Cisco SPCOR / CCNP Service Provider Core 350-501 (350-501) — Questions 376450

500 questions total · 7pages · All types, answers revealed

Page 5

Page 6 of 7

Page 7
376
Drag & Dropmedium

Drag and drop the steps to configure a GRE tunnel on a Cisco router into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

GRE tunnel configuration involves creating the tunnel interface, setting source and destination, and assigning an IP address.

377
MCQmedium

Based on the exhibit, which prefix is NOT reachable via MPLS forwarding?

A.10.1.1.1/32
B.10.3.3.3/32
C.10.2.2.2/32
D.10.5.5.5/32
AnswerD

The outgoing label is Untagged, so MPLS forwarding is not applied, likely causing packet drop.

Why this answer

Option D (10.5.5.5/32) is correct because the exhibit shows that the LDP label bindings are only present for prefixes 10.1.1.1/32, 10.2.2.2/32, and 10.3.3.3/32. The prefix 10.5.5.5/32 is not in the LDP label information base (LIB), meaning no MPLS label has been assigned to it, so it cannot be forwarded via MPLS and must be forwarded using standard IP routing instead.

Exam trap

Cisco often tests the distinction between prefixes that have LDP label bindings versus those that are simply present in the routing table, trapping candidates who assume all IGP routes are automatically MPLS-switched without verifying the label bindings.

How to eliminate wrong answers

Option A is wrong because 10.1.1.1/32 has an LDP label binding (label 16) as shown in the exhibit, making it reachable via MPLS forwarding. Option B is wrong because 10.3.3.3/32 has an LDP label binding (label 18) as shown in the exhibit, making it reachable via MPLS forwarding. Option C is wrong because 10.2.2.2/32 has an LDP label binding (label 17) as shown in the exhibit, making it reachable via MPLS forwarding.

378
Multi-Selecthard

Which TWO are essential components for deploying EVPN in a service provider network?

Select 2 answers
A.Overlay tunnel encapsulation such as VXLAN or MPLS
B.OSPF as the underlay routing protocol
C.BGP for MAC/VPN route advertisement
D.PIM-SM for multicast replication
E.RSVP-TE for path computation
AnswersA, C

EVPN requires an overlay for traffic forwarding.

Why this answer

Options B and E are correct. EVPN uses an overlay tunnel (VXLAN/MPLS) and BGP as control plane. Option A is wrong because OSPF is not used.

Option C is wrong because RSVP-TE is not required. Option D is wrong because PIM is for multicast, but EVPN can use other mechanisms.

379
Multi-Selecthard

A network architect is designing a model-driven telemetry solution for a large SP network. Which three factors are critical to consider when configuring telemetry subscriptions? (Choose three.)

Select 3 answers
A.The size of the YANG data model.
B.The collection protocol (gRPC vs gNMI vs native TCP).
C.Network bandwidth to the telemetry collector.
D.The sampling interval for periodic subscriptions.
E.The encoding format (GPB, JSON, XML).
AnswersB, C, D

The protocol determines capabilities like on-change reporting, encoding, and transport efficiency.

Why this answer

Network bandwidth to the collector ensures the data can be transmitted without loss. The collection protocol affects performance and feature support. The sampling interval determines data granularity and load.

The size of the YANG model is not a subscription configuration factor, and encoding format is a trade-off but not as critical as the others.

380
MCQeasy

A service provider's network core runs IS-IS as the IGP. After adding a new router, some routers have incomplete LSP databases. The new router's interfaces are up, and IS-IS adjacency is up with neighbors. What is the cause? The network has a mix of interface MTUs, with some links having MTU 1500 and others 4470.

A.MTU mismatch on the interface
B.IS-IS overload bit set on the new router
C.IS-IS LSP flooding is inhibited on the new router
D.The new router's system-id is a duplicate
AnswerA

Smaller MTU can cause LSP fragmentation/drop, leading to incomplete databases.

Why this answer

The correct answer is A because an MTU mismatch on the interface causes incomplete LSP databases. IS-IS uses a maximum LSP size derived from the interface MTU minus the IS-IS header overhead (typically 3 bytes for the LSP header). When a router with a smaller MTU (e.g., 1500) receives an LSP that was generated on a larger MTU link (e.g., 4470), the LSP may be too large to be stored or processed, leading to fragmentation or rejection.

This results in an incomplete LSP database on some routers, even though adjacencies are up.

Exam trap

Cisco often tests the misconception that MTU mismatch only affects adjacency formation, but in IS-IS, adjacencies can form even with MTU mismatch, and the real impact is on LSP database synchronization due to LSP size constraints.

How to eliminate wrong answers

Option B is wrong because the IS-IS overload bit prevents the router from being used for transit traffic but does not affect LSP database completeness; it only sets the overload flag in the router's LSP, signaling other routers to avoid using it for transit. Option C is wrong because if LSP flooding were inhibited on the new router, it would not send its own LSPs, but the problem states that adjacencies are up and some routers have incomplete databases, which points to a size mismatch rather than a flooding suppression. Option D is wrong because a duplicate system-id would cause adjacency failures or routing loops, not incomplete LSP databases; IS-IS would detect the duplicate via LSP sequence numbers and reject the newer LSP, but adjacencies would still form.

381
Multi-Selecthard

Which TWO are possible causes for a NETCONF session failing to establish with a Cisco IOS-XE device?

Select 2 answers
A.The device is running IOS-XR
B.The YANG module namespace is incorrect
C.NTP is not synchronized
D.TCP port 830 is blocked by a firewall
E.NETCONF is not enabled or SSH is not configured for NETCONF
AnswersD, E

NETCONF over SSH uses port 830 by default; if blocked, the TCP connection fails.

Why this answer

NETCONF over SSH requires SSH to be enabled and TCP port 830 (default) to be accessible. If NETCONF is not enabled, or port 830 is blocked, the session fails. YANG module namespace does not affect session establishment.

Device platform (XR) is irrelevant as IOS-XR also supports NETCONF. NTP synchronization is not required for SSH.

382
MCQhard

An SP is using NETCONF with YANG to automate VRF provisioning. The engineer notices that the NETCONF session is established but configuration changes are not applied. Which issue is most likely?

A.The YANG model does not support the target configuration datastore
B.The NETCONF capability :candidate is not advertised
C.The device does not support :url capability
D.The user does not have write access to the candidate datastore
AnswerB

If :candidate is not advertised, the device does not support candidate datastore, and edit-config with candidate fails.

Why this answer

If the device does not advertise the :candidate capability, edit-config operations that use the candidate datastore will fail. Option A: YANG model support might be an issue but less likely if session established; Option B: write access is typically based on user permissions; Option D: :url capability is optional for loading configs. Thus C is correct.

383
MCQeasy

A service provider is configuring VRF-lite between two CE routers connected to the same PE. The CE routers are in different VRFs. Which command allows the PE router to forward traffic between the VRFs?

A.vrf forward RED
B.route-target export RED:100 import BLUE:100
C.ip route vrf RED 0.0.0.0 0.0.0.0 10.1.1.1 global
D.ip route vrf RED 0.0.0.0 0.0.0.0 vrf BLUE
AnswerD

Correct. This command uses the 'vrf' keyword to route between VRFs.

Why this answer

Option D is correct because the command `ip route vrf RED 0.0.0.0 0.0.0.0 vrf BLUE` creates a static inter-VRF route on the PE router, allowing traffic from VRF RED to be forwarded to VRF BLUE without requiring MPLS or BGP. This is the standard method for VRF-lite inter-VRF communication on the same PE, using a static route that points to the next-hop VRF instead of an IP address.

Exam trap

Cisco often tests the distinction between VRF-lite static inter-VRF routes and MPLS L3VPN route-target commands, trapping candidates who confuse the simple static route approach with the BGP-based route-target import/export mechanism.

How to eliminate wrong answers

Option A is wrong because `vrf forward RED` is not a valid Cisco IOS command; it does not exist and would not configure inter-VRF forwarding. Option B is wrong because `route-target export RED:100 import BLUE:100` is used in MPLS L3VPN environments to control route distribution between VRFs via MP-BGP, not for direct VRF-lite forwarding on a single PE. Option C is wrong because `ip route vrf RED 0.0.0.0 0.0.0.0 10.1.1.1 global` installs a default route in VRF RED pointing to a next-hop in the global routing table, which does not forward traffic into another VRF; it only sends traffic to the global table, not to VRF BLUE.

384
MCQmedium

During an MPLS network migration from LDP to Segment Routing, an engineer notices that some routers are not advertising Prefix-SIDs for certain loopbacks. The IGP is OSPF. What configuration is required on these routers to advertise Prefix-SIDs?

A.Enable 'mpls ldp autoconfig' on the loopback interface.
B.Enable 'segment-routing mpls' globally and configure 'prefix-sid index' under the loopback interface.
C.Configure 'segment-routing mpls set-adjacency-sid' on the loopback.
D.Configure 'segment-routing mpls' globally and assign a SID index under the OSPF router process for the loopback.
AnswerD

This enables SR globally and assigns the Prefix-SID under OSPF.

Why this answer

In OSPF, Prefix-SIDs for loopbacks are advertised by configuring 'segment-routing mpls' globally and then assigning a SID index under the OSPF router process using the 'prefix-sid index' command for the specific loopback network. This ties the SID to the OSPF prefix advertisement, enabling SR-MPLS forwarding without LDP.

Exam trap

Cisco often tests the distinction between where Prefix-SID configuration is applied (under the IGP process) versus interface-level commands, leading candidates to mistakenly configure 'prefix-sid index' directly on the loopback interface.

How to eliminate wrong answers

Option A is wrong because 'mpls ldp autoconfig' enables LDP on the interface, which is not used for Segment Routing and would not advertise Prefix-SIDs. Option B is wrong because 'prefix-sid index' is configured under the OSPF router process, not directly under the loopback interface; the interface-level command does not exist for OSPF. Option C is wrong because 'segment-routing mpls set-adjacency-sid' is used to assign Adjacency-SIDs on interfaces, not Prefix-SIDs for loopbacks.

385
Multi-Selectmedium

Which TWO of the following are characteristics of MPLS L3VPN architecture? (Choose two.)

Select 2 answers
A.All traffic is forwarded using MPLS label switching only
B.Each customer has a separate VRF on the PE router
C.LDP is required for label distribution in the core
D.The P routers maintain a full routing table for each VPN
E.Customer IP prefixes are exchanged using MP-BGP VPNv4 updates
AnswersB, E

VRF is essential for L3VPN isolation.

Why this answer

Option B is correct because in MPLS L3VPN, each customer is assigned a separate Virtual Routing and Forwarding (VRF) instance on the Provider Edge (PE) router. This VRF maintains a unique routing table and forwarding table per customer, ensuring complete isolation between different VPN customers on the same PE.

