350-401 · topic practice

VRF and Path Isolation practice questions

Practise 350-401 NAT and PAT questions covering address translation types, inside/outside interface roles, static vs dynamic vs PAT, and troubleshooting missing or incorrect translations.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: VRF and Path Isolation

What the exam tests

What to know about VRF and Path Isolation

NAT questions usually test how private addresses are translated, when to use static NAT, dynamic NAT or PAT, and how inside/outside interfaces affect traffic flow.

Static NAT, dynamic NAT and PAT behaviour.

Inside local, inside global, outside local and outside global address meanings.

How NAT affects connectivity between private networks and public destinations.

How to troubleshoot NAT rules, ACL matches and interface direction.

Why learners struggle

Why VRF and Path Isolation questions are commonly missed

NAT questions are missed when learners confuse the four address types (inside local, inside global, outside local, outside global) or misapply the interface direction. A translation rule can look correct but still fail if the ACL, interface, or direction is wrong.

  • ·Inside local vs inside global — inside local is the private source, inside global is the translated public address
  • ·PAT overloads — many sources share one public IP using unique port numbers
  • ·Interface direction — ip nat inside and ip nat outside must be on the correct interfaces
  • ·Static NAT vs dynamic NAT vs PAT — each serves a different use case
  • ·The NAT ACL identifies traffic to translate, not traffic to permit or deny
  • ·A missing translation can look like a routing problem if the interfaces are misconfigured

Watch out for

Common VRF and Path Isolation exam traps

  • PAT allows many inside hosts to share one public address by using port numbers.
  • NAT rules depend on correct inside and outside interface configuration.
  • The ACL used for NAT identifies traffic to translate; it is not always a security filtering ACL.
  • Static NAT maps one private address to one public address, while PAT overloads translations.

Practice set

VRF and Path Isolation questions

20 questions · select your answer, then reveal the explanation

Question 1mediummultiple choice
Open the full BGP breakdown →

A network engineer is configuring MPLS L3VPN on a Cisco IOS-XE PE router. The engineer creates a VRF named CUSTOMER_A with route-target import and export 100:1. After configuring the VRF on the interface connected to the CE router, the CE router can ping the PE's VRF interface IP, but cannot reach any remote VPNv4 routes. The BGP session between PE and route reflector is up. What is the most likely cause?

Question 2hardmultiple choice
Open the full VLAN trunking answer →

An enterprise uses VRF-lite to isolate guest Wi-Fi traffic from corporate traffic on a Cisco Catalyst 9300 switch. The guest VRF (GUEST) is configured on VLAN 100, and the corporate VRF (CORP) on VLAN 200. Both VRFs use the same default gateway router connected via a trunk. The engineer notices that guest devices can reach the internet but cannot access the guest captive portal hosted on a server in VLAN 100. The server's IP is reachable from the switch itself. What is the issue?

Question 3hardmultiple choice
Read the full MPLS explanation →

A service provider uses MPLS L3VPN with multiple VRFs on a Cisco ASR 1000 PE router. One customer VRF (RED) has overlapping IP addresses with another VRF (BLUE). The engineer configures route-target import/export as 100:1 for RED and 200:2 for BLUE. Both VRFs have a static default route pointing to the CE. The PE receives VPNv4 routes from the route reflector for both VRFs. However, traffic from RED to its CE is working, but traffic from BLUE to its CE is intermittently failing. What is the most likely cause?

Question 4mediummultiple choice
Open the full VLAN trunking answer →

A network engineer is troubleshooting a VRF-lite deployment on a Cisco Nexus 9000 switch. Two VRFs, PROD and DEV, are configured. The switch has an SVI for VLAN 10 in VRF PROD and VLAN 20 in VRF DEV. A firewall is connected to a Layer 3 port in VRF PROD for internet access. The engineer needs to allow the DEV VRF to reach the internet through the same firewall, but without using a separate physical interface. What should the engineer configure?

Question 5mediummultiple choice
Open the full BGP breakdown →

An engineer is configuring MPLS L3VPN on a Cisco IOS-XR router. The VRF CUSTOMER_B is configured with route-target import 100:1 and export 100:1. The engineer notices that the VRF routes are not being advertised to the route reflector. The BGP session to the route reflector is established and the VPNv4 address family is activated. What is the missing configuration?

Question 6easymultiple choice
Read the full VRF explanation →

A company uses VRF-lite to separate management traffic (VRF MGMT) from user traffic (VRF USER) on a Cisco Catalyst 3850 stack. The management network is 10.0.0.0/24, and the user network is 192.168.1.0/24. The engineer wants to allow SSH access from the user network to the management network for device administration. The switch has an SVI for each VRF. What is the simplest way to achieve this while maintaining VRF isolation?

