Cisco SPCOR / CCNP Service Provider Core 350-501 (350-501) — Questions 676–750

988 questions total · 14 pages · All types, answers revealed

Page 10 of 14

676
MCQ · medium

An engineer is configuring RSVP-TE fast reroute for link protection. Which protection method uses a pre-configured bypass tunnel that protects multiple LSPs on the same link?

A. Local Path Protection
B. Global Repair
C. 1:1 detour
D. Facility backup
Answer: D

Bypass tunnel protects multiple LSPs.

Why this answer

In RSVP-TE FRR, facility backup uses a bypass tunnel that can protect multiple LSPs on the same link. In contrast, 1:1 detour creates a separate detour LSP for each protected LSP.

677
Multi-Select · medium

Which THREE are benefits of implementing MPLS-TE in a service provider core?

Select 3 answers
A. Reduction in BGP routing table size
B. Ability to guarantee bandwidth for specific traffic flows
C. Load balancing across multiple paths
D. Fast restoration using Fast Reroute (FRR)
E. Native support for multicast
Answers: B, C, D

TE tunnels can be provisioned with bandwidth reservations.

Why this answer

MPLS-TE allows operators to reserve bandwidth along explicit paths using RSVP-TE signaling, ensuring that specific traffic flows receive guaranteed bandwidth. This is achieved through bandwidth reservation and admission control, which prevents oversubscription on TE tunnels.

Exam trap

Cisco often tests the misconception that MPLS-TE reduces routing table size or natively supports multicast, but these are not inherent benefits of the technology.

678
MCQ · easy

A service provider needs to offer L3VPN services to multiple customers, each with overlapping IP addresses. The provider plans to use MPLS VPNs with VRFs. Which statement is TRUE regarding the configuration of VRFs on the PE routers?

A. The VRF must run OSPF to exchange routes with the CE router
B. Route targets (RTs) are used to control the import and export of VPNv4 routes between VRFs
C. MPLS labels are assigned per prefix inside a VRF by manual configuration
D. Each VRF must have a unique route distinguisher across the entire provider network
Answer: B

RTs determine which VRFs receive which routes, allowing overlapping addresses.

Why this answer

Option B is correct because route targets (RTs) are used to control the import/export of VPNv4 routes between PE routers, ensuring proper segregation and connectivity. Option D is wrong because RD must match within a VPN to avoid route ambiguity, but it can differ if RTs are properly configured; however, the question asks for the TRUE statement. Option C is wrong because MPLS label allocation per VRF is automatic.

Option A is wrong because OSPF is not required; any IGP or BGP can be used.

679
MCQ · hard

A service provider is troubleshooting an MPLS L3VPN issue where a CE router is receiving the VPN route from the PE but cannot ping the remote CE's loopback. The PE shows that the VPN label is assigned but cannot route the packets. Which command would help determine if the remote PE is correctly resolving the BGP next-hop via IGP?

A. show ip route bgp
B. show mpls ldp neighbor
C. show ip route vrf CUST
D. show mpls forwarding-table vrf CUST
Answer: A

Shows the BGP route and its next-hop reachability (via IGP).

Why this answer

Option A, 'show ip route bgp', is correct because the issue is that the remote PE cannot route packets to the BGP next-hop of the VPN route. The CE receives the route, but the PE cannot forward packets, indicating a missing or incorrect IGP route to the next-hop address. This command displays BGP routes in the global routing table, allowing you to verify if the next-hop is reachable via IGP (e.g., OSPF or IS-IS) and if the recursive routing is successful.

Exam trap

Cisco often tests the distinction between VRF-specific commands and global routing table commands; the trap here is that candidates assume 'show ip route vrf CUST' will show the next-hop reachability, but it only shows the VPN route itself, not the underlying IGP route required for recursive forwarding.

How to eliminate wrong answers

Option B is wrong because 'show mpls ldp neighbor' checks LDP session status and label exchange between directly connected LSRs, but it does not verify IGP reachability to the BGP next-hop, which is the root cause here. Option C is wrong because 'show ip route vrf CUST' shows routes within the VRF, including the VPN route received from the remote PE, but it does not show the global IGP route to the BGP next-hop; the issue is in the global routing table, not the VRF. Option D is wrong because 'show mpls forwarding-table vrf CUST' displays the MPLS forwarding entries for the VRF, including the VPN label and outgoing interface, but it does not reveal whether the BGP next-hop is reachable via IGP; the forwarding table assumes the next-hop is reachable, which is the problem here.

680
MCQ · medium

A service provider is deploying MPLS-TE with RSVP-TE in their core network. They notice that some LSPs are not being established due to resource contention. Which action would best address this issue without redesigning the entire traffic engineering deployment?

A. Enable preemption on RSVP-TE LSPs with appropriate priority levels.
B. Increase the bandwidth of all core links.
C. Configure LSP path-option explicit paths with strict hops.
D. Disable RSVP-TE and use LDP for label distribution.
Answer: A

Preemption allows higher-priority LSPs to take resources from lower-priority ones, resolving contention dynamically.

Why this answer

Enabling preemption on RSVP-TE LSPs with appropriate setup and hold priorities allows higher-priority LSPs to tear down lower-priority LSPs to free up bandwidth, resolving resource contention without redesigning the entire TE deployment. This is the standard mechanism defined in RFC 3209 for managing bandwidth contention in MPLS-TE networks.

Exam trap

Cisco often tests the misconception that explicit path configuration or bandwidth upgrades are the primary solutions for resource contention, when in fact preemption priorities are the designed mechanism for dynamic contention resolution in RSVP-TE.

How to eliminate wrong answers

Option B is wrong because increasing the bandwidth of all core links is a costly, non-scalable approach that may not be feasible and does not address the root cause of contention; it also requires a network redesign. Option C is wrong because configuring LSP path-option explicit paths with strict hops forces a specific path but does not resolve bandwidth contention on those links; it may even worsen contention by not allowing dynamic rerouting. Option D is wrong because disabling RSVP-TE and using LDP for label distribution removes traffic engineering capabilities entirely, as LDP does not support bandwidth reservation or explicit path control, which would not solve the resource contention issue.

681
MCQ · hard

An engineer is deploying Segment Routing in an MPLS network. To ensure that routers can forward packets based on SR-MPLS labels without requiring LDP, which requirement must be met?

A. IS-IS or OSPF must have the SR extension enabled.
B. MPLS LDP must be enabled on all interfaces.
C. All routers must run BGP-LU.
D. The IGP must have the overload bit set.
Answer: A

Correct. The IGP distributes prefix-SIDs for SR-MPLS label forwarding.

Why this answer

Segment Routing (SR) can operate without LDP by encoding the forwarding path as a list of MPLS labels derived from the IGP. For routers to allocate and advertise these SR-MPLS labels, the IGP (IS-IS or OSPF) must have the Segment Routing extension enabled. This allows the IGP to distribute prefix-SIDs (labels) that routers use to forward packets, eliminating the need for LDP.

Exam trap

Cisco often tests the misconception that LDP is always required for MPLS forwarding, but SR-MPLS bypasses LDP by using the IGP to distribute labels, so candidates must recognize that the IGP SR extension is the enabling requirement.

How to eliminate wrong answers

Option B is wrong because MPLS LDP is specifically not required when SR-MPLS is used; SR replaces LDP by using IGP-distributed labels. Option C is wrong because BGP-LU (BGP Labeled Unicast) is used for inter-domain label distribution, not for the basic intra-domain label allocation needed for SR-MPLS forwarding. Option D is wrong because the IGP overload bit is a mechanism to prevent transit traffic through a router during convergence or maintenance, and it has no role in enabling SR-MPLS label-based forwarding.

682
Multi-Select · medium

Which TWO statements about MPLS label operations are correct? (Choose two.)

Select 2 answers
A. Label swapping is performed at every transit LSR.
B. In PHP, the penultimate hop LSR removes the top label before forwarding to the egress.
C. The ingress LSR performs a swap operation.
D. The egress LSR always performs a pop operation.
E. Label popping always happens at the penultimate hop.
Answers: A, B

Transit LSRs swap the incoming label with an outgoing label.

Why this answer

Penultimate Hop Popping (PHP) removes the label before the final hop, and the ingress LSR pushes the initial label.

683
MCQ · medium

A network engineer at a service provider is using Cisco NSO to automate the provisioning of VLANs on thousands of access devices. The engineer creates a service using a custom YANG model and deploys it to a set of devices. However, the deployment fails with a 'failed to reach devices' error for some devices, while others succeed. The engineer checks device connectivity and confirms all devices are reachable via SSH and NETCONF. The engineer also verifies that the NSO device list is accurate and includes all target devices. What is the most likely cause of the failure?

A. The service model uses an unsupported feature on those devices.
B. The devices are not in sync with NSO.
C. The devices have insufficient memory to accept the configuration.
D. The NSO package is not loaded on those devices.
Answer: B

Out-of-sync devices prevent NSO from deploying services on them, and the error may manifest as 'failed to reach' because NSO cannot reconcile the configuration.

Why this answer

When NSO deploys a service, it first checks whether the target devices are in sync with the NSO CDB (configuration database). If a device is out of sync (e.g., its running configuration differs from what NSO expects), NSO will refuse to push the new service configuration and will report a 'failed to reach devices' error, even though the device is reachable via SSH/NETCONF. This is a safety mechanism to prevent configuration conflicts or overwriting unmanaged changes.

Exam trap

Cisco often tests the misconception that 'failed to reach devices' always indicates a network connectivity problem, when in fact it can be caused by NSO's synchronization check failing on a reachable device.

How to eliminate wrong answers

Option A is wrong because an unsupported feature would typically cause a validation or commit error, not a 'failed to reach devices' error; NSO would still attempt to connect and then reject the configuration. Option C is wrong because insufficient memory would manifest as a commit failure or device crash, not a connectivity error, and NSO would still establish a session. Option D is wrong because NSO packages are loaded on the NSO server, not on the managed devices; devices only need to support NETCONF or CLI for NSO to manage them.

684
MCQ · easy

An MPLS core network uses LDP to distribute labels. An engineer wants to verify that the LDP session between two routers is up and exchanging labels. Which command should be used?

A. show mpls interfaces
B. show mpls l2transport binding
C. show mpls ldp neighbor
D. show mpls forwarding-table
Answer: C

Displays LDP neighbors and session state.