Exam trap

Cisco often tests the misconception that LDP is mandatory for MPLS L3VPN, but in reality, any label distribution protocol (LDP, RSVP-TE, or SR-MPLS) can be used in the core.

386
MCQeasy

An engineer is configuring QoS on a service provider edge router to prioritize real-time traffic. Which queuing mechanism provides the lowest latency and jitter for voice traffic?

A.FIFO
B.CBWFQ
C.WRED
D.LLQ
AnswerD

LLQ combines strict priority queue with CBWFQ for real-time traffic.

Why this answer

LLQ (Low Latency Queuing) is the correct choice because it combines a strict priority queue with CBWFQ, ensuring that voice traffic is always served before any other queue. This strict priority scheduling minimizes both latency and jitter for real-time traffic, which is critical for voice quality.

Exam trap

Cisco often tests the distinction between queuing mechanisms and congestion avoidance, so candidates may mistakenly choose WRED (a drop mechanism) or CBWFQ (which lacks strict priority) instead of LLQ for real-time traffic.

How to eliminate wrong answers

Option A is wrong because FIFO (First In, First Out) provides no traffic differentiation or priority, so voice packets can be delayed by large data packets, increasing latency and jitter. Option B is wrong because CBWFQ (Class-Based Weighted Fair Queuing) assigns bandwidth weights to classes but does not include a strict priority queue, so voice traffic may still experience queuing delays. Option C is wrong because WRED (Weighted Random Early Detection) is a congestion avoidance mechanism that drops packets to prevent tail drops, not a queuing mechanism, and it does not provide low latency or jitter for voice traffic.

387
MCQmedium

A service provider is troubleshooting BGP route selection for prefixes received from two different peers. The first peer prepends its AS path twice, making it longer than the second peer's path. However, the router still prefers the route with the longer AS path. Which additional attribute could cause this behavior?

A.The route has a lower MED
B.The route has a higher weight
C.The route has a lower origin type
D.The route has a higher local preference
E.The route has a lower neighbor router ID
AnswerD

Local preference is the first criterion in BGP path selection; a higher value will be chosen regardless of AS path length.

Why this answer

In BGP, the path with higher local preference is preferred regardless of AS path length. If both have same local preference, then shortest AS path wins. Here, the longer AS path is preferred, meaning the local preference must be higher on that route.

Weight is Cisco-proprietary and local to the router; if set, it can override local preference. MED is compared only if paths come from the same AS. Origin type is compared after AS path.

Community affects but does not directly override AS path length.

388
MCQhard

A service provider is experiencing congestion on a core link connecting two P routers. The customer traffic is classified into three classes: voice (low latency), video (low loss), and data (best effort). The current configuration uses DSCP-based classification at the PE ingress, but many customers are remarking DSCP values to gain better service, bypassing the provider's QoS policy. The provider wants to enforce a strict trust boundary at the PE and re-mark all traffic according to a per-customer contract. Additionally, the provider must offer per-customer bandwidth guarantees, ensuring that one customer's traffic does not starve another customer's traffic on the congested core link. The solution must be scalable to hundreds of customers. What should the designer recommend?

A.Apply a flat QoS policy on the core interfaces that polices each DSCP value to a fixed rate; trust is not needed because the core enforces its own limits.
B.Use auto-qos on all PE interfaces and rely on CoS trust; the core uses MPLS EXP derived from CoS to ensure proper queuing.
C.Implement hierarchical QoS on the PE egress to customer-facing interfaces, with parent-level shaping per customer and child-level policing per class, and set a trust boundary to mark all traffic based on the customer contract at ingress.
D.Configure MPLS Traffic Engineering tunnels on the core with bandwidth reservation per customer class; use EXP-null to preserve markings end-to-end.
AnswerC

Hierarchical QoS provides both per-customer and per-class enforcement, and setting trust boundary at ingress solves the remarking issue.

Why this answer

Option A is correct because hierarchical QoS allows per-customer shaping at the parent level to enforce per-customer bandwidth limits, and per-class policing at the child level to enforce per-class contracts. This provides the required trust boundary and per-customer guarantees. Option B is wrong because auto-qos does not provide per-customer granularity and relies on trust which is already broken.

Option C is wrong because MPLS TE tunnels reserve bandwidth but do not solve the trust boundary issue; also resetting EXP is complex. Option D is wrong because a flat policy on core does not allow per-customer differentiation and cannot enforce per-customer guarantees.

389
Drag & Dropmedium

Drag and drop the steps to configure a static route on a Cisco IOS router into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Static routes require global config mode and must specify the destination network, subnet mask, and next-hop address or exit interface.

390
MCQmedium

A service provider is deploying MPLS Layer 3 VPN and needs to ensure that BGP next-hop resolution works correctly for VPNv4 prefixes learned from a route reflector. The PE routers are directly connected to the RR via iBGP, and there is an IGP running within the MPLS core. Which condition must be met for the PE to install the VPNv4 prefix into its routing table?

A.The next-hop must be reachable via the IGP with an MPLS label.
B.The next-hop must be a directly connected interface.
C.The PE must have a VPN label for the next-hop.
D.The IGP must be IS-IS, not OSPF.
AnswerA

MPLS LSP must exist to the next-hop for label imposition.

Why this answer

For a PE router to install a VPNv4 prefix learned from a route reflector into its routing table, the BGP next-hop (typically the remote PE) must be reachable via the IGP with an associated MPLS label. This ensures that the transport LSP exists to forward traffic toward the next-hop, which is required for MPLS L3VPN operation. Without an MPLS label in the IGP for the next-hop, the PE cannot build the necessary label stack and will not install the VPNv4 route.

Exam trap

Cisco often tests the misconception that a directly connected next-hop or a VPN label for the next-hop is required, when in fact the critical condition is IGP reachability with an MPLS label for the BGP next-hop.

How to eliminate wrong answers

Option B is wrong because the next-hop does not need to be a directly connected interface; it only needs to be reachable via the IGP with an MPLS label, even if multiple hops away. Option C is wrong because the PE does not need a VPN label for the next-hop; the VPN label is assigned by the remote PE for the specific VPN prefix, not for the next-hop itself. Option D is wrong because the IGP can be either IS-IS or OSPF, as both can carry MPLS label information via extensions like MPLS-TE or LDP; there is no requirement for IS-IS specifically.

391
MCQmedium

A customer reports intermittent packet loss on a MPLS L3VPN connection. The PE router shows 'show mpls forwarding' entries for the CE prefix, but ping from the PE to the CE fails intermittently. Which action should be taken to isolate the issue?

A.Check 'show ip route vrf CUSTOMER' and 'show bgp vpnv4 unicast vrf CUSTOMER' to confirm the VRF routes.
B.Use 'show mpls lsp' to verify the LSP to the CE's PE.
C.Examine the 'show mpls forwarding vrf CUSTOMER' output to see label operations.
D.Review the 'show bgp vpnv4 unicast all' output to verify route advertisement.
AnswerA

This verifies that the VRF has the correct routes and that BGP VPNv4 routes are properly imported.

Why this answer

Option A is correct because the intermittent packet loss suggests a control-plane issue rather than a data-plane problem. By checking 'show ip route vrf CUSTOMER' and 'show bgp vpnv4 unicast vrf CUSTOMER', you can verify that the VRF route for the CE prefix is present in the routing table and that BGP is advertising the correct VPNv4 route with the proper next-hop and label. This isolates whether the failure is due to missing or incorrect route propagation, which is a common cause of intermittent reachability in MPLS L3VPN.

Exam trap

Cisco often tests the distinction between control-plane verification (routing table, BGP) and data-plane verification (MPLS forwarding, LSP) in MPLS L3VPN troubleshooting, leading candidates to mistakenly focus on label operations or LSPs when the root cause is a missing or unstable route.

How to eliminate wrong answers

Option B is wrong because 'show mpls lsp' verifies the label-switched path (LSP) between PEs, but the issue is between the PE and the CE, which is a Layer 3 adjacency (often a direct link or static route) and does not involve an LSP. Option C is wrong because 'show mpls forwarding vrf CUSTOMER' shows label operations for packets entering the VRF, but since the ping from PE to CE fails intermittently, the problem is likely in the VRF route presence or BGP advertisement, not in the MPLS forwarding table. Option D is wrong because 'show bgp vpnv4 unicast all' displays all VPNv4 routes from all VRFs, which is too broad and may obscure the specific VRF route; the VRF-specific command is more targeted and efficient for isolating the CE prefix issue.

392
MCQhard

A network engineer is troubleshooting OSPFv3 on a service provider's IPv6 network. The router shows that OSPFv3 adjacency never reaches FULL, says 'Init'. The neighbor is directly connected over a point-to-point link. What is the most likely cause?

A.LSA throttling prevents exchanges
B.Mismatched OSPF router-id
C.Mismatched area IDs
D.Missing 'ipv6 ospf' interface command on one side
AnswerD

OSPFv3 requires explicit interface configuration to activate adjacency.

Why this answer

The 'Init' state in OSPFv3 indicates that the router has received a Hello packet from the neighbor but the neighbor has not received a Hello packet back. On a point-to-point link, the most common cause is that the 'ipv6 ospf <process-id> area <area-id>' interface command is missing on one side, which prevents OSPFv3 from sending Hellos on that interface. Without this command, the interface is not enabled for OSPFv3, so the neighbor never sees a Hello and the adjacency cannot progress to FULL.

Exam trap

Cisco often tests the distinction between OSPFv2 and OSPFv3 interface activation methods, trapping candidates who assume that OSPFv3 uses a similar 'network' command or that a global OSPF process automatically enables all interfaces.

How to eliminate wrong answers

Option A is wrong because LSA throttling controls the rate of LSA generation and flooding, not the formation of adjacencies; it would not cause the adjacency to stall in Init. Option B is wrong because mismatched OSPF router-IDs do not prevent adjacency formation in OSPFv3; the router-ID is used for router identification but is not checked during the Hello exchange for adjacency compatibility. Option C is wrong because mismatched area IDs would cause the adjacency to stall in the ExStart or Exchange state, not in Init; the Init state indicates that the Hello packet was received but not reciprocated, which is unrelated to area ID mismatch.

393
MCQmedium

A service provider is migrating its MPLS core from LDP to Segment Routing with MPLS data plane (SR-MPLS). The network currently uses TE tunnels with RSVP-TE for traffic engineering. Which technology can the provider use to continue performing traffic engineering after the migration without requiring RSVP-TE?