Question 7mediummultiple choice
Read the full MPLS explanation →

A network engineer is configuring MPLS L3VPN on a Cisco IOS-XE router. The VRF CUSTOMER_C has route-target import 300:1 and export 300:1. The PE receives VPNv4 routes from the route reflector, but the CE router connected to the PE cannot ping any remote site IP addresses. The PE can ping the remote site IP addresses from the VRF. What is the most likely cause?

Question 8hardmultiple choice
Read the full DHCP explanation →

An enterprise uses VRF-lite on a Cisco Catalyst 9300 to isolate a guest network (VRF GUEST) from the corporate network (VRF CORP). The guest network uses DHCP from a server in the corporate network. The engineer configures a DHCP relay on the guest SVI pointing to the corporate DHCP server. The DHCP server is in VRF CORP. The guest clients are not receiving IP addresses. What is the issue?

Question 9easymultiple choice
Open the full BGP breakdown →

A service provider is migrating a customer from a global routing table to a VRF on a Cisco ASR 1000. The customer has a BGP session with the provider for internet access. After moving the customer's interface to VRF CUSTOMER_D, the BGP session goes down. The engineer verifies that the VRF is configured with the correct route-target and that the BGP neighbor is configured under address-family ipv4 vrf CUSTOMER_D. What else is missing?

Question 10mediummultiple choice
Review the full OSPF breakdown →

A network engineer runs the following command on Router R1:

R1# show ip route vrf CUSTOMER-A

VRF CUSTOMER-A: Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.0.1.1 to network 0.0.0.0

10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        10.0.0.0/30 is directly connected, GigabitEthernet0/0.100
L        10.0.0.1/32 is directly connected, GigabitEthernet0/0.100
B        10.0.2.0/24 [200/0] via 192.168.1.2, 00:12:34

Based on this output, what can be concluded?

Question 11hardmultiple choice
Study the full IPv6 explanation →

A network engineer runs the following command on Router R2:

R2# show vrf detail

VRF CUSTOMER-B (VRF Id = 1); default RD 65000:1; default VPNID <not set>

Interfaces:

GigabitEthernet0/0.200 GigabitEthernet0/1.200 Address family IPV4 unicast: Export VPN route-target communities: RT:65000:100 Import VPN route-target communities: RT:65000:100

No export route-map
    No import route-map

Address family IPV6 unicast: Export VPN route-target communities: RT:65000:100 Import VPN route-target communities: RT:65000:100 Members:

10.0.0.0/24

Based on this output, what can be concluded?

Question 12mediummultiple choice
Open the full BGP breakdown →

A network engineer runs the following command on Router R3:

R3# show bgp vpnv4 unicast all summary

BGP router identifier 10.0.0.3, local AS number 65000 BGP table version is 10, main routing table version 10 10 network entries using 1440 bytes of memory 10 path entries using 1360 bytes of memory 6/5 BGP path/bestpath attribute entries using 840 bytes of memory 4 BGP AS-PATH entries using 112 bytes of memory 0 BGP route-map cache entries using 0 bytes of memory 0 BGP filter-list cache entries using 0 bytes of memory BGP using 3752 total bytes of memory BGP activity 20/10 prefixes, 20/10 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.1.1     4        65000    1000    1000       10    0    0 01:23:45        5
192.168.2.2     4        65000     800     800       10    0    0 00:45:12        3

Based on this output, what can be concluded?

Question 13hardmultiple choice
Read the full MPLS explanation →

A network engineer runs the following command on Router R4:

R4# show mpls ldp neighbor vrf CUSTOMER-C

Peer LDP Ident: 10.0.0.5:0; Local LDP Ident 10.0.0.4:0 TCP connection: 10.0.0.5.646 - 10.0.0.4.646 State: Oper; Msgs sent/rcvd: 500/500; Downstream Up time: 02:30:00 LDP discovery sources: GigabitEthernet0/0.300, Src IP addr: 10.0.1.2 hello sent/rcvd: 1000/1000 Addresses bound to peer LDP Ident:

10.0.1.2        10.0.2.2

Based on this output, what can be concluded?

Question 14mediummultiple choice
Read the full VRF explanation →

A network engineer runs the following command on Router R5:

R5# show ip interface brief | include VRF

Interface                  IP-Address      OK? Method Status                Protocol

GigabitEthernet0/0.100 10.0.0.1 YES NVRAM up up GigabitEthernet0/0.200 10.0.1.1 YES NVRAM up up GigabitEthernet0/0.300 10.0.2.1 YES NVRAM up up Loopback100 10.100.0.1 YES NVRAM up up

R5# show vrf brief

Name Default RD Protocols Interfaces CUSTOMER-A 65000:1 ipv4 Gi0/0.100 CUSTOMER-B 65000:2 ipv4 Gi0/0.200 CUSTOMER-C 65000:3 ipv4 Gi0/0.300

Based on this output, what can be concluded?

