Cisco SPCOR / CCNP Service Provider Core 350-501 (350-501) — Questions 751825

988 questions total · 14pages · All types, answers revealed

Page 10

Page 11 of 14

Page 12
751
Multi-Selecthard

A network architect is designing a model-driven telemetry solution for a large SP network. Which three factors are critical to consider when configuring telemetry subscriptions? (Choose three.)

Select 3 answers
A.The size of the YANG data model.
B.The collection protocol (gRPC vs gNMI vs native TCP).
C.Network bandwidth to the telemetry collector.
D.The sampling interval for periodic subscriptions.
E.The encoding format (GPB, JSON, XML).
AnswersB, C, D

The protocol determines capabilities like on-change reporting, encoding, and transport efficiency.

Why this answer

The collection protocol (gRPC, gNMI, or native TCP) is critical because it determines the transport mechanism, security model, and compatibility with the telemetry collector. gRPC offers high-performance streaming with TLS, gNMI provides a standardized interface for both telemetry and configuration, and native TCP is simpler but less flexible. Choosing the wrong protocol can lead to interoperability issues or performance bottlenecks in a large SP network.

Exam trap

Cisco often tests the distinction between factors that are critical for subscription configuration versus those that are important for overall telemetry deployment but not directly part of the subscription setup, leading candidates to mistakenly select encoding format or YANG model size.

752
MCQmedium

In BGP route selection, when comparing two routes with the same LOCAL_PREF, which attribute is considered next?

A.Locally originated routes (prefer routes originated by the local router)
B.MED
C.AS_PATH length
D.eBGP over iBGP
AnswerA

Correct; routes originated locally are preferred over received routes.

Why this answer

After LOCAL_PREF, the next step in BGP best path selection is whether the route was originated locally (via network or aggregate command). Then AS_PATH length is considered.

753
MCQeasy

A service provider's network core runs IS-IS as the IGP. After adding a new router, some routers have incomplete LSP databases. The new router's interfaces are up, and IS-IS adjacency is up with neighbors. What is the cause? The network has a mix of interface MTUs, with some links having MTU 1500 and others 4470.

A.MTU mismatch on the interface
B.IS-IS overload bit set on the new router
C.IS-IS LSP flooding is inhibited on the new router
D.The new router's system-id is a duplicate
AnswerA

Smaller MTU can cause LSP fragmentation/drop, leading to incomplete databases.

Why this answer

The correct answer is A because an MTU mismatch on the interface causes incomplete LSP databases. IS-IS uses a maximum LSP size derived from the interface MTU minus the IS-IS header overhead (typically 3 bytes for the LSP header). When a router with a smaller MTU (e.g., 1500) receives an LSP that was generated on a larger MTU link (e.g., 4470), the LSP may be too large to be stored or processed, leading to fragmentation or rejection.

This results in an incomplete LSP database on some routers, even though adjacencies are up.

Exam trap

Cisco often tests the misconception that MTU mismatch only affects adjacency formation, but in IS-IS, adjacencies can form even with MTU mismatch, and the real impact is on LSP database synchronization due to LSP size constraints.

How to eliminate wrong answers

Option B is wrong because the IS-IS overload bit prevents the router from being used for transit traffic but does not affect LSP database completeness; it only sets the overload flag in the router's LSP, signaling other routers to avoid using it for transit. Option C is wrong because if LSP flooding were inhibited on the new router, it would not send its own LSPs, but the problem states that adjacencies are up and some routers have incomplete databases, which points to a size mismatch rather than a flooding suppression. Option D is wrong because a duplicate system-id would cause adjacency failures or routing loops, not incomplete LSP databases; IS-IS would detect the duplicate via LSP sequence numbers and reject the newer LSP, but adjacencies would still form.

754
Multi-Selecthard

Which TWO are possible causes for a NETCONF session failing to establish with a Cisco IOS-XE device?

Select 2 answers
A.The device is running IOS-XR
B.The YANG module namespace is incorrect
C.NTP is not synchronized
D.TCP port 830 is blocked by a firewall
E.NETCONF is not enabled or SSH is not configured for NETCONF
AnswersD, E

NETCONF over SSH uses port 830 by default; if blocked, the TCP connection fails.

Why this answer

Option D is correct because NETCONF uses TCP port 830 as its default transport port (per RFC 6242). If a firewall blocks this port, the TCP three-way handshake cannot complete, preventing the NETCONF session from establishing. This is a common network-layer cause of session failure.

Exam trap

Cisco often tests the distinction between session establishment failures (caused by transport or authentication issues) and operational failures (caused by incorrect YANG models or data), leading candidates to confuse namespace errors with connectivity problems.

755
MCQhard

An SP is using NETCONF with YANG to automate VRF provisioning. The engineer notices that the NETCONF session is established but configuration changes are not applied. Which issue is most likely?

A.The YANG model does not support the target configuration datastore
B.The NETCONF capability :candidate is not advertised
C.The device does not support :url capability
D.The user does not have write access to the candidate datastore
AnswerB

If :candidate is not advertised, the device does not support candidate datastore, and edit-config with candidate fails.

Why this answer

NETCONF uses datastores to manage configuration. The `:candidate` capability allows changes to be made to a candidate configuration before committing them. If this capability is not advertised, the device defaults to the `:writable-running` capability, which requires changes to be applied directly to the running datastore.

Since the engineer is likely using a candidate-based workflow (e.g., `edit-config` with target `candidate`), the session establishes but changes are silently ignored or rejected because the device does not support a separate candidate datastore.

Exam trap

Cisco often tests the distinction between NETCONF capabilities (like `:candidate`) and YANG model compatibility, leading candidates to incorrectly blame the YANG model or user permissions when the real issue is a missing capability advertisement.

How to eliminate wrong answers

Option A is wrong because YANG models define data structures, not datastore support; the target datastore (e.g., candidate) is a NETCONF capability issue, not a YANG model limitation. Option C is wrong because the `:url` capability is used for referencing remote files (e.g., via FTP or HTTP) in operations like `copy-config`, and its absence would not prevent configuration changes via standard `edit-config`. Option D is wrong because the user's write access is irrelevant if the device does not advertise the `:candidate` capability; without the capability, the candidate datastore does not exist as a writable target.

756
MCQmedium

Which LDP label distribution mode is characterized by a router advertising labels for all prefixes in its routing table to all neighbors, regardless of whether they are needed?

A.Downstream on demand with conservative label retention
B.Downstream on demand with liberal label retention
C.Downstream unsolicited with conservative label retention
D.Downstream unsolicited with liberal label retention
AnswerD

Correct. This is the default mode for LDP.

Why this answer

Downstream unsolicited means the router sends label bindings without being asked; liberal label retention means it keeps all bindings even if not from the next hop.

757
MCQeasy

A service provider is configuring VRF-lite between two CE routers connected to the same PE. The CE routers are in different VRFs. Which command allows the PE router to forward traffic between the VRFs?

A.vrf forward RED
B.route-target export RED:100 import BLUE:100
C.ip route vrf RED 0.0.0.0 0.0.0.0 10.1.1.1 global
D.ip route vrf RED 0.0.0.0 0.0.0.0 vrf BLUE
AnswerD

Correct. This command uses the 'vrf' keyword to route between VRFs.

Why this answer

Option D is correct because the command `ip route vrf RED 0.0.0.0 0.0.0.0 vrf BLUE` creates a static inter-VRF route on the PE router, allowing traffic from VRF RED to be forwarded to VRF BLUE without requiring MPLS or BGP. This is the standard method for VRF-lite inter-VRF communication on the same PE, using a static route that points to the next-hop VRF instead of an IP address.

Exam trap

Cisco often tests the distinction between VRF-lite static inter-VRF routes and MPLS L3VPN route-target commands, trapping candidates who confuse the simple static route approach with the BGP-based route-target import/export mechanism.

How to eliminate wrong answers

Option A is wrong because `vrf forward RED` is not a valid Cisco IOS command; it does not exist and would not configure inter-VRF forwarding. Option B is wrong because `route-target export RED:100 import BLUE:100` is used in MPLS L3VPN environments to control route distribution between VRFs via MP-BGP, not for direct VRF-lite forwarding on a single PE. Option C is wrong because `ip route vrf RED 0.0.0.0 0.0.0.0 10.1.1.1 global` installs a default route in VRF RED pointing to a next-hop in the global routing table, which does not forward traffic into another VRF; it only sends traffic to the global table, not to VRF BLUE.

758
MCQmedium

During an MPLS network migration from LDP to Segment Routing, an engineer notices that some routers are not advertising Prefix-SIDs for certain loopbacks. The IGP is OSPF. What configuration is required on these routers to advertise Prefix-SIDs?

A.Enable 'mpls ldp autoconfig' on the loopback interface.
B.Enable 'segment-routing mpls' globally and configure 'prefix-sid index' under the loopback interface.
C.Configure 'segment-routing mpls set-adjacency-sid' on the loopback.
D.Configure 'segment-routing mpls' globally and assign a SID index under the OSPF router process for the loopback.
AnswerD

This enables SR globally and assigns the Prefix-SID under OSPF.

Why this answer

In OSPF, Prefix-SIDs for loopbacks are advertised by configuring 'segment-routing mpls' globally and then assigning a SID index under the OSPF router process using the 'prefix-sid index' command for the specific loopback network. This ties the SID to the OSPF prefix advertisement, enabling SR-MPLS forwarding without LDP.

Exam trap

Cisco often tests the distinction between where Prefix-SID configuration is applied (under the IGP process) versus interface-level commands, leading candidates to mistakenly configure 'prefix-sid index' directly on the loopback interface.

How to eliminate wrong answers

Option A is wrong because 'mpls ldp autoconfig' enables LDP on the interface, which is not used for Segment Routing and would not advertise Prefix-SIDs. Option B is wrong because 'prefix-sid index' is configured under the OSPF router process, not directly under the loopback interface; the interface-level command does not exist for OSPF. Option C is wrong because 'segment-routing mpls set-adjacency-sid' is used to assign Adjacency-SIDs on interfaces, not Prefix-SIDs for loopbacks.

