Cisco CCNP ENARSI 300-410 (300-410) — Questions 901–975

2152 questions total · 29 pages · All types, answers revealed


Page 13 of 29

901
MCQ · hard

An engineer configures ERSPAN on Router R1 to monitor traffic from VLAN 100 to a remote collector at 192.168.10.10 via a GRE tunnel. The source interface is GigabitEthernet0/0/0. After configuration, the collector receives no mirrored packets. R1's configuration:

```
monitor session 1 type erspan-source
 source interface Gi0/0/0 both
 destination
  erspan-id 100
  ip address 192.168.10.10
  origin ip address 10.1.1.1
 no shutdown
```

R1's routing table shows a default route via 10.1.1.2, and a static route to 192.168.10.0/24 via 10.1.1.2. The tunnel interface Tunnel0 is up/up with IP 10.1.1.1/30. What is the most likely root cause?

A. The monitor session is administratively down due to a missing 'no shutdown' command.
B. The ERSPAN destination IP address is in a different VRF that is not reachable from the source VRF.
C. The GRE tunnel interface is used for the ERSPAN source IP, causing a recursive routing loop because the destination IP is routed via the tunnel's next-hop.
D. The ERSPAN session ID 100 conflicts with an existing GRE key on the tunnel.
Answer: C

The source IP 10.1.1.1 is the tunnel interface IP, and the destination 192.168.10.10 is routed via 10.1.1.2, which is the tunnel's next-hop. This recursion causes the encapsulated packet to be dropped.

Why this answer

ERSPAN encapsulates mirrored packets in GRE with a destination IP of the collector. The router must have a route to the collector IP, but the encapsulated packets use the routing table of the default VRF. If the destination IP is reachable via a route that points to a next-hop that is not directly connected, the router may attempt to use the GRE tunnel interface itself, causing a recursive routing loop.

The GRE tunnel interface IP (10.1.1.1) is used as the source, but the destination 192.168.10.10 is routed via 10.1.1.2, which is the tunnel's next-hop. This creates a recursion: the packet is encapsulated with destination 192.168.10.10, then routed, which again matches the tunnel, leading to a loop and packet drop. The fix is to use a separate source IP or ensure the route to the collector does not point back through the tunnel.

902
MCQ · hard

An engineer configures IPsec between two routers using a site-to-site VPN with IKEv1. The configuration uses `crypto isakmp policy 10` with authentication pre-share and encryption aes. On the peer, the policy is configured with authentication pre-share and encryption 3des. Unexpectedly, the IKE phase 1 negotiation fails. Which is the most likely explanation?

A. The encryption algorithms (AES vs 3DES) do not match, causing IKE phase 1 to fail.
B. The pre-shared key must be configured globally, not under the policy.
C. The IKE policy must have the same priority number on both ends.
D. The authentication method must be `rsa-sig` for site-to-site VPNs.
Answer: A

IKEv1 requires exact match of all parameters in the proposal.

Why this answer

IKEv1 requires that the encryption algorithm, hash, authentication method, and Diffie-Hellman group match exactly between peers. The encryption algorithm mismatch (AES vs 3DES) causes the IKE proposal to be rejected. Even though both use pre-shared keys, the encryption mismatch is a common edge case.

903
MCQ · hard

R1 and R2 are OSPF neighbors with BFD enabled. R1#show ip ospf neighbor shows R2 as 'FULL/DR'. R1#show bfd neighbors shows the session as 'Up' with R2. R2#show bfd neighbors shows the session as 'Up' with R1. However, R1#show ip route shows that the route to 10.1.1.0/24 via R2 is missing. R1 has 'summary-address 10.1.1.0 255.255.255.0' configured under OSPF. What is the root cause?

A. The OSPF summary-address on R1 is suppressing the more specific route from R2.
B. BFD is causing the route to be removed due to fast detection.
C. R2 is not advertising the route due to a filtering policy.
D. The OSPF cost on R1 is too high, causing the route to be ignored.
Answer: A

The summary-address command causes OSPF to advertise only the summary and suppress more specific routes, so the specific route from R2 is not installed.

Why this answer

OSPF summary-address on an ABR or ASBR suppresses more specific routes. If R1 is an ABR and has a summary-address for 10.1.1.0/24, it will not install the specific route from R2, even though BFD and OSPF adjacency are fine. The summary route may be advertised instead, but the specific route is missing from the routing table.

904
Multi-Select · hard

Which THREE commands can be used to verify IPv6 traffic filtering and uRPF operation on a Cisco IOS-XE router? (Choose THREE.)

A. show ipv6 interface
B. show ipv6 access-list
C. show ipv6 route
D. show ipv6 traffic
E. show ipv6 neighbors
Answers: A, B, C

Correct. This command shows whether an IPv6 access-group or uRPF is applied on the interface, including packet statistics.

Why this answer

Verification commands for IPv6 filtering include 'show ipv6 interface' (displays access-group and uRPF status), 'show ipv6 access-list' (displays hit counts), and 'show ipv6 route' (checks FIB for uRPF). 'show ipv6 traffic' shows packet statistics but not filtering details. 'show ipv6 neighbors' shows ND cache, not filtering.

905
Drag & Drop · medium

Drag and drop the steps to apply a route-map to filter BGP prefix advertisements into the correct order, from first to last.

Why this order

First, define the route-map with a permit or deny clause and match criteria. Second, configure the set actions to modify attributes. Third, apply the route-map to the BGP neighbor using the neighbor route-map command.

Fourth, clear the BGP session to activate the filter. Finally, verify the filtered prefixes using show ip bgp.

906
MCQ · medium

An engineer is troubleshooting a router that is generating syslog messages with incorrect timestamps. The router has 'service timestamps log datetime msec' configured, but the timestamps show the wrong time zone. The router's clock is set correctly via NTP. What is the most likely cause?

A. The 'clock timezone' command is not configured on the router.
B. The NTP server is not providing timezone information.
C. The 'service timestamps log' command should use 'localtime' instead of 'datetime'.
D. The syslog server is overwriting the timestamps with its own.
Answer: A

Correct because without a timezone configuration, the router uses UTC, so timestamps will be offset from the local time even if NTP is synced.

Why this answer

The 'service timestamps log datetime msec' command uses the router's local time, but if the time zone is not configured, the timestamps will appear in UTC (the default). To show the correct local time, the 'clock timezone' command must be configured to set the appropriate offset.

907
MCQ · medium

A network engineer runs the following command to verify EIGRP routes over DMVPN:

```
R1# show ip eigrp topology all-links
P 10.10.10.0/24, 1 successors, FD is 128256
        via 10.0.0.2 (128256/128256), Tunnel0
        via 10.0.0.3 (131072/128256), Tunnel0
```

What does this output indicate?

A. The route 10.10.10.0/24 has two equal-cost paths via Tunnel0.
B. The route has a successor via 10.0.0.2 and a feasible successor via 10.0.0.3.
C. Both paths are in active state and being queried.
D. The route is not reachable because both paths are down.
Answer: B

Correct: The successor has the lowest FD, and the other path has a reported distance equal to the FD, making it a feasible successor.

Why this answer

The output shows two paths for 10.10.10.0/24: one via 10.0.0.2 with feasible distance 128256 (successor), and one via 10.0.0.3 with reported distance 128256 (feasible successor).

908
MCQ · medium

A network engineer is troubleshooting an EIGRP network where route summarization is configured. Router R1 has the 'ip summary-address eigrp 100 10.0.0.0 255.0.0.0' command on its interface facing R2. After the configuration, R2 loses connectivity to the 10.1.0.0/16 subnet, which is one of the component routes. The engineer checks the routing table on R2 and sees the summary route 10.0.0.0/8 but not the specific route. What is the most likely cause?

A. The summary route 10.0.0.0/8 is being advertised with a metric of infinity, causing it to be ignored.
B. The 10.1.0.0/16 subnet is not directly connected to R1, so it cannot be summarized.
C. The summary address command was applied on the wrong interface, causing the summary to be sent out all interfaces, including the one facing the 10.1.0.0/16 subnet's origin.
D. The 10.1.0.0/16 subnet is not included in the summary range because the summary mask is /8, but the subnet's network address is 10.1.0.0, which is within the range, but the EIGRP process may have a split-horizon issue or the component route is not in the EIGRP topology table.
Answer: D

Correct. If the component route is not in the EIGRP topology table (e.g., due to a missing network statement or a passive interface), the summary route may still be generated, but the specific route is not advertised, causing loss of connectivity.

Why this answer

In EIGRP, the summary address command suppresses the advertisement of more specific routes and generates the summary. However, if the summary route is not installed in the routing table (e.g., due to a missing component), the specific routes may still be suppressed, causing a black hole.

909
MCQ · hard

Which CoPP feature allows the control plane to process packets from a specific source IP address without rate limiting?

A. CoPP aggregate policer
B. Control Plane Protection (CPPr) exception
C. QoS pre-classify
D. Policy-map 'set' action
Answer: B

CPPr allows defining exceptions to bypass CoPP for trusted sources, such as management stations or routing peers.

Why this answer

Control Plane Protection (CPPr) allows the creation of exceptions for specific source IP addresses or subnets using the 'exception' keyword within a class-map.

910
MCQ · hard

A network engineer configures an ERSPAN session on a Cisco router to monitor traffic on interface GigabitEthernet0/0/0 and send it to a monitoring server at 172.16.1.100. The engineer uses the command 'monitor session 1 type erspan-source' and configures the tunnel. The monitoring server receives packets, but the packets contain only the original source and destination IP addresses of the monitored traffic, not the encapsulated GRE headers. What is the most likely cause?

A. The ERSPAN session is misconfigured, causing the router to forward the original packets instead of encapsulated copies.
B. The monitoring server is stripping the GRE headers before capturing.
C. The ERSPAN session is configured with the 'ip access-group' command that filters the encapsulated traffic.
D. The router is not running the correct IOS version that supports ERSPAN.
Answer: A

Correct because the router should send GRE-encapsulated packets; if it sends raw packets, the session configuration is incorrect.

Why this answer

ERSPAN encapsulates the original packet with a GRE header. If the monitoring server receives packets without GRE encapsulation, it means the router is not encapsulating the traffic correctly, possibly because the ERSPAN session is not configured with the correct tunnel source or destination.

