ENCOR 350-401 (350-401) — Questions 17261800

2015 questions total · 27pages · All types, answers revealed

Page 23

Page 24 of 27

Page 25
1726
MCQmedium

A company is migrating its legacy firewall services to a virtualized environment using Cisco NFV. The network engineer deploys a virtual firewall (vFW) on an NFVIS-enabled UCS platform. After the deployment, traffic through the vFW is intermittent and performance monitoring shows high CPU usage on the host. Which action should the engineer take to improve performance?

A.Enable SR-IOV on the physical NICs and assign VFs to the vFW.
B.Increase the number of vCPUs allocated to the vFW VM.
C.Configure QoS policies on the vFW to prioritize traffic.
D.Disable hyperthreading on the host CPU.
AnswerA

Correct because SR-IOV allows the vFW to directly access the physical NIC, reducing CPU overhead and improving throughput.

Why this answer

SR-IOV (Single Root I/O Virtualization) allows a physical NIC to present multiple virtual functions (VFs) directly to a VM, bypassing the hypervisor's virtual switch and reducing CPU overhead for packet processing. In an NFVIS environment, high host CPU usage with intermittent traffic indicates that the vFW is consuming excessive CPU cycles due to software-based I/O. Assigning VFs to the vFW offloads packet handling to the NIC hardware, lowering host CPU utilization and stabilizing traffic.

Exam trap

The trap here is that candidates often assume adding more vCPUs (Option B) will solve performance issues, but Cisco tests the understanding that I/O bottlenecks in NFV are typically resolved by hardware offload techniques like SR-IOV, not by increasing compute resources.

How to eliminate wrong answers

Option B is wrong because increasing vCPUs can actually worsen CPU contention and overhead in a virtualized environment, especially if the bottleneck is I/O processing rather than compute capacity. Option C is wrong because QoS policies manage traffic prioritization but do not reduce the underlying CPU overhead caused by inefficient I/O virtualization; they may even add additional processing load. Option D is wrong because disabling hyperthreading reduces logical CPU cores, which can decrease overall throughput and increase latency, contrary to the goal of improving performance.

1727
Matchingmedium

Drag and drop each WAN encapsulation on the left to its matching use case on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Default serial encapsulation on Cisco routers

Supports PAP/CHAP authentication and multilink

Used for DSL broadband connections

Legacy Layer 2 VPN using DLCIs

Bonding multiple PPP links for higher bandwidth

Why these pairings

HDLC is default synchronous serial encapsulation. PPP supports authentication and multilink. PPPoE is used over DSL.

Frame Relay is legacy L2 VPN. MLPPP bonds multiple links.

1728
MCQmedium

An engineer is using a Python script to configure a new VLAN on a Cisco Nexus 9000 switch using the NX-API REST API. The script sends a POST request to 'https://switch/api/mo/org.json' with a JSON payload containing the VLAN configuration. The switch responds with a 403 Forbidden error. What is the most likely cause?

A.The payload format is incorrect; the engineer must use XML instead of JSON.
B.The user account does not have the required RBAC privileges to configure VLANs.
C.The switch does not support NX-API; the engineer must use NETCONF instead.
D.The URI is incorrect; the correct URI should be 'https://switch/api/node/mo/org.json'.
AnswerB

Correct because 403 indicates authorization failure; the user needs appropriate privileges.

Why this answer

A 403 Forbidden error indicates that the server understood the request but refuses to authorize it. In NX-API, this often occurs when the user does not have sufficient privileges to perform the operation. The engineer should check that the user account used for authentication has the necessary RBAC roles to configure VLANs.

1729
Matchingmedium

Drag and drop each EIGRP state on the left to its matching DUAL stage on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Route is stable and no DUAL computation is in progress

DUAL is actively querying neighbors for an alternate path

Query has not been replied to within the active timer

Router sends queries to all neighbors for a lost route

Router has received all replies to its queries

Why these pairings

Passive is the stable state; Active is when DUAL is actively searching for a new route; Stuck in Active occurs when a query is not answered within the active timer.

1730
MCQmedium

An engineer is developing a script to automate the backup of running configurations from multiple Cisco IOS-XE devices using RESTCONF. The script sends a GET request to 'https://device/restconf/data/Cisco-IOS-XE-native:native/configuration' and receives a 501 Not Implemented error. What is the most likely cause?

A.The device does not support RESTCONF; the engineer must use NETCONF for configuration backup.
B.The URI is incorrect; the running configuration is under 'ietf-netconf-monitoring:netconf-state/capabilities'.
C.The URI is incorrect; the running configuration is accessed via the 'Cisco-IOS-XE-native:native' module without the '/configuration' suffix.
D.The request must use the POST method instead of GET to retrieve the running configuration.
AnswerC

Correct because the native model does not have a 'configuration' container; the correct URI is '/restconf/data/Cisco-IOS-XE-native:native'.

Why this answer

The 501 error indicates that the server does not support the functionality required to fulfill the request. In this case, the URI is incorrect because the running configuration is typically accessed via the 'ietf-netconf-monitoring' module or a specific Cisco module like 'Cisco-IOS-XE-native:native' but the path should be '/restconf/data/Cisco-IOS-XE-native:native' without '/configuration'. However, the more common issue is that the running configuration is not directly available via RESTCONF; it is available via NETCONF or via the 'operational' datastore.

The correct approach is to use the 'ietf-netconf-monitoring' module or the 'cisco-native' module with the correct path.

1731
MCQhard

A service provider uses Cisco IOS XE routers with NETCONF/YANG for configuration management. They have a centralized automation system that pushes configuration changes via NETCONF. Recently, after a maintenance window, several routers lost connectivity to the NETCONF server. The automation system can still SSH to the routers and execute CLI commands. The engineer suspects that the NETCONF server's SSH key changed, causing the routers to reject the connection. However, checking the routers' configuration, the engineer finds that the 'netconf ssh' command is present and the SSH server is enabled. The engineer also notices that the routers have an 'ip ssh server algorithm publickey' configuration specifying a list of allowed public keys. What is the most likely cause of the NETCONF connectivity loss?

A.The NETCONF server is using a non-standard port
B.The routers have reached the maximum number of SSH sessions
C.The NETCONF server's SSH public key is not in the allowed list on the routers
D.The 'netconf ssh' command was removed from the router configuration
AnswerC

The public key algorithm filter may be blocking the server's key.

Why this answer

The routers have an 'ip ssh server algorithm publickey' configuration that explicitly lists allowed public keys. If the NETCONF server's SSH key was changed during the maintenance window, its new public key would not match any entry in this allowed list, causing the routers to reject the SSH connection for NETCONF even though SSH itself is enabled and the 'netconf ssh' command is present. This is a common security hardening practice that restricts which SSH clients can connect.

Exam trap

Cisco often tests the distinction between SSH being enabled (via 'ip ssh server' or 'netconf ssh') and SSH authentication being blocked by a public key allowlist, leading candidates to overlook the 'ip ssh server algorithm publickey' restriction as the root cause.

How to eliminate wrong answers

Option A is wrong because the question states the automation system can still SSH to the routers, which would also fail if a non-standard port were used unless the port was changed only for NETCONF, but there is no evidence of that; the core issue is key-based authentication failure, not port mismatch. Option B is wrong because the engineer can still SSH to the routers and execute CLI commands, indicating that SSH sessions are not exhausted; the maximum session limit would affect all SSH connections, not just NETCONF. Option D is wrong because the engineer explicitly verified that the 'netconf ssh' command is present in the router configuration, so it was not removed.

1732
MCQmedium

Given the following configuration: interface GigabitEthernet0/1 service-policy output QOS_POLICY Which statement is true about applying a service-policy in the output direction?

A.The policy-map is applied to traffic exiting the interface, allowing queuing and scheduling decisions.
B.The policy-map is applied to traffic entering the interface, performing classification and marking.
C.The policy-map can only be applied if the interface is in a shutdown state.
D.The policy-map must contain a class-default with a shape command to be valid.
AnswerA

Output service-policy controls how traffic is queued and transmitted out of the interface.

Why this answer

When a service-policy is applied in the output direction, the policy-map inspects and acts on packets as they leave the interface. This allows the policy to perform queuing and scheduling decisions (e.g., CBWFQ, LLQ, shaping) on outbound traffic, which is the correct behavior for managing bandwidth and latency on egress.

Exam trap

Cisco often tests the distinction between input and output service-policies, where candidates mistakenly assume that output policies are used for marking or classification, when in fact those actions are typically performed on ingress.

How to eliminate wrong answers

Option B is wrong because applying a service-policy in the output direction does not affect traffic entering the interface; input direction (service-policy input) is used for classification and marking on ingress. Option C is wrong because a service-policy can be applied to an interface regardless of its operational state; it does not require the interface to be in a shutdown state. Option D is wrong because a policy-map applied in the output direction does not require a class-default with a shape command; shaping is optional, and the policy can contain other actions like bandwidth, priority, or queue-limit without a shape statement.

1733
Multi-Selecthard

Which two statements about configuring SPAN on Cisco IOS-XE switches are true? (Choose two.)

