Cisco SPCOR / CCNP Service Provider Core 350-501 (350-501) — Questions 451-500

500 questions total · 7 pages · All types, answers revealed

Page 7 of 7

451
MCQ · easy

In an MPLS VPN, what label operation does the egress PE perform on the VPN packet before forwarding it to the CE?

A. Swap the top label
B. Impose a VPN label
C. Pop the label stack
D. Push a new label
E. Replace the transport label
Answer: C

The egress PE removes all labels and forwards the IP packet.

Why this answer

The egress PE pops both the VPN label and the transport label (if any) and forwards the IP packet to the CE. If the transport label has already been removed by penultimate hop popping, the egress PE receives only the VPN label and pops it. In all cases, the egress PE removes the MPLS labels.

452
MCQ · easy

A service provider has deployed a new MPLS L3VPN service for a customer with multiple sites. The customer reports intermittent voice quality issues during peak hours. The provider uses a DiffServ QoS model with MPLS EXP markings. The PE routers apply the following policy on the customer-facing interfaces:

    policy-map CUSTOMER-OUT
     class VOICE
      priority percent 10
      set mpls experimental topmost 5
     class VIDEO
      bandwidth remaining percent 30
      set mpls experimental topmost 4
     class DATA
      bandwidth remaining percent 70
      set mpls experimental topmost 0

The core network has a simple policy that maps EXP 5 to PQ, EXP 4 to a low-latency queue, and EXP 0 to best effort. The provider monitors the network and finds that the PE-CE interfaces are not congested (average utilization is 40%), but the voice packets are experiencing jitter. The customer's voice traffic is about 5% of the link capacity. Which action is most likely to reduce the jitter?

A. Add a police command under the VOICE class to limit voice traffic to 5% and shape the priority queue.
B. Configure the core routers to map EXP 5 to a low latency queue instead of PQ.
C. Increase the priority percent to 20 for voice traffic.
D. Change the set mpls experimental topmost to set ip dscp ef for voice.
Answer: A

Policing and shaping the priority queue prevents bursts and reduces jitter.

Why this answer

The voice traffic is only 5% of link capacity, but the priority percent 10 command allows up to 10% of the link to be treated as priority. During peak hours, if other traffic (e.g., video or data) bursts and exceeds the remaining bandwidth, the priority queue can still be policed implicitly by the scheduler, but jitter arises because the priority queue is not rate-limited. Adding a police command under the VOICE class to limit voice to 5% and shaping the priority queue ensures that voice traffic does not exceed its actual rate, preventing microbursts that cause jitter in the priority queue.

Exam trap

Cisco often tests the misconception that simply increasing priority percentage or changing marking will solve jitter, when the real issue is the lack of explicit policing on the priority queue to match the actual traffic rate.

How to eliminate wrong answers

Option B is wrong because mapping EXP 5 to a low-latency queue instead of PQ would actually increase jitter for voice, as PQ provides the strictest priority and lowest jitter. Option C is wrong because increasing priority percent to 20 would allow more traffic into the priority queue, potentially worsening jitter due to increased queuing delay from bursts. Option D is wrong because changing the marking from MPLS EXP to IP DSCP EF does not address the root cause of jitter (unpoliced priority queue); the core network already maps EXP 5 to PQ, and DSCP marking would be irrelevant in the MPLS core unless the core also maps DSCP.

453
MCQ · hard

An operator notices that a new MPLS-TE tunnel is not being established. The tunnel configuration includes a dynamic path option and a bandwidth of 100 Mbps. The network uses RSVP-TE with CSPF. The link-state database shows sufficient reservable bandwidth on all links along the calculated path. What is the most likely cause of the tunnel establishment failure?

A. RSVP-TE is not enabled on the transit interfaces
B. The path option is misconfigured with a strict explicit path
C. MPLS LDP is not enabled on the core routers
D. The tunnel source interface is not configured with an IP address
Answer: A

RSVP-TE must be enabled on each interface along the path for signaling.

Why this answer

RSVP-TE must be explicitly enabled on every interface that will participate in MPLS-TE label-switched path (LSP) signaling. Even if the link-state database shows sufficient reservable bandwidth, without RSVP-TE enabled on transit interfaces, the PATH messages cannot be processed, and the tunnel will fail to establish. This is a common misconfiguration when deploying MPLS-TE.

Exam trap

Cisco often tests the distinction between having sufficient bandwidth in the link-state database (IGP) versus having RSVP-TE actually enabled on the interfaces, leading candidates to overlook the required interface-level RSVP configuration.

How to eliminate wrong answers

Option B is wrong because a dynamic path option does not use a strict explicit path; a strict explicit path would be configured under a different path option type, and the question states a dynamic path option is used. Option C is wrong because MPLS LDP is not required for MPLS-TE tunnels; RSVP-TE signals its own labels, and LDP is used for different label distribution purposes. Option D is wrong because if the tunnel source interface lacked an IP address, the tunnel would not even come up operationally, and the operator would likely notice that issue before attempting to establish the tunnel; the question focuses on RSVP-TE signaling failure.

454
Multi-Select · easy

Which TWO are benefits of model-driven telemetry over SNMP polling?

Select 2 answers
A. Supports structured data models (YANG)
B. Reduces CPU usage on the device
C. Requires fewer credentials for access
D. Works with legacy devices without modification
E. Uses XML exclusively
Answers: A, B

YANG models provide structured, machine-readable data, enabling easier integration and automation.

Why this answer

Model-driven telemetry reduces CPU usage by pushing data instead of polling, and it uses structured data models (YANG) for better programmability. SNMP uses UDP and unstructured data. XML exclusivity is not a benefit as telemetry supports multiple encodings.

Fewer credentials and legacy compatibility are not inherent benefits.

455
MCQ · hard

A network operator uses gRPC Network Management Interface (gNMI) to collect telemetry data from routers. They notice that some updates are missing. Which gNMI mode should be used to ensure that all state changes are captured?

A. ON_CHANGE
B. TARGET_DEFINED
C. POLL
D. SAMPLE
Answer: A

Sends updates only when a value changes, capturing all changes.

Why this answer

ON_CHANGE mode in gNMI ensures that the target device sends a telemetry update immediately whenever a state change occurs, guaranteeing that no updates are missed. This is in contrast to SAMPLE mode, which only sends periodic snapshots and can miss transient changes between intervals. Therefore, to capture all state changes, ON_CHANGE is the correct subscription mode.

Exam trap

Cisco often tests the misconception that SAMPLE mode with a very short interval is sufficient to capture all changes, but the trap is that SAMPLE can still miss state changes that occur and revert between samples, whereas ON_CHANGE guarantees delivery of every transition.

How to eliminate wrong answers

Option B (TARGET_DEFINED) is wrong because it is not a standard gNMI subscription mode; gNMI defines only ON_CHANGE, SAMPLE, and POLL, and TARGET_DEFINED is a misleading distractor. Option C (POLL) is wrong because POLL mode requires the collector to explicitly request data at intervals, which can miss state changes that occur between polls. Option D (SAMPLE) is wrong because SAMPLE mode sends data at a fixed periodic interval, and any state changes that occur and revert within that interval may be lost.

456
MCQ · medium

In a Layer 3 MPLS VPN, a CE router is dual-homed to two different PE routers. The PE routers advertise the same prefix to the route reflector with different route targets. What ensures that only the best path is installed in the VRF?

A. Each PE router independently selects the best path based on BGP attributes.
B. The route reflector discards duplicate prefixes.
C. MPLS labels ensure that only one path is used.
D. The CE router must advertise the same route to only one PE.
Answer: A

BGP best path selection runs in the VRF context on each PE, using standard attributes.

