Cisco SPCOR / CCNP Service Provider Core 350-501 (350-501) — Questions 226300

500 questions total · 7pages · All types, answers revealed

Page 3

Page 4 of 7

Page 5
226
MCQhard

A service provider is deploying segment routing (SR) with MPLS data plane. The network uses OSPF as the IGP. Which configuration is required to enable SR-MPLS and ensure that routers advertise prefix-SIDs for their loopback interfaces?

A.Configure 'mpls ip' on all interfaces and 'router ospf 1 mpls ldp auto-config'.
B.Configure 'label mode per-prefix' under the OSPF process and assign a label to the loopback.
C.Configure 'segment-routing global-block 16000 23999' globally and enable 'mpls ip' on all interfaces.
D.Configure 'segment-routing mpls' globally and assign a prefix-SID to the loopback interface under OSPF.
AnswerD

This enables SR-MPLS and advertises a prefix-SID for the loopback.

Why this answer

Option D is correct because to enable SR-MPLS with OSPF, you must globally enable segment routing with the 'segment-routing mpls' command, and then assign a prefix-SID to the loopback interface under the OSPF process using the 'prefix-sid' command. This ensures that routers advertise the prefix-SID for their loopback via OSPF extensions, which is the fundamental requirement for SR-MPLS operation without LDP.

Exam trap

Cisco often tests the distinction between enabling segment routing globally versus configuring the SRGB; candidates mistakenly think that setting the SRGB alone enables SR-MPLS, but the 'segment-routing mpls' command is the actual enabler.

How to eliminate wrong answers

Option A is wrong because it enables MPLS LDP via auto-config, which is not required for SR-MPLS and actually introduces a different label distribution protocol (LDP) that conflicts with the segment routing paradigm. Option B is wrong because 'label mode per-prefix' is a command used for MPLS LDP label allocation, not for SR-MPLS prefix-SID assignment; SR-MPLS uses the 'prefix-sid' command under OSPF, not label mode configuration. Option C is wrong because while configuring the segment-routing global block (SRGB) is important for SR-MPLS, it does not enable segment routing itself; the 'segment-routing mpls' global command is mandatory, and 'mpls ip' on interfaces is not required for SR-MPLS as it relies on IGP extensions, not LDP.

227
MCQmedium

A network engineer is troubleshooting QoS in a service provider environment. Customer traffic is marked with DSCP AF31 (011010) at the CE. On the PE router, the policy maps trust DSCP and sets the CoS to 4. However, core routers remark the DSCP to 0. What is the most likely cause?

A.A policer on the core router is marking down out-of-contract traffic
B.The core routers use LDP labels and ignore DSCP
C.The ingress PE did not set MPLS EXP bits
D.The MPLS EXP bits are not copied from DSCP
AnswerA

Policers can re-mark DSCP to 0 for excess traffic.

Why this answer

The core routers likely have a policy that marks down packets exceeding their contracted rate. Option D is correct because a policer could mark down the DSCP. Option A is wrong because MPLS EXP is separate from DSCP.

Option B is wrong because MPLS EXP is not involved. Option C is wrong because re-marking on core is not typical if configured correctly.

228
MCQmedium

Refer to the exhibit. An engineer notices that R1 has an LDP neighbor but 'show mpls forwarding-table' on R1 shows no label bindings for prefixes learned from R2. What is the most likely cause?

A.The LDP discovery source is incorrect
B.The peer LDP identifier is not reachable
C.LDP session is not established
D.R1 is configured for 'label distribution on-demand'
AnswerD

Downstream on-demand means labels are not sent until requested; if no request, no labels.

Why this answer

R1 shows an LDP neighbor (session is up) but no label bindings for prefixes from R2. This occurs when R1 is configured for 'label distribution on-demand' (RFC 5036), meaning it only requests label bindings for prefixes in its routing table, not all prefixes from the peer. Since R1 has not yet needed those specific prefixes, it has not requested labels, so the forwarding table remains empty.

Exam trap

Cisco often tests the distinction between LDP session state (neighbor adjacency) and label binding exchange, tricking candidates into thinking a working session guarantees label bindings, when in fact 'label distribution on-demand' can suppress label advertisements.

How to eliminate wrong answers

Option A is wrong because the LDP discovery source being incorrect would prevent neighbor discovery entirely, but the exhibit shows an LDP neighbor is present, so discovery is working. Option B is wrong because if the peer LDP identifier were not reachable, the LDP session would not establish; the exhibit confirms a session exists, so reachability is fine. Option C is wrong because the LDP session is established (neighbor is shown), so the session is not the issue; the problem is specifically with label binding exchange, not session state.

229
Multi-Selecteasy

Which TWO statements about YANG data models are true? (Choose two.)

Select 2 answers
A.YANG models can be directly converted to SNMP MIBs.
B.YANG models define only configuration data, not state data.
C.YANG models define CLI commands.
D.YANG models are used to model data for NETCONF and RESTCONF.
E.YANG models can be augmented to extend existing models.
AnswersD, E

YANG is the data modeling language for NETCONF/RESTCONF.

Why this answer

Option D is correct because YANG (RFC 6020/7950) is a data modeling language specifically designed to model configuration and state data for network management protocols like NETCONF and RESTCONF. YANG defines the structure, constraints, and semantics of data that can be exchanged via these protocols, making it the standard for model-driven network automation.

Exam trap

Cisco often tests the misconception that YANG is only for configuration data, but candidates must remember that YANG explicitly supports both config and state data via the 'config false' statement.

230
MCQhard

A service provider is deploying a new MPLS core with Segment Routing and requires fast convergence upon link failure. They plan to use TI-LFA (Topology Independent Loop-Free Alternate). What is a prerequisite for TI-LFA to provide protection against any single link failure?

A.IGP must be a link-state protocol with complete topology information (OSPF or IS-IS).
B.BGP-LU must be enabled for label distribution.
C.LDP must be enabled on all interfaces.
D.RSVP-TE must be configured with FRR.
AnswerA

TI-LFA uses the link-state database to compute backup paths.

Why this answer

TI-LFA relies on the IGP having a complete view of the network topology to compute a post-convergence path that avoids the failed link. OSPF and IS-IS are link-state protocols that flood link-state advertisements (LSAs) or link-state packets (LSPs) to provide this full topology database, which is essential for TI-LFA to calculate a loop-free backup path for any single link failure.

Exam trap

Cisco often tests the misconception that TI-LFA requires LDP or RSVP-TE, but the key prerequisite is a link-state IGP (OSPF or IS-IS) with complete topology information, as TI-LFA is a Segment Routing feature that uses IGP-based SIDs for path computation.

How to eliminate wrong answers

Option B is wrong because BGP-LU (BGP Labeled Unicast) is used for inter-domain label distribution and does not provide the link-state topology information required by TI-LFA; TI-LFA operates within a single IGP domain. Option C is wrong because LDP is not a prerequisite for TI-LFA; in fact, Segment Routing can operate without LDP by using IGP-distributed labels (Prefix-SIDs), and TI-LFA is designed for SR-based networks. Option D is wrong because RSVP-TE with FRR is a separate MPLS fast-reroute mechanism that requires explicit tunnel signaling and resource reservation, whereas TI-LFA is a topology-based, signaling-free protection mechanism that works with Segment Routing and a link-state IGP.

231
Multi-Selectmedium

Which TWO are benefits of using Segment Routing over LDP in a service provider core?

Select 2 answers
A.Reduces the number of labels in the control plane.
B.Label allocation is per-prefix, not per-interface.
C.Eliminates the need for IGP convergence for label distribution.
D.Simplifies MPLS TE tunnel configuration.
E.Supports TI-LFA for fast reroute with full topology protection.
AnswersB, E

SR assigns a single label per prefix independent of the outgoing interface, simplifying label management.

Why this answer

Options A and C are correct. SR supports TI-LFA for fast reroute, and native per-prefix label allocation. Option B is wrong because SR still requires IGP convergence for label distribution.

Option D is wrong because SR can be used with TE, but LDP also supports TE. Option E is wrong because SR may actually increase the number of labels due to SID stack.

232
MCQmedium

In an MPLS network, which field in the MPLS label header is used to carry QoS information between LSRs?

A.ToS
B.IP Precedence
C.EXP bits
D.DSCP
AnswerC

EXP bits are used for QoS in MPLS.

Why this answer

In MPLS, the EXP (Experimental) bits, also known as the Traffic Class (TC) field per RFC 5462, are 3 bits in the MPLS label header used to carry Quality of Service (QoS) information between Label Switch Routers (LSRs). These bits allow LSRs to apply per-hop behaviors (PHBs) such as queuing and scheduling based on the packet's QoS class, enabling differentiated services across the MPLS network.

Exam trap

Cisco often tests the distinction between IP-layer QoS fields (ToS, IP Precedence, DSCP) and MPLS-layer QoS fields (EXP bits), so the trap here is that candidates mistakenly choose DSCP or IP Precedence because they are familiar QoS markings, forgetting that MPLS uses its own label header field for QoS between LSRs.

How to eliminate wrong answers

Option A is wrong because ToS (Type of Service) is an 8-bit field in the IP header, not in the MPLS label header; it is used for QoS in IP networks, not between LSRs. Option B is wrong because IP Precedence is a 3-bit subset of the IP ToS field, used in IP networks for QoS classification, but it is not part of the MPLS label header. Option D is wrong because DSCP (Differentiated Services Code Point) is a 6-bit field in the IP header (replacing the older ToS field) used for QoS in IP networks, not in the MPLS label header; MPLS uses EXP bits to carry QoS information between LSRs.

233
MCQhard

Based on the exhibit, why is the route 10.10.10.0/24 from remote PE not installed in the VRF Customer-A on PE1?

A.The localpref is too low (100)
B.The VRF imports route-target 200:200, but the route has RT 100:100
C.The MPLS label allocation failed on the remote PE
D.The route distinguisher on the VRF (100:1) does not match the remote RD
AnswerB

Route-target import filter must match the route's RT for installation.

Why this answer

Option B is correct: The route has RT 100:100, but VRF Customer-A imports RT 200:200. Thus, the route is not imported. Option A is wrong because the localpref is 100, which is default and not an issue.

Option C is wrong because the RD mismatch is between VRFs, but RD does not affect import; RT does. Option D is wrong because label allocation is working fine (vpn-label:24000).

234
MCQmedium

An engineer is designing an MPLS L3VPN solution and must ensure that the provider edge (PE) routers can handle routing updates for multiple customers without interfering with each other. Which mechanism should be used on the PE routers?

A.Route distinguishers
B.Route reflectors
C.MPLS-TE
D.VRF-Lite
AnswerD

VRF-Lite creates separate routing tables for each customer.

