ENCOR 350-401 (350-401) — Questions 1651–1725

2015 questions total · 27 pages · All types, answers revealed

Page 23 of 27

1651
MCQ · medium

A network engineer runs the following command on a Cisco WLC:

    WLC# show ap stats ap-name AP-1
    AP Statistics for AP-1
    ----------------------
    Channel Utilization: 45%
    Interference: 10%
    Noise Floor: -95 dBm
    Total Packets Received: 15000
    Total Packets Sent: 12000
    Total Errors: 200

Based on this output, what can be concluded?

A. The channel is heavily congested with utilization above 80%.
B. The noise floor is high, indicating potential interference.
C. The AP is experiencing a significant number of errors relative to packets received.
D. The channel utilization is moderate and the noise floor is low.
Answer: D

45% utilization is moderate, and -95 dBm noise floor is low, indicating a relatively clean channel.

Why this answer

The output shows channel utilization at 45%, which is moderate but not extremely high. The noise floor is -95 dBm, which is good (low noise). The error rate is 200 out of 15000 received, which is about 1.3%, acceptable.

1652
Matching · medium

Drag and drop each ACL type on the left to its matching capability on the right.

Filters based on source IP address only

Filters based on source/destination IP, protocol, and port numbers

Allows alphanumeric naming for easier identification

Applies time-of-day restrictions to permit or deny traffic

Opens temporary holes for user authentication

Why these pairings

Standard ACLs filter only source IP; Extended ACLs filter source/dest IP, protocol, and ports; Named ACLs allow alphanumeric naming; Time-based ACLs restrict based on time of day.

1653
Drag & Drop · medium

Drag and drop the steps of Layer 3 EtherChannel (routed port-channel) setup into the correct order, from first to last.

Why this order

Layer 3 EtherChannel setup requires creating the port-channel interface, assigning an IP address, adding member ports as L3 ports, enabling the interface, and verifying routing.

1654
Drag & Drop · medium

Drag and drop the steps of MSDP peering for inter-domain multicast into the correct order, from first to last.

Why this order

MSDP allows RPs in different domains to share information about active sources. When an RP learns of a new source, it sends a Source-Active (SA) message to its MSDP peers. The peer RP then creates an (S,G) state and can join the source if there are interested receivers.

1655
Matching · hard

Drag and drop each ISE policy result on the left to its matching enforcement action on the right.

Downloadable ACL applied to the port

Assigns the endpoint to a specific VLAN

Assigns a security group tag to the session

Redirects HTTP traffic to a captive portal

Sets maximum duration for the authenticated session

Why these pairings

DACL filters traffic, VLAN assigns network segment, SGT tags traffic for TrustSec, URL redirect forces web authentication.

1656
MCQ · easy

A network engineer is designing a campus network and needs to ensure high availability for the core layer. Which design best practice should be implemented?

A. Use a single distribution switch to simplify management.
B. Deploy two core switches configured with VSS or StackWise.
C. Configure the core layer for Layer 2 switching only.
D. Use spanning-tree PortFast on all core switch ports.
Answer: B

Dual core switches with VSS or StackWise provide redundancy and sub-second failover.

Why this answer

Option B is correct because deploying two core switches with VSS (Virtual Switching System) or StackWise provides both redundancy and active-active load balancing at the core layer. VSS virtualizes two physical switches into a single logical switch, eliminating the need for Spanning Tree Protocol (STP) on inter-switch links and enabling sub-second failover. This design ensures high availability by removing single points of failure and maximizing throughput between distribution and core layers.

Exam trap

Cisco often tests the misconception that the core layer should remain Layer 2 for simplicity, but in modern campus designs, the core must route at Layer 3 to avoid STP convergence delays and support ECMP load balancing.

How to eliminate wrong answers

Option A is wrong because using a single distribution switch creates a single point of failure, violating high-availability requirements for the core layer. Option C is wrong because the core layer should route traffic at Layer 3 to enable fast convergence and load balancing; restricting it to Layer 2 switching forces STP dependency and suboptimal path utilization. Option D is wrong because PortFast is an access-layer feature designed to bypass STP listening/learning on end-host ports; applying it to core switch ports (which connect to other switches) would risk bridging loops and network instability.

1657
MCQ · hard

A network engineer checks the AAA server status:

    R1# show aaa servers
    RADIUS: id 1, priority 1, host 10.1.1.10, auth-port 1812, acct-port 1813
      State: current DEAD, duration 0s, previous duration 500s
      Dead: total 1, retransmit 3
    RADIUS: id 2, priority 2, host 10.1.1.20, auth-port 1812, acct-port 1813
      State: current UP, duration 200s, previous duration 0s
      Dead: total 0, retransmit 0

Based on this output, what can be concluded?

A. Both RADIUS servers are operational.
B. The backup server is currently handling authentication.
C. The primary server has never failed before.
D. TACACS+ is also configured on these servers.
Answer: B

The primary is dead, so the backup (UP) is being used.

Why this answer

The primary RADIUS server (10.1.1.10) is currently DEAD with 1 dead event and 3 retransmissions. The backup server (10.1.1.20) is UP and has been for 200 seconds. This indicates the primary server failed and the backup is now handling requests.

1658
MCQ · medium

A network engineer runs the following command on Switch SW1:

    SW1# show spanning-tree vlan 10

    VLAN0010
      Spanning tree enabled protocol ieee
      Root ID    Priority    32778
                 Address     0011.2233.4455
                 Cost        19
                 Port        1 (GigabitEthernet0/1)
                 Hello Time 2 sec  Max Age 20 sec  Forward Delay 15 sec

      Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
                 Address     0011.2233.4466
                 Hello Time 2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time 300 sec

    Interface           Role Sts Cost      Prio.Nbr Type
    ------------------- ---- --- --------- -------- --------------------------------
    Gi0/1               Root FWD 19        128.1    P2p
    Gi0/2               Altn BLK 19        128.2    P2p

Based on this output, what can be concluded?

A. The local switch is the root bridge for VLAN 10
B. The local switch is not the root bridge for VLAN 10
C. Interface Gi0/2 is in a forwarding state
D. The spanning-tree mode is Rapid PVST+
Answer: B

The root ID shows a different MAC address than the bridge ID of the local switch, indicating the local switch is not the root.

Why this answer

The output shows spanning-tree information for VLAN 10. The root bridge has priority 32778 and address 0011.2233.4455. The local switch has a different bridge ID (0011.2233.4466), so it is not the root.

Interface Gi0/1 is the root port (Root, FWD), and Gi0/2 is an alternate port (Altn, BLK). The correct answer is that the local switch is not the root bridge for VLAN 10.

1659
MCQ · medium

A network architect is designing QoS for a Cisco SD-WAN deployment that uses a mix of MPLS and broadband Internet transports. The design must ensure that interactive video traffic is not delayed by large file transfers, even when the Internet link experiences congestion. Which SD-WAN policy type should the architect use to enforce this behavior?

A. Configure a localized QoS policy on the WAN edge routers that matches video traffic and applies a priority queue.
B. Use a centralized data policy to steer video traffic to the MPLS link only.
C. Implement a centralized application-aware routing policy to prefer the MPLS link for video.
D. Configure a VPN membership policy to isolate video traffic in a separate VPN.
Answer: A

Localized policies are applied per device and can prioritize video over bulk traffic on each link.

Why this answer

Option A is correct because a localized QoS policy on the WAN edge router can classify interactive video traffic and place it into a priority queue, ensuring low-latency treatment even when the Internet link is congested. This policy operates locally on the router, directly controlling queuing and scheduling behavior on the specific interface, which is essential for protecting real-time traffic from bulk file transfers.

Exam trap

Cisco often tests the distinction between traffic-steering policies (centralized data or app-aware routing) and local queuing mechanisms (QoS policies), leading candidates to mistakenly choose a path-selection solution when the question explicitly asks about preventing delay on a congested link.

How to eliminate wrong answers

Option B is wrong because a centralized data policy steers traffic based on routing decisions but does not provide per-hop queuing or congestion management; it cannot guarantee that video traffic is not delayed by file transfers on the same link. Option C is wrong because an application-aware routing policy selects the best path (e.g., MPLS) but does not enforce local queuing behavior; if the Internet link is the only available path or is chosen, video traffic can still be delayed without a priority queue. Option D is wrong because a VPN membership policy isolates traffic into separate logical networks but does not affect queuing or scheduling on the physical interface; congestion on the Internet link would still affect all traffic in that VPN.

1660
MCQ · medium

Consider the following EIGRP configuration:

    router eigrp 100
     metric weights 0 1 0 1 0 0

What does this configuration accomplish?

