Cisco SPCOR / CCNP Service Provider Core 350-501 (350-501) — Questions 301375

500 questions total · 7pages · All types, answers revealed

Page 4

Page 5 of 7

Page 6
301
Multi-Selecteasy

Which TWO are characteristics of Segment Routing (SR-MPLS)? (Choose two.)

Select 2 answers
A.It relies on source routing
B.It requires a centralized controller for traffic engineering
C.It forwards packets based on destination IP address at each hop
D.It requires MPLS LDP for label distribution
E.It supports both MPLS and IPv6 data planes
AnswersA, E

SR performs source routing by encoding the path as a segment list.

Why this answer

Segment Routing uses source routing where the source specifies the path as a list of segments. It does not require LDP or RSVP-TE. It can use both MPLS and IPv6 data planes.

Option C is wrong because SR does not require a centralized controller by default (though it can be used with one). Option D is wrong because SR allows intermediate nodes to forward based on the top segment, not IP address.

302
MCQmedium

A service provider is migrating from LDP to Segment Routing in its MPLS core. The team has enabled IS-IS as the IGP and configured segment routing under the IS-IS process on all core routers. However, after the migration, some LSPs are not being signaled correctly and traffic is blackholing. Which action should be taken to ensure seamless interworking between LDP and SR during the migration?

A.Configure 'segment-routing mpls sr-prefer' under the IS-IS process.
B.Change the IGP to OSPF with segment routing enabled.
C.Remove the 'mpls ldp' configuration from all routers that have SR enabled.
D.Enable 'mpls ldp igp sync' on the IGP interfaces.
AnswerA

This ensures the router prefers SR labels but still allocates LDP labels for backward compatibility.

Why this answer

Option C is correct because during migration, both LDP and SR need to signal the same labels. The 'segment-routing mpls sr-prefer' command tells the router to prefer SR labels but still maintain LDP forwarding entries for fallback. Option A is incorrect because removing LDP globally would cause loss of LDP sessions for routers not yet SR-capable.

Option B is incorrect because 'mpls ldp igp sync' is for LDP-IGP synchronization, not SR-LDP interworking. Option D is incorrect because OSPF is not the IGP in use.

303
MCQmedium

In Segment Routing, what is the role of the 'Prefix-SID'?

A.It identifies a specific adjacency
B.It is used for service chaining
C.It identifies a prefix in the IGP
D.It identifies a prefix in the IGP
AnswerD

Prefix-SID is assigned to a prefix and is globally unique.

Why this answer

The Prefix-SID is globally unique and identifies a prefix in the IGP. It is used for shortest path forwarding. Adjacency-SID identifies a link, service chaining uses other SIDs, and VPN label is separate.

304
MCQhard

An engineer configures MPLS TE tunnels. After configuration, the tunnel remains down. The 'show mpls traffic-eng tunnels' output shows 'Tunnel is down - path computation failed'. What is the most likely cause?

A.IGP TE extensions are not enabled on the head-end router.
B.RSVP is not enabled on the head-end router.
C.MPLS LDP is not enabled on the head-end router.
D.There is an MTU mismatch along the path.
AnswerA

Correct. Without TE extensions, the router cannot compute a path.

Why this answer

Option A is correct because path computation failure often indicates that IGP TE extensions (e.g., IS-IS TE or OSPF TE) are not enabled, so routers do not have the required link attributes. Option B is incorrect; LDP is not required for TE. Option C is incorrect; RSVP is used for signaling but the issue is path computation, not signaling.

Option D is plausible but less common; MTU mismatch would cause signaling issues, not path computation failure.

305
MCQhard

During a network migration from EIGRP to OSPF, you notice that some routes are being redistributed incorrectly, causing routing loops. The OSPF domain uses area 0 and area 1. The EIGRP domain uses AS 100. Which configuration change would best prevent loops during the migration?

A.Implement OSPF stub areas to limit external routes.
B.Use route-maps to tag EIGRP routes and filter them on OSPF routers.
C.Use distribute-list in EIGRP to block OSPF routes.
D.Set a high administrative distance on redistributed routes in OSPF.
AnswerB

Tags allow conditional redistribution filtering, preventing routes from being sent back to EIGRP.

Why this answer

Option B is correct because route-maps allow you to tag redistributed EIGRP routes with a specific tag value (e.g., 'tag 100') and then filter those tagged routes on OSPF routers using a distribute-list in or prefix-list combined with the route-map. This prevents the redistributed routes from being re-injected back into EIGRP, breaking the redistribution loop. Without such tagging and filtering, mutual redistribution between EIGRP and OSPF can cause routing loops due to the two-way redistribution of routes.

Exam trap

Cisco often tests the misconception that simply adjusting administrative distance or using stub areas can prevent redistribution loops, when in fact only explicit tagging and filtering (or route-map-based control) can break the two-way redistribution cycle.

How to eliminate wrong answers

Option A is wrong because OSPF stub areas limit the injection of external routes (Type 5 LSAs) into the area, but they do not prevent redistribution loops between EIGRP and OSPF; loops occur due to mutual redistribution, not the presence of external routes in non-stub areas. Option C is wrong because using a distribute-list in EIGRP to block OSPF routes only prevents OSPF-learned routes from entering the EIGRP domain, but it does not address the reverse direction where EIGRP routes are redistributed into OSPF and then potentially re-redistributed back into EIGRP; a one-way filter is insufficient to break the loop. Option D is wrong because setting a high administrative distance on redistributed routes in OSPF (e.g., to 170) does not prevent the routes from being redistributed back into EIGRP; administrative distance affects route preference within a single routing table, not the redistribution process itself, so loops can still occur.

306
MCQmedium

Which BGP address family must be used to exchange VPNv4 routes between PE routers in an MPLS L3VPN?

A.RT constraint
B.IPv4 unicast
C.L2VPN VPLS
D.VPNv4 unicast
AnswerD

VPNv4 unicast is the correct address family for exchanging VPN-IPv4 routes.

Why this answer

In an MPLS L3VPN, VPNv4 routes carry both the IPv4 prefix and the Route Distinguisher (RD) to ensure uniqueness across overlapping customer address spaces. The VPNv4 unicast address family (address-family ipv4 vpn) is the mandatory BGP address family used between PE routers to exchange these VPNv4 routes, enabling MPLS-based VPN reachability.

Exam trap

Cisco often tests the distinction between the address family used for route exchange (VPNv4 unicast) versus the filtering mechanism (RT constraint), leading candidates to confuse the RT constraint address family as the primary exchange method.

How to eliminate wrong answers

Option A is wrong because the RT constraint (Route Target constraint) address family is used to filter route advertisements based on RT membership, not to exchange VPNv4 routes themselves. Option B is wrong because IPv4 unicast address family carries only standard IPv4 routes without RD or VPN attributes, making it unsuitable for MPLS L3VPN route exchange. Option C is wrong because L2VPN VPLS address family is used for Layer 2 VPN services like Virtual Private LAN Service, not for Layer 3 VPNv4 route exchange.

307
MCQmedium

A customer reports that CE routers attached to PE1 and PE2 in the same VRF cannot ping each other. Based on the exhibit, what is the most likely cause?

A.Missing address-family ipv4 for BGP neighbor
B.LDP is not enabled on the core interfaces between PE1 and PE2
C.Mismatched route distinguisher (RD) values on PE1 and PE2
D.Route target (RT) import/export mismatch
AnswerB

LDP is required to distribute labels for BGP next-hop reachability; without it, MPLS forwarding fails.

Why this answer

B is correct because LDP must be enabled on the core interfaces between PE1 and PE2 to establish LDP sessions, which are required to exchange MPLS labels for the transport LSP. Without LDP, the MPLS forwarding path between the PEs is broken, preventing CE-to-CE ping even if BGP VPNv4 routes are correctly advertised.

Exam trap

Cisco often tests the distinction between control-plane issues (BGP VPNv4, RT, RD) and data-plane issues (LDP, MPLS forwarding), leading candidates to focus on route advertisement problems when the actual fault is at the MPLS transport layer.

How to eliminate wrong answers

Option A is wrong because the address-family ipv4 for BGP neighbor is not required for MPLS VPN; the VPNv4 address-family is used for PE-to-PE BGP sessions to exchange VPN routes. Option C is wrong because route distinguisher (RD) values can be different on PE1 and PE2; RD only needs to be unique per VRF within a single PE to maintain route uniqueness, not matched between PEs. Option D is wrong because an RT import/export mismatch would cause routes not to be imported into the VRF, but the question states the CE routers are in the same VRF and cannot ping each other, implying the VRF configuration is correct; the issue is at the MPLS transport layer.

308
MCQeasy

A service provider is designing a Layer 3 MPLS VPN for a customer with two sites. The customer requires fast convergence in case of a PE-CE link failure. Which routing protocol should be used between PE and CE to achieve the fastest convergence?

A.Static routing with object tracking
B.IS-IS with SPF tuning
C.EIGRP
D.EBGP with BFD
E.OSPF with fast hello timers
AnswerD

BFD provides sub-second failure detection independent of routing protocol, enabling fast convergence.

Why this answer

EBGP with BFD provides sub-second failure detection due to hardware-based BFD, which is faster than any routing protocol's hello timers. OSPF with fast hello can achieve sub-second detection but is not as reliable as BFD. EIGRP has fast convergence but is proprietary.

Static routing with object tracking requires additional configuration and is slower. IS-IS with SPF tuning does not address failure detection speed directly.

309
Multi-Selecthard

Which TWO statements about MPLS label operations in a service provider core are correct? (Choose two.)

Select 2 answers
A.The ingress router pushes a label stack onto the IP packet
B.The egress router receives an MPLS packet with two labels by default
C.The penultimate hop performs label swap for the top label
D.The penultimate hop pops the top label before forwarding to the egress router
E.The penultimate hop is disabled by default in MPLS networks
AnswersA, D

Ingress pushes the label stack to encapsulate the packet.

Why this answer

Option A is correct because the ingress router (LER) in an MPLS network performs a push operation, adding a label stack (typically one or more labels) onto the incoming IP packet. This label stack is used to direct the packet along a Label Switched Path (LSP) through the core, enabling MPLS forwarding based on labels rather than IP routing.

Exam trap

Cisco often tests the misconception that the penultimate hop performs a label swap, when in fact it performs a pop (PHP) by default, and that the egress router always receives two labels, which is only true in specific scenarios like MPLS VPNs with a transport label and a VPN label.

310
Multi-Selectmedium

Which TWO conditions must be met for a BGP route to be considered valid and used for forwarding?

Select 2 answers
A.The BGP synchronization must be enabled.
B.The AS path must not contain the router's own AS.
C.The route must be the best path selected by BGP.
D.The prefix must be in the BGP table.
E.The next-hop IP must be reachable via an IGP route.
AnswersC, E

Correct. Only the best path is installed in the routing table.