Why this answer

VRF-Lite (Virtual Routing and Forwarding) is the correct mechanism because it allows a single PE router to maintain multiple separate routing tables (VRFs), each dedicated to a different customer. This ensures that routing updates for one customer are isolated from another, preventing interference. VRF-Lite achieves this without MPLS, using only IP forwarding and per-VRF routing instances.

Exam trap

Cisco often tests the distinction between VRF-Lite (which provides routing isolation without MPLS) and full MPLS L3VPN (which uses RDs and route targets for VPNv4 prefix uniqueness and distribution), leading candidates to mistakenly choose route distinguishers as the isolation mechanism.

How to eliminate wrong answers

Option A is wrong because route distinguishers (RDs) are used to make IPv4 prefixes unique across VRFs in an MPLS L3VPN, but they do not provide routing isolation; they are just a prefix-extension mechanism. Option B is wrong because route reflectors are used to scale BGP route distribution within an MPLS L3VPN core, not to isolate customer routing updates on the PE. Option C is wrong because MPLS-TE (Traffic Engineering) controls the path of MPLS LSPs for optimization, not the separation of customer routing tables.

235
MCQmedium

A network operator wants to prefer a specific BGP route from a peer for a prefix. After applying a route-map to set local preference to 200, the route is still not preferred over a route from another peer with local preference 150. What could be the issue?

A.The prefix was received with a higher weight.
B.The neighbor address-family is not correct.
C.The route-map was applied on the wrong BGP neighbor direction.
D.The route is received via an IBGP session.
AnswerA

Correct. Weight is considered before local preference, so a higher weight overrides a lower local preference.

Why this answer

Option D is correct because BGP path selection checks weight first. If the other route has a higher weight (Cisco proprietary), it will be preferred regardless of local preference. Option A is incorrect because even if applied incorrectly, local preference would still take effect from internal peers.

Option B is plausible but less likely; address-family mismatch would prevent route exchange entirely. Option C is incorrect because local preference is compared among all received routes.

236
MCQmedium

The CE router behind the VRF interface is unable to reach the remote CE. Which configuration error is most likely the cause?

A.The BGP neighbor is configured with a directly connected interface address but uses update-source Loopback0.
B.The VRF is missing the 'rd' command.
C.The 'mpls ip' command is missing on the core interface.
D.The VRF interface does not have an IP address.
AnswerA

This mismatch causes BGP to try to source from the loopback while expecting a session to the interface address, likely leading to session failure.

Why this answer

The BGP neighbor is defined using the directly connected interface address 10.0.0.2, but the update-source is set to Loopback0. This mismatch prevents the BGP session from establishing because the router expects the neighbor to be reachable via the loopback. The neighbor should be the remote PE's loopback address.

237
MCQeasy

A router is receiving a BGP prefix with community 100:100. The operator wants to modify the local preference to 200 for this prefix. Which configuration will achieve this?

A.route-map SET_LP permit 10, match community 100, set local-preference 200
B.route-map SET_LP permit 10, match ip address prefix-list, set weight 200
C.ip bgp-community new-format, route-map SET_LP permit 10, match community 100, set community 200
D.route-map SET_LP permit 10, match community 100, set metric 200
AnswerA

Correct. This sets local preference as desired.

Why this answer

Option D is correct because the 'set local-preference 200' command under a route-map that matches the community will achieve this. Option A is incorrect because the 'set community' modifies community, not local preference. Option B is incorrect because 'set weight' modifies weight.

Option C is incorrect because 'set metric' modifies MED.

238
MCQhard

A service provider is deploying Segment Routing over IPv6 (SRv6) and needs to ensure that the forwarding plane can support SRv6 encapsulated packets. Which hardware capability is most critical for SRv6 at the line rate?

A.MPLS label swap capability
B.VXLAN tunnel termination
C.IPv6 extension header processing
D.NAT64 translation support
AnswerC

SRv6 uses the SRH, an IPv6 extension header, requiring line-rate processing.

Why this answer

SRv6 (Segment Routing over IPv6) encapsulates packets with an IPv6 header containing a Segment Routing Header (SRH), which is a type of IPv6 extension header. For line-rate forwarding, the hardware must natively process IPv6 extension headers in the forwarding plane without punting to the CPU, as software processing would cause performance degradation. Option C is correct because this capability is the most critical for SRv6 at line rate.

Exam trap

Cisco often tests the misconception that SRv6 is MPLS-based, leading candidates to incorrectly select MPLS label swap capability, but SRv6 is an IPv6-native technology that relies on IPv6 extension header processing.

How to eliminate wrong answers

Option A is wrong because MPLS label swap capability is irrelevant to SRv6, which uses IPv6 encapsulation and the SRH, not MPLS labels; SRv6 does not rely on MPLS forwarding. Option B is wrong because VXLAN tunnel termination is a separate overlay technology for network virtualization and does not directly support SRv6's IPv6-based segment routing. Option D is wrong because NAT64 translation support is used for IPv6-to-IPv4 translation and has no role in SRv6 packet forwarding or segment processing.

239
Multi-Selecteasy

During QoS troubleshooting, you capture traffic and see that DSCP markings are not being applied as configured. Which two common misconfigurations could cause this? (Choose two.)

Select 2 answers
A.The policy-map is not applied to the correct interface direction (input vs output)
B.The class-map is using the wrong match criteria (e.g., DSCP value)
C.The policy-map is applied to a loopback interface
D.The marking is configured under the wrong policy-map
E.The device is running out of TCAM space
AnswersA, B

DSCP marking can be done inbound or outbound; applying to the wrong direction means the marking never occurs on the traffic path.

Why this answer

Option A is correct because a policy-map must be applied in the correct direction (input or output) for the marking to take effect. If a marking policy is applied to the wrong direction, the packets will not be processed by the policy, and DSCP values will remain unchanged. This is a common misconfiguration when the intended marking should occur on ingress but the policy is applied to egress, or vice versa.

Exam trap

Cisco often tests the distinction between input and output policy application, as candidates may overlook that a marking policy applied to the wrong direction will silently fail to modify DSCP values.

240
MCQeasy

A service provider is deploying IGMPv3 snooping on an MVPN network to optimize multicast forwarding. After configuration, multicast traffic is not reaching receivers. The source is sending to group 239.1.1.1. The PE router has received the IGMP report from the receiver, and the MDT is established. What is the most likely reason?

A.The RP for the group is not configured
B.The IGMP snooping is filtering the multicast traffic because of wrong VLAN configuration
C.The source-specific multicast (SSM) range is applied but the receiver sent a (*,G) report
D.The multicast routing is not enabled globally
AnswerC

Correct. IGMPv3 allows source-specific reports. If the group falls in SSM range, the receiver must specify the source; otherwise, traffic is not forwarded.

Why this answer

Option C is correct because IGMPv3 snooping on the PE router processes the receiver's IGMPv3 report. If the SSM range (232.0.0.0/8) is applied to group 239.1.1.1, the receiver must send an IGMPv3 (S,G) report to join a specific source. However, if the receiver sends a (*,G) report (which is allowed only in ASM mode), the IGMP snooping will not install the forwarding entry, causing multicast traffic to be dropped even though the MDT is established.

Exam trap

The trap here is that candidates assume IGMPv3 snooping always works with any group, forgetting that the SSM range enforces (S,G) reports and that a (*,G) report in that range is silently dropped, not processed.

How to eliminate wrong answers

Option A is wrong because the RP is not required for SSM operation; in SSM, receivers learn the source via out-of-band mechanisms, and the PE uses the (S,G) state directly without an RP. Option B is wrong because the question states the MDT is established and the IGMP report is received, indicating VLAN configuration is correct; IGMP snooping filtering due to wrong VLAN would prevent the report from reaching the PE. Option D is wrong because multicast routing must be enabled globally for any multicast forwarding to work, but the question confirms the MDT is established, which implies multicast routing is already enabled.

241
Multi-Selecthard

Which two are characteristics of the Anycast SID in Segment Routing? (Choose two.)

Select 2 answers
A.It identifies an adjacency between two routers.
B.It is typically used as an Adj-SID for load balancing.
C.It is unique per node and identifies a specific router.
D.It provides redundancy and fast convergence by allowing traffic to be rerouted to another router.
E.It is shared among multiple routers in the same anycast group.
AnswersD, E

If one anycast router fails, traffic goes to another.

Why this answer

B correct: multiple nodes can advertise the same Anycast SID, enabling load balancing. E correct: Anycast SID is used for redundancy and fast convergence. A wrong: Node-SID is unique.

C wrong: Anycast SID is not for adjacency. D wrong: The Anycast SID is advertised with a prefix SID type, not an Adj-SID type.

242
MCQhard

While troubleshooting a customer complaint about slow data transfers, you notice that traffic from a specific site is being dropped. The QoS policy on the PE router includes a police command for the customer's traffic. The observed drop rate is exactly half of the configured police rate. What is the most probable reason?

A.The police is using a token-bucket algorithm with a small burst size that is being exceeded
B.The police rate is configured in bits per second but the traffic is measured in bytes per second
C.The traffic is using a different DSCP value than expected
D.The police action is set to drop, but the exceed-action is transmit
AnswerA

A small burst size means the bucket drains quickly, causing more packets to exceed the rate and be dropped, even if the long-term average is below the police rate.

Why this answer

The observed drop rate being exactly half the configured police rate strongly suggests that the token-bucket algorithm is operating with a burst size that is too small. When the burst size is insufficient, the bucket empties quickly under sustained traffic, causing packets to be marked as exceeding the rate and dropped. The police command in Cisco IOS uses a single-rate two-color marker (RFC 2697) or a two-rate three-color marker (RFC 2698), and a small burst size leads to premature drops even when the average rate is below the configured police rate.

Exam trap

Cisco often tests the misconception that the police rate alone determines drops, but the trap here is that the burst size (bc/be) directly controls the token-bucket depth, and an undersized burst causes the policer to drop packets at a fixed ratio (e.g., 50%) even when the average rate is below the CIR.

How to eliminate wrong answers

Option B is wrong because the police rate is configured in bits per second (bps) by default, and traffic is measured in bits per second as well; a mismatch with bytes per second would cause a consistent 8x discrepancy, not exactly half. Option C is wrong because a different DSCP value would affect classification and marking, but it would not cause a precise 50% drop rate relative to the configured police rate; it would either match or not match the class map. Option D is wrong because if the police action is set to drop and the exceed-action is transmit, then packets that conform are transmitted and packets that exceed are dropped, but this would not produce a drop rate exactly half of the configured rate; the drop rate would depend on traffic burstiness and bucket depth, not a fixed ratio.

243
Multi-Selectmedium

An ISP is designing a new core network using MPLS-TE. They require very fast failure detection for link and node failures to minimize traffic loss. Which two technologies should they combine? (Choose two.)

