Cisco CCNP ENARSI 300-410 (300-410) — Questions 751–825

2152 questions total · 29 pages · All types, answers revealed

Page 11 of 29

751
Multi-Select · hard

Which TWO statements about EEM environment variables and their scoping are true? (Choose TWO.)

Select 2 answers
A. Environment variables defined using the 'event manager environment' global configuration command are available to all EEM applets on the device.
B. Variables set within an applet using the 'action set' command are automatically available to other applets running on the same device.
C. The '$_cli_msg' variable, when used with 'event cli', contains the full command line that triggered the event, including any parameters.
D. The '$_event_pub_sec' variable provides the priority and severity of the event that triggered the applet.
E. The '$_syslog_msg' variable is available only when the applet is triggered by a syslog event.
Answers: A, C

Correct. These are global variables that persist across applets and reboots.

Why this answer

EEM environment variables set with 'event manager environment' are global and persist across applets. Variables set with 'action set' are local to the applet. The '$_cli_msg' variable is populated by 'event cli' with the full command line.

The '$_event_pub_sec' variable is not a standard EEM variable. The '$_syslog_msg' variable is available only in syslog-triggered applets.

752
MCQ · medium

A network engineer runs the following command to troubleshoot a Route Summarization issue:

    R1# show ip access-lists CoPP-ACL
    extended IP access list CoPP-ACL
        10 permit eigrp any any (100 matches)
        20 permit ospf any any (50 matches)
        30 permit bgp any any (200 matches)
        40 deny ip any any (0 matches)

What does this output indicate?

A. CoPP is permitting routing protocol traffic, including EIGRP, OSPF, and BGP, which are used for route summarization. No drops indicate CoPP is not blocking summarization.
B. CoPP is dropping all routing protocol traffic, preventing route summarization.
C. CoPP is only allowing BGP traffic, blocking EIGRP and OSPF summarization.
D. CoPP is not configured because the access list is empty.
Answer: A

The permit statements with matches show that routing protocol traffic is allowed, and no drops mean CoPP is not interfering.

Why this answer

This output shows an access list used for Control Plane Policing (CoPP). The match counts indicate that EIGRP, OSPF, and BGP traffic are being permitted. The absence of matches on the deny statement suggests that no traffic is being dropped, which could indicate that CoPP is not affecting route summarization traffic.

753
Multi-Select · hard

Which TWO statements about the 'distance' command in Cisco IOS routing protocols are true? (Choose TWO.)

Select 2 answers
A. Under EIGRP, the 'distance eigrp <internal-distance> <external-distance>' command sets different ADs for internal and external routes.
B. Under OSPF, the 'distance ospf <intra-area> <inter-area> <external>' command sets AD for different route types.
C. The 'distance' command can be used to change the AD of connected routes.
D. The 'distance' command requires a route-map to match specific prefixes in all routing protocols.
E. The 'distance' command can be used to set an AD of 0 for a specific route.
Answers: A, B

Correct. EIGRP allows separate AD configuration for internal and external routes using the 'distance eigrp' command.

Why this answer

The distance command can be used to modify the administrative distance for routes learned via a routing protocol. It can be applied globally or with an access-list or prefix-list to match specific routes. The command does not affect the AD of routes from other protocols.

The distance value must be between 1 and 255. The command can be used under EIGRP, OSPF, RIP, and BGP, but the syntax varies slightly.

754
MCQ · hard

In an MPLS L3VPN environment, what is the default maximum number of routes that can be installed from a single BGP peer?

A. 1000
B. Unlimited
C. 10000
D. 5000
Answer: B

Correct. By default, there is no maximum prefix limit.

Why this answer

By default, there is no maximum limit on the number of routes from a BGP peer. The 'maximum-prefix' command is optional and not configured by default.

755
MCQ · hard

OSPF network type mismatch on a multi-access link is causing route summarization issues. Router R1 and R2 are connected via Ethernet, but R1 has:

    interface GigabitEthernet0/0
     ip address 10.0.0.1 255.255.255.0
     ip ospf network point-to-point
     ip ospf 1 area 0
    !

Router R2 has default OSPF network type (broadcast). R1 is configured with:

    router ospf 1
     area 0 range 10.0.0.0 255.255.255.0
    !

R2 shows:

    R2# show ip ospf neighbor
    Neighbor ID     Pri   State      Dead Time   Address     Interface
    10.0.0.1        0     FULL/ -    00:00:30    10.0.0.1    GigabitEthernet0/0

But R2 does not have the summary route in its routing table. What is the root cause?

A. R1 is not an ABR (only area 0), so the area range command does not generate a summary route.
B. The network type mismatch causes OSPF to not exchange LSAs correctly, preventing the summary.
C. The summary route is suppressed because the interface is point-to-point.
D. R2 has a static route that overrides the summary.
Answer: A

Area range only works on ABRs that connect multiple areas.

Why this answer

The network type mismatch (point-to-point on R1, broadcast on R2) prevents proper adjacency formation. Although the neighbor state shows FULL, the DR/BDR election is affected. R1's point-to-point setting means it does not participate in DR election, and R2 expects a DR.

This can cause LSA flooding issues, and the area range summary may not be advertised correctly. The summary route is generated by the ABR, but if R1 is not an ABR (area 0 only), the range command has no effect. The root cause is that R1 is not an ABR, so area range does not apply.

756
MCQ · easy

A network engineer runs the following command on Router R1:

    R1# show crypto isakmp sa
    dst         src         state      conn-id  slot  status
    10.1.1.2    10.1.1.1    QM_IDLE    1        0     ACTIVE

Based on this output, which statement is correct?

A. IKE phase 1 is complete; the ISAKMP SA is established.
B. IKE phase 2 is complete; the IPsec SA is active.
C. The ISAKMP SA is in MM_NO_STATE; negotiation has failed.
D. The tunnel is down; the SA is in a dead state.
Answer: A

QM_IDLE means the SA is up and ready for quick mode (phase 2).

Why this answer

QM_IDLE indicates that IKE phase 1 (ISAKMP) is complete and the SA is idle, waiting for phase 2 negotiation. This is the normal state for an established ISAKMP SA.

757
MCQ · easy

A network engineer runs the following command on Router R1:

    R1# show crypto isakmp policy
    Global IKE policy
    Protection suite of priority 10
        encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm: Secure Hash Standard 2 (SHA256)
        authentication method: Pre-Shared Key
        Diffie-Hellman group: #14 (2048 bit)
        lifetime: 86400 seconds, no volume limit
    Protection suite of priority 20
        encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm: Secure Hash Standard 2 (SHA256)
        authentication method: Pre-Shared Key
        Diffie-Hellman group: #14 (2048 bit)
        lifetime: 86400 seconds, no volume limit

Based on this output, which statement is correct?

A. The router has two IKE policies configured; policy 10 will be preferred.
B. The router has no IKE policies configured; the output is empty.
C. The router uses certificate-based authentication.
D. The Diffie-Hellman group is group 2 (1024 bit).
Answer: A

Lower priority number is preferred; policy 10 with AES-256 will be tried first.

Why this answer

The output shows the configured IKE policies. Both use pre-shared key authentication. This is a normal configuration for IPsec VPN.

758
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show ip bgp 10.1.1.0/24
    BGP routing table entry for 10.1.1.0/24, version 10
    Paths: (1 available, best #1, table default)
      Advertised to update-groups:
         1
      Refresh Epoch 1
      Local
        10.2.2.2 from 10.2.2.2 (2.2.2.2)
          Origin IGP, metric 0, localpref 100, valid, external, best
          rx pathid: 0, tx pathid: 0x0
          Community: 100:200

Based on this output, what is the problem?

A. The route 10.1.1.0/24 is learned via an eBGP session and has a local preference of 100.
B. The route 10.1.1.0/24 is redistributed from an IGP into BGP, as indicated by the 'Local' path.
C. The community 100:200 is automatically assigned by BGP for all redistributed routes.
D. The route is not being advertised to any peers because it is not marked as best.
Answer: B

The 'Local' path attribute in BGP indicates the route was originated locally via network statement or redistribution from an IGP.

Why this answer

The output shows a BGP route with 'Local' as the path, meaning it was redistributed into BGP locally. The origin is IGP, and the community is 100:200. The route is valid and best.

However, the 'Local' path indicates redistribution from an IGP into BGP, which is common in redistribution scenarios.

759
MCQ · hard

A network engineer runs the following command to debug IPv6 uRPF:

    R1# debug ipv6 verify
    IPv6 verify debugging is on
    *Mar 1 00:02:34.567: IPv6 verify: source 2001:DB8:4::1 on GigabitEthernet0/0
    *Mar 1 00:02:34.567: no route to source

What does this output indicate?

A. The packet will be dropped because uRPF cannot find a route to the source address.
B. The packet will be forwarded because uRPF only checks the destination.
C. The packet will be forwarded because the source is on the same interface.
D. The router will add a route to the source address.
Answer: A

Correct. uRPF requires a route to the source; if none exists, the packet is dropped.

Why this answer

The debug output shows that a packet with source address 2001:DB8:4::1 arrived on GigabitEthernet0/0, but the router has no route to that source address. With uRPF enabled, this packet will be dropped.

760
MCQ · medium

A network engineer runs the following command on Router PE2:

    PE2# show ip bgp vpnv4 vrf CUSTOMER_A 10.10.10.0 24
    BGP routing table entry for 10.10.10.0/24, version 15
    Paths: (1 available, best #1, table CUSTOMER_A)
      Advertised to update-groups:
         1
      Refresh Epoch 1
      Local, imported path from 10.10.10.0/24
        10.1.1.1 (metric 20) from 10.1.1.1 (10.1.1.1)
          Origin incomplete, metric 0, localpref 100, valid, internal, best
          Extended Community: RT:100:100
          mpls labels in/out 18/19

Based on this output, what is the problem?

A. The route is not being advertised to any BGP peer.
B. The route is missing the required Route Target community.
C. The route is functioning correctly with no issues.
D. The route has an incorrect label binding.
Answer: C

All fields indicate a valid, best route with labels and RT.

Why this answer

The output shows a VPNv4 route for VRF CUSTOMER_A. The route is marked as 'imported path from 10.10.10.0/24', which indicates it was imported from the global table or another VRF. The route is valid and best, with labels assigned.

No problem is indicated; the route is functioning correctly.