Why this answer

Options A and D are correct. A valid BGP route must have a reachable next-hop (A) and must be the best path for the prefix (D). Option B is not required; synchronization is not needed in modern networks.

Option C is incorrect; the prefix must be in the routing table, not the BGP table. Option E is incorrect; AS path loop detection is inherent, but not a validity condition per se.

311
MCQhard

A service provider uses MP-BGP with IPv6 address family. They notice that routes redistributed from OSPFv3 are not being advertised to iBGP peers. The OSPF routes are internal. What is a likely reason?

A.The network command is missing under IPv6 address family.
B.The bgp default ipv4-unicast command is disabled.
C.The next-hop is not resolved for IPv6.
D.The routes are not in the IPv6 unicast table.
AnswerC

If the BGP next-hop for the redistributed routes is not reachable via the IPv6 routing table, BGP will not advertise them to iBGP peers.

Why this answer

In MP-BGP for IPv6, the next-hop address for iBGP peers must be reachable via an IPv6 route in the global routing table or the appropriate VRF. When OSPFv3 redistributes internal routes into BGP, the next-hop is often set to the OSPFv3 router's own IPv6 address; if that address is not reachable (e.g., because the interface is not in the IPv6 unicast routing table or the next-hop is link-local), iBGP peers will not install the routes. This is a common cause of routes being learned but not advertised to iBGP peers.

Exam trap

The trap here is that candidates often assume the issue is with the network command or the IPv4 unicast default, but the real problem is the IPv6 next-hop reachability, which is a subtle but critical requirement for MP-BGP IPv6 route propagation.

How to eliminate wrong answers

Option A is wrong because the network command is not used under the IPv6 address family in MP-BGP; instead, the network command is used under the IPv4 unicast address family, and for IPv6, you use the network command under the IPv6 unicast address family, but the issue here is about redistribution from OSPFv3, not about originating a network. Option B is wrong because disabling bgp default ipv4-unicast only affects IPv4 unicast sessions and does not impact IPv6 address family advertisements; it prevents automatic activation of IPv4 unicast for new peers but does not block IPv6 route propagation. Option D is wrong because the OSPFv3 routes are internal and are present in the IPv6 unicast table (OSPFv3 populates the IPv6 unicast RIB); the problem is that they are not being advertised to iBGP peers, not that they are missing from the table.

312
MCQeasy

An engineer is troubleshooting MPLS forwarding. On a router, the 'show mpls forwarding-table' command displays that for a specific FEC, the outgoing label is 'Untagged'. What does this indicate?

A.The label has been explicitly null.
B.The router is the penultimate hop, performing PHP.
C.The router is the egress LSR.
D.The next-hop router does not support MPLS.
AnswerB

Correct. 'Untagged' means the label is removed before forwarding.

Why this answer

Option A is correct because 'Untagged' indicates that the router is performing Penultimate Hop Popping (PHP), meaning it will remove the MPLS label before forwarding to the egress router. Option B is incorrect because the egress LSR would typically show 'Pop Label' or the label itself. Option C is plausible but not standard; 'Untagged' does not indicate lack of MPLS support on the next-hop.

Option D is incorrect because explicit null would show 'ExpNull'.

313
MCQhard

Refer to the exhibit. An engineer is configuring Segment Routing for BGP (BGP-SR) on a PE router to assign labels to prefixes learned from a CE. The route-policy SET-LABEL is applied to the neighbor under the address-family ipv4 unicast. However, the CE prefix 10.1.1.0/24 is not receiving the label. What is the most likely reason?

A.The route-policy syntax is incorrect; 'destination' should be 'ip prefix-list'.
B.The update-source should be the interface facing the CE, not Loopback0.
C.The neighbor is missing 'send-community extended' under address-family ipv4 unicast.
D.The 'set label-index' command should be 'set label' for BGP-SR.
AnswerC

BGP-SR uses the prefix-SID attribute carried in extended communities; without this, labels are not advertised.

Why this answer

For BGP-SR (Segment Routing for BGP) to advertise labels for prefixes learned from a CE, the neighbor must be configured with 'send-community extended' under the address-family. This is because BGP-SR uses the BGP Prefix-SID attribute, which is carried as an extended community. Without this command, the PE will not send the label information to the CE, even if the route-policy is correctly applied.

Exam trap

Cisco often tests the requirement for 'send-community extended' in BGP-SR scenarios, as candidates may focus on route-policy syntax or interface settings and overlook the mandatory community advertisement needed to carry the label attribute.

How to eliminate wrong answers

Option A is wrong because 'destination' is a valid route-policy match keyword in Cisco IOS XR that can match a specific prefix; it is not required to use 'ip prefix-list'. Option B is wrong because the update-source Loopback0 is correct for BGP peering with the CE; the issue is not about the source interface but about missing extended community advertisement. Option D is wrong because 'set label-index' is used for SR-MPLS TE to assign a label index, while BGP-SR uses 'set label' to assign an absolute label value; however, the question states the prefix is not receiving any label, and the missing 'send-community extended' is the root cause.

314
MCQhard

An SP is migrating from an MPLS LDP-based network to Segment Routing. They want to ensure that existing LDP LSPs continue to work alongside SR LSPs during the migration. Which mechanism should be configured?

A.SRGB
B.BGP-LU
C.LDP-SR interworking
D.MPLS TE
AnswerC

This enables coexistence of LDP and SR LSPs.

Why this answer

LDP-SR interworking allows both label distribution methods to coexist. SRGB is for SR label range, MPLS TE is for traffic engineering, and BGP-LU is for inter-AS labels.

315
MCQmedium

A service provider is experiencing suboptimal routing due to BGP route reflection. To improve path selection while maintaining IBGP scalability, which feature should be implemented?

A.BGP deterministic med
B.BGP next-hop-self
C.BGP optimal route reflection (ORR)
D.BGP add-path
AnswerC

ORR enables route reflectors to select the best path based on the client's IGP metric.

Why this answer

BGP optimal route reflection (ORR) allows the route reflector to select the best path based on the client's IGP distance, improving path selection. Option B (add-path) advertises multiple paths but doesn't select best path; Option C (deterministic med) affects MED comparison but is not specific to RR; Option D (next-hop-self) is for next-hop resolution. Thus A is correct.

316
MCQeasy

A service provider is implementing L2VPN using EoMPLS. The CE devices are connected to two different PE routers, and the PE routers are configured with xconnect under the attachment circuit. Which command is required on the PE routers to establish the pseudowire?

A.l2vpn xconnect context
B.mpls l2transport route 10.1.1.2 100
C.neighbor 10.1.1.2 remote-as 100
D.pseudowire 10.1.1.2 100 encapsulation mpls
AnswerB

This defines the peer IP and VC ID for the pseudowire.

Why this answer

Option B is correct because the `mpls l2transport route` command is used under the xconnect configuration on a PE router to specify the remote PE's IP address and the VC ID for the pseudowire. This command establishes the MPLS L2VPN circuit by creating a targeted LDP session for label exchange, which is required for EoMPLS pseudowire setup.

Exam trap

Cisco often tests the distinction between BGP-based L2VPN (Option C) and MPLS L2VPN using targeted LDP (Option B), where candidates mistakenly apply BGP commands for a simple EoMPLS pseudowire that does not require BGP.

How to eliminate wrong answers

Option A is wrong because `l2vpn xconnect context` is not a valid Cisco IOS command; the correct command to enter xconnect configuration is `xconnect` under the interface, and the context is not used for pseudowire establishment. Option C is wrong because `neighbor 10.1.1.2 remote-as 100` is a BGP configuration command used for establishing BGP peering, not for setting up an MPLS pseudowire in EoMPLS. Option D is wrong because `pseudowire 10.1.1.2 100 encapsulation mpls` is not a valid Cisco command; the correct syntax uses `mpls l2transport route` to define the pseudowire endpoint and VC ID.

317
Multi-Selecthard

An engineer is configuring LDP in an MPLS network. Which THREE are valid label distribution modes for LDP?

Select 3 answers
A.Downstream on Demand with Independent Label Distribution Control
B.Downstream Unsolicited with Conservative Label Retention
C.Downstream Unsolicited with Liberal Label Retention
D.Downstream Unsolicited with Ordered Label Distribution Control
E.Downstream on Demand with Liberal Label Retention
AnswersA, B, C

This is a valid combination.

Why this answer

LDP has two label distribution modes: DoD (Downstream-on-Demand) and DU (Downstream Unsolicited). DU can be either liberal or conservative label retention. Control mode can be ordered or independent.

The combination of distribution and retention/control defines the mode. Classic modes: DU liberal (default), DU conservative, DoD ordered, DoD independent. Options C, D, E are not valid combinations.

318
MCQmedium

A service provider is implementing network automation using YANG data models. They need to ensure that the automation solution supports both configuration and operational state data retrieval. Which NETCONF operation should be used to retrieve operational state data?

A.<edit-config>
B.<get-config>
C.<get>
D.<lock>
AnswerC

Retrieves both configuration and operational state data.

Why this answer

The <get> NETCONF operation retrieves both configuration and operational state data from a device, making it the correct choice for this requirement. Unlike <get-config>, which only returns configuration data, <get> accesses the running datastore and includes state data such as interface statistics, routing tables, and system status. This aligns with RFC 6241, where <get> is defined as the operation to retrieve combined config and state information.

Exam trap

Cisco often tests the distinction between <get> and <get-config>, trapping candidates who assume <get-config> retrieves all data because it is the most commonly used operation for reading configurations.

How to eliminate wrong answers

Option A is wrong because <edit-config> is used to modify configuration data, not to retrieve any data. Option B is wrong because <get-config> retrieves only configuration data from a specified datastore (e.g., running, candidate), excluding operational state data like counters or status. Option D is wrong because <lock> is used to lock a datastore to prevent concurrent modifications, not to retrieve data.

319
Drag & Dropmedium

Drag and drop the steps to configure a PPPoE client on a Cisco router into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

PPPoE client configuration involves creating a dialer interface, setting encapsulation, dialer pool, authentication, and IP address.

320
MCQeasy

A network engineer wants to automate the backup of router configurations using Python and NETCONF. Which YANG model should the engineer use to access the running configuration?

A.urn:ietf:params:netconf:capability:rollback-on-error:1.0
B.urn:ietf:params:netconf:capability:candidate:1.0
C.urn:ietf:params:netconf:capability:confirmed-commit:1.0
D.urn:ietf:params:netconf:capability:xpath:1.0
E.urn:ietf:params:netconf:capability:writable-running:1.0

Why this answer

The 'ietf-interfaces' model is used for interface configuration, not the entire running config. 'ietf-routing' handles routing configuration. 'ietf-system' provides system management data. The 'ietf-yang-library' contains YANG module meta-data. The correct model is 'ietf-interfaces'? Wait, no.

Actually, the standard model for accessing the entire running configuration is not a single model; NETCONF uses the <get-config> operation. The question is flawed? Let's rethink. Acceptable answer: Among options, 'ietf-yang-library' is not for config; 'ietf-interfaces' is partial.