911
MCQ · medium

A router is configured with 'logging host 10.1.1.100' and 'logging trap informational'. The engineer notices that syslog messages with severity 5 (notice) are being sent, but messages with severity 6 (informational) are not. What is the most likely cause?

A. The 'logging trap' command is set to 5 (notice) rather than 6 (informational).
B. The syslog server is dropping severity 6 messages due to its own configuration.
C. The 'logging console' command is overriding the remote logging level.
D. The router's clock is not synchronized, causing timestamp issues.
Answer: A

Correct because if the trap level is 5, only messages severity 0-5 are sent; severity 6 messages are excluded.

Why this answer

The 'logging trap informational' command sets the severity threshold to 6, meaning messages of severity 0-6 are sent. However, if the engineer sees that severity 5 messages are sent but severity 6 are not, the issue is likely that the specific informational messages are not being generated by the router, or they are being filtered by a different mechanism such as 'logging filter' or 'exception' settings. But the most common cause is that the 'logging trap' level is actually set to 5 (notice) instead of 6.

A misconfiguration or misunderstanding of the command is typical.

912
Multi-Select · medium

Which TWO commands verify the application and content of an IPv4 access control list on a Cisco IOS router? (Choose TWO.)

A. show ip interface
B. show access-lists
C. show running-config | include access-list
D. show ip route
E. debug ip packet
Answers: A, B

This command shows which ACLs are applied inbound/outbound on each interface.

Why this answer

The 'show ip interface' command displays the access lists applied to an interface, including the direction (inbound/outbound) and the specific ACL name or number. The 'show access-lists' command shows the detailed content of all ACLs, including the exact permit/deny statements, sequence numbers, and hit counts, verifying both the application and the rules.

Exam trap

Cisco often tests the distinction between commands that verify ACL application (show ip interface) versus content (show access-lists), and candidates mistakenly choose 'show running-config | include access-list' thinking it shows both, but it only shows the configuration lines without interface binding or hit counts.

913
Drag & Drop · hard

Drag and drop the steps to troubleshoot DHCP (IPv4 and IPv6) adjacency or connectivity failures into the correct order, from first to last.

Why this order

Begin by checking the DHCP client's interface for an IP address and DHCP state. Then, verify that the relay agent is configured and reachable. Next, confirm that the DHCP server is reachable from the relay.

After that, inspect access lists or firewall rules that might block DHCP traffic. Finally, review debug output to isolate the failure point.

914
MCQ · medium

An engineer is troubleshooting a router that fails to write its running configuration to startup configuration using 'copy running-config startup-config'. The command returns 'Destination filename [startup-config]?' and then the prompt returns without error. 'show startup-config' shows an empty configuration. What is the most likely cause?

A. The router is configured to boot from a TFTP server using the 'boot host' command, and the TFTP server is unreachable or does not allow writes.
B. The NVRAM is full and the router cannot save the configuration.
C. The 'file prompt quiet' command is configured, suppressing prompts.
D. The router is running in ROMMON mode.
Answer: A

When 'boot host' points to a remote file, 'copy running-config startup-config' tries to write to that remote server; if it fails, the local startup-config remains empty.

Why this answer

The router may have insufficient space in NVRAM or the startup configuration file may be corrupted. However, a common issue is that the router is booting from a network server (TFTP) and the 'boot host' command points to a remote file, so 'copy running-config startup-config' attempts to write to the remote server but fails silently.

915
MCQ · medium

An engineer is troubleshooting a BGP peering issue between two routers, R1 and R2, connected via a serial link. The BGP session is established, but routes are not being exchanged. The engineer checks the BGP configuration and sees that both routers have the 'neighbor' commands correctly configured. The output of 'show ip bgp summary' shows the session is in the Established state, but the prefix counts are zero. What is the most likely cause?

A. Neither router has any network statements or redistribution commands configured to inject prefixes into BGP.
B. The BGP session is using MD5 authentication, but the passwords do not match.
C. The routers have mismatched BGP versions.
D. The update-source command is missing, causing the session to use the wrong interface.
Answer: A

Correct because BGP only advertises prefixes that are explicitly injected via network statements, redistribution, or aggregation.

Why this answer

If the BGP session is established but no prefixes are exchanged, the most common cause is that there are no networks configured under the BGP process or no redistribution. Alternatively, outbound filters could be blocking all prefixes. The stem says routes are not being exchanged, so the issue is on the advertisement side.

916
MCQ · medium

A network engineer runs the following command to verify IPv6 First Hop Security operation:

```
R1# show ipv6 nd raguard policy TRUSTED
Policy: TRUSTED
Status: Active
Device role: host
Trusted ports: Fa0/1
Untrusted ports: none
RA Guard: enabled
RA Guard policy: allow
ND inspection: enabled
ND inspection policy: INSPECT
```

What does this output indicate?

A. The policy TRUSTED allows RAs on Fa0/1 and performs ND inspection using policy INSPECT.
B. The policy TRUSTED blocks all RAs on Fa0/1 and disables ND inspection.
C. The policy TRUSTED only applies to untrusted ports and has no effect on Fa0/1.
D. The policy TRUSTED is inactive and not applied to any interface.
Answer: A

The output shows RA Guard is enabled with allow action, and ND inspection is enabled with policy INSPECT on the trusted port.

Why this answer

The show command displays the RA Guard policy configuration. The policy TRUSTED is active, applied to port Fa0/1 as trusted, with RA Guard allowing RAs and ND inspection enabled.

917
MCQ · medium

A network engineer runs the following command to troubleshoot SNMP trap generation:

```
R1# show snmp mib
sysDescr.0 = Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.7(3)M
sysObjectID.0 = .1.3.6.1.4.1.9.1.1
sysUpTime.0 = 123456789
sysContact.0 = admin@example.com
sysName.0 = R1
sysLocation.0 = Lab
```

What does this output indicate?

A. The router's system MIB is populated with correct values, including contact and location.
B. The router's sysContact is not configured, causing SNMP traps to fail.
C. The router is not responding to SNMP queries.
D. The router uses SNMPv3 only.
Answer: A

All system MIB objects have values, indicating proper configuration.

Why this answer

The show snmp mib command displays the system MIB objects. The output shows standard system group values: sysDescr (description), sysObjectID (enterprise OID), sysUpTime (uptime), sysContact, sysName, and sysLocation.

918
MCQ · hard

A network engineer is troubleshooting a route redistribution issue between OSPF and BGP. Router R1 runs both OSPF and BGP, and redistributes OSPF routes into BGP. The engineer notices that OSPF external routes are not appearing in the BGP table on R1. The show ip bgp command does not list these prefixes. The redistribute ospf 1 match external command is configured under BGP. What is the most likely cause?

A. The redistribute ospf 1 match external command under BGP is missing the subnets keyword.
B. OSPF has a higher administrative distance than BGP.
C. The OSPF process on R1 has a distribute-list blocking these routes.
D. BGP requires the network command to advertise routes, not redistribution.
Answer: A

Correct: Without subnets, only classful networks are redistributed, causing missing routes.

Why this answer

When redistributing OSPF into BGP, the subnets keyword is required to redistribute classless subnets. Without it, only classful networks are redistributed, which may cause many routes to be missing.

919
MCQ · hard

R1 and R2 are iBGP peers in AS 65001. R1 has: neighbor 10.1.1.2 route-reflector-client. R2 advertises a prefix 192.168.1.0/24 with next-hop 10.1.1.2. R3, another iBGP speaker not a client of R1, receives the prefix but the next-hop is unchanged (10.1.1.2) and R3 cannot reach it because 10.1.1.2 is not directly connected. R1 has no other configuration. What is the root cause?

A. R1 is missing the next-hop-self configuration for its non-client peer R3, so the next-hop remains R2, which is not reachable by R3.
B. R2 should have sent the route with next-hop-self to R1.
C. R3 is missing a static route to 10.1.1.2.
D. The route-reflector-client command should be applied on R2 instead.
Answer: A

Route reflectors do not change next-hop for reflected routes; next-hop-self is needed on the reflector for non-clients.

Why this answer

When a route reflector reflects a route from a client to a non-client, it does not modify the next-hop attribute by default. The next-hop remains the original router (R2). If the non-client (R3) does not have a route to that next-hop, the prefix is considered unreachable.

The fix is to use next-hop-self on the route reflector for non-client peers, or ensure reachability to the next-hop. The root cause is that R1 is not configured with neighbor 10.1.1.3 next-hop-self for the non-client peer.

920
MCQ · easy

What is the default OSPF dead interval on a broadcast multi-access network (e.g., Ethernet) when the hello interval is 10 seconds?

A. 40 seconds
B. 30 seconds
C. 20 seconds
D. 10 seconds
Answer: A

The dead interval is 4 * hello interval (10 seconds) = 40 seconds.

Why this answer

On broadcast multi-access networks like Ethernet, OSPF defaults to a hello interval of 10 seconds. The dead interval is calculated as 4 times the hello interval, resulting in a default dead interval of 40 seconds. This ensures that a router has multiple missed hello opportunities before being declared dead, providing stability against transient network issues.

Exam trap

The trap here is that candidates often confuse the default dead interval multiplier (thinking it is 3 instead of 4) or mistakenly apply the NBMA dead interval logic to broadcast networks, leading them to select 30 or 20 seconds.

How to eliminate wrong answers

Option B (30 seconds) is wrong because it incorrectly assumes a multiplier of 3, but the OSPF standard (RFC 2328) specifies a multiplier of 4 for broadcast networks. Option C (20 seconds) is wrong because it suggests a multiplier of 2, which is used for NBMA networks (e.g., Frame Relay) where the hello interval is 30 seconds and the dead interval is 120 seconds, not for Ethernet. Option D (10 seconds) is wrong because it confuses the hello interval with the dead interval; the dead interval must be longer to allow for missed hellos.

921
MCQ · hard

An engineer configures Control Plane Policing (CoPP) on a router to protect the control plane. After applying the policy, the router becomes unreachable via SSH, and OSPF neighbor adjacencies go down. The engineer checks the CoPP policy and sees that the class-map for SSH and OSPF traffic is configured with a police rate. Which is the most likely explanation?