A. It sets the EIGRP metric to use bandwidth and delay only, which is the default behavior.
B. It disables the use of bandwidth in the metric calculation.
C. It enables the use of load and reliability in the metric calculation.
D. It changes the metric to use only delay.
Answer: A

Correct. The default K values are k1=1, k2=0, k3=1, k4=0, k5=0, so this command explicitly sets them to the default.

Why this answer

The `metric weights` command in EIGRP allows you to modify the K values used in the composite metric calculation. The default K values are K1=1, K2=0, K3=1, K4=0, K5=0, which means only bandwidth (K1) and delay (K3) are used. The configuration `metric weights 0 1 0 1 0 0` explicitly sets K1=1, K2=0, K3=1, K4=0, K5=0, which matches the default behavior.

Therefore, option A is correct.

Exam trap

Cisco often tests the misconception that the `metric weights` command changes the metric calculation from the default, when in fact the given values exactly match the default K values (1,0,1,0,0).

How to eliminate wrong answers

Option B is wrong because the configuration sets K1=1, which enables the use of bandwidth in the metric calculation, not disables it. Option C is wrong because the configuration sets K2=0 and K4=0, which disables load and reliability, respectively; enabling them would require K2=1 and K4=1. Option D is wrong because the configuration sets K1=1, so bandwidth is still included; to use only delay, you would need K1=0 and K3=1.

1661
Drag & Drop · medium

Drag and drop the steps of LACP EtherChannel negotiation and bundle formation into the correct order, from first to last.

Why this order

LACP first exchanges system priority to determine which side is active, then exchanges port priorities to select which ports bundle, next negotiates the operational key, then forms the bundle by synchronizing parameters, and finally the port channel interface becomes operational. This order follows the LACP state machine as defined in IEEE 802.3ad.

1662
MCQ · hard

A company is deploying Cisco CSR1000v virtual routers in a KVM environment. The architect needs to ensure high availability by allowing VMs to move between physical hosts without service interruption. Which feature must be supported by the hypervisor and storage?

A. Live migration with shared storage (e.g., NFS or iSCSI).
B. Cold migration with local storage only.
C. Storage vMotion without shared storage.
D. Using a distributed virtual switch without shared storage.
Answer: A

This allows the VM to move while preserving memory state and disk access.

Why this answer

Live migration (also known as VM migration) allows a running virtual machine to move between physical hosts with zero downtime. For this to work in a KVM environment with Cisco CSR1000v routers, the hypervisor must support live migration, and the storage must be shared (e.g., NFS or iSCSI) so that the VM's disk image remains accessible from both source and destination hosts. Without shared storage, the VM's disk state cannot be preserved during migration, causing service interruption.

Exam trap

Cisco often tests the distinction between live migration (requires shared storage) and vMotion/Storage vMotion (VMware-specific terms), leading candidates to confuse cross-hypervisor features or assume distributed virtual switches solve storage issues.

How to eliminate wrong answers

Option B is wrong because cold migration requires the VM to be powered off, which causes service interruption, contradicting the requirement for high availability without service interruption. Option C is wrong because Storage vMotion is a VMware-specific feature that allows migration without shared storage, but the question specifies a KVM environment, and even in VMware, it requires shared storage for live migration; without shared storage, the VM's disk must be copied, causing downtime. Option D is wrong because a distributed virtual switch (DVS) is a networking abstraction that does not address storage requirements; without shared storage, the VM's disk is inaccessible on the destination host, preventing live migration.

1663
Drag & Drop · medium

Drag and drop the steps of telemetry path validation using YANG DevKit into the correct order, from first to last.

Why this order

Validation starts by loading the YANG model, parsing the path, checking it against the schema, testing it on a device, and then confirming the output.

1664
Matching · easy

Drag and drop each VNF category on the left to its matching example on the right.

Cisco CSR 1000v

Cisco ASAv

Citrix ADC VPX

Cisco vWAAS

Cisco Nexus 1000V

Why these pairings

Virtual routers, firewalls, and load balancers are common VNF categories.

1665
Drag & Drop · medium

Drag and drop the steps of a RESTCONF PUT transaction on IOS-XE into the correct order, from first to last.

Why this order

The correct order ensures the RESTCONF PUT request is properly authenticated, targeted, and validated before the device applies the configuration. First, the client must authenticate with the device. Then it constructs the PUT request with the target URI.

The device validates the request, applies the configuration, and finally sends a success response.

1666
Drag & Drop · medium

Drag and drop the steps of DMVPN Phase 2 NHRP resolution process into the correct order, from first to last.

Why this order

In DMVPN Phase 2, the spoke sends an NHRP Resolution Request to the hub to learn the destination spoke's NBMA address. The hub forwards the request to the destination spoke, which replies with an NHRP Resolution Reply. The hub relays this reply back to the originating spoke.

Finally, the originating spoke installs the NHRP shortcut entry and can initiate a direct tunnel to the destination spoke.

1667
Matching · medium

Drag and drop each EIGRP DUAL state on the left to its matching stage on the right.

Route is stable and no queries are pending

Router is querying neighbors for a new route

Router uses a feasible successor without querying

Router queries all neighbors for a new route

Router that first sends a query for a lost route

Why these pairings

Passive state indicates a stable route; Active state indicates the router is querying neighbors; Local Computation occurs when a feasible successor exists; Diffusing Computation occurs when no feasible successor exists; Query Origin is the router that starts the query process.

1668
Multi-Select · medium

Which two statements about Cisco FlexConnect are true? (Choose two.)

Select 2 answers
A. FlexConnect APs can locally switch client data traffic at the remote site without tunneling it to the WLC.
B. FlexConnect APs always maintain a control and data tunnel to the WLC, even in standalone mode.
C. FlexConnect supports all encryption methods including CCKM and 802.11r in local switching mode.
D. FlexConnect APs can perform rogue detection and containment even when disconnected from the WLC.
E. FlexConnect APs can authenticate clients locally using a local RADIUS server or a local user database when the WLC is unreachable.
Answers: A, E

Correct because FlexConnect local switching mode allows client traffic to be bridged locally at the AP, reducing WAN bandwidth usage.

Why this answer

FlexConnect allows APs to locally switch client traffic and to function independently when the WLC is unreachable, but it does not support all encryption methods (e.g., CCKM is not supported in FlexConnect local switching mode) and it does not support rogue detection in standalone mode.

1669
MCQ · hard

A company is deploying a new Cisco wireless LAN controller (WLC) and wants to use RADIUS for authenticating wireless users. The WLC is configured with the RADIUS server IP, shared secret, and authentication port 1812. However, users are unable to authenticate. The network engineer checks the RADIUS server logs and sees that the server is receiving authentication requests from the WLC but is responding with an 'Access-Reject' message. The WLC logs show 'RADIUS server not responding' for the same server. What is the most likely cause?

A. The RADIUS server is configured to use a different source IP address for RADIUS responses than the IP address configured on the WLC, causing the WLC to drop the responses.
B. The WLC is configured with the wrong authentication port; RADIUS uses port 1645, not 1812.
C. The WLC's RADIUS server configuration has the wrong shared secret, causing the server to reject requests.
D. The WLC is not configured with a valid management interface IP address to reach the RADIUS server.
Answer: A

Correct because the WLC typically expects RADIUS responses to come from the same IP address as the configured server; if the server uses a different source IP (e.g., a loopback or secondary IP), the WLC may not recognize the response and logs 'server not responding'.

Why this answer

The WLC is interpreting the 'Access-Reject' as a non-response because the RADIUS server is using a different source port for the response, or the WLC is not configured to accept responses from the server's source IP. However, the most common cause is that the RADIUS server is sending the response from a different IP address than the one configured on the WLC, or the WLC has a mismatch in the shared secret. But since the server logs show requests are received and rejected, the shared secret is likely correct.

The issue is that the WLC might be expecting the response on a different port or from a different IP, but the scenario says 'RADIUS server not responding' which typically means the WLC did not receive a response. This could be due to the RADIUS server sending the response from a different source IP (e.g., a secondary IP) than the one configured on the WLC, or a firewall blocking the response. However, the most plausible cause is that the RADIUS server is configured to use a different source IP for RADIUS traffic than the one the WLC expects.

1670
MCQ · medium

An engineer is deploying a Linux virtual machine on a KVM hypervisor. The VM needs to be connected to a virtual network that provides isolation from other VMs on the same host but allows communication with the host and external networks. The engineer creates a Linux bridge and attaches the VM's tap interface to it. However, the VM cannot reach the external network. The host has a physical NIC (eth0) connected to the corporate network. What is the missing configuration step?