Why this answer

The command 'show mpls ldp neighbor' displays the status of LDP sessions, including the neighbor's IP address, session state (e.g., Operational), and label exchange activity. Since LDP is the protocol used to distribute labels in this MPLS core network, this command directly verifies that the session is up and exchanging labels between the two routers.

Exam trap

Cisco often tests the distinction between verifying the LDP session itself (show mpls ldp neighbor) versus verifying the results of label exchange (show mpls forwarding-table), leading candidates to confuse the output of label distribution with the state of the label distribution protocol.

How to eliminate wrong answers

Option A is wrong because 'show mpls interfaces' displays which interfaces are enabled for MPLS and their LDP or TDP status, but it does not show LDP session state or label exchange with a specific neighbor. Option B is wrong because 'show mpls l2transport binding' is used for Layer 2 VPN (L2VPN) pseudowire label bindings, not for verifying LDP session status. Option D is wrong because 'show mpls forwarding-table' displays the LFIB (Label Forwarding Information Base) entries, which are the result of label exchange, but it does not show the LDP session state or neighbor adjacency.

685
MCQ · medium

A service provider uses BGP route reflectors to scale iBGP. A route reflected from a route reflector arrives at a client with the originator-id set. What is the purpose of the originator-id attribute?

A. To identify the route reflector that reflected the route
B. To indicate the cluster-id of the route reflector
C. To prevent routing loops by ensuring the route is not accepted if the originator-id matches the local router-id
D. To carry the next-hop information for IPv6 prefixes
Answer: C

Correct; if a router receives a route with its own router-id as originator-id, it discards the route.

Why this answer

The originator-id is set by the route reflector to the router-id of the originating router in the AS. It prevents routing loops by allowing a route to be ignored if the originator-id matches the receiving router's ID.

686
MCQ · medium

An SP engineer is configuring hierarchical QoS on a PE router. The parent policy shapes the traffic to 10 Mbps, and the child policy applies LLQ for voice and CBWFQ for data. What is the primary purpose of using policing within the LLQ child policy?

A. To re-mark voice traffic to a lower DSCP
B. To drop excess voice traffic and prevent starvation of other queues
C. To police the parent shape rate
D. To buffer excess voice traffic
Answer: B

Correct; policing limits voice traffic in LLQ.

Why this answer

In hierarchical QoS (HQoS), the parent policy shapes the aggregate traffic to 10 Mbps, while the child policy applies LLQ for voice and CBWFQ for data. The primary purpose of policing within the LLQ child policy is to enforce a strict rate limit on voice traffic, dropping excess packets to prevent voice from consuming bandwidth beyond its allocated share. This prevents voice traffic from starving other queues (e.g., data) within the shaped parent rate, ensuring fairness and protecting other classes from congestion.

Exam trap

Cisco often tests the misconception that policing in a child policy is used to enforce the parent shape rate, but in reality, the parent shape rate is enforced by the shape command in the parent policy, while child policing controls per-class fairness within that shaped rate.

How to eliminate wrong answers

Option A is wrong because re-marking voice traffic to a lower DSCP is not the primary purpose of policing within LLQ; policing can mark down but its main role here is to drop excess traffic to protect other queues, not just re-mark. Option C is wrong because the parent shape rate is enforced by the parent policy's shape command, not by policing within the child LLQ policy; policing in the child operates on the child's traffic, not the parent's aggregate rate. Option D is wrong because policing does not buffer traffic; it either drops or re-marks packets, while buffering is a function of queuing mechanisms like WFQ or tail-drop, not policing.

687
MCQ · easy

A service provider is implementing QoS on an MPLS network to support voice, video, and data traffic. Which queuing mechanism provides the lowest latency for real-time traffic?

A. FIFO
B. WRED
C. LLQ
D. CBWFQ
Answer: C

LLQ provides a strict priority queue that ensures low latency and jitter for real-time traffic.

Why this answer

LLQ (Low Latency Queuing) is the correct choice because it provides a strict priority queue specifically designed for real-time traffic like voice and video. By placing delay-sensitive packets into a dedicated priority queue that is serviced before all other queues, LLQ ensures minimal and predictable latency, which is essential for maintaining voice quality in an MPLS network.

Exam trap

Cisco often tests the misconception that CBWFQ alone can handle real-time traffic, but the trap is that CBWFQ lacks a strict priority queue, so only LLQ provides the necessary low-latency guarantee for voice and video.

How to eliminate wrong answers

Option A is wrong because FIFO (First In, First Out) offers no traffic differentiation or priority handling, so real-time packets can be delayed behind large data packets, causing jitter and unacceptable latency. Option B is wrong because WRED (Weighted Random Early Detection) is a congestion avoidance mechanism that drops packets proactively to prevent tail drops, but it does not provide any queuing or priority scheduling, so it cannot guarantee low latency for real-time traffic. Option D is wrong because CBWFQ (Class-Based Weighted Fair Queuing) provides bandwidth guarantees per class but does not include a strict priority queue; real-time traffic can still experience delay if competing with other classes for service.

688
MCQ · easy

A client reports intermittent connectivity issues when accessing a server across a provider MPLS network. The issue occurs only during peak hours. Which component should be checked first?

A. BGP peering status between CE and PE.
B. CPU utilization of the server.
C. Interface errors and discards on the CE router.
D. MPLS labels in the core.
Answer: C

Peak traffic can cause output discards or CRC errors, leading to connectivity drops.

Why this answer

Intermittent connectivity during peak hours strongly suggests a bandwidth or queuing issue at the edge of the MPLS network. Interface errors (e.g., CRC, runts) and discards on the CE router indicate congestion or Layer 1/2 problems, which are the most common cause of such time-dependent symptoms. Checking this first aligns with the standard troubleshooting methodology of verifying the physical and data-link layers before moving to higher-layer protocols.

Exam trap

Cisco often tests the principle that intermittent issues during peak hours are almost always due to congestion or interface errors at the edge, not control-plane or core problems, leading candidates to incorrectly focus on BGP or MPLS labels.

How to eliminate wrong answers

Option A is wrong because BGP peering between CE and PE is a control-plane function; if it were flapping or down, connectivity would be lost entirely or consistently, not just intermittently during peak hours. Option B is wrong because server CPU utilization is an endpoint issue unrelated to the MPLS network; while high CPU could cause slow responses, it would not cause intermittent connectivity across the provider network. Option D is wrong because MPLS labels in the core are typically stable and not affected by peak-hour traffic patterns; label switching is deterministic and congestion in the core would manifest as drops or discards at the CE/PE edge, not as label failures.

689
MCQ · medium

An SP engineer is configuring hierarchical QoS on a PE router to enforce a per-subscriber bandwidth contract of 10 Mbps and prioritize voice within that contract. Which MQC configuration sequence is correct?

A. Define parent policy-map with shape, then child policy-map with LLQ, apply child directly to interface.
B. Use policing in the parent policy to enforce 10 Mbps and child for LLQ.
C. Define one policy-map with both shape and LLQ in the same class.
D. Define child class-map and policy-map with LLQ, then parent policy-map with shape and service-policy child, applied to interface.
Answer: D

This correctly implements H-QoS: child policy first, then parent with shape and child policy reference.

Why this answer

Hierarchical QoS uses a parent policy for shaping and a child policy for classification and priority queuing. The child is applied to the parent's class-default.

690
Multi-Select · hard

A service provider is implementing BGP security using RPKI. Which three components are required for RPKI-based BGP origin validation? (Choose three.)

Select 3 answers
A. Route Origin Authorization (ROA)
B. BGPsec path validation
C. Relying Party (cache server)
D. IS-IS routing protocol
E. RPKI-to-Router (RTR) protocol
Answers: A, C, E

ROA authorizes an AS to originate a prefix.

Why this answer

RPKI requires: 1) ROA (Route Origin Authorization) created by the prefix holder; 2) Relying Party (cache server) that fetches and validates ROAs; 3) RTR protocol to download the VRP (Validated ROA Payload) to routers. BGPsec is a separate standard for path validation. IS-IS is not involved.

691
MCQ · easy

An SP customer reports intermittent voice quality issues. The engineer wants to measure jitter and packet loss between two remote sites using Cisco IP SLA. Which IP SLA operation type should be configured?

A. DNS Query
B. ICMP Echo
C. HTTP Get
D. TCP Connect
E. UDP Jitter
Answer: E

UDP Jitter measures jitter, packet loss, and one-way delay, ideal for voice quality monitoring.

Why this answer

The UDP Jitter operation (option E) is correct because it measures both one-way jitter and packet loss by sending UDP packets with precise timestamps, which is essential for diagnosing voice quality issues. Unlike other IP SLA operations, UDP Jitter specifically tracks inter-packet delay variation (jitter) and loss patterns that directly impact VoIP and real-time traffic.

Exam trap

Cisco often tests the misconception that ICMP Echo (ping) can measure jitter, but ICMP does not provide per-packet timestamps or loss differentiation between directions, making it unsuitable for voice quality diagnostics.

How to eliminate wrong answers

Option A is wrong because DNS Query measures DNS resolution time, not jitter or packet loss. Option B is wrong because ICMP Echo measures round-trip time and reachability, but it does not provide jitter or packet loss statistics needed for voice quality analysis. Option C is wrong because HTTP Get measures web server response time and application-layer performance, not network-layer jitter or loss.

Option D is wrong because TCP Connect measures TCP handshake completion time and does not capture jitter or packet loss metrics.

692
Matching · medium

Match each MPLS VPN technology to its description.

Concepts
Matches

Uses BGP to distribute VPN routes between PE routers

Emulates Layer 2 services like Ethernet or ATM over MPLS

Multipoint Layer 2 VPN that simulates an Ethernet LAN

Point-to-point Layer 2 VPN providing pseudowire connectivity

Multicast VPN that supports IP multicast over MPLS

Why these pairings

These are key MPLS VPN service types in service provider networks.

693
MCQ · hard

An engineer is troubleshooting MPLS traffic engineering tunnels and needs to verify path calculation and RSVP errors. Which command should be used?

A. show ip route
B. show mpls ldp neighbor
C. show mpls traffic-eng tunnels
D. debug mpls lfib errors
Answer: C

This command provides details on TE tunnels, including path computation and signaling status.

