applied outbound on the interface, not inbound, so it filters traffic leaving the interface, not entering.
B. The ACL is missing a deny statement for ICMP, so ICMP traffic is implicitly permitted.
C. The ACL permits HTTP, but ping uses ICMP, which is not HTTP, so ping should be denied.
D. The ACL is applied to the wrong interface; it should be applied to the interface connected to subnet 10.2.2.0/24.
Answer: A

Correct. Pings from 10.1.1.0/24 enter the router on the interface facing that subnet. An ACL applied inbound there would evaluate those pings and the deny ip any any would drop them. If the ACL was instead applied outbound on that interface, it only filters traffic leaving toward 10.1.1.0/24 and never sees the pings entering, so they pass unfiltered. The scenario says inbound, so the most likely explanation is that the engineer misapplied the ACL in the outbound direction.

Why this answer

An inbound ACL filters traffic entering the interface; the pings from 10.1.1.0/24 enter that interface, and the ACL permits only HTTP, so an inbound ACL would deny them. Since the pings succeed, the most likely reason is that the ACL is actually applied outbound on the interface, not inbound.

Option B is incorrect because the ACL is ordered correctly and its deny ip any any already covers ICMP; nothing is implicitly permitted. Option C is incorrect because, although ICMP is not HTTP, that describes the intended behaviour rather than explaining why the pings succeed. Option D is incorrect because the ACL is applied on an interface, not to a subnet, and the interface facing 10.1.1.0/24 is the right place for inbound filtering of that subnet's traffic.

125
Multi-Select (medium)

Which two statements about local SPAN configuration are true? (Choose two.)

A. The SPAN destination port must be in STP forwarding state to forward traffic.
B. A SPAN destination port can also be used as a source port in another SPAN session.
C. A SPAN source can be a single port, a VLAN, or an EtherChannel interface.
D. When a VLAN is configured as a SPAN source, all active ports in that VLAN are monitored.
E. SPAN destination ports participate in Spanning Tree Protocol normally.
Answers: A, D

Correct because the destination port must be forwarding to send the mirrored traffic out.

Why this answer

Local SPAN copies traffic from source ports or VLANs to a destination port on the same switch. The destination port must be in STP forwarding state to forward traffic, but it does not participate in STP for the SPAN session. The source can be a port or VLAN, but not a port-channel interface directly; however, individual member ports can be sources.

The destination port cannot be used as a source port simultaneously.

126
Multi-Select (hard)

Which three statements about Cisco SD-Access policy enforcement are true? (Choose three.)

A. Scalable Group Tags (SGTs) are used to enforce micro-segmentation and policy in the fabric.
B. SGTs are assigned to endpoints based on their IP address only.
C. The fabric border node enforces all policies for traffic within the fabric.
D. Cisco ISE is used to define and manage policy in SD-Access.
E. The fabric edge node applies policy based on SGTs in the VXLAN header.
Answers: A, D, E

Correct because SGTs are the foundation of group-based policy in SD-Access, allowing traffic filtering and QoS based on group membership.

Why this answer

SD-Access uses Scalable Group Tags (SGTs) to enforce micro-segmentation and policy. SGTs are assigned to endpoints based on identity (e.g., user, device type) and are carried in the VXLAN header. The fabric edge applies policy based on SGTs, not IP addresses.

Cisco ISE provides centralized policy management and authentication. The control plane node does not enforce policy; it only maintains mappings. For traffic within the fabric, policy enforcement is done at the fabric edge, not the border.

127
MCQ (easy)

Which BGP attribute is preferred when it has the lowest value?

A. MED (Multi-Exit Discriminator)
B. Local Preference
C. Weight
D. Origin
Answer: A

MED is a non-transitive attribute; lower values are preferred.

Why this answer

In BGP path selection, the MULTI_EXIT_DISC (MED) attribute is used to influence inbound traffic to an AS. A lower MED value is preferred over a higher one.

128
Drag & Drop (medium)

Drag and drop the steps of the RADIUS CoA (Change of Authorization) message flow into the correct order, from first to last.

Why this order

RADIUS CoA allows a RADIUS server to dynamically change an active session's authorization. The server sends a CoA-Request to the network access device (NAD), which validates the request, applies the change, and responds with a CoA-ACK or CoA-NAK.

