Which three statements about DHCP relay are true? (Choose three.)
Correct because ip helper-address converts DHCP broadcast to unicast and forwards it to the specified server.
A network engineer is deploying 802.1X on a Cisco switch for a mixed environment of Windows laptops and IP phones. The engineer configures the switchport with 'authentication port-control auto' and 'dot1x pae authenticator'. After connecting a Windows laptop, the switch logs show 'Authentication failed' for the laptop. The engineer verifies that the RADIUS server is reachable and the laptop's supplicant is configured correctly. What is the most likely cause of the authentication failure?
Correct because without proper EAP initiation, the supplicant may not respond, leading to authentication failure.
Why this answer
The scenario describes a common issue where 802.1X is configured but the switch is not sending EAP requests because it is waiting for a trigger. Without 'dot1x timeout tx-period', the switch sends EAP-Request/Identity only once every 30 seconds by default. The laptop's supplicant may not initiate the process if it doesn't receive a prompt.
Option B is correct because the switch must be configured to send EAP requests to start the authentication. Option A is incorrect because 'aaa new-model' is required for AAA but not the direct cause of the failure. Option C is incorrect because the switchport mode is not specified; 'switchport mode access' is typical but not the issue.
Option D is incorrect because the RADIUS server is reachable per the engineer's verification.
A network engineer runs the following command on Router R1:

    R1# show aaa sessions
    Total sessions since last reload: 5
    Session Id: 1
       Unique Id: 1
       User Name: admin
       IP Address: 10.1.1.100
       Idle Time: 0
       Timeout: 0
       Type: Login
       Method: RADIUS
    Session Id: 2
       Unique Id: 2
       User Name: jdoe
       IP Address: 10.1.1.101
       Idle Time: 120
       Timeout: 0
       Type: Login
       Method: LOCAL

Based on this output, what can be concluded?
The 'Method: LOCAL' for session 2 confirms local authentication.
Why this answer
The output shows two active AAA sessions. The first session (admin) uses RADIUS authentication, while the second (jdoe) uses local authentication. This indicates that the router is configured to fall back to local authentication when RADIUS is unavailable or for certain users.
The idle time for jdoe is 120 seconds, meaning the session has been idle for that long, but no timeout is configured.
A network engineer is configuring port security on a Cisco switch. The requirement is to allow only the first MAC address that appears on the port to be learned and to automatically disable the port if a violation occurs. The engineer configures 'switchport port-security mac-address sticky' but does not specify a maximum number of secure MAC addresses. After connecting a single host, the port works. However, when the host is replaced with a different device, the port is error-disabled. What is the most likely reason?
Correct because the default maximum is 1, and sticky learning does not change that.
Why this answer
The sticky command learns MAC addresses dynamically and stores them in the running configuration. By default, the maximum number of secure MAC addresses is 1. When a new device is connected, its MAC address is different, causing a violation.
The default violation mode is 'shutdown', which error-disables the port. Option A is correct because the sticky feature does not change the default maximum count. Option B is incorrect because sticky does not require a specific maximum; it uses the default.
Option C is incorrect because the violation mode is shutdown by default, not restrict. Option D is incorrect because aging is not configured and does not cause this behavior.
Which three statements about LACP (Link Aggregation Control Protocol) are true? (Choose three.)
Correct because LACP uses the Slow Protocols multicast address 0180.c200.0002.
Why this answer
LACP is an IEEE standard (802.3ad) that allows dynamic formation of EtherChannels. It uses LACPDUs to negotiate parameters, supports up to 16 links (8 active, 8 standby), and can detect mismatched parameters like speed or duplex. The 'active' mode initiates negotiation, while 'passive' waits.
A network engineer is implementing Cisco TrustSec (CTS) with Security Group Tags (SGTs) using SXP (SGT Exchange Protocol). The engineer configures the switch as an SXP speaker and the Cisco ISE as an SXP listener. The engineer verifies that SXP peers are established. However, when the engineer checks 'show cts role-based sgt map', the SGT mappings for users are not present. What is the most likely cause?
Correct because SXP propagates existing SGTs; if the switch has no mappings, nothing is sent.
Why this answer
SXP propagates SGTs from a speaker to a listener. If the switch is the speaker, it must have SGT mappings from authentication. If the switch does not have the mappings, it cannot propagate them.
Option B is correct because the switch must first learn SGTs via 802.1X or manual configuration. Option A is incorrect because SXP does not require a specific version. Option C is incorrect because the listener is ISE, which is correct.
Option D is incorrect because the peers are established.
Drag and drop each Cisco DNA Center workflow on the left to its matching component on the right.
Creates network profiles, site hierarchy, and IP address pools
Defines SGTs, scalable groups, and access contracts
Deploys configurations and fabric settings to network devices
Monitors network health, client experience, and application performance
Automates device onboarding, software image management, and compliance checks
Why these pairings
Design creates network profiles and site hierarchy, Policy defines SGTs and access contracts, Provision deploys configurations to devices, Assurance monitors network health, and Automation runs workflows like PnP and SWIM.
A network engineer runs the following command on Router R7:

    R7# show vrf brief
      Name          Default RD    Protocols    Interfaces
      Mgmt-intf     <not set>     ipv4,ipv6    GigabitEthernet0/0
      CUSTOMER-A    65001:100     ipv4         GigabitEthernet0/1.10
      CUSTOMER-B    65001:200     ipv4         GigabitEthernet0/1.20

Based on this output, what can be concluded?
The output shows CUSTOMER-B with interface GigabitEthernet0/1.20.
Why this answer
The output shows VRFs with route distinguishers and associated interfaces. VRF CUSTOMER-A and CUSTOMER-B are configured with specific RDs and interfaces.
Given the following Ansible playbook snippet:

    ---
    - name: Configure VLAN
      hosts: switches
      gather_facts: no
      tasks:
        - name: Create VLAN 100
          ios_vlan:
            vlan_id: 100
            name: Engineering
            state: present

Which statement is true about this playbook?
Correct. The module idempotently creates the VLAN with the specified name.
Why this answer
The ios_vlan module is used to manage VLANs on Cisco IOS switches. The 'state: present' ensures the VLAN exists. The module will create VLAN 100 with the name 'Engineering' if it does not already exist.
A network engineer runs the following command on Router R1:

    R1# show bgp ipv4 unicast summary | include 10.0.1.5
    10.0.1.5    4    65005    3456    3457    15    0    0    00:15:22    5