761
MCQ · medium

In Cisco IOS-XE, what is the default behavior of the 'route-map' command when no 'match' or 'set' clauses are configured?

A. It denies all routes by default.
B. It permits all routes and applies no changes.
C. It permits all routes and sets the metric to 0.
D. It denies all routes and logs the action.
Answer: B

Correct. An empty permit route-map matches everything and does nothing.

Why this answer

A route-map without any match or set clauses is a permit statement that matches all routes and performs no modifications. This is a common source of unintended route filtering.

762
MCQ · medium

A network engineer runs the following command to troubleshoot a Network Logging and Syslog issue:

    R1# debug ip packet

Output:

    IP: s=10.1.1.1 (GigabitEthernet0/1), d=10.2.2.2, len 100, rcvd 3
    IP: s=10.1.1.1 (GigabitEthernet0/1), d=10.2.2.2, len 100, rcvd 4
    IP: s=10.1.1.1 (GigabitEthernet0/1), d=10.2.2.2, len 100, rcvd 5

What does this output indicate?

A. The router is experiencing a routing loop, as indicated by the repeated packets with the same source and destination.
B. The router is functioning normally; these are just normal IP packets being forwarded.
C. The router is receiving multicast traffic and showing each packet individually.
D. The debug command is not working correctly because the output is too repetitive.
Answer: A

Repeated identical packets suggest a loop; debug ip packet should be used cautiously and stopped with 'undebug all'.

Why this answer

The output shows repeated packets from the same source to the same destination, which may indicate a routing loop or excessive traffic. The engineer should use 'undebug all' to stop the debug and then investigate the routing table.

763
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show ip dhcp pool POOL1
    Pool POOL1 :
     Utilization mark (high/low) : 100 / 0
     Subnet size (first/next) : 0 / 0
     Total addresses : 10
     Leased addresses : 10
     Pending event : none
     1 subnet is currently in the pool :
     Current index    IP address range               Leased addresses
     192.168.1.11     192.168.1.10 - 192.168.1.19    10

Based on this output, which statement is correct?

A. The DHCP pool has available addresses for new clients.
B. The DHCP pool is fully utilized; no more addresses are available.
C. The DHCP pool is configured with a /24 subnet.
D. The DHCP server has a pending event causing address allocation to fail.
Answer: B

Leased addresses equal total addresses.

Why this answer

The output shows that all 10 addresses in the pool (192.168.1.10–192.168.1.19) are leased, and the current index is 192.168.1.11, which is beyond the first address. This means no free addresses remain, so the pool is fully utilized. Option B correctly states this condition.

Exam trap

The trap here is that candidates often misinterpret the 'Current index' as the next available address, but it merely indicates the last allocation point; the true indicator of exhaustion is the 'Leased addresses' equaling 'Total addresses'.

How to eliminate wrong answers

Option A is wrong because the 'Leased addresses' count equals the 'Total addresses' (10), indicating zero available addresses for new clients. Option C is wrong because the IP address range 192.168.1.10–192.168.1.19 contains only 10 addresses, which corresponds to a /28 subnet mask (255.255.255.240), not a /24. Option D is wrong because the 'Pending event' field shows 'none', meaning there is no pending event causing allocation failures.

764
Multi-Select · medium

Which TWO commands can be used to verify the operational status of a manually configured IPv6 tunnel on a Cisco IOS router? (Choose TWO.)

Select 2 answers
A. show interfaces tunnel 0
B. show ipv6 interface tunnel 0
C. show ipv6 route
D. show ipv6 tunnel 0
E. show running-config interface tunnel 0
Answers: A, B

Displays tunnel interface status, encapsulation, and counters.

Why this answer

The 'show interfaces tunnel 0' command displays the operational status, line protocol state, and encapsulation details of the tunnel interface, which directly verifies whether the manually configured IPv6 tunnel is up/up. The 'show ipv6 interface tunnel 0' command shows IPv6-specific information such as the IPv6 address, link-local address, and whether IPv6 is enabled on the tunnel interface, confirming that IPv6 traffic can be processed. Both commands provide essential operational verification for a manually configured IPv6 tunnel, such as a 6in4 or GRE tunnel carrying IPv6.

Exam trap

Cisco often tests the distinction between configuration verification commands (like 'show running-config') and operational status commands (like 'show interfaces' and 'show ipv6 interface'), leading candidates to mistakenly choose 'show running-config interface tunnel 0' as a verification tool for operational status.

765
MCQ · hard

An engineer configures iBGP between two routers in the same AS. The BGP table shows the prefix, but it is not installed in the routing table. The next-hop is reachable via an IGP route. Which is the most likely explanation?

A. BGP synchronization is enabled, and the prefix is not present in the IGP.
B. The next-hop-self command is missing on the iBGP peer.
C. The prefix is filtered by an inbound route-map.
D. The maximum-paths limit is exceeded.
Answer: A

Correct. Synchronization prevents route installation if IGP does not have the prefix.

Why this answer

In iBGP, by default, the next-hop is not changed when advertising to iBGP peers (next-hop-self is not set). If the next-hop is not reachable via an IGP route (e.g., because the IGP does not carry the connected subnet of the eBGP peer), the route is not installed. However, the scenario says the next-hop is reachable, so another common issue is the BGP synchronization rule (when enabled) requiring the prefix to be present in the IGP before installing it.

766
MCQ · hard

An engineer configures SNMPv2c with a community string 'public' and an ACL that permits the NMS. The NMS can poll the router. The engineer then applies a CoPP policy that drops SNMP packets (UDP port 161) from all sources except the NMS. The NMS now fails to poll. Which is the most likely explanation?

A. The CoPP policy's ACL does not include the NMS IP address, so SNMP packets from the NMS are dropped by the class-default.
B. CoPP only affects routing protocol traffic, not SNMP.
C. The SNMP community string ACL is overridden by the CoPP policy.
D. The router requires a reload for the CoPP policy to take effect.
Answer: A

CoPP policies typically have a class that matches traffic to be permitted; if the NMS is not matched, its packets fall into class-default, which may be set to drop.

Why this answer

CoPP applies to control plane traffic. If the CoPP policy is misconfigured, it may drop SNMP packets even from permitted sources. Additionally, the ACL in the CoPP policy must match the source IP of the NMS; if the ACL is incorrect or if the CoPP class-default drops all traffic, polling fails.

767
MCQ · hard

An engineer configures a DMVPN Phase 2 network. Spoke-to-spoke tunnels are expected to form dynamically. However, when a spoke tries to reach another spoke, traffic is still sent through the hub. The engineer verifies that NHRP is working and that the spoke-to-spoke tunnel is up. Which is the most likely explanation?

A. The spokes are missing the 'ip nhrp shortcut' command on the tunnel interface, so they do not install the direct route.
B. The hub is configured with 'ip nhrp redirect' but the spokes are configured with 'ip nhrp server-only', which prevents them from sending redirects.
C. The tunnel interface has 'ip mtu' set too low, causing fragmentation and preventing the NHRP registration.
D. The spoke-to-spoke tunnel uses IPsec, and the transform set is mismatched, causing the tunnel to fail.
Answer: A

The 'ip nhrp shortcut' command is required on spokes to allow them to use the NHRP-learned direct path. Without it, the spoke will continue to use the hub as the next hop.

Why this answer

In DMVPN Phase 2, spoke-to-spoke tunnels require that the spokes have a direct route to each other's tunnel IP addresses. This is achieved through NHRP redirect and shortcut routes. However, a common edge case is that the spoke routers are configured with 'ip nhrp redirect' on the hub but the spokes are missing 'ip nhrp shortcut' on their tunnel interfaces.

Without the shortcut command, the spoke will not install the NHRP-learned route into the routing table, so traffic continues to go through the hub.

768
Multi-Select · hard

Which THREE commands are used to troubleshoot VRF-Lite connectivity issues on a Cisco IOS-XE router? (Choose THREE.)

Select 3 answers
A. show ip route vrf <vrf-name>
B. ping vrf <vrf-name> <destination>
C. show vrf
D. traceroute <destination>
E. show ip cef
Answers: A, B, C

Shows the routing table for the specified VRF, critical for verifying route presence.

Why this answer

These three commands provide essential troubleshooting information: 'show ip route vrf' displays the VRF routing table, 'ping vrf' tests connectivity from within a VRF, and 'show vrf' shows VRF status and interfaces. The other options: 'traceroute' without VRF context may not work correctly, and 'show ip cef' without VRF shows global CEF, not VRF-specific.

769
MCQ · easy

A network engineer is troubleshooting a router that is sending duplicate SNMP traps for interface state changes. The engineer finds two EEM applets that both trigger on the same syslog pattern 'LINK-3-UPDOWN' and both send SNMP traps. What should the engineer do to resolve the duplicate traps?

A. Disable syslog logging for interface state changes.
B. Remove one of the duplicate EEM applets.
C. Change the SNMP trap destination to a different host for one applet.
D. Increase the SNMP trap queue size.
Answer: B

Correct because removing one applet eliminates the duplicate trap generation.

Why this answer

The duplicate traps are caused by two applets performing the same action. The engineer should remove one of the applets or combine them into one.

770
MCQ · medium

A network engineer runs the following command to troubleshoot an IP SLA issue:

    R1# debug ip sla monitor trace
    IP SLAs Monitor trace debugging is on
    *Mar 1 12:34:56.789: IP SLAs Monitor: Starting operation 10
    *Mar 1 12:34:56.789: IP SLAs Monitor: Sending ICMP echo request to 192.168.1.1
    *Mar 1 12:34:56.790: IP SLAs Monitor: Received ICMP echo reply from 192.168.1.1
    *Mar 1 12:34:56.790: IP SLAs Monitor: RTT = 12 ms
    *Mar 1 12:34:56.790: IP SLAs Monitor: Operation 10 completed successfully
    *Mar 1 12:35:56.789: IP SLAs Monitor: Starting operation 10
    *Mar 1 12:35:56.789: IP SLAs Monitor: Sending ICMP echo request to 192.168.1.1
    *Mar 1 12:35:56.790: IP SLAs Monitor: Received ICMP echo reply from 192.168.1.1
    *Mar 1 12:35:56.790: IP SLAs Monitor: RTT = 14 ms
    *Mar 1 12:35:56.790: IP SLAs Monitor: Operation 10 completed successfully

What does this output indicate?

