ENCOR 350-401 (350-401) — Questions 1501–1575

2015 questions total · 27 pages · All types, answers revealed

Page 21 of 27
1501
MCQ · hard

An engineer is configuring RSPAN to monitor traffic from multiple switches in a data center. The monitoring station is connected to a central switch. The engineer has configured an RSPAN VLAN (VLAN 999) on all switches and set up the source sessions on the remote switches. However, the monitoring station receives no traffic. On the central switch, the engineer verifies that the RSPAN VLAN is active and that the destination session is configured. What is a likely missing configuration?

A. The trunk ports between the switches do not have the RSPAN VLAN (999) in their allowed VLAN list.
B. The destination session on the central switch is configured with 'monitor session 2 destination remote vlan 999' instead of 'monitor session 2 destination interface Gi1/0/1'.
C. The source sessions on the remote switches are configured with 'monitor session 1 source vlan 100' but the destination is not set to 'remote vlan 999'.
D. The RSPAN VLAN is not created as a remote SPAN VLAN; it must be configured with the 'remote-span' command.
Answer: A

Correct; the RSPAN VLAN must be allowed on all trunk links to transport the mirrored traffic to the destination switch.

Why this answer

For RSPAN to work, the RSPAN VLAN must be allowed on all trunk links between the source switches and the destination switch. If the trunk ports do not have the RSPAN VLAN in their allowed list, the traffic will be dropped. Also, the RSPAN VLAN must not be pruned by VTP.

The correct answer is that the trunk ports between the switches are not configured to allow the RSPAN VLAN. Option B is incorrect because the destination session is already configured. Option C is incorrect because the source session is already configured.

Option D is incorrect because the RSPAN VLAN is active.

1502
Drag & Drop · medium

Drag and drop the steps of IP Source Guard binding and enforcement into the correct order, from first to last.


Why this order

IP Source Guard relies on the DHCP snooping binding table. It is enabled on an interface, and then the switch creates a PVACL based on the binding. When a packet arrives, the source IP is checked against the binding; if it matches, the packet is forwarded; otherwise, it is dropped.

1503
Multi-Select · medium

Which two statements about NFV performance considerations are true? (Choose two.)

A. SR-IOV allows a virtual function (VF) to be directly assigned to a VM, providing near-native network performance.
B. NUMA awareness is the primary technique to improve NFV packet processing performance.
C. DPDK provides a set of libraries and drivers for fast packet processing in user space, bypassing the kernel network stack.
D. Using a virtual switch with multiple bonded uplinks eliminates the need for any performance optimization.
E. NFV performance is inherently lower than physical appliances and cannot be improved.
Answers: A, C

Correct because SR-IOV enables direct assignment of PCIe functions to VMs, bypassing the hypervisor virtual switch and reducing latency.

Why this answer

NFV performance can be improved using various acceleration techniques. Single Root I/O Virtualization (SR-IOV) allows a physical NIC to be directly assigned to a VM, bypassing the hypervisor's virtual switch for better performance. Data Plane Development Kit (DPDK) provides a set of libraries for fast packet processing in user space.

Option A is correct because SR-IOV provides near-native performance. Option C is correct because DPDK accelerates packet processing. Option B is incorrect because NUMA awareness helps but is not the primary technique.

Option D is incorrect because vSwitch bonding does not eliminate the vSwitch overhead. Option E is incorrect because NFV performance can be optimized with software techniques.

1504
Matching · medium

Drag and drop each OSPF router role on the left to its matching function on the right.

Matches

Generates the Network LSA and maintains full adjacencies with all routers on the segment

Monitors the DR and assumes the DR role if the DR fails

Forms full adjacencies only with the DR and BDR

Connects multiple areas and advertises inter-area routes

Redistributes external routes into OSPF

Why these pairings

The DR (Designated Router) generates the Network LSA and manages LSDB synchronization on multiaccess networks. The BDR (Backup Designated Router) monitors the DR and takes over if the DR fails. DROTHERs form full adjacencies only with the DR and BDR, not with each other.

1505
Multi-Select · hard

Which three statements about Ansible modules for Cisco IOS-XE are true? (Choose three.)

A. The ios_config module supports idempotent configuration changes by comparing the desired state with the running configuration.
B. The ios_command module can be used to execute show commands and capture output for parsing.
C. The ios_facts module gathers only interface statistics from the device.
D. The ios_vlan module is used to create and delete VLANs on Cisco IOS devices.
E. The ios_lldp module can only enable LLDP globally, not on specific interfaces.
Answers: A, B, D

Correct: ios_config uses the 'lines' parameter and compares with running config to avoid unnecessary changes.

Why this answer

The ios_config module manages configuration snippets and supports idempotency via the 'lines' parameter. The ios_command module sends show commands and returns output. The ios_facts module gathers device facts.

The ios_vlan module is a dedicated resource module for VLANs. The ios_lldp module manages LLDP settings. Idempotency means applying the same config multiple times yields the same result.

1506
MCQ · medium

A network engineer is troubleshooting a DHCP issue where a client is not receiving an IP address from a Cisco router configured as a DHCP server. The engineer checks the DHCP pool configuration and sees that the network command is configured with the correct subnet. The engineer also verifies that the ip dhcp excluded-address command is not blocking any addresses. However, the client's DHCP discover message is not reaching the router. What is the most likely cause?

A. The router's interface is configured with the no ip forward-protocol udp bootps command.
B. The router's interface is not in the same VLAN as the client, and no ip helper-address is configured.
C. The DHCP pool is configured with the wrong default-router option.
D. The router's DHCP server is disabled globally with the no service dhcp command.
Answer: B

Correct because if the router is not directly connected to the client's VLAN, the DHCP broadcast will not reach the router unless a DHCP relay (ip helper-address) is configured on the client's VLAN interface.

Why this answer

DHCP uses broadcast messages. If the router's interface is not configured to receive broadcasts (e.g., due to a switched network with VLANs), the DHCP server may not see the client's request. However, the most common issue is that the interface is not configured with the ip dhcp server command or the interface is in a different VLAN without a helper address.

1507
Drag & Drop · medium

Drag and drop the steps of Wireless client IP address assignment via DHCP bridging into the correct order, from first to last.


Why this order

In DHCP bridging, the AP bridges the client's DHCP request to the wired network. The client first associates and sends a DHCP Discover broadcast. The AP bridges this frame to the wired VLAN.

The DHCP server responds with a DHCP Offer, which the AP bridges back to the client. The client then sends a DHCP Request, and the server sends a DHCP Ack to complete the assignment.

1508
MCQ · medium

Consider the following DHCP snooping configuration on a Cisco IOS-XE switch:

```
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet0/1
 ip dhcp snooping trust
!
interface GigabitEthernet0/2
 ip dhcp snooping limit rate 10
```

Which statement is true?

A. Gi0/1 is trusted for DHCP snooping, and Gi0/2 will drop DHCP packets exceeding 10 per second.
B. Gi0/2 is trusted and will forward all DHCP packets without rate limiting.
C. The switch will only snoop DHCP on VLAN 10, but rate limiting applies to all VLANs.
D. Gi0/1 will rate-limit DHCP packets to 10 per second.
Answer: A

Correct. Trusted ports are typically for DHCP servers; rate limit applies to untrusted ports.

Why this answer

DHCP snooping is enabled globally and for VLAN 10. Gi0/1 is trusted (typically uplink to DHCP server). Gi0/2 is untrusted and has a rate limit of 10 packets per second to prevent DHCP starvation.

1509
MCQ · medium

A network team is designing an SD-WAN overlay for a multinational enterprise with 500+ branch sites. The design must ensure that control plane traffic (e.g., OMP updates) is encrypted and authenticated between all vSmart controllers and vEdge routers, while allowing data plane traffic to use IPsec tunnels between branch sites directly. Which architectural element is responsible for orchestrating the initial authentication and certificate enrollment of all SD-WAN devices?

A. vManage
B. vSmart
C. vBond
D. vEdge
Answer: C

vBond acts as the orchestrator, authenticating devices and enabling them to join the SD-WAN overlay securely.

Why this answer

C is correct because the vBond orchestrator is the sole component responsible for initial authentication and certificate enrollment in Cisco SD-WAN. It acts as a trusted certificate authority (CA) proxy, validating the serial numbers and certificates of all vSmart controllers and vEdge routers before they join the overlay network. Without vBond, devices cannot establish trust or receive the authorized list of vSmart and vManage IP addresses.

Exam trap

Cisco often tests the misconception that vManage handles all management functions including authentication, but the trap here is that vBond is the dedicated orchestrator for initial trust and certificate enrollment, while vManage only manages the devices after they have been authenticated.