Based on this output, what can be concluded?
The number 5 in the State/PfxRcd column indicates 5 prefixes received, and the lack of a state word means the session is established.
Why this answer
The 'show bgp ipv4 unicast summary' output displays BGP neighbor status. The column 'Up/Down' shows '00:15:22', indicating the session has been established for 15 minutes and 22 seconds, not down. The last column shows '5', which under the 'PfxRcd' (Prefixes Received) column indicates the number of prefixes received from the neighbor.
Therefore, the session is up and has received 5 prefixes.
Exam trap
Cisco often tests the misinterpretation of the 'Up/Down' column, where candidates mistakenly read it as downtime instead of uptime, and the confusion between prefixes received (PfxRcd) and prefixes sent (PfxSent), which is not shown in this output.
How to eliminate wrong answers
Option A is wrong because the 'Up/Down' column value '00:15:22' represents the duration the session has been up, not down; a down session would show a different state or 'never'. Option C is wrong because the output shows a valid neighbor IP, AS number, and uptime, indicating the session is in the Established state, not Active; the Active state would not show prefixes received. Option D is wrong because the '5' in the output corresponds to prefixes received (PfxRcd), not sent; sent prefixes are not displayed in this summary output.
Drag and drop each leased line technology on the left to its matching speed on the right.
1.544 Mbps
2.048 Mbps
44.736 Mbps
155.52 Mbps
44.736 Mbps
Why these pairings
T1 runs at 1.544 Mbps, E1 at 2.048 Mbps, DS3 at 44.736 Mbps, and OC-3 at 155.52 Mbps. T3 is 44.736 Mbps (same as DS3).
A network engineer is configuring CoPP on a Cisco router to protect the control plane from excessive traffic. The engineer creates a class-map that matches traffic with a specific ACL that permits TCP port 22 (SSH) from a management subnet (192.168.1.0/24) and denies all other traffic. The CoPP policy applies a police rate of 1 Mbps to this class. After applying the policy, the engineer notices that SSH sessions from the management subnet are being dropped intermittently. The engineer checks the CoPP statistics and sees that the traffic rate is 500 kbps. What is the most likely cause?
Correct because if the conform-action is set to drop, all traffic in that class is dropped, even if it is within the police rate.
Why this answer
The correct answer is that the CoPP policy has a conform-action of drop, which drops all traffic matching the class, regardless of rate. Option B is incorrect because the traffic rate is below the police rate. Option C is incorrect because the ACL permits SSH from the management subnet.
Option D is incorrect because the CoPP policy is applied to the control plane, not an interface.
What is the maximum number of SPAN sessions that can be configured on a Cisco Catalyst 9300 switch?
The Catalyst 9300 supports a maximum of 34 SPAN sessions.
Why this answer
The Cisco Catalyst 9300 switch supports up to 34 SPAN sessions (including local SPAN, RSPAN, and ERSPAN).
Why this order
When a RADIUS server is unreachable, the device first tries the primary RADIUS server, then any backup RADIUS servers. If all RADIUS servers fail, the device falls back to the local database for authentication. This ensures redundancy.
Drag and drop each STP port role on the left to its matching definition on the right.
Best path from a non-root bridge to the root bridge
Best path for a LAN segment, forwards traffic
Alternate path to the root bridge (discarding in RSTP)
Backup path to a shared segment (discarding in RSTP)
Administratively shut down or not running STP
Why these pairings
Root port is the best path to the root bridge; Designated port is the best path for a segment; Alternate port provides an alternative path to the root bridge; Backup port provides a backup path to a shared segment.
What is the default OSPF hello interval on an Ethernet link?
The default OSPF hello interval on Ethernet (broadcast) links is 10 seconds.
Why this answer
OSPF uses a default hello interval of 10 seconds on broadcast and point-to-point links like Ethernet.
Drag and drop each OMP attribute on the left to its matching behavior on the right.
Indicates whether the route was learned from OMP, connected, static, or BGP/OSPF
Uniquely identifies the WAN edge site within the overlay
Defines the transport tunnel type (e.g., mpls, public-internet, biz-internet)
Used for path selection; higher preference is preferred over lower
Administrative label that can be used for policy matching and route filtering
Why these pairings
OMP uses attributes like origin, site-id, color, and preference to influence route selection and TLOC reachability.
A network engineer runs the following command on Router R4:

    R4# show mpls ldp neighbor
        Peer LDP Ident: 10.0.0.2:0; Local LDP Ident 10.0.0.1:0
            TCP connection: 10.0.0.2.646 - 10.0.0.1.54567
            State: Oper; Msgs sent/rcvd: 100/95; Downstream
            Up time: 00:15:30
            LDP discovery sources:
              GigabitEthernet0/0, Src IP addr: 10.0.0.2
            Addresses bound to peer LDP Ident:
              10.0.0.2        192.168.1.1

Based on this output, what can be concluded?
The discovery source shows GigabitEthernet0/0, confirming the session is via that interface.
Why this answer
The LDP session is operational (State: Oper) with a peer at 10.0.0.2. The discovery source is GigabitEthernet0/0, indicating the session is established over that interface. The peer has two addresses bound.
Drag and drop the steps of EIGRP stub configuration for hub-and-spoke into the correct order, from first to last.
Why this order
The correct order ensures that the spoke router first enters EIGRP configuration, then configures the stub feature, optionally restricts stub types, and finally applies the configuration. The hub router does not need stub configuration.
An engineer is configuring multicast on a Cisco router running IOS-XE. The network uses PIM sparse mode with a static RP at 10.1.1.1. The engineer enters the command 'ip pim rp-address 10.1.1.1' but multicast traffic is not being forwarded. Upon verification, the engineer sees that the RP is reachable via OSPF, but the 'show ip pim rp mapping' command does not list any RP for the group. What is the most likely cause?
Correct because the RP mapping requires an access-list to specify the groups; without it, the RP is not associated with any group.
Why this answer
The 'ip pim rp-address' command requires an access-list to specify which groups the RP serves. Without the access-list, the command is incomplete and the RP mapping is not applied, even though the RP is reachable.
A network engineer is configuring CoPP on a Cisco ASR 1000 router to protect the control plane from excessive traffic. The engineer wants to allow BGP traffic from a specific peer (10.0.0.1) while rate-limiting all other BGP traffic. The engineer creates an ACL that permits TCP port 179 from host 10.0.0.1 and denies all other BGP traffic. The CoPP class-map matches this ACL. However, after applying the policy, BGP sessions from other peers are still being established. What is the most likely reason?
Correct because CoPP only applies to traffic matched by the class-map; if the ACL denies traffic, it is not matched, and the default class (often permit) allows it.
Why this answer
The correct answer is that the ACL only matches traffic from the specific peer, but CoPP class-maps match traffic based on the ACL; if the ACL denies other BGP traffic, CoPP will not match it, and it will be processed by the default class, which may permit it. Option B is incorrect because the ACL order is not the issue. Option C is incorrect because BGP uses TCP port 179, not UDP.
Option D is incorrect because CoPP does not affect routing protocol sessions directly; it only polices traffic to the control plane.
Given the following configuration:

