ENCOR 350-401 (350-401) — Questions 1801-1875

2015 questions total · 27 pages · All types, answers revealed

Page 25 of 27
1801 · MCQ · easy

An engineer notices that syslog messages from a Cisco router are not timestamped correctly. The router is configured with 'service timestamps log datetime msec' and 'logging host 10.1.1.1'. The syslog server shows messages with the correct time but the local logs on the router show incorrect timestamps. What is the most likely cause?

A. The 'service timestamps log datetime msec' command is not supported on this platform.
B. The router's system clock is not synchronized via NTP or manual setting.
C. The syslog server is overwriting the timestamps.
D. The 'logging host' command must include the 'transport tcp' option.

Answer: B

Correct because timestamps are based on the router's clock; if it's incorrect, local logs will have wrong timestamps.

Why this answer

The issue is that the router's clock is not synchronized, so local timestamps are incorrect. The syslog server may be applying its own timestamp. The correct answer is that the router's system clock is not set or NTP is not configured.

1802 · Matching · medium

Drag and drop each PIM message type on the left to its matching function on the right.

Matches

Discovers PIM neighbors and maintains adjacency

Requests to receive multicast traffic for a specific group (or S,G)

Requests to stop receiving multicast traffic for a specific group (or S,G)

Resolves which PIM router forwards multicast traffic on a multi-access network

Distributes RP information in PIM Sparse Mode

Why these pairings

PIM Hello discovers neighbors and maintains adjacency; Join is used to join a multicast tree; Prune is used to leave a tree; Assert resolves duplicate forwarding on a multi-access network; Bootstrap messages are used in PIM SM to distribute RP information.

1803 · Drag & Drop · medium

Drag and drop the steps of uRPF (Unicast Reverse Path Forwarding) verification into the correct order, from first to last.


Why this order

uRPF verification involves checking CEF tables, interface configuration, and packet statistics. The order ensures systematic troubleshooting: start with global CEF, then interface config, then verification commands.

1804 · MCQ · medium

A network engineer runs the following command on Switch SW1:

SW1# show dtp interface gi0/1
DTP information on GigabitEthernet0/1:
  DTP: Enabled
  DTP mode: Desirable
  DTP negotiate: TRUE
  DTP status: Trunk
  DTP trunk status: Trunking
  DTP timer: 30
  DTP max-age: 2
  DTP encapsulation: 802.1q
  DTP refresh rate: Both
  DTP requests: 10
  DTP errors: 0

Based on this output, what can be concluded?

A. The interface is in access mode.
B. The interface will not form a trunk unless the neighbor is set to trunk or desirable.
C. The interface is using ISL encapsulation.
D. DTP is disabled on this interface.

Answer: B

DTP mode desirable actively sends DTP frames to form a trunk; it can form a trunk with a neighbor set to trunk, desirable, or auto.

Why this answer

The output shows DTP mode is 'Desirable' and DTP status is 'Trunking', meaning the interface is actively attempting to form a trunk. In DTP, a switchport in desirable mode will only successfully negotiate a trunk if the neighboring interface is configured as trunk (on) or desirable; if the neighbor is in access mode or dynamic auto, the trunk will not form. Therefore, option B is correct.

Exam trap

Cisco often tests the misconception that 'dynamic desirable' will form a trunk with any neighbor, but the trap is that it requires the neighbor to be in trunk or desirable mode, not dynamic auto or access.

How to eliminate wrong answers

Option A is wrong because the interface is in trunking state (DTP status: Trunking), not access mode. Option C is wrong because the output explicitly shows 'DTP encapsulation: 802.1q', not ISL. Option D is wrong because the output shows 'DTP: Enabled', so DTP is clearly enabled on this interface.

1805 · Drag & Drop · medium

Drag and drop the steps of RADIUS CoA (Change of Authorization) message flow into the correct order, from first to last.


Why this order

RADIUS CoA allows a server to dynamically change a session's authorization. The server sends a CoA-Request to the network access server (NAS). The NAS acknowledges with CoA-ACK and applies the new policy.

If the session is affected, the NAS may send a disconnect or re-authenticate.

1806 · Multi-Select · medium

Which two statements about Flexible NetFlow are true? (Choose two.)

Select 2 answers
A. Flexible NetFlow allows administrators to define custom flow records with specific match and collect fields.
B. Flexible NetFlow can only export data in NetFlow v5 format.
C. A single flow monitor can be attached to multiple interfaces in both directions.
D. Flexible NetFlow requires the use of a dedicated hardware module for flow processing.
E. Flexible NetFlow cannot be used with MPLS traffic.

Answers: A, C

FNF lets you create custom records specifying key (match) and non-key (collect) fields.

Why this answer

Flexible NetFlow (FNF) extends traditional NetFlow by allowing user-defined flow records, keys, and non-key fields. It supports multiple flow exporters and can aggregate data using flow caches. FNF is configured using the 'flow record' and 'flow monitor' CLI commands.

1807 · Drag & Drop · medium

Drag and drop the steps of MPLS traffic engineering (MPLS-TE) tunnel setup into the correct order, from first to last.


Why this order

First, IGP must be configured with TE extensions (e.g., OSPF TE) to flood link attributes. Then MPLS-TE is enabled on interfaces. The headend router computes a path using CSPF based on constraints.

The tunnel interface is configured with the destination and constraints. Finally, RSVP-TE signals the LSP and reserves bandwidth along the path.

1808 · Drag & Drop · medium

Drag and drop the steps of configuring an IP SLA UDP jitter operation into the correct order, from first to last.


Why this order

The correct order begins with entering global configuration mode, then defining the IP SLA operation type and target, setting scheduling parameters, and finally verifying the operation with a show command.

1809 · MCQ · hard

A network engineer issues the following command on Router R7:

R7# show ip pim tunnel
Tunnel1:
  Type: PIM Encap
  Source: 10.0.0.7, Destination: 10.0.0.8
  Status: up

Based on this output, what can be concluded?

A. This tunnel is used for PIM register encapsulation to the RP.
B. This tunnel is used for MDT data group forwarding.
C. This tunnel is used for BSR messages.
D. This tunnel is used for Auto-RP announcements.

Answer: A

PIM Encap tunnels are used to encapsulate multicast packets from the first-hop router to the RP.

Why this answer

The 'show ip pim tunnel' output shows a PIM encapsulation tunnel (Tunnel1) with source 10.0.0.7 and destination 10.0.0.8, and the status is up. This type of tunnel is used for PIM register encapsulation when a source sends to an RP. The correct answer is that this tunnel is used for sending register messages to the RP.

1810 · MCQ · easy

A network engineer runs the following command on Switch SW4:

SW4# show spanning-tree vlan 40

VLAN0040
  Spanning tree enabled protocol ieee
  Root ID    Priority    24616
             Address     aabb.cc00.0600
             Cost        8
             Port        1 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32768  (priority 32768 sys-id-ext 40)
             Address     aabb.cc00.0700
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ------------------------------
Gi0/1               Root FWD 8         128.1    P2p
Gi0/2               Desg FWD 4         128.2    P2p
Gi0/3               Desg FWD 4         128.3    P2p

Based on this output, which port is the root port?

A. GigabitEthernet0/1
B. GigabitEthernet0/2
C. GigabitEthernet0/3
D. There is no root port because SW4 is the root bridge.

Answer: A

Correct. Gi0/1 is shown with role 'Root'.

Why this answer

The root port is the port that provides the best path to the root bridge. In the output, Gi0/1 is listed as 'Root FWD', indicating it is the root port.

1811 · Matching · medium

Drag and drop each IP SLA tracking object on the left to its application on the right.

Matches

Install or remove a static route

Adjust HSRP priority

Change policy routing

Adjust VRRP priority

Adjust GLBP weighting

Why these pairings

Static route uses tracking to install or remove a route; HSRP uses tracking to adjust priority; PBR uses tracking to change policy routing; VRRP uses tracking for priority; GLBP uses tracking for weighting.

1812 · Multi-Select · easy

Which three statements about SSL VPNs are true? (Choose three.)

Select 3 answers
A. SSL VPNs use the TLS protocol to encrypt traffic between client and server.
B. SSL VPNs require a pre-shared key for authentication.
C. Clientless SSL VPN access allows users to access web applications using only a browser.
D. SSL VPNs can only operate over TCP port 443.
E. SSL VPNs support port forwarding for non-web applications.

Answers: A, C, E

Correct because SSL VPNs are based on TLS (formerly SSL).

Why this answer

SSL VPNs use TLS for encryption, can provide clientless access via web browser, and support port forwarding for legacy applications. They do not require IPsec and can use any port (typically 443).