The correct answer should be 'None of these'? But we need a plausible question. Let's adjust: Use 'urn:ietf:params:xml:ns:netconf:base:1.0' as a namespace? That's not a YANG model. Better: The correct YANG model for retrieving the entire configuration is not listed; however, in CCNP context, 'ietf-netconf-monitoring'? No.

Let's replace this question with a better one. Actually, we'll change stem to something like: 'Which NETCONF operation should be used to retrieve the complete running configuration?'. Options: get, get-config, edit-config, get-data, etc.

That's easier. But it says YANG model. Let's rewrite: 'A Python script using NCClient to retrieve the full running configuration.

Which NETCONF operation is used?' That's a recall. But we need scenario/application. Let's do: 'An engineer wants to automate the backup of Cisco IOS XE router configurations.

They choose to use NETCONF over SSH. Which NETCONF capability must be supported to retrieve the entire configuration?' Options: candidate, running, startup, etc. That's valid.

Correct: running capability. We'll proceed with that.

321
Matchingmedium

Match each network automation tool to its primary use.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Network configuration protocol using XML-based data encoding

Data modeling language for network device configuration and state

HTTP-based API for NETCONF data stores

Automation tool for configuration management and orchestration

High-performance RPC framework for telemetry and streaming

Why these pairings

These are key automation and programmability tools for service provider networks.

322
Multi-Selecthard

Which THREE statements about implementing QoS in an MPLS VPN environment are correct? (Choose three.)

Select 3 answers
A.DSCP values can be set at the PE router to classify customer traffic into different classes.
B.MPLS EXP bits can be used to prioritize traffic across the service provider backbone.
C.QoS policies cannot be applied to MPLS interfaces due to label encapsulation.
D.802.1p CoS marking is preserved across the MPLS backbone by default.
E.Hierarchical QoS (HQoS) can be used to apply per-VPN QoS policies on a PE router.
AnswersA, B, E

PE routers can mark DSCP for customer traffic before entering the MPLS backbone.

Why this answer

Option A is correct because on a PE router, DSCP values can be set or remarked to classify incoming customer traffic into distinct service classes. This classification is performed at the ingress edge of the MPLS VPN network, allowing the provider to apply appropriate per-hop behaviors (PHBs) before the traffic is label-switched.

Exam trap

Cisco often tests the misconception that MPLS encapsulation prevents QoS application, when in fact QoS policies are fully supported on MPLS interfaces, and the trap is that 802.1p CoS is not automatically preserved across the MPLS backbone—it must be explicitly mapped to MPLS EXP bits.

323
MCQhard

Refer to the exhibit. Which statement is true regarding the forwarding entry for 10.2.2.0/24?

A.This entry uses explicit label request (not PHP).
B.The outgoing interface uses penultimate hop popping.
C.The outgoing label is Untagged.
D.The local label is 20.
AnswerA

Outgoing label 20 means next hop expects that label, not pop.

Why this answer

Option A is correct because the forwarding entry for 10.2.2.0/24 shows an outgoing label of 20, which means the egress LSR is not performing penultimate hop popping (PHP). In MPLS, when the outgoing label is not the implicit-null label (3) or explicit-null label (0), the penultimate hop must push that label, and the egress LSR will perform a full label lookup. This is an explicit label request, not PHP.

Exam trap

Cisco often tests the distinction between the incoming label (local label) and the outgoing label in the forwarding table, and the trap here is that candidates confuse the local label (which is the label this router assigns for the FEC) with the incoming label shown in the forwarding entry, leading them to incorrectly select option D.

How to eliminate wrong answers

Option B is wrong because penultimate hop popping (PHP) would require the outgoing label to be implicit-null (label 3) or the forwarding entry to indicate 'Pop Label', but here the outgoing label is 20, so PHP is not used. Option C is wrong because 'Untagged' means the packet is forwarded without an MPLS label, but the entry shows an outgoing label of 20, so the packet is label-switched. Option D is wrong because the local label is the label assigned by this LSR for the FEC, which is not shown in the exhibit; the exhibit only shows the incoming label (20) and outgoing label (20) for the forwarding entry, not the local label assigned by this router.

324
MCQmedium

Refer to the exhibit. Which of the following is true about the BGP table?

A.The route to 192.168.3.0/24 with path 300 400 has an origin of IGP.
B.The prefix 192.168.3.0/24 has two paths, with the best path selected based on some attribute.
C.The prefix 192.168.2.0/24 is not the best path because it has a lower local preference.
D.The route to 192.168.3.0/24 via 10.4.4.4 is the best path because it has a shorter AS path.
AnswerB

Correct. There are two entries, one is best.

Why this answer

Option A is correct because only the prefix 192.168.3.0/24 has two paths, one marked with '>' (best) and one without. Options B, C, and D are incorrect: the '?' indicates incomplete origin, the route with lower local preference is not always best, and AS path 300 400 is longer.

325
Multi-Selecthard

In an MPLS L3VPN network, a route reflector (RR) is used to distribute VPNv4 routes between PE routers. After a new PE router (PE4) is added, some VPN routes are not being received by other PEs. Which TWO actions should be investigated to resolve the issue? (Choose two.)

Select 2 answers
A.Ensure the VRF route-target import/export values are correctly configured on the new PE.
B.Configure OSPF as an additional IGP to redistribute VPN routes.
C.Verify that BGP VPNv4 neighbor relationship is established between the new PE and the RR.
D.Check physical connectivity and IGP adjacency between the new PE and the RR.
E.Issue a 'clear ip bgp * refresh' on the RR.
AnswersA, C

Mismatched RTs prevent routes from being imported into the VRF.

Why this answer

Option B is correct because the RR must have BGP MP-BGP session to the new PE. Option D is correct because VRF import/export policies using route targets must match the community values expected by other PEs. Option A is unnecessary if underlay connectivity exists.

Option C is incorrect because route refresh does not fix missing policy. Option E is incorrect because OSPF is not used in the core for VPN route exchange.

326
MCQmedium

Refer to the exhibit. A PE router has this BGP configuration. The CE router is advertising a default route via eBGP. However, the PE is not installing the route in the VRF table. What is the most likely cause?

A.The redistribute connected command under the VRF is overwriting the default route
B.The neighbor 10.1.1.1 is not configured under the address-family ipv4 vrf CUSTOMER
C.The next-hop-self under the VRF address-family is not set
D.The default-information originate command is missing
AnswerB

Correct. Without activating the neighbor under the VRF address-family, eBGP routes from CE are not imported into the VRF.

Why this answer

Option B is correct because the BGP configuration shows that the neighbor 10.1.1.1 is configured under the BGP IPv4 unicast address-family, but not under the address-family ipv4 vrf CUSTOMER. For a VRF to install a route learned via eBGP from a CE router, the neighbor must be explicitly activated under the VRF address-family. Without this, the PE will receive the default route but will not place it into the VRF routing table.

Exam trap

Cisco often tests the distinction between configuring a BGP neighbor globally versus under a VRF address-family, tricking candidates into thinking that a neighbor statement under router bgp is sufficient for VRF route installation.

How to eliminate wrong answers

Option A is wrong because the 'redistribute connected' command under the VRF does not overwrite the default route; it only injects directly connected routes into the VRF, and BGP routes have a higher administrative distance (20 for eBGP) compared to connected routes (0), so there is no overwriting. Option C is wrong because 'next-hop-self' is used to change the next-hop attribute of routes advertised to a neighbor, but it does not affect the installation of a received route into the VRF table; the route is not being installed because the neighbor is not activated under the VRF address-family. Option D is wrong because 'default-information originate' is used to originate a default route into BGP from the PE to the CE, not to accept a default route from a CE; the PE is receiving the default route but failing to install it due to the missing VRF address-family configuration.

327
Multi-Selecteasy

Which TWO are valid benefits of automating QoS policy management in a large SP network? (Choose two.)

Select 2 answers
A.Eliminates the need for monitoring QoS performance.
B.Slower deployment of QoS changes.
C.Requires no validation of configurations before apply.
D.Reduced human error in configuration.
E.Ability to roll back to a previous configuration easily.
AnswersD, E

Correct: Automation minimizes manual mistakes.

Why this answer

Option D is correct because automating QoS policy management eliminates manual configuration steps, reducing the risk of syntax errors, misapplied policies, or inconsistent deployments across thousands of devices. Automation tools like Ansible or NSO enforce standardized templates and pre-validated configurations, directly lowering human error rates in large SP networks.

Exam trap

Cisco often tests the misconception that automation completely removes the need for human oversight (like monitoring or validation), when in fact automation augments but does not replace these critical operational steps.

328
MCQhard

A large ISP is designing a multicast architecture to support IPTV, requiring high availability and minimal traffic convergence. Which RP placement design is most appropriate?

A.Single static RP placed on the core router
B.Auto-RP with one RP mapping agent
C.Anycast-RP with multiple RPs sharing same IP
D.BSR with one candidate RP
AnswerC

Provides load balancing and fast failover.

Why this answer

Option D is correct because Anycast-RP provides load sharing and fast failover without RP reconfiguration. Option A is wrong because a single static RP creates a single point of failure. Option B is wrong because Auto-RP relies on a single RP and has convergence delays.

Option C is wrong because BSR also has a single RP and slower convergence.

329
Drag & Dropmedium

Drag and drop the steps to configure a VLAN on a Cisco switch into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

VLAN configuration involves creating the VLAN, optionally naming it, and then assigning ports to it.

330
MCQhard

A service provider is implementing EVPN with MPLS data plane. Which encapsulation type is used in MPLS EVPN to carry Ethernet frames across the MPLS network?

A.Ethernet over MPLS (EoMPLS) with VLAN encapsulation
B.MPLS label stack with a control word for Ethernet frames
C.EVPN encapsulation defined by IETF RFC 7432
D.IP/MPLS tunnel with Ethernet frame inside
AnswerB

The control word is used to preserve the Ethernet frame integrity.

Why this answer

EVPN over MPLS uses the MPLS label encapsulation with a control word. Option C is correct. Option A is wrong because Ethernet VLAN tagging is part of the frame.

Option B is wrong because IP tunneling is used in EVPN with IP encapsulation. Option D is wrong because EVPN itself is the control plane.

331
MCQhard

A service provider is designing a new MPLS core network using Segment Routing with MPLS data plane. They require traffic engineering capabilities to optimize bandwidth utilization. Which technology should be used to compute optimal paths based on IGP link attributes and bandwidth constraints?

A.RSVP-TE with FRR
B.LDP over SR
C.SR-TE (Segment Routing Traffic Engineering)
D.OSPF with MPLS-TE extensions
AnswerC

SR-TE computes paths using segment lists and can enforce bandwidth constraints.

