Cisco CCNP ENARSI 300-410 (300-410) — Questions 826–900

2152 questions total · 29 pages · All types, answers revealed

Page 12 of 29

826
MCQ · medium

A network engineer is troubleshooting a router that is not responding to ICMP echo requests from a management station at 10.10.10.1. The router has an ACL applied to the VTY lines that permits only 10.10.10.0/24. The engineer can telnet to the router from the management station. What is the most likely cause?

A. The VTY ACL also applies to ICMP traffic.
B. An inbound ACL on the interface denies ICMP from 10.10.10.1.
C. The router has 'no ip icmp echo' configured globally.
D. The management station is not in the routing table of the router.
Answer: B

Since Telnet works, the VTY ACL is not the issue; an interface ACL blocking ICMP is the likely cause.

Why this answer

Telnet is permitted by the VTY ACL, but ICMP is controlled by an interface ACL or the global 'ip icmp rate-limit' feature. The most likely cause is an inbound ACL on the interface that denies ICMP from the management station.

827
MCQ · easy

A network engineer runs the following command on Router R1:

    R1# show bfd neighbors detail
    IPv4 Sessions
    NeighborAddr    LD/RD    Int      State    Holdown(mult)    Intf
    10.1.1.2        1/3      Gi0/0    Up       3000(3)          Gi0/0
    Session state is UP and not using echo function.
    OurAddr: 10.1.1.1
    Handle: 1
    Local Diag: 0, Demand mode: 0, Poll bit: 0
    MinTxInt: 1000000, MinRxInt: 1000000, Multiplier: 3
    Received MinRxInt: 1000000, Received Multiplier: 3
    Holddown (hits): 3000(0)
    Rx Count: 100, Tx Count: 100

Based on this output, what is the BFD session's remote discriminator?

A. The remote discriminator is 3.
B. The remote discriminator is 1.
C. The remote discriminator is 10.1.1.2.
D. The remote discriminator is 10.1.1.1.
Answer: A

The RD (Remote Discriminator) is 3 as shown in the output.

Why this answer

The remote discriminator is the RD value shown in the output. In this case, it is 3.

828
MCQ · hard

An engineer configures a BGP route reflector with two clients. One client advertises a prefix to the route reflector. The route reflector reflects the prefix to the other client, but the second client does not install it in its routing table. The second client has a lower administrative distance for the same prefix from another protocol. Which is the most likely explanation?

A. The second client has a route from another protocol (e.g., OSPF) with a lower administrative distance for the same prefix, so BGP route is not installed.
B. The route reflector does not set the next-hop-self, so the next-hop is unreachable from the second client.
C. The route reflector is not configured as a client on the second router.
D. The BGP synchronization rule is enabled and the prefix is not in the IGP.
Answer: A

Administrative distance is used to select the best route when multiple protocols provide the same prefix; a lower AD wins.

Why this answer

BGP route reflectors do not modify the path attributes, including the next-hop. If the next-hop is not reachable from the second client, the route will not be installed. However, a more subtle edge case is that the route reflector may reflect the route with the originator ID, but the client may have a route from another protocol with a lower AD, preventing the BGP route from being installed.

829
MCQ · hard

An MPLS network with routers R1, R2, and R3 is experiencing label distribution failures. R1 and R2 are LDP neighbors. On R2, 'show mpls ldp neighbor' shows R1 in state OPERATIONAL, but 'show mpls forwarding-table' shows no labels for prefixes from R3. R3 is connected to R2 via a different interface. R2 configuration: 'mpls ip' on both interfaces. On R1, 'show mpls ldp bindings' includes prefixes from R3. What is the root cause?

A. The interface between R2 and R3 is missing the 'mpls ip' command, preventing LDP from establishing a session and exchanging labels.
B. The LDP router ID on R2 is set to a loopback that is not reachable from R3.
C. R3 is using a different label distribution protocol, such as TDP.
D. The MPLS label range on R2 is exhausted, preventing new label bindings.
Answer: A

LDP must be enabled on each interface where label exchange is desired; without it, no session forms, and no labels are exchanged.

Why this answer

The issue is that LDP is working between R1 and R2, but R2 is not receiving labels for prefixes from R3. This could be due to LDP not being enabled on the link between R2 and R3, or a mismatch in LDP router IDs. The fact that R1 has bindings for R3's prefixes suggests that R3 is advertising them to R1, but R2 is not receiving them.

The root cause is likely that the LDP session between R2 and R3 is not established due to a missing 'mpls ip' on the interface or an LDP router ID issue.

830
MCQ · hard

In a VRF-Lite network, redistribution is configured between OSPF and EIGRP. The engineer notices that some routes are being redistributed in a loop, causing instability. The network uses route tagging, but the loop persists. Which is the most likely explanation?

A. The route tag is not being propagated correctly because OSPF uses a 32-bit tag and EIGRP uses a 32-bit tag, but the tag is lost during redistribution.
B. The seed metric for EIGRP is set to a low value (e.g., 1), causing the redistributed route to be preferred over the original OSPF route, leading to a loop.
C. The administrative distance of OSPF (110) is lower than EIGRP (90), so the redistributed route is always preferred.
D. The 'redistribute connected' command is used under OSPF, which redistributes all connected interfaces, including the loopback used for router ID.
Answer: B

If the seed metric is too low, the redistributed route may have a lower composite metric than the original, causing it to be selected and re-redistributed, creating a loop.

Why this answer

Mutual redistribution can cause routing loops if routes are not properly tagged and filtered. However, even with tags, if the seed metric is not set correctly, the redistributed route may have a lower metric than the original, causing it to be preferred and re-redistributed. The edge case here is that the seed metric for EIGRP (default is infinity) must be set, but if set too low, it can cause loops.

Additionally, if the same prefix exists in both protocols, the administrative distance comparison may cause the redistributed route to be preferred over the original, leading to a loop.

831
MCQ · hard

An engineer configures IPsec on a DMVPN Phase 2 network using a transform set with ESP-AES-256-SHA. The hub and spokes are configured identically. Unexpectedly, the IPsec tunnel fails to establish, and debug output shows 'no matching crypto map entry' on the spoke. Which is the most likely explanation?

A. The crypto map on the spoke uses a dynamic map, but the hub is configured with a static crypto map entry for the spoke, causing a mismatch in the IPsec negotiation.
B. The transform set uses ESP-AES-256-SHA, but the hub is configured with ESP-AES-256-SHA-HMAC, causing a mismatch in the authentication algorithm.
C. The IPsec pre-shared key is configured correctly, but the ISAKMP policy uses aggressive mode, which is incompatible with DMVPN.
D. The spoke's tunnel interface is not in 'ip nhrp network-id' mode, causing NHRP to fail and IPsec to not trigger.
Answer: A

In DMVPN, the hub typically uses a static crypto map with multiple peers, while spokes use a dynamic crypto map to accept connections from any hub. If the spoke incorrectly uses a static map, or the hub uses a dynamic map, the negotiation fails.

Why this answer

In DMVPN, the crypto map is applied to the tunnel interface. However, if the spoke's crypto map does not match the hub's due to a missing or mismatched 'match address' access-list (interesting traffic definition), the IPsec tunnel will not initiate. The corner case is that in DMVPN, the interesting traffic is typically defined by the tunnel network itself (e.g., IPsec protects traffic between tunnel IPs).

If the access-list uses the wrong source/destination, or if the crypto map is not correctly applied to the tunnel interface, the IPsec negotiation fails. Additionally, if the crypto map uses dynamic maps for the spoke, but the hub is configured with a static map, a mismatch can occur.

832
MCQ · medium

Consider this partial configuration:

    ip nat inside source list 1 interface GigabitEthernet0/1 overload
    access-list 1 permit 192.168.1.0 0.0.0.255
    !
    interface GigabitEthernet0/0
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
    !
    interface GigabitEthernet0/1
     ip address 203.0.113.1 255.255.255.0
     ip nat outside
    !
    interface GigabitEthernet0/2
     ip address 172.16.0.1 255.255.255.0
     ip nat inside

What is true about traffic from the 172.16.0.0/24 network?

A. It is translated using PAT to 203.0.113.1.
B. It is not translated and will be forwarded with its original source IP.
C. It is dropped because NAT is required for all inside interfaces.
D. It is translated using a different pool because it is on a separate inside interface.
Answer: B

Traffic not matching the ACL is not subject to NAT; it is routed normally.

Why this answer

The ACL (access-list 1) only permits 192.168.1.0/24. Traffic from 172.16.0.0/24 is not matched and therefore not translated.

833
MCQ · hard

A network uses PBR to route traffic from a specific subnet (172.16.1.0/24) through a WAN link (next-hop 10.10.10.2). After a routing change, traffic from this subnet is being sent to the WAN link but is not reaching the destination. On router R1, 'show route-map' shows the route-map is applied and 'debug ip policy' shows traffic being forwarded to 10.10.10.2, but 'show ip route' shows a route to the destination via a different next-hop (10.20.20.2). What is the root cause?

A. The next-hop 10.10.10.2 does not have a route to the destination, causing traffic to be dropped. Ensure the next-hop has a route to the destination or use a next-hop that does.
B. The route-map on R1 is missing a 'set ip next-hop verify-availability' command, causing PBR to use an unreachable next-hop.
C. The routing table on R1 has a better route to the destination via 10.20.20.2, but PBR is overriding it incorrectly.
D. The ACL in the route-map is matching traffic from the wrong subnet, causing PBR to be applied to the wrong traffic.
Answer: A

PBR forwards traffic to the set next-hop, but if that next-hop does not have a route to the destination, the traffic will be dropped. This is a common issue when PBR is used to steer traffic through a specific path that does not have full routing information.

Why this answer

PBR forwards traffic to the set next-hop (10.10.10.2), but the routing table on R1 shows a different route to the destination. This indicates that PBR is overriding the routing table, but the next-hop 10.10.10.2 may not have a route to the destination, causing the traffic to be dropped. The solution is to ensure the next-hop has a route to the destination or use a different next-hop.

834
MCQ · easy

What is the default seed metric used by Cisco IOS when redistributing routes into RIP?

A. 0
B. 1
C. 15
D. 16
Answer: A

RIP uses a default metric of 0 for redistributed routes, meaning they are not advertised until a metric is set.

Why this answer

By default, RIP assigns a seed metric of 0 to redistributed routes, which makes them unreachable unless a metric is explicitly configured.