759
MCQmedium

A service provider wants to provide a point-to-point Ethernet service between two customer sites with strict Service Level Agreements (SLAs). Which MEF service type should be used?

A.E-LAN
B.E-Access
C.E-Line
D.E-Tree
AnswerC

E-Line provides point-to-point Ethernet connectivity.

Why this answer

E-Line is a MEF standard for point-to-point Ethernet services, providing dedicated bandwidth and SLA guarantees.

760
Multi-Selectmedium

Which TWO of the following are characteristics of MPLS L3VPN architecture? (Choose two.)

Select 2 answers
A.All traffic is forwarded using MPLS label switching only
B.Each customer has a separate VRF on the PE router
C.LDP is required for label distribution in the core
D.The P routers maintain a full routing table for each VPN
E.Customer IP prefixes are exchanged using MP-BGP VPNv4 updates
AnswersB, E

VRF is essential for L3VPN isolation.

Why this answer

Option B is correct because in MPLS L3VPN, each customer is assigned a separate Virtual Routing and Forwarding (VRF) instance on the Provider Edge (PE) router. This VRF maintains a unique routing table and forwarding table per customer, ensuring complete isolation between different VPN customers on the same PE.

Exam trap

Cisco often tests the misconception that LDP is mandatory for MPLS L3VPN, but in reality, any label distribution protocol (LDP, RSVP-TE, or SR-MPLS) can be used in the core.

761
MCQeasy

An engineer is configuring QoS on a service provider edge router to prioritize real-time traffic. Which queuing mechanism provides the lowest latency and jitter for voice traffic?

A.FIFO
B.CBWFQ
C.WRED
D.LLQ
AnswerD

LLQ combines strict priority queue with CBWFQ for real-time traffic.

Why this answer

LLQ (Low Latency Queuing) is the correct choice because it combines a strict priority queue with CBWFQ, ensuring that voice traffic is always served before any other queue. This strict priority scheduling minimizes both latency and jitter for real-time traffic, which is critical for voice quality.

Exam trap

Cisco often tests the distinction between queuing mechanisms and congestion avoidance, so candidates may mistakenly choose WRED (a drop mechanism) or CBWFQ (which lacks strict priority) instead of LLQ for real-time traffic.

How to eliminate wrong answers

Option A is wrong because FIFO (First In, First Out) provides no traffic differentiation or priority, so voice packets can be delayed by large data packets, increasing latency and jitter. Option B is wrong because CBWFQ (Class-Based Weighted Fair Queuing) assigns bandwidth weights to classes but does not include a strict priority queue, so voice traffic may still experience queuing delays. Option C is wrong because WRED (Weighted Random Early Detection) is a congestion avoidance mechanism that drops packets to prevent tail drops, not a queuing mechanism, and it does not provide low latency or jitter for voice traffic.

762
Multi-Selectmedium

Which two actions are performed by an MPLS label edge router (LER) when it receives an unlabeled IP packet destined for a prefix with an LSP? (Choose two.)

Select 2 answers
A.It performs a recursive lookup in the LFIB.
B.It performs a label swap operation.
C.It forwards the packet based on the MPLS label.
D.It pops the top label and forwards based on the inner header.
E.It performs a label push operation to add an MPLS label.
AnswersC, E

Correct: After pushing, the packet is forwarded using the label.

Why this answer

The LER (or ingress LSR) imposes a label stack (push operation) on the packet, then forwards it based on the label. It does not swap labels (that's done by LSRs), nor does it pop the label (egress LER does).

763
MCQeasy

Which IS-IS metric type supports values up to 2^24-1 and is used for traffic engineering?

A.Extended metrics
B.Narrow metrics
C.TE metrics
D.Wide metrics
AnswerD

Wide metrics use 24 bits and support larger values for TE.

Why this answer

IS-IS wide metrics use a 24-bit field, allowing values up to 16,777,215, and are required for TE.

764
MCQmedium

A service provider is troubleshooting BGP route selection for prefixes received from two different peers. The first peer prepends its AS path twice, making it longer than the second peer's path. However, the router still prefers the route with the longer AS path. Which additional attribute could cause this behavior?

A.The route has a lower MED
B.The route has a higher weight
C.The route has a lower origin type
D.The route has a higher local preference
E.The route has a lower neighbor router ID
AnswerD

Local preference is the first criterion in BGP path selection; a higher value will be chosen regardless of AS path length.

Why this answer

BGP selects the best path based on a sequence of comparison steps. The first step after considering the next-hop reachability is to prefer the route with the highest weight (Cisco proprietary), then the highest local preference. Since the router prefers the longer AS path, a higher local preference (option D) on the first peer's route overrides the shorter AS path of the second peer, as local preference is evaluated before AS path length in the BGP best-path selection algorithm.

Exam trap

Cisco often tests the order of BGP path selection attributes, and the trap here is that candidates mistakenly think AS path length is always the deciding factor, forgetting that local preference (or weight) is evaluated first and can override a shorter AS path.

How to eliminate wrong answers

Option A is wrong because a lower MED (Multi-Exit Discriminator) is compared only if the paths are from the same neighboring AS, and it is evaluated after AS path length; a lower MED would not cause a longer AS path to be preferred. Option B is wrong because a higher weight is the first criterion in Cisco's BGP best-path selection and would cause the route to be preferred regardless of AS path length, but the question states the router prefers the route with the longer AS path, implying weight is not the overriding factor here (or weight is equal). Option C is wrong because a lower origin type (IGP < EGP < incomplete) is compared after AS path length; a lower origin could not override a shorter AS path.

Option E is wrong because a lower neighbor router ID is used only as a tiebreaker after all other steps, including AS path length, and would not cause a longer AS path to be preferred.

765
MCQeasy

An engineer wants to secure NTP on IOS XR routers. Which configuration is required to prevent unauthorized time synchronization?

A.NTP broadcast mode
B.NTP access group with ACL
C.NTP version 4 only
D.NTP authentication with a key
AnswerD

NTP authentication validates the source using a shared key.

Why this answer

NTP authentication using a key ensures that only trusted NTP servers can update the router's clock, preventing spoofing attacks.

766
MCQhard

Which SRv6 SID behavior is used to support EVPN-IRB (Integrated Routing and Bridging) for L2VPN with bridging?

A.End.X
B.End.DT2U
C.End.DT4
D.End.DT6
AnswerB

Correct: End.DT2U decapsulates and bridges to an Ethernet segment.

Why this answer

End.DT2U is used for L2VPN bridging (EVPN VPWS) and EVPN-IRB uses End.DT2U for bridge domain.

767
MCQhard

A service provider is experiencing congestion on a core link connecting two P routers. The customer traffic is classified into three classes: voice (low latency), video (low loss), and data (best effort). The current configuration uses DSCP-based classification at the PE ingress, but many customers are remarking DSCP values to gain better service, bypassing the provider's QoS policy. The provider wants to enforce a strict trust boundary at the PE and re-mark all traffic according to a per-customer contract. Additionally, the provider must offer per-customer bandwidth guarantees, ensuring that one customer's traffic does not starve another customer's traffic on the congested core link. The solution must be scalable to hundreds of customers. What should the designer recommend?

A.Apply a flat QoS policy on the core interfaces that polices each DSCP value to a fixed rate; trust is not needed because the core enforces its own limits.
B.Use auto-qos on all PE interfaces and rely on CoS trust; the core uses MPLS EXP derived from CoS to ensure proper queuing.
C.Implement hierarchical QoS on the PE egress to customer-facing interfaces, with parent-level shaping per customer and child-level policing per class, and set a trust boundary to mark all traffic based on the customer contract at ingress.
D.Configure MPLS Traffic Engineering tunnels on the core with bandwidth reservation per customer class; use EXP-null to preserve markings end-to-end.
AnswerC

Hierarchical QoS provides both per-customer and per-class enforcement, and setting trust boundary at ingress solves the remarking issue.

Why this answer

Option A is correct because hierarchical QoS allows per-customer shaping at the parent level to enforce per-customer bandwidth limits, and per-class policing at the child level to enforce per-class contracts. This provides the required trust boundary and per-customer guarantees. Option B is wrong because auto-qos does not provide per-customer granularity and relies on trust which is already broken.

Option C is wrong because MPLS TE tunnels reserve bandwidth but do not solve the trust boundary issue; also resetting EXP is complex. Option D is wrong because a flat policy on core does not allow per-customer differentiation and cannot enforce per-customer guarantees.

768
MCQmedium

A service provider is deploying MPLS Layer 3 VPN and needs to ensure that BGP next-hop resolution works correctly for VPNv4 prefixes learned from a route reflector. The PE routers are directly connected to the RR via iBGP, and there is an IGP running within the MPLS core. Which condition must be met for the PE to install the VPNv4 prefix into its routing table?

A.The next-hop must be reachable via the IGP with an MPLS label.
B.The next-hop must be a directly connected interface.
C.The PE must have a VPN label for the next-hop.
D.The IGP must be IS-IS, not OSPF.
AnswerA

MPLS LSP must exist to the next-hop for label imposition.

Why this answer

For a PE router to install a VPNv4 prefix learned from a route reflector into its routing table, the BGP next-hop (typically the remote PE) must be reachable via the IGP with an associated MPLS label. This ensures that the transport LSP exists to forward traffic toward the next-hop, which is required for MPLS L3VPN operation. Without an MPLS label in the IGP for the next-hop, the PE cannot build the necessary label stack and will not install the VPNv4 route.

Exam trap

Cisco often tests the misconception that a directly connected next-hop or a VPN label for the next-hop is required, when in fact the critical condition is IGP reachability with an MPLS label for the BGP next-hop.