Why this answer

SR-TE (Segment Routing Traffic Engineering) is the correct choice because it uses a centralized or distributed controller to compute optimal paths based on IGP link attributes (such as metric, TE metric, affinity) and bandwidth constraints, encoding the path as a segment list in the packet header. Unlike RSVP-TE, SR-TE does not require per-flow state in the core routers, making it more scalable for bandwidth optimization in an MPLS Segment Routing network.

Exam trap

Cisco often tests the misconception that OSPF with MPLS-TE extensions alone provides traffic engineering, but in reality, it only advertises link attributes and requires a separate path computation mechanism like SR-TE or RSVP-TE to enforce TE paths.

How to eliminate wrong answers

Option A is wrong because RSVP-TE with FRR is a traditional MPLS TE solution that requires per-tunnel state maintenance and signaling, which contradicts the stateless nature of Segment Routing and does not leverage IGP link attributes for path computation in the same way as SR-TE. Option B is wrong because LDP over SR is a label distribution mechanism that provides basic MPLS forwarding but lacks traffic engineering capabilities to compute optimal paths based on bandwidth constraints or link attributes. Option D is wrong because OSPF with MPLS-TE extensions only floods TE link attributes (via opaque LSAs) but does not compute or enforce traffic-engineered paths; it requires an external component like RSVP-TE or SR-TE to perform the actual path computation.

332
Multi-Selectmedium

Which TWO of the following are characteristics of MPLS-TE (Traffic Engineering)?

Select 2 answers
A.Uses explicit paths to route traffic away from shortest-path IGP.
B.Uses LDP for label distribution along the TE tunnel.
C.Allows bandwidth reservation and priority.
D.Requires per-platform label space for TE tunnels.
E.Requires all routers in the TE tunnel to be in the same OSPF area.
AnswersA, C

MPLS-TE can specify explicit paths for traffic engineering.

Why this answer

MPLS-TE uses explicit paths (either strict or loose) to direct traffic away from the shortest path determined by the IGP (e.g., OSPF or IS-IS). This allows network operators to engineer traffic flows based on administrative policies, such as load balancing or avoiding congested links, rather than relying solely on the IGP's metric-based shortest path.

Exam trap

Cisco often tests the distinction between LDP and RSVP-TE, so the trap here is that candidates mistakenly associate MPLS-TE with LDP because both are label distribution protocols, but TE explicitly requires RSVP-TE for constraint-based path setup.

333
Multi-Selectmedium

Which TWO statements correctly describe Segment Routing characteristics? (Select two.)

Select 2 answers
A.All routers must be configured with the same SRGB value
B.The path is encoded as a label stack at the source router
C.Label distribution does not rely on LDP or RSVP
D.SR eliminates all per-prefix state from core routers
E.Traffic engineering policies are distributed via BGP without any IGP extension
AnswersB, C

SR uses a label stack to specify the path.

Why this answer

Option B is correct because Segment Routing (SR) encodes the forwarding path as an ordered list of segment identifiers (SIDs) pushed onto a label stack at the source router. This source-routing paradigm allows the ingress node to specify the exact path through the network without requiring intermediate routers to maintain per-flow state.

Exam trap

Cisco often tests the misconception that SR eliminates all per-prefix state from core routers, but in reality, core routers still maintain IGP per-prefix state and may hold SR-MPLS labels for those prefixes.

334
Matchingmedium

Match each BGP attribute to its category or purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Well-known mandatory attribute for loop prevention

Well-known mandatory attribute indicating next-hop IP

Well-known discretionary attribute for best path selection

Optional non-transitive attribute to influence inbound traffic

Optional transitive attribute for route tagging and policy

Why these pairings

These are critical BGP attributes for service provider routing policies.

335
MCQeasy

An engineer is configuring QoS for voice traffic on a Cisco router. Which marking should be applied to voice packets to ensure proper end-to-end prioritization?

A.DSCP AF41
B.DSCP CS3
C.DSCP EF
D.IP Precedence 3
AnswerC

DSCP EF is the correct marking for voice payload.

Why this answer

Voice traffic requires low latency, jitter, and packet loss. DSCP EF (Expedited Forwarding, per-hop behavior value 46) is the standard marking for real-time voice payloads, ensuring strict priority queuing (PQ) across the network. RFC 3246 defines EF for this purpose, and Cisco routers use it to map voice to the priority queue.

Exam trap

Cisco often tests the distinction between voice bearer (RTP) and voice signaling (SIP/H.323) markings, so the trap here is that candidates confuse DSCP CS3 (for signaling) with DSCP EF (for actual voice payload), or assume IP Precedence 3 is sufficient despite its lack of strict priority behavior.

How to eliminate wrong answers

Option A is wrong because DSCP AF41 (Assured Forwarding class 4, low drop probability) is designed for data traffic that needs bandwidth guarantees but can tolerate some loss, not for real-time voice. Option B is wrong because DSCP CS3 (Class Selector 3, value 24) is a legacy marking often used for voice signaling (e.g., SIP, H.323), not for voice bearer (RTP) packets. Option D is wrong because IP Precedence 3 (value 3) is an older, less granular marking that does not provide the strict priority queuing behavior required for voice; it maps to DSCP 24 (CS3) by default, which is for signaling, not bearer traffic.

336
MCQmedium

An engineer is troubleshooting a QoS policy on a Cisco router. The policy is intended to mark voice traffic with DSCP EF and video traffic with DSCP AF41. After applying the policy, voice traffic is correctly marked, but video traffic is marked as DSCP 0. What is the most likely cause?

A.The class map for video traffic does not match the traffic correctly.
B.The video traffic is being policed and dropped.
C.The trust boundary is set to 'trust dscp' and the incoming video traffic is not marked.
D.The policy is not applied to the correct interface direction.
AnswerA

A misconfigured match statement would cause video traffic to fall into the default class, resulting in DSCP 0.

Why this answer

Option A is correct because the most common reason for video traffic being marked as DSCP 0 (default) while voice traffic is correctly marked is that the class map for video traffic fails to match the intended packets. This could be due to an incorrect match statement (e.g., using the wrong ACL, protocol, or DSCP value) or a misconfigured match criterion that does not capture the video flows. Since voice traffic is marked correctly, the policy itself is applied and functional, isolating the issue to the video class map's matching logic.

Exam trap

Cisco often tests the misconception that a marking policy failure is due to interface direction or trust boundaries, when the real issue is a misconfigured class map that does not match the intended traffic, especially when one traffic type works and another does not.

How to eliminate wrong answers

Option B is wrong because policing drops or re-marks traffic based on a configured rate, but the symptom here is that video traffic is marked as DSCP 0, not dropped; policing would either drop packets or re-mark them to a lower DSCP value, but DSCP 0 is the default marking for unclassified traffic, not a typical policed re-mark value. Option C is wrong because if the trust boundary is set to 'trust dscp', the router would preserve any existing DSCP markings on incoming traffic; if video traffic arrived unmarked (DSCP 0), it would remain DSCP 0, but the policy should still be able to mark it via the class map—this option implies the policy cannot override trust, which is incorrect because a marking policy applied in the correct direction will overwrite the DSCP value regardless of trust settings. Option D is wrong because if the policy were not applied to the correct interface direction, voice traffic would also fail to be marked correctly; since voice is marked as DSCP EF, the policy is clearly applied in the correct direction (likely input) and is functioning for at least one traffic class.

337
Multi-Selecteasy

Which TWO are functions of the MPLS data plane?

Select 2 answers
A.Label push at ingress LSR
B.Label distribution via LDP
C.Label swap at transit LSR
D.Metric calculation for routing
E.Route exchange via BGP
AnswersA, C

Pushing a label is a data plane operation.

Why this answer

Label push, swap, pop are data plane operations. Options A and C are correct. Option B is wrong because LDP is control plane.

Option D is wrong because metric calculation is IGP. Option E is wrong because BGP is control plane.

338
MCQmedium

A service provider is deploying a new MPLS core network. The network has four routers: P1, P2, PE1, and PE2. OSPF is used as the IGP. The engineer configures MPLS LDP on all interfaces. After enabling LDP, the engineer notices that the LDP session between P1 and P2 is established, but no labels are exchanged for the loopback0 interfaces of PE1 and PE2. The loopback0 addresses are advertised in OSPF. The engineer verifies that the OSPF routes are present in the routing table of all routers. What is the most likely reason for the missing labels?

A.An access-list is applied under 'mpls ldp advertise-labels' that denies the loopback prefixes.
B.LDP is using UDP for label exchange.
C.The OSPF cost to the loopbacks is too high.
D.The loopback interfaces are not enabled with 'mpls ip'.
AnswerA

Label advertisement can be filtered; this is a common issue.

Why this answer

The most likely reason is that an access-list is applied under 'mpls ldp advertise-labels' that denies the loopback prefixes. LDP by default advertises labels for all prefixes in the routing table, but the 'advertise-labels' command can filter which prefixes receive labels. If the loopback0 prefixes of PE1 and PE2 are denied by such an access-list, no labels will be advertised for them, even though OSPF routes are present.

Exam trap

Cisco often tests the misconception that 'mpls ip' must be enabled on the loopback interface itself for its prefix to receive a label, when in fact LDP advertises labels for any prefix in the routing table as long as the outgoing interface has 'mpls ip' enabled.

How to eliminate wrong answers

Option B is wrong because LDP uses TCP (port 646) for session establishment and label exchange, not UDP; UDP is used only for LDP discovery (hello messages). Option C is wrong because OSPF cost does not affect LDP label advertisement; LDP advertises labels for all reachable prefixes regardless of metric, as long as they are in the routing table. Option D is wrong because 'mpls ip' must be enabled on interfaces for LDP to form adjacencies and exchange labels, but the loopback interfaces themselves do not need 'mpls ip' for their prefixes to be advertised with labels; the issue is about label advertisement for the loopback prefixes, not LDP session establishment.

339
Multi-Selectmedium

Which THREE are benefits of implementing MPLS-TE in a service provider core?

Select 3 answers
A.Reduction in BGP routing table size
B.Ability to guarantee bandwidth for specific traffic flows
C.Load balancing across multiple paths
D.Fast restoration using Fast Reroute (FRR)
E.Native support for multicast
AnswersB, C, D

TE tunnels can be provisioned with bandwidth reservations.

Why this answer

Options A, B, and C are correct. MPLS-TE allows bandwidth guarantees, fast restoration via FRR, and load balancing. Option D is wrong because it does not reduce BGP routes; BGP routes are independent.

Option E is wrong because MPLS-TE is not typically used for multicast.

340
MCQeasy

A service provider needs to offer L3VPN services to multiple customers, each with overlapping IP addresses. The provider plans to use MPLS VPNs with VRFs. Which statement is TRUE regarding the configuration of VRFs on the PE routers?

A.The VRF must run OSPF to exchange routes with the CE router
B.Route targets (RTs) are used to control the import and export of VPNv4 routes between VRFs
C.MPLS labels are assigned per prefix inside a VRF by manual configuration
D.Each VRF must have a unique route distinguisher across the entire provider network
AnswerB

RTs determine which VRFs receive which routes, allowing overlapping addresses.

