Cisco CCNP ENARSI 300-410 (300-410) — Questions 1051–1125

2152 questions total · 29 pages · All types, answers revealed

Page 15 of 29

1051
MCQ · medium

Router R4 has the following DHCPv6 configuration:

```
ipv6 dhcp pool DHCP6_POOL2
 address prefix 2001:db8:2::/64
 dns-server 2001:db8::1
!
interface GigabitEthernet0/1
 ipv6 address 2001:db8:2::1/64
 ipv6 dhcp server DHCP6_POOL2
 ipv6 nd managed-config-flag
 no shutdown
```

What is the effect of this configuration?

A. Hosts will use DHCPv6 to obtain both their IPv6 address and other configuration parameters like DNS.
B. Hosts will use SLAAC for addressing and DHCPv6 for DNS only.
C. The DHCPv6 pool is missing a domain-name, so it will not provide any configuration.
D. The ipv6 nd managed-config-flag command is incompatible with the DHCPv6 server and will cause an error.
Answer: A

The managed-config-flag indicates stateful DHCPv6, and the pool provides an address prefix, so hosts get addresses and other info from DHCPv6.

Why this answer

The configuration uses the `ipv6 nd managed-config-flag` command, which sets the Managed Address Configuration flag (M flag) in Router Advertisement (RA) messages. When the M flag is set to 1, hosts are instructed to use DHCPv6 (stateful DHCPv6) to obtain their IPv6 addresses, not SLAAC. Additionally, the DHCPv6 pool provides DNS server information, so hosts will use DHCPv6 for both addressing and other configuration parameters like DNS.

This matches option A.

Exam trap

Cisco often tests the distinction between the M flag (managed-config-flag) and the O flag (other-config-flag), where candidates mistakenly think the M flag only affects DNS or that SLAAC is still used for addressing when the M flag is set.

How to eliminate wrong answers

Option B is wrong because the `ipv6 nd managed-config-flag` sets the M flag to 1, which tells hosts to use DHCPv6 for addressing, not SLAAC; SLAAC is used when the M flag is 0 and the O flag (Other Configuration flag) may be set for DHCPv6-only DNS. Option C is wrong because a DHCPv6 pool does not require a domain-name to function; it can provide an address prefix and DNS server without a domain name, and the configuration will still work. Option D is wrong because the `ipv6 nd managed-config-flag` command is fully compatible with the DHCPv6 server configuration; it is designed to work together to signal hosts to use stateful DHCPv6.

1052
MCQ · hard

An EIGRP network with routers R1, R2, and R3 is experiencing frequent Stuck-in-Active (SIA) events for the prefix 172.16.1.0/24. R1 is the successor, R2 is the feasible successor. R3 is a query originator. 'show ip eigrp topology 172.16.1.0/24' on R1 shows the route in active state. 'show ip eigrp interfaces' on R2 shows the link to R3 is up but with high packet loss. What is the root cause?

A. High packet loss on the link between R2 and R3 causes EIGRP queries or replies to be dropped, leading to SIA.
B. R3 has a route summarization that causes the query to be sent to the Null0 interface.
C. The EIGRP active timer is set too low on R1, causing premature SIA.
D. R2 has a distribute-list that filters the prefix, preventing the reply from being sent.
Answer: A

EIGRP relies on reliable transport; packet loss can cause queries to remain unanswered, triggering SIA after the active timer expires.

Why this answer

The SIA condition occurs when a query is sent to neighbors and the reply is not received within the active timer. High packet loss on the link between R2 and R3 causes queries or replies to be lost, leading to the route staying active. The root cause is the unreliable link causing query/reply loss.

The fix is to improve the link reliability or adjust EIGRP timers.

1053
MCQ · hard

A network engineer runs the following command to troubleshoot a Policy-Based Routing (PBR) issue:

```
R1# debug ip policy
Policy routing debugging is on
R1#
*Mar 1 00:05:23.123: IP: s=192.168.1.10 (FastEthernet0/0), d=10.1.1.100, len 100, policy match
*Mar 1 00:05:23.123: IP: s=192.168.1.10 (FastEthernet0/0), d=10.1.1.100, len 100, policy rejected
```

What does this output indicate?

A. The packet matched the route-map but was not forwarded due to a failed next-hop check.
B. The packet was successfully policy-routed to the next-hop.
C. The route-map does not have a match clause for this packet.
D. The packet was dropped due to an ACL deny.
Answer: A

'policy rejected' indicates the packet matched but the set action could not be applied, often due to next-hop unreachability.

Why this answer

The debug output shows a packet from 192.168.1.10 to 10.1.1.100 that matches the policy but is then rejected. This typically occurs when the set clause specifies a next-hop that is unreachable or when verify-availability fails.

1054
MCQ · medium

A network engineer runs the following command to verify IPv6 uRPF drops:

```
R1# show ipv6 traffic | include verify
0 verify source drops, 0 verify source suppressed drops
```

What does this output indicate?

A. No IPv6 packets have been dropped by uRPF checks.
B. uRPF is not configured on any interface.
C. uRPF is dropping all packets.
D. The router is not processing IPv6 traffic.
Answer: A

Correct. Zero drops indicate that all packets passed uRPF verification.

Why this answer

The output shows counters for uRPF drops. Both counters are zero, indicating no packets have been dropped due to uRPF verification.

1055
MCQ · hard

A network engineer is troubleshooting PBR on a Cisco router where traffic from source 10.1.2.0/24 should be forwarded to next-hop 192.168.1.2. The route map 'PBR-TEST' is configured with 'match ip address 101' and 'set ip next-hop 192.168.1.2'. The engineer applies the route map to interface GigabitEthernet0/0. The engineer notices that PBR works for most traffic, but traffic from a specific host (10.1.2.100) is not being policy-routed. The engineer checks the ACL 101 and confirms it includes 10.1.2.0/24. What is the most likely cause?

A. The router is using CEF switching, and PBR is not applied to CEF-switched traffic without the 'ip route-cache policy' command.
B. The host 10.1.2.100 is sending traffic with a different source IP than expected.
C. The 'set ip next-hop' command requires the next-hop to be directly connected, and 192.168.1.2 is not reachable.
D. The route map is missing a 'sequence 10' statement; PBR requires explicit sequence numbers.
Answer: A

Correct because by default, PBR only affects process-switched packets; CEF-switched packets ignore PBR unless 'ip route-cache policy' is enabled.

Why this answer

If PBR is working for most traffic but not for a specific host, it could be due to the route map being applied to a subinterface while the host traffic arrives on a different subinterface, or the host traffic is being fast-switched and bypassing PBR. However, a common cause is that the host's traffic is being processed by CEF and the 'ip policy route-map' command does not affect CEF-switched packets unless 'ip route-cache policy' is enabled. In modern IOS, PBR by default only applies to process-switched packets unless 'ip route-cache policy' is configured.

1056
MCQ · medium

Which statement correctly describes the behavior of the 'logging synchronous' command on a Cisco IOS device?

A. It disables all syslog messages on the console line.
B. It causes syslog messages to be displayed only after a carriage return.
C. It changes the severity level of messages sent to the console.
D. It enables logging to a synchronous serial interface.
Answer: B

Syslog messages are held until the user presses Enter, preventing interruption.

Why this answer

The 'logging synchronous' command prevents syslog messages from interrupting console command output by buffering them until the user finishes typing.

1057
MCQ · hard

An enterprise uses IP SLA to track a route to a remote site via two ISPs. Router R1 has:

```
ip sla 3
 icmp-echo 8.8.8.8 source-ip 10.0.0.1
 frequency 10
ip sla schedule 3 life forever start-time now
track 3 ip sla 3 reachability
ip route 10.10.10.0 255.255.255.0 10.0.0.2 track 3
ip route 10.10.10.0 255.255.255.0 10.0.1.2 10
```

When the primary ISP fails, the backup route is used, but traffic to 10.10.10.0/24 is intermittently lost. Show output on R1:

```
show ip route 10.10.10.0
Routing entry for 10.10.10.0/24
  Known via "static", distance 1, metric 0
  Last update from 10.0.0.2 on GigabitEthernet0/0
  * 10.0.1.2, via GigabitEthernet0/1
```

What is the root cause?

A. The IP SLA probe to 8.8.8.8 is successful via the backup path, so the track remains up, but the primary next-hop 10.0.0.2 is down, causing traffic to be sent to a dead next-hop.
B. The backup route has a higher administrative distance, so it is not installed until the primary route is removed, but the track is not removing the primary route.
C. The IP SLA frequency is too low, causing a delay in track state change.
D. The track should be configured with 'ip sla 3 state' instead of 'reachability' to monitor the next-hop.
Answer: A

The track monitors reachability to 8.8.8.8, not the next-hop. If the backup path can reach 8.8.8.8, the track stays up, and the primary route remains installed even though the next-hop is unreachable.

Why this answer

The tracked route is still present in the routing table even though the track is down. This happens because the track is only removed if the track state is 'down', but the show output shows the route is still there. The likely cause is that the track is not properly associated with the route, or the route has a higher administrative distance that is not being overridden.

However, the correct answer is that the track 3 is configured with 'reachability' but the IP SLA probe may be successful due to a different path, so the track remains up, but the primary next-hop is actually unreachable, causing packet loss.

1058
MCQ · medium

Examine this OSPF configuration on router R5:

```
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
 passive-interface default
 no passive-interface GigabitEthernet0/0
```

What is the effect of the passive-interface default command?

A. All interfaces except GigabitEthernet0/0 will be passive; GigabitEthernet0/0 will send and receive OSPF hellos.
B. All interfaces are passive, including GigabitEthernet0/0, because the no passive-interface command is ignored.
C. Only interfaces with network statements will be affected; other interfaces remain active.
D. The configuration is invalid because passive-interface default cannot be used with OSPF.
Answer: A

Correct. The default passive is overridden for GigabitEthernet0/0.

Why this answer

The passive-interface default command sets all interfaces as passive by default, meaning they will not send OSPF hello packets or form adjacencies. The no passive-interface command then overrides this for the specified interface, allowing it to form adjacencies.

1059
MCQ · medium

A network engineer runs the following command on Router R1:

```
R1# show ip access-lists
Extended IP access list 180
    10 permit tcp 192.168.1.0 0.0.0.255 any eq 80 (50 matches)
    20 permit tcp 192.168.2.0 0.0.0.255 any eq 443 (30 matches)
    30 deny ip any any (5 matches)
```

Based on this output, what is the problem?

A. Traffic from 192.168.1.0/24 to port 80 is permitted.
B. Traffic from 192.168.2.0/24 to port 443 is denied.
C. All traffic from 192.168.1.0/24 is permitted.
D. The ACL is correctly configured to allow only specific web traffic.
Answer: A

Line 10 permits that traffic with 50 matches.