Select 2 answers
A.OSPF with hello timers set to 1 second
B.MPLS-TE Fast Reroute (FRR)
C.Bidirectional Forwarding Detection (BFD)
D.LSP Ping and Traceroute
E.Label Distribution Protocol (LDP)
AnswersB, C

Provides local repair via backup tunnels.

Why this answer

Option A and D are correct. BFD provides fast failure detection (sub-second), and MPLS-TE Fast Reroute (FRR) provides local protection with backup tunnels. Option B (LDP) does not provide fast detection; Option C (OSPF) alone is too slow; Option E (LSP ping) is for troubleshooting.

244
Multi-Selectmedium

Which THREE are common causes of QoS misconfiguration on PE routers? (Choose three.)

Select 3 answers
A.Applying a policy-map in the wrong direction (input vs output).
B.Using the 'bandwidth percent' command in a class that also has a priority queue.
C.Insufficient bandwidth on the subscriber line.
D.Class-map match criteria that do not correctly identify the intended traffic.
E.Attaching a QoS policy to a VRF interface using a policy-map that references a non-VRF-aware class-map.
AnswersA, D, E

Correct: Common mistake that causes policy to have no effect.

Why this answer

Applying a policy-map in the wrong direction (input vs output) is a common QoS misconfiguration because QoS actions like shaping, policing, and queuing are direction-specific. For example, shaping is typically applied on the egress interface to control outbound traffic, while policing can be applied inbound to rate-limit incoming traffic. Misapplying a policy-map (e.g., attaching a shaper to the input direction) will either be ignored by the router or cause unexpected behavior, leading to QoS failures.

Exam trap

Cisco often tests the distinction between QoS misconfiguration (e.g., wrong direction, incorrect match criteria) and capacity issues (e.g., insufficient bandwidth), so candidates mistakenly select 'insufficient bandwidth' as a misconfiguration when it is actually a resource constraint that QoS cannot fix.

245
MCQhard

An engineer is troubleshooting an MPLS VPN issue where CE1 cannot ping CE2 across the provider network. The PE routers are configured with MP-BGP and LDP. On PE1, 'show ip bgp vpnv4 vrf CUST' shows the route to CE2's loopback as valid, but 'show mpls forwarding-table' does not list a label for that prefix. What is the most likely cause?

A.MTU mismatch on the MPLS core interfaces
B.LDP is not enabled on the core link between PE1 and P
C.Route target mismatch between PE1 and PE2
D.BGP session between PE1 and PE2 is not established
AnswerC

Incorrect RT prevents the VPN label from being installed in the forwarding table despite BGP advertisement.

Why this answer

The route is present in the VRF BGP table on PE1 (valid), but no MPLS label is assigned for that prefix in the forwarding table. This indicates that PE1 has learned the route via MP-BGP but cannot install it into the MPLS forwarding table because the route target (RT) import policy on PE1 does not match the RT export policy on PE2. Without a matching RT, PE1 does not consider the VPNv4 route as belonging to the CUST VRF, so it cannot resolve the next hop or assign a label for forwarding.

Exam trap

Cisco often tests the distinction between BGP route validity (learned via MP-BGP) and VRF route installation (controlled by RT import), leading candidates to mistakenly suspect BGP session or LDP issues when the real problem is a route target mismatch.

How to eliminate wrong answers

Option A is wrong because an MTU mismatch on core interfaces would cause fragmentation or packet drops, not a missing label in the MPLS forwarding table for a specific VPN prefix. Option B is wrong because LDP not being enabled on the core link would prevent label assignment for all transit prefixes, not just a single VPN route, and the issue here is specific to a VRF route. Option D is wrong because if the BGP session between PE1 and PE2 were not established, the route to CE2's loopback would not appear as valid in 'show ip bgp vpnv4 vrf CUST'; the route is present, so the session is up.

246
MCQeasy

A customer is connected to a service provider MPLS L3VPN network using BGP. The CE advertises a prefix 10.1.1.0/24 to the PE. On the PE, the customer's VRF route table shows the route with the next-hop set to the CE. When the PE receives a packet destined to 10.1.1.1, what label stack will the PE apply before forwarding the packet across the MPLS core?

A.Only the transport label (LDP or RSVP) for the egress PE
B.Only the MPLS VPN label assigned to the route by the egress PE
C.No label, because the CE is directly connected
D.Both the transport label and the VPN label
AnswerB

The ingress PE pushes the VPN label (inner) and a transport label (outer), but the VPN label is specific to the VRF.

Why this answer

Option A is correct. For a packet going from the PE to a CE in the same VRF, the PE will push an MPLS label (LSP label) towards the egress PE, not a VPN label for the CE. Actually, when forwarding from local CE to remote CE, the ingress PE pushes both transport label (for the egress PE) and the VPN label.

But the question says 'before forwarding across the MPLS core', so the packet goes to the remote PE. The PE will push an outer transport label (LDP or RSVP-TE label) and an inner VPN label identifying the VRF or prefix. Option A says only MPLS VPN label, which is correct as the inner label; the outer label is also needed.

However, the phrasing 'the PE will apply which label?' might be interpreted as the label stack. Typically, the PE pushes two labels: transport label + VPN label. Among options, only A mentions VPN label, but it says 'only the MPLS VPN label assigned to that route by the egress PE' - that is the inner label.

The outer label is also needed. But since it's multiple choice, best answer is the inner VPN label because the transport label is core-dependent. Actually, the standard is that the ingress PE imposes two labels.

Option A correctly identifies the VPN label, though it omits transport. But option D says no label, which is wrong. Option B says transport label only, wrong.

Option C says both, but does not specify. The most accurate is that the PE will apply a VPN label (assigned by the remote PE) and a transport label, but since it's asking for 'which label', likely the VPN label is the one specific to the service. Given typical exam questions, they expect the VPN label.

I'll go with A.

247
MCQeasy

A service provider operates an MPLS-TE network using RSVP-TE with a full mesh of tunnels between core routers. The network uses OSPF as IGP with traffic engineering extensions. Recently, a new headend router PE-New was added and configured with several TE tunnels to remote destinations. However, some tunnels repeatedly go down after a few minutes and show in the 'down' state with the error 'Tunnel path option 0: no path to destination (TEDB lookup failed)'. The TE tunnels that remain up are those to destinations that are directly connected to the same OSPF area. The network has multiple OSPF areas (area 0, 1, 2) with inter-area routes redistributed. The operator suspects the issue is related to the TEDB (Traffic Engineering Database) not having complete information. Which action is MOST likely to resolve the issue?

A.Increase the tunnel hold-priority and setup-priority values
B.Add the remote loopbacks to OSPF using network statements in area 0
C.Change the IGP to IS-IS with wide metrics and enable MPLS-TE on all IS-IS levels
D.Configure static routes for the remote destinations on PE-New
AnswerC

IS-IS natively propagates TE information across all levels, ensuring TEDB completeness for inter-area tunnels.

Why this answer

Option D is correct: In multi-area OSPF, the TEDB is not flooded across area boundaries by default. To have TE information for inter-area destinations, IS-IS is preferred; but if OSPF is used, enabling 'flooding' of TE LSAs across areas requires configuring 'mpls traffic-eng inter-area' or similar (on Cisco IOS XR, the command is 'mpls traffic-eng inter-area [level-2]' but for OSPF, it's 'mpls traffic-eng area X' with redistribution; however, the simplest fix is to use a single area or IS-IS. Option A: Static routes do not provide TE information.

Option B: Adding IP routes does not populate the TEDB. Option C: Increasing hold-priority does not fix missing TEDB entries.

248
Drag & Dropmedium

Drag and drop the steps to configure EIGRP on a Cisco router into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

EIGRP configuration requires entering the EIGRP process, advertising networks, and optionally disabling auto-summary.

249
MCQmedium

A network operator is configuring RSVP-TE tunnels for traffic engineering in an MPLS core. They want to enforce that the tunnel path strictly follows a predefined set of hops. Which explicit path option should be used?

A.Exact
B.Loose
C.Strict
D.Dynamic
AnswerC

Strict explicit path requires each hop to be adjacent.

Why this answer

The 'strict' keyword enforces that each hop is directly connected. Option B is incorrect because 'loose' allows intermediate hops. Option C is incorrect because 'dynamic' computes path automatically.

Option D is incorrect because 'exact' is not a standard keyword for explicit paths.

250
MCQhard

An MPLS-TE tunnel is configured with Fast Reroute using link protection. The primary path traverses links A-B and B-C. If link B-C fails, which action does the head-end router take?

A.The router at node B switches traffic to a pre-computed backup tunnel around link B-C.
B.The head-end router immediately switches to a secondary explicit path.
C.RSVP-TE signals a new LSP from the head-end after detecting the failure.
D.Traffic is dropped until the IGP converges on the new topology.
AnswerA

Link protection works by having the PLR (point of local repair) at the upstream node.

Why this answer

Option A is correct because MPLS-TE Fast Reroute (FRR) with link protection pre-computes a backup tunnel that bypasses the protected link. When link B-C fails, the router at node B (the Point of Local Repair, or PLR) immediately switches traffic to this pre-established backup tunnel, ensuring sub-50ms failover without involving the head-end router.

Exam trap

Cisco often tests the misconception that the head-end router handles all rerouting decisions in MPLS-TE, but FRR delegates local repair to the PLR, so candidates must remember that link protection is handled at the point of failure, not the head-end.

How to eliminate wrong answers

Option B is wrong because the head-end router does not immediately switch to a secondary explicit path; FRR is designed for local repair at the PLR, and head-end path switching would be slower and is not triggered by link protection. Option C is wrong because RSVP-TE does not signal a new LSP from the head-end upon failure detection; FRR uses pre-signaled backup tunnels, and new LSP signaling would exceed the sub-50ms recovery target. Option D is wrong because traffic is not dropped until IGP convergence; FRR provides fast reroute before IGP reconverges, preventing packet loss.

251
MCQmedium

A service provider is deploying a new automation framework using Ansible to configure MPLS VPNs. They need to ensure that the Ansible playbook can handle configuration rollback in case of failure. Which Ansible feature should be used?

A.Use the 'backup' option in the ios_config module
B.Use 'tags' to selectively apply tasks
C.Use 'check_mode' to validate changes before applying
D.Set 'ignore_errors' to true
AnswerA

Backs up running config before changes for rollback.

Why this answer

The 'backup' option in the ios_config module instructs Ansible to save a copy of the running configuration to a local file before making any changes. If the playbook fails or produces an undesired state, the operator can restore the device to the previous configuration using that backup file. This provides a straightforward rollback mechanism for MPLS VPN deployments without requiring external version control or manual snapshots.

Exam trap

Cisco often tests the distinction between validation (check_mode) and actual rollback (backup), so the trap here is assuming that a dry run or ignoring errors provides a safety net for reverting changes after they have been applied.