Select 2 answers
A.A SPAN source can be a physical port or an EtherChannel interface.
B.A SPAN destination port can also be configured as a SPAN source port.
C.Only one source port can be configured per SPAN session.
D.The SPAN destination port must belong to the same VLAN as the source port.
E.A SPAN destination port cannot be a routed port.
AnswersA, E

Correct because SPAN supports both physical ports and port-channel interfaces as sources.

Why this answer

A SPAN source can be a single port or an EtherChannel. A SPAN destination port cannot be a source port simultaneously. The destination port must be in the same VLAN as the source for local SPAN? Actually, the destination port can be in any VLAN, but it is placed in a special SPAN mode.

The correct statements: source can be an EtherChannel; destination port cannot be a source port. The others are false: you can have multiple source ports; the destination port does not need to be in the same VLAN; you cannot use a routed port as a SPAN destination.

1734
Drag & Dropmedium

Drag and drop the steps of IPv6 ACL configuration and application into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

IPv6 ACLs are created in global config, then applied to an interface in the inbound or outbound direction. The order follows standard Cisco IOS configuration sequence: create the ACL, then apply it.

1735
Matchingmedium

Drag and drop each Control plane protection feature on the left to its matching threat on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

DoS attack on control plane

IP spoofing attack

Rogue DHCP server attack

ARP cache poisoning attack

IP spoofing on access ports

Why these pairings

CoPP protects against DoS attacks on the control plane, uRPF against IP spoofing, DHCP snooping against rogue DHCP servers, DAI against ARP cache poisoning, and IP Source Guard against IP spoofing at Layer 2.

1736
Multi-Selecthard

A data center uses Cisco Nexus 9000 switches with VXLAN EVPN to provide network virtualization. The operations team notices that VLAN 100 (mapped to VNI 10100) is not reachable across the fabric, although other VLANs work fine. The NVE interface is up, and the EVPN address-family is configured. Which two actions should the engineer take to isolate the issue?

Select 2 answers
A.Check if EVPN type-3 routes are being advertised for VNI 10100.
B.Confirm that multicast group 239.1.1.1 is reachable across the underlay.
C.Verify that VLAN 100 is mapped to VNI 10100 consistently on all VTEPs.
D.Ensure that VNI 10100 is added under the NVE interface.
E.Check if the MTU on the underlay is set to at least 1550 bytes.
AnswersC, D

Inconsistent mapping breaks VXLAN bridging.

Why this answer

Option C is correct because VXLAN EVPN requires consistent VLAN-to-VNI mapping across all VTEPs in the fabric. If VLAN 100 is mapped to VNI 10100 on some switches but not others, traffic for that VNI will not be forwarded correctly, as the mapping is used to associate local VLANs with the VXLAN segment. Option D is correct because the VNI must be explicitly enabled under the NVE interface to participate in VXLAN tunnel termination; without it, the VTEP will not encapsulate or decapsulate traffic for VNI 10100.

Exam trap

Cisco often tests the distinction between control-plane (BGP EVPN) and data-plane (multicast) VXLAN, leading candidates to incorrectly check multicast reachability (Option B) when the issue is a missing or inconsistent VNI configuration.

1737
Matchingmedium

Drag and drop each LACP port mode on the left to its matching negotiation behavior on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Sends LACP packets and responds to LACP packets

Responds to LACP packets but does not initiate

Both sides send LACP packets, forms channel

One side initiates, other responds, forms channel

Neither side initiates, no channel formed

Why these pairings

Active initiates negotiation; passive waits for partner. Both must have at least one active side to form EtherChannel.

1738
MCQeasy

Which BGP attribute is used to indicate the degree of preference for a route within an AS and is propagated to all iBGP peers?

A.Local preference
B.MED
C.Weight
D.AS-path
AnswerA

Correct. Local preference is used within an AS and is propagated to iBGP peers.

Why this answer

Local preference is a well-known mandatory BGP attribute that indicates the degree of preference for a route within an AS. It is propagated to all iBGP peers and, by default, is set to 100. A higher local preference value is preferred when selecting the best path for outbound traffic from the AS.

Exam trap

Cisco often tests the distinction between attributes that are propagated within an AS (local preference) versus those that are not (weight), or those that influence inbound versus outbound traffic (MED vs. local preference).

How to eliminate wrong answers

Option B (MED) is wrong because MED (Multi-Exit Discriminator) is a metric used to influence inbound traffic from neighboring ASes and is not propagated to iBGP peers; it is exchanged only between eBGP peers. Option C (Weight) is wrong because weight is a Cisco-proprietary attribute that is local to the router and is not propagated to any BGP peers, iBGP or eBGP. Option D (AS-path) is wrong because AS-path is a well-known mandatory attribute used for loop prevention and path selection, but it is not used to indicate preference within an AS; it is propagated to all BGP peers but does not serve the described function.

1739
MCQhard

A company is deploying a virtualized firewall on a VMware ESXi host. The firewall VM requires high network throughput and low latency. The engineer decides to use SR-IOV to assign a virtual function (VF) from a physical NIC to the VM. After configuration, the VM can communicate, but the host's management network becomes unreachable. What is the most likely cause?

A.The physical NIC's PF is also used for the host management network, and SR-IOV configuration disrupted it.
B.The VM's VF is using the same MAC address as the host management interface.
C.The ESXi host requires a dedicated physical NIC for management when using SR-IOV.
D.The VM's VF is consuming all available bandwidth on the NIC.
AnswerA

Correct because SR-IOV can interfere with the PF if the management network is on the same port.

Why this answer

When SR-IOV is enabled on a physical NIC, the Physical Function (PF) is shared between the host management network and the Virtual Functions (VFs). If the PF is used for the host management network, enabling SR-IOV can disrupt the PF's driver or configuration, causing the management network to become unreachable. This is a common misconfiguration where the same NIC is used for both management and SR-IOV VFs.

Exam trap

Cisco often tests the misconception that SR-IOV requires a dedicated management NIC, but the real issue is that the same PF cannot serve both management and SR-IOV VFs without disruption.

How to eliminate wrong answers

Option B is wrong because SR-IOV VFs are assigned unique MAC addresses by the hypervisor, and a MAC address conflict would cause connectivity issues for the VM, not the host management network. Option C is wrong because ESXi does not require a dedicated physical NIC for management when using SR-IOV; it only requires that the PF used for management is not also used for SR-IOV VFs. Option D is wrong because bandwidth consumption by the VM's VF would degrade performance but would not make the host management network unreachable; the management network would still be accessible, albeit potentially slower.

1740
Matchingmedium

Drag and drop each Cisco security feature on the left to its matching OSI layer on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Layer 2

Layer 3

Layer 3/4

Layer 4-7

Layer 2

Why these pairings

Port security operates at Layer 2; ACL at Layer 3; zone-based firewall at Layer 3/4; IPS at Layer 4-7; MACsec at Layer 2.

1741
MCQhard

A network engineer is implementing QoS on a Cisco router that connects to a service provider. The provider uses MPLS and expects the MPLS EXP bits to be set for voice traffic. The engineer configures a policy-map that sets the MPLS EXP to 5. However, the provider reports that the EXP bits are not being set. What is the most likely reason?

A.The policy-map is applied to the incoming interface, but MPLS EXP marking must be done on the outgoing interface.
B.The router does not support setting MPLS EXP bits.
C.The MPLS EXP bits are set automatically based on the IP precedence.
D.The policy-map must use 'set mpls experimental imposition 5' instead of 'set mpls experimental 5'.
AnswerA

Correct because the MPLS label is added when the packet is forwarded; the marking must be applied on the outgoing interface to set the EXP bits on the label.

Why this answer

The most likely reason is that the policy-map is applied to the incoming interface, but MPLS EXP marking must be applied on the outgoing interface. MPLS EXP bits are set at the imposition (ingress) of the MPLS label stack, which occurs when the packet is forwarded out of an interface that has MPLS enabled. If the policy-map is applied inbound, it marks the IP packet before MPLS encapsulation, and the EXP bits are not set on the MPLS label.

The correct approach is to apply the policy-map outbound on the interface facing the service provider, so that the 'set mpls experimental' command marks the EXP bits on the imposed label.

Exam trap

Cisco often tests the concept that MPLS EXP marking must be applied on the outgoing interface (where MPLS encapsulation occurs), not on the incoming interface, leading candidates to incorrectly assume that inbound marking is sufficient.

How to eliminate wrong answers

Option B is wrong because modern Cisco routers that support MPLS (e.g., ISR, ASR series) fully support setting MPLS EXP bits via policy-maps; this is a standard QoS feature. Option C is wrong because MPLS EXP bits are not automatically set based on IP precedence; they must be explicitly configured using a policy-map or can be copied from IP precedence if the 'mpls ip' command with 'mpls experimental' is configured, but this is not automatic and requires specific configuration. Option D is wrong because 'set mpls experimental 5' is the correct command for marking the EXP bits on the imposed label; 'set mpls experimental imposition 5' is not a valid Cisco IOS command.

