CCNA Virtualization Questions

22 questions · Virtualization topic · All types, answers revealed

1
Multi-Select · easy

Which TWO of the following are benefits of using network virtualization with VXLAN? (Choose two.)

Select 2 answers
A. Enables Layer 2 extension across Layer 3 boundaries.
B. Eliminates the need for STP by using a centralized controller.
C. Uses only multicast for control plane learning.
D. Supports up to 16 million logical networks.
E. Provides native encryption for data in transit.
Answers: A, D

VXLAN tunnels Layer 2 over Layer 3.

Why this answer

VXLAN encapsulates Layer 2 frames in UDP packets over IP, allowing Layer 2 segments to be stretched across Layer 3 networks. This enables virtual machine mobility and multi-tenant environments without being constrained by physical network boundaries.

Exam trap

Cisco often tests the misconception that VXLAN eliminates STP or provides native encryption, but VXLAN is an overlay technology that still relies on the underlay network's STP and does not include encryption by default.

2
MCQ · medium

A network engineer is troubleshooting connectivity issues in a multi-tenant environment where each tenant's traffic is isolated using VRF-Lite. The engineer notices that tenants in the same VRF cannot communicate with each other across different access switches. Which design change should be implemented to enable inter-switch VRF communication?

A. Use the same VLAN for all tenants and rely on VLAN ACLs.
B. Create trunk links with 802.1Q subinterfaces on each switch and assign each subinterface to the appropriate VRF.
C. Configure static routes on each switch pointing to the next-hop IP in the global routing table.
D. Enable OSPF with a single area on all switches and redistribute between VRFs.
Answer: B

This allows per-VRF routing across switches.

Why this answer

Option B is correct because VRF-Lite requires 802.1Q trunking to extend Layer 3 VRF boundaries across switches. By creating subinterfaces on trunk links and assigning each subinterface to the appropriate VRF, traffic from the same VRF on different switches can be routed through the VRF-specific routing table, enabling inter-switch communication while maintaining isolation.

Exam trap

Cisco often tests the misconception that VRF-Lite can use the global routing table for inter-switch communication, but the trap here is that VRF-Lite requires explicit Layer 3 subinterfaces on trunk links to extend VRF boundaries, not just VLANs or static routes in the global table.

How to eliminate wrong answers

Option A is wrong because using the same VLAN for all tenants with VLAN ACLs does not provide Layer 3 VRF isolation; it only filters at Layer 2/3 within the global routing table, breaking the multi-tenant separation required. Option C is wrong because static routes in the global routing table would bypass VRF isolation, mixing tenant traffic and defeating the purpose of VRF-Lite. Option D is wrong because OSPF with redistribution between VRFs is complex and not supported in VRF-Lite without additional protocols like MP-BGP; VRF-Lite relies on static or connected routes within each VRF, not dynamic routing redistribution.

3
MCQ · hard

An organization is migrating from a traditional three-tier architecture to a leaf-spine fabric using VXLAN EVPN. The design requires that virtual machines can move between racks without IP address changes. Which technology must be enabled at the leaf switches to support this mobility?

A. Overlay Transport Virtualization (OTV).
B. VXLAN with EVPN control plane.
C. VRF-Lite with route redistribution.
D. MPLS L3VPN with BGP.
Answer: B

Provides Layer 2 overlay over Layer 3 underlay, enabling VM mobility.

Why this answer

VXLAN with EVPN control plane (B) is correct because it provides a Layer 2 overlay network that extends VLANs across the leaf-spine fabric, enabling virtual machine mobility without IP address changes. EVPN uses BGP to distribute MAC and IP address information, allowing the leaf switches to learn and forward traffic to VMs regardless of their physical location, which is essential for seamless VM migration between racks.

Exam trap

Cisco often tests the distinction between Layer 2 extension technologies (VXLAN EVPN) and Layer 3 VPNs (MPLS L3VPN), leading candidates to mistakenly choose MPLS L3VPN because it also uses BGP, but it cannot support Layer 2 mobility without IP changes.