How to eliminate wrong answers

Option B is wrong because 'tags' are used to selectively run or skip tasks in a playbook, not to provide any rollback capability. Option C is wrong because 'check_mode' (dry run) only simulates changes and does not create a backup or enable rollback after actual changes are applied. Option D is wrong because setting 'ignore_errors' to true causes Ansible to continue executing tasks even after a failure, which does not roll back changes and can leave the device in a broken state.

252
Drag & Dropmedium

Drag and drop the steps to configure MPLS LDP on a Cisco router into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

MPLS LDP requires CEF, enabling MPLS on interfaces, and setting the LDP router-id.

253
MCQeasy

A service provider is experiencing high CPU usage on a router running BGP. Which action should be taken first to mitigate the issue without disrupting traffic?

A.Disable BGP on the router.
B.Increase the BGP keepalive timer.
C.Apply inbound route filtering using prefix lists.
D.Implement BGP route dampening.
AnswerC

Filtering unnecessary inbound routes reduces the number of prefixes the router must process, lowering CPU utilization.

Why this answer

High CPU usage on a BGP-speaking router is often caused by processing a large number of BGP updates. Applying inbound route filtering using prefix lists (option C) reduces the number of routes the router must process and store, directly lowering CPU load without disrupting existing traffic flows. This is a non-disruptive, targeted mitigation that addresses the root cause of excessive route processing.

Exam trap

Cisco often tests the misconception that route dampening is a first-line CPU mitigation tool, when in fact it is a stability mechanism for flapping routes and can itself be CPU-intensive; the correct first step is to filter unwanted routes at the point of entry.

How to eliminate wrong answers

Option A is wrong because disabling BGP entirely would drop all BGP sessions and disrupt traffic, which violates the requirement to not disrupt traffic. Option B is wrong because increasing the BGP keepalive timer reduces the frequency of keepalive messages but does not address the CPU load caused by processing BGP updates or route churn; it may even delay failure detection. Option D is wrong because BGP route dampening is designed to suppress flapping routes over time, not to reduce immediate CPU usage from a high volume of updates; it can actually increase CPU load during the dampening calculation phase and does not filter routes.

254
MCQmedium

A service provider is designing a core network with IS-IS as the IGP. To support MPLS traffic engineering, which IS-IS extensions are required?

A.IS-IS multi-topology (MT)
B.IS-IS TE extensions (RFC 5305)
C.IS-IS wide metrics
D.IS-IS L1/L2 routing
AnswerB

TE extensions advertise link bandwidth, admin-group, etc.

Why this answer

IS-IS TE extensions (as per RFC 5305) carry link attributes like bandwidth. Option B is correct. Option A is wrong because wide metrics are for scalability.

Option C is wrong because multi-topology is for multiple SPFs. Option D is wrong because L1/L2 routing is standard.

255
Drag & Dropmedium

Drag and drop the steps for the BGP route selection process (best path selection) in order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

BGP best path selection follows a specific order: weight, local preference, locally originated, AS_PATH length, MED.

256
Multi-Selectmedium

Which TWO statements about EVPN Route Type 2 (MAC/IP advertisement) are correct?

Select 2 answers
A.It is used for MAC learning and ARP suppression
B.It advertises both MAC and IP addresses of hosts
C.It provides load balancing via aliasing
D.It includes the Ethernet Segment Identifier (ESI)
E.It is not used for host mobility
AnswersA, B

RT2 is used to populate MAC tables and suppress ARP.

Why this answer

EVPN Route Type 2 advertises MAC and IP addresses. Options A and C are correct. Option B is wrong because RT2 does not include ESI.

Option D is wrong because RT2 is not used for aliasing. Option E is wrong because it is used for host mobility.

257
Multi-Selecthard

Which THREE characteristics apply to the BGP-LS (BGP Link State) protocol?

Select 3 answers
A.It supports only IS-IS, not OSPF.
B.It uses a separate address family from VPNv4.
C.It distributes link-state information from IGPs like OSPF and IS-IS.
D.It uses BGP as the transport protocol.
E.It carries traffic-engineering parameters in the NLRI.
AnswersB, C, D

BGP-LS uses AFI 16388, SAFI 71.

Why this answer

BGP-LS uses a separate address family (AFI 16388 / SAFI 71) from VPNv4 (AFI 1 / SAFI 128) to carry link-state information. This separation allows BGP-LS to operate independently from VPNv4 routes, enabling the collection and distribution of IGP topology data without interfering with MPLS VPN signaling.

Exam trap

Cisco often tests the misconception that BGP-LS only supports IS-IS (Option A) or that TE parameters are carried in the NLRI (Option E), when in fact BGP-LS supports both OSPF and IS-IS, and TE attributes are carried as sub-TLVs within the BGP-LS path attribute, not directly in the NLRI.

258
MCQmedium

A service provider is deploying MPLS L3VPN to connect multiple customer sites. The PE router receives a route from a CE router via MP-BGP. Which attribute must the PE router add to the route before advertising it to the route reflector?

A.MPLS label
B.Route distinguisher (RD)
C.Route target (RT)
D.IGP metric
AnswerB

RD makes the customer prefix unique across the MPLS VPN backbone.

Why this answer

When a PE router receives a customer route from a CE router via MP-BGP, it must first make the route unique within the MPLS VPN context by adding a Route Distinguisher (RD). The RD prepended to the IPv4 prefix creates a VPNv4 address (per RFC 4364), which is the format required for advertisement to a route reflector. Without the RD, the route would not be distinguishable from other customers' overlapping IP prefixes in the BGP table.

Exam trap

Cisco often tests the distinction between RD and RT, where candidates mistakenly think RT is required for route advertisement to the route reflector, but the RD is the attribute that makes the route globally unique in the VPNv4 address family.

How to eliminate wrong answers

Option A is wrong because the MPLS label is added by the PE router during label allocation for the VPN route, but it is not an attribute added before advertising to the route reflector; the label is part of the NLRI in the MP-BGP update, not a separate attribute. Option C is wrong because the Route Target (RT) controls route import/export between VRF instances and is attached to the route, but it is not required for the route to be advertised to the route reflector; the RD is the mandatory attribute for VPNv4 address uniqueness. Option D is wrong because the IGP metric is a routing metric used within the IGP (e.g., OSPF or IS-IS) and is not added by the PE router to MP-BGP VPNv4 updates; BGP uses MED or local preference for path selection, not IGP metrics.

259
Multi-Selecteasy

Which TWO MPLS VPN features are used to provide Layer 3 VPN services in a service provider network?

Select 2 answers
A.LDP
B.VRF
C.MPLS labels
D.RSVP-TE
E.MP-BGP
AnswersC, E

MPLS labels are used to encapsulate and forward VPN traffic across the provider core.

Why this answer

MP-BGP (Option E) is used to exchange VPNv4 routes between Provider Edge (PE) routers, carrying both the route and its corresponding MPLS label. MPLS labels (Option C) are used to forward packets across the provider core via label-switched paths (LSPs), enabling the separation of customer traffic. Together, MP-BGP and MPLS labels form the foundation of Layer 3 MPLS VPN services.

Exam trap

Cisco often tests the distinction between the control plane protocols (MP-BGP) and data plane mechanisms (MPLS labels) versus supporting protocols like LDP or RSVP-TE, leading candidates to mistakenly include LDP as a VPN service feature.

260
MCQhard

Refer to the exhibit. The router is configured as a route reflector for VPNv4. What is the requirement for the route reflector to propagate VPNv4 routes received from a client to other clients?

A.The route reflector must filter routes based on route-target communities
B.The route reflector must use the same cluster ID for all clients
C.The route reflector must include the originator ID attribute to prevent loops
D.The route reflector must set the next-hop to itself for all reflected routes
AnswerC

The originator ID identifies the original advertiser; the route reflector must not modify it.

Why this answer

The route reflector must have the originator ID and cluster ID set appropriately to avoid loops. Option A is correct because the originator ID ensures that routes from different clients are reflected correctly. Option B is wrong because the route reflector does not modify next-hop by default.

Option C is wrong because the RT is used for import/export, not propagation. Option D is wrong because the cluster ID prevents loops, but the originator ID is required for proper reflection.

261
MCQhard

A large SP plans to deploy SR-TE tunnels across the backbone using an SDN controller for path computation. To ensure fast convergence and scalability, which automation approach should be used for tunnel creation?

A.Static configuration on each router
B.PCEP with stateful delegation to controller
C.RSVP-TE tunnels
D.NetFlow-based path selection
E.SNMP traps
AnswerB

Stateful PCEP enables the controller to optimize and update SR-TE paths in real time, improving convergence.

Why this answer

PCEP with stateful delegation allows the controller to compute and update paths dynamically, providing fast convergence and scalability. Static configuration lacks automation, RSVP-TE is not SR-based, NetFlow is for monitoring, and SNMP traps are for alerts, not tunnel creation.

262
MCQeasy

An SP network engineer is designing a new segment routing traffic engineering deployment within a single IGP area. The network consists of 50 core routers running IS-IS and MPLS. The engineer needs to steer traffic from Router A to Router D over a path that avoids high latency links. Which technology should be used to define and instantiate the explicit path?

A.Use LDP to distribute labels and rely on IGP shortest path.
B.Set up a Path Computation Element (PCE) and delegate path computation.
C.Implement BGP LU to create an explicit path via local policies.
D.Configure an SR-TE policy with an explicit path using segment lists.
AnswerD

SR-TE policies provide explicit path steering via segment lists specifying nodes or adjacency SIDs.

Why this answer

Option A is correct: SR-TE policies with explicit paths allow steering traffic over a specific sequence of nodes or links using segment lists. Option B is wrong because PCE can be used but is not required for explicit paths; the policy can be configured locally. Option C is wrong because LDP is label distribution, not path steering.

Option D is wrong because BGP-LU distributes labels for BGP prefixes, not TE.

263
MCQmedium

A network administrator configures a class map to match VoIP traffic using 'match ip dscp ef' on a Cisco router. However, the QoS policy is not applying the expected marking to VoIP packets. What is a possible reason?

A.The policy is applied in the output direction instead of input.
B.The VoIP traffic is not marked with DSCP EF from the source.
C.The policy is applied to the wrong interface.
D.The class map uses the wrong match type.
AnswerB

If the source does not set DSCP EF, the match will fail and the traffic will not be classified.

Why this answer

Option B is correct because the 'match ip dscp ef' command in the class map checks the DSCP value already present in the incoming VoIP packets. If the source device (e.g., an IP phone) does not mark the packets with DSCP EF (46), the class map will not match, and the QoS policy will not apply the expected marking. The policy can only re-mark packets that are already matched by the class map.