1742
MCQeasy

A network engineer runs the following command on Switch SW8: SW8# show spanning-tree vlan 80 VLAN0080 Spanning tree enabled protocol ieee Root ID Priority 24656 Address aabb.cc00.0e00 Cost 12 Port 1 (GigabitEthernet0/1) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 32768 (priority 32768 sys-id-ext 80) Address aabb.cc00.0f00 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300 sec Interface Role Sts Cost Prio.Nbr Type ------------------- ---- --- --------- -------- ------------------------------ Gi0/1 Root FWD 12 128.1 P2p Gi0/2 Desg FWD 4 128.2 P2p Gi0/3 Desg FWD 4 128.3 P2p Gi0/4 Altn BLK 4 128.4 P2p Based on this output, what is the cost of the root port?

A.4
B.8
C.12
D.16
AnswerC

Correct. The root port Gi0/1 has a cost of 12.

Why this answer

The root port is Gi0/1, and its cost is shown as 12 in the interface table.

1743
Matchingmedium

Match each QoS feature to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Identifying traffic based on specific fields

Setting the DSCP or CoS value in a packet

Dropping packets that exceed a configured rate

Buffering packets to maintain a configured rate

Managing packet order during congestion

Why these pairings

These are fundamental QoS mechanisms used in Cisco networks.

1744
Drag & Dropmedium

Drag and drop the steps of ERSPAN (Encapsulated RSPAN) session configuration into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

ERSPAN configuration requires first defining the source, then the destination with encapsulation, optionally filtering VLANs, and finally activating the session.

1745
MCQmedium

Examine the following configuration snippet: interface GigabitEthernet0/1 ip address 192.168.1.1 255.255.255.0 ip ospf network point-to-point ip ospf hello-interval 10 ip ospf dead-interval 40 ! router ospf 1 network 192.168.1.0 0.0.0.255 area 0 What is the effect of this configuration?

A.OSPF adjacency will form with a neighbor using hello/dead intervals of 10/40 seconds.
B.OSPF adjacency will not form because the hello interval is too low for point-to-point.
C.The network command under router ospf will be ignored because the interface has an explicit network type.
D.OSPF will use the default broadcast network type because the point-to-point keyword is misspelled.
AnswerA

The point-to-point network type with explicit hello/dead intervals of 10/40 matches the default for point-to-point, so adjacency forms normally.

Why this answer

The configuration sets the OSPF network type to point-to-point on the interface, which allows OSPF to form an adjacency with a neighbor using the configured hello interval of 10 seconds and dead interval of 40 seconds. These intervals are valid for point-to-point networks, and the network command under router ospf correctly enables OSPF on the interface. Therefore, an adjacency will form as long as the neighbor's intervals match.

Exam trap

Cisco often tests the misconception that the network command is ignored when an explicit ip ospf network type is configured, but in reality both work together—the network command enables OSPF on the interface, and the ip ospf network command only changes the OSPF network type.

How to eliminate wrong answers

Option B is wrong because a hello interval of 10 seconds is not too low for point-to-point; the default hello interval for point-to-point is 10 seconds, and it can be set lower (e.g., 1 second) without preventing adjacency formation as long as the neighbor matches. Option C is wrong because the network command under router ospf is not ignored; it is still used to determine which interfaces participate in OSPF, and the explicit network type on the interface only overrides the default network type, not the network command. Option D is wrong because the keyword 'point-to-point' is correctly spelled in the configuration snippet, and OSPF will use the point-to-point network type, not the default broadcast type.

1746
Matchingmedium

Drag and drop each EIGRP packet type on the left to its matching function on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Discovers and maintains neighbors

Carries routing information

Asks for successor information

Responds to a query

Acknowledges receipt of a reliable packet

Why these pairings

Hello packets discover and maintain neighbors; Update packets carry routing information; Query packets ask for successor information; Reply packets respond to queries; ACK packets acknowledge reliable packets.

1747
Drag & Dropmedium

Drag and drop the steps of EtherChannel load-balancing hash configuration into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Configuration starts with selecting the global load-balancing method, applying it, verifying with show commands, then optionally overriding per-interface, and finally testing with traffic.

1748
Multi-Selectmedium

Which two statements about Ansible automation in a Cisco environment are true? (Choose two.)

Select 2 answers
A.Ansible uses a push-based model to configure network devices.
B.Ansible requires an agent to be installed on managed Cisco devices.
C.Ansible Tower provides a web-based GUI and role-based access control.
D.The default Ansible inventory file is written in YAML format.
E.Ansible playbooks are written in Python.
AnswersA, C

Correct: Ansible pushes configurations from the control node to managed nodes using SSH or APIs.

Why this answer

Ansible uses a push-based model where the control node pushes modules to managed nodes. It is agentless, relying on SSH or API connections. Ansible Tower provides a web UI and RBAC, while the default inventory is INI-based.

Playbooks are written in YAML, not Python. Ansible Galaxy is a community hub for roles.

1749
Drag & Dropmedium

Drag and drop the steps of CBWFQ and LLQ queue servicing order into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

LLQ is serviced first to guarantee low-latency traffic, then CBWFQ queues are serviced in a weighted round-robin manner based on configured bandwidths. This order ensures strict priority for voice/video while providing fair sharing for other classes.

1750
Drag & Dropmedium

Drag and drop the steps of SD-Access fabric border node configuration steps into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Configuration starts with enabling LISP on the border node, then configuring the EID-to-RLOC mapping and border services. Next, the border is connected to external networks (e.g., WAN), followed by applying VRF and SGT policies, and finally verifying the border operation.

1751
MCQeasy

What is the default update interval for a Cisco IOS-XE telemetry subscription when using update-policy periodic without specifying a value?

A.1000 milliseconds
B.10000 milliseconds
C.5000 milliseconds
D.The command requires a value; there is no default.
AnswerB

The default periodic interval is 10 seconds (10000 ms).

Why this answer

The default periodic interval is 10000 milliseconds (10 seconds) if not explicitly configured.

1752
MCQmedium

Consider the following SD-WAN configuration snippet on a Cisco IOS-XE router: interface GigabitEthernet0/0/1 ip address 10.1.1.1 255.255.255.0 tunnel-interface encapsulation ipsec color biz-internet no allow-service bgp allow-service dhcp allow-service dns allow-service icmp ! What is the effect of this configuration?

A.The interface is configured as an SD-WAN tunnel interface with color biz-internet, allowing DHCP, DNS, and ICMP traffic but blocking BGP.
B.The interface is configured as a standard WAN interface with IPsec encryption, allowing all services including BGP.
C.The configuration enables the interface as a loopback tunnel for OMP traffic only, blocking all other services.
D.The interface is configured for SD-WAN with color biz-internet, but the 'no allow-service bgp' command is invalid on a tunnel interface.
AnswerA

This accurately describes the configuration: tunnel-interface enables SD-WAN, color sets the transport, and allow-service controls permitted protocols.

Why this answer

The configuration applies to a GigabitEthernet interface that is placed into SD-WAN tunnel mode using the 'tunnel-interface' command. The 'color biz-internet' assigns the transport color, and the 'allow-service' and 'no allow-service' commands explicitly control which control-plane services are permitted over the tunnel. DHCP, DNS, and ICMP are allowed, while BGP is explicitly denied, making option A correct.

Exam trap

Cisco often tests the misconception that 'no allow-service bgp' is invalid or that the tunnel-interface configuration only applies to loopback interfaces, when in fact it is a valid command applied to physical interfaces to filter control-plane traffic per transport color.

How to eliminate wrong answers

Option B is wrong because the interface is not a standard WAN interface; it is an SD-WAN tunnel interface, and the 'no allow-service bgp' command blocks BGP rather than allowing all services. Option C is wrong because the interface is not a loopback tunnel for OMP traffic only; it is a physical interface acting as an SD-WAN transport tunnel that can carry multiple services, not just OMP. Option D is wrong because the 'no allow-service bgp' command is perfectly valid on an SD-WAN tunnel interface; it is used to explicitly deny BGP control-plane traffic over that specific transport tunnel.

1753
Drag & Drophard

Drag and drop the steps of SNMPv3 secure agent configuration into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

First, you must enable the SNMP agent with snmp-server. Then define the SNMPv3 group and associate it with a security model. Next, create the user and assign authentication and privacy passwords.

Finally, restrict access using an ACL to limit which NMS can poll the agent.

1754
Multi-Selecthard

Which three statements about using Python for device inventory and data serialization in network automation are true? (Choose three.)

Select 3 answers
A.A Python script can read a YAML file containing device hostnames and IP addresses, then use that data to connect to each device and gather inventory information.
B.The json module in Python can be used to serialize a dictionary containing device inventory data into a JSON string for storage or transmission.
C.CSV files can be parsed using Python's csv module to import device inventory data, such as hostname, IP, and credentials, into a script.
D.YAML files in Python cannot contain comments, so all inventory data must be described without explanatory text.
E.JSON is always more human-readable than YAML for complex inventory structures.
AnswersA, B, C

Correct because this is a common pattern: use PyYAML to load a YAML inventory file, iterate over devices, and use Netmiko or NAPALM to collect facts.

Why this answer

The correct answers describe practical uses of Python for inventory management and data handling. The incorrect options either misattribute YAML's features (it does not support comments natively in all parsers) or incorrectly state that JSON is always more human-readable than YAML (YAML is often considered more readable).

1755
MCQmedium

A campus network uses a collapsed core design with two distribution switches and multiple access switches. The engineer wants to ensure that if one distribution switch fails, the access switches can still reach the core. The access switches are connected to both distribution switches. What additional configuration is required on the access switches?