835
MCQ · hard

An engineer configures ERSPAN on a Cisco router to monitor traffic on interface GigabitEthernet0/0/0 and send it to a monitoring server at 192.168.1.100. The engineer configures the ERSPAN session with a tunnel source of 10.0.0.1 and a tunnel destination of 192.168.1.100. The monitoring server receives no packets. The engineer pings 192.168.1.100 from the router and succeeds. What is the most likely cause?

A. The monitoring server does not have a route to the tunnel source IP 10.0.0.1.
B. The ERSPAN session is configured with the wrong direction.
C. The router does not support ERSPAN.
D. The monitoring server is not listening on the correct TCP port.
Answer: A

Correct because the server needs to be able to respond to or process GRE packets; if it cannot reach the tunnel source, the packets may be discarded.

Why this answer

ERSPAN uses GRE encapsulation, and the tunnel destination must be the IP address of the monitoring server that can decapsulate GRE. However, the tunnel source IP must be reachable from the server; if the server does not have a route back to the tunnel source, the encapsulated packets may be dropped.

836
Multi-Select · hard

Which THREE symptoms indicate that EIGRP is experiencing a neighbor relationship issue due to an MTU mismatch? (Choose THREE.)

Select 3 answers
A. The neighbor adjacency repeatedly goes up and down.
B. The 'show ip eigrp neighbors' command shows a high retransmission count (Retrans) for the neighbor.
C. The 'show ip eigrp topology' command shows routes in active state.
D. The neighbor may become stuck-in-active (SIA) during route convergence.
E. The 'show ip eigrp interfaces' command shows a hold time of zero.
Answers: A, B, D

MTU mismatch causes packet loss, leading to hold time expiration and neighbor resets.

Why this answer

An MTU mismatch causes EIGRP packets to be fragmented or dropped, leading to repeated retransmissions and neighbor flapping. The 'show ip eigrp neighbors' output shows increasing retransmission counts and possibly a stuck-in-active (SIA) state. The neighbor may repeatedly go up and down.

Option C is false because the 'show ip eigrp topology' shows routes, not neighbor state. Option E is false because the hold time is a timer, not a direct symptom of MTU issues.

837
MCQ · hard

An engineer configures mutual redistribution between OSPF and EIGRP on a router that is part of an IPsec site-to-site VPN. After the configuration, routing loops occur intermittently. The engineer has not used any route tagging. What is the most likely cause of the routing loops?

A. The seed metric for EIGRP redistribution is set to a low value, causing EIGRP routes to be preferred over OSPF routes.
B. Routes redistributed from OSPF into EIGRP are redistributed back into OSPF because there is no route tagging to identify them as OSPF-originated.
C. The IPsec tunnel is using transport mode, which causes routing protocol packets to be dropped.
D. The OSPF process has a higher administrative distance than EIGRP, causing route flapping.
Answer: B

Without route tagging, the router sees the redistributed routes as EIGRP routes and redistributes them back into OSPF, causing the same prefix to be advertised back to the original OSPF domain, leading to loops.

Why this answer

Without route tagging, routes redistributed from OSPF into EIGRP are not marked as OSPF-originated. When EIGRP redistributes these routes back into OSPF, OSPF accepts them as external routes, creating a mutual redistribution loop. This occurs because OSPF has no mechanism to distinguish between its own routes and those learned from EIGRP without explicit tagging (e.g., using a route-map with a tag).

Exam trap

Cisco often tests the concept that mutual redistribution without route tagging or filtering is the primary cause of routing loops, and candidates mistakenly focus on metric or administrative distance differences instead of the re-injection mechanism.

How to eliminate wrong answers

Option A is wrong because the seed metric for EIGRP redistribution affects route selection within EIGRP, not the cause of routing loops in mutual redistribution; loops arise from re-injection, not metric preference. Option C is wrong because IPsec transport mode does not drop routing protocol packets; transport mode only affects the IP header encapsulation and is unrelated to routing loop formation. Option D is wrong because administrative distance differences influence route preference but do not directly cause routing loops; route flapping is a symptom, not the root cause, and the scenario describes intermittent loops, not flapping.

838
Multi-Select · hard

Which TWO statements about the interaction between MP-BGP and the VRF routing table in an MPLS L3VPN PE router are correct? (Choose TWO.)

Select 2 answers
A. A VPNv4 route received from a remote PE is installed in the VRF routing table only if its Route Target matches an import RT configured under the VRF.
B. The Route Distinguisher (RD) is automatically removed from the VPNv4 prefix before the route is placed into the VRF routing table.
C. When a PE originates a VPNv4 route, it uses the export RT of the VRF to tag the route, and the receiving PE uses the export RT to decide whether to accept the route.
D. The next-hop of a VPNv4 route received from a remote PE is always changed to the local PE's loopback interface address before installation into the VRF.
E. The Route Distinguisher (RD) ensures that overlapping IPv4 prefixes from different customers remain unique within the MPLS VPN network.
Answers: A, E

Correct. The import RT controls which routes are accepted into the VRF.

Why this answer

In MPLS L3VPN, MP-BGP (Multiprotocol BGP) is used to exchange VPNv4 routes between PE routers. The VRF routing table is populated via the 'import' and 'export' route target (RT) mechanism. The RD makes routes unique across VRFs.

The correct statements are that a route is installed in the VRF routing table only if the received VPNv4 route's RT matches an import RT configured in the VRF, and that the RD is prepended to the IPv4 prefix to form a VPNv4 prefix. The incorrect statements describe wrong behaviors: the export RT is not used for receiving routes, the RD is not stripped before installation (it remains in the VRF as part of the prefix), and the next-hop is not changed to the PE's loopback by default unless 'next-hop-self' is configured.

839
MCQ · medium

Given the following configuration:

    ip cef
    !
    interface GigabitEthernet0/0
     ip address 10.1.1.1 255.255.255.252
     mpls ip
    !
    interface GigabitEthernet0/1
     ip address 10.2.2.1 255.255.255.252
     mpls ip
    !
    router ospf 1
     network 10.0.0.0 0.255.255.255 area 0
    !
    mpls ldp router-id Loopback0 force
    !
    interface Loopback0
     ip address 192.168.0.1 255.255.255.255

A network engineer notices that LDP sessions are not establishing. What is the most likely cause?

A. The OSPF network statement is too broad and causes routing issues.
B. The LDP router ID is not reachable because the loopback is not advertised in OSPF.
C. The 'mpls ip' command is missing on Loopback0.
D. The 'force' keyword prevents LDP from using any other interface if Loopback0 is down.
Answer: B

The loopback 192.168.0.1 is not in the OSPF domain, so neighbors cannot route to it. LDP uses the router ID as the transport address, and without reachability, sessions cannot establish.

Why this answer

The loopback is not advertised in OSPF because the network statement 10.0.0.0 0.255.255.255 does not include 192.168.0.1. The neighbor cannot reach the LDP router ID, so LDP sessions fail. This is a common oversight.

840
MCQ · easy

What is the default IKE (ISAKMP) lifetime value in Cisco IOS for IPsec Site-to-Site VPN?

A. 3600 seconds (1 hour)
B. 86400 seconds (24 hours)
C. 28800 seconds (8 hours)
D. 180 seconds (3 minutes)
Answer: B

Cisco IOS defaults IKE lifetime to 86400 seconds.

Why this answer

The default IKE (ISAKMP) lifetime in Cisco IOS for IPsec Site-to-Site VPN is 86400 seconds (24 hours). This value is defined in the ISAKMP policy and controls how long the IKE Phase 1 security association (SA) remains active before requiring re-authentication. A longer lifetime reduces the overhead of re-establishing the Phase 1 tunnel, balancing security with performance.

Exam trap

Cisco often tests the distinction between IKE Phase 1 and IPsec Phase 2 default lifetimes, and the trap here is that candidates confuse the 3600-second default of IPsec SA (Phase 2) with the 86400-second default of IKE SA (Phase 1).

How to eliminate wrong answers

Option A is wrong because 3600 seconds (1 hour) is the default IPsec (Phase 2) SA lifetime, not the IKE (Phase 1) lifetime. Option C is wrong because 28800 seconds (8 hours) is a common custom value but not the Cisco IOS default for IKE. Option D is wrong because 180 seconds (3 minutes) is far too short and would cause excessive rekeying overhead, and it is not a default for any phase in Cisco IOS.

841
MCQ · medium

Which of the following protocols has the lowest default administrative distance on a Cisco router?

A. eBGP
B. OSPF
C. Connected
D. EIGRP internal
Answer: C

Connected routes have AD 0.

Why this answer

Connected routes have an AD of 0, which is the lowest. Static routes are 1, eBGP is 20, EIGRP internal is 90.

842
MCQ · hard

An engineer configures BGP on a PE router in an MPLS L3VPN to advertise a customer prefix. The engineer notices that the prefix is not being advertised to the BGP neighbor, even though the prefix is in the routing table and the BGP session is up. The engineer checks the BGP configuration and sees that the 'network' command is configured correctly. The engineer also verifies that the prefix is not being filtered by any route-map. What is the most likely explanation?

A. BGP synchronization is enabled, and the prefix is not present in the IGP, so BGP does not advertise it.
B. The 'network' command is missing the 'mask' keyword, so BGP advertises the classful network instead.
C. The BGP neighbor is configured with 'next-hop-self', which prevents the prefix from being advertised.
D. The prefix is a connected route, and BGP requires the 'network' command to include the 'route-map' to advertise connected routes.
Answer: A

Correct. If synchronization is enabled, BGP will not advertise a prefix unless it is also in the IGP. This is a common edge case.

Why this answer

In BGP, the 'network' command advertises a prefix only if it exists in the routing table with the exact same prefix length and next-hop. A common edge case is that the prefix in the routing table has a different prefix length (e.g., a /24 is in the routing table but the 'network' command specifies a /25) or the prefix is learned via a different protocol with a different administrative distance. Another edge case is that the BGP synchronization rule (if enabled) requires the prefix to be in the IGP before it is advertised.

In MPLS L3VPN, synchronization is disabled by default, but if it is enabled, the prefix must be in the IGP. The most likely explanation is that synchronization is enabled and the prefix is not in the IGP.

843
MCQ · medium

Given the following partial configuration on router R1:

    crypto isakmp policy 10
     encryption aes 256
     authentication pre-share
     group 14
     lifetime 86400
    !
    crypto isakmp key cisco123 address 192.168.1.2
    !
    crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
     mode tunnel
    !
    crypto map CMAP 10 ipsec-isakmp
     set peer 192.168.1.2
     set transform-set TSET
     match address 101
    !
    interface GigabitEthernet0/1
     ip address 192.168.1.1 255.255.255.0
     crypto map CMAP
    !
    access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

What is the effect of this configuration?