How to eliminate wrong answers

Option A is wrong because Overlay Transport Virtualization (OTV) is a Cisco proprietary technology designed for interconnecting data centers over Layer 3 networks, not for intra-fabric VM mobility within a single leaf-spine architecture. Option C is wrong because VRF-Lite with route redistribution provides Layer 3 segmentation and routing but does not support Layer 2 extension or MAC mobility required for VM migration without IP changes. Option D is wrong because MPLS L3VPN with BGP is a Layer 3 VPN technology that operates at Layer 3 and cannot extend Layer 2 domains, making it unsuitable for preserving IP addresses during VM moves.

4
Multi-Select · easy

Which THREE of the following are components of a Cisco ACI fabric? (Choose three.)

Select 3 answers
B. Spine switch
C. Router
D. APIC controller
E. Leaf switch
Answers: B, D, E

Spine switches form the fabric backbone.

Why this answer

The spine switch is a core component of a Cisco ACI fabric, forming the spine-leaf topology. Spine switches provide high-speed, non-blocking connectivity between leaf switches and handle all east-west traffic, relying on IS-IS as the routing protocol for fabric discovery and forwarding.

Exam trap

Cisco often tests the distinction between native fabric components (spine, leaf, APIC) and external devices (firewall, router) that can be integrated but are not part of the fabric itself, leading candidates to mistakenly include them as fabric components.

5
Drag & Drop · medium

Drag and drop the steps to configure OSPF on a Cisco router in the correct order.

Why this order

OSPF configuration starts with enabling the OSPF process, then defining networks and areas.

6
Drag & Drop · medium

Drag and drop the steps to configure a site-to-site IPsec VPN on a Cisco router in the correct order.

Why this order

IPsec VPN setup requires IKE phase 1, then phase 2 (transform set and crypto map).

7
MCQ · easy

An enterprise uses VMware vSphere to host multiple virtual machines (VMs). The network team wants to implement a virtual firewall on the hypervisor to inspect traffic between VMs on the same ESXi host. Which technology should be used?

A. Use VXLAN to encapsulate traffic and send it to a firewall.
B. Deploy a virtual firewall on a vSphere Distributed Switch with a private VLAN.
C. Use a vSphere Standard Switch and configure port mirroring.
D. Deploy a physical firewall and route all VM traffic through it.
Answer: B

Private VLAN can redirect traffic to the virtual firewall.

Why this answer

Option B is correct because deploying a virtual firewall on a vSphere Distributed Switch (VDS) with a private VLAN (PVLAN) allows the firewall to inspect east-west traffic between VMs on the same ESXi host without sending traffic off the host. The VDS supports PVLANs to isolate VM traffic and redirect it to the virtual firewall for inspection, enabling granular security within the hypervisor.

Exam trap

Cisco often tests the distinction between monitoring tools (port mirroring) and inline security appliances (virtual firewalls), leading candidates to mistakenly choose port mirroring for traffic inspection instead of a solution that can actually enforce policies.

How to eliminate wrong answers

Option A is wrong because VXLAN is an overlay encapsulation protocol used for network virtualization and extending Layer 2 segments across Layer 3 boundaries, not for directing intra-host VM traffic to a firewall; it adds unnecessary overhead and complexity for local inspection. Option C is wrong because port mirroring on a vSphere Standard Switch copies traffic to a monitoring port but does not allow inline inspection or filtering; it is used for monitoring, not for enforcing firewall policies. Option D is wrong because deploying a physical firewall requires all VM traffic to be routed off the host, which defeats the purpose of hypervisor-level inspection and introduces latency and bandwidth constraints for east-west traffic.

8
MCQ · hard

An engineer configures VXLAN EVPN on a Nexus 9000 switch. The configuration is shown. The switch does not advertise any EVPN routes for VNI 10100. Which configuration change is required to fix this issue?