Why this answer

Option A is correct because the ACL explicitly permits TCP traffic from the 192.168.1.0/24 network to any destination on port 80, as shown by the first entry with 50 matches. The output confirms that this traffic is being allowed, so there is no problem with that specific rule.

Exam trap

Cisco often tests the ability to interpret ACL match counters and recognize that a working ACL with expected matches does not indicate a problem, leading candidates to incorrectly assume a misconfiguration when none exists.

How to eliminate wrong answers

Option B is wrong because the ACL permits TCP traffic from 192.168.2.0/24 to any destination on port 443, as shown by the second entry with 30 matches, so it is not denied. Option C is wrong because the ACL does not permit all traffic from 192.168.1.0/24; it only permits TCP traffic to port 80, and any other traffic from that subnet would be denied by the implicit deny all at the end of the ACL (or the explicit deny ip any any entry). Option D is wrong because the ACL is not correctly configured to allow only specific web traffic; it permits HTTP (port 80) and HTTPS (port 443) but also includes an explicit deny ip any any, which is redundant and does not cause a problem, but the question asks for the problem, and there is no problem with the configuration as shown—the ACL is functioning as designed.

1060
MCQ · hard

A network engineer runs the following command to debug NAT with route maps:

```
R1# debug ip nat policy
NAT: policy: match ip address 100
NAT: policy: match ip address 100
NAT: policy: match ip address 100
NAT: policy: route-map RM-NAT permit 10 match ip address 100 set ip next-hop 10.0.0.1
```

What does this output indicate?

A. NAT is using a route map to redirect traffic for translation.
B. The route map is blocking all traffic.
C. NAT is not configured.
D. The route map is used for routing, not NAT.
Answer: A

Policy NAT uses route maps to match and redirect traffic.

Why this answer

The debug shows that a route map is being used for NAT policy-based routing. The 'set ip next-hop' indicates traffic is being redirected, possibly for NAT purposes.

1061
MCQ · hard

A network engineer is troubleshooting an MPLS L3VPN where CE1 (10.1.1.0/24) cannot reach CE2 (10.2.2.0/24). The PE routers are using eBGP with the CEs. On PE1, the show ip bgp vpnv4 vrf CUSTOMER command shows the route for 10.2.2.0/24 with a next-hop of 192.168.1.2, and the show ip route vrf CUSTOMER command shows the route. However, traffic from CE1 to CE2 fails. The show ip cef vrf CUSTOMER 10.2.2.0 command on PE1 shows the next-hop as 192.168.1.2 and the output interface as GigabitEthernet0/0. The show mpls forwarding-table 192.168.1.2 detail command on PE1 shows a label but the outgoing interface is 'aggregate'. What is the most likely cause?

A. The PE2 loopback address is accidentally configured on PE1.
B. LDP is not enabled on the core-facing interfaces.
C. The VRF route-target import is misconfigured.
D. The MP-BGP session is using the wrong update-source.
Answer: A

Correct: If PE1 has the same loopback IP, it will treat itself as the egress for that prefix, causing 'aggregate' in the LFIB.

Why this answer

The label for the BGP next-hop is pointing to 'aggregate', which means the router is the egress LSR for that prefix. This occurs when the PE2 loopback is also configured on PE1, causing the router to think it is the destination. The traffic is then dropped or looped because the router tries to process the packet locally instead of forwarding it.

1062
MCQ · medium

A network engineer runs the following command on Router R1:

```
R1# show mpls ldp neighbor
    Peer LDP Ident: 192.168.1.2:0, Local LDP Ident: 192.168.0.1:0
        TCP connection: 192.168.1.2.646 - 192.168.0.1.49876
        State: Oper; Msgs sent/rcvd: 100/105; Downstream on demand
        Up time: 00:10:30
        LDP discovery sources:
          GigabitEthernet0/0, Src IP addr: 192.168.1.2
        Addresses bound to peer LDP Ident:
          192.168.1.2     10.1.1.2
```

Based on this output, what is the state of the LDP session?

A. The LDP session is down due to a TCP connection issue.
B. The LDP session is operational and exchanging label information.
C. The LDP session is in the process of being established.
D. The LDP session is using downstream on demand mode, which is a problem.
Answer: B

State Oper indicates the session is up and running.

Why this answer

The output shows the LDP session state as 'Oper' (Operational), with messages exchanged and an uptime. This indicates the session is established and functioning correctly.

1063
MCQ · medium

Which loop prevention mechanism is inherent to 6to4 tunneling?

A. Split horizon
B. Reverse path forwarding (RPF) check
C. Embedded IPv4 address validation
D. TTL decrement
Answer: C

6to4 validates that the source IPv6 address's embedded IPv4 matches the tunnel source to prevent spoofing and loops.

Why this answer

6to4 tunneling uses an embedded IPv4 address in the IPv6 prefix (2002::/16) to automatically derive the tunnel destination. This inherent validation prevents routing loops by ensuring that a 6to4 router only accepts packets whose source IPv4 address matches the embedded address in the IPv6 source prefix, rejecting mismatched or spoofed traffic that could cause loops.

Exam trap

Cisco often tests the distinction between generic loop prevention mechanisms (like TTL or split horizon) and the specific, inherent validation unique to 6to4 tunneling, leading candidates to overlook the embedded IPv4 address check.

How to eliminate wrong answers

Option A is wrong because split horizon is a mechanism used in distance-vector routing protocols (e.g., RIP, EIGRP) to prevent routing loops by not advertising routes back out the interface they were learned on; it is not inherent to 6to4 tunneling. Option B is wrong because reverse path forwarding (RPF) check is used in multicast routing and unicast reverse path forwarding (uRPF) for anti-spoofing, but it is not a built-in loop prevention mechanism specific to 6to4 tunnels. Option D is wrong because TTL decrement is a standard IP mechanism to prevent packets from looping indefinitely by limiting their hop count, but it is not unique or inherent to 6to4 tunneling; it applies to all IP packets.

1064
MCQ · hard

A network engineer runs the following command to troubleshoot a VRF-Lite CoPP issue:

```
R1# show policy-map control-plane input class CoPP-ACL vrf CUSTOMER_I
```

Output:

```
Class-map: CoPP-ACL (match-all)
  0 packets, 0 bytes
  5 minute offered rate 0 bps, drop rate 0 bps
  Match: access-group 100
  police:
      cir 8000 bps, bc 1500 bytes, be 1500 bytes
    conformed 0 packets, 0 bytes; actions:
      transmit
    exceeded 0 packets, 0 bytes; actions:
      drop
    violated 0 packets, 0 bytes; actions:
      drop
```

What does this output indicate?

A. The CoPP policy is dropping all packets that match access-group 100.
B. The CoPP policy is rate-limiting traffic to 8000 bps, but no traffic has matched the class yet.
C. The CoPP policy has matched many packets and is dropping them due to exceeding the rate.
D. The CoPP policy is not applied to the control plane for this VRF.
Answer: B

Correct. The police rate is 8000 bps, but all counters are zero, so no matching traffic has been seen.

Why this answer

The 'show policy-map control-plane input class vrf' command displays CoPP policy statistics for a specific VRF. The output shows class CoPP-ACL matching access-group 100, with a police rate of 8000 bps. All counters are zero, indicating no traffic has matched this class.

This could mean the ACL is not matching any packets, or no traffic is being sent to the control plane for this VRF.

1065
MCQ · easy

A network engineer runs the following command to troubleshoot an Administrative Distance issue:

```
R1# show ip route 172.16.0.0 255.255.0.0
Routing entry for 172.16.0.0/16
  Known via "ospf 1", distance 110, metric 20, type intra area
  Last update from 10.1.1.2 on GigabitEthernet0/0, 00:00:05 ago
  Routing Descriptor Blocks:
  * 10.1.1.2, from 2.2.2.2, 00:00:05 ago, via GigabitEthernet0/0
      Route metric is 20, traffic share count is 1
```

What does this output indicate?

A. The route is an OSPF intra-area route with administrative distance 110, which is the default for OSPF.
B. The route is an OSPF external route with administrative distance 110.
C. The route has an administrative distance of 20 because it is an OSPF route.
D. The route is preferred over an EIGRP route with AD 90.
Answer: A

OSPF routes have a default AD of 110.

Why this answer

The output shows an OSPF intra-area route with administrative distance 110, which is the default for OSPF. The metric is 20, and the route is learned from neighbor 2.2.2.2.

1066
MCQ · easy

In a standard IPv4 ACL, what is the range of valid numbers for the access-list number?

A. 1-99 and 1300-1999
B. 100-199 and 2000-2699
C. 1-99 only
D. 1-199
Answer: A

Correct. These are the standard ACL number ranges.

Why this answer

Standard IPv4 ACLs use access-list numbers 1-99 and 1300-1999 to filter traffic based solely on source IP address. The expanded range 1300-1999 was introduced to provide additional standard ACL identifiers beyond the original 1-99, allowing more granular control without overlapping with extended ACL ranges.

Exam trap

Cisco often tests the expanded standard ACL range (1300-1999) to catch candidates who only memorize the original 1-99 range, assuming standard ACLs are limited to that smaller set.

How to eliminate wrong answers

Option B is wrong because 100-199 and 2000-2699 are the valid ranges for extended IPv4 ACLs, not standard ACLs. Option C is wrong because it omits the expanded standard ACL range 1300-1999, which is also valid per Cisco IOS. Option D is wrong because 100-199 is reserved for extended ACLs, and standard ACLs do not include numbers 100-199.

1067
MCQ · medium

A network engineer runs the following command on Router R1:

```
R1# show logging
Syslog logging: enabled (0 messages dropped, 3 messages rate-limited, 0 flushes, 0 overruns, xml disabled, small buffer)
    Console logging: level debugging, 37 messages logged, xml disabled, filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled
    Buffer logging: level informational, 5 messages logged, xml disabled, filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled
No active filter modules.
    Trap logging: level informational, 0 message lines logged
        Logging to 192.168.1.100 (udp port 514, audit disabled, link up), 0 message lines logged, xml disabled, filtering disabled
        Logging Source Interface: Loopback0
Log Buffer (4096 bytes):
*Mar 1 00:01:23.456: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
*Mar 1 00:02:34.567: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
```

Based on this output, which statement is correct?

A. The syslog server at 192.168.1.100 is receiving messages because the link is up.
B. Buffer logging is set to debugging level, so all debug messages are stored in the buffer.
C. Console logging is set to debugging level, meaning all debug messages will appear on the console.
D. The logging buffer size is 4096 bytes, which is sufficient to store all messages without overwriting.
Answer: C

The output explicitly shows 'Console logging: level debugging', so all messages at debugging level and below will be displayed on the console.

