Which TWO configuration steps are required to enable OSPFv3 on a Cisco IOS router for IPv6 routing? (Choose TWO.)
This is required for any IPv6 routing, including OSPFv3.
Why this answer
Which TWO statements about NetFlow version 9 and Flexible NetFlow are true? (Choose TWO.)
Flexible NetFlow uses NetFlow v9 templates to define variable-length flow records.
Why this answer
NetFlow version 9 uses a template-based design, allowing flexible field definitions, which is the foundation for Flexible NetFlow. Flexible NetFlow extends this by allowing user-defined flow records and support for multiple protocols. Option A is false because NetFlow v5 is fixed-format and does not support templates.
Option C is false because Flexible NetFlow can export using NetFlow v9 or IPFIX (NetFlow v10). Option E is false because Flexible NetFlow supports both IPv4 and IPv6.
Which TWO configuration steps are required to apply an IPv4 extended access list to an interface in Cisco IOS? (Choose TWO.)
The ACL must be defined first with permit/deny entries.
Why this answer
Option A is correct because an IPv4 extended ACL must first be defined using either the numbered `access-list` command or the named `ip access-list extended` command before it can be applied. Option B is correct because the `ip access-group` command is the only way to bind a configured ACL to an interface in Cisco IOS, specifying the direction (in or out) and optionally the VLAN filter.
Exam trap
Cisco often tests the distinction between `ip access-group` (for interfaces) and `access-class` (for VTY lines), leading candidates to mistakenly choose `access-class` when the question specifies an interface.
A network engineer redistributes OSPF routes into BGP on router R1. R1 has: router bgp 65001, redistribute ospf 1 route-map RM_OSPF. The route-map RM_OSPF sets metric 100. OSPF routes from area 0 are redistributed, but routes from area 1 are missing in BGP. R1 shows: show ip ospf database shows area 1 routes as inter-area (IA). What is the root cause?
Inter-area routes are internal but the prefix-list restricts to area 0 prefixes only.
Why this answer
By default, when redistributing OSPF into BGP, only intra-area and inter-area routes are redistributed, but external routes (type 5/7) are not. However, the missing routes are inter-area (IA) from area 1, which should be redistributed. The issue is that the route-map RM_OSPF may have a match clause that inadvertently filters IA routes, or the redistribute command may be missing the match internal keyword.
In this case, the redistribute ospf 1 command without any match option defaults to match internal, which includes intra-area and inter-area. But if the route-map has a match ip address prefix-list that only permits specific prefixes, it could filter others. The root cause is that the route-map RM_OSPF uses match ip address prefix-list PL_INTRA which only permits prefixes from area 0, thus filtering inter-area routes from area 1.
An engineer is troubleshooting IPv6 connectivity issues on a switch that has IPv6 First Hop Security features enabled. Clients are unable to obtain a valid IPv6 address via SLAAC. Which TWO configuration changes could resolve this issue? (Choose TWO.)
Correct. If RA Guard is blocking legitimate RAs, permitting the trusted port resolves the issue.
Why this answer
SLAAC relies on Router Advertisements (RAs) from a router. If RA Guard is blocking legitimate RAs, or if ND inspection is dropping them, clients cannot obtain addresses. Option A is correct: if RA Guard is blocking RAs from the legitimate router, adjusting the policy to permit that router's port will fix the issue.
Option D is correct: if ND inspection is enabled and the router's MAC is not in the allowed list, adding it will allow RAs to pass. Option B is incorrect: disabling DHCPv6 snooping would not help SLAAC, as SLAAC does not use DHCPv6. Option C is incorrect: enabling IPv6 Source Guard would not help; it filters source addresses, not RAs.
Option E is incorrect: configuring a DHCPv6 pool is for stateful DHCPv6, not SLAAC.
A network engineer runs the following command on Router R1:
```
R1# show ip policy
Interface            Route-map
GigabitEthernet0/0   PBR-TEST
R1# show route-map PBR-TEST
route-map PBR-TEST, permit, sequence 10
  Match clauses:
    ip address (access-lists): 110
  Set clauses:
    ip next-hop 192.168.100.1
  Policy routing matches: 0 packets, 0 bytes
R1# show access-lists 110
Extended IP access list 110
    10 permit tcp 10.0.0.0 0.255.255.255 any eq 80
    20 permit tcp 10.0.0.0 0.255.255.255 any eq 443
R1# show ip route 192.168.100.1
Routing entry for 192.168.100.1/32
  Known via "ospf 1", distance 110, metric 20
  Last update from 10.1.1.2 on GigabitEthernet0/1
```
Based on this output, what is the most likely reason for zero policy routing matches?
Zero matches indicate that no packets matching the ACL have been received on the interface where PBR is applied.
Why this answer
The access list 110 matches TCP traffic from 10.0.0.0/8 to any destination on ports 80 and 443. The route map is applied to GigabitEthernet0/0, but traffic arriving on that interface may not match these conditions. The next-hop is reachable, so the issue is likely that no traffic matching ACL 110 is entering GigabitEthernet0/0.
A network engineer runs the following command on Router R1:
```
R1# show ip eigrp topology 10.10.10.0/24
EIGRP-IPv4 Topology Entry for AS(100)/ID(192.168.1.1) for 10.10.10.0/24
  State: Passive, Reply status: 0, Originating router: 192.168.1.1
  Routing Descriptor Blocks:
  0.0.0.0 (Null0) from 0.0.0.0, Send flag: 0x0
      Composite metric: (2560000000/0), Route is Internal
      Vector metric:
        Minimum bandwidth: 100000 Kbit
        Total delay: 100 microseconds
        Reliability: 255/255
        Load: 1/255
        Minimum MTU: 1500
        Hop count: 0
```
Based on this output, what is the problem?
EIGRP automatically installs a null0 route for summary addresses to prevent loops.
Why this answer
The route to 10.10.10.0/24 is a local summary or null0 route (via Null0). This is typical for a summary route or a route to a directly connected network. The composite metric of 2560000000/0 indicates a very high metric, which is normal for a null0 route.
There is no problem; this is a common configuration.
Drag and drop the steps to troubleshoot suboptimal routing due to incorrect Administrative Distance values into the correct order, from first to last.
Why this order
The correct order begins by identifying the routing table entries to see which routes are preferred, then checking the AD values of the competing protocols, verifying the configuration of the protocol with the lower AD, adjusting the AD on the desired protocol to make it preferred, and finally confirming the routing table update.
Which BGP message type is used to advertise, withdraw, and update routes?
Correct. UPDATE messages carry route information.
Why this answer
BGP UPDATE messages carry path attributes and NLRI for route advertisements and withdrawals.
Consider the following partial EIGRP configuration on router R1:
```
router eigrp 100
 network 10.0.0.0
 network 192.168.1.0
 summary-address 10.0.0.0 255.255.255.0 5
```
What is the effect of the 'summary-address 10.0.0.0 255.255.255.0 5' command?
Correct. The summary-address command creates a summary route and the optional distance value sets the administrative distance for that summary.
Why this answer
The 'summary-address' command in EIGRP creates a summary route and advertises it out all interfaces enabled for EIGRP. The administrative distance value (5) is optional and sets the distance for the summary route.
