Cisco CCNP ENARSI 300-410 (300-410) — Questions 1276–1350

2152 questions total · 29 pages · All types, answers revealed

Page 18 of 29
1276
MCQ · hard

An engineer configures a route reflector cluster with two route reflectors in the same cluster ID. After convergence, some iBGP routes are missing on clients, and 'show ip bgp' shows the path with 'r' flag. What is the most likely explanation?

A. The cluster ID is misconfigured and should be unique per route reflector.
B. The route reflectors have different BGP AS numbers, causing the 'r' flag to indicate a routing loop.
C. The clients have 'no bgp default route-reflector-client' configured, preventing them from receiving reflected routes.
D. The route reflectors have 'bgp cluster-id' set to 0.0.0.0, which disables cluster-based loop prevention.
Answer: A

Route reflectors with the same cluster ID will reject routes from each other to prevent loops, leading to missing routes on clients.

Why this answer

When two route reflectors share the same cluster ID, they treat each other's updates as if from the same cluster. The route reflector loop prevention mechanism drops routes learned from another RR in the same cluster, causing route loss if the clients are not fully meshed.

1277
MCQ · hard

An engineer configures a DMVPN Phase 2 network with IPsec protection. Spoke-to-spoke tunnels form, but traffic between spokes is not being forwarded directly; it still goes through the hub. The engineer verifies that NHRP registrations are successful and that the spoke-to-spoke IPsec sessions are established. What is the most likely explanation?

A. The hub router is not configured with the 'no ip split-horizon' command for EIGRP or the 'neighbor' command for OSPF, preventing spoke-to-spoke route propagation.
B. The IPsec transform set on the spokes uses different encryption algorithms, preventing the spoke-to-spoke tunnel from passing traffic.
C. The NHRP authentication string is mismatched between spokes, causing NHRP resolution to fail.
D. The spoke routers have a static default route pointing to the hub, overriding the dynamic routes.
Answer: A

In DMVPN Phase 2, the hub must disable split horizon (EIGRP) or use a network type that allows route propagation (OSPF) so that spokes learn each other's subnets. Without this, spokes only have a default route via the hub, so traffic goes through the hub.

Why this answer

In a DMVPN Phase 2 network, spoke-to-spoke traffic requires that each spoke learns the remote spoke's prefix via the hub. For EIGRP, the hub must disable split horizon with 'no ip split-horizon eigrp <as>' to propagate routes learned from one spoke to other spokes. Without this, the hub advertises only its own routes, so spokes lack the necessary routing information to forward traffic directly, causing it to be sent through the hub despite working NHRP and IPsec.

Exam trap

Cisco often tests the subtle distinction between NHRP resolution success and actual routing table propagation—candidates assume that if NHRP and IPsec are working, traffic must flow directly, but they overlook the hub's routing protocol configuration that prevents spoke-to-spoke route advertisement.

How to eliminate wrong answers

Option B is wrong because mismatched IPsec transform sets would prevent the spoke-to-spoke IPsec session from establishing, but the scenario states that spoke-to-spoke IPsec sessions are already established. Option C is wrong because mismatched NHRP authentication would cause NHRP registrations and resolutions to fail, but the scenario confirms NHRP registrations are successful. Option D is wrong because a static default route pointing to the hub does not override dynamic routes for specific spoke prefixes; spokes would still use the dynamically learned routes for direct forwarding if they exist.

1278
Multi-Select · hard

Which TWO statements about IPv6 manual tunnels (IPv6-in-IPv4) are true? (Choose TWO.)

Select 2 answers
A. The tunnel mode must be configured as tunnel mode ipv6ip.
B. The tunnel interface requires both an IPv4 address and an IPv6 address.
C. Manual tunnels support multicast traffic natively.
D. The tunnel destination can be a multicast IPv4 address.
E. The IPv4 address of the tunnel source is automatically embedded in the IPv6 prefix.
Answers: A, B

Correct. Manual IPv6-in-IPv4 tunnels use tunnel mode ipv6ip.

Why this answer

Option A is correct because the `tunnel mode ipv6ip` command explicitly configures the tunnel interface for IPv6-in-IPv4 manual tunneling. This mode encapsulates IPv6 packets directly into IPv4 packets using protocol type 41, as defined in RFC 4213. Without this mode, the tunnel interface would not properly handle the encapsulation and decapsulation of IPv6 traffic over an IPv4 infrastructure.

Exam trap

Cisco often tests the distinction between manual tunnels and automatic 6to4 tunnels, where candidates mistakenly think the IPv4 source address is embedded in the IPv6 prefix (true for 6to4) or that multicast destinations are allowed (true for GRE tunnels, not manual IPv6-in-IPv4).

1279
MCQ · medium

Given this configuration:

```
interface GigabitEthernet0/4
 ip access-group BLOCK_FTP in
!
ip access-list extended BLOCK_FTP
 deny tcp any any eq 21
 deny tcp any any eq 20
 permit ip any any
```

What is the effect of this ACL when applied inbound on GigabitEthernet0/4?

A. It blocks all FTP traffic entering the interface, but permits all other IP traffic.
B. It blocks all FTP traffic leaving the interface.
C. It permits FTP traffic and blocks all other IP traffic.
D. It has no effect because the ACL is missing a sequence number.
Answer: A

Correct. The ACL denies FTP ports and permits everything else.

Why this answer

The ACL is applied inbound on GigabitEthernet0/4, meaning it filters traffic as it enters the interface. The first two deny statements block TCP traffic destined for ports 21 (FTP control) and 20 (FTP data), which are the standard ports for FTP. The final permit ip any any allows all other IP traffic.

Thus, only FTP traffic is blocked, and all other IP traffic is permitted.

Exam trap

Cisco often tests the distinction between inbound and outbound ACL application, and the trap here is that candidates may confuse the direction (in vs out) and incorrectly think the ACL blocks outbound traffic, or they may overlook that the explicit permit ip any any is required to allow other traffic after the deny statements.

How to eliminate wrong answers

Option B is wrong because the ACL is applied inbound (ip access-group BLOCK_FTP in), so it filters traffic entering the interface, not leaving it; outbound filtering would require the out keyword. Option C is wrong because the ACL explicitly denies FTP traffic (ports 20 and 21) and permits all other IP traffic, so it blocks FTP, not permits it. Option D is wrong because Cisco IOS extended ACLs do not require sequence numbers; sequence numbers are optional and used for editing, not for the ACL to function.

1280
MCQ · easy

Which RFC defines the IPv6 Neighbor Discovery Protocol that is the basis for many First Hop Security features?

A. RFC 4861
B. RFC 2460
C. RFC 4291
D. RFC 4443
Answer: A

RFC 4861 is the standard for IPv6 Neighbor Discovery.

Why this answer

RFC 4861 defines the Neighbor Discovery Protocol for IPv6, which includes Neighbor Solicitations, Advertisements, Router Solicitations, and Advertisements.

1281
MCQ · medium

A network engineer configures SPAN on a Cisco Catalyst switch to monitor traffic between two hosts. The engineer configures the source interface as GigabitEthernet0/1 and the destination interface as GigabitEthernet0/2. After the configuration, the engineer notices that the monitored traffic is not being forwarded to the destination port. What is the most likely cause?

A. The destination port is not in the same VLAN as the source port.
B. The destination port is configured as a trunk port.
C. The destination port is in a blocking state due to Spanning Tree Protocol.
D. The source interface is not in the same VLAN as the destination interface.
Answer: C

Correct because SPAN destination ports are not expected to participate in STP; they should be configured with 'spanning-tree portfast' to avoid blocking.

Why this answer

SPAN destination ports must be configured with the 'spanning-tree portfast' command to avoid being blocked by Spanning Tree Protocol (STP). Without this, the destination port may remain in a blocking state.

1282
MCQ · hard

A network engineer configures Flexible NetFlow on a router to monitor traffic on a trunk interface with multiple VLANs. The flow monitor is applied to the physical interface. The engineer notices that all flows show the same VLAN ID in the collector, even though traffic from different VLANs is present. What is the most likely cause?

A. The flow record does not include any VLAN match fields.
B. The trunk interface is not configured with 'switchport trunk encapsulation dot1q'.
C. The flow monitor is applied only to the physical interface, not the subinterfaces.
D. The collector does not support VLAN fields.
Answer: A

Without 'match dot1q vlan' in the flow record, VLAN information is not captured, so all flows appear with the same (or zero) VLAN ID.

Why this answer

To capture VLAN information in Flexible NetFlow, the flow record must include 'match dot1q vlan' or 'match vlan' fields. Without these, the VLAN ID is not recorded, and the collector may show a default or incorrect value.

1283
MCQ · easy

A network engineer runs the following command to verify IPsec transform sets on a DMVPN hub:

```
R1# show crypto ipsec transform-set
Transform set combined: { esp-aes 256 esp-sha-hmac }
   will negotiate = { Tunnel, },
Transform set TS1: { esp-aes 256 esp-sha-hmac }
   will negotiate = { Transport, },
```

What does this output indicate?

A. Both transform sets are configured with the same encryption and authentication algorithms.
B. The transform set 'combined' is used for DMVPN because it uses tunnel mode.
C. The transform set 'TS1' is used for DMVPN because it uses transport mode.
D. No transform sets are configured; the output is empty.
Answer: A, C

Correct: Both use esp-aes 256 and esp-sha-hmac, differing only in mode.