Why this answer

The output shows that buffer logging is set to level informational, but the buffer only contains 4096 bytes and has logged only 5 messages. The trap logging (syslog server) is set to informational but has logged 0 messages, and the server 192.168.1.100 is reachable (link up). The key issue is that the syslog server is not receiving messages despite being configured correctly, likely due to the source interface being Loopback0 which may not have a route to the server or the server is not processing the messages.

However, the question asks for a correct statement based on the output. The correct answer is that console logging is set to debugging, which is the most detailed level, and this is confirmed by the output showing 'level debugging' for console logging.

1068
Multi-Select · medium

Which TWO configuration steps are required to successfully redistribute OSPF routes into EIGRP on a Cisco router? (Choose TWO.)

Select 2 answers
A. Enter EIGRP router configuration mode using the 'router eigrp <as-number>' command.
B. Configure a route-map under OSPF to match OSPF routes for redistribution.
C. Use the 'redistribute eigrp <as-number>' command under OSPF router configuration mode.
D. Set a seed metric for EIGRP using the 'default-metric' command or specify metric in the redistribute command.
E. Issue the 'default-information originate' command under OSPF to advertise redistributed routes.
Answers: A, D

Correct: You must be in EIGRP configuration mode to issue the redistribute command.

Why this answer

To redistribute OSPF into EIGRP, you must enter EIGRP configuration mode and use the redistribute command. Additionally, you must set a seed metric for EIGRP because EIGRP does not have a default metric for redistributed routes. Option A is correct because you need to enter EIGRP router configuration.

Option D is correct because you must set a metric (e.g., bandwidth, delay) for the redistributed routes. Option B is incorrect because you do not need to explicitly match routes in OSPF; you can redistribute all OSPF routes. Option C is incorrect because the redistribute command is under EIGRP, not OSPF.

Option E is incorrect because the default-information originate command is for OSPF to inject a default route, not for redistribution.

1069
MCQ · hard

A network engineer runs the following command on Router R1:

```
R1# show policy-map control-plane
 Control Plane
  Service-policy input: CoPP
    class-map: MANAGEMENT (match-all)
      100 packets, 5000 bytes
      5 minute offered rate 0 bps
      police:
        8000 bps, 1500 limit, 1500 extended limit
        conformed 95 packets, 4750 bytes; action: transmit
        exceeded 5 packets, 250 bytes; action: drop
        conformed 0 bps, exceed 0 bps
    class-map: ROUTING (match-all)
      200 packets, 10000 bytes
      5 minute offered rate 0 bps
      police:
        16000 bps, 3000 limit, 3000 extended limit
        conformed 200 packets, 10000 bytes; action: transmit
        exceeded 0 packets, 0 bytes; action: drop
        conformed 0 bps, exceed 0 bps
```

Based on this output, what is happening to traffic matching the MANAGEMENT class?

A. All management traffic is being transmitted without any drops.
B. Some management traffic is being dropped because it exceeds the configured police rate.
C. The management traffic is being rate-limited but no packets are dropped.
D. The police rate is too high, causing all traffic to be dropped.
Answer: B

The exceeded counter shows 5 packets dropped.

Why this answer

The output shows that for the MANAGEMENT class, 100 packets were offered, 95 conformed and were transmitted, but 5 exceeded the police rate and were dropped. This indicates some management traffic is being dropped due to policing.

1070
MCQ · medium

Which of the following is true regarding the default behavior of NAT in Cisco IOS when handling ICMP traffic?

A. ICMP traffic is not translated by NAT unless explicitly configured.
B. ICMP NAT entries use the same timeout as TCP entries by default.
C. ICMP NAT entries timeout after 60 seconds by default.
D. ICMP NAT entries are permanent and do not time out.
Answer: C

Correct. The default timeout for ICMP NAT entries is 60 seconds in Cisco IOS.

Why this answer

Cisco IOS NAT translates ICMP traffic by default. ICMP query types (such as echo request/reply) are translated using the ICMP identifier field as a pseudo-port, and the default timeout for ICMP NAT entries is 60 seconds.

1071
MCQ · medium

A network engineer is troubleshooting an IPv6 connectivity issue between two sites connected via a 6to4 tunnel. The tunnel is configured on both routers and shows as up/up, but the engineer cannot ping the IPv6 address of the remote tunnel endpoint. The engineer checks the routing table and sees no route to the remote IPv6 prefix. What is the most likely cause of this problem?

A. The tunnel source interface is configured with a private IPv4 address, causing the 6to4 prefix to be invalid.
B. The tunnel mode is incorrectly set to ipv6ip instead of 6to4.
C. The tunnel destination is misconfigured with the remote router's IPv6 address instead of its IPv4 address.
D. The IPv6 address on the tunnel interface is not in the 2002::/16 range.
Answer: A

Correct because 6to4 requires a global IPv4 address to form a valid 2002::/16 prefix. A private address leads to an invalid 6to4 address, preventing proper routing.

Why this answer

For a 6to4 tunnel, the IPv6 address on the tunnel interface must be derived from the tunnel source's public IPv4 address using the 2002:IPv4-address::/48 prefix format. If the tunnel source interface has a private IPv4 address (e.g., 10.0.0.1), the resulting 6to4 prefix (2002:0a00:0001::/48) is non-routable over the public Internet because private addresses are not globally unique. This causes the remote router to have no route to the invalid prefix, breaking connectivity even though the tunnel interface is up/up.

Exam trap

Cisco often tests the misconception that a 6to4 tunnel only requires the tunnel to be up/up, but the real issue is the routability of the derived 2002::/48 prefix when the source IPv4 address is private.

How to eliminate wrong answers

Option B is wrong because setting the tunnel mode to 'ipv6ip' creates a manually configured IPv6-over-IPv4 tunnel, which requires explicit IPv4 destination and static routes, but the question describes a 6to4 tunnel that uses automatic address derivation; the mode mismatch would not cause a missing route to the remote IPv6 prefix in the same way. Option C is wrong because the tunnel destination in a 6to4 tunnel is not configured at all (it is derived from the destination IPv6 address), so misconfiguring it with the remote router's IPv6 address would be syntactically incorrect or ignored, but the core issue is the invalid source address, not the destination. Option D is wrong because while 6to4 addresses must be in the 2002::/16 range, the problem states the engineer cannot ping the remote tunnel endpoint and sees no route to the remote IPv6 prefix; if the local IPv6 address were outside 2002::/16, the tunnel might still be up but the remote router would not have a route back, but the most likely cause given the missing route is the private source address making the prefix non-routable.

1072
MCQ · medium

A network engineer runs the following command on Router R1:

```
R1# show ipv6 ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.1.2          1   FULL/BDR        00:00:35    FE80::2         GigabitEthernet0/0
10.1.1.3          1   FULL/DR         00:00:32    FE80::3         GigabitEthernet0/1
```

Based on this output, which statement is correct regarding OSPFv3?

A. Router R1 is the DR on the segment connected to GigabitEthernet0/0.
B. Router R1 has a full adjacency with both neighbors in OSPFv3.
C. The OSPFv3 process is using IPv4 addresses as router IDs.
D. Router R1 is not receiving hello packets from 10.1.1.3.
Answer: B

Both neighbors show FULL state, indicating complete adjacency in OSPFv3.

Why this answer

The output shows OSPFv3 neighbors. The neighbor 10.1.1.2 is in state FULL/BDR, meaning it is the Backup Designated Router. The neighbor 10.1.1.3 is in state FULL/DR, meaning it is the Designated Router.

The addresses are link-local IPv6 addresses.

1073
Multi-Select · hard

Which TWO statements about Flexible NetFlow flow monitors and flow exporters are true? (Choose TWO.)

Select 2 answers
A. A flow monitor can reference only one flow record, but multiple flow monitors can reference the same flow record.
B. A flow exporter can be referenced by only one flow monitor to avoid export conflicts.
C. The default export format for Flexible NetFlow is NetFlow version 5.
D. The flow monitor is applied to an interface using the 'ip flow-export' command.
E. A flow exporter can be referenced by multiple flow monitors simultaneously.
Answers: A, E

Correct. Each flow monitor is configured with a single flow record, but that record can be reused in multiple monitors.

Why this answer

Flexible NetFlow separates flow monitoring into three components: flow record (defines what to collect), flow monitor (applies the record and associates an exporter), and flow exporter (defines export parameters). A flow monitor can reference only one flow record, but multiple flow monitors can reference the same flow record. A flow exporter can be shared by multiple flow monitors.

The default export format is NetFlow version 9, not v5. The flow monitor is applied to an interface using the 'ip flow monitor' command, not 'ip flow-export'.

1074
Multi-Select · hard

An engineer is troubleshooting an issue where an SNMPv2c NMS cannot poll interface counters on a Cisco router. Which THREE commands can be used to verify the SNMP configuration and connectivity? (Choose THREE.)

Select 3 answers
A. show snmp
B. show snmp mib ifmib ifindex
C. show ip snmp
D. show snmp community
E. debug snmp packet
Answers: A, B, D

This command displays SNMP configuration, including community strings, trap receivers, and packet statistics.

Why this answer

To verify SNMP configuration, 'show snmp' displays community strings, trap receivers, and statistics. 'show snmp mib ifmib ifindex' shows interface indices used by SNMP. 'show snmp community' displays configured community strings and their access (RO/RW). 'show ip snmp' is not a valid command. 'debug snmp packet' shows SNMP packets in real time but is not a verification command; it is a troubleshooting tool that can impact performance.

1075
MCQ · hard

A network engineer configures Control Plane Policing (CoPP) on a DMVPN hub router to protect the control plane. The policy includes a class-map matching NHRP traffic and a police rate of 1000 pps. Unexpectedly, after applying the policy, NHRP registrations from spokes fail intermittently, and debug shows packets being dropped by CoPP. Which is the most likely explanation?

A. The CoPP policy's class-default has a lower police rate or is set to drop, and NHRP traffic is not explicitly matched in a higher class, causing it to fall into class-default and be dropped.
B. The police rate of 1000 pps is too high for the hub's CPU, causing the router to drop packets due to CPU overload.
C. The CoPP policy is applied to the wrong interface; it should be applied to the tunnel interface, not the physical interface.
D. The NHRP packets are being classified as 'critical' traffic, and the CoPP policy has a lower priority for critical traffic.
Answer: A

If NHRP traffic is not classified in a specific class, it matches class-default, which may have a restrictive policy, leading to drops.