Why this answer

Option C is correct because the 'show mpls traffic-eng tunnels' command displays detailed information about MPLS TE tunnels, including path calculation status, RSVP signaling errors, and tunnel state. This command is specifically designed to verify TE tunnel operations and troubleshoot issues such as path computation failures or RSVP resource reservation problems.

Exam trap

Cisco often tests the distinction between MPLS TE-specific commands and general MPLS or routing commands, so the trap here is that candidates might confuse 'show mpls ldp neighbor' (for LDP-based label distribution) with TE tunnel verification, or mistakenly think 'debug mpls lfib errors' is appropriate for RSVP path errors when it actually targets LFIB corruption issues.

How to eliminate wrong answers

Option A is wrong because 'show ip route' displays the IP routing table and is not relevant to MPLS TE tunnel path calculation or RSVP error verification. Option B is wrong because 'show mpls ldp neighbor' shows LDP neighbor relationships, which are used for label distribution in non-TE MPLS, not for TE tunnel path calculation or RSVP signaling. Option D is wrong because 'debug mpls lfib errors' debugs Label Forwarding Information Base (LFIB) errors, which is a debugging tool for label forwarding issues, not for verifying TE tunnel path calculation or RSVP errors.

694
Multi-Select · hard

Which THREE are valid methods to provide fast convergence in an MPLS/Segment Routing network? (Select three.)

Select 3 answers
A. BGP Prefix Independent Convergence (PIC)
B. Topology-Independent LFA (TI-LFA)
C. Loop-Free Alternate (LFA)
D. RSVP-TE Fast Reroute (FRR)
E. IP Fast Reroute (IPFRR)
Answers: B, C, D

TI-LFA works with SR and provides node/link protection.

Why this answer

B is correct because Topology-Independent LFA (TI-LFA) provides fast convergence in Segment Routing networks by computing a backup path that is guaranteed to be loop-free regardless of the network topology. It leverages the Segment Routing data plane to pre-install a repair path using a segment list, enabling sub-50ms failover without relying on IGP convergence.

Exam trap

Cisco often tests the distinction between IPFRR (which is IP-layer only) and TI-LFA/LFA/RSVP-TE FRR (which are MPLS/Segment Routing-specific), so candidates mistakenly select IPFRR because it sounds similar to LFA, but it does not apply to MPLS/Segment Routing networks.

695
Multi-Select · hard

Which THREE of the following are valid IS-IS TLV types used to support traffic engineering and segment routing? (Choose three.)

Select 3 answers
A. TLV 22 (Extended IS Reachability)
B. TLV 2 (IS Neighbors)
C. TLV 36 (Prefix SID)
D. TLV 135 (Extended IP Reachability)
E. TLV 128 (IP Internal Reachability)
Answers: A, C, D

Correct. Used for TE and wide metrics.

Why this answer

IS-IS TE extensions use various TLVs. TLV 22 (Extended IS Reachability) carries wide metrics and TE information. TLV 135 (Extended IP Reachability) carries IP prefixes with wide metrics.

TLV 36 (Prefix SID) is used for segment routing to assign SIDs to prefixes.

696
MCQ · hard

An ISP operates an MPLS Layer 3 VPN backbone. A customer, Corporation X, has four sites (A, B, C, D) each connected to a different PE router (PE-A, PE-B, PE-C, PE-D). They use OSPF as the CE-PE routing protocol. Sites A, B, and C can exchange routes without issue. However, Site D suddenly loses connectivity to Site B, though it can still reach Sites A and C. Show commands on PE-D reveal that the VRF for Corporation X imports RT:100:200, and the route for Site B (prefix 10.10.20.0/24) is present in the BGP VPNv4 table with RT:100:200 and next-hop 10.0.2.2. The OSPF neighbor between PE-D and the CE at Site D is up, and no route filters are configured. ‘ping 10.10.20.0’ from PE-D fails. What is the most likely cause of the issue?

A. OSPF route redistribution from PE-B into BGP is set to external type 2, while PE-D expects type 1.
B. The route target for Site B is misconfigured on PE-D, not matching the export RT from PE-B.
C. PE-D is not assigning an MPLS label for the route to Site B, causing packets to be dropped.
D. The BGP next-hop (10.0.2.2) for Site B's route is not reachable in PE-D's global routing table.
Answer: D

Correct: If the next-hop is unreachable, the VPNv4 route cannot be installed in the VRF, causing loss of connectivity to that specific site.

Why this answer

The route is in the VPNv4 table with the correct RT, so import is working. The next-hop is 10.0.2.2. If that next-hop is not reachable in the global routing table of PE-D, the VPNv4 route will not be installed in the VRF.

Checking ‘show ip route 10.0.2.2’ on PE-D would confirm this. Option B is plausible but incorrect because an RT mismatch would prevent the route from even appearing in the VPNv4 table. Option A is incorrect because OSPF is redistributed, and the route type does not affect reachability.

Option C is incorrect because label allocation is not the issue; the prefix is present with labels.

697
MCQ · medium

Which MPLS VPN technology allows a service provider to offer overlapping IP addresses to different customers while using a single routing table per VPN?

A. Any Transport over MPLS (AToM)
B. VPLS
C. MPLS Traffic Engineering (TE)
D. MPLS Layer 3 VPN (BGP/MPLS IP VPN)
Answer: D

Uses VRFs to isolate routing per VPN.

Why this answer

D is correct because MPLS Layer 3 VPN (BGP/MPLS IP VPN) uses per-VPN routing tables (VRFs) to maintain separate forwarding instances for each customer. This allows overlapping IP addresses across different customers while keeping each VPN's routes isolated. The provider edge routers exchange VPNv4 routes using MP-BGP with route distinguishers (RDs) to make overlapping prefixes unique, and route targets (RTs) control which VRFs import/export those routes.

Exam trap

Cisco often tests the distinction between Layer 2 VPN technologies (AToM, VPLS) and Layer 3 VPNs (MPLS L3VPN), so the trap here is that candidates confuse 'overlapping IP addresses' with 'overlapping MAC addresses' or assume any MPLS-based service can handle IP overlap, but only per-VPN routing tables (VRFs) in L3VPN provide that isolation.

How to eliminate wrong answers

Option A is wrong because Any Transport over MPLS (AToM) is a Layer 2 VPN technology that transports Layer 2 frames (e.g., Ethernet, ATM) over an MPLS backbone, not a Layer 3 VPN solution, and it does not provide per-VPN routing tables or handle overlapping IP addresses. Option B is wrong because VPLS (Virtual Private LAN Service) is a Layer 2 VPN technology that emulates an Ethernet LAN across an MPLS network, using MAC address learning and flooding, not IP routing tables, so it cannot isolate overlapping IP addresses per VPN. Option C is wrong because MPLS Traffic Engineering (TE) is a mechanism for optimizing traffic paths across the MPLS core using RSVP-TE or CR-LDP, not a VPN technology; it does not create per-VPN routing tables or address overlapping IPs.

698
MCQ · hard

A network engineer is troubleshooting a NETCONF session that fails to establish between a controller and a router. The router supports NETCONF over SSH on port 830. The controller can reach the router but the session fails. What is the most likely cause?

A. The router's NETCONF capability is disabled
B. The SSH host key of the router is not in the controller's known_hosts file
C. The controller is using the wrong port (e.g., 22)
D. The router does not support YANG models
Answer: B

SSH host key verification failure can cause session failure.

Why this answer

The most likely cause is that the SSH host key of the router is not in the controller's known_hosts file. NETCONF over SSH (RFC 6242) requires SSH transport, and the controller must authenticate the router's SSH host key during session establishment. If the host key is missing or mismatched, the SSH handshake fails, preventing the NETCONF session from starting, even though the router is reachable and NETCONF is enabled.

Exam trap

Cisco often tests the distinction between transport-layer failures (SSH host key) and application-layer failures (NETCONF capability or YANG support), leading candidates to incorrectly choose options related to NETCONF configuration rather than SSH authentication.

How to eliminate wrong answers

Option A is wrong because if the router's NETCONF capability were disabled, the controller would typically receive a capability exchange failure or a clear error, but the question states the session fails to establish, which points to a transport-layer issue rather than an application-layer capability. Option C is wrong because the controller can reach the router, and the question specifies the router supports NETCONF over SSH on port 830; using port 22 would likely result in a connection timeout or refusal, but the session failure here is due to SSH authentication, not port mismatch. Option D is wrong because YANG model support is irrelevant to session establishment; NETCONF sessions can be established without any YANG models, as models are used for data modeling and operations after the session is up.

699
MCQhard

A service provider has recently deployed MPLS L3VPN to provide IP connectivity to multiple enterprise customers. One customer reports that they cannot reach a remote site that is connected to a different PE router. The engineer checks the BGP VPNv4 table on the customer's PE and sees the route for the remote site, but the next-hop is unreachable. The interface between the PE and P routers is up/up, and IGP reachability to the PE's loopback is fine. What is the most likely cause? Consider that the network uses LDP for label distribution and OSPF as the IGP.

A.MPLS LDP is not enabled on the interface connecting to the P router
B.BGP next-hop-self is not configured on the PE
C.The VRF route-target import/export is misconfigured
D.The PE router does not have an LSP to the remote PE
AnswerA

LDP must be enabled on the interface to exchange labels for the loopback route.

Why this answer

The correct answer is A. Since the interface between the PE and P routers is up/up and IGP reachability to the PE's loopback is fine, the issue is that MPLS LDP is not enabled on that interface. Without LDP, the PE cannot advertise a label for its loopback to the P router, so the P router cannot push the correct label for packets destined to the remote PE.

This makes the BGP VPNv4 next-hop unreachable even though the route itself is present in the table.

Exam trap

The trap here is that candidates often focus on BGP configuration (like next-hop-self) or VRF import/export when the route is present but unreachable, missing the fundamental MPLS label distribution issue that LDP must be enabled on all transit interfaces for end-to-end LSPs.

How to eliminate wrong answers

Option B is wrong because BGP next-hop-self is used to change the next-hop of VPNv4 routes to the local PE's loopback, but the problem states the route is present with an unreachable next-hop, not that the next-hop is incorrect. Option C is wrong because VRF route-target import/export misconfiguration would cause the route to be missing from the VRF table entirely, not to appear with an unreachable next-hop. Option D is wrong because an LSP to the remote PE is exactly what is missing, but the root cause is that LDP is not enabled on the interface, which prevents label distribution and thus the LSP from being built.