1813 · MCQ · medium

An engineer is troubleshooting a problem where a trunk link between two Cisco switches is not passing traffic for VLAN 10, but other VLANs are working. The trunk is configured with switchport mode trunk on both sides. The engineer checks the allowed VLAN list and sees VLAN 10 is included. The native VLAN is set to 1 on both sides. What is the most likely cause?

A. VLAN 10 is not created in the VLAN database on one of the switches.
B. VTP pruning has removed VLAN 10 from the trunk.
C. The native VLAN is mismatched.
D. Spanning Tree Protocol is blocking VLAN 10 on the trunk.

Answer: A

Correct because the VLAN must exist on both switches for traffic to pass.

Why this answer

The most likely cause is that VLAN 10 is not created in the VLAN database on one of the switches. Even if VLAN 10 is included in the allowed VLAN list on the trunk, a switch will not forward traffic for a VLAN that does not exist in its local VLAN database. The trunk interface will be operationally down for that specific VLAN, preventing traffic from passing.

Exam trap

Cisco often tests the distinction between a VLAN being allowed on a trunk and a VLAN being created in the VLAN database, leading candidates to focus on trunk configuration rather than verifying the VLAN's existence on both switches.

How to eliminate wrong answers

Option B is wrong because VTP pruning removes VLANs from the trunk only when no switch in the VTP domain has any active ports in that VLAN; if VLAN 10 is configured on the trunk and other VLANs work, VTP pruning is unlikely to be the issue. Option C is wrong because the native VLAN is set to 1 on both sides, so there is no mismatch; a native VLAN mismatch would cause issues for untagged traffic, not specifically for VLAN 10. Option D is wrong because Spanning Tree Protocol (STP) blocks per-VLAN on a per-interface basis only if there is a loop or port role change; STP would not block only VLAN 10 while allowing other VLANs unless VLAN 10 has a specific topology issue, but the question states other VLANs are working, making this less likely than a missing VLAN database entry.

1814 · Matching · medium

Drag and drop each traffic shaping or policing characteristic on the left to its matching description on the right.

Matches

Buffers excess packets to send later, smoothing traffic rate

Drops or re-marks packets exceeding the configured rate

Uses a token bucket plus a queue to hold excess packets

Uses a token bucket without a queue; excess is dropped or re-marked

Typically applied inbound to enforce ingress rate limits

Why these pairings

Shaping buffers excess traffic to smooth bursts; policing drops or re-marks excess traffic; shaping uses a token bucket with a queue; policing typically uses a single or dual token bucket without queuing; policing can be applied inbound or outbound.

1815 · MCQ · medium

A network engineer is deploying a Cisco Catalyst 9300 switch as a virtual switch using StackWise Virtual. The switch will connect to two upstream routers for redundancy. What is the best practice for connecting the uplinks?

A. Bundle the uplinks into an EtherChannel that spans both stack members.
B. Use two separate routed interfaces, each with a routing protocol.
C. Connect each uplink to the active switch member.
D. Configure the uplinks in active/standby mode using STP.

Answer: A

EtherChannel across members provides redundancy and load balancing.

Why this answer

Option A is correct because in a StackWise Virtual deployment, the two member switches operate as a single logical switch. Bundling the uplinks into an EtherChannel that spans both stack members provides both link redundancy and load balancing, and it ensures that if one member fails, traffic continues to flow through the remaining member without requiring routing protocol convergence or STP reconvergence.

Exam trap

Cisco often tests the misconception that you must connect uplinks only to the active switch or use STP for redundancy, but in StackWise Virtual the correct approach is to use a cross-stack EtherChannel to fully utilize both members and provide seamless failover.

How to eliminate wrong answers

Option B is wrong because using two separate routed interfaces with a routing protocol introduces unnecessary complexity and potential for asymmetric routing or suboptimal failover, whereas an EtherChannel provides a single logical link with built-in load balancing and faster failover. Option C is wrong because connecting each uplink only to the active switch member creates a single point of failure; if the active switch fails, both uplinks are lost, defeating the purpose of redundancy. Option D is wrong because configuring the uplinks in active/standby mode using STP is a legacy approach for non-virtual switches; in a StackWise Virtual environment, STP is not needed for inter-switch links, and active/standby wastes bandwidth that could be utilized via EtherChannel.

1816 · MCQ · medium

Given the following configuration snippet on a Cisco 9800 WLC:

wireless profile policy test-policy
 no security ft
 aaa-override
 no mac-filtering
 no wlan-switch
 central-switching

What is the effect of this configuration?

A. Client traffic is locally switched at the AP.
B. Client traffic is centrally switched through the WLC.
C. Fast roaming (802.11r) is enabled for this policy.
D. MAC filtering is enabled for client authentication.

Answer: B

Central switching means all client data is tunneled to the WLC.

Why this answer

The 'central-switching' command in a wireless profile policy forces all client traffic to be tunneled back to the WLC, overriding any per-WLAN switching decisions.

1817 · Multi-Select · hard

Which three statements about VXLAN encapsulation in Cisco SD-Access are true? (Choose three.)

Select 3 answers
A. VXLAN encapsulation uses a 24-bit VNI to identify the virtual network segment.
B. The VXLAN header in SD-Access includes a Group Policy ID field to carry the SGT.
C. VXLAN encapsulation in SD-Access is an IP-in-IP tunneling mechanism.
D. The outer IP destination address in the VXLAN packet is the IP address of the destination fabric node.
E. The VNI is mapped to a VLAN at the fabric edge to provide Layer 2 connectivity for endpoints.

Answers: A, B, D

Correct because the VNI (Virtual Network Identifier) is 24 bits, allowing up to 16 million segments.

Why this answer

VXLAN in SD-Access uses a 24-bit VNI for network segmentation, and the fabric encapsulation adds a VXLAN header plus an outer IP/UDP header. The fabric uses VXLAN with Group Policy Option (GPO) to carry SGT information in the header. VXLAN is a MAC-in-UDP encapsulation, not IP-in-IP.

The VNI is used to identify the virtual network (VN) and is mapped to a VLAN at the edge. The outer source IP is typically the loopback of the fabric node, not the end-user IP.

1818 · Matching · medium

Drag and drop each QoS model on the left to its matching characteristic on the right.

Matches

Uses RSVP to signal per-flow reservations

Classifies traffic using DSCP markings

No guarantees for delivery or delay

Why these pairings

IntServ uses RSVP for per-flow signaling, DiffServ uses DSCP marking for per-hop behavior, Best Effort provides no guarantees, IntServ requires state in routers, and DiffServ scales well for large networks.

1819 · MCQ · hard

A network engineer is using Ansible to push ACL changes to a group of Cisco IOS routers. The playbook uses the ios_acl_interfaces module to bind ACLs to interfaces. After running the playbook, the engineer notices that some routers have the ACL applied inbound instead of outbound as intended. The playbook specifies 'direction: outbound'. What is the most likely cause of this issue?

A. The routers have a different IOS version that interprets 'outbound' as 'in'.
B. The playbook uses 'direction: outbound' but the module expects 'direction: out'.
C. The engineer forgot to include the 'state: present' parameter, so the module did not apply the ACL.
D. The ACL itself is defined with the wrong direction in the playbook.

Answer: B

The ios_acl_interfaces module expects 'in' or 'out'; 'outbound' is not a valid value, causing the module to either ignore the parameter or default to 'in'.

Why this answer

The ios_acl_interfaces module requires the direction to be specified in lowercase (e.g., 'out'). If the playbook uses 'outbound' instead of 'out', the module may not recognize the value and could default to 'in' or ignore the parameter. The module documentation clearly states the valid values are 'in' or 'out'.

1820 · Drag & Drop · medium

Drag and drop the steps of DNA Center template deployment to a device into the correct order, from first to last.


Why this order

Template deployment starts with creating the template, then associating it with a site, committing the changes, deploying to the target device, and verifying the deployment.

1821 · MCQ · easy

A network engineer configures SNMPv2c on a Cisco switch to send traps to an NMS. The engineer uses 'snmp-server community public RO' and 'snmp-server host 10.1.1.1 version 2c public'. The NMS receives traps, but the engineer notices that the traps contain the IP address of the management interface (VLAN 1) instead of the loopback interface (Loopback0) that is used for management. The engineer wants the traps to use the loopback IP as the source. What should the engineer do?

A. Configure 'snmp-server source-interface traps Loopback0'.
B. Configure 'snmp-server trap-source Loopback0'.
C. Configure 'ip snmp source-interface Loopback0'.
D. Change the management interface IP to match the loopback.

Answer: B

Correct because this command sets the source IP for all SNMP traps to the loopback interface.