    policy-map MARKING_POLICY
     class CRITICAL_DATA
      set dscp af31
     class BULK_DATA
      set dscp af11
     class class-default
      set dscp default

What is the effect of the set dscp default command in the class-default?
DSCP default is 0, used for best-effort traffic.
Why this answer
The 'set dscp default' command explicitly sets the DSCP field to a value of 0, which corresponds to the default best-effort per-hop behavior (PHB) as defined in RFC 2474. This ensures that any traffic not matching the user-defined classes (CRITICAL_DATA or BULK_DATA) is marked with the lowest priority, which is the standard behavior for class-default in a marking policy.
Exam trap
Cisco often tests the misconception that 'default' means 'leave the original value unchanged' or that it refers to a specific high-priority default like voice, rather than the actual DSCP value of 0 for best-effort traffic.
How to eliminate wrong answers
Option B is wrong because 'set dscp default' does not preserve the original packet value; it overwrites the DSCP field with a fixed value of 0. Option C is wrong because DSCP 46 (EF) is the default for voice traffic, not the 'default' keyword, which maps to DSCP 0. Option D is wrong because class-default can indeed have a set action; it is a valid and common practice to mark all unmatched traffic with a specific DSCP value.
Which TWO STP features are used to improve convergence time after a topology change?
UplinkFast accelerates convergence after a direct link failure.
Why this answer
UplinkFast is correct because it enables a switch to immediately use an alternate root port when its current root port fails, bypassing the usual 30-second listening and learning delay. This is achieved by artificially lowering the bridge priority of the switch to trigger a topology change notification, allowing the backup port to transition directly to forwarding. BackboneFast is correct because it reduces convergence time by detecting indirect link failures in the backbone and allowing a switch to expire its Max Age timer (default 20 seconds) immediately, rather than waiting for the full timer to expire, thus speeding up the transition to a new root port.
Exam trap
Cisco often tests the distinction between features that improve convergence (UplinkFast, BackboneFast) versus features that provide security or edge-port behavior (Root Guard, BPDU Guard, PortFast), leading candidates to mistakenly select PortFast because it also speeds up initial port transition, but it does not react to topology changes.
A data center architect is designing a virtualized environment to host critical applications. The design must maximize performance by allowing virtual machines (VMs) to directly access physical CPU cores and memory without hypervisor overhead for latency-sensitive workloads. Which hypervisor configuration should be used?
NUMA pinning and CPU pinning reduce latency by ensuring VMs use local memory and dedicated cores, avoiding hypervisor scheduling delays.
Why this answer
Option C is correct because CPU pinning and NUMA pinning allow virtual machines to directly access dedicated physical CPU cores and memory nodes, eliminating hypervisor scheduling overhead and ensuring low-latency access to local memory. This configuration is essential for latency-sensitive workloads in a virtualized data center, as it provides near-bare-metal performance by avoiding resource contention and cross-NUMA memory access penalties.
Exam trap
Cisco often tests the misconception that hyper-threading or memory ballooning can improve performance for latency-sensitive workloads, when in fact these features are designed for resource efficiency and can introduce unpredictability or overhead.
How to eliminate wrong answers
Option A is wrong because enabling hyper-threading and overcommitting CPU resources increases contention for physical cores and introduces hypervisor scheduling overhead, which degrades performance for latency-sensitive workloads. Option B is wrong because a Type 2 hypervisor (e.g., VMware Workstation) runs on top of a host operating system, adding extra layers of abstraction and overhead that reduce performance and are unsuitable for data center critical applications. Option D is wrong because memory ballooning is a technique for reclaiming unused memory from VMs to allow overcommitment, but it does not provide direct memory access and can cause performance degradation due to balloon driver overhead and potential swapping.
A small business has a single router connected to the internet and a switch for the LAN. They want to implement VLANs to separate guest and corporate traffic. The router has only one physical interface to the switch. The network engineer proposes using subinterfaces with 802.1Q trunking on the router interface. Which configuration step is required on the switch port connected to the router?
A trunk port allows multiple VLANs via 802.1Q tagging, enabling the router subinterfaces to work.
Why this answer
The router uses subinterfaces with 802.1Q trunking to carry multiple VLANs over a single physical link. For this to work, the switch port connected to the router must be configured as a trunk port, which tags frames with VLAN IDs as they traverse the link. This allows the router to route between VLANs using its subinterfaces, each associated with a specific VLAN.
Exam trap
Cisco often tests the misconception that a switch port connecting to a router can remain as an access port or use DTP, but the key is that the router's subinterface requires 802.1Q-tagged frames, which only a statically configured trunk port can provide.
How to eliminate wrong answers
Option A is wrong because a routed port is a Layer 3 interface on a switch, used for routing between networks, not for carrying multiple VLANs over a single link; it would not support 802.1Q trunking. Option B is wrong because an access port belongs to a single VLAN and strips VLAN tags, which would prevent the router from receiving tagged frames for multiple VLANs, breaking the subinterface design. Option D is wrong because dynamic desirable is a DTP (Dynamic Trunking Protocol) mode used to negotiate trunking between Cisco switches, but it is not required or recommended for a router-to-switch connection; the router interface does not participate in DTP, so the switch port must be statically set as a trunk.
Drag and drop the steps of gRPC dial-in telemetry session from collector into the correct order, from first to last.
Why this order
The collector initiates the connection, authenticates, subscribes to specific YANG paths, receives streaming updates, and then processes the data.
Which three statements about RSPAN are true? (Choose three.)
Correct because the RSPAN VLAN is a special VLAN used exclusively for transporting mirrored packets across switches.
Why this answer
RSPAN uses a dedicated VLAN to transport mirrored traffic across switches. The RSPAN VLAN must be created on all switches in the path and should not be used for user traffic. Trunk ports carry the RSPAN VLAN, and the destination switch receives the traffic on an RSPAN destination port.
The RSPAN VLAN must not be pruned from trunks.
Drag and drop the steps of EtherChannel troubleshooting and verification into the correct order, from first to last.
Why this order
Troubleshooting begins with checking physical layer, then verifying protocol negotiation, inspecting bundle state, checking load balancing, and finally reviewing logs.
Drag and drop each RADIUS attribute on the left to its correct attribute number on the right.
Attribute 1
Attribute 4
Attribute 6
Attribute 8
Attribute 5
Why these pairings
RADIUS attribute numbers are standardized: User-Name is 1, NAS-IP-Address is 4, Service-Type is 6, Framed-IP-Address is 8, and NAS-Port is 5.
A network engineer runs the following command on Router R3:

    R3# show ip route ospf
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
           a - application route
           + - replicated route, % - next hop override

    Gateway of last resort is not set

          10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
    O IA     10.1.1.0/24 [110/20] via 192.168.1.1, 00:12:34, GigabitEthernet0/0
    O        10.2.2.0/24 [110/10] via 192.168.1.2, 00:15:22, GigabitEthernet0/0
    O E2     10.3.3.0/24 [110/20] via 192.168.1.3, 00:08:11, GigabitEthernet0/0

Based on this output, what can be concluded?
O E2 indicates an OSPF external route of type 2, typically redistributed from another routing protocol.
Why this answer
The route to 10.3.3.0/24 is marked as 'O E2' in the output, which stands for OSPF external type 2. This indicates that the route was redistributed into OSPF from another routing protocol or a different OSPF process, making it an external route. The 'E2' designation confirms it is an external route with a fixed metric that does not include the internal cost to the ASBR.
Exam trap
Cisco often tests the difference between OSPF external type 1 (E1) and type 2 (E2) routes, specifically that E2 routes do not include the internal cost to the ASBR, which is a common misconception that leads candidates to incorrectly select option C.
How to eliminate wrong answers
Option B is wrong because the route to 10.1.1.0/24 is marked as 'O IA' (OSPF inter-area), which means it originates from a different OSPF area than R3, not the same area. Option C is wrong because for an OSPF external type 2 (E2) route, the metric shown (20) is the external metric only and does not include the internal cost to the ASBR; that behavior is specific to external type 1 (E1) routes. Option D is wrong because R3 is simply receiving these OSPF routes; there is no indication in the output that R3 is redistributing routes into OSPF, which would be required for it to be an ASBR.
A network engineer is configuring NAT on a Cisco router to allow internal hosts to access the internet. The engineer uses the command ip nat inside source list 100 interface GigabitEthernet0/0 overload, where access list 100 permits only the 10.0.0.0/8 network. After testing, hosts in the 10.0.0.0/8 network can access the internet, but hosts in the 172.16.0.0/16 network cannot. The engineer verifies that the 172.16.0.0/16 hosts have connectivity to the router. What is the most likely cause?
Correct because the NAT configuration only translates traffic that matches the access list; hosts not in the list are not translated.
Why this answer
The access list used in the NAT command determines which inside local addresses are eligible for translation. If the access list does not include the 172.16.0.0/16 network, those hosts will not be translated and will not be able to reach the internet.
A company is deploying an SD-Access fabric with multiple sites connected via a WAN. The design must allow inter-site traffic to be forwarded without requiring a full mesh of VXLAN tunnels between all edge nodes. Which fabric role should be used to interconnect the sites?
Border nodes act as the gateway between the fabric and external networks, enabling inter-site connectivity.
Why this answer
A Fabric Border Node is the correct role because it acts as the gateway between the SD-Access fabric and external networks, including WAN connections. It performs Network-to-Network Interconnection (NNI) by translating VXLAN-encapsulated traffic into the appropriate WAN transport (e.g., IPsec, MPLS) and handles inter-site routing without requiring a full mesh of VXLAN tunnels between all Edge Nodes. This design leverages the Border Node to aggregate traffic and forward it over the WAN, reducing tunnel overhead and simplifying the fabric architecture.
Exam trap
Cisco often tests the misconception that a Fabric Edge Node can directly forward traffic between sites, but the trap here is that Edge Nodes only handle intra-site VXLAN tunnels and rely on Border Nodes for any traffic leaving the fabric site.
How to eliminate wrong answers
Option B is wrong because a Fabric Control Plane Node (using LISP/Map-Server) manages endpoint-to-location mappings and registration within a single fabric site; it does not forward data traffic or interconnect sites over a WAN. Option C is wrong because a Fabric Edge Node is responsible for attaching endpoints (wired/wireless) and encapsulating traffic into VXLAN tunnels within the same fabric site; it cannot directly forward traffic between different sites without a Border Node. Option D is wrong because there is no official 'Fabric WAN Controller' role in Cisco SD-Access; WAN integration is handled by the Fabric Border Node, which can be paired with external WAN controllers (e.g., vManage) but is not a separate fabric role.
A network engineer is configuring MPLS L3VPN on a Cisco IOS-XE PE router. The engineer creates a VRF named CUSTOMER_A with route-target import and export 100:1. After configuring the VRF on the interface connected to the CE router, the CE router can ping the PE's VRF interface IP, but cannot reach any remote VPNv4 routes. The BGP session between PE and route reflector is up. What is the most likely cause?
Correct because without this command, the PE does not redistribute VRF routes into VPNv4 or import VPNv4 routes into the VRF.
Why this answer
The CE router can ping the PE's VRF interface IP, confirming Layer 2 and VRF interface configuration are correct. However, the CE cannot reach remote VPNv4 routes, which indicates that the PE is not advertising or installing those routes into the VRF. The most likely cause is that the VRF CUSTOMER_A has not been activated under BGP using the 'address-family ipv4 vrf CUSTOMER_A' command, which is required to exchange IPv4 routes between the PE and CE within the VRF context and to redistribute them into MP-BGP for VPNv4 propagation.
Exam trap
Cisco often tests the misconception that a working BGP session to the route reflector and correct route-target values alone are sufficient for VPNv4 route exchange, when in fact the VRF must be explicitly activated under BGP to enable route advertisement and import.
How to eliminate wrong answers
Option A is wrong because the route-target import/export values (100:1) are configured on the PE, and the route reflector does not need matching route-targets; it only reflects VPNv4 routes based on the RTs attached to the routes, and the PE's import RT must match the export RT of the remote PE, not the route reflector. Option C is wrong because the CE router not having a default route pointing to the PE would affect reachability to remote networks from the CE, but the symptom is that the CE cannot reach remote VPNv4 routes at all, which is a routing advertisement issue on the PE, not a missing default route on the CE. Option D is wrong because the 'mpls ip' command is required on the PE's core-facing interfaces to enable MPLS forwarding, not on the interface facing the CE, which is a Layer 3 VRF interface that does not require MPLS encapsulation.
The explicit deny is unnecessary but not incorrect; the implicit deny already blocks all other traffic.