A.LDP
B.MPLS-TE (RSVP-TE)
C.SR-TE
D.BGP-LU
AnswerC

SR-TE policies enable traffic engineering with Segment Routing.

Why this answer

Option C is correct because Segment Routing offers traffic engineering capabilities via a centralized controller (e.g., PCE) or distributed policies using SR-TE policies, eliminating the need for RSVP-TE. Option A is wrong because LDP does not support traffic engineering. Option B is wrong because BGP-LU only provides LSP labels, not TE.

Option D is wrong because MPLS-TE is synonymous with RSVP-TE.

394
Multi-Selecthard

Which TWO commands are most effective to verify that an SR-TE policy is active and forwarding traffic? (Choose two.)

Select 2 answers
A.show segment-routing traffic-eng policy
B.show isis database verbose
C.show mpls forwarding-table labels
D.show segment-routing traffic-eng segment-list
E.show bgp labels
AnswersA, C

Shows the SR-TE policies, their state (active/inactive), and candidate paths.

Why this answer

To verify SR-TE policy, `show segment-routing traffic-eng policy` (C) shows policy status, candidate paths, and segment lists. `show mpls forwarding-table labels` (E) shows the forwarding entry for the SR-TE label, confirming installation. Option A shows BGP-LU labels, not SR-TE. Option B shows IGP segments, not SR-TE policy forwarding.

Option D shows segment list details but not active forwarding state.

395
MCQeasy

An SP network uses NTP for synchronization. To secure NTP, which authentication mode should be used?

A.NTPv4 autokey
B.NTPv3 symmetric key
C.NTPv4 with SHA-1
D.NTPv4 with MD5
AnswerA

NTPv4 autokey provides strong cryptographic authentication.

Why this answer

NTPv4 autokey provides cryptographic authentication and is recommended. Option A: NTPv3 symmetric key is less secure; Option C: MD5 is outdated; Option D: SHA-1 is not standard for NTP. Thus B is correct.

396
MCQmedium

A service provider has implemented model-driven telemetry to monitor the health of its core network. The telemetry collector is a single server running a custom application that receives and processes gRPC streams from 200 routers. The collector is experiencing high CPU usage and is falling behind in processing data, causing some telemetry data to be dropped. The engineer decides to offload processing to multiple collectors. The routers support dial-out mode and can be configured with a list of collector IPs. The engineer wants to distribute the load evenly across collectors without manual configuration per router. Which should the engineer implement?

A.Use a load balancer in front of the collectors and configure all routers to send to the load balancer VIP.
B.Use a multicast address for telemetry subscription so all collectors receive all data.
C.Configure each router with a round-robin DNS name that resolves to multiple collector IPs.
D.Divide the routers into groups and assign each group to a different collector IP via the router configuration.
AnswerA

A load balancer provides dynamic distribution and requires no changes to router configuration beyond the VIP.

Why this answer

Option A is correct because a load balancer distributes incoming gRPC streams from all 200 routers across multiple collectors based on a configured algorithm (e.g., round-robin or least connections), achieving even load distribution without per-router configuration. The routers simply send telemetry to a single virtual IP (VIP), and the load balancer forwards each stream to an available collector, preventing any single collector from being overwhelmed. This matches the requirement to offload processing and avoid manual configuration per router.

Exam trap

Cisco often tests the misconception that DNS round-robin or multicast can solve load distribution in telemetry, but the trap here is that dial-out gRPC requires TCP unicast connections and DNS round-robin lacks real-time load awareness, making a load balancer the only viable option for even distribution without manual configuration.

How to eliminate wrong answers

Option B is wrong because multicast addresses are not supported for dial-out gRPC telemetry; dial-out mode uses TCP-based unicast connections to specific collector IPs, and multicast would cause all collectors to receive duplicate data, increasing CPU load rather than reducing it. Option C is wrong because round-robin DNS does not provide real-time load balancing; DNS caching by routers and intermediate resolvers can cause uneven distribution, and DNS changes are not immediate, leading to potential overload of some collectors. Option D is wrong because it requires manual configuration per router to assign groups to specific collector IPs, which violates the requirement to distribute load evenly without manual configuration per router.

397
MCQhard

Refer to the exhibit. A service provider is receiving BGP prefixes from a customer (AS 64512). The provider wants to tag all routes from that customer that match prefix 10.1.0.0/16 or more specific with community 65000:100, while not modifying other routes. After applying the configuration, which statement is true?

A.Only routes matching 10.1.0.0/16 or more specific will have the community added; other routes remain unchanged.
B.Routes with a mask longer than /24 will be rejected by the prefix-list.
C.All routes from the customer will have their communities replaced with 65000:100.
D.Routes not matching the prefix-list will be denied and not installed.
AnswerA

The route-map permits matching routes with additive community, denies others without affecting acceptance.

Why this answer

The configuration uses a route-map applied to the neighbor with a match clause referencing a prefix-list that permits 10.1.0.0/16 le 32. This matches the exact prefix and any more specific prefix (up to /32). The set community 65000:100 action adds the community without using the additive keyword, but because the route-map does not contain a deny clause for non-matching routes, all routes are still accepted; only matching routes have the community added.

Thus, only routes matching 10.1.0.0/16 or more specific will have community 65000:100 added, and other routes remain unchanged.

Exam trap

Cisco often tests the misconception that a route-map with a match clause and no explicit deny will reject non-matching routes, when in fact unmatched routes are still permitted and unchanged unless a deny sequence is present.

How to eliminate wrong answers

Option B is wrong because the prefix-list permits 10.1.0.0/16 le 32, which allows masks longer than /24 (e.g., /25, /28) — there is no reject condition for masks longer than /24. Option C is wrong because the set community command does not include the additive keyword, so it replaces any existing communities on matching routes, but it does not affect non-matching routes at all; the route-map only applies the set action to matched prefixes, not to all routes. Option D is wrong because the route-map has no explicit deny statement; routes that do not match the prefix-list simply fall through without a set action and are still accepted and installed normally.

398
MCQmedium

A service provider needs to prioritize voice traffic over best-effort data in an MPLS VPN. The PE router uses a QoS policy applied to the ingress interface. Which action ensures that voice packets are marked with the correct DSCP value before entering the MPLS core?

A.Apply a policy-map that matches voice traffic using a class-map and the 'set dscp ef' action.
B.Configure the ingress interface with 'mls qos trust dscp' to preserve the customer marking.
C.Use a policy-map with the 'set mpls experimental 5' command.
D.Apply a police action to drop traffic exceeding the voice bandwidth.
AnswerA

Sets DSCP EF for voice packets on ingress.

Why this answer

Option A is correct because the question specifies that the PE router must mark voice packets with the correct DSCP value before they enter the MPLS core. The 'set dscp ef' action in a policy-map applied to the ingress interface explicitly sets the DSCP field to EF (46) for voice traffic matched by a class-map, ensuring proper classification and treatment across the MPLS network. This is the standard method for marking IP packets at the edge before MPLS encapsulation.

Exam trap

Cisco often tests the distinction between IP-layer marking (DSCP) and MPLS-layer marking (EXP), so the trap here is that candidates may choose 'set mpls experimental 5' thinking it achieves the same result, but the question explicitly requires DSCP marking before MPLS encapsulation.

How to eliminate wrong answers

Option B is wrong because 'mls qos trust dscp' preserves the existing DSCP marking from the customer, but the question requires the service provider to actively mark voice packets, not just trust markings that may be absent or incorrect. Option C is wrong because 'set mpls experimental 5' sets the MPLS EXP bits on the MPLS label, not the DSCP value in the IP header; the question explicitly asks for DSCP marking before entering the MPLS core, which is an IP-layer action. Option D is wrong because a police action that drops excess traffic does not mark packets with a DSCP value; it only enforces bandwidth limits, failing to address the requirement to set the DSCP value for voice traffic.

399
MCQeasy

In an MPLS VPN environment, which address family is used to exchange VPNv4 routes between PE routers?

A.Route-target (RT)
B.IPv4 unicast
C.VPNv6 unicast
D.VPNv4 unicast
AnswerD

VPNv4 carries both IPv4 prefixes and route distinguishers.

Why this answer

BGP address family VPNv4 (AF 128) is used to carry IPv4 VPN routes between PEs. Option B is correct. Option A is wrong because IPv4 unicast is for global routes.

Option C is wrong because VPNv6 is for IPv6. Option D is wrong because RT is a community attribute, not an address family.

400
MCQeasy

A service provider is deploying MPLS in their core network and wants to ensure that all routers in the MPLS domain can dynamically exchange label bindings. Which protocol should be enabled on all routers to meet this requirement?

A.LDP
B.OSPF
C.iBGP
D.RSVP-TE
AnswerA

LDP dynamically distributes labels for all prefixes in the IGP.

Why this answer

LDP is the standard protocol for distributing MPLS labels in a dynamic MPLS network. Option B is incorrect because RSVP-TE is used for traffic engineering, not basic label distribution. Option C is incorrect because iBGP carries VPN labels, not transport labels.

Option D is incorrect because OSPF does not distribute labels.

401
MCQmedium

Segment Routing with TI-LFA (Topology Independent Loop-Free Alternate) provides fast convergence. Which statement accurately describes TI-LFA?

A.TI-LFA only protects against link failures, not node failures.
B.TI-LFA uses a pre-computed backup tunnel signaled via RSVP-TE.
C.TI-LFA computes a backup path that is guaranteed to be loop-free and topology independent.
D.TI-LFA requires BFD to detect failures.
AnswerC

TI-LFA uses post-convergence path and ensures loop avoidance.

Why this answer

TI-LFA computes a backup path using segment lists that are guaranteed to avoid the failed link/node, and it works regardless of the network topology (topology independent). It is based on SR-MPLS or SRv6.

402
MCQmedium

When implementing MPLS TE tunnels in a service provider core, what is the purpose of the 'affinity' attribute?

A.To set the color of the tunnel
B.To adjust the cost of TE tunnels
C.To define administrative groups for link inclusion/exclusion
D.To bind tunnels to specific interfaces
AnswerC

Affinity allows tunnels to restrict links based on administrative group membership.

Why this answer

The 'affinity' attribute in MPLS TE is used to define administrative groups (also known as link colors) that allow you to include or exclude specific links from a TE tunnel path based on user-defined properties. This enables traffic engineering policies such as forcing traffic to avoid certain links or preferring links with specific characteristics, without modifying the underlying IGP metric.

Exam trap

Cisco often tests the confusion between 'affinity' (administrative groups for link inclusion/exclusion) and 'color' (a separate attribute used in Segment Routing or for visual identification), leading candidates to mistakenly choose Option A.

