Cisco SPCOR / CCNP Service Provider Core 350-501 (350-501) — Questions 175

500 questions total · 7 pages · All types, answers revealed

1
MCQ · easy

A service provider wants to provide Internet access to an MPLS L3VPN customer without leaking the Internet route into the VRF. Which feature allows the PE to forward traffic from the VRF to the global routing table?

A. Static default route from VRF to global
B. Route leaking between VRF and global
C. VRF-Aware Firewall
D. NAT with VRF awareness
Answer: D

NAT translates the VRF source IP to a global IP and routes via the global table.

Why this answer

Option A is correct because VRF-Aware NAT with outside interface in global routing enables NAT. Option B is wrong because VRF-Aware Firewall is not a standard feature. Option C is wrong because route leaking is what they want to avoid.

Option D is wrong because static routing does not provide Internet access without a default route.

2
MCQ · hard

A service provider is deploying Segment Routing (SR) with TI-LFA for fast convergence. Which mechanism does TI-LFA use to repair a link failure in a node segment path?

A. Precomputes a backup path using a segment list (label stack) that avoids the failed link
B. Uses loop-free alternate (LFA) as defined in IPFRR
C. Uses RSVP-TE to signal a protected LSP
D. Relies on BFD to trigger a backup path in the forwarding table
Answer: A

TI-LFA precomputes a backup path by inserting a segment list to steer traffic around the failure.

Why this answer

TI-LFA uses a post-convergence path and pushes additional segment IDs (SIDs) for the repair path. Option A is correct because TI-LFA relies on MPLS label stacking to steer traffic around the failure. Option B is wrong because RSVP-TE is different.

Option C is wrong because BFD only detects failure. Option D is wrong because LFA alone does not use segment routing.

3
MCQ · medium

A network engineer is troubleshooting QoS on a Cisco ASR 1000 router. The router has a service-policy applied on the ingress interface GigabitEthernet0/0/0. The policy uses a class-map to match traffic based on NBAR protocol discovery for 'cisco-jabber'. The goal is to mark the traffic with DSCP AF41. However, when the engineer checks the policy statistics, the class 'jabber' shows zero matches, even though the users are actively using Cisco Jabber. The NBAR protocol discovery is enabled globally and on the interface. The engineer verifies that the NBAR protocol pack is up-to-date. What is the most likely reason for the class-map not matching?

A. The service-policy should be applied on the egress interface instead
B. Cisco Jabber traffic is encrypted, so NBAR cannot identify it
C. The class-map is using 'match access-group' instead of 'match protocol'
D. The NBAR protocol pack is not activated on this interface
Answer: B

NBAR relies on deep packet inspection; encryption hides application signatures.

Why this answer

Cisco Jabber uses encrypted signaling and media (SRTP/TLS), which prevents NBAR from performing deep packet inspection to identify the application. Even with an up-to-date protocol pack, NBAR cannot match encrypted traffic unless decryption is performed elsewhere. Therefore, the class-map matching 'cisco-jabber' via NBAR protocol discovery will show zero matches.

Exam trap

Cisco often tests the limitation that NBAR cannot classify encrypted or obfuscated traffic, leading candidates to incorrectly assume the issue is with policy direction, match method, or protocol pack activation.

How to eliminate wrong answers

Option A is wrong because applying the service-policy on the egress interface would not solve the NBAR identification issue; marking is typically done on ingress to preserve the DSCP value across the network, and egress policies are for queuing/shaping, not for matching encrypted traffic. Option C is wrong because the question states the class-map uses NBAR protocol discovery, not 'match access-group', so this is a misdirection; the issue is encryption, not the match method. Option D is wrong because the engineer verified the NBAR protocol pack is up-to-date and NBAR is enabled globally and on the interface, so the protocol pack is activated; the problem is that encrypted traffic cannot be inspected.

4
MCQ · hard

A network engineer is troubleshooting MPLS LSP connectivity. The MPLS LDP session is up on both endpoints, but some MPLS labels are missing in the LFIB. Which configuration change would most likely resolve the issue?

A. Configure 'label protocol ldp' on all routers
B. Enable 'mpls ldp advertise-labels'
C. Configure 'mpls ip' on all interfaces
D. Enable 'mpls ldp explicit-null' on the ingress
Answer: B

This command ensures that LDP advertises labels for all FECs.

Why this answer

Option B is correct because the 'mpls ldp advertise-labels' command ensures that LDP advertises label bindings to its peers. If this is disabled (default is enabled, but can be overridden), LDP sessions may be up but no labels are distributed, resulting in missing labels in the LFIB. Re-enabling it forces LDP to send label mappings for all FECs, resolving the connectivity issue.

Exam trap

Cisco often tests the distinction between LDP session establishment (which can be up) and label advertisement (which can be suppressed via filters), leading candidates to overlook the 'advertise-labels' command and instead focus on interface-level MPLS enablement or protocol selection.

How to eliminate wrong answers

Option A is wrong because 'label protocol ldp' is used to select LDP as the label distribution protocol on a per-interface basis, but if LDP sessions are already up, this command is not needed and does not address missing label advertisements. Option C is wrong because 'mpls ip' enables MPLS forwarding on an interface, but if LDP sessions are up and labels are missing, the issue is with label advertisement, not MPLS enablement on interfaces. Option D is wrong because 'mpls ldp explicit-null' configures the use of explicit null labels (label 0) for certain FECs, which is a traffic-engineering optimization and does not cause missing labels in the LFIB; it would only affect label values, not their presence.

5
Multi-Select · easy

A service provider is planning to offer L2VPN services using MPLS. Which TWO statements are true regarding Ethernet over MPLS (EoMPLS) and Virtual Private LAN Service (VPLS)?

Select 2 answers
A. EoMPLS provides a point-to-point pseudowire between two PE routers.
B. VPLS requires all PE routers to be in the same VLAN.
C. VPLS uses a hub-and-spoke topology to interconnect multiple sites.
D. VPLS emulates a multipoint Ethernet service over MPLS.
E. EoMPLS supports MAC address learning between sites.
Answers: A, D

EoMPLS is a point-to-point service.

Why this answer

EoMPLS (Ethernet over MPLS) is correct because it establishes a point-to-point pseudowire (Martini draft, RFC 4448) between two PE routers, transporting Layer 2 Ethernet frames across an MPLS core without MAC learning or multipoint capabilities.

Exam trap

Cisco often tests the distinction between point-to-point (EoMPLS) and multipoint (VPLS) services, and the trap here is confusing MAC learning (VPLS) with simple transport (EoMPLS), or assuming VPLS uses a hub-and-spoke topology instead of a full mesh.

6
Multi-Select · medium

Which TWO of the following are characteristics of Segment Routing (SR-MPLS) compared to traditional LDP-based MPLS? (Select two.)

Select 2 answers
A. SR-MPLS requires a dedicated label range from 16 to 99.
B. SR-MPLS does not support traffic engineering.
C. SR-MPLS does not require LDP or RSVP-TE for label distribution.
D. SR-MPLS cannot provide fast reroute protection.
E. SR-MPLS uses a segment list to encode the path in the packet header.
Answers: C, E

Labels are distributed via IGP extensions.

Why this answer

Options A and E are correct. SR-MPLS uses a segment list (stack of labels) encoded in the packet header, and it does not require LDP or RSVP-TE for label distribution; labels are assigned by the IGP (OSPF or IS-IS). Option B is wrong: SR-MPLS can do traffic engineering via SR-TE policies.

Option C is wrong: SR-MPLS supports fast reroute (TI-LFA). Option D is wrong: SR-MPLS can support any label range (16-1,048,575).

7
MCQ · easy

Which LISP feature allows a device to register its location to a mapping system so that another device can find it?

A. ETR
B. Map-Resolver (MR)
C. Proxy ITR (PITR)
D. xTR
Answer: A

ETR registers EID-to-RLOC mappings with the mapping system.

Why this answer

Option B is correct: In LISP, the ITR (Ingress Tunnel Router) performs mapping lookup, but the ETR (Egress Tunnel Router) registers mappings with the MR/MS (Map-Resolver/Map-Server). Option A (xTR) is both; Option C (MR) resolves mappings; Option D (PITR) is proxy ITR for non-LISP sites.

8
MCQ · hard

Refer to the exhibit. A service provider is applying this QoS policy on a PE-CE interface. The business customer complains that voice traffic (marked with DSCP EF) experiences drops during congestion. What is the likely cause?

A. The police rate under the REALTIME class is limiting voice traffic to 10% of bandwidth.
B. The priority level is set too low; voice should be priority level 4.
C. The 'bandwidth remaining ratio' command under class-default is starving the priority queue.
D. The policy is applied in the output direction; it should be input.
Answer: A

Policing drops traffic exceeding 10%.

Why this answer

The REALTIME class uses the 'police' command to enforce a rate of 10% of the interface bandwidth. When voice traffic marked DSCP EF exceeds this policed rate, packets are dropped, even though the class is configured with priority queuing. The police rate is the bottleneck, not the priority queue itself.

Exam trap

Cisco often tests the distinction between priority queuing (which provides low latency) and policing (which enforces a rate limit), leading candidates to overlook that a police rate in a priority class can cause drops even when the priority queue is not congested.

How to eliminate wrong answers

Option B is wrong because priority levels in Cisco QoS (0-7) control the scheduling order within the priority queue, not the amount of bandwidth; voice traffic with DSCP EF is typically mapped to priority level 4 by default, and raising it would not prevent drops caused by policing. Option C is wrong because the 'bandwidth remaining ratio' command under class-default only affects the distribution of leftover bandwidth among non-priority classes; it does not starve the priority queue, which is serviced first regardless of remaining ratios. Option D is wrong because the policy is applied in the output direction, which is correct for shaping and policing egress traffic; applying it input would not control outbound drops on the PE-CE interface.

9
MCQ · hard

A service provider is migrating from LDP-based MPLS to Segment Routing (SR-MPLS) with IS-IS. After enabling SR on all routers, the adjacency segment IDs (ADJ-SIDs) are not being advertised. Which configuration is missing?

A. The `segment-routing mpls` command is not enabled under the IS-IS process
B. The router is running OSPF instead of IS-IS
C. The interface has the `isis adjacency-sid` command incorrectly configured
D. The loopback interface does not have an IP address configured
Answer: A

IS-IS requires the segment-routing mpls command under the IS-IS process to advertise SR capabilities.

Why this answer

In IS-IS, adjacency segment IDs are programmed only when a specific prefix-SID (e.g., the loopback) is configured and SR is enabled globally. Without an SR-capable IGP process on the interface, ADJ-SIDs are not allocated. The most common missing piece is the `segment-routing mpls` command under the IS-IS process.

10
MCQ · hard

A service provider is implementing MPLS-TE with FRR (Fast Reroute) using one-to-one backup tunnels. After activation, they notice that the number of labels in the forwarding table has increased significantly. What is the most likely reason for this increase?

A. One-to-one backup creates a unique backup tunnel for each protected LSP
B. RSVP-TE signaling is not properly aggregating labels
C. Penultimate Hop Popping (PHP) is disabled
D. Facility backup is being used instead of one-to-one
Answer: A

Each protected LSP gets its own backup tunnel, increasing label count linearly.