Why this answer

The output shows two transform sets: 'combined' uses tunnel mode, 'TS1' uses transport mode. DMVPN typically uses transport mode for mGRE tunnels.

1284
Multi-Select · medium

Which TWO commands would a network engineer use to verify the NHRP registration status of a spoke router in a DMVPN Phase 2 network? (Choose TWO.)

Select 2 answers
A. show dmvpn
B. show ip nhrp
C. show crypto isakmp sa
D. show ip route
E. show ip eigrp neighbors
Answers: A, B

The 'show dmvpn' command shows the DMVPN tunnel status, including the NHRP registration state (e.g., 'UP/UP' with registration status).

Why this answer

The 'show dmvpn' command displays the current DMVPN tunnel status, including the NHRP registration state of each peer. The 'show ip nhrp' command shows the NHRP cache entries, which include the registration status and mapping information. The other commands either do not show NHRP registration details or are for different purposes.

1285
Multi-Select · medium

Which TWO statements are true regarding the use of VRF-Lite in a Cisco Enterprise network? (Choose TWO.)

Select 2 answers
A. VRF-Lite enables multiple virtual routing tables on a single router, providing traffic separation without MPLS.
B. VRF-Lite supports dynamic routing protocols such as OSPF and EIGRP within each VRF.
C. VRF-Lite requires MPLS to exchange VPNv4 routes between routers.
D. VRF-Lite can automatically encrypt traffic between VRFs using IPsec.
E. VRF-Lite can only be used with static routing.
Answers: A, B

VRF-Lite creates separate routing tables per VRF, isolating traffic at Layer 3 without needing MPLS.

Why this answer

VRF-Lite allows multiple routing tables on a single router, enabling traffic separation without MPLS. It relies on static routes or dynamic routing protocols like OSPF, EIGRP, or BGP within each VRF. The incorrect options: MPLS is not required for VRF-Lite; VRF-Lite does not support MPLS VPNv4 route exchange (that requires MPLS); and VRF-Lite does not inherently provide encryption.

1286
MCQ · hard

A network engineer runs the following command to troubleshoot a route redistribution issue:

```
R1# show ip bgp vpnv4 vrf CUSTOMER routes
```

And sees the following output:

```
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf CUSTOMER)
*> 192.168.10.0/24  10.1.1.2                 0    100      0 65001 i
*> 192.168.20.0/24  10.1.1.2                 0    100      0 65001 i
```

What does this output indicate?

A. The VRF CUSTOMER has two routes learned via BGP from AS 65001.
B. The routes are redistributed from OSPF into BGP within the VRF.
C. The VRF is not receiving any routes because of a redistribution issue.
D. The routes are locally originated within the VRF.
Answer: A

The output shows two routes with next hop 10.1.1.2 and AS path 65001.

Why this answer

The show ip bgp vpnv4 vrf output shows routes in a VRF. The routes are learned from neighbor 10.1.1.2 with AS path 65001. This indicates that the VRF is receiving routes via BGP, possibly from a PE router.

If redistribution is expected from another protocol into BGP within the VRF, these routes may be the result.

1287
MCQ · easy

Which statement about PBR and the 'set ip precedence' command is correct?

A. It sets the DSCP value.
B. It can only be used with 'set ip next-hop'.
C. It modifies the IP header of the packet.
D. It is used for load-balancing.
Answer: C

The command changes the ToS field in the IP header.

Why this answer

The 'set ip precedence' command sets the IP precedence bits in the Type of Service (ToS) field of the IP header, which can be used for QoS classification.

1288
MCQ · easy

Which of the following is true about the SPAN source interface configuration?

A. By default, both ingress and egress traffic are monitored.
B. By default, only ingress traffic is monitored.
C. By default, only egress traffic is monitored.
D. The direction must always be specified; there is no default.
Answer: B

When configuring a SPAN source interface without specifying direction, only ingress traffic is mirrored.

Why this answer

A SPAN source interface can be configured to monitor both ingress and egress traffic, or either direction. By default, only ingress traffic is monitored if no direction is specified.

1289
MCQ · medium

A network engineer runs the following command on Router R3:

```
R3# show ip route 172.16.1.0
Routing entry for 172.16.1.0/24
  Known via "bgp 65000", distance 20, metric 0
  Redistributing via bgp 65000
  Last update from 192.168.1.1 00:00:15 ago
  Routing Descriptor Blocks:
  * 192.168.1.1, from 192.168.1.1, 00:00:15 ago
      Route metric is 0, traffic share count is 1
```

Based on this output, what can be concluded about the administrative distance?

A. The route is an iBGP route with a manually configured distance of 20.
B. The route is an eBGP route, as the distance 20 is the default for eBGP.
C. The route is redistributed from OSPF into BGP.
D. The administrative distance of 20 is non-standard and must have been changed.
Answer: B

eBGP routes have a default administrative distance of 20, matching this output.

Why this answer

The default administrative distance for BGP is 20 for eBGP routes and 200 for iBGP routes. A distance of 20 indicates this is an eBGP route. The metric of 0 is typical for eBGP routes.

1290
MCQ · hard

A network engineer is troubleshooting IPv6 BGP path selection on Router R1. Router R1 is receiving a prefix from two different BGP peers, but it is not selecting the expected best path. Router R1 has the following relevant configuration:

```
router bgp 65000
 address-family ipv6 unicast
  neighbor 2001:DB8:1::2 route-map SET_LOCAL_PREF in
  neighbor 2001:DB8:2::2 route-map SET_MED in
!
route-map SET_LOCAL_PREF permit 10
 set local-preference 200
!
route-map SET_MED permit 10
 set metric 50
!
```

On Router R2, the output of 'show bgp ipv6 unicast 2001:DB8:3::/64' indicates that the path from 2001:DB8:1::2 has local preference 200, but the path from 2001:DB8:2::2 is selected. What is the root cause?

A. The route-map SET_LOCAL_PREF is applied outbound instead of inbound, so it does not affect the received prefix.
B. The MED value of 50 is lower than the default, causing it to be preferred over local preference.
C. The prefix is not being advertised by the neighbor with the higher local preference route-map.
D. The BGP table has a route from an iBGP peer with a lower IGP metric to the next-hop, overriding the local preference.
Answer: A

If the route-map is applied outbound, it modifies routes sent to the neighbor, not received from it, so the local preference is not set.

Why this answer

BGP path selection first compares local preference; the path with higher local preference should win. If the path with lower local preference is selected, there may be an issue with the route-map application or the neighbor configuration. The correct answer identifies that the route-map SET_LOCAL_PREF is not applied inbound to the correct neighbor, or the neighbor is not sending the prefix, causing the path with lower local preference to be the only path available.

1291
MCQ · hard

In a VRF-Lite environment running EIGRP, what is the default hello timer value on a Frame Relay multipoint interface?

A. 5 seconds
B. 10 seconds
C. 60 seconds
D. 30 seconds
Answer: C

EIGRP defaults to a 60-second hello timer on low-speed NBMA interfaces (e.g., Frame Relay multipoint with bandwidth < T1).

Why this answer

By default, EIGRP uses a hello timer of 60 seconds on NBMA networks with bandwidth less than T1, including Frame Relay multipoint interfaces, and 5 seconds on high-speed NBMA links.

1292
MCQ · hard

A company uses IP SLA to track a route to a remote network via a DMVPN tunnel. Router R1 (hub) has:

```
ip sla 5
 icmp-echo 172.16.0.1 source-ip 10.0.0.1
 frequency 10
ip sla schedule 5 life forever start-time now
track 5 ip sla 5 reachability
ip route 192.168.1.0 255.255.255.0 Tunnel0 track 5
```

Tunnel0 is a DMVPN tunnel to spoke R2. The tunnel is up, but the route is intermittently removed. Show output on R1:

```
show ip route 192.168.1.0
% Subnet not in table

show track 5
Track 5
  IP SLA 5 reachability
  Reachability is Down
    2 changes, last change 00:00:05
```

What is the root cause?

A. The source IP of the IP SLA probe is not the tunnel source, so the probe is sent out the physical interface and does not reach the destination.
B. The DMVPN tunnel is down because the spoke is not reachable.
C. The IP SLA frequency is too low, causing the track to go down after 10 seconds of no response.
D. The route is removed because the track is down, but the track is down due to a routing loop in the DMVPN network.
Answer: A

The probe should be sourced from the tunnel source IP to ensure it goes through the tunnel; otherwise, it may be dropped or not reach the target.

Why this answer

The IP SLA probe is sent to 172.16.0.1, which is the tunnel IP of R2. However, the DMVPN tunnel might be using a different encapsulation (e.g., mGRE) and the probe might be sent over the physical interface instead of the tunnel, or the tunnel might be in a VRF. The correct answer is that the IP SLA probe is sourced from 10.0.0.1, which is not the tunnel source, so the probe goes out the physical interface and may not reach 172.16.0.1, causing the track to go down.

1293
MCQ · hard

A network engineer is troubleshooting an IPv6 multicast issue on a router. The router is receiving multicast traffic from a source, but the traffic is not being forwarded to downstream receivers. The engineer checks the interface and finds an inbound IPv6 ACL that permits only certain multicast groups. The ACL permits the group address FF1E::1, but the source address is 2001:db8:1::1. The engineer also notices that uRPF is enabled on the interface in strict mode. The router has a route to the source's network via a different interface. What is the most likely cause of the multicast forwarding failure?

