Cisco CCNP ENARSI 300-410 (300-410) — Questions 1126–1200

2152 questions total · 29 pages · All types, answers revealed

Page 16 of 29

1126
MCQ · medium

A network engineer runs the following command to troubleshoot an EIGRP issue:

R1# show ip eigrp topology 10.1.1.0/24
IP-EIGRP (AS 100): Topology entry for 10.1.1.0/24
  State: Passive, Query origin flag: 1, 1 Successor(s), FD is 131072
  Routing Descriptor Blocks:
  10.1.2.2 (GigabitEthernet0/0), from 10.1.2.2, Send flag: 0x0
      Composite metric: (131072/130816), Route is Internal
      Vector metric:
        Minimum bandwidth is 10000 Kbit
        Total delay is 100 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 1
  10.1.3.3 (GigabitEthernet0/1), from 10.1.3.3, Send flag: 0x0
      Composite metric: (131328/131072), Route is Internal
      Vector metric:
        Minimum bandwidth is 10000 Kbit
        Total delay is 200 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 2

What does this output indicate?

A. Only one path is available; the second path is a backup that is not used.
B. Both paths are feasible successors, but only the first is installed in the routing table.
C. Both paths are installed in the routing table for load balancing.
D. The route is in active state, indicating a query is in progress.
Answer: B

The first entry is the successor (FD 131072), and the second has RD 131072, which equals FD, so it is a feasible successor. Only the successor is installed in the routing table.

Why this answer

The output shows two paths for 10.1.1.0/24. The first entry (via 10.1.2.2) is the successor with FD 131072, and the second (via 10.1.3.3) is a feasible successor: its reported distance (RD) of 131072 is equal to the FD, so it meets the feasibility condition.

1127
MCQ · medium

A network engineer runs the following command on Router R1:

R1# show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.1.2       1   FULL/DR         00:00:35    192.168.1.2     Gi0/0
192.168.2.2       1   2WAY/DROTHER    00:00:38    192.168.2.2     Gi0/1
10.10.10.2        1   FULL/BDR        00:00:32    10.10.10.2      Gi0/2

Based on this output, what is a potential issue?

A. Neighbor 192.168.2.2 is stuck in 2WAY state, indicating a problem.
B. The DR election is incomplete on Gi0/0.
C. All OSPF neighbors are in appropriate states for their roles.
D. Neighbor 10.10.10.2 should be in FULL/DR state.
Answer: C

Each neighbor is in the correct state based on its role (DR, BDR, DROTHER).

Why this answer

On interface Gi0/1, the neighbor is in 2WAY/DROTHER state, which is normal for a non-DR/BDR router on a multi-access network. However, the question asks for a potential issue; the output itself shows no problem. The correct answer is that all neighbors are in expected states.

1128
MCQ · hard

In OSPFv3, which authentication method is supported by default?

A. MD5 authentication
B. Simple password authentication
C. IPsec authentication
D. No authentication is supported
Answer: C

Correct. OSPFv3 relies on IPsec for authentication and integrity.

Why this answer

OSPFv3 uses IPsec for authentication and encryption, as defined in RFC 4552. It does not support the simple password or MD5 authentication used in OSPFv2.

1129
MCQ · medium

Given the following configuration on Router R2:

router eigrp 200
 redistribute ospf 1 metric 10000 100 255 1 1500
 default-metric 10000 100 255 1 1500

What is the effect of having both the 'metric' keyword in the redistribute command and the 'default-metric' command?

A. The 'metric' keyword is ignored; the default-metric is used for all redistributed routes.
B. Both metrics are applied, causing a conflict and potential routing issues.
C. The 'metric' keyword overrides the default-metric for routes redistributed from OSPF into EIGRP.
D. The default-metric command is not needed and can be removed without any effect.
Answer: C

The explicit metric in the redistribute command takes precedence over the default-metric.

Why this answer

The 'metric' keyword in the redistribute command overrides the default-metric for that specific redistribution. The default-metric applies to all other redistribution without an explicit metric.

1130
MCQ · medium

A network engineer runs the following command to troubleshoot a route summarization issue:

R1# show ip nhrp detail
10.0.0.0/16 via 10.1.1.2, Tunnel0 created 00:01:00, expire 01:59:00
  Type: summary, Flags: used
  NBMA address: 192.168.1.2
  Registration: never

What does this output indicate?

A. The summary route 10.0.0.0/16 is learned via NHRP and is active, with the next hop being 192.168.1.2 over Tunnel0.
B. The summary route is not being used because the 'used' flag is not set.
C. The summary route is learned via EIGRP, not NHRP.
D. The summary route is a static route configured on the router.
Answer: A

The 'summary' type and 'used' flag confirm this is an active NHRP summary route.

Why this answer

This output shows an NHRP cache entry for the summary route 10.0.0.0/16. The type is 'summary', indicating that this is a summary route learned via NHRP. The 'used' flag and NBMA address show that the route is active and pointing to a specific tunnel destination.

1131
MCQ · medium

Which statement about PBR and the 'set interface' command is correct?

A. The 'set interface' command can only be used with point-to-point interfaces.
B. If the specified interface is down, the router uses the routing table.
C. The 'set interface' command requires a next-hop IP address to be specified.
D. The 'set interface' command forces the packet out the specified interface, and if the interface is down, the packet is dropped.
Answer: D

This is correct; PBR with 'set interface' does not fall back to the routing table if the interface is down.

Why this answer

The 'set interface' command forces the packet out a specific interface, overriding the routing table. If the interface is down, the packet is dropped unless a fallback is configured.

1132
MCQ · medium

Examine this configuration:

interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip nat outside
!
ip nat inside source static tcp 10.0.0.10 80 198.51.100.10 8080 extendable

Which statement is true?

A. All traffic from 10.0.0.10 is translated to 198.51.100.10.
B. Incoming traffic to 198.51.100.10:8080 is forwarded to 10.0.0.10:80.
C. The 'extendable' keyword is invalid for static NAT.
D. This translation will not work unless 'ip nat inside source list' is also configured.
Answer: B

Static NAT/PAT maps the outside address/port to the inside address/port bidirectionally.

Why this answer

This is a static NAT for TCP port 80 on inside host 10.0.0.10 to outside address 198.51.100.10 port 8080. The 'extendable' keyword allows multiple static translations to the same outside IP.

1133
MCQ · easy

What is the default timeout for NAT translation entries in Cisco IOS?

A. 60 seconds
B. 300 seconds
C. 86400 seconds (24 hours)
D. Never expires
Answer: C

The default timeout for NAT entries is 24 hours.

Why this answer

The default timeout for dynamic NAT translations is 24 hours (86400 seconds). This can be changed with the 'ip nat translation timeout' command.

1134
MCQ · hard

BGP is used between two ISPs. Router R1 has:

neighbor 10.0.0.2 route-map SET-MED in
route-map SET-MED permit 10
 set metric 50

On Router R2, 'show ip bgp 172.16.0.0' shows MED 50, but the path is not preferred. What is the root cause?

A. The MED value is too low to influence path selection.
B. The route-map should be applied outbound, not inbound.
C. MED is only compared when paths are from the same neighboring AS.
D. The neighbor has a higher local preference overriding MED.
Answer: C

BGP default behavior ignores MED from different ASes.

Why this answer

Option C is correct because BGP's MED (Multi-Exit Discriminator) attribute is only compared between paths that originate from the same neighboring AS. In this scenario, even though R2 receives a route with MED 50 from R1, the path is not preferred because the competing path likely comes from a different neighboring AS, making the MED comparison invalid. MED is a non-transitive attribute that influences inbound traffic only when comparing multiple exit points from the same AS.

Exam trap

Cisco often tests the nuance that MED is only compared between paths from the same neighboring AS, leading candidates to mistakenly think MED always influences path selection or that the value itself is the issue.

How to eliminate wrong answers

Option A is wrong because a MED value of 50 is not inherently too low; MED is a metric where lower values are preferred, so a low MED would actually make the path more preferred, not less. Option B is wrong because applying the route-map inbound on R1 correctly sets the MED on routes received from R2; applying it outbound would affect routes sent to R2, which is not the intended behavior for influencing R2's path selection. Option D is wrong because while local preference does override MED in BGP path selection order, the question states the MED is 50 but the path is not preferred, and there is no evidence that local preference is configured or higher; the most direct root cause is the AS path comparison rule for MED.

1135
Drag & Drop · medium

Drag and drop the steps to configure and verify Policy-Based Routing (PBR) into the correct order, from first to last.

Why this order

First, define the route map with a sequence number. Next, match the interesting traffic using an ACL or prefix list. Then, set the next-hop or interface.

Apply the route map under the interface in the inbound direction. Finally, verify with 'show route-map' or 'show ip policy'.

1136
Multi-Select · medium

Which TWO commands would a network engineer use to verify NAT translations and their statistics on a Cisco IOS router? (Choose TWO.)

A. show ip nat translations
B. show ip nat statistics
C. show ip nat verbose
D. show running-config | include nat
E. debug ip nat
Answers: A, B

'show ip nat translations' lists all current NAT/PAT translations, including inside local, inside global, outside local, and outside global addresses; 'show ip nat statistics' provides the counters.

Why this answer

The show ip nat translations command displays active NAT/PAT translation entries, while show ip nat statistics provides counters and configuration details. The other commands either do not exist or serve different purposes.

1137
MCQ · hard

An engineer configures PBR on a router to route traffic from subnet 10.1.1.0/24 to next-hop 192.168.1.2. The route-map is applied inbound on interface GigabitEthernet0/0. The engineer also configures 'ip policy route-map' on the same interface. However, the engineer notices that PBR is not working for multicast traffic from that subnet. What is the most likely explanation?

A. PBR is not supported for multicast traffic; multicast uses its own forwarding mechanisms.
B. The ACL in the route-map is blocking multicast addresses.
C. The next-hop 192.168.1.2 is not a multicast-capable router.
D. The route-map is missing a 'set ip next-hop verify-availability' command.
Answer: A

Multicast traffic is handled by multicast routing, not PBR, unless explicitly configured.

Why this answer

PBR does not process multicast traffic by default. Multicast packets are forwarded using multicast routing protocols (e.g., PIM) and are not subject to PBR. To apply PBR to multicast, special configuration (e.g., 'ip multicast policy route-map') is required.