Why this answer

One-to-one backup tunnels in MPLS-TE FRR create a dedicated backup LSP for each protected primary LSP. This means every primary LSP gets its own unique set of labels for the backup path, leading to a significant increase in the number of labels in the forwarding table. In contrast, facility backup shares a single bypass tunnel among multiple protected LSPs, which conserves labels.

Exam trap

Cisco often tests the distinction between one-to-one and facility backup, where candidates may confuse the label increase with a signaling or PHP issue, rather than recognizing it as a direct consequence of the one-to-one backup design.

How to eliminate wrong answers

Option B is wrong because RSVP-TE signaling does aggregate labels for the primary LSP, but the label increase is a direct consequence of the one-to-one backup design, not a signaling failure. Option C is wrong because disabling PHP would affect label imposition at the penultimate hop, but it does not cause a significant increase in the number of labels; PHP affects label stack depth, not the count of unique backup labels. Option D is wrong because facility backup (bypass tunnels) actually reduces label usage by sharing a single backup tunnel among multiple LSPs, which is the opposite of the observed increase.

11
Multi-Select · medium

Which TWO features are used to improve BGP convergence in an MPLS VPN environment?

Select 2 answers
A. Route redistribution
B. Next-hop-self
C. Bidirectional Forwarding Detection (BFD)
D. BGP multipath
E. BGP Prefix Independent Convergence (PIC)
Answers: C, E

BFD quickly detects link failures.

Why this answer

Bidirectional Forwarding Detection (BFD) provides sub-second failure detection for BGP sessions, reducing the time to detect a link or neighbor failure from seconds (default BGP keepalive/hold timers) to milliseconds. BGP Prefix Independent Convergence (PIC) pre-installs backup paths in the forwarding table, allowing traffic to be rerouted immediately upon failure without waiting for BGP to reconverge. Together, these features drastically improve BGP convergence in an MPLS VPN environment.

Exam trap

Cisco often tests the distinction between features that improve convergence speed (BFD, PIC) versus features that affect routing behavior or path selection (next-hop-self, multipath, redistribution), leading candidates to mistakenly select options that are useful but do not directly address convergence time.

12
Multi-Select · hard

Which THREE of the following are benefits of using Segment Routing over LDP in an MPLS network? (Choose three.)

Select 3 answers
A. Enables traffic engineering without RSVP-TE.
B. Reduces the number of protocols required in the network.
C. Eliminates the need for LDP and RSVP-TE in the core.
D. Provides inherent security against label spoofing.
E. Requires BGP-LU for label distribution.
Answers: A, B, C

Correct: SR-TE provides traffic engineering capabilities.

Why this answer

Option A is correct because Segment Routing (SR) can perform traffic engineering using SR-TE policies (via a controller or PCEP) or SR Flexible Algorithm, without requiring RSVP-TE. This eliminates the complexity of RSVP-TE's soft-state signaling and per-LSP state maintenance, relying instead on source-routed segment lists encoded in the packet header.

Exam trap

Cisco often tests the misconception that Segment Routing eliminates all security concerns or that it mandates BGP-LU, when in fact SR's security model is similar to traditional MPLS and BGP-LU is optional for specific use cases like inter-domain label distribution.

13
MCQ · medium

Refer to the exhibit. A PE router is showing a VRF route. What does the [200/0] indicate?

A. Administrative distance 200 and metric 0
B. Local preference 200 and MED 0
C. Label value 200 and metric 0
D. AS path length 200 and weight 0
Answer: A

BGP external routes have AD 200.

Why this answer

In BGP, the bracket notation shows [administrative distance/metric]. [200/0] means AD 200 (BGP external) and metric 0. AS path length, local preference, and label values are not shown in this format.

14
Drag & Drop · medium

Drag and drop the steps to configure a Layer 3 interface on a Cisco switch (SVI) into the correct order.

Why this order

SVI configuration requires creating the VLAN, then the interface VLAN, assigning an IP, and enabling it.

15
MCQ · medium

Based on the exhibit, what is preventing the BGP session from establishing?

A. The BGP MD5 password is mismatched
B. The BGP update-source is misconfigured
C. The neighbor has reached its maximum prefix limit
D. The TTL security check is blocking the connection
Answer: D

The error 'Connection is not permitted by TTL security check (TTL=1)' clearly indicates the TTL security mechanism is rejecting the packet.

Why this answer

Option C is correct. The error message indicates the TTL security check is rejecting the connection because the incoming TTL is not 255 (as expected for an eBGP multihop session). The remote AS is shown as 65000, so it is eBGP.

The neighbor is reached via a single hop and the TTL check expects TTL=255, but the router sees a TTL less than that. Option A is wrong because no prefix limit is mentioned. Option B is wrong because no MD5 error is shown.

Option D is wrong because the message clearly states TTL security check.

16
MCQ · medium

Based on the exhibit, which statement is true about the QoS policy?

A. The class-default will use weighted fair queuing (WFQ).
B. The VIDEO class will be limited to 30% of the total interface bandwidth.
C. The VOICE class is allocated a strict priority queue with a bandwidth limit of 10% of the interface bandwidth.
D. The VIDEO class is guaranteed at least 30% of the total interface bandwidth.
Answer: C

The 'priority percent 10' command provides a strict priority queue with a bandwidth limit of 10%.

Why this answer

The exhibit shows a QoS policy where the VOICE class is configured with the 'priority' command and a bandwidth statement of 10 percent. In Cisco IOS, the 'priority' command under a class map creates a strict priority queue (LLQ), and the bandwidth percentage defines the maximum amount of interface bandwidth that can be used by this queue, ensuring low-latency treatment for voice traffic. Therefore, option C is correct.

Exam trap

Cisco often tests the distinction between 'bandwidth' (which guarantees a minimum bandwidth) and 'bandwidth remaining percent' (which guarantees a percentage of the leftover bandwidth after priority queues), and the trap here is that candidates mistakenly interpret 'bandwidth remaining percent' as a guarantee of total interface bandwidth rather than a share of the remaining bandwidth.

How to eliminate wrong answers

Option A is wrong because the class-default in a policy map that includes a priority queue (LLQ) automatically uses the default queuing mechanism, which is FIFO, not WFQ; WFQ is only used in class-default when no priority queue is configured. Option B is wrong because the VIDEO class is configured with the 'bandwidth remaining percent 30' command, which guarantees a minimum bandwidth share of the remaining bandwidth after the priority queue is serviced, not a hard limit of 30% of the total interface bandwidth. Option D is wrong because the VIDEO class is not guaranteed at least 30% of the total interface bandwidth; the 'bandwidth remaining percent' command only guarantees a percentage of the leftover bandwidth after the priority queue's traffic is served, and it does not provide a minimum guarantee of the total interface bandwidth.

17
MCQ · medium

Refer to the exhibit. An engineer applies two service policies to the same subinterface in the outbound direction. Which statement describes the expected behavior?

A. The router automatically nests CHILD-QOS inside SHAKE-1M creating hierarchical QoS.
B. The router compiles a combined policy that merges classifications.
C. Only the SHAKE-1M policy is applied; the CHILD-QOS policy is ignored.
D. Both policies are applied sequentially; traffic is shaped then classified.
Answer: C

Correct: Only one output policy allowed per interface on IOS XR.

Why this answer

When two service policies are applied to the same subinterface in the same direction, the router only honors the first policy applied; the second policy is ignored. In this case, SHAKE-1M was applied first, so CHILD-QOS is not processed. Cisco IOS does not allow multiple service policies in the same direction on a single interface or subinterface, as each direction can have only one active policy-map.

Exam trap

The trap here is that candidates assume multiple service policies can be stacked or merged in the same direction, but Cisco enforces a strict one-policy-per-direction rule, making the second policy silently ignored.

How to eliminate wrong answers

Option A is wrong because hierarchical QoS is created by nesting a child policy inside a parent policy using the 'service-policy' command within a policy-map class, not by applying two separate service policies to the same subinterface. Option B is wrong because the router does not merge or compile classifications from multiple service policies; it simply ignores the second policy. Option D is wrong because both policies are not applied sequentially; only the first policy applied (SHAKE-1M) is active, and the second (CHILD-QOS) is disregarded entirely.

18
MCQ · easy

A service provider wants to offer Layer 2 VPN services using MPLS. Which technology should be used to transport Ethernet frames across the MPLS core?

A. Pseudowire
B. LDP
C. VPLS
D. L3VPN
Answer: A

Pseudowire provides point-to-point Layer 2 transport over MPLS.

Why this answer

Pseudowire (A) is the correct technology because it provides a point-to-point Layer 2 circuit over an MPLS core, allowing Ethernet frames to be encapsulated and transported transparently. This is defined in RFC 4448 (Ethernet over MPLS) and enables service providers to offer E-Line services. Pseudowire uses MPLS labels to forward frames across the core without requiring the core routers to participate in the customer's Layer 2 control plane.

Exam trap

Cisco often tests the distinction between point-to-point (Pseudowire) and multipoint (VPLS) Layer 2 services, so the trap here is that candidates may confuse VPLS as the answer because it also transports Ethernet frames, but the question specifies 'Layer 2 VPN services' without mentioning multipoint, making Pseudowire the correct choice.

How to eliminate wrong answers

Option B (LDP) is wrong because LDP is a label distribution protocol used to distribute MPLS labels for building LSPs, not a technology for transporting Ethernet frames. Option C (VPLS) is wrong because VPLS provides multipoint-to-multipoint Layer 2 connectivity (E-LAN), not the point-to-point Ethernet transport described in the question. Option D (L3VPN) is wrong because L3VPN operates at Layer 3, routing IP packets based on customer VPN routes, and does not transport raw Ethernet frames across the MPLS core.

19
MCQ · hard

A service provider is deploying multicast over MPLS L3VPN. Which mechanism is used to provide multicast in the core between PE routers?

A. IGMP
B. PIM-SM
C. PIM-DM
D. mLDP
Answer: D

mLDP is the multicast label distribution protocol for MPLS.

Why this answer

mLDP is used for multicast label distribution in the MPLS core. PIM-SM and PIM-DM are protocol independent multicast modes, but not specifically for MPLS core multicast. IGMP is for host registration.

20
MCQ · medium

A service provider is redesigning its MPLS core to support both L3VPN and L2VPN services. They want to minimize the number of labels in the forwarding table while maintaining per-VRF label allocation. Which label allocation mode should be used for the L3VPN service?

A. Per-VRF label allocation
B. Per-CE label allocation
C. Per-prefix label allocation
D. Per-instance label allocation
Answer: A

Per-VRF assigns a single label per VRF, minimizing labels while allowing per-VRF forwarding.

Why this answer

Per-VRF label allocation assigns a single MPLS label per VRF, meaning all routes within a VRF share the same label. This minimizes the number of labels in the forwarding table compared to per-prefix allocation, while still maintaining per-VRF isolation for L3VPN services. It is the recommended mode when the goal is to reduce label consumption without sacrificing VPN separation.