How to eliminate wrong answers

Option A is wrong because 'affinity' does not set the color of the tunnel; it uses color-like bitmask values to represent administrative groups on links, not to assign a visual or logical color to the tunnel itself. Option B is wrong because adjusting the cost of TE tunnels is done via the 'metric' or 'cost' command under the tunnel interface, not through the affinity attribute. Option D is wrong because binding tunnels to specific interfaces is achieved using the 'mpls traffic-eng tunnels' command on the interface or explicit path definitions, not via affinity.

403
MCQeasy

A network engineer notices that voice traffic is being dropped during congestion. The traffic is marked with DSCP EF. After reviewing the QoS policy, it is discovered that the voice traffic is not being placed into a priority queue. Which configuration change would ensure voice traffic receives priority treatment?

A.Increase the queue limit to 1000 packets
B.Increase the bandwidth percentage for the voice class
C.Enable WRED on the voice class
D.Add the 'priority' command under the voice class in the policy map
AnswerD

The 'priority' command places traffic into a low-latency queue, which is essential for real-time traffic like voice.

Why this answer

DSCP EF (Expedited Forwarding, per RFC 3246) requires strict priority queuing to guarantee low latency and jitter for voice traffic. The 'priority' command under the voice class in a policy map places the traffic into a strict priority queue (LLQ), ensuring it is serviced before any other queue during congestion. Without this command, the voice traffic is treated as a regular class, subject to bandwidth constraints and potential drops.

Exam trap

Cisco often tests the misconception that bandwidth guarantees or queue tuning alone can provide priority treatment, when in fact only the 'priority' command creates the strict priority queue required for real-time traffic like voice.

How to eliminate wrong answers

Option A is wrong because increasing the queue limit only allows more packets to be buffered, but does not provide priority treatment; during congestion, the queue can still experience tail drops and delay. Option B is wrong because increasing the bandwidth percentage for the voice class only guarantees a minimum bandwidth share, but does not create a priority queue; voice traffic can still be delayed by other queues. Option C is wrong because WRED (Weighted Random Early Detection) is a congestion avoidance mechanism that drops packets before the queue is full, which is inappropriate for real-time voice traffic that requires low jitter and minimal drops; WRED would introduce additional delay and potential packet loss.

404
Multi-Selecthard

A network engineer is troubleshooting an LDP session failure between two directly connected routers. The routers are configured with the 'mpls ldp' command under the interface. The 'show mpls ldp neighbor' command shows no neighbors. Which two additional pieces of information should the engineer verify? (Choose two.)

Select 2 answers
A.Verify that the interface IP addresses are in the same subnet.
B.Verify that TCP port 646 is open on the interface ACL.
C.Verify that 'mpls ip' is enabled globally.
D.Verify that the LDP router IDs are reachable via routing.
E.Verify that OSPF is configured on the interface.
AnswersA, D

LDP hello messages are sent to the all-routers multicast address; mismatched subnets prevent discovery.

Why this answer

Option A is correct because LDP sessions are established only between directly connected LSRs when using the default 'mpls ldp' interface configuration. The LDP Hello messages are sent as UDP packets to the multicast address 224.0.0.2, and if the interface IP addresses are not in the same subnet, the Hello messages will not be received, preventing neighbor discovery.

Exam trap

Cisco often tests the distinction between LDP Hello (UDP multicast) and LDP session (TCP unicast), and candidates mistakenly focus on TCP ACLs or global MPLS commands instead of verifying subnet adjacency and router ID reachability.

405
MCQhard

An engineer is troubleshooting a BGP route reflector setup. Clients are not receiving all routes. The 'show bgp neighbors' output shows a state of 'Active'. What is the most likely cause?

A.The route reflector does not have a full mesh with clients
B.The route reflector is detecting an AS_PATH loop
C.Next-hop reachability issue
D.Incorrect BGP neighbor statement on the route reflector or client
AnswerD

Active state indicates TCP session failure, often due to misconfiguration.

Why this answer

Option B is correct because the BGP session is in Active state, meaning the router is trying to connect but not succeeding, often due to a missing or incorrect neighbor configuration. Option A (Route reflectors do not peer with clients) is false; Option C (AS_PATH loop detection) would not prevent session establishment; Option D (next-hop reachability) does not affect BGP session state.

406
MCQmedium

A service provider is using Segment Routing with TI-LFA for fast convergence. During a link failure, the router performing the local repair must compute a backup path that avoids the failed link. Which type of Adjacency Segment Identifier (Adj-SID) is required for the backup path to be loop-free?

A.Anycast Adj-SID
B.Unprotected Adj-SID
C.Protected Adj-SID
D.Backup Adj-SID
AnswerC

Protected Adj-SID enables fast reroute protection in SR networks.

Why this answer

TI-LFA requires the backup path to use a specific Adj-SID that steers traffic away from the failed link. The 'protected' Adj-SID is designed for this purpose. Option A is incorrect because 'unprotected' Adj-SID does not support fast reroute.

Option C is incorrect because there is no 'backup' Adj-SID; it's a property. Option D is incorrect because 'anycast' Adj-SID is used for anycast groups, not for FRR.

407
MCQmedium

A service provider is troubleshooting BGP route selection between two eBGP peers. The router receives a prefix from Peer A with local preference 150 and AS path length 3. From Peer B, the same prefix has local preference 100 and AS path length 2. Which route will be preferred?

A.The route from Peer A because it has a higher weight.
B.The route from Peer A because local preference is higher.
C.Both routes are equally preferred and will be used for load balancing.
D.The route from Peer B because AS path is shorter.
AnswerB

Local preference is the first tiebreaker after weight; higher value wins.

Why this answer

BGP selects the route with highest local preference first. Peer A has local preference 150, which is higher than Peer B's 100, so Peer A's route is preferred regardless of AS path length.

408
MCQeasy

A service provider is implementing MPLS L3VPN and needs to ensure that BGP route advertisement uses a specific next-hop. Which technique ensures BGP advertises the PE-CE next-hop instead of the PE-PE loopback?

A.Route-map with set next-hop
B.next-hop-unchanged
C.next-hop-self
D.Disable next-hop-check
AnswerC

Sets the next-hop to the router's own address for iBGP advertisements.

Why this answer

In MPLS L3VPN, the PE-CE next-hop (the PE interface facing the CE) must be advertised to the remote PE so that the remote PE knows to forward traffic directly to the local PE's CE-facing interface. The `next-hop-self` command on the PE forces BGP to set the next-hop to the PE's own IP address (typically the loopback or the interface used for BGP peering), which overrides the default behavior of preserving the original next-hop. This ensures that the remote PE uses the correct next-hop for VPN traffic.

Exam trap

Cisco often tests the distinction between `next-hop-self` (used to force the PE's own address as the next-hop) and `next-hop-unchanged` (used to preserve the original next-hop in inter-AS scenarios), and candidates confuse these two commands.

How to eliminate wrong answers

Option A is wrong because a route-map with `set next-hop` can manually override the next-hop, but it is not the standard or most efficient technique for this specific requirement; it requires additional configuration and may not be as reliable as `next-hop-self` in all scenarios. Option B is wrong because `next-hop-unchanged` is used in MPLS VPN inter-AS scenarios (option B) to preserve the original next-hop across AS boundaries, which is the opposite of what is needed here. Option D is wrong because disabling next-hop-check (`no bgp next-hop-check`) is used in BGP confederation or route reflector scenarios to allow routes with unreachable next-hops to be accepted, not to change the next-hop value.

409
MCQmedium

Refer to the exhibit. A telemetry subscription is configured on an IOS-XR router. The collector at 10.1.1.100 is not receiving data. Which configuration error is present?

A.The destination IP address is incorrect
B.Missing 'protocol' specification in the destination-group
C.The sample-interval is too short
D.The subscription is not committed
E.The sensor-group path is invalid
AnswerB

The destination-group must include 'protocol grpc' or 'protocol tcp'; otherwise, no data is transmitted.

Why this answer

In IOS-XR, the destination-group requires a protocol (e.g., 'protocol grpc') to be specified. Without it, the destination is incomplete and data will not be sent. The sensor-group path is valid, sample-interval is reasonable, destination IP/port are present, and subscription is committed.

The missing protocol is the most likely error.

410
MCQeasy

A junior automation engineer is writing a Python script to configure OSPF on a Cisco IOS-XE router using RESTCONF. The script sends a PUT request to update the OSPF configuration but receives a 401 Unauthorized response. The engineer has configured a local user with privilege 15 on the router and enabled restconf. The engineer verified that the router's RESTCONF API is running on port 443. What is the most likely missing element in the script?

A.The script must include an Accept header.
B.The script must include a Content-Type header set to application/yang-data+json.
C.The script must use HTTP basic authentication with the correct username and password.
D.The script must use HTTPS with a valid certificate.
AnswerC

RESTCONF uses HTTP basic authentication by default; without it, the server returns 401.

Why this answer

A 401 Unauthorized response indicates the request lacks proper authentication. The engineer likely forgot to include HTTP basic authentication headers with the correct username and password. Other options relate to content types or TLS, which would cause different errors (e.g., 415 Unsupported Media Type).

411
MCQeasy

An SP engineer implements LLQ for VoIP traffic on a DS3 link. The policy-map calls for a priority queue of 500 kbps. The actual VoIP traffic averages 400 kbps with bursts to 600 kbps. What is the expected behavior during bursts?

A.The excess traffic is reclassified to best-effort and placed in the default queue.
B.The priority queue uses tail-drop and discards only when the queue is full.
C.The priority queue drops all traffic above the configured 500 kbps during the burst.
D.The excess traffic is queued in the priority queue until bandwidth is available.
AnswerC

LLQ polices the priority queue to its configured rate; excess is dropped.

Why this answer

C is correct because the priority queue in a Low Latency Queueing (LLQ) policy is policed at the configured rate (500 kbps). When VoIP traffic bursts exceed this rate, the excess packets are dropped immediately by the policer, not queued or reclassified. This ensures that the priority queue does not starve other queues and maintains low latency for conforming traffic.

Exam trap

Cisco often tests the misconception that the priority queue can buffer excess traffic or reclassify it, when in fact LLQ uses a policer to drop traffic exceeding the configured bandwidth to protect other queues.

How to eliminate wrong answers

Option A is wrong because LLQ does not reclassify excess priority traffic to best-effort; instead, it drops the excess packets via policing. Option B is wrong because the priority queue does not use tail-drop; it uses a policer that drops packets exceeding the configured bandwidth, regardless of queue depth. Option D is wrong because the priority queue cannot queue excess traffic above the configured rate; LLQ strictly polices the priority queue to prevent it from monopolizing bandwidth.