Why this answer

The source IP of SNMP traps is determined by the interface used to reach the destination. To force a specific source IP, the engineer must configure 'snmp-server trap-source Loopback0'.

1822 · MCQ · hard

A network engineer runs the following command on Switch SW8:

SW8# show etherchannel 2 detail | include "Port state|Port: Gi|Partner"
Port: Gi0/0
Port state = Up, In-Bundle
Port: Gi0/1
Port state = Up, In-Bundle
Port: Gi0/2
Port state = Down, Not-In-Bundle
Partner information:
Gi0/0: Partner state = bndl
Gi0/1: Partner state = bndl
Gi0/2: Partner state = down

Based on this output, what can be concluded?

A. All three ports are bundled and forwarding traffic.
B. Gi0/2 is not bundled because the partner is in 'down' state, indicating a physical layer issue.
C. The EtherChannel is using PAgP because the partner state shows 'bndl'.
D. Gi0/2 is in standby mode waiting to become active.

Answer: B

Both local and partner states are down, suggesting a physical problem.

Why this answer

The filtered output shows that Gi0/0 and Gi0/1 are up and in-bundle, with their partners also in 'bndl' state. Gi0/2 is down and not in-bundle, with its partner also down. This indicates that the physical link on Gi0/2 is down, possibly due to a cable issue or the neighbor port being down.

The correct answer is that Gi0/2 is not part of the EtherChannel because the link is down.

1823 · Drag & Drop · medium

Drag and drop the steps of SR-IOV configuration for VM network bypass into the correct order, from first to last.


Why this order

SR-IOV configuration starts with enabling SR-IOV in the BIOS. Then, virtual functions (VFs) are created on the physical NIC. Next, the hypervisor is configured to pass a VF to the VM.

After that, the VM is assigned the VF as a PCI device. Finally, the VM boots and uses the VF directly.

1824 · Matching · medium

Drag and drop each 802.11 standard on the left to its matching frequency band and maximum data rate on the right.

Matches

2.4 GHz, up to 11 Mbps

5 GHz, up to 54 Mbps

2.4 GHz, up to 54 Mbps

2.4/5 GHz, up to 600 Mbps

5 GHz, up to 6.9 Gbps

Why these pairings

802.11b operates at 2.4 GHz with 11 Mbps; 802.11a operates at 5 GHz with 54 Mbps; 802.11g operates at 2.4 GHz with 54 Mbps; 802.11n operates at both 2.4 and 5 GHz with 600 Mbps; 802.11ac operates at 5 GHz with up to 6.9 Gbps.

1825 · Multi-Select · hard

Which two statements about NETCONF and YANG are true? (Choose two.)

Select 2 answers
A. NETCONF sessions are stateless.
B. YANG defines both the data model and the RPC operations for network devices.
C. NETCONF uses TLS as the mandatory transport protocol.
D. YANG is a data modeling language used to define the structure of configuration and state data.
E. NETCONF uses XML as the data encoding format.

Answers: D, E

YANG models the data that NETCONF retrieves and modifies.

Why this answer

Option D is correct because YANG (RFC 7950) is a data modeling language specifically designed to define the structure of configuration and state data, as well as notifications and RPCs, for network devices. It provides a hierarchical, schema-based representation of data that can be serialized into XML or JSON, making it the standard for modeling NETCONF and RESTCONF datastores.

Exam trap

The trap here is confusing YANG's role in defining data models with NETCONF's role in defining transport and RPC operations, leading candidates to incorrectly select Option B, while also mistaking NETCONF's mandatory SSH transport for TLS.

1826 · MCQ · easy

An engineer is automating the configuration of SNMPv3 on a large number of Cisco IOS-XE devices using Ansible. The playbook uses the ios_snmp_server module. The engineer wants to ensure that the SNMP configuration is applied only if the device is running a specific IOS version that supports SNMPv3. Which Ansible feature should the engineer use to conditionally execute the task?

A. Use the 'tags' feature to selectively run the SNMP task only on certain devices.
B. Use the 'register' directive to capture the output and then use 'failed_when' to skip the task.
C. Use the 'when' clause with a condition on the 'ansible_net_version' fact.
D. Use the 'block' and 'rescue' structure to handle version mismatches.

Answer: C

The 'when' clause allows dynamic conditional execution based on gathered facts like the IOS version.

Why this answer

Ansible provides the 'when' clause to conditionally execute tasks based on variables or facts. The engineer can gather facts from the device (e.g., ansible_net_version) and use a 'when' condition to check the IOS version before applying the SNMP configuration.

1827 · Matching · medium

Drag and drop each IKEv2 exchange on the left to its matching phase on the right.

Matches

Phase 1 - establish IKE SA

Phase 2 - authenticate and establish first child SA

Phase 3 - create additional child SAs

Phase 4 - error notification and delete

Phase 5 - refresh keys

Why these pairings

IKE_SA_INIT is phase 1; IKE_AUTH is phase 2; CREATE_CHILD_SA is phase 3; INFORMATIONAL is for management; IKEv2 also uses a separate exchange for rekey.

1828 · MCQ · medium

Given the following configuration on a Cisco IOS switch:

interface GigabitEthernet0/4
 switchport mode trunk
 switchport trunk allowed vlan except 100-200

What is the effect of this configuration?

A. The trunk will forward traffic for all VLANs except VLANs 100 through 200.
B. The trunk will only forward traffic for VLANs 100 through 200.
C. The trunk will forward traffic for all VLANs.
D. The trunk will not forward any traffic because the allowed list is empty.

Answer: A

Correct. The 'except' keyword excludes the specified range.

Why this answer

The 'switchport trunk allowed vlan except 100-200' command explicitly removes VLANs 100 through 200 from the allowed VLAN list on the trunk. All other VLANs (1-99 and 201-4094) remain permitted. This is the standard behavior of the 'except' keyword in Cisco IOS trunk configuration.

Exam trap

Cisco often tests the 'except' keyword to trap candidates who confuse it with 'add' or 'remove', leading them to think the trunk only forwards the specified range or that the allowed list becomes empty.

How to eliminate wrong answers

Option B is wrong because the 'except' keyword excludes the specified VLAN range, not includes it; the trunk will forward traffic for all VLANs except 100-200, not only those VLANs. Option C is wrong because the configuration explicitly removes VLANs 100-200, so the trunk does not forward traffic for all VLANs. Option D is wrong because the allowed list is not empty; it contains all VLANs except 100-200, so traffic for other VLANs is still forwarded.

1829 · MCQ · medium

What is the purpose of the 'ip nat inside source list' command in Cisco IOS?

A. It defines the inside interface for NAT.
B. It identifies the traffic to be translated and the translation method.
C. It filters inbound traffic before NAT is applied.
D. It configures the router as a DHCP server.

Answer: B

Correct. The command ties an access-list to a NAT pool or interface for translation.

Why this answer

This command specifies which inside source addresses (matched by an access-list) are to be translated using NAT.

1830 · MCQ · hard

A network engineer runs the following command on Switch SW1:

SW1# show spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    32778
             Address     0011.2233.4455
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     0011.2233.4455
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi0/1            Desg FWD 4         128.1    P2p
Gi0/2            Desg FWD 4         128.2    P2p
Gi0/3            Desg FWD 4         128.3    P2p

Based on this output, what can be concluded?

A. This switch is the root bridge for VLAN 10.
B. Gi0/2 is a root port.
C. The spanning-tree mode is PVST+.
D. VLAN 10 has a forwarding delay of 30 seconds.

Answer: A

The output explicitly states 'This bridge is the root'.

Why this answer

The output explicitly states 'This bridge is the root' for VLAN 10, and the Root ID and Bridge ID are identical (same priority 32778 and address 0011.2233.4455), confirming SW1 is the root bridge for VLAN 10. All interfaces are in the Designated (Desg) role and Forwarding (FWD) state, which is expected for a root bridge because root bridges have no root ports.

Exam trap

Cisco often tests the misconception that a switch with all Designated ports must be the root bridge, but the trap here is that candidates may overlook the explicit 'This bridge is the root' statement and instead focus on port roles, or they may confuse the 'protocol ieee' output with PVST+ when it actually indicates standard 802.1D STP.

How to eliminate wrong answers

Option B is wrong because Gi0/2 is listed with a role of 'Desg' (Designated), not 'Root'; a root port only exists on non-root bridges to reach the root bridge, and since SW1 is the root, it has no root ports. Option C is wrong because the output shows 'Spanning tree enabled protocol ieee', which indicates IEEE 802.1D (standard STP), not PVST+; PVST+ would show 'protocol ieee' as well, but the key distinction is that PVST+ is Cisco's per-VLAN implementation of 802.1D, and the output does not include any PVST+-specific fields like 'PortFast' or 'BPDU guard' indications, nor does it mention 'PVST+' explicitly. Option D is wrong because the output clearly states 'Forward Delay 15 sec', not 30 seconds; the forward delay is 15 seconds, which is the default for 802.1D, and it is not doubled.