Exam trap

Cisco often tests the misconception that a QoS policy can re-mark traffic regardless of the original packet markings, when in fact the class map must first match the existing DSCP value for the policy to take effect.

How to eliminate wrong answers

Option A is wrong because applying the policy in the output direction does not prevent matching on DSCP EF; the 'match ip dscp ef' command inspects the packet header regardless of direction, and marking policies can be applied in either direction as long as the match criteria are met. Option C is wrong because the policy being applied to the wrong interface would cause no traffic to be matched at all, but the question states the policy is not applying the expected marking to VoIP packets, implying the policy is present but not matching; the issue is with the match criteria, not the interface assignment. Option D is wrong because the class map uses the correct match type ('match ip dscp ef') for matching DSCP values; there is no alternative match type for DSCP in a class map that would be more appropriate.

264
MCQmedium

Which protocol is used to exchange label binding information in a classic MPLS network without Segment Routing?

A.LDP
B.OSPF
C.BGP
D.IS-IS
AnswerA

LDP is used for label distribution in classic MPLS.

Why this answer

LDP is the standard protocol for label distribution in classic MPLS. BGP can carry labels for inter-AS, but not primarily for IGP label binding. OSPF and IS-IS are IGPs.

265
MCQhard

Refer to the exhibit. An engineer makes a RESTCONF request to retrieve operational data for all interfaces, but the response shows only one interface. What is the most likely cause?

A.The interfaces are in different VRFs
B.The device does not support the YANG model
C.The request path includes a specific interface key, filtering the result
D.The engineer used the wrong HTTP method
E.The collector is not subscribed to telemetry
AnswerC

The path '/interface=GigabitEthernet0/0/0' selects only that interface; to get all, use '/interfaces'.

Why this answer

The request path includes '/interface=GigabitEthernet0/0/0', which filters the list to that specific interface. To retrieve all interfaces, the path should be '/interfaces' without the key. The YANG model is supported (200 OK), the HTTP method is correct, telemetry and VRFs are irrelevant.

266
MCQeasy

Which statement about the use of MTU in an MPLS network is correct?

A.MPLS adds a label stack to packets, reducing the payload MTU.
B.MPLS does not affect the MTU because labels are part of the header.
C.MTU must be increased on all MPLS interfaces.
D.MPLS eliminates the need for IP fragmentation.
AnswerA

The label overhead reduces available MTU for data.

Why this answer

Option C is correct. MPLS adds a label stack header, which reduces the effective MTU for payload. If the packet size exceeds the MTU of the outgoing interface after label imposition, fragmentation may be needed.

Option A is false because MPLS can fragment (though not always desirable); Option B is false because MTU is not automatically increased; Option D is false because MPLS adds overhead.

267
Multi-Selectmedium

A service provider is designing a BGP-based network. Which TWO are characteristics of BGP within a service provider core?

Select 2 answers
A.IBGP sessions require a full mesh or route reflectors to avoid routing loops
B.BGP MED attribute is mandatory for all routes
C.BGP uses the AS path for loop prevention in iBGP
D.BGP route reflectors always modify the AS path
E.BGP relies on an IGP for next-hop reachability within the AS
AnswersA, E

iBGP does not advertise routes learned from another iBGP peer to prevent loops; thus full mesh or RR is needed.

Why this answer

In a service provider core, BGP typically uses IBGP full mesh or route reflectors, and integrates with IGP for next-hop reachability. BGP loop prevention via AS path is relevant for eBGP, not iBGP. MED is used for influencing inbound traffic, but it is an optional attribute.

Route reflectors are common.

268
MCQhard

An engineer is configuring an MPLS L3VPN and needs to ensure that the PE router installs VPNv4 routes from a remote PE into the VRF of a customer. The remote PE sends a VPNv4 route with route-target 100:1. Which configuration on the local PE causes the route to be imported into the VRF?

A.router bgp 100 address-family ipv4 vrf CUSTOMER route-target import 100:1
B.vrf definition CUSTOMER rd 100:1 route-target both 100:1 route-map IMPORT
C.vrf definition CUSTOMER rd 100:1 route-target import 100:1
D.vrf definition CUSTOMER rd 100:1 route-target export 100:1
AnswerC

This imports routes with RT 100:1 into the VRF.

Why this answer

Option C is correct because the `route-target import 100:1` command under the VRF definition configures the local PE to accept VPNv4 routes that carry the specified route-target (100:1) from the remote PE. This import RT must match the export RT of the remote PE for the route to be installed into the VRF's routing table. The `rd 100:1` defines the route distinguisher, which is separate from the RT and ensures uniqueness of the VPNv4 prefix.

Exam trap

Cisco often tests the distinction between `route-target import` and `route-target export`, and the trap here is that candidates may select the export-only option (D) or misplace the RT command under BGP (A), failing to recognize that import must be explicitly configured under the VRF definition to receive routes from a remote PE.

How to eliminate wrong answers

Option A is wrong because the `route-target import 100:1` command is placed under `address-family ipv4 vrf CUSTOMER` within BGP, which is not a valid configuration; route-target import/export is configured under the VRF definition, not under the BGP address-family for the VRF. Option B is wrong because it uses the `route-target both 100:1 route-map IMPORT` syntax; while `route-target both` is valid, appending a route-map to the import/export RT statement is not supported in standard IOS/IOS-XE — route-maps can only be applied to `import` or `export` individually, not to `both`, and the syntax is incorrect. Option D is wrong because `route-target export 100:1` only configures the local PE to attach that RT to outgoing VPNv4 routes; it does not cause the import of incoming routes from the remote PE, which requires the `import` keyword.

269
MCQhard

A large service provider is migrating its L2VPN services (VPWS and VPLS) to EVPN-based solutions to improve scalability and support multi-homing. During the rollout for a customer using VLAN-based EVPN for a data center interconnect, the operations team notices frequent MAC address flapping and broadcast storms on one of the attachment circuits connected to a PE router. The PE is configured for EVPN-MPLS with ESI multihoming using all-active mode. The customer has two PEs (PE1 and PE2) connected to the same CE via two separate Ethernet links. The MAC table on PE1 shows the same MAC address alternating between the local AC interface and the remote EVPN peers. What is the most likely cause and the correct action to resolve this issue?

A.Implement ESI multihoming with per-flow load balancing to ensure consistent designated forwarder election.
B.Disable split-horizon on the local AC interface to allow MAC learning from the CE directly.
C.Enable selective multicast on the EVPN instance to reduce broadcast traffic.
D.Use MPLS encapsulation instead of VXLAN to avoid MAC address issues.
AnswerA

Proper ESI configuration and DF election prevent duplicate MACs and loops; per-flow load balancing can help but the key is correct ESI.

Why this answer

Option C is correct because in all-active multihoming, split-horizon is required to prevent loops, but if the ESI is misconfigured (e.g., different ESI on each PE), the designated forwarder (DF) election may fail, causing both PEs to forward traffic and create loops, leading to MAC flapping. Implementing ESI multihoming with per-flow load balancing (option C) is not a direct fix; the correct action is to ensure ESI values match and that split-horizon is enabled. However, the options are designed such that option C is the only one that addresses the root cause (incorrect ESI configuration).

Option A (disable split-horizon) would worsen the problem. Option B (enable selective multicast) is for multicast, not MAC flapping. Option D (use MPLS encapsulation instead of VXLAN) does not affect MAC learning loops.

Therefore, the correct answer is C.

270
MCQmedium

A network engineer is troubleshooting slow BGP convergence after a link failure in an MPLS core. Which feature can be enabled on the PE routers to fast-failover traffic upon BGP next-hop unreachability?

A.Route Reflector clustering
B.Bidirectional Forwarding Detection (BFD)
C.Local Preference manipulation
D.BGP Prefix Independent Convergence (PIC)
AnswerD

BGP PIC pre-installs backup paths for fast failover.

Why this answer

Option B is correct because BGP PIC (Prefix Independent Convergence) provides fast failover using backup paths. Option A is wrong because BFD is for fast detection, not convergence. Option C is wrong because Local Pref influences path selection, not convergence.

Option D is wrong because Route Reflectors reduce iBGP sessions, not failover speed.

271
MCQeasy

Which encapsulation technology is commonly used in service provider networks to separate subscriber traffic in an Ethernet aggregation network?

A.Q-in-Q (802.1ad)
B.VXLAN
C.802.1Q
D.MPLS
AnswerA

Double tagging separates subscriber from service VLAN.

Why this answer

Option B is correct because Q-in-Q (802.1ad) allows service providers to stack VLAN tags and separate subscriber traffic effectively. Option A is wrong because 802.1Q is a single VLAN tag. Option C is wrong because VXLAN is used in overlay networks, not typically in aggregation.

Option D is wrong because MPLS is not an encapsulation for Ethernet subscriber separation.

272
MCQeasy

A network engineer is using Cisco NSO to create a managed L3VPN service. After deploying the service, the engineer notices that the configuration on the devices is not being updated. What is the most likely cause?

A.The service model is not compiled.
B.The service has not been committed.
C.The device is not in the device list.
D.The sync-from command was not run.
AnswerB

In NSO, commit is required to push the configuration to devices; without it, the configuration remains in the candidate.

Why this answer

In NSO, services are committed to push configuration changes to devices. If the commit is not performed, the changes remain in the candidate database and are not applied. Other options are less likely given the symptom.

273
Multi-Selectmedium

Which two statements about MPLS label distribution are correct? (Choose two)

Select 2 answers
A.RSVP-TE allocates labels based on LDP.
B.LDP can establish sessions with non-directly connected neighbors using targeted LDP.
C.LDP uses the BGP next-hop as the label FEC.
D.LDP distributes labels for all IGP routes in the routing table.
E.TDP is the Cisco proprietary version of LDP.
AnswersB, D

Targeted LDP allows LDP sessions between non-adjacent routers.

Why this answer

LDP distributes labels for IGP routes and supports targeted sessions for non-directly connected neighbors. TDP is deprecated, RSVP-TE allocates labels for TE, and LDP uses IGP next-hop.

274
Multi-Selectmedium

Which THREE steps are required when configuring MPLS L3VPN on a PE router? (Choose three.)

Select 3 answers
A.Configure BGP on the CE router to advertise routes to PE
B.Create a VRF definition
C.Configure BGP address-family ipv4 vrf to exchange VPN routes
D.Configure route-target import/export using route-map
E.Assign the customer-facing interface to the VRF
AnswersB, C, E

The VRF must be created on the PE.

Why this answer

To configure MPLS L3VPN, you must: create a VRF (step A), assign an interface to the VRF (step B), configure BGP to exchange VPN routes (step C). Step D is optional (route-target export/import is done via route-map or configuration). Step E is done on CE, not PE.