A.Configure the access switches with VPC (Virtual Port Channel) to the distribution switches.
B.Enable STP on the access switches and set the root bridge priority to 0.
C.Configure the access switches with HSRP to the distribution switches.
D.Use static routing with equal-cost paths from the access switches to the distribution switches.
AnswerA

Correct because VPC allows both uplinks to be active simultaneously, providing redundancy and load balancing without STP blocking.

Why this answer

Option A is correct because VPC allows the access switches to form a single logical link to the pair of distribution switches, enabling active-active forwarding and seamless failover. If one distribution switch fails, the access switch continues to reach the core through the surviving distribution switch without requiring STP convergence or routing protocol changes.

Exam trap

Cisco often tests the misconception that STP or FHRP alone can solve distribution switch failure scenarios, but the key is that VPC provides active-active Layer 2 uplinks with fast failover, whereas STP blocks one link and FHRP only handles gateway redundancy, not uplink connectivity.

How to eliminate wrong answers

Option B is wrong because enabling STP and setting root bridge priority to 0 only influences the Layer 2 spanning-tree topology, but it does not provide active-active uplink utilization or fast failover; STP would still block one uplink, and convergence delays would occur. Option C is wrong because HSRP is a First Hop Redundancy Protocol (FHRP) used for default gateway redundancy on the distribution switches themselves, not on the access switches; configuring HSRP on access switches does not solve the uplink failure scenario. Option D is wrong because static routing with equal-cost paths requires Layer 3 connectivity between the access and distribution switches, but in a typical collapsed core design, access switches are Layer 2 devices; even if they were Layer 3, static routes would not provide the fast, deterministic failover that VPC offers at Layer 2.

1756
MCQmedium

interface GigabitEthernet0/4 spanning-tree vlan 20 cost 100 end What is the effect of this configuration?

A.The port cost for VLAN 20 is set to 100, making it more likely to be selected as root port if lower than other paths.
B.The port cost for all VLANs is set to 100.
C.The port will become a designated port for VLAN 20.
D.The port will have a higher priority in the spanning-tree algorithm.
AnswerA

Lower cost is preferred; 100 is lower than default for GigabitEthernet (4).

Why this answer

This sets the STP path cost for VLAN 20 on this interface to 100, influencing the root port selection.

1757
Matchingeasy

Drag and drop each HTTP status code on the left to its meaning on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Request succeeded

Resource created

Malformed request syntax

Authentication required or failed

Requested resource not found

Why these pairings

Correct pairings: 200 OK for success; 201 Created for resource creation; 400 Bad Request for client error; 401 Unauthorized for missing/invalid credentials; 404 Not Found for missing resource; 500 Internal Server Error for server-side failure.

1758
Matchingmedium

Drag and drop each IP SLA operation type on the left to its measured metric on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Round-trip time and packet loss

Delay, jitter, and packet loss

Connection establishment time

Page load time and success

DNS resolution time

Why these pairings

ICMP echo measures round-trip time and packet loss; UDP jitter measures delay, jitter, and packet loss; TCP connect measures connection establishment time; HTTP measures page load time and success; DNS measures DNS resolution time.

1759
MCQmedium

A network engineer runs the following command on Switch SW1: SW1# show interfaces gi0/1 switchport Name: Gi0/1 Switchport: Enabled Administrative Mode: trunk Operational Mode: trunk Administrative Trunking Encapsulation: dot1q Operational Trunking Encapsulation: dot1q Negotiation of Trunking: On Access Mode VLAN: 1 (default) Trunking Native Mode VLAN: 1 (default) Administrative Native VLAN tagging: enabled Voice VLAN: none Administrative private-vlan host-association: none Administrative private-vlan mapping: none Administrative private-vlan trunk native VLAN: none Administrative private-vlan trunk Native VLAN tagging: enabled Administrative private-vlan trunk encapsulation: dot1q Administrative private-vlan trunk normal VLANs: none Administrative private-vlan trunk private VLANs: none Operational private-vlan: none Trunking VLANs Enabled: ALL Pruning VLANs Enabled: 2-1001 Capture Mode Disabled Capture VLANs Allowed: ALL Based on this output, what can be concluded?

A.The interface is configured as an access port.
B.DTP is enabled on this interface.
C.The native VLAN is tagged with 802.1Q.
D.All VLANs except 2-1001 are pruned.
AnswerB

'Negotiation of Trunking: On' indicates DTP is enabled.

Why this answer

The output shows 'Negotiation of Trunking: On', which indicates that Dynamic Trunking Protocol (DTP) is enabled on the interface. DTP is a Cisco proprietary protocol used to negotiate trunking between switches. Since the interface is in trunk mode and DTP is on, option B is correct.

Exam trap

Cisco often tests the distinction between 'Pruning VLANs Enabled' and 'Trunking VLANs Enabled', where candidates mistakenly think that VLANs listed under pruning are actively removed from the trunk, when in fact they are only eligible for pruning if VTP pruning is enabled.

How to eliminate wrong answers

Option A is wrong because the 'Administrative Mode: trunk' and 'Operational Mode: trunk' clearly indicate the port is configured as a trunk, not an access port. Option C is wrong because 'Administrative Native VLAN tagging: enabled' means the switch will tag frames on the native VLAN with an 802.1Q header, but the native VLAN itself (VLAN 1) is not tagged by default; tagging is an additional configuration that forces tagging of native VLAN frames, not that the native VLAN is inherently tagged. Option D is wrong because 'Trunking VLANs Enabled: ALL' shows all VLANs are allowed on the trunk, while 'Pruning VLANs Enabled: 2-1001' indicates VLANs 2-1001 are eligible for pruning by VTP, not that they are currently pruned.

1760
Matchingmedium

Drag and drop each IGMP version on the left to its matching feature on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Uses a query/response model with no leave group message

Adds leave group messages and querier election

Adds source filtering (include/exclude lists)

Why these pairings

IGMPv1 uses a query/response model; IGMPv2 adds leave group messages and querier election; IGMPv3 adds source filtering (include/exclude).

1761
MCQmedium

A network engineer runs the following command on Switch SW1: SW1# show spanning-tree vlan 10 VLAN0010 Spanning tree enabled protocol ieee Root ID Priority 32778 Address 0011.2233.4455 Cost 19 Port 1 (GigabitEthernet0/1) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 32778 (priority 32768 sys-id-ext 10) Address 0011.2233.4466 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300 sec Interface Role Sts Cost Prio.Nbr Type ------------------- ---- --- --------- -------- -------------------------------- Gi0/1 Root FWD 19 128.1 P2p Gi0/2 Altn BLK 19 128.2 P2p Gi0/3 Desg FWD 19 128.3 P2p Based on this output, what can be concluded?

A.SW1 is the root bridge for VLAN 10.
B.Gi0/2 is in blocking state due to loop prevention.
C.Gi0/3 is a root port.
D.The root bridge has a higher priority than SW1.
AnswerB

Gi0/2 is an alternate port in blocking state, which is normal STP behavior to prevent loops.

Why this answer

The output shows that the root bridge has address 0011.2233.4455, and SW1's bridge ID is 0011.2233.4466. Since the root bridge has a lower MAC address (and same priority), SW1 is not the root. Gi0/1 is the root port, Gi0/2 is an alternate port (blocking), and Gi0/3 is a designated port.

This indicates a redundant topology with a loop, and STP is blocking Gi0/2 to prevent it.

1762
Drag & Dropmedium

Drag and drop the steps of MPLS FRR (Fast Reroute) backup tunnel activation into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

MPLS FRR begins with configuring the backup tunnel on the PLR. The PLR then merges the backup tunnel with the protected LSP. When a link or node failure is detected, the PLR immediately switches traffic to the backup tunnel.

After the failure is repaired, traffic reverts to the primary LSP via make-before-break.

1763
Drag & Dropmedium

Drag and drop the steps of OSPFv3 IPv6 neighbor adjacency formation into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

OSPFv3 neighbor formation follows the same state machine as OSPFv2: Down, Init, 2-Way, ExStart, Exchange, Loading, Full. The steps reflect the key actions at each state.

1764
MCQhard

A network administrator is troubleshooting a DHCP snooping issue on a Cisco switch. The switch is configured with DHCP snooping globally and on VLAN 10. The trusted interface is GigabitEthernet0/1 connected to the DHCP server. However, clients on VLAN 10 are not receiving IP addresses from the DHCP server. What is the most likely cause?

A.The switch has IP Source Guard enabled, blocking valid DHCP traffic.
B.The interface GigabitEthernet0/1 is not configured as a trusted port for DHCP snooping.
C.The DHCP server is on a different subnet and the switch lacks an IP helper address.
D.The DHCP server is sending offers too quickly, exceeding the rate-limit on the switch.
AnswerB

Correct: Untrusted ports drop DHCP server messages; the server port must be trusted.

Why this answer

Option B is correct because the scenario states that DHCP snooping is configured globally and on VLAN 10, and that GigabitEthernet0/1 is connected to the DHCP server. However, for DHCP snooping to allow DHCP server messages (OFFER, ACK) to be forwarded, the interface connected to the legitimate DHCP server must be explicitly configured as a trusted port using the 'ip dhcp snooping trust' interface command. Without this, the switch treats all DHCP server responses as untrusted and drops them, preventing clients from receiving IP addresses.