Why this answer

CoPP rate-limits control plane traffic. If the police rate is set in packets per second (pps), but the actual NHRP registration traffic is bursty (e.g., multiple spokes registering simultaneously), the policer may drop packets. The corner case is that the default CoPP class-default may also match NHRP traffic if not explicitly classified, and the class-default may have a lower rate or be set to drop.

Additionally, CoPP uses a token bucket; if the rate is too low or the burst size is insufficient, packets are dropped. The engineer should ensure that NHRP traffic is matched in a dedicated class with appropriate rate and burst.

1076
MCQ · medium

Examine the following configuration on a PE router:

```
ip vrf CUSTOMER-E
 rd 400:1
 route-target export 400:1
 route-target import 400:2
!
interface GigabitEthernet0/5
 ip vrf forwarding CUSTOMER-E
 ip address 10.4.4.1 255.255.255.252
!
router bgp 65000
 neighbor 10.0.0.1 remote-as 65000
 neighbor 10.0.0.1 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.1 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CUSTOMER-E
  neighbor 10.4.4.2 remote-as 65003
  neighbor 10.4.4.2 activate
  neighbor 10.4.4.2 route-map SET-COMMUNITY in
 exit-address-family
!
route-map SET-COMMUNITY permit 10
 set community 100:100
```

What is the effect of the route-map on the incoming routes from the CE?

A. The route-map will set the standard community 100:100 on the routes received from the CE, but the RT is still determined by the route-target export command.
B. The route-map will override the route-target export and set the RT to 100:100.
C. The route-map will cause the BGP session to reset because the community format is incorrect.
D. The route-map will have no effect because the community is not sent to the CE.
Answer: A

The route-map modifies the standard community, which is a different attribute. The RT is set by the VRF configuration and is not affected by this route-map.

Why this answer

The route-map is applied inbound on the eBGP session from the CE. It sets a standard community on the routes. However, for MPLS L3VPN, the extended community (route-target) is what matters for VRF import/export.

The standard community set here does not affect the RT. The route-map will modify the standard community attribute, but the RT is still set by the route-target export command. The route-map does not interfere with the VPNv4 process.

1077
MCQ · hard

An engineer configures ERSPAN on a Cisco router to monitor traffic from a tunnel interface. The mirrored traffic shows the tunnel's inner IP headers, but the outer encapsulation is missing. What is the most likely cause?

A. ERSPAN on a tunnel interface captures the inner IP packet, not the encapsulated GRE/IPsec packet.
B. The ERSPAN session is configured with 'erspan-type' that strips the outer header.
C. The collector is not configured to decode GRE headers.
D. The tunnel interface is in a VRF, causing the outer header to be removed.
Answer: A

The tunnel interface processes the inner packet; the outer encapsulation is added later on the physical interface.

Why this answer

When monitoring a tunnel interface with ERSPAN, the router captures the traffic at the point where it enters the tunnel (before encapsulation) or exits (after decapsulation). To capture the encapsulated packets, the source must be the physical egress interface, not the tunnel interface. By default, ERSPAN on a tunnel interface shows the inner packet.

1078
MCQ · medium

What is the default SNMP trap queue length on Cisco IOS?

A. 10
B. 100
C. Unlimited
D. 5
Answer: A

The default queue length is 10.

Why this answer

The default trap queue length is 10 messages. If the queue is full, new traps may be dropped. This can be adjusted with the 'snmp-server queue-length' command.

1079
Multi-Select · hard

Which THREE commands are used to troubleshoot a SPAN session on a Cisco Catalyst switch? (Choose THREE.)

Select 3 answers
A. show monitor session 1
B. show monitor
C. debug monitor
D. show running-config | include monitor
E. show ip interface brief
Answers: A, B, C

Displays the operational status and configuration of a specific SPAN session.

Why this answer

'show monitor session 1' provides details of the session. 'show monitor' lists all sessions. 'debug monitor' enables debugging for SPAN operations. 'show running-config | include monitor' shows the configuration but is not a direct troubleshooting command for operational issues. 'show ip interface brief' shows IP status, not SPAN.

1080
MCQ · medium

Consider the following configuration:

```
ipv6 access-list FILTER
 permit ipv6 2001:db8:3::/48 any
 deny ipv6 any any
interface GigabitEthernet0/5
 ipv6 traffic-filter FILTER in
 ipv6 verify unicast source reachable-via rx
```

A packet arrives on GigabitEthernet0/5 with source 2001:db8:3::100 and destination 2001:db8:4::1. The route for 2001:db8:3::/48 points out interface GigabitEthernet0/6. What happens?

A. The packet is permitted because the ACL matches and uRPF is not applied.
B. The packet is dropped by uRPF because strict mode requires the source to be reachable via the receiving interface.
C. The packet is dropped by the ACL because the deny statement blocks all traffic.
D. The packet is permitted because uRPF only checks destination addresses.
Answer: B

Strict uRPF (rx) fails because the return route uses a different interface.

Why this answer

The ACL permits the packet (source matches prefix). However, uRPF in strict mode (rx) checks that the source is reachable via the same interface the packet arrived on. Since the route points to a different interface, uRPF drops the packet.

1081
MCQ · easy

In OSPF, what is the default hello interval on a point-to-point network type?

A. 10 seconds
B. 30 seconds
C. 5 seconds
D. 40 seconds
Answer: A

Correct. Point-to-point and broadcast networks use a 10-second hello interval.

Why this answer

OSPF default hello interval is 10 seconds for broadcast and point-to-point networks, and 30 seconds for NBMA networks. This is defined in RFC 2328.

1082
MCQ · hard

An MPLS network is experiencing label distribution failures. Router R1 (LSR) has the following configuration: mpls ldp neighbor 10.0.0.2 password cisco. Router R2 shows: 'show mpls ldp neighbor' lists R1 as 'Oper Down' with reason 'TCP MD5 authentication failure'. R1's 'show mpls ldp neighbor' shows R2 as 'Oper Down' with the same reason. Both routers have the same password configured. What is the root cause?

A. The LDP neighbor IP address configured on R1 does not match R2's LDP transport address, causing MD5 authentication to fail.
B. The password is not configured globally under 'mpls ldp password' on both routers.
C. The MPLS LDP session is using a different port number, causing authentication to be ignored.
D. The interface between R1 and R2 has 'mpls ip' disabled.
Answer: A

The 'mpls ldp neighbor' command expects the neighbor's LDP transport address (usually the router ID). If R1 uses 10.0.0.2 but R2's transport address is different (e.g., 10.0.0.3), the TCP connection uses a different IP, and MD5 authentication fails because the password is associated with the wrong IP.

Why this answer

LDP uses TCP for session establishment, and MD5 authentication is configured via the 'mpls ldp neighbor' command. However, the password must match on both ends, and the command must specify the correct neighbor IP. If the IP address specified is incorrect (e.g., using a loopback IP instead of the transport address), the authentication will fail.

Additionally, the 'mpls ldp password' command under the interface or global configuration may be required. In this scenario, the root cause is likely that the neighbor IP in the command does not match the actual LDP transport address (e.g., R1 uses 10.0.0.2 but R2's LDP transport address is 10.0.0.3).

1083
MCQ · medium

Consider this IP SLA configuration on router R6:

```
ip sla 60
 udp-echo 203.0.113.1 2000 source-ip 198.51.100.1
 frequency 20
ip sla schedule 60 life forever start-time now
```

What is the purpose of this configuration?

A. It tests UDP connectivity by sending a UDP packet and expecting a response.
B. It tests ICMP echo instead of UDP.
C. It measures jitter and packet loss.
D. It will only work if the destination is a Cisco router.
Answer: A

UDP echo operation sends a UDP datagram and waits for a reply to measure round-trip time.

Why this answer

The configuration sends UDP packets to destination 203.0.113.1 on port 2000, sourced from 198.51.100.1, every 20 seconds. It tests UDP connectivity and response time.

1084
MCQ · medium

A network engineer is troubleshooting a DMVPN phase 2 network where the hub router is not forming an NHRP adjacency with a spoke. The spoke router is configured with 'ip nhrp nhs 10.0.0.1' and 'ip nhrp map 10.0.0.1 192.168.1.1'. The hub's tunnel interface IP is 10.0.0.1, and the physical interface IP is 192.168.1.1. The engineer pings the hub's tunnel IP from the spoke and it succeeds. However, 'show ip nhrp' on the spoke shows no NHRP entries. What is the most likely cause?

A. The hub router has 'ip nhrp authentication DMVPN' configured, but the spoke does not.
B. The spoke's tunnel interface is in a different VRF than the hub's.
C. The hub's tunnel interface has 'no ip nhrp server-only' configured.
D. The spoke's NHRP map is incorrect; it should map the hub's tunnel IP to the hub's tunnel IP.
Answer: A

Correct because NHRP authentication must match between hub and spoke for registration to succeed.

Why this answer

NHRP registration requires the spoke to send a Registration Request to the hub. If the hub does not respond, the spoke will not have NHRP entries. A common cause is that the hub's NHRP authentication is configured with a password, but the spoke's NHRP authentication is missing or mismatched.

1085
MCQ · hard

A network engineer runs the following command on Router R1:

```
R1# show event manager history events
Event History:
No.  Time                 Type    Name
1    00:01:30 UTC Mar 1   syslog  EIGRP_Neighbor_Down
2    00:01:31 UTC Mar 1   syslog  OSPF_Neighbor_Flap
3    00:01:32 UTC Mar 1   syslog  EIGRP_Neighbor_Down
4    00:01:33 UTC Mar 1   syslog  OSPF_Neighbor_Flap
```

Based on this output, what is the most likely problem?

A. The EEM policies are not configured correctly.
B. The router is experiencing network instability causing repeated neighbor state changes.
C. The EEM applet policies are disabled.
D. The syslog server is not reachable.
Answer: B

The repeated events within seconds indicate flapping, likely due to link issues or routing problems.

Why this answer

The 'show event manager history events' command shows the last triggered events. The output shows repeated syslog events for EIGRP neighbor down and OSPF neighbor flap within a short timeframe, indicating a flapping condition. The correct answer is that the router is experiencing network instability causing repeated neighbor state changes.

1086
MCQ · hard

A network engineer is troubleshooting a DHCPv4 relay scenario where clients on subnet 10.1.1.0/24 are unable to obtain IP addresses from a DHCP server at 192.168.1.10. The router interface Gi0/0 (10.1.1.1/24) has 'ip helper-address 192.168.1.10' configured. The engineer captures packets and sees DHCP DISCOVER messages sourced from 10.1.1.1 being sent to 192.168.1.10, but no replies are seen. The server is reachable via ping from the router. What is the most likely cause?