How to eliminate wrong answers

Option B is wrong because the next-hop does not need to be a directly connected interface; it only needs to be reachable via the IGP with an MPLS label, even if multiple hops away. Option C is wrong because the PE does not need a VPN label for the next-hop; the VPN label is assigned by the remote PE for the specific VPN prefix, not for the next-hop itself. Option D is wrong because the IGP can be either IS-IS or OSPF, as both can carry MPLS label information via extensions like MPLS-TE or LDP; there is no requirement for IS-IS specifically.

769
MCQmedium

A service provider wants to automate service provisioning using NSO. Which protocol is typically used by NSO to configure network devices?

A.CLI scripting
B.NETCONF
C.SNMP
D.RESTCONF
AnswerB

Correct. NETCONF is used for configuration management with YANG models.

Why this answer

NSO uses NETCONF as the primary protocol for device configuration, leveraging YANG models for service modeling.

770
Multi-Selectmedium

Which TWO of the following are characteristics of IS-IS Partial Route Computation (PRC)? (Choose two.)

Select 2 answers
A.PRC is used when a router's system ID changes.
B.PRC is triggered when a new adjacency is formed.
C.PRC improves convergence by avoiding full SPF runs for prefix changes.
D.PRC recomputes only IP prefixes without recalculating the SPF tree.
E.PRC requires metric-style wide to operate.
AnswersC, D

Correct. PRC reduces CPU load for prefix changes.

Why this answer

PRC is used when only leaf (IP prefix) information changes, not the IS-IS topology. It avoids full SPF recalculation, improving convergence.

771
MCQeasy

Which feature is used to validate that a BGP route origin is authorized by the prefix owner?

A.BGP prefix filtering
B.BGP community filtering
C.BGP GSHUT
D.RPKI Origin Validation
AnswerD

RPKI validates origin AS using ROAs.

Why this answer

RPKI BGP Origin Validation uses ROAs to validate the origin AS. Routes are marked as valid, invalid, or not-found based on ROA records.

772
Multi-Selectmedium

Which TWO are benefits of using EVPN over traditional VPLS for L2VPN services? (Choose two.)

Select 2 answers
A.Provides MAC address learning via control plane
B.Uses LDP for label distribution
C.Requires full mesh of pseudowires
D.Simpler configuration than VPLS
E.Supports all-active multi-homing
AnswersA, E

EVPN uses BGP to advertise MAC routes.

Why this answer

EVPN offers better control plane (BGP) and supports multi-homing with all-active load balancing.

773
MCQeasy

In IS-IS, which type of router is responsible for exchanging routing information between different areas?

A.L1/L2 router
B.L1 router
C.Attached router
D.L2 router
AnswerD

L2 routers exchange information between areas.

Why this answer

L2 routers handle inter-area routing in IS-IS, while L1 routers handle intra-area routing. L1/L2 routers act as both.

774
MCQhard

In SR-PCE architecture, which protocol is used for communication between the Path Computation Element (PCE) and the Path Computation Client (PCC) to request and report SR-TE paths?

A.RESTCONF
B.PCEP
C.NETCONF
D.BGP-LS
AnswerB

PCEP is the standard protocol for PCE-PCC interactions.

Why this answer

B is correct because the Path Computation Element Protocol (PCEP), defined in RFC 5440 and extended for Segment Routing in RFC 8664, is the dedicated protocol used between a PCE and a PCC to request, report, and delegate SR-TE paths. PCEP carries explicit path computation requests (PCReq) and replies (PCRep), as well as state reporting (PCRpt) and delegation (PCUpd) messages, making it the standard control-plane protocol for SR-PCE architectures.

Exam trap

Cisco often tests the distinction between protocols that carry topology information (BGP-LS) versus protocols that carry path computation requests (PCEP), so candidates mistakenly choose BGP-LS because they associate it with Segment Routing, but it does not handle the PCE-PCC signaling.

How to eliminate wrong answers

Option A is wrong because RESTCONF is a RESTful protocol used for YANG-based data model access over HTTP, not for real-time path computation signaling between PCE and PCC. Option C is wrong because NETCONF is a network management protocol for configuration and state retrieval, not a path computation signaling protocol. Option D is wrong because BGP-LS is used to advertise link-state and topology information (e.g., IGP link-state data) to a controller or PCE, but it does not carry path computation requests or reports between PCE and PCC.

775
MCQhard

A service provider is deploying BGP PIC (Prefix Independent Convergence) for edge routers. What is the primary benefit of BGP PIC?

A.It provides fast convergence by pre-installing backup paths in the FIB
B.It reduces the number of BGP updates during a flap
C.It reduces the memory usage on the router
D.It eliminates the need for BFD
AnswerA

Correct; backup paths are precomputed and installed.

Why this answer

BGP PIC provides fast failover by precomputing backup paths in the forwarding table, enabling sub-second convergence upon failure, independent of the number of prefixes.

776
MCQeasy

Which BGP attribute is used to influence inbound traffic to a multi-homed AS by indicating the preferred entry point?

A.AS_PATH
B.COMMUNITY
C.MED
D.LOCAL_PREF
AnswerC

MED influences inbound traffic.

Why this answer

MED (Multi-Exit Discriminator) is used to influence inbound traffic from neighboring ASes by suggesting the preferred path into the AS.

777
MCQmedium

A service provider wants to protect its core routers from CPU exhaustion caused by excessive ICMP traffic. Which control plane protection mechanism on IOS XR would be most appropriate to rate-limit ICMP packets destined to the router?

A.Enable MPLS traffic engineering to reroute ICMP
B.Use BGP prefix filtering to block ICMP routes
C.Implement CoPP by creating a class-map for ICMP and applying a police rate under a control-plane policy-map
D.Configure an ACL to deny ICMP on all interfaces
AnswerC

CoPP allows granular classification and rate-limiting of control plane traffic.

Why this answer

CoPP (Control Plane Policing) on IOS XR uses class maps and policy maps to classify and rate-limit control plane traffic, including ICMP. ACL-based policing is less granular, and MPLS TE or BGP prefix filtering do not apply.

778
Multi-Selectmedium

A service provider wants to protect its core routers from control plane attacks. Which two mechanisms are effective in mitigating such attacks on IOS XR? (Choose two.)

Select 2 answers
A.MPLS TTL propagation
B.Unicast Reverse Path Forwarding (uRPF)
C.Control Plane Policing (CoPP)
D.BGP prefix filtering
E.NTP authentication
AnswersB, C

uRPF drops packets with spoofed source IPs, reducing attack traffic.

Why this answer

CoPP polices control plane traffic. uRPF prevents spoofed source IPs, which are often used in attacks. BGP prefix filtering is for routing updates, not control plane attacks. MPLS TTL propagation is for traceroute.

NTP authentication secures time sync.

779
MCQmedium

A customer reports intermittent packet loss on a MPLS L3VPN connection. The PE router shows 'show mpls forwarding' entries for the CE prefix, but ping from the PE to the CE fails intermittently. Which action should be taken to isolate the issue?

A.Check 'show ip route vrf CUSTOMER' and 'show bgp vpnv4 unicast vrf CUSTOMER' to confirm the VRF routes.
B.Use 'show mpls lsp' to verify the LSP to the CE's PE.
C.Examine the 'show mpls forwarding vrf CUSTOMER' output to see label operations.
D.Review the 'show bgp vpnv4 unicast all' output to verify route advertisement.
AnswerA

This verifies that the VRF has the correct routes and that BGP VPNv4 routes are properly imported.

Why this answer

Option A is correct because the intermittent packet loss suggests a control-plane issue rather than a data-plane problem. By checking 'show ip route vrf CUSTOMER' and 'show bgp vpnv4 unicast vrf CUSTOMER', you can verify that the VRF route for the CE prefix is present in the routing table and that BGP is advertising the correct VPNv4 route with the proper next-hop and label. This isolates whether the failure is due to missing or incorrect route propagation, which is a common cause of intermittent reachability in MPLS L3VPN.

Exam trap

Cisco often tests the distinction between control-plane verification (routing table, BGP) and data-plane verification (MPLS forwarding, LSP) in MPLS L3VPN troubleshooting, leading candidates to mistakenly focus on label operations or LSPs when the root cause is a missing or unstable route.

How to eliminate wrong answers

Option B is wrong because 'show mpls lsp' verifies the label-switched path (LSP) between PEs, but the issue is between the PE and the CE, which is a Layer 3 adjacency (often a direct link or static route) and does not involve an LSP. Option C is wrong because 'show mpls forwarding vrf CUSTOMER' shows label operations for packets entering the VRF, but since the ping from PE to CE fails intermittently, the problem is likely in the VRF route presence or BGP advertisement, not in the MPLS forwarding table. Option D is wrong because 'show bgp vpnv4 unicast all' displays all VPNv4 routes from all VRFs, which is too broad and may obscure the specific VRF route; the VRF-specific command is more targeted and efficient for isolating the CE prefix issue.

780
MCQhard

In SRv6, what is the function of the 'End.DT4' behavior?

A.Decapsulation and IPv4 lookup in a VRF table
B.Decapsulation and IPv6 lookup in a VRF table
C.Decapsulation and Ethernet switching
D.Encapsulation and forwarding to an IPv6 destination
AnswerA

Correct: End.DT4 is for L3VPNv4.

Why this answer

End.DT4 is a SRv6 endpoint behavior that decapsulates an IPv6 packet with an SRH and performs a lookup in the IPv4 VRF table for L3VPN.

781
MCQhard

In an IS-IS network, a service provider wants to achieve fast convergence using Partial Route Computation (PRC). Which of the following events triggers a PRC instead of a full SPF?

A.A router's system ID changes
B.An LSP with a new fragment arrives
C.A new adjacency is formed between two routers
D.An IP prefix is withdrawn from a directly connected network
AnswerD

Correct. A prefix change without topology change triggers PRC.