Exam trap

Cisco often tests the distinction between per-VRF and per-prefix label allocation, where candidates mistakenly choose per-prefix because they think it offers finer granularity, but the question explicitly asks for minimizing labels, which per-VRF achieves.

How to eliminate wrong answers

Option B (Per-CE label allocation) is wrong because it assigns a label per customer edge (CE) router, which does not directly minimize labels in the core and is not a standard L3VPN label mode; it is more relevant to Carrier Supporting Carrier (CSC) or inter-AS scenarios. Option C (Per-prefix label allocation) is wrong because it assigns a unique label for each prefix in the VRF, which maximizes label usage and contradicts the goal of minimizing labels in the forwarding table. Option D (Per-instance label allocation) is wrong because it is not a recognized label allocation mode in MPLS L3VPN; the correct terms are per-VRF, per-prefix, or per-CE, and 'per-instance' is a distractor.

21
MCQ · easy

Which tool can verify connectivity along an MPLS Label Switched Path (LSP) and detect label loops?

A. SNMP
B. traceroute
C. MPLS LSP ping
D. ping
Answer: C

This is the dedicated OAM tool for LSP connectivity verification.

Why this answer

MPLS LSP ping sends MPLS echo request packets that traverse the LSP, verifying label forwarding and detecting loops.

22
MCQ · medium

In an MPLS network, a PE router receives a VPNv4 route from a route reflector. The route is not being installed in the VRF table. Which condition could cause this?

A. The route target does not match the VRF import map.
B. The MPLS label is missing.
C. The route distinguisher is incorrect.
D. The next-hop is unreachable.
Answer: A

VRF import filters based on route targets; if mismatch, the route is not installed.

Why this answer

A VPNv4 route is installed into a VRF table only if its Route Target (RT) matches an import statement in the VRF's route-target import list or import map. If the RT does not match, the PE router will not import the route into the VRF, even though the route is valid in the BGP VPNv4 table. This is the most common cause for a VPNv4 route being present in BGP but missing from the VRF.

Exam trap

Cisco often tests the distinction between the Route Distinguisher (which makes prefixes unique) and the Route Target (which controls import/export), leading candidates to incorrectly blame the RD when the RT is the actual filter.

How to eliminate wrong answers

Option B is wrong because a missing MPLS label would prevent the route from being usable for forwarding, but the route can still be installed in the VRF table as long as the RT matches and next-hop is reachable. Option C is wrong because the Route Distinguisher (RD) is used to make VPNv4 prefixes unique across VRFs; an incorrect RD would cause a different issue (e.g., prefix collision or wrong VRF association), but it does not prevent installation if the RT matches. Option D is wrong because an unreachable next-hop would cause the route to be marked as invalid in the BGP table and not installed in the IP routing table, but the route could still be present in the VRF table if the RT matches; the next-hop check occurs after import.

23
MCQ · medium

Refer to the exhibit. The router cannot form a full OSPF adjacency with 10.0.0.2. Which is the most likely cause?

A. Duplicate router IDs.
B. Mismatched authentication.
C. Mismatched hello interval.
D. Mismatched MTU.
Answer: D

OSPF Database Description packets include MTU; a mismatch prevents progression from EXSTART.

Why this answer

Option A is correct because a mismatched MTU commonly causes OSPF to get stuck in EXSTART state. Option B (hello interval) would prevent INIT. Option C (duplicate router ID) might cause other issues.

Option D (authentication) would cause failure earlier.

24
MCQ · easy

Which OSPF neighbor state indicates that a router has received a hello packet from a neighbor but the neighbor's Router ID is not yet seen in its own hello packet?

A. Down
B. Two-way
C. Init
D. ExStart
Answer: C

Init state indicates hello received but not bidirectional.

Why this answer

The Init state is the first step in OSPF neighbor formation after the Down state. A router enters Init when it receives a Hello packet from a neighbor but does not yet see its own Router ID in the neighbor's Hello packet, indicating that bidirectional communication is not yet confirmed.

Exam trap

Cisco often tests the distinction between Init and Two-way states, and the trap here is confusing the receipt of a Hello packet (Init) with the confirmation of bidirectional communication (Two-way).

How to eliminate wrong answers

Option A is wrong because the Down state means no Hello packets have been received from the neighbor at all, not that a Hello was received without the router's ID. Option B is wrong because the Two-way state is reached after both routers have seen each other's Router IDs in their respective Hello packets, confirming bidirectional communication. Option D is wrong because ExStart is a later state in the database exchange process, occurring after the Two-way state and the election of the Designated Router and Backup Designated Router.

25
Multi-Select · hard

Which THREE of the following are characteristics of Segment Routing (SR-MPLS) compared to traditional MPLS with LDP?

Select 3 answers
A. It can only be used for transit, not for egress routers.
B. The IGP (IS-IS or OSPF) is used to advertise prefix SIDs.
C. It supports explicit path control via segment lists.
D. Labels are distributed via multicast to all routers.
E. No need for LDP or RSVP-TE for label distribution.
Answers: B, C, E

Correct. IGP extensions carry label information.

Why this answer

Options A, C, and E are correct. SR-MPLS does not require LDP (A), uses IGP to distribute labels (C), and supports traffic engineering via segment lists (E). Option B is incorrect; LDP uses multicast for discovery, but SR-MPLS uses IGP flooding, not multicast.

Option D is incorrect; LDP can be used for both transit and egress.

26
MCQ · medium

A company is connecting two sites using MPLS L3VPN. The PE routers are running both LDP and Segment Routing (SR-MPLS) in the core. The CE router at Site A cannot reach the CE at Site B. On the PEs, the VRF routes are present. Which command would you use to verify the MPLS forwarding path for the VPN traffic?

A. show mpls ldp bindings
B. show ip route vrf VPN-A 10.1.1.0
C. show mpls forwarding-table vrf VPN-A 10.1.1.0
D. show bgp vpnv4 unicast labels
Answer: C

Displays the MPLS forwarding entry including the outgoing label stack and next hop.

Why this answer

To verify the MPLS forwarding path, including the label stack used for VPN traffic, the command `show mpls forwarding-table vrf <vrf-name> <prefix>` shows the outgoing labels and next hop. `show ip route vrf` only shows the IP route without labels. `show mpls ldp bindings` shows LDP bindings but not per-prefix forwarding. `show bgp vpnv4 unicast labels` shows the VPN labels but not the transport labels.

27
MCQ · medium

An engineer configures model-driven telemetry on a Cisco XR router to send data to a collector. After configuring, the collector receives no data. The engineer verifies that the collector IP and port are reachable. What is the next step to troubleshoot?

A.Check if the YANG model is valid
B.Verify that the router has a route to the collector
C.Check that the sensor-group and destination-group are correctly associated and committed in the subscription
D.Reboot the router
E.Check the SNMP community strings
AnswerC

The subscription must link the sensor-group and destination-group; if misconfigured, no data is sent.

Why this answer

A common misconfiguration is that the sensor-group and destination-group are not properly associated under the subscription. The telemetry configuration requires a subscription that links a sensor-group with a destination-group. Without correct association, no data is sent.

Checking SNMP community strings, routes, or YANG model validity, or rebooting the router, is not the immediate next step.

28
MCQmedium

A network engineer is configuring an MPLS L3VPN on a PE router. The VRF is configured with route-target import/export. The PE and CE are running eBGP. The CE advertises routes to the PE, and the PE installs them in the VRF routing table. However, the remote PE does not receive these routes via BGP VPNv4. The local PE's BGP table shows the VPNv4 prefixes with the correct next hop and label. The remote PE's BGP table shows no such prefixes. The IGP between the PEs is working, and MPLS LSPs are up. What is the most likely cause and correct action?

A.Enable the 'soft-reconfiguration inbound' command
B.Reset the BGP session between the PEs
C.Check the MTU on the link between the PEs
D.Check the route-target import/export configuration on both PEs and ensure they match
AnswerD

If route-target export does not match the import, the remote PE will discard the route.

Why this answer

Despite the local PE having the routes in BGP VPNv4, the remote PE does not receive them. This often indicates that the route-target export on the local PE does not match the route-target import on the remote PE, or that the VPNv4 session is not correctly configured. Since the local PE shows the prefixes in its BGP VPNv4 table, they are being advertised to the BGP peer, but the remote PE's import policy filters them due to a mismatched RT.

The correct action is to verify the route-target configuration on both PEs.

29
Multi-Selectmedium

A network engineer is troubleshooting a BGP route selection issue on a router that receives the same prefix from two different peers. Which THREE BGP attributes are considered in the route selection process before the 'prefer the route with the lowest metric' step?

Select 3 answers
A.Highest weight
B.Shortest AS_PATH
C.Prefer locally originated routes (network or aggregate)
D.Highest local preference
E.Lowest origin type (IGP < EGP < incomplete)
AnswersA, C, D

Weight is the first attribute considered; higher weight is preferred.

Why this answer

Weight is a Cisco-proprietary BGP attribute that is locally significant to the router and is checked first in the BGP best-path selection process. A route with a higher weight is preferred over all other attributes, including local preference and AS_PATH length, making it the most influential attribute for inbound traffic engineering on a single router.

Exam trap

Cisco often tests the exact order of BGP path selection steps, and the trap here is that candidates confuse the sequence by thinking AS_PATH or Origin type are evaluated before locally originated routes or local preference, when in fact they come later.

30
MCQhard

A service provider has a network with PE1, P1, P2, and PE2 connected in a chain: PE1-P1-P2-PE2. The IGP is IS-IS with wide metrics, and MPLS LDP is enabled on all interfaces. The goal is to provide L3VPN services between PE1 and PE2. The engineer has configured MP-iBGP between PE1 and PE2, and the VPNv4 routes are exchanged. However, when a CE router behind PE1 tries to reach the CE behind PE2, the traffic fails. The engineer checks the MPLS forwarding table on PE1 and sees that the label for the BGP next-hop (PE2's loopback) is 'Untagged'. The BGP next-hop is reachable via ICMP. What is the most likely cause of this issue?

A.The IS-IS metric between PE1 and P1 is too high, causing suboptimal routing.
B.The MPLS TTL propagation is disabled, causing packets to be dropped.
C.LDP is not enabled on the interface between PE1 and P1.
D.The MTU on the link between PE1 and P1 is set to 1500, causing fragmentation.
AnswerC

Without LDP, no label is received from P1 for the BGP next-hop.

Why this answer

The MPLS forwarding table on PE1 shows the label for PE2's loopback as 'Untagged', which indicates that LDP has not assigned a label for that prefix on the incoming interface. Since LDP is responsible for distributing labels for IGP routes (like loopbacks) in an MPLS LDP-enabled network, the missing label means LDP is not operational on the link between PE1 and P1. Without a label, PE1 cannot push an MPLS label for the BGP next-hop, causing the VPNv4 traffic to be dropped or forwarded as IP, which fails because the core routers (P1, P2) do not have the VPN route.

Exam trap

Cisco often tests the distinction between BGP route exchange (which works) and MPLS label assignment (which fails), leading candidates to incorrectly focus on routing protocol issues or MTU/TTL parameters instead of verifying LDP adjacency and label bindings.