A. Add the physical NIC (eth0) as a port to the Linux bridge.
B. Configure a default gateway on the VM's network interface.
C. Assign an IP address to the Linux bridge interface.
D. Enable IP forwarding and configure NAT on the host.
Answer: A

Correct because the bridge must include the physical NIC to forward traffic to the external network.

Why this answer

A Linux bridge acts like a virtual switch. To allow the VM to reach the external network, the physical NIC (eth0) must be added as a port to the bridge. This bridges the VM's tap interface with the host's physical network, enabling Layer 2 connectivity to the corporate network and upstream routing.

Exam trap

The trap here is that candidates confuse bridging with NAT or routing, assuming that IP forwarding or NAT is required for external access, when in fact a bridged setup simply needs the physical NIC as a bridge port to extend Layer 2 connectivity.

How to eliminate wrong answers

Option B is wrong because a default gateway on the VM is necessary for routing beyond the local subnet, but it is not the missing step—the VM cannot even reach the host or external network without the bridge being connected to the physical NIC. Option C is wrong because assigning an IP to the bridge interface is required for the host to communicate on the bridged network, but the VM's inability to reach the external network is due to the lack of physical connectivity, not the bridge's IP. Option D is wrong because enabling IP forwarding and NAT is only needed if the host is acting as a router for the VM (e.g., in a routed or NAT-based setup), but the scenario describes a bridged network where the VM should be on the same Layer 2 segment as the host's physical network, not NAT'd.

1671
Drag & Drop · medium

Drag and drop the steps of ISE RADIUS policy evaluation order into the correct order, from first to last.

Why this order

Cisco ISE evaluates RADIUS policies in a specific order: first authentication policies, then authorization policies (based on conditions), and finally the default rule if no match is found. This ensures proper access control.

1672
Multi-Select · easy

Which three statements about NFV use cases and deployment models are true? (Choose three.)

Select 3 answers
A. Virtual CPE (vCPE) is a common NFV use case that replaces physical routers and firewalls at customer sites with software-based functions.
B. Virtual Evolved Packet Core (vEPC) virtualizes mobile core network functions such as MME, SGW, and PGW.
C. NFV can be deployed on-premises, in a private cloud, or in a public cloud infrastructure.
D. NFV requires dedicated hardware appliances for each virtualized network function.
E. NFV deployments are limited to static, non-scalable configurations.
Answers: A, B, C

Correct because vCPE is a well-known NFV application where network functions like routing and firewall run as VNFs on standard hardware at the customer premises or in the cloud.

Why this answer

NFV is used to virtualize various network functions. Virtual CPE (vCPE) replaces physical customer premises equipment with software running on standard hardware. Virtual Evolved Packet Core (vEPC) is a key use case in mobile networks.

NFV can be deployed on-premises or in the cloud. Option A is correct because vCPE is a common NFV use case. Option B is correct because vEPC virtualizes mobile core functions.

Option C is correct because NFV supports both on-prem and cloud deployment. Option D is incorrect because NFV does not require dedicated hardware; it uses standard servers. Option E is incorrect because NFV can scale dynamically, not just statically.

1673
MCQ · hard

An engineer is configuring BGP on a router that will act as a route reflector to reduce iBGP peering requirements. The router has several iBGP peers. The engineer wants to ensure that the route reflector does not modify the next-hop attribute of routes it reflects to its clients. Which configuration command should the engineer use?

A. Configure 'neighbor next-hop-unchanged' under the BGP address family for the route reflector clients.
B. Configure 'no bgp next-hop-self' under the BGP address family for the route reflector clients.
C. Configure 'bgp route-reflector' under the BGP address family.
D. Configure 'neighbor next-hop-self' on the route reflector for its clients.
Answer: A

Correct because this command explicitly instructs the router to not modify the next-hop attribute when sending routes to the specified neighbor, preserving the original next-hop.

Why this answer

Option A is correct because the 'neighbor next-hop-unchanged' command under the BGP address family instructs the route reflector to preserve the original next-hop attribute when reflecting routes to its clients. By default, a route reflector may modify the next-hop to its own address, but this command overrides that behavior, ensuring the next-hop remains as received from the non-client iBGP peer. This is essential in designs where clients must see the original next-hop for optimal path selection or to avoid unnecessary routing hops.

Exam trap

Cisco often tests the distinction between 'neighbor next-hop-unchanged' and 'neighbor next-hop-self', where candidates mistakenly think that disabling 'next-hop-self' (option B) is sufficient to preserve the next-hop, but the correct command is the explicit 'next-hop-unchanged' to override any default or configured modifications.

How to eliminate wrong answers

Option B is wrong because 'no bgp next-hop-self' removes the default next-hop-self behavior for eBGP-learned routes, but it does not specifically control the next-hop attribute for routes reflected by a route reflector; it is a global or address-family command that affects all iBGP peers, not just clients. Option C is wrong because 'bgp route-reflector' is not a valid Cisco IOS command; the correct command to enable route reflection is 'neighbor route-reflector-client' under the BGP address family. Option D is wrong because 'neighbor next-hop-self' on the route reflector for its clients would force the next-hop to be changed to the route reflector's own IP address, which is the opposite of what the engineer wants (to leave the next-hop unchanged).

1674
MCQ · hard

A network engineer runs the following command on Switch SW9:

    SW9# show etherchannel 4 port-channel
    Port-channels in the group:
    ---------------------------
    Port-channel: Po4 (Primary Aggregator)
    Age of the Port-channel = 0d:00h:20m:10s
    Logical slot/port = 16/4    Number of ports = 3
    HotStandby port = null
    Port state = Port-channel Ag-Inuse
    Protocol = LACP

    Ports in the Port-channel:
    Index  Load   Port   EC state         No of bits
    ------+------+------+----------------+----------
    0      00     Gi0/0  Active           4
    1      00     Gi0/1  Active           4
    2      00     Gi0/2  Standby          4

    Time since last port bundled: 0d:00h:15m:00s Gi0/1

Based on this output, what can be concluded?

A. All three ports are actively forwarding traffic in the EtherChannel.
B. Gi0/2 is in standby mode because it is not receiving LACP packets from the neighbor.
C. The EtherChannel has a maximum bundle size of 2, so Gi0/2 is a hot-standby port.
D. The port-channel is not in use because the load is zero.
Answer: C

The standby state indicates that the maximum number of active ports has been reached, and Gi0/2 is ready to replace a failed port.

Why this answer

The output shows that Gi0/0 and Gi0/1 are in 'Active' state, while Gi0/2 is in 'Standby' state. In LACP, a standby port is a hot-standby port that becomes active if an active port fails. This is configured using the 'lacp max-bundle' command or when the number of ports exceeds the maximum allowed.

The correct answer is that Gi0/2 is a hot-standby port ready to take over if an active port fails.

1675
Multi-Select · hard

Which three statements about error handling and debugging in Python network automation scripts are true? (Choose three.)

Select 3 answers
A. Using 'pass' in an except block is a best practice to ignore errors in production scripts.
B. The try-except block allows a script to handle connection timeouts without crashing.
C. Using the logging module helps record errors and debug information to a file.
D. Print statements can be used to debug variable values during script development.
E. The continue statement is used to handle exceptions in Python.
Answers: B, C, D

Correct because try-except catches exceptions like timeouts, allowing the script to take alternative actions or retry.

Why this answer

Correct answers: B, C, and D. B is correct because try-except blocks allow the script to handle exceptions gracefully without crashing. C is correct because logging provides a structured way to record events and errors for later analysis.

D is correct because print statements are a simple debugging technique to output variable values during development. A is incorrect because 'pass' is a no-op statement that silently ignores exceptions, which is not recommended for production code. E is incorrect because the continue statement is used in loops to skip to the next iteration, not for error handling.

1676
Drag & Drop · medium

Drag and drop the steps of the RADIUS authentication process into the correct order, from first to last.

Why this order

RADIUS uses UDP and encrypts only the password in the Access-Request. The server checks credentials and responds with Access-Accept or Access-Reject. Accounting-Start is sent after authentication succeeds.

1677
Drag & Drop · medium

Drag and drop the steps of EIGRP neighbor establishment into the correct order, from first to last.

Why this order

EIGRP neighbor formation begins with sending Hello packets, then exchanging full routing tables via Update packets, acknowledging with ACK packets, and finally entering the Established state where incremental updates are sent.