How to eliminate wrong answers

Option A is wrong because vManage is the management and monitoring plane, handling configuration templates, policies, and analytics, but it does not perform initial authentication or certificate enrollment. Option B is wrong because vSmart is the control plane controller that distributes OMP routes and policies, but it relies on vBond for initial trust and does not handle certificate issuance. Option D is wrong because vEdge is a data plane router that terminates IPsec tunnels and forwards traffic; it is a client in the authentication process, not the orchestrator of it.

1510
Drag & Drop · medium

Drag and drop the steps of STP path cost manipulation for load balancing into the correct order, from first to last.


Why this order

Path cost manipulation adjusts the cost of a port to influence root port selection and load balance traffic. The process starts by identifying the VLANs to load balance, then entering interface configuration, setting the port priority or cost, and verifying the new root port. Finally, traffic is distributed across multiple links.

1511
Multi-Select · medium

Which two statements about Cisco SD-Access fabric wireless integration are true? (Choose two.)

A. Wireless clients are assigned to the same virtual network (VN) as wired clients for consistent policy.
B. The wireless LAN controller in SD-Access must be a dedicated fabric role separate from the fabric edge.
C. CAPWAP tunnels are used between the access point and the fabric edge for data traffic.
D. The fabric uses a separate wireless overlay network for wireless traffic.
E. The access point encapsulates wireless traffic directly into VXLAN when the WLC is fabric-enabled.
Answers: A, E

Correct because SD-Access unifies wired and wireless policy by placing both types of endpoints into the same VN.

Why this answer

In SD-Access, wireless clients are mapped to the same virtual network (VN) as wired clients, enabling consistent policy. The wireless controller (WLC) can be deployed as a fabric edge or border, not as a separate dedicated role. The CAPWAP tunnel is only used between the AP and the WLC in the underlay; once the WLC is fabric-enabled, it uses VXLAN to the fabric edge.

The fabric does not require a separate wireless overlay; it uses the same VXLAN data plane. The AP does not encapsulate traffic directly into VXLAN; that is done by the fabric edge or the WLC.

1512
MCQ · medium

A company is deploying a virtualized router (CSR1000v) on VMware vSphere. The VNF must support high throughput and low latency. Which vSphere configuration option should the architect select to optimize network performance?

A. Use the default e1000 NIC driver.
B. Enable SR-IOV on the physical NIC and assign virtual functions to the VM.
C. Use the VMXNET3 paravirtualized NIC.
D. Configure the VM with multiple vCPUs and large memory.
Answer: B

SR-IOV provides near-native performance by direct hardware access.

Why this answer

SR-IOV (Single Root I/O Virtualization) allows a physical NIC to present multiple virtual functions (VFs) directly to a VM, bypassing the hypervisor's virtual switch. This reduces latency and CPU overhead, making it ideal for high-throughput, low-latency VNFs like the CSR1000v. Option B is correct because SR-IOV provides near-native performance by allowing the VM to directly access the NIC hardware.

Exam trap

Cisco often tests the misconception that VMXNET3 is the best performance option for all VNFs, but the trap here is that SR-IOV is required when the question explicitly demands 'high throughput and low latency' because it eliminates hypervisor overhead.

How to eliminate wrong answers

Option A is wrong because the default e1000 NIC driver is a fully emulated, legacy driver that introduces significant CPU overhead and poor performance, unsuitable for high-throughput VNFs. Option C is wrong because while VMXNET3 is a paravirtualized NIC that offers better performance than e1000, it still passes through the hypervisor's virtual switch, adding latency compared to SR-IOV's direct hardware access. Option D is wrong because simply adding more vCPUs and memory does not optimize network performance; it can even cause contention or scheduling overhead without addressing the I/O path bottleneck.

1513
Drag & Drop · medium

Drag and drop the steps of ACL reflexive access list (dynamic inspection) flow into the correct order, from first to last.


Why this order

Reflexive ACLs work by evaluating outbound traffic to create dynamic entries that allow return traffic. The order is: define extended ACL, apply outbound, define reflexive ACL, apply inbound, then the reflexive entry is created dynamically.

1514
MCQ · easy

What is the default native VLAN on a Cisco switch trunk port?

A. VLAN 1
B. VLAN 0
C. VLAN 1002
D. VLAN 4095
Answer: A

Correct. The default native VLAN is VLAN 1.

Why this answer

The default native VLAN on a Cisco switch trunk port is VLAN 1. The native VLAN is the VLAN that carries untagged traffic over a trunk link, and by default, all switch ports (including trunk ports) belong to VLAN 1. This is defined in the IEEE 802.1Q standard, which specifies that frames on the native VLAN are not tagged with a VLAN ID.

Exam trap

Cisco often tests knowledge of the default native VLAN; the trap is that candidates may confuse it with the management VLAN (also often VLAN 1) or assume that changing the native VLAN is required for trunking to work.

How to eliminate wrong answers

Option B is wrong because VLAN 0 is not a valid VLAN number; VLAN IDs range from 1 to 4094, with 0 and 4095 reserved for internal use (e.g., 802.1p priority tagging). Option C is wrong because VLAN 1002 is one of the default VLANs (1002-1005) reserved for legacy Token Ring and FDDI networks, not the native VLAN. Option D is wrong because VLAN 4095 is reserved for implementation-specific use (e.g., 'all VLANs' in some Cisco configurations) and is not a valid native VLAN.

1515
Matching · medium

Drag and drop each OSPF network type on the left to its matching DR election behavior on the right.

Matches

Elects DR and BDR; uses multicast Hello to 224.0.0.5

Elects DR and BDR; uses unicast Hello to configured neighbors

No DR/BDR election; uses multicast 224.0.0.5

No DR/BDR election; uses multicast 224.0.0.5

Always advertised as a /32 host route; no DR election

Why these pairings

Broadcast network type elects DR/BDR and uses multicast 224.0.0.5/6; Non-broadcast (NBMA) also elects DR/BDR but uses unicast; Point-to-point does not elect DR/BDR; Point-to-multipoint does not elect DR/BDR and uses multicast; Loopback interface is always advertised as a /32 host route regardless of configured mask.

1516
Matching · medium

Drag and drop each authentication mode on the left to its matching behavior on the right.

Matches

Allows traffic before authentication completes

Blocks all traffic until authentication succeeds

Permits traffic but logs authentication failures

Allows traffic when RADIUS server is unreachable

Supports one voice and one data device per port

Why these pairings

Open mode allows traffic before authentication, closed mode blocks until success, monitor mode logs but does not enforce.

1517
MCQ · hard

A network engineer runs the following command on Router R3:

```
R3# show dmvpn
Legend: Attrb -> S: Static, D: Dynamic, I: Incomplete
        N: NATed, L: Local, X: No Socket
        # Ent -> Number of NHRP entries with same NBMA peer
        NHS Status: E => Expecting Replies, R => Responding, W => Waiting
        UpDn Time -> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.168.1.1         10.0.0.1    UP 00:12:34     D
     1 192.168.1.2         10.0.0.2    UP 00:10:20     D
```

Based on this output, what can be concluded?

A. This router is a spoke in the DMVPN network.
B. There are two active spoke routers connected to this hub.
C. The tunnel interface is down because no peers are listed.
D. The router is using static NHRP mappings for all peers.
Answer: B

Two peers are listed with UP state, both dynamically registered, indicating two active spokes.

Why this answer

The output shows a DMVPN hub with two spoke peers (10.0.0.1 and 10.0.0.2) both in UP state. The 'D' attribute indicates they are dynamically learned, which is normal for spokes. The hub has two active NHRP peers.

1518
MCQ · medium

Consider the following partial configuration for QoS on a Cisco IOS-XE router:

```
class-map match-all VOICE
 match ip dscp ef
!
policy-map QOS_POLICY
 class VOICE
  priority 1000
 class class-default
  fair-queue
!
interface GigabitEthernet0/0
 service-policy output QOS_POLICY
```

What is the effect of the 'priority 1000' command under class VOICE?

A. Voice traffic is placed in a strict priority queue with a bandwidth limit of 1000 kbps.
B. Voice traffic is given a minimum bandwidth guarantee of 1000 kbps but no priority.
C. Voice traffic is dropped if it exceeds 1000 kbps.
D. Voice traffic is shaped to 1000 kbps.
Answer: A

The priority command creates a low-latency queue with a rate limit.

Why this answer

The 'priority' command in a policy-map provides strict priority queuing (low-latency queue) for the matching traffic, with a bandwidth guarantee of 1000 kbps. This ensures that voice traffic (marked with DSCP EF) is serviced before other traffic, up to the specified rate.

1519
MCQ · medium

An enterprise is replacing its legacy Frame Relay WAN with MPLS L3VPN. The new MPLS provider assigns a single VRF to the customer. The customer's CE routers are running BGP with the provider's PE routers. The engineer notices that the CE routers can ping the PE loopback addresses but cannot reach remote CE loopbacks. The BGP sessions are established and routes are received. What is the most likely cause?