412
MCQhard

A service provider is building a new network slicing architecture to offer differentiated services to enterprise customers. The architecture uses SRv6 with network slices identified by slice IDs embedded in the SRv6 SID. The underlay is an IP network with ISIS. Each slice will have dedicated resources in the core, including guaranteed bandwidth and low latency. The plan is to use the SRv6 network programming concept to steer traffic into different slices. The provider wants to ensure that slice isolation is maintained end-to-end, including at the egress PE where traffic is handed off to the customer. However, during testing, they observe that traffic from one slice is incorrectly entering another slice's queue on an intermediate node, causing performance interference. The intermediate node is a transit router that does not terminate SRv6 but performs 'SID-based forwarding'. Which mechanism is most likely missing to ensure slice isolation on transit nodes?

A.The transit nodes are not configured to enforce per-slice QoS policies based on the slice ID in the SID.
B.The SRv6 SID does not carry the slice ID; it only carries the locator.
C.The egress PE is misconfigured to strip the slice ID before forwarding.
D.The ingress PE is not setting the slice ID correctly.
AnswerA

Correct. Transit nodes need to recognize the slice ID and apply appropriate queuing; otherwise, slices compete for resources.

Why this answer

Transit nodes must have per-slice QoS policies that map the slice ID (carried in the SID) to dedicated queue resources. Without such policies, all traffic may be mapped to a default queue, breaking isolation. The SID can indeed carry the slice ID; egress PE stripping or ingress PE misconfiguration would affect other nodes, not specifically transit.

413
MCQeasy

A network engineer is configuring QoS on a Cisco ASR 9000 router to support multiple traffic classes. The policy must ensure that real-time traffic (EF) is not starved by high-volume bulk data (AF11). Which queuing strategy should be applied to the EF class to provide low latency and strict priority?

A.Weighted Round Robin (WRR)
B.Class-Based Weighted Fair Queuing (CBWFQ)
C.Priority Queuing (LLQ)
D.First-In-First-Out (FIFO)
AnswerC

LLQ provides a strict priority queue for EF traffic.

Why this answer

Option B is correct because Priority queuing provides a strict priority queue that services the EF class before other queues, ensuring low latency. LLQ is the implementation of priority queuing with CBWFQ. Option A (CBWFQ) provides fair bandwidth allocation but no strict priority.

Option C (WRR) is byte-based and not strict. Option D (FIFO) does not differentiate.

414
MCQeasy

A network engineer is configuring MPLS LDP on a new router. After enabling LDP globally and on the interface, the LDP session does not establish. The IGP (OSPF) is fully operational. What should the engineer verify first?

A.The LDP password matches.
B.The router-id is a loopback.
C.The IGP metric is set.
D.The interface has 'mpls ip' enabled.
AnswerD

This is the most basic verification; if MPLS is not enabled on the interface, LDP will not form.

Why this answer

Option A is correct because the most basic check is whether the interface has 'mpls ip' enabled. Option B is wrong because LDP router-id can be any reachable IP, not necessarily a loopback. Option C is wrong because password mismatch would cause authentication failure, but the session might still attempt to establish.

Option D is wrong because IGP metric does not affect LDP session establishment.

415
MCQeasy

A service provider has deployed segment routing with OSPF as the IGP in its core network. The network consists of 100 routers in a single area. The operations team reports that after a link failure between Router X and Router Y, traffic from Router A to Router B is taking a suboptimal path even though IGP convergence is complete and all routers have updated their LSDB. Router A and Router B are both segment routing capable. The team verifies that no SR-TE policies are configured and that all routers are using the default SPF algorithm. The expected shortest path from A to B should go through the newly restored link, but instead it still traverses an alternate path. Which action should resolve the issue?

A.Remove and re-add the adjacency SID configuration on the restored link.
B.Execute 'clear ip ospf process' on all routers along the expected path.
C.Configure an SR-TE policy from A to B with an explicit path using the restored link.
D.Issue 'clear mpls forwarding labels' on Router A to rebuild the label table.
AnswerB

This forces OSPF to re-flood LSAs and run SPF, ensuring the restored link is considered in the shortest path tree.

Why this answer

Option D is correct: The issue is likely that OSPF link-state advertisement (LSA) flooding is delayed or blocked, preventing the repair of the LSDB. 'clear ip ospf process' forces a fresh LSA flood and SPF computation. Option A is wrong because SR-TE policies are not used. Option B is wrong because the problem is not with label allocation but with routing.

Option C is wrong because adjacency SIDs are automatically allocated and not the root cause.

416
Matchingmedium

Match each QoS mechanism to its primary function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Identifying packets based on specified criteria

Setting QoS bits (e.g., DSCP, CoS) in packet headers

Enforcing traffic rate limits by dropping or remarking excess packets

Buffering excess traffic to smooth output rate

Congestion avoidance by selectively dropping packets based on queue depth

Why these pairings

These are fundamental QoS tools used in service provider networks.

417
MCQhard

A network engineer needs to design a multicast solution for IPTV distribution across a service provider network. Which protocol is best suited for building a shared distribution tree where the RP is dynamically elected?

A.PIM-DM
B.PIM-SM with Auto-RP
C.MSDP
D.PIM-SM with BSR
AnswerD

BSR provides dynamic RP election in a standards-based way.

Why this answer

PIM-SM with BSR (Bootstrap Router) is the correct choice because it provides a dynamic, automated mechanism for electing an RP (Rendezvous Point) within a PIM-SM domain. BSR uses a distributed election process where candidate BSRs exchange bootstrap messages to elect a single BSR, which then collects candidate-RP advertisements and distributes the RP-set to all routers, enabling shared distribution trees without manual RP configuration.

Exam trap

Cisco often tests the distinction between Auto-RP and BSR, where candidates mistakenly think Auto-RP dynamically elects the RP, but Auto-RP only advertises RP information from a statically configured RP or mapping agent, whereas BSR provides true dynamic RP election through a distributed bootstrap process.

How to eliminate wrong answers

Option A is wrong because PIM-DM (Dense Mode) uses a flood-and-prune approach to build source-based trees, not shared trees, and does not involve an RP or dynamic RP election. Option B is wrong because PIM-SM with Auto-RP uses a separate, statically configured RP (or a mapping agent) to advertise RP information, but it does not dynamically elect the RP itself; Auto-RP relies on a designated RP or a mapping agent, which is not a fully dynamic election mechanism like BSR. Option C is wrong because MSDP (Multicast Source Discovery Protocol) is used to interconnect multiple PIM-SM domains by sharing active source information between RPs, not for building a shared distribution tree or dynamically electing an RP within a single domain.

418
MCQhard

In EVPN multihoming with all-active mode, what is the purpose of the aliasing capability?

A.It permits the use of a single ESI label across all PEs in the ES.
B.It reduces the number of BGP updates by aggregating MAC routes.
C.It allows load balancing of traffic across all PEs.
D.It enables one PE to advertise MAC addresses for another PE in the same ES.
AnswerD

Correct. Aliasing allows a PE to advertise MACs for other PEs in the same ES, making all active paths known.

Why this answer

In EVPN all-active multihoming, the aliasing capability allows a PE that has learned a MAC address via local attachment to the Ethernet Segment (ES) to advertise that MAC address on behalf of other PEs in the same ES. This enables remote PEs to load-balance traffic destined to that MAC across all multihomed PEs, even if only one PE actually learned the MAC locally. Without aliasing, traffic would be forced to the specific PE that learned the MAC, defeating the purpose of all-active redundancy.

Exam trap

Cisco often tests the distinction between aliasing (advertising MACs for other PEs) and load balancing (the forwarding behavior that aliasing enables), causing candidates to mistakenly select 'load balancing' as the purpose of aliasing itself.

How to eliminate wrong answers

Option A is wrong because the aliasing capability does not involve a single ESI label; each PE in the ES advertises its own MPLS label (e.g., the ESI label or MAC/IP advertisement label), and the aliasing function is about MAC address advertisement, not label consolidation. Option B is wrong because aliasing does not reduce BGP updates or aggregate MAC routes; in fact, it may increase the number of MAC/IP advertisement routes as each PE advertises the same MAC addresses, and aggregation is not a feature of EVPN aliasing. Option C is wrong because aliasing itself does not perform load balancing; it enables load balancing by allowing remote PEs to see multiple next hops for the same MAC, but the actual load balancing is a forwarding decision made by the remote PE based on the received aliased routes.

419
MCQmedium

An engineer is using RESTCONF to configure an interface on a Cisco IOS-XE device. The request returns a 400 Bad Request error. What is the most likely cause?

A.The device does not support RESTCONF
B.The user does not have sufficient privileges
C.The URI is incorrect
D.The YANG module is not loaded
E.The JSON payload contains incorrect data types or missing mandatory leafs
AnswerE

400 Bad Request indicates a client-side error; invalid payload is a common cause.

Why this answer

A 400 Bad Request typically indicates a client error, such as invalid JSON payload, missing mandatory fields, or incorrect data types. If the module is not supported, a 404 would be returned. Authentication errors result in 401.

Incorrect URI gives 404. Privilege issues give 403 or 401.

420
Multi-Selectmedium

Which two of the following are characteristics of MPLS Traffic Engineering that differentiate it from pure MPLS forwarding?

Select 2 answers
A.Requires LDP for LSP creation
B.Allows bandwidth reservation
C.Supports explicit path selection
D.Provides optimal load balancing based on topology
E.Uses RSVP for label distribution
AnswersB, C

Correct. MPLS TE can reserve bandwidth along a path to guarantee QoS.

Why this answer

MPLS Traffic Engineering (MPLS-TE) explicitly supports bandwidth reservation, which allows an operator to guarantee a certain amount of bandwidth for a traffic-engineered LSP. This is a key differentiator from pure MPLS forwarding, where LSPs are created without any bandwidth awareness and simply forward packets based on the label-swapping mechanism.

Exam trap

Cisco often tests the misconception that MPLS-TE requires LDP for LSP creation, but in reality, MPLS-TE uses RSVP-TE for signaling and does not depend on LDP for the TE LSPs themselves.

421
MCQhard

A service provider is migrating from LDP to Segment Routing in an IS-IS network. After enabling IS-IS with segment-routing on all routers, they observe that some prefixes still receive labels from LDP instead of from SR. Which configuration is most likely missing on these routers?

A.Missing 'segment-routing mpls' command under IS-IS
B.OSPF segment-routing is still configured
C.TI-LFA is not enabled
D.SRGB range conflicts with MPLS label range
AnswerA

This command enables SR label allocation in IS-IS.

Why this answer

When migrating from LDP to Segment Routing in an IS-IS network, the 'segment-routing mpls' command must be explicitly enabled under the IS-IS routing process. Without this command, IS-IS will not allocate MPLS labels for prefixes using the Segment Routing (SR) extension, causing the router to fall back to LDP for label distribution. This is the most common missing configuration when SR labels are not being assigned.