A. The class-default is set to drop all traffic not matched by explicit classes
B. The police rate for OSPF traffic is too high
C. The CoPP policy is applied to the wrong interface
D. The class-map for SSH uses the wrong match criteria
Answer: A

Correct. If class-default drops traffic, OSPF and SSH packets that are not explicitly permitted will be dropped.

Why this answer

A common edge case with CoPP is that the default class (class-default) is often configured with an explicit deny or a very low rate, which can drop all traffic not matched by other classes. If the engineer does not include a 'class class-default' with an appropriate action (e.g., 'police' with a conform action of 'transmit'), all unmatched traffic, including critical control plane traffic, may be dropped. Additionally, if the police rate is too low for OSPF hello packets, adjacencies can fail.

922
MCQ · hard

A network engineer is troubleshooting IPv6 redistribution between EIGRP and OSPFv3 on Router R1. Routes from OSPFv3 are being redistributed into EIGRP, but they are not appearing in the EIGRP topology table. Router R1 has the following relevant configuration:

```
router eigrp Test
 address-family ipv6 unicast
  redistribute ospf 1 metric 10000 100 255 1 1500
!
```

On Router R2, the 'show ipv6 eigrp topology' output does not include any OSPF-derived routes. What is the root cause?

A. The EIGRP metric values are too high, causing the routes to be considered unreachable.
B. The OSPFv3 process ID in the redistribute command does not match the actual OSPFv3 process ID running on the router.
C. The routes from OSPFv3 are external, and EIGRP does not redistribute external OSPF routes by default.
D. The EIGRP address-family is not configured with a router ID, preventing redistribution.
Answer: B

If the process ID is wrong, the redistribution command does not match any OSPFv3 process, and no routes are redistributed.

Why this answer

The 'redistribute ospf 1' command under EIGRP IPv6 address-family requires that the OSPFv3 process is correctly specified and that the metrics are appropriate. However, a common issue is that the OSPFv3 process is not running or that the routes are not in the OSPFv3 database. The correct answer identifies that the OSPFv3 process ID is missing or incorrect, causing redistribution to fail silently.

923
MCQ · medium

A network engineer is troubleshooting a PBR configuration on a Cisco router. The engineer has configured a route map named 'PBR-MAP' with a match statement matching traffic from source IP 10.1.1.0/24 and a set statement to forward the traffic to next-hop 192.168.1.2. The engineer applies the route map to the incoming interface GigabitEthernet0/0 using 'ip policy route-map PBR-MAP'. However, traffic from 10.1.1.0/24 is still being forwarded using the routing table instead of the PBR next-hop. What is the most likely cause?

A. The route map is applied to the outgoing interface instead of the incoming interface.
B. The 'set ip next-hop' command requires the 'verify-availability' keyword to activate PBR.
C. The route map sequence number is missing; PBR requires sequence numbers to be explicitly defined.
D. The 'ip policy route-map' command must be applied globally under 'ip route-cache policy'.
Answer: A

Correct because PBR must be applied to the incoming interface to intercept traffic before routing decision.

Why this answer

The 'ip policy route-map' command must be applied to the incoming interface where the traffic is received. If it is applied to the outgoing interface, PBR will not function. The symptom indicates the route map is not being evaluated, which typically occurs when the policy is applied to the wrong interface or not applied at all.

924
MCQ · medium

An engineer is troubleshooting an MPLS L3VPN where CE1 (10.1.1.0/24) cannot reach CE2 (10.2.2.0/24). The PE routers are using OSPF with the CEs. On PE1, the show ip bgp vpnv4 vrf CUSTOMER command shows the route for 10.2.2.0/24 with a next-hop of 192.168.1.2, and the show ip route vrf CUSTOMER command shows the route. However, traffic from CE1 to CE2 fails. The show ip cef vrf CUSTOMER 10.2.2.0 command on PE1 shows the next-hop as 192.168.1.2 and the output interface as GigabitEthernet0/0. The show mpls forwarding-table 192.168.1.2 detail command on PE1 shows a label with outgoing interface GigabitEthernet0/0. The show ip route 192.168.1.2 command on PE1 shows the route with a next-hop of 10.0.0.2 and output interface GigabitEthernet0/0. The show ip cef 192.168.1.2 command on PE1 shows the next-hop as 10.0.0.2 and output interface GigabitEthernet0/0. What is the most likely cause?

A. The VRF route-target import on PE2 is misconfigured.
B. The PE2 router does not have a label for the CE1 prefix in its LFIB.
C. The OSPF process on PE1 is not redistributing BGP routes into OSPF.
D. The MP-BGP session is using an incorrect update-source.
Answer: B

Correct: If PE2 cannot forward return traffic due to missing label, traffic will be dropped.

Why this answer

All forwarding components on PE1 are correct. The issue is likely on the remote side, such as PE2 not having a label for the return traffic or CE2 not having a route back. The engineer should check PE2's forwarding table for the CE1 prefix.

925
Drag & Drop · medium

Drag and drop the steps to verify and validate route summarization operational state into the correct order, from first to last.

Why this order

Begin by checking the routing table on the summarizing router to see the summary route. Then, inspect the OSPF database to confirm the summary LSA. Next, verify that the summary is not causing suboptimal routing by checking for more specific routes.

After that, use show ip protocols to confirm summarization is enabled. Finally, test reachability to a host within the summarized range.

926
MCQ · medium

A network engineer runs the following command on Router R1:

```
R1# show ipv6 dhcp binding
Client: FE80::A8BB:CCFF:FE01:0200
  DUID: 00030001AABBCC010200
  Username: unassigned
  IA NA: IA ID 0x00010001, T1 302400, T2 483840
    Address: 2001:DB8:1::1000
      Preferred lifetime 604800, valid lifetime 2592000
      Expires at Mar 08 2020 12:00 AM (2592000 seconds)
Client: FE80::A8BB:CCFF:FE01:0300
  DUID: 00030001AABBCC010300
  Username: unassigned
  IA NA: IA ID 0x00010001, T1 302400, T2 483840
    Address: 2001:DB8:1::1001
      Preferred lifetime 604800, valid lifetime 2592000
      Expires at Mar 08 2020 12:00 AM (2592000 seconds)
```

Based on this output, which statement is correct?

A. The DHCPv6 server has assigned duplicate addresses to the clients.
B. The DHCPv6 server is functioning correctly with two active bindings.
C. The DHCPv6 server is not using a pool; addresses are statically assigned.
D. The DHCPv6 server has a DUID conflict.
Answer: B

Both clients have unique bindings and valid lifetimes.

Why this answer

The output shows two DHCPv6 clients with unique link-local addresses and DUIDs, each assigned a distinct IPv6 address from the 2001:DB8:1::/64 prefix. The presence of valid lifetimes and T1/T2 timers indicates the DHCPv6 server is operating normally, maintaining two active bindings. Option B correctly identifies this as proper server behavior.

Exam trap

Cisco often tests the distinction between duplicate addresses and unique addresses in DHCPv6 binding output, where candidates may mistakenly think two different addresses are duplicates because they share the same prefix or IA ID.

How to eliminate wrong answers

Option A is wrong because the addresses 2001:DB8:1::1000 and 2001:DB8:1::1001 are different, not duplicates; duplicate addresses would show the same IPv6 address for both clients. Option C is wrong because the output shows dynamically assigned addresses with lifetimes and timers, which are characteristics of pool-based DHCPv6 assignment, not static configuration. Option D is wrong because each client has a unique DUID (00030001AABBCC010200 vs 00030001AABBCC010300), so there is no DUID conflict.

927
MCQ · easy

A network engineer runs the following command on Router R1:

```
R1# show ipv6 access-list DENY-REMOTE
IPv6 access list DENY-REMOTE
    deny ipv6 2001:DB8:2::/48 any sequence 10
    permit ipv6 any any sequence 20
```

Based on this output, what is the effect of this access list when applied to an interface?

A. It permits all IPv6 traffic
B. It denies all IPv6 traffic from 2001:DB8:2::/48 and permits everything else
C. It permits only IPv6 traffic from 2001:DB8:2::/48
D. It denies all IPv6 traffic
Answer: B

Sequence 10 denies the prefix, sequence 20 permits all other traffic.

Why this answer

The access list DENY-REMOTE explicitly denies IPv6 traffic sourced from the prefix 2001:DB8:2::/48 (sequence 10) and then permits all other IPv6 traffic (sequence 20). When applied to an interface, this results in only traffic from that specific prefix being blocked, while all other IPv6 traffic is allowed. This matches option B.

Exam trap

Cisco often tests the concept that an ACL with an explicit permit any any at the end overrides the implicit deny, so candidates mistakenly think the ACL only denies or only permits based on the first line, ignoring the sequence of entries.

How to eliminate wrong answers

Option A is wrong because the access list does not permit all IPv6 traffic; it specifically denies traffic from 2001:DB8:2::/48. Option C is wrong because the access list denies, not permits, traffic from 2001:DB8:2::/48. Option D is wrong because the access list does not deny all IPv6 traffic; it only denies traffic from the specified prefix and permits everything else.

928
Multi-Selecthard

Which TWO statements about the operation of DMVPN Phase 2 are true? (Choose TWO.)

Select 2 answers
A.Spoke routers can dynamically establish direct tunnels with each other.
B.The hub router must be configured with the 'ip nhrp redirect' command.
C.The hub router must use a point-to-point GRE tunnel interface.
D.All spoke-to-spoke traffic must traverse the hub router.
E.NHRP is not required for Phase 2 operation.
AnswersA, B

This is a key feature of Phase 2: spokes can build direct tunnels using NHRP redirect/shortcut.

Why this answer

In DMVPN Phase 2, spoke-to-spoke tunnels are built dynamically using NHRP redirect and shortcut routes. The spoke router learns the NBMA address of another spoke via an NHRP redirect from the hub, and then initiates a direct tunnel. Phase 2 uses the 'ip nhrp redirect' command on the hub and 'ip nhrp shortcut' on spokes.

The other statements are incorrect: Phase 2 does not require a multipoint GRE tunnel on the hub (it can be point-to-multipoint), and spoke-to-spoke traffic does not always go through the hub after the shortcut is established.