A. The CE router is not configured with 'no bgp default ipv4-unicast'.
B. The PE router is not sending the customer routes to the remote CE because the next-hop is set to the local PE's loopback, which is reachable, but the remote PE is not advertising the routes due to a route-target mismatch.
C. The CE router is not advertising its own loopback into BGP, so the remote CE does not have a route to it.
D. The PE router is not disabling BGP next-hop-self for the VRF, so the routes advertised to the CE have the remote CE's IP as the next-hop, which is not reachable from the local CE.
Answer: D

Correct. In MPLS L3VPN, the PE should set next-hop-self when advertising routes to the CE so that the CE uses the PE as the next hop. If not, the CE will try to reach the remote CE directly, which is not possible over the MPLS network.

Why this answer

In MPLS L3VPN, the PE router must advertise the customer routes with the correct next-hop (usually the PE's own address) and the MPLS labels must be properly distributed. However, the most common issue when CE can ping PE but not remote CE is that the PE is not advertising the customer routes back to the remote CE because of BGP next-hop processing or route-target filtering.

1520
Drag & Drop · medium

Drag and drop the steps of EIGRP DUAL route computation into the correct order, from first to last.


Why this order

EIGRP DUAL first identifies feasible successors via reported distance, then selects the best path as successor. If the successor fails, it checks feasible successors; if none exist, it goes active and queries neighbors. After replies, it computes a new successor.

1521
Drag & Drop · medium

Drag and drop the steps of DSCP-to-CoS mapping at LAN boundary into the correct order, from first to last.


Why this order

At the LAN boundary (switch port), DSCP is mapped to CoS for 802.1Q trunking. The order ensures proper trust, mapping, and queuing for consistent QoS across the campus network.

1522
Multi-Select · medium

Which two statements about DTP (Dynamic Trunking Protocol) are true? (Choose two.)

A. DTP is a Cisco proprietary protocol.
B. The default switchport mode on a Cisco Catalyst switch is dynamic desirable.
C. DTP frames are sent continuously on a trunk port to maintain the trunk.
D. The 'switchport nonegotiate' command enables DTP on an interface.
E. DTP supports both 802.1Q and ISL trunking encapsulation.
Answers: A, B

DTP is indeed Cisco proprietary and is not standardized in IEEE 802.1Q.

Why this answer

DTP is a Cisco proprietary protocol used to negotiate trunking between switches. The default mode on Cisco switches is dynamic desirable, which will actively try to form a trunk. DTP frames are sent only over access ports when trunking is being negotiated, but not over trunk ports once the trunk is established.

The 'switchport nonegotiate' command disables DTP, and trunk formation then relies on manual configuration.

1523
Drag & Drop · medium

Drag and drop the steps of DMVPN Phase 3 spoke-to-spoke shortcut creation into the correct order, from first to last.


Why this order

In DMVPN Phase 3, when a spoke needs to reach another spoke, it first sends traffic to the hub. The hub forwards the packet with an NHRP redirect. The source spoke then sends an NHRP resolution request to the hub to get the destination spoke's NBMA address.

The hub replies with the mapping, and the source spoke dynamically builds a direct mGRE tunnel to the destination spoke.

1524
Multi-Select · hard

Which three statements about RSPAN are true? (Choose three.)

A. The RSPAN VLAN must be allowed on all trunk links between the source and destination switches.
B. The RSPAN VLAN can be used for normal data traffic if needed.
C. On the destination switch, the RSPAN destination port is placed into the RSPAN VLAN.
D. RSPAN supports egress mirroring on the source switch.
E. The RSPAN VLAN must be configured on all switches in the path between source and destination.
Answers: A, C, E

Correct because the RSPAN VLAN carries mirrored traffic across the network and must be permitted on all intermediate trunks.

Why this answer

RSPAN uses a dedicated VLAN that must be allowed on trunk links between switches. The RSPAN VLAN should not be used for any other traffic. The destination port on the remote switch is placed in the RSPAN VLAN.

RSPAN does not support egress mirroring on the source switch (only ingress). The RSPAN VLAN does not participate in STP normally, but it can be configured to do so.

1525
MCQ · medium

Review the following configuration:

```
router bgp 65000
 bgp router-id 10.0.0.1
 neighbor 10.0.0.2 remote-as 65000
!
```

Which statement about this configuration is true?

A. This is an iBGP session because the remote AS matches the local AS.
B. This is an eBGP session because the neighbor IP is in a different subnet.
C. The router will automatically set next-hop-self for routes sent to this neighbor.
D. The configuration is invalid because iBGP requires a loopback interface.
Answer: A

Correct. When remote-as equals the local AS, it is iBGP.

Why this answer

This configuration establishes an iBGP session because the local AS number (65000) matches the remote AS number (65000). In BGP, when both routers share the same AS, the session is classified as internal BGP (iBGP), regardless of the IP addressing scheme used.

Exam trap

Cisco often tests the distinction between iBGP and eBGP based solely on AS numbers, leading candidates to mistakenly think subnet differences or interface types determine the session type.

How to eliminate wrong answers

Option B is wrong because eBGP is defined by different AS numbers, not by subnet differences; iBGP can operate between neighbors in different subnets. Option C is wrong because next-hop-self is not automatically set for iBGP neighbors; it must be explicitly configured with the 'neighbor x.x.x.x next-hop-self' command. Option D is wrong because iBGP does not require a loopback interface; while loopbacks are commonly used for stability, the configuration is valid with any interface IP.

1526
MCQ · medium

Review the following configuration:

```
vrf definition CUSTOMER_A
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100
!
interface GigabitEthernet0/4
 vrf forwarding CUSTOMER_A
 ip address 192.168.100.1 255.255.255.0
!
router bgp 65000
 address-family ipv4 vrf CUSTOMER_A
  redistribute connected
```

What is the purpose of the 'redistribute connected' command under the VRF address-family?

A. It advertises the directly connected network of GigabitEthernet0/4 into BGP for VRF CUSTOMER_A.
B. It redistributes all BGP routes into the VRF's routing table.
C. It enables BGP to exchange routes with other VRFs on the same router.
D. It is used to leak routes between VRF CUSTOMER_A and the global routing table.
Answer: A

Correct. This redistributes the connected subnet into BGP for the VRF.

Why this answer

The 'redistribute connected' command under the BGP address-family for VRF CUSTOMER_A injects the directly connected network on GigabitEthernet0/4 (192.168.100.0/24) into the BGP table for that VRF. This allows BGP to advertise that subnet to BGP peers within the VRF, enabling reachability to the VRF's local interface network.

Exam trap

Cisco often tests the misconception that 'redistribute connected' in a VRF context applies to all connected interfaces globally, when in fact it only applies to interfaces assigned to that specific VRF.

How to eliminate wrong answers

Option B is wrong because 'redistribute connected' injects directly connected routes into BGP, not the other way around; BGP routes are not redistributed into the VRF routing table by this command. Option C is wrong because BGP does not exchange routes between VRFs on the same router unless explicit route leaking (e.g., using import/export RTs or VRF-lite) is configured, and this command does not enable inter-VRF exchange. Option D is wrong because leaking routes between a VRF and the global routing table requires additional configuration (e.g., route-target import/export between VRF and global, or using 'network' commands with a route-map), not simply redistributing connected routes under the VRF address-family.

1527
MCQ · medium

A network engineer runs the following command on switch SW5:

```
SW5# show cts sxp connections
SXP Connections:
Peer IP      Source IP    Conn Status  Duration
10.1.1.1     10.1.1.2     Up           2d3h
10.1.1.3     10.1.1.2     Down         0d0h
```

Based on this output, what can be concluded?

A. Both SXP connections are operational.
B. The SXP connection to 10.1.1.1 has been up for 2 days and 3 hours.
C. The switch is using 802.1X for authentication.
D. The SXP connection to 10.1.1.3 is up.
Answer: B

The output shows Up and duration 2d3h for peer 10.1.1.1.

Why this answer

The output shows SXP connections. One connection to 10.1.1.1 is up for 2 days and 3 hours, while another to 10.1.1.3 is down. This indicates that SGT mapping exchange is active with 10.1.1.1 but not with 10.1.1.3.

1528
Drag & Drop · medium

Drag and drop the steps of Wireless client IP address assignment via DHCP bridging into the correct order, from first to last.


Why this order

In DHCP bridging, the client first associates and authenticates. The AP then bridges the DHCP Discover from the client to the wired network. The DHCP server replies with Offer, the client sends Request, and the server sends Ack, completing the process.