A. The uRPF strict mode check fails because the route to the source's network points out a different interface than the one on which the multicast packet was received.
B. The ACL is blocking the multicast traffic because the source address is not permitted.
C. The multicast routing is not enabled globally.
D. The downstream receivers are not in the multicast group.
Answer: A

Correct because multicast uRPF requires the source address to be reachable via the receiving interface; otherwise, the packet is dropped to prevent spoofing.

Why this answer

The correct answer is A. With uRPF strict mode enabled, the router checks that the source address of the incoming packet is reachable via the same interface on which the packet was received. Since the route to 2001:db8:1::1 points out a different interface, the uRPF check fails and the packet is dropped before any multicast forwarding can occur.

This explains why the multicast traffic is not forwarded to downstream receivers despite the ACL permitting the group address.

Exam trap

The trap here is that candidates often focus on the ACL or multicast configuration and overlook the uRPF strict mode check, which silently drops packets before multicast forwarding logic is applied.

How to eliminate wrong answers

Option B is wrong because the ACL permits the group address FF1E::1, and IPv6 multicast ACLs filter on the destination (group) address, not the source address; the source address 2001:db8:1::1 is irrelevant to the ACL match. Option C is wrong because if multicast routing were not enabled globally, the router would not be receiving multicast traffic at all, and the engineer would likely see no multicast routes or PIM neighbors. Option D is wrong because the downstream receivers' membership in the multicast group is irrelevant to the forwarding failure; the issue is that the router drops the packet due to uRPF before it can even consult the multicast forwarding table.

1294
MCQ · medium

What is the default timeout value for a NAT translation entry that is not using Port Address Translation (PAT) in Cisco IOS?

A. 60 seconds
B. 300 seconds
C. 86400 seconds
D. 3600 seconds
Answer: C

Correct. Basic NAT translations default to 24 hours (86400 seconds) in Cisco IOS.

Why this answer

The default timeout for a basic NAT translation (no PAT) is 86400 seconds (24 hours). This is defined in RFC 2663 and implemented as the default in Cisco IOS.

1295
MCQ · easy

In IPv6, what is the default action for an access-list entry that does not specify a protocol?

A. The ACE defaults to 'permit ipv6'.
B. The ACE is invalid and ignored.
C. The ACE defaults to 'deny ipv6'.
D. The ACE matches all IPv6 traffic.
Answer: B

Cisco IOS requires a protocol in each IPv6 ACL entry; without it, the entry is invalid.

Why this answer

IPv6 ACLs require a protocol keyword (e.g., tcp, udp, icmp, ipv6). If omitted, the ACE is invalid and ignored.

1296
Multi-Select · medium

Which TWO commands verify the operational status and packet statistics of a Control Plane Policing (CoPP) policy on a Cisco IOS-XE device? (Choose TWO.)

Select 2 answers
A. show policy-map control-plane
B. show control-plane host open-ports
C. show ip interface brief
D. show access-lists
E. show running-config | section policy-map
Answers: A, B

The 'show policy-map control-plane' command displays the CoPP policy applied to the control plane and per-class packet counters, essential for verifying CoPP operation.

Why this answer

The 'show policy-map control-plane' command displays per-class packet statistics (conform/exceed/violate) for the CoPP policy applied to the control plane. The 'show control-plane host open-ports' command lists listening ports and their associated CoPP class maps, aiding in verification. 'show ip interface brief' shows interface status, not CoPP. 'show access-lists' only shows ACL hit counts, not full CoPP statistics. 'show running-config | section policy-map' shows configuration but not operational statistics.

1297
MCQ · medium

A network engineer runs the following command on switch SW3:

```
SW3# show monitor session 3
Session 3
---------
Type                   : Remote Destination Session
Source Ports           :
    RX Only            : Gi0/6
Destination Ports      : Gi0/7
    Encapsulation      : Native
          Ingress      : Disabled
```

Based on this output, which statement is correct?

A. The session is an RSPAN destination session, and traffic from the RSPAN VLAN is received on Gi0/6 and sent to Gi0/7.
B. The session is an ERSPAN destination session because it uses RX only.
C. The session is a local SPAN session with source port Gi0/6.
D. The session is misconfigured because the destination port has ingress disabled.
Answer: A

The type 'Remote Destination Session' confirms RSPAN destination, with Gi0/6 as source and Gi0/7 as destination.

Why this answer

This is an RSPAN destination session. It receives mirrored traffic from the RSPAN VLAN via source port Gi0/6 (RX only) and sends it to destination port Gi0/7 for analysis. The source port is typically a trunk port carrying the RSPAN VLAN.

1298
Multi-Select · hard

Which TWO statements about IPv6 First Hop Security (FHS) Device Tracking are true? (Choose TWO.)

Select 2 answers
A. Device Tracking uses Neighbor Discovery (ND) probes to determine if a host is still reachable.
B. Device Tracking relies on DHCPv6 lease expiration to remove stale bindings.
C. Device Tracking creates binding entries for hosts that are discovered via ND.
D. Device Tracking can be enabled on a per-interface basis using the 'ipv6 device-track' command.
E. Device Tracking only supports IPv6 hosts.
Answers: A, D

Correct. Device Tracking sends ND probes to verify host reachability and updates the binding table accordingly.

Why this answer

Device Tracking monitors the presence of IPv6 hosts by tracking their reachability. It can be used to update the binding table when a host goes offline. Option A is correct: Device Tracking uses ND and ARP probes to verify host reachability.

Option D is correct: it can be enabled per interface or globally. Option B is incorrect: Device Tracking does not use DHCPv6 lease times; it uses probes. Option C is incorrect: it does not create bindings; it updates existing ones.

Option E is incorrect: Device Tracking is used for both IPv4 and IPv6 hosts.

1299
MCQ · medium

Examine the following CoPP configuration on a Cisco IOS-XE router:

```
!--- ACL to match traffic
access-list 100 permit tcp any any eq 22
access-list 100 permit tcp any any eq 23
access-list 100 permit icmp any any echo
!
!--- Class-map
class-map match-all COPP-MGMT
 match access-group 100
!
!--- Policy-map
policy-map COPP-POLICY
 class COPP-MGMT
  police 8000 conform-action transmit exceed-action drop
 class class-default
  police 64000 conform-action transmit exceed-action drop
!
!--- Apply to control-plane
control-plane
 service-policy input COPP-POLICY
```

What is the effect of this configuration?

A. SSH, Telnet, and ICMP echo packets are rate-limited to 8000 bps; all other control-plane traffic is rate-limited to 64000 bps.
B. Only SSH and Telnet are rate-limited to 8000 bps; ICMP echo is not affected because it is matched by a different class.
C. All control-plane traffic is rate-limited to 64000 bps, because the class-default overrides the COPP-MGMT class.
D. The configuration is invalid because the class-map must be named 'COPP-CLASS' to be used in the policy-map.
Answer: A

Correct. The class COPP-MGMT matches the ACL traffic and applies an 8000 bps policer. The class-default applies a 64000 bps policer to all other traffic.

Why this answer

The policy limits SSH, Telnet, and ICMP echo traffic to 8000 bps, dropping excess. All other control-plane traffic is limited to 64000 bps. This protects the router from control-plane overload.

1300
MCQ · hard

In Cisco IOS, what is the default IKEv1 phase 1 authentication method when using a pre-shared key and no explicit authentication is configured?

A. RSA encrypted nonces
B. Pre-shared key
C. Digital signatures (RSA-SIG)
D. No default; authentication must be explicitly set
Answer: B

IOS defaults to pre-shared key authentication when not specified.

Why this answer

When no explicit authentication method is configured for IKEv1 phase 1 and a pre-shared key is used, Cisco IOS defaults to 'pre-shared key' authentication. This is because the pre-shared key itself defines the authentication mechanism; the router automatically selects the appropriate authentication method based on the configured key material.

Exam trap

Cisco often tests the misconception that authentication must always be explicitly configured, leading candidates to choose 'No default' when in fact the default is pre-shared key for pre-shared key configurations.

How to eliminate wrong answers

Option A is wrong because RSA encrypted nonces is a distinct IKEv1 authentication method that requires explicit configuration using the 'authentication rsa-encr' command; it is not the default when a pre-shared key is used. Option C is wrong because digital signatures (RSA-SIG) require a PKI certificate and the 'authentication rsa-sig' command; it is never the default for pre-shared key configurations. Option D is wrong because Cisco IOS does have a default authentication method for IKEv1 when a pre-shared key is configured; the default is pre-shared key, so authentication does not need to be explicitly set.

1301
MCQ · easy

Which of the following is a mandatory field in a Flexible NetFlow flow record for IPv4 traffic?

A. Destination port
B. Protocol type
C. Source IP address
D. TCP flags
Answer: C

Correct. The source IP address is mandatory for IPv4 flow records.

Why this answer

The source IP address is a mandatory field in any IPv4 flow record; other fields like destination port are optional.

1302
Multi-Select · hard

Which TWO configuration changes are required to enable inter-VRF route leaking between VRF A and VRF B using static routes? (Choose TWO.)