How to eliminate wrong answers

Option A is wrong because a high IS-IS metric would affect path selection but would not cause the BGP next-hop label to be 'Untagged'; LDP still assigns labels regardless of metric values. Option B is wrong because disabling MPLS TTL propagation affects TTL handling in the MPLS header but does not prevent label assignment or cause an 'Untagged' entry in the forwarding table. Option D is wrong because an MTU of 1500 is standard and would not cause the label to be missing; fragmentation issues would manifest as packet drops after label imposition, not as a missing label in the forwarding table.

31
MCQhard

Refer to the exhibit. A network engineer applies this policy on the PE-CE link. What is the expected behavior for VoIP traffic matching the access list?

A.VoIP traffic is given strict priority queuing with up to 30% bandwidth
B.VoIP traffic is dropped if congestion occurs
C.VoIP traffic is shaped to 30% of bandwidth
D.VoIP traffic is queued in the default class with fair-queue
AnswerA

Priority queue guarantees bandwidth up to 30% with strict priority.

Why this answer

Option B is correct because the priority queue provides strict priority; traffic is not shaped. Option A is wrong because priority does not shape. Option C is wrong because fair-queue is for the default class.

Option D is wrong because congestion is avoided but not specifically by WRED.

32
MCQhard

A service provider is deploying an MPLS L3VPN solution for a customer with two sites. The PE routers are running OSPF as the IGP and LDP for label distribution. The provider wants to ensure that customer traffic is load-balanced across two equal-cost paths between the PEs. The network team notices that all traffic is taking only one path despite the IGP showing equal-cost routes. The team has verified that the MPLS forwarding table on the P router shows only one label entry for the BGP next-hop. The team suspects a load-balancing issue. Which action best resolves the problem?

A.Increase the OSPF maximum-paths value to 4
B.Enable per-flow load balancing on all routers with 'load-balance per-flow'
C.Enable BGP additional-paths on the PE routers
D.Configure LDP to use the 'mpls ldp igp sync' command
AnswerB

This enables load balancing based on flow, which is required for MPLS to use multiple equal-cost paths.

Why this answer

Option B is correct because the issue is that MPLS L3VPN traffic is not being load-balanced despite equal-cost IGP paths. This typically occurs when the MPLS forwarding table on the P router has only one label entry for the BGP next-hop, indicating that per-flow load balancing is not enabled. Enabling 'load-balance per-flow' on all routers ensures that the CEF (Cisco Express Forwarding) uses per-flow hashing to distribute traffic across multiple equal-cost LSPs (Label Switched Paths), rather than per-packet or default behavior that may favor a single path.

Exam trap

Cisco often tests the misconception that IGP equal-cost routes automatically guarantee MPLS load balancing, but the trap here is that MPLS forwarding uses the label entry for the BGP next-hop, and without per-flow load balancing, the router may install only one label entry in the LFIB (Label Forwarding Information Base) for that next-hop, causing all traffic to follow a single path.

How to eliminate wrong answers

Option A is wrong because increasing OSPF maximum-paths to 4 does not address the MPLS label-level load-balancing issue; the IGP already shows equal-cost routes, so the problem lies in how MPLS forwards traffic across those paths, not in route selection. Option C is wrong because BGP additional-paths is used to advertise multiple paths for a prefix to avoid path-hiding in BGP, but it does not affect how the MPLS forwarding table load-balances traffic across existing equal-cost LSPs; the issue is on the P router, not BGP path advertisement. Option D is wrong because 'mpls ldp igp sync' ensures LDP and IGP are synchronized to prevent blackholing during convergence, but it does not enable load balancing across multiple LSPs; the problem is not synchronization but the lack of per-flow hashing in the forwarding plane.

33
MCQmedium

Refer to the exhibit. A network engineer is troubleshooting MPLS forwarding for prefix 10.10.10.0/24. The router shows two entries. What does the 'Pop tag' in the outgoing tag indicate?

A.The router will swap the label with the local label 16.
B.The router has received an error in label distribution.
C.The router will pop the MPLS label before forwarding the packet.
D.The router will forward the packet without an MPLS label.
AnswerC

PHP is performed by the penultimate router.

Why this answer

The 'Pop tag' in the outgoing tag indicates that the router is the penultimate hop in the MPLS LSP. According to Penultimate Hop Popping (PHP) behavior, the penultimate router removes (pops) the top label before forwarding the IP packet to the egress LSR, so the egress router receives a pure IP packet and does not need to perform a label lookup. This is standard MPLS behavior defined in RFC 3031.

Exam trap

Cisco often tests the distinction between 'Pop tag' (PHP/Implicit NULL) and 'Untagged' (no label at all), leading candidates to confuse the two; 'Pop tag' means the label is actively removed, while 'Untagged' means the packet was never labeled.

How to eliminate wrong answers

Option A is wrong because 'Pop tag' means the label is removed, not swapped; swapping would show a specific outgoing label value (e.g., 16) instead of 'Pop tag'. Option B is wrong because 'Pop tag' is a normal, intentional label operation in MPLS, not an error condition; label distribution errors typically result in missing or incorrect label bindings, not a 'Pop tag' indication. Option D is wrong because the router will forward the packet without an MPLS label only after popping it; the 'Pop tag' action itself removes the label, and the packet is then forwarded as a native IP packet, but the statement 'forward the packet without an MPLS label' is misleading because it implies the router never had a label, whereas PHP explicitly pops the existing label.

34
Multi-Selectmedium

Which TWO statements about MPLS label switching are correct? (Choose two.)

Select 2 answers
A.The transit LSR performs label swapping.
B.The CE receives a frame with an MPLS label.
C.The ingress LSR imposes a label on the packet.
D.PHP (Penultimate Hop Popping) causes the egress router to pop the label.
E.The egress LSR performs label swapping before forwarding.
AnswersA, C

Correct: Transit routers swap the incoming label with an outgoing label.

Why this answer

Option A is correct because a transit Label Switch Router (LSR) in an MPLS network performs label swapping: it receives a labeled packet, replaces the incoming label with an outgoing label from its LFIB (Label Forwarding Information Base), and forwards the packet toward the egress LSR. This is the fundamental operation of an LSR in the core of an MPLS domain, as defined in RFC 3031.

Exam trap

Cisco often tests the distinction between which router performs label popping in PHP (penultimate hop vs. egress) and which router swaps labels (transit LSR vs. egress LSR), leading candidates to confuse the roles of the penultimate and egress routers.

35
Multi-Selecthard

Which three features are unique to Segment Routing when compared to traditional MPLS with LDP? (Choose three)

Select 3 answers
A.Source-based path selection
B.TI-LFA fast convergence
C.Stateful TE tunnels
D.Network-wide label range (SRGB)
E.Centralized controller (PCE) requirement
AnswersA, B, D

SR uses source routing where the path is encoded in the packet header.

Why this answer

Source-based path selection, SRGB, and TI-LFA are inherent to SR and not present in LDP-based MPLS. Stateful TE tunnels exist in RSVP-TE, and PCE is optional for SR.

36
MCQeasy

Which tool is used to validate YANG data models against device capabilities and to generate Python bindings for automation scripts?

A.RESTCONF
B.pyang
C.Ansible
D.NETCONF
AnswerB

Validates YANG models and can generate Python bindings.

Why this answer

B is correct because pyang is a YANG data modeling language validator and converter that can validate YANG modules against device capabilities (e.g., via RFC 7895 YANG Library) and generate Python bindings (e.g., using the `--plugindir` or `pyang --format pybind` options) for use in automation scripts. It directly supports the task of validating YANG models and producing Python code, unlike the other options which are protocols or automation frameworks.

Exam trap

Cisco often tests the distinction between a protocol (NETCONF/RESTCONF) and a tool (pyang), so the trap here is that candidates confuse the transport or automation framework with the actual YANG validation and binding generation tool.

How to eliminate wrong answers

Option A is wrong because RESTCONF is an HTTP-based protocol for accessing data defined in YANG, not a tool for validating YANG models or generating Python bindings. Option C is wrong because Ansible is an automation engine that can use YANG models via modules like `ios_config`, but it does not validate YANG data models or generate Python bindings natively. Option D is wrong because NETCONF is a network configuration protocol that transports YANG-defined data, but it is not a tool for YANG model validation or Python code generation.

37
MCQeasy

An engineer is deploying MPLS in the core and wants to ensure that all core routers use the same label for a specific prefix, regardless of which router originated it. Which MPLS label allocation mode should be used?

A.Per-interface label mode
B.Per-next-hop label mode
C.Per-prefix label mode
D.Per-VRF label mode
AnswerC

Per-prefix allocates one label per prefix, ensuring same label across all routers.

Why this answer

Per-prefix label mode (option C) is correct because it assigns a single label for a specific prefix across all core routers, regardless of which router originated the route. This ensures label consistency, which is critical for proper MPLS forwarding and troubleshooting. In contrast, per-next-hop or per-interface modes would create different labels for the same prefix based on the next hop or interface, breaking the requirement for uniform label allocation.

Exam trap

Cisco often tests the distinction between per-prefix and per-next-hop label modes, and the trap here is that candidates confuse per-next-hop (which creates multiple labels for the same prefix) with per-prefix, thinking that per-next-hop ensures consistency when it actually does the opposite.

How to eliminate wrong answers

Option A is wrong because per-interface label mode assigns a unique label per interface for each FEC, which would cause the same prefix to have different labels on different interfaces, not a single label across all routers. Option B is wrong because per-next-hop label mode allocates a label per next hop for a given prefix, leading to multiple labels for the same prefix if multiple next hops exist, violating the requirement for a single label. Option D is wrong because per-VRF label mode is used in MPLS VPNs to assign a label per VRF, not per prefix, and would not ensure a single label for a specific prefix across the core.

38
MCQmedium

A customer requires MPLS Layer 2 VPN connectivity between two sites using Pseudowire. Which control protocol is used to signal the pseudowire label?

A.RSVP-TE
B.LDP
C.BGP
D.OSPF
AnswerB

LDP-signaled pseudowires are used in AToM.

Why this answer

Option B is correct because LDP is used for pseudowire label signaling in AToM. Option A is wrong because BGP is used for auto-discovery. Option C is wrong because RSVP-TE is for traffic engineering.

Option D is wrong because OSPF is an IGP.

39
MCQeasy

A service provider recently deployed MPLS L3VPN for a customer with four sites (Site1, Site2, Site3, Site4) connected to PE1, PE2, PE3, and PE4 respectively. All sites are in VRF CUST-A with route targets 100:1 import and 100:1 export on all PEs. The customer reports that Site4 cannot ping the loopback interface (10.1.1.1/32) of Site1, but Site2 and Site3 can reach it. The provider verifies that BGP sessions between all PEs and the route reflector are up and that VPNv4 routes are advertised. The VRF on PE4 shows the route 10.1.1.1/32 with next-hop 192.0.2.1 (PE1's loopback) but when Site4 initiates a ping, it fails. What should the provider check next?