Exam trap

Cisco often tests the distinction between enabling segment-routing globally versus enabling it under the IGP process; the trap here is that candidates assume 'segment-routing mpls' is automatically applied when SR is enabled globally, but it must be explicitly configured under IS-IS or OSPF.

How to eliminate wrong answers

Option B is wrong because OSPF segment-routing configuration is irrelevant in an IS-IS network; the question explicitly states IS-IS is used, so OSPF settings have no effect on IS-IS SR behavior. Option C is wrong because TI-LFA (Topology Independent Loop-Free Alternate) is a fast-reroute mechanism that relies on SR, but its absence does not prevent SR from assigning labels; it only affects protection. Option D is wrong because an SRGB range conflict with the MPLS label range would cause label allocation failures or errors, not a fallback to LDP; LDP would still be used only if SR is not properly enabled.

422
MCQmedium

A service provider is deploying MPLS L3VPN over an OSPF backbone. The PE routers are configured with OSPF as the IGP. The CE router of customer A is connected to two PEs for redundancy. Which configuration is required on the PE routers to ensure that the CE router can load-balance traffic across both PEs without loops?

A.Use OSPF sham-links between the two PEs.
B.Use the BGP cost community to adjust the path selection on the CE.
C.Configure OSPF with the capability vrf-lite and enable the down-bit on the PE-CE link.
D.Disable the DN-bit on the PE-CE OSPF interface.
AnswerC

The down-bit prevents the CE from re-advertising routes learned from one PE to the other PE, avoiding loops.

Why this answer

Option C is correct because configuring OSPF with the capability vrf-lite and enabling the down-bit on the PE-CE link prevents routing loops in a multi-homed CE scenario. The down-bit is set by the PE when redistributing routes into OSPF, ensuring that the CE does not re-advertise those routes back to another PE, which would cause a loop. The vrf-lite capability allows the CE to understand the down-bit without requiring full MPLS/VPN functionality, enabling load-balancing across both PEs safely.

Exam trap

Cisco often tests the distinction between the down-bit (DN-bit) used in OSPF PE-CE scenarios and the sham-link concept used for OSPF area 0 extension, leading candidates to mistakenly choose sham-links for loop prevention in multi-homed CE designs.

How to eliminate wrong answers

Option A is wrong because OSPF sham-links are used to connect two PE routers in different OSPF areas within an MPLS L3VPN to maintain OSPF adjacency across the backbone, not to prevent loops or enable load-balancing for a multi-homed CE. Option B is wrong because the BGP cost community influences path selection on the PE side for inter-AS or multi-homing scenarios, but it does not affect the CE's OSPF routing decisions or prevent loops in the PE-CE OSPF domain. Option D is wrong because disabling the DN-bit (down-bit) on the PE-CE OSPF interface would allow the CE to re-advertise routes learned from one PE back to the other PE, creating a routing loop; the DN-bit must be enabled to prevent this.

423
Multi-Selectmedium

Which TWO of the following are characteristics of MPLS LDP?

Select 2 answers
A.Distributes labels for BGP routes
B.Label distribution based on IP routing table
C.Requires an IGP like OSPF for session reachability
D.UDP for discovery, TCP for session
E.TCP for both discovery and session
AnswersB, D

By default, LDP distributes labels for all IGP routes.

Why this answer

B is correct because MPLS LDP distributes labels for routes found in the IP routing table, not for BGP routes. LDP peers exchange label bindings for each prefix in the IGP routing table, enabling label-switched paths (LSPs) for those destinations. This is fundamental to LDP's operation as defined in RFC 5036.

Exam trap

Cisco often tests the misconception that LDP requires an IGP for session reachability, but the trap is that LDP uses its own UDP discovery mechanism and can form sessions over any IP reachable path, though an IGP is commonly used for loopback reachability in practice.

424
MCQhard

A service provider is designing a QoS policy for a multi-service MPLS VPN network that carries voice, video, and data traffic. The network uses DiffServ and MPLS EXP markings. The design must ensure that voice traffic is given priority over video and data, while video traffic should have better treatment than data but not at the expense of voice. The provider plans to use a hierarchical QoS (HQoS) policy at the PE-CE interfaces. Which configuration approach best meets these requirements?

A.Mark voice traffic with EXP 5, video with EXP 4, and data with EXP 0, and rely on the core to prioritize based on EXP.
B.Use a single-level policy with LLQ for voice and video together, and CBWFQ for data.
C.Apply a parent policy with a shape for the total bandwidth and a child policy with LLQ for voice and CBWFQ for video and data.
D.Apply class-based shaping to each traffic class separately on the interface.
AnswerC

This provides hierarchical control, ensuring voice gets priority within the shaped bandwidth while video and data get fair treatment.

Why this answer

Option C is correct because hierarchical QoS (HQoS) allows the service provider to enforce a total bandwidth shape at the parent level while using a child policy to apply LLQ for voice (ensuring strict priority) and CBWFQ for video and data (ensuring video gets better treatment than data without starving voice). This meets the requirement that video should not degrade voice, as the parent shape prevents any single class from monopolizing the link, and the child policy’s LLQ guarantees voice priority over all other traffic.

Exam trap

Cisco often tests the misconception that a single-level LLQ can handle multiple priority classes together, but the trap here is that combining voice and video in one LLQ queue violates the strict priority requirement for voice over video, which HQoS with separate child policies resolves.

How to eliminate wrong answers

Option A is wrong because relying solely on EXP markings in the core does not enforce per-interface queuing or bandwidth guarantees at the PE-CE edge; the core may treat EXP 5 and EXP 4 similarly if no DiffServ PHB is strictly mapped, and it cannot prevent video from competing with voice on the access link. Option B is wrong because placing voice and video together in a single LLQ class gives them equal priority, violating the requirement that video must not degrade voice; LLQ treats all traffic in the priority queue the same, so voice could be delayed by video bursts. Option D is wrong because applying class-based shaping separately to each traffic class does not provide a hierarchical structure to enforce a total bandwidth limit or guarantee that voice gets strict priority over video and data; it only shapes individual classes independently, which can lead to oversubscription and no priority queuing.

425
MCQhard

A service provider wants to use Segment Routing TE with Flex-Algo to engineer traffic around links with low bandwidth. Which configuration approach should be taken?

A.Configure a policy-map to apply QoS marking on TE tunnels.
B.Use the 'min-delay' metric in Flex-Algo to prefer low-delay links.
C.Define a Flex-Algo with a metric type of 'min-unidirectional-link-bandwidth'.
D.Use standard IS-IS metric and adjust it on low-bandwidth links to a high value.
AnswerC

This Flex-Algo metric excludes links with insufficient bandwidth, meeting the requirement.

Why this answer

Flex-Algo allows definition of custom metric types; 'min-unidirectional-link-bandwidth' excludes low-bandwidth links from the topology.

426
MCQmedium

A service provider is implementing MPLS in their core network. They want to ensure that labeled packets for BGP prefixes are forwarded correctly without requiring an IGP label for every BGP prefix. Which technique should be used to achieve this?

A.Use BGP-free core with LDP or Segment Routing
B.Enable MPLS on all interfaces and rely on BGP label distribution
C.Implement LDP for BGP prefixes
D.Configure static labels for BGP prefixes
AnswerA

BGP-free core allows forwarding based on labels assigned by LDP/SR for BGP next hops.

Why this answer

A BGP-free core with LDP or Segment Routing allows the service provider to forward labeled packets for BGP prefixes without requiring an IGP label for every BGP prefix. In this design, edge routers (PEs) impose a label stack where the outer label (IGP label) is distributed by LDP or Segment Routing for the BGP next-hop, and the inner label is the BGP label. Core routers (P routers) only need to swap the outer label based on the IGP label, not the BGP prefix, thus eliminating the need for IGP labels per BGP prefix.

Exam trap

Cisco often tests the misconception that LDP can distribute labels for BGP prefixes, but LDP is strictly for IGP prefixes; the correct approach is to use a BGP-free core where LDP or Segment Routing handles the IGP label for the BGP next-hop, not the BGP prefix itself.

How to eliminate wrong answers

Option B is wrong because enabling MPLS on all interfaces and relying on BGP label distribution alone does not provide a label-switched path for the BGP next-hop; core routers would still need an IGP label to forward the packet, which is not automatically generated for BGP prefixes. Option C is wrong because LDP is designed to distribute labels for IGP prefixes (e.g., loopback addresses), not for BGP prefixes; LDP cannot directly assign labels to BGP prefixes. Option D is wrong because configuring static labels for BGP prefixes is not scalable and does not leverage dynamic label distribution; it would require manual configuration for every prefix and does not integrate with the IGP label-switched path.

427
MCQeasy

A network engineer is configuring Segment Routing on an IOS-XR router. They want to use the preferred algorithm for automatically computing paths based on IGP metrics. Which algorithm should be configured under the SR segment list?

A.strict-spf
B.delay
C.te
D.preferred
AnswerD

The 'preferred' algorithm uses the IGP metric-based shortest path.

Why this answer

The 'preferred' algorithm in SR-MPLS uses IGP metric-based SPF computation. Option A is incorrect because 'strict-spf' enforces strict shortest path. Option C is incorrect because 'delay' uses latency, not IGP metric.

Option D is incorrect because 'te' uses traffic engineering constraints.

428
MCQmedium

An engineer notices that an MPLS LSP in the core is not establishing. Which troubleshooting step should be performed first?

A.Verify LDP neighbor adjacency
B.Ping the far-end loopback interface
C.Check BGP IPv4 unicast neighbors
D.Check OSPF neighbor adjacency on all links
AnswerA

LDP adjacency is essential for label exchange and LSP building.

Why this answer

Option B is correct because verifying LDP adjacency is the first step in troubleshooting MPLS LSP establishment. Option A is wrong because checking BGP is not directly relevant to MPLS LSP establishment. Option C is wrong because pinging the far-end loopback tests reachability but not LSP establishment.

Option D is wrong because checking OSPF neighbor adjacency is not specific to MPLS.

429
MCQhard

When automating configuration changes across a large network using a tool like Cisco NSO, what is the best practice to minimize the risk of negative impact?

A.Rely on rollback automation
B.Use a staging environment with identical configuration to test before production
C.Limit automation to read-only commands
D.Automate only during maintenance windows
E.Apply changes directly to production devices
AnswerB

Testing in a staging environment that mirrors production allows early detection of issues, minimizing production impact.

Why this answer

Using a staging environment with identical configuration allows comprehensive testing before production deployment, minimizing risks. While maintenance windows and rollback are useful, they are reactive rather than proactive. Applying directly to production is risky.