A. IPsec tunnel is established when traffic from 10.1.1.0/24 to 10.2.2.0/24 triggers it.
B. The tunnel will only be established if the peer initiates first.
C. The transform set uses AES 256 with MD5 authentication, which is incorrect.
D. ISAKMP lifetime is set to 86400 seconds, which is too short for a site-to-site VPN.
Answer: A

ACL 101 defines interesting traffic; once matched, IKE and IPsec negotiations begin.

Why this answer

Option A is correct because the configuration uses a crypto map with 'match address 101' referencing an ACL that permits traffic from 10.1.1.0/24 to 10.2.2.0/24. This triggers IPsec SA negotiation via ISAKMP (IKEv1) only when interesting traffic is detected. The tunnel is established dynamically upon matching traffic, which is the standard behavior for a site-to-site VPN using a crypto map.

Exam trap

Cisco often tests the misconception that a crypto map tunnel requires the peer to initiate first, but the default behavior is that the local router initiates when interesting traffic is sent, unless 'responder-only' is configured.

How to eliminate wrong answers

Option B is wrong because the configuration does not include 'set passive' or 'responder-only' mode; the crypto map is applied to the interface, so R1 will actively initiate the tunnel when interesting traffic is sent, not wait for the peer. Option C is wrong because the transform set 'TSET' uses 'esp-sha-hmac', which specifies SHA (HMAC variant) for authentication, not MD5; MD5 would be 'esp-md5-hmac'. Option D is wrong because an ISAKMP lifetime of 86400 seconds (24 hours) is a standard and valid default for site-to-site VPNs; it is not too short and is commonly used.

844
MCQ · easy

A network engineer is troubleshooting a BGP route advertisement issue. Router R1 (AS 65001) has an eBGP session with R2 (AS 65002). R1 is advertising the prefix 192.168.1.0/24 to R2. On R2, the route appears in the BGP table but is not installed in the routing table. The output of 'show ip bgp 192.168.1.0/24' on R2 shows the route as valid, best, but with the 'r' flag (RIB-failure). The routing table on R2 shows a static route for 192.168.1.0/24 with administrative distance 1. What is the most likely cause?

A. The BGP route is not installed because a static route with a lower administrative distance exists for the same prefix.
B. The BGP route is not installed because the next-hop is unreachable.
C. The BGP route is not installed because BGP synchronization is enabled.
D. The BGP route is not installed because the prefix length is too long.
Answer: A

Correct because the static route (AD 1) is better than eBGP (AD 20), causing RIB-failure.

Why this answer

RIB-failure occurs when BGP tries to install a route but a route with a lower administrative distance already exists. Here, the static route (AD 1) is preferred over the eBGP route (AD 20).

845
Multi-Select · hard

Which TWO statements about the 'logging buffered' command and its interaction with other logging commands are correct? (Choose TWO.)

Select 2 answers
A. The command 'logging buffered 4096' sets the buffer size to 4096 bytes and enables logging to the buffer.
B. Disabling console logging with 'no logging console' also disables buffered logging.
C. If 'logging buffered' is configured, the buffer can be viewed using the 'show logging' command.
D. The 'logging buffered' command requires 'logging on' to be configured first; otherwise, it has no effect.
E. The 'no logging buffered' command clears the buffer and stops all logging to the buffer.
Answers: A, C

Correct. This command enables buffered logging with a buffer size of 4096 bytes.

Why this answer

The 'logging buffered' command enables logging to an internal buffer. The size can be specified in bytes. The 'logging console' and 'logging buffered' are independent; disabling one does not affect the other.

The 'logging monitor' controls terminal line logging. The 'logging on' command globally enables logging output; without it, no logging occurs. The 'no logging buffered' command disables buffer logging but does not clear the buffer.

846
MCQ · hard

An engineer is troubleshooting an IPv6 manual tunnel between two routers that are not directly connected (the tunnel endpoints are separated by an IPv4 network). The tunnel is up, but the engineer notices that the tunnel interface flaps every few minutes. The show interfaces tunnel output shows input errors and CRC errors. What is the most likely cause?

A. The IPv4 path between the tunnel endpoints has a lower MTU than the tunnel interface MTU plus 20 bytes (IP header), causing fragmentation and packet loss.
B. The tunnel keepalive is set too low, causing the tunnel to go down when a keepalive is lost.
C. The tunnel source interface is a loopback that is not reachable from the remote router.
D. The tunnel is using GRE encapsulation, but the remote router is configured for ipv6ip.
Answer: A

Correct because the tunnel MTU is typically 1500, but the IPv4 path may have an MTU of 1500 or less, leading to fragmentation when the 20-byte IP header is added. This causes errors and flapping.

Why this answer

The tunnel interface shows input errors and CRC errors, which are classic signs of fragmentation and reassembly issues. When the IPv4 path between tunnel endpoints has a lower MTU than the tunnel interface MTU plus 20 bytes (the IPv4 header), packets exceeding the path MTU are fragmented. Fragmentation increases the risk of packet loss and CRC errors, causing the tunnel to flap as the interface resets or routing reconverges.

Exam trap

Cisco often tests the concept that tunnel flapping with CRC errors points to MTU/fragmentation issues, not reachability or encapsulation mismatches, which would prevent the tunnel from coming up at all.

How to eliminate wrong answers

Option B is wrong because a low keepalive would cause the tunnel to go down due to missed keepalives, not input/CRC errors; keepalive failures result in a 'down/down' state, not flapping with CRC errors. Option C is wrong because if the loopback source were unreachable, the tunnel would not come up at all, not flap with input errors. Option D is wrong because GRE encapsulation and ipv6ip are both valid IPv6-over-IPv4 tunnel modes; a mismatch would prevent the tunnel from establishing, not cause flapping with CRC errors.

847
MCQ · hard

In a DMVPN Phase 2 network with EIGRP, R1 (hub) and R2 (spoke) are configured. R2's tunnel interface has 'ip nhrp redirect' enabled. R3 (another spoke) can ping R2's tunnel IP, but when R3 tries to reach a subnet behind R2, traffic is forwarded to R1 instead of directly to R2. What is the root cause?

A. R1 (hub) does not have 'ip nhrp redirect' enabled on its tunnel interface, so it does not send redirect messages to R3, preventing direct spoke-to-spoke tunnel establishment.
B. R2 has 'ip nhrp shortcut' disabled, preventing direct tunnel establishment.
C. R3 has a static route pointing to R1 for the subnet behind R2.
D. EIGRP is not redistributing the subnet behind R2 to R3.
Answer: A

Correct. In Phase 2, the hub must have NHRP redirect enabled to inform spokes of direct paths. Without it, spokes forward traffic through the hub.

Why this answer

In DMVPN Phase 2, spoke-to-spoke tunnels are established using NHRP redirect. However, if the hub does not have 'ip nhrp redirect' enabled, it will not send redirect messages to spokes. Without redirect, spokes will not learn the direct path to other spokes and will forward traffic through the hub.

848
Drag & Drop · medium

Drag and drop the steps to troubleshoot Administrative Distance adjacency or connectivity failures into the correct order, from first to last.

Why this order

First, verify the physical connectivity and layer 1/2 status, then check the routing protocol neighbor adjacency, next examine the AD values of the routes learned from the neighbor, then review any route filtering or redistribution policies, and finally test end-to-end connectivity to confirm the fix.

849
MCQ · medium

Which EEM event type uses a default polling interval of 60 seconds when no interval is explicitly configured?

A. event syslog
B. event timer
C. event snmp
D. event cli
Answer: C

The default polling interval for SNMP events is 60 seconds.

Why this answer

The 'event snmp' type polls at a default interval of 60 seconds if the 'interval' keyword is omitted.

850
MCQ · hard

A network engineer is troubleshooting a route redistribution issue between OSPF and EIGRP. Routers R1 (OSPF) and R2 (EIGRP) are redistributing routes. The engineer notices that some OSPF routes are appearing in the EIGRP topology table on R2, but traffic to those destinations is being dropped. The show ip route command on R2 shows the redistributed routes with a next-hop of the R1 interface, but the route is not installed in the routing table. What is the most likely cause?

A. The redistribute ospf command under EIGRP is missing the default-metric configuration.
B. OSPF has a higher administrative distance than EIGRP.
C. The EIGRP process on R2 has a distribute-list blocking these routes.
D. The OSPF process on R1 has a route filter blocking these routes.
Answer: A

Correct: Without a default-metric, EIGRP may not install redistributed routes if the metric is not set properly.

Why this answer

When redistributing from OSPF into EIGRP, the redistributed routes may have a next-hop that is not reachable via EIGRP, causing the route not to be installed in the routing table. This is often due to the default-metric not being set, causing EIGRP to use an incorrect metric.

851
MCQ · medium

A network engineer runs the following command to troubleshoot an Administrative Distance issue:

    R1# show ip eigrp topology 192.168.3.0/24 all-links
    IP-EIGRP (AS 100): Topology entry for 192.168.3.0/24
      State is Passive, Query origin flag is 1, 1 Successor(s), FD is 30720
      Routing Descriptor Blocks:
      10.1.1.2 (GigabitEthernet0/0), from 10.1.1.2, Send flag is 0x0
          Composite metric is (30720/28160), Route is Internal
          Vector metric:
            Minimum bandwidth is 100000 Kbit
            Total delay is 2000 microseconds
            Reliability is 255/255
            Load is 1/255
            Minimum MTU is 1500
            Hop count is 1
      10.1.2.2 (GigabitEthernet0/1), from 10.1.2.2, Send flag is 0x0
          Composite metric is (30720/28160), Route is Internal
          Vector metric:
            Minimum bandwidth is 100000 Kbit
            Total delay is 2000 microseconds
            Reliability is 255/255
            Load is 1/255
            Minimum MTU is 1500
            Hop count is 1

What does this output indicate?

A. Both paths are feasible successors and will be used for load balancing.
B. Only the first path is used because it has a lower administrative distance.
C. The second path is a feasible successor but not used because the first path has a better metric.
D. The output indicates a routing loop because there are two paths with the same metric.
Answer: A

Both paths have the same metric and meet the feasibility condition (reported distance less than FD), so they are successors and will be used for load balancing.

Why this answer

The output shows two equal-cost paths to the same network, both with the same composite metric and FD. This indicates that EIGRP is load balancing across these two links, but the administrative distance is not directly shown here; it's about the topology table.