129
MCQ (medium)

A network architect is designing a Cisco SD-Access fabric for a university campus that requires segmentation between student, faculty, and guest traffic. The design must use Cisco TrustSec for scalable security group tags (SGTs) and integrate with Cisco ISE for policy enforcement. Which fabric component should the architect use to enforce SGT-based policies at the access layer?

A. Fabric border node
B. Fabric control plane node
C. Fabric edge node
D. Wireless LAN controller
Answer: C

The fabric edge switch enforces SGT-based policies by applying SGACLs based on the SGT assigned by ISE during authentication.

Why this answer

The fabric edge node is the correct component because it is the access-layer switch in Cisco SD-Access that performs SGT-based enforcement. It receives SGT-to-SGT policy from Cisco ISE via the control plane node and applies the corresponding security ACLs (SGACLs) at the port level, ensuring segmentation between student, faculty, and guest traffic at the point of entry.

Exam trap

Cisco often tests the misconception that the fabric border node or control plane node enforces policies, when in fact the fabric edge node is the only device that applies SGT-based access control at the access layer.

How to eliminate wrong answers

Option A is wrong because the fabric border node connects the SD-Access fabric to external networks (e.g., WAN, data center) and handles SGT propagation between fabrics or to non-fabric devices, but it does not enforce SGT policies at the access layer. Option B is wrong because the fabric control plane node manages LISP overlay mappings and distributes SGT-to-IP bindings, but it does not perform inline policy enforcement on user traffic. Option D is wrong because the Wireless LAN Controller (WLC) manages CAPWAP tunnels and wireless client mobility, but in SD-Access, SGT-based enforcement at the access layer is handled by the fabric edge node (wired or wireless via the fabric-enabled WLC acting as a wireless edge), not the standalone WLC.

130
Drag & Drop (medium)

Drag and drop the steps of the OSPF SPF calculation (Dijkstra) into the correct order, from first to last.

Why this order

The Dijkstra algorithm first initializes the candidate list with the root node, then iteratively moves the lowest-cost candidate to the tree, updating neighbor costs, and finally builds the routing table from the shortest-path tree.

131
MCQ (medium)

A network engineer runs the following command on Router R2:

R2# debug ip dhcp server events
*Mar 1 00:05:23.123: DHCPD: DHCPDISCOVER received from client 0063.6973.636f.2d30.3030.302e.3030.3030.2e30.3030.312d.4574.30 on interface GigabitEthernet0/1
*Mar 1 00:05:23.124: DHCPD: Sending DHCPOFFER to client 0063.6973.636f.2d30.3030.302e.3030.3030.2e30.3030.312d.4574.30 (10.0.0.2)
*Mar 1 00:05:23.125: DHCPD: DHCPREQUEST received from client 0063.6973.636f.2d30.3030.302e.3030.3030.2e30.3030.312d.4574.30
*Mar 1 00:05:23.126: DHCPD: Sending DHCPACK to client 0063.6973.636f.2d30.3030.302e.3030.3030.2e30.3030.312d.4574.30 (10.0.0.2)

Based on this debug output, what can be concluded?

A. The DHCP server failed to allocate an IP address to the client.
B. The client is using DHCPv6 because of the long client ID.
C. The DHCP server successfully assigned IP address 10.0.0.2 to the client.
D. The DHCP server is configured with a pool that excludes 10.0.0.2.
Answer: C

The DHCPACK sent with address 10.0.0.2 confirms successful assignment.

Why this answer

The debug shows a successful DHCP four-message exchange (DISCOVER, OFFER, REQUEST, ACK) with the client receiving IP address 10.0.0.2. The client ID is a long hex string derived from the client's MAC address.

132
Drag & Drop (medium)

Drag and drop the steps of FlexVPN spoke-to-spoke dynamic tunnel creation into the correct order, from first to last.

Why this order

In FlexVPN, when a spoke needs to reach another spoke, it first sends an IKEv2 request to the hub. The hub redirects the spoke to the destination spoke's public address. The requesting spoke then initiates a direct IKEv2 SA with the destination spoke, and after authentication, they establish an IPsec SA for data transfer.

133
Matching (medium)

Drag and drop each PAgP port mode on the left to its matching negotiation behavior on the right.