275
MCQmedium

An engineer is designing an MPLS L3VPN for a customer with multiple sites. The customer requires overlapping IP addresses between sites. Which method allows the provider to support overlapping customer addresses?

A.Implement VPLS instead of L3VPN.
B.Use separate VRF per site with route distinguisher.
C.Use BGP communities to control route distribution.
D.Use the same VRF for all sites with different route targets.
AnswerB

Each VRF has its own routing table, and the RD makes routes globally unique even with overlapping IPs.

Why this answer

B is correct because a separate VRF per site with a unique route distinguisher (RD) allows the provider to maintain isolated routing tables for each customer site. This isolation enables overlapping IP addresses between sites, as each VRF treats its prefixes as unique within the MPLS L3VPN backbone, regardless of address duplication.

Exam trap

Cisco often tests the misconception that route targets alone solve overlapping address issues, but the trap here is that route targets control route propagation, not address uniqueness—only the route distinguisher (RD) within a VRF provides the necessary prefix uniqueness.

How to eliminate wrong answers

Option A is wrong because VPLS is a Layer 2 VPN technology that provides Ethernet multipoint connectivity, not IP routing; it does not inherently support overlapping IP addresses without additional mechanisms like VLAN segmentation. Option C is wrong because BGP communities control route distribution and policy (e.g., filtering or preference), but they do not create separate routing tables or address space isolation required for overlapping IPs. Option D is wrong because using the same VRF for all sites with different route targets would merge routes into a single routing table, causing conflicts with overlapping addresses; route targets control import/export policies, not address uniqueness.

276
Multi-Selecthard

Which THREE YANG data nodes are part of the Cisco-IOS-XR-qos-ma-cfg module for defining a QoS policy-map? (Choose three.)

Select 3 answers
A.class
B.urn:cisco:params:xml:ns:yang:Cisco-IOS-XR-qos-ma-cfg
C.shape
D.police
E.interface
AnswersA, C, D

Correct: The 'class' node groups match and actions.

Why this answer

Option A is correct because the 'class' YANG data node is defined in the Cisco-IOS-XR-qos-ma-cfg module to specify a traffic class within a QoS policy-map. This node allows you to associate a class-map with the policy, enabling differentiated treatment of traffic based on classification criteria.

Exam trap

Cisco often tests the distinction between YANG data nodes and module metadata (like namespace URIs), tricking candidates into selecting the namespace as a valid data node when it is merely a module identifier.

277
Multi-Selecthard

A service provider is automating QoS policy deployment using Cisco NSO and YANG. During validation, the engineer discovers that the pushed policy is not taking effect. Which three possible causes should be investigated? (Choose three.)

Select 3 answers
A.The device has a feature license missing for QoS
B.The device does not support the YANG model used
C.The policy was applied to a subinterface but the YANG path specifies a main interface
D.The NETCONF transaction was not committed
E.The policy-map name conflicts with an existing one
AnswersB, C, D

If the device lacks the required YANG modules, the configuration push may succeed but the policy may not be effective.

Why this answer

Option B is correct because Cisco NSO uses YANG models to translate service definitions into device-specific CLI or NETCONF operations. If the target device does not support the YANG model referenced in the service package, the NETCONF or CLI operations will fail silently or produce no effect, as the device cannot interpret the configuration intent. This is a common validation failure when using model-driven orchestration with heterogeneous device populations.

Exam trap

Cisco often tests the distinction between a configuration that is accepted by the device (no commit errors) versus one that actually takes effect, trapping candidates who assume a successful commit means the policy is active.

278
MCQeasy

A service provider wants to ensure that customer traffic is not impacted during a planned maintenance on a core LSR in an MPLS network. Which MPLS feature should be used?

A.MPLS TE Fast Reroute
B.MPLS TTL propagation
C.MPLS LDP synchronization
D.MPLS OAM
AnswerA

FRR provides sub-50ms protection by pre-computing backup paths.

Why this answer

MPLS TE Fast Reroute (FRR) is the correct feature because it provides local protection against link or node failures by pre-computing backup paths (bypass tunnels) that are activated within 50 milliseconds of a failure. This ensures that customer traffic is not impacted during planned maintenance on a core LSR, as the backup path is already in place and can be triggered by a manual administrative action (e.g., shutting down the interface) to seamlessly redirect traffic before the maintenance begins.

Exam trap

The trap here is that candidates often confuse MPLS TE FRR with MPLS LDP synchronization or MPLS OAM, mistakenly thinking that any 'protection' or 'monitoring' feature can handle planned maintenance, when only FRR provides the sub-50 ms local repair capability required for hitless maintenance.

How to eliminate wrong answers

Option B (MPLS TTL propagation) is wrong because it controls how the TTL field is copied between the IP and MPLS headers for traceroute and hop-count visibility, and it has no role in traffic protection or maintenance scenarios. Option C (MPLS LDP synchronization) is wrong because it ensures that IGP and LDP are synchronized to prevent black-holing during link restoration, but it does not provide fast local protection or pre-computed backup paths for planned maintenance. Option D (MPLS OAM) is wrong because it is a set of tools for fault detection, connectivity verification, and performance monitoring (e.g., LSP ping/traceroute, VCCV), not a mechanism to reroute traffic during maintenance.

279
MCQeasy

A network engineer needs to automate configuration of multiple Cisco routers and wants to use a protocol that supports both datastore operations and selective retrieval of configuration. Which protocol should be used?

A.SNMPv3
B.gRPC
C.NETCONF
D.OpenFlow
E.RESTCONF
AnswerC

NETCONF supports full datastore operations and selective retrieval using XPath filters.

Why this answer

NETCONF is designed for configuration management with operations like get-config, edit-config, etc., and supports selective retrieval via filters. RESTCONF is simpler but less comprehensive. SNMPv3 is for monitoring, not configuration. gRPC is primarily for streaming telemetry.

OpenFlow is for SDN forwarding.

280
Multi-Selectmedium

Which two are requirements for deploying Segment Routing in a service provider network? (Choose two.)

Select 2 answers
A.TE tunnels must be configured
B.IGP supporting segment routing (OSPF or IS-IS)
C.LDP must be enabled
D.All routers must run BGP
E.MPLS forwarding
AnswersB, E

The IGP must support SR extensions.

Why this answer

Segment Routing requires MPLS forwarding and an IGP that supports segment routing (OSPF or IS-IS). LDP is not required, BGP is not required for core, and TE tunnels are not mandatory.

281
MCQhard

An engineer is troubleshooting BGP convergence. The router has multiple paths for a prefix, but it selects a path with a lower local preference over a path with a higher local preference. The higher local preference path is from an EBGP peer. What could cause this?

A.The router is configured with 'bgp deterministic-med'.
B.The path with lower local preference has a higher weight.
C.The path with lower local preference has a higher router ID.
D.The path with lower local preference has a lower MED.
AnswerB

Correct. Weight is checked before local preference.

Why this answer

Option D is correct because if the router is configured with 'bgp bestpath compare-routerid', the router ID can override local preference if all other attributes are equal? No, local preference is compared before router ID. Actually, weight is compared first. If the lower local preference path has a higher weight, it wins.

So option A (weight) is also plausible. But we need to be specific: The scenario says lower local preference is chosen over higher local preference. The only way is if weight is higher on the lower local preference path.

So option A is correct. But we also have option D: 'The router was configured with 'bgp deterministic-med'? That affects MED comparison, not local preference. So let's rethink: Actually, weight is compared first.

So if the lower local preference path has a higher weight, it will be chosen. So correct is A. But we need to vary positions.

Let's set correct as A. But we have A already used in Q1, Q6. Let's change Q9 to correct B? Let's use 'The router has a higher weight on the lower local preference path' as B.

So correct B. Alternatively, we can make the correct answer 'The path with lower local preference was received from a peer with a higher weight' which is B. So set B as correct.

Options: A: The router has a lower MED on that path. B: The router has a higher weight on that path. C: The router has a higher router ID on that path.

D: The router has 'bgp deterministic-med' enabled. Correct: B.

282
MCQeasy

A network engineer is designing an MPLS core using Segment Routing. They want to minimize label stack depth while still providing fast convergence using TI-LFA. Which prefix-SID assignment strategy should be used?

A.Assign a node-SID to each loopback interface
B.Use per-interface label mode from SRGB
C.Allocate labels per-VRF on PE routers
D.Advertise prefix-SIDs for all IGP prefixes
AnswerD

Prefix-SIDs enable TI-LFA with minimal label depth.

Why this answer

Option D is correct because advertising prefix-SIDs for all IGP prefixes allows TI-LFA to compute backup paths using any prefix in the network, not just loopbacks. This minimizes label stack depth by enabling TI-LFA to use a single prefix-SID for the repair path, avoiding the need for additional labels or explicit path constructs. Fast convergence is achieved because TI-LFA precomputes a backup next-hop that can be activated immediately upon failure, and having all prefixes as SIDs ensures the backup path can be expressed with minimal label imposition.

Exam trap

Cisco often tests the misconception that node-SIDs (loopbacks) are sufficient for TI-LFA, but the trap is that TI-LFA requires prefix-SIDs for all prefixes to achieve optimal label stack depth and fast convergence, as node-SIDs alone may force deeper stacks or suboptimal backup paths.

How to eliminate wrong answers

Option A is wrong because assigning a node-SID only to loopback interfaces restricts TI-LFA to using only those loopback addresses as repair targets, which may force deeper label stacks or suboptimal backup paths when the failure involves a non-loopback prefix. Option B is wrong because per-interface label mode from SRGB is used for adjacency-SIDs, not for prefix-SIDs, and TI-LFA relies on prefix-SIDs for fast reroute; adjacency-SIDs would increase label stack depth and are not designed for TI-LFA's loop-free alternate computation. Option C is wrong because per-VRF label allocation on PE routers is a BGP/MPLS VPN concept unrelated to Segment Routing prefix-SID assignment and does not affect TI-LFA convergence or label stack depth in the MPLS core.

283
MCQhard

In a VXLAN EVPN deployment, a host sends a broadcast ARP request. Which component in the fabric is responsible for replying on behalf of the target host to reduce flooding?

A.The VTEP that receives the broadcast
B.The spine switch
C.The VTEP that has the target host's MAC address in its local table (ARP suppression)
D.The default gateway (anycast IP)
AnswerC

ARP suppression allows VTEP to proxy-reply.

Why this answer

In VXLAN EVPN, ARP suppression is a feature implemented on the ingress VTEP (the VTEP that receives the broadcast ARP request). The ingress VTEP maintains a local ARP/ND cache populated via EVPN Type-2 routes (MAC/IP advertisement routes). When a broadcast ARP request arrives, the ingress VTEP checks its local cache for the target IP; if found, it replies directly on behalf of the target host, suppressing the broadcast and preventing unnecessary flooding across the fabric.