    interface GigabitEthernet0/0
     ip address 10.0.0.1 255.255.255.0
     ip nat outside
    !
    interface GigabitEthernet0/1
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
    !
    access-list 1 permit 192.168.1.0 0.0.0.255
    !
    ip nat inside source list 1 interface GigabitEthernet0/0 overload

What is the effect of this configuration?
Correct. The 'overload' keyword enables PAT, translating multiple inside hosts to a single outside IP.
A network engineer runs the following command on Router R1:

    R1# show access-lists
    Extended IP access list 101
        10 permit tcp host 10.1.1.1 host 192.168.1.100 eq 80 (4 matches)
        20 deny tcp any host 192.168.1.100 eq 80 (12 matches)
        30 permit ip any any (8 matches)

Based on this output, what can be concluded?
The first entry permits HTTP from 10.1.1.1 to 192.168.1.100, and the second denies all other HTTP to that host. The third entry permits all other traffic, but it does not override the deny for HTTP because ACLs are processed top-down until a match is found.
Why this answer
ACL 101 has three entries. The first permits HTTP from a specific host, the second denies HTTP from any source to that host, and the third permits all other IP traffic. The match counts show that 4 packets matched the permit, 12 matched the deny, and 8 matched the final permit.
The correct answer is that HTTP traffic from 10.1.1.1 to 192.168.1.100 is permitted, but all other HTTP traffic to that host is denied.
A network engineer issues the following command on Router R5:
```
R5# show ip pim interface
Interface              PIM  Nbrs   Hello  DR     DR
                            Count  Intvl  Prior
GigabitEthernet0/0     on   2      30     1      10.1.1.1
GigabitEthernet0/1     on   1      30     1      10.2.2.2
Loopback0              on   0      30     1      10.3.3.3
```
Based on this output, what can be concluded?
The DR column shows 10.1.1.1 for that interface.
Why this answer
The 'show ip pim interface' output shows that GigabitEthernet0/0 has 2 PIM neighbors, a hello interval of 30 seconds, DR priority of 1, and the DR is 10.1.1.1. GigabitEthernet0/1 has 1 neighbor and its DR is 10.2.2.2. Loopback0 has no neighbors and its DR is the router's own IP.
The correct answer is that the DR on GigabitEthernet0/0 is 10.1.1.1, which is not the local router (since the local router's IP is not shown, but it is likely different).
Why this order
First, you create the prefix-list or AS-path ACL to match routes. Then you define the route-map with match and set clauses. Next, you apply the route-map to a neighbor under the BGP address-family.
After that, you clear the BGP session to apply the policy. Finally, you verify the policy effect with show ip bgp.
What is the purpose of the 'police' command in a QoS policy-map?
Policing enforces a rate limit by dropping or remarking excess traffic.
Why this answer
The 'police' command in a Cisco QoS policy-map implements traffic policing, which enforces a rate limit by measuring traffic flow and taking immediate action—typically dropping or remarking packets—when the traffic exceeds the configured rate. Unlike shaping, policing does not buffer excess traffic; it acts on packets in real time, making it ideal for marking down or discarding non-compliant traffic at the ingress or egress of an interface.
Exam trap
Cisco often tests the distinction between policing and shaping—the trap here is that candidates confuse 'police' with 'shape' because both limit traffic rates, but policing drops/remarks without buffering, while shaping queues and delays excess traffic.
How to eliminate wrong answers
Option A is wrong because shaping (not policing) buffers excess packets to smooth traffic to a specific rate; the 'police' command drops or remarks, not buffers. Option C is wrong because strict priority queuing is configured with the 'priority' command within a class, not with 'police'; policing controls rate, not queue scheduling. Option D is wrong because traffic classification based on IP precedence or DSCP is done with the 'class-map' and 'match' commands, not with the 'police' action; policing is applied after classification.
Which two statements about 802.1X authentication process are true? (Choose two.)
Correct because the supplicant (client) typically initiates 802.1X by sending an EAPOL-Start frame to the authenticator.
Why this answer
In 802.1X, the supplicant (client) initiates the session by sending an EAPOL-Start, or the authenticator (switch) can send an EAP-Request/Identity to prompt the client. The RADIUS server is the authentication server that validates credentials and sends an EAP-Success or EAP-Failure. The authenticator does not perform the actual authentication; it only relays EAP frames.
Drag and drop each DHCP option on the left to its matching purpose on the right.
Provides vendor-specific information such as TFTP server address
Identifies the vendor class of the DHCP client
Carries relay agent information for DHCP snooping
Specifies the TFTP server name
Specifies the TFTP server IP address for Cisco phones
Why these pairings
Option 43 provides vendor-specific info; Option 60 identifies vendor class; Option 82 is relay agent information.
An engineer configures IP SLA 50 to monitor the response time of a TCP connection to a server at 10.1.1.1 on port 80. The operation is used to trigger a backup path. The engineer notices that the IP SLA operation shows 'State: Active' and 'Latest RTT: 100 ms', but the server is actually down and not responding to TCP SYN packets. What is the most likely reason?
Correct. If a network device intercepts the TCP handshake and responds, the IP SLA probe will consider the connection successful even if the actual server is down.
Why this answer
The TCP connect probe only checks if the TCP three-way handshake completes. If the server is down but a stateful firewall or load balancer responds to the SYN with a SYN-ACK, the probe will succeed even if the server is down.
Drag and drop the Ansible Tower (AWX) job template execution steps into the correct order, from first to last.
Why this order
Ansible Tower job template execution starts with launching the job template; then, Tower provisions an isolated execution environment; next, it checks out the project from the source control; after that, it runs the playbook against the specified inventory; finally, it collects and displays job results and logs.
Which three statements about virtual machine (VM) resource allocation and overcommitment are true? (Choose three.)
Correct because hypervisors can use techniques like ballooning to overcommit memory.
Why this answer
Memory overcommitment allows more total vRAM than physical RAM. CPU overcommitment is common and can be managed. Overcommitment can cause performance issues if resources are oversubscribed.
Storage is not typically overcommitted in the same manner as CPU/memory.
```
interface GigabitEthernet0/2
 spanning-tree link-type point-to-point
end
```
What is the effect of this configuration?
RSTP uses point-to-point links for rapid convergence.