Sends PAgP packets and responds to PAgP packets

Responds to PAgP packets but does not initiate

Both sides send PAgP, forms channel

One side initiates, other responds, forms channel

Neither side initiates, no channel formed

Why these pairings

Desirable initiates negotiation; auto only responds. At least one side must be desirable for a channel to form; two auto sides never form a channel.

134
MCQ (medium)

A network engineer runs the following command on Router R1:

R1# show aaa sessions
Total sessions since last reset: 10
Session Id: 5
  Unique Id: 5
  User Name: admin
  IP Address: 192.168.1.100
  Idle Time: 0:00:05
  Timeout: 0:10:00
  Type: SSH
  Method: local
Session Id: 6
  Unique Id: 6
  User Name: neteng
  IP Address: 10.0.0.2
  Idle Time: 0:02:30
  Timeout: 0:10:00
  Type: SSH
  Method: tacacs+

Based on this output, what can be concluded?

A. Both sessions are authenticated using TACACS+.
B. Session 5 is authenticated locally.
C. Session 6 will be disconnected due to idle timeout.
D. Both sessions are using RADIUS for authentication.
Answer: B

The Method field for session 5 is 'local', indicating local authentication.

Why this answer

The output shows two active AAA sessions. Session 5 is authenticated locally (Method: local), while session 6 uses TACACS+. Both are SSH sessions.

The idle time for session 6 is 2 minutes 30 seconds, well short of the 10-minute timeout, so it is not about to be disconnected.

135
Multi-Select (hard)

Which three statements about IP SLA probe types and their characteristics are true? (Choose three.)

A. The UDP jitter operation measures one-way delay, jitter, and packet loss in both directions.
B. The ICMP echo operation measures round-trip time and can also provide jitter calculations.
C. The TCP connect operation measures the time to establish a TCP three-way handshake.
D. The HTTP operation measures the time to resolve the DNS name of the target web server.
E. The ICMP echo operation requires the IP SLA responder to be enabled on the target device.
Answers: A, B, C

Correct because UDP jitter probes timestamp packets at both ends to compute one-way metrics and can detect packet loss.

Why this answer

Different IP SLA probe types measure different network metrics. UDP jitter measures one-way delay, jitter, and packet loss. ICMP echo measures round-trip time and packet loss.

TCP connect measures the time to establish a TCP connection. HTTP probes measure the time to retrieve a web page. The probe type determines what metrics are available and how the probe is configured.

136
Matching (medium)

Drag and drop each DSCP value on the left to its matching Per-Hop Behavior (PHB) on the right.

EF

AF11

AF21

AF31

AF41

Why these pairings

DSCP 46 maps to EF (Expedited Forwarding), DSCP 10 maps to AF11 (Assured Forwarding class 1 low drop), DSCP 18 maps to AF21 (Assured Forwarding class 2 low drop), DSCP 26 maps to AF31 (Assured Forwarding class 3 low drop), DSCP 34 maps to AF41 (Assured Forwarding class 4 low drop).

137
Drag & Dropmedium

Drag and drop the steps of configuring Control Plane Policing (CoPP) on a Cisco IOS router into the correct order, from first to last.


Why this order

CoPP protects the control plane by filtering traffic. First, define an access-list to match the traffic of interest (e.g., SSH, BGP). Second, create a class-map to reference the access-list.

Third, create a policy-map that assigns a police action (rate-limit) to the class. Fourth, apply the policy-map to the control plane in the inbound direction. Finally, verify the policy with show commands to ensure correct operation.

138
MCQ (medium)

Which of the following is true about the STP max age timer?

A. It is the time a port spends in the listening state.
B. It is the interval between BPDU transmissions.
C. It is the maximum time a switch stores BPDU information before discarding it.
D. It is the time a port waits before transitioning from blocking to listening.
Answer: C

Max age is 20 seconds by default; after that, BPDU info is considered stale.

Why this answer

The max age timer determines how long a switch waits before re-evaluating BPDU information if it stops receiving BPDUs from the root bridge.

139
Drag & Drop (medium)

Drag and drop the steps of SNMP community-based access control setup into the correct order, from first to last.


Why this order

First define the community string, then associate it with an ACL, then apply it to views or groups, and finally verify.