929
MCQeasy

A network engineer runs the following command to verify Flexible NetFlow cache entries:

```
R1# show flow monitor FLOW-MONITOR-1 cache format record
Cache entry for flow 1:
  ipv4 source address: 10.0.0.1
  ipv4 destination address: 192.168.1.100
  ip protocol: 6
  counter bytes: 1500
  counter packets: 10
  timestamp sys-uptime first: 123456
  timestamp sys-uptime last: 123556
Cache entry for flow 2:
  ipv4 source address: 10.0.0.2
  ipv4 destination address: 192.168.1.101
  ip protocol: 17
  counter bytes: 500
  counter packets: 5
  timestamp sys-uptime first: 123457
  timestamp sys-uptime last: 123557
```

What does this output indicate?

A.Both flows are TCP connections.
B.The cache shows two flows with source/destination IP, protocol, byte/packet counts, and timestamps.
C.The cache does not include protocol information.
D.The flows are being exported immediately.
AnswerB

The output correctly displays all the fields defined in the flow record for both flows.

Why this answer

The output shows two active flows in the Flexible NetFlow cache. Flow 1 is a TCP (protocol 6) flow from 10.0.0.1 to 192.168.1.100 with 1500 bytes and 10 packets. Flow 2 is a UDP (protocol 17) flow from 10.0.0.2 to 192.168.1.101 with 500 bytes and 5 packets.

The timestamps show the first and last packet times.

930
MCQmedium

A network engineer runs the following command on Router R1:

```
R1# show bgp ipv4 unicast 10.2.2.0/24
BGP routing table entry for 10.2.2.0/24, version 5
Paths: (1 available, best #1, table default)
  Not advertised to any peer
  Refresh Epoch 1
  65002
    10.1.12.2 from 10.1.12.2 (10.2.2.2)
      Origin IGP, metric 0, localpref 100, valid, external, best
      rx pathid: 0, tx pathid: 0x0
```

Based on this output, what is a potential issue with this route?

A.The route has a low local preference of 100.
B.The route is not being advertised to any BGP peer, possibly due to outbound filtering.
C.The next hop 10.1.12.2 is unreachable.
D.The route is not installed in the routing table.
AnswerB

The output explicitly states 'Not advertised to any peer', indicating a filtering or configuration issue preventing advertisement.

Why this answer

The route is valid and best, but it is 'Not advertised to any peer'. This could be due to outbound filtering, such as a route-map, prefix-list, or the neighbor not being configured to receive the route. The route is learned from an eBGP peer but not being propagated.

931
Multi-Selecthard

Which THREE symptoms indicate a misconfiguration in the MPLS L3VPN control plane between two PEs? (Choose THREE.)

Select 3 answers
A.The command 'show ip bgp vpnv4 vrf CUSTOMER_A' shows no prefixes on the remote PE.
B.The command 'show mpls forwarding-table vrf CUSTOMER_A' shows no labels for remote prefixes.
C.The MP-BGP session between PEs is in the 'Idle' or 'Active' state.
D.Ping from CE1 to CE2 fails, but ping from CE1 to the local PE succeeds.
E.The IGP adjacency between PE and P routers is down.
AnswersA, B, C

Indicates that VPNv4 routes are not being received, a control plane issue.

Why this answer

Common control plane issues include missing VPNv4 prefixes in BGP, lack of MPLS labels for VPN routes, and failure to establish the MP-BGP session. Correct routing table entries on the PE but no labels suggests a label allocation problem. Ping failure from CE to CE could be due to many issues, not specifically control plane.

IGP adjacency down affects the underlay but is not a direct VPN control plane symptom.

932
MCQhard

A network engineer is troubleshooting a scenario where BFD sessions are not forming between two routers running IS-IS. Both routers have BFD configured under the IS-IS process and on the interfaces. The engineer checks the BFD session and sees it is 'Down'. The IS-IS adjacency is up and operational. What is the most likely cause?

A.The IS-IS process is configured with 'bfd all-interfaces' but the interface is not configured with 'isis bfd'.
B.The BFD session is using the wrong source IP address; IS-IS BFD requires the interface IP to be used.
C.The IS-IS metric is set to a high value, causing BFD to be ignored.
D.The interface is configured with 'bfd interval 50 min_rx 50 multiplier 3' but the neighbor is not configured for BFD.
AnswerB

BFD sessions for IS-IS must use the interface IP address as the source; if the router is using a loopback or other IP, the session will fail.

Why this answer

IS-IS BFD requires that the BFD session be established on the same interface as the IS-IS adjacency. If the IS-IS adjacency is up but BFD is down, the issue is often that the BFD configuration is not applied to the correct interface or that the BFD timers are not compatible.

933
MCQmedium

A network engineer runs the following command to troubleshoot an EEM issue:

```
R1# show event manager history applet TRACK-INTERFACE
Applet TRACK-INTERFACE:
  Time Created : Mar 1 00:00:12 2025
  Time Last Triggered : Mar 1 00:15:30 2025
  Time Last Executed : Mar 1 00:15:30 2025
  Trigger Count : 5
  Execution Count : 5
  Last Event Type : syslog
  Last Event Detail : OSPF-5-ADJCHG
  Last Action Executed : show ip route
  Last Action Result : Success
```

What does this output indicate?

A.The applet 'TRACK-INTERFACE' has been triggered 5 times and executed successfully each time, with the last trigger at 00:15:30.
B.The applet 'TRACK-INTERFACE' has failed to execute 5 times.
C.The applet 'TRACK-INTERFACE' has not been triggered since it was created.
D.The applet 'TRACK-INTERFACE' executed the action 'show ip route' but the output was not captured.
AnswerA

Correct. The trigger count and execution count are both 5, and the last action result is 'Success'.

Why this answer

The output shows the history for a specific EEM applet. It includes creation time, last trigger and execution times, trigger and execution counts, the last event that triggered it, the last action executed, and the result. This helps in determining if the applet is being triggered and executing successfully.

934
MCQeasy

What is the default behavior of a route-map when a route does not match any match clause in any sequence?

A.The route is permitted by default.
B.The route is denied by default.
C.The route is processed by the last sequence regardless of match.
D.The route is forwarded to the next route-map if one exists.
AnswerB

Correct. If a route does not match any sequence, it is implicitly denied.

Why this answer

A route-map consists of sequences with permit or deny actions. If a route does not match any match clause in any sequence, it is implicitly denied. This is similar to an access-list: there is an implicit deny at the end of the route-map.

935
MCQhard

A network engineer is troubleshooting an issue where IPv6 hosts are unable to perform Duplicate Address Detection (DAD) successfully. The switch is configured with IPv6 First Hop Security features including ND Inspection and ND Suppress. The engineer notices that Neighbor Solicitation messages for DAD are being dropped by the switch. What is the most likely cause?

A.ND Inspection is configured to drop Neighbor Solicitations with an unspecified source address (::) because it has no binding for that address.
B.RA Guard is configured to drop all multicast traffic, including Neighbor Solicitations.
C.DHCPv6 Guard is blocking the DAD messages because they are considered DHCPv6 traffic.
D.IPv6 Source Guard is dropping the DAD messages because the source address :: is not in the binding table.
AnswerA

Correct because ND Inspection typically requires a valid binding for the source address; DAD uses :: as source, which is not in the binding table, causing drops.

Why this answer

ND Suppress is a feature that suppresses Neighbor Advertisements for addresses that are in the binding table. However, if ND Inspection is misconfigured, it may drop Neighbor Solicitations that are part of DAD because the source address is the unspecified address (::) and the switch may not have a binding for it.

936
MCQmedium

Consider this configuration on router R2:

```
interface GigabitEthernet0/0
 ip access-group RESTRICT_ACCESS in
!
ip access-list extended RESTRICT_ACCESS
 permit ip 10.0.0.0 0.255.255.255 any
 deny ip any any
```

What traffic will be permitted inbound on GigabitEthernet0/0?

A.Only traffic from source 10.0.0.0/24.
B.All traffic from the 10.0.0.0/8 network.
C.All traffic from any source.
D.Only traffic from source 10.0.0.0/16.
AnswerB

Correct. The wildcard mask 0.255.255.255 matches the 10.0.0.0/8 range.

Why this answer

The access list RESTRICT_ACCESS uses a wildcard mask of 0.255.255.255, which matches the first octet exactly and ignores the remaining three octets. This effectively permits all traffic from the 10.0.0.0/8 network (10.0.0.0 through 10.255.255.255). The explicit deny ip any any at the end blocks all other traffic, so only traffic sourced from the 10.0.0.0/8 range is permitted inbound on GigabitEthernet0/0.

Exam trap

Cisco often tests the distinction between prefix length and wildcard mask, leading candidates to misinterpret 0.255.255.255 as a /24 or /16 mask instead of the correct /8 range.

How to eliminate wrong answers

Option A is wrong because a wildcard mask of 0.255.255.255 matches the entire /8 range, not just the /24 subnet (which would require a wildcard mask of 0.0.0.255). Option C is wrong because the access list ends with a deny ip any any statement, which blocks all traffic not explicitly permitted by earlier entries. Option D is wrong because a /16 prefix would require a wildcard mask of 0.0.255.255, not 0.255.255.255; the given mask matches the full /8 range.

937
Multi-Selecthard

Which THREE symptoms indicate that an IP SLA operation is failing or not responding? (Choose THREE.)

Select 2 answers
A.The 'show ip sla statistics' output shows 'Timeout' in the latest RTT field.
B.The 'show ip sla statistics' output shows a return code of 0.
C.The 'show track' output shows the tracked object as 'Down'.
D.The 'show ip sla statistics' output shows a zero RTT value.
E.The 'show ip sla configuration' output shows the operation state as 'Active'.
AnswersA, C

A timeout indicates that the probe did not receive a reply within the configured timeout.

Why this answer

When an IP SLA operation fails, the 'show ip sla statistics' output will show 'Timeout' or 'No connection' in the latest RTT field. The return code in the detailed output will be non-zero (e.g., 1 for timeout). The tracking object will show 'Down' if it is configured to track reachability.

A zero RTT value is not typical for a failure; it might indicate a misconfiguration. The operation state 'Active' means it is running, not failing.