A.Ensure that the IGP operating in the core has propagated the loopback interface address of PE1 to all P routers.
B.Verify that the BGP session between PE4 and the route reflector is using the correct update source.
C.Verify that the CE router at Site4 is configured with the correct VRF name and default gateway.
D.Check the VRF route target import on PE1 to ensure it includes the route target exported by PE4 for Site4's subnet.
AnswerD

Even if the remote prefix is in the VRF, return traffic requires the local prefix to be imported by the remote PE.

Why this answer

Option B is correct because the ping failure is likely due to return path routing; the VRF on PE4 has the route, but the ping echo reply must be routed back to Site4. The VRF on PE1 must have a route for Site4's subnet. Typically, the import and export RTs are symmetric, but if PE1 is not importing the RT that PE4 exports (e.g., Site4's prefix), the return traffic will be dropped.

A missing RT import on PE1 for the route from Site4 is the most common cause, so that is the next thing to check. Option A is incorrect because BGP sessions are already up. Option C is incorrect because IGP propagation of loopbacks is not needed for VPNv4.

Option D is incorrect because CE configuration is likely fine since Site2 and Site3 work.

40
MCQeasy

Which technology should be used to provide per-flow load balancing across multiple equal-cost paths in an MPLS network while preserving packet order?

A.ECMP with a hash algorithm based on layer 3 and layer 4 headers
B.LAG with default hashing
C.Policy-based routing with next-hop per destination
D.Per-packet round-robin load balancing
AnswerA

ECMP hashing preserves flow ordering.

Why this answer

ECMP with a hash algorithm based on Layer 3 and Layer 4 headers is the correct choice because it provides per-flow load balancing by computing a hash over source/destination IP addresses and TCP/UDP port numbers, ensuring that all packets belonging to the same flow are forwarded over the same equal-cost path. This preserves packet order while distributing different flows across multiple paths in an MPLS network.

Exam trap

Cisco often tests the distinction between per-flow and per-packet load balancing, and the trap here is that candidates confuse ECMP with per-packet round-robin, assuming both preserve order, but only per-flow hashing guarantees packet ordering within a flow.

How to eliminate wrong answers

Option B is wrong because LAG (Link Aggregation Group) with default hashing operates at the link level, not at the network layer, and does not provide per-flow load balancing across multiple equal-cost paths in an MPLS network; it bundles physical links into a single logical link and may reorder packets if the hash is not flow-aware. Option C is wrong because policy-based routing with next-hop per destination is a static, destination-based forwarding mechanism that does not dynamically load balance per flow across equal-cost paths and can lead to packet reordering if policies change. Option D is wrong because per-packet round-robin load balancing sends packets sequentially across paths without considering flow affinity, which breaks packet order and causes severe reordering issues in TCP and other stateful protocols.

41
MCQmedium

A service provider is deploying MPLS L3VPN and notices that BGP next-hop resolution for VPNv4 routes fails on the PE routers. The PE routers are running OSPF as the IGP and have loopback interfaces used for LDP and BGP peering. Which configuration change should the engineer implement to ensure that the BGP next-hop is reachable?

A.Configure 'neighbor x.x.x.x update-source loopback0' under the BGP router configuration.
B.Configure 'neighbor x.x.x.x allowas-in 1' under the BGP VRF configuration.
C.Apply the 'neighbor x.x.x.x next-hop-self' command under the BGP VRF configuration.
D.Increase the 'maximum-paths' value under the BGP address-family VPNv4.
AnswerA

This ensures BGP uses the loopback as the source IP, making the next-hop reachable via IGP.

Why this answer

The BGP next-hop for VPNv4 routes is typically the loopback interface of the remote PE router. For BGP to consider the next-hop reachable, the local PE must have an IGP route to that loopback address. The 'neighbor x.x.x.x update-source loopback0' command ensures that BGP uses the loopback interface as the source IP for the TCP session, which aligns the BGP peering address with the IGP-advertised loopback, making the next-hop reachable via OSPF.

Exam trap

Cisco often tests the distinction between BGP session establishment (which requires reachability to the neighbor's IP) and BGP next-hop resolution (which requires reachability to the next-hop address carried in the route); candidates confuse these two separate requirements and incorrectly apply 'next-hop-self' or 'allowas-in'.

How to eliminate wrong answers

Option B is wrong because 'allowas-in' permits the local AS to appear in the AS_PATH, which is used for route acceptance in VRF contexts, not for next-hop resolution. Option C is wrong because 'next-hop-self' changes the next-hop to the local PE's address on routes sent to a BGP neighbor, but the issue is that the original next-hop (remote PE loopback) is unreachable due to IGP routing, not that the next-hop needs to be changed. Option D is wrong because 'maximum-paths' controls the number of equal-cost paths for load balancing, not next-hop reachability.

42
MCQmedium

Refer to the exhibit. CE1 is not receiving the VPNv4 route for the 192.168.1.0/24 subnet. What is the most likely cause?

A.PE1 is missing the VRF configuration for CUSTOMER_A
B.PE1 is missing the neighbor statement under address-family ipv4 vrf CUSTOMER_A
C.CE1 is missing the network statement under router bgp 65001
D.The neighbor 10.0.0.2 is using an incorrect update-source
AnswerB

Why this answer

For CE1 to receive the VPNv4 route for 192.168.1.0/24, PE1 must redistribute the route from the VRF into BGP. The neighbor statement under address-family ipv4 vrf CUSTOMER_A is required to establish an eBGP peering with CE1 and exchange IPv4 routes within that VRF. Without it, PE1 will not send any routes to CE1, even if the VRF and route targets are correctly configured.

Exam trap

Cisco often tests the distinction between VRF configuration and BGP address-family activation, tricking candidates into thinking a missing VRF is the issue when the real problem is the missing neighbor statement under the VRF address-family.

How to eliminate wrong answers

Option A is wrong because PE1 missing the VRF configuration for CUSTOMER_A would prevent any VRF-based routing, but the question states CE1 is not receiving the VPNv4 route specifically, implying the VRF exists but the BGP peering is broken. Option C is wrong because CE1 missing the network statement under router bgp 65001 would prevent CE1 from advertising the 192.168.1.0/24 route to PE1, but the issue is CE1 not receiving the route, not advertising it. Option D is wrong because the neighbor 10.0.0.2 using an incorrect update-source would affect the BGP session between PE1 and CE1, but the exhibit shows the peering is established (otherwise CE1 would not be a BGP neighbor at all), and the problem is specifically that the route is not being sent to CE1.

43
MCQhard

A large service provider runs a dual-stack MPLS core with Segment Routing (SR-MPLS) and IS-IS as the IGP. The network has been operating stably for months. Recently, a new PE router (PE-5) was added and configured with IS-IS and SR. After the addition, some remote prefixes in the VRF on other PEs become unreachable. Troubleshooting reveals that the BGP next hop for those prefixes is the loopback of another PE (PE-3), but the MPLS forwarding table on PE-3 shows no label for the prefix. The IS-IS database on PE-3 shows the prefix-SID for PE-5's loopback, but the forwarding table does not have a label for that prefix. Commands like 'show mpls forwarding-table' show no entry for PE-5's loopback. What is the most likely cause and correct action?

A.Clear the IS-IS adjacency between PE-3 and PE-5
B.Enable MPLS on the interface connecting to PE-5
C.Check and adjust the SRGB configuration on PE-5 to match the range used by other routers
D.Configure BGP to redistribute IS-IS routes into BGP
AnswerC

If SRGB ranges are mismatched, the label allocated may be invalid, causing the forwarding entry not to be installed.

Why this answer

The issue is that PE-3 does not have a label for PE-5's loopback because the prefix-SID for PE-5 is not programmed in the LFIB. This commonly happens when the SRGB (Segment Routing Global Block) on PE-5 does not overlap with PE-3's SRGB, or when the label index is not configured correctly. Since the IS-IS database shows the prefix-SID, the IGP is advertising it, but the label may be out of range.

The correct action is to check and align the SRGB configuration on all routers. Option B (clear IS-IS adjacency) is a generic reset that might not fix the underlying mismatch. Option C (enable MPLS on the interface) is already done if LDP was used, but SR uses IGP, not LDP.

Option D (redistribute into BGP) is not relevant.

44
MCQhard

A large SP network uses Segment Routing (SR) with MPLS data plane. They want to enforce a strict path for certain traffic flows across the core while using shortest-path for others. Which technique should be used?

A.SR-TE with explicit path using segment list
B.Using TI-LFA
C.Configuring bandwidth reservation on all links
D.Using SR policies with color extended community based on BGP
AnswerA

SR-TE with a segment list defines the exact path through the network.

Why this answer

SR-TE with explicit path using segment lists allows defining a strict path. Option B (TI-LFA) is for fast reroute, not path enforcement. Option C is not SR-related.

Option D uses color for service mapping but relies on underlying IGP routing; it doesn't enforce a strict path. Thus A is correct.

45
Multi-Selecthard

Which THREE actions can help mitigate the impact of BGP prefix flapping in a service provider network?

Select 3 answers
A.Use route summarization.
B.Implement route dampening.
C.Use BGP peer groups.
D.Increase the BGP hold timer.
E.Apply BGP graceful restart.
AnswersA, B, D

Summarization aggregates multiple prefixes, reducing the impact of individual flaps.

Why this answer

Route summarization (A) reduces the number of BGP prefixes advertised, which inherently limits the impact of flapping because a single summary prefix represents many more-specific prefixes. If a specific subprefix flaps, the aggregate remains stable, preventing the flapping from propagating to BGP peers. This is a proactive approach to minimize the control-plane churn caused by unstable routes.

Exam trap

Cisco often tests the distinction between mechanisms that reduce control-plane churn (summarization, dampening) versus those that maintain forwarding during failures (graceful restart), leading candidates to incorrectly select graceful restart as a flapping mitigation tool.

46
MCQhard

Refer to the exhibit. The output shows an MPLS forwarding entry with FRR protection. What is the purpose of the backup path shown?

A.To handle penultimate hop popping for the primary path.
B.To forward traffic if the primary outgoing interface fails.
C.To provide a load-balancing alternative for the primary path.
D.To carry the VPN label separately.
AnswerB

The backup path activates when primary fails, ensuring fast convergence.

Why this answer

The backup path is used when the primary next-hop fails, providing fast reroute. Option A is incorrect because the VPN label is still present. Option C is incorrect because FRR does not create a load-balancing group.

Option D is incorrect because the backup path is not for PHP; PHP is performed at the penultimate hop.

47
MCQeasy

A service provider wants to stream interface counters from a Cisco router to a collector using model-driven telemetry. The collector is behind NAT and cannot be reached from the router. Which telemetry model should be used?

A.Dial-out
B.SNMP traps
C.gNMI
D.NETCONF
E.Dial-in
AnswerA

Dial-out lets the router push telemetry to the collector, working even if the collector is behind NAT.

Why this answer

Dial-out telemetry allows the router to initiate the connection to the collector, which is useful when the collector is behind NAT and not directly reachable. Dial-in requires the collector to initiate the connection, which would not work if the collector cannot be reached from the router. gNMI can be used in both modes but is typically dial-in. NETCONF is not for streaming telemetry.