A. Configure "evpn" and "vni 10100 l2" under the BGP address-family l2vpn evpn.
B. Remove the mcast-group from the NVE member, because EVPN uses BGP for control plane.
C. Change the source-interface to a physical interface.
D. Add an IP address to the VLAN 100 interface in the default VRF.
Answer: A

The VNI must be activated under evpn for route advertisement.

Why this answer

Option A is correct because for VXLAN EVPN on a Nexus 9000, the BGP address-family l2vpn evpn must explicitly contain the 'evpn' keyword and the 'vni 10100 l2' command to advertise Layer 2 VNI routes. Without this configuration, BGP does not know to inject the VNI's MAC/VTEP information into the EVPN route table, so no EVPN routes are advertised for VNI 10100.

Exam trap

Cisco often tests the distinction between the NVE interface configuration (which enables VXLAN encapsulation) and the BGP EVPN address-family configuration (which enables route advertisement), leading candidates to mistakenly focus on NVE or interface settings instead of the missing BGP VNI injection.

How to eliminate wrong answers

Option B is wrong because removing the mcast-group from the NVE member would break BUM traffic replication in multicast mode, but the issue is about EVPN route advertisement, not data-plane flooding; EVPN uses BGP for control plane, but the mcast-group is still needed for multicast-based BUM traffic. Option C is wrong because changing the source-interface to a physical interface is not required; a loopback interface is the recommended source for NVE to ensure stability and is not the cause of missing EVPN routes. Option D is wrong because adding an IP address to VLAN 100 interface in the default VRF is unrelated to EVPN route advertisement; VLAN 100 is the Layer 2 VLAN associated with VNI 10100, but its SVI IP is only needed for Layer 3 VNI or gateway functionality, not for advertising EVPN routes.

9
MCQ · medium

A network engineer is troubleshooting a Cisco IOS-XE router that hosts multiple virtual routing and forwarding (VRF) instances. Users in VRF-A report they cannot reach a server in VRF-B. The engineer verifies that both VRFs have the correct routes and that the router has a route leaking configuration using route-target import/export. However, connectivity still fails. What is the most likely cause?

A. The router does not have iBGP configured between the VRFs.
B. The route-target export is not configured in VRF-A.
C. The router is using VRF-lite, which does not support route leaking.
D. The import map is missing in VRF-B.
Answer: D

An import map is required to selectively import routes from VRF-A into VRF-B.

Why this answer

Option D is correct because route leaking between VRFs using route-target import/export requires both an export configuration on the source VRF and an import configuration on the destination VRF. If VRF-B lacks an import map (or the route-target import statement), it will not accept the routes exported from VRF-A, even if VRF-A has the correct export configuration. This is a common misconfiguration in MPLS L3VPN or VRF-lite route leaking scenarios.

Exam trap

Cisco often tests the misconception that route-target export alone is sufficient for route leaking, but the import configuration on the receiving VRF is equally mandatory.

How to eliminate wrong answers

Option A is wrong because iBGP is not required for VRF route leaking; route leaking can be achieved via static routes, route-replicate, or route-target import/export without any BGP session between VRFs. Option B is wrong because the issue is that VRF-B cannot receive the routes; if VRF-A had no export configuration, the routes would not be advertised at all, but the engineer verified correct routes in both VRFs, implying export is present. Option C is wrong because VRF-lite fully supports route leaking using route-target import/export or other methods like route-replicate; the statement that VRF-lite does not support route leaking is false.

10
MCQ · hard

A network engineer configured VRF TENANT_A and moved the subinterfaces into the VRF. After the change, the CEF table shows the prefixes but the next-hop addresses are unreachable. What is the most likely cause?

A. LISP is not configured to map the virtual network.
B. The next-hop IP addresses are in the global routing table, not in the VRF.
C. OSPF is not redistributing the routes into the VRF.
D. The physical interface is not configured as a trunk.
Answer: B

Next-hops must be in the same VRF to be reachable.

Why this answer

When subinterfaces are moved into a VRF, the CEF table for that VRF will contain the learned prefixes, but the next-hop addresses must also be reachable within the same VRF. If the next-hop IP addresses reside in the global routing table instead of the VRF, the VRF will have no route to those next hops, causing them to be marked as unreachable. This is a common misconfiguration where the next-hop adjacency is not established within the VRF context.