A. The IP SLA monitor operation is failing because the RTT values are increasing.
B. The IP SLA monitor operation is successfully sending and receiving ICMP echo probes.
C. The IP SLA monitor operation is not configured because no configuration is shown.
D. The IP SLA monitor operation is timing out because no reply is received.
Answer: B

Each cycle shows request, reply, and 'completed successfully'.

Why this answer

This debug output shows the IP SLA monitor trace for operation 10. Each cycle shows a successful ICMP echo request/reply with RTT values, indicating the probe is working correctly.

771
MCQ · hard

A network engineer runs the following command on Router R1:

    R1# show ip bgp neighbors 10.2.2.2 advertised-routes
    BGP table version is 10, local router ID is 1.1.1.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
                  x best-external, a additional-path, c RIB-compressed,
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop     Metric LocPrf Weight Path
    *> 10.1.1.0/24      0.0.0.0           0         32768 i
    *> 10.2.2.0/24      0.0.0.0           0         32768 i
    Total number of prefixes 2

Based on this output, what is the problem?

A. The routes are correctly advertised with next hop 0.0.0.0, which is normal for locally originated routes.
B. The routes are not being advertised to eBGP peers because the next hop is 0.0.0.0, which is invalid for eBGP.
C. The routes are being advertised to iBGP peers only, as indicated by the next hop 0.0.0.0.
D. The routes are redistributed from an IGP into BGP, and the next hop is correctly set to 0.0.0.0.
Answer: B

For eBGP, the next hop must be reachable; 0.0.0.0 is not a valid next hop for eBGP advertisements, so the routes may not be installed by the peer.

Why this answer

The output shows that R1 is advertising two routes to neighbor 10.2.2.2: 10.1.1.0/24 and 10.2.2.0/24, both with next hop 0.0.0.0. In BGP, a next hop of 0.0.0.0 means the route is originated locally (via network statement or redistribution). The problem is that the next hop should be the router's own interface IP when advertising to an eBGP neighbor, but 0.0.0.0 is used for local routes.

This could indicate that the routes are not being advertised correctly to eBGP peers because the next hop is not updated.

772
MCQ · hard

After redistributing OSPF into EIGRP, an EIGRP router becomes stuck-in-active (SIA) for certain routes. Router R1 config:

    router eigrp 100
     redistribute ospf 1 metric 10000 100 255 1 1500
    !
    router ospf 1
     redistribute eigrp 100 subnets

    R1# show ip eigrp topology 10.0.0.0/8
    IP-EIGRP (AS 100): Topology entry for 10.0.0.0/8
      State: Active, 0:01:15, Reply count: 0
      Originating router: 10.1.1.1
      Last sent query: 10.1.1.2

What is the root cause?

A. The redistributed OSPF route is a summary that causes EIGRP queries to go unanswered, leading to SIA.
B. The EIGRP metric is too high, causing the route to be unreachable.
C. The OSPF redistribution is missing the subnets keyword, causing classful behavior.
D. The EIGRP AS number is mismatched between routers.
Answer: A

Summary routes can cause queries to propagate widely; if a neighbor has no route, the query times out.

Why this answer

The EIGRP route for 10.0.0.0/8 is in Active state, meaning it is waiting for replies from neighbors. The redistribution from OSPF may be injecting a summary route that causes a query to be sent to all neighbors, but one neighbor may not have a route back, causing the query to be unanswered. The fix is to ensure that the redistributed routes are not summarized or to use a stub router to limit query scope.

773
MCQ · medium

Consider the following configuration snippet:

    ip cef
    !
    interface GigabitEthernet0/0
     ip address 10.0.0.1 255.255.255.252
     mpls ip
    !
    interface GigabitEthernet0/1
     ip address 10.0.1.1 255.255.255.252
     mpls ip
    !
    router ospf 1
     network 10.0.0.0 0.0.0.3 area 0
     network 10.0.1.0 0.0.0.3 area 0
    !
    mpls ldp router-id Loopback0 force
    !
    interface Loopback0
     ip address 192.168.0.1 255.255.255.255

What will happen when this router attempts to establish an LDP session with a neighbor on GigabitEthernet0/0?

A. LDP will use the IP address of GigabitEthernet0/0 as the transport address because Loopback0 is not in OSPF.
B. LDP will use Loopback0 (192.168.0.1) as the transport address, but the neighbor must have a route to 192.168.0.1 for the session to establish.
C. LDP will not use Loopback0 because the interface is not configured with 'mpls ip'.
D. LDP will use the IP address of GigabitEthernet0/1 because it has the highest IP among MPLS-enabled interfaces.
Answer: B

The 'force' keyword sets the LDP router ID to Loopback0. However, the loopback is not included in the OSPF network statements, so the neighbor may not have reachability to 192.168.0.1, causing LDP session failure. This is a common misconfiguration.

Why this answer

The configuration is correct. LDP will use Loopback0 (192.168.0.1) as its router ID and transport address. The neighbor must be able to reach 192.168.0.1 via the IGP.

Since OSPF advertises the loopback, it should work. The question tests understanding of LDP transport address usage.

774
MCQ · hard

Router R1 and R2 are running OSPF in area 0. R1 has a loopback interface with IP 192.168.1.1/32 advertised into OSPF. R2 learns this route as an intra-area route (AD 110). R2 also runs RIP and learns the same prefix from R3 with AD 120. R2's 'show ip route 192.168.1.1' shows the RIP route. What is the root cause?

A. R2's OSPF process has 'distance 130' configured, making OSPF routes have AD 130, which is higher than RIP's AD 120.
B. The RIP route has a better metric than the OSPF route.
C. R2 has a static route with AD 1 that overrides both.
D. The OSPF route is an external route with AD 170 due to redistribution.
Answer: A

If OSPF distance is set to 130, RIP (120) becomes preferred.

Why this answer

RIP has AD 120, OSPF has AD 110, so OSPF should be preferred. If the OSPF route is not installed, it could be due to a higher metric or a filter. The correct answer is that the OSPF route is an external route (type-5) because it was redistributed from another protocol, not an intra-area route.

The scenario says intra-area, but if the loopback is not directly connected to OSPF (e.g., it is in a different VRF), it might be redistributed as external. The question states it is advertised into OSPF, but the AD for external is 110, same as intra-area. The trick is that the OSPF route might have a higher metric than the RIP route, but AD is checked first.

The most likely cause is that the OSPF route is not in the routing table due to a distribute-list or because the OSPF process has 'distance 130' configured for all routes.

775
MCQ · hard

An engineer configures an IPv4 ACL on a router's interface to permit only HTTP traffic (TCP port 80) from a specific subnet. The ACL is applied inbound. After applying, the router's web interface (HTTPS) becomes unreachable from the same subnet. What is the most likely explanation?

A. The ACL denies HTTPS traffic because it is not explicitly permitted.
B. The ACL is applied outbound, filtering traffic to the web server.
C. The router's web server uses HTTP, not HTTPS.
D. The ACL is blocking TCP port 80 due to a typo.
Answer: A

The ACL only permits HTTP; HTTPS (port 443) is denied by the implicit deny, blocking management access.

Why this answer

The ACL is applied inbound on the router interface and only permits TCP port 80 (HTTP). HTTPS uses TCP port 443, which is not explicitly permitted. Since IPv4 ACLs end with an implicit deny any, all traffic not matching a permit statement, including HTTPS, is denied.

This causes the router's web interface (HTTPS) to become unreachable from the subnet.

Exam trap

Cisco often tests the implicit deny any behavior of ACLs and the fact that management protocols (like HTTPS, SSH, SNMP) use different ports than the permitted traffic, causing candidates to overlook the need to explicitly permit those ports.

How to eliminate wrong answers

Option B is wrong because the ACL is explicitly stated as applied inbound, not outbound; an outbound ACL would filter traffic leaving the interface, not traffic entering from the subnet. Option C is wrong because the router's web interface is accessed via HTTPS (TCP 443), not HTTP (TCP 80), and the question confirms it is HTTPS. Option D is wrong because the issue is not a typo on port 80; the ACL correctly permits HTTP, but HTTPS is blocked by the implicit deny, not by a misconfiguration of the permit statement.

776
MCQ · medium

Consider the following configuration on a PE router:

    ip vrf CUSTOMER-B
     rd 100:1
     route-target export 100:1
     route-target import 100:2
    !
    interface GigabitEthernet0/2
     ip vrf forwarding CUSTOMER-B
     ip address 192.168.2.1 255.255.255.252

What is the effect of this configuration?

A. The PE will export routes from VRF CUSTOMER-B with RT 100:1 and import routes with RT 100:2.
B. The PE will export routes with RT 100:2 and import routes with RT 100:1.
C. The VRF will not work because the RD and RT must be identical.
D. The VRF will not work because route-target import and export must be configured under the BGP VRF address-family.
Answer: A

The route-target export sets the RT on exported VPNv4 routes; the route-target import filters incoming VPNv4 routes to only those with RT 100:2.

Why this answer

The VRF has a route distinguisher and route-targets. The export RT is 100:1, meaning routes from this VRF are exported with that RT. The import RT is 100:2, so only routes with RT 100:2 are imported.

This is a common setup for hub-and-spoke or inter-AS options.

777
MCQ · medium

Which EIGRP packet type is used to confirm receipt of an update during reliable transport?

A. Hello
B. Update
C. ACK
D. Query
Answer: C

Correct: ACK packets are sent to confirm reliable delivery of updates, queries, and replies.

Why this answer

EIGRP uses Reliable Transport Protocol (RTP). When a router receives an update, it sends an ACK packet (a hello packet with no data) to confirm receipt. ACKs are always sent unreliably (unicast).

778
MCQ · hard

A network engineer runs the following command on Router R1:

    R1# show crypto ipsec sa
    interface: Tunnel0
        Crypto map tag: DMVPN, local addr 10.1.1.1
       protected vrf: (none)
       local ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/47/0)
       remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/47/0)
       current_peer 10.1.1.2 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 150, #pkts encrypt: 150, #pkts digest: 150
        #pkts decaps: 145, #pkts decrypt: 145, #pkts verify: 145
        #send errors 0, #recv errors 0
         local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.1.1.2
         path mtu 1500, ip mtu 1500, ip mtu idb Tunnel0
         current outbound spi: 0x12345678(305419896)
         PFS (Y/N): N, DH group: none

Based on this output, what is the problem?