1678
MCQ · medium

A network engineer runs the following command on Switch SW6:

    SW6# show spanning-tree vlan 60

    VLAN0060
      Spanning tree enabled protocol ieee
      Root ID    Priority    24636
                 Address     aabb.cc00.0a00
                 Cost        8
                 Port        1 (GigabitEthernet0/1)
                 Hello Time 2 sec  Max Age 20 sec  Forward Delay 15 sec

      Bridge ID  Priority    32768  (priority 32768 sys-id-ext 60)
                 Address     aabb.cc00.0b00
                 Hello Time 2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time 300 sec

    Interface           Role Sts Cost      Prio.Nbr Type
    ------------------- ---- --- --------- -------- ------------------------------
    Gi0/1               Root FWD 8         128.1    P2p
    Gi0/2               Desg FWD 4         128.2    P2p
    Gi0/3               Altn BLK 4         128.3    P2p
    Gi0/4               Desg FWD 4         128.4    P2p

Based on this output, what is the bridge priority of the root bridge for VLAN 60?

A. 24576
B. 24636
C. 32768
D. 32828
Answer: B

Correct. The Root ID priority is 24636.

Why this answer

The root bridge priority is shown in the Root ID section as 24636. This includes the system ID extension of 60, so the base priority is 24576 (24636 - 60 = 24576).

1679
Drag & Drop · medium

Drag and drop the sFlow agent sampling and forwarding steps into the correct order, from first to last.

Why this order

The sFlow agent samples packets, encapsulates the samples with headers, and sends them to the collector, which decodes and analyzes them; the agent also maintains counters for periodic export.

1680
Matching · medium

Drag and drop each DNA Center package on the left to its matching function on the right.

Provides network analytics, health scores, and troubleshooting insights

Automates device onboarding, configuration templates, and software image management

Creates hierarchical network designs, sites, and global network settings

Defines and enforces access control, segmentation, and QoS policies

Orchestrates workflows for device replacement and network changes

Why these pairings

Cisco DNA Center packages: Assurance provides analytics and troubleshooting; Provision automates device configuration; Design creates network hierarchy and settings; Policy manages access and segmentation.

1681
Drag & Drop · medium

Drag and drop the steps of Netmiko multi-threaded device polling workflow into the correct order, from first to last.

Why this order

The workflow begins by importing necessary modules (threading and Netmiko), then defining a function that connects and sends a show command. After that, a list of devices is created, threads are started for each device, and finally all threads are joined to collect results.

1682
MCQ · medium

A network engineer configures SNMPv2c on a Cisco switch to send traps to an NMS at 192.168.1.100 with community 'monitor'. The engineer also configures 'snmp-server enable traps snmp linkdown linkup'. The NMS receives link traps but not authentication failure traps. The engineer has not configured any access control. What is the most likely reason?

A. Authentication failure traps are disabled by default and must be explicitly enabled.
B. The NMS is not configured to receive authentication failure traps.
C. The community string 'monitor' has read-write access, which suppresses authentication traps.
D. The switch must be configured with 'snmp-server trap-source' to send authentication traps.
Answer: A

Correct because 'snmp-server enable traps snmp authentication' is needed to send authentication failure traps.

Why this answer

Authentication failure traps are generated when an SNMP request is received with an invalid community string. However, by default, these traps are not enabled. The engineer must explicitly enable them with 'snmp-server enable traps snmp authentication'.

The scenario shows only link traps enabled.

1683
Multi-Select · medium

Which two statements about SNMP MIB objects and OIDs are true? (Choose two.)

Select 2 answers
A. The MIB defines the structure of managed objects and their OIDs.
B. OIDs are always numeric and follow a hierarchical tree structure.
C. The GetBulk operation is supported in SNMPv1.
D. The sysDescr OID (1.3.6.1.2.1.1.1.0) is a read-write object.
E. A single MIB object can have multiple OIDs.
Answers: A, B

Correct: The MIB is a database that defines the structure and OIDs of managed objects.

Why this answer

MIB (Management Information Base) is a hierarchical database of managed objects. Each object is identified by an OID (Object Identifier). OIDs are structured as a tree; for example, 1.3.6.1.2.1.1.1.0 is the sysDescr OID.

The MIB defines the structure and allowed operations (get, set, etc.) for each object. SNMPv2c and SNMPv3 support GetBulk, which retrieves large tables efficiently. SNMPv1 does not support GetBulk.

1684
MCQ · hard

A financial company runs a critical trading application in a virtualized environment on VMware vSphere. The application consists of two VMs: App-1 (web server) and App-2 (database server). Both VMs are on the same ESXi host. Recently, users report intermittent slowness during peak trading hours. Monitoring shows that App-1 experiences high CPU ready time (up to 15%) and App-2 has high disk latency (average 50 ms). The ESXi host has 16 vCPUs total (2 sockets, 8 cores each) and 128 GB RAM. The host runs 10 VMs total. App-1 has 4 vCPUs and 16 GB RAM; App-2 has 8 vCPUs and 32 GB RAM. The storage is a shared NFS datastore connected via 1 Gbps Ethernet. The network is 10 Gbps. What is the MOST effective course of action to resolve the performance issues?

A. Enable vNUMA for both VMs to improve memory access, and set CPU affinity to dedicate specific cores.
B. Increase the RAM for both VMs to reduce disk swapping, and enable Hyperthreading on the ESXi host.
C. Reduce the number of vCPUs assigned to App-2 from 8 to 4, and configure Storage I/O Control on the datastore.
D. Migrate the VMs to another ESXi host with faster CPUs, and upgrade the storage network to 10 Gbps.
Answer: C

Correct. Reducing vCPUs decreases CPU ready time; Storage I/O Control manages disk latency.

Why this answer

Option C is correct because App-2's 8 vCPUs exceed the number of physical cores per socket (8), causing CPU scheduling contention and high ready time on App-1, while reducing vCPUs to 4 aligns with the host's core-per-socket count and reduces co-scheduling overhead. Additionally, Storage I/O Control (SIOC) on the NFS datastore can prioritize disk access and mitigate the high disk latency (50 ms) by enforcing shares and limits during congestion, addressing both performance issues without requiring hardware upgrades.

Exam trap

Cisco often tests the misconception that adding more vCPUs always improves performance, but the trap here is that over-provisioning vCPUs beyond the physical core count per socket increases CPU ready time and co-scheduling overhead, degrading performance instead of improving it.

How to eliminate wrong answers

Option A is wrong because enabling vNUMA is beneficial for VMs with many vCPUs to optimize memory locality, but it does not address CPU ready time caused by over-provisioning vCPUs, and setting CPU affinity can reduce scheduler flexibility and cause imbalance on a host with 10 VMs. Option B is wrong because increasing RAM does not reduce disk swapping if the VMs already have sufficient memory (App-1 has 16 GB, App-2 has 32 GB), and enabling Hyperthreading on the ESXi host would increase logical CPUs but not resolve the root cause of vCPU over-provisioning or high disk latency. Option D is wrong because migrating to another host with faster CPUs does not fix the vCPU over-provisioning issue (App-2 still has 8 vCPUs), and upgrading the storage network to 10 Gbps does not address the high disk latency if the bottleneck is at the NFS datastore or storage array, not the network link.

1685
Matching · medium

Drag and drop each telemetry model on the left to its matching push type (dial-in or dial-out) on the right.

Collector connects to device, device listens

Collector initiates SSH session to device

Device connects to collector, collector listens

Device pushes data to collector

Collector requests data from device

Why these pairings

Dial-in: collector initiates connection to the network device (e.g., gRPC dial-in, NETCONF). Dial-out: device initiates connection to the collector (e.g., gRPC dial-out, model-driven telemetry).

1686
Drag & Drop · medium

Drag and drop the steps of PIM-SM join and source registration into the correct order, from first to last.

Why this order

In PIM-SM, a receiver's DR sends a (*,G) Join toward the RP. The RP then sends a (S,G) Join toward the source. The source's DR registers the source with the RP via a unicast Register message.

The RP de-encapsulates the Register and sends a Register-Stop back to the source's DR to stop the registration process.

1687
MCQ · medium

A network engineer notices intermittent connectivity issues between two switches connected via a trunk link. The trunk is configured with DTP in dynamic desirable mode on one side and trunk mode on the other. Which action should the engineer take to resolve the issue?

A. Configure both sides with switchport mode trunk.
B. Set both sides to access mode.
C. Disable DTP on both sides using switchport nonegotiate.
D. Change one side to dynamic auto.
Answer: A

Option A is correct because it ensures both ends are unconditionally set to trunk mode, avoiding negotiation issues.

Why this answer

The correct answer is A because Dynamic Trunking Protocol (DTP) in dynamic desirable mode actively attempts to negotiate a trunk, but when the other side is set to trunk mode (which is a static trunk configuration), DTP negotiation can still cause intermittent issues due to mismatched DTP frames or timing. Configuring both sides with switchport mode trunk disables DTP negotiation entirely, ensuring a stable, static trunk link without negotiation delays or failures.