1831 · Drag & Drop · medium

Drag and drop the steps of Docker container networking with bridge mode into the correct order, from first to last.


Why this order

Bridge networking starts with creating a Docker bridge network. Then, a container is run attached to that bridge. Next, the container gets an IP from the bridge subnet.

After that, port mapping is configured for external access. Finally, the container communicates with others via the bridge.

1832 · Drag & Drop · medium

Drag and drop the steps of FlexVPN IKEv2 spoke registration to hub into the correct order, from first to last.


Why this order

FlexVPN uses IKEv2 for authentication and tunnel setup. The spoke initiates IKEv2 SA negotiation with the hub. After authentication, the hub assigns an IP address to the spoke via configuration payload.

The spoke then registers its identity with the hub using IKEv2 notify messages. Finally, the spoke installs the tunnel route and can communicate.

1833 · Multi-Select · hard

Which three statements about Ansible playbooks and roles are true? (Choose three.)

Select 3 answers
A. Roles in Ansible use a standardized directory structure that includes 'tasks', 'handlers', 'vars', 'defaults', and 'meta'.
B. The 'import_role' module includes a role dynamically during play execution.
C. Handlers are special tasks that run only when notified by other tasks, and they run only once even if notified multiple times.
D. Variables defined in the 'defaults' directory of a role have the highest precedence.
E. The 'meta' directory in a role is used to define role dependencies.

Answers: A, C, E

Correct: This is the standard role directory layout used by Ansible.

Why this answer

Roles use a predefined directory structure with tasks, handlers, vars, defaults, and meta. The 'import_role' statically includes a role at playbook parse time, while 'include_role' dynamically includes it at runtime. Handlers are triggered by 'notify' and run once even if notified multiple times.

The 'vars' directory holds high-precedence variables, while 'defaults' holds low-precedence defaults. The 'meta' directory contains role dependencies.

1834 · MCQ · easy

A network team is designing an SD-Access fabric for a large enterprise. The design must support automated provisioning and policy management. Which management platform is essential for deploying and managing the fabric?

A. Cisco DNA Center
B. Cisco ISE
C. Cisco Prime Infrastructure
D. Cisco vManage
Answer: A

DNA Center is the management platform for SD-Access, enabling automated fabric deployment and policy control.

Why this answer

Cisco DNA Center is the essential management platform for deploying and managing an SD-Access fabric because it provides a centralized, intent-based interface for automating the entire fabric lifecycle, including design, provisioning, policy creation, and assurance. It integrates with Cisco ISE for policy enforcement and with network devices via APIs (e.g., NETCONF/YANG) to push configurations such as VXLAN, LISP, and CTS SGTs. Without DNA Center, the automated provisioning and policy management required for SD-Access cannot be achieved at scale.

Exam trap

Cisco often tests the distinction between management platforms (DNA Center for SD-Access) and policy/identity engines (ISE) or other overlay technologies (vManage for SD-WAN), so the trap here is confusing the role of ISE as a policy enforcer with the role of DNA Center as the fabric orchestrator.

How to eliminate wrong answers

Option B (Cisco ISE) is wrong because ISE handles identity services, authentication, authorization, and policy enforcement (e.g., 802.1X, SGT classification), but it is not the management platform for deploying or provisioning the SD-Access fabric itself; it works in conjunction with DNA Center. Option C (Cisco Prime Infrastructure) is wrong because Prime Infrastructure is a legacy network management tool that lacks support for SD-Access fabric automation, VXLAN/EVPN provisioning, and intent-based policy workflows; it cannot deploy or manage the fabric. Option D (Cisco vManage) is wrong because vManage is the management platform for Cisco SD-WAN (Viptela-based), not for SD-Access; SD-Access uses DNA Center for centralized control, while vManage manages overlay tunnels and WAN edge routers in a separate technology domain.

1835 · MCQ · easy

A network engineer is troubleshooting a connectivity issue between two VLANs on a Cisco Catalyst 3850 switch. The switch has an ACL applied to VLAN 10 that permits traffic from VLAN 20 to VLAN 10, but denies all other traffic. Hosts in VLAN 20 can ping hosts in VLAN 10, but not vice versa. The engineer checks the ACL and finds that it is applied inbound on VLAN 10. What is the most likely cause of the issue?

A. The ACL is applied inbound on VLAN 10, so it only filters traffic entering VLAN 10, not traffic leaving VLAN 10.
B. The ACL is applied outbound on VLAN 10, so it filters traffic leaving VLAN 10, preventing replies.
C. The ACL is applied to the SVI for VLAN 10, but the hosts are in VLAN 10, so the ACL does not apply.
D. The ACL is blocking ICMP echo replies from VLAN 10 to VLAN 20.
Answer: A

Correct because inbound ACLs filter traffic entering the interface; traffic from VLAN 10 to VLAN 20 is leaving VLAN 10 and is not filtered.

Why this answer

The correct answer is that the ACL is applied inbound on VLAN 10, so it filters traffic entering VLAN 10; traffic from VLAN 20 to VLAN 10 is permitted, but traffic from VLAN 10 to VLAN 20 is not affected by this ACL. Option B is incorrect because the ACL is applied inbound, not outbound. Option C is incorrect because the ACL is applied to the VLAN, not the SVI.

Option D is incorrect because the ACL does not affect routing between VLANs; it only filters traffic.

1836 · MCQ · medium

A company is deploying a multi-tenant data center using VMware vSphere. The architect must ensure that each tenant’s virtual machines (VMs) are isolated at Layer 2 while sharing the same physical NICs. Which design approach best meets this requirement?

A. Configure a single standard virtual switch and assign each VM to a separate port group with unique VLAN IDs.
B. Deploy a separate physical NIC for each tenant and bridge them to the VMs.
C. Use a distributed virtual switch with VLAN trunking and assign all VMs to the same port group.
D. Enable promiscuous mode on the virtual switch to allow all VMs to see each other’s traffic.
Answer: A

This isolates traffic at Layer 2 using VLANs, meeting the requirement.

Why this answer

Option A is correct because configuring a standard virtual switch with separate port groups and unique VLAN IDs provides Layer 2 isolation between tenants by leveraging 802.1Q VLAN tagging. Each VM’s traffic is tagged with its assigned VLAN ID, ensuring that VMs in different port groups cannot communicate directly at Layer 2, even though they share the same physical NICs.

Exam trap

The trap here is that candidates often confuse VLAN trunking (which carries multiple VLANs on a single link) with port group assignment, mistakenly thinking that placing all VMs in the same port group with trunking provides isolation, when in fact it collapses all tenants into a single broadcast domain.

How to eliminate wrong answers

Option B is wrong because deploying a separate physical NIC for each tenant defeats the requirement to share the same physical NICs, and bridging them to VMs does not provide efficient Layer 2 isolation in a multi-tenant design. Option C is wrong because using a distributed virtual switch with VLAN trunking and assigning all VMs to the same port group would place all tenants in the same broadcast domain, breaking Layer 2 isolation. Option D is wrong because enabling promiscuous mode on the virtual switch allows all VMs to see each other’s traffic, which completely violates the isolation requirement.

1837 · MCQ · medium

A network engineer runs the following command on Switch SW1:

```
SW1# show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      N - not in use, no aggregation
        f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+--------------------------------------------
1      Po1(SU)         LACP      Gi0/0(P)    Gi0/1(P)    Gi0/2(s)    Gi0/3(D)
```

Based on this output, what can be concluded?

A. Port-channel 1 is operating as a Layer 3 interface.
B. Interface Gi0/2 is suspended due to a configuration mismatch.
C. Interface Gi0/3 is in standby mode waiting to join the bundle.
D. All four interfaces are actively forwarding traffic in the EtherChannel.
Answer: B

The 's' flag means suspended, typically due to mismatched parameters.

Why this answer

The output shows that port-channel 1 is in use (U) and Layer2 (S). Gi0/0 and Gi0/1 are bundled (P), Gi0/2 is suspended (s), and Gi0/3 is down (D). A suspended port in LACP indicates a misconfiguration, such as mismatched port parameters (speed, duplex, VLAN, or trunk mode).

The correct answer is that Gi0/2 has a configuration mismatch.

1838 · MCQ · easy

An engineer is configuring syslog on a Cisco router to send messages to two servers: 10.1.1.1 (primary) and 10.1.1.2 (secondary). The configuration includes 'logging host 10.1.1.1' and 'logging host 10.1.1.2'. The engineer wants messages to be sent to both servers simultaneously. However, only the first server receives messages. What is the most likely cause?