1529
MCQ · medium

A network architect is designing an SD-Access fabric for a large enterprise campus. The design must support segmentation at Layer 2 and Layer 3 across the fabric, using a centralized control plane and policy enforcement. Which two protocols are essential for the SD-Access overlay to meet these requirements?

A. LISP and VXLAN
B. MP-BGP and MPLS
C. OSPF and GRE
D. IS-IS and NVGRE
Answer: A

LISP provides the control plane and VXLAN provides the data plane encapsulation for the overlay.

Why this answer

LISP (Locator/ID Separation Protocol) provides the centralized control plane for endpoint identity-to-location mapping and policy-based forwarding, while VXLAN (Virtual Extensible LAN) supplies the data-plane encapsulation needed for Layer 2 and Layer 3 segmentation across the underlay. Together, they enable scalable overlay segmentation with a centralized policy enforcement point in SD-Access.

Exam trap

Cisco often tests the misconception that MPLS or EVPN is the required overlay for SD-Access, but the exam specifically expects LISP and VXLAN as the essential protocols for the fabric overlay.

How to eliminate wrong answers

Option B is wrong because MP-BGP and MPLS are used in MPLS VPN architectures (e.g., L3VPN/EVPN) but are not the essential overlay protocols for Cisco SD-Access; SD-Access uses LISP for control plane and VXLAN for data plane, not MPLS. Option C is wrong because OSPF and GRE provide only basic routing and tunneling without the centralized control plane or segmentation capabilities required; GRE lacks the multi-tenant VNI-based segmentation that VXLAN offers. Option D is wrong because IS-IS is an underlay routing protocol and NVGRE is a Microsoft-proprietary overlay that does not integrate with Cisco’s SD-Access fabric; SD-Access specifically requires LISP and VXLAN.

1530
MCQ (medium)

Examine the following partial Cisco IOS-XE configuration:

interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 ip access-group ACL_IN in
 spanning-tree portfast

What is the effect of this configuration?

A.The port will immediately transition to forwarding state, reducing STP convergence time for end hosts.
B.The port will become a trunk port and participate in VLAN trunking.
C.The port will use Rapid PVST+ and immediately forward after a link failure.
D.The port will block all inbound traffic due to the ACL.
Answer: A

spanning-tree portfast on an access port causes immediate forwarding, as intended for host ports.

Why this answer

The configuration enables PortFast on an access port, allowing it to transition directly to forwarding state, bypassing the listening and learning phases. This is commonly used for end-host ports to avoid delays caused by spanning-tree convergence.

1531
MCQ (easy)

What is the default IKEv1 (ISAKMP) lifetime in seconds on Cisco IOS routers?

A.3600 seconds
B.86400 seconds
C.28800 seconds
D.7200 seconds
Answer: B

The default ISAKMP lifetime is 86400 seconds (24 hours).

Why this answer

The default IKEv1 lifetime is 86400 seconds (1 day). This can be changed with the 'lifetime' command under the ISAKMP policy.

1532
Drag & Drop (medium)

Drag and drop the steps of adding a new VLAN to a trunk link into the correct order, from first to last.

Why this order

First, create the VLAN globally on the switch. Then, verify the VLAN exists. Next, ensure the trunk allows that VLAN.

After that, check the trunk's allowed VLAN list. Finally, test connectivity for hosts in the new VLAN.

1533
Matching (medium)

Drag and drop each congestion avoidance mechanism on the left to its method on the right.

Drops all packets when queue is full

Random early detection based on average queue depth

Weighted random early detection using IP precedence or DSCP

No selective drop before congestion

Drops packets with lower priority more aggressively

Why these pairings

Tail-drop drops all packets when queue is full. RED randomly drops packets before congestion. WRED uses IP precedence or DSCP to vary drop probability.

1534
MCQ (medium)

A network engineer is configuring 802.1X on a Cisco Catalyst 9300 switch for a wired network. The engineer wants to allow devices that do not support 802.1X (e.g., printers) to still access the network using MAB (MAC Authentication Bypass). The engineer configures the interface with 'authentication port-control auto', 'dot1x pae authenticator', and 'mab'. However, after connecting a printer, the switch logs show 'MAB failed' repeatedly. The printer's MAC address is in the RADIUS server database. What is the most likely cause?

A.The RADIUS server is not configured to accept MAC addresses in the format sent by the switch (e.g., with dots or colons).
B.The switch is not configured with 'dot1x timeout tx-period' to initiate MAB.
C.The interface is configured as 'switchport mode trunk', which does not support MAB.
D.The printer is not responding to EAP-Request/Identity packets.
Answer: A

Correct because MAB uses the MAC address as credentials; format mismatch causes failure.

Why this answer

MAB requires the switch to send a MAC address as the username and password. If the RADIUS server does not accept the format, authentication fails. Option A is correct because the RADIUS server must be configured to accept MAC addresses in the format sent by the switch (e.g., 'aaaa.bbbb.cccc').

Option B is incorrect because MAB does not require EAP. Option C is incorrect because the switchport mode does not affect MAB. Option D is incorrect because the printer does not support 802.1X, so it cannot respond to EAP.

1535
MCQ (medium)

An engineer is troubleshooting an EIGRP convergence issue in a network with redundant links. The engineer notices that when a primary link fails, the backup link takes over immediately, but the routing table shows the route with a higher metric. The engineer wants to ensure that the backup link is used only when the primary fails, and that traffic is not load-balanced. The engineer has configured 'variance 2' on all routers. What is the most likely effect of this configuration?

A.The variance 2 command causes EIGRP to install only the best metric route, so the backup link is not used.
B.The variance 2 command causes EIGRP to install both the primary and backup routes, resulting in unequal-cost load balancing.
C.The variance 2 command has no effect on route installation; it only affects the feasible successor selection.
D.The variance 2 command is used for equal-cost load balancing only.
Answer: B

Correct. With variance 2, if the backup route's metric is within twice the best metric, it will be installed and used for load balancing, which the engineer does not want.

Why this answer

The 'variance 2' command in EIGRP allows the router to install multiple routes to the same destination network in the routing table, even if their metrics are not equal, as long as the metric of the alternate route is within the variance multiplier (2x) of the best metric (the feasible distance). Since the backup link has a higher metric but is within the variance, EIGRP installs both routes, causing unequal-cost load balancing. This explains why the backup link is actively used for traffic, contrary to the engineer's desire to use it only as a failover.

Exam trap

Cisco often tests the misconception that 'variance' only affects feasible successor selection or that it is used for equal-cost load balancing, when in fact it directly controls the installation of multiple unequal-cost paths into the routing table.

How to eliminate wrong answers

Option A is wrong because the 'variance 2' command does not restrict EIGRP to only the best metric route; it explicitly allows additional routes with higher metrics to be installed. Option C is wrong because the variance command directly affects route installation by allowing multiple routes into the routing table, not just feasible successor selection (which is controlled by the feasibility condition and the 'metric' command). Option D is wrong because the variance command is specifically designed for unequal-cost load balancing, not equal-cost load balancing (which is the default behavior without variance).

1536
Matching (medium)

Drag and drop each SPAN type on the left to its correct scope description on the right.

Mirrors traffic on the same switch where the source and destination ports reside.

Mirrors traffic to a destination on a different switch using a dedicated VLAN.

Mirrors traffic to a destination reachable via Layer 3 using GRE encapsulation.

Receives the mirrored traffic and should be configured as a monitor session port.

The port whose traffic is being copied for monitoring.

Why these pairings

Local SPAN mirrors traffic on the same switch; RSPAN extends mirroring across switches using a dedicated VLAN; ERSPAN encapsulates mirrored packets in GRE for routing over Layer 3 networks.

1537
Drag & Drop (medium)

Drag and drop the steps of IP SLA with threshold and reaction configuration into the correct order, from first to last.

Why this order

First, define the IP SLA operation with a type and target. Then set the threshold values for the monitored metric. Next, configure the reaction to trigger on threshold violation.

After that, schedule the operation to start. Finally, verify the configuration to ensure it works.

1538
MCQ (hard)

A network engineer runs the following command on Router R1:

R1# show ip eigrp traffic
EIGRP-IPv4 Traffic Statistics for AS(100)
  Hellos sent/received: 1000/950
  Updates sent/received: 45/40
  Queries sent/received: 2/3
  Replies sent/received: 3/2
  Acks sent/received: 50/48
  Input queue high water mark: 1
  Input queue depth: 0
  Total packets sent: 1100
  Total packets received: 1043

Based on this output, what can be concluded?

A.The router has experienced many route flaps.
B.The network is stable with few topology changes.
C.The router is using EIGRP stub to suppress queries.
D.There is a high packet loss on the network.
Answer: B

Low query and reply counts indicate stable topology.