Why this answer

Option D is correct because route targets (RTs) are used to control the import/export of VPNv4 routes between PE routers, ensuring proper segregation and connectivity. Option A is wrong because RD must match within a VPN to avoid route ambiguity, but it can differ if RTs are properly configured; however, the question asks for TRUE statement. Option B is wrong because MPLS label allocation per VRF is automatic.

Option C is wrong because OSPF is not required; any IGP or BGP can be used.

341
MCQhard

A service provider is troubleshooting an MPLS L3VPN issue where a CE router is receiving the VPN route from the PE but cannot ping the remote CE's loopback. The PE shows that the VPN label is assigned but cannot route the packets. Which command would help determine if the remote PE is correctly resolving the BGP next-hop via IGP?

A.show ip route bgp
B.show mpls ldp neighbor
C.show ip route vrf CUST
D.show mpls forwarding-table vrf CUST
AnswerA

Shows the BGP route and its next-hop reachability (via IGP).

Why this answer

Option A, 'show ip route bgp', is correct because the issue is that the remote PE cannot route packets to the BGP next-hop of the VPN route. The CE receives the route, but the PE cannot forward packets, indicating a missing or incorrect IGP route to the next-hop address. This command displays BGP routes in the global routing table, allowing you to verify if the next-hop is reachable via IGP (e.g., OSPF or IS-IS) and if the recursive routing is successful.

Exam trap

Cisco often tests the distinction between VRF-specific commands and global routing table commands; the trap here is that candidates assume 'show ip route vrf CUST' will show the next-hop reachability, but it only shows the VPN route itself, not the underlying IGP route required for recursive forwarding.

How to eliminate wrong answers

Option B is wrong because 'show mpls ldp neighbor' checks LDP session status and label exchange between directly connected LSRs, but it does not verify IGP reachability to the BGP next-hop, which is the root cause here. Option C is wrong because 'show ip route vrf CUST' shows routes within the VRF, including the VPN route received from the remote PE, but it does not show the global IGP route to the BGP next-hop; the issue is in the global routing table, not the VRF. Option D is wrong because 'show mpls forwarding-table vrf CUST' displays the MPLS forwarding entries for the VRF, including the VPN label and outgoing interface, but it does not reveal whether the BGP next-hop is reachable via IGP; the forwarding table assumes the next-hop is reachable, which is the problem here.

342
MCQmedium

A service provider is deploying MPLS-TE with RSVP-TE in their core network. They notice that some LSPs are not being established due to resource contention. Which action would best address this issue without redesigning the entire traffic engineering deployment?

A.Enable preemption on RSVP-TE LSPs with appropriate priority levels.
B.Increase the bandwidth of all core links.
C.Configure LSP path-option explicit paths with strict hops.
D.Disable RSVP-TE and use LDP for label distribution.
AnswerA

Preemption allows higher-priority LSPs to take resources from lower-priority ones, resolving contention dynamically.

Why this answer

Enabling preemption on RSVP-TE LSPs with appropriate setup and hold priorities allows higher-priority LSPs to tear down lower-priority LSPs to free up bandwidth, resolving resource contention without redesigning the entire TE deployment. This is the standard mechanism defined in RFC 3209 for managing bandwidth contention in MPLS-TE networks.

Exam trap

Cisco often tests the misconception that explicit path configuration or bandwidth upgrades are the primary solutions for resource contention, when in fact preemption priorities are the designed mechanism for dynamic contention resolution in RSVP-TE.

How to eliminate wrong answers

Option B is wrong because increasing the bandwidth of all core links is a costly, non-scalable approach that may not be feasible and does not address the root cause of contention; it also requires a network redesign. Option C is wrong because configuring LSP path-option explicit paths with strict hops forces a specific path but does not resolve bandwidth contention on those links; it may even worsen contention by not allowing dynamic rerouting. Option D is wrong because disabling RSVP-TE and using LDP for label distribution removes traffic engineering capabilities entirely, as LDP does not support bandwidth reservation or explicit path control, which would not solve the resource contention issue.

343
MCQhard

An engineer is deploying Segment Routing in an MPLS network. To ensure that routers can forward packets based on SR-MPLS labels without requiring LDP, which requirement must be met?

A.IS-IS or OSPF must have the SR extension enabled.
B.MPLS LDP must be enabled on all interfaces.
C.All routers must run BGP-LU.
D.The IGP must have the overload bit set.
AnswerA

Correct. The IGP distributes prefix-SIDs for SR-MPLS label forwarding.

Why this answer

Option C is correct because for SR-MPLS forwarding, the IGP (IS-IS or OSPF) must have the Segment Routing extension enabled to distribute prefix-SIDs. Option A is incorrect; BGP-LU is not required for SR-MPLS. Option B is incorrect; LDP is not needed if SR is used.

Option D is incorrect; the overload bit is unrelated.

344
MCQmedium

A network engineer at a service provider is using Cisco NSO to automate the provisioning of VLANs on thousands of access devices. The engineer creates a service using a custom YANG model and deploys it to a set of devices. However, the deployment fails with a 'failed to reach devices' error for some devices, while others succeed. The engineer checks device connectivity and confirms all devices are reachable via SSH and NETCONF. The engineer also verifies that the NSO device list is accurate and includes all target devices. What is the most likely cause of the failure?

A.The service model uses an unsupported feature on those devices.
B.The devices are not in sync with NSO.
C.The devices have insufficient memory to accept the configuration.
D.The NSO package is not loaded on those devices.
AnswerB

Out-of-sync devices prevent NSO from deploying services on them, and the error may manifest as 'failed to reach' because NSO cannot reconcile the configuration.

Why this answer

When NSO deploys a service, it first checks whether the target devices are in sync with the NSO CDB (configuration database). If a device is out of sync (e.g., its running configuration differs from what NSO expects), NSO will refuse to push the new service configuration and will report a 'failed to reach devices' error, even though the device is reachable via SSH/NETCONF. This is a safety mechanism to prevent configuration conflicts or overwriting unmanaged changes.

Exam trap

Cisco often tests the misconception that 'failed to reach devices' always indicates a network connectivity problem, when in fact it can be caused by NSO's synchronization check failing on a reachable device.

How to eliminate wrong answers

Option A is wrong because an unsupported feature would typically cause a validation or commit error, not a 'failed to reach devices' error; NSO would still attempt to connect and then reject the configuration. Option C is wrong because insufficient memory would manifest as a commit failure or device crash, not a connectivity error, and NSO would still establish a session. Option D is wrong because NSO packages are loaded on the NSO server, not on the managed devices; devices only need to support NETCONF or CLI for NSO to manage them.

345
MCQeasy

An MPLS core network uses LDP to distribute labels. An engineer wants to verify that the LDP session between two routers is up and exchanging labels. Which command should be used?

A.show mpls interfaces
B.show mpls l2transport binding
C.show mpls ldp neighbor
D.show mpls forwarding-table
AnswerC

Displays LDP neighbors and session state.

Why this answer

The command 'show mpls ldp neighbor' displays the status of LDP sessions, including the neighbor's IP address, session state (e.g., Operational), and label exchange activity. Since LDP is the protocol used to distribute labels in this MPLS core network, this command directly verifies that the session is up and exchanging labels between the two routers.

Exam trap

Cisco often tests the distinction between verifying the LDP session itself (show mpls ldp neighbor) versus verifying the results of label exchange (show mpls forwarding-table), leading candidates to confuse the output of label distribution with the state of the label distribution protocol.

How to eliminate wrong answers

Option A is wrong because 'show mpls interfaces' displays which interfaces are enabled for MPLS and their LDP or TDP status, but it does not show LDP session state or label exchange with a specific neighbor. Option B is wrong because 'show mpls l2transport binding' is used for Layer 2 VPN (L2VPN) pseudowire label bindings, not for verifying LDP session status. Option D is wrong because 'show mpls forwarding-table' displays the LFIB (Label Forwarding Information Base) entries, which are the result of label exchange, but it does not show the LDP session state or neighbor adjacency.

346
MCQeasy

A service provider is implementing QoS on an MPLS network to support voice, video, and data traffic. Which queuing mechanism provides the lowest latency for real-time traffic?

A.FIFO
B.WRED
C.LLQ
D.CBWFQ
AnswerC

LLQ provides a strict priority queue that ensures low latency and jitter for real-time traffic.

Why this answer

LLQ (Low Latency Queuing) is the correct choice because it provides a strict priority queue specifically designed for real-time traffic like voice and video. By placing delay-sensitive packets into a dedicated priority queue that is serviced before all other queues, LLQ ensures minimal and predictable latency, which is essential for maintaining voice quality in an MPLS network.

Exam trap

Cisco often tests the misconception that CBWFQ alone can handle real-time traffic, but the trap is that CBWFQ lacks a strict priority queue, so only LLQ provides the necessary low-latency guarantee for voice and video.

How to eliminate wrong answers

Option A is wrong because FIFO (First In, First Out) offers no traffic differentiation or priority handling, so real-time packets can be delayed behind large data packets, causing jitter and unacceptable latency. Option B is wrong because WRED (Weighted Random Early Detection) is a congestion avoidance mechanism that drops packets proactively to prevent tail drops, but it does not provide any queuing or priority scheduling, so it cannot guarantee low latency for real-time traffic. Option D is wrong because CBWFQ (Class-Based Weighted Fair Queuing) provides bandwidth guarantees per class but does not include a strict priority queue; real-time traffic can still experience delay if competing with other classes for service.

347
MCQeasy

A client reports intermittent connectivity issues when accessing a server across a provider MPLS network. The issue occurs only during peak hours. Which component should be checked first?

A.BGP peering status between CE and PE.
B.CPU utilization of the server.
C.Interface errors and discards on the CE router.
D.MPLS labels in the core.
AnswerC

Peak traffic can cause output discards or CRC errors, leading to connectivity drops.

Why this answer

Intermittent connectivity during peak hours strongly suggests a bandwidth or queuing issue at the edge of the MPLS network. Interface errors (e.g., CRC, runts) and discards on the CE router indicate congestion or Layer 1/2 problems, which are the most common cause of such time-dependent symptoms. Checking this first aligns with the standard troubleshooting methodology of verifying the physical and data-link layers before moving to higher-layer protocols.

Exam trap

Cisco often tests the principle that intermittent issues during peak hours are almost always due to congestion or interface errors at the edge, not control-plane or core problems, leading candidates to incorrectly focus on BGP or MPLS labels.

How to eliminate wrong answers

Option A is wrong because BGP peering between CE and PE is a control-plane function; if it were flapping or down, connectivity would be lost entirely or consistently, not just intermittently during peak hours. Option B is wrong because server CPU utilization is an endpoint issue unrelated to the MPLS network; while high CPU could cause slow responses, it would not cause intermittent connectivity across the provider network. Option D is wrong because MPLS labels in the core are typically stable and not affected by peak-hour traffic patterns; label switching is deterministic and congestion in the core would manifest as drops or discards at the CE/PE edge, not as label failures.