852
Drag & Drop · medium

Drag and drop the steps to configure and schedule an IP SLA ICMP-echo operation into the correct order, from first to last.

Why this order

The correct order begins by entering IP SLA configuration mode, then defining the ICMP-echo operation with target and source, setting optional parameters like frequency, scheduling the operation to start immediately or at a specific time, and finally verifying the configuration with show commands.

853
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show ip sla statistics 5
    Round Trip Time (RTT) for Index 5
      Latest RTT: 50 ms
      Latest RTT (milliseconds): 50
      Latest RTT (microseconds): 50000
      Number of successes: 100
      Number of failures: 0
      Operation time to live: Forever
      Output: OK

    R1# show track 3
    Track 3
      IP SLA 5 reachability
      Reachability is Up
        1 change, last change 00:10:00
      Latest operation return code: OK
      Latest RTT (milliseconds): 50
      Tracked by:
        ip route 0.0.0.0 0.0.0.0 192.168.3.1 track 3

    R1# show ip route 0.0.0.0 0.0.0.0
    Routing entry for 0.0.0.0/0, supernet
      Known via "static", distance 1, metric 0, candidate default path
      Last update from 192.168.3.1 on GigabitEthernet0/0
      Routing Descriptor Blocks:
      * 192.168.3.1, via GigabitEthernet0/0
          Route metric is 0, traffic share count is 1

Based on this output, which statement is correct?

A. The static route is not installed because the track is up.
B. The IP SLA operation is failing, causing the track to go down.
C. The static route is active and reachable via 192.168.3.1.
D. The IP SLA operation has a threshold violation.
Answer: C

The routing table shows the static route is installed with next-hop 192.168.3.1, and the track confirms reachability.

Why this answer

The track is up, and the static route is present in the routing table. The IP SLA has 100% success. This indicates everything is working correctly.

854
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show ip route 172.16.0.0 255.255.240.0
    Routing entry for 172.16.0.0/20
      Known via "ospf 1", distance 110, metric 20, type intra area
      Last update from 192.168.1.2 on GigabitEthernet0/0, 00:00:15 ago
      Routing Descriptor Blocks:
      * 192.168.1.2, from 192.168.1.2, 00:00:15 ago, via GigabitEthernet0/0
          Route metric is 20, traffic share count is 1

Based on this output, what can be concluded about the route 172.16.0.0/20?

A. The route is a default route.
B. The route is an inter-area summary route.
C. The route is an external route.
D. The route is a connected route.
Answer: B

The metric of 20 and intra-area type suggest it is a summary route from an ABR (type 3 LSA).

Why this answer

The OSPF route is learned via intra-area (type intra area) with a metric of 20, which is characteristic of a summary LSA type 3, but the output shows intra area, indicating it is a summary route from an ABR.

855
MCQ · hard

A network engineer configures a DHCP snooping trusted port on a switch to allow a legitimate DHCP server. However, clients connected to untrusted ports on the same VLAN cannot obtain IP addresses. The DHCP server is reachable and the switch shows no DHCP snooping drops. Which is the most likely explanation?

A. The DHCP server is not configured to trust the relay agent information option (option 82), causing it to discard the requests.
B. The trusted port is in the wrong VLAN; DHCP snooping only works when the trusted port is in the same VLAN as the clients.
C. The switch has 'ip dhcp snooping verify mac-address' enabled, causing MAC address mismatches.
D. The DHCP server is not configured with the correct subnet for the client VLAN.
Answer: A

Correct: By default, DHCP snooping inserts option 82. Many servers reject packets with option 82 unless configured to trust it.

Why this answer

DHCP snooping requires IP source guard or DHCP snooping binding to be populated. If the switch has 'ip dhcp snooping information option' enabled, the DHCP server may drop packets due to option 82 being inserted, unless the server is configured to trust it.

856
Multi-Select · easy

Which TWO commands would a network engineer use to verify the results of route redistribution from OSPF into EIGRP? (Choose TWO.)

Select 2 answers
A. show ip route eigrp
B. show ip ospf database
C. show ip protocols
D. show ip eigrp topology
E. show ip eigrp traffic
Answers: A, D

Correct: This shows EIGRP routes in the routing table, including redistributed routes.

Why this answer

To verify redistribution, you can check the routing table to see if redistributed routes appear, and you can check the EIGRP topology table to see if they are learned via redistribution. Option A is correct because 'show ip route eigrp' displays EIGRP routes, including redistributed ones. Option D is correct because 'show ip eigrp topology' shows all EIGRP routes and their sources.

Option B is incorrect because 'show ip ospf database' shows OSPF LSAs, not redistributed routes. Option C is incorrect because 'show ip protocols' shows routing protocol parameters but not specific redistributed routes. Option E is incorrect because 'show ip eigrp traffic' shows packet statistics, not route information.

857
MCQ · easy

What is the default frequency (in seconds) for an IP SLA operation if not explicitly configured?

A. 60 seconds
B. 10 seconds
C. 30 seconds
D. 120 seconds
Answer: A

The default frequency is 60 seconds.

Why this answer

The default frequency for IP SLA operations is 60 seconds. This means probes are sent every 60 seconds unless overridden with the frequency command.

858
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show crypto isakmp sa detail
    Codes: C - IKE, M - IKEv2, P - IPsec

    C-id  Local     Remote    I-VRF  Status  Encr  Hash  Auth  DH  Lifetime  Cap.
    1     10.1.1.1  10.1.1.2         ACTIVE  aes   sha   md5   2   86400
    2     10.1.1.1  10.1.1.3         ACTIVE  aes   sha   md5   2   86400

Based on this output, what is the problem?

A. The IKE policy uses weak authentication (MD5) and DH group 2.
B. The IKE SAs are not active.
C. The IPsec SAs are missing.
D. The lifetime is too short.
Answer: A

MD5 and DH group 2 are cryptographically weak.

Why this answer

The output shows IKE phase 1 SAs with encryption aes, hash sha, authentication md5, and DH group 2. The problem is that MD5 is used for authentication, which is considered weak and insecure. Modern DMVPN deployments should use stronger algorithms like SHA-256.

Additionally, DH group 2 is weak.

859
MCQ · hard

A network engineer runs the following command on Router R1:

    R1# show route-map VRF_RED_MAP
    route-map VRF_RED_MAP, permit, sequence 10
      Match clauses:
        ip address prefix-list RED_PREFIXES
      Set clauses:
        tag 100
      Policy routing matches: 0 packets, 0 bytes

Based on this output, what is the problem?

A. The route-map is not applied to any interface.
B. The prefix-list RED_PREFIXES is empty.
C. The set clause is incorrect.
D. The route-map sequence is invalid.
Answer: A

The 0 packets matched suggests the route-map is not being used, likely because it is not applied.

Why this answer

The route-map VRF_RED_MAP has a match clause for prefix-list RED_PREFIXES and a set clause to tag 100. The policy routing matches show 0 packets, meaning the route-map has never been used. This could indicate that the route-map is not applied to any interface or that no traffic matches the prefix-list.

860
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show ip ospf interface GigabitEthernet0/1
    GigabitEthernet0/1 is up, line protocol is up
      Internet Address 10.1.1.1/24, Area 0
      Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1
      Transmit Delay is 1 sec, State DR, Priority 1
      Designated Router (ID) 1.1.1.1, Interface address 10.1.1.1
      Backup Designated router (ID) 2.2.2.2, Interface address 10.1.1.2
      Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
        oob-resync timeout 40
        Hello due in 00:00:03
      Supports Link-local Signaling (LLS)
      Cisco NSF helper support enabled
      IETF NSF helper support enabled
      Index 1/1, flood queue length 0
      Next 0x0(0)/0x0(0)
      Last flood scan length is 1, maximum is 25
      Last flood scan time is 0 msec, maximum is 4 msec
      Neighbor Count is 1, Adjacent neighbor count is 1
        Adjacent with neighbor 2.2.2.2 (Backup Designated Router)
      Suppress hello for 0 neighbor(s)

Based on this output, what is the problem?

A. The router is the DR, which is normal, but the neighbor count of 1 indicates only one OSPF neighbor is present.
B. The interface is in area 0, but redistribution of external routes requires a route-map to set the metric.
C. The output shows no external routes are being redistributed, but this is a normal interface status.
D. The router ID is 1.1.1.1, which is not reachable from other routers.
Answer: C

The interface output is normal; redistribution status is not shown here. The candidate must understand that this command does not show redistribution information.

Why this answer

The output shows R1 is the Designated Router (DR) on a broadcast network. The neighbor count is 1, which is normal. However, the problem might be that redistribution is not happening because the interface is in area 0, but no external routes are seen.

The output itself does not show a direct problem; it is a normal OSPF interface state. The question likely expects the candidate to note that the interface is functioning correctly, but the context of redistribution might imply that redistribution is configured but not working due to other issues.

861
MCQ · medium

A network engineer runs the following command to troubleshoot an EEM issue:

    R1# debug event manager action syslog
    EEM Action Syslog debugging is on
    R1#
    Mar 1 00:20:45.789: %HA_EM-6-ACTION: applet TRACK-INTERFACE: action syslog msg: 'OSPF adjacency change detected'

What does this output indicate?

A. The EEM applet 'TRACK-INTERFACE' executed a syslog action and generated the message 'OSPF adjacency change detected'.
B. The EEM applet 'TRACK-INTERFACE' received a syslog message 'OSPF adjacency change detected'.
C. The debug output shows the configuration of the syslog action for applet 'TRACK-INTERFACE'.
D. The syslog message was generated by the system, not by the EEM applet.
Answer: A

Correct. The debug output shows the applet generating the syslog message.

Why this answer

The debug output shows the execution of syslog actions within an EEM applet. It displays the applet name and the syslog message being generated. This is useful for verifying that syslog actions are working correctly.

862
MCQ · medium

Which of the following is true regarding the use of prefix-lists versus access-lists for route filtering?

A. Access-lists can match on prefix length using the 'ge' and 'le' keywords.
B. Prefix-lists can match on both network address and prefix length, while access-lists match only on network address.
C. Access-lists are more efficient than prefix-lists for route filtering.
D. Prefix-lists can only be used with BGP, while access-lists can be used with any protocol.
Answer: B

Correct. Prefix-lists can specify both the prefix and a range of prefix lengths.

Why this answer

Prefix-lists are designed specifically for route filtering and can match on prefix length using ge and le operators. Access-lists match on source/destination IP and wildcard mask but do not have the ability to specify prefix length ranges. Prefix-lists are more efficient and flexible for route filtering.