Exam trap

Cisco often tests the concept that VRF creates a completely isolated routing table, and the trap here is that candidates assume CEF showing the prefix means the route is fully functional, overlooking that the next-hop must also be in the same VRF.

How to eliminate wrong answers

Option A is wrong because LISP (Locator/ID Separation Protocol) is not required for basic VRF operation; it is used for overlay network virtualization and mobility, not for resolving next-hop reachability within a VRF. Option C is wrong because OSPF redistribution is not the root cause; the issue is that the next-hop addresses are not present in the VRF's routing table, not that routes are missing from OSPF. Option D is wrong because trunk configuration on the physical interface is irrelevant to VRF next-hop reachability; subinterfaces can be placed into a VRF regardless of whether the parent interface is a trunk or access port.

11
MCQ · hard

A cloud provider uses Cisco ACI to automate provisioning of tenant networks. A new tenant requires a Layer 2 bridge domain that extends to an external Layer 2 network via a VPC. The engineer creates a bridge domain with the settings: Type: Regular, L2 Unknown Unicast: Flood, L3 Unknown Multicast Flood: Flood, and Multi-Destination Flooding: Flood. The VPC is configured as a virtual port channel. The tenant reports that broadcast traffic is not reaching the external network. What is the most likely cause?

A. The VPC configuration does not support L2 extension.
B. The bridge domain is configured as proxy mode for L2 unknown unicast.
C. The L2Out is not configured to flood BUM traffic.
D. The bridge domain type should be set to 'L2 Only'.
Answer: C

L2Out must be configured with flood settings to extend flooding.

Why this answer

The correct answer is C because the bridge domain is configured to flood BUM (Broadcast, Unknown Unicast, and Multicast) traffic internally, but the L2Out (Layer 2 external connection) must also be explicitly configured to flood BUM traffic to the external network. Without this configuration on the L2Out, the ACI fabric will not forward broadcast or multicast frames across the VPC to the external Layer 2 network, even though the bridge domain itself permits flooding.

Exam trap

Cisco often tests the distinction between bridge domain flood settings and L2Out flood settings, trapping candidates who assume that enabling flooding in the bridge domain automatically allows BUM traffic to reach external networks.

How to eliminate wrong answers

Option A is wrong because a VPC (Virtual Port Channel) in ACI is specifically designed to support Layer 2 extension by providing a loop-free, redundant connection to external switches, and it does not inherently block L2 traffic. Option B is wrong because the bridge domain is explicitly configured with 'L2 Unknown Unicast: Flood', not proxy mode; proxy mode would be 'L2 Unknown Unicast: Proxy', which is not the case here. Option D is wrong because the bridge domain type 'Regular' is appropriate for a Layer 2 bridge domain that extends to an external network; setting it to 'L2 Only' would disable Layer 3 forwarding but would not affect the flooding of BUM traffic to the external network via the L2Out.

12
Multi-Select · easy

Which TWO statements correctly describe characteristics of virtual device contexts (VDCs) in Cisco Nexus switches?

Select 2 answers
A. VDCs allow overlapping VLAN IDs across different VDCs only if using different VNIs.
B. VDCs provide Layer 3 routing isolation by default across all VDCs.
C. Each VDC can have its own admin account and separate management interface.
D. VDCs are supported on all Cisco IOS-XE switches.
E. VDCs enable partitioning of a single physical switch into multiple logical switches.
Answers: C, E

Correct: VDCs provide administrative and management isolation.

Why this answer

Option C is correct because each VDC in a Cisco Nexus switch can be configured with its own administrative credentials and a dedicated management interface (e.g., mgmt0). This allows separate administrative domains and management access per VDC, which is a key feature for multi-tenant environments.

Exam trap

Cisco often tests the misconception that VDCs automatically provide Layer 3 routing isolation, but in reality, routing isolation requires explicit VRF configuration per VDC.