A. There is packet loss on the IPsec tunnel.
B. The IPsec SA is using PFS.
C. The tunnel is not encrypting traffic.
D. The remote peer is 10.1.1.1.
Answer: A

Encaps count (150) is higher than decaps count (145), indicating loss.

Why this answer

The output shows IPsec SA details for a DMVPN tunnel. The protected identity uses GRE (protocol 47), and the SA is between two spoke routers (172.16.0.0/24). The packet counts show 150 encapsulated but only 145 decapsulated, indicating packet loss on the tunnel.

This could be due to MTU issues or routing problems.

779
MCQhard

An enterprise is using IPv6-to-IPv4 translation tunneling (NAT64) but users report that they cannot reach IPv6-only servers. Router R1 has the following relevant configuration:

```
interface Tunnel0
 ipv6 address 2001:DB8:1::1/64
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
 nat64 enable
```

Router R2 shows:

```
R2# show nat64 translations
% No translations.
R2# debug nat64 all
NAT64: No mapping found for packet.
```

What is the root cause?

A.The NAT64 prefix is not configured under the tunnel interface.
B.The tunnel mode should be ipv6ip for NAT64 to work.
C.The IPv4 address of the destination server is not reachable.
D.NAT64 is not supported on tunnel interfaces.
AnswerA

Without a NAT64 prefix, the router cannot create mappings for translation.

Why this answer

Option A is correct because NAT64 requires a NAT64 prefix to be explicitly configured under the tunnel interface using the 'nat64 prefix' command. Without this prefix, the router cannot construct the IPv6 representation of IPv4 destinations, so no translation mappings are created, and packets are dropped. The debug output confirms 'No mapping found for packet', which directly points to the missing prefix configuration.

Exam trap

Cisco often tests the distinction between enabling NAT64 on an interface and actually configuring the required NAT64 prefix, leading candidates to assume that 'nat64 enable' alone is sufficient.

How to eliminate wrong answers

Option B is wrong because 'ipv6ip' is not a valid mode for NAT64, which uses the default tunnel mode (GRE/IPv6); NAT64 operates at the network layer and does not require a specific tunnel encapsulation mode beyond what is already configured. Option C is wrong because the issue is not about IPv4 reachability; the debug shows no NAT64 mappings exist, which occurs before any routing or reachability check. Option D is wrong because NAT64 is fully supported on tunnel interfaces; the problem is the missing prefix configuration, not a lack of support.

780
Multi-Selecthard

Which THREE commands can be used to verify the current NTP synchronization status and configuration on a Cisco IOS router? (Choose THREE.)

Select 3 answers
A.show ntp status
B.show ntp associations
C.show ntp packets
D.show ntp statistics
E.show clock detail
AnswersA, B, D

Correct. This command displays the NTP synchronization status, including whether the clock is synchronized, the stratum level, and the reference clock.

Why this answer

The 'show ntp status' command displays the clock synchronization state, stratum, and reference. The 'show ntp associations' command shows configured NTP peers/servers and their reachability. 'show ntp packets' is not a valid command.

The 'show ntp statistics' command provides packet statistics. The 'show clock' command shows the current time but not NTP details. 'debug ntp packets' is a debug command, not a show command.

781
MCQmedium

A network engineer runs the following command to troubleshoot a Route Summarization issue:

```
R1# debug eigrp packets
EIGRP: Sending HELLO on Serial0/0/0
  src 10.1.1.1, dst 224.0.0.10
EIGRP: Received UPDATE on Serial0/0/0 from 10.1.1.2
  src 10.1.1.2, dst 224.0.0.10
  update type: route
  prefix 10.0.0.0/16 metric 128576
EIGRP: Sending UPDATE on Serial0/0/0 to 10.1.1.2
  update type: summary
  prefix 10.0.0.0/16 metric 128576
```

What does this output indicate?

A.R1 is receiving and re-advertising the summary route 10.0.0.0/16, likely configured with a summary address.
B.R1 is only receiving the summary route and not advertising it.
C.The summary route is being suppressed due to a route filter.
D.The summary route is learned via OSPF and redistributed into EIGRP.
AnswerA

The 'summary' update type indicates R1 is actively summarizing and advertising the route.

Why this answer

The debug output shows EIGRP packet exchanges. R1 receives an UPDATE for prefix 10.0.0.0/16 and then sends an UPDATE with type 'summary' for the same prefix. This indicates that R1 is both learning and advertising a summary route.

782
MCQhard

R1 and R2 are iBGP peers in AS 65001. R1 has: neighbor 10.1.1.2 route-reflector-client. R2 advertises a prefix 10.0.0.0/8 with a community of no-export. R1 reflects this prefix to its other client R3. R3 is in a different AS (65002) via eBGP. R3 receives the prefix but does not advertise it to its eBGP neighbor R4 in AS 65003. What is the root cause?

A.The no-export community on the prefix prevents R3 from advertising it to eBGP neighbor R4.
B.R1 should have stripped the community before reflecting to R3.
C.R3 is missing the send-community command to its eBGP neighbor.
D.The route-reflector-client command on R1 should be on R2 instead.
AnswerA

no-export community means the route should not be advertised to any eBGP peers.

Why this answer

The community no-export attached to the prefix prevents it from being advertised to any eBGP peers. When R1 reflects the prefix to R3 (iBGP), the community is preserved. R3, upon advertising to R4 (eBGP), checks the community and withholds the advertisement because of the no-export community.

The root cause is that the no-export community is present on the prefix, which blocks eBGP advertisement.

783
MCQhard

An engineer configures EIGRP named mode on a router. A route is learned via EIGRP, but the router does not install it in the routing table. The show ip eigrp topology shows the route in passive state with a feasible distance. Which is the most likely explanation?

A.The route is an external route and the EIGRP administrative distance is set to 255.
B.The router is configured as an EIGRP stub with 'receive-only', which prevents it from installing any EIGRP routes.
C.The 'metric weights' command is misconfigured, causing incorrect metric calculation.
D.The route is a summary route that is not advertised due to 'summary-address' configuration.
AnswerB

Stub receive-only blocks all EIGRP routes from being installed.

Why this answer

In named mode, EIGRP uses address-family configuration. The route may be learned but not installed if the 'no ip route-cache' or 'no ip routing' is misconfigured, or if the route is suppressed by a route-map. However, a common edge case is that the route is an internal route but the router is configured as a stub with 'receive-only', which prevents installing any routes.

784
MCQeasy

Which LDP message type is used to request label bindings from a neighbor?

A.Label Request message
B.Label Mapping message
C.Label Withdraw message
D.Label Release message
AnswerA

The Label Request message is used to request label bindings for a FEC.

Why this answer

The Label Request message is sent by an LDP router to request a label binding for a specific FEC from its neighbor.

785
Multi-Selecthard

Which TWO statements correctly describe the behavior of TTL propagation in MPLS networks? (Choose TWO.)

Select 2 answers
A.Disabling TTL propagation prevents traceroute from revealing the internal LSR hops.
B.The command 'no mpls ip propagate-ttl' is used to disable TTL propagation on a Cisco IOS router.
C.The command 'no mpls ip ttl-propagate' is used to disable TTL propagation.
D.When TTL propagation is disabled, traceroute shows every LSR hop in the MPLS core.
E.When TTL propagation is disabled, the TTL value is decremented normally at each LSR hop.
AnswersA, B

Correct. With TTL propagation disabled, traceroute shows only the ingress and egress LSRs, hiding the core.

Why this answer

In MPLS, TTL propagation can be disabled for security or to hide the core topology. When disabled, the IP TTL is copied to the MPLS label only at the ingress LSR, and at the egress LSR the MPLS TTL is copied back to the IP header. By default, TTL propagation is enabled.

The command 'no mpls ip propagate-ttl' disables it. Option A is correct because disabling TTL propagation hides the core hops from traceroute. Option B is correct because the command to disable is indeed 'no mpls ip propagate-ttl'.

Option C is false: the command is not 'no mpls ip ttl-propagate'. Option D is false: traceroute shows only the ingress and egress LSRs, not all hops. Option E is false: when disabled, the TTL is not decremented across the MPLS core.

786
MCQmedium

A network engineer runs the following command to troubleshoot an Administrative Distance issue:

```
R1# show ip route 192.168.1.0 255.255.255.0
Routing entry for 192.168.1.0/24
  Known via "eigrp 100", distance 170, metric 30720, type internal
  Redistributing via eigrp 100
  Last update from 10.1.1.2 on GigabitEthernet0/0, 00:00:05 ago
  Routing Descriptor Blocks:
  * 10.1.1.2, from 10.1.1.2, 00:00:05 ago, via GigabitEthernet0/0
      Route metric is 30720, traffic share count is 1
      Total delay is 2000 microseconds, minimum bandwidth is 100000 Kbit
      Reporting 1 hops
```

What does this output indicate?

A.The route is an EIGRP internal route with a default administrative distance of 90.
B.The route is an EIGRP external route with administrative distance 170, which is the default for external EIGRP routes.
C.The route is redistributed from OSPF into EIGRP, hence the distance of 170.
D.The route is learned via EIGRP but the administrative distance has been manually changed to 170.
AnswerB

EIGRP external routes have a default AD of 170, as shown in the output.

Why this answer

The output shows the route's administrative distance, which is 170 for EIGRP external routes. This is important for understanding route selection when multiple routing protocols are redistributed.

787
MCQmedium

A network engineer is troubleshooting an issue where IPv6 hosts are receiving multiple Router Advertisements from different routers, causing routing instability. The switch is configured with IPv6 First Hop Security features. The engineer wants to ensure that only the primary router's RAs are accepted by hosts. What is the most effective solution?

A.Configure RA Guard with a policy that includes the primary router's MAC address in the allowed list and apply it to all ports.
B.Enable DHCPv6 Guard to block DHCPv6 messages from the secondary router.
C.Use IPv6 Source Guard to filter traffic from the secondary router.
D.Configure the switch to act as a router and send its own RAs with a higher priority to override the secondary router.
AnswerA

Correct because RA Guard will drop RAs from any router not in the allowed list, preventing multiple routers from sending RAs.

Why this answer

RA Guard can be used to allow only authorized routers to send RAs. By configuring an RA Guard policy that permits only the primary router's MAC address, RAs from other routers will be dropped, ensuring stability.

788
Multi-Selecthard

An engineer must configure a GRE tunnel to transport IPv6 traffic over an IPv4-only network. Which TWO configuration steps are required? (Choose TWO.)

