ENCOR 350-401 (350-401) - Questions 451-525

2015 questions total · 27 pages · All types, answers revealed

Page 7 of 27
451
Multi-Select · medium

Which three statements about DHCP relay are true? (Choose three.)

Select 3 answers
A. The ip helper-address command is used on a router interface to forward DHCP broadcasts to a DHCP server on a different subnet.
B. DHCP relay changes the source IP address of the DHCP packet to the IP address of the relay agent's outgoing interface.
C. The ip helper-address command forwards only DHCP traffic by default.
D. DHCP relay inserts the gateway IP address (giaddr) field in the DHCP packet to indicate the subnet of the client.
E. DHCP relay is required only when the DHCP server is on the same VLAN as the client.
Answers: A, B, D

Correct because ip helper-address converts DHCP broadcast to unicast and forwards it to the specified server.

Why this answer

This question tests understanding of DHCP relay operation, including the use of ip helper-address, UDP port forwarding, and configuration requirements.

452
MCQ · medium

A network engineer is deploying 802.1X on a Cisco switch for a mixed environment of Windows laptops and IP phones. The engineer configures the switchport with 'authentication port-control auto' and 'dot1x pae authenticator'. After connecting a Windows laptop, the switch logs show 'Authentication failed' for the laptop. The engineer verifies that the RADIUS server is reachable and the laptop's supplicant is configured correctly. What is the most likely cause of the authentication failure?

A. The switch lacks 'aaa new-model' configuration.
B. The switch is not configured to send EAP-Request/Identity packets; the 'dot1x timeout tx-period' is too long or missing.
C. The switchport is configured as 'switchport mode trunk' instead of 'switchport mode access'.
D. The RADIUS server is not configured with the correct shared secret.
Answer: B

Correct because without proper EAP initiation, the supplicant may not respond, leading to authentication failure.

Why this answer

The scenario describes a common issue where 802.1X is configured but the switch is not sending EAP requests because it is waiting for a trigger. Without 'dot1x timeout tx-period', the switch sends EAP-Request/Identity only once every 30 seconds by default. The laptop's supplicant may not initiate the process if it doesn't receive a prompt.

Option B is correct because the switch must be configured to send EAP requests to start the authentication. Option A is incorrect because 'aaa new-model' is required for AAA but not the direct cause of the failure. Option C is incorrect because the switchport mode is not specified; 'switchport mode access' is typical but not the issue.

Option D is incorrect because the RADIUS server is reachable per the engineer's verification.

453
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show aaa sessions
    Total sessions since last reload: 5
    Session Id: 1
       Unique Id: 1
       User Name: admin
       IP Address: 10.1.1.100
       Idle Time: 0
       Timeout: 0
       Type: Login
       Method: RADIUS
    Session Id: 2
       Unique Id: 2
       User Name: jdoe
       IP Address: 10.1.1.101
       Idle Time: 120
       Timeout: 0
       Type: Login
       Method: LOCAL

Based on this output, what can be concluded?

A. All users are authenticated via RADIUS.
B. User jdoe authenticated using local authentication.
C. The RADIUS server is unreachable for all users.
D. Both sessions are using TACACS+ for authorization.
Answer: B

The 'Method: LOCAL' for session 2 confirms local authentication.

Why this answer

The output shows two active AAA sessions. The first session (admin) uses RADIUS authentication, while the second (jdoe) uses local authentication. This indicates that the router is configured to fall back to local authentication when RADIUS is unavailable or for certain users.

The idle time for jdoe is 120 seconds, meaning the session has been idle for that long, but no timeout is configured.

454
MCQ · medium

A network engineer is configuring port security on a Cisco switch. The requirement is to allow only the first MAC address that appears on the port to be learned and to automatically disable the port if a violation occurs. The engineer configures 'switchport port-security mac-address sticky' but does not specify a maximum number of secure MAC addresses. After connecting a single host, the port works. However, when the host is replaced with a different device, the port is error-disabled. What is the most likely reason?

A. The default maximum number of secure MAC addresses is 1, so the second MAC address triggers a violation.
B. The sticky keyword requires the engineer to first manually configure a maximum number of MAC addresses.
C. The violation mode is set to 'restrict' by default, which causes the port to error-disable after one violation.
D. The port security aging type is set to 'absolute' by default, causing the sticky address to expire immediately.
Answer: A

Correct because the default maximum is 1, and sticky learning does not change that.

Why this answer

The sticky command learns MAC addresses dynamically and stores them in the running configuration. By default, the maximum number of secure MAC addresses is 1. When a new device is connected, its MAC address is different, causing a violation.

The default violation mode is 'shutdown', which error-disables the port. Option A is correct because the sticky feature does not change the default maximum count. Option B is incorrect because sticky does not require a specific maximum; it uses the default.

Option C is incorrect because the violation mode is shutdown by default, not restrict. Option D is incorrect because aging is not configured and does not cause this behavior.

455
Multi-Select · medium

Which three statements about LACP (Link Aggregation Control Protocol) are true? (Choose three.)

Select 3 answers
A. LACP packets are exchanged using multicast destination MAC address 01-80-c2-00-00-02.
B. LACP can place up to 8 links in the active state and an additional 8 links in hot-standby mode.
C. When using LACP, both sides must be configured with the same system priority to form a channel.
D. LACP automatically detects speed and duplex mismatches and prevents the channel from forming.
E. LACP operates only in Layer 3 mode and cannot be used for Layer 2 EtherChannels.
Answers: A, B, D

Correct because LACP uses the Slow Protocols multicast address 0180.c200.0002.

Why this answer

LACP is an IEEE standard (802.3ad) that allows dynamic formation of EtherChannels. It uses LACPDUs to negotiate parameters, supports up to 16 links (8 active, 8 standby), and can detect mismatched parameters like speed or duplex. The 'active' mode initiates negotiation, while 'passive' waits.

456
MCQ · hard

A network engineer is implementing Cisco TrustSec (CTS) with Security Group Tags (SGTs) using SXP (SGT Exchange Protocol). The engineer configures the switch as an SXP speaker and the Cisco ISE as an SXP listener. The engineer verifies that SXP peers are established. However, when the engineer checks 'show cts role-based sgt map', the SGT mappings for users are not present. What is the most likely cause?

A. The SXP version mismatch between the switch and ISE.
B. The switch is not configured to assign SGTs to users via 802.1X or static mapping.
C. The ISE is configured as an SXP speaker instead of a listener.
D. The SXP connection is using the wrong TCP port.
Answer: B

Correct because SXP propagates existing SGTs; if the switch has no mappings, nothing is sent.

Why this answer

SXP propagates SGTs from a speaker to a listener. If the switch is the speaker, it must have SGT mappings from authentication. If the switch does not have the mappings, it cannot propagate them.

Option B is correct because the switch must first learn SGTs via 802.1X or manual configuration. Option A is incorrect because SXP does not require a specific version. Option C is incorrect because the listener is ISE, which is correct.

Option D is incorrect because the peers are established.

457
Matching · medium

Drag and drop each Cisco DNA Center workflow on the left to its matching component on the right.

Matches

Creates network profiles, site hierarchy, and IP address pools

Defines SGTs, scalable groups, and access contracts

Deploys configurations and fabric settings to network devices

Monitors network health, client experience, and application performance

Automates device onboarding, software image management, and compliance checks

Why these pairings

Design creates network profiles and site hierarchy, Policy defines SGTs and access contracts, Provision deploys configurations to devices, Assurance monitors network health, and Automation runs workflows like PnP and SWIM.

458
MCQ · medium

A network engineer runs the following command on Router R7:

    R7# show vrf brief
      Name        Default RD   Protocols   Interfaces
      Mgmt-intf   <not set>    ipv4,ipv6   GigabitEthernet0/0
      CUSTOMER-A  65001:100    ipv4        GigabitEthernet0/1.10
      CUSTOMER-B  65001:200    ipv4        GigabitEthernet0/1.20

Based on this output, what can be concluded?

A. VRF CUSTOMER-A is using IPv6.
B. VRF Mgmt-intf has a route distinguisher set.
C. VRF CUSTOMER-B is associated with subinterface GigabitEthernet0/1.20.
D. All VRFs are using the same route distinguisher.
Answer: C

The output shows CUSTOMER-B with interface GigabitEthernet0/1.20.

Why this answer

The output shows VRFs with route distinguishers and associated interfaces. VRF CUSTOMER-A and CUSTOMER-B are configured with specific RDs and interfaces.

459
MCQ · medium

Given the following Ansible playbook snippet:

    ---
    - name: Configure VLAN
      hosts: switches
      gather_facts: no
      tasks:
        - name: Create VLAN 100
          ios_vlan:
            vlan_id: 100
            name: Engineering
            state: present

Which statement is true about this playbook?

