CCNA Network Questions

11 of 86 questions · Page 2/2 · Network · Answers revealed

76
MCQ · easy

A mid-size organization is upgrading its data center network to support server virtualization. They have deployed two Nexus 9300 switches as access switches for their server racks. The servers are configured with VLAN tagging and connect to the switches using trunks. The network administrator needs to ensure that the switches can provide default gateway services to the servers to reduce latency. They have configured VLAN interfaces (SVIs) and HSRP for redundancy. After implementation, the servers can communicate within the same VLAN but fail to reach the default gateway. The network administrator checks the switch configuration and finds that "ip routing" is not enabled globally. What is the most likely impact of this missing configuration?

A. The switches will not forward traffic between VLANs.
B. The servers will not receive DHCP addresses.
C. HSRP will not elect an active router.
D. The VLAN interfaces will not come up.

Answer: A

ip routing is required for inter-VLAN forwarding.

Why this answer

Without the 'ip routing' command enabled globally, the Nexus 9300 switches operate as Layer 2 devices only. This means they can forward frames within the same VLAN (since that relies on MAC address learning and switching), but they cannot perform IP routing between VLANs or route traffic to the configured SVI (VLAN interface) default gateway. The servers can communicate within the same VLAN because that is purely Layer 2 switching, but any attempt to reach the default gateway (which requires Layer 3 forwarding) fails because the switch does not have IP routing enabled.

Exam trap

Cisco often tests the misconception that HSRP or SVI functionality requires global IP routing to be enabled, when in fact HSRP can operate and SVIs can come up without 'ip routing', but inter-VLAN routing and default gateway reachability will fail.

How to eliminate wrong answers

Option B is wrong because DHCP address assignment relies on DHCP snooping, IP helper-address, or a DHCP server; the absence of 'ip routing' does not prevent a switch from relaying DHCP requests or a server from obtaining an IP address via broadcast within the same VLAN. Option C is wrong because HSRP operates at Layer 3 using the SVI IP address and does not require global IP routing to be enabled; HSRP can still elect an active router and maintain virtual IP/MAC addresses as long as the SVI is up and the HSRP configuration is correct. Option D is wrong because VLAN interfaces (SVIs) come up as long as the VLAN exists and at least one port in that VLAN is up; the 'ip routing' command does not affect the operational state of an SVI.

77
MCQ · medium

A Nexus 9000 switch is configured with VPC. The VPC keepalive link fails. What is the effect on the VPC domain?

A. Both switches suspend the VPC VLANs.
B. Both switches continue to forward traffic normally.
C. The secondary switch suspends its VPC member ports.
D. The primary switch becomes orphan.

Answer: C

To avoid split-brain, the secondary switch suspends its VPC member ports while keepalive is down.

Why this answer

In a VPC domain, the keepalive link is used to monitor the liveness of the peer switch, but it does not carry data traffic. When the keepalive link fails, the secondary switch cannot confirm the primary is alive, so it suspends its VPC member ports to prevent a dual-active scenario. The primary switch remains active and continues forwarding traffic normally because it assumes the secondary has failed.

Exam trap

Cisco often tests the misconception that a keepalive link failure causes both switches to stop forwarding or that the primary becomes orphan, but the correct behavior is that only the secondary suspends its VPC member ports to maintain a single active forwarding path.

How to eliminate wrong answers

Option A is wrong because both switches do not suspend VPC VLANs; only the secondary suspends its VPC member ports to avoid a split-brain condition. Option B is wrong because both switches do not continue forwarding traffic normally; the secondary suspends its VPC ports, disrupting traffic on that side. Option D is wrong because the primary switch does not become orphan; it remains active and continues to forward traffic, while the secondary suspends its ports.

78
MCQ · easy

A network engineer is troubleshooting VXLAN connectivity between two VTEPs. The source VTEP is configured with `nve1` and member VNI 10000. The `show nve peers` command shows the remote VTEP IP but the status is 'Init'. What is a likely cause?

A. The multicast group is not reachable.
B. The remote VTEP is not configured with the same VNI.
C. The MTU is too low.
D. The VRF is mismatched between the VTEPs.

Answer: A

VXLAN relies on multicast for BUM traffic; if the multicast group is unreachable, the peer remains in 'Init'.

Why this answer

The 'Init' status in the output of 'show nve peers' indicates that the VXLAN tunnel endpoint (VTEP) has learned the remote VTEP IP address (likely via BGP EVPN or static configuration) but is unable to complete the tunnel establishment. In VXLAN multicast mode, the underlay multicast group is used for BUM traffic and for VTEP discovery. If the multicast group is not reachable (e.g., due to missing PIM configuration, incorrect RP, or firewall filtering), the source VTEP cannot receive the multicast join or data from the remote VTEP, leaving the peer stuck in 'Init' state.