Why this answer
This manually sets the link type to point-to-point, which enables Rapid Spanning Tree (RSTP) fast transitions on that port.
Drag and drop the steps of the PPDIOO network lifecycle into the correct order, from first to last.
Why this order
The PPDIOO lifecycle defines six phases: Prepare, Plan, Design, Implement, Operate, and Optimize. This order ensures a structured approach from initial requirements gathering through ongoing improvement.
Drag and drop each SNMP component on the left to its matching role on the right.
Network management station that polls agents
Software running on the managed device
Database of managed objects
Unique identifier for a managed object
Authentication string for v1/v2c
Why these pairings
Manager is the NMS; agent runs on the device; MIB is the database; OID identifies a specific variable.
Drag and drop each BGP path selection criterion on the left to its correct order of preference (1 = highest priority) on the right.
1
2
3
4
5
Why these pairings
Weight (highest) is checked first, then LOCAL_PREF (highest), then locally originated routes, then AS_PATH length (shortest), then ORIGIN (IGP > EGP > incomplete).
An engineer is configuring MPLS L3VPN with BGP as the PE-CE protocol. The customer uses eBGP between CE and PE. The engineer notices that the CE router is not receiving any VPN routes from the PE. The 'show bgp vpnv4 unicast all' on the PE shows the routes as valid and best. What is the most likely missing configuration?
Correct because without redistribution, the PE does not advertise VPN routes to the CE via eBGP.
Why this answer
In MPLS L3VPN, when using eBGP between PE and CE, the PE must redistribute BGP routes into the VRF BGP process. This is done using the 'redistribute bgp' command under the VRF address-family. Option A is correct.
Option B is wrong because the routes are already in BGP; Option C is wrong because the session is up; Option D is wrong because the VRF is configured.
Which three statements about Cisco QoS policing and shaping are true? (Choose three.)
Correct because policing can set a new DSCP or CoS value for out-of-profile traffic.
Why this answer
Policing drops or re-marks traffic exceeding a rate, while shaping buffers excess traffic. Policing is typically applied inbound, shaping outbound. Option A is correct because policing can mark down traffic (e.g., set DSCP to 0) when the rate is exceeded.
Option B is correct because shaping buffers traffic to smooth bursts, reducing drops. Option C is correct because both use a token bucket model to measure conformance. Option D is incorrect because policing does not buffer; it drops or re-marks.
Option E is incorrect because shaping is applied on egress, not ingress.
Drag and drop each data encoding format on the left to its matching use case on the right.
Lightweight data interchange for REST APIs
Structured data format used in NETCONF messages
Human-readable format for configuration files
Binary serialization for high-performance systems
Examine the following interface configuration on a Cisco IOS-XE switch:
```
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
```
What is the effect of this configuration?
Correct. 'violation restrict' drops frames from unknown MACs without disabling the port.
Why this answer
This configuration enables port security with sticky MAC learning, allowing up to 2 MAC addresses, and sets the violation mode to restrict (drops offending traffic but does not shut down the port).
An enterprise uses VRF-lite to isolate guest Wi-Fi traffic from corporate traffic on a Cisco Catalyst 9300 switch. The guest VRF (GUEST) is configured on VLAN 100, and the corporate VRF (CORP) on VLAN 200. Both VRFs use the same default gateway router connected via a trunk. The engineer notices that guest devices can reach the internet but cannot access the guest captive portal hosted on a server in VLAN 100. The server's IP is reachable from the switch itself. What is the issue?
Correct because if the guest wireless clients and the captive portal server are in different VLANs but both in the GUEST VRF, the switch must have an SVI for each VLAN in the GUEST VRF and routing must be enabled. Without proper VRF-aware routing, packets are dropped.
Why this answer
The issue is that the guest captive portal server resides in VLAN 100, but the guest wireless subnet is likely in a different VLAN or subnet within the GUEST VRF. Since VRF-lite provides separate routing tables, inter-VLAN routing within the same VRF must be explicitly configured (e.g., using SVIs with 'ip routing' and proper VRF forwarding). The switch can reach the server because it is directly connected, but guest devices cannot because their traffic is not routed between the wireless subnet and the server's VLAN within the GUEST VRF.
Exam trap
Cisco often tests the misconception that simply placing devices in the same VLAN guarantees connectivity, ignoring that VRF-lite requires explicit inter-VLAN routing configuration within each VRF, even if the VLANs are on the same switch.
How to eliminate wrong answers
Option B is wrong because the trunk must be allowing VLAN 100 for the guest devices to reach the internet through the router, which they can, so VLAN 100 is allowed. Option C is wrong because route-target export is used in MPLS VPNs for BGP route distribution, not required for VRF-lite which uses local routing and does not need route-target commands. Option D is wrong because the captive portal server's default gateway pointing to the corporate VRF would cause it to be unreachable from the guest VRF entirely, but the switch can reach it, indicating the server's gateway is correctly in the GUEST VRF.
Drag and drop each VNF category on the left to its matching example on the right.
Cisco CSR 1000v
Cisco Firepower NGFWv
F5 BIG-IP Virtual Edition
Cisco vWAAS
Cisco Firepower NGIPSv
Why these pairings
VNFs replace physical appliances; common examples include virtual routers, firewalls, and load balancers.
A network engineer runs the following command on Router R5:
```
R5# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
udp 192.0.2.20:1234    10.0.0.20:1234     203.0.113.1:53     203.0.113.1:53
tcp 192.0.2.20:5678    10.0.0.20:5678     198.51.100.1:80    198.51.100.1:80
```
Based on this output, what can be concluded?
Same inside global IP with different ports indicates PAT.
Examine the following configuration snippet:
```
interface GigabitEthernet0/1
 ip access-group FILTER_IN in
!
ip access-list extended FILTER_IN
 deny icmp any any echo
 permit ip any any
```
What is the effect of this configuration?
The deny statement matches ICMP Echo (ping request) and the permit statement allows all other traffic.
Correct. K1=1 (bandwidth), K2=1 (load), K3=1 (delay), K4=0, K5=0.
Why this answer
The 'metric weights' command in EIGRP allows you to modify the K values used in the composite metric calculation. The syntax is 'metric weights tos k1 k2 k3 k4 k5'. Here, the values are 0 1 1 1 0 0, meaning k1 (bandwidth) = 1, k2 (load) = 1, k3 (delay) = 1, k4 (reliability) = 0, k5 (MTU) = 0.