A network engineer is troubleshooting an OSPFv2 issue where a router R1 is not receiving a specific route for 10.0.0.0/8 from a neighbor R2. The adjacency is FULL, and 'show ip ospf database' on R1 shows the LSA for 10.0.0.0/8 as a type 5 LSA. However, the route is not in the routing table. 'show ip route 10.0.0.0' shows no route. What is the most likely cause?
A distribute-list can prevent a route from being installed in the routing table even if the LSA is in the database.
Why this answer
If the LSA is in the database, the route should be installed unless there is a filtering mechanism or a routing table issue. One common cause is that the router has a route map that filters the route from being installed. Another possibility is that the router has a static route that is being preferred, but the stem says no route is present.
The most likely cause is that the router has a distribute-list that filters the route.
Which BGP attribute is used as the first tie-breaker in the route selection process when comparing routes from different peers?
Correct. WEIGHT is the first tie-breaker in Cisco BGP.
Why this answer
BGP selects the route with the highest WEIGHT (Cisco proprietary) first, then LOCAL_PREF.
What is the default timeout value (in milliseconds) for an IP SLA operation?
The default timeout is 5000 ms.
Why this answer
The default timeout for IP SLA operations is 5000 milliseconds (5 seconds). If no response is received within this time, the probe is considered failed.
Which TWO configuration steps are required to enable IPv6 RA Guard on a Cisco switch interface? (Choose TWO.)
The policy defines the role (router or host) and other parameters; it is a mandatory step.
Why this answer
RA Guard requires defining a policy that specifies the device role (router or host) and then applying that policy to the interface. Simply enabling 'ipv6 nd raguard' without a policy is not sufficient. The other options are either for different features or incorrect.
A network engineer runs the following command on Router R1:
```
R1# show snmp statistics
SNMP packets input: 150
    Bad SNMP version errors: 0
    Unknown community name: 25
    Illegal operation for community name: 0
    Encoding errors: 0
    Number of requested variables: 300
    Number of altered variables: 0
    Get-request PDUs: 120
    Get-next PDUs: 30
    Set-request PDUs: 0
SNMP packets output: 200
    Too big errors: 0
    No such name errors: 10
    Bad values errors: 0
    General errors: 0
    Response PDUs: 200
    Trap PDUs: 0
```
Based on this output, which statement is correct?
The 'Unknown community name' counter of 25 indicates that many requests used community strings not recognized by the router.
Why this answer
The output shows SNMP statistics. There are 25 'Unknown community name' errors, indicating that some SNMP requests are using community strings not configured on the router. Additionally, there are 10 'No such name errors' in the output, meaning the requested MIB objects do not exist.
No set requests were received.
Which TWO actions will prevent IPv6 traffic with a spoofed source address from being forwarded in a network where BGP is used for routing? (Choose TWO.)
Correct. uRPF loose mode drops packets if the source address is not in the FIB, which helps prevent spoofing.
Why this answer
To prevent spoofed IPv6 traffic, you can use uRPF on edge interfaces to verify source addresses. Additionally, you can use BGP prefix filtering to ensure that only legitimate prefixes are advertised, reducing the chance of spoofed traffic being routed. Another method is to use an inbound IPv6 ACL on the edge interface to block traffic from private or reserved source addresses.
The question asks for two actions among the options.
A large enterprise network uses EIGRP with route summarization. Router R1 has the following configuration: interface GigabitEthernet0/0, ip summary-address eigrp 100 10.0.0.0 255.255.252.0. Router R2 shows: show ip route eigrp includes 10.0.0.0/22 but not 10.0.3.0/24. What is the root cause?
EIGRP summary addresses automatically suppress more specific routes, causing the missing /24.
Why this answer
Option C is correct because the EIGRP `ip summary-address` command on R1 creates a summary route (10.0.0.0/22) that is advertised to R2, and by default EIGRP suppresses the advertisement of all more specific routes that fall within the summary range (10.0.0.0/22 includes 10.0.3.0/24). This is the intended behavior of EIGRP route summarization: the summary route replaces the component routes to reduce routing table size and update overhead.
Exam trap
Cisco often tests the misconception that EIGRP summarization simply advertises a summary route in addition to the more specific routes, when in fact the default behavior is to suppress all component routes within the summary range.
How to eliminate wrong answers
Option A is wrong because the summary address 10.0.0.0/22 is correctly configured to cover the range 10.0.0.0–10.0.3.255; changing it to /24 would only cover 10.0.0.0/24 and would not suppress 10.0.3.0/24. Option B is wrong because there is no evidence of a route filter; the absence of 10.0.3.0/24 is a direct result of the summary address suppression, not a filter. Option D is wrong because if R1's interface were down, R2 would not see the 10.0.0.0/22 summary route either, but the output shows 10.0.0.0/22 is present in R2's routing table.
A network engineer runs the following command on Router R1:
```
R1# show bgp ipv4 unicast 10.5.5.0/24
BGP routing table entry for 10.5.5.0/24, version 12
Paths: (1 available, best #1, table default)
  Advertised to update-groups:
     1
  Refresh Epoch 1
  65007
    10.1.17.7 from 10.1.17.7 (10.7.7.7)
      Origin IGP, metric 0, localpref 100, valid, external, best
      rx pathid: 0, tx pathid: 0x0
```
Based on this output, what does the 'r' in the status codes indicate if present? (Not shown here, but the engineer notices a similar route with 'r' status.)
RIB-failure (r) indicates the BGP route is valid but not installed in the RIB due to a better route from another source.
Why this answer
The 'r' status code stands for RIB-failure, meaning the route is valid in BGP but not installed in the routing table because a route with a lower administrative distance (e.g., from OSPF or EIGRP) already exists.
An engineer configures EIGRP named mode with `address-family ipv4 unicast autonomous-system 100` and applies an offset-list to a neighbor using `offset-list 1 out 1000` under the `af-interface` configuration. Unexpectedly, the offset-list does not affect the feasible distance (FD) as expected, but the advertised distance (AD) is increased. Which is the most likely explanation?
Named mode separates interface-specific and address-family-level offset-lists; only the latter adjusts FD.
Why this answer
In EIGRP named mode, offset-lists applied under the `af-interface` affect only the AD (the metric sent to neighbors), not the FD. To affect the FD, the offset-list must be applied under the `address-family` section using `offset-list <acl> {in|out} <metric>`. This is a subtle difference from classic mode where offset-lists always affect the FD for incoming updates.
Which TWO statements about MPLS label imposition (push) are true? (Choose TWO.)
The ingress LSR pushes a label onto an incoming IP packet to begin MPLS forwarding.
Why this answer
Label imposition occurs at the ingress LSR, which pushes a label onto an unlabeled IP packet. The label is based on the FEC (Forwarding Equivalence Class) derived from the IP destination. The egress LSR pops the label, not imposes it.
In BGP, what is the default administrative distance for eBGP routes?
eBGP routes have a default AD of 20.
Why this answer
The default administrative distance for eBGP is 20, while for iBGP it is 200. This means eBGP routes are more trusted than iBGP routes.
A network engineer runs the following command on Router R1:
```
R1# show ip ospf database summary 172.16.0.0
OSPF Router with ID (1.1.1.1) (Process ID 1)
Summary Net Link States (Area 0)
  LS age: 100
  Options: (No TOS-capability, DC)
  LS Type: Summary Links(Network)
  Link State ID: 172.16.0.0 (Summary Network Number)
  Advertising Router: 2.2.2.2
  LS Seq Number: 80000001
  Checksum: 0x1234
  Length: 28
  Network Mask: /20
        TOS: 0  Metric: 10
```
Based on this output, what does this LSA represent?