Exam trap

Cisco often tests the distinction between control-plane and data-plane issues; the trap here is that candidates assume 'Init' means a configuration mismatch (like VNI or VRF) rather than an underlay multicast reachability problem, because they overlook that VXLAN multicast mode requires a functional underlay multicast tree for peer establishment.

How to eliminate wrong answers

Option B is wrong because a VNI mismatch would typically cause the remote VTEP to not advertise that VNI in BGP EVPN, resulting in the peer not being learned at all, or the VNI not being operational, but the peer status would not show 'Init' for a learned peer. Option C is wrong because an MTU issue would cause packet fragmentation or drops after the tunnel is established, not prevent the peer from leaving the 'Init' state; the 'Init' state is a control-plane issue, not a data-plane MTU problem. Option D is wrong because a VRF mismatch would affect traffic forwarding and route import/export in BGP EVPN, but the peer status is independent of VRF configuration; the VTEP peer can still be established even with mismatched VRFs, though traffic may not be forwarded correctly.

79
MCQ · hard

An administrator is deploying a new application in a Cisco ACI fabric. The application requires multicast traffic between end hosts. Which configuration is necessary for multicast in ACI?

A. Enable PIM on the leaf switches.
B. Configure a multicast group in the EPG.
C. Create a multicast policy in the bridge domain.
D. Use IGMP snooping only.

Answer: C

A multicast policy in the bridge domain enables multicast forwarding.

Why this answer

In Cisco ACI, multicast forwarding is enabled at the bridge domain level using a multicast policy. This policy configures the necessary IGMP snooping and multicast group membership for the fabric, allowing end hosts to receive multicast traffic without requiring PIM on the leaf switches. Option C is correct because the bridge domain multicast policy is the required configuration for multicast in ACI.

Exam trap

Cisco often tests the misconception that PIM must be enabled for multicast in ACI, but the fabric's overlay uses head-end replication and IGMP snooping at the bridge domain level instead.

How to eliminate wrong answers

Option A is wrong because PIM is not required in ACI; the fabric uses a head-end replication model with IGMP snooping and a multicast policy, not traditional PIM routing. Option B is wrong because multicast groups are not configured in the EPG; the EPG defines endpoint groups and contracts, while multicast group membership is managed via the bridge domain multicast policy. Option D is wrong because IGMP snooping alone is insufficient; ACI requires the multicast policy in the bridge domain to enable the fabric's multicast forwarding behavior, including head-end replication.

80
MCQ · hard

A large enterprise data center is deploying a new application using Cisco ACI with a multi-pod design. The application requires low-latency communication between servers in different pods. The network team has configured the ACI fabric with two pods, each connected via inter-pod network (IPN) switches. After deployment, the application experiences intermittent latency spikes and packet loss. The APIC health scores remain high but the latency issue persists. The team has verified the underlay IP connectivity and MTU settings. What is the most likely cause of the latency issues?

A. The application servers are using different VLANs that are not stretched between pods.
B. The CoS settings for the application traffic are not properly mapped to the appropriate queue on the IPN switches.
C. The IPN switches are using a shared link aggregation group that is causing traffic congestion.
D. The inter-pod network is not configured with enough bandwidth due to oversubscription.

Answer: B

Improper CoS mapping leads to sporadic drops.

Why this answer

In a Cisco ACI multi-pod design, the IPN switches must properly trust and map the CoS values from the ACI fabric to the appropriate egress queues. If the CoS markings are not correctly configured on the IPN switches, application traffic can experience buffer drops and latency spikes even when the underlay has sufficient bandwidth and the APIC health scores are high. This is a common misconfiguration because the IPN switches are Layer 3 devices that require explicit QoS policies to preserve the ACI fabric's priority handling.

Exam trap

Cisco often tests the misconception that underlay connectivity and MTU settings are sufficient for multi-pod performance, when in fact the IPN switches require explicit QoS configuration to preserve ACI's priority handling across pods.

How to eliminate wrong answers

Option A is wrong because VLANs are not stretched between pods in ACI multi-pod; inter-pod traffic uses Layer 3 routing via the IPN, so different VLANs per pod do not cause latency or packet loss. Option C is wrong because a shared link aggregation group (LAG) on IPN switches would not inherently cause congestion; LAGs are used for bandwidth aggregation and redundancy, and the issue is about queue drops, not link bundling. Option D is wrong because oversubscription of the inter-pod network would manifest as consistent congestion and high APIC health degradation, not intermittent latency spikes with high health scores; the problem is QoS misconfiguration, not bandwidth shortage.

81
MCQ · medium

An engineer is troubleshooting a BGP EVPN session between a leaf and a spine. The 'show bgp l2vpn evpn summary' output shows the peer state as 'Active'. What does this indicate?