Option C correctly identifies this VTEP as the component responsible for the reply.

Exam trap

Cisco often tests the misconception that the spine switch or the default gateway handles ARP suppression, when in fact it is the ingress VTEP that performs this function using its locally cached EVPN-learned MAC/IP entries.

How to eliminate wrong answers

Option A is wrong because the VTEP that receives the broadcast is the ingress VTEP, which performs ARP suppression only if it has the target host's MAC address in its local table; it does not automatically reply simply because it received the broadcast. Option B is wrong because spine switches in a VXLAN EVPN fabric operate as pure IP underlay routers (typically running an IGP like OSPF or IS-IS) and do not participate in the overlay control plane or maintain ARP caches for tenant hosts. Option D is wrong because the default gateway (anycast IP) is used for routing traffic between subnets, not for replying to intra-subnet ARP requests; ARP suppression is a function of the VTEP, not the gateway.

284
MCQmedium

An SP is deploying Inter-AS MPLS VPN option B. Which design characteristic is unique to Option B compared to Option A?

A.ASBRs exchange VPNv4 routes directly via MP-EBGP
B.Requires a full mesh of MP-IBGP sessions between all PEs
C.ASBRs maintain separate VRF for each VPN
D.Traffic is forwarded using IP, not MPLS
AnswerA

Option B uses MP-EBGP between ASBRs to exchange VPNv4 routes.

Why this answer

Option B uses VPNv4 exchange between ASBRs without VRF, while Option A uses VRF-to-VRF. Option D is correct. Option A is wrong because Option B does not require VRF on ASBR.

Option B is wrong because MPLS is required. Option C is wrong because full mesh is not required in Option B.

285
Multi-Selecteasy

A network engineer is designing a new MPLS core. Which three of the following are recommended best practices for MPLS LDP configuration? (Choose three.)

Select 3 answers
A.Use explicit null label for BGP prefixes
B.Set the LDP session holdtime to 180 seconds
C.Enable LDP authentication using MD5
D.Enable LDP on all core interfaces
E.Configure label filtering to limit label distribution
AnswersC, D, E

LDP authentication protects against spoofing and is a security best practice.

Why this answer

Enabling LDP on all core interfaces (A), configuring label filtering (C) for security, and enabling LDP authentication (D) are best practices. Explicit null (B) is not a default best practice; holdtime (E) is default 180 seconds and not a specific best practice.

286
Multi-Selectmedium

Which TWO QoS mechanisms are used to provide congestion avoidance? (Choose two.)

Select 2 answers
A.Policing
B.RED
C.CBWFQ
D.LLQ
E.WRED
AnswersB, E

RED (Random Early Detection) is a congestion avoidance mechanism.

Why this answer

RED (Random Early Detection) and WRED (Weighted Random Early Detection) are congestion avoidance mechanisms that proactively drop packets before a queue becomes full, signaling TCP senders to reduce their transmission rate. Unlike congestion management tools (like CBWFQ or LLQ) that queue packets during congestion, RED/WRED monitor average queue depth and drop packets probabilistically to prevent tail drops and global TCP synchronization.

Exam trap

Cisco often tests the distinction between congestion management (queuing/scheduling) and congestion avoidance (active queue management), so the trap here is that candidates confuse mechanisms like CBWFQ or LLQ (which manage congestion after it occurs) with RED/WRED (which avoid congestion by dropping packets early).

287
MCQhard

In a Carrier Supporting Carrier (CSC) architecture, which condition is necessary for the customer carrier's BGP routes to be carried over the provider carrier's MPLS backbone?

A.The BGP next-hop on the customer carrier's routes must be reachable via IGP in the provider carrier.
B.The provider carrier's VRF must have the route-target matching the customer carrier's.
C.The provider carrier must be in the same AS as the customer carrier.
D.The customer carrier must use LDP for label distribution.
AnswerA

For the provider carrier to switch MPLS packets, the BGP next-hop must be reachable via the IGP and have a label binding.

Why this answer

Option D is correct because in CSC, the customer carrier's BGP next-hop must be reachable via the provider carrier's IGP for label switching to work. Option A is wrong because AS numbers can be different; the provider carrier treats the customer carrier as a VPN. Option B is wrong because LDP is used for label distribution in the customer carrier's network, but it's not a condition for the provider carrier.

Option C is wrong because the route-target is used for VPN route import/export, but CSC does not necessarily require a VRF on the provider carrier if using BGP-free core.

288
MCQhard

In an MPLS L3VPN network, a customer has overlapping IP addresses between two VPNs. The provider edge routers are configured with VRF instances. Which method ensures that traffic from one VPN does not leak into the other when using MPLS labels?

A.Assign different MPLS label ranges to each VRF.
B.Apply BGP community strings to filter routes.
C.Use distinct route targets for import and export per VRF.
D.Configure different route distinguishers for each VPN.
AnswerC

RTs control which routes are imported into a VRF, preventing leakage.

Why this answer

The correct method is to import/export route targets correctly to keep VPN routes separate. Option A is incorrect because route distinguishers only make routes unique, they don't prevent leaking. Option C is incorrect because label allocation is per VRF, but leaking occurs due to route import policies.

Option D is incorrect because BGP communities are used for route filtering, but RT is the standard mechanism.

289
MCQmedium

Which BGP extended community is used to signal the OSPF domain ID between PE routers in an MPLS L3VPN when OSPF is the PE-CE protocol?

A.Site of Origin
B.OSPF Domain ID
C.OSPF Route Type
D.Route Target
AnswerB

This community specifically carries the OSPF domain ID.

Why this answer

In an MPLS L3VPN where OSPF is the PE-CE protocol, the OSPF Domain ID extended community is used to signal the OSPF domain identifier between PE routers. This allows the receiving PE to determine whether the OSPF route originated from the same OSPF domain (and thus should be redistributed as an intra-area or inter-area route) or from a different domain (requiring a Type 5 LSA). The OSPF Domain ID is carried as a BGP extended community (type 0x0005 or 0x8005) and is critical for maintaining OSPF route type semantics across the MPLS backbone.

Exam trap

Cisco often tests the confusion between the OSPF Domain ID and the OSPF Route Type extended communities, where candidates mistakenly think the Route Type carries the domain information, but in reality the Route Type only encodes the OSPF path type and metric, while the Domain ID identifies the originating OSPF domain.

How to eliminate wrong answers

Option A is wrong because the Site of Origin (SoO) extended community is used to prevent routing loops in MPLS L3VPN environments, not to signal the OSPF domain ID. Option C is wrong because the OSPF Route Type extended community carries the OSPF route type (e.g., intra-area, inter-area, external) and the metric type, but it does not convey the domain identifier. Option D is wrong because the Route Target extended community controls VPN route import/export between VRF instances and has no role in signaling OSPF domain identity.

290
MCQmedium

Refer to the exhibit. An engineer is troubleshooting packet loss in the MPLS core. For prefix 10.3.3.0/24, the outgoing label is 'Untagged'. What does this indicate?

A.The packet will have an implicit null label (label 3) imposed
B.The prefix is not reachable and packets will be dropped
C.The outgoing label is the same as the local label (label 18)
D.No MPLS label is being imposed on outgoing packets for this prefix
AnswerD

Untagged means no label.

Why this answer

When the outgoing label for a prefix in the MPLS forwarding table shows 'Untagged', it means that for packets destined to that prefix, no MPLS label is imposed. The router will forward the packet as a standard IP packet (without an MPLS header) out the egress interface. This typically occurs when the next-hop router has signaled an implicit null label (label 3) via LDP, instructing the upstream router to pop the label stack and send the packet as IP.

Exam trap

Cisco often tests the distinction between 'Untagged' (meaning no label is imposed, typically due to PHP with implicit null) and 'Pop' (which explicitly indicates the label is removed), leading candidates to confuse the two or incorrectly associate 'Untagged' with unreachability.

How to eliminate wrong answers

Option A is wrong because an implicit null label (label 3) causes the upstream router to pop the top label and forward the packet without any label, not to impose label 3. Option B is wrong because 'Untagged' does not indicate unreachability; the prefix is reachable and packets are forwarded as IP. Option C is wrong because the outgoing label being the same as the local label (label 18) would be described as 'Pop' or 'Implicit Null', not 'Untagged'.

291
MCQmedium

A service provider is deploying EVPN-MPLS for L2VPN services. The customer requires that MAC addresses learned from one PE are not advertised to other PEs unless they are active. Which EVPN route type is used for MAC address withdrawal?

A.Route Type 5: IP Prefix
B.Route Type 1: Ethernet Auto-Discovery (A-D)
C.Route Type 2: MAC/IP Advertisement
D.Route Type 3: Inclusive Multicast Ethernet Tag
AnswerC

MAC addresses are advertised in Type 2 routes; withdrawal is done by withdrawing the route.

Why this answer

Option C is correct because EVPN Route Type 2 (MAC/IP Advertisement) carries both MAC addresses and their associated IP addresses, and it supports a 'sticky' or 'withdraw' mechanism via the BGP Withdraw message. When a MAC address becomes inactive on a PE, the PE sends a BGP Withdraw for the specific Route Type 2 route, effectively removing that MAC from the control plane of other PEs. This ensures that only active MAC addresses are advertised, meeting the customer requirement.

Exam trap

Cisco often tests the distinction between Route Type 2 for individual MAC withdrawal and Route Type 1 for mass Ethernet segment withdrawal, leading candidates to confuse the two when the question specifies 'MAC addresses learned from one PE' rather than a segment-level failure.

How to eliminate wrong answers

Option A is wrong because Route Type 5 (IP Prefix) is used for inter-subnet forwarding (EVPN-VPN) to advertise IP prefixes, not for MAC address withdrawal. Option B is wrong because Route Type 1 (Ethernet Auto-Discovery) is used for mass withdrawal of all MAC addresses associated with an Ethernet segment (e.g., during link failure) or for aliasing/backup paths, not for individual MAC address withdrawal. Option D is wrong because Route Type 3 (Inclusive Multicast Ethernet Tag) is used to advertise multicast tunnel endpoints for BUM traffic, not for MAC address withdrawal.

292
MCQhard

A network operator is deploying Segment Routing with TI-LFA across an OSPF network. After configuring OSPF with 'segment-routing mpls' and 'fast-reroute per-prefix', they notice that backup paths are not being installed for some prefixes. 'Show ip ospf segment-routing protected' shows 'No FRR backup' for those prefixes. What is a possible reason?

A.LDP label distribution is still active
B.The prefix-SID index is not globally unique
C.OSPF does not support TI-LFA for per-prefix prefixes
D.Adjacency-SIDs are not configured on neighboring routers
AnswerD

TI-LFA uses adjacency-SIDs to create the repair path.