13
Matching · medium

Match each network device to its primary function.

Forwards packets between different networks

Forwards frames within the same network

Controls traffic based on security policies

Manages access points centrally

Distributes traffic across multiple servers

Why these pairings

Each device plays a distinct role in network infrastructure.

14
Matching · medium

Match each Cisco switch security feature to its function.

Limits MAC addresses on a port

Filters untrusted DHCP messages

Validates ARP packets

Prevents IP spoofing

Limits broadcast/multicast traffic

Why these pairings

These features enhance switch security against various attacks.

15
MCQ · medium

Refer to the exhibit. A network engineer has configured VRFs on a router. A packet arrives on Gi0/1/0 with destination IP 10.1.1.2. Which VRF is used for routing this packet?

A. Global routing table
B. Mgmt-intf
C. CUSTOMER-B
D. CUSTOMER-A
Answer: D

Correct. The packet arrives on Gi0/1/0 which belongs to VRF CUSTOMER-A, so routing occurs within that VRF.

Why this answer

The packet arrives on interface Gi0/1/0, which is configured under VRF CUSTOMER-A (as shown in the exhibit with 'ip vrf forwarding CUSTOMER-A'). When a VRF is applied to an ingress interface, the router uses that VRF's routing table (not the global table) to perform the destination IP lookup. Therefore, the packet with destination 10.1.1.2 is routed using the CUSTOMER-A VRF.

Exam trap

Cisco often tests the concept that the VRF used for routing is determined by the ingress interface's VRF assignment, not by the destination IP address or any other packet attribute, leading candidates to mistakenly assume the global table is used when no VRF is explicitly mentioned in the routing lookup.

How to eliminate wrong answers

Option A is wrong because the global routing table is used only when the ingress interface is not associated with any VRF, or when the VRF is explicitly bypassed (e.g., via 'ip route vrf' commands); here Gi0/1/0 is VRF-aware. Option B is wrong because 'Mgmt-intf' is a special VRF used exclusively for management traffic (e.g., SSH, SNMP) on the management interface, not for data-plane forwarding on Gi0/1/0. Option C is wrong because CUSTOMER-B is a different VRF; the interface Gi0/1/0 is bound to CUSTOMER-A, not CUSTOMER-B, so the router will not use CUSTOMER-B's routing table for this packet.

16
MCQ · hard

A financial services company has deployed Cisco UCS servers with VMware vSphere 7.0 to host critical trading applications. The network uses Cisco Nexus 9000 switches in a VXLAN EVPN fabric with BGP as the underlay. The environment includes 50 ESXi hosts, each connected via two 40G interfaces to two different leaf switches in a VPC. The VMs are spread across multiple hosts and communicate over VXLAN. Recently, the operations team migrated a set of VMs from an old VLAN-based network to a new VXLAN segment (VNI 50000). After the migration, users report intermittent connectivity issues and packet loss. The engineering team captures traffic and notices that some VMs send ARP requests that are not being replied to, even though the target VM is active. Further analysis shows that the ARP requests are being flooded to all VTEPs, but the replies are not reaching the source. The team checks the underlay and finds no issues with BGP or routing. The NVE interfaces are up, and the VNI is configured. Which of the following is the most likely cause of the issue?

A. The ingress replication list is missing some VTEPs.
B. The symmetric routing configuration is missing on the leaf switches.
C. The VPC configuration between the leaf switches and ESXi hosts is incorrect.
D. The MAC address of the target VM is not being advertised in EVPN type-2 routes because the VM's MAC is learned on a different leaf switch than expected.
Answer: D

If the MAC is not advertised, the source VTEP will flood ARP requests but not receive replies due to unknown unicast flooding.

Why this answer

The issue is that the target VM's MAC address is not being advertised via EVPN Type-2 routes from the leaf switch where it resides. When the source VM sends an ARP request, the ingress VTEP floods it to all VTEPs in the VNI's ingress replication list, but the reply from the target VM must be unicast back. If the target's MAC is not in the EVPN control plane (e.g., because it was learned on a different leaf than expected due to asymmetric MAC learning or stale entries), the reply cannot be forwarded correctly, causing intermittent connectivity.