A. The second syslog server is not reachable from the router.
B. The router's syslog process sends messages to all configured hosts by default; the issue is that the second server is not configured to accept syslog messages.
C. The 'logging host' command for the second server must be entered before the first.
D. The router requires 'logging on' to send to multiple hosts.
Answer: B

Correct because the server-side configuration is missing; the router is sending but the server is not listening.

Why this answer

The scenario is that only one server receives messages even though both are configured. The obvious candidate, that the second server is unreachable, does not fit if the engineer can ping both; nor does a missing global 'logging on', because the first server does receive messages, so logging is enabled.

Several other router-side explanations are considered and rejected: 'logging trap' is not needed because both hosts use the default severity; 'transport udp' is already the default; 'logging source-interface' is not required to send to multiple hosts; rate limiting of syslog messages is possible but uncommon; and the router does not send to hosts in sequence or wait for an acknowledgement from the first host before sending to the second.

That leaves a server-side explanation, which is the answer given: the second server is not configured to accept syslog messages on the default UDP port 514 (or accepts them only from a specific source IP that the router is not using), even though the question describes configuration of the router rather than the server.

As written, this is a weak question, and the author notes it should be replaced with a different scenario.

1839 · Matching · medium

Drag and drop each MQC command on the left to its configuration level on the right.

Matches

Defines traffic classification criteria

Associates class-maps with QoS actions

Applies a policy-map to an interface

References a class-map for actions

Specifies classification criteria

Why these pairings

class-map defines traffic classes. policy-map associates class-maps with QoS actions. service-policy applies the policy-map to an interface. class (within policy-map) references a class-map. match (within class-map) specifies classification criteria.

1840 · MCQ · hard

A service provider is migrating from a traditional IP core to an MPLS core. The engineer has configured LDP on all core routers and verified that LDP sessions are established. However, some prefixes learned via OSPF are not being assigned labels. The 'show mpls ldp bindings' command shows missing bindings for certain routes. What is the most likely cause?

A. The routes are not present in the global routing table on the router.
B. The OSPF process is not redistributed into LDP.
C. LDP is configured to only assign labels to BGP routes.
D. The 'mpls ldp autoconfig' command is missing on OSPF.
Answer: A

Correct because LDP only assigns labels to routes that are in the routing table.

Why this answer

LDP by default only assigns labels to routes in the routing table that are not BGP routes. If the routes are not in the routing table (e.g., due to summarization or filtering), LDP will not assign labels. Option A is correct.

Option B is wrong because LDP does not require IGP; Option C is wrong because LDP can assign labels to any route; Option D is wrong because LDP does not require BGP.

1841 · MCQ · hard

A network engineer runs the following command on Router R1:

```
R1# show bgp ipv4 unicast 10.10.10.0
BGP routing table entry for 10.10.10.0/24, version 20
Paths: (2 available, best #1, table default)
  Advertised to update-groups:
     1
  Refresh Epoch 1
  65050 65100
    10.0.1.2 from 10.0.1.2 (10.0.0.2)
      Origin IGP, metric 0, localpref 100, weight 0, valid, external, best
      rx pathid: 0, tx pathid: 0x0
  65050 65100 65200
    10.0.1.3 from 10.0.1.3 (10.0.0.3)
      Origin IGP, metric 0, localpref 100, weight 0, valid, external
      rx pathid: 0, tx pathid: 0x0
```

Based on this output, what can be concluded?

A. Path #2 is the best path because it has a longer AS_PATH, indicating more specific routing.
B. Path #1 is the best path because it has a shorter AS_PATH length.
C. Both paths are equally preferred, and BGP uses tie-breaking rules like router ID.
D. Path #1 is the best path because it is received from a higher IP address.
Answer: B

Path #1 has AS_PATH length 2 (65050 65100) while path #2 has length 3 (65050 65100 65200). Shorter AS_PATH is preferred.

Why this answer

B is correct because BGP selects the best path based on the shortest AS_PATH length when all other attributes (weight, local preference, origin) are equal. In the output, Path #1 has an AS_PATH of '65050 65100' (2 AS numbers) while Path #2 has '65050 65100 65200' (3 AS numbers), making Path #1 the best path. The 'best #1' annotation confirms this selection.

Exam trap

Cisco often tests the AS_PATH length comparison by presenting two paths with different AS_PATH lengths but identical other attributes, expecting candidates to know that shorter AS_PATH is preferred, not longer.

How to eliminate wrong answers

Option A is wrong because a longer AS_PATH does not indicate more specific routing; BGP prefers shorter AS_PATH lengths, not longer ones. Option C is wrong because the paths are not equally preferred; Path #1 is explicitly marked as best due to shorter AS_PATH, so tie-breaking rules like router ID are not invoked. Option D is wrong because BGP does not use the IP address of the next-hop or neighbor as a tie-breaker for best path selection; the decision is based on AS_PATH length in this case.

1842 · Multi-Select · medium

Which TWO actions are valid for configuring 802.1Q trunking on a Cisco switch? (Choose two.)

A. switchport mode dynamic auto
B. switchport mode trunk
C. switchport mode access
D. switchport trunk native vlan 1
E. switchport trunk encapsulation dot1q
Answers: B, E

The 'switchport mode trunk' command is what actually enables trunking on the interface.

Why this answer

Option B is correct because the 'switchport mode trunk' command unconditionally sets the interface to trunk mode, enabling 802.1Q trunking. Option E is correct because 'switchport trunk encapsulation dot1q' explicitly configures the trunk encapsulation to the IEEE 802.1Q standard, which is required on older switches that support both ISL and 802.1Q.

Exam trap

Cisco often tests the distinction between commands that configure trunking parameters (like native VLAN) versus commands that actually enable trunking mode, causing candidates to select 'switchport trunk native vlan 1' as a trunking configuration command.

1843 · Multi-Select · hard

Which three statements about gRPC and gNMI in the context of model-driven telemetry are true? (Choose three.)

A. gRPC uses HTTP/2 as its transport protocol and Protocol Buffers as its interface definition language.
B. gNMI (gRPC Network Management Interface) is a gRPC-based protocol that can be used for both telemetry and configuration operations.
C. gNMI telemetry subscriptions can only use YANG paths from OpenConfig models.
D. gNMI relies on NETCONF for session establishment and data encoding.
E. gNMI supports both periodic and on-change telemetry subscriptions.
Answers: A, B, E

Correct because gRPC is built on HTTP/2 for multiplexed, low-latency communication and uses Protocol Buffers for serialization and service definition.

Why this answer

gRPC uses HTTP/2 for transport and Protocol Buffers for serialization. gNMI is a gRPC-based protocol specifically for network management and telemetry. gNMI supports both telemetry subscriptions (Subscribe RPC) and configuration operations (Set, Get). It uses YANG models to define data paths. gNMI does not require NETCONF; it operates independently over gRPC.

1844 · Matching · medium

Drag and drop each hypervisor product on the left to its matching vendor on the right.

Matches

VMware

Red Hat

Microsoft

Citrix

Oracle

Why these pairings

VMware vSphere is from VMware, KVM is from Red Hat (open source, often associated with Red Hat), Hyper-V is from Microsoft, Xen is from Citrix, and Oracle VM Server is from Oracle.

1845 · Multi-Select · hard

Which three statements about DHCP snooping are true? (Choose three.)

A. DHCP snooping is configured on a per-VLAN basis.
B. DHCP snooping prevents all types of ARP spoofing attacks.
C. The DHCP snooping binding database includes the client MAC address, IP address, lease time, VLAN, and port.
D. Ports connected to DHCP servers should be configured as trusted ports.
E. DHCP snooping encrypts all DHCP traffic between the client and server.
Answers: A, C, D

Correct because DHCP snooping is enabled on specific VLANs using the 'ip dhcp snooping vlan' command.

Why this answer

DHCP snooping is a security feature that filters untrusted DHCP messages. It builds a DHCP snooping binding database from trusted sources. Option A is correct because DHCP snooping is typically enabled on VLANs, not globally on the switch.

Option C is correct because the binding database contains the client MAC address, IP address, lease time, VLAN, and port. Option D is correct because ports connected to DHCP servers are configured as trusted to allow DHCP server messages. Option B is incorrect because DHCP snooping does not prevent all ARP spoofing; that is the role of Dynamic ARP Inspection (DAI).

Option E is incorrect because DHCP snooping does not encrypt DHCP traffic; it only filters messages based on trust.

1846 · Multi-Select · medium

Which three statements about telemetry protocols and data collection are true? (Choose three.)