Limiting to read-only avoids changes altogether, which is not the goal.

430
Drag & Dropmedium

Drag and drop the steps to configure OSPF on a Cisco IOS router into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

OSPF configuration requires entering global config mode, enabling the OSPF process, and then advertising networks under the OSPF process.

431
Drag & Dropmedium

Drag and drop the steps to configure a standard ACL on a Cisco router into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Standard ACL configuration requires creating the ACL and applying it to an interface in the appropriate direction.

432
MCQeasy

Which QoS mechanism is most effective for preventing congestion on a service provider edge link when traffic exceeds the link capacity?

A.Priority queuing
B.Traffic policing
C.Traffic shaping
D.WRED
AnswerC

Shapes traffic to avoid line-rate bursts and drops.

Why this answer

Option D is correct because shaping buffers traffic at the edge to prevent drops. Option A is wrong because priority queuing starves other traffic. Option B is wrong because WRED drops packets before congestion, but shaping is better for link capacity.

Option C is wrong because policing drops excess traffic, which may be undesirable.

433
MCQhard

A service provider is troubleshooting BGP route advertisement for a VPNv4 prefix. The PE router receives the prefix from the route reflector but does not install it in the VRF routing table. The BGP table shows the prefix as valid but not best. What is the most likely cause?

A.The VRF does not have the correct route-target import.
B.The next-hop is not reachable via the IGP with an MPLS label.
C.The BGP table is full and cannot accept more prefixes.
D.The MPLS label is missing in the BGP update.
AnswerB

Next-hop unreachability causes the route to be not best.

Why this answer

For a VPNv4 prefix to be installed in the VRF routing table, BGP must select it as the best path. A key requirement for best-path selection is that the next-hop address must be reachable via the IGP with an associated MPLS label (via LDP or other label distribution protocol). If the next-hop is not reachable with a label, the route remains valid but not best, and thus is not installed in the VRF.

Exam trap

Cisco often tests the distinction between a route being valid (accepted into BGP table) versus best (eligible for installation into the VRF), and the trap here is that candidates assume a valid route should automatically be installed, overlooking the next-hop reachability with label requirement for MPLS VPNs.

How to eliminate wrong answers

Option A is wrong because the VRF route-target import configuration determines whether the prefix is accepted into the VRF at all; if the import RT matches, the prefix enters the BGP table, but the issue here is that it is already in the BGP table as valid, so RT import is not the problem. Option C is wrong because a full BGP table would prevent new prefixes from being accepted, but the prefix is already present in the BGP table as valid, so table capacity is not the limiting factor. Option D is wrong because if the MPLS label were missing in the BGP update, the prefix would likely be marked as invalid or not installed at all, but the question states the prefix is valid, indicating the label is present in the update; the problem is that the next-hop itself is not reachable via the IGP with a label.

434
Multi-Selecteasy

Which two MPLS OAM tools can be used to troubleshoot label switching paths? (Choose two)

Select 2 answers
A.traceroute
B.show ip route
C.MPLS LSP ping
D.ping
E.MPLS echo request
AnswersC, E

MPLS LSP ping sends MPLS echo request to verify LSP connectivity.

Why this answer

MPLS LSP ping (echo request) and MPLS traceroute are the primary OAM tools for LSP verification.

435
MCQeasy

A network operator is migrating from traditional MPLS LDP to Segment Routing (SR) with IS-IS. The network consists of four routers (R1-R4) in a square topology. The engineer has enabled SR on all routers and configured prefix-SIDs for loopbacks. However, when checking the MPLS forwarding table on R1, the engineer sees that some prefixes have label values that are not the prefix-SIDs. For example, the prefix for R4's loopback shows label 16004 instead of the expected 16004 (which is correct). But for another prefix, the label is 16003 instead of 16003 (correct). The engineer does not see any labels for some external routes. What is the most likely reason that some labels are missing?

A.The IS-IS wide metrics are not enabled on all interfaces.
B.Route redistribution from another protocol is not configured.
C.The prefix-SIDs are inconsistent across routers.
D.External routes are not covered by prefix-SIDs; they require LDP or another label distribution mechanism.
AnswerD

SR only assigns labels to IGP prefixes; external routes need separate handling.

Why this answer

Option D is correct because Segment Routing (SR) with IS-IS only assigns prefix-SIDs to prefixes that are part of the IS-IS domain and explicitly configured with a SID. External routes, such as those redistributed from another protocol (e.g., BGP or OSPF), are not covered by prefix-SIDs and require a separate label distribution mechanism like LDP or a manually configured explicit-null label to be forwarded with MPLS encapsulation. The engineer's observation that some labels are missing for external routes directly points to this limitation.

Exam trap

Cisco often tests the misconception that SR with IS-IS automatically assigns labels to all routes in the routing table, when in fact prefix-SIDs only apply to IGP routes within the same protocol domain, and external routes still need LDP or another label distribution mechanism.

How to eliminate wrong answers

Option A is wrong because IS-IS wide metrics are required for SR operation (to support the extended TLV format for SIDs), but their absence would cause SR to fail entirely or produce incorrect SID assignments, not just missing labels for external routes. Option B is wrong because route redistribution from another protocol is not the root cause; while redistribution may introduce external routes, the missing labels are due to the lack of a label distribution mechanism for those routes, not the act of redistribution itself. Option C is wrong because inconsistent prefix-SIDs across routers would cause label mismatch or forwarding loops, not missing labels; the engineer already confirmed that some prefix-SIDs (e.g., 16004) are correctly installed, indicating consistency is not the issue.

436
Matchingmedium

Match each multicast protocol to its role.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Host-to-router protocol for joining multicast groups

Sparse mode multicast routing using RP

Dense mode multicast routing assuming all routers want traffic

Protocol for connecting multiple PIM-SM domains

Bootstrap Router for automatic RP election

Why these pairings

These are essential multicast protocols for service provider IPTV and content delivery.

437
MCQeasy

Refer to the exhibit. This JSON policy is used for Segment Routing Traffic Engineering. What is the purpose of the 'color' attribute?

A.It sets the metric type for the path calculation
B.It defines the preference value for the candidate path
C.It identifies a specific SR-TE policy to be used for traffic steering
D.It specifies the link affinity constraint for the path
AnswerC

Color is used to match traffic via color-based forwarding.

Why this answer

The color attribute distinguishes between multiple paths to the same destination. Option B is correct. Option A is wrong because preference is separate.

Option C is wrong because affinity constraints are under constraints. Option D is wrong because color does not set metric type.

438
Multi-Selectmedium

A service provider plans to deploy automation using Cisco NSO. Which two benefits does NSO provide for service lifecycle management? (Choose two.)

Select 2 answers
A.Automatic rollback on failed deployment.
B.Multi-vendor device support via NETCONF and CLI.
C.On-device scripting engine.
D.Real-time traffic monitoring.
E.Built-in configuration compliance checks.
AnswersA, B

NSO automatically rolls back changes if a deployment fails, ensuring device consistency.

Why this answer

NSO provides multi-vendor device support via its NETCONF and CLI adapters, and it offers automatic rollback on failed deployments to ensure consistency. Compliance checks and traffic monitoring are not core NSO features, and on-device scripting is not a benefit of NSO itself.

439
MCQmedium

A service provider is automating the provisioning of MPLS L3VPNs across multiple devices using NETCONF. During a deployment, the automation script fails with an error indicating that the device does not support the required YANG model. Which action should the engineer take to verify device capabilities?

A.Use the hello message exchange to check supported YANG modules via capabilities.
B.Use CLI show command to list YANG models.
C.Use RESTCONF with GET to retrieve device capabilities.
D.Use SNMP to check device OID.
AnswerA

The NETCONF hello message includes capabilities such as supported YANG models, making this the correct approach.

Why this answer

NETCONF hello message exchange includes the list of supported YANG modules in the capabilities. This is the standard way to discover device capabilities. Other options are either not standard or would not provide the required information.

440
Multi-Selecteasy

Which TWO types of SIDs are defined in Segment Routing? (Select two.)

Select 2 answers
A.Adjacency-SID
B.TI-LFA SID
C.Service-SID
D.Prefix-SID
E.Node-SID
AnswersA, D

Identifies a link adjacency.

Why this answer

Segment Routing (SR) defines two primary types of Segment Identifiers (SIDs): the Prefix-SID and the Adjacency-SID. A Prefix-SID is a global or local label associated with an IGP prefix (e.g., a loopback), enabling shortest-path forwarding toward that prefix. An Adjacency-SID is a local label associated with a specific adjacency (link) between two routers, forcing traffic out that exact interface regardless of the IGP shortest path.

Exam trap

Cisco often tests the distinction between Node-SID and Prefix-SID, where candidates mistakenly treat Node-SID as a separate SID type, but it is actually a Prefix-SID assigned to the router's loopback address.

441
MCQeasy

Refer to the exhibit. The VRF CUSTOMER is configured with route-target import 100:1. Why is this route not installed in the VRF table?

A.VRF not properly configured.
B.Route target mismatch.
C.Route distinguisher missing.
D.Next-hop unreachable.
AnswerB

The route carries RT:200:1, but the VRF imports only RT:100:1.

Why this answer

B is correct because the VRF CUSTOMER is configured with route-target import 100:1, but the route in question carries a different route-target value (e.g., 100:2). For a route to be installed into a VRF table, the route-target extended community attached to the route must match at least one of the import route-targets configured on the VRF. A mismatch prevents the route from being imported, even if other conditions are satisfied.

Exam trap

Cisco often tests the distinction between route distinguisher (RD) and route-target (RT) — candidates confuse RD uniqueness with RT import/export matching, leading them to pick 'Route distinguisher missing' when the actual issue is a route-target mismatch.

How to eliminate wrong answers

Option A is wrong because the VRF is properly configured with a route distinguisher and route-target import statement; the issue is not a missing or misconfigured VRF definition. Option C is wrong because a route distinguisher is required for VRF route uniqueness in the BGP table, but its absence would cause a different error (e.g., the route not being carried in BGP at all), not a failure to import a route that already has an RD. Option D is wrong because the next-hop reachability is not the cause here; if the next-hop were unreachable, the route would still be considered for import but would be marked as invalid or not installed due to unreachability, whereas the question explicitly states the route is not installed due to route-target mismatch.

442
MCQhard

A service provider is deploying Segment Routing Traffic Engineering (SR-TE) to optimize traffic flows. Which mechanism is used to steer traffic into an SR-TE policy?

A.RSVP-TE tunnel interface
B.Color extended community on BGP routes
C.BGP prefix-independent convergence (PIC)
D.Manual static route pointing to the policy
E.LDP label distribution
AnswerB

The color community is the standard way to steer traffic into an SR-TE policy.