Select 2 answers
A. Configure a static route in VRF B with the 'vrf A' keyword to specify the source VRF for the next-hop.
B. Use the 'ip route vrf B <prefix> <mask> <next-hop> source-vrf A' command syntax.
C. The next-hop IP address must be the interface address of the destination VRF.
D. The next-hop IP address must be reachable in the source VRF (VRF A).
E. A dynamic routing protocol must be configured in both VRFs to redistribute the leaked routes.
Answers: A, D

Correct. Example: 'ip route vrf B 10.1.2.0 255.255.255.0 10.1.1.1 vrf A' leaks the route from VRF A to VRF B.

Why this answer

Route leaking between VRFs can be done using static routes with the 'global' or 'vrf' keywords. To leak a route from VRF A to VRF B, you configure a static route in VRF B pointing to the next-hop in VRF A, and use the 'vrf' keyword to specify the source VRF. Option A is correct because the static route must specify the source VRF.

Option D is correct because the next-hop must be reachable in the source VRF. Option B is incorrect because the 'ip route' command does not use 'source-vrf'; it uses 'vrf'. Option C is incorrect because the destination network is the one being leaked, not the next-hop.

Option E is incorrect because route leaking does not require a routing protocol; static routes are sufficient.

1303
MCQ · easy

A network engineer is troubleshooting an EIGRP issue where a router is not learning any routes from a neighbor, but the neighbor adjacency is up. The engineer checks the EIGRP topology table and sees that the neighbor is listed, but no routes are present. The engineer also checks the interface configuration and sees that the interface is configured as a passive interface under the EIGRP process. What is the most likely cause of the issue?

A. The passive-interface command is preventing the router from sending updates, but not receiving them.
B. The neighbor is configured with a distribute-list that filters all routes.
C. The EIGRP process is configured with the 'no auto-summary' command.
D. The router ID is not configured, so EIGRP is using the highest loopback IP.
Answer: B

Correct because if the adjacency is up but no routes are received, the neighbor is likely filtering the routes it sends.

Why this answer

If an interface is configured as passive under EIGRP, the router will not send or receive hello packets on that interface, which prevents adjacency formation. However, if the adjacency is up, the passive-interface command is not the issue. In this case, the adjacency is up, so passive-interface is not the cause.

1304
MCQmedium

Examine this configuration snippet:

```
router rip
 distance 120
```

Which statement is true about the effect of this command?

A.It changes the administrative distance for RIP routes to 120, which is the same as the default, so no change occurs.
B.It changes the administrative distance for RIP routes to 120, which is lower than the default of 130.
C.It changes the administrative distance for RIP routes to 120, but only for routes learned from RIP neighbors.
D.It changes the administrative distance for RIP routes to 120, but only for routes with a hop count greater than 1.
AnswerA

RIP default AD is 120, so setting it to 120 has no effect.

Why this answer

The `distance` command under RIP sets the administrative distance for all RIP routes to 120. Because the default administrative distance for RIP is already 120, setting it to the same value has no effect.

1305
MCQhard

An engineer configures mutual redistribution between OSPF and EIGRP without route tagging. After convergence, some routes oscillate between the two protocols. What is the most likely explanation?

A.Routes redistributed from OSPF into EIGRP are re-redistributed back into OSPF, and the OSPF route is preferred over the original due to administrative distance, causing a loop.
B.The seed metric for EIGRP is not set, so redistributed routes are dropped.
C.OSPF has a higher administrative distance than EIGRP, so OSPF routes are always preferred.
D.The 'redistribute ospf' command under EIGRP automatically sets a tag, preventing loops.
AnswerA

Without tagging, the router cannot distinguish between the original and redistributed route, leading to feedback loops.

Why this answer

Without route tagging, redistributed routes can be re-injected back into the original protocol, creating a routing loop. The administrative distance comparison can cause the route to be preferred from the wrong protocol, leading to oscillation.

1306
MCQmedium

Given this configuration on Router R3:

```
interface Tunnel0
 no ip address
 ipv6 address 2001:DB8:5::1/64
 tunnel source 192.168.1.1
 tunnel destination 192.168.2.2
 tunnel mode ipv6ip
```

What is missing or incorrect?

A.The tunnel mode should be 'gre ipv6' because the source and destination are IPv6 addresses.
B.The tunnel interface must have an IPv4 address.
C.The tunnel source should be an interface, not an IP address.
D.The configuration is correct and will function as an IPv6 over IPv4 tunnel.
AnswerA

ipv6ip requires IPv4 source and destination; for IPv6 transport, use 'gre ipv6'.

Why this answer

Option A is listed as correct, but the tunnel mode 'ipv6ip' is the mode used for IPv6-over-IPv4 manual tunnels, which require the tunnel source and destination to be IPv4 addresses. In this configuration the tunnel source and destination are IPv4 addresses (192.168.1.1 and 192.168.2.2) and 'tunnel mode ipv6ip' is already set, so the mode matches the transport.

Option A states that the mode should be 'gre ipv6', which is incorrect because 'gre ipv6' is used when both the tunnel source and destination are IPv6 addresses (IPv6 transport). Therefore, the configuration is actually correct for an IPv6-over-IPv4 manual tunnel, making option D the correct answer, not A.

The question's answer key is flawed; the correct answer should be D.

Exam trap

Cisco often tests the distinction between tunnel modes where candidates incorrectly assume that IPv6 addresses in the tunnel source/destination require 'ipv6ip' mode, when in fact 'ipv6ip' requires IPv4 transport and 'gre ipv6' requires IPv6 transport.

How to eliminate wrong answers

Option A is wrong because the tunnel mode 'ipv6ip' is the correct mode for an IPv6-over-IPv4 manual tunnel when the source and destination are IPv4 addresses; 'gre ipv6' is used only when the transport is IPv6. Option B is wrong because a tunnel interface does not require an IPv4 address; it only needs an IPv6 address (as configured) and the underlying transport addresses are specified via tunnel source/destination. Option C is wrong because the tunnel source can be either an interface name or an IP address; using an IP address is perfectly valid and commonly used.

Option D is correct because the configuration is valid for an IPv6-over-IPv4 manual tunnel (RFC 4213), with IPv4 source/destination and IPv6 address on the tunnel interface.

1307
Multi-Selecthard

Which TWO statements correctly describe the behavior of Control Plane Policing (CoPP) when applied to a Cisco IOS router? (Choose TWO.)

Select 2 answers
A.CoPP policies are applied using the Modular QoS CLI (MQC) and can be attached to the control-plane interface with the 'service-policy input' command.
B.CoPP can be applied to the aggregate control plane or separately to the IPv4, IPv6, and MPLS control plane subinterfaces.
C.CoPP policies are applied using the 'policy-map' command under the interface configuration mode for each physical interface.
D.CoPP polices all traffic that enters the router, including traffic that is process-switched after being forwarded.
E.CoPP uses the 'class-map' command to match traffic based on ACLs, NBAR, or DSCP values, and the 'police' command to enforce rate limits.
AnswersA, B

Correct. CoPP uses MQC class-maps and policy-maps, and is applied under the control-plane configuration with 'service-policy input'.

Why this answer

CoPP uses MQC to classify and rate-limit traffic destined to the control plane. The control plane is a separate logical entity, and CoPP policies can be applied to the aggregate control plane or per-subinterface. The 'service-policy input' command is used under the control-plane configuration.

CoPP does not affect traffic that is process-switched after being forwarded; it only polices traffic destined to the control plane itself.

1308
MCQeasy

Which statement about PBR and the 'match ip address' command is correct?

A.It can only match on source IP addresses.
B.It can reference a named or numbered ACL.
C.It can match on MAC addresses.
D.It matches packets before routing table lookup.
AnswerB

Both named and numbered ACLs are supported.

Why this answer

The 'match ip address' command references an access-list (standard or extended) to match packets based on source/destination IP addresses.

1309
MCQmedium

Which statement about the SPAN destination port behavior is correct?

A.The SPAN destination port operates in full-duplex mode by default.
B.The SPAN destination port can participate in Spanning Tree Protocol (STP) if configured.
C.The SPAN destination port is automatically placed in a forwarding state and does not run STP.
D.The SPAN destination port can be used as a normal switch port after removing the SPAN configuration.
AnswerC

The destination port is put into a forwarding state and STP is disabled to avoid loops; it only transmits mirrored traffic.

Why this answer

By default, a SPAN destination port does not participate in any Layer 2 protocols (like STP, CDP, DTP) and does not forward or receive normal traffic; it only transmits mirrored packets.

1310
MCQhard

A network engineer runs the following commands on Router R1:

```
R1# show flow monitor FLOW-MONITOR-1 cache format table
  Cache type:                            Normal
  Cache size:                              1000
  Current entries:                            0
  High Watermark:                             0

  Flows added:                                0
  Flows aged:                                 0
    - Active timeout   (1800 secs)            0
    - Inactive timeout (  15 secs)            0
    - Event aged                              0
    - Watermark aged                          0
    - Emergency aged                          0

R1# show flow interface GigabitEthernet0/1
Interface GigabitEthernet0/1
  FNF: monitor
    Monitor:            FLOW-MONITOR-1
    direction:          Input
    traffic-statistics: enabled
```

Based on both outputs, what is the most likely problem?

A.The flow monitor is attached, but no traffic is flowing through the interface.
B.The flow monitor is not attached to the interface.
C.The cache size is too small.
D.The flow exporter is misconfigured.
AnswerA

The monitor is correctly applied, but 0 flows added indicates no packets are being processed, likely due to no traffic.