Exam trap

Cisco often tests the distinction between data-plane flooding (which works) and control-plane advertisement (which fails), leading candidates to incorrectly blame replication lists or VPC issues instead of identifying the missing EVPN Type-2 route.

How to eliminate wrong answers

Option A is wrong because if the ingress replication list were missing some VTEPs, the ARP requests would not reach those VTEPs at all, but the problem states the ARP requests are flooded to all VTEPs, so the list is complete. Option B is wrong because symmetric routing is a design choice for inter-VNI routing (e.g., between different VNIs), not for intra-VNI ARP handling within the same VNI; the issue is about MAC/IP advertisement, not routing asymmetry. Option C is wrong because the VPC configuration between leaf switches and ESXi hosts affects link-level redundancy and loop prevention, but the underlay is healthy and NVE interfaces are up, so VPC misconfiguration would cause connectivity issues unrelated to ARP reply forwarding.

17
MCQ · hard

A financial company runs a critical trading application in a virtualized environment on VMware vSphere. The application consists of two VMs: App-1 (web server) and App-2 (database server). Both VMs are on the same ESXi host. Recently, users report intermittent slowness during peak trading hours. Monitoring shows that App-1 experiences high CPU ready time (up to 15%) and App-2 has high disk latency (average 50 ms). The ESXi host has 16 vCPUs total (2 sockets, 8 cores each) and 128 GB RAM. The host runs 10 VMs total. App-1 has 4 vCPUs and 16 GB RAM; App-2 has 8 vCPUs and 32 GB RAM. The storage is a shared NFS datastore connected via 1 Gbps Ethernet. The network is 10 Gbps. What is the MOST effective course of action to resolve the performance issues?

A. Enable vNUMA for both VMs to improve memory access, and set CPU affinity to dedicate specific cores.
B. Increase the RAM for both VMs to reduce disk swapping, and enable Hyperthreading on the ESXi host.
C. Reduce the number of vCPUs assigned to App-2 from 8 to 4, and configure Storage I/O Control on the datastore.
D. Migrate the VMs to another ESXi host with faster CPUs, and upgrade the storage network to 10 Gbps.
Answer: C

Correct. Reducing vCPUs decreases CPU ready time; Storage I/O Control manages disk latency.

Why this answer

Option C is correct because App-2's 8 vCPUs exceed the number of physical cores per socket (8), causing CPU scheduling contention and high ready time on App-1, while reducing vCPUs to 4 aligns with the host's core-per-socket count and reduces co-scheduling overhead. Additionally, Storage I/O Control (SIOC) on the NFS datastore can prioritize disk access and mitigate the high disk latency (50 ms) by enforcing shares and limits during congestion, addressing both performance issues without requiring hardware upgrades.

Exam trap

Cisco often tests the misconception that adding more vCPUs always improves performance, but the trap here is that over-provisioning vCPUs beyond the physical core count per socket increases CPU ready time and co-scheduling overhead, degrading performance instead of improving it.

How to eliminate wrong answers

Option A is wrong because enabling vNUMA is beneficial for VMs with many vCPUs to optimize memory locality, but it does not address CPU ready time caused by over-provisioning vCPUs, and setting CPU affinity can reduce scheduler flexibility and cause imbalance on a host with 10 VMs. Option B is wrong because increasing RAM does not reduce disk swapping if the VMs already have sufficient memory (App-1 has 16 GB, App-2 has 32 GB), and enabling Hyperthreading on the ESXi host would increase logical CPUs but not resolve the root cause of vCPU over-provisioning or high disk latency. Option D is wrong because migrating to another host with faster CPUs does not fix the vCPU over-provisioning issue (App-2 still has 8 vCPUs), and upgrading the storage network to 10 Gbps does not address the high disk latency if the bottleneck is at the NFS datastore or storage array, not the network link.