Question 15hardmultiple choice
Open the full BGP breakdown →

A network engineer runs the following command on Router R6:

R6# show ip route vrf CUSTOMER-D

VRF CUSTOMER-D:

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/30 is directly connected, GigabitEthernet0/0.400
L        10.0.0.1/32 is directly connected, GigabitEthernet0/0.400
      192.168.0.0/16 is variably subnetted, 1 subnets, 1 mask
B        192.168.1.0/24 [200/0] via 10.0.0.2, 00:10:00

R6# show ip bgp vpnv4 vrf CUSTOMER-D

BGP table version is 5, local router ID is 10.0.0.6 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path *> 192.168.1.0/24 10.0.0.2 0 100 0 i

Based on this output, what can be concluded?

Question 16mediummultiple choice
Review the full OSPF breakdown →

A network engineer runs the following command on Router R7:

R7# show ip ospf neighbor vrf CUSTOMER-E

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.8         1   FULL/DR         00:00:35    10.0.1.2        GigabitEthernet0/0.500
10.0.0.9         1   FULL/BDR        00:00:31    10.0.2.2        GigabitEthernet0/0.600

Based on this output, what can be concluded?

Question 17hardmultiple choice
Study the full multicast explanation →

A network engineer runs the following command on Router R8:

R8# show ip pim neighbor vrf CUSTOMER-F

Neighbor          Interface                Uptime/Expires    Ver   DR
10.0.3.2          GigabitEthernet0/0.700   02:00:00/00:01:30 v2    1/ DR
10.0.4.2          GigabitEthernet0/0.800   01:30:00/00:01:45 v2    0/ NDR (BDR)

Based on this output, what can be concluded?

Question 18hardmultiple choice
Study the full QoS explanation →

A network engineer runs the following command on Router R9:

R9# show policy-map interface GigabitEthernet0/0.900

GigabitEthernet0/0.900

Service-policy input: QOS_POLICY_VRF_G Class-map: CLASS_VOICE (match-all) 0 packets, 0 bytes 5 minute offered rate 0 bps, drop rate 0 bps Match: ip dscp ef (46) police: cir 1000000 bps, bc 31250 bytes, be 31250 bytes conformed 0 packets, 0 bytes; actions: transmit exceeded 0 packets, 0 bytes; actions: drop violated 0 packets, 0 bytes; actions: drop Class-map: CLASS_DATA (match-all) 0 packets, 0 bytes 5 minute offered rate 0 bps, drop rate 0 bps Match: ip dscp af31 (26) police: cir 2000000 bps, bc 62500 bytes, be 62500 bytes conformed 0 packets, 0 bytes; actions: transmit exceeded 0 packets, 0 bytes; actions: drop violated 0 packets, 0 bytes; actions: drop Class-map: class-default (match-any) 0 packets, 0 bytes 5 minute offered rate 0 bps, drop rate 0 bps Match: any

Based on this output, what can be concluded?

Question 19mediummultiple choice
Read the full VRF explanation →

Examine the following configuration snippet on a Cisco IOS-XE router:

interface GigabitEthernet0/1
 ip vrf forwarding BLUE
 ip address 192.168.1.1 255.255.255.0
 no shutdown

What is the effect of this configuration?

Question 20mediummultiple choice
Read the full VRF explanation →

Consider the following configuration on a Cisco IOS-XE router:

vrf definition RED rd 100:1 route-target export 100:1 route-target import 100:1 !

interface GigabitEthernet0/2

vrf forwarding RED

ip address 10.10.10.1 255.255.255.0

Which statement is true about this configuration?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused VRF and Path Isolation sessions

Start a VRF and Path Isolation only practice session

Every question in these sessions is drawn from the VRF and Path Isolation domain — nothing else.

Related practice questions

Related 350-401 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the 350-401 exam test about VRF and Path Isolation?
NAT questions usually test how private addresses are translated, when to use static NAT, dynamic NAT or PAT, and how inside/outside interfaces affect traffic flow.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just VRF and Path Isolation questions in a focused session?
Yes — the session launcher on this page draws every question from the VRF and Path Isolation domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other 350-401 topics?
Use the topic links above to move to related areas, or go back to the 350-401 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the 350-401 exam covers. They are not copied from any real exam or dump site.