A. The DHCP server does not have a route to 10.1.1.0/24.
B. The DHCP server is not configured with a scope for subnet 10.1.1.0/24.
C. The 'ip helper-address' command should be configured on the server-facing interface, not the client-facing interface.
D. The router needs the 'ip dhcp relay information option' command.
Answer: B

Correct because if the server has no scope for the client subnet, it will ignore the DISCOVER message and not send any reply, even though the relayed packet reaches the server.

Why this answer

The DHCP server may not have a route back to the client subnet (10.1.1.0/24) or the server's default gateway does not have a route. The relay agent sets the gateway IP address (giaddr) to the interface IP (10.1.1.1), and the server sends the OFFER back to that giaddr. If the server cannot reach 10.1.1.1, the reply is lost.

However, the engineer confirms the server is reachable via ping, so the issue is likely that the server is not configured with a scope for the 10.1.1.0/24 subnet, causing it to drop the DISCOVER.

1087
MCQ · hard

An engineer is troubleshooting a DMVPN phase 2 deployment with IPv6 over mGRE tunnels. The spoke routers can ping the hub's tunnel IPv6 address, but cannot reach IPv6 networks behind other spokes. The engineer verifies that NHRP is configured and that the hub has a route to the spoke's internal networks. What is the most likely cause?

A. The spoke routers are missing a static route for the remote spoke's internal network pointing to the mGRE tunnel interface.
B. The NHRP authentication key is mismatched between the spokes.
C. The tunnel key is not configured on the mGRE interface.
D. The hub is not configured with 'ip nhrp redirect' and the spokes with 'ip nhrp shortcut'.
Answer: A

Correct because without a route to the remote spoke's network via the tunnel, the spoke will send traffic to the hub, which may not forward it correctly, or the spoke may use a default route that does not use the tunnel.

Why this answer

In a DMVPN Phase 2 deployment, spoke routers must have a route to remote spoke networks pointing to the mGRE tunnel interface. Without this static route, the spoke will not know to send traffic for the remote spoke's internal network over the tunnel, even though NHRP resolves the next-hop. The hub has a route to the spoke's internal networks, but that does not enable direct spoke-to-spoke communication without proper routing on the spokes themselves.

Exam trap

Cisco often tests the distinction between Phase 2 and Phase 3 DMVPN behavior, and the trap here is that candidates assume NHRP alone handles spoke-to-spoke routing, forgetting that a route pointing to the tunnel interface is required in Phase 2 for the spoke to initiate the NHRP resolution process.

How to eliminate wrong answers

Option B is wrong because an NHRP authentication key mismatch between spokes would prevent NHRP registration and resolution, causing the spoke to be unable to ping the hub's tunnel IPv6 address, which is not the case here. Option C is wrong because the tunnel key is used for security and to identify the mGRE tunnel, but its absence would not specifically prevent spoke-to-spoke reachability if NHRP is working and routes are present. Option D is wrong because 'ip nhrp redirect' and 'ip nhrp shortcut' are used in DMVPN Phase 3 to enable dynamic shortcut creation; in Phase 2, spoke-to-spoke traffic is forwarded via the hub by default, and the issue is a missing route, not the absence of redirect/shortcut.

1088
MCQ · easy

A network engineer configures SNMPv2c on router R3 with 'snmp-server community cisco RO' and 'snmp-server community cisco RW'. The NMS can poll read-only data but fails when trying to write a configuration value. The NMS uses the RW community string. What is the most likely cause?

A. The community string 'cisco' is used for both RO and RW; the router applies the first matching community, which is RO.
B. The NMS is sending the community string in uppercase, but the router expects lowercase.
C. The router needs the 'snmp-server enable traps' command to allow write operations.
D. The NMS must use SNMPv3 for write operations; SNMPv2c does not support writes.
Answer: A

Correct because identical community strings cause the router to use the RO access, preventing writes.

Why this answer

The RW community string is 'cisco', but the RO community string is also 'cisco'. When both are identical, the router treats the community as read-only, ignoring the RW privilege. The engineer must use different community strings for RO and RW.

1089
MCQ · medium

Which IPv6 access-list entry will deny traffic from any source to the destination prefix 2001:db8:1::/48?

A. deny ipv6 any 2001:db8:1::/48
B. deny ipv6 2001:db8:1::/48 any
C. deny ipv6 any host 2001:db8:1::1
D. deny ipv6 2001:db8:1::/48 2001:db8:1::/48
Answer: A

This correctly denies all IPv6 traffic from any source to the specified destination prefix.

Why this answer

The 'any' keyword matches any source, and the destination prefix is specified after the deny keyword.

1091
MCQ · medium

In BGP, what is the effect of using a route-map with a set community command but without the additive keyword?

A. The specified community is added to the existing communities.
B. The existing communities are overwritten by the specified community.
C. The community attribute is not modified; the set command is ignored.
D. The route is denied if it already has communities.
Answer: B

Correct. Without additive, set community replaces the community attribute.

Why this answer

When set community is used without the additive keyword, it replaces any existing community attributes on the route with the specified community. With the additive keyword, the specified community is added to the existing communities.

1092
MCQ · hard

A network engineer runs the following command on Router R1:

```
R1# show ip sla configuration 1
IP SLAs Infrastructure Engine-II
Entry number: 1
Owner:
Tag:
Type of operation to perform: icmp-echo
Target address: 192.168.1.1
Source address: 0.0.0.0
Source interface: none
Type Of Service parameter: 0
Verify data: No
Operation timeout (milliseconds): 5000
Request size (ARR data block): 28
Threshold (milliseconds): 100
Frequency (seconds): 10
Life (seconds): Forever
Ageout (seconds): 0
```

Based on this output, what is the primary problem with this IP SLA configuration?

A. The threshold value is too low, causing frequent threshold violations.
B. The source address is set to 0.0.0.0, which may cause the probe to fail if the router does not have a valid route.
C. The frequency is set to 10 seconds, which is too fast for accurate measurements.
D. The operation timeout is too high, causing delays in failure detection.
Answer: B

A source address of 0.0.0.0 means the router uses the IP of the egress interface, but if that interface is down or has no IP, the probe may fail. This is a common misconfiguration.

Why this answer

The source address is 0.0.0.0 and no source interface is configured. This means the router will use the outgoing interface's IP address, which might not be routable or expected. However, the key clue is that the threshold is set to 100 ms, but the operation timeout is 5000 ms.

If the RTT exceeds 100 ms, the operation will report 'Over threshold' but not necessarily fail. The question focuses on configuration issues; the source address being 0.0.0.0 is a common misconfiguration that can cause problems if the router cannot reach the target.

1093
MCQ · hard

R1 and R2 are eBGP peers. R1 advertises a summary route 10.0.0.0/8 via aggregate-address 10.0.0.0 255.0.0.0 summary-only. R2 receives the summary but also expects to receive more specific routes (e.g., 10.1.0.0/16) for traffic engineering. R2's BGP table shows only the summary, and the more specific routes are missing. R1's configuration includes: router bgp 65001, network 10.1.0.0 mask 255.255.0.0, and aggregate-address 10.0.0.0 255.0.0.0 summary-only. What is the root cause?

A. The summary-only keyword suppresses all more specific routes, including the network 10.1.0.0/16, from being advertised to R2.
B. The network 10.1.0.0/16 is not in the routing table of R1, so it cannot be advertised.
C. R2 must have a route-map to accept the more specific route.
D. The aggregate-address should be configured with the as-set keyword to include more specifics.
Answer: A

summary-only causes all more specific routes to be suppressed, even if they are explicitly configured with network statements.

Why this answer

The aggregate-address with summary-only suppresses all more specific routes from being advertised to neighbors. Even though the network 10.1.0.0/16 is injected into BGP, the summary-only keyword causes it to be suppressed from advertisements. To allow the more specific route to be advertised alongside the summary, the summary-only keyword should be removed, or the more specific route should be explicitly permitted via a route-map.

The root cause is that summary-only suppresses the more specific routes.

1094
MCQ · medium

A network engineer runs the following command on Router R1:

```
R1# show ip sla statistics
IPSLAs Latest Operation Statistics
IPSLA operation id: 1
Type of operation: icmp-echo
Latest RTT: 20 milliseconds
Latest operation start time: 12:00:00 UTC Mon Mar 1 2021
Latest operation return code: OK
Number of successes: 100
Number of failures: 0
```

Based on this output, which statement is correct?

A. The IP SLA probe is successfully reaching the target with no failures.
B. The IP SLA probe has failed 100 times.
C. The IP SLA probe is using UDP jitter.
D. The IP SLA probe is not configured because the operation ID is 1.
Answer: A

The return code is OK, and there are 100 successes with 0 failures.

Why this answer

The output shows 100 successes and 0 failures for the ICMP echo operation, with a latest return code of OK, confirming that the IP SLA probe is successfully reaching the target without any failures. The 'Number of successes: 100' and 'Number of failures: 0' directly indicate a 100% success rate for the probe.

Exam trap

Cisco often tests the ability to interpret the 'Number of successes' and 'Number of failures' fields correctly, where candidates may mistakenly associate the count with failures instead of successes, or confuse the operation type (ICMP echo vs. UDP jitter) based on the operation ID alone.

How to eliminate wrong answers

Option B is wrong because the output shows 100 successes, not 100 failures; the 'Number of failures: 0' explicitly contradicts this claim. Option C is wrong because the 'Type of operation: icmp-echo' clearly indicates ICMP echo, not UDP jitter, which would require a different operation type (e.g., 'udp-jitter'). Option D is wrong because operation ID 1 is present and has statistics, meaning the IP SLA probe is configured and active; an unconfigured operation would not display any statistics.

1095
MCQ · easy

Which default administrative distance is assigned to a directly connected interface route?

A. 0
B. 1
C. 5
D. 110
Answer: A

A directly connected route has an AD of 0, meaning it is always preferred over any learned route.

Why this answer

Directly connected routes have a default administrative distance of 0, indicating the highest preference.

1096
MCQ · hard

In a DMVPN Phase 2 network with EIGRP, R1 (hub) and R2 (spoke) are configured. R2's tunnel interface has an ACL applied inbound that denies ICMP. R2 can ping R1's tunnel IP, but R1 cannot ping R2's tunnel IP. What is the root cause?

A. R2's tunnel interface has an inbound ACL that denies ICMP, blocking R1's ping requests.
B. R1's tunnel interface has an outbound ACL that denies ICMP.
C. NHRP is not resolving R2's tunnel IP to its physical IP on R1.
D. EIGRP is not advertising R2's tunnel IP to R1.
Answer: A

Correct. Inbound ACLs filter traffic entering the interface. ICMP echo requests from R1 are denied, so R1 cannot ping R2.