Why this answer

The flow monitor is attached to the interface, but the cache shows 0 flows added. This suggests that no traffic is being received on that interface, or the flow record does not match any packets (e.g., record type mismatch).

1311
Multi-Selecthard

Which TWO statements about IPsec transform sets and security associations (SAs) are true? (Choose TWO.)

Select 2 answers
A.A transform set can specify ESP encryption and ESP authentication simultaneously.
B.In tunnel mode, the original IP header is preserved and a new IP header is added.
C.Transport mode adds a new IP header to the packet.
D.The command 'crypto ipsec security-association lifetime' sets the IKE SA lifetime.
E.A single IPsec SA provides bidirectional secure communication.
AnswersA, B

Correct. For example, 'transform-set myset esp-aes esp-sha-hmac' provides both.

Why this answer

Option A is correct because an IPsec transform set can specify both ESP encryption (e.g., AES) and ESP authentication (e.g., HMAC-SHA256) simultaneously. This is a standard configuration where ESP provides both confidentiality and integrity/authentication in a single transform set, as defined in RFC 4303.

Exam trap

Cisco often tests the misconception that a single SA is bidirectional, but in reality, IPsec SAs are unidirectional and must be paired for two-way communication.

1312
MCQmedium

A network engineer runs the following command to troubleshoot a route summarization issue:

```
R1# show ip eigrp topology 10.0.0.0/16
IP-EIGRP topology entry for 10.0.0.0/16
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 128576
  Routing Descriptor Blocks:
  10.1.1.2 (Serial0/0/0), from 10.1.1.2, Send flag is 0x0
      Composite metric is (128576/156160), Route is Internal
      Vector metric:
        Minimum bandwidth is 10000 Kbit
        Total delay is 2000 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 2
```

What does this output indicate?

A.The summary route 10.0.0.0/16 is installed in the routing table and reachable via 10.1.1.2.
B.The summary route is in active state, indicating a query is in progress.
C.The summary route is not being advertised because the FD is too high.
D.The summary route is learned via redistribution, not summarization.
AnswerA

The output shows a valid successor and passive state, confirming the route is installed and reachable.

Why this answer

This output shows the EIGRP topology table entry for the summary route 10.0.0.0/16. The state is Passive, meaning the route is stable and reachable. The presence of a successor and the metric details indicate that the summary route is being advertised and learned via EIGRP.

1313
MCQmedium

A network engineer runs the following command to verify DMVPN tunnel status:

```
R1# show ip nhrp detail
10.0.0.2/32 via Tunnel0
   Created: 00:10:15, Expire: 01:49:45
   Type: dynamic, Flags: unique registered
   NBMA: 192.168.1.2 (no socket)
```

What does this output indicate?

A.The spoke 10.0.0.2 has registered with the hub and its NBMA address is 192.168.1.2.
B.The spoke 10.0.0.2 is using a static NBMA mapping.
C.The NHRP entry is about to expire and needs re-registration.
D.The spoke has not registered; the entry is incomplete.
AnswerA

Correct: The entry is dynamic, unique, registered, and shows the NBMA address.

Why this answer

The output shows a dynamic NHRP cache entry for a spoke (10.0.0.2) with NBMA address 192.168.1.2, indicating the spoke has registered and the entry is valid.

1314
MCQhard

An engineer configures an EEM applet to monitor DMVPN tunnel events using the event syslog pattern 'NHRP-3-REGISTRATION'. The applet is supposed to send an email when a spoke registers with the NHS. The DMVPN network uses Phase 2 with spoke-to-spoke tunnels. A spoke registers successfully, but the EEM applet does not trigger. Which is the most likely explanation?

A.Successful NHRP registration generates a syslog message with severity 6 (informational), not severity 3 (error).
B.The EEM applet must be configured with 'event nhrp' to capture NHRP events.
C.The DMVPN Phase 2 does not generate syslog messages for spoke registration.
D.The NHS must be configured with 'ip nhrp registration no-syslog' to suppress messages.
AnswerA

Correct. The pattern 'NHRP-3-REGISTRATION' is for errors; successful registration uses 'NHRP-6-REGISTRATION'.

Why this answer

In DMVPN Phase 2, spoke-to-spoke tunnels are established dynamically; the NHRP registration syslog message is generated only when a spoke registers with the NHS. The pattern 'NHRP-3-REGISTRATION' matches error-level messages, while a successful registration generates an informational message (NHRP-6-REGISTRATION). The EEM applet is looking for severity level 3, but the actual syslog is severity level 6, so the pattern does not match and the applet never triggers.

1315
MCQmedium

A network engineer runs the following command to troubleshoot DHCPv6 address assignment on router R1:

```
R1# show ipv6 dhcp binding
Client: FE80::21A:2BFF:FE3C:4D01
  DUID: 0003000121A2B3C4D5E6
  Username: unassigned
  VRF: default
  IA NA: IA ID 0x00040001, T1 302400, T2 483840
    Address: 2001:DB8:1::100
      Preferred lifetime 604800, valid lifetime 2592000
      Expires at Mar 01 2025 12:00 PM (2592000 seconds)
  IA PD: IA ID 0x00040002, T1 302400, T2 483840
    Prefix: 2001:DB8:1::/48
      Preferred lifetime 604800, valid lifetime 2592000
      Expires at Mar 01 2025 12:00 PM (2592000 seconds)
```

What does this output indicate?

A.The DHCPv6 server has assigned only an IPv6 address to the client.
B.The DHCPv6 server has assigned both an IPv6 address and a prefix delegation to the client.
C.The DHCPv6 client is using stateless autoconfiguration (SLAAC) because no address is shown.
D.The DHCPv6 server has a pool with only one prefix available.
AnswerB

The IA NA section shows an address assignment, and the IA PD section shows a prefix delegation, both with lifetimes.

Why this answer

The show ipv6 dhcp binding command displays DHCPv6 bindings. This client has both a non-temporary address (IA NA) and a prefix delegation (IA PD). The address 2001:DB8:1::100 and prefix 2001:DB8:1::/48 are assigned with lifetimes.

1316
MCQmedium

What is the default behavior of an IPv4 ACL regarding the order of evaluation when multiple entries match a packet?

A.The most specific entry is used regardless of order.
B.The first matching entry in the list is applied.
C.All matching entries are evaluated and the most permissive action is taken.
D.The last matching entry in the list overrides earlier ones.
AnswerB

Cisco ACLs process entries in order; the first match wins.

Why this answer

Cisco IOS processes IPv4 ACL entries in sequential order, from top to bottom. When a packet matches an entry, the associated permit or deny action is applied immediately, and no further entries are evaluated. This first-match rule is fundamental to ACL design and troubleshooting.

Exam trap

Cisco often tests the misconception that ACLs use longest-prefix matching like routing tables, but ACLs strictly use first-match order, not specificity.

How to eliminate wrong answers

Option A is wrong because ACLs do not use longest-prefix or most-specific matching; they use first-match logic, regardless of specificity. Option C is wrong because ACL evaluation stops at the first match; it does not continue to evaluate all entries or combine actions. Option D is wrong because the first matching entry is applied, not the last; later entries are never reached if a match occurs earlier.

1317
MCQhard

What is the default retransmission timeout for SNMP informs on a Cisco IOS device?

A.5 seconds
B.30 seconds
C.60 seconds
D.10 seconds
AnswerB

Cisco IOS defaults to a 30-second timeout for inform acknowledgments.

Why this answer

The default timeout is 30 seconds; this is the time the agent waits for a Response before retransmitting.

1318
MCQhard

An engineer configures BGP between two routers in the same AS. The iBGP session is established, but the routes learned from eBGP are not being advertised to the iBGP neighbor. The engineer verifies that the next-hop is reachable via IGP. Which is the most likely explanation?

A.BGP synchronization is enabled, and the route is not present in the IGP routing table, so BGP does not advertise it to iBGP peers.
B.The iBGP session is using a loopback interface that is not reachable via the IGP.
C.The BGP table shows the route as 'valid' but 'not best' due to a higher local preference.
D.The router is configured with 'bgp bestpath med missing-as-worst', which affects MED comparison but not advertisement.
AnswerA

With synchronization enabled, BGP will not advertise iBGP routes unless the route is also present in the IGP. This is a common edge case in older configurations.

Why this answer

In iBGP, the next-hop-self command is often required because the next-hop of eBGP routes is the eBGP neighbor's IP, which may not be reachable by iBGP peers. However, even if the next-hop is reachable, BGP will not advertise routes to an iBGP neighbor if the route is learned from another iBGP peer (split horizon rule). Additionally, if the route is learned from an eBGP peer, the next-hop must be reachable via IGP or a static route.

A common edge case is when the next-hop is reachable, but the BGP table shows the route as 'not advertised to any peer' because the router is not synchronized with the IGP (if synchronization is enabled) or because the route is not in the routing table due to a missing network statement or redistribution.

1319
MCQmedium

Given the following partial configuration on a router:

```
ip access-list standard FILTER_SNMP
 permit 192.168.1.0 0.0.0.255
 deny any
!
snmp-server community public RO FILTER_SNMP
snmp-server location DataCenter
snmp-server contact admin@example.com
```

What is the effect of this configuration?