140
MCQ (medium)

A network engineer is writing a Python script to automate the backup of running configurations from a list of 50 Cisco IOS-XE devices. The script uses the netmiko library and a for loop to connect to each device, execute 'show run', and write the output to a file. After running the script, the engineer notices that the script fails on the 15th device with a timeout error, and the remaining devices are not processed. The engineer wants to ensure that if one device fails, the script continues with the next device. What is the best way to modify the script?

A. Increase the global timeout value in the netmiko connection handler.
B. Use the concurrent.futures module to run each connection in a separate thread.
C. Wrap the connection and backup logic inside a try-except block within the for loop.
D. Replace the for loop with a while loop that retries the connection three times before moving on.
Answer: C

Correct because a try-except block catches the exception for the failing device and allows the loop to continue to the next device.

Why this answer

The correct answer uses a try-except block to catch exceptions and continue the loop. Option A is incorrect because increasing the timeout will not prevent the script from stopping on failure. Option B is incorrect because multithreading adds complexity and does not inherently handle failures gracefully.

Option D is incorrect because a while loop does not solve the issue of handling exceptions within the loop.

141
Drag & Drop (hard)

Drag and drop the steps of a gNMI Subscribe RPC using the Python gRPC library into the correct order, from first to last.


Why this order

The correct order starts with generating gNMI protobuf stubs, then creating a gRPC channel and stub. Next, a SubscribeRequest is built with paths and mode, the Subscribe RPC is called, and finally responses are iterated from the stream.

142
Drag & Drop (medium)

Drag and drop the steps of MPLS VPN (L3VPN) service provisioning into the correct order, from first to last.


Why this order

First, the provider edge (PE) router must have IGP and LDP running in the core. Then the VRF is defined with route distinguisher and import/export RTs. The customer edge (CE) interface is placed into the VRF.

MP-BGP is configured between PEs to exchange VPNv4 routes. Finally, the CE routes are redistributed into the VRF and advertised via MP-BGP.

143
Multi-Select (medium)

Which two statements about Network Function Virtualization (NFV) architecture are true? (Choose two.)

Select 2 answers
A. NFV decouples network functions from proprietary hardware appliances.
B. NFV requires specialized ASICs to achieve line-rate performance.
C. Virtual Network Functions (VNFs) run on top of the NFV Infrastructure (NFVI).
D. The VNF Manager is solely responsible for resource orchestration across multiple VIMs.
E. NFV mandates the use of virtual machines and cannot use container-based deployments.
Answers: A, C

Correct because the core principle of NFV is to run network functions as software on standard servers, eliminating dependence on dedicated hardware.

Why this answer

NFV decouples network functions from dedicated hardware, running them as software on standard servers. The NFV Infrastructure (NFVI) includes compute, storage, and networking resources, while VNFs are the software implementations of network functions. Option A is correct because NFV indeed separates software from hardware.

Option C is correct because VNFs run on NFVI. Option B is incorrect because NFV does not require proprietary hardware; it uses standard servers. Option D is incorrect because the NFV Orchestrator handles lifecycle management, not just the VNF Manager.

Option E is incorrect because NFV can use both virtual machines and containers.

144
Multi-Select (medium)

Which two statements about Ansible inventory and variables are true? (Choose two.)

Select 2 answers
A. Variables defined in the inventory file override variables defined in group_vars/ for the same group.
B. The 'ansible_host' variable can be used to specify the IP address or FQDN for a managed node.
C. Host variables can be defined in the inventory file using the 'host_vars' directory.
D. Group variables can be stored in YAML files under the 'group_vars' directory.
E. Ansible facts are only gathered when the 'gather_facts: no' option is set in the playbook.
Answers: B, D

Correct: 'ansible_host' overrides the hostname in the inventory for connection purposes.

Why this answer

Group variables can be defined in group_vars/ files or directly in the inventory. Host variables can be set inline in the inventory or in host_vars/. The 'ansible_host' variable overrides the hostname for SSH connection.

Variables defined in playbooks override inventory variables. Ansible facts are gathered automatically unless disabled.

145
Matching (medium)

Drag and drop each ACL action on the left to its matching result on the right.