Exam trap

Cisco often tests the misconception that dynamic desirable and trunk mode are compatible because both result in a trunk, but the trap is that DTP negotiation can cause instability, and the correct solution is to use static trunk configuration on both sides to avoid reliance on DTP.

How to eliminate wrong answers

Option B is wrong because setting both sides to access mode would disable trunking entirely, preventing VLAN traffic from crossing the link, which does not resolve the trunk connectivity issue. Option C is wrong because disabling DTP with switchport nonegotiate on both sides would stop DTP frames, but if one side is in dynamic desirable mode, it still expects DTP negotiation, leading to a mismatch; the correct fix is to set both sides to static trunk mode, not just disable negotiation. Option D is wrong because changing one side to dynamic auto would make it passive, waiting for DTP frames from the other side, but the other side in dynamic desirable would still negotiate, potentially causing the same intermittent issues due to DTP state transitions.

1688
Multi-Select · medium

Which two statements about telemetry subscription modes are true? (Choose two.)

Select 2 answers
A. In dial-out mode, the network device initiates a connection to the telemetry collector.
B. In dial-in mode, the collector subscribes to data by connecting to the network device.
C. gRPC supports only dial-out telemetry subscriptions.
D. NETCONF is exclusively used for dial-in telemetry subscriptions.
E. SNMP traps are a form of dial-out telemetry.
Answers: A, B

Correct because dial-out telemetry pushes data from the device to the collector.

Why this answer

Dial-out mode pushes data from the network device to a collector, while dial-in mode requires the collector to initiate the connection. gRPC supports both modes. NETCONF can also support both but is not limited to dial-in. SNMP is a polling-based protocol, not a telemetry subscription mode.

1689
Drag & Drop · medium

Drag and drop the steps of DNA Center assurance issue detection and root cause into the correct order, from first to last.

Why this order

The correct order starts with collecting telemetry from devices, then analyzing the data to detect anomalies, then generating an issue, then identifying the root cause via guided remediation, and finally presenting the resolution steps. This aligns with Cisco's assurance workflow.

1690
Multi-Select · medium

Which three statements about RSPAN configuration and behavior are true? (Choose three.)

Select 3 answers
A. The RSPAN VLAN must be created on all switches that participate in the RSPAN session.
B. The RSPAN destination port must be configured in access mode and assigned to the RSPAN VLAN.
C. Trunk ports between switches must allow the RSPAN VLAN and should not prune it.
D. The RSPAN source switch encapsulates the mirrored frames with the RSPAN VLAN ID.
E. RSPAN can only monitor source ports on the same switch as the destination port.
Answers: A, C, D

Correct because every switch in the path needs the RSPAN VLAN to forward the mirrored traffic.

Why this answer

RSPAN requires a dedicated VLAN that is not used for user traffic. The RSPAN VLAN must be created on all switches in the path, and the destination switch must have a destination port configured. The RSPAN VLAN should not be pruned from trunks.

The source switch sends mirrored frames into the RSPAN VLAN, and the destination switch extracts them.

1691
Drag & Drop · medium

Drag and drop the steps of BFD session establishment for path liveliness into the correct order, from first to last.

Why this order

BFD session establishment starts with the edge device detecting a new transport tunnel, then sending a BFD hello packet, the remote device responds with a BFD echo, the two devices negotiate parameters, and finally the session becomes Up and is used for liveliness monitoring.

1692
MCQ · easy

What is the purpose of the 'aaa authorization exec default local' command?

A. It authenticates users for exec access using the local database.
B. It authorizes exec sessions using the local database, determining if a user can start a shell and their privilege level.
C. It enables accounting for exec commands to the local database.
D. It sets the privilege level for all users to 15.
Answer: B

Correct. Authorization controls what a user is allowed to do after authentication.

Why this answer

This command authorizes exec (shell) sessions using the local user database. It determines whether a user is allowed to start an exec session and what privilege level they receive.

1693
MCQ · hard

A network engineer runs the following commands on Router R2:

    R2# show class-map
     Class Map match-any VOICE (id 1)
       Match ip dscp ef (46)
     Class Map match-any DATA (id 2)
       Match ip dscp af31 (26)
     Class Map match-any class-default (id 0)
       Match any

    R2# show policy-map
      Policy Map QOS_POLICY
        Class VOICE
          priority level 1
          police cir 1000000 bc 15625 be 15625
        Class DATA
          bandwidth remaining percent 50
        Class class-default
          bandwidth remaining percent 50

    R2# show policy-map interface GigabitEthernet0/1
     GigabitEthernet0/1
      Service-policy output: QOS_POLICY
        Class-map: VOICE (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: ip dscp ef (46)
          Queueing
          strict priority
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
          police cir 1000000 bc 15625 be 15625
            conformed 0 packets, 0 bytes; actions: transmit
            exceeded 0 packets, 0 bytes; actions: drop
            violated 0 packets, 0 bytes; actions: drop
        Class-map: DATA (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: ip dscp af31 (26)
          Queueing
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
          bandwidth remaining percent 50 (0 kbps)
        Class-map: class-default (match-any)
          100 packets, 10000 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
          Queueing
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 100/10000
          bandwidth remaining percent 50 (0 kbps)

Based on this output, what can be concluded?

A. Voice traffic is being prioritized with strict priority queuing and policed at 1 Mbps.
B. Data traffic is being guaranteed 50% of the remaining bandwidth.
C. All traffic is being handled by class-default, which gets 100% of the bandwidth.
D. The police command on VOICE is causing drops for voice traffic.
Answer: C

Only class-default has traffic (100 packets), and since it is the only class with traffic, it uses all bandwidth.

Why this answer

The VOICE class uses strict priority queuing (priority level 1). However, with 0 packets matched, no voice traffic is being classified. The DATA class also shows 0 packets.

All traffic falls into class-default. The bandwidth remaining percent commands allocate remaining bandwidth, but since only class-default has traffic, it effectively gets 100% of the bandwidth. The police command on VOICE is not affecting anything because no packets match.

1694
MCQ · medium

Given the following policy-map:

    policy-map QOS_POLICY
     class VOICE
      priority percent 30
     class VIDEO
      bandwidth percent 20
      queue-limit 100 packets
     class class-default
      fair-queue

What is the effect of the 'priority percent 30' command in the VOICE class?

A. Voice traffic is placed in a strict priority queue with a guaranteed bandwidth of 30% of the interface bandwidth.
B. Voice traffic is limited to 30% of the interface bandwidth and will be dropped if exceeded.
C. Voice traffic is given a weight of 30 in the weighted fair queueing algorithm.
D. Voice traffic is re-marked with IP precedence 30.
Answer: A

The priority command provides a low-latency queue with a bandwidth guarantee.

Why this answer

The 'priority percent 30' command in the VOICE class configures a strict priority queue (LLQ) that guarantees voice traffic up to 30% of the interface bandwidth. During congestion, voice packets are always transmitted before other traffic, but they are policed to ensure they do not exceed the allocated 30%, preventing starvation of other queues.

Exam trap

Cisco often tests the misconception that 'priority percent' simply limits bandwidth like a policer, but the key trap is that it also provides strict priority queuing, which guarantees low latency for voice traffic, not just a bandwidth cap.

How to eliminate wrong answers

Option B is wrong because the priority percent command does not simply drop traffic that exceeds 30%; it polices the traffic, but during congestion, excess packets are dropped, while under no congestion, voice can burst above the percentage. Option C is wrong because the priority command creates a strict priority queue, not a weighted fair queue; weighted fair queueing uses weights for bandwidth allocation, not for priority queuing. Option D is wrong because the priority percent command does not re-mark packets; it only affects queuing and policing behavior, while marking is done by a separate 'set' command in a policy-map.

1695
Drag & Drop · medium

Drag and drop the steps of MAB (MAC Authentication Bypass) fallback flow into the correct order, from first to last.

Why this order

MAB is a fallback method when 802.1X fails: the switch detects the host MAC, sends a RADIUS Access-Request with the MAC as username/password, ISE checks the MAC against its database, and then either grants access (placing the port in the authorized VLAN) or denies it.

1696
Matching · medium

Drag and drop each STP timer on the left to its matching default value on the right.

2 seconds

15 seconds

20 seconds

32768

4

Why these pairings

Hello time default is 2 seconds; Forward delay default is 15 seconds; Max age default is 20 seconds.

1697
MCQ · hard

A network engineer is troubleshooting an EtherChannel between two Cisco switches. The show etherchannel summary command shows the port-channel is up, but the show interfaces trunk command shows that the trunk is not passing traffic for VLAN 100. The allowed VLAN list on the port-channel interface includes VLAN 100. What is the most likely cause?

