Which THREE are valid SRv6 endpoint behaviors for VPN services? (Choose three.)
Decapsulation and L2VPN forwarding.
Why this answer
End.DT4 for IPv4 L3VPN, End.DT6 for IPv6 L3VPN, and End.DT2U for L2VPN are defined SRv6 behaviors.
988 questions total · 14pages · All types, answers revealed
Which THREE are valid SRv6 endpoint behaviors for VPN services? (Choose three.)
Decapsulation and L2VPN forwarding.
Why this answer
End.DT4 for IPv4 L3VPN, End.DT6 for IPv6 L3VPN, and End.DT2U for L2VPN are defined SRv6 behaviors.
In BGP route selection, if two routes have the same weight, local preference, and are both locally originated, which attribute is considered next?
Shorter AS_PATH is preferred.
Why this answer
After weight, local pref, and locally originated, BGP compares AS_PATH length (shorter is preferred).
An ISP is implementing BGP PIC (Prefix Independent Convergence) for edge routers. Which BGP feature must be enabled to support PIC for core-facing failures?
This allows installation of backup paths for PIC.
Why this answer
BGP PIC relies on installing a backup path in the FIB. For core-facing failures, BGP Fast External Fallover and BGP PIC with backup paths are used; specifically, 'bgp additional-paths install' is needed to install backup paths.
A service provider is designing a BGP-based network. Which TWO are characteristics of BGP within a service provider core?
iBGP does not advertise routes learned from another iBGP peer to prevent loops; thus full mesh or RR is needed.
Why this answer
Option A is correct because iBGP requires either a full mesh of sessions or route reflectors to prevent routing loops. The BGP split-horizon rule states that routes learned from an iBGP peer are not advertised to another iBGP peer, so without a full mesh or route reflectors, reachability information cannot propagate within the AS. Route reflectors break this rule by allowing selected iBGP speakers to re-advertise routes, but they must be deployed with proper cluster and originator ID attributes to avoid loops.
Exam trap
Cisco often tests the misconception that iBGP uses the AS path for loop prevention, but in reality, iBGP relies on the split-horizon rule and attributes like originator ID and cluster list, while the AS path is only used for eBGP loop prevention.
What is the default range of the Segment Routing Global Block (SRGB) on Cisco IOS XR?
Correct. This is the default SRGB.
Why this answer
Default SRGB is 16000-23999, but can be configured. The label range is global across SR domain.
An engineer is configuring an MPLS L3VPN and needs to ensure that the PE router installs VPNv4 routes from a remote PE into the VRF of a customer. The remote PE sends a VPNv4 route with route-target 100:1. Which configuration on the local PE causes the route to be imported into the VRF?
This imports routes with RT 100:1 into the VRF.
Why this answer
Option C is correct because the `route-target import 100:1` command under the VRF definition configures the local PE to accept VPNv4 routes that carry the specified route-target (100:1) from the remote PE. This import RT must match the export RT of the remote PE for the route to be installed into the VRF's routing table. The `rd 100:1` defines the route distinguisher, which is separate from the RT and ensures uniqueness of the VPNv4 prefix.
Exam trap
Cisco often tests the distinction between `route-target import` and `route-target export`, and the trap here is that candidates may select the export-only option (D) or misplace the RT command under BGP (A), failing to recognize that import must be explicitly configured under the VRF definition to receive routes from a remote PE.
How to eliminate wrong answers
Option A is wrong because the `route-target import 100:1` command is placed under `address-family ipv4 vrf CUSTOMER` within BGP, which is not a valid configuration; route-target import/export is configured under the VRF definition, not under the BGP address-family for the VRF. Option B is wrong because it uses the `route-target both 100:1 route-map IMPORT` syntax; while `route-target both` is valid, appending a route-map to the import/export RT statement is not supported in standard IOS/IOS-XE — route-maps can only be applied to `import` or `export` individually, not to `both`, and the syntax is incorrect. Option D is wrong because `route-target export 100:1` only configures the local PE to attach that RT to outgoing VPNv4 routes; it does not cause the import of incoming routes from the remote PE, which requires the `import` keyword.
A large service provider is migrating its L2VPN services (VPWS and VPLS) to EVPN-based solutions to improve scalability and support multi-homing. During the rollout for a customer using VLAN-based EVPN for a data center interconnect, the operations team notices frequent MAC address flapping and broadcast storms on one of the attachment circuits connected to a PE router. The PE is configured for EVPN-MPLS with ESI multihoming using all-active mode. The customer has two PEs (PE1 and PE2) connected to the same CE via two separate Ethernet links. The MAC table on PE1 shows the same MAC address alternating between the local AC interface and the remote EVPN peers. What is the most likely cause and the correct action to resolve this issue?
Proper ESI configuration and DF election prevent duplicate MACs and loops; per-flow load balancing can help but the key is correct ESI.
Why this answer
Option C is correct because in all-active multihoming, split-horizon is required to prevent loops, but if the ESI is misconfigured (e.g., different ESI on each PE), the designated forwarder (DF) election may fail, causing both PEs to forward traffic and create loops, leading to MAC flapping. Implementing ESI multihoming with per-flow load balancing (option C) is not a direct fix; the correct action is to ensure ESI values match and that split-horizon is enabled. However, the options are designed such that option C is the only one that addresses the root cause (incorrect ESI configuration).
Option A (disable split-horizon) would worsen the problem. Option B (enable selective multicast) is for multicast, not MAC flapping. Option D (use MPLS encapsulation instead of VXLAN) does not affect MAC learning loops.
Therefore, the correct answer is C.
A network engineer is troubleshooting slow BGP convergence after a link failure in an MPLS core. Which feature can be enabled on the PE routers to fast-failover traffic upon BGP next-hop unreachability?
BGP PIC pre-installs backup paths for fast failover.
Why this answer
BGP Prefix Independent Convergence (PIC) enables fast failover by pre-installing backup paths into the forwarding table, so when a BGP next-hop becomes unreachable, traffic is immediately switched to the backup path without waiting for BGP reconvergence. This is critical in MPLS cores where slow BGP convergence after a link failure can cause prolonged traffic loss.
Exam trap
Cisco often tests the distinction between fast detection (BFD) and fast failover (PIC), so candidates mistakenly choose BFD thinking it alone solves slow convergence, but BFD only detects failure faster—it does not pre-install backup paths.
How to eliminate wrong answers
Option A is wrong because Route Reflector clustering reduces the number of iBGP sessions and improves scalability, but does not provide fast failover upon next-hop unreachability. Option B is wrong because BFD provides fast link failure detection, but it does not pre-install backup forwarding paths; it only speeds up the detection of failure, after which BGP still needs to reconverge. Option C is wrong because Local Preference manipulation influences BGP path selection but does not enable fast failover; it is a policy tool, not a convergence acceleration mechanism.
An SP is deploying IS-IS fast convergence using Partial Route Computation (PRC). Under which condition does PRC occur?
PRC handles prefix changes only.
Why this answer
PRC is triggered when a prefix changes but the topology remains unchanged. It recalculates only the affected prefixes, not the entire SPF tree.
In MPLS, which forwarding table is used to determine the outgoing label and interface for a labeled packet?
Correct. LFIB is used for label switching.
Why this answer
The LFIB (Label Forwarding Information Base) is the MPLS forwarding table that maps incoming labels to outgoing labels and interfaces.
In the context of SR-PCE, which protocol does the PCE use to communicate with the path computation client (PCC) to set up SR-TE policies?