700
Multi-Selecthard

A service provider is deploying L3VPN with inter-AS option B (ASBR-to-ASBR). Which TWO statements are true about this design?

Select 2 answers
A.The VPN label is removed by the ASBR before forwarding to the neighbor AS.
B.ASBRs peer using eBGP and exchange labeled VPN-IPv4 prefixes.
C.Route reflectors are required to propagate VPN routes between ASes.
D.ASBRs perform label swap for VPN labels when forwarding traffic.
E.ASBRs exchange unlabeled IPv4 routes and use MP-BGP to carry VPNv4 routes.
AnswersB, D

ASBRs peer over eBGP and exchange VPNv4 prefixes with labels, allowing end-to-end MPLS.

Why this answer

In inter-AS Option B, ASBRs peer using eBGP and exchange labeled VPN-IPv4 prefixes (AFI 1, SAFI 128). This allows the VPNv4 routes to be carried across AS boundaries without requiring a full mesh of MP-IBGP between PEs, as the ASBRs re-advertise the routes with a new next-hop and perform label allocation for the VPN labels.

Exam trap

Cisco often tests the misconception that Option B requires route reflectors or that the VPN label is removed at the ASBR, when in fact the ASBR performs a label swap and directly exchanges VPNv4 prefixes via eBGP without needing route reflectors.

701
Multi-Selecteasy

Which TWO of the following are services that can be offered using MPLS Layer 3 VPN (L3VPN) technology? (Select two.)

Select 2 answers
A.IP transit services
B.Layer 2 bridging between sites
C.Transport of Ethernet frames over MPLS
D.Native multicast support without tunnels
E.Internet access for customers
AnswersA, E

L3VPN provides IP routing between sites.

Why this answer

MPLS Layer 3 VPN (L3VPN) uses a peer-to-peer model where the provider edge (PE) router participates in the customer's routing via MP-BGP (RFC 4364). This allows the provider to offer IP transit services by carrying customer IP routes across the MPLS backbone, and Internet access by connecting the customer VRF to an Internet-facing VRF or global routing table. Both services rely on the L3VPN architecture's ability to separate and forward IP traffic based on VRFs and route targets.

Exam trap

Cisco often tests the distinction between L3VPN and L2VPN services, so the trap here is that candidates confuse Layer 2 transport (Ethernet frames, bridging) with Layer 3 IP forwarding, leading them to select options B or C as valid L3VPN services.

702
MCQhard

An SP network engineer needs to implement hierarchical QoS on a PE router to shape customer traffic to a contracted rate of 10 Mbps while providing priority for voice traffic and bandwidth guarantee for critical data. Which MQC configuration correctly achieves this?

A.Create a child policy with class-maps for voice and data; create a parent policy that applies the child policy and shapes to 10 Mbps; apply parent policy to the interface.
B.Apply a service-policy out with shape and then apply another service-policy in with priority; both on the same interface.
C.Apply a single policy-map that includes both shape and priority; no hierarchy needed.
D.Use a policy-map with shape average 10 Mbps and then use the bandwidth command for voice and data classes; no hierarchy.
AnswerA

This is the correct hierarchical QoS design: child policy handles classification and queuing, parent policy shapes the aggregate traffic.

Why this answer

Hierarchical QoS (HQoS) is required when you need to shape traffic to a contracted rate (e.g., 10 Mbps) while also applying per-class actions like priority and bandwidth guarantees. Option A correctly uses a child policy to define class-based QoS (priority for voice, bandwidth for critical data) and a parent policy that applies the shape average command to the entire child policy aggregate, enforcing the 10 Mbps contract. This two-level MQC structure ensures that shaping occurs at the parent level before the child policy’s per-class queuing and scheduling are applied.

Exam trap

The trap here is that candidates often assume a single policy-map can combine shape and priority/bandwidth, but Cisco specifically tests that hierarchical QoS is mandatory when you need to shape an aggregate rate while applying per-class queuing actions, as shape average in a flat policy acts per-class, not on the total traffic.

How to eliminate wrong answers

Option B is wrong because applying separate service-policies for shape (outbound) and priority (inbound) on the same interface does not create a hierarchical relationship; shaping must be applied as a parent to the child policy that contains priority/bandwidth, and applying them as independent policies cannot enforce the contracted rate while preserving per-class treatment. Option C is wrong because a single flat policy-map cannot simultaneously apply shape average and priority/bandwidth commands in a way that respects hierarchy—Cisco MQC requires separate parent/child levels to shape the aggregate and then schedule within the shaped rate. Option D is wrong because using shape average and bandwidth commands in the same policy-map without hierarchy will cause the shape to be applied per-class rather than to the aggregate traffic, breaking the contracted rate enforcement and potentially causing oversubscription.

703
MCQmedium

A service provider is migrating their MPLS core network to Segment Routing (SR-MPLS). All existing core routers run IOS-XR and are configured with an SRGB of 16000-23999 and OSPF as the IGP. A new router (R5) is added as a PE. The engineer configures R5 with the same SRGB and enables segment-routing under OSPF. However, when configuring an SR-TE policy from R5 to the remote loopback 10.0.0.1 on R1, the policy remains down. Show commands reveal that R5 is not learning the prefix-SID for 10.0.0.1. On R1, the prefix-SID is configured with index 100. The engineer verifies that OSPF adjacencies are up and that R5 can ping 10.0.0.1. What is the most likely cause of the issue?

A.The OSPF process on R5 is not configured with segment-routing mpls.
B.The SR-TE policy on R5 is missing the color attribute.
C.R1 is not configured with the same SRGB as R5.
D.The prefix-SID index 100 is not within the SRGB range of R5 (16000-23999).
AnswerA

Without this command, R5 cannot exchange prefix-SID information via OSPF.

Why this answer

Option A is correct because without 'segment-routing mpls' under the OSPF process, R5 cannot participate in Segment Routing, meaning it neither advertises its own prefix-SIDs nor learns the prefix-SIDs of other routers. This prevents the SR-TE policy from obtaining the necessary label bindings. Option D is incorrect because index 100 maps to label 16100 (16000+100), which is within the SRGB range.

Option B is incorrect because while color is a key attribute in SR-TE policies, the policy can still be defined with a segment-list; however, the primary issue here is the lack of prefix-SID learning. Option C is incorrect because the SRGB is consistent across all routers.

704
MCQmedium

In an MPLS L3VPN, how can a service provider prevent a CE device from learning the MPLS label stack and potentially spoofing labels?

A.Disable MPLS on the PE-CE interface
B.Use LDP authentication between PE and CE
C.Configure MPLS VPN route-target filtering
D.Enable TTL propagation on the PE-CE link
AnswerA

This prevents the CE from seeing MPLS labels.

Why this answer

Disabling MPLS on the PE-CE link ensures the CE does not receive labeled packets. TTL propagation is for traceroute, not for preventing label exposure. LDP authentication secures label distribution but does not prevent the CE from receiving labels if MPLS is enabled.

705
MCQeasy

An ISP is designing an MPLS core network and needs to choose an IGP that supports fast convergence. Which IGP meets this requirement and is most commonly used in MPLS core networks?

A.IS-IS
B.OSPFv3
C.EIGRP
D.RIPng
AnswerA

IS-IS provides fast convergence and is the predominant IGP in service provider MPLS cores.

Why this answer

IS-IS is the correct choice because it is a link-state IGP that inherently supports fast convergence through mechanisms like incremental SPF (iSPF) and prefix-independent convergence (PIC). It is widely deployed in MPLS core networks due to its scalability, extensibility via TLVs, and native support for MPLS Traffic Engineering (MPLS-TE) without requiring additional protocol extensions like OSPF's opaque LSA.

Exam trap

Cisco often tests the misconception that OSPF is the default IGP for all networks, but in MPLS core environments, IS-IS is the preferred choice due to its native TE support and hierarchical scalability, making OSPF a distractor despite its fast convergence capabilities.

How to eliminate wrong answers

Option B (OSPFv3) is wrong because while OSPFv3 supports IPv6 and fast convergence, it is less commonly used in MPLS core networks compared to IS-IS due to its reliance on opaque LSAs for MPLS-TE, which adds complexity; IS-IS is the dominant IGP in service provider cores. Option C (EIGRP) is wrong because EIGRP is a Cisco-proprietary distance-vector protocol that does not natively support MPLS-TE and is not designed for the hierarchical, scalable architecture required in MPLS core networks. Option D (RIPng) is wrong because RIPng is a distance-vector protocol with slow convergence (based on hop count) and is unsuitable for any modern MPLS core network due to its lack of fast convergence, scalability, and MPLS-TE support.

706
Multi-Selectmedium

In an MPLS network using RSVP-TE for traffic engineering, which two mechanisms can be used for fast reroute (FRR) protection? (Choose two.)

Select 2 answers
A.Local Protection using segment routing adjacency SID
B.Global Repair using a secondary LSP from headend
C.Facility backup using a bypass tunnel
D.Hot Standby Router Protocol (HSRP)
E.1:1 protection using a dedicated detour LSP
AnswersC, E

Correct: bypass tunnel protects multiple LSPs.

Why this answer

RSVP-TE FRR offers two protection methods: facility backup (bypass tunnel) and 1:1 protection (detour LSP). Global Repair is not a standard term; Local Protection is used in segment routing.

707
MCQeasy

Which access technology uses a passive optical splitter to deliver broadband services to multiple subscribers over a single fiber?

A.GPON
B.Cable (DOCSIS)
C.Metro Ethernet
D.DSL (Digital Subscriber Line)
AnswerA

GPON is a passive optical network with optical splitters.

Why this answer

GPON (Gigabit Passive Optical Network) uses passive splitters to share fiber among multiple subscribers.

708
MCQmedium

An engineer configures the 'set-overload-bit' command on an IS-IS router. What is the immediate effect on the network?

A.The router stops participating in SPF calculations.
B.The router's LSPs are no longer advertised.
C.The router's neighbors drop adjacency.
D.The router is not used as a transit path but still has routes.
AnswerD

Correct. Overload bit prevents transit traffic while still being reachable.