1138
MCQ · hard

A network engineer configures RSPAN on a switch to monitor traffic from VLAN 10 to a remote switch, using VLAN 100 as the RSPAN VLAN. The source switch has:

monitor session 1 source vlan 10 rx
monitor session 1 destination remote vlan 100

The remote switch has:

monitor session 2 source remote vlan 100
monitor session 2 destination interface Gi0/1

The remote switch's Gi0/1 is connected to a network analyzer. The analyzer sees no traffic. The RSPAN VLAN 100 is configured on all intermediate switches with the 'remote-span' command. However, the intermediate switches run MST, and VLAN 100 is mapped to a different MST instance than the native VLAN. What is the root cause?

A. The RSPAN VLAN is not allowed on the trunk ports between switches.
B. MST maps VLAN 100 to a different instance, causing the port to be in a blocking state for that instance, thus dropping RSPAN traffic.
C. The 'remote-span' command is missing on the source and destination switches.
D. The RSPAN VLAN must be the native VLAN on all trunks.
Answer: B

MST can block VLANs in different instances, preventing RSPAN traffic from traversing.

Why this answer

RSPAN relies on flooding the mirrored traffic across the RSPAN VLAN. In MST, if the RSPAN VLAN is mapped to a different MST instance than the native VLAN, the spanning-tree topology may block the RSPAN VLAN on some ports. Specifically, if the RSPAN VLAN is in a different MST instance, the port may be in a blocking state for that instance, preventing the mirrored traffic from reaching the destination.

The 'remote-span' command does not override MST behavior. The fix is to map the RSPAN VLAN to the same MST instance as the native VLAN or use a single spanning-tree region.

1139
Multi-Select · hard

Which THREE commands can be used to verify the status of a DMVPN Phase 2 spoke-to-spoke tunnel? (Choose THREE.)

A. show dmvpn
B. show ip nhrp
C. show crypto isakmp sa
D. show ip route
E. show crypto ipsec sa
Answers: A, B, C

Correct. 'show dmvpn' displays DMVPN tunnel status, including the state of spoke-to-spoke tunnels.

Why this answer

To verify a spoke-to-spoke tunnel, 'show dmvpn' displays the tunnel status, including peers and up/down state. 'show ip nhrp' shows NHRP cache entries, including the /32 host route for the remote spoke. 'show crypto isakmp sa' shows the IKE phase 1 SA, which must be active before the IPsec tunnel can come up. 'show ip route' shows the routing table but does not specifically show tunnel status. 'show crypto ipsec sa' shows the IPsec phase 2 SAs and is also a valid check, but the question asks for exactly three commands, and 'show crypto isakmp sa' is the more fundamental one for initial establishment. The correct set is therefore 'show dmvpn', 'show ip nhrp', and 'show crypto isakmp sa'.

1140
MCQ · hard

R1 and R2 are BGP peers with BFD enabled. On R1, 'show bgp neighbors 10.1.1.2' shows the BGP state as 'Active' and the BFD session as 'Down'. On R2, 'show bfd neighbors' shows the session with R1 as 'Up'. R1 has 'neighbor 10.1.1.2 fall-over bfd' configured. R2 has 'neighbor 10.1.1.1 fall-over bfd' configured. The link between them is stable. What is the root cause?

A. R1 is missing 'bfd interval' configuration on the interface facing R2.
B. BGP requires 'neighbor 10.1.1.2 ebgp-multihop' for BFD to work.
C. R2 has a higher BFD multiplier causing session failure.
D. The BGP update-source is not set to the interface IP.
Answer: A

Without BFD interval configuration on the interface, R1 cannot establish a BFD session, causing BGP fall-over to keep BGP in Active state.

Why this answer

BFD for BGP fall-over requires that the BFD session be established before BGP can form. If the BFD session is up on R2 but down on R1, it indicates a unidirectional issue. This can happen if R1 has an ACL blocking BFD control packets from R2, or if R1's BFD configuration is missing.

Here, R1 likely lacks 'bfd interval' configuration on the interface, causing BFD to not initiate.

1141
MCQ · easy

A network engineer runs the following command on Router R1:

R1# show ipv6 dhcp interface GigabitEthernet0/1
GigabitEthernet0/1 is in server mode
  Using pool: POOL6
  Preference value: 0
  Hint from client: ignored
  Rapid-Commit: disabled

Based on this output, which statement is correct?

A. The interface is configured as a DHCPv6 client.
B. The interface is configured as a DHCPv6 server using pool POOL6.
C. The interface is using rapid-commit for faster address assignment.
D. The interface is in DHCPv6 relay mode.
Answer: B

The output shows server mode with a pool specified.

Why this answer

The command output explicitly states 'GigabitEthernet0/1 is in server mode' and 'Using pool: POOL6', which confirms that the interface is acting as a DHCPv6 server. The DHCPv6 server assigns IPv6 addresses and other configuration parameters from the specified pool to requesting clients.

Exam trap

Cisco often tests the ability to read the exact output of 'show ipv6 dhcp interface' and distinguish between server, client, and relay modes, where candidates may misinterpret 'server mode' as client mode or overlook the 'Rapid-Commit: disabled' line.

How to eliminate wrong answers

Option A is wrong because the output shows 'server mode', not client mode; a DHCPv6 client would show 'client mode' or 'in client mode'. Option C is wrong because the output shows 'Rapid-Commit: disabled', meaning rapid-commit is not enabled, so the interface is not using it for faster address assignment. Option D is wrong because the output does not indicate relay mode; a DHCPv6 relay interface would show 'relay mode' or similar, not 'server mode'.

1142
MCQ · medium

Consider the following configuration:

ipv6 access-list BLOCK-ICMP
 deny icmp any any echo-request
 deny icmp any any echo-reply
 permit ipv6 any any
!
interface GigabitEthernet0/2
 ipv6 traffic-filter BLOCK-ICMP in

Which statement is true?

A. The ACL blocks ICMP echo-request and echo-reply, but permits all other IPv6 traffic inbound.
B. The ACL blocks all ICMPv6 traffic because the deny statements are too broad.
C. The ACL must be applied outbound to filter echo-request.
D. The ACL is missing the 'log' keyword to be effective.
Answer: A

The deny statements match the specified ICMP types; the final permit allows everything else.

Why this answer

Option A is correct because the IPv6 ACL explicitly denies ICMPv6 echo-request and echo-reply messages (types 128 and 129) while the final permit ipv6 any any statement allows all other IPv6 traffic. The ipv6 traffic-filter command applied inbound on GigabitEthernet0/2 filters traffic as it enters the interface, so only the specified ICMP types are blocked, and all other IPv6 traffic is permitted.

Exam trap

Cisco often tests the misconception that an ACL applied inbound cannot block echo-reply because it is a response, but in IPv6, echo-reply is a separate ICMP type that can be filtered inbound on the interface where it arrives.

How to eliminate wrong answers

Option B is wrong because the ACL does not block all ICMPv6 traffic; it only denies two specific ICMPv6 message types (echo-request and echo-reply), and the permit ipv6 any any statement allows all other ICMPv6 types and all other IPv6 traffic. Option C is wrong because the ACL can filter echo-request and echo-reply when applied inbound; ICMP echo-request is typically sent from a source to a destination, so applying the ACL inbound on the destination interface will block the incoming echo-request, and echo-reply is also blocked inbound on the source interface if needed. Option D is wrong because the 'log' keyword is optional and not required for the ACL to be effective; the ACL will deny or permit traffic based on the configured entries without logging.

1143
MCQ · hard

A redistribution setup between OSPF and EIGRP is causing a routing loop for subnet 10.1.1.0/24. Router R1 runs OSPF and EIGRP with redistribution. R1's configuration:

router ospf 1
 redistribute eigrp 100 subnets
!
router eigrp 100
 redistribute ospf 1 metric 10000 100 255 1 1500
!
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip summary-address eigrp 100 10.1.0.0 255.255.255.0
!

Router R2 (EIGRP neighbor) shows:

R2# show ip route 10.1.1.0
Routing entry for 10.1.0.0/24, supernet
  Known via "eigrp 100", distance 90, metric 30720, type internal
  Last update from 10.1.1.1 on GigabitEthernet0/0, 00:00:05 ago

What is the root cause?

A. The summary route 10.1.0.0/24 is less specific and can cause routing loops when combined with redistribution because R2 may send traffic for 10.1.1.0/24 back to R1.
B. The redistribution metric is too high, causing EIGRP to prefer the OSPF route via another path.
C. OSPF does not support the subnets keyword, so the route is not redistributed correctly.
D. EIGRP is not enabled on the interface, so the summary is not advertised.
Answer: A

The summary creates a less specific route that can be redistributed, leading to a loop.

Why this answer

The summary route 10.1.0.0/24 is being advertised via EIGRP, but it is a less specific prefix than the actual /24. When R1 redistributes OSPF into EIGRP, the summary may cause R2 to prefer the summary over a more specific route, and if R2 sends traffic back to R1 for 10.1.1.0/24, R1 might forward it to R2 again if the OSPF route is not present, creating a loop. The summary should match the exact subnet or be more specific to avoid loops.

1144
MCQ · hard

An engineer is troubleshooting a missing BGP route on R3. R3 has an eBGP session with R4 (AS 65004) and an iBGP session with R1 (AS 65003). R4 advertises a prefix 192.168.1.0/24 to R3, and R3's BGP table shows the route with next-hop 10.1.4.4. However, R3 does not install this route in its routing table. The output of 'show ip bgp 192.168.1.0/24' on R3 shows the route as valid but not best. What is the most likely cause?

A. The route is not installed because the next-hop 10.1.4.4 is not reachable via any routing table entry.
B. The route is not installed because BGP synchronization is enabled and the IGP does not have the route.
C. The route is not installed because the prefix length is too long for the routing table.
D. The route is not installed because R3 has a higher administrative distance for eBGP routes.
Answer: A

Correct because BGP requires the next-hop to be reachable; otherwise, the route is not considered best.

Why this answer

For an eBGP route to be installed, the next-hop must be reachable via an IGP or static route. If the next-hop is not reachable, BGP marks the route as valid but not best.