Why this answer

BGP path selection applies within the VRF. The route with higher local preference or shorter IGP metric to the next-hop determines the best path. Route targets are used for import/export only.

457
Multi-Select · hard

Which THREE BGP path attributes are considered during the best path selection process after local preference? (Choose three.)

Select 3 answers
A. Multi-exit discriminator (MED)
B. Next-hop IP address
C. AS path length
D. Router ID
E. Origin code
Answers: A, C, E

Lower MED is preferred.

Why this answer

After local preference, BGP considers AS path length, origin type, and MED (multi-exit discriminator). The selection order is: weight, local preference, locally originated, AS path, origin, MED, and so on. The correct answers are therefore AS path, origin, and MED.

458
Multi-Select · medium

Which THREE components are required for model-driven telemetry with gRPC? (Choose three.)

Select 3 answers
A. SNMP trap receiver
B. NETCONF session
C. YANG data model
D. gRPC dial-out from the network device
E. Telemetry receiver
Answers: C, D, E

Defines the data to be streamed.

Why this answer

YANG data models (C) are required because they define the structure and semantics of the telemetry data being streamed. gRPC uses YANG as its schema language to encode data in Protocol Buffers (protobuf) or JSON format, ensuring the receiver can parse and interpret the telemetry information correctly.

Exam trap

Cisco often tests the distinction between dial-in (NETCONF/RESTCONF) and dial-out (gRPC) telemetry, and candidates mistakenly think a NETCONF session or SNMP trap is part of the gRPC telemetry stack, but they are separate protocols with different transport and data models.

459
MCQ · hard

A service provider is implementing IPv6 transition in its core. Which transition mechanism is recommended for carrying IPv6 over an existing MPLS/IPv4 backbone without dual-stacking all routers?

A. ISATAP
B. NAT64
C. 6to4 tunneling
D. 6PE (IPv6 Provider Edge)
Answer: D

6PE uses MPLS labels; only PEs need dual-stack.

Why this answer

Option B is correct because 6PE (IPv6 Provider Edge) allows IPv6 over MPLS with only PE routers dual-stacked. Option A is wrong because 6to4 requires encapsulation endpoints. Option C is wrong because NAT64 is for translation.

Option D is wrong because ISATAP is for intra-site.

460
MCQ · medium

Based on the exhibit, which statement about label allocation for prefix 10.1.1.0/24 is true?

A. Router 192.168.2.2 is the penultimate hop for this prefix.
B. The local router will use PHP for this prefix.
C. The local router allocated label 161 for the prefix
D. Router 192.168.1.1 is the egress LSR for this prefix.
Answer: C

Yes, local binding tag is 161.

Why this answer

The remote binding from 192.168.2.2 shows 'imp-null', meaning that router is advertising an implicit null label (POP). This indicates that the next-hop is directly connected or the router is the egress for that prefix.

461
MCQ · hard

In a Segment Routing network with TI-LFA enabled, which mechanism prevents micro-loops during a link failure?

A. Constraint Shortest Path First computation
B. Explicit path with segment list and delay timer
C. Loop-Free Alternate precomputed backup paths
D. Prefix Independent Convergence with fast reroute
Answer: B

Correct. TI-LFA encodes a post-convergence path as an explicit segment list and introduces a delay to allow other routers to converge, preventing micro-loops.

Why this answer

In Segment Routing with TI-LFA, micro-loops are prevented by using an explicit path with a segment list and a delay timer. When a link fails, the protecting router installs a backup path with a segment list that steers traffic around the failure, and a delay timer ensures that the backup path is not activated until the network has converged, preventing transient loops.

Exam trap

Cisco often tests the distinction between TI-LFA and traditional LFA, where candidates mistakenly think LFA alone prevents micro-loops, but TI-LFA specifically adds segment lists and delay timers to address this issue.

How to eliminate wrong answers

Option A is wrong because Constraint Shortest Path First (CSPF) computation is used in MPLS-TE for path calculation under constraints, not for micro-loop prevention in TI-LFA. Option C is wrong because Loop-Free Alternate (LFA) precomputed backup paths provide fast reroute but do not inherently prevent micro-loops during convergence; TI-LFA extends LFA with segment lists and delay timers to address this. Option D is wrong because Prefix Independent Convergence (PIC) with fast reroute is a mechanism for fast convergence in MPLS networks, but it does not specifically prevent micro-loops; TI-LFA uses explicit segment lists and timers for that purpose.

462
MCQ · easy

During MPLS LDP operation, a router receives a label mapping for a prefix from its neighbor. What is the correct behavior when the receiving router has a route to that prefix?

A. It installs the label as the outgoing label for the prefix.
B. It discards the label mapping unless it has a corresponding route.
C. It uses UDP to send a notification back.
D. It installs the label as the incoming label for the prefix.
Answer: D

The router updates its LIB with the received label as the outgoing label for the prefix.

Why this answer

The router installs the received label as the incoming label for that prefix in its LIB and switches to that label. Option A is incorrect because it does not install an outgoing label; it stores the mapping. Option C is incorrect because it does not discard; it uses it.

Option D is incorrect because LDP uses UDP for discovery, but TCP for session; the label mapping is over TCP.

463
MCQ · easy

Which protocol is used to discover MPLS peers for LDP session establishment?

A. TCP
B. UDP
C. ARP
D. ICMP
Answer: B

LDP hello messages are sent via UDP on port 646.

Why this answer

LDP uses UDP hello messages to discover neighbors. Option A is correct. Option B is wrong because TCP is used for session establishment, not discovery.

Option C is wrong because ICMP is not used. Option D is wrong because ARP is for Layer 2.

464
MCQ · easy

Which multicast RP model is recommended for large-scale networks to provide redundancy and load sharing?

A. Auto-RP
B. BSR
C. Anycast-RP
D. Static RP
Answer: C

Correct. Anycast-RP uses the same IP address for multiple RPs, enabling load sharing and redundancy.

Why this answer

Anycast-RP is recommended for large-scale networks because it allows multiple RPs to share the same IP address, providing redundancy and load sharing without requiring dynamic RP discovery protocols. This model uses MSDP (Multicast Source Discovery Protocol) or PIM (Protocol Independent Multicast) to synchronize multicast state between RPs, ensuring that sources and receivers can register with the nearest RP for optimal path selection.

Exam trap

Cisco often tests the misconception that BSR or Auto-RP provide load sharing, but the trap here is that only Anycast-RP explicitly supports both redundancy and load sharing by allowing multiple RPs to actively serve different groups or sources simultaneously.

How to eliminate wrong answers

Option A is wrong because Auto-RP uses a flood-and-prune mechanism with a designated RP announcement group (224.0.1.39/40), which can cause scalability issues and lacks built-in load sharing across multiple RPs. Option B is wrong because BSR (Bootstrap Router) uses a single elected BSR to distribute RP information, creating a single point of failure and not inherently supporting load sharing across multiple RPs. Option D is wrong because Static RP requires manual configuration on every router, offers no redundancy if the single RP fails, and cannot provide load sharing without additional complex configurations like Anycast-RP.

465
MCQ · medium

An MPLS Traffic Engineering LSP fails to establish. The RSVP signaling shows 'PathErr: Admission Control Failure'. The link has sufficient bandwidth but the headend reports a lack of resources. What is the most likely cause?