348
MCQeasy

An SP customer reports intermittent voice quality issues. The engineer wants to measure jitter and packet loss between two remote sites using Cisco IP SLA. Which IP SLA operation type should be configured?

A.DNS Query
B.ICMP Echo
C.HTTP Get
D.TCP Connect
E.UDP Jitter
AnswerE

UDP Jitter measures jitter, packet loss, and one-way delay, ideal for voice quality monitoring.

Why this answer

UDP Jitter is designed to measure jitter, packet loss, and latency, which are critical for voice quality. ICMP Echo only measures RTT. TCP Connect measures connection time.

HTTP Get measures HTTP response time. DNS Query measures DNS resolution time.

349
Matchingmedium

Match each MPLS VPN technology to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Uses BGP to distribute VPN routes between PE routers

Emulates Layer 2 services like Ethernet or ATM over MPLS

Multipoint Layer 2 VPN that simulates an Ethernet LAN

Point-to-point Layer 2 VPN providing pseudowire connectivity

Multicast VPN that supports IP multicast over MPLS

Why these pairings

These are key MPLS VPN service types in service provider networks.

350
MCQhard

An engineer is troubleshooting MPLS traffic engineering tunnels and needs to verify path calculation and RSVP errors. Which command should be used?

A.show ip route
B.show mpls ldp neighbor
C.show mpls traffic-eng tunnels
D.debug mpls lfib errors
AnswerC

This command provides details on TE tunnels, including path computation and signaling status.

Why this answer

Option C is correct because the 'show mpls traffic-eng tunnels' command displays detailed information about MPLS TE tunnels, including path calculation status, RSVP signaling errors, and tunnel state. This command is specifically designed to verify TE tunnel operations and troubleshoot issues such as path computation failures or RSVP resource reservation problems.

Exam trap

Cisco often tests the distinction between MPLS TE-specific commands and general MPLS or routing commands, so the trap here is that candidates might confuse 'show mpls ldp neighbor' (for LDP-based label distribution) with TE tunnel verification, or mistakenly think 'debug mpls lfib errors' is appropriate for RSVP path errors when it actually targets LFIB corruption issues.

How to eliminate wrong answers

Option A is wrong because 'show ip route' displays the IP routing table and is not relevant to MPLS TE tunnel path calculation or RSVP error verification. Option B is wrong because 'show mpls ldp neighbor' shows LDP neighbor relationships, which are used for label distribution in non-TE MPLS, not for TE tunnel path calculation or RSVP signaling. Option D is wrong because 'debug mpls lfib errors' debugs Label Forwarding Information Base (LFIB) errors, which is a debugging tool for label forwarding issues, not for verifying TE tunnel path calculation or RSVP errors.

351
Multi-Selecthard

Which THREE are valid methods to provide fast convergence in an MPLS/Segment Routing network? (Select three.)

Select 3 answers
A.BGP Prefix Independent Convergence (PIC)
B.Topology-Independent LFA (TI-LFA)
C.Loop-Free Alternate (LFA)
D.RSVP-TE Fast Reroute (FRR)
E.IP Fast Reroute (IPFRR)
AnswersB, C, D

TI-LFA works with SR and provides node/link protection.

Why this answer

B is correct because Topology-Independent LFA (TI-LFA) provides fast convergence in Segment Routing networks by computing a backup path that is guaranteed to be loop-free regardless of the network topology. It leverages the Segment Routing data plane to pre-install a repair path using a segment list, enabling sub-50ms failover without relying on IGP convergence.

Exam trap

Cisco often tests the distinction between IPFRR (which is IP-layer only) and TI-LFA/LFA/RSVP-TE FRR (which are MPLS/Segment Routing-specific), so candidates mistakenly select IPFRR because it sounds similar to LFA, but it does not apply to MPLS/Segment Routing networks.

352
MCQhard

An ISP operates an MPLS Layer 3 VPN backbone. A customer, Corporation X, has four sites (A, B, C, D) each connected to a different PE router (PE-A, PE-B, PE-C, PE-D). They use OSPF as the CE-PE routing protocol. Sites A, B, and C can exchange routes without issue. However, Site D suddenly loses connectivity to Site B, though it can still reach Sites A and C. Show commands on PE-D reveal that the VRF for Corporation X imports RT:100:200, and the route for Site B (prefix 10.10.20.0/24) is present in the BGP VPNv4 table with RT:100:200 and next-hop 10.0.2.2. The OSPF neighbor between PE-D and the CE at Site D is up, and no route filters are configured. ‘ping 10.10.20.0’ from PE-D fails. What is the most likely cause of the issue?

A.OSPF route redistribution from PE-B into BGP is set to external type 2, while PE-D expects type 1.
B.The route target for Site B is misconfigured on PE-D, not matching the export RT from PE-B.
C.PE-D is not assigning an MPLS label for the route to Site B, causing packets to be dropped.
D.The BGP next-hop (10.0.2.2) for Site B's route is not reachable in PE-D's global routing table.
AnswerD

Correct: If the next-hop is unreachable, the VPNv4 route cannot be installed in the VRF, causing loss of connectivity to that specific site.

Why this answer

The route is in the VPNv4 table with the correct RT, so import is working. The next-hop is 10.0.2.2. If that next-hop is not reachable in the global routing table of PE-D, the VPNv4 route will not be installed in the VRF.

Checking ‘show ip route 10.0.2.2’ on PE-D would confirm. Option A is plausible but incorrect because an RT mismatch would prevent the route from even appearing in the VPNv4 table. Option C is incorrect because OSPF is redistributed, and the route type does not affect reachability.

Option D is incorrect because label allocation is not the issue; the prefix is present with labels.

353
MCQmedium

Which MPLS VPN technology allows a service provider to offer overlapping IP addresses to different customers while using a single routing table per VPN?

A.Any Transport over MPLS (AToM)
B.VPLS
C.MPLS Traffic Engineering (TE)
D.MPLS Layer 3 VPN (BGP/MPLS IP VPN)
AnswerD

Uses VRFs to isolate routing per VPN.

Why this answer

Option B is correct: MPLS Layer 3 VPN (BGP/MPLS IP VPN) uses VRFs to provide separate routing tables per VPN, allowing overlapping addresses. Option A (VPLS) is layer 2; Option C (AToM) is pseudowire; Option D (MPLS TE) is traffic engineering.

354
MCQhard

A network engineer is troubleshooting a NETCONF session that fails to establish between a controller and a router. The router supports NETCONF over SSH on port 830. The controller can reach the router but the session fails. What is the most likely cause?

A.The router's NETCONF capability is disabled
B.The SSH host key of the router is not in the controller's known_hosts file
C.The controller is using the wrong port (e.g., 22)
D.The router does not support YANG models
AnswerB

SSH host key verification failure can cause session failure.

Why this answer

The most likely cause is that the SSH host key of the router is not in the controller's known_hosts file. NETCONF over SSH (RFC 6242) requires SSH transport, and the controller must authenticate the router's SSH host key during session establishment. If the host key is missing or mismatched, the SSH handshake fails, preventing the NETCONF session from starting, even though the router is reachable and NETCONF is enabled.

Exam trap

Cisco often tests the distinction between transport-layer failures (SSH host key) and application-layer failures (NETCONF capability or YANG support), leading candidates to incorrectly choose options related to NETCONF configuration rather than SSH authentication.

How to eliminate wrong answers

Option A is wrong because if the router's NETCONF capability were disabled, the controller would typically receive a capability exchange failure or a clear error, but the question states the session fails to establish, which points to a transport-layer issue rather than an application-layer capability. Option C is wrong because the controller can reach the router, and the question specifies the router supports NETCONF over SSH on port 830; using port 22 would likely result in a connection timeout or refusal, but the session failure here is due to SSH authentication, not port mismatch. Option D is wrong because YANG model support is irrelevant to session establishment; NETCONF sessions can be established without any YANG models, as models are used for data modeling and operations after the session is up.

355
MCQhard

A service provider has recently deployed MPLS L3VPN to provide IP connectivity to multiple enterprise customers. One customer reports that they cannot reach a remote site that is connected to a different PE router. The engineer checks the BGP VPNv4 table on the customer's PE and sees the route for the remote site, but the next-hop is unreachable. The interface between the PE and P routers is up/up, and IGP reachability to the PE's loopback is fine. What is the most likely cause? Consider that the network uses LDP for label distribution and OSPF as the IGP.

A.MPLS LDP is not enabled on the interface connecting to the P router
B.BGP next-hop-self is not configured on the PE
C.The VRF route-target import/export is misconfigured
D.The PE router does not have an LSP to the remote PE
AnswerA

LDP must be enabled on the interface to exchange labels for the loopback route.

Why this answer

The correct answer is A. Since the interface between the PE and P routers is up/up and IGP reachability to the PE's loopback is fine, the issue is that MPLS LDP is not enabled on that interface. Without LDP, the PE cannot advertise a label for its loopback to the P router, so the P router cannot push the correct label for packets destined to the remote PE.

This makes the BGP VPNv4 next-hop unreachable even though the route itself is present in the table.

Exam trap

The trap here is that candidates often focus on BGP configuration (like next-hop-self) or VRF import/export when the route is present but unreachable, missing the fundamental MPLS label distribution issue that LDP must be enabled on all transit interfaces for end-to-end LSPs.

How to eliminate wrong answers

Option B is wrong because BGP next-hop-self is used to change the next-hop of VPNv4 routes to the local PE's loopback, but the problem states the route is present with an unreachable next-hop, not that the next-hop is incorrect. Option C is wrong because VRF route-target import/export misconfiguration would cause the route to be missing from the VRF table entirely, not to appear with an unreachable next-hop. Option D is wrong because an LSP to the remote PE is exactly what is missing, but the root cause is that LDP is not enabled on the interface, which prevents label distribution and thus the LSP from being built.

356
Multi-Selecthard

A service provider is deploying L3VPN with inter-AS option B (ASBR-to-ASBR). Which TWO statements are true about this design?

Select 2 answers
A.The VPN label is removed by the ASBR before forwarding to the neighbor AS.
B.ASBRs peer using eBGP and exchange labeled VPN-IPv4 prefixes.
C.Route reflectors are required to propagate VPN routes between ASes.
D.ASBRs perform label swap for VPN labels when forwarding traffic.
E.ASBRs exchange unlabeled IPv4 routes and use MP-BGP to carry VPNv4 routes.
AnswersB, D

ASBRs eBGP peer and exchange VPNv4 prefixes with labels, allowing end-to-end MPLS.

Why this answer

In inter-AS Option B, ASBRs peer using eBGP and exchange labeled VPN-IPv4 prefixes (AFI 1, SAFI 128). This allows the VPNv4 routes to be carried across AS boundaries without requiring a full mesh of MP-IBGP between PEs, as the ASBRs re-advertise the routes with a new next-hop and perform label allocation for the VPN labels.