1145
Multi-Select · hard

An engineer is troubleshooting a route redistribution issue between EIGRP and OSPF. Which TWO actions will prevent routing loops in a mutual redistribution scenario? (Choose TWO.)

A. Configure a higher administrative distance for routes learned via redistribution (e.g., distance 200 for OSPF external routes) to prefer the original protocol's routes.
B. Use the 'default-metric' command to set a consistent seed metric for redistributed routes, ensuring all routes have the same metric.
C. Apply route tags to redistributed routes and use distribute lists or route maps to prevent re-redistribution of tagged routes back into the original protocol.
D. Enable 'auto-summary' on both routing protocols to summarize routes at classful boundaries, reducing the number of routes and loop potential.
E. Configure 'passive-interface' on all interfaces where redistribution is performed to prevent routing updates from being sent.
Answers: A, C

Correct. By increasing the administrative distance for redistributed routes, you ensure that the original protocol's routes (with lower AD) are preferred, reducing the chance of a loop where a redistributed route is preferred over the original.

Why this answer

To prevent routing loops during mutual redistribution, you must ensure that routes redistributed from one protocol are not re-injected back into the source protocol. Common methods include setting administrative distance values (e.g., using 'distance' command) or using route tagging with distribute lists or route maps to filter. Simply increasing the metric for redistributed routes does not prevent loops, and disabling auto-summary is unrelated to loop prevention.

1146
MCQ · hard

Which authentication method is used by default in IKEv1 main mode for IPsec site-to-site VPN on Cisco IOS?

A. RSA signatures
B. Pre-shared keys
C. Elliptic Curve Digital Signature Algorithm (ECDSA)
D. No default; authentication must be explicitly configured
Answer: B

PSK is the default authentication method for IKEv1.

Why this answer

In Cisco IOS, IKEv1 main mode for IPsec site-to-site VPN defaults to pre-shared keys (PSK) as the authentication method. This is because PSK is the simplest to configure and does not require a public key infrastructure (PKI), making it the default choice when no other authentication method is explicitly specified. The configuration commands like 'crypto isakmp key' directly implement PSK authentication.

Exam trap

Cisco often tests the misconception that IKEv1 has no default authentication method, leading candidates to choose 'No default; authentication must be explicitly configured' when in fact pre-shared keys are the default.

How to eliminate wrong answers

Option A is wrong because RSA signatures require digital certificates and a PKI, which is not the default; they must be explicitly configured with commands like 'crypto isakmp identity' and certificate enrollment. Option C is wrong because ECDSA is not supported as an authentication method in IKEv1 on Cisco IOS; it is only available in IKEv2 with the 'authentication ecdsa-sig' command. Option D is wrong because there is a default authentication method (pre-shared keys) in IKEv1 main mode; authentication does not need to be explicitly configured unless a different method is desired.

1147
MCQ · medium

A network engineer is troubleshooting a BGP session that is flapping. The routers are connected via a direct Ethernet cable. BFD is configured for the BGP session. The engineer checks the BFD session and sees it is 'Up'. However, the BGP session goes down every 30 seconds. The BGP configuration includes 'neighbor 10.0.0.2 fall-over bfd'. What is the most likely cause?

A. The BGP hold timer is set to 30 seconds on one router and 90 seconds on the other.
B. The BFD session is using echo mode, which is not supported for BGP fall-over.
C. The interface is configured with 'bfd interval 50 min_rx 50 multiplier 3' but the neighbor is configured with 'bfd interval 100 min_rx 100 multiplier 3'.
D. The BGP session is using EBGP multihop, and the TTL is set to 2.
Answer: A

A mismatch in BGP hold timer can cause the session to reset when the hold timer expires; the BFD session being up does not affect BGP's own keepalive mechanism.

Why this answer

The BGP fall-over bfd command causes BGP to monitor the BFD session. If the BFD session is up but BGP is flapping, the issue is likely a BGP configuration problem, such as a mismatch in hold timer or update-source.

1148
MCQ · hard

An engineer configures unicast Reverse Path Forwarding (uRPF) in strict mode on an interface connected to a customer network. The customer has a default route pointing to the router. After enabling uRPF, the router drops traffic from the customer that has a source IP address that is not in the routing table as a directly connected or static route. What is the most likely explanation?

A. Strict mode uRPF requires a specific route for the source IP; a default route is not sufficient.
B. The customer's default route causes asymmetric routing, which breaks strict mode.
C. The uRPF mode should be loose mode to allow the default route.
D. The router has an ACL that is blocking the traffic before uRPF checks.
Answer: A

Strict mode checks for a matching route with the same incoming interface; a default route does not provide a specific interface match.

Why this answer

Strict mode uRPF verifies that the source IP address of an incoming packet matches a specific route in the routing table, and that the interface used to reach that source IP is the same as the incoming interface. A default route (0.0.0.0/0) is a catch-all entry and does not provide a specific, directly connected or static route for the customer's source IP. Therefore, the router drops the traffic because it cannot find an exact match for the source IP in the routing table, which is a fundamental requirement of strict mode.

Exam trap

Cisco often tests the misconception that a default route satisfies strict mode uRPF requirements, but the trap is that strict mode demands a specific route (not a default) for the source IP, and the incoming interface must match the route's outgoing interface.

How to eliminate wrong answers

Option B is wrong because asymmetric routing is not the core issue; strict mode uRPF drops packets even with symmetric routing if the source IP lacks a specific route. Option C is wrong because loose mode uRPF only checks that a route exists for the source IP in the routing table (including a default route), but it does not require the incoming interface to match; however, the question describes strict mode behavior, not a need to switch modes. Option D is wrong because the problem is explicitly caused by uRPF strict mode, not by an ACL; ACLs are processed after uRPF checks, so they would not be the reason for the drops described.

1149
MCQ · hard

A network engineer configures iBGP between DMVPN hub and spokes using the hub as a route reflector. On the hub, the BGP configuration includes 'neighbor <spoke-ip> next-hop-self'. Unexpectedly, spokes receive routes from other spokes with the next-hop set to the hub's tunnel IP, but the spokes cannot reach that next-hop because it is not in their routing table. Which is the most likely explanation?

A. The hub's 'next-hop-self' command is configured under the BGP neighbor statement for the spoke, but the route reflector behavior overrides it, causing the hub to not modify the next-hop for routes reflected between spokes.
B. The spokes are not configured as route-reflector clients, so the hub does not reflect routes between them, and the next-hop remains unchanged.
C. The iBGP session between hub and spokes is using loopback interfaces, and the next-hop is set to the loopback IP, which is not reachable via the tunnel.
D. The 'next-hop-self' command is only applicable for eBGP sessions, not iBGP, so it has no effect on the reflected routes.
Answer: A

In a route reflector setup, 'next-hop-self' must be configured under the address-family for the neighbor; otherwise, the reflector does not change the next-hop for reflected routes.

Why this answer

In a DMVPN Phase 2 or 3 network, the hub typically sets the next-hop to itself using 'next-hop-self' for routes advertised to spokes. However, if the hub is a route reflector, it does not change the next-hop for routes received from one spoke and advertised to another spoke, unless 'next-hop-self' is explicitly configured. The corner case is that 'next-hop-self' must be applied under the address-family or neighbor configuration, and if it is misapplied or missing for the route-reflector client sessions, the spoke-to-spoke routes retain the original next-hop (the other spoke's tunnel IP), which may not be reachable if NHRP redirect or shortcuts are not enabled.

1150
MCQ · medium

Given this configuration on router R1:

crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
 lifetime 86400
!
crypto isakmp key cisco123 address 192.168.1.2
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set TSET
 match address 101
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

What will happen when traffic from 10.1.1.0/24 to 10.2.2.0/24 is generated?

A. The traffic will be dropped because the ACL denies it.
B. The traffic will be forwarded normally without encryption.
C. The router will attempt to establish an IPsec tunnel but fail because the crypto map is missing.
D. The router will create a dynamic crypto map entry automatically.
Answer: B

Since the crypto map is not applied, the router treats the traffic as normal and forwards it based on routing.

Why this answer

Option B is correct because the crypto map is not applied to any interface. Without the `crypto map CMAP` command under GigabitEthernet0/1, the router has no IPsec policy to enforce on that interface. Traffic matching access-list 101 will simply be forwarded normally as clear-text IP packets, since no encryption is triggered.

Exam trap

The trap here is that candidates often assume a crypto map is automatically applied to the interface it references (e.g., via the peer IP), but Cisco explicitly tests that the `crypto map` command under the interface is required for IPsec to function.

How to eliminate wrong answers

Option A is wrong because access-list 101 is a permit ACL used to identify interesting traffic for IPsec, not a deny ACL; it does not drop traffic. Option C is wrong because the crypto map is fully configured (with peer, transform-set, and match address), so it is not missing; it is simply not applied to any interface, and therefore no tunnel establishment is attempted. Option D is wrong because dynamic crypto maps are used for responder-only scenarios (e.g., when the peer IP is unknown) and are not automatically created; a static crypto map must be explicitly applied to an interface.

1151
MCQmedium

A network engineer is troubleshooting an EIGRP issue where a router is not installing a route in the routing table, even though the route is present in the EIGRP topology table. The route is a feasible successor, but it is not being used. What is the most likely reason for this?

A.The feasible successor has a higher metric than the current successor.
B.The route is a summary route that is being suppressed.
C.The route is being filtered by a distribute-list in.
D.The EIGRP variance command is set to 1, preventing unequal-cost load balancing.
AnswerA

Correct because EIGRP installs only the route with the lowest metric (successor) into the routing table; feasible successors are kept as backup routes.

Why this answer

EIGRP only installs the best route (successor) into the routing table. If a route is in the topology table as a feasible successor but not installed, it means that the feasible distance for that route is higher than the current successor's metric, so it is not the best path.

1152
MCQmedium

A network engineer runs the following command on Router R1:

R1# show ipv6 snooping binding
IPv6 Address       MAC Address      VLAN   Interface   State
2001:DB8:1::100    aaaa.bbbb.cccc   10     Gi0/0/0     ACTIVE
2001:DB8:1::101    aaaa.bbbb.cccd   10     Gi0/0/0     ACTIVE
2001:DB8:1::102    aaaa.bbbb.ccce   10     Gi0/0/1     ACTIVE
2001:DB8:1::103    aaaa.bbbb.cccf   10     Gi0/0/1     ACTIVE

Based on this output, which statement is correct?