A. It creates VLAN 100 with name Engineering if it does not exist.
B. It only checks if VLAN 100 exists and reports its status.
C. It deletes VLAN 100 if it exists.
D. It fails because 'name' is not a valid parameter for ios_vlan.
Answer: A

Correct. The module idempotently creates the VLAN with the specified name.

Why this answer

The ios_vlan module is used to manage VLANs on Cisco IOS switches. The 'state: present' ensures the VLAN exists. The module will create VLAN 100 with the name 'Engineering' if it does not already exist.

460
MCQ · easy

A network engineer runs the following command on Router R1:

    R1# show bgp ipv4 unicast summary | include 10.0.1.5
    10.0.1.5    4    65005    3456    3457    15    0    0    00:15:22    5

Based on this output, what can be concluded?

A. The BGP session with 10.0.1.5 has been down for 15 minutes and 22 seconds.
B. The BGP session with 10.0.1.5 is up and has received 5 prefixes.
C. The BGP session with 10.0.1.5 is in the 'Active' state.
D. The BGP session with 10.0.1.5 has sent 5 prefixes.
Answer: B

The number 5 in the State/PfxRcd column indicates 5 prefixes received, and the lack of a state word means the session is established.

Why this answer

The 'show bgp ipv4 unicast summary' output displays BGP neighbor status. The column 'Up/Down' shows '00:15:22', indicating the session has been established for 15 minutes and 22 seconds, not down. The last column shows '5', which under the 'PfxRcd' (Prefixes Received) column indicates the number of prefixes received from the neighbor.

Therefore, the session is up and has received 5 prefixes.

Exam trap

Cisco often tests the misinterpretation of the 'Up/Down' column, where candidates mistakenly read it as downtime instead of uptime, and the confusion between prefixes received (PfxRcd) and prefixes sent (PfxSent), which is not shown in this output.

How to eliminate wrong answers

Option A is wrong because the 'Up/Down' column value '00:15:22' represents the duration the session has been up, not down; a down session would show a different state or 'never'. Option C is wrong because the output shows a valid neighbor IP, AS number, and uptime, indicating the session is in the Established state, not Active; the Active state would not show prefixes received. Option D is wrong because the '5' in the output corresponds to prefixes received (PfxRcd), not sent; sent prefixes are not displayed in this summary output.

461
Matching · easy

Drag and drop each leased line technology on the left to its matching speed on the right.

Matches

1.544 Mbps

2.048 Mbps

44.736 Mbps

155.52 Mbps

44.736 Mbps

Why these pairings

T1 runs at 1.544 Mbps, E1 at 2.048 Mbps, DS3 at 44.736 Mbps, and OC-3 at 155.52 Mbps. T3 is 44.736 Mbps (same as DS3).

462
MCQ · hard

A network engineer is configuring CoPP on a Cisco router to protect the control plane from excessive traffic. The engineer creates a class-map that matches traffic with a specific ACL that permits TCP port 22 (SSH) from a management subnet (192.168.1.0/24) and denies all other traffic. The CoPP policy applies a police rate of 1 Mbps to this class. After applying the policy, the engineer notices that SSH sessions from the management subnet are being dropped intermittently. The engineer checks the CoPP statistics and sees that the traffic rate is 500 kbps. What is the most likely cause?

A. The CoPP policy has a conform-action of drop, which drops all traffic matching the class.
B. The police rate is too low, and the traffic is being dropped due to exceeding the rate.
C. The ACL is denying SSH traffic from the management subnet.
D. The CoPP policy is applied to the wrong interface, so it is not affecting SSH traffic.
Answer: A

Correct because if the conform-action is set to drop, all traffic in that class is dropped, even if it is within the police rate.

Why this answer

The correct answer is that the CoPP policy has a conform-action of drop, which drops all traffic matching the class, regardless of rate. Option B is incorrect because the traffic rate is below the police rate. Option C is incorrect because the ACL permits SSH from the management subnet.

Option D is incorrect because the CoPP policy is applied to the control plane, not an interface.

463
MCQ · easy

What is the maximum number of SPAN sessions that can be configured on a Cisco Catalyst 9300 switch?

A. 34
B. 16
C. 64
D. 8
Answer: A

The Catalyst 9300 supports a maximum of 34 SPAN sessions.

Why this answer

The Cisco Catalyst 9300 switch supports up to 34 SPAN sessions (including local SPAN, RSPAN, and ERSPAN).

464
Drag & Drop · medium

Drag and drop the steps of AAA method list fallback from RADIUS to local into the correct order, from first to last.


Why this order

When a RADIUS server is unreachable, the device first tries the primary RADIUS server, then any backup RADIUS servers. If all RADIUS servers fail, the device falls back to the local database for authentication. This ensures redundancy.

465
Matching · medium

Drag and drop each STP port role on the left to its matching definition on the right.

Matches

Best path from a non-root bridge to the root bridge

Best path for a LAN segment, forwards traffic

Alternate path to the root bridge (discarding in RSTP)

Backup path to a shared segment (discarding in RSTP)

Administratively shut down or not running STP

Why these pairings

Root port is the best path to the root bridge; Designated port is the best path for a segment; Alternate port provides an alternative path to the root bridge; Backup port provides a backup path to a shared segment.

466
MCQ · easy

What is the default OSPF hello interval on an Ethernet link?

A. 5 seconds
B. 10 seconds
C. 30 seconds
D. 40 seconds
Answer: B

The default OSPF hello interval on Ethernet (broadcast) links is 10 seconds.

Why this answer

OSPF uses a default hello interval of 10 seconds on broadcast and point-to-point links like Ethernet.

467
Matching · hard

Drag and drop each OMP attribute on the left to its matching behavior on the right.

Matches

Indicates whether the route was learned from OMP, connected, static, or BGP/OSPF

Uniquely identifies the WAN edge site within the overlay

Defines the transport tunnel type (e.g., mpls, public-internet, biz-internet)

Used for path selection; higher preference is preferred over lower

Administrative label that can be used for policy matching and route filtering

Why these pairings

OMP uses attributes like origin, site-id, color, and preference to influence route selection and TLOC reachability.

468
MCQ · medium

A network engineer runs the following command on Router R4:

    R4# show mpls ldp neighbor
        Peer LDP Ident: 10.0.0.2:0; Local LDP Ident 10.0.0.1:0
            TCP connection: 10.0.0.2.646 - 10.0.0.1.54567
            State: Oper; Msgs sent/rcvd: 100/95; Downstream
            Up time: 00:15:30
            LDP discovery sources:
              GigabitEthernet0/0, Src IP addr: 10.0.0.2
            Addresses bound to peer LDP Ident:
              10.0.0.2        192.168.1.1

Based on this output, what can be concluded?

A. The LDP session is down due to a TCP connection issue.
B. The LDP session is established over the GigabitEthernet0/0 interface.
C. The peer is not sending any LDP messages.
D. The local router has only one label binding for the peer.
Answer: B

The discovery source shows GigabitEthernet0/0, confirming the session is via that interface.

Why this answer

The LDP session is operational (State: Oper) with a peer at 10.0.0.2. The discovery source is GigabitEthernet0/0, indicating the session is established over that interface. The peer has two addresses bound.

469
Drag & Drop · medium

Drag and drop the steps of EIGRP stub configuration for hub-and-spoke into the correct order, from first to last.


Why this order

The correct order ensures that the spoke router first enters EIGRP configuration, then configures the stub feature, optionally restricts stub types, and finally applies the configuration. The hub router does not need stub configuration.

470
MCQ · hard

An engineer is configuring multicast on a Cisco router running IOS-XE. The network uses PIM sparse mode with a static RP at 10.1.1.1. The engineer enters the command 'ip pim rp-address 10.1.1.1' but multicast traffic is not being forwarded. Upon verification, the engineer sees that the RP is reachable via OSPF, but the 'show ip pim rp mapping' command does not list any RP for the group. What is the most likely cause?

A. The RP address is not reachable via the unicast routing table.
B. The command 'ip pim rp-address 10.1.1.1' must include an access-list to define the group range.
C. PIM sparse mode must be enabled on all interfaces first.
D. The router must be configured as a candidate RP using 'ip pim send-rp-announce'.
Answer: B

Correct because the RP mapping requires an access-list to specify the groups; without it, the RP is not associated with any group.

Why this answer

The 'ip pim rp-address' command requires an access-list to specify which groups the RP serves. Without the access-list, the command is incomplete and the RP mapping is not applied, even though the RP is reachable.