A. The session is in the process of being established.
B. The session is up and exchanging prefixes.
C. There is a configuration mismatch.
D. The TCP connection is not established.

Answer: D

Active means BGP is trying to establish a TCP connection.

Why this answer

In BGP EVPN, the 'Active' state indicates that the BGP speaker is actively trying to establish a TCP connection with the peer but has not yet completed the three-way handshake. This means the TCP session is not established, which is a prerequisite for BGP session establishment. The peer remains in 'Active' until the TCP connection is successfully formed.

Exam trap

The trap here is that candidates often confuse 'Active' with 'Connect' or think it means the session is actively exchanging routes, when in fact it indicates a TCP connection failure that must be resolved before BGP can proceed.

How to eliminate wrong answers

Option A is wrong because the 'Active' state specifically indicates that the TCP connection is not yet established, not that the session is in the process of being established (which would be 'Connect' or 'OpenSent' states). Option B is wrong because a session that is up and exchanging prefixes would be in the 'Established' state, not 'Active'. Option C is wrong because a configuration mismatch typically results in the session flapping or staying in 'Idle' state, not 'Active'; 'Active' is a TCP connection issue, not a configuration mismatch.

82
MCQ · hard

An organization is deploying a new ACI fabric. The design requires that traffic between EPGs in the same bridge domain be allowed by default, but traffic between EPGs in different bridge domains must be denied unless explicitly permitted. Which contract scope configuration meets this requirement?

A. Context (default)
B. Application-profile
C. Global
D. VRF

Answer: D

VRF scope allows contracts to apply across bridge domains within the same VRF; without a contract, traffic is denied, and with a contract, permitted.

Why this answer

The VRF (private L3 context) is the correct scope because contract scope determines the boundary within which a contract is effective. By setting the contract scope to VRF, the contract applies only to EPGs within the same VRF. Since EPGs in different bridge domains are typically in the same VRF, you must explicitly configure contracts to permit inter-EPG traffic; otherwise, it is denied by default.

This matches the requirement that traffic between EPGs in the same bridge domain is allowed by default (via the default intra-EPG and intra-bridge domain forwarding), while traffic between EPGs in different bridge domains requires an explicit contract.

Exam trap

Cisco often tests the misconception that 'context' is a separate scope option, when in fact the default contract scope is VRF (context), and the exam expects you to know that VRF is the correct term for the private L3 network boundary that enforces the deny-by-default inter-EPG behavior.

How to eliminate wrong answers

Option A (Context/default) is wrong because the default contract scope is actually 'context' (VRF), not a separate scope; the term 'Context' is ambiguous and not a distinct contract scope in ACI—the default behavior is VRF-level scoping, which already denies inter-EPG traffic without a contract. Option B (Application-profile) is wrong because contract scope at the application-profile level would restrict the contract to EPGs within the same application profile, but this does not address the requirement for bridge-domain-level isolation; it is too narrow and would not allow default intra-bridge domain traffic across different application profiles. Option C (Global) is wrong because a global contract scope makes the contract apply across all VRFs, which would permit traffic between EPGs in different VRFs (and thus different bridge domains) without explicit permission, violating the requirement that such traffic must be denied by default.

83
MCQ · medium

Refer to the exhibit. A network engineer notices that traffic for VNI 10000 is not being encapsulated. What is the most likely reason?

A. BGP EVPN is not configured.
B. VNI 10000 is not configured under the nve interface.
C. The VRF association is incorrect.
D. The source-interface is not reachable.

Answer: B

The show output clearly does not include member vni 10000.

Why this answer

VNI 10000 must be explicitly mapped to an NVE interface under the 'interface nve1' configuration using the 'member vni 10000' command. Without this mapping, the NVE interface does not know which VNI to encapsulate traffic for, even if the VNI exists in the network. Option B correctly identifies this missing configuration as the most likely cause.

Exam trap

Cisco often tests the distinction between control-plane (BGP EVPN) and data-plane (NVE interface) configurations, trapping candidates who assume that a VNI configured in the VRF or advertised via EVPN automatically enables encapsulation on the NVE interface.

How to eliminate wrong answers

Option A is wrong because BGP EVPN is the control plane protocol used to advertise VNI reachability, but traffic encapsulation itself is a data-plane function performed by the NVE interface; the absence of BGP EVPN would prevent route distribution but not directly block encapsulation if the VNI is already configured under NVE. Option C is wrong because VRF association is a Layer 3 construct that maps a VRF to a VNI for routing, but encapsulation failure for VNI 10000 specifically points to the NVE interface configuration, not the VRF mapping. Option D is wrong because if the source-interface were unreachable, no VNI traffic would be encapsulated at all, not just VNI 10000; the issue is isolated to a single VNI, indicating a configuration omission rather than a reachability problem.

84
MCQ · easy

A data center switch has multiple access ports configured with spanning-tree portfast. A new server is connected to one of these ports and immediately causes a network loop. What is the most likely cause?