938
MCQhard

When redistributing OSPF into EIGRP, which EIGRP metric components are used to calculate the default metric?

A.Bandwidth and delay only
B.Bandwidth, delay, reliability, load, and MTU
C.No default metric is assigned; redistribution fails unless a metric is configured.
D.The OSPF cost is converted to an EIGRP metric using a default formula.
AnswerC

EIGRP does not assign a default metric for redistributed routes; if no metric is specified, the route is not redistributed.

Why this answer

EIGRP requires all five K-values (bandwidth, delay, reliability, load, MTU) for metric calculation, but by default, only bandwidth and delay are used; the default metric for redistribution is not automatically derived and must be explicitly set.

939
MCQmedium

Consider the ERSPAN configuration on a router:

```
monitor session 1 type erspan-source
 source interface GigabitEthernet0/0/1 both
 destination
  erspan-id 1
  ip address 192.168.1.100
  origin ip address 192.168.1.1
```

What is the primary purpose of the 'origin ip address' command?

A.It specifies the IP address of the monitoring device.
B.It defines the source IP address used in the ERSPAN GRE encapsulation.
C.It sets the IP address of the interface being monitored.
D.It enables ERSPAN on the specified interface.
AnswerB

This is the correct function of the origin IP address.

Why this answer

The origin IP address is the source IP used in the ERSPAN encapsulated packets, allowing the destination to identify the source of the mirrored traffic.

940
MCQhard

An engineer configures an IPsec site-to-site VPN between two routers using OSPF as the routing protocol. The OSPF neighbor forms, but routes are not being exchanged. The engineer verifies that the IPsec tunnel is up and that OSPF packets are being encrypted. The OSPF network type on the tunnel interface is set to broadcast. What is the most likely explanation for the missing routes?

A.The OSPF network type broadcast requires a DR/BDR election, but the tunnel is point-to-point, so the DR election fails and routes are not exchanged.
B.The IPsec crypto map is configured to encrypt only unicast traffic, and OSPF hello packets are multicast (224.0.0.5), so they are dropped before encryption.
C.The OSPF hello and dead intervals are mismatched, preventing the neighbor from forming.
D.The IPsec tunnel is using transport mode, which does not support multicast traffic.
AnswerB

If the crypto ACL only permits unicast traffic (e.g., 'permit ip host A host B'), multicast OSPF packets are not matched and are sent in clear text or dropped, depending on the configuration. This is a common edge case where the interesting traffic definition does not include multicast.

Why this answer

Option B is correct because OSPF hello packets are sent to the multicast address 224.0.0.5, but IPsec crypto maps by default only encrypt unicast traffic. Since the crypto map does not match multicast packets, OSPF hellos are dropped before encryption, preventing OSPF neighbor adjacency from forming even though the IPsec tunnel is up and other packets are encrypted.

Exam trap

Cisco often tests the misconception that an IPsec tunnel being up guarantees all traffic is encrypted, but the trap here is that OSPF multicast packets are not matched by the default crypto ACL, causing OSPF to fail silently.

How to eliminate wrong answers

Option A is wrong because OSPF network type broadcast on a tunnel interface does not inherently fail; DR/BDR election can occur over a point-to-point tunnel if the network type is set to broadcast, but the real issue is that multicast OSPF hellos are not encrypted. Option C is wrong because the question states that the OSPF neighbor forms, which would not happen if hello/dead intervals were mismatched. Option D is wrong because IPsec transport mode does not inherently block multicast traffic; the limitation is that crypto maps only match unicast traffic, regardless of transport or tunnel mode.

941
MCQhard

According to RFC 4787 (NAT Behavioral Requirements for UDP), what is the recommended default timeout for UDP NAT mappings?

A.60 seconds
B.300 seconds
C.600 seconds
D.86400 seconds
AnswerB

Correct. RFC 4787 recommends and Cisco IOS defaults to 300 seconds for UDP NAT mappings.

Why this answer

RFC 4787 recommends a default UDP mapping timeout of 5 minutes (300 seconds). Cisco IOS defaults to this value for UDP NAT translations.

942
MCQhard

A network engineer is troubleshooting a multi-homed BGP setup. R1 receives the prefix 10.1.1.0/24 from two eBGP peers: R2 (AS 100) and R3 (AS 200). The engineer configures the distance bgp 20 20 20 command on R1 to make all BGP routes have the same AD. However, R1 still prefers the route from R2 over R3. What is the most likely reason?

A.The route from R2 has a lower MED than the route from R3.
B.The route from R2 has a higher local preference than the route from R3.
C.The route from R2 is the oldest BGP route.
D.The AS path for the route from R2 is shorter than that from R3.
AnswerB

Local preference is compared before AS path and MED; if R2's route has a higher local preference (e.g., 150 vs 100), it will be preferred even with equal AD.

Why this answer

The distance bgp command sets AD for eBGP, iBGP, and local routes. With AD equal, the router uses other BGP path attributes, such as local preference, AS path length, or MED. The most common tie-breaker is local preference (default 100) or the oldest route.

943
MCQhard

In a multi-area OSPF network, Router R1 (ABR) is redistributing a static default route into OSPF with 'default-information originate always metric 10'. Router R2, an internal router in Area 1, receives the default route but also learns a more specific route to 0.0.0.0/0 via EIGRP from Router R3 with administrative distance 170. The 'show ip route 0.0.0.0' on R2 shows the EIGRP route as the best path. However, R2's 'show ip ospf database external' shows the OSPF external default route. What is the root cause of R2 preferring the EIGRP route?

A.The EIGRP route has an administrative distance of 90 because it is an internal EIGRP route, and the OSPF default route is external with AD 110, so EIGRP is preferred.
B.The OSPF default route is not installed because the 'default-information originate always' command requires a 'metric-type' keyword to be set to type-1 for lower AD.
C.R2 has a static route with AD 1 that is overriding both dynamic routes.
D.The EIGRP route is learned from a different VRF, and VRF routes have lower AD by default.
AnswerA

Internal EIGRP routes have AD 90, which is lower than OSPF external routes (AD 110). The redistribution on R3 is injecting the route as internal, causing the preference.

Why this answer

OSPF external routes have an administrative distance of 110, while EIGRP external routes have an administrative distance of 170. Since 110 < 170, OSPF should be preferred. However, if the EIGRP route is internal (AD 90) due to redistribution settings or if the OSPF route is not installed due to a mismatched metric type or route filtering, the EIGRP route might be chosen.

The correct answer is that the OSPF default route is an NSSA external route (Type N2) with AD 110, but the EIGRP route is internal (AD 90) because it was redistributed as internal via a route-map that changed the administrative distance. The candidate must check the redistribution configuration on R3.

944
Multi-Selecthard

Which TWO statements about EEM applet debugging and verification are correct? (Choose TWO.)

Select 2 answers
A.The command 'show event manager policy available' displays all configured EEM applets on the device.
B.The 'debug event manager action cli' command enables debugging output for CLI actions executed by EEM applets.
C.The 'show event manager history events' command displays a log of recent events that have triggered applets.
D.The 'show event manager policy active' command shows all applets that are currently running or have run recently.
E.The 'show event manager applet' command is not a valid IOS command.
AnswersB, C

Correct. This debug command shows the CLI commands being executed by applet actions.

Why this answer

'show event manager policy available' lists registered Tcl policies, not applets. 'debug event manager action cli' debugs CLI actions. 'show event manager history events' shows recent event occurrences. 'show event manager policy active' shows running policies. 'show event manager applet' is a valid command.

945
MCQhard

A network engineer is troubleshooting a VRF-Lite setup where two routers are connected via a serial link. Each router has VRF_SALES configured. The engineer configures EIGRP in VRF_SALES. The 'show ip eigrp vrf VRF_SALES neighbors' shows no neighbors. The 'show ip eigrp vrf VRF_SALES interfaces' shows the serial interface is passive. What is the most likely cause?

A.The 'passive-interface default' command is configured under the EIGRP process for VRF_SALES.
B.The 'network' command for the serial interface's subnet is missing.
C.The 'autonomous-system' number is different on the two routers.
D.The 'metric weights' command is misconfigured.
AnswerA

This command makes all interfaces passive by default, and if the serial interface is not explicitly set to no passive, it will remain passive.

Why this answer

If an interface is marked as passive in EIGRP, it will not send or receive hello packets, preventing neighbor formation. This is a common misconfiguration.

946
MCQhard

What is the default inter-packet interval (in milliseconds) for an IP SLA UDP Jitter operation?

A.10 ms
B.20 ms
C.50 ms
D.100 ms
AnswerB

Correct. The default inter-packet interval is 20 ms.

Why this answer

The default inter-packet interval for UDP Jitter is 20 milliseconds. This is the delay between sending successive packets within a single probe.

947
MCQhard

What is the default OSPF reference bandwidth used in the metric calculation on Cisco IOS-XE?

A.100 Mbps
B.1000 Mbps
C.10 Mbps
D.10000 Mbps
AnswerA

Correct. The default reference bandwidth is 100 Mbps.

Why this answer

Cisco IOS-XE uses a default reference bandwidth of 100 Mbps for OSPF metric calculation (cost = reference bandwidth / interface bandwidth).

948
MCQhard

An engineer configures mutual redistribution between OSPF and EIGRP on a router. After configuration, routing loops occur. Which is the most likely explanation?

A.The administrative distance of the redistributed routes is not modified, causing the redistributed route to be preferred over the original.
B.The seed metric is not configured for EIGRP redistribution.
C.The OSPF process ID is mismatched.
D.The redistribute command is missing the subnets keyword.
AnswerA

Without adjusting the administrative distance (e.g., using 'distance' command on redistributed routes), the redistributed route may have a lower AD than the original, leading to a routing loop.

Why this answer

Mutual redistribution without route tagging or filtering can cause routing loops. When a route redistributed from OSPF into EIGRP is then redistributed back into OSPF, it can be preferred over the original route if the administrative distance is lower, creating a loop. This is a classic edge case that requires careful use of route tags and distribute-lists.

949
MCQmedium

A network engineer runs the following command on Router R1:

```
R1# show snmp user
User name: monitor
Engine ID: 800000090300001122334455
storage-type: nonvolatile
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: readonly

User name: admin
Engine ID: 800000090300AABBCCDDEEFF
storage-type: nonvolatile
Authentication Protocol: SHA
Privacy Protocol: AES256
Group-name: admin
```

Based on this output, which statement is correct?