471
MCQ · hard

A network engineer is configuring CoPP on a Cisco ASR 1000 router to protect the control plane from excessive traffic. The engineer wants to allow BGP traffic from a specific peer (10.0.0.1) while rate-limiting all other BGP traffic. The engineer creates an ACL that permits TCP port 179 from host 10.0.0.1 and denies all other BGP traffic. The CoPP class-map matches this ACL. However, after applying the policy, BGP sessions from other peers are still being established. What is the most likely reason?

A. The ACL denies all other BGP traffic, so CoPP does not match it, and it falls through to the default class, which permits it.
B. The ACL is applied in the wrong order; the deny statement should be before the permit statement.
C. BGP uses UDP port 179, not TCP, so the ACL does not match BGP traffic.
D. CoPP does not affect BGP sessions because they are established before the policy is applied.
Answer: A

Correct because CoPP only applies to traffic matched by the class-map; if the ACL denies traffic, it is not matched, and the default class (often permit) allows it.

Why this answer

The correct answer is that the ACL only matches traffic from the specific peer, but CoPP class-maps match traffic based on the ACL; if the ACL denies other BGP traffic, CoPP will not match it, and it will be processed by the default class, which may permit it. Option B is incorrect because the ACL order is not the issue. Option C is incorrect because BGP uses TCP port 179, not UDP.

Option D is incorrect because CoPP does not affect routing protocol sessions directly; it only polices traffic to the control plane.

472
MCQ · medium

Given the following configuration:

    policy-map MARKING_POLICY
     class CRITICAL_DATA
      set dscp af31
     class BULK_DATA
      set dscp af11
     class class-default
      set dscp default

What is the effect of the set dscp default command in the class-default?

A. It sets the DSCP value to 0, which is the default best-effort marking.
B. It sets the DSCP value to the original value of the packet, effectively not changing it.
C. It sets the DSCP value to 46, which is the default for voice.
D. It is invalid because class-default cannot have a set action.
Answer: A

DSCP default is 0, used for best-effort traffic.

Why this answer

The 'set dscp default' command explicitly sets the DSCP field to a value of 0, which corresponds to the default best-effort per-hop behavior (PHB) as defined in RFC 2474. This ensures that any traffic not matching the user-defined classes (CRITICAL_DATA or BULK_DATA) is marked with the lowest priority, which is the standard behavior for class-default in a marking policy.

Exam trap

Cisco often tests the misconception that 'default' means 'leave the original value unchanged' or that it refers to a specific high-priority default like voice, rather than the actual DSCP value of 0 for best-effort traffic.

How to eliminate wrong answers

Option B is wrong because 'set dscp default' does not preserve the original packet value; it overwrites the DSCP field with a fixed value of 0. Option C is wrong because DSCP 46 (EF) is the default for voice traffic, not the 'default' keyword, which maps to DSCP 0. Option D is wrong because class-default can indeed have a set action; it is a valid and common practice to mark all unmatched traffic with a specific DSCP value.

473
Multi-Select · medium

Which TWO STP features are used to improve convergence time after a topology change?

Select 2 answers
A. UplinkFast
B. BackboneFast
C. Root Guard
D. BPDU Guard
E. PortFast
Answers: A, B

UplinkFast accelerates convergence after a direct link failure.

Why this answer

UplinkFast is correct because it enables a switch to immediately use an alternate root port when its current root port fails, bypassing the usual 30-second listening and learning delay. This is achieved by artificially lowering the bridge priority of the switch to trigger a topology change notification, allowing the backup port to transition directly to forwarding. BackboneFast is correct because it reduces convergence time by detecting indirect link failures in the backbone and allowing a switch to expire its Max Age timer (default 20 seconds) immediately, rather than waiting for the full timer to expire, thus speeding up the transition to a new root port.

Exam trap

Cisco often tests the distinction between features that improve convergence (UplinkFast, BackboneFast) versus features that provide security or edge-port behavior (Root Guard, BPDU Guard, PortFast), leading candidates to mistakenly select PortFast because it also speeds up initial port transition, but it does not react to topology changes.

474
MCQ · medium

A data center architect is designing a virtualized environment to host critical applications. The design must maximize performance by allowing virtual machines (VMs) to directly access physical CPU cores and memory without hypervisor overhead for latency-sensitive workloads. Which hypervisor configuration should be used?

A. Enable hyper-threading and overcommit CPU resources
B. Use a Type 2 hypervisor (e.g., VMware Workstation) for better isolation
C. Configure NUMA pinning and CPU pinning for each VM to dedicated cores and memory nodes
D. Enable memory ballooning to reclaim unused memory from VMs
Answer: C

NUMA pinning and CPU pinning reduce latency by ensuring VMs use local memory and dedicated cores, avoiding hypervisor scheduling delays.

Why this answer

Option C is correct because CPU pinning and NUMA pinning allow virtual machines to directly access dedicated physical CPU cores and memory nodes, eliminating hypervisor scheduling overhead and ensuring low-latency access to local memory. This configuration is essential for latency-sensitive workloads in a virtualized data center, as it provides near-bare-metal performance by avoiding resource contention and cross-NUMA memory access penalties.

Exam trap

Cisco often tests the misconception that hyper-threading or memory ballooning can improve performance for latency-sensitive workloads, when in fact these features are designed for resource efficiency and can introduce unpredictability or overhead.

How to eliminate wrong answers

Option A is wrong because enabling hyper-threading and overcommitting CPU resources increases contention for physical cores and introduces hypervisor scheduling overhead, which degrades performance for latency-sensitive workloads. Option B is wrong because a Type 2 hypervisor (e.g., VMware Workstation) runs on top of a host operating system, adding extra layers of abstraction and overhead that reduce performance and are unsuitable for data center critical applications. Option D is wrong because memory ballooning is a technique for reclaiming unused memory from VMs to allow overcommitment, but it does not provide direct memory access and can cause performance degradation due to balloon driver overhead and potential swapping.

475
MCQ · easy

A small business has a single router connected to the internet and a switch for the LAN. They want to implement VLANs to separate guest and corporate traffic. The router has only one physical interface to the switch. The network engineer proposes using subinterfaces with 802.1Q trunking on the router interface. Which configuration step is required on the switch port connected to the router?

A. Configure the port as a routed port.
B. Configure the port as an access port in VLAN 1.
C. Configure the port as a trunk port.
D. Configure the port as a dynamic desirable port.
Answer: C

A trunk port allows multiple VLANs via 802.1Q tagging, enabling the router subinterfaces to work.

Why this answer

The router uses subinterfaces with 802.1Q trunking to carry multiple VLANs over a single physical link. For this to work, the switch port connected to the router must be configured as a trunk port, which tags frames with VLAN IDs as they traverse the link. This allows the router to route between VLANs using its subinterfaces, each associated with a specific VLAN.

Exam trap

Cisco often tests the misconception that a switch port connecting to a router can remain as an access port or use DTP, but the key is that the router's subinterface requires 802.1Q-tagged frames, which only a statically configured trunk port can provide.

How to eliminate wrong answers

Option A is wrong because a routed port is a Layer 3 interface on a switch, used for routing between networks, not for carrying multiple VLANs over a single link; it would not support 802.1Q trunking. Option B is wrong because an access port belongs to a single VLAN and strips VLAN tags, which would prevent the router from receiving tagged frames for multiple VLANs, breaking the subinterface design. Option D is wrong because dynamic desirable is a DTP (Dynamic Trunking Protocol) mode used to negotiate trunking between Cisco switches, but it is not required or recommended for a router-to-switch connection; the router interface does not participate in DTP, so the switch port must be statically set as a trunk.

476
Drag & Drop · medium

Drag and drop the steps of a gRPC dial-in telemetry session initiated from the collector into the correct order, from first to last.


Why this order

The collector initiates the connection, authenticates, subscribes to specific YANG paths, receives streaming updates, and then processes the data.

477
Multi-Select · hard

Which three statements about RSPAN are true? (Choose three.)

Select 3 answers
A. RSPAN uses a dedicated VLAN that is trunked between switches to carry mirrored traffic.
B. The RSPAN VLAN can also be used for regular user data traffic if needed.
C. The RSPAN VLAN must be allowed on all trunk links between the source and destination switches.
D. The RSPAN destination port can be a regular access port in the RSPAN VLAN.
E. RSPAN requires that all switches in the path support the RSPAN feature.
Answers: A, C, E

Correct because the RSPAN VLAN is a special VLAN used exclusively for transporting mirrored packets across switches.

Why this answer

RSPAN uses a dedicated VLAN to transport mirrored traffic across switches. The RSPAN VLAN must be created on all switches in the path and should not be used for user traffic. Trunk ports carry the RSPAN VLAN, and the destination switch receives the traffic on an RSPAN destination port.