A. One of the physical ports in the EtherChannel has VLAN 100 removed from its allowed list.
B. The native VLAN is configured as VLAN 100 on one side.
C. The port-channel is configured with 'switchport trunk allowed vlan add 100' but the physical ports have 'switchport trunk allowed vlan except 100'.
D. The VLAN 100 does not exist on the switch.
Answer: A

Correct because the allowed VLAN list on physical ports must match; if one port does not allow VLAN 100, the trunk may not pass that VLAN.

Why this answer

The correct answer is that the VLAN is not allowed on one of the physical ports. The wrong answers involve issues that would affect all VLANs or are unrelated.

1698
Matching · medium

Drag and drop each VM network mode on the left to its matching behavior on the right.

VM appears as a separate device on the physical network

VM uses host IP address for outbound traffic

VM can communicate only with the host and other VMs on the same host

VM can communicate only with other VMs on the same host

VM connects to a specific virtual switch

Why these pairings

Bridged mode shares the host's physical network, NAT uses the host's IP for outbound traffic, host-only isolates VMs from external networks, internal mode allows VM-to-VM communication only, and custom mode uses a specific virtual switch.

1699
Drag & Drop · medium

Drag and drop the iBGP route reflection configuration steps into the correct order, from first to last.

Why this order

Route reflection requires first enabling BGP, then configuring the cluster ID, designating the route reflector client, and finally verifying the reflection behavior.

1700
Multi-Select · medium

Which two statements about EIGRP feasible successors are true? (Choose two.)

Select 2 answers
A. A feasible successor must have a reported distance less than the feasible distance of the current successor.
B. A feasible successor is installed in the routing table as a backup route.
C. If a successor fails, EIGRP immediately uses a feasible successor without transitioning to active state.
D. The feasible successor must have the same metric as the successor.
E. EIGRP uses the Diffusing Update Algorithm (DUAL) to determine feasible successors.
Answers: A, C

Correct because the feasibility condition requires RD < FD for a route to be considered a feasible successor.

Why this answer

A feasible successor is a backup route that meets the feasibility condition (reported distance < feasible distance). It is stored in the topology table, not the routing table, and is used immediately if the successor fails.

1701
Multi-Select · hard

Which three statements about IP SLA threshold configuration and reaction are true? (Choose three.)

Select 3 answers
A. The 'reaction-configuration' command is used to define rising and falling threshold values for an IP SLA operation.
B. The 'reaction-trigger' command associates a threshold violation with an action such as enabling a static route.
C. When a rising threshold is exceeded, an SNMP trap can be sent to the network management system.
D. The threshold is based on the number of probes sent within a specified time interval.
E. If a threshold is violated, the IP SLA operation automatically changes its probe schedule to a higher frequency.
Answers: A, B, C

Correct because this command configures the threshold values and the action (e.g., trap) when the threshold is crossed.

Why this answer

IP SLA allows configuring rising and falling thresholds to trigger events. The 'reaction-configuration' command sets the threshold values and the action to take when a threshold is crossed. The 'reaction-trigger' command is used to associate the reaction with a specific action, such as enabling a backup route.

The threshold violation can be used to trigger an SNMP trap, which is a common method for network management systems to receive alerts. The threshold is not based on the number of probes sent, but on the measured values like delay or jitter. The reaction does not automatically change the probe schedule; it triggers an external action.

1702
Drag & Drop · medium

Drag and drop the steps of the hierarchical campus network design process into the correct order, from first to last.

Why this order

The hierarchical design process starts with access layer connectivity, then moves to distribution layer aggregation, core layer transport, and finally WAN edge integration. This layered approach optimizes scalability and performance.

1703
MCQ · hard

A network engineer is troubleshooting QoS on a Cisco Nexus 9000 switch. The switch is configured with a policy map that uses a class-default with a bandwidth remaining percent of 100. However, during congestion, traffic in a priority queue (class-map for EF) is experiencing drops even though the priority queue is not fully utilized. What is the most likely cause?

A. The priority queue is implicitly policed to a default rate on Nexus switches
B. The class-default bandwidth remaining percent should be set to 0
C. The priority queue is not configured with a queue-limit
D. The switch is using strict priority queuing without any shaping
Answer: A

Correct because Nexus switches enforce a default policer on the priority queue to protect other traffic, which can cause drops.

Why this answer

The correct answer is that the priority queue is policed by default on Nexus switches to prevent starvation of other queues. The priority queue has a policer that drops traffic if it exceeds a certain rate, even if the queue is not congested.

1704
MCQ · easy

What is the default OSPF hello interval on an Ethernet link?

A. 10 seconds
B. 30 seconds
C. 40 seconds
D. 5 seconds
Answer: A

Correct. OSPF default hello interval on Ethernet is 10 seconds.

Why this answer

OSPF uses different hello intervals depending on the network type. For broadcast networks like Ethernet, the default hello interval is 10 seconds.

1705
MCQ · medium

A network engineer configured three interfaces on a switch as shown. A host connected to Ethernet1/2 sends an untagged frame. Which VLAN will this frame be placed into when it reaches Ethernet1/3?

A. VLAN 999
B. VLAN 1
C. The frame is dropped because VLAN 10 is not allowed.
D. VLAN 10
Answer: C

Ethernet1/3 trunk does not allow VLAN 10.

Why this answer

The switchport on Ethernet1/3 is configured as a trunk with an allowed VLAN list that does not include VLAN 10. When the untagged frame from Ethernet1/2 enters the switch, it is assigned to the native VLAN of the access port (which is VLAN 10 by default or configuration). As the frame is switched to the trunk port Ethernet1/3, the trunk's allowed VLAN list is checked; since VLAN 10 is not permitted, the frame is dropped at the egress trunk port.

Exam trap

Cisco often tests the distinction between the native VLAN on a trunk and the access VLAN on an access port, leading candidates to mistakenly think the frame will use the trunk's native VLAN (999) instead of being dropped because the access VLAN (10) is not allowed.

How to eliminate wrong answers

Option A is wrong because VLAN 999 is not the native VLAN of the access port or the trunk; it is only the native VLAN on the trunk, but the frame is tagged with VLAN 10 (the access VLAN) before being forwarded, and VLAN 10 is not allowed on the trunk. Option B is wrong because VLAN 1 is the default VLAN, but the access port is explicitly configured with VLAN 10, so the frame is assigned to VLAN 10, not VLAN 1. Option D is wrong because although the frame is placed into VLAN 10, it is dropped at the trunk egress because VLAN 10 is not in the allowed VLAN list of Ethernet1/3.

1706
Drag & Drop · medium

Drag and drop the steps of LACP active/passive mode negotiation into the correct order, from first to last.

Why this order

LACP negotiation begins with an active port sending LACPDUs, passive port receives and responds, they exchange system/port priorities, select active ports, and then aggregate into a bundle.

1707
MCQ · medium

An architect is designing an SD-Access fabric for a campus with multiple buildings. The design must support wireless clients seamlessly roaming across fabric edge nodes. Which technology is used in the fabric to provide mobility for wireless endpoints?

A. LISP
B. VXLAN
C. OTV
D. MPLS
Answer: A

LISP handles endpoint mobility by updating the EID-to-RLOC mapping when a client roams.

Why this answer

LISP (Locator/ID Separation Protocol) is the correct technology because it decouples the endpoint identifier (EID) from its routing locator (RLOC), enabling seamless roaming across fabric edge nodes. In SD-Access, LISP maintains a mapping database that tracks wireless endpoint locations, allowing traffic to be forwarded to the correct fabric edge without re-anchoring or tunneling changes as clients move between access points.

Exam trap

Cisco often tests the misconception that VXLAN alone handles mobility, but the trap here is that VXLAN is only the data-plane encapsulation; LISP is the control-plane protocol that actually enables endpoint tracking and seamless roaming in SD-Access.

How to eliminate wrong answers

Option B (VXLAN) is wrong because VXLAN is used for network virtualization and overlay encapsulation in SD-Access, but it does not provide endpoint mobility or location tracking; LISP handles the control plane for mobility. Option C (OTV) is wrong because OTV is a Layer 2 extension technology for connecting data centers over Layer 3 networks, not designed for endpoint mobility within a campus fabric. Option D (MPLS) is wrong because MPLS is a label-switching transport technology used for traffic engineering and VPNs, lacking the endpoint identity-to-location mapping required for wireless roaming in SD-Access.

1708
MCQ · medium

Examine the following configuration snippet on a Cisco IOS-XE router:

    interface GigabitEthernet0/1
     ip vrf forwarding BLUE
     ip address 192.168.1.1 255.255.255.0
     no shutdown

What is the effect of this configuration?