Why this answer

PRC is triggered when an IP prefix changes (addition, removal, or metric change) without a change in the IS-IS topology (i.e., no change in adjacency or reachable IS-IS neighbors). PRC only recalculates the affected prefixes, avoiding full SPF.

782
Multi-Selecthard

Which THREE are MEF-defined Ethernet service types? (Choose three.)

Select 3 answers
A.E-LAN
B.E-Access
C.E-WAN
D.E-Tree
E.E-Line
AnswersA, D, E

Multipoint-to-multipoint Ethernet service.

Why this answer

MEF defines E-Line, E-LAN, and E-Tree. E-Access is also defined but is not part of the three main types. E-WAN is not a standard MEF service.

783
MCQmedium

Which RSVP message is used to tear down an MPLS-TE LSP by being sent from the ingress toward the egress?

A.PATH Error
B.PATH Tear
C.RESV Confirm
D.RESV Tear
AnswerB

Correct.

Why this answer

RSVP-TE uses PATH messages to establish state and RESV to reserve. To tear down, a PathTear message is sent from the ingress to the egress, or a ResvTear from egress to ingress.

784
MCQmedium

A service provider wants to prevent IP spoofing attacks from customer edge devices connected to a PE router. The customer prefixes are known and asymmetric routing is not present. Which uRPF mode should be configured on the PE-CE interface?

A.No uRPF needed because BGP prefix filtering prevents spoofing
B.Strict mode uRPF
C.VRF-aware uRPF
D.Loose mode uRPF
AnswerB

Strict mode verifies the source IP is reachable via the incoming interface, ideal for PE-CE links with symmetric routing.

Why this answer

Strict mode uRPF checks that the source IP address is reachable via the same interface the packet arrived on, and that the route points back to that interface. This is suitable when symmetric routing is guaranteed, as on PE-CE links in L3VPN.

785
MCQmedium

An engineer configures an SRv6 SID with the behavior End.DT6. What is the primary function of this SID?

A.Perform IPv4 decapsulation and forward using a VPN IPv4 table.
B.Perform IPv6 decapsulation and forward using a VPN IPv6 routing table.
C.Perform IPv6 encapsulation and forward.
D.Perform IPv6 decapsulation and forward using the global IPv6 routing table.
AnswerB

Correct.

Why this answer

End.DT6 (Endpoint with Decapsulation and IPv6 table lookup) is used for L3VPN over SRv6. It decapsulates the outer IPv6 header and forwards based on the inner IPv6 destination using a specific VRF table.

786
MCQhard

A network engineer is troubleshooting OSPFv3 on a service provider's IPv6 network. The router shows that OSPFv3 adjacency never reaches FULL, says 'Init'. The neighbor is directly connected over a point-to-point link. What is the most likely cause?

A.LSA throttling prevents exchanges
B.Mismatched OSPF router-id
C.Mismatched area IDs
D.Missing 'ipv6 ospf' interface command on one side
AnswerD

OSPFv3 requires explicit interface configuration to activate adjacency.

Why this answer

The 'Init' state in OSPFv3 indicates that the router has received a Hello packet from the neighbor but the neighbor has not received a Hello packet back. On a point-to-point link, the most common cause is that the 'ipv6 ospf <process-id> area <area-id>' interface command is missing on one side, which prevents OSPFv3 from sending Hellos on that interface. Without this command, the interface is not enabled for OSPFv3, so the neighbor never sees a Hello and the adjacency cannot progress to FULL.

Exam trap

Cisco often tests the distinction between OSPFv2 and OSPFv3 interface activation methods, trapping candidates who assume that OSPFv3 uses a similar 'network' command or that a global OSPF process automatically enables all interfaces.

How to eliminate wrong answers

Option A is wrong because LSA throttling controls the rate of LSA generation and flooding, not the formation of adjacencies; it would not cause the adjacency to stall in Init. Option B is wrong because mismatched OSPF router-IDs do not prevent adjacency formation in OSPFv3; the router-ID is used for router identification but is not checked during the Hello exchange for adjacency compatibility. Option C is wrong because mismatched area IDs would cause the adjacency to stall in the ExStart or Exchange state, not in Init; the Init state indicates that the Hello packet was received but not reciprocated, which is unrelated to area ID mismatch.

787
MCQmedium

A service provider is migrating its MPLS core from LDP to Segment Routing with MPLS data plane (SR-MPLS). The network currently uses TE tunnels with RSVP-TE for traffic engineering. Which technology can the provider use to continue performing traffic engineering after the migration without requiring RSVP-TE?

A.LDP
B.MPLS-TE (RSVP-TE)
C.SR-TE
D.BGP-LU
AnswerC

SR-TE policies enable traffic engineering with Segment Routing.

Why this answer

C is correct because Segment Routing Traffic Engineering (SR-TE) allows the service provider to perform traffic engineering without RSVP-TE by using segment lists (label stacks) to steer traffic along explicit paths. SR-TE leverages the IGP (OSPF or IS-IS) to distribute segment IDs (SIDs) and uses a centralized controller or headend node to compute and enforce TE policies, eliminating the need for RSVP-TE's per-flow signaling and state maintenance.

Exam trap

Cisco often tests the misconception that BGP-LU can replace RSVP-TE for traffic engineering, but BGP-LU only provides label distribution for inter-domain reachability, not explicit path control within a single domain.

How to eliminate wrong answers

Option A is wrong because LDP is a label distribution protocol that only distributes labels for IGP shortest-path forwarding, not for traffic engineering; it lacks explicit path control and cannot replace RSVP-TE. Option B is wrong because MPLS-TE (RSVP-TE) is the technology being migrated away from, and the question explicitly asks for a solution that does not require RSVP-TE. Option D is wrong because BGP-LU (BGP Labeled Unicast) is used for inter-domain label distribution and MPLS VPN services, not for intra-domain traffic engineering with explicit path steering.

788
Multi-Selecthard

Which TWO commands are most effective to verify that an SR-TE policy is active and forwarding traffic? (Choose two.)

Select 2 answers
A.show segment-routing traffic-eng policy
B.show isis database verbose
C.show mpls forwarding-table labels
D.show segment-routing traffic-eng segment-list
E.show bgp labels
AnswersA, C

Shows the SR-TE policies, their state (active/inactive), and candidate paths.

Why this answer

The 'show segment-routing traffic-eng policy' command displays the operational state of SR-TE policies, including whether the policy is 'up' and actively forwarding traffic. It shows the candidate path, binding SID, and forwarding status, making it the primary verification command for SR-TE policy activity.

Exam trap

Cisco often tests the distinction between configuration verification (e.g., segment-lists) and operational/forwarding verification, leading candidates to choose 'show segment-routing traffic-eng segment-list' (which only shows configured lists) instead of the policy state or forwarding table commands.

789
MCQeasy

Which MQC component is used to match traffic based on criteria such as DSCP or IP precedence?

A.Class-map
B.Service-policy
C.Policy-map
D.Access-list
AnswerA

Class-map uses match statements to identify traffic.

Why this answer

In the Modular QoS CLI (MQC), the class-map component is used to define traffic classes by matching packets based on criteria such as DSCP (Differentiated Services Code Point) or IP precedence values. The class-map uses match statements (e.g., match ip dscp, match ip precedence) to classify traffic, which is then applied within a policy-map for QoS actions. This makes class-map the correct MQC component for traffic matching.

Exam trap

Cisco often tests the distinction between class-map (classification) and policy-map (action), so candidates mistakenly select policy-map because they associate it with QoS policies, forgetting that classification is done separately in the class-map.

How to eliminate wrong answers

Option B is wrong because a service-policy is used to attach a policy-map to an interface (inbound or outbound), not to match traffic based on DSCP or IP precedence. Option C is wrong because a policy-map defines QoS actions (e.g., shaping, policing, queuing) and references class-maps, but does not itself perform traffic matching. Option D is wrong because an access-list (ACL) can match traffic based on IP addresses or ports, but it is not an MQC component; MQC uses class-maps with match statements for DSCP or IP precedence classification.

790
MCQeasy

An SP network uses NTP for synchronization. To secure NTP, which authentication mode should be used?

A.NTPv4 autokey
B.NTPv3 symmetric key
C.NTPv4 with SHA-1
D.NTPv4 with MD5
AnswerA

NTPv4 autokey provides strong cryptographic authentication.

Why this answer

NTPv4 autokey (Option A) is the correct answer because it provides a secure, automated key distribution mechanism using public-key cryptography (RFC 5906). This eliminates the need for manual key exchange, making it the recommended authentication mode for securing NTP in service provider networks.

Exam trap

Cisco often tests the distinction between NTPv3 symmetric key (manual) and NTPv4 autokey (automated), leading candidates to incorrectly choose symmetric key because they overlook the 'secure' requirement in the question.

How to eliminate wrong answers

Option B is wrong because NTPv3 symmetric key uses pre-shared keys that must be manually distributed and updated, which is operationally burdensome and less secure in large SP environments. Option C is wrong because NTPv4 with SHA-1 is not a defined authentication mode; NTPv4 supports SHA-1 only as a hash algorithm within the autokey framework, not as a standalone mode. Option D is wrong because NTPv4 with MD5 is deprecated due to known vulnerabilities in the MD5 algorithm, and Cisco recommends against using MD5 for NTP authentication.

791
MCQmedium

A service provider has implemented model-driven telemetry to monitor the health of its core network. The telemetry collector is a single server running a custom application that receives and processes gRPC streams from 200 routers. The collector is experiencing high CPU usage and is falling behind in processing data, causing some telemetry data to be dropped. The engineer decides to offload processing to multiple collectors. The routers support dial-out mode and can be configured with a list of collector IPs. The engineer wants to distribute the load evenly across collectors without manual configuration per router. Which should the engineer implement?