Why this answer

The output shows a very low number of EIGRP Queries (2 sent, 3 received) and Replies (3 sent, 2 received), which indicates that the network has experienced very few topology changes. A stable EIGRP network with minimal route flaps will have a high ratio of Hellos to Updates/Queries, as seen here (1000 Hellos vs. 45 Updates). Therefore, the network is stable with few topology changes, making option B correct.

Exam trap

Cisco often tests the misconception that a high number of Hellos indicates instability or that a small difference between sent and received packets automatically means packet loss, when in fact EIGRP Hellos are sent unreliably (multicast) and may be lost without retransmission, so a small discrepancy is normal.

How to eliminate wrong answers

Option A is wrong because route flaps would generate a high number of Updates and Queries, but the output shows only 45 Updates sent and 2 Queries sent, which is very low. Option C is wrong because the output does not show any evidence of EIGRP stub configuration; stub routers suppress queries entirely, but here queries are still being sent and received (2 sent, 3 received), indicating stub is not in use. Option D is wrong because packet loss would be reflected in a mismatch between sent and received packets (e.g., Hellos sent 1000 vs. received 950 is a 5% difference, which is normal for EIGRP due to timing and multicast delivery, not indicative of high loss; total sent 1100 vs. received 1043 is a 5.2% difference, which is typical in a healthy network).

1539
MCQ (medium)

An engineer is troubleshooting multicast performance issues. The network uses PIM sparse mode with a static RP. The engineer notices that the multicast traffic from a source to a group is taking a suboptimal path, causing high latency. The engineer checks the multicast routing table on the last-hop router and sees that the (S,G) entry has an incoming interface that is not the shortest path to the source. What is the most likely reason for this suboptimal path?

A.The last-hop router has not yet switched to the SPT.
B.The RP is not configured as the DR on its segment.
C.The multicast source is using a different group address.
D.The last-hop router has a higher metric to the source than to the RP.
Answer: A

Correct because the default behavior is to switch to the SPT after the first packet, but if disabled or delayed, the shared tree is used.

Why this answer

In PIM sparse mode, the last-hop router initially joins the shared tree toward the RP. After receiving the first packet, it can optionally switch to the shortest path tree (SPT) by sending a join toward the source. If the SPT switchover is disabled or delayed, the traffic continues to use the shared tree, which may be suboptimal.

1540
MCQ (medium)

In BGP best path selection, which of the following is compared first?

A.Highest weight
B.Highest local preference
C.Shortest AS-path
D.Lowest MED
Answer: A

Correct. Weight is the first attribute compared in BGP best path selection.

Why this answer

BGP best path selection begins by comparing the weight attribute, which is Cisco-proprietary and local to the router. The path with the highest weight is preferred first, making option A correct. Weight is evaluated before any other BGP attribute, including local preference, AS-path length, and MED.

Exam trap

Cisco often tests the exact order of BGP path selection attributes, and the trap here is that candidates mistakenly think local preference or AS-path length is the first comparison, because those are more commonly discussed in multi-AS designs, but weight always comes first in Cisco's implementation.

How to eliminate wrong answers

Option B is wrong because highest local preference is compared after weight, not first. Option C is wrong because shortest AS-path is the third attribute compared, after weight and local preference. Option D is wrong because lowest MED is compared after AS-path length (and other attributes like origin type) in the BGP decision process.

1541
Multi-Select (hard)

Which three statements about Cisco TrustSec SGT propagation and enforcement are true? (Choose three.)

Select 3 answers
A.SGTs can be propagated between network devices using the SXP protocol over a TCP connection.
B.Inline tagging inserts the SGT into the Ethernet frame header between the source and destination MAC addresses.
C.The enforcement device uses the SGT to make forwarding decisions based on the destination IP address.
D.When a packet traverses a TrustSec domain, the SGT can be rewritten by intermediate devices.
E.SGTs allow the enforcement of security policies based on the identity of the source, regardless of IP address.
Answers: A, B, E

Correct because SXP (SGT Exchange Protocol) uses TCP (port 64999) to exchange SGT-to-IP mappings between devices that do not support inline tagging.

Why this answer

SGTs can be propagated via SXP (a TCP-based protocol) or inline tagging. SXP uses a TCP connection to exchange SGT-to-IP mappings. Inline tagging inserts the SGT into the Ethernet frame.

The enforcement device (e.g., a firewall or switch) uses the SGT to apply policy, not to rewrite the tag. SGTs are not used for routing decisions.

1542
Matching (medium)

Drag and drop each YANG module on the left to its matching data category on the right.

OpenConfig interface model

Cisco native device configuration

IETF standard interface model

OpenConfig BGP model

Cisco native BGP configuration

Why these pairings

OpenConfig modules provide vendor-neutral models, Cisco-IOS-XE-native provides Cisco-specific native config, and ietf-interfaces is an IETF standard.

1543
Matching (medium)

Drag and drop each container technology on the left to its matching orchestration tool on the right.

Kubernetes

OpenShift

Multi-container local orchestration

HashiCorp orchestrator

Container runtime used by Kubernetes

Why these pairings

Docker containers are orchestrated by Docker Swarm or Kubernetes (Kubernetes is the most common). Kubernetes is itself an orchestration tool for containers (including Docker). OpenShift is Red Hat’s Kubernetes-based platform.

Docker Compose is used for multi-container local development. Nomad is HashiCorp’s orchestrator for containers and other workloads.

1544
MCQ (medium)

Given the configuration:

interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 10-20
!
interface GigabitEthernet0/1
 switchport mode trunk
 channel-group 1 mode passive
!
interface GigabitEthernet0/2
 switchport mode trunk
 channel-group 1 mode passive

What is missing for this EtherChannel to form with a neighbor that uses LACP active?

A.The member interfaces must also have the 'switchport trunk allowed vlan 10-20' command.
B.The port-channel interface must be configured with 'channel-group 1' to associate the member ports.
C.Nothing is missing; the configuration is valid and the EtherChannel will form with the neighbor.
D.The member interfaces must use LACP active mode to form the channel.
Answer: C

Correct. The configuration is complete and consistent.

Why this answer

The configuration uses LACP passive on both member interfaces. For LACP to negotiate, at least one side must be active; the neighbor is active, so the channel will form.

The 'switchport trunk allowed vlan 10-20' command is applied only to the port-channel interface, not to the member ports. That is correct: configuration applied to the port-channel interface applies to the channel as a whole, and member ports that are not configured individually inherit it. A common issue is that member ports that are configured individually must carry the same allowed VLAN list as the port-channel, but here they are not configured individually, so there is no mismatch.

Nothing is missing, so the configuration is valid and the EtherChannel will form.

1545
Multi-Select (medium)

Which two statements about EtherChannel load balancing are true? (Choose two.)

Select 2 answers
A.The default load-balancing method on Cisco switches is typically based on source MAC address.
B.Load balancing is performed on a per-packet basis to evenly distribute traffic across all links.
C.The load-balancing algorithm can be changed to use both source and destination IP addresses.
D.The load-balancing method applies only to inbound traffic on the EtherChannel.
E.Load balancing can be based on Layer 4 port numbers without also using IP addresses.
Answers: A, C

Correct because many Cisco switches default to src-mac for Layer 2 EtherChannels.

Why this answer

EtherChannel load balancing can use source and/or destination MAC or IP addresses to determine which physical link to use for a given frame. The default method varies by platform but often uses source MAC. The hash is computed per frame, not per packet, and the algorithm is deterministic for a given flow to prevent reordering.

1546
MCQ (easy)

A network engineer configures IP SLA 40 to monitor the reachability of a server at 10.1.1.1 using ICMP echo. The operation is used as a track object for a static route. The engineer notices that the IP SLA operation shows 'State: Active' and 'Latest RTT: 10 ms', but the track object shows 'Track 40: down'. The engineer checks the track configuration and sees 'track 40 ip sla 40 reachability'. What is the most likely cause?

A.The IP SLA operation has a threshold configured that is lower than the RTT, causing the operation to be marked as 'down'.
B.The track object must be configured with 'ip sla 40 state' instead of 'reachability' to match the operation state.
C.The IP SLA operation is not configured with a 'frequency', so it only runs once and then goes down.
D.The static route is configured with a higher administrative distance, causing the track object to go down.
Answer: A

Correct. If a threshold is configured and the RTT exceeds it, the IP SLA operation transitions to a 'down' state, which then causes the track object to go down.

Why this answer

The track object is configured to track reachability, which means it checks if the IP SLA operation is in a 'down' state. However, if the IP SLA operation is active, the track object should be up. The most likely cause is that the IP SLA operation is configured with a threshold that is being exceeded, causing the operation to be considered 'down' even though it is active.