Exam trap

Cisco often tests the distinction between trusted and untrusted ports in DHCP snooping, and the trap here is that candidates assume enabling DHCP snooping globally and on the VLAN is sufficient, forgetting that the server-facing interface must be explicitly trusted to allow DHCP server responses.

How to eliminate wrong answers

Option A is wrong because IP Source Guard (IPSG) is typically used to filter traffic based on the IP-to-MAC binding learned from DHCP snooping, but it does not block valid DHCP traffic itself; it blocks IP spoofing after the lease is assigned. Option C is wrong because the question states the DHCP server is connected directly to GigabitEthernet0/1, implying it is on the same VLAN, so an IP helper address is not needed; if the server were on a different subnet, the helper address would be required, but that is not the scenario described. Option D is wrong because DHCP snooping rate-limiting is applied on untrusted ports (client-facing) to prevent DHCP starvation attacks, not on the trusted port connected to the server; the trusted port has no rate-limit by default.

1765
MCQhard

A network engineer is implementing model-driven telemetry on a Cisco Nexus 9000 switch to monitor VLAN and STP changes. The engineer wants to use the native telemetry protocol with UDP as the transport. After configuring the telemetry subscription with the 'destination-group' and 'sensor-group', the engineer notices that the collector is not receiving any data. The collector is reachable and the UDP port is open. What is the most likely missing configuration?

A.The engineer forgot to configure a 'source-interface' under the destination-group
B.The engineer did not create a 'policy' that binds the sensor-group and destination-group
C.The YANG models for VLAN and STP are not supported in the native telemetry protocol
D.The engineer used GPB encoding instead of JSON, and the collector only accepts JSON
AnswerB

On Nexus, a telemetry policy is required to link the sensor and destination groups; without it, no data is streamed.

Why this answer

The correct answer is that the engineer must configure a 'policy' that associates the sensor-group with the destination-group and commits the configuration. On Nexus switches, model-driven telemetry requires a policy to bind the sensor and destination groups. The other options are incorrect because the source-interface is optional; the YANG models are correct; and the encoding is not the issue.

1766
MCQmedium

A network engineer is creating a Python script using the Cisco IOS XE RESTCONF API to configure a loopback interface. The script sends a PUT request to the URI /restconf/data/Cisco-IOS-XE-native:native/interface/Loopback=100 with a JSON body that includes the IP address. The API returns a 201 Created status, but the loopback interface does not appear in the running configuration. What is the most likely issue?

A.The RESTCONF API returned an error but the script ignored it
B.The loopback interface number is incorrect in the URI
C.The script is not authenticated properly
D.The PUT request should be a POST request to create a new resource
AnswerD

POST is used to create a new resource; PUT replaces an existing one.

Why this answer

D is correct because RESTCONF uses PUT to create or replace a resource only when the client specifies the entire resource URI, including the resource identifier (e.g., Loopback=100). However, for a new resource, the API may require a POST to the parent collection (e.g., /restconf/data/Cisco-IOS-XE-native:native/interface/Loopback) to trigger creation, depending on the YANG module's data model. A 201 Created response indicates the request was accepted, but if the resource was not actually created in the running configuration, it suggests the PUT was treated as a no-op or the data was not applied due to a mismatch in the expected resource state.

Exam trap

Cisco often tests the distinction between PUT and POST in RESTCONF, where candidates mistakenly assume PUT always creates a new resource, but the correct behavior depends on the YANG module's definition and whether the resource identifier is part of the URI or the payload.

How to eliminate wrong answers

Option A is wrong because the script received a 201 Created status, which is a success code, not an error; if an error had occurred, the API would return a 4xx or 5xx status. Option B is wrong because the URI includes Loopback=100, which is a valid identifier, and the 201 response confirms the resource was targeted correctly; an incorrect number would result in a 404 or 409 error. Option C is wrong because authentication failures would return a 401 Unauthorized or 403 Forbidden status, not a 201 Created.

1767
Drag & Dropmedium

Drag and drop the steps of BGP confederations setup between sub-ASes into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Confederation setup requires enabling BGP, configuring the confederation identifier and sub-AS list, then peering between sub-ASes, and finally verifying the confederation membership.

1768
Multi-Selecteasy

Which two statements about the 'ip access-group' command are true? (Choose two.)

Select 2 answers
A.The 'ip access-group' command applies an ACL to an interface in a specified direction.
B.The 'ip access-group' command can be applied to both physical interfaces and SVIs.
C.The 'ip access-group' command creates a new ACL if the named ACL does not exist.
D.The 'ip access-group' command can only filter traffic in the inbound direction.
E.The 'ip access-group' command is used to apply a CoPP policy to the control plane.
AnswersA, B

Correct because the command syntax is 'ip access-group {acl-name} {in|out}'.

Why this answer

The 'ip access-group' command is used to apply an ACL to an interface in a specific direction (in or out). It can be applied to both Layer 3 interfaces (routed ports) and SVIs. The ACL must already exist in the configuration.

The command does not create the ACL; it only applies it. The 'in' direction filters traffic entering the interface, and 'out' filters traffic leaving.

1769
MCQmedium

A company is deploying a new campus network with a hierarchical design (core, distribution, access). The QoS design must ensure that voice traffic is prioritized end-to-end, and that marking is trusted only on access ports connected to IP phones. Which architectural approach should the architect take for classification and marking?

A.Configure the access switches to trust DSCP on ports connected to IP phones, and apply queuing policies on distribution and core switches that match the trusted markings.
B.Remark all traffic to a single DSCP value at the access layer and apply priority queuing at the core.
C.Apply QoS policies only at the core layer, ignoring markings from the access layer.
D.Use the distribution layer to reclassify traffic based on source MAC addresses of IP phones.
AnswerA

Trusting DSCP on IP phone ports preserves the correct markings; queuing at higher layers ensures consistent treatment.

Why this answer

Option A is correct because it aligns with the Cisco QoS trust boundary model for campus networks. IP phones are trusted endpoints that mark voice traffic with the correct DSCP values (e.g., EF for voice, AF41 for video). By configuring the access switch port to trust DSCP from the IP phone, the marking is preserved end-to-end.

Distribution and core switches then apply queuing policies (e.g., LLQ) based on these trusted markings, ensuring voice traffic receives priority treatment across the entire network.

Exam trap

Cisco often tests the concept that the trust boundary must be set at the access layer, not at the distribution or core, and that trusting DSCP from IP phones is the correct method, while remarking all traffic to a single value or ignoring markings entirely are common misconceptions that break end-to-end QoS.

How to eliminate wrong answers

Option B is wrong because remarking all traffic to a single DSCP value at the access layer eliminates any differentiation between voice, video, and data, defeating the purpose of QoS and causing all traffic to be treated equally, which would starve voice of priority. Option C is wrong because applying QoS policies only at the core layer ignores the need to establish a trust boundary at the access layer; without trusting or marking at the edge, the core has no reliable markings to act upon, and the access layer may re-mark or drop priority packets. Option D is wrong because reclassifying traffic based on source MAC addresses at the distribution layer is inefficient and unscalable; classification should occur as close to the source as possible (at the access layer), and MAC-based classification does not leverage the standard DSCP markings that IP phones already set.

1770
Matchingmedium

Drag and drop each OSPF router role on the left to its matching function on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Generates Type 2 Network LSA and maintains full adjacencies with all routers on the segment

Becomes DR if the current DR fails; also maintains full adjacencies

Forms adjacencies only with DR and BDR; does not form full adjacencies with other DROTHERs

Redistributes routes from other routing protocols into OSPF

Connects two or more OSPF areas and advertises inter-area routes

Why these pairings

DR (Designated Router) generates Network LSAs and manages adjacencies on multi-access networks; BDR (Backup DR) takes over if the DR fails; DROTHER routers form full adjacencies only with DR and BDR; ASBR redistributes routes from other protocols; ABR connects multiple areas.

1771
Drag & Dropmedium

Drag and drop the steps of PIM DM (Dense Mode) flood and prune steps into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

PIM DM initially floods multicast traffic to all PIM-enabled interfaces; downstream routers that have no interested receivers send Prune messages upstream to stop unwanted traffic.

1772
Multi-Selectmedium

Which two statements about EIGRP stub routing are true? (Choose two.)

Select 2 answers
A.A stub router advertises only connected and summary routes by default.
B.A stub router can still be used as a transit router for other EIGRP neighbors.
C.The 'eigrp stub' command is configured on the hub router in a hub-and-spoke topology.
D.EIGRP stub routing reduces query scoping and improves convergence.
E.A stub router can be configured with the 'receive-only' keyword to advertise all its routes.
AnswersA, D

Correct because the default stub setting (without keywords) advertises connected and summary routes.

Why this answer

EIGRP stub routing limits the routes a stub router advertises, preventing it from being used as a transit router. Common stub types include connected, static, summary, and receive-only.

1773
Multi-Selectmedium

Which two statements about NetFlow are true? (Choose two.)