PCEP is used for path computation requests and responses.
Why this answer
PCEP is the protocol used between PCE and PCC for path computation and setup.
A service provider is configuring BGP route reflectors to scale iBGP. Which two mechanisms are used to prevent routing loops in a route reflector environment? (Choose two.)
Correct. CLUSTER_LIST contains the cluster-ids and prevents loops.
Why this answer
In MPLS, which label operation is performed by a Penultimate Hop Popping (PHP) router?
Correct: PHP removes the label.
Why this answer
In PHP, the penultimate router pops the label before forwarding to the egress, reducing the egress router's work.
Which BGP attribute is used to prefer a specific entry point into an AS when multiple ASBRs are advertising the same prefix to a neighboring AS?
MED is exchanged between ASes to influence inbound traffic.
Why this answer
MED (Multi-Exit Discriminator) is used to influence the inbound traffic by suggesting the preferred entry point.
Which encapsulation technology is commonly used in service provider networks to separate subscriber traffic in an Ethernet aggregation network?
Double tagging separates subscriber from service VLAN.
Why this answer
Q-in-Q (802.1ad) is the correct encapsulation technology because it allows service providers to stack an outer service VLAN tag (S-Tag) on top of a customer's inner VLAN tag (C-Tag), effectively separating subscriber traffic in an Ethernet aggregation network. This double-tagging mechanism preserves the customer's VLAN space while enabling the provider to aggregate multiple subscribers over a single physical port, which is essential for Metro Ethernet and DSLAM aggregation scenarios.
Exam trap
Cisco often tests the distinction between 802.1Q (single tagging) and 802.1ad (Q-in-Q) in aggregation networks, where candidates mistakenly choose 802.1Q because they overlook the need to preserve customer VLANs while scaling beyond 4096 VLANs.
How to eliminate wrong answers
Option B (VXLAN) is wrong because it is an overlay encapsulation that uses UDP and a 24-bit VNI to tunnel Layer 2 over Layer 3 networks, typically in data center fabrics, not for simple subscriber separation in an Ethernet aggregation network. Option C (802.1Q) is wrong because it provides only a single VLAN tag (12-bit VID), which cannot separate overlapping customer VLANs in an aggregation environment without exhausting the 4096 VLAN limit. Option D (MPLS) is wrong because it is a label-switching technology used for traffic engineering and VPNs in the core, not a direct encapsulation for separating subscriber traffic at the Ethernet aggregation layer.
A network engineer is using Cisco NSO to create a managed L3VPN service. After deploying the service, the engineer notices that the configuration on the devices is not being updated. What is the most likely cause?
In NSO, commit is required to push the configuration to devices; without it, the configuration remains in the candidate.
Why this answer
In NSO, services are committed to push configuration changes to devices. If the commit is not performed, the changes remain in the candidate database and are not applied. Other options are less likely given the symptom.
In SP automation, which protocol is used by NSO to communicate with network devices for configuration management?
NETCONF is the standard protocol for device configuration in NSO.
Why this answer
NSO uses NETCONF as the southbound protocol to communicate with devices. NETCONF provides transactional configuration operations like edit-config and get-config.
To secure NTP in a service provider network, which feature should be enabled on IOS XR routers to prevent time synchronization with unauthorized NTP servers?
Authentication verifies the identity of the NTP server.
Why this answer
NTP authentication ensures that the router only synchronizes with trusted servers that have the correct key. Access lists can also limit, but authentication provides cryptographic verification. NTP broadcast mode is less secure; symmetric mode is for peer-to-peer.
A service provider is designing an OSPF network with multiple areas. Which TWO area types allow external routes (Type 5 LSAs) to be injected into the area? (Choose two.)
Standard area (non-stub) accepts Type 5 LSAs.
Why this answer
Standard areas and the backbone area (Area 0) allow Type 5 LSAs. Stub, totally stubby, and NSSA do not accept Type 5 LSAs (NSSA converts Type 7 to Type 5 at ABR, but internally uses Type 7).
Which two statements about MPLS label distribution are correct? (Choose two)
Targeted LDP allows LDP sessions between non-adjacent routers.
Why this answer
Option B is correct because LDP can establish sessions with non-directly connected neighbors using targeted LDP, which uses UDP discovery (port 646) and TCP (port 646) to form a session even when the peers are not directly connected at Layer 3. This is defined in RFC 5036 and is commonly used in MPLS VPN inter-AS options and AToM scenarios.
Exam trap
Cisco often tests the distinction between LDP and TDP, and candidates mistakenly think TDP is a version of LDP, but TDP is a separate, obsolete protocol that was replaced by the standards-based LDP.
An SP uses NSO with a YANG service model to provision L3VPNs. Which database in NSO stores the configuration and state for all managed devices?
CDB is the central database in NSO.
Why this answer
NSO's CDB (Configuration Database) holds the configuration and state of all managed devices, acting as the authoritative data store.
Which label distribution protocol is replaced by segment routing in SR-MPLS deployments?
Correct: SR replaces LDP.
Why this answer
In SR-MPLS deployments, segment routing replaces LDP as the label distribution protocol. LDP traditionally distributes labels for each prefix in the IGP, while segment routing uses the IGP itself to advertise prefix-SIDs and adjacency-SIDs, eliminating the need for a separate label distribution protocol. This simplifies the control plane and removes the dependency on LDP.
Exam trap
Cisco often tests the misconception that segment routing replaces RSVP-TE for traffic engineering, but the question specifically asks about the label distribution protocol replaced by SR-MPLS, which is LDP, not RSVP-TE.
How to eliminate wrong answers
Option A is wrong because RSVP-TE is a traffic engineering protocol that provides explicit path setup and bandwidth reservation, not a general label distribution protocol replaced by segment routing; segment routing can actually replace RSVP-TE for traffic engineering using segment lists, but the question specifically asks about the label distribution protocol replaced by SR-MPLS. Option C is wrong because the IGP itself is not a label distribution protocol; segment routing leverages the IGP to distribute SIDs, but the IGP is not replaced—it is enhanced. Option D is wrong because BGP is used for inter-domain label distribution (e.g., BGP-LU) and is not replaced by segment routing; segment routing can work with BGP for inter-domain scenarios, but BGP remains in use.
A service provider is designing a QoS policy for a business VPN service that carries voice, video, and data. The policy must ensure that voice (EF) is never dropped even during congestion, while video (AF41) and data (AF21) share the remaining bandwidth in a ratio 2:1. Which queuing strategy should be used?
LLQ provides strict priority; CBWFQ allocates bandwidth as needed.
Why this answer
Option B is correct because LLQ provides strict priority queuing for voice (EF), ensuring it is never dropped during congestion, while CBWFQ allows the remaining bandwidth to be shared among video (AF41) and data (AF21) in a 2:1 ratio. LLQ is designed to guarantee low latency for real-time traffic, and CBWFQ enables explicit bandwidth allocation for non-real-time classes. This combination meets the requirement of zero-drop for voice and proportional sharing for video and data.
Exam trap
Cisco often tests the misconception that LLQ can be applied to multiple traffic classes simultaneously without understanding that only one strict priority queue is supported, and that CBWFQ alone cannot guarantee zero-drop for real-time traffic.