A.All entries are in the ACTIVE state, meaning they are valid bindings.
B.The binding for 2001:DB8:1::103 is invalid.
C.The table shows only IPv6 addresses from SLAAC.
D.There are no entries for VLAN 10.
AnswerA

ACTIVE state indicates the binding is valid and being used.

Why this answer

The snooping binding table shows the IPv6 addresses and corresponding MAC addresses for devices on VLAN 10. All entries are ACTIVE, meaning they have been validated. This is used for source guard and other first-hop security features.

1153
MCQhard

A network engineer is troubleshooting a BGP session that is not establishing. The routers are connected via a Layer 3 switch. BFD is configured for BGP. The engineer checks the BFD session and sees it is 'Down'. The BGP configuration appears correct. The interface between the routers is up/up. What is the most likely cause?

A.The BGP neighbor is not directly connected; BFD requires a directly connected interface or a static route pointing to the neighbor's IP.
B.The Layer 3 switch is not configured for BFD, causing it to drop BFD packets.
C.The BGP session is using EBGP multihop, and the TTL is set to 1.
D.The interface is configured with 'bfd interval 50 min_rx 50 multiplier 3' but the neighbor is not configured for BFD.
AnswerA

BFD sessions over multihop BGP require special configuration (bfd all-interfaces under BGP) and a route to the neighbor; if the neighbor is not directly connected, BFD will fail without proper setup.

Why this answer

BFD sessions require that the destination IP address be reachable via a directly connected interface or a static route. If the BGP neighbor is not directly connected (e.g., via a loopback), BFD may fail if the next hop is not directly connected or if there is a routing issue.

1154
MCQmedium

A network engineer runs the following command on Router R1:

R1# show ip vrf CUSTOMER
  Name        Default RD    Interfaces
  CUSTOMER    65001:100     Gi0/0.100
                            Gi0/1.100

Based on this output, which statement is correct?

A.The VRF CUSTOMER is configured with two subinterfaces.
B.The VRF CUSTOMER has no route distinguisher configured.
C.The VRF CUSTOMER is not active because no routes are shown.
D.The VRF CUSTOMER is using OSPF as the routing protocol.
AnswerA

The output lists two interfaces under the VRF.

Why this answer

The output of 'show ip vrf CUSTOMER' displays the VRF name, its default route distinguisher (RD) of 65001:100, and the interfaces assigned to it. The interfaces listed are Gi0/0.100 and Gi0/1.100, which are both subinterfaces (indicated by the .100 suffix). Therefore, the VRF CUSTOMER is correctly configured with two subinterfaces.

Exam trap

Cisco often tests the distinction between VRF configuration output and routing information; the trap here is that candidates may assume a VRF is inactive or misconfigured because no routes are shown, when in fact 'show ip vrf' only displays the VRF name, RD, and interface assignments.

How to eliminate wrong answers

Option B is wrong because the output clearly shows a default RD of 65001:100, so a route distinguisher is configured. Option C is wrong because the VRF is active; the absence of routes in this output is normal, as 'show ip vrf' only displays VRF configuration and interface assignments, not routing information. Option D is wrong because the output does not indicate any routing protocol; VRF configuration is independent of the routing protocol used (OSPF, EIGRP, BGP, etc.) and no protocol is shown here.

1155
MCQhard

An engineer is troubleshooting a DMVPN phase 3 network where spoke-to-spoke tunnels are not being established dynamically. The hub router has NHRP redirect enabled, and spokes have NHRP shortcut enabled. The engineer notices that when a spoke sends traffic to another spoke, the hub forwards the traffic but does not send an NHRP redirect. The hub's NHRP configuration includes the command 'ip nhrp redirect'. What is the most likely cause?

A.The spoke does not have 'ip nhrp shortcut' enabled.
B.The hub router does not have a route to the spoke's LAN subnet.
C.The tunnel interface on the hub has 'no ip nhrp redirect' configured.
D.The spoke's NHRP registration does not include the LAN subnet.
AnswerB

Correct because the hub must have a route to the spoke's subnet to generate an NHRP redirect; without it, the hub forwards traffic without sending a redirect.

Why this answer

In DMVPN phase 3, the hub must have 'ip nhrp redirect' enabled on the tunnel interface, and the spoke must have 'ip nhrp shortcut' enabled. Additionally, the hub must have a route to the spoke's subnet; otherwise, the hub will not send an NHRP redirect. The issue is that the hub does not have a route to the spoke's subnet.

1156
MCQeasy

Which statement accurately describes the behavior of the ip nat inside source static command when configuring static NAT for a single inside host?

A.It dynamically allocates the global address from a pool and removes the entry after an idle timeout.
B.It creates a permanent mapping that remains in the NAT table until the configuration is removed.
C.It requires the use of an access list to define which traffic is translated.
D.It translates only TCP and UDP traffic by default.
AnswerB

Correct. Static NAT entries are permanent and do not age out.

Why this answer

The ip nat inside source static command creates a permanent one-to-one mapping between an inside local IP address and an inside global IP address. This translation is always present in the NAT table and does not time out.

1157
MCQmedium

What is the default ERSPAN encapsulation type on Cisco IOS-XE devices?

A.ERSPAN Type I
B.ERSPAN Type II
C.ERSPAN Type III
D.ERSPAN Type IV
AnswerB

Type II is the default, with a 4-byte GRE header and 4-byte ERSPAN header, including a sequence number.

Why this answer

ERSPAN defaults to Type II encapsulation, which uses a 4-byte GRE header with a 4-byte ERSPAN header (8 bytes total). Type III is optional and requires explicit configuration.

1158
MCQmedium

A network engineer is troubleshooting an IPsec site-to-site VPN that stopped working after a recent configuration change. The engineer runs 'show crypto isakmp sa' and sees an active IKE SA, but 'show crypto ipsec sa' shows no IPsec SAs. What is the most likely cause?

A.The IPsec transform set on one router does not match the transform set on the other.
B.The pre-shared key is incorrect on one of the routers.
C.The tunnel interface is down.
D.The IKE proposal is mismatched.
AnswerA

Correct because during phase 2, the routers negotiate the transform set; if they do not match, the IPsec SA cannot be established.

Why this answer

An active IKE SA indicates that IKE phase 1 completed successfully, but no IPsec SAs means phase 2 failed. The most common cause is a mismatch in the IPsec transform set or the crypto map access list between the two routers.

1159
Multi-Selecthard

Which TWO configuration changes will prevent IPv6 traffic from being forwarded from a specific source prefix in a BGP environment without using a prefix list? (Choose TWO.)

Select 2 answers
A.Apply an inbound IPv6 access-list on the interface that denies traffic from the source prefix.
B.Configure a route map that matches the source prefix and sets a BGP community, then apply it inbound on the BGP neighbor to filter the prefix from being advertised.
C.Use the 'ipv6 route' command to install a discard route for the source prefix.
D.Apply an outbound IPv6 access-list on the interface to block traffic from the source prefix.
E.Configure uRPF strict mode on the interface to drop packets from the source prefix if the prefix is not in the FIB.
AnswersA, B

Correct. An IPv6 access-list applied inbound on an interface can filter traffic based on source prefix.

Why this answer

To block IPv6 traffic from a source prefix, you can use an inbound IPv6 access-list on the interface or leverage BGP path filtering with a route map that matches the source prefix and sets a community that is denied. Another method is to use a route policy to filter the prefix from being installed in the routing table, but that affects routing, not traffic filtering. The question asks for traffic filtering without a prefix list (but an access-list is allowed).

Using 'ipv6 access-list' and applying it inbound is valid. Also, using BGP community-based filtering can block traffic at the edge.

1160
MCQmedium

Examine the following partial IPv6 DHCP guard configuration:

ipv6 dhcp guard policy DHCP_GUARD
 device-role server
 match server access-list SERVER_ACL
!
interface GigabitEthernet0/2
 ipv6 dhcp guard policy DHCP_GUARD

Which statement is true about this configuration?

A.The interface will allow DHCP server messages only from sources matching SERVER_ACL.
B.The interface will block all DHCP server messages.
C.The interface will allow all DHCP client messages.
D.The interface will drop all DHCP messages.
AnswerA

The 'match server' clause restricts which servers are trusted, and the policy is applied to the interface.

Why this answer

DHCP guard policy with device-role server allows DHCP server messages only if they match the access-list. The interface applies the policy to filter DHCP messages.

1161
MCQhard

A BGP-speaking router R1 is redistributing BGP routes into EIGRP. R1 has the following configuration:

router bgp 100
 redistribute eigrp 100

Router R2, an EIGRP neighbor, shows that 'show ip route eigrp' includes some BGP routes but with high metrics. Traffic to those destinations is suboptimal. What is the root cause?

A.R1 has no default-metric configured for EIGRP, so redistributed BGP routes use the default metric of infinity, causing them to be unreachable.
B.R1 has a route-map that sets the metric to 100000 1000 255 1 1500, which is too high, causing suboptimal path selection.
C.BGP routes have a lower administrative distance than EIGRP, so they are not installed.
D.R2 has a route filter that increases the metric for BGP-originated routes.
AnswerB

High metric values make the route less preferred, leading to suboptimal routing.

Why this answer

When redistributing BGP into EIGRP, the metric must be set explicitly; otherwise, EIGRP uses default metric values (if configured) or rejects the routes. If the metric is set via a route-map or default-metric, incorrect values can cause high metrics.

1162
MCQmedium

A network engineer runs the following command on Router R1:

R1# show access-lists
Extended IP access list 101
    10 permit tcp 192.168.1.0 0.0.0.255 any eq 80 (10 matches)
    20 deny tcp any host 10.1.1.1 eq 22 (5 matches)
    30 permit icmp any any (2 matches)
    40 deny ip any any (1 match)

Based on this output, which statement is correct?