Select 2 answers
A.NetFlow uses TCP port 2055 for exporting flow records.
B.NetFlow v9 is template-based, allowing flexible and extensible flow record formats.
C.Sampled NetFlow reduces CPU impact by analyzing only a subset of packets.
D.NetFlow records include the full payload of each packet.
E.NetFlow can be used for both IPv4 and IPv6 traffic monitoring.
AnswersB, C

NetFlow v9 introduced templates that define the format of exported data, making it extensible.

Why this answer

NetFlow is a Cisco technology that collects IP traffic statistics and can export them to a collector. Traditional NetFlow uses UDP for export, and sampled NetFlow (sFlow-like) is used to reduce CPU load. NetFlow v9 is template-based, allowing flexible field definitions.

1774
MCQmedium

Examine this DHCP configuration: ``` ip dhcp pool POOL1 network 10.10.10.0 255.255.255.0 default-router 10.10.10.1 dns-server 8.8.8.8 lease 0 12 ! ip dhcp excluded-address 10.10.10.1 10.10.10.10 ``` Which statement is true?

A.DHCP clients will receive a lease for 12 hours.
B.The router will assign IP addresses from 10.10.10.1 to 10.10.10.254.
C.The default lease is used because the lease command is incomplete.
D.The DNS server is set to 8.8.8.8, but clients will ignore it.
AnswerA

Correct. The lease command specifies 0 days, 12 hours.

Why this answer

The configuration defines a DHCP pool with a lease of 12 hours (0 days, 12 hours) and excludes the first 10 addresses.

1775
Multi-Selecteasy

Which two statements about local AAA and fallback methods are true? (Choose two.)

Select 2 answers
A.Local AAA authentication uses the username and password configured in the running configuration.
B.The 'aaa authentication login default local' command configures the device to use a RADIUS server first, then fall back to local.
C.When using a RADIUS server group, if the primary server fails to respond, the device automatically tries the next server in the group.
D.The 'aaa new-model' command is required only when using TACACS+ servers.
E.Fallback to local authentication occurs only if all remote servers explicitly reject the authentication request.
AnswersA, C

Correct because local authentication relies on the username/password stored on the device.

Why this answer

Local AAA uses the device's local database for authentication. Fallback methods define the order of servers to try. If all servers are unreachable, the local database can be used as a backup.

The 'aaa authentication login default local' command uses the local database only. The 'aaa new-model' command enables AAA globally.

1776
Matchingmedium

Drag and drop each NetFlow version on the left to its matching feature on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Fixed-format records with no templates

Template-based flow records with user-defined fields

Standardized version of NetFlow with variable-length fields

Why these pairings

NetFlow v5 sends fixed-format records with no user-defined fields. v9 supports templates and flexible field definitions. IPFIX is the standardized version of v9 with additional fields and variable-length support.

1777
MCQmedium

A network engineer is troubleshooting an issue where a Cisco router is not responding to SNMP polls from a network management station (NMS) at 192.168.1.50. The router has a CoPP policy that includes a class-map matching SNMP traffic (UDP port 161). The engineer checks the CoPP statistics and sees that SNMP packets from the NMS are being dropped. The engineer wants to allow SNMP from the NMS while still protecting the control plane. Which configuration change should the engineer make?

A.Modify the CoPP ACL to include a permit statement for UDP port 161 from host 192.168.1.50 before the deny statement.
B.Increase the police rate for the CoPP class that matches SNMP traffic.
C.Remove the CoPP policy from the control plane and rely on interface ACLs.
D.Change the SNMP port on the router to a non-standard port to avoid the CoPP policy.
AnswerA

Correct because this allows SNMP traffic from the NMS to be classified and permitted by the CoPP policy.

Why this answer

The correct answer is to modify the CoPP ACL to permit SNMP from the NMS before the deny statement, ensuring that the traffic is matched and permitted. Option B is incorrect because increasing the police rate might not help if the traffic is being denied by an ACL. Option C is incorrect because removing the CoPP policy removes all protection.

Option D is incorrect because changing the SNMP port would require reconfiguring the NMS.

1778
Drag & Dropmedium

Drag and drop the steps of Cisco DNA Center device onboarding via PnP into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

The PnP onboarding process begins with the device obtaining an IP address via DHCP and receiving the PnP server address from DHCP options. The device then discovers the Cisco DNA Center PnP server and authenticates using a certificate or credentials. After authentication, the device downloads its Day 0 configuration and image from DNA Center.

Finally, the device applies the configuration and joins the fabric or network.

1779
Multi-Selecteasy

Which two statements about NetFlow flow records and export are correct? (Choose two.)

Select 2 answers
A.NetFlow v9 uses a template-based export format.
B.IPFIX is the IETF standard version of NetFlow, based on NetFlow v9.
C.NetFlow v5 supports variable-length fields and custom flow keys.
D.NetFlow export uses TCP by default to ensure reliable delivery.
E.NetFlow v5 can export IPv6 flow information.
AnswersA, B

Correct because v9 introduces templates that define which fields are exported, allowing flexibility.

Why this answer

NetFlow v5 has a fixed format with 7 key fields, while v9 is template-based and flexible. IPFIX is the IETF standard based on v9. NetFlow export uses UDP by default (port 2055 for v5, 4729 for IPFIX).

TCP is not the default transport.

1780
Drag & Dropmedium

Drag and drop the steps of disaster recovery failover process into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Failover begins with detecting the primary failure, then activating the backup path. Traffic is redirected to the secondary site, and after the primary is restored, operations are switched back in a controlled manner.

1781
Drag & Dropmedium

Drag and drop the steps of streaming telemetry sensor path subscription flow into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Streaming telemetry starts with the collector subscribing to a sensor path on the device, the device authenticates the subscription, then periodically collects data from the YANG model, encodes it (e.g., GPB or JSON), and pushes it to the collector via gRPC or UDP.

1782
Drag & Dropmedium

Drag and drop the steps of OSPF SPF calculation steps (Dijkstra) into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

The Dijkstra SPF algorithm first initializes the candidate list with the root router itself. It then examines the root's neighbors, adding them to the candidate list. The router with the lowest cost is moved from candidate to the SPF tree.

The process repeats by examining the newly added router's neighbors and updating the candidate list. Finally, when all routers are in the SPF tree, the algorithm terminates and the routing table is populated.

1783
Matchingmedium

Drag and drop each SPAN type on the left to its correct scope description on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Mirrors traffic only on the source switch

Uses a dedicated VLAN to carry mirrored traffic between switches

Encapsulates mirrored traffic in GRE and routes over IP

Receives a copy of monitored traffic

The interface being monitored

Why these pairings

Local SPAN mirrors traffic on the same switch; RSPAN uses a dedicated VLAN to transport mirrored traffic across switches; ERSPAN encapsulates mirrored packets in GRE and routes them over Layer 3.

1784
Multi-Selecthard

Which three statements about virtual machine (VM) resource allocation and overcommitment are true? (Choose three.)

Select 3 answers
A.Memory overcommitment allows a hypervisor to run VMs with total allocated memory exceeding physical RAM.
B.CPU overcommitment can lead to performance degradation if the physical CPU cores are insufficient for the workload.
C.Overcommitment guarantees that each VM receives its allocated resources without interference.
D.Storage overcommitment using thin provisioning can cause performance issues if the underlying storage runs out of space.
E.Resource overcommitment is only applicable to memory, not CPU or storage.
AnswersA, B, D

Correct because hypervisors use techniques like ballooning to reclaim memory from idle VMs.

Why this answer

Resource overcommitment allows a hypervisor to allocate more virtual resources than physical resources, but careful monitoring is required to avoid performance issues. Option A is correct because memory overcommitment uses techniques like ballooning or swapping. Option B is correct because CPU overcommitment can lead to contention if many VMs compete for CPU time.

Option D is correct because storage overcommitment can cause performance degradation if thin provisioning leads to oversubscription. Option C is incorrect because overcommitment does not guarantee isolation; it can actually reduce isolation. Option E is incorrect because overcommitment is not limited to memory; it applies to CPU and storage as well.

1785
Drag & Dropmedium

Drag and drop the steps of configuring a Layer 2 EtherChannel using PAgP into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

First, create the port-channel interface globally. Then set the channel-group mode to desirable on the first interface. Next, set the same mode on the second interface.

After that, verify the bundle forms using show commands. Finally, assign the port-channel to a VLAN to enable data forwarding. This sequence ensures PAgP negotiation completes before the bundle is used.

1786
MCQmedium

A network engineer is troubleshooting BGP peering between two routers in different autonomous systems. The peering is established over a directly connected Ethernet link. The engineer notices that the BGP session is flapping every few minutes. The configuration on both routers appears correct, and the IP connectivity is stable. The engineer checks the BGP logs and sees messages like 'BGP-3-NOTIFICATION: sent 4/0 (Hold Timer Expired)'. What is the most likely cause of this issue?

A.The hold timer values are mismatched between the two routers.
B.The MTU on the link is mismatched, causing BGP packets to be fragmented.
C.The TTL for eBGP is set to 1, and the routers are not directly connected.
D.The BGP update timer is set too high, causing delays in sending updates.
AnswerA

Correct because a hold timer mismatch causes the router with the smaller hold time to expire, leading to session flaps.