1547
Matching (hard)

Drag and drop each RESTCONF method on the left to its equivalent NETCONF operation on the right.

get-config (retrieves data)

edit-config with operation create

edit-config with operation replace

edit-config with operation merge

edit-config with operation delete

Why these pairings

Correct pairings: GET retrieves data (like get-config); POST creates a resource (like edit-config with operation create); PUT replaces a resource (like edit-config with operation replace); PATCH partially updates (like edit-config with operation merge); DELETE removes a resource (like edit-config with operation delete).

1548
Drag & Drop (medium)

Drag and drop the steps of STP portfast and BPDU guard configuration into the correct order, from first to last.

Why this order

PortFast is configured on an access port to immediately transition to forwarding. BPDU guard is then enabled to protect against rogue BPDUs. The configuration is applied at the interface level, and verification ensures the port is in forwarding state.

If a BPDU is received, BPDU guard errdisables the port.

1549
MCQ (medium)

A network engineer runs the following command on Router R1:

R1# show ip sla summary
IPSLAs Latest Operation Summary
Codes: * active, ^ inactive, ~ pending

ID   Type        Destination     Stats     Return Code   Last
1    icmp-echo   192.168.1.10    Success   OK            1
2    icmp-echo   192.168.1.20    Success   OK            2
3    udp-jitter  192.168.1.30    Success   OK            3
*4   icmp-echo   192.168.1.40    Success   OK            10

Based on this output, what can be concluded?

A.All IP SLA operations are active.
B.IP SLA operation 4 is currently active.
C.IP SLA operation 3 has failed.
D.IP SLA operation 1 has the highest round-trip time.
Answer: B

The asterisk next to ID 4 indicates it is active.

Why this answer

The asterisk (*) next to ID 4 indicates that this IP SLA operation is currently active. The other operations are not marked as active, meaning they are either configured but not running or have been stopped.

1550
Drag & Drop (medium)

Drag and drop the steps of Syslog severity filtering and rate-limiting configuration into the correct order, from first to last.

Why this order

First enable logging, then set severity, then configure rate-limiting, then buffer, and finally verify.

1551
Matching (medium)

Drag and drop each IP SLA operation type on the left to its measured metric on the right.

Round-trip time

Delay, jitter, and packet loss

Connection setup time

Page load time

Resolution time

Why these pairings

ICMP echo measures round-trip time; UDP jitter measures delay, jitter, and packet loss; TCP connect measures connection setup time; HTTP measures page load time; DNS measures resolution time.

1552
Drag & Drop (medium)

Drag and drop the Ansible Vault encryption and decryption steps into the correct order, from first to last.

Why this order

To use Ansible Vault, you first create a password file, then encrypt a plaintext file, optionally edit it while encrypted, and finally decrypt it when needed, with the playbook referencing the vault password at runtime.

1553
Multi-Select (medium)

Which two statements about the Cisco QoS trust boundary are true? (Choose two.)

Select 2 answers
A.The trust boundary can be set at the access layer switch port connected to an IP phone.
B.The 'mls qos trust cos' command configures the interface to trust the Layer 2 CoS value.
C.By default, all Cisco switch interfaces trust the incoming CoS or DSCP marking.
D.The trust boundary is always located at the distribution layer switch.
E.When a PC is connected to a switch port, the switch automatically trusts the DSCP value from the PC.
Answers: A, B

Correct because the trust boundary is typically configured at the access layer, and can be extended to the IP phone to mark traffic from the PC.

Why this answer

The trust boundary defines where the device accepts or overwrites Layer 2 CoS or Layer 3 DSCP markings. By default, Cisco switches trust the CoS value on trunk ports and set DSCP to 0 on access ports. The 'mls qos trust cos' command forces the switch to trust CoS, and 'mls qos trust dscp' forces trust of DSCP.

The trust boundary can be extended to an IP phone, which then re-marks traffic from the PC. Option C is incorrect because trust is not automatically applied to all interfaces; it must be configured. Option D is incorrect because the trust boundary is at the access layer, not the core.

Option E is incorrect because the switch does not automatically trust DSCP from a PC; it typically sets it to 0 unless configured otherwise.

1554
Matching (medium)

Drag and drop each STP port state on the left to its matching function on the right.

Discards frames and listens for BPDUs

Listens for BPDUs only, no MAC learning

Learns MAC addresses but does not forward frames

Forwards frames and learns MAC addresses

Administratively shut down, no participation

Why these pairings

Blocking discards frames and listens for BPDUs; Listening listens for BPDUs only; Learning learns MAC addresses but does not forward; Forwarding sends and receives frames; Disabled is administratively down.

1555
Matching (medium)

Drag and drop each PIM mode on the left to its matching traffic distribution method on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Uses explicit join messages to build a shared tree

Floods multicast traffic on all interfaces, then prunes unwanted branches

Builds shortest path trees from source to receivers

Uses a shared tree with no source-specific state

Operates in sparse mode by default, but allows dense mode per group

Why these pairings

PIM Sparse Mode uses explicit join to build a shared tree; Dense Mode floods initially then prunes; Source-Specific Mode uses shortest path trees from source; Bidirectional PIM uses a shared tree with no source-specific state.

1556
MCQ (hard)

A network engineer runs the following command on Switch SW7:

SW7# show interfaces port-channel 1
Port-channel1 is up, line protocol is up (connected)
  Hardware is EtherChannel, address is aaaa.bbbb.cccc (bia aaaa.bbbb.cccc)
  Description: Link to Core
  Internet address is 192.168.1.1/30
  MTU 1500 bytes, BW 2000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, link type is auto, media type is unknown
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 1000 bits/sec, 2 packets/sec
  5 minute output rate 500 bits/sec, 1 packets/sec
     12345 packets input, 1234567 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     67890 packets output, 9876543 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

Based on this output, what can be concluded?

A.The port-channel is a Layer 2 interface because it has an IP address.
B.The bandwidth of 2 Gbps suggests that two 1 Gbps links are aggregated.
C.The interface is experiencing input errors due to CRC errors.
D.The port-channel is operating at half-duplex.
Answer: B

The bandwidth is 2000000 Kbit/sec, which is 2 Gbps, typical for two 1 Gbps links.

Why this answer

The output shows that Port-channel1 is up with an IP address (192.168.1.1/30), indicating it is a Layer 3 interface. The bandwidth is 2 Gbps (2000000 Kbit/sec), which suggests that two 1 Gbps links are aggregated. The interface has no errors and low utilization.

The correct answer is that the port-channel is a Layer 3 interface with an aggregated bandwidth of 2 Gbps.

1557
MCQ (medium)

An architect is designing an SD-Access fabric for a campus network that must support dynamic endpoint grouping based on user identity and device type. The design must minimize manual policy configuration and allow the fabric to enforce access policies at the edge. Which combination of components and protocols is required to meet these requirements?

A.Cisco ISE for policy management, LISP for control plane, VXLAN for data plane, and Cisco TrustSec for SGT-based enforcement
B.Cisco ISE for policy management, OSPF for control plane, GRE for data plane, and ACLs for enforcement
C.Cisco ISE for policy management, BGP for control plane, MPLS for data plane, and VLANs for enforcement
D.Cisco ISE for policy management, LISP for data plane, VXLAN for control plane, and 802.1X for enforcement
Answer: A

This combination provides identity-based policy, scalable overlay, and dynamic group-based enforcement at the edge.

Why this answer

Option A is correct because SD-Access uses Cisco ISE as the policy engine to define user/device-based policies, LISP as the control plane for endpoint-to-location mapping and mobility, VXLAN as the data plane for overlay encapsulation, and Cisco TrustSec for SGT-based enforcement at the edge. This combination enables dynamic endpoint grouping without manual ACLs, as SGTs are propagated via VXLAN Group Policy Option (GPO) and enforced by the fabric edge switches.

Exam trap

Cisco often tests the specific roles of LISP (control plane) and VXLAN (data plane) in SD-Access, and the trap here is confusing their functions or assuming that traditional protocols like OSPF/BGP or ACLs/VLANs can replace the overlay control and policy enforcement mechanisms.

How to eliminate wrong answers

Option B is wrong because OSPF is a routing protocol used in the underlay, not the SD-Access control plane; GRE lacks the scalability and group-based policy support of VXLAN, and ACLs require manual configuration, contradicting the requirement to minimize manual policy. Option C is wrong because BGP is not the SD-Access control plane (LISP is), MPLS is not used as the data plane in SD-Access (VXLAN is), and VLANs enforce segmentation at Layer 2, not dynamic SGT-based policies. Option D is wrong because LISP is the control plane, not the data plane; VXLAN is the data plane, not the control plane; and 802.1X provides authentication but not the enforcement mechanism for SGT-based policies—TrustSec or SGT tagging is required for enforcement.