This results in the metric using bandwidth, load, and delay, while ignoring reliability and MTU. Option A correctly describes this effect.
Exam trap
Cisco often tests the exact mapping of the 'metric weights' command arguments to K values, and the trap here is that candidates confuse the order or assume that a value of 0 disables the entire metric calculation rather than just that specific component.
How to eliminate wrong answers
Option B is wrong because the 'metric weights' command does not disable metric calculation or set a fixed metric; it customizes the K values used in the composite metric formula. Option C is wrong because it states that only bandwidth and delay are used, but the configuration includes k2=1, which includes load in the calculation. Option D is wrong because the default K values are 1,0,1,0,0 (k1=1, k2=0, k3=1, k4=0, k5=0), but the given command sets k2=1, which deviates from the default.
Drag and drop the steps of SR-IOV configuration for VM network bypass into the correct order, from first to last.
Why this order
The configuration begins with enabling SR-IOV in the BIOS, then creating virtual functions, assigning them to the VM, and finally installing drivers inside the VM.
Drag and drop the steps of CBWFQ and LLQ queue servicing into the correct order, from first to last.
Why this order
LLQ is serviced before any CBWFQ queues to ensure low-latency traffic. Within CBWFQ, queues are serviced in a weighted round-robin fashion based on bandwidth allocation. The default queue is serviced last.
Drag and drop each traffic direction on the left to its correct SPAN keyword on the right.
rx keyword
tx keyword
both keyword
rx keyword
tx keyword
Why these pairings
Ingress traffic is monitored with the 'monitor session source interface x/x rx' keyword; egress with 'tx'; both directions with 'both'.
Based on the exhibit, which traffic will be permitted outbound on GigabitEthernet0/0?
The ACL permits www and https.
Why this answer
The exhibit shows an access control list (ACL) applied outbound on GigabitEthernet0/0. The ACL permits TCP traffic from source 192.168.1.0/24 to any destination with a destination port of 80 (HTTP) or 443 (HTTPS). Therefore, only HTTP and HTTPS traffic from the 192.168.1.0/24 network is permitted outbound.
Exam trap
Cisco often tests the implicit deny any at the end of an ACL, leading candidates to assume that traffic not explicitly denied is permitted, when in fact only explicitly permitted traffic is allowed.
How to eliminate wrong answers
Option B is wrong because ICMP traffic is not TCP and does not match the permit statement for TCP ports 80 and 443; ICMP would be implicitly denied by the ACL's implicit deny any at the end. Option C is wrong because FTP traffic uses TCP ports 20 and 21, which are not permitted by the ACL's permit statement for ports 80 and 443. Option D is wrong because SSH traffic uses TCP port 22, which is not permitted by the ACL's permit statement for ports 80 and 443.
Consider the following Python script that uses the requests library to delete a VLAN via RESTCONF on a Cisco IOS-XE device:
```python
import requests
from requests.auth import HTTPBasicAuth

# RESTCONF URL targeting the VLAN 10 resource
url = 'https://192.168.1.1/restconf/data/Cisco-IOS-XE-native:native/vlan=10'
headers = {
    'Accept': 'application/yang-data+json',
    'Content-Type': 'application/yang-data+json'
}
auth = HTTPBasicAuth('admin', 'cisco')

# verify=False disables TLS certificate validation for this request
response = requests.delete(url, headers=headers, auth=auth, verify=False)
print(response.status_code)
```
What is the expected outcome if the VLAN 10 exists?
The DELETE method removes the specified resource.
Why this answer
A DELETE request to the VLAN resource will remove VLAN 10 from the device configuration.
Drag and drop the steps of configuring model-driven telemetry with gRPC on a Cisco IOS-XE device into the correct order, from first to last.
Why this order
First, enable telemetry and define the destination. Then, create a subscription with a sensor path. Next, set the update policy.
Finally, verify the telemetry data is being sent.
Drag and drop the steps of IKEv2 fragmentation and DPD keepalive process into the correct order, from first to last.
Why this order
During IKEv2, if the IKE packet exceeds the MTU, the sender fragments it into smaller pieces. The receiver reassembles the fragments into the original packet. After the IKE SA is established, the peers send Dead Peer Detection (DPD) keepalives to verify connectivity.
If no response is received, the peer retransmits the DPD. After multiple failures, the peer declares the SA dead and deletes it.
A network engineer is designing a WAN connection for a branch office that requires high availability and bandwidth aggregation. The branch has two internet connections from different ISPs. The engineer wants to use both links actively for load balancing and failover. Which design approach should be used?
Correct because SD-WAN is designed to utilize multiple WAN links simultaneously, providing load balancing and failover based on application policies.
Why this answer
SD-WAN is the correct design because it natively supports active/active utilization of multiple WAN links with policy-based load balancing, allowing traffic to be distributed across both ISP connections based on application policies, SLA metrics, or other criteria. It also provides seamless failover by dynamically rerouting traffic if one link fails, meeting the requirements for high availability and bandwidth aggregation without relying on a single active link.
Exam trap
Cisco often tests the misconception that BGP multipath or static routes with HSRP can achieve active/active load balancing, but these methods either require complex tuning or are inherently active/passive, failing to meet the policy-based and application-aware requirements that SD-WAN uniquely addresses.
How to eliminate wrong answers
Option B is wrong because static routes with different metrics and HSRP are designed for active/passive failover, not active/active load balancing; HSRP operates at Layer 2 for gateway redundancy and does not distribute traffic across multiple WAN links. Option C is wrong because BGP best path selection selects only a single best path per prefix by default, and while BGP can be tuned for load balancing with features like multipath, it does not inherently provide policy-based load balancing or application-aware traffic steering like SD-WAN. Option D is wrong because implementing a VPN tunnel using only one link defeats the purpose of using both links for load balancing and failover, leaving the branch dependent on a single connection.
Drag and drop the steps of Cisco IOS-XE mdt subscription via CLI configuration into the correct order, from first to last.
Why this order
The CLI configuration begins by entering global config, defining the receiver, setting the subscription parameters, applying the subscription, and verifying it.