Why this answer

SR-TE policies can be steered using color-based forwarding where the color extended community is attached to BGP routes. The headend matches the color to an SR-TE policy with the same color and steers traffic accordingly. Other methods like next-hop labels or VRF selection are not standard.

443
MCQmedium

A customer is experiencing packet loss during congestion on a link. The service provider wants to implement a QoS policy that drops less important traffic before more important traffic. Which queuing mechanism is best suited?

A.Class-Based Weighted Fair Queuing (CBWFQ) with WRED
B.FIFO queuing
C.Low Latency Queuing (LLQ)
D.Traffic shaping
AnswerA

CBWFQ allocates bandwidth per class, WRED drops low priority before high priority.

Why this answer

CBWFQ with WRED is the best choice because CBWFQ provides per-class queuing with guaranteed bandwidth, while WRED proactively drops less important traffic (based on IP precedence or DSCP) before the queue becomes full, preventing tail drop and ensuring that higher-priority traffic is preserved during congestion. This combination allows the service provider to selectively discard lower-priority packets under congestion, meeting the requirement to drop less important traffic before more important traffic.

Exam trap

Cisco often tests the misconception that LLQ alone can prioritize traffic during congestion, but the trap here is that LLQ provides strict priority queuing without proactive dropping, so it does not selectively drop less important traffic; WRED is required for that function.

How to eliminate wrong answers

Option B (FIFO queuing) is wrong because it treats all traffic equally, dropping packets from the tail of the queue regardless of importance, which does not differentiate between traffic classes. Option C (LLQ) is wrong because it is designed to provide strict priority queuing for delay-sensitive traffic (e.g., voice), but it does not inherently drop less important traffic before more important traffic; it can starve other queues if not policed, and it lacks the proactive dropping mechanism of WRED. Option D (Traffic shaping) is wrong because it buffers excess traffic to smooth out bursts and does not drop packets; it delays them, which does not address the requirement to drop less important traffic during congestion.

444
MCQmedium

A customer is using a Cisco ASR 9000 router with hierarchical QoS (HQoS) on a subscriber interface. The parent policy sets a shape rate of 10 Mbps, but the observed traffic rate is only 8 Mbps. What is a common misconfiguration that would cause this?

A.The child policy includes a police command that is limiting traffic below the parent shaper rate
B.The child policy uses 'bandwidth remaining' instead of 'bandwidth'
C.The child policy includes a bandwidth command that exceeds the parent shaper rate
D.The parent shaper uses 'shape peak' instead of 'shape average'
AnswerA

If a child policy has a police command with a rate of 8 Mbps, that overrides the parent shaper for that class, resulting in a lower observed rate.

Why this answer

In hierarchical QoS (HQoS) on a Cisco ASR 9000, the parent policy shapes traffic to a specified rate, but if the child policy includes a police command, that policer can independently drop or mark down traffic before it reaches the parent shaper. This causes the observed traffic rate to be lower than the parent shape rate, as the child policer is the actual bottleneck. The correct answer is A because the police command in the child policy is limiting traffic below the 10 Mbps parent shaper, resulting in only 8 Mbps observed.

Exam trap

Cisco often tests the distinction between shaping and policing in HQoS, where candidates mistakenly think the parent shaper always controls the final rate, ignoring that a child policer can override it by dropping traffic earlier in the pipeline.

How to eliminate wrong answers

Option B is wrong because 'bandwidth remaining' allocates unused bandwidth from the parent shaper and does not cap the rate; it would not cause the observed rate to be lower than the parent shape. Option C is wrong because a 'bandwidth' command that exceeds the parent shaper rate would simply be constrained by the parent shaper, resulting in traffic at the parent shape rate (10 Mbps), not below it. Option D is wrong because 'shape peak' allows bursts above the committed rate, which would increase the observed rate, not reduce it below the parent shape; 'shape average' is the typical command for strict rate limiting.

445
MCQmedium

A service provider is designing a new MPLS L3VPN service. The customer requires that their VPN traffic be isolated from other customers and that the provider edge routers maintain separate routing tables for each VPN. Which architectural component is essential for this separation?

A.MPLS label stacking
B.VRF (Virtual Routing and Forwarding)
C.VLAN tagging on the customer-facing interfaces
D.BGP route reflectors
AnswerB

VRF creates separate routing tables per VPN instance, enabling isolation.

Why this answer

VRF (Virtual Routing and Forwarding) is the essential architectural component that enables a provider edge router to maintain separate, isolated routing tables for each VPN customer. Each VRF instance contains its own routing table, CEF (Cisco Express Forwarding) table, and associated interfaces, ensuring that traffic from one customer is never forwarded using another customer's routing information. This per-VPN isolation is fundamental to MPLS L3VPN services as defined in RFC 4364.

Exam trap

Cisco often tests the distinction between data-plane isolation (VLANs, MPLS labels) and control-plane isolation (VRF), and the trap here is that candidates confuse VLAN tagging (Layer 2) with the Layer 3 routing table separation provided by VRFs, assuming VLANs alone can achieve the required routing isolation.

How to eliminate wrong answers

Option A is wrong because MPLS label stacking is a forwarding mechanism used to separate transport labels from service labels in an MPLS network, but it does not create or maintain separate routing tables per VPN; it operates at the data plane, not the control plane. Option C is wrong because VLAN tagging on customer-facing interfaces provides Layer 2 segmentation (802.1Q) but does not create separate Layer 3 routing tables; a single VLAN can still be mapped to a single VRF, but VLANs alone cannot isolate routing information. Option D is wrong because BGP route reflectors are used to scale BGP route distribution within an MPLS VPN by reducing the number of iBGP sessions, but they do not provide per-VPN routing table isolation; they propagate VPNv4 routes that already carry the Route Distinguisher (RD) and Route Target (RT) attributes.

446
MCQmedium

During a multicast deployment, some receivers are not receiving the stream. The PIM neighbor table shows the upstream interface is correct. Which command would verify whether the multicast routing table has the correct outgoing interface list?

A.show ip igmp groups
B.show ip pim neighbor
C.show ip mroute
D.show ip route
AnswerC

Shows multicast routing table, including incoming and outgoing interfaces.

Why this answer

Option C is correct because show ip mroute displays the multicast routing table with OIL. Option A is wrong because show ip pim neighbor only shows neighbors. Option B is wrong because show ip igmp groups shows receiver groups.

Option D is wrong because show ip route is unicast.

447
MCQhard

Refer to the exhibit. A network automation engineer uses NETCONF to retrieve the QoS policy 'POLICE-CUSTOMER'. Based on the response, what is the effect of this policy?

A.It polices all traffic to a maximum of 256 kbps and drops excess.
B.It sets DSCP CS4 on traffic exceeding 256 kbps.
C.It guarantees a priority queue for traffic up to 256 kbps.
D.It shapes traffic to an average rate of 256 kbps.
AnswerA

Correct: Policer with exceed-action drop.

Why this answer

The NETCONF response shows a 'police' configuration under the QoS policy 'POLICE-CUSTOMER' with a committed information rate (CIR) of 256000 bps (256 kbps) and a conform-action of 'transmit' with an exceed-action of 'drop'. This is a standard policing action that meters traffic to the specified rate and drops any packets that exceed it, as defined in RFC 2697 (Single Rate Three Color Marker). Option A correctly identifies this behavior.

Exam trap

Cisco often tests the distinction between policing (drops/marks excess) and shaping (buffers excess), and candidates mistakenly associate any rate-limiting action with shaping or marking without checking the specific action keywords in the configuration.

How to eliminate wrong answers

Option B is wrong because the configuration shows an exceed-action of 'drop', not 'set-dscp-transmit' or any marking action; DSCP CS4 would require a 'set-dscp' action in the exceed-action or violate-action. Option C is wrong because policing does not guarantee a priority queue; priority queuing is a scheduling mechanism configured under a class-map with 'priority' command, not a police action. Option D is wrong because shaping buffers and delays excess traffic to smooth bursts, whereas policing drops or marks excess traffic without buffering; the configuration explicitly uses 'police' not 'shape'.

448
MCQhard

In an SR network, which configuration is required to activate TI-LFA for link protection?

A.metric delay interface configuration
B.label-preferred under the interface
C.fast-reroute per-prefix ti-lfa under the IGP process
D.mpls traffic-eng auto-tunnel primary
AnswerC

This command enables TI-LFA for all prefixes in the IGP domain.

Why this answer

Option C is correct because the command 'fast-reroute per-prefix ti-lfa' under the IGP process (IS-IS or OSPF) explicitly enables TI-LFA. Option A is wrong because 'mpls traffic-eng auto-tunnel primary' is for TE auto-tunnel, not TI-LFA. Option B is wrong because 'label-preferred' is not a valid command.

Option D is wrong because 'metric delay' is for IGP convergence, not TI-LFA.

449
MCQeasy

In a Layer 3 MPLS VPN, a customer site that is part of VRF RED is unable to communicate with another site that is also in VRF RED. The 'show ip bgp vpnv4 vrf RED' command shows the routes, but the router does not install them in the routing table. Which configuration element is most likely missing?

A.A BGP session between PEs.
B.The route-target export on the receiving PE.
C.The route-target import on the receiving PE.
D.An MPLS LDP session between PEs.
AnswerC

Correct. Import is needed to accept routes into the VRF.

Why this answer

Option B is correct because route-target import on the receiving PE is required to install VPNv4 routes into the VRF. Option A is incorrect; export is for sending routes. Option C is incorrect; LDP is used for label exchange but not for VRF route installation.

Option D is incorrect; BGP sessions between PEs are usually in place if routes are seen.

450
MCQmedium

Refer to the exhibit. The router has three LDP neighbors established. A network administrator notices that MPLS labels for the prefix 10.4.4.0/24 are not being advertised from this router to its neighbors, although the prefix is present in the routing table. Which is the most likely cause?

A.The LDP session to 10.3.3.3 is down.
B.The route to 10.4.4.0/24 is not the best path in the routing table.
C.The 'mpls ldp' command has not been applied globally.
D.The multicast routing table is empty for the prefix.
AnswerB

LDP assigns a label only to the best IGP route; if the route is not best, no label is allocated.

Why this answer

Option B is correct because the LDP neighbor for 10.4.4.4 (via 10.3.3.3) is up, but the router does not have a label for 10.4.4.0/24. This suggests the route is not being used for forwarding because of the IGP metric or administrative distance. Option A is wrong because the neighbor is up.

Option C is wrong because LDP has been configured globally. Option D is wrong because there is no indication of an mroute issue.

Page 5

Page 6 of 7

Page 7

All pages