A.Use a load balancer in front of the collectors and configure all routers to send to the load balancer VIP.
B.Use a multicast address for telemetry subscription so all collectors receive all data.
C.Configure each router with a round-robin DNS name that resolves to multiple collector IPs.
D.Divide the routers into groups and assign each group to a different collector IP via the router configuration.
AnswerA

A load balancer provides dynamic distribution and requires no changes to router configuration beyond the VIP.

Why this answer

Option A is correct because a load balancer distributes incoming gRPC streams from all 200 routers across multiple collectors based on a configured algorithm (e.g., round-robin or least connections), achieving even load distribution without per-router configuration. The routers simply send telemetry to a single virtual IP (VIP), and the load balancer forwards each stream to an available collector, preventing any single collector from being overwhelmed. This matches the requirement to offload processing and avoid manual configuration per router.

Exam trap

Cisco often tests the misconception that DNS round-robin or multicast can solve load distribution in telemetry, but the trap here is that dial-out gRPC requires TCP unicast connections and DNS round-robin lacks real-time load awareness, making a load balancer the only viable option for even distribution without manual configuration.

How to eliminate wrong answers

Option B is wrong because multicast addresses are not supported for dial-out gRPC telemetry; dial-out mode uses TCP-based unicast connections to specific collector IPs, and multicast would cause all collectors to receive duplicate data, increasing CPU load rather than reducing it. Option C is wrong because round-robin DNS does not provide real-time load balancing; DNS caching by routers and intermediate resolvers can cause uneven distribution, and DNS changes are not immediate, leading to potential overload of some collectors. Option D is wrong because it requires manual configuration per router to assign groups to specific collector IPs, which violates the requirement to distribute load evenly without manual configuration per router.

792
MCQhard

Refer to the exhibit. A service provider is receiving BGP prefixes from a customer (AS 64512). The provider wants to tag all routes from that customer that match prefix 10.1.0.0/16 or more specific with community 65000:100, while not modifying other routes. After applying the configuration, which statement is true?

A.Only routes matching 10.1.0.0/16 or more specific will have the community added; other routes remain unchanged.
B.Routes with a mask longer than /24 will be rejected by the prefix-list.
C.All routes from the customer will have their communities replaced with 65000:100.
D.Routes not matching the prefix-list will be denied and not installed.
AnswerA

The route-map permits matching routes with additive community, denies others without affecting acceptance.

Why this answer

The configuration uses a route-map applied to the neighbor with a match clause referencing a prefix-list that permits 10.1.0.0/16 le 32. This matches the exact prefix and any more specific prefix (up to /32). The set community 65000:100 action adds the community without using the additive keyword, but because the route-map does not contain a deny clause for non-matching routes, all routes are still accepted; only matching routes have the community added.

Thus, only routes matching 10.1.0.0/16 or more specific will have community 65000:100 added, and other routes remain unchanged.

Exam trap

Cisco often tests the misconception that a route-map with a match clause and no explicit deny will reject non-matching routes, when in fact unmatched routes are still permitted and unchanged unless a deny sequence is present.

How to eliminate wrong answers

Option B is wrong because the prefix-list permits 10.1.0.0/16 le 32, which allows masks longer than /24 (e.g., /25, /28) — there is no reject condition for masks longer than /24. Option C is wrong because the set community command does not include the additive keyword, so it replaces any existing communities on matching routes, but it does not affect non-matching routes at all; the route-map only applies the set action to matched prefixes, not to all routes. Option D is wrong because the route-map has no explicit deny statement; routes that do not match the prefix-list simply fall through without a set action and are still accepted and installed normally.

793
MCQmedium

A service provider needs to prioritize voice traffic over best-effort data in an MPLS VPN. The PE router uses a QoS policy applied to the ingress interface. Which action ensures that voice packets are marked with the correct DSCP value before entering the MPLS core?

A.Apply a policy-map that matches voice traffic using a class-map and the 'set dscp ef' action.
B.Configure the ingress interface with 'mls qos trust dscp' to preserve the customer marking.
C.Use a policy-map with the 'set mpls experimental 5' command.
D.Apply a police action to drop traffic exceeding the voice bandwidth.
AnswerA

Sets DSCP EF for voice packets on ingress.

Why this answer

Option A is correct because the question specifies that the PE router must mark voice packets with the correct DSCP value before they enter the MPLS core. The 'set dscp ef' action in a policy-map applied to the ingress interface explicitly sets the DSCP field to EF (46) for voice traffic matched by a class-map, ensuring proper classification and treatment across the MPLS network. This is the standard method for marking IP packets at the edge before MPLS encapsulation.

Exam trap

Cisco often tests the distinction between IP-layer marking (DSCP) and MPLS-layer marking (EXP), so the trap here is that candidates may choose 'set mpls experimental 5' thinking it achieves the same result, but the question explicitly requires DSCP marking before MPLS encapsulation.

How to eliminate wrong answers

Option B is wrong because 'mls qos trust dscp' preserves the existing DSCP marking from the customer, but the question requires the service provider to actively mark voice packets, not just trust markings that may be absent or incorrect. Option C is wrong because 'set mpls experimental 5' sets the MPLS EXP bits on the MPLS label, not the DSCP value in the IP header; the question explicitly asks for DSCP marking before entering the MPLS core, which is an IP-layer action. Option D is wrong because a police action that drops excess traffic does not mark packets with a DSCP value; it only enforces bandwidth limits, failing to address the requirement to set the DSCP value for voice traffic.

794
MCQeasy

In an MPLS VPN environment, which address family is used to exchange VPNv4 routes between PE routers?

A.Route-target (RT)
B.IPv4 unicast
C.VPNv6 unicast
D.VPNv4 unicast
AnswerD

VPNv4 carries both IPv4 prefixes and route distinguishers.

Why this answer

Option D is correct because in an MPLS VPN environment, VPNv4 routes (which include both the IPv4 prefix and the Route Distinguisher) are exchanged between Provider Edge (PE) routers using the VPNv4 unicast address family under the BGP configuration. This address family allows PE routers to carry customer routes with unique RD values, enabling address overlap across different VPNs.

Exam trap

Cisco often tests the distinction between the address family used for route exchange (VPNv4 unicast) and the community attribute (Route Target) that controls route distribution, leading candidates to mistakenly select Route-target as the answer.

How to eliminate wrong answers

Option A is wrong because Route-target (RT) is a BGP extended community attribute used to control the import/export of VPN routes into VRFs, not an address family for exchanging routes. Option B is wrong because IPv4 unicast is the standard address family for exchanging global IPv4 routes, but it lacks the Route Distinguisher (RD) necessary to differentiate overlapping customer prefixes in an MPLS VPN. Option C is wrong because VPNv6 unicast is used for exchanging IPv6 VPN routes (VPNv6) between PE routers, not for VPNv4 routes.

795
MCQeasy

A service provider is deploying MPLS in their core network and wants to ensure that all routers in the MPLS domain can dynamically exchange label bindings. Which protocol should be enabled on all routers to meet this requirement?

A.LDP
B.OSPF
C.iBGP
D.RSVP-TE
AnswerA

LDP dynamically distributes labels for all prefixes in the IGP.

Why this answer

LDP (Label Distribution Protocol) is the correct choice because it is the standard protocol used in MPLS networks to dynamically distribute label bindings for all routes in the routing table. It operates by establishing LDP sessions between directly connected LSRs and exchanging label mappings for each prefix, ensuring every router in the MPLS domain has the necessary labels to forward labeled packets.

Exam trap

Cisco often tests the distinction between protocols that distribute labels for all routes (LDP) versus protocols that only distribute labels for specific routes (e.g., iBGP for BGP routes) or are used for traffic engineering (RSVP-TE), leading candidates to mistakenly choose iBGP or RSVP-TE when the question asks for dynamic label exchange across the entire MPLS domain.

How to eliminate wrong answers

Option B (OSPF) is wrong because OSPF is an interior gateway protocol (IGP) used for IP routing, not for distributing MPLS label bindings; it does not carry label information. Option C (iBGP) is wrong because iBGP is used to exchange BGP routes and their associated labels (via the 'label' or 'vpnv4' address family) but only for BGP-learned prefixes, not for all routes in the MPLS domain, and it requires LDP or another label distribution protocol for IGP routes. Option D (RSVP-TE) is wrong because RSVP-TE is a signaling protocol for traffic engineering and MPLS-TE tunnels, not for general dynamic label exchange for all prefixes; it is used for explicit path setup and resource reservation, not for distributing label bindings for all IGP routes.

796
MCQeasy

Which BGP attribute is used to indicate the preference of a route within an AS and is propagated to iBGP peers but not to eBGP peers by default?

A.WEIGHT
B.LOCAL_PREF
C.MED
D.AS_PATH
AnswerB

Correct. LOCAL_PREF is used for route preference within an AS.

Why this answer

LOCAL_PREF is a well-known discretionary attribute that indicates the degree of preference for a route within an AS. It is sent to iBGP peers but not to eBGP peers by default.

797
Multi-Selectmedium

Which three BGP attributes are considered during the route selection process before comparing AS_PATH length? (Choose three.)

Select 3 answers
A.LOCAL_PREF
B.Weight
C.NEXT_HOP
D.Locally originated routes
E.MED
AnswersA, B, D

LOCAL_PREF is compared second.

Why this answer

Weight, LOCAL_PREF, and locally originated routes are compared before AS_PATH length in the BGP best path selection algorithm.

798
MCQmedium

Segment Routing with TI-LFA (Topology Independent Loop-Free Alternate) provides fast convergence. Which statement accurately describes TI-LFA?

A.TI-LFA only protects against link failures, not node failures.
B.TI-LFA uses a pre-computed backup tunnel signaled via RSVP-TE.
C.TI-LFA computes a backup path that is guaranteed to be loop-free and topology independent.
D.TI-LFA requires BFD to detect failures.
AnswerC

TI-LFA uses post-convergence path and ensures loop avoidance.