A. The interface is placed into VRF BLUE, and all traffic sent or received on this interface uses the routing table of VRF BLUE.
B. The interface remains in the global routing table but is allowed to communicate with VRF BLUE via route leaking.
C. The interface is placed into VRF BLUE, but the IP address is assigned from the global routing table.
D. The configuration is invalid because VRF BLUE must be created first using 'vrf definition BLUE'.
Answer: A

Correct. The interface is now in VRF BLUE and uses its separate routing table.

Why this answer

The 'ip vrf forwarding BLUE' command associates the interface with VRF BLUE, which creates a separate routing table instance. All traffic entering or exiting this interface is forwarded using the VRF BLUE routing table, not the global routing table. This isolates the interface's traffic from the global routing domain.

Exam trap

The trap here is that candidates assume the interface remains in the global routing table or that the VRF must be explicitly defined before use, but Cisco IOS-XE allows VRF creation via the interface command, and the interface is fully moved into the VRF's routing domain.

How to eliminate wrong answers

Option B is wrong because the interface is not in the global routing table; 'ip vrf forwarding' moves the interface entirely into the VRF, and route leaking is an explicit additional configuration (e.g., using 'route-map' and 'import/export' commands) not implied here. Option C is wrong because the IP address is assigned within the VRF context, not from the global routing table; the VRF must already exist or be created dynamically, and the address belongs to the VRF's address space. Option D is wrong because the configuration is valid; VRF BLUE can be created implicitly by the 'ip vrf forwarding' command on the interface, or it may have been created earlier via 'vrf definition BLUE' or 'ip vrf BLUE' (legacy), but the snippet alone does not show an error.

1709
Matching · hard

Drag and drop each IPv6 ACL feature on the left to its matching IPv4 ACL equivalent on the right.

Matches

Equivalent to ip access-list extended in IPv4

Equivalent to deny ip in IPv4 extended ACL

Equivalent to permit tcp in IPv4 extended ACL

Equivalent to sequence number in IPv4 named ACL

Equivalent to implicit deny ip in IPv4 ACL

Why these pairings

IPv6 ACLs use similar logic but with IPv6-specific syntax: deny/ipv6, permit/ipv6, sequence numbers, and implicit deny.

1710
MCQ · medium

A network engineer writes the following Python script to retrieve the list of devices from Cisco DNA Center using the REST API:

    import requests
    import json

    url = "https://dna-center.local/dna/intent/api/v1/network-device"
    headers = {
        "Content-Type": "application/json",
        "X-Auth-Token": "valid-token-here"
    }
    response = requests.get(url, headers=headers, verify=False)
    if response.status_code == 200:
        devices = response.json()
        for device in devices["response"]:
            print(device["hostname"])
    else:
        print("Error:", response.status_code)

What is the issue with this code?

A. The code uses verify=False which is insecure but functional; the main issue is missing pagination handling.
B. The URL is incorrect; it should be /dna/intent/api/v1/network-device/list.
C. The code does not handle authentication properly; it should use Basic Auth.
D. The code fails because it does not import the json module correctly.
Answer: A

Correct. The API may return multiple pages, but the code only retrieves the first page. It should check for a 'lastIndex' field and loop to fetch all pages.

Why this answer

The code does not handle pagination. Cisco DNA Center API returns a maximum of 500 devices by default, and if more exist, the response includes a 'lastIndex' or similar field. The code only processes the first page.

1711
Matching · medium

Drag and drop each OSPF LSA type on the left to its matching description on the right.

Matches

Describes a router's directly attached links and interfaces

Generated by the DR to list all routers on a multiaccess segment

Advertises inter-area prefixes between areas

Advertises the location of an ASBR to other areas

Advertises external routes redistributed into OSPF

Why these pairings

LSA Type 1 (Router LSA) describes a router's own interfaces and links. Type 2 (Network LSA) is generated by the DR to describe all routers on a multiaccess network. Type 3 (Summary LSA) advertises networks from one area to another.

Type 4 (ASBR Summary LSA) advertises the location of an ASBR. Type 5 (AS External LSA) advertises external routes redistributed into OSPF.

1712
MCQ · medium

An organization uses Chef to manage network device configurations. A cookbook that configures SNMP community strings is applied to a group of routers. After the run, one router loses SNMP access. The cookbook uses the following resource:

    snmp_community 'public' do
      action :remove
    end

What is the most likely cause of the issue?

A. The router's Chef client encountered a syntax error and stopped mid-execution
B. The cookbook accidentally applied a 'private' community string instead of 'public'
C. The cookbook removed the only configured SNMP community string
D. The cookbook is not idempotent and reapplied the change multiple times
Answer: C

If 'public' was the only community, removing it disables SNMP access.

Why this answer

Option C is correct because the `snmp_community 'public' do action :remove end` resource explicitly removes the SNMP community string named 'public'. If 'public' was the only SNMP community string configured on the router, its removal would leave the router with no valid SNMP community, causing all SNMP access to be lost. Chef applies the resource as defined; the issue is not a syntax error or misapplication of a different string, but the direct consequence of removing the sole community.

Exam trap

The trap here is that candidates may assume the issue is a syntax error or a misapplied community string, but Cisco tests the understanding that Chef resources execute exactly as written, and removing the only SNMP community string will break SNMP access regardless of other factors.

How to eliminate wrong answers

Option A is wrong because a syntax error in the Chef client would typically cause the entire run to fail or produce an error in the Chef logs, not silently remove a community string and then stop mid-execution; the resource shown is syntactically correct. Option B is wrong because the cookbook explicitly targets the 'public' community string with the `:remove` action; there is no mention or evidence of a 'private' string being applied, and the issue is removal, not misapplication. Option D is wrong because idempotency is not the problem; the `:remove` action is inherently idempotent (removing an already-removed community does nothing), and reapplying the change multiple times would not cause the initial loss of access—the first removal alone is sufficient.

1713
MCQ · hard

A multinational organization has a BGP-based MPLS VPN network. The CE router at a branch office is connected to two PE routers (PE1 and PE2) in the service provider network. The branch uses eBGP to exchange routes with the PEs. The network administrator notices that the branch can reach some destinations but not others. The BGP table on the CE shows routes with next-hop set to the PE loopback addresses, but those loopbacks are not reachable. The CE has a default route pointing to the PEs. What is the most likely cause of the issue?

A. The next-hop addresses of the BGP routes are not reachable.
B. The default route on the CE is overriding the BGP routes.
C. The routes have an AS path that is too long.
D. The CE is not advertising its routes to the PEs.
Answer: A

Unreachable next-hop prevents route installation.

Why this answer

The CE router learns BGP routes from the PE routers with next-hop addresses set to the PE loopback interfaces. For these routes to be installed in the routing table, the CE must have a route to the next-hop IP address. Since the CE only has a default route pointing to the PEs and the PE loopbacks are not directly connected or reachable via any specific route, the BGP routes remain hidden (not installed) because the next-hop is unreachable.

This is the most likely cause of partial reachability.

Exam trap

Cisco often tests the BGP next-hop reachability rule, where candidates mistakenly think a default route satisfies the next-hop check, but BGP requires a specific route to the next-hop address (not a default route) for the route to be installed in the routing table.

How to eliminate wrong answers

Option B is wrong because a default route does not override BGP routes; BGP routes have a lower administrative distance (20 for eBGP) and would be preferred over a default route if the next-hop were reachable. Option C is wrong because a long AS path would affect route selection only if multiple paths exist, but it does not prevent routes from being installed when the next-hop is unreachable. Option D is wrong because the issue is about receiving routes from PEs, not about the CE advertising routes; the CE is receiving BGP routes but cannot install them due to next-hop unreachability.

1714
MCQ · hard

A network engineer runs the following command on Router R1:

    R1# show policy-map interface GigabitEthernet0/0
     GigabitEthernet0/0
      Service-policy input: QOS_POLICY
        Class-map: VOICE (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: ip dscp ef (46)
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
          police cir 1000000 bc 31250 be 31250
            conformed 0 bytes; actions: transmit
            exceeded 0 bytes; actions: drop
            violated 0 bytes; actions: drop
        Class-map: class-default (match-any)
          100 packets, 12000 bytes
          5 minute offered rate 8000 bps, drop rate 0 bps
          Match: any
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 100/12000

Based on this output, what can be concluded?

A. The policy is applied in the output direction.
B. Voice traffic is being policed at 1 Mbps and any excess is dropped.
C. All traffic is being policed at 8 kbps.
D. The policy is shaping traffic to 1 Mbps.
Answer: B

The VOICE class has a police statement with CIR 1 Mbps, and actions for exceed and violate are drop.