This Type 3 LSA advertises a summary route for 172.16.0.0/20 from ABR 2.2.2.2.
Why this answer
This is a Type 3 Summary LSA, which is used to advertise inter-area routes. The Advertising Router is 2.2.2.2, an ABR.
Consider the following configuration:
```
ip vrf CUSTOMER_E
 rd 200:1
 route-target export 200:1
 route-target import 200:1
!
interface GigabitEthernet0/0
 ip vrf forwarding CUSTOMER_E
 ip address 172.16.0.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip vrf forwarding CUSTOMER_E
 ip address 172.16.1.1 255.255.255.0
```
What is the effect of the route-target commands in this VRF-Lite scenario?
This is correct. In VRF-Lite, route-targets are not processed unless there is an MP-BGP configuration.
A network engineer runs the following command on Router R1:
```
R1# show ip access-lists
Extended IP access list 170
    10 permit icmp any any echo (100 matches)
    20 permit icmp any any echo-reply (80 matches)
    30 deny ip any any (10 matches)
```
Based on this output, which statement is correct?
Line 30 denies all other IP traffic, including other ICMP types.
Why this answer
The ACL 170 explicitly permits only ICMP echo (type 8) and echo-reply (type 0) traffic, as shown by the match counters. The final deny ip any any statement blocks all other IP traffic, including other ICMP types and non-ICMP IP protocols. Therefore, only ICMP echo and echo-reply are permitted; all other IP traffic is denied, making option B correct.
How to eliminate wrong answers
Option A is wrong because the ACL does not permit all ICMP traffic; it only permits ICMP echo and echo-reply, while other ICMP types (e.g., destination unreachable, time-exceeded) are denied by the final deny ip any any statement. Option C is wrong because the ACL explicitly denies all IP traffic with the last statement, so it does not permit all IP traffic. Option D is wrong because the show ip access-lists output displays match counters (100 and 80 matches), which indicate the ACL is applied to an interface and actively processing traffic; an unapplied ACL would show zero matches.
A network engineer runs the following command on Router R1:
```
R1# show ip sla statistics 1
IPSLAs Latest Operation Statistics
IPSLA operation id: 1
Type of operation: icmp-echo
        Latest RTT: 10 milliseconds
Latest operation start time: 00:15:30 UTC Mon Mar 1 2021
Latest operation return code: OK
Number of successes: 100
Number of failures: 0
Operation time to live: Forever
```
Based on this output, which statement is correct?
Return code OK, RTT 10 ms, 100 successes.
Why this answer
The output shows an IP SLA operation of type icmp-echo with a return code 'OK', 100 successes, and 0 failures. This indicates the operation is functioning correctly.
A network engineer runs the following command on Router R1:
```
R1# show mpls ldp neighbor
    Peer LDP Ident: 192.168.2.2:0, Local LDP Ident: 192.168.1.1:0
        TCP connection: 10.1.1.2.646 - 10.1.1.1.646
        State: Oper; Msgs sent/rcvd: 100/100; Downstream
        Up time: 00:45:00
        LDP discovery sources:
          GigabitEthernet0/0, Src IP addr: 10.1.1.2
        Addresses bound to peer LDP Ident:
          10.1.1.2        192.168.2.2
```
Based on this output, what is the state of the LDP session?
The 'State: Oper' indicates the session is operational, and the message counts confirm label exchange.
Why this answer
The output shows 'State: Oper', which indicates the LDP session is operational. The 'Downstream' label distribution mode and the fact that messages have been sent and received (100/100) confirm that the session is actively exchanging label information. This matches the correct answer that the LDP session is operational and exchanging label information.
How to eliminate wrong answers
Option B is wrong because the state is 'Oper' (operational), not down; a TCP reset would show a different state like 'Down' or 'Initialized'. Option C is wrong because the 'Oper' state indicates the session is fully established and labels are being exchanged, not in an initialization state where no labels have been exchanged. Option D is wrong because LDP uses TCP (port 646) for session establishment and label exchange, as shown in the output (TCP connection: 10.1.1.2.646 - 10.1.1.1.646); UDP is used only for LDP discovery (hello messages).
Consider the following EIGRP configuration on Router R1:
```
router eigrp 100
 network 10.0.0.0
 passive-interface default
 no passive-interface GigabitEthernet0/0
```
What is the effect of this configuration?
The no passive-interface command on GigabitEthernet0/0 allows neighbor formation only on that interface.
Why this answer
The configuration sets all interfaces to passive by default, then re-enables EIGRP on GigabitEthernet0/0. This means only GigabitEthernet0/0 will send and receive EIGRP hello packets and form adjacencies; all other interfaces will only advertise networks without forming neighbors.
A network engineer runs the following command to verify BFD operation:
```
R1# show bfd neighbors detail
IPv4 Sessions
NeighAddr    LD/RD    RH/RS    State    Int
10.1.1.2     1/2      Up       Up       Gi0/0
Session state is UP and not using echo function.
Session type: single-hop
Local Diag: 0, Demand mode: 0, Poll bit: 0
MinTxInt: 1000000, MinRxInt: 1000000, Multiplier: 3
Received MinRxInt: 1000000, Received Multiplier: 3
Holddown (hits): 0 (0), Hello (hits): 1000/5
Rx Count: 1000, Rx Interval (ms) min/max/avg: 900/1100/1000
Tx Count: 1000, Tx Interval (ms) min/max/avg: 900/1100/1000
```
What does this output indicate?
MinTxInt and MinRxInt are 1,000,000 microseconds (1 second), no echo, and session is UP.
Why this answer
The output shows a BFD session in UP state with consistent transmit and receive intervals around 1000 ms, no echo function, and a multiplier of 3. The session is healthy.
Examine this configuration on router R1:
```
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
 lifetime 86400
!
crypto isakmp key cisco123 address 192.168.1.2
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set TSET
 match address 101
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 crypto map CMAP
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
```
What is missing from this configuration to ensure the tunnel works correctly?
All necessary components: ISAKMP policy, key, transform set, crypto map with peer and ACL, and interface application.
Why this answer
The configuration is complete for a site-to-site IPsec VPN. ISAKMP policy 10 specifies AES-256 encryption, pre-shared key authentication, Diffie-Hellman group 14, and a lifetime of 86400 seconds (the default is 86400, so explicitly setting it is fine). The crypto map CMAP binds the transform set TSET (AES-256, SHA-HMAC) to peer 192.168.1.2 and matches interesting traffic via access-list 101 (10.1.1.0/24 to 10.2.2.0/24).
The interface GigabitEthernet0/1 applies the crypto map. A route to the remote LAN is not required because IPsec encrypts traffic based on the crypto ACL; routing only needs to reach the peer's public IP (192.168.1.2), which is directly connected on the same subnet.