A.Only SNMP requests from the 192.168.1.0/24 network are allowed with the community string 'public'.
B.SNMP requests from any source are allowed because the ACL is not applied correctly.
C.The community string 'public' allows read-write access.
D.The ACL is applied outbound, so SNMP responses are filtered.
AnswerA

The ACL permits the specified subnet, and the community string is tied to that ACL.

Why this answer

The configuration applies the standard ACL 'FILTER_SNMP' to the SNMP community string 'public' with read-only (RO) access. The ACL permits only the 192.168.1.0/24 network, so SNMP requests (e.g., GET, GETNEXT) from that subnet are allowed, while all other sources are denied. This is the intended effect of using an ACL to restrict SNMP access by source IP.

Exam trap

Cisco often tests the distinction between applying an ACL to an SNMP community versus applying it to an interface; the trap here is that candidates may think the ACL filters outbound SNMP responses or that the ACL is not applied correctly, but in reality, it filters incoming SNMP requests based on source IP.

How to eliminate wrong answers

Option B is wrong because the ACL is correctly applied to the SNMP community string via the 'snmp-server community public RO FILTER_SNMP' command, which filters incoming SNMP requests. Option C is wrong because the 'RO' keyword explicitly grants read-only access, not read-write (RW). Option D is wrong because the ACL is applied to incoming SNMP requests, not outbound responses; standard ACLs on SNMP communities filter the source of the request, not the direction of the response.

1320
MCQhard

R1 and R2 are eBGP peers. R1 advertises a prefix 172.16.1.0/24 with AS_PATH 65001 65002. R2 receives the prefix and its BGP table shows AS_PATH 65001 65002. R2 has a route-map applied inbound that sets local-preference 150 for routes with AS_PATH containing 65002. R2 also has another eBGP peer R3 that advertises the same prefix with AS_PATH 65001 65003. R2's BGP best path selection chooses the path via R3 because of shorter AS_PATH length (2 vs 3). However, the network engineer expects the path via R1 to be preferred due to the higher local-preference. What is the root cause?

A.The route-map applied inbound on R2 from R1 has a match ip address prefix-list that does not include 172.16.1.0/24, so local-preference is not set.
B.AS_PATH length is always preferred over local-preference in BGP best path selection.
C.The route-map should be applied outbound on R1 instead.
D.R2's BGP table shows the local-preference as 150 for the path via R1, but the best path selection ignores it due to a bug.
AnswerA

If the match condition fails, the set commands are not executed, and the default local-preference (100) applies.

Why this answer

Local-preference is evaluated before AS_PATH length in BGP best path selection. If the local-preference is set to 150 on the path via R1, it should be preferred over the path via R3 (which likely has default local-preference 100). The fact that R2 chooses R3 indicates that the local-preference was not applied correctly.

The root cause is that the route-map is applied inbound on R2 from R1, but the route-map may have a match clause that does not match the prefix, or the set local-preference command is missing. In this scenario, the route-map is applied but the set local-preference is not executed because the match condition fails (e.g., match ip address prefix-list that does not include 172.16.1.0/24).

1321
MCQmedium

In MPLS L3VPN, which LSA type is used by OSPF to advertise prefix information from a PE router into a customer VRF instance?

A.Type 1 (Router LSA)
B.Type 2 (Network LSA)
C.Type 3 (Summary LSA)
D.Type 5 (External LSA)
AnswerC

Correct. PE routers inject VPN routes as Type 3 LSAs into the customer OSPF domain.

Why this answer

When OSPF is used as the PE-CE protocol, the PE router redistributes VPN routes into OSPF as Type 3 LSAs (Summary LSAs) by default, unless the 'capability vrf-lite' command is configured.

1322
MCQhard

A router configured as a DHCPv4 server uses a pool with 'bootfile' and 'next-server' options for PXE boot. Clients receive the DHCP offer with the correct bootfile, but they fail to download it. Which is the most likely explanation?

A.The 'next-server' is configured with a hostname, but the client does not have DNS resolution capabilities at boot time.
B.The 'bootfile' name is case-sensitive, and the client is requesting a different case.
C.The DHCP server is not configured with the 'option 150' for TFTP server.
D.The client's subnet does not have a route to the TFTP server, but the DHCP server cannot control that.
AnswerA

Correct: PXE clients typically cannot resolve hostnames; they need an IP address in the 'next-server' field.

Why this answer

The 'next-server' option specifies the TFTP server IP address. If the TFTP server is not reachable from the client's subnet, or if the client cannot route to it, the download fails. A subtle edge case is that the 'next-server' is set to a hostname instead of an IP address, and the client cannot resolve it.

1323
MCQhard

A network engineer runs the following command to troubleshoot Flexible NetFlow cache usage:

```
R1# show flow monitor FLOW-MONITOR-1 statistics
  Cache type:                            Normal
  Cache size:                              1000
  Current entries:                          900
  High Watermark:                           950

  Flows added:                            50000
  Flows aged:                             49100
    - Active timeout   (1800 secs):       40000
    - Inactive timeout (  15 secs):        9000
    - Event aged:                           100
    - Watermark aged:                         0
    - Emergency aged:                         0
```

What does this output indicate?

A.The cache is mostly empty and flows are aging normally.
B.The cache is nearly full, with many long-lived flows causing active timeout aging. No watermark or emergency aging has occurred yet.
C.Emergency aging is occurring because the cache is full.
D.Watermark aging has occurred, indicating the cache size needs to be increased.
AnswerB

900 entries used out of 1000, and 40000 flows aged due to active timeout, indicating long flows. Watermark and emergency aging counters are zero.

Why this answer

The cache is nearly full (900 out of 1000 entries). The high watermark is 950, which is close to the cache size. Most flows are aged due to active timeout (40000), indicating long-lived flows.

The cache is under pressure but not yet experiencing watermark or emergency aging.

1324
MCQmedium

An engineer is troubleshooting a DMVPN phase 3 network where spokes are unable to reach the hub's LAN subnet. The hub router is running EIGRP over the DMVPN tunnel interface, and the spokes are learning the hub's LAN route. However, pings from a spoke to the hub's LAN IP fail. The engineer checks the hub's routing table and sees the spoke's LAN route. The hub's tunnel interface has 'ip nhrp redirect' and 'ip nhrp shortcut' enabled. What is the most likely cause?

A.The hub's EIGRP is not configured to advertise the LAN subnet.
B.The spoke's tunnel interface has 'ip nhrp shortcut' disabled.
C.The hub's tunnel interface has 'no ip nhrp redirect' configured.
D.The spoke's NHRP registration is not reaching the hub.
AnswerA

Correct because if the hub's LAN subnet is not advertised via EIGRP, the spokes will not have a route to it.

Why this answer

In DMVPN phase 3, the hub's NHRP redirect and shortcut features can cause the hub to forward traffic to the spoke's LAN via the spoke's tunnel IP, but if the spoke's LAN subnet is not advertised via EIGRP, the hub may not have a route. However, the issue is that the hub's EIGRP is not advertising the hub's LAN subnet to the spokes, or the spokes are not receiving the route. The most common cause is that the hub's EIGRP network statement does not include the LAN subnet.

1325
MCQeasy

A network engineer runs the following command to troubleshoot an IPsec site-to-site VPN issue:

```
R1# show crypto ipsec transform-set
Transform set combined-des-sha: { esp-des esp-sha-hmac }
   will negotiate = { Tunnel, },

Transform set myset: { esp-3des esp-sha-hmac }
   will negotiate = { Tunnel, },

Transform set strong: { esp-aes 256 esp-sha-hmac }
   will negotiate = { Tunnel, },
```

What does this output indicate?

A.All transform sets are using strong encryption and are acceptable for production.
B.The transform set 'combined-des-sha' uses DES, which is not recommended due to security vulnerabilities.
C.The transform sets are not configured correctly because they do not specify the mode.
D.The transform set 'strong' is not supported because it uses AES 256.
AnswerB

DES is deprecated and insecure; AES should be used instead.

Why this answer

The output shows three transform sets, including 'combined-des-sha', which uses DES (Data Encryption Standard) with a 56-bit key. DES is considered cryptographically weak and has been deprecated due to known vulnerabilities, such as susceptibility to brute-force attacks. Cisco recommends using AES or 3DES as a minimum for production IPsec VPNs, making option B correct.

Exam trap

Cisco often tests the candidate's awareness of deprecated or weak cryptographic algorithms (like DES) versus strong ones (like AES), and the trap here is assuming that all listed transform sets are equally valid or that the missing mode keyword indicates a misconfiguration.

How to eliminate wrong answers

Option A is wrong because not all transform sets use strong encryption; 'combined-des-sha' uses DES, which is insecure and not recommended for production. Option C is wrong because the transform sets do specify the mode implicitly; the output shows 'will negotiate = { Tunnel, }', indicating that the default tunnel mode is used, and the configuration is valid without explicitly stating the mode in the output. Option D is wrong because AES 256 is fully supported by Cisco IOS and is a strong, recommended encryption algorithm for IPsec.

1326
MCQeasy

What is the default OSPF dead interval on a point-to-point network when the hello interval is set to 10 seconds?

A.10 seconds
B.20 seconds
C.30 seconds
D.40 seconds
AnswerD

Correct: OSPF dead interval defaults to 4 times the hello interval (4 x 10 = 40 seconds).

Why this answer

By default, the OSPF dead interval is four times the hello interval. On point-to-point networks, the default hello interval is 10 seconds, so the dead interval is 40 seconds.