A.Traffic matching line 10 is permitted and counted correctly.
B.All traffic is permitted because line 40 has only 1 match.
C.Line 20 denies SSH traffic to host 10.1.1.1, and 5 packets matched.
D.The ACL has no effect because it is not applied to an interface.
AnswerA, C

Line 10 has 10 matches and is a permit statement, so traffic matching it is permitted.

Why this answer

Option A is correct because the ACL shows 10 matches for line 10, which permits TCP traffic from the 192.168.1.0/24 network to any destination on port 80 (HTTP). The match counter accurately reflects the number of packets that have matched this specific entry, confirming that permitted traffic is being counted correctly.

Exam trap

Cisco often tests the misconception that an ACL's match counters indicate the action taken (permit or deny) rather than just the number of packets that matched the entry, and that an ACL must be applied to an interface to have any effect, but the show access-lists output does not reveal whether it is applied.

How to eliminate wrong answers

Option B is wrong because the presence of a deny ip any any statement at line 40 does not permit all traffic; it denies all unmatched traffic, and the single match indicates that only one packet has been denied so far. Option D is wrong because the ACL can still be applied to an interface (e.g., via the ip access-group command) and the show access-lists output does not indicate whether it is applied or not; the ACL's effect depends on its application, but the output alone does not confirm it has no effect.

1163
MCQhard

An engineer configures BFD on a DMVPN Phase 2 spoke-to-spoke tunnel. The BFD session between two spokes comes up, but the spoke-to-spoke dynamic IPsec tunnel fails to establish. What is the most likely explanation?

A.The BFD session is using the mGRE tunnel interface, but the IPsec crypto map is applied to the physical interface, causing a mismatch in the path.
B.The spoke routers have different BFD minimum intervals, causing the session to flap and reset the IPsec tunnel.
C.The NHRP authentication string is mismatched between spokes, preventing NHRP from resolving the destination.
D.The IPsec transform-set uses ESP with SHA-1, but BFD requires MD5 authentication.
AnswerA

Correct. In DMVPN, BFD should be configured on the tunnel interface, but IPsec is applied to the physical interface. If BFD is misconfigured to use the physical interface, it will not detect failures of the tunnel path, and the IPsec tunnel may not be triggered correctly.

Why this answer

In DMVPN Phase 2, spoke-to-spoke tunnels are triggered by NHRP redirects. BFD can cause the NHRP redirect to be lost or delayed if the BFD interval is too aggressive, causing the spoke to believe the path is down before the IPsec tunnel is established. Additionally, BFD over the mGRE tunnel requires that the tunnel destination be reachable via the underlying IP network; if the spoke's public IP is not reachable due to NAT, BFD may come up but IPsec may fail due to NAT traversal issues.

1164
MCQhard

An engineer configures iBGP between two routers in the same AS. The BGP session comes up, but the routes learned from the eBGP neighbor are not installed in the routing table. The IGP does not carry the BGP next-hop address. Which is the most likely explanation?

A.The BGP next-hop is not reachable because the IGP does not advertise it, and no static route exists.
B.The BGP synchronization rule is enabled, causing the route to be suppressed until the IGP learns it.
C.The next-hop-self command is missing on the eBGP neighbor, so the iBGP router sees the external next-hop.
D.The BGP table shows the route as valid, but the routing table does not install it due to administrative distance.
AnswerA

BGP checks the reachability of the next-hop before installing the route. Without reachability, the route is hidden from the routing table.

Why this answer

The correct answer is A because for a BGP route to be installed in the routing table, the next-hop address must be reachable via the IGP or a static route. Since the IGP does not carry the BGP next-hop address and no static route exists, the next-hop is unreachable, causing the route to remain in the BGP table but not be installed in the routing table.

Exam trap

Cisco often tests the distinction between BGP table validity and routing table installation, where candidates mistakenly think a valid BGP route automatically installs, ignoring the next-hop reachability requirement.

How to eliminate wrong answers

Option B is wrong because BGP synchronization is disabled by default in modern IOS versions (Cisco IOS 12.2(8)T and later) and is rarely used; even if enabled, it would require the IGP to have a route to the prefix, not the next-hop. Option C is wrong because the next-hop-self command is typically configured on an eBGP neighbor to change the next-hop to the router's own IP when advertising to iBGP peers, but its absence does not prevent route installation if the next-hop is reachable via IGP or static route. Option D is wrong because administrative distance (e.g., 200 for iBGP) affects route selection among different protocols but does not prevent installation of a valid route; the route is not installed due to next-hop unreachability, not administrative distance.

1166
MCQmedium

What is the default size of the logging buffer in Cisco IOS-XE when 'logging buffered' is enabled without specifying a size?

A.1024 bytes
B.4096 bytes
C.8192 bytes
D.16384 bytes
AnswerB

The default buffer size is 4096 bytes.

Why this answer

The default logging buffer size is 4096 bytes (4 KB) on most Cisco IOS-XE platforms.

1167
Multi-Selectmedium

Which TWO statements about syslog message severity levels are true? (Choose TWO.)

Select 2 answers
A.Severity level 0 (emergencies) is the most critical and indicates system instability.
B.Severity level 5 (warnings) is less severe than level 4 (notifications).
C.Severity level 7 (debugging) includes all messages from lower severity levels.
D.Severity level 6 (informational) is used for system error messages.
E.Severity level 3 (errors) is more critical than level 2 (critical).
AnswersA, C

Level 0 is the highest severity, used for system-wide emergencies.

Why this answer

Syslog severity levels range from 0 (emergencies) to 7 (debugging). Level 0 is the most critical, and level 7 is the least critical. Level 5 is 'notifications', not 'warnings'; warnings are level 4.

Level 6 is 'informational'. Level 3 is 'errors'.

1168
MCQhard

CoPP is rate-limiting legitimate routing traffic. Router R1 has:

class-map match-any ROUTING
 match protocol bgp
 match protocol ospf
policy-map COPP
 class ROUTING
  police 10000 conform-action transmit exceed-action drop

BGP sessions flap. What is the root cause?

A.The class-map should match only BGP, not OSPF.
B.The police rate is too low, causing drops of BGP packets.
C.CoPP should be applied to the control plane, not the data plane.
D.BGP sessions flap due to MTU mismatch, not CoPP.
AnswerB

10 kbps is insufficient for BGP keepalives and updates, leading to flaps.

Why this answer

B is correct because the police rate of 10,000 bps (10 kbps) is too low for BGP traffic. BGP uses TCP port 179 and can generate bursts of packets during keepalive and update exchanges; if the policer drops BGP packets, the TCP session times out and flaps. The class-map correctly matches both BGP and OSPF, but the rate limit is insufficient for the combined control-plane traffic.

Exam trap

Cisco often tests the misconception that CoPP class-map matching must be exclusive, when in fact the root cause is an overly restrictive police rate that drops essential control-plane packets like BGP keepalives.

How to eliminate wrong answers

Option A is wrong because the class-map uses match-any logic, so matching both BGP and OSPF is valid; the issue is not the match criteria but the police rate. Option C is wrong because CoPP is specifically designed to be applied to the control plane via 'service-policy input CoPP' under 'control-plane' configuration; applying it to the data plane would not protect the control plane. Option D is wrong because MTU mismatch would cause packet fragmentation or loss at Layer 3, but the question explicitly states CoPP is rate-limiting traffic, and BGP flapping due to dropped keepalives is a classic symptom of policer drops, not MTU issues.

1169
MCQmedium

Consider the following BGP configuration with BFD:

router bgp 65000
 neighbor 10.1.1.2 remote-as 65001
 neighbor 10.1.1.2 fall-over bfd
!
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.252
 bfd interval 200 min_rx 200 multiplier 4
!

What is the effect of the 'neighbor fall-over bfd' command?

A.BGP will use BFD to detect link failures, but the BGP hold timer still applies.
B.BGP will ignore the BFD session and continue using its own keepalive/hold mechanism.
C.BGP will use BFD for fast failure detection; if BFD goes down, BGP will reset the session immediately.
D.The 'fall-over bfd' command is only needed if BFD timers are less than 100 ms.
AnswerC

Correct. BGP registers with BFD and upon BFD session failure, BGP tears down the neighbor without waiting for the hold timer.

Why this answer

The 'neighbor fall-over bfd' command enables BGP to use BFD for fast failure detection. When BFD detects a failure, BGP will immediately tear down the peering session without waiting for the hold timer.

1170
MCQmedium

A router running EIGRP has a CoPP policy that includes a class-map matching EIGRP packets with a police rate of 2000 bps. The network engineer notices that EIGRP neighbor adjacencies are flapping. The EIGRP network has 100 routes. The engineer checks the CoPP statistics and sees that the EIGRP class has dropped 500 packets in the last hour. What is the most likely root cause?

A.The EIGRP hello interval is set too low, causing excessive hello packets that exceed the police rate.
B.The CoPP police rate of 2000 bps is insufficient for EIGRP hello and update traffic, causing packet drops.
C.The EIGRP authentication is causing larger packets that exceed the police rate.
D.The CoPP class-map is matching EIGRP packets incorrectly, causing them to be dropped by a default class.
AnswerB

EIGRP packets, though small, can be dropped if the police rate is too low, leading to adjacency flapping.

Why this answer

EIGRP hello packets are small and sent every 5 seconds by default. With 100 routes, the update traffic is also small. However, if the police rate is too low, even small packets can be dropped.

The drop count of 500 packets in an hour indicates that EIGRP packets are being policed, causing adjacencies to flap.

1171
MCQmedium

Interface GigabitEthernet0/1 is configured as shown:

interface GigabitEthernet0/1
 ipv6 address 2001:db8:1::1/64
 ipv6 nd raguard
 ipv6 nd prefix default no-autoconfig

What is the effect of this configuration?

A.The interface drops all incoming Router Advertisements from other routers.
B.The interface sends RAs with the autonomous flag set to allow SLAAC.
C.The interface only allows RAs from a specific authorized router.
D.The interface drops all Neighbor Solicitations.
AnswerA

The 'ipv6 nd raguard' command blocks RAs received on this interface, enforcing first-hop security.

Why this answer

The 'ipv6 nd raguard' command enables Router Advertisement guard on the interface, which filters RAs. The 'ipv6 nd prefix default no-autoconfig' suppresses the autonomous address configuration flag in RAs, preventing hosts from using SLAAC.