A. gNMI is a gRPC-based network management protocol that supports telemetry streaming.
B. In dial-out telemetry, the network device initiates the connection to the collector.
C. Telemetry can provide higher granularity and lower latency compared to SNMP polling.
D. SNMP is the only protocol supported for telemetry data collection on Cisco IOS XE devices.
E. gNMI requires the device to be configured with a CLI-based telemetry profile.
Answers: A, B, C

Correct because gNMI (gRPC Network Management Interface) is designed for streaming telemetry and configuration management.

Why this answer

gNMI is a gRPC-based protocol for streaming telemetry and managing network devices. Dial-out telemetry pushes data from the device to a collector. Telemetry can provide more granular data than SNMP.

SNMP is still widely used for legacy monitoring. gNMI does not require CLI configuration for telemetry.

1847 · MCQ · medium

A network engineer uses the Cisco DNA Center REST API to retrieve the list of devices. The API returns the following JSON:

```json
{
  "response": [
    {
      "id": "12345678-1234-1234-1234-123456789abc",
      "managementIpAddress": "192.168.1.1",
      "hostname": "Router1",
      "platformId": "ISR4331",
      "role": "ACCESS",
      "series": "ISR4300 Series"
    }
  ],
  "version": "1.0"
}
```

The engineer writes the following Python code to extract the hostname of the first device:

```python
import requests

url = 'https://dna-center.local/dna/intent/api/v1/network-device'
headers = {'X-Auth-Token': 'valid_token', 'Accept': 'application/json'}
response = requests.get(url, headers=headers, verify=False)
data = response.json()
hostname = data['response'][0]['hostname']
print(hostname)
```

What is a potential issue with this code?

A. The URL is missing the '/v1' version segment.
B. The code does not check if the HTTP response status is 200 before parsing JSON, which could lead to errors if the token is invalid.
C. The 'Accept' header should be 'application/yang-data+json' for DNA Center.
D. The 'X-Auth-Token' header is not the correct authentication method; DNA Center uses Basic Auth.
Answer: B

Without status check, a 401 or 500 error would cause the script to fail unpredictably.

Why this answer

The code assumes the API call succeeds and the 'response' list is non-empty. If the token is expired or the API returns an error, response.json() may not have the expected structure, causing a KeyError or IndexError. The code lacks error handling for HTTP status codes and empty responses.

1848 · Drag & Drop · medium

Drag and drop the steps of Ansible inventory grouping and variable inheritance into the correct order, from first to last.

Why this order

Ansible inventory grouping and variable inheritance follows a hierarchy: first, group variables are defined in group_vars files; then, host variables are defined in host_vars files; next, the inventory parser resolves group parent-child relationships; after that, variables are merged with child groups overriding parent groups; finally, host-specific variables take highest precedence.

1849 · MCQ · easy

What is the maximum hop count for EIGRP?

A. 255
B. 100
C. 15
D. 16
Answer: A

Correct. EIGRP's maximum hop count is 255.

Why this answer

EIGRP uses a maximum hop count of 255 to prevent routing loops, though the default is 100.

1850 · MCQ · hard

An engineer is troubleshooting a network where OSPF neighbors are stuck in the EXSTART state. What is the most likely cause?

A. Dead timer mismatch
B. Authentication misconfiguration
C. Mismatched OSPF area IDs
D. MTU mismatch between the routers
Answer: D

A mismatch in MTU can cause OSPF to get stuck in EXSTART as DD packets are fragmented or rejected.

Why this answer

The EXSTART state in OSPF indicates that routers have formed a bidirectional communication (2-Way state) and are now attempting to exchange Database Description (DBD) packets to negotiate the master/slave relationship and the initial sequence number. An MTU mismatch between the routers is the most common cause of neighbors being stuck in EXSTART because the router with the smaller MTU will drop DBD packets that exceed its interface MTU, preventing the exchange from progressing to the Loading state.

Exam trap

Cisco often tests the EXSTART state as a symptom of MTU mismatch, but candidates frequently confuse it with authentication or area ID mismatches, which actually prevent adjacency formation at earlier stages like INIT or 2-Way.

How to eliminate wrong answers

Option A is wrong because a dead timer mismatch typically causes neighbors to be stuck in the INIT or 2-Way state, not EXSTART, as the routers will fail to receive Hello packets within the dead interval. Option B is wrong because authentication misconfiguration usually prevents OSPF neighbors from forming adjacency at all, often resulting in the INIT state or no neighbor relationship, not EXSTART. Option C is wrong because mismatched OSPF area IDs prevent the formation of any adjacency beyond the 2-Way state, as routers will not exchange Hello packets with mismatched area IDs, and they will not reach EXSTART.

1851 · Matching · hard

Drag and drop each DMVPN phase on the left to its matching spoke-to-spoke capability on the right.

Matches

No spoke-to-spoke tunnels; all traffic via hub

Spoke-to-spoke tunnels established dynamically

Spoke-to-spoke with NHRP redirect and routing optimization

Requires static spoke IP addresses

Supports dynamic spoke IP addresses

Why these pairings

Phase 1 requires traffic to go through the hub (no spoke-to-spoke). Phase 2 allows spoke-to-spoke tunnels after initial hub contact. Phase 3 adds routing optimization with NHRP redirect.

1852 · MCQ · easy

What is the default OSPF hello interval on an Ethernet link in Cisco IOS?

A. 10 seconds
B. 30 seconds
C. 5 seconds
D. 40 seconds
Answer: A

Correct. The default hello interval for OSPF on Ethernet (broadcast) is 10 seconds.

Why this answer

OSPF hello intervals are network-type dependent. On broadcast and point-to-point networks (including Ethernet), the default hello interval is 10 seconds.

1853 · MCQ · medium

A network team is designing QoS for a Cisco SD-WAN fabric connecting multiple branch offices to a central data center. The design must ensure that VoIP traffic from branch sites receives priority treatment across the WAN overlay, regardless of the underlying transport (MPLS, Internet, LTE). Which architectural component should the team configure to enforce consistent QoS policies across all WAN edges?

A. Configure a centralized QoS policy on vManage that matches VoIP DSCP markings and applies priority queuing on all WAN edge routers.
B. Define a localized QoS policy on each branch router using MQC, matching the same DSCP values.
C. Use the vSmart controller to apply QoS policy only on the MPLS transport, leaving Internet and LTE unmanaged.
D. Implement QoS using RSVP across the overlay tunnels.
Answer: A

Centralized policies are pushed from vManage to all edges, providing uniform QoS across the fabric.

Why this answer

Option A is correct because vManage serves as the centralized SD-WAN management plane, allowing administrators to define a single QoS policy that matches VoIP DSCP markings (e.g., EF for expedited forwarding) and applies priority queuing across all WAN edge routers. This ensures consistent treatment of VoIP traffic over any transport (MPLS, Internet, LTE) by pushing the policy to all vEdge/cEdge devices via the vSmart controller, leveraging the SD-WAN overlay's ability to enforce QoS independently of the underlying physical transport.

Exam trap

Cisco often tests the misconception that QoS policies must be configured locally on each router (Option B) or that RSVP is required for guaranteed service in SD-WAN, but the key is that SD-WAN centralizes QoS management via vManage and vSmart to ensure consistency across all transports.

How to eliminate wrong answers

Option B is wrong because defining a localized QoS policy on each branch router using MQC (Modular QoS CLI) is operationally inefficient and error-prone in a large SD-WAN deployment; it lacks centralized management and consistency, and does not leverage the SD-WAN fabric's ability to enforce policies across all transports uniformly. Option C is wrong because using the vSmart controller to apply QoS policy only on MPLS transport violates the design requirement of treating VoIP traffic consistently across all transports (MPLS, Internet, LTE); this approach would leave Internet and LTE links unmanaged, causing potential degradation of VoIP over those transports. Option D is wrong because RSVP (Resource Reservation Protocol) is a per-flow signaling protocol designed for IntServ (Integrated Services) QoS, which does not scale well in an SD-WAN overlay environment and is not used for enforcing consistent QoS policies across WAN edges; SD-WAN relies on DiffServ (Differentiated Services) markings and centralized policy, not RSVP.

1854 · Drag & Drop · medium

Drag and drop the steps of Cisco Flex (FlexConnect) AP mode operation into the correct order, from first to last.

Why this order

In FlexConnect mode, the AP first discovers the WLC and forms a CAPWAP tunnel. The WLC then pushes the local switching and authentication configuration to the AP. When a client associates, the AP performs local authentication (if configured) or forwards to WLC.

The AP then locally switches the client data traffic. Finally, the AP maintains connectivity with the WLC for management and monitoring.