A. The tunnel is requesting more bandwidth than available on any path
B. The MPLS forwarding table is corrupted
C. The headend router does not have the correct destination address
D. The RSVP bandwidth is not configured on the interface or is set to 0
E. The LSP is configured with a strict explicit path that is impossible
Answer: D

Without 'ip rsvp bandwidth' command on the interface, RSVP cannot allocate resources.

Why this answer

Admission control in RSVP-TE uses bandwidth constraints either per tunnel or per interface. A common misconfiguration is not reserving global pool bandwidth under the interface. The headend could be misconfiguring the bandwidth request, but the error is at the interface level under RSVP.

The most common fix is enabling bandwidth reservation under the interface.

466
MCQ · hard

A service provider offers IPTV services using multicast. The network uses Multicast VPN (MVPN) with Rosen GRE encapsulation (Profile 1) in an MPLS L3VPN environment. The Provider Edge (PE) routers participate in both the default MDT and data MDT for high-bandwidth streams. Recently, a new channel was added, and it uses a data MDT. The content server is attached to a PE that is acting as a multicast source. Other PEs are receivers. Upon adding the channel, some receivers report missing packets. The network engineer checks the PEs and notices that the data MDT group address is being advertised via BGP as an MDT SAFI route, but some PEs are not joining the data MDT. The source PE's multicast routing table shows that it believes data MDT is active. Which architecture issue is most likely preventing some PEs from joining the data MDT?

A. The source PE is not sending IGMP joins for the data MDT group.
B. The default MDT group is flapping.
C. The PIM sparse mode RP is not reachable.
D. The data MDT group is not within the configured data MDT group range on the receiving PEs.
Answer: D

Correct. If the group is outside the configured range, the PE will not participate in that data MDT.

Why this answer

The data MDT group must be within the configured data-MDT group range on each PE; if not, the PE will ignore the BGP MDT SAFI route and not join the data MDT. Source PE IGMP joins are not relevant; default MDT issues are separate; PIM RP reachability might affect default MDT but not data MDT join if using SSM.

467
Multi-Select · easy

Which THREE are valid reasons for using the 'ipv6 unicast-routing' command on a Cisco router?

Select 3 answers
A. It enables IPv6 on all interfaces.
B. It enables global IPv6 routing.
C. It enables IPv6 CEF.
D. It enables IPv6 multicast routing.
E. It allows configuration of IPv6 routing protocols like OSPFv3.
Answers: B, C, E

Correct. This is the primary purpose.

Why this answer

Options B, D, and E are correct. This command enables IPv6 routing globally (B), enables IPv6 CEF (D), and allows configuration of IPv6 routing protocols (E). Option A is incorrect; it does not enable IPv6 on interfaces.

Option C is incorrect; IPv6 is enabled by default on some platforms, but the command does not enable multicast routing.

468
MCQ · medium

Refer to the exhibit. The router has an outgoing label of 'Pop' for prefix ***********. What does this imply?

A. The router has not learned a label for that prefix
B. The router will not forward traffic for that prefix
C. The router is the penultimate hop and will remove the label before forwarding
D. The router will push a new label for that prefix
Answer: C

Penultimate hop popping (PHP) removes the outermost label.

Why this answer

A 'Pop' outgoing label indicates that the router is the penultimate hop and advertises implicit null. Option D is correct. Option A is wrong because Pop means the label is removed.

Option B is wrong because the outgoing interface is still used. Option C is wrong because Pop is not a failure.

469
MCQ · easy

A service provider wants to prioritize voice traffic over data traffic on a PE-CE link. Which QoS mechanism should be applied at the PE ingress to classify packets?

A. Policer
B. Class-based marking based on NBAR
C. WRED
D. Shaper
Answer: B

NBAR performs deep packet inspection to classify traffic by application.

Why this answer

Class-based marking using NBAR can classify traffic based on application. Options B, C, D are actions (policing, shaping, dropping) that occur after classification. Thus A is correct.

470
MCQ · easy

Which routing protocol is used between CE and PE routers in a typical MPLS L3VPN deployment?

A. RIP
B. BGP
C. EIGRP
D. IS-IS
Answer: B

eBGP is commonly used for CE-PE routing in L3VPN to carry customer routes and support multi-homing.

Why this answer

The CE-PE routing protocol can be any of static, RIP, EIGRP, OSPF, or BGP. However, in service provider networks, eBGP or OSPF are common. The question asks for the typical choice; BGP is often used for multi-homing and scalability.

471
MCQ · easy

A small service provider is deploying MPLS in its core network for the first time. They have a simple topology: three P routers in the core and two PE routers connecting customers. They have configured LDP on all interfaces and OSPF as the IGP. They also configured a basic L3VPN for a customer with a single CE attached to each PE. The customer reports that they can ping between CEs for a few minutes, but then the connectivity drops. After a few seconds, it returns. This pattern repeats every few minutes. The engineer checks the LDP neighbors and sees that all LDP sessions are up. The OSPF adjacencies are stable. The engineer also notices that the pings time out exactly when the LDP graceful restart timer is expiring on one of the P routers. What is the most likely cause?

A. The BGP session between the PEs is flapping due to a hold timer mismatch or connectivity issue.
B. The LDP graceful restart timer is causing periodic re-establishment of LDP sessions.
C. The OSPF network type on the core links is set to point-to-point, causing SPF recalculation every 5 minutes.
D. One of the core interfaces is flapping due to a hardware issue, triggering IGP and LDP convergence.
Answer: A

If the BGP session between PEs goes down, VPN routes are withdrawn, causing connectivity loss. When the session comes back, routes are re-advertised, restoring connectivity. The pattern matches.

Why this answer

Option D is correct because if the BGP session between PEs is going down (e.g., due to a hold timer issue or misconfiguration), the VPN routes would be withdrawn and re-advertised, causing intermittent connectivity. Option A is wrong because LDP graceful restart timer is for LDP session recovery, but LDP sessions are up. Option B is wrong because OSPF network type does not cause periodic drops.

Option C is wrong because interface flaps would cause more permanent outages.

472
MCQ · hard

A service provider is deploying multicast service for IPTV using PIM-SM with a single RP. During high traffic periods, the RP becomes overloaded. What is the most scalable solution to distribute the load across multiple RPs?

A. Use Anycast-RP
B. Use Bidirectional PIM
C. Increase the RP's memory and CPU
D. Use PIM-DM
Answer: A

Anycast-RP allows multiple RPs under a single RP address, distributing the load.

Why this answer

Anycast-RP allows multiple RPs to share the same IP address, enabling load distribution and redundancy. In PIM-SM, sources register with the nearest RP via unicast routing, and receivers join toward the same Anycast-RP address, which is routed to the closest physical RP. This distributes the registration and join processing load across multiple RPs without requiring protocol changes.

Exam trap

Cisco often tests the misconception that Bidirectional PIM or simply upgrading hardware can solve RP overload, but the key is that Anycast-RP is the only option that distributes the RP load across multiple devices while maintaining a single RP address for the multicast domain.

How to eliminate wrong answers

Option B is wrong because Bidirectional PIM is designed for many-to-many multicast applications and uses a shared tree rooted at the RP, but it does not inherently distribute load across multiple RPs; it still relies on a single RP per group. Option C is wrong because increasing the RP's memory and CPU is a vertical scaling approach that does not address the fundamental architecture limitation of a single RP becoming a bottleneck; it is not a scalable solution for load distribution. Option D is wrong because PIM-DM uses a flood-and-prune mechanism that is inefficient for sparse-mode IPTV deployments and does not use an RP at all, so it cannot distribute RP load.