1558
MCQ (hard)

A network engineer runs the following command on Router R2:

R2# show vrf detail
VRF CUSTOMER-B (VRF Id = 1); default RD 65000:1; default VPNID <not set>
  Interfaces:
    GigabitEthernet0/0.200    GigabitEthernet0/1.200
Address family IPV4 unicast:
  Export VPN route-target communities: RT:65000:100
  Import VPN route-target communities: RT:65000:100
  No export route-map
  No import route-map
Address family IPV6 unicast:
  Export VPN route-target communities: RT:65000:100
  Import VPN route-target communities: RT:65000:100
  Members: 10.0.0.0/24

Based on this output, what can be concluded?

A.The VRF is configured for IPv4 only
B.The VRF uses different route-targets for import and export
C.The VRF supports both IPv4 and IPv6 VPNs with matching route-targets
D.The VRF has no interfaces assigned
Answer: C

Both address families are present and use the same route-target for import and export.

Why this answer

The output shows both 'Address family IPV4 unicast' and 'Address family IPV6 unicast' sections, each with the same export and import route-target communities (RT:65000:100). This confirms the VRF CUSTOMER-B supports both IPv4 and IPv6 VPN address families with matching route-targets, enabling MPLS L3VPN services for both address families over the same VRF.

Exam trap

Cisco often tests the misconception that a VRF supports only one address family (IPv4) by default, but the 'show vrf detail' output clearly shows separate address family sections, and candidates may overlook the IPv6 unicast section if they focus only on the route-target values.

How to eliminate wrong answers

Option A is wrong because the VRF explicitly includes an 'Address family IPV6 unicast' section, proving it is not IPv4-only. Option B is wrong because both the export and import route-target communities are identical (RT:65000:100) for both address families, not different. Option D is wrong because the output lists two interfaces (GigabitEthernet0/0.200 and GigabitEthernet0/1.200) under 'Interfaces:', so the VRF has interfaces assigned.

1559
MCQmedium

A company is virtualizing its network functions using NFV on a KVM-based hypervisor. The design must ensure that the virtual router (CSR1000v) can handle high-throughput traffic with minimal latency. Which architectural consideration is most critical for achieving this goal?

A.Pin the vCPU of the CSR1000v to dedicated physical cores and ensure the VM memory is allocated from the same NUMA node.
B.Use a Type 2 hypervisor to allow the VNF to share resources with other VMs more efficiently.
C.Enable overcommitment of CPU resources to maximize the number of VNFs per host.
D.Place the CSR1000v on a VMware ESXi host instead of KVM for better performance.
AnswerA

CPU pinning and NUMA locality reduce latency and improve performance by avoiding cross-NUMA memory access.

Why this answer

Pinning vCPUs to dedicated physical cores and allocating memory from the same NUMA node eliminates cross-NUMA memory access and CPU scheduling contention, which are critical for reducing latency and maximizing throughput in a data-plane-intensive VNF like the CSR1000v. This ensures that the VM's memory accesses are local to the NUMA node where its vCPUs run, avoiding the performance penalty of remote memory access over the QPI/UPI interconnect.

Exam trap

Cisco often tests the misconception that simply using a Type 1 hypervisor or avoiding overcommitment is sufficient, but the trap here is that candidates overlook the critical impact of NUMA locality and vCPU pinning on latency-sensitive VNFs, assuming that any virtualization optimization will suffice.

How to eliminate wrong answers

Option B is wrong because a Type 2 hypervisor (hosted on an OS) introduces additional overhead and is less performant for high-throughput NFV workloads compared to a Type 1 hypervisor like KVM, which runs directly on hardware. Option C is wrong because CPU overcommitment allows multiple vCPUs to share physical cores, which can cause resource contention and increased latency, directly undermining the goal of minimal latency for the CSR1000v. Option D is wrong because the question specifically states the design uses KVM, and while ESXi can be performant, the architectural consideration for achieving minimal latency on KVM is NUMA-aware pinning, not switching hypervisors; the correct answer addresses the universal principle of NUMA locality regardless of hypervisor.

1560
Drag & Dropmedium

Drag and drop the steps of VRF import/export route-target policy flow into the correct order, from first to last.

Why this order

1. Configure the export RT on the VRF.
2. The PE advertises the VPNv4 route with that RT.
3. The remote PE receives the route and compares the RT with its import RT list.
4. If the RT matches, the route is imported into the VRF.
5. The route is installed in the VRF routing table.

1561
MCQmedium

Consider the following configuration snippet:

router bgp 65000
 bgp router-id 192.168.1.1
 neighbor 10.0.0.2 remote-as 65001
 neighbor 10.0.0.2 timers 10 30
!

What is the effect of the 'timers 10 30' command under the BGP neighbor?

A.It sets the keepalive interval to 10 seconds and the hold time to 30 seconds for all BGP neighbors.
B.It sets the keepalive interval to 10 seconds and the hold time to 30 seconds for neighbor 10.0.0.2 only.
C.It sets the BGP keepalive interval to 30 seconds and the hold time to 10 seconds for neighbor 10.0.0.2.
D.It configures the BGP session to use a keepalive of 10 seconds and a hold time of 30 seconds, but only if the neighbor supports it.
AnswerB

Correct. The timers command under a neighbor applies only to that neighbor.

Why this answer

Option B is correct because the 'timers 10 30' command under the BGP neighbor configuration mode sets the keepalive interval to 10 seconds and the hold time to 30 seconds specifically for that neighbor (10.0.0.2). This per-neighbor timer configuration overrides any global BGP timers set under the router bgp process, allowing granular control over individual BGP sessions.

Exam trap

Cisco often tests the distinction between global and per-neighbor BGP timer configuration, and the trap here is that candidates confuse the 'timers' command under neighbor with the global 'timers bgp' command, or misorder the keepalive and hold time values.

How to eliminate wrong answers

Option A is wrong because the command is applied under the neighbor configuration, not globally; global BGP timers are set using the 'timers bgp' command under router bgp, which affects all neighbors. Option C is wrong because it reverses the order: the first value is the keepalive interval (10 seconds), and the second is the hold time (30 seconds), not the other way around. Option D is wrong because BGP timers are unilaterally configured and advertised to the neighbor; the session will use the configured values if the neighbor accepts them, but the command does not conditionally apply only if the neighbor supports it—it is always sent in the OPEN message.

1562
Drag & Dropmedium

Drag and drop the steps of traffic shaping vs policing configuration steps into the correct order, from first to last.

Why this order

Traffic shaping and policing require first defining a class map for traffic identification, then creating a policy map with either shape or police actions, applying the policy to an interface, and finally verifying the configuration. Shaping buffers excess traffic while policing drops or re-marks it.

1563
MCQmedium

An enterprise network has two routers, R1 and R2, both running BGP. R1 is an eBGP speaker with ISP1, and R2 is an eBGP speaker with ISP2. Both routers are in the same AS 65000. The engineer wants to ensure that traffic from the enterprise to the Internet prefers the path through ISP1 when both links are up. R1 learns a default route from ISP1, and R2 learns a default route from ISP2. Which BGP attribute should the engineer modify on R1 to influence outbound traffic selection?

A.Set a higher local preference on R1 for the default route learned from ISP1.
B.Set a lower MED on R1 for the default route learned from ISP1.
C.Prepend AS 65000 multiple times on R2's updates to ISP2.
D.Configure a community on R1 to mark the default route as no-export.
AnswerA

Correct because local preference influences outbound path selection within the AS; a higher value makes the route more preferred.

Why this answer

Local preference is the BGP attribute used to influence outbound traffic from an AS. It is propagated within the AS and a higher value is preferred. By setting a higher local preference on R1 for the default route learned from ISP1, R1 will prefer that route over the default route from ISP2, ensuring traffic from the enterprise to the Internet exits via ISP1.

Exam trap

Cisco often tests the distinction between attributes that influence outbound traffic (local preference, weight) versus inbound traffic (MED, AS path prepending), and the trap here is confusing MED or AS path prepending as tools for outbound path selection.

How to eliminate wrong answers

Option B is wrong because MED (Multi-Exit Discriminator) is used to influence inbound traffic into an AS, not outbound traffic; lowering MED on R1 would affect how ISP1 selects paths to reach prefixes inside AS 65000, not how R1 chooses a default route. Option C is wrong because AS path prepending is applied to outbound updates to influence inbound traffic from ISPs, making a path less preferred by lengthening the AS_PATH; it does not affect R1's outbound traffic selection. Option D is wrong because the no-export community prevents a route from being advertised to eBGP peers, which would block the default route from being sent to ISP1 or ISP2, but does not influence R1's preference for outbound traffic.

1564
Drag & Dropmedium

Drag and drop the steps of TrustSec SGT assignment and propagation via SXP into the correct order, from first to last.