Why this answer

The 'set-overload-bit' command causes the IS-IS router to set the overload bit in its Link State PDUs (LSPs). This signals to other routers that the advertising router should not be used for transit traffic, but it still participates in SPF calculations and can be reached as a leaf or end node. Therefore, the router retains its routes and adjacency, but other routers will not forward traffic through it.

Exam trap

Cisco often tests the misconception that setting the overload bit stops all routing functionality or drops adjacencies, when in fact it only prevents transit traffic while preserving reachability and neighbor relationships.

How to eliminate wrong answers

Option A is wrong because the router continues to participate in SPF calculations; the overload bit only affects transit path selection, not the router's own SPF computation. Option B is wrong because the router's LSPs are still advertised; the overload bit is a flag within the LSP, not a suppression of LSP advertisement. Option C is wrong because the overload bit does not cause neighbors to drop adjacency; adjacencies remain established and the router can still be reached directly.

709
Multi-Selectmedium

Which TWO of the following are advantages of segment routing over traditional LDP-based MPLS? (Choose two.)

Select 2 answers
A.Reduces the number of BGP peers required
B.Eliminates the need for the LDP protocol
C.Requires RSVP-TE for traffic engineering
D.Provides source routing capability
E.Eliminates the need for IGP
AnswersB, D

SR uses IGP extensions instead of LDP.

Why this answer

Option B is correct because segment routing (SR-MPLS) eliminates the need for the LDP protocol by encoding MPLS labels directly in the IGP (e.g., OSPF or IS-IS) using extensions like RFC 8665 and RFC 8667. This simplifies the control plane by removing an entire protocol (LDP) and its associated state, reducing operational complexity and convergence time.

Exam trap

Cisco often tests the misconception that segment routing eliminates the IGP entirely, but in reality, SR relies on the IGP to distribute SIDs, so the IGP is still required.

710
MCQeasy

In MPLS forwarding, what label operation does a transit LSR perform on the top label of a labeled packet?

A.Swap
B.None
C.Pop
D.Push
AnswerA

Swap is the correct operation for a transit LSR.

Why this answer

A transit Label Switch Router (LSR) in an MPLS network receives a labeled packet and must forward it toward the egress LSR. The core operation on the top label is a swap: the incoming label is replaced with an outgoing label learned from the downstream LSR via Label Distribution Protocol (LDP) or other label distribution protocols. This maintains the label-switched path (LSP) and ensures the packet continues along the correct path.

Exam trap

Cisco often tests the distinction between the roles of ingress, transit, and egress LSRs, and the trap here is that candidates confuse the transit LSR's swap operation with the penultimate hop's pop operation or the ingress LSR's push operation.

How to eliminate wrong answers

Option B (None) is wrong because a transit LSR must always perform a label operation on the top label to forward the packet; doing nothing would drop the packet or cause a forwarding loop. Option C (Pop) is wrong because pop (penultimate hop popping, PHP) is performed by the penultimate LSR (the LSR just before the egress), not by a generic transit LSR. Option D (Push) is wrong because push is performed by the ingress LSR when it first imposes a label on an unlabeled packet; a transit LSR receives an already-labeled packet and does not push an additional label.

711
MCQeasy

Which MPLS-based service provides point-to-point Ethernet connectivity over a service provider network, emulating a wire?

A.L3VPN
B.VPWS
C.VPLS
D.EVPN
AnswerB

Correct. VPWS provides point-to-point pseudowire.

Why this answer

VPWS (Virtual Private Wire Service) is a pseudowire that provides point-to-point L2VPN connectivity, emulating a physical wire.

712
MCQeasy

A service provider wants to prevent IP spoofing at the customer edge by verifying that the source IP address of incoming packets is reachable via the interface they arrive on. Which uRPF mode should be used?

A.Strict mode
B.ACL-based filtering
C.Reverse path filtering disabled
D.Loose mode
AnswerA

Strict mode verifies source IP reachability via the same interface.

Why this answer

Strict mode checks that the source IP is in the FIB and that the best return route is through the same interface. Loose mode only checks that the source IP is in the FIB. Strict mode is used at customer edges where traffic should come from a specific interface.

713
MCQmedium

A customer is experiencing intermittent packet loss in an MPLS L3VPN network. The PE routers show no errors on interfaces. Which tool can help isolate the issue by showing the complete path a packet takes through the MPLS network?

A.Traceroute
B.Ping
C.MPLS traceroute
D.MPLS ping
AnswerC

MPLS traceroute displays the label stack at each hop along the LSP.

Why this answer

MPLS traceroute (often implemented via LSP ping with the 'traceroute' option or the 'mpls traceroute' command) is the correct tool because it uses MPLS echo request/reply messages (RFC 8029) to traverse the label-switched path (LSP) hop by hop, revealing the exact label stack and transit LSRs. This allows identification of a failing or misbehaving node in the MPLS core that standard IP traceroute would not see, since IP traceroute relies on TTL expiry in the IP header, which may not occur in an MPLS network where labels are swapped and IP TTL is often copied from the label TTL.

Exam trap

Cisco often tests the distinction between MPLS ping (end-to-end LSP validation) and MPLS traceroute (hop-by-hop path discovery), and the trap here is that candidates confuse 'ping' with 'traceroute' and assume MPLS ping provides per-hop details, when it only confirms connectivity without revealing the intermediate path.

How to eliminate wrong answers

Option A is wrong because standard IP traceroute uses ICMP TTL-exceeded messages, which may not be generated by MPLS transit LSRs if they propagate the IP TTL from the MPLS label TTL, or if the LSRs are configured to not send ICMP for MPLS traffic, thus failing to reveal the MPLS path. Option B is wrong because ping (ICMP echo) only tests end-to-end reachability and cannot isolate which specific hop in the MPLS LSP is causing packet loss; it provides no per-hop visibility. Option D is wrong because MPLS ping (LSP ping) only verifies the end-to-end LSP connectivity and does not provide hop-by-hop path information; it will either succeed or fail, but cannot pinpoint the exact intermediate node where loss occurs.

714
MCQeasy

A network operator deploys a QoS policy on a route reflector to classify traffic based on BGP community values. However, the policy is not matching the intended traffic. Which is the most likely cause?

A.The policy-map is applied to the wrong interface.
B.The class-map uses a match statement referencing BGP community values, which are not visible at the QoS classification stage.
C.The service-policy is applied in the wrong direction (input vs output).
D.The class-default class is consuming all traffic.
AnswerB

BGP communities are control-plane attributes; QoS uses packet headers.

Why this answer

BGP community values are exchanged as part of the BGP routing update and are stored in the BGP table, but they are not carried in the IP packet header. QoS classification in Cisco IOS operates on fields within the Layer 2 or Layer 3 packet header (e.g., DSCP, IP precedence, CoS) and cannot inspect BGP attributes like community values. Therefore, a class-map using a match statement for BGP communities will never match traffic at the QoS classification stage, making this the most likely cause of the policy not working.

Exam trap

Cisco often tests the distinction between control-plane attributes (like BGP communities) and data-plane packet headers, leading candidates to incorrectly assume that any attribute visible in the routing table can be used for QoS classification.

How to eliminate wrong answers

Option A is wrong because the question states the policy is deployed on a route reflector, and the issue is that the policy is not matching the intended traffic; applying the policy-map to the wrong interface would cause no traffic to be classified at all, but the core problem is that the classification criteria (BGP community) are invalid for QoS, not the interface selection. Option C is wrong because the direction (input vs output) affects when the policy is applied relative to packet forwarding, but even if the direction is correct, the policy still cannot match on BGP communities since they are not present in the packet header. Option D is wrong because the class-default class consuming all traffic would indicate that no other class matches, which is exactly what happens when the match criteria are invalid, but the root cause is the inability to match on BGP communities, not a misconfiguration of class-default; class-default is a catch-all and would only be relevant if other classes had valid match statements.

715
MCQmedium

An SP network uses NSO for service orchestration. Which component in NSO provides the abstraction layer to communicate with different device types using protocols like NETCONF or CLI?

A.YANG
B.NED
C.RESTCONF
D.CDB
AnswerB

NED abstracts device specifics.

Why this answer

NEDs (Network Element Drivers) are plugins that translate NSO's service models to device-specific configurations.

716
Multi-Selecthard

A service provider is implementing 6VPE to provide IPv6 L3VPN services. Which three statements about 6VPE are true?

Select 3 answers
A.6VPE supports overlapping IPv6 address spaces between different VPNs.
B.6VPE PE routers must have IPv6 connectivity to the MPLS core.
C.6VPE requires a full IPv6 routing table on the PE router.
D.6VPE uses MP-BGP extensions with AFI 2 (IPv6) and SAFI 128 (MPLS-labeled VPN address family).
E.6VPE encapsulates IPv6 packets using GRE tunnels.
AnswersA, B, D

VRFs separate VPNs, allowing overlapping addresses.

Why this answer

6VPE uses MP-BGP with AFI 2 (IPv6) and SAFI 128 (MPLS-labeled VPN address family). It advertises IPv6 prefixes with an MPLS label and VPN label. 6VPE requires dual-stack PE routers.

717
MCQhard

A service provider is deploying Segment Routing Traffic Engineering (SR-TE) with a Path Computation Element (PCE). The PCE fails to compute a path for an SR-TE policy configured with constraint 'avoid nodes in affinity red'. The core network has red affinity assigned to several nodes. Which is the most likely cause?

A.The PCE does not have the updated link-state database with the affinity attributes
B.The headend router does not have the SR-TE policy configured with the correct path
C.The PCE is not reachable from the headend router
D.The SR-TE policy is configured with a strict explicit path that conflicts with the constraint
E.The red affinity is not properly configured in the network
AnswerA

PCE needs current IGP database to honor constraints; if not updated, it cannot compute paths with avoid conditions.

Why this answer

The PCE computes paths based on the link-state database (LSDB) it receives from the IGP (e.g., OSPF or IS-IS). If the LSDB does not include the affinity (color) attributes for the nodes, the PCE cannot evaluate the 'avoid nodes in affinity red' constraint. This results in a path computation failure, even though the affinities are correctly configured on the network devices.

Exam trap

Cisco often tests the misconception that a path computation failure is due to misconfigured affinities on the network devices, when in fact the root cause is the PCE lacking the updated link-state database with those affinity attributes.