473
MCQ · medium

You are a network engineer at a service provider. Your network uses MPLS L3VPN with OSPF as the IGP and LDP for label distribution. A customer has two sites connected to different PEs (PE1 and PE2) in the same VPN. The customer's CE routers are running eBGP with the PEs. Recently, the customer reports that traffic between the two sites is intermittently dropping. Upon investigation, you find that the BGP session between PE1 and the CE at site A goes down briefly every few minutes. The logs on PE1 show BGP notifications with error code 'Hold Timer Expired'. The CE router at site A is a low-end device with limited CPU. What is the most likely cause and the best course of action?

A. Configure BGP route dampening on PE1 to suppress flapping routes.
B. Disable LDP on the link between PE1 and CE1.
C. Change the IGP from OSPF to IS-IS to reduce routing updates.
D. Increase the BGP hold time on PE1 to 180 seconds.
Answer: D

Increasing the hold time gives the CE more time to send keepalives, reducing session drops.

Why this answer

The BGP session drops due to 'Hold Timer Expired' because the low-end CE router's CPU is overloaded, causing it to fail sending BGP keepalives within the default 90-second hold time. Increasing the hold time on PE1 to 180 seconds (option D) gives the CE more time to send keepalives, reducing false timeouts. This directly addresses the root cause—insufficient CPU to maintain timely keepalives—without changing routing protocols or suppressing routes.

Exam trap

Cisco often tests the misconception that route dampening or IGP changes fix BGP session stability issues, when the real problem is a mismatch in BGP timers due to peer resource constraints.

How to eliminate wrong answers

Option A is wrong because BGP route dampening suppresses flapping routes but does not prevent the BGP session from going down due to hold timer expiry; it would only penalize routes after the session flaps, not fix the underlying keepalive issue. Option B is wrong because LDP is used for label distribution in the MPLS core and is not involved in the CE-PE eBGP session; disabling it would break MPLS L3VPN functionality. Option C is wrong because changing the IGP from OSPF to IS-IS does not affect BGP keepalive timing or CE router CPU load; it would only alter interior routing updates, which are unrelated to the hold timer expiry between PE and CE.

474
Multi-Select · medium

Which TWO statements about QoS policy propagation via BGP (QPPB) are correct?

Select 2 answers
A. QPPB can be applied on inbound direction only.
B. QPPB is an IETF standard.
C. It uses BGP communities to mark QoS on traffic received from customer.
D. It uses MPLS EXP bits to propagate QoS.
E. It dynamically adjusts BGP attributes based on QoS policy.
Answers: A, C

It applies to traffic coming from customers.

Why this answer

Option A is correct because QPPB can be applied on inbound direction only. QPPB uses BGP policy to classify traffic based on IP precedence or QoS group, and the classification is performed on incoming traffic before any routing decision. The outbound direction is not supported for QPPB classification.

Exam trap

Cisco often tests the misconception that QPPB is an IETF standard or that it can be applied bidirectionally, when in fact it is a Cisco proprietary feature limited to inbound direction only.

475
MCQ · medium

An ISP is implementing BGP communities to influence routing behavior for their customers. They want to ensure that a customer's routes are not advertised to a specific transit provider. Which BGP community should be used?

A. LOCAL_AS
B. NO_EXPORT
C. NO_PEER
D. NO_ADVERTISE
Answer: B

This community ensures the route stays within the local AS and is not sent to any external AS.

Why this answer

The NO_EXPORT community (RFC 1997) tells a router to advertise the route to iBGP peers within the same AS but not to any eBGP peers. In this scenario, the ISP wants to prevent a customer's routes from being advertised to a specific transit provider, which is an eBGP neighbor. Applying the NO_EXPORT community to those routes ensures they stay within the ISP's AS and are not sent to any external transit provider.

Exam trap

Cisco often tests the distinction between NO_EXPORT and NO_ADVERTISE, where candidates mistakenly choose NO_ADVERTISE because they think it only blocks eBGP advertisements, but in reality NO_ADVERTISE blocks all advertisements (including iBGP), making NO_EXPORT the correct choice when the goal is to block only external (eBGP) propagation.

How to eliminate wrong answers

Option A (LOCAL_AS) is wrong because it is not a standard BGP community; it is a BGP feature (often used with 'allowas-in' or 'local-as' on a neighbor statement) that prepends the local AS number in the AS_PATH, but it does not control route advertisement to a specific transit provider. Option C (NO_PEER) is wrong because it is not a standard BGP well-known community; the correct community to prevent advertisement to any eBGP peer is NO_EXPORT, and NO_PEER is a common distractor that does not exist in RFC 1997. Option D (NO_ADVERTISE) is wrong because it prevents the route from being advertised to any BGP peer (iBGP or eBGP), which is too restrictive; the requirement is only to block advertisement to a specific transit provider (an eBGP peer), not to all peers.

476
MCQ · easy

A network administrator needs to automate the deployment of a new QoS policy on dozens of provider edge routers. Which Cisco tool is best suited for this purpose?

A. Cisco Network Services Orchestrator (NSO)
B. Cisco SecureX
C. Cisco Prime Infrastructure
D. Cisco ISE
Answer: A

NSO is a multi-vendor orchestration platform that can automate the deployment of QoS policies via NETCONF or CLI.

Why this answer

Cisco Network Services Orchestrator (NSO) is the correct tool because it provides model-driven orchestration and automation for deploying and managing network configurations across hundreds of devices using YANG data models and NETCONF. For QoS policy deployment, NSO can push consistent service definitions (e.g., class-maps, policy-maps, service-policy) to multiple provider edge routers simultaneously, ensuring compliance and reducing manual errors.

Exam trap

Cisco often tests the distinction between lifecycle management tools (Prime Infrastructure) and true orchestration platforms (NSO), where candidates mistakenly choose Prime Infrastructure for bulk configuration deployment because of its template features, but NSO is the only option that provides model-driven, transactional, and multi-vendor orchestration required for automated QoS policy deployment at scale.

How to eliminate wrong answers

Option B is wrong because Cisco SecureX is a cloud-native security platform focused on threat detection, response, and integration of security products, not on network configuration automation or QoS policy deployment. Option C is wrong because Cisco Prime Infrastructure is a lifecycle management tool for wired and wireless networks that provides monitoring, troubleshooting, and template-based configuration, but it lacks the model-driven orchestration and multi-vendor support of NSO for large-scale automated service deployment. Option D is wrong because Cisco ISE (Identity Services Engine) is a policy-based access control and authentication server for network admission control (NAC) and security, not designed for automating QoS policy deployment on provider edge routers.

477
MCQmedium

A service provider is migrating from LDP to Segment Routing. What is the correct order of operations to ensure uninterrupted MPLS forwarding?

A.Enable SR on each router one by one while LDP remains active, then remove LDP after SR is stable.
B.Enable SR on all routers simultaneously.
C.Configure IS-IS SR extensions on all routers, then disable LDP.
D.Disable LDP first to free labels, then enable SR.
AnswerA

Correct. This gradual migration ensures continuous forwarding via LDP while SR is established.

Why this answer

Option A is correct because it follows the recommended migration strategy of running LDP and Segment Routing (SR) in parallel. By enabling SR on each router one by one while LDP remains active, MPLS forwarding continues uninterrupted via LDP until SR is fully deployed and stable. Once SR is verified on all routers, LDP can be safely removed without causing any forwarding black holes.

Exam trap

Cisco often tests the misconception that you must disable the old protocol before enabling the new one, but the correct approach is to run both protocols in parallel to maintain forwarding continuity during migration.