1172
Multi-Selecthard

Which THREE symptoms indicate that NAT is misconfigured or failing on a Cisco router? (Choose THREE.)

Select 3 answers
A.Inside hosts can ping the outside interface IP but cannot reach hosts beyond it.
B.Traffic flows in one direction only (e.g., inside-to-outside works, but return traffic fails).
C.The show ip nat translations output shows many translations with the same inside global address but different ports, and new connections fail.
D.The router's CPU utilization is high due to BGP process.
E.The show ip route command shows a default route pointing to the ISP next hop.
AnswersA, B, C

This often indicates that NAT is not translating the source address for packets going out, or the return traffic is not being untranslated.

Why this answer

Common NAT failure symptoms include: inability to ping from inside to outside (no translation), asymmetric routing causing one-way traffic, and translation table exhaustion. The other options describe unrelated issues.

1173
MCQhard

An engineer configures an IPv6 manual tunnel between two routers. The tunnel is up and both routers can ping each other's tunnel IPv6 addresses. However, when the engineer tries to redistribute a connected IPv6 route from the tunnel into OSPFv3, the route is not advertised. The OSPFv3 process includes the tunnel interface. What is the most likely cause?

A.The tunnel interface does not have an IPv6 address configured; manual tunnels require an IPv6 address on the tunnel interface for the connected route to exist.
B.OSPFv3 does not support redistribution of connected routes from tunnel interfaces.
C.The 'redistribute connected' command must include the 'metric-type' keyword to be effective.
D.The tunnel interface is in a different OSPFv3 process than the one where redistribution is configured.
AnswerA

Without an IPv6 address on the tunnel interface, there is no connected route to redistribute. The tunnel may still pass traffic using the tunnel source/destination, but no IPv6 subnet is directly connected.

Why this answer

For a manual IPv6 tunnel, the tunnel interface must have an IPv6 address configured. Without an IPv6 address on the tunnel interface, there is no connected IPv6 route for that interface, so the 'redistribute connected' command under OSPFv3 has no route to advertise. The tunnel being up and pingable between tunnel IPv6 addresses indicates the tunnel itself is operational, but the absence of an IPv6 address on the tunnel interface means no connected route exists to redistribute.

Exam trap

Cisco often tests the misconception that a tunnel being up and pingable implies a connected IPv6 route exists, but in manual tunnels, the tunnel interface must have its own IPv6 address for a connected route to be present and redistributable.

How to eliminate wrong answers

Option B is wrong because OSPFv3 fully supports redistribution of connected routes from tunnel interfaces, provided the tunnel interface has an IPv6 address and is included in the OSPFv3 process. Option C is wrong because the 'metric-type' keyword is optional; its absence does not prevent redistribution from occurring, it only affects the metric type (E1 vs E2) of the redistributed routes. Option D is wrong because the tunnel interface is explicitly stated to be part of the OSPFv3 process where redistribution is configured, so a process mismatch is not the issue.

1174
MCQeasy

A network engineer runs the following commands on Router R1:

R1# show event manager policy registered
No.  Type    Time Created                Name
1    applet  00:01:23 UTC Mar 1 2025     EIGRP_Neighbor_Down

R1# show event manager history events
Event History:
No.  Time                  Type    Name
1    00:01:30 UTC Mar 1    syslog  EIGRP_Neighbor_Down

Based on this output, which statement is correct?

A.The EIGRP neighbor down event has occurred once.
B.The EIGRP neighbor is currently down.
C.The EEM policy is disabled.
D.The EIGRP neighbor is flapping.
AnswerA

The event history shows a single entry for EIGRP_Neighbor_Down.

Why this answer

The output shows one registered EEM applet policy and one triggered event. The correct answer is that the EIGRP neighbor down event has occurred once.

1175
Multi-Selecthard

Which THREE symptoms indicate a potential MPLS label switching issue on a Cisco router? (Choose THREE.)

Select 3 answers
A.The output of 'show mpls forwarding-table' shows 'no label' for a specific prefix.
B.The output of 'show mpls ldp neighbor' shows 'state: OPERATIONAL' for all neighbors.
C.The output of 'debug mpls ldp errors' shows 'Label bindings not received from peer'.
D.The output of 'show mpls forwarding-table' shows 'Pop tag' for a prefix on a router that is not the egress LSR.
E.The output of 'show mpls interfaces' shows 'IP' only for an interface configured for MPLS.
AnswersA, C, D

This indicates that the router has not received a label binding for that prefix from its LDP neighbor, causing packets to be forwarded without MPLS.

Why this answer

MPLS issues often manifest as incorrect label operations. 'show mpls forwarding-table' showing 'no label' for a route indicates a missing label binding. 'show mpls ldp neighbor' showing 'state: OPERATIONAL' is normal, not a symptom. 'debug mpls ldp errors' showing 'Label bindings not received' indicates a problem. 'show mpls forwarding-table' showing 'Pop tag' for a non-egress router suggests a misconfiguration. 'show mpls interfaces' showing 'IP' only (not MPLS) indicates MPLS is not enabled on the interface.

1176
MCQmedium

A network engineer runs the following command to troubleshoot an MPLS L3VPN issue:

R1# debug mpls ldp transport
Output:
*Mar 1 00:01:23.456: mpls_ldp_transport: LDP transport connection from 10.0.0.2:646 to 10.0.0.1:1025
*Mar 1 00:01:23.456: mpls_ldp_transport: LDP transport connection from 10.0.0.2:646 to 10.0.0.1:1025 is accepted
*Mar 1 00:01:23.456: mpls_ldp_transport: LDP transport connection from 10.0.0.2:646 to 10.0.0.1:1025 is established
*Mar 1 00:01:23.456: mpls_ldp_transport: LDP transport connection from 10.0.0.2:646 to 10.0.0.1:1025 is up

What does this output indicate?

A.LDP session is being established between 10.0.0.1 and 10.0.0.2
B.LDP session is being torn down between 10.0.0.1 and 10.0.0.2
C.LDP is using UDP for transport
D.LDP label bindings are being exchanged
AnswerA

The output shows the TCP connection for LDP is accepted, established, and up, indicating a successful LDP session setup.

Why this answer

The debug output shows LDP transport connections between two routers. The messages indicate that a TCP connection from 10.0.0.2 (LDP port 646) to 10.0.0.1 (ephemeral port 1025) was accepted, established, and is now up. This confirms LDP adjacency is forming at the transport layer.

1177
MCQhard

A large enterprise network is experiencing intermittent reachability from a specific subnet (10.1.1.0/24) to a critical server (192.168.10.10). Router R1 has PBR configured to forward traffic from 10.1.1.0/24 to next-hop 10.2.2.2, but traffic is also being load-balanced via the routing table to 10.3.3.3. Router R2 shows: 'show ip route 192.168.10.10' returns a route via 10.4.4.4, but 'show ip policy' on R1 shows the route-map is applied. What is the root cause?

A.The route-map is missing the 'set ip next-hop verify-availability' command, causing PBR to forward traffic to an unreachable next-hop.
B.The ACL in the route-map is incorrectly matching traffic from 10.1.1.0/24, causing PBR to be applied to the wrong traffic.
C.The routing table on R1 has a higher administrative distance for the route to 192.168.10.10 via 10.3.3.3, causing PBR to be ignored.
D.The next-hop 10.2.2.2 is reachable but the path is congested, causing intermittent packet drops.
AnswerA

Without 'verify-availability', PBR does not check if the next-hop is reachable. Adding this command ensures PBR only uses the next-hop if it is reachable, falling back to the routing table otherwise.

Why this answer

PBR uses a route-map to match traffic and set next-hop. If the route-map does not have a 'set ip next-hop verify-availability' command, PBR will forward traffic to the next-hop even if it is not reachable. In this scenario, the next-hop 10.2.2.2 is not reachable, but PBR still forwards traffic to it, causing intermittent reachability.

The routing table load-balancing to 10.3.3.3 works, but PBR overrides it for matched traffic.

1178
MCQhard

A network engineer configures PBR on a router to route traffic from subnet 10.1.1.0/24 via next-hop 192.168.1.2. The route-map uses match ip address and set ip next-hop commands. However, traffic sourced from 10.1.1.5 still follows the routing table instead of the PBR policy. What is the most likely cause?

A.The route-map is applied to the wrong interface (outbound instead of inbound).
B.The router is generating the traffic locally (e.g., ping from the router), and PBR does not apply to local packets without 'ip local policy route-map'.
C.The ACL in the route-map is missing a permit statement for subnet 10.1.1.0/24.
D.The next-hop 192.168.1.2 is not reachable via any directly connected interface.
AnswerB

Local packets require 'ip local policy route-map' to be influenced by PBR.

Why this answer

PBR processes only transit traffic; locally generated packets (e.g., from the router itself) are not affected by PBR unless the 'ip local policy route-map' command is used. The engineer must apply PBR globally for local packets.

1179
Drag & Dropmedium

Drag and drop the steps to troubleshoot OSPF DR/BDR election on a multi-access segment into the correct order, from first to last.


Why this order

The correct order ensures that the OSPF DR/BDR election is properly influenced. First, verify the current DR/BDR roles using show ip ospf interface. Next, set the OSPF priority on the desired router to a higher value than the current DR.

Then, clear the OSPF process on all routers to force a new election. After that, verify the new DR/BDR roles have been elected as expected. Finally, confirm that adjacencies are formed with the new DR/BDR.

1180
Multi-Selecthard

An engineer must prevent a VRF on a PE router from learning routes from a specific remote site in an MPLS L3VPN. Which TWO configuration changes on the local PE can achieve this? (Choose TWO.)

Select 2 answers
A.Remove the import RT that corresponds to the remote site's export RT from the VRF configuration.
B.Remove the export RT from the VRF configuration.
C.Apply a route map with a 'match ip address' prefix-list to the VRF's import direction to deny the remote site's prefixes.
D.Change the Route Distinguisher (RD) of the VRF to a different value.
E.Configure 'neighbor <remote-PE> default-originate' under the VRF address-family.
AnswersA, C

Correct. Without a matching import RT, the PE will not install the remote site's VPNv4 routes into the VRF.