SNMP traps are not model-driven.

48
Multi-Selecteasy

Which two protocols are commonly used for label exchange in an MPLS network? (Choose two.)

Select 2 answers
A.OSPF
B.PIM
C.LDP
D.BGP
E.IS-IS
AnswersC, D

LDP exchanges labels for IGP prefixes.

Why this answer

LDP and BGP are commonly used for label exchange: LDP for IGP labels, BGP for VPN labels. OSPF, IS-IS, and PIM do not exchange MPLS labels.

49
MCQeasy

A network engineer needs to ensure that a specific customer's traffic is not adversely affected by other customers' traffic in a shared MPLS core. Which technology should be used?

A.QoS policies on PE routers with shaping and policing
B.iBGP route reflectors
C.MPLS Traffic Engineering
D.802.1Q VLANs
AnswerA

QoS allows per-customer traffic controls.

Why this answer

Option C is correct: QoS on the PE routers can shape and police traffic per customer. Option A (MPLS TE) is for bandwidth optimization, not per-customer guarantee; Option B (VLANs) is layer 2; Option D (iBGP) is routing.

50
MCQmedium

A service provider is troubleshooting a BGP route advertisement issue. Routes from a customer are not being advertised to the upstream provider. The PE router is configured with 'neighbor 10.0.0.1 route-map RMAP out'. The route-map RMAP permits the customer prefix. However, the BGP table on the PE shows the prefix as valid but not advertised. What is a likely cause?

A.The next-hop is not reachable from the upstream provider
B.The BGP session to the upstream provider is flapping
C.The prefix is not in the global routing table
D.The route-map is applied inbound instead of outbound
AnswerA

If next-hop-self is not used, the next-hop might be a customer-facing interface not reachable upstream.

Why this answer

The BGP table shows the prefix as valid but not advertised, which indicates that BGP has the route but is not sending it to the upstream neighbor. A common cause is that the next-hop for the customer prefix is not reachable from the PE router via the interface used to reach the upstream provider. BGP will not advertise a route if the next-hop is not reachable in the routing table (unless 'neighbor x.x.x.x next-hop-self' is configured), because the upstream router would be unable to forward traffic to that next-hop.

Exam trap

Cisco often tests the subtle distinction between a prefix being 'valid' (next-hop reachable in the global routing table) and 'advertised' (next-hop reachable from the specific neighbor's perspective), leading candidates to overlook next-hop reachability as the root cause.

How to eliminate wrong answers

Option B is wrong because a flapping BGP session would cause the session to go up and down, resulting in prefixes being withdrawn and re-advertised, not a stable 'valid but not advertised' state. Option C is wrong because if the prefix were not in the global routing table, it would not appear as valid in the BGP table; BGP requires the prefix to be in the routing table (or have a valid route) to be considered valid. Option D is wrong because the question states the route-map is applied outbound, and if it were mistakenly applied inbound, the prefix would still be advertised (the outbound filter would not exist), and the issue would be with receiving routes, not advertising them.

51
Multi-Select · hard

A service provider is implementing Segment Routing (SR) with MPLS. Which three statements are true regarding SR-MPLS? (Choose three.)

Select 3 answers
A. SR-MPLS supports traffic engineering only with a central controller
B. SR-MPLS does not require LDP or RSVP-TE
C. The SRGB must be globally unique across the domain
D. Adjacency SIDs are advertised via BGP-LS
E. Prefix-SIDs are bound to node loopbacks
Answers: B, C, E

SR uses IGP to distribute labels, eliminating the need for LDP or RSVP-TE.

Why this answer

SR-MPLS does not require LDP or RSVP-TE (A). The SRGB should be globally unique (B). Prefix-SIDs are typically bound to node loopbacks (D).

Option C is false: Adjacency SIDs are advertised via IGP, not BGP-LS exclusively. Option E is false: SR supports distributed TE via TI-LFA and explicit paths without a central controller.

52
Multi-Select · medium

Which TWO statements about BGP route reflectors are true?

Select 2 answers
A. The cluster ID is used to detect routing loops.
B. A route reflector does not modify the next-hop attribute.
C. Route reflectors modify the AS_PATH attribute.
D. Route reflectors must be fully meshed.
E. A route reflector passes routes from non-client to non-client.
Answers: A, B

Multiple RRs in the same cluster use the cluster ID to avoid loops.

Why this answer

Option A is correct because BGP route reflectors use the cluster ID to detect and prevent routing loops. When a route reflector receives an update containing its own cluster ID in the cluster-list attribute, it discards the route, breaking the loop. This mechanism is defined in RFC 4456 and is essential for loop-free route propagation in non-full-mesh iBGP topologies.

Exam trap

Cisco often tests the misconception that route reflectors modify the AS_PATH or that they pass routes between non-clients, when in fact they preserve the AS_PATH and only reflect routes from non-clients to clients, not between non-clients.

53
MCQ · easy

A service provider is designing a greenfield MPLS core and wants to minimize control-plane complexity while still supporting traffic engineering. They plan to use Segment Routing with MPLS. Which statement about Segment Routing in this context is accurate?

A. Segment Routing only works with IPv6 data plane.
B. Segment Routing uses RSVP-TE for label distribution.
C. Segment Routing reduces the number of protocols required in the core.
D. Segment Routing requires TI-LFA to be enabled for traffic engineering.
Answer: C

SR eliminates LDP and RSVP-TE, relying only on an IGP with SR extensions, thus reducing protocol complexity.

Why this answer

Option C is correct because Segment Routing (SR-MPLS) eliminates the need for a separate label distribution protocol like LDP or RSVP-TE. The MPLS labels are derived directly from the IGP (IS-IS or OSPF) extensions, reducing control-plane complexity while still enabling traffic engineering via SR-TE policies and flexible path computation.

Exam trap

Cisco often tests the misconception that Segment Routing requires a separate label distribution protocol like LDP or RSVP-TE, when in fact it uses IGP extensions (IS-IS or OSPF) to distribute labels, reducing protocol complexity.

How to eliminate wrong answers

Option A is wrong because Segment Routing supports both MPLS (SR-MPLS) and IPv6 (SRv6) data planes; it is not limited to IPv6. Option B is wrong because SR-MPLS does not use RSVP-TE for label distribution; labels are signaled via IGP extensions (IS-IS or OSPF) with the Segment Routing extensions, not via RSVP-TE. Option D is wrong because TI-LFA (Topology Independent Loop-Free Alternate) is a fast-reroute mechanism that can be used with SR but is not required for traffic engineering; SR-TE can be achieved using explicit paths or SR policies without TI-LFA.

54
Multi-Select · medium

Which TWO statements about BGP FlowSpec (RFC 8955) are correct?

Select 2 answers
A. FlowSpec can be deployed in BGP sessions between a route reflector and a client.
B. FlowSpec uses a separate BGP session from the regular IPv4 unicast session.
C. FlowSpec is designed to replace ACLs on provider edge routers.
D. FlowSpec requires MPLS forwarding to operate.
E. FlowSpec uses the IPv4 unicast or VPNv4 address family.
Answers: A, E

FlowSpec routes can be propagated via BGP within the service provider network.

Why this answer

Option A is correct because BGP FlowSpec (RFC 8955) can be deployed between a route reflector and its clients. The route reflector propagates FlowSpec NLRI (Network Layer Reachability Information) to its clients, allowing the clients to install traffic filtering rules without requiring a full BGP mesh. This is a common deployment model in service provider networks to distribute flow-spec routes efficiently.

Exam trap

Cisco often tests the misconception that FlowSpec requires a separate BGP session or MPLS, but the trap here is that candidates confuse the address family separation (which uses the same session) with a separate session, or assume MPLS is mandatory because FlowSpec is often discussed in MPLS VPN contexts.

55
MCQ · hard

A network engineer is troubleshooting an OSPF adjacency issue between two routers connected via a serial link. The routers are configured with point-to-point network type. The adjacency stays in EXSTART state. What is the most likely cause?

A. Mismatched OSPF area ID.
B. Mismatched hello/dead intervals.
C. Mismatched MTU.
D. Duplicate router IDs.
Answer: C

OSPF uses the MTU in Database Description packets; a mismatch causes the adjacency to stay in EXSTART.

Why this answer

On a point-to-point OSPF link, the EXSTART state indicates that the routers have formed a bidirectional communication (2WAY) and are now negotiating the master/slave relationship for database description (DBD) packet exchange. A mismatched MTU between the two interfaces causes the DBD packets to be dropped or rejected, preventing the adjacency from progressing beyond EXSTART. This is a common issue on serial links where one side may have a different MTU configured.

Exam trap

Cisco often tests the EXSTART state trap by making candidates confuse it with the more common mismatched hello/dead intervals or area ID issues, which actually prevent reaching EXSTART, while MTU mismatch is the specific cause of stalling in EXSTART.

How to eliminate wrong answers

Option A is wrong because a mismatched OSPF area ID would prevent the adjacency from forming at all, typically stalling in the INIT or 2WAY state, not EXSTART. Option B is wrong because mismatched hello/dead intervals would cause the adjacency to fail during the INIT or 2WAY state, as routers would not receive Hello packets within the expected interval. Option D is wrong because duplicate router IDs would cause one router to reject the other's Hello packets, leading to a state of DOWN or INIT, not EXSTART.

56
Matching · medium

Match each IS-IS term to its definition.


Link State PDU containing routing information

Designated Intermediate System on a broadcast network

Network Service Access Point, the IS-IS address

Subnetwork Point of Attachment, e.g., MAC address

IS-IS Hello PDU used for neighbor discovery

Why these pairings

These are core IS-IS protocol concepts for service provider routing.

57
MCQ · medium

A service provider is deploying EVPN-VPWS for point-to-point services. They have set up an EVPN instance with Ethernet Segment Identifier (ESI) and EVI. After configuration, the pseudowire is not coming up. Which misconfiguration is most likely?

A. The same EVI is used on both PEs.
B. The ESI is all-zeros.
C. The MTU mismatch on the attachment circuits.
D. The BGP EVPN address-family is not activated.
Answer: A

In EVPN-VPWS, the EVI must match on both endpoints; otherwise, the pseudowire cannot be established.

Why this answer

Option B is correct because for EVPN-VPWS, the same EVI must be used on both PEs to establish the pseudowire. Option A is wrong because a non-zero ESI is required, but all-zeros is invalid. Option C is wrong because BGP EVPN address-family is needed but its absence would affect all EVPN services, not just VPWS.

Option D is wrong because MTU mismatch causes issues but is less likely than EVI mismatch.

58
MCQ · medium

A service provider has deployed QoS on its MPLS backbone to offer different classes of service. The provider notices that EF (Expedited Forwarding) traffic sometimes experiences high jitter during congestion. Following recommended practices, which action is MOST likely to reduce jitter for EF traffic?

A. Use priority queuing (LLQ) for EF traffic with a policer
B. Apply traffic shaping on all EF packets at the edge
C. Change the DSCP value of EF traffic to AF41 to reduce drops
D. Apply weighted random early detection (WRED) on the EF queue
Answer: A

LLQ gives strict priority, minimizing jitter by servicing EF first.