How to eliminate wrong answers
Option B is wrong because a route to the remote LAN 10.2.2.0/24 is not required for IPsec; the crypto ACL defines which traffic is encrypted, and the router only needs a route to the peer's public IP (192.168.1.2), which is directly connected. Option C is wrong because the ISAKMP policy already includes a 'lifetime' value of 86400 seconds, which is valid and matches the default; no lifetime is missing. Option D is wrong because the transform set uses 'mode tunnel' (the default for site-to-site VPNs), which is correct; 'mode transport' is used for host-to-host or GRE-over-IPsec, not for site-to-site.
A large enterprise network is experiencing intermittent reachability to a specific /24 subnet (192.168.10.0/24) from remote sites. Router R1 has the following relevant configuration:
```
interface GigabitEthernet0/0
 ip address 10.0.1.1 255.255.255.0
!
router eigrp 100
 network 10.0.0.0
 network 192.168.0.0
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip summary-address eigrp 100 192.168.0.0 255.255.252.0
!
```
Router R2 shows:
```
R2# show ip route 192.168.10.0
Routing entry for 192.168.0.0/22, supernet
  Known via "eigrp 100", distance 90, metric 30720, type internal
  Last update from 10.0.1.1 on GigabitEthernet0/0, 00:00:15 ago
  * 10.0.1.1, via GigabitEthernet0/0, 00:00:15 ago
```
What is the root cause?
The summary covers only 192.168.0.0-192.168.3.255, excluding 192.168.10.0/24.
Why this answer
The summary route 192.168.0.0/22 is being advertised by R1, but it blocks the more specific /24 route 192.168.10.0/24 if that subnet is not within the summary range (192.168.0.0/22 covers 192.168.0.0 to 192.168.3.255). Since 192.168.10.0/24 is outside this range, it is not summarized and is not advertised separately, causing reachability failure. The correct fix is to adjust the summary prefix to include the missing subnet, or to not summarize.
An engineer configures EIGRP named mode on a DMVPN Phase 3 hub with 'eigrp stub' on the spoke routers. Unexpectedly, when a spoke loses its WAN connection to the hub, the hub's EIGRP table shows the spoke's routes as active (stuck-in-active) for an extended period. Which is the most likely explanation?
In named mode, the stub command only limits the routes the spoke advertises, but the hub still sends queries to the spoke for all routes. If the spoke is unreachable, the query remains active until the active timer expires.
Why this answer
In EIGRP named mode, the stub feature by default includes 'connected' and 'summary' routes, but not 'static' or 'redistributed'. If the spoke is configured as a stub with the default settings, it does not advertise any routes beyond its connected interfaces. However, if the spoke has a loopback or other network that is not directly connected to the EIGRP process, the hub may still query the spoke for those routes, and if the spoke is unreachable, the query times out, causing a stuck-in-active.
The corner case is that the stub configuration in named mode does not suppress query propagation for all routes unless explicitly configured with 'leak-map' or 'receive-only'.
What is the default behavior of an IPv4 access control list (ACL) when no explicit permit or deny statement matches a packet?
Correct. All ACLs have an implicit deny any at the end.
Why this answer
By default, IPv4 ACLs have an implicit deny any statement at the end. If a packet does not match any explicit permit or deny entry, the implicit deny any is applied, causing the packet to be dropped. This behavior is fundamental to ACL security, ensuring that only explicitly permitted traffic is allowed.
Exam trap
Cisco often tests the misconception that an ACL with no matching entries will permit traffic by default, or that the ACL is simply ignored, when in fact the implicit deny any silently drops all unmatched packets.
How to eliminate wrong answers
Option A is wrong because the default behavior is to deny, not permit; an ACL does not permit unmatched packets. Option C is wrong because logging is not a default action for unmatched packets; logging is only performed if explicitly configured with a log keyword on a permit or deny statement. Option D is wrong because the ACL is never ignored; the implicit deny any is always present and enforced, so unmatched packets are dropped, not forwarded.
A network administrator configures an ACL to filter routes during redistribution, but management traffic stops working. Router R1 config:
```
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
!
router eigrp 100
 redistribute ospf 1 route-map FILTER
!
route-map FILTER permit 10
 match ip address 100
```
```
R1# show ip route 10.1.1.1
Routing entry for 10.1.1.1/32
  Known via "connected", distance 0, metric 0
  Redistributing via eigrp 100
```
What is the root cause?
The implicit deny at the end of the ACL filters out management routes, causing them not to be redistributed.
Why this answer
The ACL only permits 10.0.0.0/8, but the management traffic may use a different source or destination. The implicit deny at the end of the ACL blocks all other routes, including management prefixes. The fix is to add a permit statement for the management network or use a more specific ACL.
A network engineer runs the following command on Router R1:
```
R1# show policy-map control-plane
 Control Plane
  Service-policy input: CoPP-IN
    Class-map: CoPP-BGP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group 120
      police:
          cir 32000 bps, bc 6000 bytes, be 6000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
R1# show ip bgp summary
BGP router identifier 1.1.1.1, local AS number 100
BGP table version is 1, main routing table version 1
Neighbor        V    AS  MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
10.1.1.2        4    200 10       10       1       0    0     00:05:00  5
```
Based on this output, what is the most likely problem?
The zero packet count indicates the class is not matching, but BGP is working, so traffic is matched by class-default.
Why this answer
The CoPP-BGP class shows zero packets, but the BGP session is established and exchanging messages. This indicates that BGP traffic is not being classified by the CoPP-BGP class, likely because the access-group 120 is not matching the BGP packets. The BGP session is up, so the traffic is being processed by the class-default instead.
Without tagging, the router cannot prevent re-redistribution of its own routes, leading to a loop.
Why this answer
Mutual redistribution without route tagging can cause a routing loop because a route redistributed from OSPF into EIGRP may be redistributed back into OSPF, creating a feedback loop. Without a tag to mark the origin, the router cannot distinguish between a route it originated and one it learned from another protocol.
Review the following OSPF configuration on router R4:
```
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
 area 1 range 10.0.0.0 255.255.255.0
```
What is missing or incorrect in this configuration for proper route summarization?
Correct. The area range command only works if the router is an ABR, meaning it has interfaces in multiple areas.
Why this answer
The area range command is used on an ABR to summarize routes from one area into another. Here, area 1 is specified, but router R4 only has network statements in area 0, so it is not an ABR for area 1. The command will have no effect.
A company uses EIGRP with route redistribution from OSPF. After configuring Flexible NetFlow to monitor traffic, engineers notice that some routes are missing from the routing table. Router R1 has: router eigrp 100 redistribute ospf 1 metric 10000 100 255 1 1500 route-map FILTER-OSPF. The route-map FILTER-OSPF uses a match ip address prefix-list ALLOWED. The prefix-list ALLOWED permits 10.0.0.0/8 le 24. However, a specific route 10.1.0.0/16 is not being redistributed. What is the root cause?
If the route-map uses match flow monitor, it will not match any route because routes are not flows. This is a common misconfiguration when combining NetFlow with route-maps.
Why this answer
The prefix-list permits 10.0.0.0/8 le 24, meaning it allows prefixes with a length up to /24. The route 10.1.0.0/16 has a prefix length of /16, which is less than 24, so it should be permitted. However, the issue may be that the route-map also has a match statement for a flow monitor or NetFlow parameters that inadvertently filter the route.
Alternatively, the redistribution may be affected by the order of operations: the route-map is applied to redistribution, but if the route-map also references a flow monitor (e.g., match flow monitor), it will not match routes. The correct answer is that the route-map includes a match flow monitor statement that only matches traffic flows, not routes, causing the route to be denied.