Select 2 answers
A.Configure tunnel mode gre ip on the tunnel interface.
B.Assign an IPv6 address to the tunnel interface.
C.Configure tunnel mode ipv6ip on the tunnel interface.
D.Set the tunnel destination to the remote IPv6 address.
E.Place the tunnel interface in a VRF to separate IPv6 traffic.
AnswersA, B

Correct. GRE is the default tunnel mode for IPv6 transport; explicit configuration ensures correct operation.

Why this answer

Option A is correct because 'tunnel mode gre ip' configures the tunnel interface to use Generic Routing Encapsulation (GRE) over IPv4, which is the standard method for encapsulating any Layer 3 protocol (including IPv6) inside IPv4 packets. This mode sets the tunnel to use IP protocol 47 (GRE) and allows the transport of IPv6 traffic across an IPv4-only network.

Exam trap

Cisco often tests the distinction between GRE (tunnel mode gre ip) and IPv6-in-IPv4 manual tunneling (tunnel mode ipv6ip), where candidates mistakenly choose ipv6ip for IPv6 transport, forgetting that GRE is the standard for multiprotocol encapsulation and is required when the question explicitly mentions 'GRE tunnel'.

789
Drag & Dropmedium

Drag and drop the steps to verify and validate NAT and PAT operational state into the correct order, from first to last.

Why this order

Verification should start with a high-level overview of translations, then check for active translations with details, then verify interface configurations, then confirm statistics for drops or failures, and finally test end-to-end connectivity.

790
MCQhard

An engineer configures DHCPv6 prefix delegation on a router with multiple requesting interfaces. The router receives a /48 prefix from the server, but only one interface gets a /64 sub-prefix. Which is the most likely explanation?

A.Only one interface is configured with 'ipv6 address prefix-name ::1:0:0:0:1/64' using the delegated prefix; other interfaces lack this configuration.
B.The DHCPv6 server only delegates a single /64 prefix, not a /48.
C.The router's 'ipv6 dhcp client pd' command is missing the 'rapid-commit' option.
D.The router has 'ipv6 dhcp client information refresh' set to a high value, delaying updates.
AnswerA

Correct: The delegated prefix must be explicitly used on each interface with the appropriate 'ipv6 address' command referencing the prefix name.

Why this answer

When using DHCPv6 PD, the router can delegate sub-prefixes to downstream interfaces using the 'ipv6 dhcp client pd' command with a hint. If only one interface has the 'ipv6 address' command with the prefix, only that interface gets an address. The other interfaces may not have the correct configuration to use the delegated prefix.

791
MCQhard

An enterprise uses VRF-lite with IPv6. VRF A on R1 leaks routes to VRF B using route-target import/export. R1 has an IPv6 ACL applied inbound on the interface in VRF A that permits only OSPFv3 and denies all other traffic. R1's VRF B has a static default route pointing to a next-hop in VRF A. Traffic from VRF B to the internet fails. R1 shows 'ping vrf B 2001:db8:2::1' fails, but 'ping vrf A 2001:db8:2::1' succeeds. What is the root cause?

A.The ACL on the VRF A interface blocks data traffic from VRF B, which is forwarded via the leaked route.
B.Route leaking is not configured correctly; the route-target import/export is missing.
C.The static default route in VRF B has an incorrect next-hop address.
D.uRPF is enabled on the VRF A interface and drops traffic from VRF B due to source address mismatch.
AnswerA

Traffic from VRF B is forwarded into VRF A and hits the inbound ACL, which permits only OSPFv3.

Why this answer

The ACL in VRF A blocks all traffic except OSPFv3. When VRF B sends traffic to the leaked default route, the packet enters VRF A and is subject to the ACL. The ACL drops the data traffic because it is not OSPFv3.

The ping from VRF A works because the source is in VRF A and not filtered by the inbound ACL.

792
Multi-Selecthard

Which TWO statements about the default administrative distances for different route sources are correct? (Choose TWO.)

Select 2 answers
A.The default administrative distance for a connected interface is 0.
B.The default administrative distance for internal BGP (iBGP) is 20.
C.The default administrative distance for external EIGRP routes is 170.
D.The default administrative distance for RIP is 100.
E.The default administrative distance for OSPF is 90.
AnswersA, C

Correct. Connected routes have the highest trustworthiness with an AD of 0.

Why this answer

Cisco IOS assigns default AD values to various route sources. Connected interfaces have an AD of 0, static routes have 1, EIGRP summary routes have 5, internal BGP has 200, and external EIGRP has 170. OSPF has 110, and RIP has 120.

Knowing these defaults is critical for troubleshooting route selection.

793
MCQmedium

An engineer configured IP SLA 60 to monitor the reachability of a WAN link's next-hop (203.0.113.1) using ICMP echo. The IP SLA is used in a track object for a floating static route. The engineer notices that the primary route (EIGRP) is present, but the floating static route is not installed when the primary fails. The track object shows 'Down' after the primary fails. What should the engineer check?

A.Verify that the static route's administrative distance is higher than the EIGRP route (e.g., 170 vs 90).
B.Check if the IP SLA probe is configured with a timeout greater than the frequency.
C.Ensure the primary route is removed from the routing table before the static route is installed.
D.Reboot the router to clear the routing table.
AnswerA

If the static route has an AD lower than EIGRP (e.g., 1), it would be installed even when the primary is up, causing issues. For a floating static, AD must be higher.

Why this answer

A floating static route with tracking requires the administrative distance to be higher than the primary route. If the AD is lower or equal, the static route will not be installed as a backup. Also, the track object must be correctly referenced.

794
Multi-Selectmedium

Which TWO commands would a network engineer use to verify that syslog messages are being sent to a remote syslog server? (Choose TWO.)

Select 2 answers
A.show logging
B.debug logging
C.show running-config | include logging
D.ping <syslog-server-ip>
E.show ip route
AnswersA, C

This command shows the syslog server status, buffer contents, and logging configuration.

Why this answer

The 'show logging' command displays the current logging configuration, including the syslog server address and whether logging is enabled. The 'debug logging' command is not valid; the correct command to see real-time syslog messages is 'terminal monitor' after enabling logging. 'show run | include logging' shows the running config lines for logging. 'ping' tests reachability but not syslog functionality. 'show ip route' checks routing but not logging.

795
MCQeasy

What is the default OSPF dead timer interval on a point-to-point interface within a VRF-Lite configuration?

A.30 seconds
B.40 seconds
C.120 seconds
D.10 seconds
AnswerB

The default OSPF dead timer is 40 seconds on point-to-point and broadcast interfaces.

Why this answer

OSPF defaults to a dead timer of 40 seconds on point-to-point and broadcast interfaces, which is four times the default hello timer of 10 seconds.

796
MCQhard

Which MPLS label value is reserved for the Explicit NULL label and what is its purpose?

A.Label 0; used for the Explicit NULL label to indicate that the penultimate hop should pop the label.
B.Label 1; used for the Router Alert label.
C.Label 2; used for the Implicit NULL label.
D.Label 3; used for the Implicit NULL label.
AnswerA

Label 0 is the IPv4 Explicit NULL per RFC 3032.

Why this answer

Label value 0 is the IPv4 Explicit NULL label, used to signal the penultimate hop to pop the label stack and forward the packet based on the IP header.

797
MCQmedium

An engineer configures Flexible NetFlow on a Cisco router to monitor traffic on GigabitEthernet0/1. The flow record is defined with 'match ipv4 source address' and 'collect counter bytes'. The flow exporter sends data to 192.168.1.10:2055. After applying the monitor to the interface, 'show flow monitor name MONITOR cache' shows zero entries. What is the most likely root cause?

A.The flow exporter is not configured with a source interface.
B.The flow monitor is applied in the wrong direction.
C.The flow record does not include 'match ipv4 protocol'.
D.The collector is unreachable, causing the router to stop caching flows.
AnswerB

If the monitor is applied ingress but traffic is egress, no flows are recorded. The engineer should check the direction.

Why this answer

Flexible NetFlow requires a flow monitor to be applied to an interface in the correct direction (ingress or egress). If the direction is not specified, the default is ingress. If traffic is only egress, the monitor will not capture any flows.

798
MCQmedium

Consider this configuration on Router R5:

```
interface Tunnel0
 ipv6 address 2001:DB8:7::1/64
 tunnel source 192.168.10.1
 tunnel destination 192.168.20.2
 tunnel mode ipv6ip
 tunnel ttl 64
```

What is the effect?

A.The tunnel will not work because the tunnel source is an IP address, not an interface.
B.The tunnel will work, and the TTL field in the outer IPv4 header will be set to 64.
C.The tunnel mode should be 'gre ip' for IPv6 over IPv4.
D.The tunnel will use the IPv6 TTL for the outer header.
AnswerB

The 'tunnel ttl' command sets the TTL in the outer IPv4 header.

Why this answer

Option B is correct because the configuration creates an IPv6-over-IPv4 manual tunnel (tunnel mode ipv6ip). The tunnel source is specified as an IP address, which is valid; the router uses that address as the source of the outer IPv4 header. The 'tunnel ttl 64' command explicitly sets the Time-to-Live field in the outer IPv4 header to 64, overriding the default value.

Exam trap

Cisco often tests the misconception that the tunnel source must be an interface name, or that the outer header's TTL is inherited from the inner packet, leading candidates to incorrectly eliminate the correct answer.

How to eliminate wrong answers

Option A is wrong because the tunnel source can be either an interface name or an IP address; specifying an IP address is perfectly valid and the router will use that address as the source of the outer IPv4 header. Option C is wrong because 'tunnel mode ipv6ip' is the correct mode for IPv6-over-IPv4 manual tunnels (RFC 4213), not 'gre ip', which is used for generic routing encapsulation and does not carry the IPv6 protocol type natively. Option D is wrong because the outer IPv4 header uses its own TTL field, which is set by the 'tunnel ttl' command; the inner IPv6 packet's Hop Limit is not copied to the outer header.

799
MCQhard

An engineer configures IPsec with a transform set that includes ESP-SHA-HMAC and ESP-AES-256. The VPN tunnel fails to establish, and debug shows 'transform set mismatch'. What is the most likely explanation?