How to eliminate wrong answers
Option A is wrong because using LLQ for all three classes would give all traffic strict priority, defeating the purpose of bandwidth sharing and potentially starving video and data during congestion. Option C is wrong because CBWFQ does not provide strict priority queuing; voice (EF) would compete with other classes and could be dropped during congestion, violating the requirement that voice is never dropped. Option D is wrong because FIFO queuing with WRED does not offer any bandwidth guarantees or priority treatment; voice would be subject to the same drop probability as other traffic, and the 2:1 ratio for video and data cannot be enforced.
An SP engineer is designing a QoS policy for a customer with three traffic classes: voice (priority), premium data (bandwidth guarantee), and best effort. The total bandwidth is 10 Mbps, with voice limited to 1 Mbps, premium data to 4 Mbps, and best effort to the remaining. Which policy-map configuration correctly uses LLQ and CBWFQ?
Correct: voice uses priority, premium uses bandwidth, default uses fair-queue.
Why this answer
LLQ is used for voice (priority), CBWFQ for premium data (bandwidth), and default class for best effort.
Which TWO statements about MPLS label operations are correct? (Choose two.)
Correct. The ingress adds the label.
Why this answer
At the ingress, a label is pushed; at the egress, the label is popped. Swap occurs at intermediate routers.
Class-maps define match conditions for traffic classification.
Why this answer
Class-maps define match criteria (e.g., match ip dscp 46) to classify traffic in MQC.
Which THREE steps are required when configuring MPLS L3VPN on a PE router? (Choose three.)
The VRF must be created on the PE.
Why this answer
Creating a VRF definition on the PE router is required to separate customer routing tables and forwarding instances in an MPLS L3VPN. The VRF provides the logical isolation needed to keep each customer's routes and traffic distinct, and it is the foundation for associating interfaces, route targets, and VRF-specific routing processes.
Exam trap
Cisco often tests the distinction between configuring route-target values directly under the VRF versus using a route-map; candidates mistakenly think a route-map is required for RT import/export, but route-maps are only used for advanced filtering or attribute modification, not for setting the RT values themselves.
Which architecture feature of IOS XR ensures that a failure in one routing protocol process does not affect other processes on the same router?
Process separation isolates failures.
Why this answer
IOS XR uses a distributed OS with process separation; each protocol runs as a separate process in its own memory space, providing fault isolation.
An engineer is designing an MPLS L3VPN for a customer with multiple sites. The customer requires overlapping IP addresses between sites. Which method allows the provider to support overlapping customer addresses?
Each VRF has its own routing table, and the RD makes routes globally unique even with overlapping IPs.
Why this answer
B is correct because a separate VRF per site with a unique route distinguisher (RD) allows the provider to maintain isolated routing tables for each customer site. This isolation enables overlapping IP addresses between sites, as each VRF treats its prefixes as unique within the MPLS L3VPN backbone, regardless of address duplication.
Exam trap
Cisco often tests the misconception that route targets alone solve overlapping address issues, but the trap here is that route targets control route propagation, not address uniqueness—only the route distinguisher (RD) within a VRF provides the necessary prefix uniqueness.
How to eliminate wrong answers
Option A is wrong because VPLS is a Layer 2 VPN technology that provides Ethernet multipoint connectivity, not IP routing; it does not inherently support overlapping IP addresses without additional mechanisms like VLAN segmentation. Option C is wrong because BGP communities control route distribution and policy (e.g., filtering or preference), but they do not create separate routing tables or address space isolation required for overlapping IPs. Option D is wrong because using the same VRF for all sites with different route targets would merge routes into a single routing table, causing conflicts with overlapping addresses; route targets control import/export policies, not address uniqueness.
An engineer is configuring SR-MPLS in an IS-IS network. Which IS-IS TLV is used to advertise the Segment Routing Global Block (SRGB) and Node-SID assignments?
TLV 242 contains SR-Capabilities and SR-Algorithm.
Why this answer
The IS-IS SR-Capabilities sub-TLV (TLV 242) advertises the SRGB range, while the SR-Algorithm sub-TLV (TLV 242) and Prefix-SID sub-TLV (TLV 135) advertise Node-SIDs.
Which THREE YANG data nodes are part of the Cisco-IOS-XR-qos-ma-cfg module for defining a QoS policy-map? (Choose three.)
Correct: The 'class' node groups match and actions.
Why this answer
Option A is correct because the 'class' YANG data node is defined in the Cisco-IOS-XR-qos-ma-cfg module to specify a traffic class within a QoS policy-map. This node allows you to associate a class-map with the policy, enabling differentiated treatment of traffic based on classification criteria.
Exam trap
Cisco often tests the distinction between YANG data nodes and module metadata (like namespace URIs), tricking candidates into selecting the namespace as a valid data node when it is merely a module identifier.
When implementing RPKI for BGP origin validation, which three states can a route be marked as? (Choose three.)
Route origin conflicts with a ROA.
Why this answer
RPKI validation results in three states: valid (matches a ROA), invalid (conflicts with a ROA), and not-found (no ROA exists). These states are used to influence BGP decision.
In SR-MPLS, which mechanism replaces LDP for label distribution?
Correct: IGP distributes SIDs.
Why this answer
Segment Routing replaces LDP by using IGP extensions (IS-IS or OSPF) to advertise Prefix-SIDs and Adjacency-SIDs, eliminating the need for a separate label distribution protocol.
Which THREE of the following are key characteristics of Cisco IOS XR operating system?
Process separation enhances stability.
Why this answer
IOS XR is a distributed OS (A), uses commit/rollback (B), and runs each protocol as a separate process (E). It does not have a monolithic kernel (C) and uses modular packages (D is true but not listed; actually IOS XR uses RPM packages, but 'single image' is false).
A service provider is automating QoS policy deployment using Cisco NSO and YANG. During validation, the engineer discovers that the pushed policy is not taking effect. Which three possible causes should be investigated? (Choose three.)
If the device lacks the required YANG modules, the configuration push may succeed but the policy may not be effective.
Why this answer
Option B is correct because Cisco NSO uses YANG models to translate service definitions into device-specific CLI or NETCONF operations. If the target device does not support the YANG model referenced in the service package, the NETCONF or CLI operations will fail silently or produce no effect, as the device cannot interpret the configuration intent. This is a common validation failure when using model-driven orchestration with heterogeneous device populations.
Exam trap
Cisco often tests the distinction between a configuration that is accepted by the device (no commit errors) versus one that actually takes effect, trapping candidates who assume a successful commit means the policy is active.
An SP is deploying BGP FlowSpec (RFC 8955) to distribute traffic filtering rules. Which component is responsible for disseminating FlowSpec rules to routers in the network?
MP-BGP carries FlowSpec NLRI in address family IPv4/IPv6 FlowSpec.
Why this answer
BGP FlowSpec uses a separate BGP address family (AFI 1, SAFI 133) to carry flow specifications. The rules are encoded as BGP NLRIs and distributed via BGP sessions.
In Cisco IOS XR architecture, using Secure Domain Routers (SDRs) allows partitioning a physical router into multiple logical routers. Which statement about admin plane and SDRs is correct?
Admin plane is dedicated to system management; default SDR is for data plane and control plane services.
Why this answer
The admin plane is a special SDR used for managing the system (e.g., hardware inventory, shared resources). Default SDR is the primary forwarding SDR, but admin SDR is separate.
A service provider wants to ensure that customer traffic is not impacted during a planned maintenance on a core LSR in an MPLS network. Which MPLS feature should be used?
FRR provides sub-50ms protection by pre-computing backup paths.