863
MCQ · easy

A network engineer runs the following command to verify BGP route filtering:

    R1# show bgp ipv4 unicast 192.168.1.0/24
    BGP routing table entry for 192.168.1.0/24, version 2
    Paths: (1 available, best #1, table default)
      Advertised to update-groups:
         1
      Refresh Epoch 1
      Local, (received & used)
        10.1.1.2 (metric 20) from 10.1.1.2 (2.2.2.2)
          Origin IGP, metric 0, localpref 100, valid, internal, best
          rx pathid: 0, tx pathid: 0x0
          Community: no-export

What does the 'Community: no-export' indicate?

A. The route will not be advertised to any iBGP peers.
B. The route will not be advertised to any eBGP peers.
C. The route is filtered by an inbound route-map.
D. The route is not installed in the routing table.
Answer: B

The no-export community tells BGP not to advertise the route to any eBGP peers.

Why this answer

The community 'no-export' indicates that this route should not be advertised to any eBGP peers. This is a well-known community that controls route propagation.

864
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show dmvpn detail
    Legend: Attrb -> S: Static, D: Dynamic, I: Incomplete
            N: NATed, L: Local, X: No Socket
            #Ent -> Number of NHRP entries with same NBMA peer
            NHS Status: E => Expecting Replies, R => Responding, W => Waiting
            UpDn Time -> Up or Down Time for a Tunnel
    ==========================================================================
    Interface: Tunnel0, IPv4 NHRP Details
    Type:Spoke, NHRP Peers:1,

    # Ent Peer NBMA Addr  Peer Tunnel Addr State  UpDn Tm Attrb
    ----- --------------- ---------------- ----- -------- -----
        1 10.1.1.1        172.16.0.1          UP 00:10:00     S

Based on this output, what is the problem?

A. The spoke has a static NHRP mapping for the hub, which is correct for phase 1 DMVPN.
B. The spoke has dynamically learned the hub.
C. The hub is not reachable.
D. The spoke is configured as a hub.
Answer: A

In phase 1, spokes only communicate via hub; static mapping is normal.

Why this answer

The output shows a spoke router with one NHRP peer (the hub) marked as static (S). The spoke is only seeing the hub, which is normal for a spoke. However, the problem is that the spoke is not seeing any other spokes, which is expected in a DMVPN phase 2 or 3 where spokes should see each other dynamically.

But here the peer is static, indicating the spoke is configured with a static NHRP mapping for the hub, and no dynamic spoke-to-spoke tunnels are established.

865
MCQ · hard

An MPLS network uses LDP for label distribution. After enabling Flexible NetFlow on the core routers, some LDP sessions fail to establish. Router R1 shows: show mpls ldp neighbor | include (Peer|State) Peer LDP Ident: 10.0.0.2:0, State: OPERATIONAL. Router R2 shows: show mpls ldp neighbor | include (Peer|State) Peer LDP Ident: 10.0.0.1:0, State: INIT. What is the root cause?

A. The flow monitor is using a sampler that samples only 1 out of 100 packets, causing LDP hello messages to be missed.
B. The LDP router-id is misconfigured, causing a conflict with the flow exporter.
C. The MPLS MTU is set too low, causing LDP packets to be fragmented.
D. The flow exporter is configured to use TCP port 646, conflicting with LDP.
Answer: A

LDP hellos are sent every 5 seconds; if they are sampled out, the neighbor will not receive them, and the session will stay in INIT.

Why this answer

Flexible NetFlow can consume CPU resources or change the way packets are processed. In this case, the LDP session is stuck in INIT state, which typically indicates a problem with the transport connection or hello messages. If a flow monitor is applied to the interface used for LDP (e.g., the core-facing interface), it might be using a sampler that samples only a fraction of packets, causing LDP hello messages to be missed.

Alternatively, the flow monitor might be configured to use a flow record that includes the 'ipv4 ttl' field, which could cause the router to process LDP packets differently. The correct answer is that a flow sampler is configured on the interface, causing LDP hello packets to be sampled and potentially dropped, preventing the LDP session from moving to OPERATIONAL.

866
MCQ · medium

In IPv6 FHS, what is the default action for 'RA Guard' when a rogue RA is detected on a switch port?

A. Forward the RA to the CPU for inspection
B. Drop the RA and generate a syslog message
C. Shut down the port
D. Send a notification to the network management system
Answer: B

Correct. The default action is to drop the RA and log the event.

Why this answer

The default action for RA Guard on Cisco IOS-XE is to 'drop' the offending RA message and optionally log the event. This is configured via the 'ipv6 nd raguard' command.

867
MCQ · hard

An engineer configures IPsec between two routers using a site-to-site VPN. The tunnel does not come up, and the debug output shows 'received unexpected payload type'. Both routers are configured with pre-shared keys. Which is the most likely explanation?

A. The pre-shared keys do not match on both sides.
B. The IKE phase 1 transform sets are mismatched; one router uses AES-256 while the other uses AES-128.
C. The IPsec phase 2 transform sets are mismatched.
D. The access-list defining interesting traffic is missing on one router.
Answer: B

Mismatched encryption or hash algorithms cause the IKE negotiation to fail with 'unexpected payload type' because the proposals do not align.

Why this answer

The 'received unexpected payload type' error typically indicates a mismatch in the IKE phase 1 parameters, such as encryption, hash, or DH group. Even if the pre-shared key matches, a mismatch in transform sets or IKE proposals causes the error.

868
MCQ · medium

Consider the following partial configuration:

    ipv6 nd inspection policy ND_INSPECT
     device-role host
     trusted-port
    interface GigabitEthernet0/4
     ipv6 nd inspection policy ND_INSPECT

What is the effect of the 'trusted-port' command in this policy?

A. The interface is trusted, so Neighbor Discovery messages are not inspected.
B. The interface only allows Neighbor Advertisements from trusted sources.
C. The interface drops all Neighbor Discovery messages.
D. The interface requires a valid binding for each ND message.
Answer: A

Trusted ports bypass ND inspection checks.

Why this answer

The 'trusted-port' command marks the interface as trusted for Neighbor Discovery inspection, meaning ND messages are not validated. This is often used on ports connecting to other routers or switches.

869
MCQ · easy

Which DHCPv6 message is used by a server to respond to a SOLICIT with available configuration parameters?

A. REPLY
B. ADVERTISE
C. RECONFIGURE
D. INFORMATION-REQUEST
Answer: B

ADVERTISE is the response to SOLICIT in DHCPv6.

Why this answer

The ADVERTISE message is sent by the DHCPv6 server in response to a SOLICIT, offering configuration parameters, per RFC 8415.

870
MCQ · easy

A network engineer runs the following command to troubleshoot an Administrative Distance issue:

    R1# show ip ospf interface detail GigabitEthernet0/0
    GigabitEthernet0/0 is up, line protocol is up
      Internet Address 10.1.1.1/24, Area 0, Attached via Network Statement
      Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1
      Topology-MTID    Cost    Disabled    Shutdown      Topology Name
            0           1         no          no            Base
      Transmit Delay is 1 sec, State DR, Priority 1
      Designated Router (ID) 1.1.1.1, Interface address 10.1.1.1
      Backup Designated router (ID) 2.2.2.2, Interface address 10.1.1.2
      Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
        oob-resync timeout 40
        Hello due in 00:00:03
      Supports Link-local Signaling (LLS)
      Cisco NSF helper support enabled
      IETF NSF helper support enabled
      Can be protected by per-prefix Loop-Free Fast Reroute
      Can be used for per-prefix Loop-Free Fast Reroute remote-LFA tunnels
      Index 1/1/1, flood queue length 0
      Next 0x0(0)/0x0(0)/0x0(0)
      Last flood scan length is 1, maximum is 1
      Last flood scan time is 0 msec, maximum is 0 msec
      Neighbor Count is 1, Adjacent neighbor count is 1
        Adjacent with neighbor 2.2.2.2 (Backup Designated Router)
      Suppress hello for 0 neighbor(s)

What does this output indicate?

A. The interface is an OSPF broadcast interface with a cost of 1, and the router is the Designated Router.
B. The interface has an administrative distance of 110.
C. The neighbor 2.2.2.2 is not fully adjacent because it is a backup designated router.
D. The OSPF process ID is 100.
Answer: A

The output clearly states State DR, indicating this router is the Designated Router on this segment.

Why this answer

The output shows detailed OSPF interface information, including the cost, timers, and neighbor state. It does not directly show administrative distance, but it is relevant for understanding OSPF operation.

871
MCQ · hard

Router R5 is configured with SNMPv3 for secure management. The configuration includes: snmp-server group mygroup v3 priv, snmp-server user myuser mygroup v3 auth sha myauth priv aes 128 mypriv. The NMS is configured with the same credentials. However, the NMS cannot poll R5. The debug snmp packet shows: 'Authentication failure'. The NMS and R5 have correct time synchronization via NTP. What is the root cause?

A. The NMS is configured to use MD5 authentication, but the router is configured with SHA.
B. The SNMP engine ID on the router has changed due to a hardware replacement, causing the NMS to have a stale engine ID.
C. The NMS is using SNMPv2c community string instead of SNMPv3.
D. The router's clock is not synchronized with NTP, causing authentication key mismatch.
Answer: A

SNMPv3 authentication failure occurs if the authentication protocol mismatches. The debug shows authentication failure, not privacy, so the issue is auth protocol mismatch.

Why this answer

SNMPv3 authentication failure can be due to incorrect passwords, but the debug shows 'Authentication failure' specifically. Even with correct passwords, the SNMPv3 engine ID must match. The engine ID is generated from the router's MAC address or configured manually.

If the NMS has a different engine ID, authentication fails. However, the most common subtle issue is that the SNMPv3 user is configured with a different authentication protocol than the NMS expects. The debug shows authentication failure, not privacy failure.

The correct answer is: 'The NMS is configured to use MD5 authentication, but the router is configured with SHA.'

872
MCQ · medium

A network engineer runs the following command to troubleshoot a Device Access Control issue:

    R1# debug ip bgp updates
    BGP(0): 10.1.1.2 rcv UPDATE w/ attr: nexthop 10.1.1.2, origin i, metric 0, path 65002
    BGP(0): 10.1.1.2 rcv UPDATE about 192.168.1.0/24 -- DENIED due to: community no-export;

What does this output indicate?