Why this answer

The BGP notification 'Hold Timer Expired' indicates that the router did not receive keepalive or update messages within the configured hold time. When hold timers are mismatched between two eBGP peers, the router with the shorter hold timer will expire first, causing the session to reset. Since the IP connectivity is stable and the configuration appears correct, a mismatch in hold timer values is the most direct cause of the flapping session.

Exam trap

Cisco often tests the distinction between hold timer mismatch (which causes a notification and session reset) versus other common BGP issues like MTU or TTL, where candidates may incorrectly assume that any BGP flapping is due to connectivity or packet loss rather than timer negotiation.

How to eliminate wrong answers

Option B is wrong because MTU mismatch would cause packet fragmentation or loss, not a hold timer expiration; BGP uses TCP which handles fragmentation, and the issue would manifest as TCP retransmissions or connection resets, not a hold timer expiry. Option C is wrong because the peering is over a directly connected Ethernet link, so the default TTL of 1 for eBGP is appropriate and would not cause flapping; if the routers were not directly connected, the session would never establish. Option D is wrong because the BGP update timer (or advertisement interval) controls the rate of sending updates, not the receipt of keepalives; a high update timer would not cause a hold timer expiration because keepalives are sent independently every one-third of the hold time.

1787
MCQhard

A network engineer issues the following command on Router R4: R4# show ip ospf database OSPF Router with ID (4.4.4.4) (Process ID 1) Router Link States (Area 0) Link ID ADV Router Age Seq# Checksum Link count 1.1.1.1 1.1.1.1 123 0x80000002 0x00A1B2 2 2.2.2.2 2.2.2.2 456 0x80000003 0x00B2C3 3 4.4.4.4 4.4.4.4 789 0x80000001 0x00C3D4 1 Net Link States (Area 0) Link ID ADV Router Age Seq# Checksum 192.168.1.2 2.2.2.2 234 0x80000001 0x00D4E5 Based on this output, what can be concluded?

A.Router 2.2.2.2 is the Designated Router on the segment 192.168.1.0/24.
B.Router 1.1.1.1 has three OSPF-enabled interfaces.
C.Router 4.4.4.4 is the BDR on the segment.
D.There are multiple broadcast segments in area 0.
AnswerA

The Net Link State is originated by the DR, and the ADV Router is 2.2.2.2, so it is the DR.

Why this answer

The Net Link States entry shows the link ID 192.168.1.2 (the DR's interface IP) and ADV Router 2.2.2.2, which indicates that router 2.2.2.2 is the Designated Router (DR) on the 192.168.1.0/24 segment. In OSPF, only the DR originates the Type 2 (Network LSA) for a broadcast segment, so the advertising router in the Net Link States is always the DR.

Exam trap

Cisco often tests the misconception that the ADV Router in a Net Link State is the router that owns the IP address in the Link ID field, when in fact it is always the DR on that segment.

How to eliminate wrong answers

Option B is wrong because the Router Link States show a link count of 2 for router 1.1.1.1, meaning it has exactly two OSPF-enabled interfaces, not three. Option C is wrong because the output does not include any information about the BDR; the Net Link States only identifies the DR (2.2.2.2), and there is no separate BDR field in the OSPF database output. Option D is wrong because only one Net Link State entry is present (for 192.168.1.0/24), which indicates a single broadcast segment in area 0; multiple broadcast segments would produce multiple Type 2 LSAs.

1788
MCQmedium

A network engineer is configuring 802.1X on a Cisco switch for a guest network. The engineer wants to allow guests to access the internet after authentication but restrict access to internal resources. The engineer configures the switch with 'authentication port-control auto' and a downloadable ACL (dACL) from the RADIUS server. After a guest authenticates, the engineer tests connectivity and finds that the guest can access internal servers. What is the most likely cause?

A.The switchport is configured as 'switchport mode trunk', which does not support dACLs.
B.The guest is not being authenticated; the switch is using MAB instead.
C.The switch is not configured with 'ip access-group' to apply the dACL.
D.The RADIUS server is not sending the dACL attributes in the Access-Accept message.
AnswerD

Correct because without dACL attributes, the switch applies no filter.

Why this answer

dACLs are applied to the port after authentication to filter traffic. If the dACL is not applied, the guest may have full access. Option D is correct because the RADIUS server must send the dACL name or attributes.

Option A is incorrect because the switchport mode does not affect dACL application. Option B is incorrect because the guest is authenticated. Option C is incorrect because the switch does not need a local ACL.

1789
Matchingmedium

Drag and drop each RSPAN VLAN requirement on the left to its correct restriction on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Must not be the native VLAN on any trunk

Why these pairings

The RSPAN VLAN must not be the native VLAN; it must be allowed on all trunk ports between source and destination; no other traffic should use it; it must exist on all intermediate switches; it must be configured as an RSPAN VLAN.

1790
MCQmedium

Examine the following configuration: interface Port-channel1 switchport mode trunk ! interface GigabitEthernet0/1 switchport mode trunk channel-group 1 mode desirable ! interface GigabitEthernet0/2 switchport mode access channel-group 1 mode desirable What is the problem with this configuration?

A.The channel-group mode desirable is incompatible with trunk ports.
B.The port-channel interface must also be configured as access to match Gi0/2.
C.The switchport mode mismatch between Gi0/1 (trunk) and Gi0/2 (access) will prevent the EtherChannel from forming.
D.The EtherChannel will form but only Gi0/1 will be active.
AnswerC

Correct. All member ports must have the same switchport mode.

Why this answer

EtherChannel requires all member interfaces to have the same switchport mode (all trunk or all access). Here, Gi0/1 is configured as trunk, but Gi0/2 is configured as access. This mismatch will prevent the channel from forming.

1791
MCQmedium

Examine the following HSRP configuration on a Cisco IOS-XE switch: interface Vlan10 ip address 10.0.0.2 255.255.255.0 standby 10 ip 10.0.0.1 standby 10 priority 150 standby 10 preempt What is the effect of the 'standby 10 preempt' command?

A.The router will immediately become the active router if it has a higher priority than the current active.
B.The router will become active only if the current active fails.
C.The router will send a gratuitous ARP to update the virtual MAC address.
D.The router will lower its priority to avoid becoming active.
AnswerA

Preempt enables the router to take over the active role when it has a higher priority.

Why this answer

The preempt command allows this router to become the active HSRP router if it has a higher priority than the current active router. Without preempt, the router with higher priority would not take over unless the current active fails.

1792
MCQeasy

A network engineer is troubleshooting an automated configuration change that caused a routing loop. The change was pushed via an Ansible playbook that modified OSPF cost values on multiple routers simultaneously. What is the most likely reason for the loop?

A.OSPF does not support changing costs on multiple routers at the same time
B.OSPF uses hop count as a metric, and the changes caused a count-to-infinity issue
C.The changes were applied simultaneously without allowing OSPF to converge between updates
D.The OSPF cost values were changed to non-standard values that OSPF cannot process
AnswerC

Simultaneous changes can create temporary inconsistencies leading to loops.

Why this answer

Option C is correct because applying OSPF cost changes simultaneously on multiple routers without allowing convergence between updates can cause transient routing loops. OSPF relies on the SPF algorithm to calculate loop-free paths based on consistent link-state databases across the network. When costs are changed on multiple routers at once, some routers may have outdated LSAs, leading to inconsistent forwarding tables and temporary loops until all routers reconverge.

Exam trap

Cisco often tests the misconception that OSPF can handle simultaneous changes without issue, but the trap here is that candidates overlook the need for convergence between updates, confusing protocol capability with operational best practices.

How to eliminate wrong answers

Option A is wrong because OSPF fully supports changing costs on multiple routers simultaneously; the issue is not a protocol limitation but the lack of convergence between updates. Option B is wrong because OSPF uses cost (based on bandwidth) as its metric, not hop count; hop count is used by RIP, and count-to-infinity is a RIP-specific problem. Option D is wrong because OSPF can process any positive integer cost value (1 to 65535) as defined in RFC 2328; non-standard values are not a cause of loops.

1793
MCQmedium

Which of the following is used by EIGRP to calculate the feasible distance (FD) of a route?

A.The sum of the advertised distance (AD) of the successor and the link cost to the successor.
B.The lowest hop count among all paths to the destination.
C.The highest bandwidth among all paths to the destination.
D.The sum of all delays along the path.
AnswerA

Correct. The feasible distance is the metric of the successor, which is the AD (reported distance from neighbor) plus the link cost to that neighbor.

Why this answer

EIGRP calculates the Feasible Distance (FD) as the sum of the Advertised Distance (AD) from the successor neighbor and the link cost (metric) to that neighbor. This represents the total metric from the local router to the destination network via that path. The FD is used to determine the best route (successor) and to compare against feasible successors.

Exam trap

Cisco often tests the distinction between Feasible Distance (FD) and Advertised Distance (AD), and the trap here is that candidates confuse FD with just the link cost or one metric component (like delay or bandwidth), rather than recognizing it as the sum of the AD and the cost to the successor.