A.The peer has the transform set with the same protocols but in a different order (ESP-AES-256 then ESP-SHA-HMAC), which is considered a mismatch.
B.The peer uses ESP-AES-256 with a different key length, such as 128-bit.
C.The peer has 'crypto ipsec transform-set' with 'esp-sha-hmac' and 'esp-aes 256' but also includes 'comp-lzs'.
D.The peer uses 'esp-sha-hmac' as authentication and 'esp-aes 256' as encryption, but the mode is set to transport instead of tunnel.
AnswerA

IPsec transform sets are matched exactly, including the order of protocols.

Why this answer

The transform set must match exactly on both peers, including the order of protocols. ESP-SHA-HMAC is an authentication protocol, and ESP-AES-256 is encryption. If the peer has them in a different order or uses a different combination, the negotiation fails.

800
MCQmedium

A network engineer runs the following command on Router R1:

```
R1# show ip policy
Interface            Route-map
GigabitEthernet0/0   PBR-TRACK
R1# show route-map PBR-TRACK
route-map PBR-TRACK, permit, sequence 10
  Match clauses:
    ip address (access-lists): 170
  Set clauses:
    ip next-hop verify-availability 10.0.0.2 10 track 2
  Policy routing matches: 100 packets, 8000 bytes
R1# show track 2
Track 2
  IP SLA 2 reachability
  Reachability is Up
    2 changes, last change 00:01:30
  Latest operation return code: ok
  Tracked by:
    ROUTE-MAP 0
R1# show ip route 10.0.0.2
Routing entry for 10.0.0.2/32
  Known via "eigrp 1", distance 90, metric 28160
  Last update from 192.168.1.2 on GigabitEthernet0/1
```

Based on this output, what is the most likely behavior for packets matching ACL 170?

A.Packets are forwarded to 10.0.0.2.
B.Packets are forwarded using the routing table because the next-hop is not reachable.
C.Packets are dropped because the track object is not configured correctly.
D.Packets are load-balanced between the next-hop and the routing table.
AnswerA

Since track 2 is Up, the next-hop is verified as available and used for policy routing.

Why this answer

The route map uses 'ip next-hop verify-availability' with track 2. Track 2 is Up (IP SLA 2 reachability is ok). Therefore, the next-hop 10.0.0.2 is considered available, and packets matching ACL 170 are forwarded to 10.0.0.2.

801
MCQmedium

A network engineer runs the following command on Router R1:

```
R1# show ip bgp vpnv4 vrf RED summary
BGP router identifier 192.168.0.1, local AS number 65001
BGP table version is 5, main routing table version 5
4 network entries using 576 bytes of memory
4 path entries using 320 bytes of memory
2/1 BGP path/bestpath attribute entries using 320 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1216 total bytes of memory
BGP activity 4/0 prefixes, 4/0 paths, scan interval 60 secs

Neighbor   V  AS     MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
10.1.1.2   4  65001  23       25       5       0    0     00:12:34  2
10.1.2.2   4  65002  18       20       5       0    0     00:10:15  1
```

Based on this output, which statement is correct?

A.Both BGP neighbors are in the Established state.
B.Neighbor 10.1.2.2 is in the Idle state.
C.The local AS number is 65002.
D.Neighbor 10.1.1.2 is in AS 65002.
AnswerA

The State/PfxRcd column shows numbers (2 and 1), indicating established state with prefixes received.

Why this answer

The 'show bgp vpnv4 vrf RED summary' command displays BGP neighbors for VRF RED. It shows two neighbors: 10.1.1.2 (AS 65001) and 10.1.2.2 (AS 65002). Both are in the Established state with prefixes received.

The neighbor 10.1.1.2 has received 2 prefixes, and 10.1.2.2 has received 1 prefix.

802
MCQmedium

In DMVPN Phase 3, which NHRP feature allows spokes to learn the NBMA address of other spokes without sending a resolution request?

A.NHRP redirect
B.NHRP shortcut
C.NHRP registration
D.NHRP resolution
AnswerA

NHRP redirect is the mechanism that tells a spoke to resolve the NBMA address of another spoke directly.

Why this answer

NHRP redirect is used in Phase 3 to inform spokes about better paths. The hub sends a redirect message to a spoke when it forwards a packet to another spoke, allowing the first spoke to learn the NBMA address of the second spoke.

803
MCQmedium

Consider the following EEM applet configuration:

```
event manager applet INTERFACE_DOWN
 event syslog pattern "%LINEPROTO-5-UPDOWN"
 action 1.0 if $syslog_severity eq 5
 action 2.0 cli command "enable"
 action 3.0 cli command "clear counters"
```

What will happen when a syslog message matching the pattern is generated?

A.The applet will execute the CLI commands only if the syslog severity is exactly 5.
B.The applet will execute the CLI commands unconditionally because the 'if' action is misconfigured.
C.The applet will fail to register because the 'if' action requires an 'else' clause.
D.The applet will clear the counters only for the interface that generated the syslog message.
AnswerB

Correct. Without the 'end' statement, the 'if' block is not properly closed, and the CLI commands will be executed regardless of the condition in many IOS versions.

Why this answer

The applet uses an 'if' action to check the syslog severity. If the severity is 5 (notification), the CLI commands are executed. However, the 'if' action is not closed with an 'end' statement, which is required.

As a result, the applet will encounter a syntax error and may not execute correctly, or the CLI commands may be executed unconditionally depending on the IOS version.

804
MCQhard

A network engineer configures CoPP on a router that is a DMVPN hub. The policy includes a class-map to match NHRP traffic and police it. After deployment, spoke-to-spoke tunnels fail to establish, although spoke-to-hub tunnels work. Which is the most likely explanation?

A.The CoPP policy drops IPsec packets, which are used for spoke-to-spoke encryption.
B.The CoPP policy polices NHRP traffic, causing NHRP redirect packets from the hub to be dropped, so spokes cannot learn each other's addresses.
C.The CoPP policy is applied to the tunnel interface, not the control plane.
D.The CoPP policy uses the default class class-default, which blocks NHRP.
AnswerB

NHRP redirects are essential for spoke-to-spoke communication; policing them breaks the dynamic tunnel setup.

Why this answer

In DMVPN Phase 2, NHRP traffic between spokes is redirected through the hub. If CoPP polices NHRP traffic too aggressively, the NHRP redirect packets from the hub are dropped, preventing spoke-to-spoke tunnel establishment.

805
MCQhard

A router has CoPP configured with a class-map that matches all traffic and polices it to 10000 pps. The router also has IPsec configured for a site-to-site VPN. After applying CoPP, the IPsec tunnel goes up, but traffic through the tunnel is intermittently dropped. Which is the most likely explanation?

A.CoPP drops ESP packets, which are data plane traffic.
B.CoPP drops IKE packets during rekey, causing the IPsec tunnel to fail temporarily.
C.IPsec uses TCP, and CoPP only polices UDP.
D.The CoPP policy is applied to the tunnel interface, not the control plane.
AnswerB

IKE packets are control plane; if dropped, the tunnel may not rekey properly, causing traffic loss.

Why this answer

IPsec uses control plane packets for IKE (UDP 500) and ESP/AH. CoPP polices all traffic to the control plane, including IKE packets. If IKE packets are dropped, the tunnel may rekey incorrectly, causing traffic drops.

Additionally, encapsulated traffic may be subject to CoPP if it hits the control plane.

806
MCQeasy

Which DHCPv4 message type does a client send to request a specific IP address previously offered?

A.DHCPDISCOVER
B.DHCPOFFER
C.DHCPREQUEST
D.DHCPACK
AnswerC

DHCPREQUEST is sent by the client to request the offered IP address.

Why this answer

The DHCPREQUEST message is used by the client to accept an offer and request the offered IP address, as defined in RFC 2131.

807
MCQhard

A network engineer is troubleshooting suboptimal routing in a DMVPN Phase 2 deployment. Hub router R1 has the following configuration:

```
route-map SET-NEXT-HOP permit 10
 match ip address prefix-list SPOKE-NET
 set ip next-hop 10.0.0.1
```

On spoke R2, 'show ip route 192.168.1.0' points to the hub (R1) instead of directly to another spoke (R3), and 'show dmvpn' shows no spoke-to-spoke tunnels established. What is the root cause?

A.The route-map SET-NEXT-HOP incorrectly sets the next-hop to the hub, preventing NHRP from establishing direct spoke-to-spoke tunnels.
B.The prefix-list SPOKE-NET does not include the network 192.168.1.0.
C.The NHRP authentication is mismatched between R2 and R3.
D.The tunnel interface on R2 is not configured with ip nhrp redirect.
AnswerA

By setting the next-hop to the hub, R2 sees R1 as the next-hop for 192.168.1.0, so it does not attempt to build a direct tunnel to R3. NHRP requires the next-hop to be the remote spoke's tunnel IP.

Why this answer

In DMVPN Phase 2, spoke-to-spoke tunnels require that the next-hop in the routing table not be changed to the hub. The route-map SET-NEXT-HOP on R1 is setting the next-hop to the hub's tunnel IP (10.0.0.1) for routes matching SPOKE-NET. This causes spokes to see the hub as the next-hop for other spoke networks, preventing NHRP from triggering a spoke-to-spoke tunnel.

The correct behavior is to not set the next-hop (or set it to itself) so that spokes use the original next-hop (the other spoke's tunnel IP) and NHRP can resolve it.

808
MCQmedium

A network engineer is troubleshooting a router that is not sending SNMP traps for a specific interface down event. The engineer has an EEM applet configured to send an SNMP trap when the interface goes down. The applet uses event syslog pattern 'LINK-3-UPDOWN' and action snmp-trap. The interface goes down, but no trap is sent. What is the most likely cause?

A.The syslog pattern 'LINK-3-UPDOWN' is incorrect; the correct pattern is 'LINK-5-CHANGED'.
B.The EEM applet is not registered with the SNMP agent.
C.The SNMP trap action requires an SNMP community string to be specified in the applet.
D.The SNMP trap destination is not configured globally.
AnswerD

Correct because the EEM applet's SNMP trap action sends traps to the configured SNMP trap receivers; if none are configured, the trap is not sent.

Why this answer

The EEM applet is triggered by a syslog message, but the syslog message may not be generated for that specific interface, or the SNMP trap action may require additional configuration such as an SNMP community or target host.

809
MCQeasy

A network engineer runs the following command to troubleshoot IPsec with route-maps:

R1# show crypto ipsec transform-set
Transform set combined: { esp-aes 256 esp-sha-hmac }
   will negotiate = { Transport, }
Transform set ESP-AES: { esp-aes 256 esp-sha-hmac }
   will negotiate = { Tunnel, }

What does this output indicate?