Why this answer
MPLS TE Fast Reroute (FRR) is the correct feature because it provides local protection against link or node failures by pre-computing backup paths (bypass tunnels) that are activated within 50 milliseconds of a failure. This ensures that customer traffic is not impacted during planned maintenance on a core LSR, as the backup path is already in place and can be triggered by a manual administrative action (e.g., shutting down the interface) to seamlessly redirect traffic before the maintenance begins.
Exam trap
The trap here is that candidates often confuse MPLS TE FRR with MPLS LDP synchronization or MPLS OAM, mistakenly thinking that any 'protection' or 'monitoring' feature can handle planned maintenance, when only FRR provides the sub-50 ms local repair capability required for hitless maintenance.
How to eliminate wrong answers
Option B (MPLS TTL propagation) is wrong because it controls how the TTL field is copied between the IP and MPLS headers for traceroute and hop-count visibility, and it has no role in traffic protection or maintenance scenarios. Option C (MPLS LDP synchronization) is wrong because it ensures that IGP and LDP are synchronized to prevent black-holing during link restoration, but it does not provide fast local protection or pre-computed backup paths for planned maintenance. Option D (MPLS OAM) is wrong because it is a set of tools for fault detection, connectivity verification, and performance monitoring (e.g., LSP ping/traceroute, VCCV), not a mechanism to reroute traffic during maintenance.
A network engineer needs to automate configuration of multiple Cisco routers and wants to use a protocol that supports both datastore operations and selective retrieval of configuration. Which protocol should be used?
NETCONF supports full datastore operations and selective retrieval using XPath filters.
Why this answer
NETCONF (RFC 6241) is the correct choice because it is designed specifically for network configuration management, supporting full datastore operations (e.g., <get-config>, <edit-config>, <copy-config>) and selective retrieval of configuration data using subtree or XPath filtering. This aligns directly with the engineer's requirement for both datastore operations and selective retrieval.
Exam trap
Cisco often tests the distinction between NETCONF and RESTCONF, where candidates may pick RESTCONF because it is simpler or more modern, but the question's emphasis on 'selective retrieval' and 'datastore operations' points to NETCONF's richer filtering and transactional capabilities.
How to eliminate wrong answers
Option A (SNMPv3) is wrong because it is primarily a monitoring and fault-management protocol that uses MIBs and OIDs for data retrieval, not a configuration protocol with native datastore operations or selective configuration retrieval. Option B (gRPC) is wrong because it is a high-performance RPC framework that can stream telemetry but lacks standardized datastore operations and selective configuration retrieval as defined in NETCONF. Option D (OpenFlow) is wrong because it is a southbound protocol for controlling forwarding tables in SDN switches, not for managing device configurations or datastores.
Option E (RESTCONF) is wrong because while it supports datastore operations and selective retrieval via RESTful APIs, it is a lightweight alternative to NETCONF that uses HTTP methods and JSON/YANG, but the question specifically asks for a protocol that supports both datastore operations and selective retrieval—NETCONF is the more mature, full-featured protocol for this purpose, and RESTCONF is not the best answer when NETCONF is listed.
Which two are requirements for deploying Segment Routing in a service provider network? (Choose two.)
The IGP must support SR extensions.
Why this answer
Segment Routing (SR) relies on an IGP (OSPF or IS-IS) that has been extended to advertise prefix-SIDs and adjacency-SIDs. The IGP extensions (RFC 8665 for IS-IS, RFC 8666 for OSPF) enable routers to compute source-routed paths without a separate signaling protocol. This is a fundamental requirement because SR-MPLS encodes the path as a stack of labels derived directly from the IGP SIDs.
Exam trap
The trap here is that candidates often assume LDP is still required for MPLS forwarding, but SR-MPLS replaces LDP entirely by using IGP-distributed SIDs, so the correct answer requires recognizing that LDP must be disabled, not enabled.
Which Cisco router platform is designed for the aggregation layer and runs IOS XR, supporting both L2 and L3 services at high density?
ASR 9000 is optimized for the aggregation layer with IOS XR.
Why this answer
The ASR 9000 is a widely used aggregation router with IOS XR and supports L2/L3 services. CRS is core, NCS 5500 is edge/aggregation but more focused on 100GE, and ISR is enterprise.
In MPLS-TE, what is the purpose of the Explicit Route Object (ERO) in the RSVP PATH message?
Correct.
Why this answer
ERO specifies the strict or loose hops that the TE LSP must traverse. It allows the headend to enforce a specific path through the network.
An engineer is troubleshooting BGP convergence. The router has multiple paths for a prefix, but it selects a path with a lower local preference over a path with a higher local preference. The higher local preference path is from an EBGP peer. What could cause this?
Correct. Weight is checked before local preference.
Why this answer
B is correct because BGP selects the path with the highest weight first, before considering local preference. Weight is a Cisco-proprietary attribute that is local to the router and takes precedence over all other BGP attributes. Therefore, a path with a lower local preference but a higher weight will be preferred over a path with a higher local preference but a lower weight, even if the higher local preference path comes from an EBGP peer.
Exam trap
Cisco often tests the BGP path selection order by presenting a scenario where a lower-priority attribute (like local preference) is overridden by a higher-priority attribute (like weight), and candidates mistakenly assume that local preference is always the deciding factor because it is the first global attribute in the algorithm.
How to eliminate wrong answers
Option A is wrong because 'bgp deterministic-med' ensures that MED is compared only among paths from the same neighboring AS, but it does not override the weight or local preference comparison order; it affects MED handling, not the local preference selection issue described. Option C is wrong because router ID is used as a tie-breaker only after comparing weight, local preference, AS-path length, origin code, and MED; it cannot override a higher local preference unless all higher-priority attributes are equal. Option D is wrong because MED is compared after local preference in the BGP best-path selection algorithm; a lower MED would only matter if local preference were equal, so it cannot cause a path with lower local preference to be selected over one with higher local preference.
A network engineer is designing an MPLS core using Segment Routing. They want to minimize label stack depth while still providing fast convergence using TI-LFA. Which prefix-SID assignment strategy should be used?
Prefix-SIDs enable TI-LFA with minimal label depth.
Why this answer
Option D is correct because advertising prefix-SIDs for all IGP prefixes allows TI-LFA to compute backup paths using any prefix in the network, not just loopbacks. This minimizes label stack depth by enabling TI-LFA to use a single prefix-SID for the repair path, avoiding the need for additional labels or explicit path constructs. Fast convergence is achieved because TI-LFA precomputes a backup next-hop that can be activated immediately upon failure, and having all prefixes as SIDs ensures the backup path can be expressed with minimal label imposition.
Exam trap
Cisco often tests the misconception that node-SIDs (loopbacks) are sufficient for TI-LFA, but the trap is that TI-LFA requires prefix-SIDs for all prefixes to achieve optimal label stack depth and fast convergence, as node-SIDs alone may force deeper stacks or suboptimal backup paths.
How to eliminate wrong answers
Option A is wrong because assigning a node-SID only to loopback interfaces restricts TI-LFA to using only those loopback addresses as repair targets, which may force deeper label stacks or suboptimal backup paths when the failure involves a non-loopback prefix. Option B is wrong because per-interface label mode from SRGB is used for adjacency-SIDs, not for prefix-SIDs, and TI-LFA relies on prefix-SIDs for fast reroute; adjacency-SIDs would increase label stack depth and are not designed for TI-LFA's loop-free alternate computation. Option C is wrong because per-VRF label allocation on PE routers is a BGP/MPLS VPN concept unrelated to Segment Routing prefix-SID assignment and does not affect TI-LFA convergence or label stack depth in the MPLS core.