A network engineer is troubleshooting a route redistribution issue between OSPF and EIGRP. Routers R1 (OSPF) and R2 (EIGRP) are redistributing routes into each other. The engineer notices that some OSPF external routes are not appearing in the EIGRP topology table on R2, although the redistribution is configured. The show ip eigrp topology command on R2 does not list the missing prefixes. What is the most likely cause?
Correct: Without match external, OSPF external routes are not redistributed into EIGRP.
A network engineer configures IPv6 Source Guard on an interface:
    interface GigabitEthernet0/3
     ipv6 verify source
What is the immediate effect of this command?
IPv6 Source Guard checks source IPv6 and MAC against the binding table; unmatched traffic is dropped.
Why this answer
IPv6 Source Guard with no additional parameters uses the DHCPv6 snooping binding table to validate source addresses. It filters traffic based on source IPv6 and MAC addresses.
A network engineer runs the following command on Router R1:
    R1# show ipv6 interface gigabitethernet 0/0 | include uRPF
    IPv6 uRPF: loose mode
Based on this output, what is the operational state of uRPF on this interface?
The output confirms loose mode uRPF.
Why this answer
The command 'show ipv6 interface gigabitethernet 0/0 | include uRPF' returns 'IPv6 uRPF: loose mode', which directly indicates that unicast Reverse Path Forwarding (uRPF) is enabled and operating in loose mode on this interface. Loose mode checks only that a source address exists in the routing table, without requiring that the incoming interface matches the best return path.
Exam trap
Cisco often tests the distinction between 'loose mode' and 'strict mode' by presenting output that clearly states the mode, but candidates may confuse 'loose' with 'disabled' or incorrectly assume that any uRPF output implies strict mode.
How to eliminate wrong answers
Option A is wrong because the output explicitly shows 'IPv6 uRPF: loose mode', which means uRPF is enabled, not disabled. Option B is wrong because the output specifies 'loose mode', not 'strict mode'; strict mode would require both a matching routing table entry and that the incoming interface is the best return path. Option D is wrong because the command is specific to IPv6 (as indicated by 'ipv6 interface'), and the output confirms IPv6 uRPF is active; uRPF for IPv4 is configured separately under the 'ip verify unicast source reachable-via' command.
An engineer configures unicast Reverse Path Forwarding (uRPF) in strict mode on an interface. Traffic from a legitimate source IP is being dropped. The network has asymmetric routing. Which is the most likely explanation?
Strict uRPF requires the incoming interface to be the same as the outgoing interface for the source IP; asymmetric routing violates this.
Why this answer
Strict uRPF checks that the source IP of incoming traffic matches the best reverse route via the same interface. In asymmetric routing, traffic may arrive on an interface different from the one the router would use to send traffic back to that source, causing strict uRPF to drop the traffic.
A network engineer is troubleshooting a route summarization issue in a network using RIP. Router R1 is configured with the 'ip summary-address rip 192.168.0.0 255.255.252.0' command on its serial interface. After the configuration, R2, which is connected via that interface, can no longer reach the 192.168.1.0/24 subnet, although other subnets within the summary are reachable. What is the most likely cause?
Correct. In RIP, split horizon prevents a route from being advertised out the interface it was learned on. If the 192.168.1.0/24 subnet was learned on the same interface where the summary is applied, it will not be advertised, causing loss of connectivity.
What is the default BFD hello timer interval on Cisco IOS-XE when BFD is configured on an interface without any explicit timer settings?
The default BFD hello interval is 1000 ms (1 second) on Cisco IOS-XE.
Why this answer
The default BFD hello interval on Cisco IOS-XE is 1000 milliseconds (1 second) unless overridden by the bfd interval command.
An engineer configures SNMPv2c with a community string 'public' and an ACL that permits only the NMS IP address. The NMS can poll the router successfully. Later, the engineer adds a second community string 'monitor' with a different ACL that permits a second NMS. The first NMS now fails to poll. Which is the most likely explanation?
If the engineer used the 'no snmp-server community public' command to reconfigure, the ACL might have been removed; the new configuration might not include the ACL, allowing all IPs or none.
Why this answer
When multiple community strings are configured, the router matches the community string from the request. If the first NMS sends the community string 'public', it should still work. However, if the ACL for 'public' is inadvertently removed or modified, or if the second community string's ACL inadvertently blocks the first NMS, issues can arise.
A network engineer runs the following command to troubleshoot a BGP issue:
    R1# show bgp neighbors 10.1.1.2 received-routes
    BGP table version is 14, local router ID is 1.1.1.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
                  x best-external, a additional-path, c RIB-compressed,
    Origin codes: i - IGP, e - EGP, ? - incomplete
         Network          Next Hop     Metric LocPrf Weight Path
     *>  10.0.0.0/24      10.1.1.2          0    100      0 65001 i
     *>  192.168.1.0/24   10.1.1.2          0    100      0 65001 i
    Total number of prefixes 2
What does this output indicate?
The output shows two prefixes with path AS 65001, received from the neighbor.
Why this answer
The show bgp neighbors received-routes command displays routes received from the neighbor 10.1.1.2. Both routes have next hop 10.1.1.2 and originate from AS 65001. The 'valid' and 'best' status indicates they are installed in the routing table.
What is the default maximum hop count for RIP routes in Cisco IOS?
Correct. 15 is the maximum hop count; 16 is considered infinity.
Two routers R1 and R2 are connected via Ethernet. R1 has:
    interface GigabitEthernet0/0
     ip ospf network point-to-point
R2 has default OSPF network type (broadcast). R1 shows:
    R1# show ip ospf neighbor
    Neighbor ID   Pri   State      Dead Time   Address    Interface
    10.2.2.2        0   FULL/ -    00:00:35    10.1.1.2   GigabitEthernet0/0
R2 shows:
    R2# show ip ospf neighbor
    Neighbor ID   Pri   State      Dead Time   Address    Interface
    10.1.1.1        1   FULL/DR    00:00:30    10.1.1.1   GigabitEthernet0/0
R1 is not installing OSPF routes from R2. What is the root cause?
R1 is configured as point-to-point, R2 as broadcast. This causes R1 to not process Type 2 LSAs from R2.
Why this answer
OSPF network type mismatch: R1 is point-to-point, R2 is broadcast. On the point-to-point side, R1 expects no DR/BDR election and uses a different LSA format. On the broadcast side, R1's output shows its neighbor with priority 0, but R2 shows R1 as DR.
This inconsistency causes adjacency but routes are not exchanged properly due to LSA type mismatch. The fix is to match network types.
Which of the following is a valid 'set' action in a PBR route-map?
This is a standard PBR action to override the routing table.
Why this answer
PBR supports 'set ip next-hop', 'set interface', 'set ip default next-hop', 'set default interface', and 'set ip tos/precedence'. 'set metric' is not a PBR action.
An engineer is troubleshooting a network where R1 and R2 are running iBGP, and R1 learns the prefix 192.168.1.0/24 from R2 with an AD of 200. R1 also learns the same prefix via OSPF from R3 with AD 110. The engineer notices that R1 uses the iBGP route. What configuration change would cause this?