A.There are two transform sets configured, one using transport mode and one using tunnel mode.
B.The transform set 'combined' is not valid.
C.IPsec is not configured because no transform set is active.
D.The transform set 'ESP-AES' is used for route-map filtering.
AnswerA

The output shows two transform sets with different modes: transport and tunnel.

Why this answer

The output shows two IPsec transform sets: 'combined' and 'ESP-AES'. The 'combined' set uses transport mode, while 'ESP-AES' uses tunnel mode. This indicates that different transform sets are configured for different purposes.

810
MCQhard

MPLS LDP neighbors are not forming between two directly connected routers. Router R1 has the following relevant configuration:

interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.252
 mpls ip

Router R2 shows:

show mpls ldp neighbor
No LDP neighbors
show mpls ldp discovery
Local LDP Identifier: 10.1.1.1:0
Discovery Sources:
Interfaces:
GigabitEthernet0/0 (ldp): xmit/recv
LDP: no Hello adjacencies

What is the root cause?

A.An ACL or CoPP is blocking LDP UDP port 646 or TCP session.
B.The mpls ip command is missing on R2's interface.
C.The LDP router ID is not reachable; check loopback interfaces.
D.The label distribution method is different; use 'label distribution cdp' instead.
AnswerA

LDP uses UDP 646 for hellos and TCP 646 for session; if blocked, no adjacency forms.

Why this answer

LDP hello packets are being sent and received (xmit/recv), but no adjacency forms. This could be due to ACL blocking UDP 646, or CoPP rate-limiting LDP packets. The correct fix is to check ACLs and CoPP policies that may drop LDP hello or session packets.

811
MCQhard

What is the default DHCPv4 client lease time on a Cisco IOS-XE router configured as a DHCP client?

A.3600 seconds (1 hour)
B.43200 seconds (12 hours)
C.86400 seconds (1 day)
D.1800 seconds (30 minutes)
AnswerC

Cisco IOS-XE DHCP client requests a lease time of 86400 seconds by default.

Why this answer

Cisco IOS-XE defaults to a DHCPv4 lease time of 86400 seconds (1 day) when acting as a client, per RFC 2131 and Cisco implementation.

812
MCQmedium

A network engineer is troubleshooting an MPLS L2VPN (VPWS) where the pseudowire between two PE routers is down. The show mpls l2transport vc command displays state 'down' and the VC ID is correct on both ends. The engineer checks the MPLS LDP session and sees it is up, but the targeted LDP session for the pseudowire is not established. What is the most likely cause?

A.The mpls ldp neighbor command is missing on one or both PEs.
B.The VC ID does not match on both ends.
C.The IGP is not converging, causing reachability issues.
D.The mpls label protocol ldp command is missing globally.
AnswerA

Correct because targeted LDP sessions require explicit configuration using the mpls ldp neighbor command to initiate the session for pseudowire signaling.

Why this answer

For a pseudowire to be established, a targeted LDP session is required between the two PE routers. If the targeted LDP session is not established, the pseudowire cannot exchange labels. The most common cause is that the mpls ldp neighbor command is missing or misconfigured on one or both PEs.

813
MCQmedium

A network engineer runs the following command on Router R1:

R1# show ipv6 access-list PERMIT-ONLY
IPv6 access list PERMIT-ONLY
    permit ipv6 2001:DB8:3::/48 any sequence 10

Based on this output, what is the effect of this access list when applied to an interface?

A.It permits all IPv6 traffic
B.It permits only IPv6 traffic from 2001:DB8:3::/48 and denies everything else
C.It denies all IPv6 traffic from 2001:DB8:3::/48
D.It permits all IPv6 traffic except from 2001:DB8:3::/48
AnswerB

The permit statement allows the prefix, and the implicit deny denies all other traffic.

Why this answer

Option B is correct because an IPv6 access list, like its IPv4 counterpart, has an implicit deny all at the end. The single permit entry for source 2001:DB8:3::/48 allows only traffic from that prefix; all other IPv6 traffic is denied by the implicit deny ipv6 any any rule.

Exam trap

Cisco often tests the implicit deny any any behavior in IPv6 ACLs, tricking candidates into thinking that a single permit entry allows all traffic or that the ACL only filters the specified prefix without affecting other traffic.

How to eliminate wrong answers

Option A is wrong because the access list does not permit all IPv6 traffic; it only permits traffic from 2001:DB8:3::/48, and the implicit deny blocks everything else. Option C is wrong because the permit action explicitly allows traffic from 2001:DB8:3::/48 rather than denying it. Option D is wrong because the access list permits only the specified prefix, not all traffic except that prefix; the implicit deny blocks all other traffic, and traffic from 2001:DB8:3::/48 is permitted, not denied.

814
MCQhard

An engineer configures an IPsec site-to-site VPN. The tunnel comes up, but no traffic passes. The engineer checks the crypto map and access-lists. Which is the most likely explanation?

A.The crypto map is applied to the wrong interface, causing the traffic to bypass encryption.
B.The access-list defining interesting traffic is missing the 'permit' statement for the actual traffic flow.
C.The IPsec transform set uses ESP with no encryption, so traffic is sent in clear.
D.The IKE phase 1 policy uses aggressive mode, which is incompatible with the crypto map.
AnswerB

IPsec only encrypts traffic that matches the permit statements in the crypto access-list. If the traffic is not matched, it is sent in clear or dropped, depending on the crypto map configuration.

Why this answer

Option B is correct because the access-list defining interesting traffic for the crypto map must explicitly include a 'permit' statement for the traffic that should be encrypted. Without this permit, the router will not classify the traffic as interesting, so IPsec will not attempt to encrypt it, and the traffic will be dropped or sent in clear depending on the crypto map configuration. The tunnel can still come up because IKE and IPsec SA negotiation is triggered by interesting traffic, but if the access-list is missing the permit, no traffic triggers the SA establishment, and existing SAs may remain idle.

Exam trap

Cisco often tests the misconception that a crypto map applied to an interface automatically encrypts all traffic, when in reality the access-list must explicitly permit the traffic to be encrypted, and a missing permit causes the tunnel to appear up but pass no traffic.

How to eliminate wrong answers

Option A is wrong because if the crypto map is applied to the wrong interface, the tunnel would likely not come up at all, or traffic on the correct interface would not be encrypted, but the question states the tunnel comes up, indicating the crypto map is correctly applied to at least one interface. Option C is wrong because an IPsec transform set using ESP with no encryption (ESP-NULL) still provides authentication and integrity, but the traffic would be sent in clear only if encryption is disabled; however, the tunnel coming up and no traffic passing is not explained by this, as traffic would still pass (in clear) if the transform set were misconfigured. Option D is wrong because IKE phase 1 aggressive mode is compatible with crypto maps; it is a negotiation mode that exchanges more information in fewer packets, but it does not prevent traffic from passing once the tunnel is established.

815
MCQeasy

Which SNMPv3 message type is used by an SNMP agent to send unsolicited notifications to a manager?

A.GetRequest
B.Response
C.Trap or Inform
D.GetBulkRequest
AnswerC

Traps and informs are unsolicited notifications from agent to manager; informs require acknowledgment.

Why this answer

SNMPv3 uses the same PDU types as v2c; traps and informs are both used for unsolicited notifications.

816
MCQhard

An engineer configures EIGRP named mode on a router. The neighbor adjacency forms, but the router does not install any routes from the neighbor. The engineer checks and confirms that the neighbor is not configured as a stub. What is the most likely explanation?

A.The 'default-information' is not allowed in named mode by default, so default routes are not accepted.
B.The 'af-interface' has 'split-horizon' enabled by default, preventing the neighbor from advertising routes learned from the same interface.
C.The 'metric weights' are mismatched between the two routers.
D.The 'log-neighbor-changes' command is missing, causing route installation to be suppressed.
AnswerB

In EIGRP named mode, split horizon is enabled by default on the af-interface. If the neighbor is reachable via the same interface that the router uses to send updates, split horizon can block the neighbor from advertising routes back, causing no routes to be installed.

Why this answer

In EIGRP named mode, the default behavior for the 'af-interface' is to have 'no passive-interface' but the default for 'hello-interval' and 'hold-time' may differ from classic mode. However, a common edge case is that the 'af-interface' default for 'split-horizon' is enabled, which can prevent the neighbor from advertising routes back if the same interface is used for multiple neighbors. But the key issue here is that named mode uses a different default for 'default-information'—it is not allowed unless explicitly configured, and the neighbor may be sending a default route that is not accepted.

817
Multi-Selectmedium

Which THREE commands can be used to troubleshoot DHCPv6 client address assignment issues on a Cisco IOS router acting as a DHCPv6 client? (Choose THREE.)

Select 3 answers
A.show ipv6 dhcp interface
B.debug ipv6 dhcp detail
C.show ipv6 interface
D.show ip dhcp binding
E.show ipv6 dhcp pool
AnswersA, B, C

Displays DHCPv6 client state, server address, and lease information.

Why this answer

Option A is correct because 'show ipv6 dhcp interface' displays the DHCPv6 client state, including the assigned IPv6 address, prefix, and server information for a specific interface. This command directly shows whether the client has successfully obtained an address via DHCPv6.

Exam trap

Cisco often tests the distinction between DHCPv4 and DHCPv6 commands, expecting candidates to know that 'show ip dhcp binding' is IPv4-only and 'show ipv6 dhcp pool' is server-side, not client-side.

818
MCQmedium

A network engineer runs the following command on Router R1:

R1# show ip policy
Interface Route-map
GigabitEthernet0/0 PBR-DEFAULT
R1# show route-map PBR-DEFAULT
route-map PBR-DEFAULT, permit, sequence 10
  Match clauses:
    ip address (access-lists): 150
  Set clauses:
    ip next-hop 10.0.0.2
  Policy routing matches: 0 packets, 0 bytes
route-map PBR-DEFAULT, deny, sequence 20
  Match clauses:
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
R1# show access-lists 150
Extended IP access list 150
    10 permit ip 192.168.1.0 0.0.0.255 any
R1# show ip route 10.0.0.2
Routing entry for 10.0.0.2/32
  Known via "ospf 1", distance 110, metric 20
  Last update from 10.1.1.2 on GigabitEthernet0/1

Based on this output, what is the most likely problem?