The RSPAN VLAN must not be pruned from trunks.

478
Drag & Drop · medium

Drag and drop the steps of EtherChannel troubleshooting and verification into the correct order, from first to last.


Why this order

Troubleshooting begins with checking physical layer, then verifying protocol negotiation, inspecting bundle state, checking load balancing, and finally reviewing logs.

479
Matching · medium

Drag and drop each RADIUS attribute on the left to its correct attribute number on the right.

Matches

Attribute 1

Attribute 4

Attribute 6

Attribute 8

Attribute 5

Why these pairings

RADIUS attribute numbers are standardized: User-Name is 1, NAS-IP-Address is 4, Service-Type is 6, Framed-IP-Address is 8, and NAS-Port is 5.

480
MCQ · medium

A network engineer runs the following command on Router R3:

    R3# show ip route ospf
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
           a - application route
           + - replicated route, % - next hop override

    Gateway of last resort is not set

          10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
    O IA     10.1.1.0/24 [110/20] via 192.168.1.1, 00:12:34, GigabitEthernet0/0
    O        10.2.2.0/24 [110/10] via 192.168.1.2, 00:15:22, GigabitEthernet0/0
    O E2     10.3.3.0/24 [110/20] via 192.168.1.3, 00:08:11, GigabitEthernet0/0

Based on this output, what can be concluded?

A. The route to 10.3.3.0/24 is an external route redistributed into OSPF.
B. The route to 10.1.1.0/24 is in the same OSPF area as R3.
C. The metric for 10.3.3.0/24 includes the internal cost to the ASBR.
D. R3 is an ASBR.
Answer: A

O E2 indicates an OSPF external route of type 2, typically redistributed from another routing protocol.

Why this answer

The route to 10.3.3.0/24 is marked as 'O E2' in the output, which stands for OSPF external type 2. This indicates that the route was redistributed into OSPF from another routing protocol or a different OSPF process, making it an external route. The 'E2' designation confirms it is an external route with a fixed metric that does not include the internal cost to the ASBR.

Exam trap

Cisco often tests the difference between OSPF external type 1 (E1) and type 2 (E2) routes, specifically that E2 routes do not include the internal cost to the ASBR, which is a common misconception that leads candidates to incorrectly select option C.

How to eliminate wrong answers

Option B is wrong because the route to 10.1.1.0/24 is marked as 'O IA' (OSPF inter-area), which means it originates from a different OSPF area than R3, not the same area. Option C is wrong because for an OSPF external type 2 (E2) route, the metric shown (20) is the external metric only and does not include the internal cost to the ASBR; that behavior is specific to external type 1 (E1) routes. Option D is wrong because R3 is simply receiving these OSPF routes; there is no indication in the output that R3 is redistributing routes into OSPF, which would be required for it to be an ASBR.

481
MCQ (easy)

A network engineer is configuring NAT on a Cisco router to allow internal hosts to access the internet. The engineer uses the command ip nat inside source list 100 interface GigabitEthernet0/0 overload, where access list 100 permits only the 10.0.0.0/8 network. After testing, hosts in the 10.0.0.0/8 network can access the internet, but hosts in the 172.16.0.0/16 network cannot. The engineer verifies that the 172.16.0.0/16 hosts have connectivity to the router. What is the most likely cause?

A. The access list 100 does not permit the 172.16.0.0/16 network.
B. The router's interface GigabitEthernet0/0 is not configured with ip nat outside.
C. The 172.16.0.0/16 hosts have a default gateway pointing to a different router.
D. The NAT pool is exhausted for the 172.16.0.0/16 network.
Answer: A

Correct because the NAT configuration only translates traffic that matches the access list; hosts not in the list are not translated.

Why this answer

The access list used in the NAT command determines which inside local addresses are eligible for translation. If the access list does not include the 172.16.0.0/16 network, those hosts will not be translated and will not be able to reach the internet.

482
MCQ (medium)

A company is deploying an SD-Access fabric with multiple sites connected via a WAN. The design must allow inter-site traffic to be forwarded without requiring a full mesh of VXLAN tunnels between all edge nodes. Which fabric role should be used to interconnect the sites?

A. Fabric border node
B. Fabric control plane node
C. Fabric edge node
D. Fabric WAN controller
Answer: A

Border nodes act as the gateway between the fabric and external networks, enabling inter-site connectivity.

Why this answer

A Fabric Border Node is the correct role because it acts as the gateway between the SD-Access fabric and external networks, including WAN connections. It performs Network-to-Network Interconnection (NNI) by translating VXLAN-encapsulated traffic into the appropriate WAN transport (e.g., IPsec, MPLS) and handles inter-site routing without requiring a full mesh of VXLAN tunnels between all Edge Nodes. This design leverages the Border Node to aggregate traffic and forward it over the WAN, reducing tunnel overhead and simplifying the fabric architecture.

Exam trap

Cisco often tests the misconception that a Fabric Edge Node can directly forward traffic between sites, but the trap here is that Edge Nodes only handle intra-site VXLAN tunnels and rely on Border Nodes for any traffic leaving the fabric site.

How to eliminate wrong answers

Option B is wrong because a Fabric Control Plane Node (using LISP/Map-Server) manages endpoint-to-location mappings and registration within a single fabric site; it does not forward data traffic or interconnect sites over a WAN. Option C is wrong because a Fabric Edge Node is responsible for attaching endpoints (wired/wireless) and encapsulating traffic into VXLAN tunnels within the same fabric site; it cannot directly forward traffic between different sites without a Border Node. Option D is wrong because there is no official 'Fabric WAN Controller' role in Cisco SD-Access; WAN integration is handled by the Fabric Border Node, which can be paired with external WAN controllers (e.g., vManage) but is not a separate fabric role.

483
MCQ (medium)

A network engineer is configuring MPLS L3VPN on a Cisco IOS-XE PE router. The engineer creates a VRF named CUSTOMER_A with route-target import and export 100:1. After configuring the VRF on the interface connected to the CE router, the CE router can ping the PE's VRF interface IP, but cannot reach any remote VPNv4 routes. The BGP session between PE and route reflector is up. What is the most likely cause?

A. The route-target import/export values are mismatched with the route reflector's configuration.
B. The VRF is not activated under BGP using the address-family ipv4 vrf CUSTOMER_A command.
C. The CE router is not configured with a default route pointing to the PE.
D. The PE router needs the mpls ip command on the interface facing the CE router.
Answer: B

Correct because without this command, the PE does not redistribute VRF routes into VPNv4 or import VPNv4 routes into the VRF.

Why this answer

The CE router can ping the PE's VRF interface IP, confirming Layer 2 and VRF interface configuration are correct. However, the CE cannot reach remote VPNv4 routes, which indicates that the PE is not advertising or installing those routes into the VRF. The most likely cause is that the VRF CUSTOMER_A has not been activated under BGP using the 'address-family ipv4 vrf CUSTOMER_A' command, which is required to exchange IPv4 routes between the PE and CE within the VRF context and to redistribute them into MP-BGP for VPNv4 propagation.

Exam trap

Cisco often tests the misconception that a working BGP session to the route reflector and correct route-target values alone are sufficient for VPNv4 route exchange, when in fact the VRF must be explicitly activated under BGP to enable route advertisement and import.

How to eliminate wrong answers

Option A is wrong because the route-target import/export values (100:1) are configured on the PE, and the route reflector does not need matching route-targets; it only reflects VPNv4 routes based on the RTs attached to the routes, and the PE's import RT must match the export RT of the remote PE, not the route reflector. Option C is wrong because the CE router not having a default route pointing to the PE would affect reachability to remote networks from the CE, but the symptom is that the CE cannot reach remote VPNv4 routes at all, which is a routing advertisement issue on the PE, not a missing default route on the CE. Option D is wrong because the 'mpls ip' command is required on the PE's core-facing interfaces to enable MPLS forwarding, not on the interface facing the CE, which is a Layer 3 VRF interface that does not require MPLS encapsulation.

484
MCQ (medium)

Review the ACL configuration:

```
ip access-list extended TEST
 permit tcp 192.168.1.0 0.0.0.255 any eq 80
 permit tcp 192.168.1.0 0.0.0.255 any eq 443
 deny ip any any
!
interface GigabitEthernet0/3
 ip access-group TEST in
```

What is missing or incorrect?

A. The ACL should use a wildcard mask of 255.255.255.0 instead of 0.0.0.255.
B. The deny ip any any is redundant because ACLs have an implicit deny at the end.
C. The ACL must be applied outbound to filter incoming traffic.
D. The ACL should use the keyword 'established' to allow return traffic.
Answer: B

The explicit deny is unnecessary but not incorrect; the implicit deny already blocks all other traffic.