Exam trap

Cisco often tests the misconception that Option B requires route reflectors or that the VPN label is removed at the ASBR, when in fact the ASBR performs a label swap and directly exchanges VPNv4 prefixes via eBGP without needing route reflectors.

357
Multi-Selecteasy

Which TWO of the following are services that can be offered using MPLS Layer 3 VPN (L3VPN) technology? (Select two.)

Select 2 answers
A.IP transit services
B.Layer 2 bridging between sites
C.Transport of Ethernet frames over MPLS
D.Native multicast support without tunnels
E.Internet access for customers
AnswersA, E

L3VPN provides IP routing between sites.

Why this answer

Options A and C are correct. MPLS L3VPN provides Layer 3 connectivity between customer sites; Internet service can be provided via separate VRF or global table; IP transit is a typical Layer 3 service. Option B (Layer 2 bridging) is for L2VPN/VPLS.

Option D (Transport of Ethernet frames) is L2VPN. Option E (Multicast support) is possible but is a feature, not a service itself.

358
MCQmedium

A service provider is migrating their MPLS core network to Segment Routing (SR-MPLS). All existing core routers run IOS-XR and are configured with an SRGB of 16000-23999 and OSPF as the IGP. A new router (R5) is added as a PE. The engineer configures R5 with the same SRGB and enables segment-routing under OSPF. However, when configuring an SR-TE policy from R5 to the remote loopback 10.0.0.1 on R1, the policy remains down. Show commands reveal that R5 is not learning the prefix-SID for 10.0.0.1. On R1, the prefix-SID is configured with index 100. The engineer verifies that OSPF adjacencies are up and that R5 can ping 10.0.0.1. What is the most likely cause of the issue?

A.The OSPF process on R5 is not configured with segment-routing mpls.
B.The SR-TE policy on R5 is missing the color attribute.
C.R1 is not configured with the same SRGB as R5.
D.The prefix-SID index 100 is not within the SRGB range of R5 (16000-23999).
AnswerA

Without this command, R5 cannot exchange prefix-SID information via OSPF.

Why this answer

Option B is correct because without 'segment-routing mpls' under the OSPF process, R5 cannot participate in Segment Routing, meaning it does not advertise its own prefix-SIDs nor learn the prefix-SIDs of other routers. This prevents the SR-TE policy from obtaining the necessary label bindings. Option A is incorrect because index 100 maps to label 16100 (16000+100), which is within the SRGB range.

Option C is incorrect because while color is a key attribute in SR-TE policies, the policy can still be defined with a segment-list; however, the primary issue here is the lack of prefix-SID learning. Option D is incorrect because the SRGB is consistent across all routers.

359
MCQeasy

An ISP is designing an MPLS core network and needs to choose an IGP that supports fast convergence. Which IGP meets this requirement and is most commonly used in MPLS core networks?

A.IS-IS
B.OSPFv3
C.EIGRP
D.RIPng
AnswerA

IS-IS provides fast convergence and is the predominant IGP in service provider MPLS cores.

Why this answer

IS-IS is the correct choice because it is a link-state IGP that inherently supports fast convergence through mechanisms like incremental SPF (iSPF) and prefix-independent convergence (PIC). It is widely deployed in MPLS core networks due to its scalability, extensibility via TLVs, and native support for MPLS Traffic Engineering (MPLS-TE) without requiring additional protocol extensions like OSPF's opaque LSA.

Exam trap

Cisco often tests the misconception that OSPF is the default IGP for all networks, but in MPLS core environments, IS-IS is the preferred choice due to its native TE support and hierarchical scalability, making OSPF a distractor despite its fast convergence capabilities.

How to eliminate wrong answers

Option B (OSPFv3) is wrong because while OSPFv3 supports IPv6 and fast convergence, it is less commonly used in MPLS core networks compared to IS-IS due to its reliance on opaque LSAs for MPLS-TE, which adds complexity; IS-IS is the dominant IGP in service provider cores. Option C (EIGRP) is wrong because EIGRP is a Cisco-proprietary distance-vector protocol that does not natively support MPLS-TE and is not designed for the hierarchical, scalable architecture required in MPLS core networks. Option D (RIPng) is wrong because RIPng is a distance-vector protocol with slow convergence (based on hop count) and is unsuitable for any modern MPLS core network due to its lack of fast convergence, scalability, and MPLS-TE support.

360
MCQmedium

An engineer configures the 'set-overload-bit' command on an IS-IS router. What is the immediate effect on the network?

A.The router stops participating in SPF calculations.
B.The router's LSPs are no longer advertised.
C.The router's neighbors drop adjacency.
D.The router is not used as a transit path but still has routes.
AnswerD

Correct. Overload bit prevents transit traffic while still being reachable.

Why this answer

Option C is correct because setting the overload bit in IS-IS LSPs tells other routers not to use this router for transit traffic, but it still advertises its own prefixes and can be a destination. Option A is incorrect; the router still participates in SPF. Option B is incorrect; LSPs are still advertised.

Option D is incorrect; neighbors remain adjacent.

361
Multi-Selectmedium

Which TWO of the following are advantages of segment routing over traditional LDP-based MPLS? (Choose two.)

Select 2 answers
A.Reduces the number of BGP peers required
B.Eliminates the need for the LDP protocol
C.Requires RSVP-TE for traffic engineering
D.Provides source routing capability
E.Eliminates the need for IGP
AnswersB, D

SR uses IGP extensions instead of LDP.

Why this answer

Option B is correct because segment routing (SR-MPLS) eliminates the need for the LDP protocol by encoding MPLS labels directly in the IGP (e.g., OSPF or IS-IS) using extensions like RFC 8665 and RFC 8667. This simplifies the control plane by removing an entire protocol (LDP) and its associated state, reducing operational complexity and convergence time.

Exam trap

Cisco often tests the misconception that segment routing eliminates the IGP entirely, but in reality, SR relies on the IGP to distribute SIDs, so the IGP is still required.

362
MCQeasy

In MPLS forwarding, what label operation does a transit LSR perform on the top label of a labeled packet?

A.Swap
B.None
C.Pop
D.Push
AnswerA

Swap is the correct operation for a transit LSR.

Why this answer

A transit Label Switch Router (LSR) in an MPLS network receives a labeled packet and must forward it toward the egress LSR. The core operation on the top label is a swap: the incoming label is replaced with an outgoing label learned from the downstream LSR via Label Distribution Protocol (LDP) or other label distribution protocols. This maintains the label-switched path (LSP) and ensures the packet continues along the correct path.

Exam trap

Cisco often tests the distinction between the roles of ingress, transit, and egress LSRs, and the trap here is that candidates confuse the transit LSR's swap operation with the penultimate hop's pop operation or the ingress LSR's push operation.

How to eliminate wrong answers

Option B (None) is wrong because a transit LSR must always perform a label operation on the top label to forward the packet; doing nothing would drop the packet or cause a forwarding loop. Option C (Pop) is wrong because pop (penultimate hop popping, PHP) is performed by the penultimate LSR (the LSR just before the egress), not by a generic transit LSR. Option D (Push) is wrong because push is performed by the ingress LSR when it first imposes a label on an unlabeled packet; a transit LSR receives an already-labeled packet and does not push an additional label.

363
MCQmedium

A customer is experiencing intermittent packet loss in an MPLS L3VPN network. The PE routers show no errors on interfaces. Which tool can help isolate the issue by showing the complete path a packet takes through the MPLS network?

A.Traceroute
B.Ping
C.MPLS traceroute
D.MPLS ping
AnswerC

MPLS traceroute displays the label stack at each hop along the LSP.

Why this answer

MPLS traceroute shows the entire LSP path including labels at each hop. Traceroute does not show MPLS labels, MPLS ping tests connectivity but not detailed path, and ping only tests end-to-end.

364
MCQeasy

A network operator deploys a QoS policy on a route reflector to classify traffic based on BGP community values. However, the policy is not matching the intended traffic. Which is the most likely cause?

A.The policy-map is applied to the wrong interface.
B.The class-map uses a match statement referencing BGP community values, which are not visible at the QoS classification stage.
C.The service-policy is applied in the wrong direction (input vs output).
D.The class-default class is consuming all traffic.
AnswerB

BGP communities are control-plane attributes; QoS uses packet headers.

Why this answer

BGP community values are exchanged as part of the BGP routing update and are stored in the BGP table, but they are not carried in the IP packet header. QoS classification in Cisco IOS operates on fields within the Layer 2 or Layer 3 packet header (e.g., DSCP, IP precedence, CoS) and cannot inspect BGP attributes like community values. Therefore, a class-map using a match statement for BGP communities will never match traffic at the QoS classification stage, making this the most likely cause of the policy not working.

Exam trap

Cisco often tests the distinction between control-plane attributes (like BGP communities) and data-plane packet headers, leading candidates to incorrectly assume that any attribute visible in the routing table can be used for QoS classification.

How to eliminate wrong answers

Option A is wrong because the question states the policy is deployed on a route reflector, and the issue is that the policy is not matching the intended traffic; applying the policy-map to the wrong interface would cause no traffic to be classified at all, but the core problem is that the classification criteria (BGP community) are invalid for QoS, not the interface selection. Option C is wrong because the direction (input vs output) affects when the policy is applied relative to packet forwarding, but even if the direction is correct, the policy still cannot match on BGP communities since they are not present in the packet header. Option D is wrong because the class-default class consuming all traffic would indicate that no other class matches, which is exactly what happens when the match criteria are invalid, but the root cause is the inability to match on BGP communities, not a misconfiguration of class-default; class-default is a catch-all and would only be relevant if other classes had valid match statements.

365
MCQhard

A service provider is deploying Segment Routing Traffic Engineering (SR-TE) with a Path Computation Element (PCE). The PCE fails to compute a path for an SR-TE policy configured with constraint 'avoid nodes in affinity red'. The core network has red affinity assigned to several nodes. Which is the most likely cause?

A.The PCE does not have the updated link-state database with the affinity attributes
B.The headend router does not have the SR-TE policy configured with the correct path
C.The PCE is not reachable from the headend router
D.The SR-TE policy is configured with a strict explicit path that conflicts with the constraint
E.The red affinity is not properly configured in the network
AnswerA

PCE needs current IGP database to honor constraints; if not updated, it cannot compute paths with avoid conditions.

Why this answer

The most likely cause is that the PCE does not have the updated link-state database reflecting the affinities, so it cannot enforce the constraint. Other options: The PCE might be unable to compute due to other reasons, but affinity mismatches are common. SR-TE policy on the headend does not require explicit paths; it relies on the PCE.

Label imposition is not affected by PCE failure. Red affinity should be configured correctly.