How to eliminate wrong answers

Option B is wrong because the headend router's SR-TE policy configuration is irrelevant if the PCE cannot compute the path; the policy is the trigger for the PCE request, not the cause of the computation failure. Option C is wrong because if the PCE were unreachable, the headend would receive a connectivity error or timeout, not a path computation failure specific to the affinity constraint. Option D is wrong because a strict explicit path would be defined by the operator and would not involve the PCE computing a path with constraints; the PCE would simply validate the explicit path, not fail due to constraint evaluation.

Option E is wrong because the question states that the core network has red affinity assigned to several nodes, so the affinity is properly configured; the issue is that the PCE lacks the updated LSDB containing those affinity attributes.

718
MCQhard

A service provider has a network with multiple PE routers providing MPLS L3VPN services. Customers are complaining that some remote sites are unreachable after a recent software upgrade on PE1. Upon investigation, you notice that PE1 is receiving BGP VPNv4 routes from the route reflector, but some routes are not being installed in the VRF routing table. PE1 is configured with BGP additional-path capability and has a route policy that selects only the best path. The VRF on PE1 has import and export route targets configured correctly. The missing routes have a higher local preference but are not selected due to a tie-break in BGP path selection. Which action should be taken to ensure that all valid routes are installed in the VRF?

A.Reset the BGP session between PE1 and the route reflector.
B.Configure BGP additional-paths for the VRF and adjust the route policy to allow multiple paths.
C.Disable route target filtering on PE1 to import all routes.
D.Increase the local preference on the route reflector for the missing routes.
AnswerB

Additional-paths allows multiple BGP paths to be installed in the VRF.

Why this answer

B is correct because the issue is that PE1 is configured with BGP additional-path capability but has a route policy that selects only the best path. When BGP path selection ties on local preference and other attributes, additional-path send/receive capability allows multiple paths to be considered, but the route policy must be adjusted to permit multiple paths into the VRF. Without this, only the single best path is installed, even if valid alternative paths exist.

Exam trap

Cisco often tests the distinction between enabling BGP additional-path capability globally and actually configuring the VRF to accept multiple paths; candidates mistakenly think that enabling additional-path alone is sufficient, but the route policy must be adjusted to allow multiple paths into the VRF routing table.

How to eliminate wrong answers

Option A is wrong because resetting the BGP session would not change the route selection logic; the same tie-break would occur again, and the missing routes would still not be installed. Option C is wrong because disabling route target filtering would import all routes regardless of RT, which violates VRF isolation and could introduce incorrect routing, but the problem is not about RT filtering—it is about BGP path selection limiting the number of paths installed. Option D is wrong because increasing local preference on the route reflector would only affect the tie-break if the missing routes had a lower local preference, but the scenario states they have a higher local preference and are still not selected due to a different tie-break; changing local preference would not resolve the fundamental issue of multiple paths not being accepted.

719
MCQmedium

A service provider is deploying OSPFv3 for IPv6 in its core. The network uses multiple areas. Which LSA type is used by OSPFv3 to advertise prefix information for inter-area routes?

A.Network LSA (Type 0x2002)
B.Intra-Area Prefix LSA (Type 0x2009)
C.Router LSA (Type 0x2001)
D.Inter-Area Prefix LSA (Type 0x2003)
AnswerD

Correct LSA for inter-area prefixes.

Why this answer

In OSPFv3, Inter-Area Prefix LSAs (Type 0x2003) are used to advertise prefixes from other areas.

720
MCQeasy

An SP has configured MPLS TE tunnels for traffic engineering. To verify the status of the TE tunnels, which command provides the most relevant information?

A.show mpls forwarding-table
B.show mpls ldp tunnels
C.show mpls traffic-eng tunnels brief
D.show ip rsvp reservation
AnswerC

This command summarizes TE tunnel states and is the primary verification tool.

Why this answer

The 'show mpls traffic-eng tunnels brief' command directly displays the status, state (up/down), and key parameters (e.g., bandwidth, path) of all configured MPLS TE tunnels, making it the most relevant command for verifying TE tunnel status. It provides a concise view of tunnel endpoints, admin/operational states, and signaled bandwidth, which is essential for traffic engineering verification.

Exam trap

Cisco often tests the distinction between LDP and RSVP-TE; candidates mistakenly think LDP is involved in TE tunnel signaling, but LDP is for label distribution in non-TE MPLS, while TE tunnels exclusively use RSVP-TE for path setup and bandwidth reservation.

How to eliminate wrong answers

Option A is wrong because 'show mpls forwarding-table' displays the LFIB (Label Forwarding Information Base) entries for all MPLS labels, not the status or configuration of TE tunnels; it shows how packets are forwarded based on labels, not tunnel state. Option B is wrong because 'show mpls ldp tunnels' is not a valid Cisco command; LDP (Label Distribution Protocol) does not manage TE tunnels—TE uses RSVP-TE for signaling, not LDP. Option D is wrong because 'show ip rsvp reservation' shows RSVP reservation state (e.g., bandwidth reservations) but does not provide the operational status or brief summary of MPLS TE tunnels; it is a lower-level RSVP command, not a TE tunnel verification tool.

721
MCQeasy

A service provider is deploying a BNG for subscriber management. Which protocol is typically used to authenticate subscribers and assign IP addresses in a PPPoE-based broadband network?

A.DHCP
B.RADIUS
C.IPoE
D.TACACS+
AnswerB

RADIUS is widely used for subscriber AAA in BNG.

Why this answer

RADIUS is the standard protocol for authentication, authorization, and accounting (AAA) in BNG environments. DHCP assigns IP addresses, but authentication is via RADIUS. TACACS+ is for device administration; IPoE uses DHCP but not typically for authentication.

722
MCQeasy

A service provider is deploying a point-to-point Layer 2 VPN across an MPLS network using Ethernet over MPLS (EoMPLS) with Martini encapsulation. The customer requires transparent transport of VLAN tags (Q-in-Q) between two sites. The provider configures the attachment circuits on the PE routers as VLAN subinterfaces with dot1q encapsulation. After configuration, the customer reports that only untagged frames pass through the pseudowire; double-tagged frames are dropped at the egress PE. Which action resolves the issue?

A. Replace the attachment circuit with a port-mode Layer 2 interface and disable VLAN tagging on the PE
B. Configure the pseudowire to use the 'tag-imposition' keyword to allow double tagging
C. Configure the PE routers to use VLAN translation to map both tags to a single tag before encapsulation
D. Change the encapsulation on the PE subinterfaces to dot1q second-dot1q and enable the preservation of the outer VLAN tag at the ingress PE
Answer: D

Why this answer

Option D is correct because EoMPLS with Martini encapsulation (RFC 4448) supports Q-in-Q transparent transport only when the ingress PE is configured to preserve the outer VLAN tag. Using 'dot1q second-dot1q' encapsulation on the subinterface tells the PE to treat the outer tag as part of the payload and not strip it, allowing both tags to be carried across the pseudowire. Without this, the default dot1q encapsulation strips the outer tag, causing double-tagged frames to be dropped at the egress PE.

Exam trap

Cisco often tests the distinction between 'dot1q' and 'dot1q second-dot1q' encapsulation on subinterfaces, where candidates mistakenly think that standard dot1q encapsulation will preserve double tags, but it actually strips the outer tag before encapsulation into the pseudowire.

How to eliminate wrong answers

Option A is wrong because replacing the attachment circuit with a port-mode Layer 2 interface and disabling VLAN tagging would strip all VLAN tags, preventing Q-in-Q transport entirely. Option B is wrong because 'tag-imposition' is not a valid keyword for EoMPLS pseudowires; it is a concept used in MPLS VPN label imposition, not for preserving double tags in Layer 2 VPNs. Option C is wrong because VLAN translation would map both tags to a single tag, which defeats the purpose of transparent Q-in-Q transport and does not preserve the original double-tagged frame structure.

723
MCQ · hard

A service provider uses BGP FlowSpec (RFC 8955) to mitigate DDoS attacks. Which component in the network is responsible for originating the FlowSpec rules and distributing them to routers?

A. A FlowSpec controller (e.g., router with policy or SDN controller)
B. The trigger router used for RTBH
C. The victim's CE router
D. An anomaly detection system like Cisco Peakflow
Answer: A

The controller originates FlowSpec NLRI and distributes via BGP.

Why this answer

In FlowSpec, a controller (or a router acting as controller) originates the FlowSpec NLRI and distributes it to edge routers via BGP. Edge routers apply the actions (e.g., drop, rate-limit). The trigger router is for RTBH; detection system may trigger but does not distribute FlowSpec.

724
MCQ · hard

A service provider wants to gracefully shut down a BGP session to a customer for maintenance without causing traffic loss. Which BGP feature should be used to signal the peer to reroute traffic before the session is brought down?

A. BGP TTL Security
B. BGP Route Refresh
C. BGP Graceful Shutdown (GSHUT)
D. BGP Fast External Failover
Answer: C

GSHUT advertises routes with a low local preference to drain traffic.

Why this answer

BGP Graceful Shutdown (GSHUT) uses a well-known community or attribute to inform peers that the session is going down, allowing them to reroute traffic. BFD detects failures fast but does not signal; TTL propagation is for MPLS; route refresh is for soft reconfiguration.

725
MCQ · easy

Which QoS mechanism marks packets at the edge of the network to classify traffic into different service classes?

A. Queuing
B. Shaping
C. Policing
D. Marking
Answer: D

Marking sets the QoS bits in the packet header.

Why this answer

Marking is the QoS mechanism that sets the Differentiated Services Code Point (DSCP) or IP Precedence bits in the packet header at the ingress edge of the network. This classification allows downstream devices to apply per-hop behaviors (PHBs) based on the marked value, as defined in RFC 2474 and RFC 2597. Unlike queuing, shaping, or policing, marking does not delay or drop packets; it only modifies the packet header to indicate the desired service class.

Exam trap

Cisco often tests the distinction between marking and policing, where candidates mistakenly think policing is used for classification because it can re-mark packets, but the question specifically asks for the mechanism that marks at the edge to classify traffic, which is marking itself, not policing.

How to eliminate wrong answers

Option A is wrong because queuing is a congestion management mechanism that determines the order in which packets are transmitted out of an interface, not a mechanism for marking packets at the edge. Option B is wrong because shaping smooths traffic bursts by buffering and delaying packets to conform to a configured rate, but it does not mark packets with classification information. Option C is wrong because policing enforces a traffic rate by dropping or re-marking packets that exceed a threshold, but its primary function is rate limiting, not initial marking at the edge for classification.