Why this answer

The ACL on R2's tunnel interface inbound denies ICMP. When R1 sends an ICMP echo request to R2, it is denied by the ACL. However, R2 can ping R1 because the ACL does not affect outbound traffic.

The issue is that the ACL is applied inbound, blocking incoming ICMP packets.

1097
MCQ · medium

A network engineer runs the following command to troubleshoot Control Plane Policing (CoPP):

```
R1# show policy-map control-plane input class class-default
  Class-map: class-default (match-any)
    140091 packets, 12345678 bytes
    5 minute offered rate 1000 bps, drop rate 0 bps
    Match: any
    police:
        cir 8000 bps, bc 1500 bytes
      conformed 140091 packets, 12345678 bytes; actions:
        transmit
      exceeded 0 packets, 0 bytes; actions:
        drop
      violated 0 packets, 0 bytes; actions:
        drop
```

What does this output indicate?

A. CoPP is dropping all traffic to the control plane.
B. CoPP is rate-limiting traffic to 8000 bps and not dropping any packets.
C. CoPP is not configured; the class-default shows no action.
D. CoPP is dropping packets due to exceeding the rate.
Answer: B

The police cir is 8000 bps, and all packets conform, so they are transmitted.

Why this answer

The output shows that the CoPP policy on the control-plane input class-default is policing traffic to 8000 bps. All packets are conforming and being transmitted, with no drops.

1098
MCQ · hard

A network engineer configures SPAN on a switch to monitor traffic from VLAN 20 to a local analyzer on interface Gi0/1. The configuration:

```
monitor session 1 source vlan 20 rx
monitor session 1 destination interface Gi0/1
```

The analyzer sees no traffic. The switch runs OSPF and has a route to 0.0.0.0/0 via a neighbor. The Gi0/1 interface is configured as a trunk port with native VLAN 1. The analyzer is connected to a hub that also connects to another device. The other device sends traffic that causes the switch to learn MAC addresses on Gi0/1. What is the root cause?

A. The destination interface Gi0/1 is a trunk port, which is not supported for SPAN destinations; it must be an access port.
B. The source VLAN 20 is not allowed on the trunk port Gi0/1.
C. The analyzer is connected via a hub, causing a loop that disables the port.
D. The monitor session is missing the 'no shutdown' command.
Answer: A

SPAN destination ports must be access ports; trunk ports are not allowed as SPAN destinations.

Why this answer

SPAN destination ports should not be used for normal traffic; they are dedicated to monitoring. If the destination port is configured as a trunk, it may participate in spanning tree and learn MAC addresses. However, the key issue is that SPAN does not work if the destination port is a trunk port that is also used for other traffic.

The switch may be forwarding traffic from other VLANs to the analyzer, but the mirrored traffic from VLAN 20 may be dropped because the destination port is not in the correct VLAN. Specifically, the destination port should be an access port in the same VLAN as the source, or if it is a trunk, the mirrored traffic is sent as untagged or tagged depending on the configuration. The analyzer may not receive traffic if the native VLAN mismatch occurs.

The correct root cause is that the destination port is a trunk with native VLAN 1, but the mirrored traffic from VLAN 20 is tagged with VLAN 20, and the analyzer may not understand the tag. However, the more subtle issue is that the switch may not allow the destination port to be a trunk for SPAN; it must be an access port. The correct answer is that SPAN destination ports cannot be trunk ports.

1099
Drag & Drop · medium

Drag and drop the steps to verify and validate route redistribution operational state into the correct order, from first to last.


Why this order

Verification of redistribution starts with checking the routing table for redistributed routes, then examining the specific protocol database, followed by verifying the redistribution configuration, then checking for administrative distance issues, and finally using traceroute to validate the path. This order confirms routes are present, correctly sourced, and reachable.

1100
Drag & Drop · medium

Drag and drop the steps to configure an ERSPAN session for remote traffic capture into the correct order, from first to last.


Why this order

First, you must define the source interface and traffic direction. Next, specify the ERSPAN ID and destination IP address. Then, configure the ERSPAN origin IP address on the source switch.

After that, enable the ERSPAN session globally. Finally, verify the session is active.

1101
MCQ · hard

An engineer applies an IPv6 ACL to filter traffic between two VLANs on a switch using a router-on-a-stick configuration. The ACL is applied inbound on the subinterface. Traffic from VLAN 10 to VLAN 20 is permitted, but return traffic from VLAN 20 to VLAN 10 is dropped. Which is the most likely explanation?

A. The ACL is applied only on the VLAN 10 subinterface, so return traffic from VLAN 20 is not filtered but the ACL on VLAN 10 drops it because the source address matches a deny entry.
B. The ACL on the VLAN 20 subinterface is missing a permit entry for the return traffic, or the ACL is applied outbound on VLAN 10, which does not affect incoming return traffic.
C. The router has 'ipv6 unicast-routing' disabled, preventing inter-VLAN routing.
D. The ACL uses 'deny ipv6 any any' which blocks all traffic, but the permit statement for VLAN 10 to VLAN 20 is placed after the deny, causing it to be ignored.
Answer: B

Correct. The return traffic must be permitted by the ACL on the VLAN 20 subinterface (inbound) or on the VLAN 10 subinterface (outbound). If missing, traffic is dropped.

Why this answer

In router-on-a-stick, each VLAN has a separate subinterface. If the ACL is applied inbound on the subinterface for VLAN 10, it filters traffic entering that subinterface from VLAN 10. Return traffic from VLAN 20 enters the subinterface for VLAN 20, not VLAN 10.

The ACL on VLAN 10 subinterface does not affect traffic from VLAN 20. The issue is likely that the ACL on the VLAN 20 subinterface is missing or configured incorrectly, or the engineer applied the ACL only on one subinterface. The edge case: engineers often apply ACLs only on one side, forgetting that traffic is bidirectional and each subinterface needs its own ACL.

1102
MCQ · hard

A BGP-speaking router R1 is experiencing unexpected path selection for prefix 10.0.0.0/8. R1 receives two BGP updates: one from neighbor 192.168.1.2 with local preference 150, AS path 65001 65002, and MED 50; another from neighbor 192.168.2.2 with local preference 100, AS path 65001, and MED 100. R1's BGP configuration includes: bgp always-compare-med. The show ip bgp 10.0.0.0/8 output shows the path via 192.168.1.2 as best, but the network team expects the path via 192.168.2.2 to be best due to shorter AS path. What is the root cause?

A.The bgp always-compare-med command causes MED comparison across different AS paths, making the path with lower MED (50) preferred over the shorter AS path.
B.The local preference on the path via 192.168.1.2 is higher (150 vs 100), overriding AS path length.
C.The MED value of 50 on the first path is lower, but without always-compare-med, the second path would be best due to shorter AS path. However, the command is not present, so the behavior is normal.
D.The AS path length is not considered because the paths have different neighbor AS; BGP prefers the path with the lower neighbor AS.
AnswerA

The `bgp always-compare-med` command forces MED comparison regardless of AS path length, contradicting the expectation that the shorter AS path should win.

Why this answer

The `bgp always-compare-med` command forces BGP to compare MED values even when the paths originate from different neighboring ASes. In this scenario, the path via 192.168.1.2 has MED 50 and the path via 192.168.2.2 has MED 100. Without this command, MED would not be compared because the AS paths differ (65001 65002 vs. 65001), and the shorter AS path (65001) would be preferred.

However, with `bgp always-compare-med` enabled, the lower MED (50) overrides the AS path length, making the path via 192.168.1.2 the best.

Exam trap

Cisco often tests the interaction between `bgp always-compare-med` and the AS path length tie-breaker, trapping candidates who forget that MED comparison occurs after AS path length only when the command is enabled, or who mistakenly think local preference is always overridden by AS path length.

How to eliminate wrong answers

Option B is wrong because local preference is compared before AS path length in the BGP best-path selection process, but here both paths have local preference values (150 and 100) that are compared first; however, the higher local preference (150) would normally win, but the question states the network team expects the shorter AS path to be best, implying they believe AS path length should override local preference, which is incorrect because local preference is a higher-priority criterion. Option C is wrong because the `bgp always-compare-med` command is explicitly stated as present in the configuration, so the behavior is not normal without it; the command is present, causing MED to be compared across ASes. Option D is wrong because BGP does not prefer a path based on lower neighbor AS; the neighbor AS is not a standard BGP path selection criterion, and AS path length is compared as a whole, not the first AS in the path.

1103
Multi-Selecthard

Which TWO statements about MPLS label stack operations in a Layer 3 VPN (L3VPN) are true? (Choose TWO.)

Select 2 answers
A.A P router (core router) performs label swapping only on the top label in the label stack.
B.The ingress PE router imposes two labels: an outer LDP label and an inner VPN label.
C.The P router pops the inner VPN label before forwarding the packet to the egress PE.
D.The egress PE router swaps the VPN label with a new label before forwarding to the CE.
E.The P router uses the inner VPN label to make forwarding decisions.
AnswersA, B

Correct. The P router swaps the outer IGP label; it does not process the inner VPN label.

Why this answer

In MPLS L3VPN, the P router (core router) performs label swapping based on the top label (IGP label). The PE router (ingress) imposes two labels: the outer IGP label for transport and the inner VPN label for identifying the egress VRF. The P router does not look at the inner VPN label.

Option A is correct: the P router swaps only the top label. Option B is correct: the ingress PE imposes two labels. Option C is false: the P router does not pop the VPN label; it swaps the transport label.

Option D is false: the egress PE pops the VPN label, not the P router. Option E is false: the P router does not look at the VPN label; it only swaps the outer label.

1104
MCQhard

A network engineer configures EEM to monitor CPU usage on R1. R1 has:

```
event manager applet CPU-MONITOR
 event snmp oid 1.3.6.1.4.1.9.9.109.1.1.1.1.7.1 get-type exact entry-op gt entry-val 80 poll-interval 5
 action 1.0 cli command "enable"
 action 2.0 cli command "show processes cpu sorted"
 action 3.0 syslog msg "High CPU usage detected"
```

After a few hours, the engineer notices that the applet triggers repeatedly, but the show command output is truncated. Router R2 shows: no issues. What is the root cause?

A.The EEM applet runs too frequently (every 5 seconds), consuming CPU and causing output truncation.
B.The SNMP OID is for 5-second CPU, not 1-minute average, causing false positives.
C.The 'show processes cpu sorted' command requires a terminal length setting.
D.The applet should use 'event manager applet CPU-MONITOR trigger' to start.
AnswerA

Frequent execution of the show command increases CPU load, worsening the condition.