Why this answer

Option B is correct because priority queuing ensures EF traffic is served before other queues, reducing jitter. Option A is wrong because shaping reduces bandwidth but does not eliminate jitter if congestion exists. Option C is wrong because WRED is for congestion avoidance and can drop EF packets if not excluded.

Option D is wrong because changing DSCP does not improve jitter directly; proper queuing is key.

59
Multi-Select · medium

Which THREE technologies or protocols are used to implement automated service provisioning in a Cisco service provider network?

Select 3 answers
A. Cisco NSO
B. SNMP
C. YANG
D. RIP
E. NETCONF
Answers: A, C, E

NSO is an orchestration platform that automates service provisioning across multi-vendor networks.

Why this answer

Cisco NSO provides orchestration and service lifecycle management. NETCONF is used for configuration management. YANG provides data models for configuration and state data.

SNMP is for monitoring, not provisioning. RIP is a routing protocol, not for provisioning.

60
MCQ · easy

Refer to the exhibit. An engineer configures IP SLA for UDP jitter. The operation completes successfully, but the customer reports voice quality issues. What should the engineer check next?

A. The packet loss is 0%
B. The frequency is too low
C. The jitter value is within threshold
D. The destination is unreachable
E. The threshold is set too high
Answer: E

A 100 ms threshold is too high for jitter; it should be lowered to trigger alerts when jitter impacts voice quality.

Why this answer

The threshold of 100 ms is too high for jitter monitoring; voice quality typically degrades when jitter exceeds 20-30 ms. With a 100 ms threshold, even if jitter spikes to harmful levels, the SLA does not trigger an alert. The current jitter (5 ms) and packet loss (0%) are fine, but the threshold setting prevents proactive detection.

61
MCQ · hard

An ISP is deploying EVPN-VXLAN for its data center interconnect. Which statement about control-plane learning is correct?

A. MAC addresses are learned via IRB
B. MAC addresses are learned via OSPF
C. MAC addresses are learned via BGP MP-BGP EVPN address family
D. MAC addresses are learned via VXLAN data plane
Answer: C

EVPN uses BGP for MAC route advertisement.

Why this answer

Option A is correct because EVPN uses BGP as the control plane to advertise MAC/VPN routes. Option B is wrong because IRB is for integrated routing and bridging, not control-plane learning. Option C is wrong because MP-BGP is used, not OSPF.

Option D is wrong because VXLAN is data-plane encapsulation.

62
MCQ · hard

An SP uses BGP FlowSpec to mitigate DDoS attacks. They also want to rate-limit the traffic per FlowSpec rule. Which configuration is required to enable policing within a FlowSpec action?

A. Configure MPLS TE bandwidth reservation for the FlowSpec routes.
B. Use policy-based routing (PBR) to set QoS parameters.
C. Apply a QoS policy-map to the interface and match the FlowSpec destination.
D. Include the 'rate-limit' action in the FlowSpec rule using the 'action' clause.
Answer: D

FlowSpec allows rate-limiting directly in the rule definition.

Why this answer

Option D is correct because BGP FlowSpec allows the inclusion of a 'rate-limit' action within the FlowSpec rule's 'action' clause to enforce policing. This action directly applies a traffic rate limit (in bits per second) to the matched flow, enabling DDoS mitigation without requiring external QoS policies or MPLS TE reservations.

Exam trap

Cisco often tests the misconception that FlowSpec actions require external QoS mechanisms (like policy-maps or PBR), when in fact the 'rate-limit' action is a native, built-in FlowSpec action that directly enables policing within the rule.

How to eliminate wrong answers

Option A is wrong because MPLS TE bandwidth reservation is used for traffic engineering and path selection, not for per-flow policing within BGP FlowSpec actions. Option B is wrong because policy-based routing (PBR) operates on routing decisions and cannot be dynamically triggered by FlowSpec rules to apply QoS parameters; FlowSpec uses its own action mechanism. Option C is wrong because applying a QoS policy-map to an interface and matching the FlowSpec destination is an indirect, static approach that does not leverage the dynamic, rule-based policing capabilities of BGP FlowSpec's built-in 'rate-limit' action.

63
MCQ · medium

A service provider is deploying LISP (Locator/ID Separation Protocol) to provide mobility and multihoming for customer endpoints. Which LISP component is responsible for maintaining the mapping between Endpoint Identifiers (EIDs) and Routing Locators (RLOCs) and for responding to Map-Request messages from ITRs?

A. Ingress Tunnel Router (ITR)
B. Map-Server (MS)
C. Map-Resolver (MR)
D. Egress Tunnel Router (ETR)
Answer: B

MS maintains the EID-to-RLOC mapping and responds to Map-Requests.

Why this answer

Option B is correct. The Map-Server maintains the EID-to-RLOC mapping database and responds to Map-Requests. Option A (ITR) encapsulates and sends packets to the ETR.

Option C (ETR) decapsulates and receives packets. Option D (MR) forwards Map-Requests to the MS, but the MS provides the mapping.

64
MCQ · hard

You are a network architect for a large service provider. The network consists of multiple core routers (P routers) and edge routers (PE routers) supporting both L3VPN and L2VPN services. The network currently uses LDP for label distribution and has a flat IGP (OSPF) design. Recently, there have been scalability issues: the IGP convergence time has increased significantly, and the OSPF link-state database (LSDB) has grown large, causing high CPU utilization on core routers. Additionally, the LDP sessions are taking longer to establish after a router reboot. You are tasked with redesigning the network to improve scalability and convergence. The budget allows for significant changes but cannot replace all hardware. Which approach best addresses the scalability issues while minimizing disruption?

A. Upgrade OSPF to OSPFv3 to support IPv6 and improve performance
B. Implement Segment Routing (SR-MPLS) to replace LDP and reduce IGP overhead
C. Introduce IS-IS as a second IGP to offload traffic from OSPF, and use route redistribution between the two protocols
D. Replace OSPF with BGP as the core IGP to reduce link-state overhead
Answer: B

SR-MPLS eliminates LDP and reduces IGP LSDB size because SIDs are advertised as TLV extensions, reducing the number of LSA types.

Why this answer

Segment Routing (SR-MPLS) eliminates the need for LDP by encoding MPLS labels directly in the IGP (OSPF or IS-IS) using extensions, which reduces control-plane overhead and speeds up convergence. This directly addresses the large OSPF LSDB and slow LDP session establishment because SR-MPLS does not require a separate label distribution protocol and can leverage a single IGP for both routing and label information, improving scalability without hardware replacement.

Exam trap

Cisco often tests the misconception that adding a second IGP or upgrading to OSPFv3 will improve scalability, when in fact the real issue is the overhead of a separate label distribution protocol (LDP) and the LSDB size, which Segment Routing directly addresses by integrating label distribution into the IGP.

How to eliminate wrong answers

Option A is wrong because OSPFv3 is an IPv6 routing protocol that does not inherently reduce LSDB size or improve convergence; it would add IPv6 overhead without solving the core LDP and IGP scalability issues. Option C is wrong because introducing IS-IS as a second IGP with route redistribution would increase complexity, LSDB size, and convergence time due to mutual redistribution loops and administrative overhead, making scalability worse. Option D is wrong because BGP is not designed as an IGP; it lacks fast convergence and link-state awareness, and using it as a core IGP would introduce path-vector convergence delays and require full-mesh or route reflectors, increasing rather than reducing overhead.

65
MCQ · hard

A network engineer is troubleshooting an MPLS L3VPN where the CE router is receiving the correct VPN prefixes from the PE, but traffic from the CE to those prefixes is being dropped. The PE has a default route pointing to the CE. What is the most likely cause?

A. The VRF on the PE is not configured with the correct route-target import.
B. The PE does not have a specific route for the destination in its global routing table.
C. The CE does not have a route back to the PE's loopback.
D. The PE-CE link MTU is smaller than the packet size.
Answer: B

Without a specific route, the PE may not push the correct MPLS label, causing the core to drop the packet.

Why this answer

The CE is receiving the correct VPN prefixes from the PE, so the VRF import/export is working. However, when the CE sends traffic to those prefixes, the PE must forward the packets. The PE has a default route pointing to the CE, but if the PE's global routing table lacks a specific route for the destination prefix (which is normal for L3VPN, as VPN routes are in the VRF, not the global table), the PE will drop the traffic because it cannot find a valid next hop in the global table for the outer IP header.

This is a classic issue where the PE's global table must have a route to the CE's loopback or the PE-CE link subnet to enable recursive forwarding.

Exam trap

Cisco often tests the misconception that a VRF route alone is sufficient for forwarding, but in reality, the PE must have a global route to the BGP next-hop (typically the remote PE's loopback) for the MPLS label-switched path to function.

How to eliminate wrong answers

Option A is wrong because the CE is already receiving the correct VPN prefixes, which proves the VRF route-target import is functioning correctly; if it were misconfigured, the prefixes would not be present on the CE. Option C is wrong because the CE does not need a route back to the PE's loopback; the CE only needs a route to the PE's interface IP (or a default route) to send traffic, and the problem is on the PE side, not the CE. Option D is wrong because an MTU mismatch would typically cause fragmentation issues or ICMP unreachables, not a complete drop of all traffic to the VPN prefixes, and the CE is receiving routes, so the control plane is unaffected.

66
MCQ · medium

A team uses Ansible to automate configuration of Cisco devices. They want to ensure that configurations are applied only if the device is reachable and the current configuration differs from the intended. Which Ansible module or feature is best suited for this?

A. ios_system
B. net_get
C. ios_config with check_mode
D. ios_command
E. ios_facts
Answer: C

check_mode performs a diff and only applies changes when there is a difference, ensuring idempotency.

Why this answer

The ios_config module with check_mode and diff is idempotent: it compares the intended config with the current and applies only if there is a difference. ios_command runs arbitrary commands without idempotency. ios_system and ios_facts are for specific settings or information gathering. net_get retrieves files.

67
MCQ · medium

Refer to the exhibit. The router is configured as a PE router in an MPLS VPN network. Which option correctly identifies a configuration error that would prevent proper operation?

A. The neighbor remote-as should be the same AS number for iBGP
B. The interface lacks the 'mpls ip' command
C. The OSPF network statement uses an incorrect wildcard mask
D. The BGP network statement does not match the interface prefix
Answer: C

The wildcard mask 0.255.255.255 is too broad and does not match the /30 prefix correctly.

Why this answer

Option C is correct because the OSPF network statement uses a wildcard mask of 0.0.0.0, which matches only the exact IP address 10.1.1.1, but the interface has a /30 prefix (255.255.255.252), so the correct wildcard mask should be 0.0.0.3 to include the entire subnet. This misconfiguration prevents OSPF from advertising the correct network, breaking MPLS VPN CE-to-PE routing.

Exam trap

Cisco often tests the distinction between OSPF wildcard masks and subnet masks, where candidates mistakenly think any wildcard mask that includes the interface IP is sufficient, but the mask must match the subnet exactly for OSPF to advertise the correct network.

