CCNA Network Questions


1
Matching · medium

Match each Cisco data center technology to its primary purpose.


Concepts
Matches

Converged network for Fibre Channel and Ethernet

Network virtualization overlay for scaling Layer 2 networks

Layer 2 extension across Layer 3 boundaries

Location/identifier separation for routing scalability

Label switching for traffic engineering and VPNs

Why these pairings

These technologies are key for data center networking and virtualization.

2
MCQ · easy

Refer to the exhibit. A network engineer notices that the NVE1 interface is up but VXLAN traffic is not being encapsulated. What is the most likely cause?

A. The VNI 10000 is not mapped to a VLAN.
B. The ingress replication protocol must be static.
C. The loopback0 interface is not configured.
D. The BGP EVPN address-family is not activated.
Answer: D

EVPN requires MP-BGP with the l2vpn evpn address-family to exchange routes; without it, VXLAN encapsulation cannot function.

Why this answer

Option D is correct because VXLAN traffic encapsulation on the NVE1 interface requires the BGP EVPN address-family to be activated under the BGP configuration to exchange VNI-to-VTEP mappings. Without this address-family, the NVE interface cannot learn remote VTEPs, so VXLAN packets are never encapsulated with the outer UDP/IP header.

Exam trap

Cisco often tests the misconception that an NVE interface being up means VXLAN encapsulation is fully functional, but the control plane (BGP EVPN) must be active to provide the necessary remote VTEP information.

How to eliminate wrong answers

Option A is wrong because VNI 10000 not being mapped to a VLAN would prevent local bridging, but the NVE interface can still encapsulate VXLAN traffic if the VNI is configured under the NVE and the BGP EVPN control plane is operational. Option B is wrong because ingress replication can be configured as static or dynamic (via BGP EVPN); the protocol does not need to be static, and dynamic replication via BGP EVPN is the standard approach. Option C is wrong because the loopback0 interface is likely already configured (the exhibit shows it as the source interface under NVE1), and if it were missing, the NVE interface would not come up at all.

3
MCQ · hard

A network engineer notices that when a host sends a packet to a destination on a different VTEP, the packet is flooded to all VTEPs even though the destination MAC is known. What is the most likely cause?

A. The BGP EVPN route table is missing the MAC/IP route for the destination.
B. The VNI is misconfigured.
C. The MTU exceeds 1500 bytes.
D. ARP suppression is disabled.
Answer: A

Without the route, the VTEP has no forwarding information and floods.

Why this answer

In a BGP EVPN VXLAN fabric, when a host sends a packet to a known destination MAC on a different VTEP, the ingress VTEP should perform MAC/IP route lookup in the BGP EVPN route table to determine the correct remote VTEP. If the MAC/IP route for the destination is missing (e.g., not advertised or withdrawn), the ingress VTEP has no mapping to a remote VTEP and must flood the packet to all VTEPs in the VNI, causing unnecessary broadcast traffic. This is the most likely cause of the described behavior.

Exam trap

The trap here is that candidates often confuse flooding due to an unknown MAC (which is normal) with flooding due to a missing EVPN route, or they incorrectly attribute the issue to ARP suppression or MTU problems, which are unrelated to the data-plane flooding of a known MAC across VTEPs.

How to eliminate wrong answers

Option B is wrong because a misconfigured VNI would typically prevent the packet from being encapsulated or forwarded at all, or cause it to be dropped, not flooded to all VTEPs. Option C is wrong because an MTU exceeding 1500 bytes would cause fragmentation or drop issues, not flooding behavior. Option D is wrong because ARP suppression is a control-plane optimization that reduces ARP broadcast traffic within a VNI; disabling it would cause ARP requests to be flooded, but the question describes flooding of a data packet with a known destination MAC, which is unrelated to ARP suppression.

4
MCQ · easy

A network engineer is configuring OSPF on a pair of Nexus 9000 switches acting as spine switches in a VXLAN fabric. The engineer needs to ensure that the spine switches do not become the DR for any VLAN. Which configuration should be applied?

A. Configure passive-interface default under OSPF.
B. Set ospf network type to point-to-multipoint.
C. Set ospf priority to 0 on the spine interfaces.
D. Set ospf priority to 255 on the spine interfaces.
Answer: C

OSPF priority 0 prevents the router from participating in DR/BDR election.

Why this answer

Setting the OSPF priority to 0 on the spine interfaces prevents the spine switches from participating in the DR/BDR election process, ensuring they never become the Designated Router (DR) for any VLAN. This is the standard method to suppress DR election on a multi-access network segment.

Exam trap

Cisco often tests the misconception that setting OSPF priority to 0 disables OSPF on the interface entirely, when in fact it only prevents DR/BDR election while still allowing neighbor adjacency formation.

How to eliminate wrong answers

Option A is wrong because configuring passive-interface default under OSPF suppresses all OSPF hello packets on all interfaces, preventing neighbor adjacency formation entirely, which would break OSPF routing. Option B is wrong because setting the OSPF network type to point-to-multipoint does not inherently prevent a router from becoming DR; it changes the behavior to treat the network as a collection of point-to-point links but still allows DR election on multi-access segments. Option D is wrong because setting the OSPF priority to 255 (the highest possible value) makes the spine switch the most likely candidate to become the DR, which is the opposite of the desired outcome.

5
Multi-Select · easy

A data center network uses Cisco Nexus switches with VXLAN EVPN. Which two components are essential for VXLAN EVPN operation? (Choose two.)

Select 2 answers
A. VXLAN VTEPs on leaf switches.
B. OSPF as underlay routing protocol.
C. MP-BGP EVPN control plane.
D. vPC for host-facing links.
E. PIM-SM for multicast replication.
Answers: A, C

VTEPs encapsulate and decapsulate VXLAN frames.

Why this answer

VXLAN VTEPs (VXLAN Tunnel Endpoints) on leaf switches are essential because they perform the encapsulation and decapsulation of VXLAN frames, enabling Layer 2 overlay networks over a Layer 3 underlay. Without VTEPs, there is no mechanism to create the VXLAN tunnels that carry traffic between endpoints across the IP fabric.

Exam trap

Cisco often tests the distinction between mandatory components (VTEPs and MP-BGP EVPN) and optional features (vPC, specific underlay protocols, or replication modes) to see if candidates understand that the underlay can be any IP-routed network and that multicast is not a requirement for VXLAN EVPN.

6
MCQ · medium

Refer to the exhibit. An engineer configured a VXLAN tunnel endpoint (VTEP) but the VXLAN tunnel is not operational. The underlay OSPF adjacency is established. What is the missing configuration?

A. The NVE interface must be enabled with the no shutdown command.
B. The multicast group must be reachable via the underlay.
C. The loopback0 interface is not included in the OSPF process.
D. The VNI must be mapped to a VLAN.
Answer: C

The loopback0 interface, used as the NVE source, is not advertised via OSPF, so its IP is unreachable from other VTEPs.

Why this answer

Option C is correct because the loopback0 interface is the source interface for the NVE, but it is not included in the OSPF process, making its IP unreachable from other VTEPs.

How to eliminate wrong answers

Option A is incorrect because NVE interfaces are typically administratively up by default. Option B is incorrect because multicast reachability is not directly related to the tunnel operational status. Option D is incorrect because VNI-to-VLAN mapping is not shown in the exhibit and is required for Layer 2 forwarding, but the immediate issue is the unreachable source interface.

7
Multi-Select · hard

When configuring BGP EVPN on spine switches functioning as route reflectors, which two address families must be configured? (Choose two.)

Select 2 answers
A. address-family link-state
B. address-family l2vpn evpn
C. address-family ipv6 unicast
D. address-family vpnv4
E. address-family ipv4 unicast
Answers: B, E

Required for EVPN route exchange.

Why this answer

B is correct because BGP EVPN (Ethernet VPN) uses the L2VPN address family (l2vpn evpn) to carry MAC/VXLAN routing information between spine and leaf switches. This address family is mandatory for EVPN control plane operation in a VXLAN fabric, enabling MAC address learning and advertisement via MP-BGP.

Exam trap

Cisco often tests the misconception that only the EVPN address family is needed, but the ipv4 unicast family is also required on the route reflector to advertise the underlay loopback routes that serve as VXLAN tunnel endpoints.

8
MCQ · hard

After adding a new spine switch to a VXLAN EVPN fabric with OSPF underlay, some leaf switches experience routing instability. Which action could resolve the instability?

A. Increase the OSPF cost on the leaf-to-spine links.
B. Configure OSPF neighbor authentication.
C. Decrease the OSPF hello timer.
D. Enable OSPF route summarization on the leaves.
Answer: A

Higher cost makes the new spine less preferred, stabilizing routing.

Why this answer

When a new spine switch is added to a VXLAN EVPN fabric with an OSPF underlay, the leaf switches may experience routing instability because the new spine advertises routes with a lower cost, causing traffic to shift abruptly. Increasing the OSPF cost on the leaf-to-spine links makes those paths less preferred, stabilizing the routing table by preventing flapping and ensuring a more gradual convergence.

Exam trap

Cisco often tests the misconception that routing instability is caused by security or timer issues, when in fact it is typically due to unequal cost paths causing SPF thrashing after a new device is added.

How to eliminate wrong answers

Option B is wrong because OSPF neighbor authentication secures routing updates but does not address routing instability caused by cost-based path selection changes. Option C is wrong because decreasing the OSPF hello timer would increase the frequency of hello packets, potentially exacerbating instability by causing faster neighbor state changes and more frequent SPF calculations. Option D is wrong because enabling OSPF route summarization on the leaves reduces the size of the routing table but does not prevent the instability from a new spine advertising lower-cost routes; summarization affects route propagation, not path preference.

9
MCQ · medium

Refer to the exhibit. Which VLANs are allowed on the VPC peer-link?

A. VLANs 1-100 and native VLAN
B. Only VLAN 1
C. VLANs 1-100 only
D. All VLANs (1-4094)
Answer: C

The allowed VLAN range is 1-100.

Why this answer

In a vPC domain, the peer-link carries only specific VLANs that are allowed on the trunk. By default, the peer-link is configured as a trunk allowing VLANs 1-100, and the native VLAN is not included in this allowed list because the peer-link uses a dedicated VLAN for control traffic (typically VLAN 4094) and does not forward native VLAN traffic. Option C is correct because the default allowed VLAN list on a vPC peer-link is VLANs 1-100, as shown in the exhibit.

Exam trap

Cisco often tests the misconception that the vPC peer-link allows all VLANs or includes the native VLAN, when in fact it defaults to VLANs 1-100 and explicitly excludes the native VLAN to maintain control plane isolation.

How to eliminate wrong answers

Option A is wrong because the native VLAN is not allowed on the vPC peer-link; the peer-link uses a separate VLAN (often 4094) for control traffic and does not forward native VLAN frames. Option B is wrong because the peer-link allows more than just VLAN 1; it permits VLANs 1-100 by default. Option D is wrong because the peer-link does not allow all VLANs (1-4094); it is restricted to VLANs 1-100 by default to prevent unnecessary traffic and loops.

10
MCQ · medium

Refer to the exhibit. A VXLAN VNI (10030) is operationally down. What is the most likely cause?

A. The source interface loopback0 is not up
B. The NVE mode should be L2VPN instead of L3VPN
C. The VLAN associated with VNI 10030 is not configured or mapped
D. The multicast group 239.1.1.1 is not reachable
Answer: C

The VNI must be mapped to a VLAN using 'vn-segment vlan-id' under the VLAN configuration; missing mapping causes operational down.

Why this answer

VXLAN VNI 10030 is operationally down because the VLAN that maps to this VNI is either not created or not associated with the VNI under the NVE interface. In Cisco NX-OS, a VNI becomes operationally up only when the corresponding VLAN exists and is properly mapped via the `member vni 10030 associate-vrf` or `member vni 10030` command under the NVE interface. Without this mapping, the NVE cannot forward traffic for that VNI, leaving it in a down state.

Exam trap

Cisco often tests the misconception that a VNI goes down due to multicast reachability or source interface issues, but the actual cause is the missing VLAN-to-VNI mapping, which is a common misconfiguration in VXLAN deployments.

How to eliminate wrong answers

Option A is wrong because if the source interface loopback0 were not up, the NVE interface itself would be down or the VXLAN tunnel would fail, but the VNI operational state would show as 'down' due to the source interface issue, not specifically because of a missing VLAN mapping. Option B is wrong because the NVE mode can be either L2VPN or L3VPN depending on the deployment; VXLAN VNI 10030 being operationally down is unrelated to the NVE mode, and L3VPN mode is correct for VXLAN EVPN with Layer 3 VNI. Option D is wrong because the multicast group 239.1.1.1 is used for BUM traffic replication; if it were unreachable, the VNI might still be operationally up but unable to forward broadcast traffic, so it would not cause the VNI to be operationally down.

11
MCQ · medium

A data center engineer is troubleshooting intermittent connectivity between two servers in different VLANs. The servers are connected to different leaf switches in a VXLAN EVPN fabric. When checking the fabric, the engineer notices that the NVE interface on one leaf is up/up but the VNI for the server VLAN is not listed in 'show nve vni'. What is the most likely cause?

A. MTU mismatch on the underlay network
B. Anycast gateway is not configured on the leaf
C. BGP EVPN peers are not established
D. The VLAN-to-VNI mapping is missing under the VLAN configuration
Answer: D

The VNI must be mapped to a VLAN using 'vn-segment vlan-id' under the VLAN configuration; without it, the VNI does not appear in the NVE interface.

Why this answer

The NVE interface being up/up indicates the overlay tunnel is operational, but the absence of the VNI in 'show nve vni' means the VNI is not instantiated on the NVE. This typically occurs when the VLAN-to-VNI mapping is missing under the VLAN configuration (e.g., 'vlan 100' then 'vn-segment 10100'), which prevents the VNI from being associated with the NVE interface and advertised via BGP EVPN.

Exam trap

Cisco often tests the distinction between the NVE interface being operational (up/up) and the VNI being properly instantiated via VLAN-to-VNI mapping, leading candidates to incorrectly suspect BGP or underlay issues when the real problem is a missing local configuration step.

How to eliminate wrong answers

Option A is wrong because an MTU mismatch on the underlay network would cause packet drops or fragmentation, not the absence of a VNI from the NVE VNI list. Option B is wrong because anycast gateway configuration (e.g., 'ip virtual-router address' or 'fabric forwarding anycast-gateway-mac') is used for first-hop redundancy and does not affect whether a VNI appears in 'show nve vni'. Option C is wrong because BGP EVPN peers not being established would prevent route exchange but would not prevent the VNI from being locally instantiated on the NVE; the VNI would still appear in 'show nve vni' even if peers are down.

12
MCQ · hard

During a maintenance window, a network engineer plans to upgrade the NX-OS software on a pair of Nexus 9000 switches configured as vPC peers. The engineer wants to minimize traffic disruption. Which upgrade sequence is recommended?

A. Upgrade both switches simultaneously using ISSU
B. Reload both switches to a previous version, then upgrade
C. Upgrade the primary vPC peer first, then the secondary
D. Upgrade the secondary vPC peer first, then the primary
Answer: D

Upgrading secondary first ensures the primary remains operational; after secondary upgrade, it can take over if needed during primary upgrade.

Why this answer

In a vPC pair, the secondary peer is upgraded first to preserve the primary's role as the forwarding anchor. Upgrading the secondary peer allows it to reboot and rejoin the vPC domain without disrupting the data plane because the primary peer continues to forward traffic. Once the secondary is stable, the primary is upgraded, ensuring minimal traffic loss.

Exam trap

Cisco often tests the misconception that upgrading the primary first is safer because it is the 'leader,' but the correct sequence is to upgrade the secondary first to avoid a disruptive role transition.

How to eliminate wrong answers

Option A is wrong because ISSU (In-Service Software Upgrade) is not supported on Nexus 9000 switches in vPC mode; it requires non-disruptive upgrades which are not available for vPC peer links. Option B is wrong because reloading both switches to a previous version would cause a complete traffic outage, defeating the goal of minimizing disruption. Option C is wrong because upgrading the primary vPC peer first would cause the primary to reboot, leading to a vPC role change and potential traffic black-holing until the secondary takes over, increasing disruption.

13
MCQ · hard

A large enterprise uses Cisco Nexus 9000 switches in a VXLAN EVPN fabric. The underlay is OSPF. Each leaf switch has a loopback0 interface as the source interface for VXLAN tunnel endpoints. After a maintenance window, an engineer modifies the IP address of loopback0 on leaf-5 from 10.1.1.5/32 to 10.1.1.105/32. Subsequently, all VXLAN tunnels to leaf-5 go down. OSPF adjacencies between leaf-5 and the spines are still FULL. The engineer checks the NVE interface on leaf-5 and sees the source-interface is loopback0 but the interface status is up/up. However, pings from other leaves to 10.1.1.105 fail. What is the most likely cause?

A. The OSPF process on leaf-5 was not restarted after the IP change
B. The new loopback IP 10.1.1.105 is not included in the OSPF network statement under router ospf
C. The MTU on loopback0 is set too low causing OSPF hello drops
D. The VXLAN source-interface was automatically changed to a different loopback
Answer: B

The new IP subnet must be advertised via OSPF to be reachable by other leaves.

Why this answer

The correct answer is B. After changing the loopback0 IP address on leaf-5, the new IP 10.1.1.105/32 must be explicitly advertised into OSPF for other leaves to reach it. If the OSPF network statement under router ospf still references the old subnet or does not include 10.1.1.105/32, the route for this new loopback IP will not be installed in the OSPF database.

Consequently, other leaves cannot route to the new VTEP IP, causing VXLAN tunnels to fail even though OSPF adjacencies remain FULL (since adjacencies are formed over physical interfaces, not the loopback).

Exam trap

Cisco often tests the distinction between OSPF adjacency status (which relies on physical interfaces) and route advertisement (which depends on network statements covering the loopback IP), leading candidates to incorrectly assume that FULL adjacencies guarantee reachability to the VTEP IP.

How to eliminate wrong answers

Option A is wrong because restarting the OSPF process is not required after a loopback IP change; OSPF dynamically detects interface IP changes and updates LSAs accordingly, provided the new IP is covered by an existing network statement. Option C is wrong because MTU misconfiguration on loopback0 would not selectively cause OSPF hello drops only after an IP change; OSPF hellos are sent over the physical underlay interfaces, not the loopback, and a low MTU on loopback0 would not affect OSPF adjacencies that are already FULL. Option D is wrong because the VXLAN source-interface is explicitly configured under the NVE interface and does not automatically change; the engineer confirmed the source-interface remains loopback0 and the NVE interface is up/up.

14
MCQ · medium

Refer to the exhibit. A network engineer notices that the VPC peer status is down, and the peer-keepalive is not reachable. Based on the configuration, what is the likely issue?

A. The peer-link port-channel10 has VLAN 100-110 allowed, but the peer-keepalive uses a separate VLAN.
B. The peer-keepalive destination must be on the management VRF.
C. The VPC domain priority should be lower.
D. The peer-keepalive source and destination are swapped.
Answer: B

Nexus requires the peer-keepalive to be sent via the management VRF, which is not specified here. The command should include 'vrf management'.

Why this answer

The peer-keepalive link must be routed via the management VRF to ensure it remains independent of the data-plane and peer-link state. If the peer-keepalive destination is not in the management VRF, the keepalive packets may be dropped or unreachable, causing the VPC peer status to remain down. The configuration shown likely omits the 'vrf member management' under the peer-keepalive configuration, or the destination IP is not reachable through the management interface.

Exam trap

Cisco often tests the requirement that peer-keepalive must use the management VRF (or a dedicated VRF) and not rely on the peer-link or any data VLAN, leading candidates to incorrectly focus on VLAN allowed lists or priority values instead of the VRF configuration.

How to eliminate wrong answers

Option A is wrong because the peer-link port-channel VLAN allowed list does not affect peer-keepalive reachability; peer-keepalive uses a separate Layer 3 path (typically management VRF) and is not dependent on the VLANs allowed on the peer-link. Option C is wrong because the VPC domain priority determines which switch is the primary for role election, not the peer-keepalive status; a lower priority would not fix an unreachable peer-keepalive destination. Option D is wrong because swapping the source and destination IP addresses would still result in an unreachable path if the destination is not in the correct VRF; the core issue is the VRF mismatch, not the direction of the addresses.

15
Multi-Select · medium

Which TWO statements about VXLAN BGP EVPN control plane are true? (Choose two.)

Select 2 answers
A. The underlay network provides IP connectivity between VTEPs
B. BGP EVPN advertises MAC addresses and IP addresses as routes
C. VXLAN encapsulates Ethernet frames in IP packets using MPLS labels
D. VXLAN uses a 32-bit network identifier (VNI)
E. The control plane is responsible for actual data forwarding
Answers: A, B

Underlay routing (e.g., IS-IS, OSPF) enables VTEP-to-VTEP reachability.

Why this answer

Option A is correct because the VXLAN underlay network (typically an IP-based fabric using protocols like OSPF or IS-IS) provides IP connectivity between VTEPs, enabling them to encapsulate and decapsulate VXLAN packets. Without this underlay reachability, VTEPs cannot communicate, making it a foundational requirement for VXLAN operation.

Exam trap

Cisco often tests the distinction between the 24-bit VNI (VXLAN Network Identifier) and the 32-bit VXLAN segment ID used in some older documentation, leading candidates to mistakenly select a 32-bit identifier.

16
MCQ · hard

In a Cisco ACI fabric, the administrator notices that traffic between two endpoints in different EPGs but on the same leaf switch is being dropped when a contract is applied. The endpoints are in the same VRF but different bridge domains. What is the likely cause?

A. The VRF is not configured correctly.
B. The bridge domains are not in the same network.
C. The leaf switch is missing a route to the destination.
D. The contract does not allow communication between those EPGs.
Answer: D

Contracts must explicitly permit inter-EPG traffic.

Why this answer

In Cisco ACI, inter-EPG communication is governed by contracts. Even when endpoints reside on the same leaf switch, same VRF, and different bridge domains, traffic is dropped unless a contract explicitly permits the communication between the source and destination EPGs. The contract defines the filter (e.g., IP protocol, ports) and the direction (provider/consumer) required for traffic to flow.

Exam trap

Cisco often tests the misconception that endpoints in the same VRF can always communicate, but in ACI, contracts override Layer 3 reachability, and candidates mistakenly blame routing or subnet mismatches instead of the missing contract.

How to eliminate wrong answers

Option A is wrong because the VRF configuration is irrelevant; both endpoints are in the same VRF, and the issue is not about VRF reachability but about policy enforcement. Option B is wrong because bridge domains can be in different subnets; ACI routes between them using the VRF, and the contract is the gatekeeper, not the subnet. Option C is wrong because the leaf switch does not need a separate route; ACI uses a distributed anycast gateway and the leaf already has the endpoint's location learned via COOP, so routing is not the issue.

17
MCQ · easy

A network engineer is implementing QoS on a Nexus 9000 switch. The requirement is to prioritize storage traffic (iSCSI) and ensure lossless behavior. Which queuing strategy should be applied to the egress interface?

A. Tail drop with DSCP-based classification.
B. Weighted Round Robin (WRR) with three queues.
C. Priority Flow Control (PFC) with a no-drop queue for iSCSI.
D. Policing at the ingress and marking at the egress.
Answer: C

PFC enables lossless Ethernet by pausing traffic when buffers are full.

Why this answer

Option C is correct because Priority Flow Control (PFC) is the IEEE 802.1Qbb mechanism designed to provide lossless behavior for specific traffic classes, such as iSCSI storage traffic, on Nexus 9000 switches. By creating a no-drop queue for iSCSI, PFC uses pause frames on a per-priority basis to prevent buffer overflow, ensuring zero packet loss required by storage protocols.

Exam trap

Cisco often tests the misconception that any queuing or scheduling algorithm (like WRR or tail drop) can provide lossless behavior, but the trap here is that only PFC with a dedicated no-drop queue satisfies the strict no-loss requirement for storage traffic like iSCSI or FCoE.

How to eliminate wrong answers

Option A is wrong because tail drop is a simple congestion avoidance mechanism that drops packets indiscriminately when a queue is full, which cannot guarantee lossless behavior for iSCSI; DSCP-based classification alone does not prevent drops. Option B is wrong because Weighted Round Robin (WRR) is a scheduling algorithm that services multiple queues based on weights, but it does not provide per-priority pause or lossless guarantees; iSCSI requires a no-drop queue, not just weighted servicing. Option D is wrong because policing at the ingress drops excess traffic to enforce a rate limit, which contradicts the requirement for lossless behavior; marking at the egress only sets QoS markings and does not prevent drops.

18
MCQ · easy

A data center runs OSPF as the underlay for an EVPN-VXLAN fabric. The fabric includes two spine switches and eight leaf switches. After adding a new leaf switch, the network team notices that some EVPN routes are missing from the other leaves. The new leaf has established BGP EVPN sessions to both spines and the BGP sessions are up. The spines report receiving all routes from the new leaf, but the other leaves do not receive certain prefixes. The engineer checks the BGP configuration on the new leaf and sees the address-family l2vpn evpn is configured under router bgp. Which action should the engineer take to resolve the issue?

A. Check the new leaf's BGP router ID for uniqueness
B. Verify the new leaf has the address-family l2vpn evpn activated under the neighbor configuration
C. Ensure the new leaf's BGP next-hop-self is enabled
D. Verify the cluster ID on the route reflectors is consistent
Answer: B

The address-family must be activated under each neighbor to advertise routes.

Why this answer

The issue is that the new leaf has BGP EVPN sessions to both spines, but other leaves do not receive certain prefixes. Since the spines (acting as route reflectors) receive all routes from the new leaf but do not propagate them to other leaves, the most likely cause is that the address-family l2vpn evpn is not activated under the neighbor configuration on the new leaf. Without this activation, the new leaf does not advertise its EVPN routes to the spines, even though the BGP session is up and the address-family is configured globally under router bgp.

Exam trap

Cisco often tests the distinction between configuring the address-family globally under router bgp versus activating it under a specific neighbor, leading candidates to assume global configuration is sufficient.

How to eliminate wrong answers

Option A is wrong because a duplicate BGP router ID would cause session flapping or instability, not a selective missing of certain prefixes while the BGP sessions remain up. Option C is wrong because next-hop-self is not required in an EVPN-VXLAN fabric with an OSPF underlay; the spines (route reflectors) typically handle next-hop processing, and the issue is about route advertisement, not next-hop reachability. Option D is wrong because the cluster ID on route reflectors must be consistent to prevent loops, but inconsistent cluster IDs would cause all reflected routes to be affected, not just certain prefixes, and the spines are already receiving all routes from the new leaf.

19
Multi-Select · medium

Which three EVPN route types are essential for VXLAN EVPN operation in a typical data center fabric? (Choose three.)

Select 3 answers
A. Type-3 (Inclusive Multicast Ethernet Tag)
B. Type-2 (MAC/IP Advertisement)
C. Type-4 (Ethernet Segment)
D. Type-5 (IP Prefix Advertisement)
E. Type-1 (Ethernet Auto-Discovery)
Answers: A, B, D

Required for BUM traffic forwarding.

Why this answer

Type-3 (Inclusive Multicast Ethernet Tag) routes are essential for VXLAN EVPN because they enable BUM traffic replication across the underlay network by advertising the VNI and multicast group mapping, allowing VTEPs to join the correct multicast tree for flooding unknown unicast, broadcast, and multicast frames.

Exam trap

Cisco often tests the misconception that Type-1 and Type-4 are required for all VXLAN EVPN deployments, but they are only mandatory for multi-homing (EVPN-MH) or MPLS interworking, not for a typical single-homed data center fabric.

20
MCQ · medium

A data center uses Cisco ACI with multiple tenants. The security policy requires that all traffic between EPGs must be explicitly allowed via contracts. However, the operations team reports that communication between two EPGs in the same bridge domain is working even though no contract is applied. What is the most likely reason?

A. The default behavior in ACI allows communication between EPGs in the same bridge domain without a contract
B. The contract is applied but not enforced due to a configuration error
C. The VRF has a default route that bypasses contract enforcement
D. A preferred group contract is applied to the VRF
Answer: A

ACI allows intra-BD communication by default; contracts are needed for inter-BD or inter-VRF traffic.

Why this answer

In Cisco ACI, the default behavior for EPGs within the same bridge domain (BD) is that they can communicate without a contract. This is because EPGs in the same BD share the same Layer 2 domain, and ACI does not enforce contract-based filtering for intra-BD traffic unless a contract is explicitly applied. The security policy requiring contracts applies only to inter-BD or inter-VRF traffic, not to intra-BD communication.

Exam trap

Cisco often tests the misconception that contracts are required for all EPG-to-EPG communication, but the trap here is that intra-BD traffic is an exception where no contract is needed by default.

How to eliminate wrong answers

Option B is wrong because if a contract were applied but not enforced due to a configuration error, the traffic would still be blocked or behave unpredictably, not consistently work; ACI enforces contracts at the leaf switch level, and a misconfiguration would typically cause a deny, not an allow. Option C is wrong because a default route in the VRF does not bypass contract enforcement; contracts are enforced at the EPG level regardless of routing, and a default route only affects Layer 3 forwarding, not policy enforcement. Option D is wrong because a preferred group contract would explicitly allow all traffic within the VRF, but the question states no contract is applied; a preferred group contract is a contract that must be explicitly configured, and its absence means it cannot be the reason.

21
MCQ · medium

A network engineer is configuring a Fabric Extender (FEX) to connect to a parent switch. Which best practice should be followed for FEX host interfaces?

A. Configure all host interfaces as trunk ports.
B. Use the same FEX ID for redundancy.
C. Use LACP for the FEX uplinks.
D. Enable Virtual Port Channel (vPC) on the parent switch.
E. Disable spanning-tree on FEX host interfaces.
Answer: D

vPC provides active-active redundancy for FEX uplinks.

Why this answer

Enabling Virtual Port Channel (vPC) on the parent switch is a best practice for FEX host interfaces because it allows the FEX to be dual-homed to two separate parent switches, providing link-level redundancy and active-active forwarding. Without vPC, the FEX would rely on a single parent switch, creating a single point of failure and potentially causing traffic black-holing during a parent switch failure.

Exam trap

Cisco often tests the misconception that FEX uplinks require LACP or that FEX IDs can be shared for redundancy, when in fact FEX uplinks use static fabric channels and each FEX must have a unique ID.

How to eliminate wrong answers

Option A is wrong because configuring all host interfaces as trunk ports is not a best practice; FEX host interfaces should typically be configured as access ports or host-facing ports (using the 'switchport host' macro) to optimize STP and port-channel settings, and trunk ports are only needed if the downstream device requires multiple VLANs. Option B is wrong because using the same FEX ID for redundancy is not possible; each FEX must have a unique FEX ID to be properly identified by the parent switch, and redundancy is achieved through vPC or dual-homing, not by sharing IDs. Option C is wrong because LACP is not used for FEX uplinks; FEX uplinks use a proprietary fabric channel (FabricPortChannel) that does not support LACP, and the FEX-to-parent switch link is a static port-channel or individual fabric links.

Option E is wrong because disabling spanning-tree on FEX host interfaces is dangerous and not a best practice; while FEX host interfaces can use the 'spanning-tree portfast' feature to bypass listening/learning states, completely disabling spanning-tree would risk loops if a downstream device is misconfigured or a cable is looped.

22
MCQ · medium

A server connected to Ethernet1/1 is unable to communicate on VLAN 1. The server is configured to send untagged frames. Based on the exhibit, what is the most likely cause?

A. The spanning-tree port type edge trunk is causing BPDU guard to block the port.
B. The port is in err-disabled state due to a loop.
C. VLAN 1 is not allowed on the trunk, so untagged frames are dropped.
D. The port is administratively down.
Answer: C

Untagged frames are placed in native VLAN 1, but VLAN 1 is not in the allowed list.

Why this answer

The server sends untagged frames, which are placed into the native VLAN of the trunk port. By default, the native VLAN is VLAN 1. However, if VLAN 1 is explicitly removed from the allowed VLAN list on the trunk (e.g., with 'switchport trunk allowed vlan remove 1'), the switch will drop all frames belonging to that VLAN, including untagged frames that would otherwise be classified into VLAN 1.

This matches the exhibit where the port is configured as a trunk but VLAN 1 is not allowed, causing the server's traffic to be dropped.

Exam trap

Cisco often tests the misconception that untagged frames are always allowed on a trunk port, but the trap here is that the native VLAN must be explicitly permitted in the allowed VLAN list; otherwise, untagged frames are dropped even if the port is up and configured as a trunk.

How to eliminate wrong answers

Option A is wrong because spanning-tree port type edge trunk enables PortFast and BPDU guard on a trunk, but BPDU guard would only block the port if a BPDU is received, not because of VLAN 1 untagged traffic. Option B is wrong because the port is not in err-disabled state; the exhibit shows the port is up/up, and a loop would cause a different error condition like a spanning-tree loop or err-disable due to a loop guard violation. Option D is wrong because the port is administratively up; the exhibit shows the port status as 'connected' or 'up/up', not 'administratively down'.

23
MCQ · easy

A data center network uses VXLAN EVPN for network virtualization. Which component is responsible for advertising MAC addresses and host routes across the fabric?

A. Static routing.
B. MP-BGP EVPN address family.
C. OSPF.
D. VXLAN VTEP.
Answer: B

MP-BGP EVPN is the control plane for VXLAN EVPN.

Why this answer

In a VXLAN EVPN fabric, the MP-BGP EVPN address family (AFI L2VPN / SAFI EVPN) is the control plane protocol that distributes MAC addresses, IP-to-MAC bindings, and host routes (Type-2 routes) across all VTEPs. This enables each VTEP to build its forwarding table dynamically without relying on data-plane learning or flooding, ensuring optimal east-west traffic forwarding.

Exam trap

Cisco often tests the distinction between the data-plane function (VTEP encapsulation) and the control-plane function (MP-BGP EVPN), so the trap here is that candidates mistakenly think the VTEP itself advertises MAC addresses, when in fact it relies on MP-BGP EVPN for that role.

How to eliminate wrong answers

Option A is wrong because static routing is a manual configuration method that cannot dynamically advertise MAC addresses or host routes across a VXLAN EVPN fabric; it lacks the control-plane intelligence needed for EVPN route distribution. Option C is wrong because OSPF is an interior gateway protocol (IGP) designed for IPv4/IPv6 unicast routing, not for advertising Layer 2 MAC addresses or EVPN-specific routes like Type-2 or Type-3. Option D is wrong because a VXLAN VTEP is a data-plane endpoint that encapsulates/decapsulates VXLAN frames; it does not itself advertise MAC addresses or host routes—that function is performed by the control plane (MP-BGP EVPN).

24
MCQ · easy

Which command displays the VLANs allowed on a trunk interface?

A. show running-config interface
B. show vlan
C. show interface switchport
D. show interface trunk
Answer: D

This command directly shows trunk status and allowed VLANs.

Why this answer

The 'show interface trunk' command displays trunk parameters, including the VLANs allowed on the trunk interface. This command shows the trunking mode, encapsulation (e.g., 802.1Q), and the allowed VLAN list for each trunk port. It is the direct command to verify which VLANs are permitted on a specific trunk link.

Exam trap

The trap here is that candidates often confuse 'show interface switchport' (which shows trunking status and native VLAN) with 'show interface trunk' (which shows the allowed VLAN list), leading them to choose option C instead of D.

How to eliminate wrong answers

Option A is wrong because 'show running-config interface' displays the running configuration for an interface, which may include the 'switchport trunk allowed vlan' command if configured, but it does not show the dynamic or negotiated allowed VLAN list, and it is not the standard command to view active trunk parameters. Option B is wrong because 'show vlan' displays VLAN information and which ports are members of each VLAN, but it does not show the allowed VLAN list on a trunk interface; it shows access VLAN membership. Option C is wrong because 'show interface switchport' displays administrative and operational switchport modes, including trunking status, but it does not show the allowed VLAN list; it shows the native VLAN and trunk encapsulation but not the permitted VLANs.

25
MCQ · easy

A data center uses VPC between two Nexus switches. Which statement is true about the VPC peer-link?

A. It must be a single link.
B. It carries only control traffic.
C. It is used only for orphan ports.
D. It carries both data and control traffic.
Answer: D

The VPC peer-link is used for both control plane communication (e.g., configuration synchronization) and data plane forwarding (e.g., for orphan ports or traffic requiring cross-peer forwarding).

Why this answer

The VPC peer-link is a critical component in a vPC domain, carrying both data traffic (e.g., traffic from orphan ports or traffic that must traverse the peer-link for forwarding) and control traffic (e.g., vPC keepalive messages and Cisco Fabric Services (CFS) synchronization). This dual role ensures that the two Nexus switches operate as a single logical entity for the downstream devices, providing loop-free Layer 2 multipathing.

Exam trap

Cisco often tests the misconception that the peer-link is only for control traffic, but the trap here is that candidates forget the peer-link also carries data traffic for orphan ports and for forwarding when a vPC member link fails.

How to eliminate wrong answers

Option A is wrong because the peer-link can consist of up to eight physical links bundled into a single port-channel (using LACP or static mode on), not a single link. Option B is wrong because the peer-link carries both control traffic (e.g., vPC keepalive, CFS) and data traffic (e.g., traffic for orphan ports, multicast, or broadcast frames). Option C is wrong because the peer-link is used for many purposes beyond orphan ports, including forwarding traffic for vPC member ports when the local link fails and synchronizing MAC address tables.

26
MCQ · hard

In a Cisco ACI fabric, a tenant has multiple bridge domains in the same VRF all with 'Unicast Routing' enabled and hardware proxy mode. However, endpoints in different BDs within the same VRF cannot communicate even with a contract. What is a possible reason?

A. The 'L3 Unknown Multicast Flooding' is set to flood.
B. The 'ARP Flooding' is enabled.
C. The contracts are unidirectional.
D. The bridge domains are in different subnets.
Answer: B

In hardware proxy mode, ARP flooding should be disabled to enable proxy ARP. If enabled, the leaf will flood ARP requests and proxy behavior may not function, potentially breaking communication.

Why this answer

When 'Unicast Routing' is enabled on a bridge domain (BD) in hardware proxy mode, the ACI fabric relies on the endpoint database to forward traffic between BDs within the same VRF. For inter-BD communication, the source BD must learn the destination endpoint's MAC address via ARP. If 'ARP Flooding' is disabled (the default when Unicast Routing is enabled), the fabric does not flood ARP requests to remote BDs; instead, it expects the ARP request to be resolved by the COOP database.

However, in hardware proxy mode, the fabric does not automatically proxy ARP for endpoints in different BDs, so ARP requests are dropped, preventing communication even with a contract. Enabling 'ARP Flooding' allows ARP requests to flood across BDs, enabling endpoint discovery and thus inter-BD communication.

Exam trap

Cisco often tests the misconception that enabling 'Unicast Routing' and a contract is sufficient for inter-BD communication, but the trap is that ARP flooding must also be enabled to allow endpoint discovery across bridge domains in hardware proxy mode.

How to eliminate wrong answers

Option A is wrong because 'L3 Unknown Multicast Flooding' set to flood controls how unknown multicast traffic is handled at Layer 3, not ARP or unicast routing between BDs; it does not affect inter-BD unicast communication. Option C is wrong because contracts in ACI are inherently unidirectional by design (a contract provides a direction from provider to consumer), but this does not prevent communication; a contract must be applied correctly with both directions considered, but the issue here is ARP resolution, not contract directionality. Option D is wrong because bridge domains in different subnets are expected for inter-BD routing; the problem is not subnet mismatch but the lack of ARP flooding to resolve endpoints across BDs.

27
MCQ · easy

In a VXLAN EVPN fabric, which protocol is used to exchange MAC and IP address reachability information among VTEPs?

A. BGP
B. IS-IS
C. EIGRP
D. OSPF
Answer: A

BGP EVPN is the standard control plane for VXLAN.

Why this answer

In a VXLAN EVPN fabric, BGP (Border Gateway Protocol) is used as the control plane protocol to exchange MAC and IP address reachability information among VTEPs. Specifically, MP-BGP (Multiprotocol BGP) with EVPN address family (AFI L2VPN / SAFI EVPN) carries Type-2 routes (MAC/IP advertisement) to distribute host reachability across the overlay network, enabling efficient MAC learning and ARP suppression.

Exam trap

Cisco often tests the distinction between underlay routing protocols (OSPF, IS-IS, EIGRP) and the overlay control plane (MP-BGP EVPN), leading candidates to mistakenly select an IGP that handles only underlay IP reachability rather than the protocol that actually exchanges MAC/IP information in the overlay.

How to eliminate wrong answers

Option B (IS-IS) is wrong because IS-IS is a link-state IGP used for underlay routing (e.g., IP reachability between VTEPs) but does not carry MAC/IP reachability information in the overlay; EVPN requires MP-BGP for this purpose. Option C (EIGRP) is wrong because EIGRP is a Cisco-proprietary distance-vector IGP that operates only in the underlay and lacks the multiprotocol extensions and EVPN address family needed to exchange MAC/IP routes. Option D (OSPF) is wrong because OSPF is a link-state IGP used for underlay IP routing and cannot transport Layer 2 MAC or host IP information; it does not support the EVPN NLRI or BGP-based control plane required for VXLAN EVPN fabrics.

28
Multi-Select · easy

An engineer is troubleshooting a VXLAN network where traffic between two VTEPs in the same VNI is not being forwarded. The underlay network is operational and IP connectivity exists between the VTEPs. Which two actions should the engineer take to verify the VXLAN configuration?

Select 2 answers
A. Verify that the multicast group for BUM traffic is reachable.
B. Verify that the NVE interface is configured with the correct source-interface.
C. Verify that the VXLAN tunnel endpoint IP addresses are in the same subnet.
D. Verify that the VNI is mapped to the correct VLAN on the local VTEP.
E. Verify that the VXLAN routing table is populated correctly.
Answers: B, D

The NVE interface must have a valid source-interface to encapsulate VXLAN packets.

Why this answer

Options B and D are correct because the NVE interface must have a valid source-interface to encapsulate VXLAN packets, and the VNI must be mapped to the correct VLAN to forward traffic. Option A is incorrect because multicast group reachability is only required for BUM traffic, not unicast. Option C is incorrect because VTEP IPs can be on different subnets.

Option E is incorrect because VXLAN is a Layer 2 overlay and does not involve routing.

29
MCQ · medium

During a network upgrade, an engineer applies a new OSPF configuration on a Nexus 9000 spine. After the change, several leaf switches lose connectivity to each other. The engineer examines the logs and sees OSPF adjacency flapping. What is the most likely cause?

A. Duplicate router IDs.
B. OSPF hello timer mismatch.
C. MTU mismatch on the fabric links.
D. Incorrect area configuration.
Answer: A

Duplicate router IDs cause OSPF neighbors to flap.

Why this answer

Duplicate router IDs cause OSPF adjacency flapping because OSPF uses the Router ID (RID) to uniquely identify each router in the OSPF domain. When two routers share the same RID, they reject each other's Hello packets, leading to repeated adjacency resets. In a Nexus 9000 spine-leaf topology, this often occurs when the spine's RID is accidentally configured to match an existing leaf's RID, disrupting the entire fabric's OSPF convergence.

Exam trap

Cisco often tests the distinction between 'adjacency flapping' (caused by duplicate RIDs or mismatched authentication) and 'failure to form adjacency' (caused by hello/dead timer or MTU mismatches), so candidates mistakenly choose MTU or timer issues when the symptom is flapping rather than non-formation.

How to eliminate wrong answers

Option B is wrong because an OSPF hello timer mismatch prevents adjacency formation entirely (neighbors remain in INIT state), not flapping; flapping implies adjacency is established and then breaks. Option C is wrong because an MTU mismatch on fabric links typically causes OSPF to fail to form adjacency (stuck in EXSTART/EXCHANGE) due to database descriptor packet rejection, not flapping. Option D is wrong because an incorrect area configuration would cause a type mismatch in Hello packets (area ID field), preventing adjacency from forming at all, not causing established adjacencies to flap.

30
MCQ · hard

In a BGP EVPN deployment, route type 2 (MAC/IP advertisement) is used to advertise MAC addresses. What additional information is carried in route type 2 for IP routing?

A. IP address and route distinguisher
B. IP address and MAC address
C. IP prefix and next-hop
D. MAC address and VNI
Answer: B

Route type 2 contains the MAC address and optionally the IP address for host routing.

Why this answer

In BGP EVPN, route type 2 (MAC/IP Advertisement Route) is used to advertise both MAC addresses and their associated IP addresses. The additional information carried for IP routing is the IP address and the MAC address, enabling the control plane to support both Layer 2 bridging and Layer 3 routing (e.g., host route advertisement for IP-based forwarding). This is defined in RFC 7432, where the route type 2 NLRI includes a MAC address field and an optional IP address field.

Exam trap

Cisco often tests the distinction between route type 2 (MAC/IP advertisement) and route type 5 (IP prefix route), trapping candidates who confuse the IP address field in type 2 with an IP prefix or next-hop information.

How to eliminate wrong answers

Option A is wrong because the route distinguisher (RD) is part of the EVPN NLRI prefix, not an additional field carried specifically for IP routing; it is used to distinguish overlapping IP prefixes across different VRFs. Option C is wrong because route type 2 carries a single IP address (e.g., a /32 host route), not an IP prefix and next-hop; IP prefix and next-hop are associated with route type 5 (IP prefix route). Option D is wrong because while the MAC address and VNI are present in route type 2, the VNI is part of the EVPN NLRI for identifying the broadcast domain, not an additional element for IP routing; the question specifically asks for the additional information carried for IP routing, which is the IP address.

31
MCQ · easy

A network engineer is configuring a VPC peer-link on a Nexus switch. Which interface configuration is required for the peer-link port-channel?

A. switchport mode trunk
B. spanning-tree port type edge trunk
C. switchport mode access
D. no switchport
Answer: A

Trunk mode allows multiple VLANs to traverse the peer-link.

Why this answer

A VPC peer-link is a special port-channel that carries control traffic (e.g., Cisco Fabric Services over Ethernet) and data traffic between VPC peer switches. It must be configured as a trunk (switchport mode trunk) to allow multiple VLANs, including the VPC VLAN and the peer-keepalive link VLAN, to traverse the link. Without trunk mode, the peer-link cannot properly forward the necessary VLAN traffic for VPC operation.

Exam trap

Cisco often tests the distinction between a VPC peer-link (which must be a Layer 2 trunk) and a VPC peer-keepalive link (which is a Layer 3 routed link), causing candidates to confuse the two and incorrectly apply 'no switchport' to the peer-link.

How to eliminate wrong answers

Option B is wrong because 'spanning-tree port type edge trunk' is used for access ports connected to end hosts to enable PortFast and BPDU guard, not for a VPC peer-link which is a core infrastructure link that should use a normal spanning-tree port type (e.g., network or normal). Option C is wrong because 'switchport mode access' restricts the interface to a single VLAN, which would prevent the peer-link from carrying the multiple VLANs required for VPC data and control traffic. Option D is wrong because 'no switchport' places the interface into routed (Layer 3) mode, but a VPC peer-link must operate at Layer 2 to forward VLAN-tagged frames between the VPC peers.

32
MCQ · medium

Which statement is true about the VLANs carried on a VPC peer-link?

A. The peer-link carries only the VLANs allowed on the member interfaces.
B. The peer-link carries all VLANs that are allowed on the trunk interface.
C. The peer-link requires spanning-tree port type edge trunk configuration.
D. The peer-link must be configured as a layer 3 interface.
Answer: B

The peer-link is a trunk that can carry any VLAN allowed on it.

Why this answer

In a vPC domain, the peer-link is a special trunk that carries all VLANs allowed on the trunk interface, including those not present on any member port. This ensures that orphaned traffic (traffic arriving on the peer-link destined for a device connected to the other vPC peer) can be forwarded correctly. The peer-link must carry all VLANs to maintain Layer 2 connectivity and loop-free behavior without relying on spanning tree.

Exam trap

Cisco often tests the misconception that the peer-link only carries VLANs present on member ports, when in fact it must carry all VLANs allowed on the trunk to support orphan port traffic and maintain vPC loop-free operation.

How to eliminate wrong answers

Option A is wrong because the peer-link carries all VLANs allowed on the trunk interface, not only those allowed on the member interfaces; restricting VLANs would break traffic for orphan ports. Option C is wrong because the peer-link does not require spanning-tree port type edge trunk; it typically uses a regular trunk with spanning-tree BPDU filtering or guard enabled, but edge trunk is not a requirement. Option D is wrong because the peer-link must be a Layer 2 trunk interface, not a Layer 3 interface, as it carries VLAN traffic between vPC peers.

33
MCQ · medium

An engineer is troubleshooting connectivity between two Nexus 9000 switches configured with vPC. The vPC peer link is up, but the vPC peer-keepalive link is failing. Which action should be taken to ensure vPC convergence in the event of a peer-link failure?

A. Ensure the peer-keepalive link uses a dedicated management interface or a separate VRF.
B. Disable vPC on both switches and reconfigure the port channels.
C. Reconfigure the vPC domain with a lower priority on the secondary switch.
D. Increase the vPC peer-keepalive hold timeout to 5 seconds.
Answer: A

A dedicated keepalive link ensures reliable communication and prevents split-brain.

Why this answer

When the vPC peer link fails, the peer-keepalive link is used by the secondary switch to detect that the primary is still alive and to avoid becoming the primary (which would cause a split-brain scenario). Using a dedicated management interface or a separate VRF ensures the keepalive messages are isolated from the data plane and remain reachable even if the peer link goes down, allowing the secondary to correctly keep its vPC member ports in a suspended state and maintain convergence.

Exam trap

Cisco often tests the misconception that the peer-keepalive link is only for role negotiation during normal operation, when in fact it is critical for preventing split-brain during peer-link failures, and candidates may overlook the need for its isolation from the data plane.

How to eliminate wrong answers

Option B is wrong because disabling vPC and reconfiguring port channels is a disruptive, manual process that does not address the keepalive failure and would cause unnecessary downtime; vPC convergence relies on the keepalive link to prevent split-brain, not on reconfiguration. Option C is wrong because changing the vPC domain priority on the secondary switch does not affect the keepalive link's functionality; priority determines the role (primary/secondary) but does not fix a failing keepalive path. Option D is wrong because increasing the hold timeout to 5 seconds only delays the detection of a keepalive failure, potentially prolonging a split-brain scenario; it does not ensure the keepalive link is reliable or isolated.

34
Multi-Select · easy

Which TWO characteristics are true about Cisco VPC? (Choose two)

Select 2 answers
A. VPC allows dual-homing of a server to two different switches.
B. VPC keepalive uses Layer 2 connectivity.
C. VPC requires a dedicated management VLAN.
D. VPC peer-link can be a single link or EtherChannel.
E. VPC member ports can be on different VLANs on each peer.
Answers: A, D

VPC enables a server to connect to two switches simultaneously, treating them as a single logical node.

Why this answer

Option A is correct because Cisco Virtual PortChannel (vPC) allows a server to be dual-homed to two different switches, enabling active-active load balancing and link redundancy. This is achieved by making the two switches appear as a single logical switch to the downstream device using the vPC protocol, which synchronizes state and forwarding information across the peer link.

Exam trap

Cisco often tests the misconception that vPC keepalive uses Layer 2 connectivity, when in fact it requires Layer 3 reachability, and that vPC member ports can have mismatched VLANs, which is not allowed because the VLAN configuration must be consistent across both peers for the vPC to operate correctly.

35
MCQ · hard

Refer to the exhibit. What is the most likely cause of the NVE interface being down?

A. The VXLAN destination UDP port is incorrect.
B. The overlay VLAN is not configured.
C. The source interface is not configured.
D. The VNI list is empty.
Answer: C

The output shows 'Source Interface: not configured', which prevents NVE from coming up.

Why this answer

The NVE (Network Virtualization Edge) interface requires a valid source interface (typically a loopback) to establish VXLAN tunnels. If the source interface is not configured under the NVE interface, the interface remains in a down state because it cannot form VXLAN overlay adjacencies. This is the most common cause of an NVE interface being down in Cisco NX-OS.

Exam trap

Cisco often tests the specific requirement that the NVE interface must have a source interface configured to come up, and candidates mistakenly think an empty VNI list or incorrect UDP port would cause the interface to be down, but those affect traffic forwarding, not the interface state.

How to eliminate wrong answers

Option A is wrong because the VXLAN destination UDP port (default 4789) is a static value used for encapsulation and does not affect the operational state of the NVE interface itself; an incorrect port would cause packet drops but not bring the interface down. Option B is wrong because the overlay VLAN is configured under the bridge domain or VNI mapping, not directly on the NVE interface, and its absence would prevent traffic forwarding but not cause the NVE interface to be down. Option D is wrong because an empty VNI list means no VNIs are mapped to the NVE, which would prevent VXLAN traffic but the NVE interface can still be up/up if the source interface is properly configured.

36
MCQ · medium

In a centralized anycast gateway VXLAN EVPN design, which is a requirement?

A. Each VTEP has a unique anycast IP address.
B. All VTEPs share a common anycast IP address for the default gateway.
C. The anycast gateway is configured on the spine switches.
D. The route reflector is an external BGP speaker.
Answer: B

This is the definition of centralized anycast gateway.

Why this answer

In a centralized anycast gateway VXLAN EVPN design, all VTEPs share a common anycast IP address and MAC address for the default gateway. This allows any VTEP to serve as the first-hop router for hosts, enabling optimal east-west traffic forwarding without requiring a separate gateway device. The anycast IP is configured on each VTEP's VLAN interface, and the same IP/MAC is advertised via EVPN Type-2 routes.

Exam trap

Cisco often tests the misconception that the anycast gateway is configured on spine switches or that each VTEP uses a unique anycast IP, when in fact the shared anycast IP/MAC on leaf VTEPs is the defining requirement.

How to eliminate wrong answers

Option A is wrong because each VTEP does not have a unique anycast IP address; instead, all VTEPs share the same anycast IP and MAC for the default gateway. Option C is wrong because the anycast gateway is configured on the leaf switches (VTEPs), not on the spine switches, which act as route reflectors or underlay forwarders. Option D is wrong because the route reflector can be an internal BGP speaker (e.g., a spine switch) and does not have to be an external BGP speaker; in fact, iBGP is commonly used within the fabric.

37
MCQ · medium

An engineer is troubleshooting high CPU utilization on a Nexus 7700 switch. The output of 'show process cpu' shows high usage from the 'netstack' process. Which action should the engineer take to identify the cause?

A. Enable 'feature netstack' to get more details.
B. Reboot the switch to clear the process.
C. Check for broadcast storms using 'show interface'.
D. Use 'show system internal netstack stats'.
Answer: D

This command shows internal netstack counters and helps isolate the issue.

Why this answer

The 'netstack' process handles network stack operations, including packet processing and forwarding. The 'show system internal netstack stats' command provides detailed internal statistics about the netstack process, such as packet drops, buffer usage, and error counters, which help pinpoint the root cause of high CPU utilization.

Exam trap

Cisco often tests the distinction between generic interface troubleshooting and process-specific internal diagnostics, leading candidates to choose a broad command like 'show interface' instead of the targeted internal command for the identified process.

How to eliminate wrong answers

Option A is wrong because 'feature netstack' is not a valid command; netstack is an internal process, not a feature that can be enabled. Option B is wrong because rebooting the switch is a disruptive, temporary fix that does not identify the underlying cause and may mask the issue. Option C is wrong because, while broadcast storms can cause high CPU, the question specifically identifies the 'netstack' process, and 'show interface' does not provide netstack-specific statistics; the correct diagnostic command targets the process directly.

38
MCQeasy

A network engineer is configuring a VPC on a pair of Nexus 9000 switches. Which command is required to synchronize the configuration between the VPC peers?

A.auto-recovery.
B.peer-keepalive destination <ip>.
C.vpc domain <id>.
D.role preempt.
AnswerB

Peer-keepalive is mandatory for vPC to monitor peer liveness.

Why this answer

Option B is correct because the `peer-keepalive destination <ip>` command configures the Layer 3 heartbeat between the vPC peers, and the vPC domain will not form without it. Be precise about what the keepalive does and does not do: it carries only liveness probes, so each peer can tell a dead peer from a failed peer-link. Configuration consistency checking and state synchronization (MAC table, IGMP snooping and vPC state) run over the peer-link using Cisco Fabric Services (CFS), not over the keepalive, and actual replication of configuration between the peers is a separate feature (switch profiles with `config sync`, on platforms that support it), not part of vPC itself. Verify the heartbeat with `show vpc peer-keepalive`.

Exam trap

Cisco often tests the distinction between the peer-keepalive (Layer 3, ideally over mgmt0 or a dedicated link, never across the peer-link itself) and the peer-link (a Layer 2 port-channel): candidates assume the keepalive carries configuration, when it only detects peer liveness and the consistency checks ride the peer-link.

How to eliminate wrong answers

Option A is wrong because `auto-recovery` restores suspended vPC member ports on the secondary after both the peer-link and the keepalive have failed (or when a peer never returns after a dual reload); it does not synchronize configurations. Option C is wrong because `vpc domain <id>` creates the vPC domain and enables vPC functionality, but it does not directly synchronize configurations; it is a prerequisite command, not the synchronization mechanism. Option D is wrong because `role preempt` controls which peer assumes the primary role after a failure, but it does not handle configuration synchronization; it affects role election, not data consistency.

39
MCQmedium

A network engineer is troubleshooting a VXLAN EVPN problem where some endpoints are not reachable. The output of 'show bgp l2vpn evpn' shows Type-3 routes but no Type-2 routes for a specific VNI. What should the engineer check?

A.The route-target import/export is misconfigured.
B.BGP session is not established.
C.The VNI is not configured under the NVE interface.
D.The VLAN corresponding to the VNI has no active ports.
AnswerD

Type-2 routes carry MAC/IP information. Without active ports in the VLAN, no MACs are learned, so no Type-2 routes are advertised.

Why this answer

Type-3 routes (IMET routes) are used for BUM traffic forwarding and are advertised when the VNI is configured under the NVE interface, even if no endpoints are active. Type-2 routes (MAC/IP advertisement routes) are only generated when the switch learns a MAC address on a VLAN associated with that VNI. If Type-3 routes exist but Type-2 routes are missing, the VNI is correctly configured for the overlay, but no active ports in the corresponding VLAN are learning MAC addresses, preventing Type-2 route generation.

Exam trap

Cisco often tests the distinction between control-plane (BGP route types) and data-plane (VNI/NVE configuration) readiness, trapping candidates who assume Type-3 routes imply full VNI functionality without checking for active MAC learning on the access side.

How to eliminate wrong answers

Option A is wrong because Type-2 and Type-3 routes for a VNI carry the same L2VNI route-target, so a route-target import/export misconfiguration would hide both route types, not selectively block Type-2 while allowing Type-3. Option B is wrong because if the BGP session were not established, no EVPN routes (neither Type-2 nor Type-3) would appear in the 'show bgp l2vpn evpn' output. Option C is wrong because if the VNI were not configured under the NVE interface, the switch would not generate any EVPN routes for that VNI, including Type-3 routes.
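Worked example, added for this page rather than taken from it: a small Python script that groups the entries in 'show bgp l2vpn evpn' output by VNI and EVPN route type and reports any VNI that has Type-3 (IMET) routes but no Type-2 (MAC/IP) routes, the exact symptom the question describes. The sample output embedded in the script is constructed to mimic the NX-OS layout (RD sections labelled '(L2VNI n)', route lines starting with '*>' and the bracketed route type); it was not captured from a switch, and the VNI, MAC and VTEP values are invented.

```python
"""Flag VNIs that advertise IMET (Type-3) routes but carry no MAC/IP (Type-2) routes."""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample in the NX-OS 'show bgp l2vpn evpn' layout (not real switch output).
# VNI 10000: only Type-3 routes (no host has been learned in its VLAN).
# VNI 10001: Type-2 MAC and MAC/IP routes plus the local Type-3 route.
SAMPLE_SHOW_BGP_L2VPN_EVPN = """\
BGP routing table information for VRF default, address family L2VPN EVPN
BGP table version is 42, Local Router ID is 10.1.1.1
Status: s-suppressed, x-deleted, S-stale, d-dampened, h-history, *-valid, >-best
Path type: i-internal, e-external, c-confed, l-local, a-aggregate, r-redist, I-injected
Origin codes: i - IGP, e - EGP, ? - incomplete, | - multipath, & - backup

   Network            Next Hop            Metric     LocPrf     Weight Path
Route Distinguisher: 10.1.1.2:32777
*>i[3]:[0]:[32]:[10.1.1.2]/88
                      10.1.1.2                          100          0 i

Route Distinguisher: 10.1.1.1:32777    (L2VNI 10000)
*>i[3]:[0]:[32]:[10.1.1.2]/88
                      10.1.1.2                          100          0 i
*>l[3]:[0]:[32]:[10.1.1.1]/88
                      10.1.1.1                          100      32768 i

Route Distinguisher: 10.1.1.1:32778    (L2VNI 10001)
*>l[2]:[0]:[0]:[48]:[0050.56a1.0001]:[0]:[0.0.0.0]/216
                      10.1.1.1                          100      32768 i
*>l[2]:[0]:[0]:[48]:[0050.56a1.0001]:[32]:[192.168.1.10]/272
                      10.1.1.1                          100      32768 i
*>l[3]:[0]:[32]:[10.1.1.1]/88
                      10.1.1.1                          100      32768 i
"""

# "Route Distinguisher: <rd>" optionally followed by "(L2VNI <n>)" for locally imported sections.
RD_RE = re.compile(r"^Route Distinguisher: (?P<rd>\S+)(?:\s+\(L2VNI (?P<vni>\d+)\))?")
# Route lines start with the status flags and the bracketed EVPN route type, e.g. "*>l[2]:".
ROUTE_RE = re.compile(r"^\*[> ]?[a-zA-Z]?\[(?P<rtype>\d)\]:")

ROUTE_TYPE_NAMES = {1: "Ethernet A-D", 2: "MAC/IP", 3: "IMET", 4: "Ethernet Segment", 5: "IP Prefix"}


def parse_evpn_routes(output: str) -> dict[int, dict[int, int]]:
    """Return {vni: {route_type: count}} for the RD sections NX-OS labels with an L2VNI.

    Sections without an L2VNI label are raw routes received from remote VTEPs; they are
    skipped because the import into a VNI is what proves the route-target matched.
    """
    counts: dict[int, dict[int, int]] = defaultdict(lambda: defaultdict(int))
    vni: int | None = None
    for line in output.splitlines():
        rd = RD_RE.match(line)
        if rd:
            vni = int(rd["vni"]) if rd["vni"] else None
            continue
        route = ROUTE_RE.match(line)
        if route and vni is not None:
            counts[vni][int(route["rtype"])] += 1
    return {v: dict(c) for v, c in counts.items()}


def vnis_without_type2(output: str) -> list[int]:
    """VNIs that have an IMET (Type-3) route but no MAC/IP (Type-2) route at all."""
    by_vni = parse_evpn_routes(output)
    return sorted(v for v, c in by_vni.items() if c.get(3, 0) > 0 and c.get(2, 0) == 0)


def summarize(output: str) -> list[str]:
    """Human-readable per-VNI summary, one line per VNI."""
    lines = []
    for vni, counts in sorted(parse_evpn_routes(output).items()):
        parts = ", ".join(f"{ROUTE_TYPE_NAMES.get(t, f'Type-{t}')}={n}" for t, n in sorted(counts.items()))
        lines.append(f"VNI {vni}: {parts}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_SHOW_BGP_L2VPN_EVPN)))
    print("VNIs with IMET but no MAC/IP routes:", vnis_without_type2(SAMPLE_SHOW_BGP_L2VPN_EVPN))
```

Run it as a script to see the per-VNI summary. When a VNI is flagged, check the access side before touching BGP: 'show vlan id <vlan>' for active ports in the VLAN and 'show mac address-table vlan <vlan>' for locally learned MACs. If a MAC is learned locally and still no Type-2 route appears, then look at the NVE and EVPN configuration for that VNI.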

40
Matchingmedium

Match each Cisco UCS Manager CLI command to its function.


Concepts
Matches

Displays hardware details of servers

Enters organization configuration mode

Creates a logical server definition

Configures virtual network interface card

Applies pending configuration changes

Why these pairings

These commands are used in UCS Manager CLI for server management.

41
Multi-Selecthard

Which TWO statements are true about Cisco ACI contracts? (Choose two)

Select 2 answers
A.Contracts can be reused across multiple EPGs.
B.Contracts are unidirectional from consumer to provider.
C.A contract can include multiple subjects.
D.Subjects within a contract specify only the destination ports.
E.Contracts are always bidirectional.
AnswersA, C

A contract can be applied to many EPG pairs, allowing reuse and simplified policy management.

Why this answer

Option A is correct because Cisco ACI contracts are reusable policy constructs: once a contract is defined, it can be provided and consumed by any number of EPGs without redefining the rules, which keeps policy consistent and reduces administrative overhead. Option C is correct because a contract is a container of one or more subjects, and each subject groups the filters (protocol and port matches) together with its own direction and action settings, so a single contract can describe several distinct flows between the same EPG pair.

Exam trap

Cisco often tests the misconception that contracts are strictly unidirectional from consumer to provider. A subject is applied in both directions by default (the 'Apply Both Directions' and 'Reverse Filter Ports' options), but those are per-subject settings that can be turned off, so neither 'always unidirectional' (B) nor 'always bidirectional' (E) is true, and filters match on more than destination ports (D).

42
MCQmedium

An engineer is configuring VXLAN bridging and routing on a Cisco Nexus 9000 switch. Which configuration is required to enable inter-VNI routing?

A.Configure a VLAN interface under the bridge domain.
B.Enable ip routing under VRF.
C.Configure anycast gateway MAC.
D.Configure a VRF and associate the VLAN interface to it.
AnswerC

Provides a common gateway MAC across all leaf switches, enabling seamless routing between VNIs.

Why this answer

Inter-VNI routing in a VXLAN EVPN fabric uses a distributed anycast gateway: every leaf answers for the same gateway IP and MAC, so a host is routed by whichever VTEP it is attached to and keeps the same gateway after it moves. On NX-OS this takes two pieces: the global `fabric forwarding anycast-gateway-mac <mac>` command that sets the shared MAC, and `fabric forwarding mode anycast-gateway` under each VLAN interface (SVI) that should act as a gateway. The SVI must also sit in a VRF that has an L3 VNI (`vni <n>` under the `vrf context` and `member vni <n> associate-vrf` under `interface nve1`) so that routed traffic between VNIs is carried in the VRF's L3 VNI across the fabric.

Exam trap

Cisco often tests the misconception that enabling routing or associating an SVI to a VRF is sufficient for inter-VNI routing; those steps give you a routed interface on one switch, but without the anycast gateway MAC and mode the gateway is not distributed across the leaves.

How to eliminate wrong answers

Option A is wrong because configuring a VLAN interface under the bridge domain is part of VXLAN bridging, not routing; inter-VNI routing requires an SVI with the anycast gateway, not just a VLAN mapped to a VNI. Option B is wrong because NX-OS routes by default (there is no 'ip routing' command as on IOS), and a routed VRF alone does not make the gateway distributed; the critical missing piece is the anycast gateway MAC. Option D is wrong because associating a VLAN interface to a VRF is necessary for VRF-based routing but alone does not enable inter-VNI routing; the anycast gateway MAC and mode must be configured on the SVI for the switch to act as a distributed gateway.

43
MCQmedium

In a Cisco ACI fabric, a new EPG is created and associated with a bridge domain that has 'Unicast Routing' enabled. However, endpoints in that EPG cannot communicate with endpoints in other EPGs in the same VRF. What is missing?

A.The EPG must be attached to a Layer 3 outside
B.The bridge domain must have 'L3 Unknown Multicast Flooding' set
C.A contract between the EPGs
D.A route leak between bridge domains
AnswerC

Inter-EPG communication requires a contract; without it, packets are dropped.

Why this answer

In Cisco ACI, communication between EPGs within the same VRF is not allowed by default; it requires a contract (this is the allow-list model, enforced while the VRF's policy control enforcement preference is set to Enforced, which is the default). A contract defines the filters and actions for traffic between a consumer EPG and a provider EPG. Without one, the leaf drops the traffic even though the bridge domain has unicast routing enabled and the endpoints are in the same VRF.

Option C is correct because the missing element is the contract that explicitly permits inter-EPG communication.

Exam trap

Cisco often tests the misconception that enabling unicast routing on a bridge domain is sufficient for inter-EPG communication, when in fact contracts are mandatory in ACI to allow any traffic between EPGs.

How to eliminate wrong answers

Option A is wrong because attaching a Layer 3 outside is used for external connectivity (e.g., to a router or WAN), not for enabling communication between EPGs within the same VRF. Option B is wrong because 'L3 Unknown Multicast Flooding' controls how unknown multicast traffic is handled (flood, or forward only to multicast router ports), not unicast routing between EPGs. Option D is wrong because route leaking in ACI is an inter-VRF concept; these EPGs are already in the same VRF, so routing between their bridge domains is handled by the fabric automatically and only the contract is missing.

44
MCQeasy

Refer to the exhibit. What is the current state of the VPC domain?

A.VPC domain not configured
B.Peer-link down
C.Consistency check failed
D.Operational
AnswerD

All fields indicate normal operation.

Why this answer

The exhibit shows the output of 'show vpc' with the vPC domain ID set to 100, the peer-keepalive link status as 'Active', and the peer-link status as 'up'. The vPC role is 'primary' and the operational status is listed as 'operational', which indicates that the vPC domain is fully functional and all consistency checks have passed. Therefore, the current state is operational.

Exam trap

Cisco often tests the distinction between the peer-link being 'up' and the vPC domain being 'operational', where candidates may incorrectly assume a peer-link failure when the domain is actually operational, or confuse a consistency check failure with a peer-link issue.

How to eliminate wrong answers

Option A is wrong because the output clearly shows a vPC domain ID of 100, peer-keepalive link status as 'Active', and peer-link status as 'up', indicating the domain is configured. Option B is wrong because the peer-link status is explicitly shown as 'up' in the output, not down. Option C is wrong because the operational status is 'operational' and there is no indication of a consistency check failure; a failed consistency check would show a 'failed' or 'suspended' status for the vPC.

45
Drag & Dropmedium

Arrange the steps to create a service profile template in Cisco UCS Manager.


Steps
Order

Why this order

Service profile template requires UUID pool, vNIC template, profile creation, server pool association, and assignment.

46
MCQmedium

An organization is deploying a new leaf-spine fabric with Cisco ACI. The requirement is to allow inter-tenant communication between two EPGs in different tenants. Which configuration object is necessary to enable this communication?

A.A common VRF that spans both tenants.
B.A filter that permits the required traffic.
C.A bridge domain that connects both EPGs.
D.A shared contract between the two EPGs.
AnswerD

Contracts define allowed communication; shared contracts work across tenants.

Why this answer

In Cisco ACI, inter-tenant communication between EPGs in different tenants requires a contract that both tenants can reference. A contract defines the rules (filters) that permit traffic between EPGs; to cross a tenant boundary it is given Global scope and either exported to the consuming tenant (as a contract interface) or placed in tenant common, where every tenant can see it. This allows the provider EPG in one tenant to expose services to a consumer EPG in another tenant without merging the tenants' VRFs or bridge domains; only the provider's bridge domain subnet, marked as shared between VRFs, is leaked to the consumer's VRF.

Exam trap

Cisco often tests the misconception that a shared VRF or bridge domain is required for inter-tenant communication, but the correct mechanism is a shared contract that applies policy across tenant boundaries without merging the underlying network constructs.

How to eliminate wrong answers

Option A is wrong because merging both tenants into one VRF does not by itself permit anything: EPGs in the same VRF still need a contract, and the design goal is to keep each tenant's own VRF. Option B is wrong because a filter alone only defines the traffic type (e.g., TCP port 80) but does not provide the policy framework (contract) needed to permit traffic between EPGs; a filter must be part of a contract subject. Option C is wrong because a bridge domain connects EPGs within the same tenant and VRF, not across tenants; inter-tenant communication requires a contract, not a shared bridge domain.

47
Multi-Selecteasy

Which two VXLAN control plane options are supported on Cisco Nexus 9000 switches? (Choose two.)

Select 2 answers
A.Multicast
B.OTV
C.Static VXLAN tunnel
D.OpenFlow
E.MP-BGP EVPN
AnswersA, E

Traditional VXLAN uses multicast for BUM traffic and MAC learning.

Why this answer

VXLAN on Cisco Nexus 9000 switches supports both a multicast-based flood-and-learn mode (BUM traffic is flooded to the VNI's underlay multicast group, which requires PIM in the underlay, and remote MACs are learned from the data plane) and MP-BGP EVPN (RFC 7432) as the control plane for distributing MAC/IP and VTEP reachability. Multicast flood-and-learn is the traditional method, while MP-BGP EVPN provides a more scalable, standards-based control plane with host route advertisement, ARP suppression and multi-tenancy.

Exam trap

Cisco often tests the distinction between VXLAN control plane options and other overlay technologies (like OTV) or configuration methods (like static tunnels), leading candidates to confuse supported control planes with unrelated features.

48
MCQhard

In a VXLAN EVPN multi-tier design, which feature ensures traffic between leaf switches takes the optimal path without hair-pinning through a spine?

A.Anycast gateway
B.Type-2 routes
C.ECMP
D.ARP suppression
AnswerC

ECMP load-shares across all spines instead of funnelling leaf-to-leaf traffic through one of them.

Why this answer

C is correct because Equal-Cost Multipath (ECMP) in a VXLAN EVPN leaf-spine design lets each leaf load-balance VXLAN-encapsulated traffic across every equal-cost spine path in the underlay. Leaf-to-leaf traffic always transits one spine (that is the topology), but with ECMP it can take any of them, one hop each way, rather than being funnelled through a single spine acting as a relay, which is the suboptimal path the question calls hair-pinning. The underlay IGP (OSPF or IS-IS) or eBGP supplies the equal-cost routes to the remote VTEP loopbacks; verify with 'show ip route <remote VTEP>' that multiple next hops are installed.

Exam trap

Cisco often tests the misconception that Anycast Gateway or ARP suppression directly influences inter-leaf forwarding paths, when in fact ECMP is the mechanism that enables optimal multi-path routing in the underlay to avoid hair-pinning.

How to eliminate wrong answers

Option A is wrong because Anycast Gateway (e.g., using the same IP and MAC on multiple VTEPs) is designed to provide first-hop redundancy and optimal host-to-gateway forwarding, not to prevent hair-pinning of leaf-to-leaf traffic through a spine. Option B is wrong because Type-2 routes (MAC/IP advertisement routes) are used in EVPN to advertise host reachability and MAC-to-IP bindings, not to influence the path selection between leaf switches. Option D is wrong because ARP suppression is a feature that reduces broadcast traffic by caching ARP replies on the VTEP, but it does not affect the forwarding path or prevent hair-pinning through a spine.

49
MCQhard

Refer to the exhibit. What is the most likely cause of neighbor 10.1.1.3 being stuck in EXSTART?

A.Duplicate router ID.
B.OSPF network type mismatch.
C.MTU mismatch between the interfaces.
D.The interface is configured as passive.
AnswerC

MTU mismatch stops the Database Description packets from being accepted, so the adjacency cannot leave EXSTART.

Why this answer

In OSPF, the EXSTART state is where neighbors negotiate the master/slave relationship with their first Database Description (DBD) packets. Each DBD carries the sender's interface MTU; per RFC 2328, a router rejects a DBD whose Interface MTU field is larger than its own interface MTU. The router with the smaller MTU therefore keeps rejecting the peer's DBD and stays in EXSTART, while the router with the larger MTU accepts the peer's DBD and typically shows EXCHANGE, waiting for an acknowledgement that never comes. Confirm with 'show ip ospf interface' on both sides; the fix is to match the MTUs (or, as a last resort, 'ip ospf mtu-ignore' on the interface).

Exam trap

Cisco often tests the MTU mismatch by having candidates confuse it with a network type mismatch, but the key differentiator is that MTU issues stall the adjacency specifically in EXSTART/EXCHANGE, after the Hellos have been accepted, while a network type mismatch either prevents the neighbor from forming at all (when the types carry different default timers) or forms an adjacency whose routes are never installed (broadcast versus point-to-point with matching timers).

How to eliminate wrong answers

Option A is wrong because a router discards Hellos that carry its own router ID, so a duplicate router ID between the two neighbors means the neighbor never forms (and the switch logs a duplicate router-ID message); it does not stall in EXSTART. Option B is wrong because an OSPF network type mismatch (e.g., broadcast vs. non-broadcast) typically shows as no neighbor at all, since the default Hello/dead timers differ and the Hellos are rejected, or as a FULL adjacency with missing routes when the timers happen to match; neither symptom is EXSTART. Option D is wrong because a passive interface suppresses OSPF Hellos entirely, preventing any neighbor discovery, so the adjacency would never reach EXSTART.

50
MCQeasy

A network engineer is troubleshooting high CPU utilization on a Nexus 9000 switch. Which command is most useful to identify the process consuming the most CPU?

A.show processes cpu history
B.show process cpu sort
C.show system resources
D.show cpu usage
AnswerB

This command sorts processes by CPU usage, allowing identification of the most intensive process.

Why this answer

Option B is correct because the 'show process cpu sort' command on Nexus 9000 switches displays the current CPU utilization sorted by the process consuming the most CPU, allowing the engineer to quickly identify the top CPU consumer. This command provides a real-time, sorted list of processes with their CPU usage percentages, which is directly useful for troubleshooting high CPU utilization.

Exam trap

Cisco often tests the distinction between 'show processes cpu' (which lists all processes unsorted) and 'show process cpu sort' (which sorts by CPU usage), and the trap here is that candidates may confuse 'show cpu usage' with a valid command or assume 'show system resources' provides process-level detail.

How to eliminate wrong answers

Option A is wrong because 'show processes cpu history' shows historical CPU utilization data in a graphical format over time, not the current processes consuming CPU, so it cannot identify the specific process causing the spike. Option C is wrong because 'show system resources' displays overall system resource usage (memory, CPU, buffers) but does not break down CPU usage by individual process, making it insufficient for pinpointing the culprit process. Option D is wrong because 'show cpu usage' is not a valid command on Nexus 9000 switches; the correct command for a summary of CPU usage is 'show processes cpu', which lists all processes but not sorted by CPU consumption.

51
Drag & Dropmedium

Arrange the steps to configure a vPC domain on a pair of Cisco Nexus switches.


Steps
Order

Why this order

vPC requires feature vPC, then domain creation, keepalive link, peer-link, and member ports.

52
MCQmedium

A network engineer is troubleshooting an OSPF adjacency issue between two Nexus switches. The neighbors are stuck in the EXSTART state. What is the most likely cause?

A.Hold timer mismatch
B.Incorrect area ID
C.MTU mismatch
D.Duplicate router ID
AnswerC

MTU mismatch leads to DBD packet rejection, keeping the neighbor in EXSTART.

Why this answer

An MTU mismatch prevents the exchange of Database Description packets, causing neighbors to remain in EXSTART. Other options cause different adjacency states.

53
MCQhard

You are a network engineer at a financial institution. The company has two data centers: DC1 and DC2, connected via a dark fiber link. Each data center has a pair of Nexus 7000 switches in a vPC configuration. The dark fiber link connects to a port on each Nexus 7000 pair using a Layer 2 port-channel. The requirement is to extend VLAN 100 between the two data centers for a critical application that requires a stretched Layer 2 domain. The current configuration has the port-channel on both sides set to mode 'active' with LACP. VLAN 100 is allowed on the trunk. The application servers report intermittent connectivity issues, with some packets being dropped. Upon inspection, you notice that the MAC address table on the Nexus 7000 in DC1 shows the MAC address of the server in DC2 on the dark fiber port-channel interface, but also on a local access port connected to a different server in the same VLAN. What is the most likely cause of the intermittent connectivity?

A.The dark fiber link is experiencing high latency, causing MAC address timeouts.
B.LACP is misconfigured on one side, causing the port-channel to operate as individual links.
C.There is an asymmetric routing issue between the data centers.
D.Spanning Tree Protocol is not blocking one of the redundant paths, creating a loop.
AnswerD

A loop causes MAC flapping and intermittent connectivity.

Why this answer

The MAC address table showing the same MAC address on both the dark fiber port-channel and a local access port indicates a Layer 2 loop: frames sourced by the DC2 server are reaching the DC1 switch over two paths. In a vPC environment with a Layer 2 extension between data centers, Spanning Tree Protocol (STP) should block one of the redundant paths. If STP fails to block the appropriate port (for example because BPDUs are filtered on the DCI port-channel), frames loop, the MAC entry flaps between interfaces, and packets are dropped intermittently. NX-OS logs repeated moves as MAC-move/flapping syslog messages, which is the first place to look.

Exam trap

The trap here is that candidates often attribute intermittent connectivity to LACP or routing issues, but the key clue is the MAC address appearing on two different interfaces in the same VLAN, which is a definitive sign of a Layer 2 loop that STP should have prevented.

How to eliminate wrong answers

Option A is wrong because high latency does not cause MAC address timeouts or flapping; MAC aging timers are independent of latency, and high latency would cause retransmissions, not MAC table instability. Option B is wrong because LACP misconfiguration would cause the port-channel to operate as individual links, which could lead to inconsistent forwarding but not the specific symptom of the same MAC appearing on both a port-channel and a local access port; this symptom is classic for a loop. Option C is wrong because asymmetric routing is a Layer 3 issue, but the problem occurs in a stretched Layer 2 domain where routing is not involved; asymmetric routing would not cause MAC address flapping on the same VLAN.
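Detection example, added here and not part of the original page: Python that reads MAC-move syslog lines and flags a MAC that bounces between the same interfaces more than a few times within a short window, which is what the MAC table symptom in this question looks like when observed over time. The log lines are constructed for the example; the message format is a hypothetical approximation of an NX-OS MAC-move syslog, and the hostname, MACs and interface names are invented.

```python
"""Detect MAC addresses flapping between ports, the signature of the Layer 2 loop above."""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed MAC-move log lines. The message text is a hypothetical approximation of
# NX-OS MAC-move syslogs written for this example, not captured from a switch.
SAMPLE_LOG = """\
2024-05-01T10:00:00 DC1-N7K-1 %L2FM-4-L2FM_MAC_MOVE: Mac 0050.56a1.0001 in vlan 100 has moved from Po10 to Eth1/5
2024-05-01T10:00:01 DC1-N7K-1 %L2FM-4-L2FM_MAC_MOVE: Mac 0050.56a1.0001 in vlan 100 has moved from Eth1/5 to Po10
2024-05-01T10:00:02 DC1-N7K-1 %L2FM-4-L2FM_MAC_MOVE: Mac 0050.56a1.0001 in vlan 100 has moved from Po10 to Eth1/5
2024-05-01T10:00:03 DC1-N7K-1 %L2FM-4-L2FM_MAC_MOVE: Mac 0050.56a1.0001 in vlan 100 has moved from Eth1/5 to Po10
2024-05-01T10:00:05 DC1-N7K-1 %L2FM-4-L2FM_MAC_MOVE: Mac 0050.56a1.00aa in vlan 100 has moved from Eth1/7 to Po10
2024-05-01T10:00:20 DC1-N7K-1 %ETHPORT-5-IF_UP: Interface Ethernet1/9 is up in mode trunk
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) %L2FM-4-L2FM_MAC_MOVE: Mac (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"in vlan (?P<vlan>\d+) has moved from (?P<src>\S+) to (?P<dst>\S+)$"
)


def detect_mac_flaps(log: str, window_s: int = 10, min_moves: int = 3) -> dict[tuple[int, str], list[str]]:
    """Return {(vlan, mac): [ports]} for MACs that moved at least min_moves times within window_s.

    A single move is normal (a VM migrated); the same MAC bouncing between the same two
    interfaces within seconds is a loop, as in the DC1/DC2 scenario above. The sliding
    window keeps only moves newer than window_s before the current line.
    """
    recent: dict[tuple[int, str], deque] = defaultdict(deque)
    flapping: dict[tuple[int, str], list[str]] = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        ts = datetime.fromisoformat(m["ts"])
        key = (int(m["vlan"]), m["mac"])
        moves = recent[key]
        moves.append((ts, m["src"], m["dst"]))
        while moves and (ts - moves[0][0]).total_seconds() > window_s:
            moves.popleft()
        if len(moves) >= min_moves:
            ports = sorted({p for _, src, dst in moves for p in (src, dst)})
            flapping[key] = ports
    return flapping


if __name__ == "__main__":
    for (vlan, mac), ports in detect_mac_flaps(SAMPLE_LOG).items():
        print(f"VLAN {vlan}: {mac} is flapping between {' and '.join(ports)}; suspect an STP loop")
```

A single move is expected (a VM migration); what marks a loop is the same MAC oscillating between the DCI port-channel and a local port within seconds. Once flagged, confirm with 'show spanning-tree vlan 100' on both sides of the dark fiber that one of the redundant paths is actually in the blocking state.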

54
MCQhard

In an EVPN-VXLAN fabric, a network engineer notices that MAC addresses learned from an external router are not being advertised as EVPN type-2 routes. The external router is connected to a leaf switch via a Layer 3 port. Which additional configuration is needed on the leaf switch?

A.Configure `redistribute host-routes` under the BGP address-family l2vpn evpn.
B.Configure `evpn` under the VLAN interface associated with the external router's VLAN.
C.Configure `ip arp evpn` on the Layer 3 interface.
D.Configure `routing-config` under BGP to enable both MAC-VRF and IP-VRF.
AnswerC

Allows the switch to advertise the neighbor's MAC and IP via EVPN.

Why this answer

Option C is correct because when an external router is connected via a Layer 3 port, the leaf switch learns the router's MAC address through ARP, not through a VLAN. To advertise this MAC as an EVPN type-2 route, the `ip arp evpn` command must be configured on the Layer 3 interface. This command enables the switch to synchronize ARP entries into the EVPN BGP control plane, allowing MAC/IP advertisement for directly connected hosts on routed interfaces.

Exam trap

Cisco often tests the distinction between VLAN-based EVPN (where MACs are learned from the bridge domain) and routed interface EVPN (where MACs come from ARP), leading candidates to incorrectly choose VLAN-related options like `evpn` under the VLAN interface when the scenario involves a Layer 3 port.

How to eliminate wrong answers

Option A is wrong because `redistribute host-routes` under BGP address-family l2vpn evpn is used to redistribute host routes from the routing table into EVPN, not to advertise MAC addresses learned via ARP; it addresses IP prefix advertisement, not MAC-VRF type-2 routes. Option B is wrong because `evpn` under a VLAN interface is used to enable EVPN for a VLAN-based service (e.g., IRB), but the external router is connected via a Layer 3 port, not a VLAN; this configuration would not apply to a routed interface. Option D is wrong because `routing-config` under BGP is not a valid command; on NX-OS the MAC-VRF and IP-VRF are configured in separate contexts (`address-family l2vpn evpn` under BGP, and `vrf context <name>` with its L3 VNI for the IP-VRF), and the `routing-config` keyword does not exist in Cisco NX-OS EVPN configuration.

55
MCQhard

A large cloud provider is building a new data center using Cisco ACI with multiple leaf and spine switches. They plan to host thousands of tenants with overlapping IP addresses in different VRFs. The network team has deployed the fabric with a common security policy. During testing, they discover that traffic from Tenant A to Tenant B is being allowed even though a contract should deny it. The APIC policy shows the contract is applied to the EPGs and the deny rule is present. What is the most likely cause of the policy not being enforced?

A.The fabric is using VRF leaking that bypasses contracts.
B.The contract is not configured with the correct subject.
C.The leaf switches have not downloaded the updated policy.
D.The EPGs are in the same bridge domain.
AnswerC

Leaves may have stale policy if not refreshed.

Why this answer

In Cisco ACI, the leaf switches enforce contracts locally in hardware (as zoning rules) based on the policy downloaded from the APIC. If a contract is correctly configured on the APIC but traffic is still permitted, the most likely cause among the options is that the leaf switches have not yet received or applied the updated policy, which can happen due to a delay in policy propagation, a communication issue between the APIC and the leaf switches, or a leaf that has not completed policy resolution. Before accepting that explanation, a practitioner would also confirm that the VRF's policy control enforcement preference is Enforced (an Unenforced VRF permits all inter-EPG traffic regardless of contracts) and inspect the rules actually programmed on the leaf with 'show zoning-rule'.

Exam trap

Cisco often tests the misconception that once a contract is configured on the APIC, it is immediately enforced everywhere, ignoring the asynchronous policy download and local leaf switch policy resolution process.

How to eliminate wrong answers

Option A is wrong because VRF leaking in ACI is explicitly controlled by contracts and does not bypass them; any inter-VRF traffic must still be permitted by a contract. Option B is wrong because the contract subject is only relevant for defining filters and actions; if the deny rule is present and applied to the EPGs, the subject configuration is not the cause of the policy not being enforced. Option D is wrong because EPGs in the same bridge domain can communicate only if a contract allows it; being in the same bridge domain does not automatically bypass contract enforcement.

56
MCQeasy

Which protocol is used by Cisco ACI fabric to distribute endpoint information among spines?

A.IS-IS
B.OSPF
C.BGP
D.COOP
AnswerD

COOP (Council of Oracle Protocol) is the ACI-specific protocol for endpoint database distribution.

Why this answer

D is correct because the Cisco ACI fabric uses the Council of Oracle Protocol (COOP) to distribute endpoint information (MAC, IP and the VTEP the endpoint sits behind) to the spine switches. Each leaf (a 'citizen') reports its locally learned endpoints to the spine proxies (the 'oracles'), and the spines keep a synchronized endpoint database that a leaf queries when it must forward to an endpoint it has not learned itself. COOP is a lightweight fabric-internal protocol, not a routing protocol.

Exam trap

Cisco often tests the distinction between the underlay routing protocol (IS-IS) and the overlay endpoint distribution protocol (COOP), so candidates mistakenly choose IS-IS because they recall it is used in ACI, but they fail to recognize that endpoint distribution is a separate function handled by COOP.

How to eliminate wrong answers

Option A is wrong because IS-IS is the underlay routing protocol in ACI, establishing reachability between leaf and spine VTEPs; it does not carry endpoint information. Option B is wrong because OSPF is not used inside the ACI fabric; the underlay is IS-IS, and OSPF appears only on L3Outs toward external routers. Option C is wrong because MP-BGP in ACI (with the spines as route reflectors) distributes external routes learned through L3Outs across the fabric; it does not distribute internal endpoint information among spines, which is the role of COOP.

57
MCQhard

In a vPC domain, a consistency check failure is observed for the vPC keepalive link. What is the impact on the vPC domain operation?

A.The vPC peer link will be suspended.
B.The secondary switch will shutdown its vPC member ports.
C.The vPC domain will continue to operate but with reduced reliability.
D.Both switches will independently forward traffic via the vPC peer link.
AnswerC

The keepalive is a secondary monitoring mechanism; its loss increases risk of split-brain if the peer link fails.

Why this answer

The vPC keepalive link is used as a secondary heartbeat to detect dual-active scenarios when the peer link fails. A consistency check failure on the keepalive link does not directly affect data forwarding; the vPC domain continues to operate, but the loss of this redundancy mechanism reduces reliability because the switches can no longer reliably detect a split-brain condition without the peer link.

Exam trap

Cisco often tests the distinction between the keepalive link and the peer-link; the trap here is that candidates assume any consistency check failure will suspend vPC, but only Type-1 consistency mismatches (such as the STP mode or the vPC VLAN configuration) suspend vPC VLANs or member ports, while a keepalive failure merely removes the dual-active safeguard.

How to eliminate wrong answers

Option A is wrong because the vPC peer-link is not suspended by a keepalive failure; suspension of vPC VLANs or member ports follows Type-1 consistency failures, and a peer-link failure is a separate event. Option B is wrong because the secondary switch suspends its vPC member ports only when the peer-link goes down while the keepalive still shows the primary alive; a keepalive failure on its own changes nothing. Option D is wrong because both switches forwarding independently describes a dual-active (split-brain) condition, which arises when the peer-link fails and the keepalive has also been lost, so the secondary cannot tell that the primary is still up; with the peer-link intact, a keepalive failure alone does not produce it.

58
Multi-Selectmedium

When troubleshooting a VXLAN EVPN fabric with Cisco Nexus 9000 switches, which three commands provide information about the EVPN operation? (Choose three.)

Select 3 answers
A.show bgp l2vpn evpn summary.
B.show l2route mac all.
C.show running-config interface nve1.
D.show nve peers.
E.show ip interface brief.
AnswersA, B, D

These three commands show the BGP EVPN session state, the MAC routes learned through it, and the remote VTEPs discovered.

Why this answer

The 'show bgp l2vpn evpn summary' command is correct because it displays the BGP session status for the L2VPN EVPN address family, which is the control plane protocol for VXLAN EVPN. It shows neighbor states and the prefixes received from each, directly indicating whether EVPN route exchange is operational. 'show l2route mac all' is correct because it lists the MAC routes the switch knows per VNI, showing whether each was learned locally or received via BGP and which remote VTEP it points to, so it ties the control plane to the forwarding state. 'show nve peers' is correct because it lists the remote VTEPs the NVE interface has discovered and their state; an empty peer list with BGP up points at the NVE or VNI configuration rather than the BGP session.

Exam trap

Cisco often tests the distinction between configuration commands (like 'show running-config interface nve1') and operational verification commands (like 'show nve peers'), leading candidates to mistakenly select configuration-only outputs as evidence of EVPN operation.

59
Multi-Selectmedium

An OSPF router in a broadcast network has not formed a neighbor relationship. What are three possible causes? (Choose three.)

Select 3 answers
A.Authentication incorrect
B.MTU mismatch
C.Area ID mismatch
D.Hello interval mismatch
E.Network type mismatch
AnswersB, D, E

An MTU mismatch causes the routers to stay in EXSTART during database exchange; Hello interval and network type mismatches (which usually change the Hello timers) stop the neighbor from forming at all.

Why this answer

In OSPF, an MTU mismatch prevents the formation of a full adjacency because OSPF routers compare the Interface MTU value carried in Database Description (DBD) packets. If the receiving router's interface MTU is smaller than the MTU advertised in the peer's DBD, the packet is rejected, and the neighbor state remains stuck in EXSTART/EXCHANGE. This is a common issue on broadcast networks where different link types or misconfigured interfaces exist.

Exam trap

Cisco often tests the MTU mismatch as a subtle cause of OSPF neighbor failure, especially since it is less obvious than Hello/Dead interval or Area ID mismatches, and candidates may overlook it or confuse it with Layer 2 issues.

60
Multi-Selecteasy

A network engineer is verifying VPC configuration on a pair of Nexus switches. Which two commands should be used to check VPC status and consistency? (Choose two.)

Select 2 answers
A.show vpc role
B.show vpc consistency-parameters
C.show vpc peer-keepalive
D.show vpc
E.show vpc statistics
AnswersB, D

This checks for configuration mismatches between VPC peers.

Why this answer

Option D (show vpc) is correct because it displays the overall VPC status, including the local and peer VPC system MAC, role, and the operational state of each VPC member port. Option B (show vpc consistency-parameters) is correct because it verifies that critical parameters (e.g., STP mode, VLAN interfaces, MTU) are consistent between the two VPC peers, which is essential for VPC to function correctly and avoid traffic black-holing.

Exam trap

Cisco often tests the distinction between commands that show operational status (show vpc) versus those that verify configuration synchronization (show vpc consistency-parameters), leading candidates to mistakenly select 'show vpc role' or 'show vpc peer-keepalive' as sufficient for consistency checks.

61
MCQhard

A network engineer is configuring Cisco Nexus VXLAN with BGP EVPN. The VTEPs are using loopback0 as the NVE source. The physical interfaces are up, but the NVE interface remains down. What is the most likely cause?

A.The loopback0 interface is not reachable via the underlay network.
B.The NVE interface is not configured with source-interface.
C.The VLAN 1 is not associated with the NVE interface.
D.The loopback0 interface is not created.
AnswerA

The NVE source must be routable in the underlay. If loopback0 is not advertised by IGP, the NVE interface stays down.

Why this answer

The NVE interface requires the specified source interface (loopback0) to have IP reachability via the underlay network to establish VXLAN tunnels. If loopback0 is not reachable (e.g., due to missing OSPF/IS-IS routes or incorrect underlay configuration), the NVE interface will remain in a down state even if the physical interfaces are up. This is because the NVE interface depends on the underlay routing to encapsulate and forward VXLAN traffic.

Exam trap

Cisco often tests the dependency of the NVE interface on underlay IP reachability, tricking candidates into focusing on NVE-specific configuration errors (like missing source-interface) rather than verifying the underlay routing for the loopback address.

How to eliminate wrong answers

Option B is wrong because the NVE interface is already configured with source-interface loopback0 (as stated in the question), so the absence of that configuration is not the issue. Option C is wrong because VLAN 1 association with the NVE interface is not required for the NVE interface to come up; VLANs are mapped to VNIs after the NVE is operational. Option D is wrong because the loopback0 interface is explicitly mentioned as the NVE source, implying it exists; if it were not created, the NVE configuration would fail at the CLI level, not just keep the interface down.

62
MCQhard

A data center design requires Layer 2 extension between two sites using OTV. The network engineer notices that MAC addresses from Site A are not learned at Site B. OTV adjacency is up, and both sites have the same overlay interface configured. Which configuration issue is most likely the cause?

A.The OTV control group is misconfigured on one side.
B.The spanning tree root bridge is different at each site.
C.The multicast group range for the overlay does not match.
D.The site VLAN is not allowed on the OTV join interface.
AnswerD

The join interface must be a trunk that carries the site VLAN for OTV to forward traffic.

Why this answer

D is correct because the OTV join interface must have the site VLAN allowed; if the site VLAN is not permitted on the join interface, the OTV edge device cannot send or receive encapsulated traffic for that VLAN, preventing MAC address learning between sites even though the OTV adjacency is up.

Exam trap

Cisco often tests the distinction between control-plane (adjacency) and data-plane (VLAN transport) issues, and the trap here is that candidates assume a working OTV adjacency guarantees all VLANs are extended, overlooking the need to explicitly allow the site VLAN on the join interface.

How to eliminate wrong answers

Option A is wrong because the OTV control group is used for control-plane communication (IS-IS adjacency), and if it were misconfigured, the OTV adjacency would not form; the question states adjacency is up, so the control group is correctly configured. Option B is wrong because OTV does not rely on spanning tree; it uses its own loop-prevention mechanism (authoritative edge device) and isolates STP domains, so different root bridges at each site do not affect MAC learning. Option C is wrong because the multicast group range for the overlay is used for data-plane transport; if it did not match, traffic would not be forwarded, but the question specifies the same overlay interface configuration, implying the multicast group range is consistent.

63
MCQeasy

A network engineer is configuring OSPF on a Cisco Nexus switch for a data center network. The requirement is to ensure that the switch does not become the Designated Router (DR) on a multi-access segment. Which OSPF configuration achieves this?

A.Set OSPF priority to 255 on the interface
B.Set OSPF priority to 0 on the interface
C.Change the OSPF network type to point-to-point
D.Configure the interface as passive under OSPF
AnswerB

Priority 0 means the router will never become DR or BDR.

Why this answer

Setting the OSPF priority to 0 on the interface prevents the switch from participating in the DR/BDR election process, ensuring it will never become the Designated Router (DR) or Backup Designated Router (BDR) on a multi-access segment. This is the standard method per RFC 2328 to make a router ineligible for DR/BDR status while still allowing it to form full adjacencies with the DR and BDR.

Exam trap

Cisco often tests the misconception that setting a high priority (like 255) ensures a router does not become DR, when in fact it does the opposite; the trap here is confusing priority 0 (ineligible) with priority 255 (most likely to be elected).

How to eliminate wrong answers

Option A is wrong because setting OSPF priority to 255 (the highest possible value) makes the switch the most likely candidate to become the DR, which directly contradicts the requirement. Option C is wrong because changing the network type to point-to-point eliminates the DR/BDR election entirely, which may not be desirable if the segment is truly multi-access and other routers need to participate in elections; it also changes OSPF behavior (e.g., no hello/dead interval mismatches) and could break adjacency with neighbors expecting a broadcast network. Option D is wrong because configuring the interface as passive under OSPF suppresses OSPF hello packets entirely, preventing the switch from forming any OSPF adjacencies on that interface, which is more restrictive than simply avoiding DR status.

64
MCQeasy

A multicast application requires that all receivers join the same group using PIM sparse mode. Which router is responsible for forwarding traffic from the source to the RP?

A.Rendezvous point (RP)
B.First-hop router
C.Last-hop router
D.Source-specific router
AnswerB

The source's DR unicasts the traffic to the RP.

Why this answer

In PIM sparse mode, the first-hop router (the router directly connected to the multicast source) is responsible for encapsulating the source's multicast traffic in unicast PIM register messages and forwarding them to the rendezvous point (RP). This process establishes the initial path and triggers the RP to join the shortest-path tree (SPT) toward the source.

Exam trap

Cisco often tests the misconception that the RP originates or forwards traffic from the source, when in fact the first-hop router is the one that encapsulates and sends the source traffic to the RP using PIM register messages.

How to eliminate wrong answers

Option A is wrong because the RP is the meeting point for receivers and sources, but it does not forward traffic from the source to itself; it receives register messages from the first-hop router and then joins the SPT toward the source. Option C is wrong because the last-hop router (the router directly connected to receivers) is responsible for sending PIM join messages toward the RP and later switching to the SPT, not for forwarding traffic from the source to the RP. Option D is wrong because there is no standard 'source-specific router' in PIM sparse mode; the concept of source-specific multicast (SSM) uses a different model (PIM-SSM) where receivers join directly to the source via (S,G) state, bypassing the RP entirely.

65
Multi-Selecthard

An engineer is designing a Cisco ACI multi-site solution. Which two considerations are critical for inter-site connectivity? (Choose two.)

Select 2 answers
A.Configure a stretch VLAN across sites.
B.Use a separate OSPF process per site.
C.Deploy a L3Out at each site for external connectivity.
D.Use a single APIC cluster for both sites.
E.Ensure IP connectivity between the sites for the underlay.
AnswersC, E

Each site typically has its own L3Out.

Why this answer

In Cisco ACI Multi-Site, each site operates with its own APIC cluster and independent fabric. A L3Out at each site is critical because it provides external connectivity for that site's endpoints, allowing traffic to exit locally rather than being hair-pinned across the inter-site network. This design optimizes traffic flow and aligns with the Multi-Site architecture where sites are managed separately but interconnected via the Inter-Site Network (ISN).

Exam trap

Cisco often tests the misconception that a single APIC cluster can manage multiple sites, but in reality, each site requires its own APIC cluster for independent operation and fault isolation.

66
MCQhard

An engineer is troubleshooting BGP EVPN control plane. They issue 'show bgp l2vpn evpn' and see Type-3 routes but no Type-2 routes for any VNI. Which condition is most likely?

A.The VTEP has not learned any MAC addresses
B.The overlay VNI is not mapped to a VLAN
C.The BGP neighbor is not from the same AS
D.The EVPN address-family is not enabled
AnswerA

Type-2 routes carry MAC/IP information. Without any MACs learned, no Type-2 routes are generated.

Why this answer

Type-3 routes (Inclusive Multicast Ethernet Tag routes) are generated automatically when an EVPN VNI is configured, regardless of MAC learning. Type-2 routes (MAC/IP Advertisement routes) are only generated after the VTEP learns MAC addresses from data-plane traffic or from local endpoints. The absence of Type-2 routes with Type-3 present indicates the VTEP has not yet learned any MAC addresses for that VNI.

Exam trap

Cisco often tests the distinction between control-plane-generated routes (Type-3) and data-plane-triggered routes (Type-2), trapping candidates who assume both route types appear simultaneously upon VNI configuration.

How to eliminate wrong answers

Option B is wrong because an unmapped overlay VNI would prevent Type-3 routes from being generated as well, but the question states Type-3 routes are present. Option C is wrong because BGP EVPN sessions can operate between different AS numbers (eBGP) or the same AS (iBGP); AS mismatch does not selectively suppress Type-2 routes while allowing Type-3 routes. Option D is wrong because if the EVPN address-family were not enabled, no EVPN routes (including Type-3) would appear in the BGP table.

67
Multi-Selectmedium

Which THREE components are part of an EVPN VXLAN fabric? (Choose three)

Select 3 answers
A.IS-IS
B.MP-BGP
C.VRF
D.NVE interface
E.VPC
AnswersB, C, D

MP-BGP is the standard control plane for EVPN, advertising MAC/IP routes and other attributes.

Why this answer

MP-BGP is the control plane protocol for EVPN VXLAN fabrics. It advertises MAC/IP reachability information using EVPN address families (L2VPN AFI/SAFI 70/128) and enables overlay route distribution between VTEPs. Without MP-BGP, the fabric cannot dynamically learn remote MAC addresses or maintain a scalable, loop-free control plane.

Exam trap

Cisco often tests the distinction between underlay protocols (like IS-IS or OSPF) and overlay components (like MP-BGP, NVE, VRF), and candidates mistakenly select an underlay protocol as part of the EVPN VXLAN fabric.

68
MCQhard

An organization has deployed a pair of Nexus 93180YC-EX switches as vPC peers in a data center. The switches are connected to a server with two 10GbE interfaces configured as an LACP port-channel. The vPC configuration has been verified and was working correctly for months. After a scheduled maintenance window that included upgrading the NX-OS software from version 7.0(3)I7(1) to 7.0(3)I7(5), the server begins experiencing frequent link flaps on the port-channel. The server administrator reports that every 5-10 minutes, the link goes down for about 2 seconds and then recovers. The network team checks the logs on the Nexus switches and sees repeated messages: 'LACP-3-MISCONFIG: Port-channel <channel> is misconfigured: partner not on same aggregator.' The 'show vpc brief' output shows all vPCs in the 'up' state. The 'show port-channel summary' shows the port-channel is up with both member ports in the bundle. What is the most likely root cause?

A.The LACP fast rate timer default changed to slow in the new software, causing a timeout mismatch with the server.
B.The vPC delay-restore timer is set too low, causing the vPC to prematurely come up before LACP is fully up.
C.The vPC peer-link VLAN allowed list does not include the server's VLAN, causing intermittent drops.
D.The LACP system priority is not configured consistently between the vPC peers, causing the LACP system identifier to differ.
AnswerD

In a vPC, the LACP system identifier must be identical on both peers to appear as a single partner to the server. Inconsistent system priority leads to different identifiers, triggering the misconfiguration log and link flaps.

Why this answer

Option D is correct because in a vPC setup, both peer switches must have the same LACP system identifier (derived from system priority and MAC address) so the server sees a single logical partner. If the LACP system priority is not consistent across the peers, the system identifiers will differ, causing the server to detect multiple partners, leading to the 'partner not on same aggregator' error and link flaps. Option A is incorrect because an LACP rate timer mismatch would cause constant timeout issues, not intermittent flaps with this specific log message. Option C is incorrect because a VLAN mismatch on the peer-link would cause persistent connectivity failures, not intermittent flaps. Option B is incorrect because the delay-restore timer affects recovery after a link failure, not steady-state operation.

69
Multi-Selecthard

Which THREE conditions must be met for a Cisco Nexus switch to form a vPC? (Choose three.)

Select 3 answers
A.Both switches must use the same routing protocol
B.The peer-keepalive link must be carried over the peer-link
C.Both switches must run the same NX-OS software version
D.A dedicated peer-link port-channel must be configured
E.The vPC domain ID must be identical on both switches
AnswersC, D, E

Same version ensures feature compatibility and stability.

Why this answer

Option C is correct because Cisco vPC requires both peer switches to run the same NX-OS software version to ensure consistent feature support, protocol behavior, and configuration syntax. Version mismatches can lead to unexpected failures, such as the vPC not forming or inconsistent forwarding states across the peer-link.

Exam trap

Cisco often tests the misconception that the peer-keepalive link must traverse the peer-link, when in fact it must be a separate Layer 3 path to avoid a single point of failure for vPC health monitoring.

70
Multi-Selecthard

Which TWO configuration steps are necessary to enable VXLAN EVPN on a Cisco Nexus 9000 switch using the centralized anycast gateway model?

Select 2 answers
A.Enable the address-family l2vpn evpn under the BGP configuration.
B.Enable IGMP snooping on all VLANs extended over VXLAN.
C.Configure the same anycast gateway MAC and IP address on all VTEPs in the VLAN.
D.Set the VXLAN destination UDP port to 8472.
E.Create an NVE interface with a loopback interface as the source.
AnswersA, C

BGP EVPN is required for route distribution.

Why this answer

Option A is correct because in VXLAN EVPN, BGP is used as the control plane to exchange MAC and IP reachability information. Enabling the address-family l2vpn evpn under BGP configuration is mandatory to advertise EVPN routes (type-2 and type-3) between VTEPs, which is the foundation of the centralized anycast gateway model.

Exam trap

Cisco often tests the distinction between mandatory EVPN control-plane steps (BGP address-family l2vpn evpn) and generic VXLAN data-plane steps (NVE interface, UDP port). Candidates are led to select creating the NVE interface or setting the UDP port as 'necessary' for EVPN, when those are prerequisites for VXLAN itself, not the two specific steps asked for enabling VXLAN EVPN with a centralized anycast gateway.

71
MCQhard

Refer to the exhibit. A network administrator configured VXLAN EVPN as above. The VTEP can communicate with neighbors on VNI 5001, but cannot reach the default gateway for VNI 5002. What is the problem?

A.The default route in VRF TenantA is not exported.
B.The route-target for VNI 5002 is missing.
C.The VNI 5002 does not have an associated VLAN.
D.The NVE interface does not have ingress-replication configured.
AnswerB

The configuration lacks a separate RD and route-target for VNI 5002, preventing EVPN route exchange for that VNI.

Why this answer

The VXLAN EVPN configuration for VNI 5002 is missing the route-target import/export statements under the VRF TenantA address-family l2vpn evpn. Without the route-target, the VTEP cannot import EVPN type-2 and type-3 routes for VNI 5002, preventing it from learning the default gateway's MAC/IP or the IMET route needed for BUM traffic. This explains why the VTEP can communicate on VNI 5001 (which has route-targets) but not reach the gateway on VNI 5002.

Exam trap

Cisco often tests the distinction between Layer 2 VNI (which needs VLAN association and ingress-replication) and Layer 3 VNI (which needs route-target configuration), and the trap here is that candidates assume a missing VLAN or ingress-replication is the root cause, when the real issue is the missing route-target for the Layer 3 VNI under the VRF.

How to eliminate wrong answers

Option A is wrong because the default route in VRF TenantA is not relevant; the issue is with EVPN route import for VNI 5002, not with route leaking or export of a default route. Option C is wrong because VNI 5002 can operate without an associated VLAN if it is used for Layer 3 VNI (IRB) or if the VLAN mapping is done elsewhere; the exhibit shows no VLAN association, but that is not the cause of the gateway unreachability. Option D is wrong because ingress-replication is configured under the NVE interface for VNI 5001 and 5002 (as shown in the exhibit), so the problem is not missing replication; the missing route-target prevents the VTEP from learning the gateway's MAC/IP via EVPN.

72
MCQeasy

Refer to the exhibit. An engineer is configuring a server-facing interface on a Nexus switch. The server is running VMware ESXi with multiple virtual machines in VLANs 10, 20, and 30. After applying the configuration, the ESXi host reports that it cannot communicate on VLAN 30. Which configuration change should be made?

A.Remove the 'spanning-tree port type edge trunk' command
B.Change the native VLAN to 30
C.Create VLAN 30 in the global VLAN database
D.Configure the port as an access port in VLAN 30
AnswerC

If VLAN 30 does not exist, the switch will not forward traffic for it even if allowed on the trunk.

Why this answer

Option C is correct because VLAN 30 must exist in the global VLAN database before it can be used on any interface. Even though the interface configuration allows VLAN 30 as a trunked VLAN, the switch will not forward traffic for a VLAN that has not been created globally. Without the 'vlan 30' command in global configuration mode, the VLAN is not present in the switch's VLAN database, and the interface will not pass traffic for that VLAN.

Exam trap

Cisco often tests the misconception that configuring a VLAN on an interface (e.g., 'switchport trunk allowed vlan add 30') automatically creates the VLAN in the global database, but in NX-OS, the VLAN must be explicitly created first.

How to eliminate wrong answers

Option A is wrong because removing 'spanning-tree port type edge trunk' would disable PortFast and BPDU guard on the trunk, which is unrelated to VLAN 30 communication failure; it would only affect STP convergence and loop prevention. Option B is wrong because changing the native VLAN to 30 would cause all untagged traffic to be placed in VLAN 30, but the issue is that VLAN 30 does not exist globally, and the native VLAN mismatch could also cause connectivity problems for other VLANs. Option D is wrong because configuring the port as an access port in VLAN 30 would remove the trunk and prevent the ESXi host from carrying multiple VLANs (10, 20, 30) to the virtual machines, breaking the required trunking behavior.

73
MCQmedium

A financial services company is migrating its core banking application to a new data center built on Cisco Nexus 9000 switches with VXLAN EVPN. The application requires active-active multihoming for its servers, which are dual-homed to two leaf switches. The network team has configured vPC on the leaf switches for the server connections. After the migration, the application team reports that some packets are being dropped during failover events when one of the vPC member links goes down. The network team confirms that vPC is properly configured and the peer-keepalive is functioning. What is the most likely cause of packet drops during failure?

A.The vPC peer-gateway feature is not enabled.
B.The vPC orphan port configuration is missing.
C.The vPC role is not configured with preempt.
D.The vPC consistency parameters are not identical between the peer switches.
AnswerD

Mismatched parameters cause forwarding inconsistencies.

Why this answer

Option D is correct because vPC consistency parameters must match on both peers; if they do not, traffic may be dropped during failover because the two switches hold different forwarding information. Option A is wrong because peer-gateway concerns gateway MAC handling, not failover drops. Option C is wrong because preempt concerns role election. Option B is wrong because orphan port configuration applies to ports that are not part of a vPC.

74
Multi-Selectmedium

A network engineer is troubleshooting an OSPF adjacency that fails to reach FULL state between two Nexus 9000 switches. Which TWO are common causes for this issue?

Select 2 answers
A.Mismatched OSPF process ID
B.Mismatched area ID
C.Mismatched router ID
D.Mismatched hello/dead timers
E.Mismatched network type
AnswersB, D

OSPF neighbors must belong to the same area to form an adjacency.

Why this answer

Option B is correct because OSPF requires that both routers in a neighbor relationship belong to the same area. If the area IDs differ, the routers will not exchange routing information and the adjacency will stall at the EXSTART or EXCHANGE state, never reaching FULL. This is a fundamental OSPF neighbor requirement defined in RFC 2328.

Exam trap

Cisco often tests the misconception that the OSPF process ID must match between neighbors, but it is only locally significant and does not affect adjacency formation.

75
Multi-Selecthard

Which two benefits does EVPN provide compared to traditional VPLS? (Choose two.)

Select 2 answers
A.Simpler BGP configuration
B.Load balancing of traffic across multiple active paths
C.Reduced MAC address learning
D.No need for MPLS
E.Support for IP routing
AnswersB, E

EVPN allows active-active multihoming, improving bandwidth utilization.

Why this answer

EVPN uses BGP to advertise MAC addresses and IP prefixes, enabling per-flow load balancing across multiple equal-cost paths via its all-active multi-homing capability. In contrast, traditional VPLS relies on a single active forwarder per site (using Spanning Tree Protocol or VPLS Multihoming), which prevents active-active load balancing and wastes bandwidth.

Exam trap

Cisco often tests the misconception that EVPN simplifies BGP configuration or eliminates MPLS, when in fact EVPN requires more BGP knobs and still relies on an MPLS or VXLAN transport layer.