Why this answer

Option C is correct because TI-LFA (Topology Independent Loop-Free Alternate) computes a backup path that is guaranteed to be loop-free regardless of the network topology, using segment lists (label stacks) to steer traffic around a failure. It does not rely on the presence of a natural loop-free alternate in the IGP topology, making it topology independent. This ensures fast convergence (typically sub-50ms) without requiring signaling protocols like RSVP-TE.

Exam trap

Cisco often tests the distinction between TI-LFA and traditional LFA or RSVP-TE; the trap here is assuming TI-LFA requires a signaling protocol (like RSVP-TE) or that it only protects link failures, when in fact it is topology independent and protects both link and node failures using segment routing.

How to eliminate wrong answers

Option A is wrong because TI-LFA protects against both link and node failures, as it can compute a backup path that avoids a specific failed node by using adjacency segments or prefix segments. Option B is wrong because TI-LFA does not use RSVP-TE; it is a segment routing mechanism that uses pre-computed MPLS label stacks (segment lists) derived from the IGP (IS-IS or OSPF) without any signaling. Option D is wrong because TI-LFA does not require BFD for failure detection; it relies on IGP fast convergence mechanisms such as link-state advertisements (LSA) or hello timers, though BFD can be optionally used to accelerate detection.

799
MCQmedium

An SP uses NSO to orchestrate MPLS L3VPN services. The service model is written in YANG, and the NED communicates with the PE routers. Which protocol does NSO use to push configuration to the network devices?

A.CLI
B.PCEP
C.SNMP
D.NETCONF
AnswerD

NSO uses NETCONF for device configuration and management.

Why this answer

NSO can use NETCONF or RESTCONF southbound to communicate with network devices. NETCONF is the standard for configuration management.

800
MCQmedium

When implementing MPLS TE tunnels in a service provider core, what is the purpose of the 'affinity' attribute?

A.To set the color of the tunnel
B.To adjust the cost of TE tunnels
C.To define administrative groups for link inclusion/exclusion
D.To bind tunnels to specific interfaces
AnswerC

Affinity allows tunnels to restrict links based on administrative group membership.

Why this answer

The 'affinity' attribute in MPLS TE is used to define administrative groups (also known as link colors) that allow you to include or exclude specific links from a TE tunnel path based on user-defined properties. This enables traffic engineering policies such as forcing traffic to avoid certain links or preferring links with specific characteristics, without modifying the underlying IGP metric.

Exam trap

Cisco often tests the confusion between 'affinity' (administrative groups for link inclusion/exclusion) and 'color' (a separate attribute used in Segment Routing or for visual identification), leading candidates to mistakenly choose Option A.

How to eliminate wrong answers

Option A is wrong because 'affinity' does not set the color of the tunnel; it uses color-like bitmask values to represent administrative groups on links, not to assign a visual or logical color to the tunnel itself. Option B is wrong because adjusting the cost of TE tunnels is done via the 'metric' or 'cost' command under the tunnel interface, not through the affinity attribute. Option D is wrong because binding tunnels to specific interfaces is achieved using the 'mpls traffic-eng tunnels' command on the interface or explicit path definitions, not via affinity.

801
MCQeasy

A network engineer notices that voice traffic is being dropped during congestion. The traffic is marked with DSCP EF. After reviewing the QoS policy, it is discovered that the voice traffic is not being placed into a priority queue. Which configuration change would ensure voice traffic receives priority treatment?

A.Increase the queue limit to 1000 packets
B.Increase the bandwidth percentage for the voice class
C.Enable WRED on the voice class
D.Add the 'priority' command under the voice class in the policy map
AnswerD

The 'priority' command places traffic into a low-latency queue, which is essential for real-time traffic like voice.

Why this answer

DSCP EF (Expedited Forwarding, per RFC 3246) requires strict priority queuing to guarantee low latency and jitter for voice traffic. The 'priority' command under the voice class in a policy map places the traffic into a strict priority queue (LLQ), ensuring it is serviced before any other queue during congestion. Without this command, the voice traffic is treated as a regular class, subject to bandwidth constraints and potential drops.

Exam trap

Cisco often tests the misconception that bandwidth guarantees or queue tuning alone can provide priority treatment, when in fact only the 'priority' command creates the strict priority queue required for real-time traffic like voice.

How to eliminate wrong answers

Option A is wrong because increasing the queue limit only allows more packets to be buffered, but does not provide priority treatment; during congestion, the queue can still experience tail drops and delay. Option B is wrong because increasing the bandwidth percentage for the voice class only guarantees a minimum bandwidth share, but does not create a priority queue; voice traffic can still be delayed by other queues. Option C is wrong because WRED (Weighted Random Early Detection) is a congestion avoidance mechanism that drops packets before the queue is full, which is inappropriate for real-time voice traffic that requires low jitter and minimal drops; WRED would introduce additional delay and potential packet loss.

802
MCQmedium

What is the function of the admin plane in IOS XR architecture?

A.It runs routing protocols for the default SDR
B.It handles data plane forwarding
C.It provides a management interface for configuring Secure Domain Routers (SDRs)
D.It is used for customer-facing VPN services
AnswerC

Correct. The admin plane manages SDR creation and system-level configuration.

Why this answer

The admin plane is a separate management context for administrative tasks such as configuring SDRs, managing hardware, and system-level settings. It provides isolation from the default SDR.

803
Multi-Selectmedium

A service provider is implementing MAP-T (Mapping of Address and Port using Translation) to transition customers from IPv4 to IPv6. Which two characteristics of MAP-T are true? (Choose two.)

Select 2 answers
A.MAP-T is primarily used for IPv6-to-IPv4 communication only
B.MAP-T requires a dedicated IPv6 prefix for each customer
C.MAP-T employs a Border Router that performs translation between IPv4 and IPv6
D.MAP-T uses encapsulation to transport IPv4 packets over an IPv6 network
E.MAP-T can operate in stateless mode
AnswersC, E

Correct. The BR performs IPv4-IPv6 translation.

Why this answer

MAP-T uses stateful or stateless translation between IPv4 and IPv6, and it uses a Border Router (BR) that performs translation. MAP-T does not use encapsulation; it uses translation (NAT). MAP-T also uses a Domain Name System (DNS) but that is not unique.

The key characteristics: it uses a BR for translation and can be stateless.

804
Multi-Selectmedium

An engineer is configuring BGP route reflectors to scale iBGP. Which TWO attributes are used to prevent routing loops in a route reflector cluster? (Choose two.)

Select 2 answers
A.ORIGINATOR_ID
B.NEXT_HOP
C.LOCAL_PREF
D.AS_PATH
E.CLUSTER_LIST
AnswersA, E

ORIGINATOR_ID prevents loops within a cluster.

Why this answer

CLUSTER_LIST and ORIGINATOR_ID are used to prevent loops. CLUSTER_LIST is a sequence of cluster IDs; ORIGINATOR_ID identifies the originator.

805
MCQeasy

In the DiffServ model, which field is used in the IP header to mark packets for QoS treatment?

A.IP Precedence
B.DSCP
C.802.1p
D.MPLS EXP
AnswerB

DSCP is the standard marking field in DiffServ.

Why this answer

The DiffServ model uses the 6-bit DSCP field in the IP header to classify packets.

806
MCQmedium

An SP network uses OSPF with RSVP-TE for traffic engineering. Which OSPF extension is required to advertise TE link parameters such as maximum reservable bandwidth?

A.OSPF Type 7 LSAs
B.OSPF Type 11 Opaque LSAs
C.OSPF Type 10 Opaque LSAs
D.OSPF Type 5 LSAs
AnswerC

Correct. Type 10 Opaque LSAs carry TE information.

Why this answer

OSPF TE extensions are defined in RFC 3630, which introduces the Opaque LSA (Type 9, 10, 11). Specifically, Type 10 Opaque LSAs carry TE information. The TE LSA is carried in an Opaque LSA of area scope (Type 10).

807
Multi-Selecthard

A network engineer is troubleshooting an LDP session failure between two directly connected routers. The routers are configured with the 'mpls ldp' command under the interface. The 'show mpls ldp neighbor' command shows no neighbors. Which two additional pieces of information should the engineer verify? (Choose two.)

Select 2 answers
A.Verify that the interface IP addresses are in the same subnet.
B.Verify that TCP port 646 is open on the interface ACL.
C.Verify that 'mpls ip' is enabled globally.
D.Verify that the LDP router IDs are reachable via routing.
E.Verify that OSPF is configured on the interface.
AnswersA, D

LDP hello messages are sent to the all-routers multicast address; mismatched subnets prevent discovery.

Why this answer

Option A is correct because LDP sessions are established only between directly connected LSRs when using the default 'mpls ldp' interface configuration. The LDP Hello messages are sent as UDP packets to the multicast address 224.0.0.2, and if the interface IP addresses are not in the same subnet, the Hello messages will not be received, preventing neighbor discovery.

Exam trap

Cisco often tests the distinction between LDP Hello (UDP multicast) and LDP session (TCP unicast), and candidates mistakenly focus on TCP ACLs or global MPLS commands instead of verifying subnet adjacency and router ID reachability.

808
MCQhard

An engineer is troubleshooting a BGP route reflector setup. Clients are not receiving all routes. The 'show bgp neighbors' output shows a state of 'Active'. What is the most likely cause?

A.The route reflector does not have a full mesh with clients
B.The route reflector is detecting an AS_PATH loop
C.Next-hop reachability issue
D.Incorrect BGP neighbor statement on the route reflector or client
AnswerD

Active state indicates TCP session failure, often due to misconfiguration.

Why this answer

The 'Active' state in BGP indicates that the router is trying to establish a TCP connection with the neighbor but has not yet succeeded. This is most commonly caused by a misconfiguration in the BGP neighbor statement, such as an incorrect IP address, wrong AS number, or a missing neighbor statement on one side. Since the route reflector is not forming a BGP session, clients cannot receive any routes, which explains the symptom.