Why this answer

The ACL permits HTTP and HTTPS from 192.168.1.0/24 to any destination, but denies all other traffic. The configuration is syntactically correct.

485
MCQ (medium)

```
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
```

What is the effect of this configuration?

A. All traffic from 192.168.1.0/24 will be translated to the IP address of GigabitEthernet0/0 using PAT.
B. Only one host from 192.168.1.0/24 can access the internet at a time.
C. Traffic from the outside interface will be translated to 192.168.1.0/24.
D. The configuration will fail because the access list must be applied to an interface.
Answer: A

Correct. The 'overload' keyword enables PAT, translating multiple inside hosts to a single outside IP.

Why this answer

This is a standard NAT overload (PAT) configuration. The inside network 192.168.1.0/24 is translated to the IP address of the outside interface (GigabitEthernet0/0) using port address translation. All inside hosts share the outside interface IP address.

486
MCQ (medium)

A network engineer runs the following command on Router R1:

```
R1# show access-lists
Extended IP access list 101
    10 permit tcp host 10.1.1.1 host 192.168.1.100 eq 80 (4 matches)
    20 deny tcp any host 192.168.1.100 eq 80 (12 matches)
    30 permit ip any any (8 matches)
```

Based on this output, what can be concluded?

A. HTTP traffic from 10.1.1.1 to 192.168.1.100 is permitted, but all other HTTP traffic to that host is denied.
B. All HTTP traffic to 192.168.1.100 is denied.
C. All traffic from 10.1.1.1 to 192.168.1.100 is permitted.
D. The ACL is applied inbound on an interface.
Answer: A

The first entry permits HTTP from 10.1.1.1 to 192.168.1.100, and the second denies all other HTTP to that host. The third entry permits all other traffic, but it does not override the deny for HTTP because ACLs are processed top-down until a match is found.

Why this answer

ACL 101 has three entries. The first permits HTTP from a specific host, the second denies HTTP from any source to that host, and the third permits all other IP traffic. The match counts show that 4 packets matched the permit, 12 matched the deny, and 8 matched the final permit.

The correct answer is that HTTP traffic from 10.1.1.1 to 192.168.1.100 is permitted, but all other HTTP traffic to that host is denied.

487
MCQ (medium)

A network engineer issues the following command on Router R5:

```
R5# show ip pim interface

Interface            PIM   Nbrs    Hello   DR      DR
                           Count   Intvl   Prior
GigabitEthernet0/0   on    2       30      1       10.1.1.1
GigabitEthernet0/1   on    1       30      1       10.2.2.2
Loopback0            on    0       30      1       10.3.3.3
```

Based on this output, what can be concluded?

A. The DR on GigabitEthernet0/0 is 10.1.1.1.
B. The DR on GigabitEthernet0/1 is the local router.
C. PIM is disabled on Loopback0.
D. The hello interval on GigabitEthernet0/0 is 60 seconds.
Answer: A

The DR column shows 10.1.1.1 for that interface.

Why this answer

The 'show ip pim interface' output shows that GigabitEthernet0/0 has 2 PIM neighbors, a hello interval of 30 seconds, DR priority of 1, and the DR is 10.1.1.1. GigabitEthernet0/1 has 1 neighbor and its DR is 10.2.2.2. Loopback0 has no neighbors and its DR is the router's own IP.

The correct answer is that the DR on GigabitEthernet0/0 is 10.1.1.1. The output does not show the local router's own address on that interface, so the DR is presumably a neighboring router rather than R5 itself.

488
Drag & Drop (medium)

Drag and drop the steps of BGP policy application (route-map, prefix-list, AS-path ACL) into the correct order, from first to last.

Why this order

First, you create the prefix-list or AS-path ACL to match routes. Then you define the route-map with match and set clauses. Next, you apply the route-map to a neighbor under the BGP address-family.

After that, you clear the BGP session to apply the policy. Finally, you verify the policy effect with show ip bgp.

489
MCQ (easy)

What is the purpose of the 'police' command in a QoS policy-map?

A. To shape traffic to a specific rate by buffering excess packets.
B. To limit the rate of traffic and take action (drop or remark) on packets that exceed the rate.
C. To prioritize traffic by assigning it to a strict priority queue.
D. To classify traffic based on IP precedence or DSCP values.
Answer: B

Policing enforces a rate limit by dropping or remarking excess traffic.

Why this answer

The 'police' command in a Cisco QoS policy-map implements traffic policing, which enforces a rate limit by measuring traffic flow and taking immediate action—typically dropping or remarking packets—when the traffic exceeds the configured rate. Unlike shaping, policing does not buffer excess traffic; it acts on packets in real time, making it ideal for marking down or discarding non-compliant traffic at the ingress or egress of an interface.

Exam trap

Cisco often tests the distinction between policing and shaping—the trap here is that candidates confuse 'police' with 'shape' because both limit traffic rates, but policing drops/remarks without buffering, while shaping queues and delays excess traffic.

How to eliminate wrong answers

Option A is wrong because shaping (not policing) buffers excess packets to smooth traffic to a specific rate; the 'police' command drops or remarks, not buffers. Option C is wrong because strict priority queuing is configured with the 'priority' command within a class, not with 'police'; policing controls rate, not queue scheduling. Option D is wrong because traffic classification based on IP precedence or DSCP is done with the 'class-map' and 'match' commands, not with the 'police' action; policing is applied after classification.

490
Multi-Select (medium)

Which two statements about the 802.1X authentication process are true? (Choose two.)

Select 2 answers
A. The supplicant sends an EAPOL-Start frame to begin the authentication process.
B. The authenticator (switch) performs the actual authentication of the supplicant credentials.
C. The authentication server (RADIUS) sends an EAP-Success message after successful validation of credentials.
D. EAPOL frames are used only between the authentication server and the authenticator.
E. The authenticator places the port in the unauthorized state before authentication completes.
Answers: A, C

Correct because the supplicant (client) typically initiates 802.1X by sending an EAPOL-Start frame to the authenticator.

Why this answer

In 802.1X, the supplicant (client) initiates the session by sending an EAPOL-Start, or the authenticator (switch) can send an EAP-Request/Identity to prompt the client. The RADIUS server is the authentication server that validates credentials and sends an EAP-Success or EAP-Failure. The authenticator does not perform the actual authentication; it only relays EAP frames.

491
Matching (medium)

Drag and drop each DHCP option on the left to its matching purpose on the right.

Matches

Provides vendor-specific information such as TFTP server address

Identifies the vendor class of the DHCP client

Carries relay agent information for DHCP snooping

Specifies the TFTP server name

Specifies the TFTP server IP address for Cisco phones

Why these pairings

Option 43 provides vendor-specific info; Option 60 identifies vendor class; Option 82 is relay agent information.

492
MCQ (easy)

An engineer configures IP SLA 50 to monitor the response time of a TCP connection to a server at 10.1.1.1 on port 80. The operation is used to trigger a backup path. The engineer notices that the IP SLA operation shows 'State: Active' and 'Latest RTT: 100 ms', but the server is actually down and not responding to TCP SYN packets. What is the most likely reason?

A. A stateful firewall or load balancer is responding to the TCP SYN on behalf of the server, causing the probe to succeed.
B. The IP SLA TCP connect probe does not actually verify that the server responds; it only checks if the port is open.
C. The IP SLA operation must be configured with a 'timeout' value lower than 100 ms to detect the failure.
D. The server is actually responding to the probe but not to other traffic because the probe uses a different source IP.
Answer: A

Correct. If a network device intercepts the TCP handshake and responds, the IP SLA probe will consider the connection successful even if the actual server is down.

Why this answer

The TCP connect probe only checks if the TCP three-way handshake completes. If the server is down but a stateful firewall or load balancer responds to the SYN with a SYN-ACK, the probe will succeed even if the server is down.

493
Drag & Drop (medium)

Drag and drop the steps of Ansible Tower (AWX) job template execution into the correct order, from first to last.

Why this order

Ansible Tower job template execution starts with launching the job template; then, Tower provisions an isolated execution environment; next, it checks out the project from the source control; after that, it runs the playbook against the specified inventory; finally, it collects and displays job results and logs.

494
Multi-Select (hard)

Which three statements about virtual machine (VM) resource allocation and overcommitment are true? (Choose three.)