A.The deny sequence 20 is blocking all traffic from being policy-routed.
B.No traffic matching ACL 150 is arriving on GigabitEthernet0/0.
C.The next-hop 10.0.0.2 is unreachable.
D.The route map is missing a permit statement.
AnswerB

Zero matches on both sequences indicate no packets are being evaluated by the route map.

Why this answer

The route map has a deny sequence 20 with no match clause, which means it matches all packets. Since route maps are processed in order, if sequence 10 does not match (zero matches), sequence 20 will match all remaining packets and deny them (i.e., not apply PBR), causing them to be routed normally. However, the counters show zero for both sequences, indicating no traffic is being processed at all, likely because no traffic matching ACL 150 arrives on the interface.

819
MCQeasy

In IPsec site-to-site VPN, what is the default lifetime for ISAKMP (IKE phase 1) security associations on Cisco IOS routers?

A.3600 seconds (1 hour)
B.86400 seconds (24 hours)
C.28800 seconds (8 hours)
D.1800 seconds (30 minutes)
AnswerB

This is the Cisco default for ISAKMP lifetime.

Why this answer

The default lifetime for ISAKMP (IKE phase 1) security associations on Cisco IOS routers is 86400 seconds (24 hours). This is defined in the Cisco IOS default configuration for the `crypto isakmp policy` and is the recommended value to balance security and performance by reducing the frequency of re-authentication and Diffie-Hellman key exchanges.

Exam trap

Cisco often tests the distinction between IKE phase 1 and IPsec phase 2 default lifetimes, so the trap here is confusing the 86400-second (24-hour) default for ISAKMP with the 3600-second (1-hour) default for IPsec SAs.

How to eliminate wrong answers

Option A is wrong because 3600 seconds (1 hour) is the default lifetime for IPsec (IKE phase 2) security associations, not for ISAKMP phase 1. Option C is wrong because 28800 seconds (8 hours) is a common user-configured value but is not the Cisco IOS default for ISAKMP. Option D is wrong because 1800 seconds (30 minutes) is too short for phase 1 and is typically used for aggressive rekeying scenarios, not the default.

820
Multi-Selecthard

Which TWO statements about IPv6 First Hop Security (FHS) RA Guard are true? (Choose TWO.)

Select 2 answers
A.The default RA Guard policy action is to block Router Advertisements from unauthorized ports.
B.RA Guard validates the source MAC address of Router Advertisements against the IPv6 source address.
C.The default RA Guard policy action is to log Router Advertisements from unauthorized ports.
D.RA Guard can be applied on a per-interface or per-VLAN basis using a policy map.
E.RA Guard is typically enabled on trunk ports to protect against rogue RAs from other VLANs.
AnswersA, D

Correct. The default action for an RA Guard policy is 'block', which drops unauthorized RAs.

Why this answer

RA Guard is a feature that blocks unauthorized Router Advertisement messages. It relies on policy enforcement based on port and VLAN, not on source MAC or a trust boundary per se. The default policy action is 'block', and the feature can be applied globally or per interface.

Option A is correct because the default action is to block RAs from unauthorized ports. Option D is correct because RA Guard operates on Layer 2 interfaces and can be applied to a range of VLANs. Option B is incorrect because the feature does not validate source MAC; it checks the router preference and hop limit.

Option C is incorrect because the default policy action is 'block', not 'log'. Option E is incorrect because RA Guard is typically applied on access ports, not trunk ports, and trunk ports often carry multiple VLANs where RA Guard might interfere with legitimate routers.

821
MCQmedium

A network engineer runs the following command to troubleshoot a Device Access Control issue:

R1# show ip bgp vpnv4 vrf CUSTOMER-A 10.10.10.0/24
BGP routing table entry for 10.10.10.0/24, version 2
Paths: (1 available, best #1, table CUSTOMER-A)
  Not advertised to any peer
  Refresh Epoch 1
  Local
    10.1.1.2 from 10.1.1.2 (10.1.1.2)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      Extended Community: RT:100:100
      mpls labels in/out nolabel/101

What does this output indicate?

A.The route 10.10.10.0/24 is installed in VRF CUSTOMER-A with an MPLS label of 101 for forwarding.
B.The route 10.10.10.0/24 is not installed because it is not advertised to any peer.
C.The route 10.10.10.0/24 is learned from an external BGP peer.
D.The route 10.10.10.0/24 has no MPLS label and will be forwarded using IP lookup.
AnswerA

The output shows the route is best and has an MPLS label of 101 for outbound forwarding.

Why this answer

The output shows that the route 10.10.10.0/24 is installed in VRF CUSTOMER-A (table CUSTOMER-A) with an MPLS label of 101 for outgoing forwarding, as indicated by 'mpls labels in/out nolabel/101'. The route is valid, internal, and best, meaning it is used for forwarding despite not being advertised to any peer. This confirms that the MPLS label is applied for forwarding within the VRF context.

Exam trap

Cisco often tests the misconception that 'not advertised to any peer' means the route is not installed or usable, but in MPLS VPN contexts, a route can be installed and used for forwarding even if it is not advertised to BGP peers.

How to eliminate wrong answers

Option B is wrong because the route is marked as 'best' and installed in the VRF table, so it is used for forwarding even though it is not advertised to any peer; non-advertisement does not prevent installation. Option C is wrong because the path is labeled 'Local' and 'internal', and the neighbor 10.1.1.2 is an iBGP peer (same AS), not an external BGP peer. Option D is wrong because the output explicitly shows an MPLS label of 101 for outgoing packets, so forwarding will use label switching, not IP lookup.

822
MCQmedium

What is the default value for the 'active flow timeout' in a Flexible NetFlow monitor on Cisco IOS-XE?

A.15 minutes
B.30 minutes
C.60 minutes
D.5 minutes
AnswerB

Correct. The default active flow timeout is 30 minutes.

Why this answer

The default active flow timeout is 30 minutes, after which long-lived flows are exported regardless of activity.

823
MCQhard

Two routers, R1 and R2, are connected via an Ethernet link, but OSPF adjacency is not forming. Router R1 has the following relevant configuration:

interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.252
 ip ospf network point-to-multipoint
 ip ospf 1 area 0

Router R2 shows:

show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
10.1.1.2 1 FULL/DR 00:00:35 10.1.1.2 GigabitEthernet0/0

But R2's configuration:

interface GigabitEthernet0/0
 ip address 10.1.1.2 255.255.255.252
 ip ospf network broadcast
 ip ospf 1 area 0

What is the root cause?

A.Network type mismatch; change both to point-to-point or broadcast.
B.The subnet mask is /30, which is not supported with point-to-multipoint.
C.The OSPF area is mismatched; both are area 0.
D.The IP addresses are on different subnets; both are 10.1.1.0/30.
AnswerA

Point-to-multipoint and broadcast have different hello and DR election behaviors, causing adjacency failure.

Why this answer

OSPF network type mismatch: R1 is configured as point-to-multipoint, which does not elect DR/BDR and uses multicast 224.0.0.5 for all neighbors. R2 is broadcast, expecting DR/BDR election and using 224.0.0.6 for DR/BDR communication. This mismatch prevents proper adjacency formation, though R2 sees R1 as FULL due to unidirectional hello.

The correct fix is to match network types.

824
MCQmedium

A network engineer is troubleshooting a manual IPv6-in-IPv4 tunnel between two Cisco routers. The tunnel is up, and both routers can ping each other's tunnel IPv6 addresses. However, traffic from a host behind Router A to a host behind Router B fails. The engineer notices that Router A has a route to the remote IPv6 prefix via the tunnel, but Router B does not have a route to the local IPv6 prefix. What is the most likely cause?

A.Router B is missing a static route pointing the local IPv6 prefix to the tunnel interface.
B.The tunnel mode is set to 'ipv6ip 6to4' instead of 'ipv6ip'.
C.The tunnel source on Router B is misconfigured with the wrong IPv4 address.
D.The IPv6 access-list on Router B is blocking incoming traffic from the local prefix.
AnswerA

Correct because without a return route, Router B cannot forward packets destined to the local prefix, breaking bidirectional communication.

Why this answer

The tunnel is up and both routers can ping each other's tunnel IPv6 addresses, confirming that the tunnel itself is operational. However, traffic from a host behind Router A to a host behind Router B fails because Router B lacks a route back to the local IPv6 prefix (the network behind Router A). For bidirectional communication, both routers must have a route to the remote IPv6 prefix pointing to the tunnel interface.

Since Router B is missing this static route, it cannot forward return traffic into the tunnel, causing the failure.

Exam trap

Cisco often tests the distinction between tunnel reachability (Layer 3 connectivity between tunnel endpoints) and prefix reachability (routing of actual user networks), leading candidates to overlook the missing static route on the return path.

How to eliminate wrong answers

Option B is wrong because 'ipv6ip 6to4' is a 6to4 tunnel mode that uses an automatic addressing scheme (2002::/16) and requires a different configuration; the question describes a manual IPv6-in-IPv4 tunnel, which uses 'tunnel mode ipv6ip' (or 'tunnel mode ipv6ip [ipv4]'). Option C is wrong because if the tunnel source on Router B were misconfigured with the wrong IPv4 address, the tunnel would not be up and the routers could not ping each other's tunnel IPv6 addresses. Option D is wrong because the problem states that Router B does not have a route to the local IPv6 prefix; an IPv6 access-list blocking traffic would cause a different symptom (e.g., packets dropped at the interface) but the routing table would still contain the route.

825
MCQmedium

A network engineer runs the following command on Router R1:

R1# show flow monitor FLOW-MONITOR-1 cache format table
Cache type: Normal
Cache size: 1000
Current entries: 0
High Watermark: 0
Flows added: 0
Flows aged: 0
- Active timeout (1800 secs) 0
- Inactive timeout (15 secs) 0
- Event aged 0
- Watermark aged 0
- Emergency aged 0

Based on this output, what is the most likely problem?

A.The cache size is too small at 1000 entries.
B.The flow monitor is not applied to any interface.
C.The active timeout is too long at 1800 seconds.
D.The cache type is Normal, which requires a sampler.
AnswerB

With 0 flows added and 0 current entries, the monitor is not receiving traffic. This is typical when it is not attached to an interface.

Why this answer

The cache shows 0 current entries and 0 flows added, indicating no traffic is being captured. This often means the flow monitor is not applied to any interface.