Exam trap

Cisco often tests the distinction between BGP session states and route advertisement issues, so candidates mistakenly attribute 'Active' to routing problems like next-hop unreachability or loops, when it actually points to TCP connection or neighbor configuration errors.

How to eliminate wrong answers

Option A is wrong because a full mesh is not required with a route reflector; the route reflector design intentionally avoids a full mesh by having clients connect only to the reflector. Option B is wrong because an AS_PATH loop would cause routes to be withdrawn or not advertised, but the BGP session itself would still reach an 'Established' state, not 'Active'. Option C is wrong because next-hop reachability issues affect route installation in the RIB, not the BGP session state; the session would still be 'Established' even if next hops are unreachable.

809
MCQmedium

A service provider is using Segment Routing with TI-LFA for fast convergence. During a link failure, the router performing the local repair must compute a backup path that avoids the failed link. Which type of Adjacency Segment Identifier (Adj-SID) is required for the backup path to be loop-free?

A.Anycast Adj-SID
B.Unprotected Adj-SID
C.Protected Adj-SID
D.Backup Adj-SID
AnswerC

Protected Adj-SID enables fast reroute protection in SR networks.

Why this answer

In Segment Routing with TI-LFA, the router performing local repair must compute a backup path that is guaranteed loop-free. A Protected Adj-SID (Adj-SID with the B-flag set) is required because it indicates that the adjacency segment is protected by a fast-reroute mechanism, allowing the router to use a precomputed backup path that avoids the failed link while ensuring no forwarding loops occur.

Exam trap

Cisco often tests the misconception that any Adj-SID can be used for TI-LFA backup, but only the Protected Adj-SID (B-flag set) guarantees loop-free behavior, while Unprotected Adj-SID leads to potential loops or blackholing.

How to eliminate wrong answers

Option A is wrong because an Anycast Adj-SID identifies a set of routers sharing the same anycast prefix, not a specific adjacency, and it does not provide per-link protection or loop-free backup path computation. Option B is wrong because an Unprotected Adj-SID (B-flag not set) explicitly indicates no fast-reroute protection is available, so it cannot be used for a TI-LFA backup path. Option D is wrong because there is no standard 'Backup Adj-SID' in Segment Routing; the correct term is Protected Adj-SID, and the backup path is derived from the protected adjacency SID.

810
MCQeasy

In the Modular QoS CLI (MQC), which component is used to define traffic classes based on match criteria?

A.policy-map
B.access-list
C.class-map
D.service-policy
AnswerC

Class-map defines traffic classes with match criteria.

Why this answer

In the Modular QoS CLI (MQC), the class-map is the component used to define traffic classes by specifying match criteria such as IP precedence, DSCP values, or access-group references. The class-map groups packets that match one or more conditions, allowing the policy-map to apply QoS actions (e.g., policing, shaping) to that specific class. Without a class-map, the policy-map cannot differentiate between traffic types.

Exam trap

Cisco often tests the distinction between the component that defines traffic (class-map) versus the component that applies actions (policy-map), leading candidates to mistakenly select policy-map when asked about defining traffic classes.

How to eliminate wrong answers

Option A is wrong because a policy-map is used to associate QoS actions (like bandwidth, police, shape) with a class-map, not to define the traffic classes themselves. Option B is wrong because an access-list is a packet filtering tool that can be referenced within a class-map as a match criterion, but it is not the component that defines the traffic class in MQC. Option D is wrong because a service-policy is the command that applies a policy-map to an interface or direction (input/output), not a component for defining traffic classes.

811
MCQmedium

A service provider is troubleshooting BGP route selection between two eBGP peers. The router receives a prefix from Peer A with local preference 150 and AS path length 3. From Peer B, the same prefix has local preference 100 and AS path length 2. Which route will be preferred?

A.The route from Peer A because it has a higher weight.
B.The route from Peer A because local preference is higher.
C.Both routes are equally preferred and will be used for load balancing.
D.The route from Peer B because AS path is shorter.
AnswerB

Local preference is the first tiebreaker after weight; higher value wins.

Why this answer

B is correct because BGP's route selection process evaluates local preference before AS path length. The route from Peer A has a local preference of 150, which is higher than Peer B's 100, so it is preferred regardless of the shorter AS path from Peer B. Local preference is the second BGP attribute in the decision process (after weight) and is used to influence outbound traffic from an AS.

Exam trap

Cisco often tests the order of BGP path selection attributes, and the trap here is that candidates mistakenly prioritize AS path length over local preference because they remember 'shortest AS path' but forget it comes after local preference in the decision process.

How to eliminate wrong answers

Option A is wrong because weight is a Cisco-proprietary attribute that is not mentioned in the question; local preference is the relevant attribute here, and weight would only be considered first if it were set. Option C is wrong because the routes have different local preference values (150 vs. 100), so they are not equally preferred; BGP does not load-balance between routes with different local preferences. Option D is wrong because although AS path length is considered in BGP path selection, it is evaluated after local preference; since local preference differs, the AS path length is not compared.

812
MCQhard

A service provider is designing a network to support mobile backhaul for eMBB, uRLLC, and mMTC services. Which technology allows the physical network to be divided into virtual networks with dedicated resources for each service type?

A.Q-in-Q
B.MPLS TE
C.VPLS
D.Network slicing
AnswerD

Network slicing is the correct technology.

Why this answer

Network slicing enables multiple virtual networks on a shared physical infrastructure, each with tailored performance characteristics.

813
MCQhard

A service provider uses OSPFv3 for IPv6 routing in the core. Which statement correctly describes OSPFv3 adjacency formation on a broadcast multiaccess network?

A.OSPFv3 does not use DR/BDR election; instead, it forms full mesh adjacencies.
B.All routers on the network form full adjacencies with every other router.
C.The DR is elected based on the highest router ID, with a tiebreaker of highest interface priority.
D.The Designated Router (DR) is elected to reduce the number of adjacencies and LSDB flooding.
AnswerD

DR/BDR reduce O(n^2) to O(n).

Why this answer

OSPFv3 operates similarly to OSPFv2 on broadcast networks, electing a DR and BDR using Hello protocol, and forming adjacencies with the DR.

814
MCQeasy

A service provider is implementing MPLS L3VPN and needs to ensure that BGP route advertisement uses a specific next-hop. Which technique ensures BGP advertises the PE-CE next-hop instead of the PE-PE loopback?

A.Route-map with set next-hop
B.next-hop-unchanged
C.next-hop-self
D.Disable next-hop-check
AnswerC

Sets the next-hop to the router's own address for iBGP advertisements.

Why this answer

In MPLS L3VPN, the PE-CE next-hop (the PE interface facing the CE) must be advertised to the remote PE so that the remote PE knows to forward traffic directly to the local PE's CE-facing interface. The `next-hop-self` command on the PE forces BGP to set the next-hop to the PE's own IP address (typically the loopback or the interface used for BGP peering), which overrides the default behavior of preserving the original next-hop. This ensures that the remote PE uses the correct next-hop for VPN traffic.

Exam trap

Cisco often tests the distinction between `next-hop-self` (used to force the PE's own address as the next-hop) and `next-hop-unchanged` (used to preserve the original next-hop in inter-AS scenarios), and candidates confuse these two commands.

How to eliminate wrong answers

Option A is wrong because a route-map with `set next-hop` can manually override the next-hop, but it is not the standard or most efficient technique for this specific requirement; it requires additional configuration and may not be as reliable as `next-hop-self` in all scenarios. Option B is wrong because `next-hop-unchanged` is used in MPLS VPN inter-AS scenarios (option B) to preserve the original next-hop across AS boundaries, which is the opposite of what is needed here. Option D is wrong because disabling next-hop-check (`no bgp next-hop-check`) is used in BGP confederation or route reflector scenarios to allow routes with unreachable next-hops to be accepted, not to change the next-hop value.

815
MCQmedium

Refer to the exhibit. A telemetry subscription is configured on an IOS-XR router. The collector at 10.1.1.100 is not receiving data. Which configuration error is present?

A.The destination IP address is incorrect
B.Missing 'protocol' specification in the destination-group
C.The sample-interval is too short
D.The subscription is not committed
E.The sensor-group path is invalid
AnswerB

The destination-group must include 'protocol grpc' or 'protocol tcp'; otherwise, no data is transmitted.

Why this answer

Option B is correct because in IOS-XR telemetry, a destination-group must include the 'protocol' keyword (e.g., 'protocol grpc' or 'protocol tcp') to specify the transport protocol for the collector. Without this specification, the router does not know how to send the telemetry data, and the collector at 10.1.1.100 will not receive any data.

Exam trap

Cisco often tests the requirement for the 'protocol' keyword in the destination-group, as candidates may assume that specifying the IP and port alone is sufficient, overlooking this mandatory parameter.

How to eliminate wrong answers

Option A is wrong because the destination IP address 10.1.1.100 is explicitly shown in the exhibit, and there is no indication that it is incorrect; the issue is a missing protocol specification, not a wrong IP. Option C is wrong because the sample-interval being too short would cause high CPU or data loss, but it would not prevent the collector from receiving data entirely; the collector would still receive some data. Option D is wrong because the subscription is shown in the running configuration, implying it is committed; IOS-XR requires an explicit 'commit' for configuration to take effect, and if it were missing, the subscription would not appear in the running config.

Option E is wrong because the sensor-group path is present in the exhibit (e.g., 'Cisco-IOS-XR-infra-statsd-oper:statistics'), and there is no evidence it is invalid; an invalid path would cause a configuration rejection or no data, but the primary error here is the missing protocol.

816
Multi-Selecthard

Which THREE are benefits of using EVPN over traditional VPLS? (Choose three.)