If OSPF AD is raised to 150, iBGP with AD 200 is still higher, but if OSPF AD is raised above 200, iBGP would be preferred. However, raising OSPF to 150 still leaves OSPF preferred. To make iBGP preferred, OSPF AD must be >200 or iBGP AD lowered. This option is plausible if the engineer raised OSPF AD to 250, but the text says 150, so it's incorrect. The correct answer should be that the iBGP AD was lowered to 100 via distance bgp 20 100 200.
In EIGRP, what is the default behavior of auto-summary in IOS-XE versions 15.0 and later?
Cisco changed the default to disabled starting with IOS-XE 15.0.
Why this answer
Cisco IOS-XE 15.0 and later have auto-summary disabled by default for EIGRP, unlike older IOS versions where it was enabled by default.
A network engineer is troubleshooting an issue where IPv6 traffic is being forwarded incorrectly on a switch. The switch is configured with IPv6 Source Guard on access ports. A legitimate host on port Fa0/1 with IPv6 address 2001:db8:1::10 is unable to send traffic to the default gateway. The engineer checks the IPv6 binding table and sees that the host's entry is missing. What is the most likely cause?
Correct because IPv6 Source Guard relies on ND snooping to learn static addresses; without it, the host's traffic is dropped.
Why this answer
IPv6 Source Guard requires a valid binding entry (learned via DHCPv6 snooping or ND snooping) to permit traffic. If the host is using a static IPv6 address, ND snooping must be enabled to learn the binding; otherwise, traffic is dropped.
A network engineer runs the following command on Router PE3:
    PE3# show ip vrf interfaces
    Interface    IP-Address    VRF           Protocol
    Gi0/0        10.1.1.1      CUSTOMER_C    up
    Gi0/1        10.2.2.1      CUSTOMER_D    up
Based on this output, which statement is correct?
The output shows both interfaces are up and assigned to VRFs.
Why this answer
The show ip vrf interfaces command displays VRF-to-interface mappings. Both interfaces are up and assigned to VRFs CUSTOMER_C and CUSTOMER_D respectively. This indicates proper VRF configuration.
DMVPN network with hub R1 and spoke R2. R1 has:
    interface Tunnel0
     ip address 172.16.1.1 255.255.255.0
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     ip nhrp network-id 1
     ip nhrp authentication cisco123
R2 has:
    interface Tunnel0
     ip address 172.16.1.2 255.255.255.0
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     ip nhrp network-id 1
     ip nhrp nhs 172.16.1.1
     ip nhrp authentication cisco123
R2 shows:
    R2# show dmvpn
    Legend: Attrb -> S: Static, D: Dynamic, I: Incomplete
    NHRP domain: 1
    Interface: Tunnel0, IPv4 NHRP Details
    Type:Spoke, NHC:172.16.1.2, NBMA:10.2.2.2
    (no NHRP mappings)
    R2# ping 172.16.1.1 source 172.16.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)
What is the root cause?
Without this command, the hub does not accept NHRP registrations from spokes, so the spoke cannot build a mapping.
Why this answer
The NHRP authentication strings match: R1 has 'cisco123' and R2 has 'cisco123'. But the output shows no NHRP mappings. The issue is that the spoke R2 has not registered with the hub.
This could be due to a mismatch in NHRP network ID, but they match. Another possibility is that the hub's tunnel interface is not configured with 'ip nhrp map multicast dynamic' to accept registrations. Without that, the hub does not add the spoke to its NHRP database, and the spoke cannot resolve the hub's NBMA address.
The ping fails because the spoke has no NHRP mapping for the hub.
An MPLS network is experiencing label distribution failures. Router R1 is an LSR connected to R2. R1's show mpls ldp neighbor shows R2 in OPERATIONAL state, but show mpls ldp bindings shows no label bindings for prefixes learned via OSPF from R2. R1's mpls ldp router-id is 1.1.1.1, and R2's is 2.2.2.2. The OSPF process on R1 advertises the loopback0 interface with ip address 1.1.1.1 255.255.255.255, and R2's loopback0 is 2.2.2.2. The link between them is 192.168.1.0/30. What is the root cause?
If the router-id is not reachable, LDP session may form using the link address, but label bindings for prefixes learned via OSPF may fail because the transport address is not routable.
Why this answer
R1 shows R2 as an LDP neighbor in OPERATIONAL state, meaning the LDP session (TCP port 646) is established. However, no label bindings are exchanged for OSPF-learned prefixes from R2. LDP uses the router-id (1.1.1.1) as the transport address for label binding exchange.
If OSPF does not advertise R1's loopback0 (1.1.1.1/32), R2 cannot reach this address, so LDP cannot complete the label mapping exchange, even though the neighbor session is up. The correct root cause is that R1's LDP router-id is not reachable from R2.
Exam trap
Cisco often tests the distinction between LDP neighbor adjacency (which can form using link-local addresses) and the actual exchange of label bindings, which requires the LDP router-id to be reachable via the IGP; candidates mistakenly assume an OPERATIONAL neighbor state guarantees full label exchange.
How to eliminate wrong answers
Option B is wrong because 'per-prefix' vs 'per-interface' label allocation affects how labels are assigned to FECs, not the exchange of label bindings between LDP peers; the issue is reachability of the transport address. Option C is wrong because there is no evidence of a route-map filtering the loopback route; the question states OSPF advertises the loopback0 interface, and a missing route is more likely due to OSPF not including the loopback in the routing process (e.g., not configured under router ospf). Option D is wrong because LDP sessions use the LDP router-id (not the interface IP) as the transport address by default; even if the interface network is advertised, the session transport address must be reachable, and the problem is specifically the loopback route.
What is missing from this RSPAN configuration on a switch?
    monitor session 1 source interface GigabitEthernet1/0/1 both
    monitor session 1 destination remote vlan 100
Assume VLAN 100 exists but is not configured as an RSPAN VLAN.
This is required to designate the VLAN as an RSPAN VLAN.
Why this answer
For RSPAN to work, the VLAN used as the destination remote VLAN must be configured with the 'remote-span' command. Without it, the session will not function correctly.
A network engineer runs the following command to troubleshoot an EIGRP issue:
    R1# debug eigrp packets update
    *Mar 1 00:10:15.456: EIGRP: received packet with opcode = 2 (Update) on GigabitEthernet0/0, src 10.1.2.2 dst 10.1.2.1
    *Mar 1 00:10:15.456: EIGRP: Update contains 5 routes, version 145, seq 10
    *Mar 1 00:10:15.456: EIGRP: Update update/interval, 10.1.1.0/24 metric 131072
    *Mar 1 00:10:15.456: EIGRP: Update update/interval, 10.2.2.0/24 metric 131072
    *Mar 1 00:10:15.456: EIGRP: Update update/interval, 10.3.3.0/24 metric 131072
    *Mar 1 00:10:15.456: EIGRP: Update update/interval, 10.4.4.0/24 metric 131072
    *Mar 1 00:10:15.456: EIGRP: Update update/interval, 10.5.5.0/24 metric 131072
What does this output indicate?
EIGRP sends periodic updates (every 90 seconds by default) to maintain neighbor state, and this debug shows such an update.
Why this answer
The debug shows an EIGRP Update packet received from 10.1.2.2 containing five routes. This is a normal update, likely sent as a periodic or triggered update. The 'update/interval' indicates the update is being sent due to the periodic update timer.