A.The 'monitor' user uses deprecated authentication and privacy protocols.
B.The 'admin' user can only read MIB objects.
C.Both users use the same engine ID.
D.The 'monitor' user cannot authenticate because MD5 is not supported.
AnswerA

MD5 and DES are deprecated in favor of SHA and AES due to security vulnerabilities.

Why this answer

The output shows two SNMPv3 users. The 'monitor' user uses MD5 authentication and DES privacy, which are considered weak and deprecated. The 'admin' user uses stronger SHA authentication and AES256 privacy.

The group names indicate the SNMP access level, but the group configuration is not shown here.

950
MCQmedium

A network engineer runs the following command on Router R1:

```
R1# show ip eigrp interfaces detail GigabitEthernet0/0
IP-EIGRP interfaces for process 100
                   Xmit Queue    Mean   Pacing Time   Multicast    Pending
Interface   Peers  Un/Reliable   SRTT   Un/Reliable   Flow Timer   Routes
Gi0/0         1        0/0        10       0/10          50           0
  Hello interval: 5 sec, Hold time: 15 sec
  Split horizon is enabled
  Summary address: 10.0.0.0/8
  Next xmit serial <none>
  Un/reliable mcasts: 0/0
  Un/reliable ucasts: 0/0
  Mcast exceptions: 0
  CR packets: 0
  ACKs suppressed: 0
  Retransmissions: 0
  Retry timer: 15
  Hello packets sent: 100, received: 99
```

Based on this output, what is the purpose of the summary address configured on this interface?

A.It filters all routes in the 10.0.0.0/8 range.
B.It advertises a summary route 10.0.0.0/8 to neighbors.
C.It redistributes connected routes.
D.It disables split horizon.
AnswerB

The summary address configuration causes R1 to advertise a summary route 10.0.0.0/8 on this interface.

Why this answer

The 'Summary address: 10.0.0.0/8' line shows that a manual summary route is configured on this interface, which will be advertised to EIGRP neighbors.

951
MCQhard

A network engineer runs the following command on Router PE6:

```
PE6# show mpls forwarding-table
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
16         Pop Label  10.0.0.1/32      0             Gi0/0      10.1.1.1
17         20         10.0.0.2/32      0             Gi0/1      10.2.2.2
18         Untagged   10.0.0.3/32      0             Gi0/2      10.3.3.3
```

Based on this output, what is the problem?

A.MPLS is not enabled on interface Gi0/2.
B.The router has run out of local labels.
C.Penultimate Hop Popping is misconfigured.
D.The prefix 10.0.0.3/32 is not reachable.
AnswerA

The 'Untagged' label indicates MPLS is not enabled on the outgoing interface or the next hop is not an MPLS router.

Why this answer

The MPLS forwarding table shows three entries. The third entry for prefix 10.0.0.3/32 has 'Untagged' as the outgoing label. This means the outgoing interface for that prefix does not have MPLS enabled, or the next hop does not support MPLS.

This is a problem because MPLS packets cannot be forwarded with an untagged label.

952
MCQmedium

A network engineer is troubleshooting an IPsec site-to-site VPN that uses a GRE tunnel. The GRE tunnel is up/up, and EIGRP is forming an adjacency over it. However, traffic from the local LAN to the remote LAN is not working. The engineer pings the remote LAN IP from the local router and it succeeds. What is the most likely cause?

A.The local router does not have a route to the remote LAN subnet in its routing table.
B.The crypto map access list does not include the local LAN subnet.
C.The GRE tunnel keepalive is disabled.
D.The IPsec transform set is missing authentication.
AnswerA

Correct because the router can ping the remote LAN using its own IP, but if there is no route for the remote LAN subnet, traffic from LAN hosts will be dropped.

Why this answer

The GRE tunnel and routing protocol are working, but traffic from the LAN is failing. This indicates that the routing table on the local router does not have a route to the remote LAN subnet, or the route points to the wrong next-hop. The ping from the router succeeds because the router uses its own IP as source, which is directly connected to the tunnel.

953
MCQhard

An engineer configures OSPFv2 with a virtual link to connect a non-backbone area to area 0. The virtual link is up, but routes from the non-backbone area are not being advertised into area 0. Which is the most likely explanation?

A.The virtual link is configured only on one router.
B.The transit area is a stub area.
C.The OSPF process is configured with 'no-virtual-link' command.
D.The router IDs are not reachable via the transit area.
AnswerA

A virtual link must be configured on both endpoints to function properly.

Why this answer

A virtual link in OSPF is used to connect a non-backbone area to the backbone. However, the virtual link must be configured on both endpoints, and the transit area must have full connectivity. If the virtual link is up but routes are not being advertised, it could be because the virtual link is not stable or the routers are not acting as ABRs correctly.

Additionally, the virtual link does not automatically make the router an ABR; the router must have a direct connection to area 0 via the virtual link.

954
MCQhard

An engineer configures EIGRP named mode on a router. After a link failure, a route becomes stuck-in-active (SIA). The engineer checks the EIGRP topology and notices that the route has a feasible successor. Which is the most likely explanation?

A.The router received a query from a neighbor and must reply, but the reply is delayed because the feasible successor's route is also being queried.
B.The feasible successor is not used because the route is in passive mode, and the router must wait for the active timer to expire.
C.The named mode EIGRP does not support feasible successors, so the router must always go active.
D.The feasible successor's metric is higher than the successor's, so it is not considered as a backup.
AnswerA

Even with a feasible successor, the router must reply to queries from neighbors. If the reply is delayed (e.g., due to a unidirectional link), the local router may become SIA.

Why this answer

In EIGRP, if a route has a feasible successor, the router will immediately use it without going active. However, if the feasible successor's route is also invalidated (e.g., due to a metric change) or if the query process is triggered by a neighbor that does not have a feasible successor, the router may still go active. A common corner case is when the feasible successor is not used because the route is in a 'stuck-in-active' state due to a query from a neighbor that did not receive a reply, even though the local router has a feasible successor.

This can happen if the router receives a query from a neighbor and must reply, but the reply is delayed.

955
MCQmedium

Consider the following partial configuration:

```
ip access-list extended SECURE_ACCESS
 permit icmp any any echo
 permit icmp any any echo-reply
 permit tcp any host 192.168.1.1 eq 22
 permit tcp any host 192.168.1.1 eq 443
 deny ip any any
!
interface GigabitEthernet0/0
 ip access-group SECURE_ACCESS in
!
interface GigabitEthernet0/1
 ip access-group SECURE_ACCESS out
```

What is a potential issue with this ACL placement?

A.The ACL may block traffic that needs to pass between the two interfaces because it is applied in both directions.
B.The ACL is missing a 'permit ip any any' statement, so all traffic is denied.
C.The ACL should be applied only inbound on both interfaces.
D.The ACL permits ICMP echo and echo-reply, which could allow ping floods.
AnswerA

Traffic from Gi0/0 to Gi0/1 is filtered inbound on Gi0/0 and outbound on Gi0/1, potentially blocking non-matching traffic.

Why this answer

The ACL SECURE_ACCESS is applied inbound on GigabitEthernet0/0 and outbound on GigabitEthernet0/1. This means traffic entering G0/0 is filtered by the ACL, and traffic exiting G0/1 is also filtered by the same ACL. Since the ACL denies all IP traffic by default (via the 'deny ip any any' at the end), any packet that must traverse from G0/0 to G0/1 will be checked twice: once inbound on G0/0 and again outbound on G0/1.

If the packet matches a permit statement on the inbound check, it may still be denied on the outbound check if the source/destination or protocol does not match the permit entries from the perspective of the outbound interface. In this configuration, the ACL permits only ICMP echo/echo-reply and TCP to 192.168.1.1 on ports 22 and 443; all other traffic is denied. Therefore, legitimate traffic between the two interfaces that does not match these specific permits will be blocked, potentially disrupting connectivity.

Exam trap

Cisco often tests the concept that applying an ACL in both directions (inbound on one interface and outbound on another) can cause unintended filtering of traffic that must pass through the router, leading candidates to overlook the fact that the ACL is evaluated twice and that the permit entries may not cover all necessary flows.

How to eliminate wrong answers

Option B is wrong because the ACL already ends with 'deny ip any any', which is an explicit deny-all; adding 'permit ip any any' would defeat the purpose of the ACL by allowing all traffic, and the issue is not about missing a permit-all but about the ACL being applied in both directions causing double filtering. Option C is wrong because applying the ACL inbound on both interfaces would still filter traffic entering each interface, but it would not solve the problem of traffic being filtered twice when crossing from one interface to the other; the issue is the dual-direction application, not the direction of application. Option D is wrong because while permitting ICMP echo and echo-reply could theoretically allow ping floods, that is not the primary issue described in the question; the question asks about a potential issue with the ACL placement, and the correct answer focuses on the blocking of traffic due to bidirectional application, not the security risk of ICMP.

956
MCQhard

An enterprise uses EIGRP for IPv6 with route summarization. Router R1 has a summary route 2001:db8:1::/48 via Null0 redistributed into EIGRP. Router R2 receives this summary and has a more specific route 2001:db8:1:1::/64 learned via a different interface. R2's IPv6 uRPF is configured in strict mode on the interface facing R1. Traffic from a host behind R2 destined to 2001:db8:1:2::1 is being dropped. R2's 'ipv6 cef' output indicates that the summary route points to R1, but uRPF checks fail. What is the root cause?

A.The summary route 2001:db8:1::/48 on R1 causes R2 to have a less specific route pointing to R1, making uRPF think the source address is not reachable via the incoming interface.
B.R2's uRPF is configured in loose mode, which requires a matching route in the FIB, but the summary route is not installed.
C.EIGRP redistribution of the summary route creates a routing loop, causing uRPF to fail.
D.The host behind R2 has an incorrect source address, causing uRPF to drop all traffic.
AnswerA

uRPF strict mode requires the source address to be reachable via the same interface. The summary route points to R1, but the source is directly connected, causing a mismatch.