1855 · MCQ · medium

A network engineer runs the following command on Switch SW1:

```
SW1# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3
10   Sales                            active    Gi0/4, Gi0/5
20   Engineering                      active    Gi0/6, Gi0/7
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
```

Based on this output, what can be concluded?

A. All ports shown are in trunk mode.
B. VLANs 1002-1005 are active and supported.
C. Interfaces Gi0/1, Gi0/2, and Gi0/3 are in VLAN 1.
D. VLAN 20 has no ports assigned.
Answer: C

The output clearly lists Gi0/1, Gi0/2, Gi0/3 under VLAN 1, indicating they are access ports in that VLAN.

Why this answer

Option C is correct because the 'show vlan brief' output explicitly lists Gi0/1, Gi0/2, and Gi0/3 under VLAN 1 (default), confirming these interfaces are access ports assigned to VLAN 1. VLAN 1 is the default VLAN on Cisco switches, and all ports not explicitly configured otherwise belong to it.

Exam trap

Cisco often tests the distinction between access and trunk port representation in 'show vlan brief' versus 'show interfaces trunk', leading candidates to incorrectly assume all listed ports are trunk ports or that VLANs 1002-1005 are fully functional.

How to eliminate wrong answers

Option A is wrong because the output shows ports assigned to specific VLANs, which is characteristic of access ports, not trunk ports; trunk ports carry multiple VLANs and would not be listed under a single VLAN in 'show vlan brief'. Option B is wrong because VLANs 1002-1005 are shown with status 'act/unsup', meaning they are administratively active but unsupported on modern hardware (e.g., no FDDI or Token Ring interfaces), so they are not fully active and supported. Option D is wrong because VLAN 20 (Engineering) has ports Gi0/6 and Gi0/7 assigned, as clearly listed in the output.

1856 · Drag & Drop · medium

Drag and drop the steps of OpenConfig interface counters subscription and decode into the correct order, from first to last.

Why this order

The process starts with subscribing to OpenConfig paths, receiving encoded data, decoding it, extracting counters, and finally analyzing the values.

1857 · MCQ · hard

A network engineer writes an Ansible playbook to configure a VLAN on a Cisco Nexus switch:

```yaml
---
- name: Configure VLAN
  hosts: nxos_switches
  gather_facts: no
  tasks:
    - name: Create VLAN 100
      cisco.nxos.nxos_vlan:
        vlan_id: 100
        name: test_vlan
        state: present
```

What is a potential issue with this playbook?

A. The module name is incorrect; it should be 'nxos_vlan_config' instead of 'nxos_vlan'.
B. The playbook is missing the 'connection: network_cli' and 'become: yes' directives to enable privileged mode.
C. The VLAN ID must be a string, not an integer.
D. The 'state: present' is invalid; it should be 'state: create'.
Answer: B

Network modules require network_cli connection and privilege escalation.

Why this answer

The playbook does not specify the connection type or become method. For Cisco NX-OS, Ansible requires connection: network_cli and become: yes with become_method: enable (or ansible_connection: network_cli in inventory). Without these, the module may fail to execute.

1858 · Matching · medium

Drag and drop each AAA service on the left to its matching protocol on the right.

Matches

RADIUS

TACACS+

RADIUS

TACACS+

RADIUS

Why these pairings

Authentication uses RADIUS; authorization uses TACACS+; accounting uses RADIUS; command authorization uses TACACS+; dot1x authentication uses RADIUS.

1859 · MCQ · medium

What is the purpose of the 'source-interface' command under a telemetry receiver configuration?

A.It specifies the interface from which the telemetry data is collected.
B.It sets the source IP address for telemetry packets sent to the receiver.
C.It limits telemetry data to only that interface's statistics.
D.It enables telemetry on that interface for incoming data.
Answer: B

This is the correct function of the source-interface command.

Why this answer

The source-interface command ensures that telemetry packets use a consistent source IP address, which helps with firewall rules and receiver identification.

1860
Matching · medium

Drag and drop each Layer 2 attack on the left to its matching mitigation feature on the right.

Matches

Port security
DHCP snooping
Dynamic ARP Inspection
BPDU guard
Disable Dynamic Trunking Protocol

Why these pairings

MAC flooding is mitigated by port security, DHCP starvation by DHCP snooping, ARP spoofing by DAI, STP manipulation by BPDU guard, and VLAN hopping by disabling DTP.

1861
Drag & Drop · medium

Drag and drop the steps of RESTCONF GET with depth and field query parameters into the correct order, from first to last.


Why this order

The correct order starts with constructing the RESTCONF URI, appending the depth parameter, adding the field parameter, sending the GET request, and finally parsing the filtered JSON/XML response.

1862
MCQ · medium

Examine the following EIGRP configuration on a Cisco IOS-XE device:

```
router eigrp 100
 network 10.0.0.0 0.255.255.255
 passive-interface default
 no passive-interface GigabitEthernet0/0
!
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 10.2.2.1 255.255.255.0
```

Which statement is true?

A.EIGRP will form adjacencies on both GigabitEthernet0/0 and GigabitEthernet0/1.
B.EIGRP will form an adjacency only on GigabitEthernet0/0.
C.EIGRP will not form any adjacencies because the network command does not match the interface subnets.
D.EIGRP will form adjacencies on all interfaces except those with 'passive-interface' configured.
Answer: B

Correct. GigabitEthernet0/0 is not passive, so it will send and receive hellos. GigabitEthernet0/1 is passive by default.

Why this answer

The 'passive-interface default' command sets all interfaces as passive, meaning they do not send or receive EIGRP hellos. The 'no passive-interface' command overrides this for specific interfaces.

1863
Drag & Drop · medium

Drag and drop the steps of LISP EID-to-RLOC mapping resolution process into the correct order, from first to last.


Why this order

The process begins when the ingress tunnel router (ITR) receives a packet for a destination EID. The ITR sends a Map-Request to the Map-Server, which looks up the mapping and replies with a Map-Reply containing the RLOC. The ITR then caches the mapping and encapsulates the packet to the egress tunnel router (ETR).

1864
MCQ · easy

What is the default STP port cost for a 10 Gigabit Ethernet interface?

A.1
B.2
C.4
D.19
Answer: B

10 Gbps has a cost of 2 in the short method.

Why this answer

Using the short path cost method (default), the cost for 10 Gbps is 2.

1865
Multi-Select · easy

Which TWO statements about virtual switching in a hypervisor environment are correct?

Select 2 answers
A.A virtual switch can be connected to a physical network through uplink ports.
B.A virtual switch does not support VLAN tagging.
C.A virtual switch performs routing between different subnets.
D.A virtual switch forwards frames between virtual machines based on MAC addresses.
E.A virtual switch is a physical device installed in the hypervisor host.
Answers: A, D

Correct. Uplink ports map to physical NICs to provide connectivity to the physical network.

Why this answer

A virtual switch connects to the physical network through uplink ports, which are typically mapped to physical NICs on the hypervisor host. This allows VMs on the virtual switch to communicate with external networks, making option A correct.

Exam trap

Cisco often tests the misconception that virtual switches are physical devices or that they perform Layer 3 functions, when in fact they are software-based Layer 2 forwarding engines that support VLANs and uplink connectivity.

1866
MCQ · medium

A network engineer runs the following command on Router R1:

```
R1# show ip route vrf CUSTOMER-A

VRF CUSTOMER-A:
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.0.1.1 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        10.0.0.0/30 is directly connected, GigabitEthernet0/0.100
L        10.0.0.1/32 is directly connected, GigabitEthernet0/0.100
B        10.0.2.0/24 [200/0] via 192.168.1.2, 00:12:34
```

Based on this output, what can be concluded?

A.VRF CUSTOMER-A has a BGP-learned route to 10.0.2.0/24
B.VRF CUSTOMER-A is not using BGP for routing
C.The default route is learned via BGP
D.GigabitEthernet0/0.100 is not associated with VRF CUSTOMER-A
Answer: A

The B entry shows a BGP route with next-hop 192.168.1.2, indicating BGP learned the prefix 10.0.2.0/24.

Why this answer

The output shows a BGP-learned route to 10.0.2.0/24 with the code 'B' and the administrative distance [200/0], indicating it is an external BGP route. The route is installed in the VRF CUSTOMER-A routing table, confirming that VRF CUSTOMER-A is using BGP and has learned this prefix via BGP from the next-hop 192.168.1.2.

Exam trap

Cisco often tests the distinction between the 'Gateway of last resort' and BGP-learned default routes; candidates may incorrectly assume the default route is BGP-learned because BGP is present in the table, but the output explicitly shows the gateway is 10.0.1.1, not a BGP next-hop.