A. The portfast feature is disabled by default on the switch.
B. The server sends BPDUs.
C. The port is not configured with BPDUguard.
D. The switch is running MSTP instead of PVST+.

Answer: C

Without BPDUguard, the port stays up when a BPDU is received, potentially causing a loop.

Why this answer

Option C is correct because Spanning Tree Protocol (STP) PortFast immediately transitions a port to the forwarding state, bypassing the listening and learning phases. However, PortFast alone does not protect against loops if a rogue device (like a server) inadvertently connects two switch ports or sends BPDUs. BPDUguard must be explicitly configured on the port to disable it upon receiving any BPDU, preventing a loop.

Without BPDUguard, the switch will process the BPDU and may re-enter STP convergence, potentially causing a loop if the server is misconfigured or bridging traffic.

Exam trap

Cisco often tests the misconception that PortFast alone prevents loops, but the trap here is that PortFast only speeds up initial convergence; without BPDUguard, a PortFast port can still participate in STP and cause a loop if it receives a BPDU.

How to eliminate wrong answers

Option A is wrong because PortFast is not disabled by default on a switch; it is a per-port feature that must be explicitly enabled with the 'spanning-tree portfast' interface command. Option B is wrong because the server sending BPDUs is the trigger for the loop, not the cause of the loop itself—the root cause is the lack of BPDUguard to protect the PortFast port from those BPDUs. Option D is wrong because MSTP (Multiple Spanning Tree Protocol) and PVST+ (Per-VLAN Spanning Tree Plus) both support PortFast and BPDUguard; the protocol variant does not inherently cause loops when PortFast is enabled without BPDUguard.

85
MCQ · medium

An engineer is designing a Layer 3 network for a data center using OSPF. The core switches are connected to aggregation switches. To optimize convergence, which OSPF network type should be used on the links between core and aggregation?

A. broadcast
B. non-broadcast
C. point-to-multipoint
D. point-to-point

Answer: D

Eliminates DR election, reduces convergence time.

Why this answer

In a data center spine-leaf architecture, the links between core (spine) and aggregation (leaf) switches are typically point-to-point Layer 3 links. Configuring OSPF network type point-to-point (option D) on these interfaces eliminates the need for DR/BDR election, reduces hello and dead timers (default 10s/40s vs 30s/120s for broadcast), and allows faster convergence because OSPF immediately forms a neighbor adjacency without waiting for election delays.

Exam trap

Cisco often tests the misconception that broadcast is the default and therefore best for Ethernet links, but in a data center spine-leaf design, point-to-point is preferred because it eliminates DR/BDR election overhead and provides faster convergence.

How to eliminate wrong answers

Option A is wrong because broadcast network type requires a Designated Router (DR) and Backup Designated Router (BDR) election, which adds unnecessary convergence delay and overhead on point-to-point links between core and aggregation switches. Option B is wrong because non-broadcast network type is used for NBMA environments (e.g., Frame Relay) where neighbors must be manually configured and DR/BDR election still occurs, making it unsuitable for direct point-to-point Ethernet links. Option C is wrong because point-to-multipoint is designed for hub-and-spoke topologies where a single interface connects to multiple neighbors, not for the direct point-to-point links between core and aggregation switches.

86
MCQ · easy

Refer to the exhibit. A network engineer has configured a port-channel for OSPF adjacency. What additional configuration is required for the port-channel to operate correctly?

A. Set the OSPF priority.
B. No additional configuration needed.
C. Enable OSPF on the port-channel with `ip router ospf process`.
D. Configure the channel-group mode on member interfaces.

Answer: D

Member interfaces must be assigned to the port-channel using `channel-group`.

Why this answer

Option D is correct because for a port-channel to form an OSPF adjacency, the member interfaces must be configured with a channel-group mode (e.g., 'channel-group 1 mode active') to bundle them into a logical port-channel interface. Without this, the interfaces remain individual Layer 2 or Layer 3 links, and OSPF cannot establish adjacency over the port-channel as a single logical link.

Exam trap

Cisco often tests the misconception that creating the port-channel interface alone is sufficient, when in fact the member interfaces must be explicitly assigned to the port-channel using the channel-group command.

How to eliminate wrong answers

Option A is wrong because OSPF priority is used for Designated Router (DR) and Backup Designated Router (BDR) election on multiaccess networks, not for enabling or operating a port-channel. Option B is wrong because additional configuration is indeed required: the member interfaces must be assigned to the port-channel using the channel-group command; simply creating the port-channel interface does not bundle the physical links. Option C is wrong because 'ip router ospf process' is used to enable OSPF on an interface, but the port-channel interface itself must first exist and be properly formed; the missing step is bundling the member interfaces, not enabling OSPF on the port-channel.