Why this answer

uRPF strict mode checks that the source address of incoming packets is reachable via the same interface. For traffic sourced from R2's subnet (e.g., 2001:db8:1:1::/64), the return route via the summary points to R1, but the source is directly connected. This asymmetry causes uRPF to drop the packet because the source is not reachable via the incoming interface.

957
MCQhard

A network engineer is troubleshooting a route redistribution issue between EIGRP and BGP. Router R1 runs both EIGRP and BGP, and redistributes EIGRP routes into BGP. The engineer notices that some EIGRP routes are not appearing in the BGP table on R1. The show ip bgp command does not list these prefixes. The redistribute eigrp command is configured under BGP. What is the most likely cause?

A.The redistribute eigrp command under BGP is missing the subnets keyword.
B.The EIGRP routes are not present in the IP routing table on R1.
C.BGP has a higher administrative distance than EIGRP.
D.The EIGRP process on R1 has a route filter blocking these routes.
AnswerB

Correct: BGP only redistributes routes that are in the routing table; if they are missing, redistribution fails.

Why this answer

When redistributing into BGP, by default only classful networks are redistributed unless the subnets keyword is used. Additionally, BGP does not redistribute routes that are not in the routing table. However, a common cause is that the EIGRP routes are not in the global routing table due to administrative distance or other reasons.

958
MCQhard

An engineer configures unicast Reverse Path Forwarding (uRPF) in strict mode on the ingress interface of a PE router in an MPLS L3VPN. The router is receiving VPN traffic from a customer edge (CE) router. The engineer notices that some legitimate traffic is being dropped by uRPF. The engineer verifies that the CE router has a route back to the source address in its routing table. What is the most likely explanation?

A.Asymmetric routing is causing the return path to use a different interface, violating the strict uRPF check.
B.The uRPF 'allow-default' option is not configured, so default routes are not considered.
C.The CE router is not advertising the source network to the PE via BGP.
D.The uRPF mode is set to 'loose' instead of 'strict', causing all traffic to be dropped.
AnswerA

Correct. uRPF strict mode requires that the return path uses the same interface; asymmetric routing causes legitimate traffic to be dropped.

Why this answer

uRPF strict mode checks that the source address of an incoming packet has a route in the routing table that points back to the same interface on which the packet was received. If there is asymmetric routing (i.e., the return path takes a different interface), uRPF strict mode will drop the packet. In an MPLS L3VPN, traffic from the CE to the PE may take one path, but return traffic from the PE to the CE may take a different path (e.g., due to load balancing or different routing policies).

This is a common edge case. The solution is to use uRPF loose mode or to ensure symmetric routing.

959
MCQeasy

Which syslog severity level is used for informational messages that are not errors but may be useful for monitoring?

A.Severity 5 (Notice)
B.Severity 6 (Informational)
C.Severity 7 (Debug)
D.Severity 0 (Emergency)
AnswerB

Severity 6 is 'Informational' and is used for normal but significant conditions.

Why this answer

Severity 6 is defined as 'Informational' in RFC 5424, used for non-error messages.

960
MCQhard

An MPLS network uses OSPF as the IGP. After redistributing BGP routes into OSPF, some LDP neighbors fail to establish.

Router R1 config:

router ospf 1
 redistribute bgp 65001 subnets
!
router bgp 65001
 redistribute ospf 1

R1# show mpls ldp neighbor
    Peer LDP Ident: 10.1.1.2:0, Local LDP Ident: 10.1.1.1:0
    TCP connection: 10.1.1.2.646 - 10.1.1.1.646
    State: Oper, Msg sent: 100, Msg rcvd: 80
    Downstream on demand

R2# show mpls ldp neighbor
    Peer LDP Ident: 10.1.1.1:0, Local LDP Ident: 10.1.1.2:0
    TCP connection: 10.1.1.1.646 - 10.1.1.2.646
    State: Oper, Msg sent: 80, Msg rcvd: 100

What is the root cause?

A.The redistributed BGP routes have a higher administrative distance, causing them to not be installed in the routing table, breaking LDP label binding.
B.The LDP router-id is misconfigured, causing neighbor failure.
C.The OSPF process is missing the mpls ldp autoconfig command.
D.The BGP redistribution is missing the route-map to set the metric.
AnswerA

LDP uses the routing table; if the route is not installed, LDP cannot assign a label.

Why this answer

The redistribution of BGP into OSPF may cause OSPF routes to have a high metric or be external, which LDP may not use for label binding if the route is not in the routing table as an IGP route. LDP requires the route to be in the routing table with a next-hop that is reachable via an IGP. If the redistributed routes have a higher administrative distance or are not installed, LDP may fail to assign labels.

The fix is to ensure that the IGP routes are preferred or use route-target filtering.

961
Multi-Selecthard

Which TWO statements about EEM applet actions and their behavior are correct? (Choose TWO.)

Select 2 answers
A.The 'action cli command' can execute any EXEC mode command, including 'show' commands and 'ping'.
B.The 'action syslog' command sends a syslog message with a default facility of local7 and severity of informational.
C.The 'action snmp-trap' command can send an SNMP trap without any additional configuration if the device has an SNMP community set.
D.The 'action mail' command can be used to send an email notification from an EEM applet.
E.The 'action cli command' can be used to enter global configuration mode and execute configuration commands directly.
AnswersA, B

Correct. 'action cli command' can execute any valid EXEC command.

Why this answer

'action cli command' can run any exec command. 'action syslog' sends a syslog message with facility local7 by default. 'action snmp-trap' requires an SNMP community. 'action mail' is not supported in EEM. 'action cli command' cannot run config commands directly without entering config mode.

962
MCQmedium

A network engineer is troubleshooting a scenario where a router is dropping IPv6 packets that are destined for a server on a directly connected network. The engineer checks the interface and finds that uRPF is enabled in loose mode. The router has a default route pointing to an upstream router. The source address of the packets is 2001:db8:100::1, which is not in the routing table (the router has no route to that prefix). What is the most likely cause of the packet drops?

A.The uRPF loose mode check fails because there is no route to the source address in the routing table.
B.The uRPF loose mode check fails because the source address is not reachable via the same interface.
C.The router has an ACL that blocks traffic from that source.
D.The uRPF mode should be strict mode to allow the traffic.
AnswerA

Correct because loose mode requires at least one route to the source address in the FIB; if no route exists, the packet is dropped.

Why this answer

With uRPF loose mode enabled, the router checks whether a route to the source address exists in the routing table, but it does not verify that the incoming interface matches the reverse path. Since the source address 2001:db8:100::1 is not present in the routing table, the loose mode check fails and the packets are dropped. The presence of a default route does not help because uRPF requires an exact match for the source prefix, not a default route.

Exam trap

Cisco often tests the misconception that a default route satisfies uRPF loose mode, but in reality, uRPF requires a route to the specific source prefix, not a default route.

How to eliminate wrong answers

Option B is wrong because loose mode does not check that the source address is reachable via the same interface; that behavior is specific to strict mode. Option C is wrong because the question provides no evidence of an ACL, and the described behavior is consistent with uRPF dropping packets, not an ACL. Option D is wrong because strict mode would impose an additional interface check and would also fail if there is no route to the source; the issue here is the missing route, not the mode.

963
MCQeasy

A network engineer runs the following command on Router R1:

R1# show ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
O        10.1.1.0/24 [110/20] via 192.168.1.2, 00:15:30, GigabitEthernet0/0
O        10.2.2.0/24 [110/30] via 192.168.1.2, 00:15:30, GigabitEthernet0/0

Based on this output, which statement is correct?

A.The router has a default route via OSPF.
B.The router has two OSPF routes to different subnets.
C.The OSPF neighbor is down.
D.The metric for 10.2.2.0/24 is 20.
AnswerB

Two OSPF routes are listed: 10.1.1.0/24 and 10.2.2.0/24.

Why this answer

The output shows two OSPF routes via the same next hop. The administrative distance is 110 (default for OSPF), and the metrics are 20 and 30. No problems are indicated; the routes are present and valid.

964
MCQeasy

A network engineer runs the following command on Router R1:

R1# show ip interface GigabitEthernet0/1
GigabitEthernet0/1 is up, line protocol is up
  Internet address is 10.1.1.1/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is 101
  Inbound access list is not set

Based on this output, which statement is correct?

A.ACL 101 filters traffic entering the interface.
B.ACL 101 filters traffic leaving the interface.
C.The interface has no ACL applied.
D.ACL 101 is applied in both directions.
AnswerB

The output shows 'Outgoing access list is 101', so traffic exiting is filtered.

Why this answer

The command output shows 'Outgoing access list is 101', which indicates that ACL 101 is applied to filter traffic leaving the GigabitEthernet0/1 interface. This is confirmed by the absence of an 'Inbound access list' entry, meaning no ACL is applied to incoming traffic. Therefore, ACL 101 filters traffic leaving the interface.

Exam trap

Cisco often tests the distinction between inbound and outbound ACL application by showing only one direction in the output, leading candidates to assume no ACL is applied or that it applies to both directions.

How to eliminate wrong answers

Option A is wrong because the output shows 'Inbound access list is not set', meaning ACL 101 is not applied to incoming traffic; it is applied to outgoing traffic. Option C is wrong because the output explicitly shows 'Outgoing access list is 101', indicating an ACL is applied. Option D is wrong because the output shows ACL 101 is only applied to outgoing traffic, not inbound, so it is not applied in both directions.

965
MCQmedium

A network engineer runs the following command to troubleshoot an EEM issue:

R1# show event manager policy registered
No.  Class   Type    Version  Time Created          Name
1    applet  system  1.0      Mar 1 00:00:12 2025   TRACK-INTERFACE
2    applet  system  1.0      Mar 1 00:00:15 2025   BGP-RESET
3    applet  user    1.0      Mar 1 00:02:30 2025   LOG-ERROR

What does this output indicate?

A.Three EEM applets are registered, including two system-defined and one user-defined.
B.Three EEM applets are registered, all user-defined.
C.Three EEM applets are registered, all system-defined.
D.The output shows the EEM applets that are currently executing.
AnswerA

Correct. The output shows two applets with class 'system' (TRACK-INTERFACE and BGP-RESET) and one with class 'user' (LOG-ERROR).