Why this order

1. ISE assigns an SGT to the endpoint.
2. The access switch creates the IP-to-SGT mapping.
3. The SXP speaker sends that mapping to an SXP listener.
4. The listener updates its local SGT cache.
5. The listener uses the SGT for policy enforcement.

1565
MCQeasy

What is the default OSPF hello interval on a broadcast multi-access network (e.g., Ethernet)?

A.10 seconds
B.30 seconds
C.40 seconds
D.5 seconds
AnswerA

The default hello interval for OSPF on broadcast and point-to-point networks is 10 seconds.

Why this answer

OSPF defaults to a 10-second hello interval on broadcast and point-to-point networks.

1566
Multi-Selecthard

Which three statements about SD-WAN overlay tunnels and transport are true? (Choose three.)

Select 3 answers
A.Control plane communication between vSmart and edge devices uses DTLS or TLS encryption.
B.Data plane tunnels between edge devices are encrypted using IPsec with IKEv2 key exchange.
C.A TLOC (Transport Location) is defined by the combination of system IP, color, and encapsulation type.
D.SD-WAN edge devices can only use MPLS or Internet as transport; LTE is not supported.
E.OMP is responsible for dynamically establishing IPsec tunnels between edge devices based on policy.
AnswersA, B, C

Correct because the control plane (vSmart to edge) uses DTLS by default, with TLS as an option.

Why this answer

SD-WAN uses DTLS or TLS for secure control plane tunnels, and IPsec for data plane tunnels. Each edge device builds multiple IPsec tunnels to other edge devices based on TLOC mapping. The transport can be any combination of MPLS, Internet, or LTE.

TLOC uniquely identifies a WAN attachment point. OMP manages route distribution, not tunnel establishment.

1567
MCQmedium

Consider the following configuration snippet:

interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
interface GigabitEthernet0/1
 channel-group 1 mode active
!
interface GigabitEthernet0/2
 channel-group 1 mode passive

What is the effect of this configuration?

A.The EtherChannel will form using LACP, and the port-channel will operate as a trunk carrying VLANs 10, 20, and 30.
B.The EtherChannel will not form because both sides must use the same LACP mode.
C.The EtherChannel will form using PAgP because the mode is not specified as lacp.
D.The EtherChannel will form but only VLAN 1 will be allowed on the trunk.
AnswerA

Correct. LACP active/passive will negotiate, and the port-channel trunk configuration applies to all member ports.

Why this answer

The configuration creates an EtherChannel using LACP with one side in active mode and the other in passive mode. The active side initiates negotiation, so the channel will form. The port-channel interface is configured as a trunk, so the channel will carry VLANs 10, 20, and 30.

1568
Drag & Dropmedium

Drag and drop the steps of ISE profiling-based dynamic ACL assignment into the correct order, from first to last.

Why this order

1. ISE profiling identifies the device type via DHCP/HTTP probes.
2. ISE matches the endpoint to a profile.
3. ISE downloads a dynamic ACL to the switch.
4. The switch applies the ACL to the port.
5. The switch enforces the ACL on traffic from that endpoint.

1569
Matchingmedium

Drag and drop each WAN technology on the left to its matching OSI layer on the right.

Why these pairings

MPLS operates at Layer 2.5 (between Layer 2 and Layer 3). Metro Ethernet is a Layer 2 technology. SD-WAN is a Layer 3 overlay technology. DMVPN is a Layer 3 VPN technology.

1570
Drag & Dropmedium

Drag and drop the steps of DNA Center network discovery and device sync into the correct order, from first to last.

Why this order

1. Define the discovery range (IP/subnet).
2. Run the discovery.
3. The discovered devices are added to inventory.
4. DNA Center syncs the device configurations.
5. The devices are assigned to sites.

This ensures devices are properly discovered, inventoried, and placed in the hierarchy.

1571
Matchingmedium

Drag and drop each traffic direction on the left to the correct SPAN keyword used to monitor it on the right.

rx: Monitors only traffic received on the source port.
tx: Monitors only traffic transmitted from the source port.
both: Monitors both received and transmitted traffic on the source port.
ingress: Synonym for rx, monitors only incoming traffic.
egress: Synonym for tx, monitors only outgoing traffic.

Why these pairings

The 'rx' keyword monitors only received traffic; 'tx' monitors only transmitted traffic; 'both' monitors both directions; 'ingress' and 'egress' are alternative keywords for the same concepts.

1572
MCQeasy

Which of the following is a valid VLAN range that can be created on a Cisco IOS switch?

A.VLAN 100
B.VLAN 0
C.VLAN 4095
D.VLAN 1006
AnswerA

Correct. VLAN 100 is within the standard range of 1-1005.

Why this answer

VLAN 100 is a valid VLAN ID because Cisco IOS switches support VLANs in the range 1–1005 for normal-range VLANs, and VLAN 100 falls within this range. Normal-range VLANs are stored in the vlan.dat file and can be created on a standard IOS switch without requiring extended VLAN configuration.

Exam trap

Cisco often tests the misconception that any VLAN ID from 1 to 4094 is valid on any switch, but the trap here is that extended VLANs (1006–4094) require specific VTP modes or configuration, and VLANs 0, 1002–1005, and 4095 are reserved or not user-creatable.

How to eliminate wrong answers

Option B is wrong because VLAN 0 is reserved and cannot be used; VLAN IDs start at 1. Option C is wrong because VLAN 4095 is reserved for implementation use and is not available for user-created VLANs; the maximum usable VLAN ID is 4094. Option D is wrong because VLAN 1006 is in the extended VLAN range (1006–4094), which requires a switch running in transparent mode or with VTP version 3, and is not a valid normal-range VLAN that can be created by default on a standard IOS switch.

1573
MCQeasy

A company uses Chef to automate network device configuration. The network devices are Cisco IOS XE running in a brownfield environment. Which Chef component is used to manage the state of the devices?

A.Ohai
B.Chef client
C.Chef workstation
D.Chef server
AnswerB

The client runs on each managed device to enforce desired state.

Why this answer

In a Chef-managed brownfield environment with Cisco IOS XE devices, the Chef client is the agent that runs on each device (or on a proxy like a guest shell) and applies the desired state defined in cookbooks. It is responsible for converging the device's configuration to match the policy, making it the correct component for state management.

Exam trap

Cisco often tests the distinction between the Chef client (the agent that enforces state) and the Chef server (the repository), leading candidates to mistakenly select the server as the component that manages device state.

How to eliminate wrong answers

Option A is wrong because Ohai is a tool that collects system metadata (e.g., platform, interfaces) on the node and makes it available as attributes, but it does not manage state or apply configurations. Option C is wrong because the Chef workstation is where cookbooks are authored and uploaded to the Chef server; it does not run on the network devices or directly manage their state. Option D is wrong because the Chef server stores cookbooks, node data, and policies, but it does not execute configuration changes on devices; it acts as a central repository and API endpoint.

1574
Multi-Selectmedium

Which three statements about Cisco SD-WAN security and segmentation are true? (Choose three.)

Select 3 answers
A.Data plane traffic between vEdge routers is encrypted using IPsec tunnels.
B.Control plane traffic between vSmart and vEdge routers is secured using DTLS or TLS.
C.VPN segmentation in SD-WAN allows traffic from different tenants or departments to be isolated using separate VRFs on the vEdge routers.
D.Data plane encryption is performed between vSmart controllers and vEdge routers to protect OMP updates.
E.VPN segmentation is configured on the vSmart controller and pushed to vEdge routers via OMP.
AnswersA, B, C

Correct because IPsec is used to encrypt all data traffic traversing the overlay tunnels between WAN Edge routers.

Why this answer

Cisco SD-WAN uses IPsec for data plane encryption and supports multiple VPN segments (VRFs) for traffic isolation. Control plane encryption is also provided using DTLS or TLS. The data plane encryption is between vEdge routers, not between vSmart and vEdge.

VPN segmentation is configured on vEdge routers, not on vSmart. The vBond orchestrator does not participate in data plane encryption.

1575
Multi-Selectmedium

Which two statements about BGP path attributes are true? (Choose two.)

Select 2 answers
A.The AS_PATH attribute is well-known mandatory.
B.The LOCAL_PREF attribute is well-known discretionary.
C.The MED attribute is well-known mandatory.
D.The ORIGIN attribute is optional transitive.
E.The COMMUNITY attribute is well-known mandatory.
AnswersA, B

Correct because AS_PATH is always included in BGP updates and is well-known mandatory.

Why this answer

The AS_PATH attribute is well-known mandatory and is used for loop prevention and path selection. The LOCAL_PREF attribute is well-known discretionary and is used to influence outbound traffic from an AS. The MED attribute is optional non-transitive, not well-known.

The ORIGIN attribute is well-known mandatory. The COMMUNITY attribute is optional transitive.