Select 3 answers
A. Memory overcommitment allows the sum of all virtual machine memory allocations to exceed the physical RAM of the host.
B. CPU overcommitment is achieved by scheduling virtual CPUs onto physical cores, often with a ratio greater than 1:1.
C. Overcommitment always guarantees better performance for all virtual machines.
D. Storage overcommitment is supported by thin provisioning, where virtual disks consume only the space actually used.
E. A hypervisor cannot overcommit CPU resources because each vCPU must be pinned to a dedicated physical core.
Answers: A, B, D

Correct because hypervisors can use techniques like ballooning to overcommit memory.

Why this answer

Memory overcommitment allows more total vRAM than physical RAM. CPU overcommitment is common and can be managed. Overcommitment can cause performance issues if resources are oversubscribed.

Storage is not typically overcommitted in the same manner as CPU/memory.

495
MCQ (medium)

```
interface GigabitEthernet0/2
 spanning-tree link-type point-to-point
end
```

What is the effect of this configuration?

A. The port will use RSTP fast transition mechanisms assuming a point-to-point link.
B. The port will become a designated port immediately.
C. The port will disable STP on that link.
D. The port will use shared medium behavior.
Answer: A

RSTP uses point-to-point links for rapid convergence.

Why this answer

This manually sets the link type to point-to-point, which enables Rapid Spanning Tree (RSTP) fast transitions on that port.

496
Drag & Drop (medium)

Drag and drop the steps of the PPDIOO network lifecycle into the correct order, from first to last.

Why this order

The PPDIOO lifecycle defines six phases: Prepare, Plan, Design, Implement, Operate, and Optimize. This order ensures a structured approach from initial requirements gathering through ongoing improvement.

497
Matching (medium)

Drag and drop each SNMP component on the left to its matching role on the right.

Matches

Network management station that polls agents

Software running on the managed device

Database of managed objects

Unique identifier for a managed object

Authentication string for v1/v2c

Why these pairings

Manager is the NMS; agent runs on the device; MIB is the database; OID identifies a specific variable.

498
Matching (hard)

Drag and drop each BGP path selection criterion on the left to its correct order of preference (1 = highest priority) on the right.

Why these pairings

Weight (highest) is checked first, then LOCAL_PREF (highest), then locally originated routes, then AS_PATH length (shortest), then ORIGIN (IGP > EGP > incomplete).

499
MCQ (easy)

An engineer is configuring MPLS L3VPN with BGP as the PE-CE protocol. The customer uses eBGP between CE and PE. The engineer notices that the CE router is not receiving any VPN routes from the PE. The 'show bgp vpnv4 unicast all' on the PE shows the routes as valid and best. What is the most likely missing configuration?

A. The 'redistribute bgp' command is missing under the VRF BGP address-family on the PE.
B. The BGP session between PE and CE is not established.
C. The route-target import is not configured on the PE.
D. The VRF is not configured on the PE.
Answer: A

Correct because without redistribution, the PE does not advertise VPN routes to the CE via eBGP.

Why this answer

In MPLS L3VPN, when using eBGP between PE and CE, the PE must redistribute BGP routes into the VRF BGP process. This is done using the 'redistribute bgp' command under the VRF address-family. Option A is correct.

Option B is wrong because the routes are already in BGP; Option C is wrong because the session is up; Option D is wrong because the VRF is configured.

500
Multi-Select (medium)

Which three statements about Cisco QoS policing and shaping are true? (Choose three.)

Select 3 answers
A. Policing can re-mark traffic that exceeds the configured rate to a lower priority.
B. Shaping buffers excess traffic and transmits it later to avoid drops.
C. Both policing and shaping use a token bucket algorithm to measure traffic rates.
D. Policing buffers traffic that exceeds the rate to reduce packet loss.
E. Shaping is typically applied on the ingress interface to control incoming traffic.
Answers: A, B, C

Correct because policing can set a new DSCP or CoS value for out-of-profile traffic.

Why this answer

Policing drops or re-marks traffic exceeding a rate, while shaping buffers excess traffic. Policing is typically applied inbound, shaping outbound. Option A is correct because policing can mark down traffic (e.g., set DSCP to 0) when the rate is exceeded.

Option B is correct because shaping buffers traffic to smooth bursts, reducing drops. Option C is correct because both use a token bucket model to measure conformance. Option D is incorrect because policing does not buffer; it drops or re-marks.

Option E is incorrect because shaping is applied on egress, not ingress.

501
Matching (medium)

Drag and drop each data encoding format on the left to its matching use case on the right.

Matches

Lightweight data interchange for REST APIs

Structured data format used in NETCONF messages

Human-readable format for configuration files

Binary serialization for high-performance systems

Why these pairings

JSON is lightweight and widely used in REST APIs, XML is verbose and used in NETCONF, YAML is human-readable for configuration files, and Protobuf is efficient for high-performance systems.

502
MCQ (medium)

Examine the following interface configuration on a Cisco IOS-XE switch:

```
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
```

What is the effect of this configuration?

A. The port will dynamically learn MAC addresses, allow up to 2 addresses, and if a third MAC is seen, it will drop the traffic but keep the port up.
B. The port will learn up to 2 MAC addresses and then shut down if a third is seen.
C. The port will allow only 2 MAC addresses and will generate a syslog message but continue forwarding traffic from the third MAC.
D. The port will learn MAC addresses dynamically and convert them to secure MAC addresses, but the maximum is 1 by default.
Answer: A

Correct. 'violation restrict' drops frames from unknown MACs without disabling the port.

Why this answer

This configuration enables port security with sticky MAC learning, allowing up to 2 MAC addresses, and sets the violation mode to restrict (drops offending traffic but does not shut down the port).

503
MCQ (hard)

An enterprise uses VRF-lite to isolate guest Wi-Fi traffic from corporate traffic on a Cisco Catalyst 9300 switch. The guest VRF (GUEST) is configured on VLAN 100, and the corporate VRF (CORP) on VLAN 200. Both VRFs use the same default gateway router connected via a trunk. The engineer notices that guest devices can reach the internet but cannot access the guest captive portal hosted on a server in VLAN 100. The server's IP is reachable from the switch itself. What is the issue?

A. The guest server is in a different VLAN than the guest wireless subnet, and inter-VLAN routing is not configured within the GUEST VRF.
B. The trunk between the switch and the router is not allowing VLAN 100.
C. The guest VRF is missing the route-target export command.
D. The captive portal server is configured with a default gateway that points to the corporate VRF.
Answer: A

Correct because if the guest wireless clients and the captive portal server are in different VLANs but both in the GUEST VRF, the switch must have an SVI for each VLAN in the GUEST VRF and routing must be enabled. Without proper VRF-aware routing, packets are dropped.

Why this answer

The issue is that the guest captive portal server resides in VLAN 100, but the guest wireless subnet is likely in a different VLAN or subnet within the GUEST VRF. Since VRF-lite provides separate routing tables, inter-VLAN routing within the same VRF must be explicitly configured (e.g., using SVIs with 'ip routing' and proper VRF forwarding). The switch can reach the server because it is directly connected, but guest devices cannot because their traffic is not routed between the wireless subnet and the server's VLAN within the GUEST VRF.

Exam trap

Cisco often tests the misconception that simply placing devices in the same VLAN guarantees connectivity, ignoring that VRF-lite requires explicit inter-VLAN routing configuration within each VRF, even if the VLANs are on the same switch.

How to eliminate wrong answers

Option B is wrong because the trunk must be allowing VLAN 100 for the guest devices to reach the internet through the router, which they can, so VLAN 100 is allowed. Option C is wrong because route-target export is used in MPLS VPNs for BGP route distribution, not required for VRF-lite which uses local routing and does not need route-target commands. Option D is wrong because the captive portal server's default gateway pointing to the corporate VRF would cause it to be unreachable from the guest VRF entirely, but the switch can reach it, indicating the server's gateway is correctly in the GUEST VRF.

504
Matching (medium)

Drag and drop each VNF category on the left to its matching example on the right.

Matches

Cisco CSR 1000v

Cisco Firepower NGFWv

F5 BIG-IP Virtual Edition

Cisco vWAAS

Cisco Firepower NGIPSv

Why these pairings

VNFs replace physical appliances; common examples include virtual routers, firewalls, and load balancers.

505
MCQ (hard)

A network engineer runs the following command on Router R5:

```
R5# show ip nat translations
Pro  Inside global       Inside local        Outside local       Outside global
udp  192.0.2.20:1234     10.0.0.20:1234      203.0.113.1:53      203.0.113.1:53
tcp  192.0.2.20:5678     10.0.0.20:5678      198.51.100.1:80     198.51.100.1:80
```

Based on this output, what can be concluded?

A. The router is configured with static NAT for two internal hosts.
B. The router is performing Port Address Translation (PAT) for multiple sessions from the same internal host.
C. The router is performing destination NAT.
D. The inside local address 10.0.0.20 is using two different global addresses.
Answer: B

Same inside global IP with different ports indicates PAT.