What is the default EIGRP hello interval on a point-to-point serial interface with bandwidth 1544 Kbps?
Correct. EIGRP default hello interval for point-to-point interfaces with bandwidth >= 1544 Kbps is 5 seconds.
Why this answer
EIGRP uses a default hello interval of 5 seconds on high-speed interfaces (bandwidth >= 1544 Kbps) and 60 seconds on low-speed interfaces (bandwidth <= 1544 Kbps).
Which statement correctly describes the behavior of PBR when the next-hop specified in a 'set ip next-hop' command is unreachable?
If the PBR next-hop is unreachable, the router performs a normal routing table lookup.
Why this answer
If the next-hop is unreachable, PBR will fall back to the normal routing table lookup, unless a 'set ip default next-hop' is configured.
An EIGRP network is experiencing a stuck-in-active (SIA) condition for a route 192.168.1.0/24. R1 has the following configuration: router eigrp 100 network 10.0.0.0 distribute-list prefix PL-FILTER in. R2 shows: 'show ip eigrp topology 192.168.1.0/24' is in active state, and 'show ip eigrp events' shows that R1 sent a query but never received a reply. R1's prefix-list PL-FILTER permits only 10.0.0.0/8. What is the root cause?
EIGRP distribute-lists applied inbound also filter queries. Since the prefix 192.168.1.0/24 is not permitted by PL-FILTER, R1 drops the query and does not send a reply, leaving R2 in active state.
Why this answer
The distribute-list prefix PL-FILTER in on R1 filters incoming routes, but it also affects queries. When R2 sends a query for 192.168.1.0/24, R1 receives it but the distribute-list filters the query (since the prefix is not permitted), so R1 does not process it and does not send a reply. This causes R2 to wait indefinitely for a reply, leading to an SIA condition.
The distribute-list should be applied outbound or should permit the necessary prefixes to allow queries to be processed.
MPLS network: LDP neighbors are down between R1 and R2. R1 shows: show mpls ldp neighbor includes nothing. R2 has: interface GigabitEthernet0/0, mpls ip, but R1 has no mpls ip on its interface. What is the root cause?
mpls ip enables LDP on the interface; missing it stops LDP.
Why this answer
The root cause is that R1's interface is missing the 'mpls ip' command. This command is required on each interface to enable MPLS forwarding and to send LDP hello messages (UDP port 646) to neighbors. Without it, R1 cannot discover R2 as an LDP neighbor, so the LDP session never forms, and 'show mpls ldp neighbor' returns nothing on R1.
Exam trap
Cisco often tests the specific requirement of the 'mpls ip' interface command for LDP neighbor discovery, leading candidates to incorrectly focus on reachability or protocol version issues when the problem is a missing interface-level command.
How to eliminate wrong answers
Option A is wrong because MPLS domains are not a standard concept; LDP operates within a single routing domain (e.g., OSPF or IS-IS area), and mismatched domains would not prevent LDP hellos if interfaces are correctly configured. Option C is wrong because LDP router IDs not being reachable would prevent the TCP session from establishing after hellos are exchanged, but here no hellos are sent at all due to the missing 'mpls ip' command. Option D is wrong because TDP is a Cisco proprietary protocol (pre-standard) that is not used in modern IOS; even if TDP were configured, it would still require the 'mpls ip' command on the interface to send TDP hellos.
A network engineer configures a DMVPN Phase 3 network with EIGRP and uses the 'ip nhrp redirect' and 'ip nhrp shortcut' commands on the hub and spokes. Unexpectedly, spoke-to-spoke traffic still goes through the hub even after the shortcut is established, based on show ip nhrp shortcut output. Which is the most likely explanation?
The NHRP shortcut creates a host route or /32 route, but if the EIGRP route has a lower administrative distance or better metric, the router will use the hub path.
Why this answer
In DMVPN Phase 3, the shortcut is created when the spoke receives a redirect from the hub and sends a resolution request to the target spoke. However, for the shortcut to be used, the routing table must have a route that points to the shortcut next-hop. EIGRP, by default, installs routes with the hub as the next-hop.
The corner case is that the spoke's routing table still prefers the hub as the next-hop because the EIGRP metric for the hub route is lower than the shortcut. The fix is to use 'ip nhrp shortcut' with 'ip nhrp redirect' and ensure that the routing protocol's metric is adjusted (e.g., using offset-list) or that the shortcut is installed with a better metric via NHRP.
What is the default administrative distance for OSPF routes in Cisco IOS?
Correct: OSPF routes have a default administrative distance of 110.
Why this answer
The default administrative distance for OSPF is 110. This is a Cisco IOS default value used when comparing routes from different routing protocols.
In a DMVPN phase 3 network, Router R1 (hub) and R2 (spoke) have an mGRE tunnel. R1 has EIGRP configured over the tunnel with 'no ip split-horizon' and 'distance eigrp 90 100'. R2 has default EIGRP configuration. R2 learns a route to 192.168.1.0/24 via the tunnel with AD 90. Later, R2 also learns the same route via a physical interface from another spoke R3 using EIGRP with AD 90. R2's 'show ip route 192.168.1.0' shows the route via R3. What is the root cause?
Equal AD routes are compared by metric; the tunnel may have higher delay/bandwidth.
Why this answer
EIGRP uses metric (composite) to choose between routes with equal AD. The route via R3 might have a better metric. However, if the distance is changed on R1 to 100 for external routes, the route via R1 might have AD 100, but the question says AD 90.
The correct answer is that the route via R3 is an internal route (AD 90) with a lower metric than the route via R1 (also AD 90), so metric decides. But the trick is that the tunnel interface on R2 might have a higher delay, causing a worse metric.
A network engineer is troubleshooting PBR on a Cisco router where traffic from subnet 172.16.1.0/24 should be forwarded to next-hop 10.10.10.2. The route map 'PBR-172' is applied to interface GigabitEthernet0/0. The engineer notices that the PBR policy is not working at all. The engineer checks the route map configuration and sees 'match ip address 110' and 'set ip next-hop 10.10.10.2'. The engineer also checks the ACL 110 and confirms it matches 172.16.1.0/24. The engineer then checks the interface configuration and sees 'ip policy route-map PBR-172' applied. What should the engineer do next to isolate the issue?
Correct because PBR requires the next-hop to be reachable; if not, traffic uses the routing table.
Why this answer
The engineer should verify that the next-hop 10.10.10.2 is reachable via a directly connected interface or a static route. PBR will not forward traffic to a next-hop that is not in the routing table or not directly connected, and will fall back to the routing table. The engineer can use 'show ip route 10.10.10.2' to check reachability.
Two VRFs on router R1: VRF A and VRF B. R1 has:
    ip vrf A
     rd 100:1
     route-target export 100:1
     route-target import 100:2
    ip vrf B
     rd 100:2
     route-target export 100:2
     route-target import 100:1
R1 shows:
    R1# show ip route vrf A
    B 10.1.1.0/24 [200/0] via 10.2.2.2, 00:00:10
    R1# show ip route vrf B
    B 10.1.1.0/24 [200/0] via 10.2.2.2, 00:00:10
Router R2 (in VRF A) can ping 10.1.1.1, but router R3 (in VRF B) cannot. What is the root cause?