Matches

Packet is allowed to pass through the ACL

Packet is discarded and not forwarded

Adds a descriptive comment to the ACL entry

Generates a syslog message when a packet matches the entry

Assigns a numeric identifier to the ACL line for insertion/deletion

Why these pairings

Permit allows the packet; Deny discards the packet; Remark adds a comment; Log generates a log message for matched packets; Sequence-number assigns a line number for editing.

146
MCQ (medium)

A network engineer runs the following command on switch SW3:

SW3# show cts role-based permissions
IPv4 Role-based permissions:
Source Group   Dest Group   Action
10             20           PERMIT
10             30           DENY
20             30           PERMIT

Based on this output, what can be concluded?

A. Traffic from SGT 10 to SGT 20 is denied.
B. Traffic from SGT 10 to SGT 30 is permitted.
C. Traffic from SGT 20 to SGT 30 is permitted.
D. Traffic from SGT 30 to SGT 10 is denied.
Answer: C

The output shows PERMIT for source 20 to dest 30.

Why this answer

The output shows the role-based access control policies between SGTs. Traffic from SGT 10 to SGT 20 is permitted, from SGT 10 to SGT 30 is denied, and from SGT 20 to SGT 30 is permitted. This is a key part of TrustSec policy enforcement.

147
MCQ (medium)

Which BGP attribute is used as the first tie-breaker when multiple paths are available and the weight is equal?

A. Local preference
B. AS path length
C. Origin code
D. MED
Answer: A

Correct. After weight, local preference is the next attribute compared; higher is preferred.

Why this answer

BGP uses a multi-step path selection process. After comparing weight (highest wins), the next attribute is local preference (highest wins).

148
Matching (easy)

Drag and drop each protocol number on the left to its matching protocol on the right.


Matches

Internet Control Message Protocol (ICMP)

Transmission Control Protocol (TCP)

User Datagram Protocol (UDP)

Open Shortest Path First (OSPF)

Enhanced Interior Gateway Routing Protocol (EIGRP)

Why these pairings

Protocol 1 is ICMP, 6 is TCP, 17 is UDP, 89 is OSPF, 88 is EIGRP.

149
Matching (easy)

Drag and drop each Ansible task return value on the left to its matching meaning on the right.


Matches

The task made a change to the target system

The task completed successfully without making changes

The task encountered an error and did not complete

The task was not executed due to a condition (e.g., when clause)

The target host could not be reached via the connection method

Why these pairings

changed indicates a modification was made, ok means no change but success, failed means error, skipped means condition not met, and unreachable means host could not be contacted.

150
MCQ (hard)

A network engineer is troubleshooting an OSPF adjacency issue between two routers connected via a Frame Relay network. The adjacency is stuck in the 2WAY state. The engineer has verified that the routers are in the same area and have matching hello/dead intervals. What is the most likely cause?

A. The OSPF network type is non-broadcast and the neighbors are not manually configured.
B. The OSPF router priority is set to 0 on both routers.
C. The OSPF area ID is different.
D. The Frame Relay map is missing for the broadcast keyword.
Answer: A

Correct because in non-broadcast networks, OSPF neighbors must be manually configured; otherwise, the adjacency will remain in 2WAY.

Why this answer

In OSPF over Frame Relay, the default network type for physical interfaces is non-broadcast (NBMA). On an NBMA network, OSPF does not send multicast Hello packets; instead, neighbors must be manually configured using the 'neighbor' command. Without manual neighbor configuration, the routers will not proceed past the 2WAY state because they cannot form a full adjacency without explicit neighbor discovery.

Exam trap

The trap here is that candidates often assume the 2WAY state is normal or that it indicates a DR/BDR election issue, but in NBMA networks it specifically indicates that OSPF is not attempting to form a full adjacency because neighbors are not manually defined.

How to eliminate wrong answers

Option B is wrong because setting the router priority to 0 on both routers prevents one from becoming the DR/BDR, but the adjacency can still form and reach FULL state (it will be a 2-way adjacency with no DR/BDR election). Option C is wrong because the engineer has already verified that the routers are in the same area, so mismatched area IDs would cause the adjacency to get stuck in INIT or EXSTART, not 2WAY. Option D is wrong because the missing 'broadcast' keyword in the Frame Relay map would affect multicast forwarding, but on a non-broadcast network type, OSPF does not rely on multicast; the core issue is the lack of manual neighbor configuration, not the broadcast keyword.