How to eliminate wrong answers

Option B is wrong because enabling SR on all routers simultaneously is operationally risky; any misconfiguration or instability in SR could cause widespread forwarding disruption without a fallback. Option C is wrong because configuring IS-IS SR extensions alone does not automatically enable SR MPLS forwarding; you must also enable SR globally and on interfaces, and disabling LDP before SR is stable would break MPLS forwarding. Option D is wrong because disabling LDP first removes the existing label bindings, causing immediate MPLS forwarding failures before SR can provide replacement labels.

478
Multi-Selecthard

Which three of the following are valid methods for protecting a pseudowire in an MPLS network?

Select 3 answers
A.Multi-segment PW with backup
B.Ethernet OAM CFM
C.RSVP FRR for link protection
D.PW redundancy with active/standby
E.LSP ping for fault detection
AnswersA, C, D

Correct. Multi-segment pseudowires can be configured with a backup path for redundancy.

Why this answer

Multi-segment PW (MS-PW) with backup is a valid protection method because it allows a pseudowire to be established across multiple MPLS segments, with a backup PW path that can take over if the primary MS-PW fails. This provides end-to-end pseudowire redundancy by using a secondary switched path, ensuring service continuity in multi-domain or multi-area MPLS networks.

Exam trap

Cisco often tests the distinction between fault detection tools (like LSP ping or Ethernet OAM) and actual protection mechanisms (like FRR or PW redundancy), leading candidates to mistakenly select detection methods as valid protection answers.

479
MCQmedium

A network engineer is troubleshooting a BGP convergence issue in a large service provider network. After a link failure in the core, BGP sessions between route reflectors take a long time to reconverge. The RRs are receiving updates from many clients. Which technology can be implemented to improve convergence time? The network currently uses standard BGP with default timers.

A.BGP Add-Path
B.BGP TCP MD5 authentication
C.BGP route-refresh
D.BGP next-hop-self
AnswerA

Add-Path allows multiple paths per prefix, enabling fast failover.

Why this answer

BGP Add-Path allows a route reflector to advertise multiple paths for the same prefix to its clients, which reduces the need for clients to re-advertise updates after a failure. This speeds up convergence by enabling the route reflector to immediately select and propagate an alternate path without waiting for BGP reconvergence from other clients. In large service provider networks with many clients, this minimizes the delay caused by the route reflector having only a single best path per prefix.

Exam trap

Cisco often tests the misconception that BGP route-refresh or next-hop-self speeds up convergence, but the key is that Add-Path directly reduces reconvergence time by providing pre-computed alternate paths, while the other options address security, soft reconfiguration, or next-hop manipulation without affecting convergence speed.

How to eliminate wrong answers

Option B (BGP TCP MD5 authentication) is wrong because it secures BGP sessions against spoofing but does not affect convergence time or path selection. Option C (BGP route-refresh) is wrong because it triggers a soft reconfiguration to request updates from a peer, which is a manual or triggered operation that does not proactively improve convergence after a failure. Option D (BGP next-hop-self) is wrong because it modifies the next-hop attribute on routes advertised to eBGP peers, typically used in iBGP to ensure reachability, but it does not reduce the number of updates or speed up convergence in a route reflector topology.

480
MCQmedium

A large enterprise uses MPLS L3VPN to connect multiple sites. They want to implement inter-AS option B (ASBR-to-ASBR MP-eBGP) for scalability. Which statement about this model is correct?

A.Each ASB router maintains VRFs for all attached customers
B.Inter-AS option B requires a full mesh of MP-iBGP between all PEs
C.MP-eBGP sessions are established per VRF between ASBRs
D.ASBRs exchange IPv4 labeled unicast routes using MP-eBGP
AnswerD

MP-eBGP with label is used for inter-AS option B.

Why this answer

In Inter-AS Option B, ASBRs exchange IPv4 labeled unicast routes using MP-eBGP (Multiprotocol BGP) with the IPv4 labeled unicast address family. This allows the ASBRs to pass VPNv4 routes between autonomous systems without requiring per-VRF sessions or VRFs on the ASBRs, enabling scalable inter-AS connectivity.

Exam trap

Cisco often tests the misconception that ASBRs need VRFs or per-VRF sessions in Option B, when in fact they operate at the VPNv4 address family level without any customer-specific configuration.

How to eliminate wrong answers

Option A is wrong because ASBRs in Option B do not maintain VRFs for attached customers; VRFs are only configured on PE routers, while ASBRs simply forward labeled VPNv4 routes using MP-eBGP. Option B is wrong because Inter-AS Option B does not require a full mesh of MP-iBGP between all PEs; it relies on MP-eBGP between ASBRs and MP-iBGP within each AS between PEs and route reflectors. Option C is wrong because MP-eBGP sessions between ASBRs are not established per VRF; they are established per address family (IPv4 labeled unicast or VPNv4) and carry all VPN routes in a single session.

481
MCQmedium

Refer to the exhibit. A network engineer notices that the local label 19 for prefix 10.4.4.0/24 shows 'Untagged' in the outgoing label column. What is the most likely cause?

A.The next-hop router 192.168.3.3 is unreachable.
B.Penultimate Hop Popping is enabled on the next-hop router.
C.The MTU on interface Gi0/0/2 is too small.
D.LDP is not enabled on the interface toward 192.168.3.3.
AnswerD

If LDP is not enabled, no label is received from the next-hop, resulting in 'Untagged'.

Why this answer

When LDP is not enabled on the interface toward the next-hop router (192.168.3.3), the local router cannot exchange label bindings with that neighbor. As a result, the local label for prefix 10.4.4.0/24 remains in the LIB but is not programmed into the LFIB with an outgoing label, showing 'Untagged' because the router must pop the label (or forward as IP) when sending traffic to that next hop.

Exam trap

Cisco often tests the distinction between 'Untagged' (no label from LDP neighbor) and 'Pop tag' (implicit-null from PHP), leading candidates to mistakenly attribute 'Untagged' to PHP when it actually indicates a missing LDP adjacency.

How to eliminate wrong answers

Option A is wrong because if the next-hop router 192.168.3.3 were unreachable, the route itself would not be in the routing table, and the label entry would not appear at all or would show 'no route' rather than 'Untagged'. Option B is wrong because Penultimate Hop Popping (PHP) causes the next-hop router to advertise an implicit-null label (label 3), which results in 'Pop tag' or 'Untagged' in the outgoing label column only when PHP is explicitly negotiated; however, PHP is a normal LDP behavior and would not indicate a problem—the question implies a fault, not normal operation. Option C is wrong because a small MTU on interface Gi0/0/2 would cause fragmentation or packet drops, but it would not affect the label binding or cause the outgoing label to show 'Untagged' in the LFIB.

482
MCQmedium

An engineer is troubleshooting an MPLS L3VPN where customers behind CE1 cannot reach a specific prefix behind CE2. The PE routers are using OSPF as the IGP and LDP for label distribution. On PE2, the prefix is present in the VRF routing table, but not in the VRF forwarding table. What is the most likely cause?

A.MTU mismatch is causing the VPN label to be dropped.
B.OSPF is not redistributing the BGP routes into the IGP on PE2.
C.The VRF is not properly configured on PE2's interface toward CE2.
D.The route is missing a label in the LFIB on PE2.
AnswerD

If the label is missing, the route cannot be installed in the VRF forwarding table.

Why this answer

The prefix is present in the VRF routing table (RIB) but missing from the VRF forwarding table (FIB) on PE2. This indicates that the route has been learned via BGP and installed in the RIB, but the MPLS VPN label (the inner label) required to forward the packet across the MPLS core is absent. Without a valid label in the LFIB, the CEF (FIB) cannot install the route, causing the reachability failure.