In a VXLAN EVPN deployment, a host sends a broadcast ARP request. Which component in the fabric is responsible for replying on behalf of the target host to reduce flooding?
ARP suppression allows VTEP to proxy-reply.
Why this answer
In VXLAN EVPN, ARP suppression is a feature implemented on the ingress VTEP (the VTEP that receives the broadcast ARP request). The ingress VTEP maintains a local ARP/ND cache populated via EVPN Type-2 routes (MAC/IP advertisement routes). When a broadcast ARP request arrives, the ingress VTEP checks its local cache for the target IP; if found, it replies directly on behalf of the target host, suppressing the broadcast and preventing unnecessary flooding across the fabric.
Option C correctly identifies this VTEP as the component responsible for the reply.
Exam trap
Cisco often tests the misconception that the spine switch or the default gateway handles ARP suppression, when in fact it is the ingress VTEP that performs this function using its locally cached EVPN-learned MAC/IP entries.
How to eliminate wrong answers
Option A is wrong because the VTEP that receives the broadcast is the ingress VTEP, which performs ARP suppression only if it has the target host's MAC address in its local table; it does not automatically reply simply because it received the broadcast. Option B is wrong because spine switches in a VXLAN EVPN fabric operate as pure IP underlay routers (typically running an IGP like OSPF or IS-IS) and do not participate in the overlay control plane or maintain ARP caches for tenant hosts. Option D is wrong because the default gateway (anycast IP) is used for routing traffic between subnets, not for replying to intra-subnet ARP requests; ARP suppression is a function of the VTEP, not the gateway.
Which label operation is performed on a router when an MPLS packet arrives with a top label that matches a local label assigned to a directly connected prefix?
Correct operation for directly connected prefix.
Why this answer
If the top label corresponds to a directly connected prefix, the router will pop the label (penultimate hop popping or explicit null) and forward the packet based on the inner header.
An SP is deploying Inter-AS MPLS VPN option B. Which design characteristic is unique to Option B compared to Option A?
Option B uses MP-EBGP between ASBRs to exchange VPNv4 routes.
Why this answer
Exam trap
Cisco often tests the misconception that Option B requires a full mesh of MP-IBGP sessions (like Option A), when in fact it uses MP-EBGP between ASBRs to eliminate that requirement.
How to eliminate wrong answers
Option B is wrong because a full mesh of MP-IBGP sessions between all PEs is a requirement for Option A (Inter-AS MPLS VPN Option A), not Option B; Option B uses MP-EBGP between ASBRs to avoid this full mesh. Option C is wrong because ASBRs in Option B do not maintain separate VRFs for each VPN; they use a single global routing table with VPNv4 prefixes and label forwarding, whereas Option A requires per-VPN VRFs on ASBRs. Option D is wrong because traffic in Option B is forwarded using MPLS labels (not IP) between ASBRs, leveraging label stacking for end-to-end transport; IP forwarding would be used in Option A or in non-MPLS scenarios.
A network engineer is designing a new MPLS core. Which three of the following are recommended best practices for MPLS LDP configuration? (Choose three.)
LDP authentication protects against spoofing and is a security best practice.
Why this answer
C is correct because enabling LDP authentication using MD5 protects the LDP session from spoofing and tampering by verifying the integrity of TCP segments exchanged between LDP peers. This is a recommended security best practice in MPLS networks to prevent unauthorized label distribution and route hijacking.
Which TWO QoS mechanisms are used to provide congestion avoidance? (Choose two.)
RED (Random Early Detection) is a congestion avoidance mechanism.
Why this answer
RED (Random Early Detection) and WRED (Weighted Random Early Detection) are congestion avoidance mechanisms that proactively drop packets before a queue becomes full, signaling TCP senders to reduce their transmission rate. Unlike congestion management tools (like CBWFQ or LLQ) that queue packets during congestion, RED/WRED monitor average queue depth and drop packets probabilistically to prevent tail drops and global TCP synchronization.
Exam trap
Cisco often tests the distinction between congestion management (queuing/scheduling) and congestion avoidance (active queue management), so the trap here is that candidates confuse mechanisms like CBWFQ or LLQ (which manage congestion after it occurs) with RED/WRED (which avoid congestion by dropping packets early).
In SRv6 micro-SID (uSID) compression, which part of the SID is used to carry a compressed instruction set, enabling efficient forwarding with a shorter SID list?
The function part encodes the behavior in compressed form.
Why this answer
The micro-SID block consists of a locator followed by compressed function and argument, reducing the SID list size.
In a Carrier Supporting Carrier (CSC) architecture, which condition is necessary for the customer carrier's BGP routes to be carried over the provider carrier's MPLS backbone?
For the provider carrier to switch MPLS packets, the BGP next-hop must be reachable via the IGP and have a label binding.
Why this answer
In a Carrier Supporting Carrier (CSC) architecture, the provider carrier's MPLS backbone must be able to forward packets toward the BGP next-hop of the customer carrier's routes. For this to happen, the BGP next-hop (typically a loopback interface on the customer carrier's PE router) must be reachable via an IGP (e.g., OSPF or IS-IS) running within the provider carrier's core. Without IGP reachability to that next-hop, the provider carrier's P routers cannot perform MPLS label switching to deliver traffic to the customer carrier's egress router, breaking end-to-end connectivity.
Exam trap
Cisco often tests the misconception that route-target matching (Option B) is required for CSC, when in fact the critical requirement is IGP reachability to the BGP next-hop, not VRF route-target alignment.
How to eliminate wrong answers
Option B is wrong because route-target matching is used in MPLS Layer 3 VPNs to control route import/export between VRFs, but in CSC the customer carrier's BGP routes are carried as VPNv4 routes across the provider carrier's backbone; the provider carrier does not need its VRF to match the customer carrier's route-target — instead, the provider carrier uses its own VRF to import/export routes based on configured policies. Option C is wrong because the provider carrier and customer carrier can be in different autonomous systems; CSC explicitly supports inter-AS scenarios where the customer carrier operates its own AS and runs eBGP with the provider carrier. Option D is wrong because LDP is used for label distribution within the provider carrier's MPLS core, but the customer carrier can use any label distribution protocol (e.g., LDP, RSVP-TE, or even BGP-labeled unicast) — LDP is not a mandatory condition for the customer carrier's BGP routes to be carried over the provider carrier's backbone.
In an MPLS L3VPN network, a customer has overlapping IP addresses between two VPNs. The provider edge routers are configured with VRF instances. Which method ensures that traffic from one VPN does not leak into the other when using MPLS labels?
RTs control which routes are imported into a VRF, preventing leakage.
Why this answer
Route targets (RTs) control the import and export of VPNv4 routes between VRFs on a PE router. By assigning distinct import and export RTs per VRF, the PE ensures that routes from one VPN are not installed into the routing table of another VPN, even if the customer uses overlapping IP addresses. MPLS labels are allocated per VRF forwarding instance, but the isolation is enforced by the RT-based filtering of BGP VPNv4 routes, not by label ranges or route distinguishers alone.