Why this answer

Option D is correct because TI-LFA (Topology Independent Loop-Free Alternate) for per-prefix fast-reroute in OSPF requires that adjacency-SIDs be configured on neighboring routers. Without adjacency-SIDs, OSPF cannot compute the necessary repair paths to provide backup protection, resulting in 'No FRR backup' for those prefixes.

Exam trap

Cisco often tests the misconception that TI-LFA works automatically with just 'fast-reroute per-prefix', when in fact adjacency-SIDs are a prerequisite for the repair path computation in OSPF.

How to eliminate wrong answers

Option A is wrong because LDP label distribution being active does not prevent OSPF from installing TI-LFA backup paths; OSPF Segment Routing and LDP can coexist, and the issue is specifically about SR-TI-LFA operation. Option B is wrong because a non-globally unique prefix-SID index would cause label conflicts or forwarding issues, but it would not prevent the installation of backup paths via TI-LFA; the 'No FRR backup' output indicates a failure in repair path computation, not a label allocation problem. Option C is wrong because OSPF does support TI-LFA for per-prefix prefixes when properly configured with adjacency-SIDs; the statement that OSPF does not support it is incorrect.

293
MCQmedium

A service provider is deploying MPLS L3VPN and wants to ensure that routes from a specific customer VRF are only advertised to a specific remote PE. Which mechanism should be used?

A.Applying a route-map to the VRF export statement
B.Configuring a separate VPNv4 address-family for that PE
C.Using a unique route-distinguisher per VRF
D.Setting the next-hop-self on the PE
AnswerA

Correct. A route-map on export can filter routes before they are advertised to other PEs via VPNv4.

Why this answer

Option B is correct because a route-map on the VRF export can filter which routes are advertised into VPNv4. Option A is incorrect as RD does not filter advertisements. Option C is incorrect because VPNv4 address-family is shared among PEs.

Option D is incorrect as next-hop-self does not control route advertisement.

294
MCQeasy

A service provider is migrating from a legacy MPLS network using LDP to Segment Routing (SR-MPLS). They have enabled SR on all routers and are using IS-IS. The migration plan is to keep LDP running alongside SR during the transition. After enabling SR, some traffic is being forwarded using the SR path, but the network operator notices that some CEs in an L2VPN are experiencing packet loss during failover scenarios. Troubleshooting shows that the primary pseudowire is using SR labels, but the backup pseudowire is still using LDP labels. The backup path is not working correctly. What is the most likely cause?

A.The backup path uses a different IGP metric
B.The backup pseudowire is still using LDP labels and the LDP session for the backup path is down
C.The MTU on the backup path is smaller than on the primary
D.The prefix-SID for the remote PE is missing in the SR-TE database
AnswerB

If LDP sessions are down for the backup path, the backup pseudowire cannot use SR labels, leading to packet loss.

Why this answer

During coexistence of LDP and SR, there might be a mismatch in label switching. The backup pseudowire might be using LDP labels that are not consistent with the SR forwarding plane. The most likely cause is that the backup path is not properly programmed to use SR labels, or the LDP session for the backup path is down.

The correct action is to ensure that the pseudowire's backup signaling is using the same transport mechanisms as the primary, or to disable LDP gradually.

295
MCQhard

A service provider is experiencing intermittent multicast issues in their core network. They use PIM-SM with a static RP at 10.1.1.1. The multicast traffic originates from a source connected to PE1 and is received by customers connected to PE2. Recently, after a firewall upgrade between the PE routers and the core, some multicast streams stopped working, while others continue. The network team notices that 'show ip mroute' on PE2 shows the (*, G) entry but not the (S, G) entry for the affected groups. The RP is reachable via OSPF. The firewall logs show no dropped packets for known multicast addresses. Which action should the engineer take to restore full multicast forwarding?

A.Increase the PIM register suppression interval on the source's first-hop router
B.Configure a static RP at the customer site (PE2) to bypass the firewall for registration traffic
C.Change the multicast mode from PIM-SM to PIM-DM on all interfaces
D.Enable Auto-RP on the network to dynamically learn the RP
AnswerB

A static RP on PE2 ensures that the source's registration reaches the RP even if the firewall blocks unicast PIM register messages. This allows the (S,G) to be formed.

Why this answer

Option B is correct. The firewall upgrade likely blocked PIM register messages from PE1 to the RP, preventing the RP from learning about the source. By configuring a static RP on the customer-facing interface or using a different RP that can receive registration, the (S,G) state can be built.

Option A is wrong because PIM-SM is correct for sparse-mode groups. Option C is wrong because adjusting timers would not fix the absence of (S,G). Option D is wrong because Auto-RP would add complexity and might be blocked by the firewall as well.

296
MCQhard

A service provider operates a large MPLS VPN network using OSPF as the IGP and LDP for label distribution. The PE routers (PE1, PE2, PE3) are connected to a core of P routers. Recently, a new link was added between P2 and P3. After the link came up, the engineering team noticed that several VPN routes that were previously reachable via PE2 are now being blackholed when traffic is sent from PE1 to those prefixes. The teams verify that the VPNv4 routes are present in the BGP table on PE1 with valid next-hops, but traffic fails. The traceroute from PE1 to the CE behind PE2 stops at P2. The show mpls forwarding-table on P2 shows the correct label for the VPN prefix, but the outgoing interface is null. Which action should the engineer take to resolve the issue without causing additional disruption?

A.Clear LDP neighbor sessions on P2 to re-initiate label exchange.
B.Add a static route on P2 for the BGP next-hop pointing to Null0.
C.Shut down the new link between P2 and P3.
D.Clear BGP sessions on PE1 to force re-advertisement of VPN routes.
AnswerA

Correct. This forces LDP to re-establish and exchange labels, likely resolving the missing label.

Why this answer

The issue is that P2 has a label for the VPN prefix but a null outgoing interface, indicating an LDP label mapping problem. Clearing LDP neighbor sessions on P2 forces re-establishment of LDP sessions and re-exchange of label bindings, which should resolve the missing or incorrect label mapping for the BGP next-hop without disrupting other services.

Exam trap

Cisco often tests the misconception that clearing BGP sessions (Option D) fixes MPLS forwarding issues, but the real problem is at the LDP label distribution layer, not the BGP VPN route advertisement.

How to eliminate wrong answers

Option B is wrong because adding a static route to Null0 for the BGP next-hop would blackhole all traffic to that next-hop, worsening the issue. Option C is wrong because shutting down the new link between P2 and P3 is a disruptive workaround that does not address the root cause (LDP label inconsistency) and may cause routing loops or suboptimal paths. Option D is wrong because clearing BGP sessions on PE1 would only re-advertise VPN routes but does not fix the underlying MPLS label forwarding issue on P2; the VPNv4 routes are already present with valid next-hops in BGP.

297
MCQhard

A network engineer is automating BGP configuration using the Cisco IOS-XE YANG model. They want to enable the 'always-compare-med' feature under BGP. Which XPath expression correctly targets this leaf?

A./bgp/global/always-compare-med
B./native/router/bgp/scope/global/always-compare-med
C./native/router/bgp/always-compare-med
D./router/bgp/global/always-compare-med
AnswerB

Correct path according to Cisco IOS-XE YANG model.

Why this answer

Option B is correct because the Cisco IOS-XE native YANG model (urn:cisco:params:xml:ns:yang:cisco-native) structures BGP configuration under /native/router/bgp/scope/global/always-compare-med. The 'scope' container is required to differentiate between global and VRF-specific BGP settings, and 'always-compare-med' is a leaf within the global scope. This path accurately reflects the hierarchical model used by Cisco for BGP automation.

Exam trap

Cisco often tests the exact hierarchical path in the native YANG model, and the trap here is that candidates assume a simplified path like /bgp/global/always-compare-med or forget the mandatory 'scope' container, leading them to choose an incomplete or incorrect XPath expression.

How to eliminate wrong answers

Option A is wrong because /bgp/global/always-compare-med does not match the Cisco IOS-XE native YANG model; the root must be /native/router/bgp and the 'scope' container is mandatory. Option C is wrong because /native/router/bgp/always-compare-med omits the 'scope/global' container, which is required to correctly target the global BGP configuration leaf. Option D is wrong because /router/bgp/global/always-compare-med lacks the /native root and the 'scope' container, and does not follow the Cisco native YANG model structure.

298
MCQhard

An MPLS network is experiencing micro-loops during convergence after a link failure. The network uses LDP and IS-IS as IGP. Which of the following solutions can prevent micro-loops during IGP convergence without requiring additional protocols?

A.Implement MPLS-TE FRR using bypass tunnels.
B.Enable BGP PIC (Prefix Independent Convergence).
C.Configure LFA (Loop-Free Alternate) on the IGP.
D.Deploy RSVP-TE with fast-reroute.
AnswerC

LFA computes backup paths that avoid loops during convergence.

Why this answer

Loop-free alternates (LFA) provide fast convergence and micro-loop avoidance. Option B is incorrect because BGP PIC is for BGP convergence. Option C is incorrect because RSVP-TE is separate.

Option D is incorrect because MPLS-TE FRR is for RSVP-TE tunnels.

299
MCQmedium

A service provider is deploying MPLS L2VPN using Virtual Private Wire Service (VPWS). After configuration, the two CEs cannot ping each other. The PE routers show the xconnect interface is up, but no MAC addresses are learned. What is the most likely cause?

A.The MTU on the core links is less than 1500
B.The control word is enabled on one PE but not the other
C.The VC ID mismatch between the two PEs
D.The encapsulation type on the AC is different on the two PEs
AnswerC

VC ID must match for the pseudowire to be established.

Why this answer

If the attachment circuit (AC) is up but no MAC learning occurs, the issue is likely that the MPLS core LSP is not available for the pseudowire. The pseudowire status may be down due to LSP issues. VC ID mismatch would cause the pseudowire to not come up.

MTU or encapsulation issues would show errors.

300
Multi-Selectmedium

A service provider is troubleshooting an L2VPN where a CE is unable to ping the remote CE. The PE-CE interfaces are up, and the pseudowire status shows 'up'. Which two actions should be taken to further isolate the issue? (Choose two.)

Select 2 answers
A.Check the MAC address table on the CE
B.Check the LDP session between PEs
C.Verify the VFI configuration on the PE
D.Verify the VC ID match on both PEs
E.Verify the MTU consistency on the pseudowire
AnswersD, E

Mismatched VC IDs can cause traffic to be dropped despite pseudowire being up.

Why this answer

VC ID mismatch (A) and MTU inconsistency (C) are common causes when pseudowire is up but traffic fails. LDP session (B) is already up because pseudowire is up. MAC address table (D) is not relevant for point-to-point L2VPN.

VFI (E) is for VPLS, not point-to-point.

Page 3

Page 4 of 7

Page 5

All pages