Why this answer

The EEM applet triggers every 5 seconds when CPU exceeds 80%, and each execution runs the show command, which itself consumes CPU. This can create a feedback loop where the applet increases CPU usage, causing more triggers. Additionally, the show command output may be truncated if the applet runs too frequently or the buffer is insufficient.

The correct fix is to increase the poll interval or add a throttle.

1105
MCQhard

A network engineer runs the following command to verify OSPF database on a DMVPN hub:

```
R1# show ip ospf database router 2.2.2.2

            OSPF Router with ID (1.1.1.1) (Process ID 1)

                Router Link States (Area 0)

  LS age: 100
  Options: (No TOS-capability, DC)
  LS Type: Router Links
  Link State ID: 2.2.2.2
  Advertising Router: 2.2.2.2
  LS Seq Number: 80000001
  Checksum: 0x1234
  Length: 48
  Number of Links: 1

    Link connected to: a Transit Network
     (Link ID) Designated Router address: 10.0.0.1
     (Link Data) Router Interface address: 10.0.0.2
      Number of MTID metrics: 0
       TOS 0 Metrics: 10
```

What does this output indicate?

A.The router 2.2.2.2 is advertising a stub network via Tunnel0.
B.The router 2.2.2.2 is connected to the DR at 10.0.0.1 over the DMVPN tunnel with cost 10.
C.The router 2.2.2.2 is the DR for the DMVPN network.
D.The OSPF database is empty; no LSAs have been received.
AnswerB

Correct: The LSA shows a transit link to DR 10.0.0.1 with metric 10.

Why this answer

The output shows the router LSA from 2.2.2.2, advertising a link to a transit network (the DMVPN tunnel) with metric 10, indicating the spoke is connected to the hub's DR.

1106
MCQhard

What is the default dead interval multiplier for OSPFv3?

A.3
B.4
C.5
D.2
AnswerB

The default dead interval multiplier is 4, resulting in a dead interval of 40 seconds on broadcast networks.

Why this answer

The dead interval is calculated as the hello interval multiplied by the dead interval multiplier, which defaults to 4.

1107
Multi-Selectmedium

Which TWO commands can be used to verify the administrative distance of a route in a Cisco IOS router? (Choose TWO.)

Select 2 answers
A.show ip route
B.show ip protocols
C.show ip interface brief
D.show running-config | include distance
E.show ip ospf interface
AnswersA, B

The `show ip route` command shows the routing table, where each entry includes the administrative distance (e.g., [110/20]).

Why this answer

The show ip route command displays the routing table including the administrative distance for each route. The show ip protocols command displays routing protocol parameters including the default and any configured administrative distances. The other options either do not show administrative distance or are incorrect commands.

1108
MCQhard

An engineer configures IP SLA with an ICMP echo operation and tracks it with a static route. The IP SLA operation is configured with a source interface of Loopback0. The engineer notices that when the remote host becomes unreachable, the static route is removed, but when the remote host becomes reachable again, the static route is not reinstalled immediately. The show ip sla statistics shows the operation is 'Active' and 'Success'. Which is the most likely explanation?

A.The static route has a higher administrative distance than the default route, so it is not installed.
B.The track object has a 'delay up' configured, causing a delay before the route is reinstalled.
C.The IP SLA operation uses a source interface that is not reachable from the remote host, causing asymmetric routing.
D.The IP SLA operation has a frequency that is too high, causing the router to ignore the results.
AnswerB

The delay up command in the track object introduces a hold-down period before the object state changes to up, so the route is not reinstalled immediately.

Why this answer

When an IP SLA operation uses a source interface, the operation may fail if that interface is down, but more importantly, the track object may have a delay configured for up transitions. Additionally, the static route may have a higher administrative distance that prevents it from being reinstalled if another route to the same prefix exists. However, the most common edge case is that the track object has a 'delay up' configured, which delays the route installation after the operation recovers.

1109
MCQmedium

Which MPLS label is used for the Router Alert function, and what is its purpose?

A.Label 1; used to alert the router to examine the packet in the control plane.
B.Label 0; used to alert the router to examine the packet.
C.Label 2; used to alert the router to examine the packet.
D.Label 3; used to alert the router to examine the packet.
AnswerA

Label 1 is the Router Alert label per RFC 3032.

Why this answer

Label 1 is the Router Alert label, used to indicate that the packet should be examined by the router's control plane, typically for OAM or RSVP-TE messages.

1110
MCQmedium

A network engineer runs the following command to troubleshoot a Network Logging and Syslog issue:

```
R1# debug ip bgp updates
```

Output:

```
BGP(0): 10.0.0.2 rcvd UPDATE w/ attr: nexthop 10.0.0.2, origin i, path 65002
BGP(0): 10.0.0.2 rcvd 10.1.1.0/24
BGP(0): 10.0.0.2 rcvd UPDATE w/ attr: nexthop 10.0.0.2, origin i, path 65002 65003
BGP(0): 10.0.0.2 rcvd 10.2.2.0/24
```

What does this output indicate?

A.The router is receiving BGP updates for prefixes 10.1.1.0/24 and 10.2.2.0/24 from neighbor 10.0.0.2.
B.The router is sending BGP updates to neighbor 10.0.0.2.
C.The router is experiencing a BGP route flap.
D.The router is filtering BGP updates due to a prefix list.
AnswerA

The debug shows received updates with prefixes and AS paths.

Why this answer

The output shows BGP updates being received from neighbor 10.0.0.2, including prefixes and AS path information. This indicates successful BGP peering and route exchange.

1111
MCQhard

What is the default value of the 'limit' parameter in the 'ipv6 nd prefix' command for the number of prefixes advertised in RA messages?

A.8
B.16
C.32
D.64
AnswerB

Correct. The default limit is 16 prefixes.

Why this answer

The default limit for the number of IPv6 prefixes advertised in RA messages on Cisco IOS-XE is 16. This is a Cisco-specific default, not defined in RFC 4861.

1112
MCQmedium

A network engineer runs the following command to troubleshoot an EEM issue:

```
R1# show event manager history events
Event History:
Event Type : syslog
Time : Mar 1 00:05:23
Pattern : OSPF-5-ADJCHG
Trigger count : 1

Event Type : timer
Time : Mar 1 00:06:00
Timer Type : absolute
Timer Name : MY-TIMER
Trigger count : 1
```

What does this output indicate?

A.Two events have triggered EEM applets: a syslog event matching 'OSPF-5-ADJCHG' and an absolute timer named 'MY-TIMER'.
B.Two EEM applets are currently registered: one for syslog and one for timer.
C.The OSPF-5-ADJCHG syslog event triggered an applet that executed a timer.
D.The timer event is a countdown timer that triggered after 5 minutes and 23 seconds.
AnswerA

Correct. The output shows two events: one syslog event with pattern OSPF-5-ADJCHG triggered once, and one absolute timer named MY-TIMER triggered once.

Why this answer

The output shows the event history for EEM. It lists events that have triggered EEM applets. Each entry shows the event type (syslog, timer, etc.), the time it occurred, specific details (pattern for syslog, timer type and name for timer), and the number of times that event triggered an applet.

This helps in troubleshooting which events are being matched.

1113
MCQhard

An engineer configures IP SLA with an ICMP echo operation to track a remote host, but the IP SLA responder is not configured on the remote router. The IP SLA operation shows 'Timeout' in the show ip sla statistics output. The engineer expects the operation to succeed because the remote host is reachable via ping. Which is the most likely explanation?

A.The IP SLA operation uses a different source address than the ping command, causing the remote router to drop the packets due to uRPF.
B.The IP SLA ICMP echo operation requires the IP SLA responder to be enabled on the remote router; without it, the operation may time out even if standard ping succeeds.
C.The IP SLA operation is blocked by an ACL on the local router that permits ICMP but denies IP SLA packets.
D.The IP SLA operation has a frequency that is too high, causing the router to rate-limit the probes.
AnswerB

IP SLA ICMP echo uses a specific protocol format that differs from standard ping; the responder is needed for proper operation.

Why this answer

IP SLA ICMP echo operations require the IP SLA responder to be enabled on the remote device for accurate round-trip time measurement; without it, the operation may still work but can time out due to packet processing differences, or the operation may fail entirely if the remote device does not respond to ICMP echo requests in a timely manner as per IP SLA expectations.

1114
MCQhard

A network engineer runs the following command to verify MPLS LDP label bindings for a specific prefix:

```
R1# show mpls ldp bindings 10.0.0.0 255.0.0.0
```

Output:

```
lib entry: 10.0.0.0/8, rev 10
    local binding: label: imp-null
    remote binding: lsr: 10.0.0.2:0, label: imp-null
    remote binding: lsr: 10.0.0.3:0, label: 302
```

What does this output indicate?

A.R1 will pop the label for 10.0.0.0/8 before forwarding to the next hop
B.R1 will swap the label for 10.0.0.0/8
C.All neighbors are using implicit null for this prefix
D.The prefix 10.0.0.0/8 is not in the routing table
AnswerA

Implicit null (imp-null) means the router will pop the label (PHP - Penultimate Hop Popping).

Why this answer

The output shows label bindings for prefix 10.0.0.0/8. R1 has assigned implicit null label (label 3) locally, meaning it will pop the label before forwarding. Neighbor 10.0.0.2 also uses implicit null, while 10.0.0.3 uses label 302.

1116
MCQmedium

Consider the following DHCPv6 configuration on router R2:

```
ipv6 dhcp pool DHCP6_POOL
 dns-server 2001:db8::1
 domain-name example.com
!
interface GigabitEthernet0/0
 ipv6 address 2001:db8:1::1/64
 ipv6 dhcp server DHCP6_POOL
 ipv6 nd other-config-flag
 no shutdown
```

What is the effect of this configuration?

A.Hosts on this subnet will use SLAAC to obtain their IPv6 address and then use DHCPv6 to get DNS and domain information.
B.Hosts will obtain both their IPv6 address and DNS information from the DHCPv6 pool.
C.The DHCPv6 pool is missing the address prefix, so it will not provide any configuration to clients.
D.The ipv6 nd other-config-flag command is ignored because the DHCPv6 server is configured on the interface.
AnswerA

The other-config-flag indicates that hosts should use SLAAC for addressing and DHCPv6 for additional parameters, which is stateless DHCPv6.

Why this answer

Option A is correct because the configuration uses the `ipv6 nd other-config-flag` command, which sets the 'Other Configuration' flag (O-flag) in Router Advertisement (RA) messages. This tells hosts to use Stateless Address Autoconfiguration (SLAAC) for their IPv6 address (based on the prefix in the RA) and then use DHCPv6 (stateless DHCPv6) only to obtain additional parameters like DNS server and domain name, as defined in the DHCPv6 pool.