How to eliminate wrong answers
Option A is wrong because MPLS label ranges are allocated per forwarding equivalence class (FEC) or per platform, not per VRF; different label ranges do not prevent route leakage since labels are only locally significant and do not filter route distribution. Option B is wrong because BGP community strings are used for route policy and attribute manipulation, but they do not provide the mandatory import/export filtering mechanism that RTs enforce; communities are optional and can be overridden. Option D is wrong because route distinguishers (RDs) make IPv4 prefixes unique across VPNs, but they do not control route import/export; two VRFs with different RDs can still leak routes if they share the same RTs.
This community specifically carries the OSPF domain ID.
Why this answer
In an MPLS L3VPN where OSPF is the PE-CE protocol, the OSPF Domain ID extended community is used to signal the OSPF domain identifier between PE routers. This allows the receiving PE to determine whether the OSPF route originated from the same OSPF domain (and thus should be redistributed as an intra-area or inter-area route) or from a different domain (requiring a Type 5 LSA). The OSPF Domain ID is carried as a BGP extended community (type 0x0005 or 0x8005) and is critical for maintaining OSPF route type semantics across the MPLS backbone.
Exam trap
Cisco often tests the confusion between the OSPF Domain ID and the OSPF Route Type extended communities, where candidates mistakenly think the Route Type carries the domain information, but in reality the Route Type only encodes the OSPF path type and metric, while the Domain ID identifies the originating OSPF domain.
How to eliminate wrong answers
Option A is wrong because the Site of Origin (SoO) extended community is used to prevent routing loops in MPLS L3VPN environments, not to signal the OSPF domain ID. Option C is wrong because the OSPF Route Type extended community carries the OSPF route type (e.g., intra-area, inter-area, external) and the metric type, but it does not convey the domain identifier. Option D is wrong because the Route Target extended community controls VPN route import/export between VRF instances and has no role in signaling OSPF domain identity.
Refer to the exhibit. An engineer is troubleshooting packet loss in the MPLS core. For prefix 10.3.3.0/24, the outgoing label is 'Untagged'. What does this indicate?
Untagged means no label.
Why this answer
When the outgoing label for a prefix in the MPLS forwarding table shows 'Untagged', it means that for packets destined to that prefix, no MPLS label is imposed. The router will forward the packet as a standard IP packet (without an MPLS header) out the egress interface. This typically occurs when the next-hop router has signaled an implicit null label (label 3) via LDP, instructing the upstream router to pop the label stack and send the packet as IP.
Exam trap
Cisco often tests the distinction between 'Untagged' (meaning no label is imposed, typically due to PHP with implicit null) and 'Pop' (which explicitly indicates the label is removed), leading candidates to confuse the two or incorrectly associate 'Untagged' with unreachability.
How to eliminate wrong answers
Option A is wrong because an implicit null label (label 3) causes the upstream router to pop the top label and forward the packet without any label, not to impose label 3. Option B is wrong because 'Untagged' does not indicate unreachability; the prefix is reachable and packets are forwarded as IP. Option C is wrong because the outgoing label being the same as the local label (label 18) would be described as 'Pop' or 'Implicit Null', not 'Untagged'.
Correct. 6VPE uses AFI=2, SAFI=128, and the next-hop is an IPv4 address mapped to IPv6.
A service provider is deploying EVPN-MPLS for L2VPN services. The customer requires that MAC addresses learned from one PE are not advertised to other PEs unless they are active. Which EVPN route type is used for MAC address withdrawal?
MAC addresses are advertised in Type 2 routes; withdrawal is done by withdrawing the route.
Why this answer
Option C is correct because EVPN Route Type 2 (MAC/IP Advertisement) carries both MAC addresses and their associated IP addresses, and it supports a 'sticky' or 'withdraw' mechanism via the BGP Withdraw message. When a MAC address becomes inactive on a PE, the PE sends a BGP Withdraw for the specific Route Type 2 route, effectively removing that MAC from the control plane of other PEs. This ensures that only active MAC addresses are advertised, meeting the customer requirement.
Exam trap
Cisco often tests the distinction between Route Type 2 for individual MAC withdrawal and Route Type 1 for mass Ethernet segment withdrawal, leading candidates to confuse the two when the question specifies 'MAC addresses learned from one PE' rather than a segment-level failure.
How to eliminate wrong answers
Option A is wrong because Route Type 5 (IP Prefix) is used for inter-subnet forwarding (EVPN-VPN) to advertise IP prefixes, not for MAC address withdrawal. Option B is wrong because Route Type 1 (Ethernet Auto-Discovery) is used for mass withdrawal of all MAC addresses associated with an Ethernet segment (e.g., during link failure) or for aliasing/backup paths, not for individual MAC address withdrawal. Option D is wrong because Route Type 3 (Inclusive Multicast Ethernet Tag) is used to advertise multicast tunnel endpoints for BUM traffic, not for MAC address withdrawal.
A network operator is deploying Segment Routing with TI-LFA across an OSPF network. After configuring OSPF with 'segment-routing mpls' and 'fast-reroute per-prefix', they notice that backup paths are not being installed for some prefixes. 'Show ip ospf segment-routing protected' shows 'No FRR backup' for those prefixes. What is a possible reason?
TI-LFA uses adjacency-SIDs to create the repair path.
Why this answer
Option D is correct because TI-LFA (Topology Independent Loop-Free Alternate) for per-prefix fast-reroute in OSPF requires that adjacency-SIDs be configured on neighboring routers. Without adjacency-SIDs, OSPF cannot compute the necessary repair paths to provide backup protection, resulting in 'No FRR backup' for those prefixes.
Exam trap
Cisco often tests the misconception that TI-LFA works automatically with just 'fast-reroute per-prefix', when in fact adjacency-SIDs are a prerequisite for the repair path computation in OSPF.
How to eliminate wrong answers
Option A is wrong because LDP label distribution being active does not prevent OSPF from installing TI-LFA backup paths; OSPF Segment Routing and LDP can coexist, and the issue is specifically about SR-TI-LFA operation. Option B is wrong because a non-globally unique prefix-SID index would cause label conflicts or forwarding issues, but it would not prevent the installation of backup paths via TI-LFA; the 'No FRR backup' output indicates a failure in repair path computation, not a label allocation problem. Option C is wrong because OSPF does support TI-LFA for per-prefix prefixes when properly configured with adjacency-SIDs; the statement that OSPF does not support it is incorrect.
A service provider is deploying MPLS L3VPN and wants to ensure that routes from a specific customer VRF are only advertised to a specific remote PE. Which mechanism should be used?
Correct. A route-map on export can filter routes before they are advertised to other PEs via VPNv4.
Why this answer
A route-map applied to the VRF export statement allows granular control over which routes are advertised to specific BGP VPNv4 neighbors. By matching on route targets or other attributes, the route-map can filter outbound routes per neighbor, ensuring that routes from a specific customer VRF are only sent to a designated remote PE.
Exam trap
Cisco often tests the misconception that route-distinguishers or next-hop-self control route advertisement scope, when in fact they serve entirely different purposes (prefix uniqueness and next-hop resolution, respectively).
How to eliminate wrong answers
Option B is wrong because configuring a separate VPNv4 address-family for that PE does not inherently restrict which VRF routes are advertised; it merely creates a separate BGP session, but without additional filtering, all VPNv4 routes would still be exchanged. Option C is wrong because a unique route-distinguisher per VRF is used to make IPv4 prefixes unique across VRFs, not to control advertisement scope; it does not filter which routes are sent to specific PEs. Option D is wrong because setting next-hop-self on the PE changes the next-hop IP address in BGP updates but does not limit which routes are advertised to a particular remote PE.