Why this answer

To block routes from a specific remote site, the engineer can either remove the import RT that matches the remote site's export RT, or configure a route map with a 'match ip address' clause to deny specific prefixes and apply it to the import direction. Removing the export RT from the local VRF would affect how the local site's routes are advertised, not what is received. Changing the RD does not affect route acceptance.

The 'neighbor ... default-originate' command is unrelated to filtering VPNv4 routes.

1181
MCQmedium

A network engineer runs the following command on Router R2:

R2# show logging | include %SYS-5-CONFIG_I
*Mar 1 00:10:15.123: %SYS-5-CONFIG_I: Configured from console by console
*Mar 1 00:12:45.678: %SYS-5-CONFIG_I: Configured from console by console
*Mar 1 00:15:30.001: %SYS-5-CONFIG_I: Configured from console by console
*Mar 1 00:20:00.999: %SYS-5-CONFIG_I: Configured from console by console

Based on this output, what is the most likely problem?

A.The router has a memory leak causing frequent reloads.
B.The router is being reconfigured repeatedly from the console, which could indicate unauthorized access or a script issue.
C.The logging buffer is full and messages are being overwritten.
D.The syslog server is not reachable, so messages are only logged locally.
AnswerB

Multiple %SYS-5-CONFIG_I messages from the console suggest repeated configuration changes, which is abnormal and could be a security issue or a misconfigured automation script.

Why this answer

The output shows multiple configuration changes being made from the console within a short period of time. This could indicate unauthorized access or a misconfiguration that is causing repeated configuration changes. However, it is also possible that the logging level is simply set low and these messages are being generated by a loop or an automated script.

The key clue, though, is that the messages come from the console, suggesting someone is making changes repeatedly. The correct answer is that the router is being reconfigured frequently, possibly due to a configuration loop or an attacker.

1182
Multi-Selectmedium

Which TWO statements about OSPFv3 (OSPF for IPv6) are true when comparing it to OSPFv2? (Choose TWO.)

Select 2 answers
A.OSPFv3 uses link-local IPv6 addresses for neighbor discovery.
B.OSPFv3 uses the same LSA types as OSPFv2.
C.OSPFv3 supports authentication using MD5 or SHA within the OSPF packet.
D.OSPFv3 uses the 'network' command to enable OSPF on interfaces.
E.OSPFv3 operates on a per-link basis rather than per-IP-subnet.
AnswersA, E

OSPFv3 routers form adjacencies using their link-local IPv6 addresses.

Why this answer

OSPFv3 runs on a per-link basis (not per-subnet) and uses link-local addresses for neighbor discovery. OSPFv3 still uses areas and LSAs, and authentication is handled by IPsec, not OSPF itself. OSPFv3 does not use the 'network' command; it uses 'ipv6 ospf' under the interface.

1183
MCQmedium

What is the default CoPP classification for ARP packets on a Cisco IOS-XE device?

A.Normal
B.Critical
C.Management
D.Best-effort
AnswerB

ARP is classified as critical to ensure that address resolution is not starved by CoPP.

Why this answer

ARP packets are essential for Layer 2 connectivity and are typically classified as 'critical' in CoPP to prevent ARP spoofing or flooding from disrupting network operations.

1184
MCQmedium

A network engineer is troubleshooting a DHCPv4 issue where a router configured as a DHCP server is not assigning addresses to clients on a subnet that is reachable via a different router (relay). The relay router (R2) has 'ip helper-address 10.1.1.1' on its client-facing interface, and the DHCP server is at 10.1.1.1 (R1). The engineer sees that R2 is sending DHCP DISCOVER messages with giaddr set to the client-facing interface IP, but R1 is not responding. R1 has a DHCP pool for the client subnet. The engineer pings 10.1.1.1 from R2 successfully. What is the most likely cause?

A.The DHCP server does not have a route to the client subnet (the giaddr subnet).
B.The relay agent R2 is missing the 'ip dhcp relay information option' command.
C.The DHCP pool on R1 is missing the 'default-router' command.
D.The 'ip helper-address' on R2 should point to the server's loopback address, not the interface IP.
AnswerA

Correct because the server sends the OFFER to the giaddr IP, which is on a different subnet; without a route back, the OFFER is lost.

Why this answer

The DHCP server may not have a route back to the client subnet (the giaddr subnet). Even though the server's interface IP is reachable, the server needs to send the OFFER to the giaddr (which is the relay agent's interface IP). If the server does not have a route to that subnet, the OFFER will be dropped.

The ping from R2 to R1 succeeds because R1's interface is directly connected, but the return traffic from R1 to the giaddr (which is on a different subnet) may fail if R1 does not have a route.

1185
MCQhard

Which of the following is a limitation of NAT as defined in RFC 2663?

A.NAT cannot translate UDP traffic.
B.NAT is incompatible with TCP traffic.
C.NAT breaks end-to-end IP connectivity and can interfere with application-layer protocols.
D.NAT requires all traffic to be encrypted.
AnswerC

Correct. This is a well-known limitation of NAT as per RFC 2663.

Why this answer

RFC 2663 describes NAT and its limitations. One key limitation is that NAT breaks end-to-end IP connectivity because it modifies IP addresses and possibly port numbers in packets, which can interfere with protocols that embed IP addresses in the payload (e.g., FTP, SIP).

1186
MCQhard

What is the default maximum number of route-map entries that can be processed in a single PBR policy on Cisco IOS-XE?

A.255
B.65535
C.1000
D.Unlimited
AnswerB

The default maximum number of route-map entries for PBR is 65535.

Why this answer

The default maximum number of route-map entries in a PBR policy is 65535, but the practical limit is often lower due to memory and performance constraints.

1187
Multi-Selecthard

Which TWO statements about route summarization in EIGRP are true? (Choose TWO.)

Select 2 answers
A.EIGRP automatic summarization is enabled by default for classful networks.
B.Manual summarization can be configured using the 'ip summary-address eigrp' command under interface configuration.
C.EIGRP supports automatic summarization for all types of networks, including discontiguous subnets.
D.Route summarization in EIGRP requires the use of a route-map to define the summary prefix.
E.Manual summarization can only be applied to serial interfaces.
AnswersA, B

By default, EIGRP summarizes routes at classful boundaries when automatic summarization is enabled.

Why this answer

EIGRP supports manual summarization on any interface using the 'ip summary-address eigrp' command, and automatic summarization is enabled by default for classful networks. Automatic summarization applies only at major (classful) network boundaries, not to all networks such as discontiguous subnets. Summarization in EIGRP does not require a route-map, and manual summarization can be configured on any interface, not just serial interfaces.

1188
MCQhard

A DMVPN Phase 3 network with MPLS LDP configured on the tunnel interfaces experiences label distribution failures. R1 (hub) and R2 (spoke) have LDP neighborships established, but R2 is not receiving labels for prefixes behind R3 (another spoke). What is the root cause?

A.LDP is not enabled on the tunnel interface of R3, so R2 cannot receive labels for prefixes behind R3.
B.R2 has a higher LDP router ID, causing it to become the LDP session initiator.
C.NHRP is not resolving R3's tunnel IP to its physical IP, preventing LDP hello packets from reaching R3.
D.The MPLS label range on R2 is exhausted, preventing new label bindings.
AnswerA

Correct. LDP must be enabled on all tunnel interfaces for label distribution. If R3 does not have 'mpls ip' on its tunnel interface, it will not distribute labels.

Why this answer

In DMVPN Phase 3, the tunnel interface is a multipoint interface. LDP uses the primary IP address of the interface for neighbor discovery. If the tunnel interface is configured with an 'ip mtu' or 'ip tcp adjust-mss' value that differs between routers, or if LDP hello packets are not reaching the other routers because of NHRP resolution issues, label distribution may fail.

The most common cause is that LDP is not enabled on the tunnel interface or the label space is not correctly configured for DMVPN.

1189
MCQeasy

Which SNMPv2c PDU type is used by the manager to request a large amount of data efficiently, such as an entire routing table?

A.GetRequest
B.GetNextRequest
C.GetBulkRequest
D.SetRequest
AnswerC

GetBulkRequest allows retrieval of multiple variable bindings in one request, ideal for large tables.

Why this answer

GetBulkRequest is designed to retrieve multiple rows of a table in a single request.

1190
Drag & Dropmedium

Drag and drop the steps for MPLS LDP label discovery and distribution into the correct order, from first to last.


Why this order

LDP begins by establishing a TCP connection between peers, then sends Hello messages to discover neighbors, forms an adjacency, exchanges label mappings, and finally populates the LIB with learned labels.

1191
MCQmedium

Given this configuration:

ip nat pool GLOBAL 203.0.113.1 203.0.113.10 prefix-length 28
ip nat inside source list 10 pool GLOBAL overload
access-list 10 permit 10.0.0.0 0.255.255.255

What is the effect?

A.All inside hosts are translated to the first pool address only.
B.Each inside host gets a unique pool address without port translation.
C.Inside hosts matching ACL 10 are translated to addresses in the pool using PAT.
D.The prefix-length 28 is invalid; a netmask must be used instead.
AnswerC

This correctly describes the configuration: dynamic NAT with overload.

Why this answer

This uses a pool of addresses with PAT (overload). Inside hosts matching ACL 10 are translated to one of the pool addresses with port multiplexing.

1192
MCQmedium

A network engineer runs the following command to troubleshoot IPv6 source guard:

R1# debug ipv6 source-guard
*Mar 1 00:04:56.789: IPv6-Source-Guard: R1, Fa0/0, IPv6 packet from 2001:db8::5, src MAC 0011.2233.4455, dst 2001:db8::1
*Mar 1 00:04:56.789: IPv6-Source-Guard: R1, Fa0/0, Binding lookup: 2001:db8::5 not found in binding table
*Mar 1 00:04:56.789: IPv6-Source-Guard: R1, Fa0/0, Packet dropped: source 2001:db8::5 not allowed

What does this output indicate?

A.IPv6 source guard is dropping packets from sources not in the binding table, preventing spoofing.
B.IPv6 source guard is allowing the packet because the source MAC matches.
C.IPv6 source guard is not configured; the debug output is from default IPv6 forwarding.
D.IPv6 source guard is learning the binding from the packet and will allow future packets.
AnswerA

The packet is dropped because the source address is not found in the binding table.