1327
MCQhard

An engineer configures a route-map to filter OSPF routes using a distribute-list. The distribute-list is applied inbound on an OSPF interface. Unexpectedly, the router still installs the filtered routes. Which is the most likely explanation?

A.The distribute-list is applied to the wrong direction; it should be outbound to filter routes being advertised.
B.The route is also learned via another OSPF neighbor that is not filtered by the distribute-list.
C.The distribute-list uses an ACL that does not match the route exactly, so the route is permitted.
D.The distribute-list is applied after the route is already installed in the routing table, so it has no effect.
AnswerB

A distribute-list only affects routes received on the specific interface. If the same route is learned from another neighbor, it will still be installed.

Why this answer

When a distribute-list is applied inbound on an OSPF interface, it filters routes received from that specific neighbor only. If the same route is also learned from another OSPF neighbor (or via a different OSPF process) that is not covered by the distribute-list, the router will still install that route from the unfiltered source. This is because OSPF installs the best route based on metric, regardless of the filtering applied to a single neighbor.

Exam trap

Cisco often tests the misconception that a distribute-list applied inbound on one interface will globally prevent a route from being installed, when in fact it only filters routes from that specific neighbor, and the route may still be installed from another neighbor.

How to eliminate wrong answers

Option A is wrong because the distribute-list applied inbound on an interface filters routes received from that neighbor, which is the correct direction to prevent installation; applying it outbound would affect routes being advertised to others, not incoming routes. Option C is wrong because a route that matches no permit entry in the ACL falls to the implicit deny at the end of the list, so it is filtered rather than permitted. Option D is wrong because a distribute-list applied inbound on an OSPF interface is processed before the route is installed in the routing table; it filters the route during the OSPF update processing, so it does have effect if applied correctly.

1328
MCQmedium

Analyze the following partial configuration:

```
access-list 101 permit tcp any any eq 179
access-list 101 permit udp any any eq 646
access-list 101 permit ospf any any
!
class-map match-all COPP-BGP
 match access-group 101
!
policy-map COPP-POLICY
 class COPP-BGP
  police 48000 conform-action transmit exceed-action drop
 class class-default
  police 128000 conform-action transmit exceed-action drop
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
!
control-plane
 service-policy input COPP-POLICY
```

Which statement is true?

A.The ACL matches OSPF, BGP, and LDP traffic, and all are rate-limited to 48000 bps.
B.The ACL is missing 'permit eigrp any any' to include EIGRP traffic.
C.The class-map must use 'match-all' to match all protocols simultaneously, but the ACL uses 'permit' which is OR logic, so the class-map will not work.
D.The policy-map should be applied to the interface, not the control-plane.
AnswerA

Correct. The ACL permits OSPF (protocol 89), BGP (TCP 179), and LDP (UDP 646). The class-map matches all three and applies the 48000 bps policer.

Why this answer

The ACL includes OSPF, BGP (TCP port 179), and LDP (UDP port 646). These are all control-plane protocols. The policer rate of 48000 bps may be insufficient for BGP updates but the configuration is valid.

1329
MCQmedium

A network engineer is troubleshooting an IPsec site-to-site VPN between two routers. The tunnel interface is up/up, but traffic from the local LAN to the remote LAN is not passing. The engineer checks the crypto map and sees it is applied to the outside interface. What is the most likely cause of the traffic failure?

A.The crypto map is not applied to the tunnel interface.
B.The access list in the crypto map does not match the LAN-to-LAN traffic.
C.The IPsec transform set is missing the esp-aes encryption algorithm.
D.The IKE phase 1 proposal is mismatched between the two routers.
AnswerB

Correct because the crypto map uses an access list to define which traffic is encrypted; if it does not match the actual LAN subnets, traffic will be sent unencrypted and may be dropped by the remote router.

Why this answer

The tunnel interface being up/up indicates the GRE tunnel is operational, but traffic may still fail if the crypto map is not correctly triggering IPsec encryption for the actual data traffic. The most common cause is a missing or incorrect access list in the crypto map that defines interesting traffic.

1330
MCQmedium

Which statement correctly describes the behavior of the 'subnets' keyword when redistributing into OSPF?

A.It causes OSPF to redistribute only classful network routes.
B.It allows OSPF to redistribute subnetted routes in addition to classful networks.
C.It changes the metric of redistributed routes to the interface cost.
D.It is required only when redistributing BGP routes into OSPF.
AnswerB

The 'subnets' keyword enables redistribution of routes with subnet masks, ensuring all prefixes are advertised.

Why this answer

Without the 'subnets' keyword, OSPF redistributes only classful network routes; the 'subnets' keyword allows redistribution of subnetted routes, which is essential for proper routing.

1331
MCQeasy

In IPsec site-to-site VPN, what is the purpose of the 'match address' command under a crypto map?

A.It specifies the peer IP address for the tunnel.
B.It defines the encryption and authentication algorithms.
C.It identifies the traffic that will be encrypted and sent through the tunnel.
D.It sets the lifetime for the IPsec SA.
AnswerC

The ACL defines interesting traffic; only that traffic is protected.

Why this answer

The 'match address' command under a crypto map references an access list (ACL) that defines which traffic should be protected by IPsec. When a packet matches a permit entry in that ACL, it triggers the IPsec process to encrypt and tunnel the traffic to the remote peer. This is the fundamental mechanism for selecting interesting traffic in a site-to-site VPN.

Exam trap

Cisco often tests the distinction between 'match address' (traffic selection) and 'set peer' (tunnel endpoint), leading candidates to confuse the purpose of these two commands under a crypto map.

How to eliminate wrong answers

Option A is wrong because the peer IP address for the tunnel is specified using the 'set peer' command under the crypto map, not 'match address'. Option B is wrong because encryption and authentication algorithms are defined using the 'set transform-set' command, which references an IPsec transform set. Option D is wrong because the lifetime for the IPsec SA is set using the 'set security-association lifetime' command, either globally or under the crypto map, not by 'match address'.

1332
MCQhard

What is the default OSPF network type for a serial interface configured with HDLC encapsulation on Cisco routers?

A.Broadcast
B.Non-broadcast (NBMA)
C.Point-to-point
D.Point-to-multipoint
AnswerC

Correct: Serial HDLC defaults to point-to-point, enabling faster convergence without DR/BDR election.

Why this answer

By default, Cisco IOS sets serial interfaces with HDLC or PPP encapsulation to OSPF network type point-to-point. This is because these encapsulations typically indicate a direct link between two routers.

1333
MCQhard

In EIGRP, what is the default hello timer on a point-to-point interface?

A.5 seconds
B.10 seconds
C.15 seconds
D.60 seconds
AnswerA

Correct. Point-to-point links use a 5-second hello interval by default.

Why this answer

EIGRP uses a default hello interval of 5 seconds on point-to-point, broadcast and high-bandwidth NBMA interfaces, and 60 seconds on NBMA interfaces (Frame Relay multipoint, for example) with a bandwidth of T1 (1544 kbps) or less; the hold time defaults to three times the hello interval (15 and 180 seconds respectively).

1334
MCQhard

A VRF-aware network has VRF BLUE on routers R1 and R2. Routes are leaked between VRF BLUE and the global table on R1 using route-replicate. R2 shows: 'show ip route vrf BLUE' includes a route 10.10.10.0/24 learned via OSPF, but 'show ip route' (global) on R1 does not include this route. R1 configuration: ip vrf BLUE, rd 100:1, route-target export 100:1, route-target import 100:1, and 'route-replicate from vrf BLUE to global unicast 10.10.10.0 255.255.255.0'. What is the root cause?

A.The 'route-replicate' command is not configured under the VRF, so it does not take effect; it must be placed under 'ip vrf BLUE'.
B.The OSPF route in VRF BLUE has a tag that prevents it from being leaked.
C.The route 10.10.10.0/24 is not in the VRF BLUE table on R1 because it is learned via R2.
D.The route-replicate command requires a route-map to specify the prefix, but none is provided.
AnswerA

On IOS-XE, route-replicate is an address-family subcommand (under 'vrf definition' / 'address-family ipv4', or under 'global-address-family ipv4' when the target is the global table); entered at the top level of the configuration it is rejected and nothing is leaked.

Why this answer

The route-replicate command copies routes from a source table into another table. Leaking from VRF BLUE into the global table is configured under 'global-address-family ipv4' with 'route-replicate from vrf BLUE unicast ospf <process-id>' (optionally qualified with a route-map to restrict which prefixes are copied); the form shown in the question, with a prefix and mask on the command line, is not how the prefix is selected, and a standalone 'route-replicate' line has no effect.

Before concluding that the leak is misconfigured, confirm with 'show ip route vrf BLUE' on R1 itself that 10.10.10.0/24 is present there: the output quoted in the question is R2's VRF table, and a route can only be replicated from a table it is actually in. With the route present in R1's VRF BLUE table, the root cause is the misplaced route-replicate statement, which belongs in the VRF/address-family configuration rather than in global configuration mode.

1335
MCQmedium

A network engineer runs the following command on Router R1:

R1# show ipv6 interface tunnel 0
Tunnel0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::A8BB:CCFF:FE00:1
  No global unicast address is configured
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:1
  MTU is 1480 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfiguration for addresses.

Based on this output, what is a likely problem?