Which BGP attribute is used to influence inbound traffic to an AS by advertising a preferred path to a neighbor AS?
MED is used to influence inbound traffic from a neighbor AS.
Why this answer
MED (Multi-Exit Discriminator) is sent to a neighboring AS to suggest the best entry point into the local AS. Lower MED is preferred.
A service provider is migrating from a legacy MPLS network using LDP to Segment Routing (SR-MPLS). They have enabled SR on all routers and are using IS-IS. The migration plan is to keep LDP running alongside SR during the transition. After enabling SR, some traffic is being forwarded using the SR path, but the network operator notices that some CEs in an L2VPN are experiencing packet loss during failover scenarios. Troubleshooting shows that the primary pseudowire is using SR labels, but the backup pseudowire is still using LDP labels. The backup path is not working correctly. What is the most likely cause?
If LDP sessions are down for the backup path, the backup pseudowire cannot use SR labels, leading to packet loss.
Why this answer
During coexistence of LDP and SR, there might be a mismatch in label switching. The backup pseudowire might be using LDP labels that are not consistent with the SR forwarding plane. The most likely cause is that the backup path is not properly programmed to use SR labels, or the LDP session for the backup path is down.
The correct action is to ensure that the pseudowire's backup signaling is using the same transport mechanisms as the primary, or to disable LDP gradually.
A service provider is experiencing intermittent multicast issues in their core network. They use PIM-SM with a static RP at 10.1.1.1. The multicast traffic originates from a source connected to PE1 and is received by customers connected to PE2. Recently, after a firewall upgrade between the PE routers and the core, some multicast streams stopped working, while others continue. The network team notices that 'show ip mroute' on PE2 shows the (*, G) entry but not the (S, G) entry for the affected groups. The RP is reachable via OSPF. The firewall logs show no dropped packets for known multicast addresses. Which action should the engineer take to restore full multicast forwarding?
A static RP on PE2 ensures that the source's registration reaches the RP even if the firewall blocks unicast PIM register messages. This allows the (S,G) to be formed.
Why this answer
Option B is correct. The firewall upgrade likely blocked PIM register messages from PE1 to the RP, preventing the RP from learning about the source. By configuring a static RP on the customer-facing interface or using a different RP that can receive registration, the (S,G) state can be built.
Option A is wrong because PIM-SM is correct for sparse-mode groups. Option C is wrong because adjusting timers would not fix the absence of (S,G). Option D is wrong because Auto-RP would add complexity and might be blocked by the firewall as well.
Correct; DSCP 46 (EF) is used for voice.
Why this answer
DSCP 46 (binary 101110) corresponds to the Per-Hop Behavior (PHB) of Expedited Forwarding (EF), which is defined in RFC 3246 for low-loss, low-latency, and low-jitter treatment. Voice traffic requires the highest priority in a DiffServ domain, and EF (DSCP 46) is the standard marking for voice bearer packets to ensure they receive strict priority queuing.
Exam trap
Cisco often tests the distinction between voice bearer (DSCP 46/EF) and voice signaling (DSCP 26/AF31), so the trap here is that candidates may confuse DSCP 26 (signaling) with the highest priority for voice payloads.
How to eliminate wrong answers
Option A (DSCP 26) is wrong because DSCP 26 (binary 011010) corresponds to Assured Forwarding (AF31), which is used for data traffic requiring a guaranteed bandwidth but not the strict priority needed for real-time voice. Option C (DSCP 34) is wrong because DSCP 34 (binary 100010) corresponds to AF41, which is a high-priority data class but still not the Expedited Forwarding PHB required for voice. Option D (DSCP 0) is wrong because DSCP 0 is the default Best Effort (BE) PHB, which provides no priority treatment and would cause voice packets to be dropped or delayed under congestion.
A service provider deploys BGP route reflectors in the core. Which mechanism prevents routing loops within the route reflector cluster?
Originator-id identifies the originator; if a router receives its own originator-id, it discards the route.
Why this answer
The originator-id attribute is set by the route reflector to the router-id of the originating router, preventing loops by checking if the originator-id matches the local router-id.
A service provider operates a large MPLS VPN network using OSPF as the IGP and LDP for label distribution. The PE routers (PE1, PE2, PE3) are connected to a core of P routers. Recently, a new link was added between P2 and P3. After the link came up, the engineering team noticed that several VPN routes that were previously reachable via PE2 are now being blackholed when traffic is sent from PE1 to those prefixes. The teams verify that the VPNv4 routes are present in the BGP table on PE1 with valid next-hops, but traffic fails. The traceroute from PE1 to the CE behind PE2 stops at P2. The show mpls forwarding-table on P2 shows the correct label for the VPN prefix, but the outgoing interface is null. Which action should the engineer take to resolve the issue without causing additional disruption?
Correct. This forces LDP to re-establish and exchange labels, likely resolving the missing label.
Why this answer
The issue is that P2 has a label for the VPN prefix but a null outgoing interface, indicating an LDP label mapping problem. Clearing LDP neighbor sessions on P2 forces re-establishment of LDP sessions and re-exchange of label bindings, which should resolve the missing or incorrect label mapping for the BGP next-hop without disrupting other services.
How to eliminate wrong answers
Option B is wrong because adding a static route to Null0 for the BGP next-hop would blackhole all traffic to that next-hop, worsening the issue. Option C is wrong because shutting down the new link between P2 and P3 is a disruptive workaround that does not address the root cause (LDP label inconsistency) and may cause routing loops or suboptimal paths. Option D is wrong because clearing BGP sessions on PE1 would only re-advertise VPN routes but does not fix the underlying MPLS label forwarding issue on P2; the VPNv4 routes are already present with valid next-hops in BGP.
An SP is designing a QoS policy for a customer VPN that carries voice, video conferencing, and bulk data. The voice traffic requires low latency, video conferencing requires assured bandwidth, and bulk data should use any remaining bandwidth. Which queuing strategy should be applied on the PE-CE link?
LLQ provides strict priority for voice, and CBWFQ allows bandwidth guarantees for video and bulk data.
Why this answer
LLQ provides a strict priority queue for voice (low latency) and CBWFQ for other classes with bandwidth guarantees. Video conferencing can be assigned to a class with a bandwidth percent, and bulk data to the default class with fair queuing.
A network engineer is automating BGP configuration using the Cisco IOS-XE YANG model. They want to enable the 'always-compare-med' feature under BGP. Which XPath expression correctly targets this leaf?
Correct path according to Cisco IOS-XE YANG model.
Why this answer
Option B is correct because the Cisco IOS-XE native YANG model (urn:cisco:params:xml:ns:yang:cisco-native) structures BGP configuration under /native/router/bgp/scope/global/always-compare-med. The 'scope' container is required to differentiate between global and VRF-specific BGP settings, and 'always-compare-med' is a leaf within the global scope. This path accurately reflects the hierarchical model used by Cisco for BGP automation.
Exam trap
Cisco often tests the exact hierarchical path in the native YANG model, and the trap here is that candidates assume a simplified path like /bgp/global/always-compare-med or forget the mandatory 'scope' container, leading them to choose an incomplete or incorrect XPath expression.