Why this answer

The debug shows IPv6 source guard dropping a packet because the source address 2001:db8::5 is not in the binding table, indicating an unauthorized source.

1193
MCQhard

An engineer configures unicast Reverse Path Forwarding (uRPF) in strict mode on the DMVPN hub's physical interface facing the WAN. Unexpectedly, spokes are unable to communicate with each other via the hub, even though direct spoke-to-spoke tunnels are working. Which is the most likely explanation?

A.uRPF strict mode on the physical interface drops packets from spokes because the reverse path to the spoke's tunnel IP is via the DMVPN tunnel interface, not the physical interface.
B.uRPF strict mode on the physical interface drops packets because the source IP of the spoke is not in the routing table at all.
C.uRPF strict mode is incompatible with DMVPN because the tunnel interface uses GRE encapsulation, which modifies the source IP.
D.The 'allow-default' option is not configured, which is required for uRPF to work with DMVPN.
AnswerA

The hub routes traffic to spoke tunnel IPs through the tunnel interface, so the reverse path check fails on the physical interface, causing drops.

Why this answer

uRPF strict mode checks that the source IP address of incoming packets has a route back to the source via the same interface. In a DMVPN network, when a spoke sends traffic to another spoke via the hub, the source IP is the spoke's tunnel IP. The hub's routing table may have a route to that spoke's tunnel IP via the DMVPN tunnel interface, not the physical WAN interface.

Therefore, uRPF strict mode on the physical interface drops the packet because the reverse path is not through the same interface. The fix is to use uRPF loose mode or the allow-default option, or to apply uRPF on the tunnel interface instead.

1194
Multi-Selecthard

Which TWO actions will prevent a CoPP policy from inadvertently dropping legitimate routing protocol packets during a traffic spike? (Choose TWO.)

Select 2 answers
A.Create a class-map that matches routing protocol packets (e.g., OSPF, EIGRP, BGP) and assign a police rate with conform-action transmit and exceed-action drop.
B.Create a class-map that matches routing protocol packets and assign a police rate with conform-action transmit and violate-action transmit.
C.Place routing protocol traffic into a class with a 'drop' action to prevent it from overwhelming the control plane.
D.Use the 'police' command with a high committed information rate (CIR) and burst size, and apply 'conform-action transmit' and 'exceed-action set-dscp cs6'.
E.Apply the CoPP policy only to the 'control-plane host' subinterface, which processes all routing protocol packets.
AnswersB, D

Correct. Using transmit for both conform and violate actions ensures routing protocol packets are never dropped, even during spikes.

Why this answer

To protect routing protocols, CoPP should classify routing protocol traffic into a high-priority class with a conform-action of 'transmit' and a violate-action of 'transmit' (or a high bandwidth guarantee). Using 'police' with 'conform-action transmit' and 'exceed-action drop' is too aggressive. A 'drop' action in any class that matches routing protocols is dangerous. 'set-dscp' does not prevent drops.

1195
MCQhard

A network engineer runs the following commands on Router R1:

R1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
udp 192.0.2.10:1234    10.0.0.10:1234     203.0.113.5:53     203.0.113.5:53
tcp 192.0.2.10:5678    10.0.0.10:5678     198.51.100.20:80   198.51.100.20:80
--- 192.0.2.11         10.0.0.11          ---                ---

R1# show ip nat statistics
Total active translations: 3 (0 static, 3 dynamic; 3 extended)
Outside interfaces:
  GigabitEthernet0/1
Inside interfaces:
  GigabitEthernet0/0
Hits: 100  Misses: 0
CEF Translated packets: 100, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id] ip nat pool POOL1 192.0.2.10 192.0.2.20 netmask 255.255.255.240 refcount 3 map-id 1 overload
[Id] ip nat inside source list ACL1 pool POOL1 overload refcount 3

Based on this output, what is the problem?

A.The third translation is not using PAT, indicating a possible ACL or route-map misconfiguration.
B.The pool is exhausted because 192.0.2.10 is used twice.
C.The outside interface is misconfigured as inside.
D.The NAT translations are all static.
AnswerA

The overload configuration should create PAT entries with protocol/port. The third entry without protocol suggests the traffic from 10.0.0.11 is not being matched by the same ACL or is using a different pool.

Why this answer

The output shows two PAT translations (UDP and TCP) for 10.0.0.10 using the same inside global address 192.0.2.10, plus a dynamic NAT translation for 10.0.0.11 with no protocol or port. The problem is that the third translation (10.0.0.11) is not using PAT, which could indicate a misconfiguration, that ACL1 does not match traffic from 10.0.0.11 properly, or that the pool is misapplied. The key clue is that the third entry lacks a protocol, meaning it is a basic NAT translation rather than PAT, which is inconsistent with the overload configuration.

This could be due to a route-map or ACL issue.

1196
MCQhard

Router R6 is configured to send SNMP inform requests to the NMS at 192.168.1.1. Configuration: snmp-server host 192.168.1.1 informs version 2c public, snmp-server enable traps. The NMS receives no informs. R6's show snmp statistics shows InformRequestsSent: 0, and show snmp pending shows no pending. The NMS can poll R6 successfully. The network has a firewall between R6 and the NMS that allows UDP 162. What is the root cause?

A.The 'snmp-server host' command for informs requires the 'informs' keyword to be placed correctly, but the router may not support informs with v2c; informs are only supported with SNMPv3.
B.The NMS is not configured to send SNMP responses to informs.
C.The firewall is blocking UDP 162 from the NMS to the router.
D.The router's SNMP agent is not enabled due to a missing 'snmp-server' command.
AnswerA

SNMPv2c does not support informs; it only supports traps. Informs require SNMPv3. The configuration uses v2c, so no informs are sent.

Why this answer

SNMP informs require a response from the NMS. The NMS must be configured to send an SNMP response to the inform. If the NMS does not support informs or is not configured to respond, the router will not send informs.

However, show snmp statistics shows InformRequestsSent: 0, meaning the router is not even attempting to send informs. One might suspect that the router's SNMP agent is not generating the inform because the trap source is unreachable or the inform timeout is too low, but the NMS can poll R6, so reachability is fine.

The correct answer is therefore option A: the 'snmp-server host' command for informs requires the 'informs' keyword to be placed correctly, but the router may not support informs with v2c; informs are only supported with SNMPv3.

1197
MCQmedium

A network engineer is troubleshooting a BGP route advertisement issue. Router R1 in AS 65001 is configured to redistribute connected routes into BGP. The route 10.10.10.0/24 is learned via BGP on R2 (AS 65002), but R2's iBGP neighbor R3 (AS 65002) does not receive this route. R2 and R3 have a full iBGP mesh, and the BGP session is established. The output of 'show ip bgp' on R2 shows the route with the 'r' flag (RIB-failure). What is the most likely cause?

A.The route is marked as RIB-failure because a route with a lower administrative distance already exists in the routing table for the same prefix.
B.The route is marked as RIB-failure because the next-hop is unreachable.
C.The route is marked as RIB-failure because BGP synchronization is enabled and the IGP does not have the route.
D.The route is marked as RIB-failure because the prefix is being filtered by an outbound route map.
AnswerA

Correct because RIB-failure occurs when another routing source (e.g., OSPF, EIGRP, static) has a better route, preventing BGP from installing its route.

Why this answer

RIB-failure indicates that BGP learned a route but it was not installed in the routing table because a better route (e.g., from an IGP or static) already exists. This prevents the route from being advertised to iBGP peers.

1198
MCQhard

A network engineer is troubleshooting an IPsec site-to-site VPN where the tunnel is up, but the engineer notices that the 'show crypto ipsec sa' output shows that the number of packets encrypted is much higher than the number of packets decrypted on the remote side. What is the most likely cause?

A.The remote router has a misconfigured route that sends return traffic out the wrong interface.
B.The IPsec SA lifetime is set too low, causing frequent rekeying.
C.The crypto map on the local router is applied to the wrong interface.
D.The access list in the crypto map on the remote router is too permissive, encrypting extra traffic.
AnswerA

Correct because if the remote router does not have a route to the local LAN that points to the tunnel interface, the return traffic will be sent out the physical interface without encryption, and the local router will not see corresponding decrypted packets.

Why this answer

A significant mismatch between encrypted and decrypted packet counts suggests that some packets are being lost or dropped after encryption. The most common cause is a routing issue where the return traffic from the remote side is not taking the VPN tunnel, so the remote router does not decrypt those packets.

1199
MCQmedium

A network engineer runs the following command on Router R1:

R1# show policy-map control-plane
Control Plane

Service-policy input: CoPP-IN

  Class-map: CoPP-DEFAULT (match-any)
    5000 packets, 300000 bytes
    5 minute offered rate 4000 bps, drop rate 2000 bps
    Match: any
    police:
        cir 32000 bps, bc 6000 bytes, be 6000 bytes
      conformed 3000 packets, 180000 bytes; actions:
        transmit
      exceeded 1000 packets, 60000 bytes; actions:
        drop
      violated 1000 packets, 60000 bytes; actions:
        drop

Based on this output, what is the most likely impact on the router?

A.All control plane traffic is being transmitted without issues.
B.Some control plane traffic is being dropped, which could cause routing protocol instability.
C.The police rate is set to 64000 bps.
D.Only ICMP traffic is being dropped.
AnswerB

Dropped packets in the class-default can affect critical control plane traffic.

Why this answer

The class-default is matching all traffic not matched by other classes, and it is rate-limiting with a CIR of 32000 bps. Since there are drops, some control plane traffic (e.g., routing updates, management traffic) may be dropped, potentially causing issues like BGP session flapping or SSH timeouts.

1200
MCQmedium

snmp-server ifindex persist

What is the effect of this configuration?

A.Interface indices are preserved after a device reload.
B.Interface statistics are cleared on reload.
C.SNMP traps are sent for interface state changes.
D.The ifIndex is based on the interface name.
AnswerA

The 'snmp-server ifindex persist' command ensures that ifIndex values remain consistent across reboots.

Why this answer

This command makes SNMP interface indices persistent across reboots. Without it, interface indices may change after a reload, which can cause issues for NMS systems that rely on consistent ifIndex values.