Option D correctly identifies this missing label in the LFIB as the root cause.

Exam trap

Cisco often tests the distinction between the routing table (RIB) and the forwarding table (FIB) in MPLS VPNs, trapping candidates who assume that a route present in the RIB automatically means it is usable for forwarding, when in fact the FIB requires a valid label binding to install the route.

How to eliminate wrong answers

Option A is wrong because an MTU mismatch would cause packet fragmentation or drop at the IP layer, not prevent a route from being installed in the VRF forwarding table; the route would still appear in both the RIB and FIB. Option B is wrong because OSPF redistribution of BGP routes into the IGP is not required for MPLS L3VPN operation; the PE routers exchange VPNv4 routes via MP-BGP, and the IGP (OSPF) is only used for core reachability and LDP label distribution, not for carrying customer prefixes. Option C is wrong because if the VRF were not properly configured on PE2's interface toward CE2, the CE-facing interface would not be associated with the VRF, and the prefix would likely not appear in the VRF routing table at all; the issue is specifically that the route is in the RIB but not the FIB, pointing to a label problem, not a VRF interface misconfiguration.

483
MCQmedium

An engineer is troubleshooting a BGP route propagation issue. The customer is receiving a default route from an upstream provider, but the route is not being installed in the routing table. The BGP table shows the route is valid but not best. What is the most likely cause?

A.The next-hop is unreachable
B.The route is filtered by an inbound route-map
C.The BGP session is not established
D.A static default route with lower administrative distance exists
AnswerD

Static route AD 1 < BGP AD 20, so BGP route is not best.

Why this answer

Option D is correct because a static default route with a lower administrative distance (e.g., 1) will be preferred over a BGP default route (AD 20 for eBGP). Even though the BGP route is valid in the BGP table, it is not installed in the routing table because the static route is more trustworthy. This is a common scenario where the routing table already has a better path, preventing the BGP route from becoming 'best' and being installed.

Exam trap

Cisco often tests the distinction between a route being 'valid' in the BGP table versus being 'best' and installed in the routing table, trapping candidates who assume a valid BGP route is automatically used for forwarding.

How to eliminate wrong answers

Option A is wrong because if the next-hop were unreachable, the BGP route would be marked as invalid in the BGP table, not 'valid but not best'. Option B is wrong because an inbound route-map filtering the route would prevent it from appearing in the BGP table at all, whereas the question states the route is present and valid. Option C is wrong because if the BGP session were not established, no routes would be received from the upstream provider, contradicting the fact that the route is in the BGP table.

484
MCQmedium

A service provider is troubleshooting an MPLS L3VPN scenario where a customer in VRF Blue cannot reach a server in VRF Blue at a remote site. The PEs are running MPLS with LDP. The VRF on both PEs shows the remote prefix. The PE at the local site shows the label from the remote PE for the prefix in the BGP table. However, when pinging from the CE, the packets are dropped. A packet capture on the core shows MPLS packets with the correct VPN label, but the transport label is missing. Further investigation shows that the LDP session between the two PEs is up, but the LDP label binding for the remote PE's loopback is not present. What is the most likely cause and correct action?

A.Increase the TTL on the MPLS packets
B.Change the transport address in LDP to the loopback IP
C.Configure the remote PE's loopback to be advertised via BGP
D.Check MPLS LDP interface configuration and enable LDP on all core interfaces
AnswerD

LDP must be enabled on each core interface to exchange label bindings for loopbacks.

Why this answer

The LDP session is up, but the label binding for the remote loopback is missing. This could be because LDP is not enabled on the underlying interfaces between the PEs, or because the label space is configured incorrectly. Typically, if LDP is enabled on all core interfaces, label bindings for loopbacks are automatically exchanged.

The missing binding suggests that either LDP is not configured on some interfaces, or an access-list is blocking LDP. The most direct action is to verify that LDP is enabled on all core interfaces using the command 'show mpls ldp interface'.

485
Multi-Selectmedium

A network engineer is implementing QoS on a Cisco ASR 1000 for a customer with multiple service classes. The customer requires that mission-critical data not be starved when voice traffic bursts. Which two actions should the engineer take? (Choose two.)

Select 2 answers
A.Configure a policer on the voice class to limit its bandwidth
B.Enable WRED on the voice class
C.Use tail drop with a high threshold for the data class
D.Allocate a minimum bandwidth guarantee to the data class
E.Configure a shape on the voice class to 75% of interface bandwidth
AnswersA, D

Policing the voice class prevents it from exceeding a set rate, protecting other classes from starvation.

Why this answer

Option A is correct because policing the voice class limits its bandwidth to a configured rate (e.g., using the `police` command under the class-map), preventing voice bursts from starving mission-critical data. This ensures that voice traffic does not exceed its allocated share, leaving enough bandwidth for other classes. Option D is correct because allocating a minimum bandwidth guarantee to the data class (e.g., using the `bandwidth` command under the class-map) ensures that even when voice bursts occur, the data class receives a reserved amount of bandwidth, preventing starvation.

Together, these actions enforce admission control and bandwidth reservation, aligning with the customer's requirement.

Exam trap

Cisco often tests the distinction between policing (which limits bandwidth) and shaping (which buffers and smooths traffic), and between bandwidth guarantees (which reserve capacity) and WRED (which manages congestion but does not prevent starvation), leading candidates to confuse these mechanisms.

486
MCQhard

An SP is deploying EVPN with VXLAN encapsulation in a data center interconnect. The design requires that the control plane for MAC/VTEP learning is based on BGP. Which BGP address family must be configured?

A.l2vpn evpn
B.l2vpn vpls-vpws
C.vpnv4
D.ipv4 unicast
AnswerA

The l2vpn evpn address family is used for EVPN control plane with BGP.

Why this answer

The l2vpn evpn address family is used for EVPN. Option B is l2vpn vpls-vpws (legacy), Option C is vpnv4 for L3VPN, and Option D is ipv4 unicast. Thus A is correct.

487
MCQmedium

An engineer needs to ensure that a core router can forward MPLS packets without checking the IP header. Which forwarding mechanism should be enabled?

A.Link Fragmentation and Interleaving (LFI)
B.CEF switching
C.Per-packet load balancing
D.Penultimate Hop Popping (PHP)
AnswerD

PHP pops label at penultimate hop, so last hop forwards without IP check.

Why this answer

Option D is correct because Penultimate Hop Popping (PHP) removes the label before the final hop, allowing forwarding based on label only. Option B is wrong because CEF is IP-based. Option A is wrong because LFI is for link fragmentation and interleaving.

Option C is wrong because load balancing is distribution, not label-only.

488
MCQeasy

A network engineer is troubleshooting an OSPF adjacency failure between two directly connected routers, R1 and R2. Both routers are configured with the same OSPF process ID and area. The engineer verifies that the interfaces are up and IP connectivity exists. Which configuration mismatch is most likely causing the adjacency to fail?

A.MTU mismatch between the interfaces
B.Passive interface configuration on one router
C.Area ID mismatch on the interfaces
D.OSPF network type mismatch between the interfaces
AnswerD

Network type mismatch (e.g., broadcast vs. point-to-point) causes the routers to disagree on DR/BDR election and hello behavior, preventing adjacency.

Why this answer

Option D is correct because OSPF network type mismatch, such as one side configured as point-to-point and the other as broadcast, prevents adjacency formation. Option A is wrong because an MTU mismatch would cause the adjacency to form but show problems during LSA exchange. Option C is wrong because area mismatch would cause a mismatch in area ID.

Option B is wrong because a passive interface would allow the neighbor to be seen but not become full.