726
MCQ · medium

A service provider is migrating from OSPF to IS-IS in the core network. They need to support Traffic Engineering and Segment Routing. Which IS-IS TLV must be supported to carry TE information?

A. TLV 130
B. TLV 22
C. TLV 135
D. TLV 128
Answer: B

TLV 22 (Extended IS reachability) carries TE information including wide metrics.

Why this answer

IS-IS TLV 22 (Extended IS reachability) carries TE metrics and other attributes for traffic engineering. TLVs 128 and 130 are IP reachability TLVs; TLV 135 is for extended IP reachability.

727
Multi-Select · medium

Which TWO are key features of IOS XR architecture? (Choose two.)

Select 2 answers
A. Configuration applied immediately without validation
B. Monolithic kernel with shared memory address space
C. Distributed OS with process separation
D. Single process for all routing protocols
E. Commit/rollback configuration model
Answers: C, E

Each process runs independently.

Why this answer

IOS XR is a distributed OS with process separation and a commit/rollback model. Monolithic kernel and shared memory are not features.

728
MCQ · hard

In Segment Routing over IPv6 (SRv6), what is the function of the SRH (Segment Routing Header)?

A. It replaces the IPv6 header to reduce overhead
B. It contains the segment list (ordered list of SIDs)
C. It provides OAM capabilities for path monitoring
D. It uses the IPv6 flow label to encode the path
Answer: B

SRH contains a list of SIDs that define the forwarding path.

Why this answer

The Segment Routing Header (SRH) is a new IPv6 extension header defined in RFC 8754 that carries an ordered list of Segment Identifiers (SIDs). When a packet is forwarded along a segment-routed path, the SRH encodes the explicit path by listing each segment (node or adjacency SID) in sequence, and the active segment is updated as the packet traverses each hop. This allows the source node to steer packets through a specific path without intermediate nodes needing to maintain per-flow state.

Exam trap

Cisco often tests the distinction between the SRH's core function (carrying the segment list) and ancillary features like OAM or flow label usage, so candidates may incorrectly associate the SRH with monitoring or encoding mechanisms that are separate from its primary role.

How to eliminate wrong answers

Option A is wrong because the SRH does not replace the IPv6 header; it is an extension header that follows the fixed IPv6 header, and the IPv6 header remains intact with its source and destination addresses. Option C is wrong because while SRv6 can support OAM functions (e.g., via mechanisms like ping or traceroute using SIDs), the primary and defining function of the SRH is to carry the segment list, not to provide OAM capabilities. Option D is wrong because the IPv6 flow label is a separate 20-bit field in the IPv6 header used for flow classification and load balancing, not for encoding the path; the path is encoded in the SRH segment list.

729
MCQ · hard

Which Cisco platform is designed for the core/backbone of large service provider networks and offers high scalability with IOS XR?

A. Cisco NCS 5500
B. Cisco CRS
C. Cisco 8000 series
D. Cisco ASR 9000
Answer: B

CRS is the core router.

Why this answer

The Cisco CRS (Carrier Routing System) is a high-end core router designed for the backbone of large SP networks.

730
MCQ · easy

In IOS XR architecture, what is the purpose of Secure Domain Router (SDR)?

A. To encrypt control plane traffic
B. To enable process separation and fault isolation
C. To provide a secure management plane
D. To aggregate multiple physical routers
Answer: B

SDR provides fault isolation between virtual routers.

Why this answer

SDR logically partitions a physical router into multiple independent routers, each with its own control plane and resources.

731
MCQ · hard

Refer to the exhibit. Which statement is correct about the LDP bindings for prefix 10.0.0.0/24?

A. There are two remote label bindings for this prefix from different LSRs.
B. Both remote bindings are from the same LSR.
C. The local label for this prefix is 18.
D. The router is performing PHP for this prefix.
Answer: A

Correct. Two remote bindings exist.

Why this answer

The exhibit shows two remote label bindings for prefix 10.0.0.0/24, one with an incoming label of 18 from LSR 192.168.1.2 and another with an incoming label of 19 from LSR 192.168.1.3. This indicates that two different LSRs have advertised label bindings for the same prefix, which is typical in an MPLS network with multiple paths. Therefore, option A is correct.

Exam trap

Cisco often tests the distinction between local and remote label bindings, and the trap here is that candidates may mistakenly interpret the labels 18 and 19 as local labels or assume both remote bindings come from the same LSR, leading them to choose option B or C.

How to eliminate wrong answers

Option B is wrong because the two remote bindings originate from different LSRs (192.168.1.2 and 192.168.1.3), not the same LSR. Option C is wrong because the local label for this prefix is not shown in the exhibit; the labels 18 and 19 are remote labels advertised by other LSRs, not the local label of the router itself. Option D is wrong because PHP (Penultimate Hop Popping) is indicated by an implicit null label (label 3) being advertised, but the exhibit shows explicit label values (18 and 19), so PHP is not being performed for this prefix.

732
MCQ · easy

An engineer notices that MPLS VPN traffic is taking a suboptimal path because the MPLS label binding for the BGP next-hop loopback is missing. What is the most likely cause?

A. The remote PE is configured with a different VPN ID.
B. The local PE does not have a route to its own loopback.
C. LDP is not enabled on the core-facing interfaces.
D. LDP is not enabled on the PE-CE interface.
Answer: C

LDP on core interfaces is required to propagate labels for the loopback.

Why this answer

MPLS VPN traffic relies on LDP to distribute labels for the BGP next-hop loopback addresses used in the VPNv4 route exchange. If LDP is not enabled on the core-facing interfaces, the local PE cannot obtain a label binding for the remote PE's loopback, causing the traffic to be forwarded via IP (without a label) or taking a suboptimal path. Enabling LDP on all core-facing interfaces resolves the missing label binding and restores optimal label-switched forwarding.

Exam trap

Cisco often tests the distinction that LDP is required on core-facing interfaces for MPLS label distribution, not on PE-CE interfaces, and that the missing label binding is for the remote PE's loopback, not the local PE's route.

How to eliminate wrong answers

Option A is wrong because the VPN ID is used to identify the VRF on the PE and does not affect MPLS label bindings for the BGP next-hop loopback; a mismatch would prevent VPN route import/export, not cause a missing label. Option B is wrong because the local PE must have a route to its own loopback for local operations, but the issue is about the label binding for the remote PE's loopback, not the local one. Option D is wrong because LDP is not required on PE-CE interfaces; it is only needed on core-facing interfaces to exchange labels for loopback routes between PEs.

733
MCQ · easy

Which MEF service type provides a multipoint-to-multipoint Ethernet virtual connection?

A. E-Access
B. E-Line
C. E-LAN
D. E-Tree
Answer: C

Correct. E-LAN is multipoint-to-multipoint.

Why this answer

E-LAN (Ethernet LAN) service provides multipoint-to-multipoint connectivity, as per MEF standards.

734
MCQ · easy

What is the primary function of the aggregation layer in a service provider network?

A. Provide direct customer connections
B. Aggregate traffic from the access layer and forward to the core
C. Perform deep packet inspection
D. Provide high-speed backbone connectivity
Answer: B

Aggregation layer consolidates access traffic.

Why this answer

The aggregation layer collects traffic from access nodes and forwards it to the core, often performing QoS, filtering, and subscriber management.

735
MCQ · hard

An SP is designing an MPLS L3VPN service with BGP as the PE-CE routing protocol. They want to ensure that the CE router does not become a transit router between two sites. Which BGP feature should be configured on the PE to prevent the CE from advertising routes received from one site to another?

A. Site of Origin (SoO)
B. allowas-in
C. disable-connected-check
D. as-override
Answer: A

SoO marks routes so that a CE will ignore routes with its own SoO, preventing transit.

Why this answer

The Site of Origin (SoO) BGP community is the correct feature because it prevents routing loops in MPLS L3VPN environments where the same CE router connects to multiple sites. When configured on the PE, SoO tags routes received from a CE with a unique identifier for that site; if the PE receives a route with the same SoO value from another site, it discards the route, ensuring the CE does not become a transit router between sites.

Exam trap

Cisco often tests the confusion between SoO and as-override, as both deal with BGP updates in MPLS L3VPN, but as-override modifies the AS_PATH to allow route acceptance, while SoO prevents route redistribution to avoid transit routing.

How to eliminate wrong answers

Option B (allowas-in) is wrong because it allows the PE to accept BGP updates containing its own AS number, which is used in hub-and-spoke topologies to permit route reflection, not to prevent transit routing. Option C (disable-connected-check) is wrong because it disables the TCP connection check for eBGP multihop sessions, ensuring the BGP session stays up even if the next-hop is not directly connected, which is unrelated to preventing transit routing. Option D (as-override) is wrong because it replaces the CE's AS number with the PE's AS number in BGP updates to overcome the split-horizon rule in hub-and-spoke designs, but it does not prevent the CE from advertising routes between sites.

736
MCQ · medium

Based on the exhibit, which statement is true about the applied QoS policy?

A. The default class matches only best-effort traffic.
B. The policy uses low-latency queuing for voice.
C. Video traffic is being dropped at a rate of 5 kbps.
D. Voice traffic is experiencing drops due to policer.
Answer: C

The video class shows an exceed rate of 5 kbps, confirming drops.

Why this answer

Option B is correct because the video class is exceeding its police rate (CIR 20 kbps) with an exceed rate of 5 kbps, indicating that 5 kbps of video traffic is being dropped. Option A is false because the voice class has no drops. Option C is false because the default class matches any traffic.

Option D is false because no priority or LLQ is configured, only policing.

737
MCQ · hard

In an SP network using NSO for service orchestration, which component abstracts device-specific CLI or SNMP interactions into a common model for NETCONF/RESTCONF southbound communication?

A. YANG model
B. CDB (Configuration Database)
C. RESTCONF northbound API
D. NED (Network Element Driver)
Answer: D

NED abstracts device-specific operations to a common YANG model.

Why this answer

The Network Element Driver (NED) provides the abstraction layer between NSO and network devices, translating YANG models to device-specific configurations (e.g., CLI, SNMP).

738
MCQ · easy

An SP is managing a large MPLS network and needs to verify the MPLS forwarding entries for a specific VRF. Which command provides the most complete information for the VRF?