A. The route 192.168.1.0/24 is accepted and installed in the BGP table because the community is no-export.
B. The route 192.168.1.0/24 is denied because of the no-export community, which prevents it from being advertised to any peer.
C. The route 192.168.1.0/24 is denied because of an inbound prefix-list filter.
D. The route 192.168.1.0/24 is accepted but marked with no-export for outbound filtering.
Answer: B

The no-export community causes the route to be denied from being advertised to any eBGP peer; this debug confirms the denial.

Why this answer

The debug output explicitly states 'DENIED due to: community no-export'. The no-export community (0xFFFFFF01) prevents the route from being advertised to any eBGP peer, but it does not prevent the route from being received or installed in the local BGP table. However, in this context, the router is denying the incoming update because of an inbound policy that matches the no-export community and rejects the route.

Option B correctly identifies that the route is denied due to the no-export community, which stops it from being advertised to any peer.

Exam trap

Cisco often tests the distinction between a route being denied due to an inbound filter versus being accepted but then restricted from outbound advertisement; the trap here is assuming that the no-export community only affects outbound behavior, when in fact it can be used in inbound policies to reject routes entirely.

How to eliminate wrong answers

Option A is wrong because the route is explicitly denied (not accepted) due to the no-export community, and the no-export community does not cause acceptance—it restricts outbound advertisement. Option C is wrong because the debug output clearly states the denial reason is 'community no-export', not a prefix-list filter; if a prefix-list were the cause, the message would indicate 'DENIED due to: prefix-list' or similar. Option D is wrong because the route is denied (not accepted), and the no-export community is applied inbound, not outbound; the debug shows the update is received and denied, not accepted and marked.

873
MCQ · medium

An engineer configures RSPAN on a Cisco switch to monitor traffic from VLAN 10 across multiple switches. The engineer creates an RSPAN VLAN (VLAN 100) on the source switch and configures the source as VLAN 10. On the remote switch, the engineer configures the destination port as GigabitEthernet0/1 in VLAN 100. However, the destination port does not forward any monitored traffic. What is the most likely cause?

A. The RSPAN VLAN is not allowed on the trunk links between the switches.
B. The destination port is configured as an access port in VLAN 100.
C. The source switch does not have the RSPAN VLAN configured as a remote-span VLAN.
D. The destination port is not configured with 'monitor session' on the remote switch.
Answer: A

Correct because the RSPAN VLAN must be permitted on all intermediate trunks for the monitored traffic to traverse the network.

Why this answer

RSPAN requires that the RSPAN VLAN be allowed on all trunk links between the source and destination switches. If the RSPAN VLAN is not allowed on the trunk, the traffic will not reach the destination.

874
MCQ · hard

An engineer configured IP SLA 20 to monitor the reachability of a next-hop router (192.168.1.1) using UDP jitter probes. The goal is to use the IP SLA with a track object to influence EIGRP route selection. However, the EIGRP route is not being affected by the IP SLA state. The engineer verifies that the IP SLA is 'Active' and the track object shows 'Up'. What is the most likely misconfiguration?

A. The IP SLA probe type (UDP jitter) is not supported for tracking EIGRP routes.
B. The track object is not configured to influence the EIGRP route; EIGRP does not support direct tracking of IP SLA for route metrics.
C. The EIGRP route has a higher administrative distance than the tracked route.
D. The IP SLA threshold is set too low, causing flapping.
Answer: B

EIGRP does not have a mechanism to directly track IP SLA states. The engineer must use a tracked static route or policy-based routing to influence traffic.

Why this answer

EIGRP does not natively react to IP SLA track objects unless the route is redistributed or a static route with tracking is used. The engineer likely expected EIGRP to automatically adjust metric based on IP SLA, which is not supported.

875
MCQ · hard

A network engineer is troubleshooting an MPLS L3VPN where CE1 (10.1.1.0/24) cannot reach CE2 (10.2.2.0/24). The PE routers are using eBGP with the CEs. On PE1, the show ip bgp vpnv4 vrf CUSTOMER command shows the route for 10.2.2.0/24 with a next-hop of 192.168.1.2, and the show ip route vrf CUSTOMER command shows the route. However, traffic from CE1 to CE2 fails. The show ip bgp vpnv4 vrf CUSTOMER 10.2.2.0/24 command on PE1 shows the route is received and best, but the show ip bgp vpnv4 vrf CUSTOMER 10.2.2.0/24 command on PE1 also shows the route has the 'r' flag (RIB-failure). What is the most likely cause?

A. There is a static route in the VRF for 10.2.2.0/24 with a lower administrative distance.
B. The route-target import on PE1 is misconfigured.
C. The MP-BGP session is not using the loopback interface.
D. The VRF on PE1 has a different route-target export.
Answer: A

Correct: A static route or IGP route with lower AD will prevent the BGP route from being installed.

Why this answer

A RIB-failure indicates that the route is received and best in BGP but is not installed in the routing table because another route with a lower administrative distance exists. This could be due to a static route or an IGP route for the same prefix in the VRF.

876
MCQ · hard

A network engineer runs the following command to debug IPv6 traffic filtering:

    R1# debug ipv6 packet access-list FILTER detail
    IPv6 packet debugging is on for access list FILTER (detail)
    *Mar 1 00:01:23.456: IPv6: source 2001:DB8:2::1 (GigabitEthernet0/0)
    *Mar 1 00:01:23.456: dest 2001:DB8:3::1 (GigabitEthernet0/1)
    *Mar 1 00:01:23.456: traffic class 0, flowlabel 0, hlim 64, next header 6 (TCP)
    *Mar 1 00:01:23.456: denied by access-list FILTER

What does this output indicate?

A. The packet is denied because the source address 2001:DB8:2::1 matches the deny entry in the access list.
B. The packet is permitted because it is a TCP packet.
C. The packet is denied because of uRPF check failure.
D. The packet is permitted because the destination is not in the access list.
Answer: A

Correct. The debug clearly states the packet is denied by the access list, which has a deny for that source prefix.

Why this answer

The debug output shows an IPv6 packet from 2001:DB8:2::1 to 2001:DB8:3::1 being denied by access-list FILTER. This matches the deny statement for the 2001:DB8:2::/48 prefix.

877
MCQ · hard

An engineer configures mutual redistribution between OSPF and EIGRP on a router. After the configuration, a routing loop occurs for a specific prefix. The engineer checks and confirms that route tagging is not used. What is the most likely explanation?

A. The redistribution is not filtered, so the same prefix is redistributed back and forth, causing a loop.
B. The 'default-metric' command is missing in both protocols, causing the seed metric to be inconsistent.
C. The 'subnets' keyword is missing in the OSPF redistribution command.
D. The 'distance' command is used to change AD, causing OSPF and EIGRP to have the same AD.
Answer: A

Without route tagging or filtering, mutual redistribution can lead to a feedback loop where a route redistributed from OSPF to EIGRP is then redistributed back into OSPF, creating a loop.

Why this answer

Without route tagging, mutual redistribution can cause a routing loop when the same prefix is redistributed back and forth. The edge case is that OSPF and EIGRP have different administrative distances (AD). OSPF external routes have AD 110, and EIGRP external routes have AD 170.

If the prefix is learned via both protocols, the router prefers the lower AD (OSPF external). However, if the router redistributes the EIGRP route into OSPF, and then receives it back via OSPF, it may prefer the OSPF route and cause a loop. The loop is exacerbated if the redistribution is not filtered.

878
MCQmedium

A router experiences high CPU utilization due to SSH login attempts from an external attacker. The network engineer implements a CoPP policy to rate-limit SSH traffic to 10000 bps. After applying the policy, the engineer notices that legitimate SSH sessions from the management network are also being dropped intermittently. The CoPP policy uses a class-map that matches TCP port 22 traffic. What should the engineer do to fix this issue?

A.Increase the police rate for the SSH class to 100000 bps to allow all SSH traffic.
B.Modify the class-map to match only SSH traffic from the attacker's source IP addresses using an access-list.
C.Create a separate class for legitimate SSH traffic from the management network with a higher police rate, and police the attacker's traffic more aggressively.
D.Remove the CoPP policy and implement an ACL on the interface to block the attacker's IP address.
AnswerC

This allows legitimate SSH sessions to pass while still protecting the control plane from the attacker.

Why this answer

The CoPP policy is rate-limiting all SSH traffic, including legitimate sessions. The engineer should create a more specific class-map that matches only the attacker's source IP addresses or uses a more granular approach, such as matching traffic from the management network with a higher police rate.

879
MCQhard

A network engineer configures 'ipv6 snooping' globally on a switch and applies 'ipv6 verify source' on a port connected to a router running OSPFv3. The router's OSPFv3 neighborship with another router across the switch fails. The switch logs show that OSPFv3 packets are being dropped. The engineer checks the binding table and sees no entries for the router's link-local address. What is the most likely reason?

A.Source Guard does not learn link-local addresses via ND snooping, so OSPFv3 packets are dropped.
B.OSPFv3 uses multicast addresses that are blocked by Source Guard.
C.The router must be configured as a static binding for its link-local address.
D.The switch must have 'ipv6 snooping' enabled on the VLAN, not globally.
AnswerA

Link-local addresses are not populated in the binding table by default.

Why this answer

IPv6 Snooping and Source Guard typically rely on ND snooping to populate the binding table. However, OSPFv3 uses link-local addresses for communication, and link-local addresses are not learned via ND snooping because they are derived from the interface MAC address and are not advertised in NAs. The switch does not create binding entries for link-local addresses unless explicitly configured.

Therefore, Source Guard drops OSPFv3 packets because the source link-local address is not in the binding table. The edge case is that IPv6 First Hop Security features often overlook link-local addresses, causing routing protocol failures.

880
MCQhard

An engineer configures a DMVPN Phase 2 network. Spoke-to-spoke tunnels are not forming. Which is the most likely explanation?

A.NHRP redirect is not configured on the hub.
B.The spoke routers have different tunnel keys.
C.The NHRP authentication string is mismatched.
D.The IPsec transform-set is mismatched.
AnswerA

In Phase 2, the hub must send NHRP redirect messages to trigger spoke-to-spoke tunnel establishment. Without it, traffic will always go through the hub.

Why this answer

In DMVPN Phase 2, spoke-to-spoke tunnels require that the spoke routers have a route to the destination network via the tunnel interface, and that NHRP redirect is enabled on the hub. Without NHRP redirect, the hub will not send redirect messages to the spoke, and the spoke will not initiate a direct tunnel to the other spoke.

881
MCQhard

R1 and R2 have an IPsec VPN tunnel between their physical interfaces. They are running BGP over the tunnel interface. R1's show ip bgp summary shows the BGP session with R2 as established, but R1's show ip bgp shows no routes from R2. R2's show ip bgp shows routes from R1. What is the root cause?