489
MCQmedium

An SP uses model-driven telemetry to monitor queue depths on core interfaces. They observe periodic spikes in the queue depth for EF traffic, causing increased latency. Which automation technique could dynamically adjust the QoS policy to mitigate the spikes?

A.Use a Python script that consumes telemetry data and adjusts the EF bandwidth percentage via NETCONF when queue depth exceeds a threshold.
B.Deploy NETCONF YANG modules for VRF configuration.
C.Configure WRED on the EF queue.
D.Implement streaming telemetry to collect data every 5 seconds.
AnswerA

Closed-loop automation enables dynamic QoS adjustment.

Why this answer

Option A is correct because it combines model-driven telemetry (to detect queue depth spikes in real time) with a closed-loop automation approach: a Python script consumes the telemetry data, and when the EF queue depth exceeds a threshold, it dynamically adjusts the EF bandwidth percentage via NETCONF. This directly addresses the periodic spikes by modifying the QoS policy on the fly, reducing latency without manual intervention.

Exam trap

Cisco often tests the distinction between monitoring (telemetry) and active remediation (automation), so the trap here is that candidates see 'streaming telemetry' in Option D and think it solves the problem, but it only provides data—not the dynamic adjustment needed to mitigate the spikes.

How to eliminate wrong answers

Option B is wrong because deploying NETCONF YANG modules for VRF configuration does nothing to monitor or adjust queue depths or QoS policies; it is focused on VRF provisioning, not dynamic QoS tuning. Option C is wrong because configuring WRED on the EF queue would drop packets during congestion, which is inappropriate for EF (Expedited Forwarding) traffic that requires low loss and low latency; WRED is typically used for best-effort or AF traffic, not for EF. Option D is wrong because implementing streaming telemetry to collect data every 5 seconds only provides monitoring data—it does not include any mechanism to dynamically adjust the QoS policy; it is a passive observation tool, not an active remediation technique.

490
MCQhard

An SP is troubleshooting an MPLS L2VPN VPLS network where MAC flapping is occurring between two PEs. Which mechanism in VPLS prevents loops and ensures that a broadcast frame from one PE is not reflected back to the originating PE?

A.Split horizon
B.Spanning Tree Protocol (STP)
C.Rapid Spanning Tree Protocol (RSTP)
D.MAC address aging
AnswerA

Split horizon prevents forwarding out of incoming pseudowire.

Why this answer

Option A is correct. Split horizon in VPLS means a PE will not forward a frame received from one pseudowire out another pseudowire within the same VFI, preventing loops. Option B (STP) is used at the CE side but not inside the VPLS core.

Option C (RSTP) is wrong for the same reason. Option D (MAC aging) is for learning, not loop prevention.

491
MCQhard

Refer to the exhibit. An engineer configures MPLS LDP on a router. The router has two interfaces with IP addresses 10.0.0.1/30 and 10.0.0.5/30. The engineer notices that LDP sessions are not established. The OSPF neighbor adjacencies are up. What is the most likely cause?

A.The OSPF network statements do not cover the interfaces correctly
B.The MPLS MTU is set to 1500, which is too low
C.The label range is too small
D.LDP is not enabled on the interfaces
AnswerD

The 'mpls ip' command does not enable LDP; LDP requires 'mpls ldp' or explicit configuration.

Why this answer

D is correct because MPLS LDP requires explicit interface-level activation under the `mpls ip` command. Even if OSPF adjacencies are up and the global LDP process is configured, LDP will not form sessions on interfaces where `mpls ip` is missing. The engineer likely enabled LDP globally but forgot to enable it on the specific interfaces, which is a common oversight.

Exam trap

Cisco often tests the distinction between global LDP configuration and interface-level activation, leading candidates to assume that enabling LDP globally is sufficient for session establishment.

How to eliminate wrong answers

Option A is wrong because OSPF network statements are unrelated to LDP session establishment; OSPF adjacencies are already up, proving the interfaces are correctly covered. Option B is wrong because an MPLS MTU of 1500 is standard and does not prevent LDP session establishment; MTU issues typically cause label-switched path (LSP) problems, not LDP hello or session failures. Option C is wrong because a small label range would cause label allocation failures, not prevent LDP sessions from forming; LDP sessions use TCP port 646 and are independent of label range size.

492
MCQeasy

An engineer is configuring MPLS VPN and needs to ensure that customer traffic is automatically marked with a specific QoS policy based on the VPN. Which method should be used to propagate QoS markings across the MPLS network?

A.Use 802.1p CoS on the CE-PE link and preserve it across the MPLS backbone
B.Use MPLS EXP bits to mark traffic at the ingress PE and map to QoS at egress
C.Use IP ToS bits to mark traffic and rely on MPLS to preserve them
D.Set DSCP at the ingress PE and preserve it across the MPLS backbone
AnswerB

MPLS EXP bits are designed to carry QoS information across the MPLS network.

Why this answer

In an MPLS VPN environment, QoS markings must be preserved across the MPLS backbone. MPLS EXP (Experimental) bits are the standard mechanism to carry QoS information within the MPLS label stack. At the ingress PE, customer traffic is classified and marked with the appropriate EXP bits based on the VPN or other criteria.

The egress PE then uses these EXP bits to map traffic to the correct QoS policy, ensuring end-to-end QoS treatment.

Exam trap

Cisco often tests the misconception that IP ToS or DSCP markings are automatically preserved across an MPLS backbone, when in fact MPLS EXP bits are the dedicated field for QoS propagation and must be explicitly set and mapped.

How to eliminate wrong answers

Option A is wrong because 802.1p CoS is a Layer 2 marking used on Ethernet links; it is not preserved across an MPLS backbone where the original Ethernet header is removed. Option C is wrong because IP ToS bits (including DSCP) are not automatically preserved when MPLS labels are imposed; the MPLS label stack replaces the IP header for forwarding, and ToS bits are not copied to EXP bits by default unless explicitly configured. Option D is wrong because DSCP is an IP-layer marking; while it can be preserved if the MPLS backbone is configured to copy DSCP to EXP bits, simply setting DSCP at the ingress PE does not guarantee propagation across the MPLS network without an explicit mapping mechanism like MPLS EXP.

493
Multi-Selecteasy

Which TWO are characteristics of Segment Routing?

Select 2 answers
A.Uses only IPv6 data plane
B.Source routing capability
C.Requires RSVP-like signaling for path setup
D.No per-flow state on transit routers
E.Requires a centralized SDN controller
AnswersB, D

SR specifies path in the packet header.

Why this answer

Options B and D are correct. Segment Routing uses source routing and does not require per-flow state. Option C is wrong because it does have a path selection mechanism.

Option A is wrong because it uses MPLS or IPv6 data plane. Option E is wrong because it works with distributed control plane.

494
MCQmedium

An SP engineer notices that BGP routes from a CE are not being installed in the VRF routing table, although the BGP session is established. The VRF configuration includes route-target import 100:1. The CE is sending routes with RT 100:1. What is the most likely cause?

A.The BGP route is suppressed due to route update delay
B.The route is not matching any import map
C.The VRF name does not match
D.The RD is not configured
AnswerB

If an import map is configured, only routes matching the map are imported.

Why this answer

Even with matching RT, an import map can block routes. If no import map is configured, routes with matching RT should be imported. However, if an import map is applied but doesn't permit the route, it will not be installed.

Option C is irrelevant; Option D: RD is required for VRF but usually configured; Option A: suppression due to delay is not typical; Option B is the most likely.

495
MCQhard

Based on the exhibit, what is the purpose of the 'mpls ldp neighbor ... password cisco' commands?