18
MCQ · medium

A network engineer configured three interfaces on a switch as shown. A host connected to Ethernet1/2 sends an untagged frame. Which VLAN will this frame be placed into when it reaches Ethernet1/3?

A. VLAN 999
B. VLAN 1
C. The frame is dropped because VLAN 10 is not allowed.
D. VLAN 10
Answer: C

Ethernet1/3 trunk does not allow VLAN 10.

Why this answer

The switchport on Ethernet1/3 is configured as a trunk with an allowed VLAN list that does not include VLAN 10. When the untagged frame from Ethernet1/2 enters the switch, it is assigned to the native VLAN of the access port (which is VLAN 10 by default or configuration). As the frame is switched to the trunk port Ethernet1/3, the trunk's allowed VLAN list is checked; since VLAN 10 is not permitted, the frame is dropped at the egress trunk port.

Exam trap

Cisco often tests the distinction between the native VLAN on a trunk and the access VLAN on an access port, leading candidates to mistakenly think the frame will use the trunk's native VLAN (999) instead of being dropped because the access VLAN (10) is not allowed.

How to eliminate wrong answers

Option A is wrong because VLAN 999 is not the native VLAN of the access port or the trunk; it is only the native VLAN on the trunk, but the frame is tagged with VLAN 10 (the access VLAN) before being forwarded, and VLAN 10 is not allowed on the trunk. Option B is wrong because VLAN 1 is the default VLAN, but the access port is explicitly configured with VLAN 10, so the frame is assigned to VLAN 10, not VLAN 1. Option D is wrong because although the frame is placed into VLAN 10, it is dropped at the trunk egress because VLAN 10 is not in the allowed VLAN list of Ethernet1/3.

19
Multi-Select · hard

A data center uses Cisco Nexus 9000 switches with VXLAN EVPN to provide network virtualization. The operations team notices that VLAN 100 (mapped to VNI 10100) is not reachable across the fabric, although other VLANs work fine. The NVE interface is up, and the EVPN address-family is configured. Which two actions should the engineer take to isolate the issue?

Select 2 answers
A. Check if EVPN type-3 routes are being advertised for VNI 10100.
B. Confirm that multicast group 239.1.1.1 is reachable across the underlay.
C. Verify that VLAN 100 is mapped to VNI 10100 consistently on all VTEPs.
D. Ensure that VNI 10100 is added under the NVE interface.
E. Check if the MTU on the underlay is set to at least 1550 bytes.
Answers: C, D

Inconsistent mapping breaks VXLAN bridging.

Why this answer

Option C is correct because VXLAN EVPN requires consistent VLAN-to-VNI mapping across all VTEPs in the fabric. If VLAN 100 is mapped to VNI 10100 on some switches but not others, traffic for that VNI will not be forwarded correctly, as the mapping is used to associate local VLANs with the VXLAN segment. Option D is correct because the VNI must be explicitly enabled under the NVE interface to participate in VXLAN tunnel termination; without it, the VTEP will not encapsulate or decapsulate traffic for VNI 10100.

Exam trap

Cisco often tests the distinction between control-plane (BGP EVPN) and data-plane (multicast) VXLAN, leading candidates to incorrectly check multicast reachability (Option B) when the issue is a missing or inconsistent VNI configuration.

20
MCQ · medium

A network engineer is deploying a Cisco Catalyst 9300 switch as a virtual switch using StackWise Virtual. The switch will connect to two upstream routers for redundancy. What is the best practice for connecting the uplinks?

A. Bundle the uplinks into an EtherChannel that spans both stack members.
B. Use two separate routed interfaces, each with a routing protocol.
C. Connect each uplink to the active switch member.
D. Configure the uplinks in active/standby mode using STP.
Answer: A

EtherChannel across members provides redundancy and load balancing.

Why this answer

Option A is correct because in a StackWise Virtual deployment, the two member switches operate as a single logical switch. Bundling the uplinks into an EtherChannel that spans both stack members provides both link redundancy and load balancing, and it ensures that if one member fails, traffic continues to flow through the remaining member without requiring routing protocol convergence or STP reconvergence.