How to eliminate wrong answers
Option A is wrong because /bgp/global/always-compare-med does not match the Cisco IOS-XE native YANG model; the root must be /native/router/bgp and the 'scope' container is mandatory. Option C is wrong because /native/router/bgp/always-compare-med omits the 'scope/global' container, which is required to correctly target the global BGP configuration leaf. Option D is wrong because /router/bgp/global/always-compare-med lacks the /native root and the 'scope' container, and does not follow the Cisco native YANG model structure.
In Segment Routing for MPLS (SR-MPLS), which TLV is used in IS-IS to advertise the Node SID?
Correct: TLV 149 is SR-MPLS SID/Label Binding.
Why this answer
IS-IS uses the SR-Capabilities sub-TLV and the SR-Algorithm sub-TLV, but the Node SID is advertised in the SR-MPLS SID/Label Binding TLV (TLV 149) with a sub-TLV. The exact TLV is 149 for SR-MPLS.
A service provider wants to provide IPv6 connectivity over an existing MPLS IPv4 core using BGP extensions. Which technology should be used?
6PE uses BGP to carry IPv6 over MPLS with IPv4 next-hop.
Why this answer
6PE (IPv6 Provider Edge) uses BGP to carry IPv6 prefixes with an IPv4 next-hop over an MPLS core, avoiding the need for IPv6 in the core.
An MPLS network is experiencing micro-loops during convergence after a link failure. The network uses LDP and IS-IS as IGP. Which of the following solutions can prevent micro-loops during IGP convergence without requiring additional protocols?
LFA computes backup paths that avoid loops during convergence.
Why this answer
Option C is correct because LFA (Loop-Free Alternate) is a feature built directly into IGPs like IS-IS and OSPF that precomputes a backup next-hop that does not loop back to the failed link. This prevents micro-loops during IGP convergence without requiring any additional protocols such as RSVP-TE or BGP, making it a lightweight, protocol-integrated solution.
Exam trap
Cisco often tests the distinction between IGP-integrated solutions (LFA) and overlay protocols (RSVP-TE, BGP), so the trap here is assuming that any fast-reroute mechanism requires an additional protocol like RSVP-TE, when LFA is a native IGP feature.
How to eliminate wrong answers
Option A is wrong because MPLS-TE FRR using bypass tunnels requires RSVP-TE, an additional protocol beyond the IGP, and is designed for link/node protection in MPLS-TE, not specifically for preventing micro-loops during IGP convergence. Option B is wrong because BGP PIC (Prefix Independent Convergence) is a BGP feature that improves convergence for BGP routes, not for IGP routes, and does not address micro-loops caused by IGP convergence. Option D is wrong because RSVP-TE with fast-reroute also requires RSVP-TE as an additional protocol and is focused on MPLS-TE tunnel protection, not on preventing micro-loops during IGP convergence.
Which OSPF network type elects a Designated Router (DR) and Backup Designated Router (BDR) to reduce the number of adjacencies on a multi-access segment?
Broadcast elects DR and BDR.
Why this answer
Broadcast network type uses DR/BDR election. Point-to-point and NBMA do not elect DR/BDR (NBMA does elect DR/BDR but is less common).
A service provider is deploying MPLS L2VPN using Virtual Private Wire Service (VPWS). After configuration, the two CEs cannot ping each other. The PE routers show the xconnect interface is up, but no MAC addresses are learned. What is the most likely cause?
VC ID must match for the pseudowire to be established.
Why this answer
In MPLS L2VPN VPWS, the VC ID (Virtual Circuit ID) must match on both PE routers to establish the pseudowire between them. A mismatch prevents the pseudowire from coming up, so even though the local xconnect interface shows as up (because the attachment circuit is operational), no MAC learning can occur because the pseudowire control plane (e.g., LDP or BGP signaled) fails to bind the two endpoints. This directly explains why the CEs cannot ping and no MAC addresses are learned.
Exam trap
Cisco often tests the distinction between local interface status (attachment circuit up) and pseudowire status (VC ID match required), leading candidates to mistakenly focus on MTU or encapsulation issues when the real problem is a control plane mismatch.
How to eliminate wrong answers
Option A is wrong because an MTU less than 1500 on core links would cause fragmentation or drop of large packets, but it would not prevent the pseudowire from being established or MAC learning; the xconnect interface would still show up and MACs could be learned if the control plane is functional. Option B is wrong because the control word is an optional feature for operations like sequencing or fragmentation; a mismatch in its configuration does not prevent pseudowire establishment or MAC learning—it may cause packet corruption or drop, but the pseudowire would still come up and MACs could be learned. Option D is wrong because the encapsulation type on the attachment circuit (e.g., Ethernet, VLAN, PPP) must match the CE-facing configuration, but a mismatch between the two PEs would affect how traffic is encapsulated on the local AC, not the pseudowire signaling or MAC learning across the MPLS core; the pseudowire itself would still be established if VC IDs match.
A service provider is troubleshooting an L2VPN where a CE is unable to ping the remote CE. The PE-CE interfaces are up, and the pseudowire status shows 'up'. Which two actions should be taken to further isolate the issue? (Choose two.)
Mismatched VC IDs can cause traffic to be dropped despite pseudowire being up.
Why this answer
Option D is correct because the VC ID (Virtual Circuit ID) must match on both PEs for the pseudowire to be established correctly. If the VC IDs are mismatched, the pseudowire status may show as 'up' due to local signaling, but traffic will not be forwarded between the CEs because the pseudowire endpoints are not logically connected. Verifying the VC ID ensures that the L2VPN circuit is properly configured end-to-end.
Exam trap
Cisco often tests the misconception that a pseudowire status of 'up' guarantees end-to-end connectivity, when in fact control-plane up does not ensure data-plane forwarding if parameters like VC ID or MTU are mismatched.
Which OSPF adjacency type requires DR/BDR election on a multi-access network?
Broadcast networks use DR/BDR election.
Why this answer
On broadcast and NBMA networks, OSPF elects a Designated Router (DR) and Backup Designated Router (BDR) to reduce adjacencies.
Which TWO are characteristics of Segment Routing (SR-MPLS)? (Choose two.)
SR performs source routing by encoding the path as a segment list.
Why this answer
Option A is correct because Segment Routing (SR-MPLS) is a source routing paradigm where the ingress node encodes a list of segment identifiers (SIDs) into the packet header, specifying the path the packet must take through the network. This eliminates the need for per-hop signaling protocols like LDP or RSVP-TE, as each intermediate node simply forwards based on the top SID.
Exam trap
Cisco often tests the misconception that SR-MPLS requires a centralized controller for traffic engineering, but the distributed IGP-based control plane is fully capable of steering traffic using segment lists without any controller.
A service provider is migrating from LDP to Segment Routing in its MPLS core. The team has enabled IS-IS as the IGP and configured segment routing under the IS-IS process on all core routers. However, after the migration, some LSPs are not being signaled correctly and traffic is blackholing. Which action should be taken to ensure seamless interworking between LDP and SR during the migration?
This ensures the router prefers SR labels but still allocates LDP labels for backward compatibility.
Why this answer
Option C is correct because during migration, both LDP and SR need to signal the same labels. The 'segment-routing mpls sr-prefer' command tells the router to prefer SR labels but still maintain LDP forwarding entries for fallback. Option A is incorrect because removing LDP globally would cause loss of LDP sessions for routers not yet SR-capable.
Option B is incorrect because 'mpls ldp igp sync' is for LDP-IGP synchronization, not SR-LDP interworking. Option D is incorrect because OSPF is not the IGP in use.
Practice 350-501 by domain
Target a specific domain to shore up weak areas.