How to eliminate wrong answers

Option A is wrong because the neighbor remote-as for iBGP should be the same AS number as the router's own BGP AS, and the exhibit shows neighbor 10.1.1.2 remote-as 65000, which matches the router's BGP AS 65000, so this is correct. Option B is wrong because the interface configuration includes 'mpls ip' under interface GigabitEthernet0/0, so MPLS is enabled on that interface. Option D is wrong because the BGP network statement uses 'network 10.1.1.0 mask 255.255.255.252', which exactly matches the /30 prefix on the interface, so it is correctly configured.

68
Multi-Select · medium

A service provider is designing an MPLS L3VPN network to provide Layer 3 VPN services to multiple customers. Which two statements correctly describe the roles of the Provider Edge (PE) and Customer Edge (CE) routers in this architecture?

Select 2 answers
A. P routers store all customer VPN routes in their global routing table.
B. CE routers perform MPLS label switching between PE routers.
C. PE routers advertise customer routes via MP-BGP with route distinguishers and route targets.
D. CE routers participate in the service provider's IGP to exchange loopback addresses.
E. PE routers maintain separate VRF tables for each customer VPN.
Answers: C, E

Correct. MP-BGP is used to distribute VPNv4 routes with RD and RT.

Why this answer

PE routers maintain separate VRF tables for each customer VPN and advertise customer routes via MP-BGP with route distinguishers and route targets. CE routers do not participate in the service provider's IGP.

69
Multi-Select · medium

Which TWO statements correctly describe the use of OSPF in a service provider network?

Select 2 answers
A. OSPF uses the Bellman-Ford algorithm to compute routes.
B. OSPF uses different LSA types to advertise different types of routing information.
C. OSPF is a distance-vector routing protocol.
D. OSPF can support multiple areas with a backbone area 0.
E. OSPF uses TLVs to encode routing information.
Answers: B, D

LSA types 1-5 and 7 are used.

Why this answer

Option B is correct because OSPF uses different LSA types (e.g., Type 1 Router LSA, Type 2 Network LSA, Type 3 Summary LSA, Type 5 AS-External LSA) to advertise different categories of routing information, such as router links, network links, inter-area routes, and external routes. This LSA-type differentiation is fundamental to OSPF's link-state architecture, enabling efficient flooding and route computation within and across areas.

Exam trap

Cisco often tests the distinction between link-state and distance-vector protocols, and candidates may mistakenly associate OSPF with Bellman-Ford or TLVs due to superficial similarities with other protocols like IS-IS or EIGRP.

70
Multi-Select · medium

Which THREE factors must be considered when deploying MPLS Layer 3 VPN services to ensure optimal scalability and convergence?

Select 3 answers
A. Label distribution via LDP or TDP must be consistent across all P routers.
B. Route reflectors should be used to reduce the number of BGP sessions in the service provider core.
C. All PE routers must be directly connected via eBGP to exchange VPNv4 routes.
D. The number of VRFs per PE router is limited by available memory and route processing capacity.
E. The use of BGP next-hop-self is mandatory to prevent routing blackholes in multi-area IGP environments.
Answers: A, B, D

Inconsistent label distribution can cause label mismatch and forwarding failures.

Why this answer

Option A is correct because consistent label distribution across all P (Provider) routers is essential for MPLS L3VPN scalability and convergence. LDP (Label Distribution Protocol) or TDP (Tag Distribution Protocol, Cisco proprietary predecessor) must be uniformly configured to ensure a seamless label-switched path (LSP) from ingress to egress PE. Inconsistent label distribution can cause label binding mismatches, leading to forwarding failures or suboptimal convergence during topology changes.

Exam trap

Cisco often tests the misconception that eBGP is required between PEs for VPNv4 exchange, when in fact iBGP (often with route reflectors) is the standard, and eBGP is only used at the CE-PE edge.

71
MCQ · hard

A service provider operates a large MPLS network with Segment Routing (SR) and BGP-LS enabled on all routers. They have deployed a centralized Path Computation Element (PCE) to compute SR-TE policies for optimal traffic engineering. The PCE is configured to receive the network topology via BGP-LS from a route reflector (RR). Recently, the PCE has been unable to compute paths for certain destinations, and logs show that the topology database is missing some links and nodes. The engineer verifies that all routers have BGP-LS configured and are peering with the RR. The RR's BGP table shows the BGP-LS NLRI received from all routers. However, the PCE sees only a subset of the topology. Which action should the engineer take to resolve the issue?

A. Check the IGP (OSPF/IS-IS) configuration on the routers. BGP-LS relies on IGP to obtain link-state information, and if IGP does not have full visibility, BGP-LS will not either.
B. Apply a prefix-list on the PCE to filter out unwanted BGP-LS prefixes, as the PCE may be overwhelmed.
C. Configure the RR to send BGP-LS routes to the PCE. Verify that the RR has a BGP session with the PCE in the address-family link-state.
D. Verify that the PCE itself has a BGP-LS adjacency to each router, bypassing the RR.
Answer: C

The PCE needs to receive BGP-LS updates from the RR. If the RR is not configured to advertise BGP-LS to the PCE, the PCE's topology will be incomplete.

Why this answer

The PCE is not receiving the full topology because the RR is not sending BGP-LS routes to the PCE. The most likely cause is that the RR is not configured to advertise BGP-LS to the PCE. Option B is correct: the engineer should add the PCE as a BGP neighbor on the RR and ensure that the address-family link-state is activated.

Option A is wrong because the BGP-LS sessions from routers to the RR are already working. Option C is wrong because the PCE itself likely has BGP-LS configured; the issue is the path before the PCE. Option D is wrong because the problem is not about policy filtering on the PCE; missing nodes/links indicate incomplete topology, not excessive data.

72
MCQ · easy

Refer to the exhibit. An engineer checks the policy and notices that the policing is not working as expected—traffic is not being dropped even when exceeding 1 Mbps. What could be the issue?

A. The service-policy is applied inbound, but police should be applied outbound to be effective
B. The police command is missing an exceed-action, so traffic is transmitted instead of dropped
C. The police rate is too high compared to interface speed
D. The shape command is interfering with the police command
Answer: B

Without an explicit exceed-action, Cisco IOS defaults to 'transmit' for conforming and exceeding traffic, meaning no packets are dropped.

Why this answer

Option B is correct because the `police` command in Cisco IOS QoS requires an explicit `exceed-action` to define what happens to traffic that exceeds the committed information rate (CIR). Without specifying an action like `drop`, the default behavior is to transmit the excess traffic, which explains why no packets are being dropped even when the rate exceeds 1 Mbps. The policing logic is still applied, but without an exceed-action, the router simply forwards all traffic, rendering the policer ineffective.

Exam trap

Cisco often tests the default behavior of the `police` command, specifically that without an `exceed-action`, traffic is transmitted rather than dropped, which catches candidates who assume policing always drops excess traffic.

How to eliminate wrong answers

Option A is wrong because policing can be applied inbound or outbound; there is no requirement that police must be applied outbound to be effective. In fact, inbound policing is commonly used to rate-limit traffic before it enters the network. Option C is wrong because the police rate being too high compared to the interface speed would not prevent dropping; it would simply mean that traffic rarely exceeds the policer, but if it does exceed, the missing exceed-action is the root cause.

Option D is wrong because the `shape` command does not inherently interfere with the `police` command; they can coexist, and shaping queues traffic while policing drops or marks it, but the absence of an exceed-action is the direct cause of the issue.

73
MCQ · hard

A service provider has deployed Segment Routing (SR-MPLS) with OSPF as the IGP. They enabled TI-LFA for link protection. During a maintenance window, they shut down a core link between two P routers. Expected behavior is that TI-LFA should provide sub-50ms failover. However, after the shutdown, traffic loss exceeds 10 seconds. Analysis shows that the backup path uses a segment list that includes a node SID from a router that is currently unreachable due to the same failure. The TI-LFA backup path calculation appears to have included a node that is dependent on the failed link. What design issue is most likely causing this?

A. Increase the prefix-SID index on all routers to avoid conflicts
B. Configure the backup path to use adjacency SIDs instead of node SIDs
C. Reduce the IGP metric on the backup links to ensure they are perceived as shorter paths
D. Disable TI-LFA and rely on LFA
Answer: B

Adjacency SIDs are link-specific and do not depend on the reachability of a node that may be affected by the failure.

Why this answer

TI-LFA calculates backup paths using the post-convergence topology. If the backup path includes a node that is only reachable through the failed link, it means the TI-LFA calculation did not properly exclude nodes that are dependent on the failure. This can happen if the IGP metric on the backup path is not properly set, or if the router does not consider remote node failures correctly.

The correct action is to ensure that the IGP metric on the backup path is lower than the direct path, or to implement microloop avoidance. Alternatively, TI-LFA may need to use adjacency SIDs instead of node SIDs for the backup path.

74
MCQ medium

An engineer is troubleshooting MPLS label switching in a service provider core. They notice that packets are being forwarded correctly between provider edge routers, but when they check the MPLS forwarding table on a P router, they see only implicit-null labels for some destinations. What is the most likely reason for this?

A. The router is using explicit-null label due to security policies.
B. The router has a directly connected neighbor that is the egress LER.
C. The router is misconfigured to use implicit-null for all labels.
D. The router is performing penultimate hop popping (PHP) incorrectly.
Answer: B

Implicit-null is used in PHP; the egress LER advertises it to the penultimate hop.

Why this answer

Implicit-null (label 3) is advertised when the next-hop router is directly connected and wants to trigger PHP. This is normal behavior. Option B is incorrect because implicit-null is not a sign of misconfiguration.

Option C is incorrect because explicit-null is label 0. Option D is incorrect because PHP is standard.

75
MCQ easy

An SP is deploying a Quality of Service (QoS) architecture in its core network to support multiple services: voice, video, and data. The core routers use MPLS and implement QoS based on the MPLS EXP bits. The architecture must ensure that voice packets are never dropped, even during congestion, while allowing video to have higher priority than data. The current design marks voice with EXP 4, video with EXP 3, and data with EXP 0. During a traffic burst, voice traffic is being dropped, which should not happen. The core routers have the following queue configuration: (1) a priority queue (PQ) for EXP 4+5, (2) a bandwidth queue for EXP 2-3, (3) a default queue for EXP 0-1. What is most likely the cause of voice drops?

A. Voice traffic is being marked with EXP 4 but the priority queue also includes EXP 5, which may cause policing.
B. The bandwidth queue for video is configured to borrow from the priority queue.
C. The priority queue is not strictly priority; it shares bandwidth with other queues.
D. The priority queue is rate-limited by a policer that shapes traffic to a certain bandwidth.
Answer: D

Correct. Many implementations use a policer on the priority queue to prevent starvation; if the policer rate is too low, voice packets are dropped.

Why this answer

Voice drops occur because the priority queue is often rate-limited by a policer to prevent starvation of other queues. If the policer rate is set too low, voice packets are dropped during bursts. Strict priority without policing does not drop, but policing is common in the SP core to protect other queues.

The bandwidth queue and default queue are not the issue.