How to eliminate wrong answers

Option B is wrong because the presence of a BGP-learned route (code 'B') in the VRF table proves that VRF CUSTOMER-A is using BGP for routing. Option C is wrong because the default route (Gateway of last resort) is set to 10.0.1.1, which is not a BGP-learned route; it is likely a static or connected default, and no BGP default route is shown in the table. Option D is wrong because the directly connected subnet 10.0.0.0/30 and local host route 10.0.0.1/32 are both on GigabitEthernet0/0.100, which is listed under VRF CUSTOMER-A, proving the interface is associated with the VRF.

1867
MCQ · easy

Which IPsec protocol provides both encryption and authentication within a single ESP header?

A.AH (Authentication Header)
B.ESP (Encapsulating Security Payload)
C.IKE (Internet Key Exchange)
D.GRE (Generic Routing Encapsulation)
Answer: B

ESP can provide both encryption and authentication (depending on the transform set).

Why this answer

ESP (Encapsulating Security Payload) provides both encryption (confidentiality) and authentication (integrity) in a single header. AH only provides authentication without encryption.

1868
Matching · medium

Drag and drop each Cisco campus design model component on the left to its matching description on the right.

Matches

Provides port density and PoE for end devices
Aggregates access switches and provides routing
Provides high-speed, non-blocking backbone
Provides Layer 3 gateway for VLANs
Combines two physical switches into one logical switch

Why these pairings

The campus design uses a hierarchical model with access, distribution, core layers; SVI provides Layer 3 gateway; VSS virtualizes switches; StackWise combines physical switches; PoE powers endpoints.

1869
MCQ · medium

Given the following SD-WAN CLI output on a Cisco IOS-XE router:

```
show sdwan omp routes
10.1.1.0/24, received, admin-distance: 250
  via 10.0.0.1, interface GigabitEthernet0/0/1, color biz-internet, loss: 0, latency: 10
  via 10.0.0.2, interface GigabitEthernet0/0/2, color 3g, loss: 1, latency: 50
```

Which statement is true?

A.The route via 10.0.0.1 (biz-internet) is preferred because it has lower loss and latency.
B.The route via 10.0.0.2 (3g) is preferred because it has a higher latency, which indicates a more stable path.
C.Both routes are equally preferred because OMP uses ECMP by default.
D.The admin-distance of 250 indicates that these routes are learned via BGP.
Answer: A

SD-WAN uses path selection based on metrics like loss and latency. Lower loss and latency are preferred, so the biz-internet path is better.

Why this answer

Option A is correct because OMP (Overlay Management Protocol) in Cisco SD-WAN selects the best path based on the lowest path cost, which is calculated using metrics such as loss, latency, and jitter. In this output, the route via 10.0.0.1 (biz-internet) has loss 0 and latency 10, which is lower than the route via 10.0.0.2 (3g) with loss 1 and latency 50, making it the preferred path. The admin-distance of 250 is specific to OMP routes and does not affect this comparison.

Exam trap

Cisco often tests the misconception that OMP uses ECMP by default for all routes, but in reality, OMP only load-balances across paths with identical metrics, and the admin-distance of 250 is frequently confused with BGP's admin-distance.

How to eliminate wrong answers

Option B is wrong because higher latency does not indicate a more stable path; OMP prefers lower latency and loss for optimal performance. Option C is wrong because OMP does not use ECMP by default for routes with different metrics; ECMP only applies when multiple paths have equal cost (same loss, latency, jitter). Option D is wrong because the admin-distance of 250 is the default for OMP routes, not BGP; BGP has a default admin-distance of 20 for eBGP and 200 for iBGP.

1870
Drag & Drop · medium

Drag and drop the steps of a VM live migration process in vSphere into the correct order, from first to last.


Why this order

In vSphere live migration (vMotion), the source host first copies memory pages to the destination while the VM continues running. It then marks pages as dirty and iteratively copies them. Once the remaining dirty pages are small enough, the VM is quiesced, final memory and state are copied, and the VM resumes on the destination host.

1871
MCQ · hard

An engineer configures IP SLA 30 to monitor the one-way delay to a remote site using UDP jitter. The operation is used to adjust routing metrics via route maps. The engineer notices that the IP SLA operation shows 'State: Active' but the one-way delay values are inconsistent, sometimes showing negative values. What is the most likely cause?

A.The IP SLA operation is not configured with a 'request-data-size' that matches the remote router's MTU, causing fragmentation and delay variations.
B.The source and destination routers do not have synchronized clocks via NTP, causing one-way delay calculations to be inaccurate.
C.The IP SLA operation is using a 'frequency' that is too high, causing the probes to overlap and corrupt the statistics.
D.The remote router's IP SLA responder is not configured, so the source is using a different method to estimate delay.
Answer: B

Correct. One-way delay is computed by subtracting the send timestamp from the receive timestamp. If clocks are not synchronized, the result can be negative or wildly inaccurate.

Why this answer

One-way delay measurements require clock synchronization between the source and destination routers. Without NTP, the clocks may drift, causing negative or inaccurate delay values.

1872
Multi-Select · medium

Which two statements about 802.1X port-based authentication on a Cisco switch are true? (Choose two.)

Select 2 answers
A.The switch acts as the authenticator in the 802.1X framework.
B.The RADIUS server acts as the authenticator in the 802.1X framework.
C.802.1X can only be configured on router interfaces, not on switch ports.
D.EAP over LAN (EAPoL) is used between the supplicant and the authenticator.
E.802.1X authentication is only applicable to wireless networks.
Answers: A, D

Correct because in 802.1X, the switch (or wireless controller) is the authenticator that controls access to the network.

Why this answer

802.1X uses EAP over LAN (EAPoL) to authenticate devices at the port level. The switch acts as an authenticator and can use a RADIUS server for authentication. Option A is correct because the switch is the authenticator.

Option D is correct because EAPoL is the protocol used between the supplicant and the authenticator. Option B is incorrect because the RADIUS server is the authentication server, not the authenticator. Option C is incorrect because 802.1X can be configured on Layer 2 switch ports, not just routers.

Option E is incorrect because 802.1X is not limited to wireless; it is commonly used on wired switch ports.

1873
MCQ · medium

Consider the following partial configuration on Router R1:

```
ip sla 5
 icmp-echo 10.5.5.5
 frequency 10
ip sla schedule 5 life forever start-time now
ip sla reaction-configuration 5 react rtt threshold-type immediate threshold-value 200 action-type triggerAndReset
```

What is the effect of the 'action-type triggerAndReset' parameter?

A.It triggers an event once and then stops monitoring.
B.It triggers an event each time the RTT exceeds 200 ms and resets the counter after each trigger.
C.It triggers an event only if the RTT exceeds 200 ms for 5 consecutive probes.
D.It triggers an event and then immediately stops the IP SLA operation.
Answer: B

'triggerAndReset' allows multiple triggers by resetting after each event.

Why this answer

'triggerAndReset' means that when the threshold is exceeded, the trigger fires, and then the monitoring resets so it can trigger again on future threshold violations.

1874
MCQ · hard

An engineer is using the Cisco SD-WAN vManage REST API to retrieve the list of WAN edge devices. The engineer sends a GET request to 'https://vmanage/dataservice/device' and receives a 401 Unauthorized error. The engineer has already obtained a JSESSIONID cookie by authenticating with the API. What is the most likely cause of the error?

A.The JSESSIONID cookie must be included in the request headers for authentication.
B.The engineer must use a different authentication method, such as OAuth2, instead of cookies.
C.The URI is incorrect; the correct URI should be 'https://vmanage/dataservice/device/wanedge'.
D.The engineer must include a CSRF token in the request header for GET requests.
Answer: A

Correct because the session cookie must be sent with each request to maintain authentication.

Why this answer

A 401 error indicates that authentication is required or has failed. Even with a JSESSIONID cookie, the engineer must include it in the request headers. Additionally, vManage APIs often require a CSRF token for state-changing operations, but for GET requests, the JSESSIONID should suffice.

The most likely cause is that the cookie is not being sent with the request, or the session has expired.

1875
Matching · medium

Drag and drop each MPLS VPN role on the left to its matching description on the right.

Matches

Connects directly to the provider edge and advertises customer routes
Attaches MPLS labels to customer packets and maintains VRFs
Core router that switches MPLS labels without holding VPN routes
Distributes VPNv4 routes within the MPLS VPN core
Connects different MPLS VPN domains

Why these pairings

The CE device connects directly to the PE and advertises customer routes; the PE device attaches labels and maintains VRFs; the P device is a core router that switches MPLS labels without holding VPN routes; the RR (Route Reflector) distributes VPNv4 routes within the MPLS VPN core; the ASBR connects different MPLS VPN domains.