A.To synchronize LDP and IGP convergence.
B.To control the label allocation for prefixes from that neighbor.
C.To authenticate the LDP session using MD5.
D.To enable LDP session protection for the neighbor.
AnswerC

The password command enables MD5 authentication for the LDP session.

Why this answer

The 'mpls ldp neighbor ... password cisco' command configures a Message Digest 5 (MD5) authentication password for the LDP session with a specific neighbor. This ensures that the TCP connection used for LDP exchanges is authenticated, preventing spoofed or unauthorized LDP messages from being accepted, as defined in RFC 5036.

Exam trap

Cisco often tests the distinction between LDP authentication (password) and LDP session protection (holdtime/graceful restart), so the trap here is confusing the 'password' keyword with session protection features that maintain adjacency state.

How to eliminate wrong answers

Option A is wrong because synchronizing LDP and IGP convergence is achieved through LDP-IGP synchronization (e.g., 'mpls ldp sync' on an interface), not by setting a password. Option B is wrong because controlling label allocation for prefixes from a neighbor is done via label filtering (e.g., 'mpls ldp neighbor ... label accept' or 'mpls ldp neighbor ... label advertise'), not by a password. Option D is wrong because LDP session protection (e.g., 'mpls ldp session protection') is a separate feature that maintains LDP hello adjacencies and re-establishes sessions after link flaps, unrelated to authentication.

496
MCQeasy

A large service provider operates an MPLS L3VPN network with multiple Route Reflectors (RRs) in the core. The network uses BGP as the control plane for both IPv4 unicast and VPNv4 routes. Recently, one of the RRs started flapping, causing route withdrawals to many clients. The network architect wants to improve stability. The RRs are fully meshed with each other and clients are configured as route-reflector clients. The RRs have both IPv4 and VPNv4 address families enabled. Which action should be taken to minimize the impact of an RR failure?

A.Configure BGP prefix-independent convergence (PIC) on all PE routers.
B.Implement BGP add-paths capability on RRs to advertise multiple paths to clients.
C.Deploy redundant RRs with the same cluster ID and use the 'bgp cluster-id' command to ensure clients only accept routes from one RR at a time.
D.Configure client-to-client reflection on the RRs and ensure that each PE is a client of at least two RRs.
AnswerD

This provides redundancy; clients receive routes from multiple RRs, and if one RR fails, routes are still available via the other.

Why this answer

Configuring client-to-client reflection on the RRs and ensuring each PE is a client of at least two RRs provides redundancy; if one RR fails, routes are still available via the other RR. BGP PIC helps fast failover but does not prevent route withdrawal impact; add-paths increases paths but not redundancy; same cluster ID reduces redundancy.

497
MCQhard

During a maintenance window, an automation script pushed a QoS policy that inadvertently changed the marking for all inbound traffic on a core interface. The change was rolled back, but performance reports show that some traffic is still being marked incorrectly. What is the most logical explanation?

A.The automation script used RESTCONF which requires a commit to finalize
B.The device requires a reload to clear the old marking
C.The rollback script only applied to the outbound direction
D.The rolled back policy was applied inbound, but the outbound policy that also applies marking was not rolled back
AnswerD

The automation may have only rolled back the inbound policy, leaving the outbound marking policy active, which continues to mark traffic.

Why this answer

Option D is correct because QoS policies can be applied independently in the inbound and outbound directions on an interface. If the original automation script modified the inbound marking policy, and the rollback only reverted that inbound policy, any outbound policy that also performs marking would remain unchanged and continue to incorrectly mark traffic. This explains why some traffic still shows incorrect marking after the rollback.

Exam trap

Cisco often tests the concept that QoS policies are directional and that a rollback must consider both inbound and outbound policies independently, leading candidates to overlook the possibility of a separate outbound marking policy still being active.

How to eliminate wrong answers

Option A is wrong because RESTCONF does not require a separate commit operation; it uses HTTP methods (POST, PUT, PATCH, DELETE) that take effect immediately on the device, unlike NETCONF which uses a commit. Option B is wrong because QoS policies in modern Cisco IOS/IOS-XE are applied dynamically and do not require a reload to take effect or clear; a simple 'no service-policy' or removal of the policy class-map is sufficient. Option C is wrong because the rollback script was applied to the same inbound direction where the original change was made; the issue is not about direction mismatch in the rollback but about a separate outbound policy that was never touched by the rollback.

498
MCQmedium

A service provider uses a centralized automation system to manage QoS policies via NETCONF and YANG. When attempting to push a new policy-map, the device returns an error indicating that the policy-map type is not supported in the specified location. What is the most likely cause?

A.The YANG module for QoS is not installed on the device
B.The NETCONF session is not authenticated
C.The automation system is using the wrong namespace
D.The policy-map is being applied to an interface that does not support hierarchical QoS
AnswerD

Some interface types, like tunnel interfaces, do not support hierarchical QoS policies; applying one results in this error.

Why this answer

The error indicates that the policy-map type is not supported in the specified location. This typically occurs when a policy-map is applied to an interface that does not support hierarchical QoS (HQoS), such as a physical interface that requires a service-policy under a parent policy-map. The NETCONF/YANG operation succeeds in syntax but fails due to device-level capability constraints.

Exam trap

Cisco often tests the distinction between YANG schema validation and device capability enforcement, leading candidates to incorrectly blame namespace or module issues when the real problem is a hardware or software feature limitation.

How to eliminate wrong answers

Option A is wrong because if the YANG module for QoS were not installed, the NETCONF server would return a 'data-missing' or 'operation-not-supported' error, not a location-specific policy-map type error. Option B is wrong because an unauthenticated NETCONF session would fail at the session establishment phase with an 'access-denied' error, not during a policy-map push. Option C is wrong because using the wrong namespace would cause a 'bad-attribute' or 'unknown-element' error during XML parsing, not a runtime error about policy-map type support.

499
Multi-Selecthard

Which THREE of the following L3VPN services require the use of a dedicated control plane per VPN instance?

Select 3 answers
A.VPLS
B.6VPE
C.MPLS L3VPN
D.Carrier Supporting Carrier (CSC) VPN
E.MDT VPN
AnswersB, C, D

Why this answer

6VPE (IPv6 VPN Provider Edge) requires a dedicated control plane per VPN instance because it uses separate per-VPN routing tables and a distinct BGP session (typically MP-BGP with the IPv6 address family) to exchange IPv6 VPN routes. This ensures that each customer's IPv6 routing information is isolated and processed independently, which is a core requirement for L3VPN services that maintain per-VPN forwarding and control plane separation.

Exam trap

Cisco often tests the misconception that all MPLS-based VPN services (including VPLS and MDT VPN) require per-VPN control planes, but only L3VPN services that maintain per-VPN routing tables and separate routing protocol instances (like MPLS L3VPN, 6VPE, and CSC VPN) actually need dedicated control planes per VPN instance.

500
MCQmedium

Refer to the exhibit. Based on the exhibit, what is the most likely reason for no label bindings?

A.The local router has disabled label advertisements
B.The IGP routes are not present in the routing table
C.The LDP session is not fully established
D.The remote peer has label filtering applied
AnswerD

Label filtering on the remote peer can prevent advertisement of labels.

Why this answer

The LDP session is operational, but no label bindings are received. A common cause is that the remote peer has label filtering configured, preventing label advertisement. Option A: disabling label advertisements locally might prevent the router from sending labels, but not from receiving them. Option B: whether the IGP routes are present is not directly indicated.

Option C: the session is up, so "not fully established" is false.