Why this answer

The output shows three registered EEM applets. The 'Class' column indicates whether the applet is system-defined or user-defined. 'Type' is always 'applet' for EEM applets. 'Time Created' shows when the applet was registered. The 'Name' is the applet name.

This output confirms that the applets are registered and available for execution.

966
MCQhard

A network engineer runs the following command on Router PE4:

PE4# show bgp vpnv4 unicast all summary
BGP router identifier 10.0.0.4, local AS number 65001
BGP table version is 25, main routing table version 25
5 network prefixes using 640 bytes of memory
5 path entries using 400 bytes of memory
3/3 BGP path/bestpath attribute entries using 360 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1424 total bytes of memory
BGP activity 15/10 prefixes, 20/15 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.0.0.5        4 65001    1020    1015       25    0    0 00:12:34        5
10.0.0.6        4 65002     500     495       25    0    0 00:06:20        0

Based on this output, what is the problem?

A.Neighbor 10.0.0.5 is not exchanging prefixes.
B.Neighbor 10.0.0.6 is not sending any prefixes.
C.Both neighbors are in the Idle state.
D.The BGP table is empty.
AnswerB

The 'State/PfxRcd' column shows 0 for 10.0.0.6, indicating no prefixes received.

Why this answer

The BGP summary shows two neighbors: 10.0.0.5 (AS 65001) with 5 prefixes received, and 10.0.0.6 (AS 65002) with 0 prefixes received. The neighbor 10.0.0.6 has been up for 6 minutes but has not sent any prefixes. This indicates a problem with prefix advertisement from that neighbor.

967
Multi-Selecthard

Which THREE commands can be used to verify the MPLS label assigned to a specific prefix in a VRF on a PE router? (Choose THREE.)

Select 3 answers
A.show ip bgp vpnv4 vrf CUSTOMER 10.1.1.0/24
B.show ip route vrf CUSTOMER 10.1.1.0/24
C.show mpls forwarding-table vrf CUSTOMER 10.1.1.0/24
D.show ip cef vrf CUSTOMER 10.1.1.0/24 detail
E.show mpls ldp bindings prefix 10.1.1.0/24
AnswersA, C, D

Correct. This command displays the BGP table entry for the prefix, including the MPLS label.

Why this answer

To check the MPLS label for a VRF prefix, an engineer can use 'show ip bgp vpnv4 vrf <name> <prefix>' to see the BGP label, 'show mpls forwarding-table vrf <name> <prefix>' to see the label used in forwarding, and 'show ip cef vrf <name> <prefix> detail' to see the label in the CEF entry. 'show ip route vrf' does not show MPLS labels. 'show mpls ldp bindings' shows local and remote label bindings, but not specifically for a VRF prefix without additional filtering.

968
MCQhard

A network engineer runs the following command to troubleshoot SNMP statistics:

R1# show snmp statistics
0 SNMP packets input
    0 Bad SNMP version errors
    0 Unknown community name
    0 Illegal operation for community name supplied
    0 Encoding errors
    0 Number of requested variables
    0 Number of altered variables
    0 Get-request PDUs
    0 Get-next PDUs
    0 Set-request PDUs
    0 Input queue drops
0 SNMP packets output
    0 Too big errors
    0 No such name errors
    0 Bad values errors
    0 General errors
    0 Get-response PDUs
    0 SNMP trap PDUs

What does this output indicate?

A.No SNMP traffic has been processed, which may indicate a configuration or connectivity issue.
B.SNMP is working correctly with many successful requests.
C.The router is sending many SNMP traps.
D.There are errors due to bad community names.
AnswerA

All counters at zero suggest no SNMP communication has occurred.

Why this answer

The show snmp statistics command displays SNMP packet counters. All counters are zero, indicating that no SNMP packets have been processed since the last counter reset or router reload.

969
Multi-Selecthard

Which TWO configuration steps are required to enable IPsec site-to-site VPN with IKEv2 on a Cisco router? (Choose TWO.)

Select 2 answers
A.Configure an IKEv2 keyring with the pre-shared key.
B.Configure an IKEv2 proposal specifying encryption and integrity algorithms.
C.Configure a crypto isakmp policy for phase 1.
D.Configure an IKEv2 profile and bind it to the crypto map.
E.Configure the 'crypto ipsec transform-set' command.
AnswersA, B

The keyring stores the pre-shared key used for authentication in IKEv2.

Why this answer

Option A is correct because an IKEv2 keyring stores the pre-shared key (PSK) used for authenticating the remote peer during IKEv2 SA establishment. Without a keyring, the router has no local credential to present or verify against the peer. Option B is correct because an IKEv2 proposal defines the mandatory encryption (e.g., AES-256) and integrity (e.g., SHA-256) algorithms that both peers must agree on for the IKEv2 Phase 1 (IKE SA) negotiation.

Exam trap

Cisco often tests the distinction between IKEv1 and IKEv2 commands, so the trap here is that candidates mistakenly select 'crypto isakmp policy' (IKEv1) instead of the IKEv2-specific 'crypto ikev2 proposal' and 'crypto ikev2 keyring' commands.

970
MCQmedium

An engineer is troubleshooting a network where IPv6 hosts on VLAN 20 are unable to communicate with each other. The switch is configured with IPv6 First Hop Security features including Private VLAN (PVLAN) and IPv6 Source Guard. The hosts are in the same VLAN but cannot ping each other. What is the most likely cause?

A.The switch has Private VLAN configured on VLAN 20, and the hosts are on isolated ports, which prevents direct communication.
B.IPv6 Source Guard is blocking inter-host traffic because the hosts' bindings are not in the binding table.
C.RA Guard is blocking Neighbor Advertisements between hosts.
D.DHCPv6 Guard is blocking DHCPv6 messages between hosts.
AnswerA

Correct because PVLAN isolates traffic between hosts on isolated ports within the same VLAN.

Why this answer

Private VLAN (PVLAN) isolates ports within the same VLAN, preventing communication between hosts unless they are in the same community or are promiscuous ports. If the switch has PVLAN configured, hosts on isolated ports cannot communicate directly.

971
MCQmedium

A network engineer runs the following command on Router R1:

R1# show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: VPN-MAP, local addr 10.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 10.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0

Based on this output, what is the problem?

A.The IPsec SA is not established; phase 1 is still pending.
B.The tunnel is up but no traffic is being encrypted; the crypto ACL may not match the traffic.
C.The remote peer is unreachable; the SA is in a dead state.
D.The tunnel interface is down; the SA cannot be used.
AnswerB

Zero packet counts indicate no traffic has been encapsulated; check the crypto ACL and routing.

Why this answer

The IPsec SA is present but the packet counters are all zero. This indicates that the tunnel is established but no interesting traffic is being sent through it. The likely cause is that the crypto ACL does not match the actual traffic or routing is not directing traffic into the tunnel.

972
MCQmedium

What is the default hello interval for the Label Distribution Protocol (LDP) on a Cisco IOS-XE router?

A.5 seconds
B.10 seconds
C.15 seconds
D.3 seconds
AnswerA

The default LDP hello interval is 5 seconds.

Why this answer

LDP hello messages are sent every 5 seconds by default on Cisco IOS-XE routers to discover and maintain adjacencies.

973
MCQmedium

What is the default value of the Router Advertisement (RA) interval in IPv6 First Hop Security (FHS) when using the 'ipv6 nd ra-interval' command on an IOS-XE interface?

A.100 seconds
B.200 seconds
C.600 seconds
D.300 seconds
AnswerB

Correct. The default RA interval on Cisco IOS-XE is 200 seconds.

Why this answer

The default RA interval on Cisco IOS-XE is 200 seconds, as per RFC 4861, but Cisco defaults to a lower value for faster convergence. The default is actually 600 seconds for the maximum RA interval, but the 'ipv6 nd ra-interval' command defaults to 200 seconds when not specified.

974
MCQhard

R1 and R2 are IS-IS neighbors with BFD enabled. R1#show clns is-neighbors shows R2 as 'Up'. R1#show bfd neighbors shows the session as 'Down'. R2#show bfd neighbors shows the session as 'Up' with R1. R1 has 'bfd interval 50 min_rx 50 multiplier 3' on the interface. R2 has 'bfd interval 100 min_rx 100 multiplier 3'. The link is stable. What is the root cause?

A.R1 has an ACL blocking UDP port 3784 from R2.
B.IS-IS requires 'bfd all-interfaces' to work with BFD.
C.The BFD multiplier on R1 is too low.
D.The IS-IS metric must be set to 1 for BFD.
AnswerA

BFD uses UDP port 3784; if R1 blocks incoming BFD packets, the session appears down on R1 but up on R2 because R2 receives R1's packets.

Why this answer

IS-IS BFD requires that the BFD session be established between the same IP addresses used for IS-IS. If R1's BFD session is down but R2's is up, it indicates a unidirectional issue. This can be due to an MTU mismatch where R1's BFD packets are fragmented and dropped, or a firewall blocking inbound BFD packets on R1.

Here, the most likely cause is that R1 has an ACL denying UDP port 3784 from R2.

975
Multi-Selecthard

Which THREE statements about NAT and PAT behavior in Cisco IOS are true? (Choose THREE.)

Select 3 answers
A.PAT allows multiple inside hosts to share a single public IP address by using unique source port numbers.
B.The NAT translation table for PAT includes the inside global IP and port, and the outside global IP and port.
C.The command 'ip nat inside source list 1 interface GigabitEthernet0/0 overload' enables PAT using the interface IP.
D.The 'ip nat inside source static' command automatically enables PAT when multiple inside hosts are configured.
E.The 'ip nat pool' command is required for all PAT configurations.
AnswersA, B, C

Correct. PAT multiplexes many inside addresses to one outside address by differentiating TCP/UDP ports.

Why this answer

PAT (overload) uses unique port numbers to distinguish multiple inside hosts sharing a single public IP. The NAT table stores five tuples (protocol, inside local IP:port, inside global IP:port, outside local IP:port, outside global IP:port). 'ip nat inside source list 1 interface GigabitEthernet0/0 overload' is the correct syntax for PAT with an interface. The 'ip nat inside source static' command creates a one-to-one mapping and does not use overload.

The 'ip nat pool' command defines a range of addresses, but PAT can also use a single interface IP.