Select 3 answers
A.MAC address learning over the control plane (MAC mobility)
B.BGP-based control plane for MAC/VXLAN route distribution
C.Support for all-active multi-homing with ESI
D.Simpler configuration without BGP
E.Lower latency due to MPLS label switching
AnswersA, B, C

EVPN advertises MACs via BGP, allowing mobility.

Why this answer

EVPN offers BGP-based control plane, multi-homing support, and MAC mobility. VPLS traditionally uses LDP and does not natively support multi-homing or MAC mobility as effectively.

817
MCQeasy

A junior automation engineer is writing a Python script to configure OSPF on a Cisco IOS-XE router using RESTCONF. The script sends a PUT request to update the OSPF configuration but receives a 401 Unauthorized response. The engineer has configured a local user with privilege 15 on the router and enabled restconf. The engineer verified that the router's RESTCONF API is running on port 443. What is the most likely missing element in the script?

A.The script must include an Accept header.
B.The script must include a Content-Type header set to application/yang-data+json.
C.The script must use HTTP basic authentication with the correct username and password.
D.The script must use HTTPS with a valid certificate.
AnswerC

RESTCONF uses HTTP basic authentication by default; without it, the server returns 401.

Why this answer

A 401 Unauthorized response indicates the request lacks proper authentication. The engineer likely forgot to include HTTP basic authentication headers with the correct username and password. Other options relate to content types or TLS, which would cause different errors (e.g., 415 Unsupported Media Type).

818
MCQeasy

An SP engineer implements LLQ for VoIP traffic on a DS3 link. The policy-map calls for a priority queue of 500 kbps. The actual VoIP traffic averages 400 kbps with bursts to 600 kbps. What is the expected behavior during bursts?

A.The excess traffic is reclassified to best-effort and placed in the default queue.
B.The priority queue uses tail-drop and discards only when the queue is full.
C.The priority queue drops all traffic above the configured 500 kbps during the burst.
D.The excess traffic is queued in the priority queue until bandwidth is available.
AnswerC

LLQ polices the priority queue to its configured rate; excess is dropped.

Why this answer

C is correct because the priority queue in a Low Latency Queueing (LLQ) policy is policed at the configured rate (500 kbps). When VoIP traffic bursts exceed this rate, the excess packets are dropped immediately by the policer, not queued or reclassified. This ensures that the priority queue does not starve other queues and maintains low latency for conforming traffic.

Exam trap

Cisco often tests the misconception that the priority queue can buffer excess traffic or reclassify it, when in fact LLQ uses a policer to drop traffic exceeding the configured bandwidth to protect other queues.

How to eliminate wrong answers

Option A is wrong because LLQ does not reclassify excess priority traffic to best-effort; instead, it drops the excess packets via policing. Option B is wrong because the priority queue does not use tail-drop; it uses a policer that drops packets exceeding the configured bandwidth, regardless of queue depth. Option D is wrong because the priority queue cannot queue excess traffic above the configured rate; LLQ strictly polices the priority queue to prevent it from monopolizing bandwidth.

819
Multi-Selectmedium

An SP engineer is designing a QoS policy for a business customer with three traffic classes: Voice (critical latency), Transactional Data (low delay), and Bulk Data (no strict requirements). The link is 100 Mbps. Which TWO actions should be part of the policy? (Select two.)

Select 2 answers
A.Use FIFO queuing for the bulk data class.
B.Apply LLQ to the voice class with a policer to limit its rate to 10 Mbps.
C.Use WRED on the voice class for congestion avoidance.
D.Set the queue limit to 1000 packets for all classes.
E.Apply CBWFQ to the transactional data class with a bandwidth of 30 Mbps.
AnswersB, E

LLQ ensures low latency; policing prevents voice from starving other classes.

Why this answer

LLQ provides strict priority for voice. CBWFQ with bandwidth guarantees for transactional data ensures it gets capacity. Bulk data can use remaining bandwidth.

820
MCQmedium

In IS-IS, which metric type supports traffic engineering (TE) and is required for segment routing?

A.Default metric (TLV 2)
B.Narrow metrics (TLV 128/130)
C.TE metric (TLV 138)
D.Wide metrics (TLV 135/236/22)
AnswerD

Wide metrics use 24-bit fields and support TE.

Why this answer

IS-IS wide metrics (TLV 135/236/22) support TE and segment routing; narrow metrics (TLV 128/130) are limited to 6-bit metrics.

821
MCQhard

A service provider wants to use BGP Prefix Independent Convergence (PIC) for faster failover. Which BGP feature must be enabled to support PIC?

A.BGP additional paths
B.BGP multipath
C.BGP route reflectors
D.BGP fast external fallover
AnswerA

Additional paths allow backup path installation.

Why this answer

BGP PIC requires BGP additional paths (add-path) or BGP PIC edge, which installs backup paths in the FIB independent of the prefix count.

822
MCQhard

A service provider is building a new network slicing architecture to offer differentiated services to enterprise customers. The architecture uses SRv6 with network slices identified by slice IDs embedded in the SRv6 SID. The underlay is an IP network with ISIS. Each slice will have dedicated resources in the core, including guaranteed bandwidth and low latency. The plan is to use the SRv6 network programming concept to steer traffic into different slices. The provider wants to ensure that slice isolation is maintained end-to-end, including at the egress PE where traffic is handed off to the customer. However, during testing, they observe that traffic from one slice is incorrectly entering another slice's queue on an intermediate node, causing performance interference. The intermediate node is a transit router that does not terminate SRv6 but performs 'SID-based forwarding'. Which mechanism is most likely missing to ensure slice isolation on transit nodes?

A.The transit nodes are not configured to enforce per-slice QoS policies based on the slice ID in the SID.
B.The SRv6 SID does not carry the slice ID; it only carries the locator.
C.The egress PE is misconfigured to strip the slice ID before forwarding.
D.The ingress PE is not setting the slice ID correctly.
AnswerA

Correct. Transit nodes need to recognize the slice ID and apply appropriate queuing; otherwise, slices compete for resources.

Why this answer

Transit nodes must have per-slice QoS policies that map the slice ID (carried in the SID) to dedicated queue resources. Without such policies, all traffic may be mapped to a default queue, breaking isolation. The SID can indeed carry the slice ID; egress PE stripping or ingress PE misconfiguration would affect other nodes, not specifically transit.

823
MCQmedium

In RSVP-TE, which message is sent by the headend router along the explicit route to reserve resources and establish an LSP?

A.RESV
B.PATH
C.RSVP Hello
D.RSVP Tear
AnswerB

Correct. PATH carries the ERO and requests resources.

Why this answer

In RSVP-TE, the headend router sends a PATH message along the explicit route to signal the desired LSP. This message carries the label request, traffic parameters, and the explicit route object (ERO) to each downstream router, which then forwards it hop-by-hop toward the destination. Only after the PATH message reaches the tailend does the tailend respond with a RESV message to actually reserve resources and establish the LSP.

Exam trap

Cisco often tests the distinction between the direction of PATH (headend to tailend) and RESV (tailend to headend), trapping candidates who confuse which message initiates the reservation versus which message actually reserves resources.

How to eliminate wrong answers

Option A is wrong because the RESV message is sent by the tailend router back toward the headend to reserve resources and confirm the LSP, not by the headend. Option C is wrong because the RSVP Hello message is used for neighbor liveness detection and graceful restart, not for LSP establishment. Option D is wrong because the RSVP Tear message is used to tear down an existing LSP, not to establish one.

824
MCQeasy

A network engineer is configuring QoS on a Cisco ASR 9000 router to support multiple traffic classes. The policy must ensure that real-time traffic (EF) is not starved by high-volume bulk data (AF11). Which queuing strategy should be applied to the EF class to provide low latency and strict priority?

A.Weighted Round Robin (WRR)
B.Class-Based Weighted Fair Queuing (CBWFQ)
C.Priority Queuing (LLQ)
D.First-In-First-Out (FIFO)
AnswerC

LLQ provides a strict priority queue for EF traffic.

Why this answer

Low Latency Queuing (LLQ) is the correct choice because it combines strict priority queuing with CBWFQ, ensuring that EF (real-time) traffic is always served before other queues. This prevents starvation of delay-sensitive traffic by bulk data (AF11) while still allowing fair treatment of other classes. LLQ is the standard Cisco mechanism for supporting real-time traffic like VoIP with guaranteed low latency.

Exam trap

Cisco often tests the misconception that CBWFQ alone can provide low latency for real-time traffic, but the trap is that CBWFQ lacks a strict priority queue, so candidates must recognize that LLQ is required for EF traffic to avoid delay and jitter.

How to eliminate wrong answers

Option A is wrong because Weighted Round Robin (WRR) does not provide strict priority; it services queues in a round-robin fashion based on weights, which can cause delay for real-time traffic if the bulk data queue is heavy. Option B is wrong because Class-Based Weighted Fair Queuing (CBWFQ) assigns bandwidth guarantees but lacks a strict priority mechanism, so EF traffic could still be delayed by AF11 traffic during congestion. Option D is wrong because First-In-First-Out (FIFO) treats all traffic equally with no differentiation, making it impossible to protect real-time traffic from being starved by bulk data.

825
Multi-Selectmedium

An SP is implementing DDoS mitigation using BGP FlowSpec. Which three types of actions can be specified in a FlowSpec rule? (Choose three.)

Select 3 answers
A.Drop (discard)
B.Sample (copy to analyzer)
C.Mark DSCP
D.Traffic-rate (rate-limit)
E.Redirect to a next-hop
AnswersA, D, E

Drop is a standard action to discard traffic.

Why this answer

BGP FlowSpec can specify actions like traffic-rate (rate-limiting), redirect (to a next-hop or VRF), and drop (discard). Marking DSCP is not typical; sample is used for traffic analysis but not a standard action in FlowSpec.

Page 10

Page 11 of 14

Page 12
Cisco SPCOR / CCNP Service Provider Core 350-501 350-501 Questions 751–825 | Page 11/14 | Courseiva