Why this answer

The policy-map QOS_POLICY is applied inbound on GigabitEthernet0/0. It has two classes: VOICE (matching DSCP EF) and class-default. The VOICE class has a police command with a CIR of 1 Mbps, and actions for conform (transmit) and exceed/violate (drop).

The class-default has no police. The output shows no packets matched VOICE, so no policing has occurred for that class. The class-default has 100 packets.

1715
MCQ · hard

An enterprise is deploying Cisco SD-WAN with a hub-and-spoke topology. The hub site has a vSmart controller and a vEdge router. The branch sites have vEdge routers. The engineer wants to ensure that all inter-branch traffic goes through the hub for security inspection. The engineer configures a centralized control policy on the vSmart to set the 'hub' as the preferred path for all routes. After the policy is applied, the engineer notices that branch-to-branch traffic is still going directly, bypassing the hub. The vEdge routers show that the control policy is received. What is the most likely issue?

A. The control policy is not attached to the correct site list.
B. The hub site is not configured with a different site ID than the branches.
C. The engineer should have used a data policy instead of a control policy.
D. The OMP admin distance is set too high on the hub.
Answer: B

Correct because the hub must have a unique site ID to be recognized as the hub in the topology.

Why this answer

In Cisco SD-WAN, a centralized control policy that sets a preferred path for routes only influences route preference within the OMP routing table. However, for branch-to-branch traffic to be forced through the hub, the hub must have a different site ID than the branches. Without a distinct site ID, the vEdge routers treat the hub as part of the same site and will attempt direct branch-to-branch tunnels (using TLOC resolution) instead of routing through the hub.

The control policy is received but cannot override the default behavior of same-site direct connectivity.

Exam trap

Cisco often tests the distinction between control policy affecting route preference and site ID affecting tunnel establishment, leading candidates to overlook the mandatory requirement for different site IDs in hub-and-spoke topologies.

How to eliminate wrong answers

Option A is wrong because the control policy being received on the vEdge routers indicates it is attached to the correct site list; if it were not, the policy would not be applied. Option B is correct as explained. Option C is wrong because a data policy could also force traffic through the hub, but the issue here is that the control policy is correctly applied yet traffic still bypasses the hub due to the site ID misconfiguration; a data policy would not fix the root cause.

Option D is wrong because OMP admin distance affects route preference between OMP and other routing protocols, not the forwarding behavior of branch-to-branch traffic within the SD-WAN fabric.

1716
Drag & Drop · medium

Drag and drop the steps of the 802.11 client association process into the correct order, from first to last.

Why this order

The 802.11 client association process begins with the client sending a Probe Request to discover networks, followed by a Probe Response from the AP. Then the client sends an Authentication Request, the AP replies with an Authentication Response, and finally the client sends an Association Request, which the AP confirms with an Association Response.

1717
Drag & Drop · medium

Drag and drop the steps of creating a virtual machine in VMware ESXi using the vSphere Client into the correct order, from first to last.

Why this order

Creating a VM starts with naming it and selecting a compatibility level. Then the guest OS is chosen, followed by storage. Virtual hardware (CPU, memory, disk) is configured, and the VM is finalized and powered on.

1718
Drag & Drop · medium

Drag and drop the steps of Syslog severity filtering and rate-limiting configuration into the correct order, from first to last.

Why this order

First enable logging, then set severity, apply rate-limit, specify destination, and finally verify the configuration.

1719
Multi-Select · hard

Which three statements about VLAN configuration and verification are true? (Choose three.)

Select 3 answers
A. A VLAN can be created using the 'vlan vlan-id' command in global configuration mode.
B. The 'show vlan brief' command displays all VLANs, including the reserved VLANs 1002-1005.
C. VLAN 1 can be deleted from the switch.
D. The 'switchport access vlan' command automatically creates the VLAN if it does not already exist.
E. The 'show interfaces trunk' command shows only the trunking interfaces and their native VLAN.
Answers: A, B, D

This is the standard method to create a VLAN; the switch then enters VLAN configuration sub-mode.

Why this answer

VLANs can be created in global configuration mode or in VLAN database mode (though the latter is deprecated). The 'show vlan brief' command displays active VLANs and their ports. VLAN 1 and VLANs 1002-1005 are reserved and cannot be deleted.

The 'switchport access vlan' command assigns a port to a VLAN, but the VLAN must exist first or it will be created automatically on some platforms. The 'show interfaces trunk' command shows trunking interfaces and allowed VLAN lists.

1720
Matching · medium

Drag and drop each Python library on the left to its matching network use case on the right.

Matches

Multi-vendor SSH connection and command execution

Network automation and configuration management with vendor-agnostic API

Parallel task execution for network automation

Screen-scraping network devices with structured output

Low-level SSH protocol implementation for Python

Why these pairings

Netmiko is used for multi-vendor SSH connections, NAPALM for network automation and configuration management, Nornir for parallel task execution, Scrapli for screen-scraping network devices, and Paramiko for low-level SSH connections.

1721
MCQ · medium

Consider the following configuration:

    ip access-list extended BLOCK_TELNET
     deny tcp any any eq 23
     permit ip any any
    !
    interface GigabitEthernet0/2
     ip access-group BLOCK_TELNET out

Which statement is true?

A. Telnet traffic entering GigabitEthernet0/2 is blocked.
B. Telnet traffic leaving GigabitEthernet0/2 is blocked.
C. All outbound traffic is blocked.
D. The ACL is incorrectly applied; only named ACLs can be applied outbound.
Answer: B

The outbound ACL denies TCP port 23 (Telnet) on egress.

Why this answer

The ACL is applied outbound, so it filters traffic leaving the interface. Telnet (port 23) is denied, all other traffic permitted.

1722
Matching · medium

Drag and drop each WAN topology type on the left to its matching characteristic on the right.

Matches

Simple dedicated link between two sites

Central site connects to multiple remote sites

Every site directly connected to every other site

Some sites directly connected, others through intermediate

Service provider network providing any-to-any Layer 3 connectivity

Why these pairings

Point-to-point is simple and dedicated; hub-and-spoke centralizes traffic; full mesh provides high redundancy; partial mesh balances cost and redundancy; MPLS VPN offers any-to-any connectivity.

1723
MCQ · medium

Examine the following configuration for a Cisco IOS-XE device:

    interface GigabitEthernet0/0
     ip address 10.0.0.1 255.255.255.252
     ipv6 address 2001:db8::1/64
     ipv6 ospf 1 area 0
    !
    interface GigabitEthernet0/1
     ip address 192.168.1.1 255.255.255.0
     ipv6 address 2001:db8:1::1/64
     ipv6 ospf 1 area 0
    !
    ipv6 router ospf 1
     router-id 2.2.2.2

Which statement is true about OSPFv3 operation?

A. OSPFv3 will form adjacencies over both interfaces using the configured IPv6 addresses.
B. OSPFv3 will form adjacencies over both interfaces using link-local addresses.
C. OSPFv3 will only run on GigabitEthernet0/0 because the router-id is not configured for GigabitEthernet0/1.
D. OSPFv3 requires an explicit network command under the OSPFv3 process to enable on interfaces.
Answer: B

Correct. OSPFv3 always uses link-local addresses for neighbor communication. The global addresses are used for routing.

Why this answer

OSPFv3 runs per interface and uses link-local addresses for neighbor discovery. The router-id is required and must be unique. Both interfaces are in area 0.

1724
Multi-Select · hard

Which three statements about EIGRP route summarization are true? (Choose three.)

Select 3 answers
A. Manual summarization is configured using the 'ip summary-address eigrp <as> <prefix> <mask>' command on an interface.
B. Automatic summarization is enabled by default in EIGRP for IPv4.
C. A manual summary route is advertised with a metric equal to the best metric among the component routes.
D. Summary routes are always preferred over more specific routes in the routing table.
E. EIGRP will install a discard route (null0) for the summary prefix to prevent routing loops.
Answers: A, C, E

Correct because this is the standard command to configure a manual summary route on a specific interface.

Why this answer

EIGRP supports manual summarization on any interface and automatic summarization at classful boundaries (disabled by default in modern IOS). Summary routes are advertised with a metric based on the component routes.

1725
MCQ · easy

Which BGP attribute is preferred when it has the lowest value?

A. Weight
B. Local Preference
C. MED (Multi-Exit Discriminator)
D. AS Path Length
Answer: C

Correct. MED is a metric that is preferred with the lowest value.

Why this answer

BGP uses multiple attributes in its path selection algorithm. The weight attribute is Cisco-specific and is preferred with the highest value. The local preference is also preferred with the highest value.

The MED (Multi-Exit Discriminator) is preferred with the lowest value.