A. show ip cef vrf <name>
B. show mpls forwarding-table vrf <name>
C. show mpls vrf <name>
D. show bgp vpnv4 unicast all labels
Answer: B

Shows the complete LFIB for the VRF with inbound and outbound labels.

Why this answer

Option B is correct because the 'show mpls forwarding-table vrf <name>' command displays the complete MPLS forwarding entries for a specific VRF, including the incoming label, outgoing label, next-hop, and outgoing interface. This command is specifically designed to verify MPLS label-switched paths (LSPs) for a VRF, which is essential for troubleshooting MPLS VPN forwarding. It provides the most complete information for MPLS forwarding, as it shows both the label operations (swap, pop, push) and the VRF-specific forwarding details.

Exam trap

Cisco often tests the distinction between control plane (BGP, CEF) and data plane (MPLS forwarding) commands, and the trap here is that candidates confuse 'show ip cef vrf' (which shows IP forwarding) with 'show mpls forwarding-table vrf' (which shows MPLS label forwarding), leading them to choose option A instead of the correct B.

How to eliminate wrong answers

Option A is wrong because 'show ip cef vrf <name>' displays the CEF (Cisco Express Forwarding) table for the VRF, which shows IP prefix and next-hop information but does not include MPLS label details such as incoming or outgoing labels. Option C is wrong because 'show mpls vrf <name>' is not a valid Cisco IOS command; the correct command for VRF-specific MPLS information is 'show mpls forwarding-table vrf <name>'. Option D is wrong because 'show bgp vpnv4 unicast all labels' displays BGP VPNv4 label information for all VRFs, but it shows only the labels advertised via BGP, not the complete MPLS forwarding entries (e.g., incoming labels, outgoing interfaces) for a specific VRF.

739
MCQ · medium

In SR-MPLS, when a router receives a packet with an MPLS label corresponding to an Adjacency SID, what operation does it perform?

A. It pops the label and forwards the packet out of the specific interface.
B. It performs a recursive lookup in the FIB to determine the next hop.
C. It pushes an additional label and forwards.
D. It swaps the label with the next-hop label and forwards.
Answer: A

Correct: The label is popped and packet forwarded on the corresponding link.

Why this answer

An Adjacency SID represents a specific link; when a router receives a packet with that label, it pops the label and forwards the packet out of the associated interface, because the Adjacency SID is a 'penultimate hop popping' type of SID.

740
MCQ · medium

In EVPN multi-homing with all-active mode, which mechanism is used to elect a designated forwarder (DF) for broadcast, unknown unicast, and multicast (BUM) traffic on a given Ethernet segment?

A. Load balancing via MLAG
B. ES-IS protocol
C. DF election via ESI label and route type 4
D. MSTP
Answer: C

Route type 4 (Ethernet Segment route) is used to announce ESI and perform DF election.

Why this answer

The DF election is performed using a deterministic algorithm based on the ESI and the list of PEs, with the lowest IP address becoming DF.

741
MCQ · easy

Which component of the IOS XR architecture is responsible for managing the system configuration and providing a separation of control plane for multiple tenants?

A. Default SDR
B. XR Config Manager
C. Admin Plane
D. LRO (Label Rewrite Engine)
Answer: A

Default SDR (Secure Domain Router) handles configuration and control plane separation.

Why this answer

Secure Domain Router (SDR) provides logical separation of control plane resources, while admin plane is for system administration.

742
MCQ · medium

Based on the exhibit, which prefix is NOT reachable via MPLS forwarding?

A. 10.1.1.1/32
B. 10.3.3.3/32
C. 10.2.2.2/32
D. 10.5.5.5/32
Answer: D

The outgoing label is Untagged, so MPLS forwarding is not applied, likely causing packet drop.

Why this answer

Option D (10.5.5.5/32) is correct because the exhibit shows that the LDP label bindings are only present for prefixes 10.1.1.1/32, 10.2.2.2/32, and 10.3.3.3/32. The prefix 10.5.5.5/32 is not in the LDP label information base (LIB), meaning no MPLS label has been assigned to it, so it cannot be forwarded via MPLS and must be forwarded using standard IP routing instead.

Exam trap

Cisco often tests the distinction between prefixes that have LDP label bindings versus those that are simply present in the routing table, trapping candidates who assume all IGP routes are automatically MPLS-switched without verifying the label bindings.

How to eliminate wrong answers

Option A is wrong because 10.1.1.1/32 has an LDP label binding (label 16) as shown in the exhibit, making it reachable via MPLS forwarding. Option B is wrong because 10.3.3.3/32 has an LDP label binding (label 18) as shown in the exhibit, making it reachable via MPLS forwarding. Option C is wrong because 10.2.2.2/32 has an LDP label binding (label 17) as shown in the exhibit, making it reachable via MPLS forwarding.

743
MCQ · easy

A network engineer needs to perform maintenance on a BGP router without causing traffic loss. They plan to use BGP Graceful Shutdown (GSHUT). What does GSHUT do?

A. It immediately terminates all BGP sessions
B. It uses BGP fast external failover to speed up convergence
C. It sets the local preference to a lower value to withdraw routes gracefully
D. It increases the MED to deprefer routes
Answer: C

Lower local preference makes routes less preferred, causing traffic to shift before shutdown.

Why this answer

BGP GSHUT adjusts the local preference of routes to make them less preferred, gracefully draining traffic before the session is shut down. This avoids packet loss.

744
Multi-Select · medium

A network engineer is designing a Segment Routing over IPv6 (SRv6) deployment. Which TWO statements are true about the SRv6 SID format and behaviors? (Choose two.)

Select 2 answers
A. End.X behavior is a default behavior for any SID that is not explicitly defined.
B. End.DT6 behavior is used for IPv6 L3VPN services.
C. End.DT4 behavior is used for EVPN L2VPN services over SRv6.
D. The SRv6 SID is 128 bits long and consists of a Locator, Function, and optional Arguments.
E. The SRH (Segment Routing Header) is an extension header that replaces the IPv6 header when SR is used.
Answers: B, D

Correct. End.DT6 decapsulates and forwards to IPv6 VPN.

Why this answer

SRv6 SID is 128 bits and includes locator, function, and optional argument. End.DT4 is for IPv4 L3VPN; End.DT6 is for IPv6 L3VPN; End.DT2U is for L2VPN (EVPN VPWS). The SRH is the new routing header.

Thus A and D are correct.

745
MCQ · medium

In OSPFv3, which statement correctly describes how OSPFv3 differs from OSPFv2 regarding router IDs and adjacencies?

A. OSPFv3 uses a 32-bit Router ID independent of IPv6 addresses.
B. OSPFv3 uses the same LSA types as OSPFv2.
C. OSPFv3 requires both IPv4 and IPv6 addresses on interfaces.
D. OSPFv3 uses IPv6 addresses to form adjacencies.
Answer: A

Correct. Router ID is 32-bit and must be configured or derived from an IPv4 address.

Why this answer

OSPFv3 uses a 32-bit Router ID independent of IPv6 addresses. Adjacencies are formed with Router IDs, not link-local addresses. OSPFv3 runs per-link rather than per-subnet.

746
Multi-Select · hard

Which TWO are essential components for deploying EVPN in a service provider network?

Select 2 answers
A. Overlay tunnel encapsulation such as VXLAN or MPLS
B. OSPF as the underlay routing protocol
C. BGP for MAC/VPN route advertisement
D. PIM-SM for multicast replication
E. RSVP-TE for path computation
Answers: A, C

EVPN requires an overlay for traffic forwarding.

Why this answer

A is correct because EVPN requires an overlay tunnel encapsulation to transport Layer 2 frames across the IP/MPLS underlay. VXLAN (RFC 7348) and MPLS (RFC 7432) are the two primary encapsulations used to carry Ethernet frames over the overlay, enabling MAC address learning and forwarding in the EVPN control plane.

Exam trap

Cisco often tests the misconception that a specific underlay protocol (like OSPF) is mandatory for EVPN, when in fact only the overlay encapsulation and BGP control plane are essential, while the underlay can be any IP-routed network.

747
Multi-Select · medium

A service provider is implementing security for BGP peering. Which two methods help prevent BGP route hijacking? (Choose two.)

Select 2 answers
A. BGP next-hop-self
B. BGP multipath
C. RPKI origin validation
D. BGP prefix filtering
E. BGP GSHUT
Answers: C, D

Validates that the origin AS is authorized.

Why this answer

Prefix filtering (with prefix-lists and route-maps) ensures only expected prefixes are accepted from peers. RPKI validation provides cryptographic verification of origin AS. Both prevent hijacking.

748
MCQ · easy

In the DiffServ model, which DSCP value is used for Voice over IP (VoIP) traffic to ensure Expedited Forwarding (EF) per-hop behavior?

A. DSCP 34 (AF41)
B. DSCP 26 (AF31)
C. DSCP 46 (EF)
D. DSCP 0 (Best Effort)
Answer: C

DSCP 46 is the standard value for Expedited Forwarding, used for voice.

Why this answer

EF PHB is used for low-loss, low-latency traffic such as voice. The recommended DSCP value for EF is 46 (binary 101110).

749
MCQ · medium

During a DDoS attack, an SP wants to drop traffic destined to the victim IP at the network edge without affecting other traffic. Which technique should be used to achieve this by propagating a black-hole route from a trigger router to all edge routers?

A. S/RTBH (Remotely Triggered Black Hole) using BGP community
B. Cisco Peakflow to reroute traffic
C. BGP FlowSpec to distribute filtering rules
D. IDMS to scrub traffic
Answer: A

S/RTBH advertises a /32 route with a blackhole community to trigger null routing.

Why this answer

S/RTBH uses BGP to advertise a /32 route with a specific community to trigger routers to install a null route. This drops traffic to the victim IP at the edge. FlowSpec is more flexible but not specifically for RTBH; Peakflow detects anomalies; IDMS scrubs traffic.

750
MCQ · easy

Which MPLS-based service provides point-to-point Ethernet connectivity over a service provider network, also known as a pseudowire?

A. EVPN
B. VPWS
C. L3VPN
D. VPLS
Answer: B

VPWS is the correct point-to-point service.

Why this answer

VPWS (Virtual Private Wire Service) is a point-to-point L2VPN service that emulates a wire, also called a pseudowire.