Why this answer

The output shows two translations using the same inside global address (192.0.2.20) but different ports, which is characteristic of PAT. One translation is UDP (DNS) and one is TCP (HTTP).

506
MCQ (medium)

Examine the following configuration snippet:

```
interface GigabitEthernet0/1
 ip access-group FILTER_IN in
!
ip access-list extended FILTER_IN
 deny icmp any any echo
 permit ip any any
```

What is the effect of this configuration?

A. It blocks all ICMP traffic inbound on GigabitEthernet0/1.
B. It blocks inbound ICMP Echo requests on GigabitEthernet0/1.
C. It blocks all inbound traffic on GigabitEthernet0/1.
D. It blocks outbound ICMP Echo requests on GigabitEthernet0/1.
Answer: B

The deny statement matches ICMP Echo (ping request) and the permit statement allows all other traffic.

Why this answer

The ACL denies ICMP Echo (ping) inbound on GigabitEthernet0/1 while permitting all other IP traffic.

507
MCQ (medium)

Given the following EIGRP configuration:

```
router eigrp 100
 network 10.0.0.0 0.255.255.255
 metric weights 0 1 1 1 0 0
!
```

What is the effect of the 'metric weights' command?

A. It sets the EIGRP metric to use bandwidth, load, and delay, ignoring reliability and MTU.
B. It disables EIGRP metric calculation and uses a fixed metric of 1.
C. It sets the EIGRP metric to use only bandwidth and delay, ignoring load, reliability, and MTU.
D. It configures EIGRP to use the default K values (1,0,1,0,0).
Answer: A

Correct. K1=1 (bandwidth), K2=1 (load), K3=1 (delay), K4=0, K5=0.

Why this answer

The 'metric weights' command in EIGRP allows you to modify the K values used in the composite metric calculation. The syntax is 'metric weights tos k1 k2 k3 k4 k5'. Here, the values are 0 1 1 1 0 0, meaning k1 (bandwidth) = 1, k2 (load) = 1, k3 (delay) = 1, k4 (reliability) = 0, k5 (MTU) = 0.

This results in the metric using bandwidth, load, and delay, while ignoring reliability and MTU. Option A correctly describes this effect.

Exam trap

Cisco often tests the exact mapping of the 'metric weights' command arguments to K values, and the trap here is that candidates confuse the order or assume that a value of 0 disables the entire metric calculation rather than just that specific component.

How to eliminate wrong answers

Option B is wrong because the 'metric weights' command does not disable metric calculation or set a fixed metric; it customizes the K values used in the composite metric formula. Option C is wrong because it states that only bandwidth and delay are used, but the configuration includes k2=1, which includes load in the calculation. Option D is wrong because the default K values are 1,0,1,0,0 (k1=1, k2=0, k3=1, k4=0, k5=0), but the given command sets k2=1, which deviates from the default.

508
Drag & Drop (medium)

Drag and drop the steps of SR-IOV configuration for VM network bypass into the correct order, from first to last.

Why this order

The configuration begins with enabling SR-IOV in the BIOS, then creating virtual functions, assigning them to the VM, and finally installing drivers inside the VM.

509
Drag & Drop (medium)

Drag and drop the steps of CBWFQ and LLQ queue servicing into the correct order, from first to last.

Why this order

LLQ is serviced before any CBWFQ queues to ensure low-latency traffic. Within CBWFQ, queues are serviced in a weighted round-robin fashion based on bandwidth allocation. The default queue is serviced last.

510
Matchingmedium

Drag and drop each traffic direction on the left to its correct SPAN keyword on the right.

Matches

rx keyword

tx keyword

both keyword

rx keyword

tx keyword

Why these pairings

Ingress traffic is monitored with the 'monitor session source interface x/x rx' keyword; egress with 'tx'; both directions with 'both'.

511
MCQhard

Based on the exhibit, which traffic will be permitted outbound on GigabitEthernet0/0?

A.HTTP and HTTPS traffic from 192.168.1.0/24
B.ICMP traffic from any source
C.FTP traffic from 192.168.1.0/24
D.SSH traffic from 192.168.1.0/24
AnswerA

The ACL permits www and https.

Why this answer

The exhibit shows an access control list (ACL) applied outbound on GigabitEthernet0/0. The ACL permits TCP traffic from source 192.168.1.0/24 to any destination with a destination port of 80 (HTTP) or 443 (HTTPS). Therefore, only HTTP and HTTPS traffic from the 192.168.1.0/24 network is permitted outbound.

Exam trap

Cisco often tests the implicit deny any at the end of an ACL, leading candidates to assume that traffic not explicitly denied is permitted, when in fact only explicitly permitted traffic is allowed.

How to eliminate wrong answers

Option B is wrong because ICMP traffic is not TCP and does not match the permit statement for TCP ports 80 and 443; ICMP would be implicitly denied by the ACL's implicit deny any at the end. Option C is wrong because FTP traffic uses TCP ports 20 and 21, which are not permitted by the ACL's permit statement for ports 80 and 443. Option D is wrong because SSH traffic uses TCP port 22, which is not permitted by the ACL's permit statement for ports 80 and 443.

512
MCQmedium

Consider the following Python script that uses the requests library to delete a VLAN via RESTCONF on a Cisco IOS-XE device:

```python
import requests
from requests.auth import HTTPBasicAuth

# RESTCONF resource for VLAN 10 in the IOS-XE native YANG model
url = 'https://192.168.1.1/restconf/data/Cisco-IOS-XE-native:native/vlan=10'
headers = {
    'Accept': 'application/yang-data+json',
    'Content-Type': 'application/yang-data+json'
}
auth = HTTPBasicAuth('admin', 'cisco')
# verify=False disables TLS certificate validation for this request
response = requests.delete(url, headers=headers, auth=auth, verify=False)
print(response.status_code)
```

What is the expected outcome if the VLAN 10 exists?

A.It will retrieve the configuration of VLAN 10.
B.It will create VLAN 10 if it does not exist.
C.It will delete VLAN 10 from the device configuration.
D.It will return an error because the payload is missing.
AnswerC

The DELETE method removes the specified resource.

Why this answer

A DELETE request to the VLAN resource will remove VLAN 10 from the device configuration.

513
Drag & Dropmedium

Drag and drop the steps of configuring model-driven telemetry with gRPC on a Cisco IOS-XE device into the correct order, from first to last.

Why this order

First, enable telemetry and define the destination. Then, create a subscription with a sensor path. Next, set the update policy.

Finally, verify the telemetry data is being sent.

514
Drag & Dropmedium

Drag and drop the steps of IKEv2 fragmentation and DPD keepalive process into the correct order, from first to last.

Why this order

During IKEv2, if the IKE packet exceeds the MTU, the sender fragments it into smaller pieces. The receiver reassembles the fragments into the original packet. After the IKE SA is established, the peers send Dead Peer Detection (DPD) keepalives to verify connectivity.

If no response is received, the peer retransmits the DPD. After multiple failures, the peer declares the SA dead and deletes it.

515
MCQmedium

A network engineer is designing a WAN connection for a branch office that requires high availability and bandwidth aggregation. The branch has two internet connections from different ISPs. The engineer wants to use both links actively for load balancing and failover. Which design approach should be used?

A.Deploy SD-WAN to actively use both links with policy-based load balancing.
B.Configure static routes with different metrics for each link and use HSRP for failover.
C.Use BGP with both ISPs and rely on BGP best path selection for load balancing.
D.Implement a VPN tunnel between the branch and headquarters using only one link.
AnswerA

Correct because SD-WAN is designed to utilize multiple WAN links simultaneously, providing load balancing and failover based on application policies.

Why this answer

SD-WAN is the correct design because it natively supports active/active utilization of multiple WAN links with policy-based load balancing, allowing traffic to be distributed across both ISP connections based on application policies, SLA metrics, or other criteria. It also provides seamless failover by dynamically rerouting traffic if one link fails, meeting the requirements for high availability and bandwidth aggregation without relying on a single active link.

Exam trap

Cisco often tests the misconception that BGP multipath or static routes with HSRP can achieve active/active load balancing, but these methods either require complex tuning or are inherently active/passive, failing to meet the policy-based and application-aware requirements that SD-WAN uniquely addresses.

How to eliminate wrong answers

Option B is wrong because static routes with different metrics and HSRP are designed for active/passive failover, not active/active load balancing; HSRP operates at Layer 2 for gateway redundancy and does not distribute traffic across multiple WAN links. Option C is wrong because BGP best path selection selects only a single best path per prefix by default, and while BGP can be tuned for load balancing with features like multipath, it does not inherently provide policy-based load balancing or application-aware traffic steering like SD-WAN. Option D is wrong because implementing a VPN tunnel using only one link defeats the purpose of using both links for load balancing and failover, leaving the branch dependent on a single connection.