Exam trap

Cisco often tests the distinction between the M-flag (stateful DHCPv6) and O-flag (stateless DHCPv6), and the trap here is that candidates confuse the `other-config-flag` with the `managed-config-flag`, leading them to incorrectly think DHCPv6 provides addresses when it only provides other parameters.

How to eliminate wrong answers

Option B is wrong because it describes stateful DHCPv6, where both the IPv6 address and other parameters are obtained from the DHCPv6 server; however, the `ipv6 nd other-config-flag` (O-flag) explicitly instructs hosts to use SLAAC for addressing, not DHCPv6 for addresses. Option C is wrong because a DHCPv6 pool does not require an `address prefix` for stateless DHCPv6; the pool only needs to provide options like DNS and domain name, and the prefix for SLAAC is advertised via Router Advertisements. Option D is wrong because the `ipv6 nd other-config-flag` command is not ignored; it is fully functional and works in conjunction with the DHCPv6 server configuration to signal stateless DHCPv6 to clients.

1117
MCQhard

A network engineer configures Flexible NetFlow to export traffic statistics for a VRF named CUSTOMER_A. The configuration includes 'flow exporter EXPORTER' with destination 10.10.10.10:2055 and 'vrf CUSTOMER_A' under the exporter. The flow monitor is applied to the VRF interface. However, 'show flow monitor name MONITOR cache' shows no entries for VRF traffic. What is the most likely cause?

A.The exporter is missing the 'source' interface command.
B.The flow monitor is applied to the global routing table interface instead of the VRF interface.
C.The VRF is not configured with 'ip flow-export' commands.
D.The flow record does not match any VRF-specific fields.
AnswerB

The monitor must be applied under the VRF interface (e.g., interface GigabitEthernet0/1.100 with encapsulation dot1q and VRF forwarding CUSTOMER_A). Applying it to the physical interface without VRF will not capture VRF traffic.

Why this answer

For VRF-aware NetFlow, the flow monitor must be applied using the 'ip flow monitor MONITOR input' command under the VRF interface, and the exporter must reference the VRF. A common mistake is forgetting to apply the monitor to the interface in the VRF context.

1118
MCQmedium

In OSPF, what is the default administrative distance for intra-area routes on a Cisco IOS-XE router?

A.90
B.110
C.115
D.120
AnswerB

Correct. OSPF uses a default administrative distance of 110 for all route types.

Why this answer

Cisco IOS-XE assigns an administrative distance of 110 to all OSPF routes, including intra-area, inter-area, and external routes, unless modified.

1119
MCQmedium

A network engineer runs the following command on Router P1:

```
P1# show mpls ldp neighbor
    Peer LDP Ident: 10.0.0.2:0, Local LDP Ident: 10.0.0.1:0
        TCP connection: 10.0.0.2.646 - 10.0.0.1.48632
        State: Oper, Msgs sent/rcvd: 120/118, Downstream
        Up time: 00:12:34
        LDP discovery sources:
          GigabitEthernet0/0, Src IP addr: 10.1.1.2
        Addresses bound to peer LDP Ident:
          10.0.0.2 192.168.1.1
```

Based on this output, which statement is correct?

A.The LDP session is down.
B.The LDP session is up and functioning correctly.
C.The router is not receiving label bindings from the neighbor.
D.The LDP router ID is misconfigured.
AnswerB

All indicators show a normal, operational LDP session.

Why this answer

The show mpls ldp neighbor output shows a single LDP neighbor with IP 10.0.0.2. The state is 'Oper' (operational), and the neighbor has been up for 12 minutes. The output indicates a healthy LDP session.

1120
MCQmedium

A network engineer runs the following command to troubleshoot an IPv4 Access Control Lists issue:

```
R1# show ip access-lists 130
Extended IP access list 130
    10 deny ip host 10.1.1.1 host 10.2.2.2
    20 permit ip any any
```

Then the engineer runs:

```
R1# debug ip packet 130
IP packet debugging is on for access list 130
*Mar 1 00:20:10.123: IP: s=10.1.1.1 (GigabitEthernet0/0), d=10.2.2.2, len 100, proto ICMP, access list 130: matched line 10 deny ip host 10.1.1.1 host 10.2.2.2
```

What does this output indicate?

A.ICMP traffic from 10.1.1.1 to 10.2.2.2 is being denied by ACL 130.
B.ICMP traffic from 10.1.1.1 to 10.2.2.2 is being permitted by ACL 130.
C.ACL 130 is applied outbound on GigabitEthernet0/0.
D.ACL 130 is not matching any packets.
AnswerA

The debug shows the match on the deny line.

Why this answer

The debug output explicitly shows that the packet with source 10.1.1.1 and destination 10.2.2.2 matched line 10 of ACL 130, which is a deny statement. Since the ACL is evaluated sequentially and the first match is a deny, the ICMP traffic is denied. The debug message confirms the match, so option A is correct.

Exam trap

Cisco often tests the misconception that a debug message showing a packet matched an ACL line implies the packet was permitted, when in fact the action (deny or permit) is determined by the matched line's action.

How to eliminate wrong answers

Option B is wrong because the debug output shows the packet matched line 10 (deny), not line 20 (permit), so the traffic is denied, not permitted. Option C is wrong because the debug output does not indicate the direction (inbound or outbound) of the ACL application; the interface shown (GigabitEthernet0/0) is the source interface of the packet, not where the ACL is applied. Option D is wrong because the debug output explicitly states 'matched line 10', proving that ACL 130 is matching packets.

1121
MCQeasy

A network engineer runs the following command to troubleshoot EIGRP over DMVPN:

```
R1# debug eigrp packets
EIGRP: Received HELLO on Tunnel0 nbr 10.0.0.2
EIGRP: New peer 10.0.0.2
```

What does this output indicate?

A.EIGRP neighbor adjacency with 10.0.0.2 is established over Tunnel0.
B.EIGRP is not enabled on Tunnel0.
C.The EIGRP neighbor is in a stuck-in-active state.
D.EIGRP authentication is failing between the routers.
AnswerA

Correct: Receiving a hello and creating a new peer indicates adjacency formation.

Why this answer

The debug output shows that R1 has received an EIGRP hello from 10.0.0.2 on Tunnel0 and has formed a new neighbor adjacency.

1122
MCQeasy

A network engineer runs the following command to troubleshoot a Policy-Based Routing (PBR) issue:

```
R1# show ip local policy
Interface      Route-map
local          PBR-LOCAL
```

What does this output indicate?

A.Local PBR is enabled for packets originated by the router.
B.PBR is applied to all incoming interfaces.
C.The route-map PBR-LOCAL is not configured.
D.PBR is applied to all outgoing interfaces.
AnswerA

'ip local policy route-map PBR-LOCAL' applies to locally generated traffic.

Why this answer

The output shows that local PBR is configured using route-map PBR-LOCAL. This applies PBR to locally generated packets on the router.

1123
MCQhard

An engineer configures an IPsec site-to-site VPN between two routers running EIGRP. The EIGRP neighbor forms, but routes are not being exchanged. The engineer notices that the EIGRP neighbor is stuck in active state for certain routes. What is the most likely explanation?

A.The EIGRP hello packets are being encrypted but the reply is not, causing asymmetric routing.
B.The IPsec ACL is permitting EIGRP packets (protocol 88) only in one direction, so queries are sent but replies are dropped by the remote router's crypto map.
C.The EIGRP K-values are mismatched between the two routers.
D.The IPsec tunnel is using aggressive mode, which does not support multicast traffic.
AnswerB

If the crypto ACL on one router permits only certain traffic (e.g., TCP/179 for BGP) but not EIGRP, EIGRP packets may be dropped. If the other router's ACL permits EIGRP, the neighbor forms partially, but queries may not be replied to, causing SIA.

Why this answer

When EIGRP neighbors form but routes are not exchanged and the neighbor is stuck in active (SIA) state, it indicates that EIGRP queries are being sent but replies are not received. In an IPsec VPN, if the crypto ACL permits EIGRP (protocol 88) only in one direction, queries from one router are encrypted and sent, but the remote router's crypto map does not match the reply packets, so they are dropped. This prevents the EIGRP query/reply process from completing, causing routes to remain in active state and not be exchanged.

Exam trap

Cisco often tests the misconception that EIGRP neighbor formation implies full route exchange, but the trap here is that a one-way crypto ACL permits neighbor formation (since hellos are multicast and may be permitted) but blocks query/reply unicast traffic, causing SIA routes.

How to eliminate wrong answers

Option A is wrong because EIGRP hello packets are multicast (224.0.0.10) and are encrypted by IPsec; asymmetric routing would cause a different issue (e.g., packet loss), not specifically SIA routes. Option C is wrong because K-value mismatch prevents neighbor formation entirely, not just route exchange; the neighbor forms here, so K-values must match. Option D is wrong because aggressive mode is an IKE phase 1 mode that does not affect multicast traffic; IPsec tunnels can transport multicast regardless of IKE mode, and EIGRP uses multicast for hellos, which would still work.

1124
MCQhard

A network engineer configures an EEM applet to monitor redistribution events using the event syslog pattern 'IP-4-ROUTING'. The applet is intended to log when a route is redistributed from OSPF into EIGRP. The redistribution is configured without a seed metric for EIGRP, and the route is not redistributed. The EEM applet does not trigger. Which is the most likely explanation?

A.Redistribution into EIGRP without a seed metric fails silently, and no syslog message is generated.
B.The EEM applet must use 'event routing' to capture redistribution events.
C.The syslog pattern 'IP-4-ROUTING' is incorrect; it should be 'IP-5-ROUTING'.
D.The redistribution is blocked by route tagging, preventing the syslog.
AnswerA

Correct. EIGRP requires a seed metric; without it, the route is not redistributed and no syslog is generated.

Why this answer

When redistributing routes into EIGRP without a seed metric, the redistribution fails silently—no syslog message is generated. The EIGRP process drops the redistributed route because the default metric is not set. The 'IP-4-ROUTING' syslog message is only generated when a routing table change occurs due to redistribution, but since the route is not installed, no syslog is produced.

The EEM applet will not trigger because there is no matching syslog event.

1125
MCQhard

In MPLS L3VPN, which OSPF network type is used by default on a Frame Relay point-to-point subinterface when OSPF is enabled?

A.Broadcast
B.Non-broadcast
C.Point-to-point
D.Point-to-multipoint
AnswerC

Correct. Point-to-point subinterfaces default to point-to-point network type.

Why this answer

On a point-to-point subinterface over Frame Relay, the default OSPF network type is point-to-point, which does not require DR/BDR election.