A.R1 has a route-map applied to the BGP neighbor inbound that denies all routes.
B.BGP next-hop-self is missing on R2.
C.The IPsec tunnel is not encrypting BGP traffic.
D.R2 is not advertising any networks.
AnswerA

An inbound route-map can filter all incoming BGP updates, preventing routes from being installed in the BGP table.

Why this answer

The correct answer is A because R1's BGP session is established (TCP port 179 is up), but no routes are received from R2. This indicates that an inbound route-map on R1 is filtering all incoming BGP updates. The route-map is applied to the neighbor inbound direction, which matches the symptom: R1 sees the session as established but has zero routes from R2, while R2 sees routes from R1 (since outbound filtering on R2 is not the issue).

Exam trap

Cisco often tests the distinction between a BGP session being established (TCP state) and routes being exchanged (NLRI processing), so candidates may incorrectly assume that an established session guarantees route exchange, overlooking inbound route-map filtering.

How to eliminate wrong answers

Option B is wrong because missing next-hop-self on R2 would cause R1 to reject routes due to an unreachable next-hop (if the next-hop is not reachable via the tunnel), but the session would still show routes in the BGP table (they would be hidden, not absent). Option C is wrong because the IPsec tunnel not encrypting BGP traffic would not prevent BGP routes from being received; BGP would still exchange routes over the unencrypted link, and the session would likely flap or fail due to mismatched security policies, not silently drop routes. Option D is wrong because R2's show ip bgp shows routes from R1, proving R2 is advertising networks (otherwise R2's table would be empty for those prefixes).

882
MCQmedium

Given the following partial configuration:

    ip cef
    !
    interface Loopback0
     ip address 10.0.0.1 255.255.255.255
    !
    interface GigabitEthernet0/0
     ip address 10.1.1.1 255.255.255.252
     mpls ip
    !
    router ospf 1
     network 10.0.0.1 0.0.0.0 area 0
     network 10.1.1.0 0.0.0.3 area 0
    !
    mpls ldp router-id Loopback0 force

What is missing from this configuration to ensure proper MPLS LDP operation?

A.The 'mpls label protocol ldp' command is missing globally or on the interface.
B.The 'mpls ldp neighbor' command is needed to specify the neighbor's IP address.
C.Nothing is missing; the configuration is complete for basic MPLS LDP operation.
D.The 'mpls ip' command must also be applied under the OSPF process.
AnswerC

All required components are present: CEF, interface MPLS enablement, IGP for reachability, and a stable LDP router ID.

Why this answer

The configuration appears correct: CEF enabled, MPLS enabled on the interface, OSPF advertising all networks, and LDP router-id set to a loopback. There is no missing element for basic LDP operation. However, some might think 'mpls label protocol ldp' is needed, but it is default.

The question tests if the candidate can identify that nothing is missing.

883
MCQmedium

A network engineer runs the following command on Router R6:

    R6# show logging | include %SEC-6-IPACCESSLOGP
    *Mar 1 00:01:15.123: %SEC-6-IPACCESSLOGP: list ACL_INBOUND denied tcp 10.0.0.100(12345) -> 192.168.1.1(80), 1 packet
    *Mar 1 00:01:20.456: %SEC-6-IPACCESSLOGP: list ACL_INBOUND denied tcp 10.0.0.100(12346) -> 192.168.1.1(80), 1 packet
    *Mar 1 00:01:25.789: %SEC-6-IPACCESSLOGP: list ACL_INBOUND denied tcp 10.0.0.100(12347) -> 192.168.1.1(80), 1 packet
    *Mar 1 00:01:30.012: %SEC-6-IPACCESSLOGP: list ACL_INBOUND denied tcp 10.0.0.100(12348) -> 192.168.1.1(80), 1 packet

Based on this output, what is the most likely problem?

A.The ACL ACL_INBOUND is permitting traffic from 10.0.0.100 to 192.168.1.1 on port 80.
B.A host at 10.0.0.100 is attempting to access a web server at 192.168.1.1 and is being blocked by the ACL.
C.The router is experiencing a DoS attack from 192.168.1.1.
D.The ACL ACL_INBOUND is not configured on any interface.
AnswerB

The log messages clearly indicate that packets from 10.0.0.100 to 192.168.1.1 port 80 are being denied by ACL ACL_INBOUND.

Why this answer

The output shows repeated denied packets from source 10.0.0.100 to destination 192.168.1.1 on port 80 (HTTP). This indicates that a host at 10.0.0.100 is trying to access a web server at 192.168.1.1 but is being blocked by ACL ACL_INBOUND. The pattern suggests a possible scan or attack, or a legitimate access that is being denied due to misconfiguration.

884
Multi-Selecthard

Which THREE symptoms indicate a misconfiguration in a VRF-Lite deployment where two routers are connected via a trunk link and each VRF should have connectivity? (Choose THREE.)

Select 3 answers
A.Pings between hosts in the same VRF across the trunk link fail.
B.The 'show ip route vrf <vrf-name>' command shows no routes for the connected subnet.
C.The interface assigned to the VRF is in 'up/down' state.
D.The global routing table contains a default route pointing to the ISP.
E.The router CPU utilization is consistently above 90%.
AnswersA, B, C

Indicates that the VRF forwarding or subinterface configuration may be incorrect.

Why this answer

Common symptoms include: pings failing between devices in the same VRF across the link, missing routes in the VRF routing table, and the VRF interface showing up/down due to misconfiguration. The incorrect options: a default route in the global table is not a VRF-Lite symptom; high CPU is not specific to VRF-Lite.

885
MCQhard

A network engineer runs the following command on Router R1:

    R1# show ip route summary
    IP routing table maximum-paths: 32
    IP routing table has 15 routes, using 900 bytes of memory
    Number of prefixes: /8: 1, /16: 2, /20: 3, /24: 9
    Route types: Connected: 4, Static: 1, OSPF: 10
    Route sources: OSPF: 10, Connected: 4, Static: 1

Based on this output, what is a potential issue regarding route summarization?

A.The routing table is too small.
B.There are too many /24 prefixes, suggesting poor summarization.
C.There are too many OSPF routes.
D.The routing table is empty.
AnswerB

Having 9 /24 prefixes indicates that more specific routes are present, and summarization could reduce the table size.

Why this answer

The routing table has many /24 prefixes (9), indicating that route summarization is not being used effectively, leading to a larger routing table.

886
MCQhard

A network engineer is troubleshooting a redistribution loop between OSPF and EIGRP. Router R7 is redistributing EIGRP routes into OSPF, and also redistributing OSPF routes into EIGRP. The engineer notices that some OSPF routes are appearing in the EIGRP topology table with a higher metric than expected, causing suboptimal routing. What is the most likely cause?

A.Routes are being re-redistributed due to missing route tags; a route-map with 'set tag' should be used to prevent loops.
B.The OSPF process has a 'default-information originate' command that is injecting a default route into EIGRP.
C.The EIGRP process has a 'variance' command that is causing unequal-cost load balancing.
D.The route-map applied to redistribution is missing a 'match tag' statement to filter out redistributed routes.
AnswerA

Correct because route tags allow filtering to prevent redistribution loops.

Why this answer

Redistribution loops can cause routes to be re-injected with different metrics. The most common fix is to use route-maps with tags to prevent re-redistribution. Without proper tagging, routes can loop between the two protocols.

887
MCQeasy

Which of the following is true regarding the use of the 'transport input' command on a VTY line?

A.If 'transport input' is not configured, the VTY line defaults to allowing both Telnet and SSH.
B.The 'transport input ssh' command allows only SSH connections, blocking Telnet.
C.The 'transport input none' command allows all protocols.
D.The 'transport input' command applies to both inbound and outbound VTY connections.
AnswerB

This restricts the VTY to SSH only, enhancing security.

Why this answer

Option B is correct because the 'transport input ssh' command explicitly restricts the VTY line to accept only SSH connections, blocking Telnet and other protocols. This is a common security best practice to ensure encrypted remote administration.

Exam trap

Cisco often tests the default behavior of 'transport input' — many candidates mistakenly believe it defaults to allowing both Telnet and SSH, but the actual default is to allow only Telnet (or 'all' on some platforms, but not both).

How to eliminate wrong answers

Option A is wrong because if 'transport input' is not configured, the VTY line defaults to allowing only Telnet (not SSH) on Cisco IOS devices. Option C is wrong because 'transport input none' blocks all inbound connections, including Telnet and SSH, rather than allowing all protocols. Option D is wrong because the 'transport input' command applies only to inbound VTY connections (i.e., connections initiated to the router), not outbound connections.

888
Drag & Dropmedium

Drag and drop the steps to verify and validate VRF-Lite operational state into the correct order, from first to last.

Why this order

Begin by listing all configured VRFs. Then confirm which interfaces belong to each VRF. Next, check the VRF-specific routing table for expected routes.

After that, test reachability to a remote destination within the VRF. Finally, validate end-to-end connectivity with extended ping or traceroute using the VRF.

889
Multi-Selecthard

Which TWO commands are used to troubleshoot SNMPv3 authentication or encryption failures? (Choose TWO.)

Select 2 answers
A.debug snmp packets
B.show snmp user
C.show snmp group
D.show running-config | include snmp
E.ping <NMS-IP>
AnswersA, B

Shows detailed SNMP packet exchanges, including authentication failures.

Why this answer

To troubleshoot SNMPv3 issues, 'debug snmp packets' shows the actual SNMP packets being sent/received, including authentication and encryption details. 'show snmp user' displays the configured users and their authentication/privacy settings. 'show snmp group' shows group-level security, but not user-specific details. 'show running-config | include snmp' is too broad, and 'ping' is irrelevant.

890
MCQeasy

Which statement correctly describes the default behavior of the Embedded Event Manager (EEM) when an event occurs and no action is explicitly defined?

A.EEM will generate a syslog message by default.
B.EEM will execute the default action of reloading the device.
C.EEM will take no action and the event is silently ignored.
D.EEM will send an SNMP trap by default.
AnswerC

Without an action configured, EEM does nothing upon event detection.

Why this answer

By default, EEM does not perform any action if none is configured; it simply logs the event occurrence.

891
MCQmedium

A network engineer runs the following command to troubleshoot a Network Logging and Syslog issue:

    R1# show policy-map control-plane input class class-default

Output:

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      police:
        cir 1000000 bps, bc 31250 bytes
        conformed 0 packets, 0 bytes; actions: transmit
        exceeded 0 packets, 0 bytes; actions: drop
        violated 0 packets, 0 bytes; actions: drop

What does this output indicate?