Exam trap

Cisco often tests the misconception that you must connect uplinks only to the active switch or use STP for redundancy, but in StackWise Virtual the correct approach is to use a cross-stack EtherChannel to fully utilize both members and provide seamless failover.

How to eliminate wrong answers

Option B is wrong because using two separate routed interfaces with a routing protocol introduces unnecessary complexity and potential for asymmetric routing or suboptimal failover, whereas an EtherChannel provides a single logical link with built-in load balancing and faster failover. Option C is wrong because connecting each uplink only to the active switch member creates a single point of failure; if the active switch fails, both uplinks are lost, defeating the purpose of redundancy. Option D is wrong because configuring the uplinks in active/standby mode using STP is a legacy approach for non-virtual switches; in a StackWise Virtual environment, STP is not needed for inter-switch links, and active/standby wastes bandwidth that could be utilized via EtherChannel.

21
Multi-Select · easy

Which TWO statements about virtual switching in a hypervisor environment are correct?

Select 2 answers
A. A virtual switch can be connected to a physical network through uplink ports.
B. A virtual switch does not support VLAN tagging.
C. A virtual switch performs routing between different subnets.
D. A virtual switch forwards frames between virtual machines based on MAC addresses.
E. A virtual switch is a physical device installed in the hypervisor host.
Answers: A, D

Correct. Uplink ports map to physical NICs to provide connectivity to the physical network.

Why this answer

A virtual switch connects to the physical network through uplink ports, which are typically mapped to physical NICs on the hypervisor host. This allows VMs on the virtual switch to communicate with external networks, making option A correct.

Exam trap

Cisco often tests the misconception that virtual switches are physical devices or that they perform Layer 3 functions, when in fact they are software-based Layer 2 forwarding engines that support VLANs and uplink connectivity.

22
MCQ · medium

A service provider uses a Cisco ASR 1000 router to provide MPLS L3VPN services to multiple customers. Each customer has their own VRF. Recently, a new customer was added with VRF CUSTOMER_C. After configuration, the customer reports that they can reach some remote sites but not others. The network engineer checks the VRF configuration and finds that the route targets for CUSTOMER_C are correctly configured. The engineer also verifies that BGP sessions to the PE routers are up. The missing routes are from a site that uses a different PE router. Which action should the engineer take to resolve the issue?

A. Increase the MTU on the link between the PE routers.
B. Reconfigure LDP on the PE routers to establish a targeted session.
C. Check the MPLS label stack on the local PE to ensure labels are being swapped correctly.
D. Verify that the route target import/export values on the remote PE match those on the local PE for VRF CUSTOMER_C.
Answer: D

Correct: Mismatched route targets cause routes to not be imported into the VRF.

Why this answer

The issue is that the remote PE router does not have the correct route target import/export configuration for VRF CUSTOMER_C. In MPLS L3VPN, VRFs on different PEs must have matching route target values to import and export VPNv4 routes into the correct VRF. Even if the local PE is correctly configured, the remote PE must also import the routes from the local PE using the same route target.

Without this, the remote PE will not install the VPNv4 prefixes into its VRF, causing the customer to be unable to reach sites connected to that remote PE.

Exam trap

Cisco often tests the misconception that route target configuration is only needed on one PE, or that BGP session status alone guarantees route exchange, when in fact both import and export RTs must match across all PEs participating in the same VRF.

How to eliminate wrong answers

Option A is wrong because increasing the MTU on the link between PE routers would not affect route reachability; MTU issues typically cause packet fragmentation or drops, not missing routes in a VRF. Option B is wrong because LDP targeted sessions are used for MPLS label distribution between non-adjacent routers, but in this scenario the PE routers are already exchanging BGP VPNv4 routes and LDP is not the mechanism for VRF route import/export. Option C is wrong because checking the MPLS label stack on the local PE would verify label switching, but the problem is that the remote PE does not have the routes in its VRF, not that labels are being swapped incorrectly; label swapping issues would cause forwarding failures, not missing routes in the routing table.