How to eliminate wrong answers

Option B is wrong because EIGRP does not use hop count for metric calculation; it uses a composite metric based on bandwidth, delay, load, and reliability (by default bandwidth and delay). Option C is wrong because while bandwidth is a component of the EIGRP metric, the FD is not simply the highest bandwidth; it is a calculated value using the composite metric formula. Option D is wrong because delay is only one component of the EIGRP metric, and the FD is not the sum of all delays along the path; it is the sum of the AD and the link cost, which itself is derived from the composite metric.

1794
MCQmedium

Examine the following CoPP configuration on a Cisco IOS-XE router: ``` class-map match-all CONTROL-PLANE match access-group name COPP-ACL ! policy-map COPP-POLICY class CONTROL-PLANE police 1000000 200000 conform-action transmit exceed-action drop ! control-plane service-policy input COPP-POLICY ``` What is the effect of this configuration?

A.Traffic matching the ACL is rate-limited to 1 Mbps; traffic exceeding the rate is dropped.
B.All control plane traffic is rate-limited to 1 Mbps.
C.Traffic exceeding 1 Mbps is marked down but still transmitted.
D.The policy-map is applied to the data plane, not the control plane.
AnswerA

Correct. The police command enforces a 1 Mbps rate with drop for excess.

Why this answer

This applies a policy-map to the control plane that polices traffic matching the class-map. The police command limits traffic to 1 Mbps (1000000 bps) with a normal burst of 200000 bytes; conforming traffic is transmitted, exceeding traffic is dropped.

1795
MCQmedium

Given this configuration: aaa new-model aaa authentication login default group radius aaa authorization exec default group radius aaa accounting exec default start-stop group radius radius-server host 192.168.1.1 auth-port 1645 acct-port 1646 key radiuskey radius-server host 192.168.1.2 auth-port 1645 acct-port 1646 key radiuskey Which statement is true about the RADIUS server ports?

A.The RADIUS authentication port is 1645 and accounting port is 1646.
B.The RADIUS authentication port is 1812 and accounting port is 1813.
C.The RADIUS authentication port is 1646 and accounting port is 1645.
D.The RADIUS ports are not configurable; this command will be rejected.
AnswerA

Correct. The 'auth-port' and 'acct-port' keywords explicitly set these ports.

Why this answer

RADIUS traditionally uses UDP port 1812 for authentication and 1813 for accounting, but older implementations use 1645 and 1646. The configuration explicitly sets these ports, which is valid but non-standard.

1796
Drag & Dropmedium

Drag and drop the steps of QoS pre-classify for encrypted VPN traffic into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

QoS pre-classify copies the original IP header before encryption, allowing classification based on original DSCP. The crypto map references the QoS pre-classify configuration.

1797
MCQmedium

A network engineer runs the following command on Router R1: R1# show bgp ipv4 unicast 192.168.1.0 BGP routing table entry for 192.168.1.0/24, version 10 Paths: (2 available, best #2, table default) Advertised to update-groups: 1 Refresh Epoch 1 Local 10.0.0.2 from 10.0.1.2 (10.0.0.2) Origin IGP, metric 0, localpref 100, valid, internal rx pathid: 0, tx pathid: 0x0 Local, (received & used) 10.0.0.3 from 10.0.1.3 (10.0.0.3) Origin IGP, metric 0, localpref 200, valid, internal, best rx pathid: 0, tx pathid: 0x0 Based on this output, what can be concluded?

A.The path from 10.0.1.2 is the best path because it is received first.
B.The path from 10.0.1.3 is preferred because of a higher local preference.
C.Both paths are from external BGP peers.
D.The path from 10.0.1.2 is marked as best because it has a lower metric.
AnswerB

Local preference is 200 for path #2 (from 10.0.1.3) versus 100 for path #1. Higher local preference is preferred in BGP best path selection.

Why this answer

The output shows two BGP paths for 192.168.1.0/24, both with Origin IGP and metric 0. The path from 10.0.1.3 has a local preference of 200, while the path from 10.0.1.2 has a local preference of 100. BGP selects the path with the highest local preference as the best path, making the path from 10.0.1.3 the best (marked as 'best' in the output).

Exam trap

Cisco often tests the BGP best path selection order, and the trap here is that candidates may confuse local preference with MED or assume that the first received route is preferred, when in fact local preference is evaluated much earlier in the decision process.

How to eliminate wrong answers

Option A is wrong because BGP does not select the best path based on which route is received first; it uses a deterministic decision process where local preference is evaluated before arrival order. Option C is wrong because both paths are marked as 'internal' (iBGP), not external (eBGP), as indicated by the 'internal' keyword in the path attributes. Option D is wrong because both paths have the same metric (0), and BGP does not use metric (MED) as a tiebreaker before local preference; the higher local preference of 200 on the path from 10.0.1.3 is the decisive factor.

1798
MCQhard

A network engineer runs the following command on Router R1: R1# show bgp ipv4 unicast neighbors 10.0.1.2 BGP neighbor is 10.0.1.2, remote AS 65050, external link BGP version 4, remote router ID 10.0.0.2 BGP state = Established, up for 00:23:45 Last read 00:00:15, last write 00:00:10, hold time is 90, keepalive interval is 30 seconds Neighbor sessions: 1 active, is not multisession capable Neighbor capabilities: Route refresh: advertised and received(new) Four-octets ASN: advertised and received Address family IPv4 Unicast: advertised and received Enhanced Refresh: advertised and received Multisession: advertised Message statistics: InQ depth is 0 OutQ depth is 0 Sent Rcvd Opens: 1 1 Notifications: 0 0 Updates: 5 3 Keepalives: 47 48 Route Refresh: 0 0 Total: 53 52 Default minimum time between advertisement runs is 30 seconds Based on this output, what can be concluded?

A.The BGP session is in the 'Idle' state because the last read was 15 seconds ago.
B.The neighbor is an internal BGP peer because the remote AS is 65050.
C.The BGP session is up and functioning normally.
D.The neighbor has sent 5 updates and received 3 updates.
AnswerC

The state is Established, messages are being exchanged, and timers are within expected ranges.

Why this answer

Option C is correct because the BGP state is 'Established', the hold time (90 seconds) and keepalive interval (30 seconds) are standard, and the last read (15 seconds ago) and last write (10 seconds ago) are well within the hold time, indicating the session is stable and functioning normally. The InQ and OutQ depths are 0, confirming no queued updates or issues.

Exam trap

Cisco often tests the misinterpretation of message statistics, where candidates incorrectly assume 'Sent' and 'Rcvd' are from the neighbor's perspective rather than the local router's, leading to option D being chosen.

How to eliminate wrong answers

Option A is wrong because the BGP state is 'Established', not 'Idle', and a last read of 15 seconds ago is within the 90-second hold time, indicating normal operation. Option B is wrong because the remote AS is 65050, which is different from the local AS (not shown but implied by 'external link'), making this an eBGP peer, not an iBGP peer. Option D is wrong because the output shows the router sent 5 updates and received 3 updates, not the neighbor; the neighbor's sent/received counts are the reverse of what is shown.

1799
MCQmedium

Consider the following configuration on a Cisco IOS-XE router: ip multicast-routing ! interface GigabitEthernet0/0 ip address 10.0.0.1 255.255.255.0 ip pim sparse-mode ip igmp static-group 239.1.1.1 ! What is the effect of the 'ip igmp static-group 239.1.1.1' command?

A.The router will send IGMP membership reports for group 239.1.1.1 out of this interface.
B.The router will include this interface in the outgoing interface list for group 239.1.1.1, even without any IGMP hosts.
C.The router will drop all multicast traffic for group 239.1.1.1 on this interface.
D.The router will create a static multicast route for 239.1.1.1 via this interface.
AnswerB

Correct. The static-group command adds the interface to the OIL (outgoing interface list) for the group, simulating a receiver.

Why this answer

The 'ip igmp static-group' command statically adds the interface to the multicast group 239.1.1.1, meaning the router will treat the interface as if a host has joined that group. This can be used for testing or to ensure multicast traffic is forwarded to that interface even without an active IGMP member.

1800
Multi-Selecthard

Which three statements about Multiple Spanning Tree Protocol (MSTP) are true? (Choose three.)

Select 3 answers
A.MSTP allows multiple VLANs to be grouped into a single spanning-tree instance, reducing CPU and memory usage.
B.In MSTP, the Internal Spanning Tree (IST) instance is instance 0 and is always present in every MST region.
C.MSTP requires that all switches in the same MST region have the same VLAN-to-instance mapping, revision number, and region name.
D.MSTP automatically load-balances traffic across all available uplinks without any configuration.
E.MSTP requires a separate root bridge to be elected for each VLAN in the network.
AnswersA, B, C

Correct. This is the primary benefit of MSTP: mapping many VLANs to fewer STP instances.

Why this answer

MSTP (IEEE 802.1s) allows multiple VLANs to be mapped to a single spanning-tree instance (MST instance), reducing the number of STP instances needed. It uses an Internal Spanning Tree (IST) instance (instance 0) that always runs and carries BPDUs for the region. Switches in the same MST region must have identical VLAN-to-instance mappings, revision number, and region name.

MSTP interoperates with Rapid PVST+ at region boundaries by using PVST simulation mode. MSTP does not require a separate root bridge for each VLAN; instead, each MST instance has its own root bridge.

Page 23

Page 24 of 27

Page 25