A.The CoPP policy is policing control plane traffic at 1 Mbps, but no packets have been matched yet.
B.The CoPP policy is dropping all control plane traffic.
C.The CoPP policy is not applied to the control plane.
D.The CoPP policy is using a class-map that matches all traffic.
AnswerA

The policer is configured with CIR 1 Mbps, but counters show 0 packets.

Why this answer

The output shows the CoPP policy for the control plane, with a policer that limits traffic to 1 Mbps. The counters show no traffic has been matched, which may indicate that the policy is not effective or no traffic is hitting the control plane.

892
MCQhard

A network engineer is troubleshooting a VRF-Lite scenario where a router is configured with two VRFs (VRF_X and VRF_Y). The engineer notices that routes from VRF_X are not being advertised to the neighbor router via eBGP. The BGP configuration includes 'neighbor 10.1.1.2 remote-as 65002' under the VRF_X BGP address-family. The 'show bgp vpnv4 unicast all neighbors' command shows the BGP session is established. What is the most likely cause?

A.The 'network' command for the prefix is configured under the global BGP configuration, not under the VRF address-family.
B.The BGP session is not using the correct update-source interface.
C.The 'maximum-paths' command is set to 1.
D.The 'bgp router-id' command is missing.
AnswerA

For VRF-Lite, the network command must be under the VRF address-family to advertise routes from that VRF.

Why this answer

In VRF-Lite with BGP, routes must be explicitly injected into the VRF BGP table. Missing the 'network' command or redistribution under the VRF address-family is a common issue.

893
MCQmedium

Consider the following EEM applet configuration:

    !---
    event manager applet HIGH_CPU
     event snmp oid 1.3.6.1.4.1.9.9.109.1.1.1.1.3.1 get-type exact entry-op gt entry-val 90 poll-interval 10
     action 1.0 syslog msg "CPU utilization exceeded 90%"
    !---

What is the problem with this configuration?

A.The OID is a scalar, so 'entry-op' and 'entry-val' cannot be used; they are only for table entries.
B.The 'poll-interval' is too short and will cause high CPU usage.
C.The applet will work correctly and generate a syslog message when CPU exceeds 90%.
D.The 'get-type exact' is incorrect; it should be 'get-type next'.
AnswerA

Correct. For scalar OIDs, the 'entry-op' and 'entry-val' are not applicable; the applet should use a different event type or specify the OID correctly.

Why this answer

The 'event snmp oid' command requires a 'get-type' of 'exact' or 'next', but the OID specified is for a specific instance (cpmCPUTotal5sec). However, the OID is not complete; it should include the instance index. Additionally, the 'entry-op' and 'entry-val' are used for table entries, but this OID is a scalar.

The correct approach is to use 'event snmp oid' with a scalar OID and use 'poll-interval' with 'entry-op' and 'entry-val' only for table entries. This configuration may cause the applet to not trigger correctly.

894
MCQmedium

A network engineer runs the following command on Router R1:

    R1# show ip policy
    Interface         Route-map
    FastEthernet0/0   PBR_MAP
    R1# show route-map PBR_MAP
    route-map PBR_MAP, permit, sequence 10
      Match clauses:
        ip address prefix-list MATCH_HTTP
      Set clauses:
        ip next-hop 10.10.10.2
      Policy routing matches: 0 packets, 0 bytes

Based on this output, what is the most likely problem?

A.The route-map is not being applied to any interface.
B.The prefix-list MATCH_HTTP may not be matching any traffic, causing no policy routing.
C.The next-hop 10.10.10.2 is unreachable.
D.The route-map is configured with the wrong sequence number.
AnswerB

0 packets matched indicates no traffic matches the prefix-list.

Why this answer

The route-map PBR_MAP is applied to FastEthernet0/0 for policy routing, but the match counter shows 0 packets matched. This indicates that either the prefix-list MATCH_HTTP is not matching any traffic, or no traffic is hitting the interface. The correct answer is that the prefix-list may be misconfigured or not matching desired traffic.

895
MCQhard

A router is configured with PBR using a route-map that sets the next-hop to 10.0.0.2 for traffic matching ACL 100. The engineer also configures 'set ip default next-hop 10.0.0.3' in the same route-map sequence. Traffic that matches ACL 100 is forwarded to 10.0.0.2, but traffic that does not match ACL 100 is forwarded to 10.0.0.3 only if there is no route in the routing table. However, the engineer expects all unmatched traffic to go to 10.0.0.3 regardless of the routing table. What is the misunderstanding?

A.The 'set ip default next-hop' command overrides the routing table only when no route exists; the engineer wants unconditional forwarding.
B.The route-map sequence order is incorrect; the default next-hop should be in a separate sequence.
C.The ACL 100 is blocking all traffic, so no traffic matches the set commands.
D.The 'set ip default next-hop' command requires a 'set interface' command to work.
AnswerA

'set ip default next-hop' is conditional on the absence of a route; 'set ip next-hop' is unconditional.

Why this answer

The 'set ip default next-hop' command is used only when the packet does not have a matching route in the routing table. If a route exists (even a default route), the packet follows the routing table. The engineer should use 'set ip next-hop' instead of 'set ip default next-hop' to force all unmatched traffic to the next-hop.

896
MCQmedium

A network engineer runs the following command on Router R1:

    R1# show flow exporter EXPORTER-1
    Flow Exporter EXPORTER-1:
      Description: Exports to collector
      Export protocol: NetFlow Version 9
      Transport Configuration:
        Destination IP address: 192.168.1.100
        Source IP address: 10.0.0.1
        Transport Protocol: UDP
        Destination Port: 2055
        Source Port: 0
      Collector Configuration:
        VRFs: Default
      Options Configuration:
        Sampler: Not configured
      Export Statistics:
        Number of Flows exported: 5000
        Number of Packets exported: 250
        Number of Source IP address unreachable: 10
        Number of Packets dropped: 0

Based on this output, what is the most likely issue?

A.The destination IP address is unreachable.
B.The source IP address 10.0.0.1 is not reachable from the destination, causing some packets to fail.
C.The UDP port 2055 is blocked.
D.The exporter is not sending any packets.
AnswerB

The 'Source IP address unreachable' counter indicates that the source IP is not reachable from the destination, likely due to a missing route or interface issue.

Why this answer

The exporter has exported flows, but there are 10 Source IP address unreachable errors. This indicates that the source IP address (10.0.0.1) is not reachable from the destination at times, possibly due to routing issues or interface flapping.

897
Multi-Selecthard

Which TWO statements about MPLS label imposition, disposition, and swapping are true? (Choose TWO.)

Select 2 answers
A.Penultimate Hop Popping (PHP) reduces the processing load on the egress LSR by having the penultimate LSR pop the label.
B.An intermediate LSR performs a label swap operation: it replaces the incoming label with an outgoing label.
C.The egress LSR performs label imposition (push) before forwarding the IP packet to the destination.
D.PHP is enabled only when the egress LSR is not directly connected to the penultimate LSR.
E.By default, PHP is disabled on Cisco IOS routers and must be explicitly configured.
AnswersA, B

Correct. PHP offloads the label removal to the penultimate LSR, reducing egress LSR work.

Why this answer

In MPLS forwarding, label imposition (push) occurs at the ingress LSR, disposition (pop) at the egress LSR, and swapping (swap) at intermediate LSRs. The PHP (Penultimate Hop Popping) feature causes the penultimate LSR to pop the label before the egress LSR receives the packet, so the egress LSR sees only the IP packet. Option A is correct: PHP reduces the load on the egress LSR.

Option B is correct: an intermediate LSR typically swaps the top label. Option C is false: the egress LSR does not impose a label; it removes it. Option D is false: PHP is the default behavior for directly connected egress LSRs.

Option E is false: PHP is not disabled by default; it is enabled.

898
MCQmedium

Which IP SLA operation type is used to measure one-way delay, jitter, and packet loss?

A.udp-jitter
B.icmp-echo
C.udp-echo
D.tcp-connect
AnswerA

udp-jitter is designed to measure delay, jitter, and packet loss.

Why this answer

The udp-jitter operation type measures one-way delay, jitter, and packet loss by sending a stream of UDP packets and analyzing the responses.

899
MCQmedium

A network engineer is troubleshooting PBR on a Cisco router where traffic from VLAN 100 (192.168.10.0/24) should be forwarded to next-hop 10.10.10.2 via a route map named 'VLAN100-PBR'. The engineer has applied the route map to interface GigabitEthernet0/0.100 (subinterface) using 'ip policy route-map VLAN100-PBR'. The engineer verifies that the route map is correctly configured with 'match ip address 100' and 'set ip next-hop 10.10.10.2', and the access list 100 matches the source subnet. However, traffic from VLAN 100 is still forwarded using the routing table. What is the most likely cause?

A.The traffic is arriving on the physical interface GigabitEthernet0/0 instead of the subinterface GigabitEthernet0/0.100.
B.The access list 100 is missing the 'permit' keyword; PBR only processes permit statements.
C.The 'set ip next-hop' command must be followed by 'force' to override the routing table.
D.The route map must be applied to the VLAN interface (SVI) instead of the subinterface.
AnswerA

Correct because PBR is applied per-interface; traffic must ingress the subinterface where the policy is configured.

Why this answer

PBR applied to a subinterface will only process traffic that arrives on that specific subinterface. If the traffic is arriving on the physical interface or another subinterface, it will not be matched. The engineer must ensure the traffic actually enters the subinterface where the policy is applied.

900
Multi-Selecthard

Which THREE commands can be used to verify the operational state and configuration of an IPv6 tunnel? (Choose THREE.)

Select 3 answers
A.show interfaces tunnel 0
B.show ipv6 interface tunnel 0
C.show running-config interface tunnel 0
D.show ip route
E.show ipv6 route
AnswersA, B, C

Correct. This command displays the tunnel interface status, MTU, and packet counters.

Why this answer

Option A is correct because 'show interfaces tunnel 0' displays the operational state of the tunnel interface, including line protocol status, MTU, and encapsulation type (e.g., GRE/IPv6). This command verifies whether the tunnel is up/up and confirms the underlying transport is functioning.

Exam trap

Cisco often tests that candidates confuse general routing table commands (show ip route, show ipv6 route) with interface-specific verification commands, leading them to select options that show reachability but not the tunnel's operational state or configuration.