The route is present, but the next hop is not in VRF B, so the route is not usable.
Why this answer
The route targets are misconfigured for route leaking. VRF A exports with RT 100:1 and imports RT 100:2. VRF B exports with RT 100:2 and imports RT 100:1.
This creates a two-way leak, but the route 10.1.1.0/24 is learned via BGP from R2. If R2 is in VRF A, the route is exported with RT 100:1. VRF B imports RT 100:1, so VRF B should have the route.
However, the issue might be that the route is not being advertised to R3 due to BGP next-hop resolution or VRF interface issues. The output shows both VRFs have the route, so the problem is likely that R3 cannot reach the next hop 10.2.2.2 because it is in a different VRF or the interface is not in VRF B. The root cause is that the next hop is not reachable from VRF B.
Which loop prevention mechanism is used by default in RIP within a VRF-Lite configuration?
Split horizon is enabled by default on RIP interfaces.
Why this answer
RIP uses split horizon as a default loop prevention mechanism, which prevents a route from being advertised out the interface from which it was learned.
What is the default size of the logging buffer on a Cisco IOS-XE router if not explicitly configured?
The default buffer size is 4096 bytes.
Why this answer
The default logging buffer size on most Cisco IOS-XE platforms is 4096 bytes. This is a standard default value that candidates should know.
Router R1 and R2 are iBGP peers. R1 learns a route 10.10.10.0/24 from an eBGP peer with local preference 200. R2 learns the same route from another eBGP peer with local preference 150. Both routers redistribute the route into OSPF with default settings. R3, an OSPF router, receives two type-5 LSAs for 10.10.10.0/24: one from R1 with metric 20, one from R2 with metric 10. R3's 'show ip route 10.10.10.0' shows the route via R1. What is the root cause?
OSPF route selection prefers intra-area, then inter-area, then external type-1, then external type-2. Inter-area is preferred over external.
Why this answer
OSPF external routes are compared by metric (cost) first for type-5 routes. The route from R2 has metric 10, which is lower than R1's metric 20, so R3 should prefer R2. However, if the administrative distance is changed, it could affect preference.
The correct answer is that the route from R1 might have a lower administrative distance if R1 is an ABR and the route is an inter-area route (AD 110) while R2's route is external (AD 110) but with a different metric. But both are external. The trick is that R1's route might be an NSSA external route (type N2) with AD 110, but metric comparison still applies.
The correct answer is that the route from R1 is actually an inter-area route (type-3) because R1 is an ABR. Inter-area and external routes have the same AD of 110, but OSPF prefers intra-area > inter-area > external. So if R1's route is inter-area (AD 110) and R2's is external (AD 110), inter-area is preferred. This is the most likely.
Router R4 is configured as an SNMP agent for a large network. The NMS is at 10.10.10.10. The configuration includes: snmp-server community mycom RO, snmp-server host 10.10.10.10 version 2c mycom, snmp-server enable traps. However, the NMS receives no traps. R4's show snmp statistics shows TrapsSent: 0, and show snmp pending shows no pending. The NMS can poll R4 using the community string 'mycom'. What is the root cause?
In certain IOS versions, traps are only sent if the community string has RW privileges. The RO community cannot be used for trap generation.
Why this answer
The community string 'mycom' is used for both read-only access and trap notification. However, the 'snmp-server host' command uses the community string as a key for trap authentication. If the community string is configured as RO, it may not be allowed to send traps because traps require RW access in some implementations.
But more commonly, the issue is that the trap source interface is not configured, and the router uses the outgoing interface IP, which may not be reachable from the NMS. However, the NMS can poll, so reachability is fine. The correct answer is: 'The community string 'mycom' is configured as read-only (RO), but SNMP trap notifications require a read-write (RW) community string on some IOS versions.'
Which TWO commands would a network engineer use to verify the operation of an Embedded Event Manager (EEM) applet that triggers on a syslog pattern? (Choose TWO.)
This command shows the history of EEM events, including syslog-triggered events, allowing verification that the applet fired.
Why this answer
The 'show event manager history events' command displays recent EEM events, including those triggered by syslog patterns, while 'show event manager policy active' lists currently registered and active EEM applets. The other options either show unrelated EEM data or require additional configuration to be useful.
In OSPFv3, what is the purpose of the link-local address in the neighbor adjacency process?
Correct. OSPFv3 packets are sourced from the link-local address, and next hops are link-local addresses.
Why this answer
OSPFv3 uses link-local addresses for neighbor discovery and as the source address for OSPF packets. This is a change from OSPFv2, which uses the interface's IPv4 address. The link-local address is used for next-hop resolution and adjacency formation.
A network engineer runs the following command to troubleshoot a BGP issue:
    R1# show bgp ipv4 unicast 192.168.1.0/24
    BGP routing table entry for 192.168.1.0/24, version 12
    Paths: (2 available, best #2, table default)
      Advertised to update-groups:
         1
      Refresh Epoch 1
      65001
        10.1.1.2 from 10.1.1.2 (10.1.1.2)
          Origin IGP, metric 0, localpref 100, valid, external, best
      Refresh Epoch 2
      65002
        10.2.2.2 from 10.2.2.2 (10.2.2.2)
          Origin IGP, metric 0, localpref 50, valid, external
What does this output indicate?
Local preference is a weight attribute; higher values are preferred. The path with localpref 100 is selected as best.
Why this answer
The show bgp ipv4 unicast command displays BGP paths for a specific prefix. Here, two paths are available: one from AS 65001 with local preference 100, and one from AS 65002 with local preference 50. The path with higher local preference (100) is selected as best.
A router has the following BFD configuration for a static route:
    ip route 10.0.0.0 255.255.255.0 192.168.1.2
    bfd map 192.168.1.2 10.0.0.0 255.255.255.0
    interface GigabitEthernet0/0
     ip address 192.168.1.1 255.255.255.0
     bfd interval 100 min_rx 100 multiplier 3
    !
What is the purpose of the 'bfd map' command in this context?
Correct. The 'bfd map' command creates a BFD session to the specified next-hop and ties it to the static route so that the route is withdrawn if BFD goes down.
Why this answer
For static routes, BFD must be explicitly mapped to the next-hop and destination prefix. The 'bfd map' command associates a BFD session with a static route so that if BFD detects a failure, the static route is removed from the routing table.
An engineer configured IP SLA 40 with a UDP echo probe to monitor a remote server port 80. The IP SLA is used in a track object for a backup static route. The engineer observes that the IP SLA state is 'Timeout' even though the server is reachable via ping from the router. What is the most likely cause?
UDP echo probes expect a UDP service on the target port. Port 80 is typically TCP, so the probe times out.
A router has CoPP configured with a class-map that matches OSPF traffic and polices it to 2000 pps. The router is also configured with an OSPF distribute-list in to filter routes. After applying CoPP, OSPF neighbors form, but routes from a specific neighbor are missing. The distribute-list permits all routes. Which is the most likely explanation?
LSUs carry the actual routes; if dropped, routes are missing even though the neighbor is up.
Why this answer
CoPP polices OSPF packets, but OSPF uses different packet types (hello, DBD, LSR, LSU, LSAck). If the police rate is exceeded, LSU packets may be dropped while hello packets pass. The distribute-list is not the issue; the missing routes are due to dropped LSUs.