366
MCQhard

A service provider has a network with multiple PE routers providing MPLS L3VPN services. Customers are complaining that some remote sites are unreachable after a recent software upgrade on PE1. Upon investigation, you notice that PE1 is receiving BGP VPNv4 routes from the route reflector, but some routes are not being installed in the VRF routing table. PE1 is configured with BGP additional-path capability and has a route policy that selects only the best path. The VRF on PE1 has import and export route targets configured correctly. The missing routes have a higher local preference but are not selected due to a tie-break in BGP path selection. Which action should be taken to ensure that all valid routes are installed in the VRF?

A.Reset the BGP session between PE1 and the route reflector.
B.Configure BGP additional-paths for the VRF and adjust the route policy to allow multiple paths.
C.Disable route target filtering on PE1 to import all routes.
D.Increase the local preference on the route reflector for the missing routes.
AnswerB

Additional-paths allows multiple BGP paths to be installed in the VRF.

Why this answer

B is correct because the issue is that PE1 is configured with BGP additional-path capability but has a route policy that selects only the best path. When BGP path selection ties on local preference and other attributes, additional-path send/receive capability allows multiple paths to be considered, but the route policy must be adjusted to permit multiple paths into the VRF. Without this, only the single best path is installed, even if valid alternative paths exist.

Exam trap

Cisco often tests the distinction between enabling BGP additional-path capability globally and actually configuring the VRF to accept multiple paths; candidates mistakenly think that enabling additional-path alone is sufficient, but the route policy must be adjusted to allow multiple paths into the VRF routing table.

How to eliminate wrong answers

Option A is wrong because resetting the BGP session would not change the route selection logic; the same tie-break would occur again, and the missing routes would still not be installed. Option C is wrong because disabling route target filtering would import all routes regardless of RT, which violates VRF isolation and could introduce incorrect routing, but the problem is not about RT filtering—it is about BGP path selection limiting the number of paths installed. Option D is wrong because increasing local preference on the route reflector would only affect the tie-break if the missing routes had a lower local preference, but the scenario states they have a higher local preference and are still not selected due to a different tie-break; changing local preference would not resolve the fundamental issue of multiple paths not being accepted.

367
MCQeasy

An SP has configured MPLS TE tunnels for traffic engineering. To verify the status of the TE tunnels, which command provides the most relevant information?

A.show mpls forwarding-table
B.show mpls ldp tunnels
C.show mpls traffic-eng tunnels brief
D.show ip rsvp reservation
AnswerC

This command summarizes TE tunnel states and is the primary verification tool.

Why this answer

Option A is correct because 'show mpls traffic-eng tunnels brief' displays the status, state, and role of all TE tunnels. Option B is wrong because 'show mpls ldp tunnels' shows LDP tunnel statistics, not TE tunnels. Option C is wrong because 'show ip rsvp reservation' shows RSVP reservations, which are used by TE but do not list tunnels.

Option D is wrong because 'show mpls forwarding-table' shows the LFIB, not TE tunnel status.

368
MCQeasy

A service provider is deploying a point-to-point Layer 2 VPN across an MPLS network using Ethernet over MPLS (EoMPLS) with Martini encapsulation. The customer requires transparent transport of VLAN tags (Q-in-Q) between two sites. The provider configures the attachment circuits on the PE routers as VLAN subinterfaces with dot1q encapsulation. After configuration, the customer reports that only untagged frames pass through the pseudowire; double-tagged frames are dropped at the egress PE. Which action resolves the issue?

A.Replace the attachment circuit with a port-mode Layer 2 interface and disable VLAN tagging on the PE
B.Configure the pseudowire to use the 'tag-imposition' keyword to allow double tagging
C.Configure the PE routers to use VLAN translation to map both tags to a single tag before encapsulation
D.Change the encapsulation on the PE subinterfaces to dot1q second-dot1q and enable the preservation of the outer VLAN tag at the ingress PE
AnswerD

Why this answer

Option D is correct because EoMPLS with Martini encapsulation (RFC 4448) supports Q-in-Q transparent transport only when the ingress PE is configured to preserve the outer VLAN tag. Using 'dot1q second-dot1q' encapsulation on the subinterface tells the PE to treat the outer tag as part of the payload and not strip it, allowing both tags to be carried across the pseudowire. Without this, the default dot1q encapsulation strips the outer tag, causing double-tagged frames to be dropped at the egress PE.

Exam trap

Cisco often tests the distinction between 'dot1q' and 'dot1q second-dot1q' encapsulation on subinterfaces, where candidates mistakenly think that standard dot1q encapsulation will preserve double tags, but it actually strips the outer tag before encapsulation into the pseudowire.

How to eliminate wrong answers

Option A is wrong because replacing the attachment circuit with a port-mode Layer 2 interface and disabling VLAN tagging would strip all VLAN tags, preventing Q-in-Q transport entirely. Option B is wrong because 'tag-imposition' is not a valid keyword for EoMPLS pseudowires; it is a concept used in MPLS VPN label imposition, not for preserving double tags in Layer 2 VPNs. Option C is wrong because VLAN translation would map both tags to a single tag, which defeats the purpose of transparent Q-in-Q transport and does not preserve the original double-tagged frame structure.

369
MCQeasy

Which QoS mechanism marks packets at the edge of the network to classify traffic into different service classes?

A.Queuing
B.Shaping
C.Policing
D.Marking
AnswerD

Marking sets the QoS bits in the packet header.

Why this answer

Classification and marking are used to identify and mark packets with a specific class of service (e.g., DSCP, IP Precedence). This occurs at the edge before the packet traverses the core.

370
MCQhard

In Segment Routing over IPv6 (SRv6), what is the function of the SRH (Segment Routing Header)?

A.It replaces the IPv6 header to reduce overhead
B.It contains the segment list (ordered list of SIDs)
C.It provides OAM capabilities for path monitoring
D.It uses the IPv6 flow label to encode the path
AnswerB

SRH contains a list of SIDs that define the forwarding path.

Why this answer

SRH carries a list of segment IDs (SIDs) that define the path. Option D is correct. Option A is wrong because SRH does not replace the IPv6 header.

Option B is wrong because OAM is separate. Option C is wrong because the flow label is not used for segment list.

371
MCQhard

Refer to the exhibit. Which statement is correct about the LDP bindings for prefix 10.0.0.0/24?

A.There are two remote label bindings for this prefix from different LSRs.
B.Both remote bindings are from the same LSR.
C.The local label for this prefix is 18.
D.The router is performing PHP for this prefix.
AnswerA

Correct. Two remote bindings exist.

Why this answer

Option B is correct because the local label is 180, and there are two remote bindings from different LSRs. Option A is incorrect; the local label is 180, not 18. Option C is incorrect; the remote labels are from two different peers.

Option D is incorrect; there is no implied PHP from this output.

372
MCQeasy

An engineer notices that MPLS VPN traffic is taking a suboptimal path because the MPLS label binding for the BGP next-hop loopback is missing. What is the most likely cause?

A.The remote PE is configured with a different VPN ID.
B.The local PE does not have a route to its own loopback.
C.LDP is not enabled on the core-facing interfaces.
D.LDP is not enabled on the PE-CE interface.
AnswerC

LDP on core interfaces is required to propagate labels for the loopback.

Why this answer

LDP must be enabled on core-facing interfaces to distribute labels for the loopback. If it is missing, no label is available.

373
MCQhard

An SP is designing a MPLS L3VPN service with BGP as the PE-CE routing protocol. They want to ensure that the CE router does not become a transit router between two sites. Which BGP feature should be configured on the PE to prevent the CE from advertising routes received from one site to another?

A.Site of Origin (SoO)
B.allowas-in
C.disable-connected-check
D.as-override
AnswerA

SoO marks routes so that a CE will ignore routes with its own SoO, preventing transit.

Why this answer

Option D is correct because disabling route propagation (e.g., using 'neighbor x.x.x.x next-hop-self' or 'no bgp default route-advertise' but the key is to prevent the CE from learning other CE routes; typically on the PE, you set 'neighbor CE next-hop-self' and also ensure that the CE only receives routes from its own site. However, the exact feature is to use 'neighbor CE soft-reconfiguration inbound' plus filters, but specifically, 'disable-optimal-route-splitting' is not standard. Actually, the standard is to use 'neighbor CE prefix-list' to filter outgoing routes, but among options, 'disable-route-propagation' is a Cisco feature that prevents routes from being sent back to the same BGP AS.

Alternatively, 'allowas-in' would allow duplicates. The correct answer is to not allow routes from other sites to be sent to the CE; typically you use 'neighbor CE route-map' to filter. Option D is correct because 'neighbor x.x.x.x disable-connected-check' is unrelated.

Wait, checking options: A: allowas-in, B: as-override, C: soo, D: disable-connected-check. Actually, SoO (Site of Origin) is used to prevent loops in multi-homed BGP, but the question asks to prevent the CE from becoming a transit. With SoO, the PE marks routes with a SoO extended community, and the CE can be prevented from advertising routes back if it sees its own SoO.

But SoO is not the primary method; best practice is to set next-hop-self on the PE and not advertise other site routes. However, among given options, SoO is the correct one. Let's rethink: Option C (SoO) is used to prevent routing loops by adding a unique SoO value per site; when the CE receives a route with its own SoO, it drops it.

Thus it prevents a CE from learning routes from other sites. So Option C is correct. Explanation: SoO prevents the CE from accepting routes that originated from its own site, thus it cannot become a transit.

374
MCQmedium

Based on the exhibit, which statement is true about the applied QoS policy?

A.The default class matches only best-effort traffic.
B.The policy uses low-latency queuing for voice.
C.Video traffic is being dropped at a rate of 5 kbps.
D.Voice traffic is experiencing drops due to policer.
AnswerC

The video class shows an exceed rate of 5 kbps, confirming drops.

Why this answer

Option B is correct because the video class is exceeding its police rate (CIR 20 kbps) with an exceed rate of 5 kbps, indicating that 5 kbps of video traffic is being dropped. Option A is false because the voice class has no drops. Option C is false because the default class matches any traffic.

Option D is false because no priority or LLQ is configured, only policing.

375
MCQeasy

An SP is managing a large MPLS network and needs to verify the MPLS forwarding entries for a specific VRF. Which command provides the most complete information for the VRF?

A.show ip cef vrf <name>
B.show mpls forwarding-table vrf <name>
C.show mpls vrf <name>
D.show bgp vpnv4 unicast all labels
AnswerB

Shows the complete LFIB for the VRF with inbound and outbound labels.

Why this answer

Option D is correct because 'show mpls forwarding-table vrf <name>' displays the label forwarding table for the VRF, including inbound and outbound labels. Option A is wrong because 'show ip cef vrf' shows CEF table, not MPLS labels. Option B is wrong because 'show bgp vpnv4 unicast all labels' shows BGP label bindings, not the forwarding table.

Option C is wrong because 'show mpls vrf' is not a valid command.

Page 4

Page 5 of 7

Page 6

All pages