Which two statements about RESTCONF are true? (Choose two.)
Correct because RESTCONF maps to standard HTTP methods.
Why this answer
The correct answers are B and D. B is correct because RESTCONF uses HTTP methods like GET, PUT, POST, DELETE, and PATCH. D is correct because RESTCONF supports both JSON and XML encoding.
A is incorrect because RESTCONF uses HTTP, not SSH. C is incorrect because RESTCONF is not a replacement for NETCONF; they are different protocols. E is incorrect because RESTCONF does not use remote procedure calls (RPCs) in the same way as NETCONF; it uses RESTful operations.
Examine this configuration:
```
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa accounting exec default start-stop group tacacs+
line vty 0 4
 login authentication default
 privilege level 15
```
What is missing to ensure that VTY users are authenticated via TACACS+?
Correct. To authenticate via TACACS+, the method list must specify 'group tacacs+' as the primary method.
Why this answer
The authentication method list 'default' uses local authentication. To use TACACS+, the method list must include 'group tacacs+' before 'local'. The current configuration only uses local.
Which two statements about IPsec IKEv2 are true? (Choose two.)
Correct because IKEv2 uses UDP 500 and 4500 for NAT-T.
A network engineer is troubleshooting a performance issue between two hosts connected to a Cisco Catalyst 3850 switch. The engineer wants to capture all traffic sent and received by Host A (Gi1/0/1) and send it to a monitoring station connected to Gi1/0/24. The engineer configures 'monitor session 1 source interface Gi1/0/1 both' and 'monitor session 1 destination interface Gi1/0/24'. However, the monitoring station receives only traffic sent by Host A, not traffic received. What is the most likely cause?
Correct; when the destination port is in the same VLAN as the source, the switch may drop the replicated frames to prevent loops, especially if the destination port is also in the forwarding path.
Why this answer
The 'both' keyword should capture both directions, but on some platforms, the destination port must be explicitly configured to allow ingress traffic for received traffic to be copied. The correct answer is that the destination port is not configured with 'monitor session 1 destination interface Gi1/0/24 ingress untagged' or similar, but the question focuses on a common misconfiguration: the destination port is in the same VLAN as the source, causing loops or filtering. Actually, the most common cause is that the source interface is configured as 'both' but the switch does not support egress SPAN on that interface without additional configuration.
However, the best answer here is that the source interface is an access port and the destination port is in a different VLAN, and the SPAN session does not copy traffic from the source VLAN. But the scenario says both hosts are in the same VLAN. The correct answer is that the destination port is not configured to allow the SPAN traffic to be sent out; actually, the issue is that the destination port is in the same VLAN as the source, and the switch may drop the copied frames due to loop prevention.
The most accurate answer: The engineer must ensure the destination port is not in the same VLAN as the source, or use a remote SPAN (RSPAN) VLAN. But the question asks for the cause. The cause is that the destination port is in the same VLAN as the source, and the switch's loop detection drops the copied frames.
So the correct answer is that the destination port is in the same VLAN as the source interface, causing the switch to drop the replicated traffic.
Which two statements about Type 1 and Type 2 hypervisors are true? (Choose two.)
Correct because Type 1 hypervisors run directly on the hardware, allowing direct resource access.
Why this answer
Type 1 hypervisors run directly on hardware and are commonly used in data centers; Type 2 hypervisors run on a host OS and are often used for testing or desktop virtualization. Option A is correct because Type 1 hypervisors have direct access to hardware resources, which improves performance. Option D is correct because Type 2 hypervisors rely on the host OS for resource management, adding overhead.
Option B is incorrect because Type 2 hypervisors do not run directly on hardware. Option C is incorrect because Type 1 hypervisors do not require a host OS. Option E is incorrect because Type 1 hypervisors can support multiple VMs, not just one.
Drag and drop each telemetry model on the left to its matching push type (dial-in or dial-out) on the right.
Collector initiates connection to the device
Device initiates connection to the collector
Device streams data to collector
Device sends data to collector
Device sends unsolicited data to collector
Why these pairings
Dial-in models require the collector to initiate the connection (e.g., gRPC dial-in). Dial-out models let the network device push data to the collector (e.g., gRPC dial-out, NETCONF YANG-push).
Drag and drop the Ansible Vault encryption and decryption steps into the correct order, from first to last.
Why this order
Ansible Vault encryption starts with creating a password file; then, encrypting a plaintext file with ansible-vault encrypt; next, viewing the encrypted content with ansible-vault view; after that, decrypting the file for editing with ansible-vault decrypt; finally, re-encrypting after modifications.
```
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
!
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha
 group 14
 lifetime 86400
!
crypto isakmp key cisco123 address 203.0.113.2
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TSET
 match address 100
!
interface GigabitEthernet0/0
 crypto map CMAP
!
access-list 100 permit ip 10.0.0.0 0.0.0.3 10.0.0.4 0.0.0.3
```
What is the effect of this configuration?
Correct. The tunnel mode ipsec ipv4 and crypto map create a secure tunnel, and the ACL matches the tunnel subnets.
Why this answer
The configuration sets up a site-to-site IPsec VPN using a tunnel interface with IPsec protection. The crypto map is applied to the physical interface, and the access list defines interesting traffic between the two /30 subnets (10.0.0.0/30 and 10.0.0.4/30). This is a valid configuration for a DMVPN or static VTI, but note that the tunnel mode is 'ipsec ipv4' which is used for IPsec VTI (Virtual Tunnel Interface) and requires a crypto map on the physical interface to protect the tunnel.
The access list correctly matches the tunnel networks.
Drag and drop each SD-WAN controller on the left to its matching function on the right.
Centralized management, monitoring, and GUI dashboard
Control plane policy distribution and OMP route propagation
First point of contact for device authentication and NAT discovery
WAN edge router running Viptela OS
WAN edge router running IOS-XE with SD-WAN features
Why these pairings
vManage provides centralized management and monitoring; vSmart distributes control plane policies and OMP routes; vBond authenticates and orchestrates initial device onboarding and NAT traversal.