516
Drag & Dropmedium

Drag and drop the steps of Cisco IOS-XE mdt subscription via CLI configuration into the correct order, from first to last.

Why this order

The CLI configuration begins by entering global config, defining the receiver, setting the subscription parameters, applying the subscription, and verifying it.

517
Multi-Selectmedium

Which two statements about RESTCONF are true? (Choose two.)

Select 2 answers
A.RESTCONF uses SSH for transport security.
B.RESTCONF uses HTTP methods such as GET, PUT, POST, DELETE, and PATCH.
C.RESTCONF is designed to replace NETCONF entirely.
D.RESTCONF supports both JSON and XML encoding for data representation.
E.RESTCONF uses remote procedure calls (RPCs) for all operations.
AnswersB, D

Correct because RESTCONF maps to standard HTTP methods.

Why this answer

The correct answers are B and D. B is correct because RESTCONF uses HTTP methods like GET, PUT, POST, DELETE, and PATCH. D is correct because RESTCONF supports both JSON and XML encoding.

A is incorrect because RESTCONF uses HTTP, not SSH. C is incorrect because RESTCONF is not a replacement for NETCONF; they are different protocols. E is incorrect because RESTCONF does not use remote procedure calls (RPCs) in the same way as NETCONF; it uses RESTful operations.

518
MCQmedium

Examine this configuration:

```
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa accounting exec default start-stop group tacacs+
line vty 0 4
 login authentication default
 privilege level 15
```

What is missing to ensure that VTY users are authenticated via TACACS+?

A.The 'aaa authentication login default' command should include 'group tacacs+' before 'local'.
B.The 'aaa authorization exec default' command should include 'group tacacs+'.
C.The 'aaa accounting exec default' command should include 'group tacacs+'.
D.The 'privilege level 15' command under VTY lines is missing.
AnswerA

Correct. To authenticate via TACACS+, the method list must specify 'group tacacs+' as the primary method.

Why this answer

The authentication method list 'default' uses local authentication. To use TACACS+, the method list must include 'group tacacs+' before 'local'. The current configuration only uses local.

519
Multi-Selectmedium

Which two statements about IPsec IKEv2 are true? (Choose two.)

Select 2 answers
A.IKEv2 uses UDP port 500 for initial negotiation and can switch to UDP 4500 for NAT traversal.
B.IKEv2 supports EAP authentication for remote access VPNs.
C.IKEv2 uses TCP port 500 for control plane messages.
D.IKEv2 requires a separate IPsec SA for each direction of traffic.
E.IKEv2 is not compatible with certificate-based authentication.
AnswersA, B

Correct because IKEv2 uses UDP 500 and 4500 for NAT-T.

Why this answer

IKEv2 uses UDP port 500 and 4500, supports EAP authentication, and is more robust than IKEv1. It does not use TCP, and it supports multiple simultaneous SAs.

520
MCQmedium

A network engineer is troubleshooting a performance issue between two hosts connected to a Cisco Catalyst 3850 switch. The engineer wants to capture all traffic sent and received by Host A (Gi1/0/1) and send it to a monitoring station connected to Gi1/0/24. The engineer configures 'monitor session 1 source interface Gi1/0/1 both' and 'monitor session 1 destination interface Gi1/0/24'. However, the monitoring station receives only traffic sent by Host A, not traffic received. What is the most likely cause?

A.The source interface is configured as an access port, and the SPAN session cannot capture both directions on an access port.
B.The destination port is in the same VLAN as the source interface, causing the switch to drop the copied frames due to loop prevention.
C.The 'monitor session 1 destination interface Gi1/0/24' command does not support egress SPAN; only ingress SPAN is allowed.
D.The engineer must also configure 'monitor session 1 filter ip' to capture both directions.
AnswerB

Correct; when the destination port is in the same VLAN as the source, the switch may drop the replicated frames to prevent loops, especially if the destination port is also in the forwarding path.

Why this answer

The 'both' keyword should capture both directions. On some platforms the destination port must be explicitly configured (for example with 'monitor session 1 destination interface Gi1/0/24 ingress untagged' or similar) before received traffic is copied, and some switches do not support egress SPAN on a source interface without additional configuration. The question, however, focuses on a common misconfiguration: the destination port is in the same VLAN as the source interface, so the switch's loop prevention drops the replicated frames. The engineer should move the destination port out of the source VLAN or use a remote SPAN (RSPAN) VLAN.

So the correct answer is that the destination port is in the same VLAN as the source interface, causing the switch to drop the replicated traffic.

521
Multi-Selectmedium

Which two statements about Type 1 and Type 2 hypervisors are true? (Choose two.)

Select 2 answers
A.Type 1 hypervisors have direct access to physical hardware resources.
B.Type 2 hypervisors run directly on the physical server without a host operating system.
C.Type 1 hypervisors require a host operating system for resource management.
D.Type 2 hypervisors rely on the host operating system for device drivers and resource scheduling.
E.Type 1 hypervisors can only support a single virtual machine per physical host.
AnswersA, D

Correct because Type 1 hypervisors run directly on the hardware, allowing direct resource access.

Why this answer

Type 1 hypervisors run directly on hardware and are commonly used in data centers; Type 2 hypervisors run on a host OS and are often used for testing or desktop virtualization. Option A is correct because Type 1 hypervisors have direct access to hardware resources, which improves performance. Option D is correct because Type 2 hypervisors rely on the host OS for resource management, adding overhead.

Option B is incorrect because Type 2 hypervisors do not run directly on hardware. Option C is incorrect because Type 1 hypervisors do not require a host OS. Option E is incorrect because Type 1 hypervisors can support multiple VMs, not just one.

522
Matchingmedium

Drag and drop each telemetry model on the left to its matching push type (dial-in or dial-out) on the right.

Matches

Collector initiates connection to the device

Device initiates connection to the collector

Device streams data to collector

Device sends data to collector

Device sends unsolicited data to collector

Why these pairings

Dial-in models require the collector to initiate the connection (e.g., gRPC dial-in). Dial-out models let the network device push data to the collector (e.g., gRPC dial-out, NETCONF YANG-push).

523
Drag & Dropmedium

Drag and drop the steps of Ansible Vault encryption and decryption steps into the correct order, from first to last.

Why this order

Ansible Vault encryption starts with creating a password file; then, encrypting a plaintext file with ansible-vault encrypt; next, viewing the encrypted content with ansible-vault view; after that, decrypting the file for editing with ansible-vault decrypt; finally, re-encrypting after modifications.

524
MCQmedium

```
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
!
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha
 group 14
 lifetime 86400
!
crypto isakmp key cisco123 address 203.0.113.2
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TSET
 match address 100
!
interface GigabitEthernet0/0
 crypto map CMAP
!
access-list 100 permit ip 10.0.0.0 0.0.0.3 10.0.0.4 0.0.0.3
```

What is the effect of this configuration?

A.The configuration creates an IPsec VTI that encrypts traffic between the two tunnel endpoints.
B.The configuration will fail because the crypto map must be applied to the tunnel interface, not the physical interface.
C.The configuration will only encrypt traffic from 10.0.0.0/30 to 10.0.0.4/30, but not the reverse.
D.The configuration uses IKEv2 because of the transform-set and crypto map.
AnswerA

Correct. The tunnel mode ipsec ipv4 and crypto map create a secure tunnel, and the ACL matches the tunnel subnets.

Why this answer

The configuration sets up a site-to-site IPsec VPN using a tunnel interface with IPsec protection. The crypto map is applied to the physical interface, and the access list defines interesting traffic between the two /30 subnets (10.0.0.0/30 and 10.0.0.4/30). This is a valid configuration for a DMVPN or static VTI, but note that the tunnel mode is 'ipsec ipv4' which is used for IPsec VTI (Virtual Tunnel Interface) and requires a crypto map on the physical interface to protect the tunnel.

The access list correctly matches the tunnel networks.

525
Matchingmedium

Drag and drop each SD-WAN controller on the left to its matching function on the right.

Matches

Centralized management, monitoring, and GUI dashboard

Control plane policy distribution and OMP route propagation

First point of contact for device authentication and NAT discovery

WAN edge router running Viptela OS

WAN edge router running IOS-XE with SD-WAN features

Why these pairings

vManage provides centralized management and monitoring; vSmart distributes control plane policies and OMP routes; vBond authenticates and orchestrates initial device onboarding and NAT traversal.