A.The tunnel interface is down.
B.The tunnel is not configured with a global IPv6 address, which may prevent routing of IPv6 traffic.
C.The MTU is too small for IPv6.
D.IPv6 is not enabled on the tunnel.
AnswerB

No global unicast address means the tunnel cannot be used for IPv6 routing beyond link-local.

Why this answer

The output shows that the tunnel interface has only a link-local address; no global unicast address is configured. Without a global address the tunnel has no address that is reachable or usable as a source beyond the link itself: a ping to the tunnel endpoint from another segment, or a static route whose next hop is the far end's global address, cannot work. Note that IPv6 routing protocols use link-local next hops, so OSPFv3 or EIGRP for IPv6 can still form an adjacency and install routes across a link-local-only tunnel; the exam nevertheless expects the missing global address as the likely problem, and it is a common omission in tunnel configurations where 'tunnel source' and 'tunnel destination' are set but the interface is left unaddressed.

Exam trap

Cisco often tests the misconception that a link-local address alone is sufficient for IPv6 routing, but in fact, global unicast addresses are required for traffic to be routable beyond the local segment.

How to eliminate wrong answers

Option A is wrong because the output clearly states 'Tunnel0 is up, line protocol is up', so the interface is not down. Option C is wrong because the MTU of 1480 bytes is typical for IPv6 tunnels (e.g., GRE or IPv6-in-IPv4) and is not too small; IPv6 requires a minimum MTU of 1280 bytes, so 1480 is sufficient. Option D is wrong because the output explicitly says 'IPv6 is enabled' and shows the link-local address and joined multicast groups, confirming IPv6 is operational on the tunnel.

1336
MCQmedium

A network engineer runs the following command to troubleshoot a route summarization issue:

R1# show ip bgp 10.0.0.0/16
BGP routing table entry for 10.0.0.0/16, version 2
Paths: (1 available, best #1, table default)
  Advertised to update-groups:
     1
  Refresh Epoch 1
  Local, (aggregated by 65000 1.1.1.1)
    10.1.1.2 from 10.1.1.2 (2.2.2.2)
      Origin IGP, metric 0, localpref 100, valid, external, best
      Atomic-aggregate

What does this output indicate?

A.The route 10.0.0.0/16 is an aggregate route, and the atomic-aggregate attribute indicates that the AS path may be incomplete.
B.The route is a normal BGP learned route without summarization.
C.The route is suppressed and not advertised to neighbors.
D.The route is learned via redistribution from OSPF.
AnswerA

The 'aggregated' keyword and 'Atomic-aggregate' attribute confirm this is a summary route with potential AS path loss.

Why this answer

This output shows the BGP table entry for prefix 10.0.0.0/16. The path is marked 'aggregated by 65000 1.1.1.1', meaning router ID 1.1.1.1 in AS 65000 created this summary with 'aggregate-address'. The 'Atomic-aggregate' attribute is set when the aggregating router formed the summary without the 'as-set' keyword, so the AS_PATH information of the contributing more-specific routes was discarded and the prefix carries only the aggregator's own AS; downstream routers are warned that the path attributes are incomplete and must not de-aggregate the prefix, which is exactly what option A describes.

1337
MCQmedium

A network engineer runs the following command to verify IPv6 access-list hits:

R1# show ipv6 access-list FILTER | include matches
    permit ipv6 2001:DB8:1::/48 any sequence 10 (10 matches)
    deny ipv6 2001:DB8:2::/48 any sequence 20 (5 matches)
    permit ipv6 any any sequence 30 (100 matches)

What does this output indicate?

A.5 packets from 2001:DB8:2::/48 have been denied, and 110 packets have been permitted.
B.All packets from 2001:DB8:2::/48 have been permitted.
C.The access list has been applied to an interface but not used.
D.The access list is invalid because of the order of entries.
AnswerA

Correct. 5 matches on the deny entry, and 10+100=110 matches on permit entries.

Why this answer

The output shows the number of packets that matched each entry since the counters were last cleared ('clear ipv6 access-list FILTER'). Sequence 10 has 10 matches and sequence 30 has 100 matches, both permits, for 110 permitted packets; sequence 20 has 5 matches on a deny, so 5 packets from 2001:DB8:2::/48 were dropped. Because entries are evaluated in sequence order with first match winning, the 2001:DB8:2::/48 packets never reach the 'permit ipv6 any any' entry at sequence 30, which is why option B is wrong.

1338
MCQmedium

A network engineer runs the following commands on Router R1:

R1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 192.0.2.10         10.0.0.10          ---                ---
--- 192.0.2.11         10.0.0.11          ---                ---

R1# show ip nat statistics
Total active translations: 2 (0 static, 2 dynamic; 0 extended)
Outside interfaces:
  GigabitEthernet0/1
Inside interfaces:
  GigabitEthernet0/0
Hits: 0  Misses: 10
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id] ip nat pool POOL1 192.0.2.10 192.0.2.20 netmask 255.255.255.240 refcount 2 map-id 1
[Id] ip nat inside source list ACL1 pool POOL1 refcount 2

Based on this output, what is the problem?

A.NAT translations exist but no packets are being translated (0 hits), indicating a possible routing or ACL issue.
B.The NAT pool is exhausted.
C.PAT is enabled but not working.
D.The inside and outside interfaces are reversed.
AnswerA

Zero hits with 10 misses means packets did create translation entries, but nothing afterwards matched those entries: no return traffic and no follow-on packets were translated.

Why this answer

'Misses' counts packets that arrived without a matching translation and therefore triggered the creation of one; 'Hits' counts packets that matched an existing entry. Two dynamic entries exist and there have been 10 misses, so inside hosts are sending, yet hits are zero: no subsequent packet in either direction has used those entries, and CEF has translated nothing.

Check that the outside network has a route back to the pool (192.0.2.10 to 192.0.2.20) pointing at R1, that 'ip nat inside' and 'ip nat outside' are on the interfaces the traffic actually traverses (an asymmetric path around R1 shows up exactly like this), and that ACL1 matches only the sources you intend. The pool is not exhausted (only 2 of its addresses are in use) and the interface roles match the configuration, so options B and D are ruled out by the output itself.

1339
MCQmedium

What is the default LDP keepalive timer value on Cisco IOS-XE routers?

A.180 seconds
B.120 seconds
C.60 seconds
D.300 seconds
AnswerA

The default LDP session keepalive holdtime is 180 seconds.

Why this answer

The value configured with 'mpls ldp holdtime' defaults to 180 seconds on Cisco IOS and IOS-XE: an LDP session is torn down if no LDP PDU arrives from the peer within that time. To keep the session alive when no other messages are exchanged, keepalive messages are sent at one third of the holdtime, every 60 seconds by default. 'show mpls ldp parameters' shows both values (session hold time and keepalive interval), so do not confuse the 60-second send interval with the 180-second timer the question asks about.

1340
MCQhard

In a multi-VRF environment, Router R1 is leaking routes between VRF A and VRF B using route-target import/export. Hosts in VRF A can ping hosts in VRF B, but traffic from VRF B to VRF A fails when NAT is applied on the VRF A egress interface. Configuration: ip nat inside source list 100 interface GigabitEthernet0/1 overload. Router R1 shows: show ip nat translations vrf A: no entries. What is the root cause?

A.The NAT command is missing the 'vrf A' keyword; it should be ip nat inside source list 100 interface GigabitEthernet0/1 vrf A overload.
B.The route leaking is misconfigured; use route-map to filter routes.
C.The access-list 100 is blocking VRF B traffic.
D.The interface GigabitEthernet0/1 is not in VRF A.
AnswerA

Adding the VRF keyword ensures NAT operates within the correct VRF context.

Why this answer

A NAT rule without the 'vrf' keyword applies only to traffic in the global routing table. Because the interfaces involved belong to VRF A, the rule 'ip nat inside source list 100 interface GigabitEthernet0/1 overload' never matches the VRF traffic, no translation is created, and 'show ip nat translations vrf A' stays empty. Adding 'vrf A' to the rule makes NAT operate in that VRF's context; the VRF-A-to-VRF-B direction appeared to work only because it did not depend on the translation.

1341
Multi-Selectmedium

Which TWO statements about configuring login enhancements for device access control on a Cisco IOS router are true? (Choose TWO.)

Select 2 answers
A.The 'login block-for' command specifies the duration (in seconds) that login access is blocked after a threshold of failed attempts is exceeded.
B.The 'login delay' command sets a mandatory delay (in milliseconds) between successive login attempts on a line.
C.The 'login on-failure log' command must be configured for the 'login block-for' command to function.
D.The 'login quiet-mode access-class' command is used to allow only specific IP addresses during the quiet period.
E.The 'login block-for' command can be applied per-line to override global settings.
AnswersA, D

Correct: 'login block-for <seconds> attempts <tries> within <seconds>' defines the quiet period that starts once the failure threshold is reached, and 'login quiet-mode access-class' exempts trusted management hosts from it.

Why this answer

Option A is correct because 'login block-for' specifies, in seconds, how long login access is blocked after the configured number of failed attempts occurs within the watch period (for example 'login block-for 120 attempts 3 within 60'). This is the login enhancements feature's brute-force mitigation: when the number of failed login attempts reaches the configured value within the watch period, the router enters a quiet period. Option D is correct because during that quiet period every login attempt is refused except from sources permitted by the ACL named in 'login quiet-mode access-class', which is how an administrator keeps a way in from the management network while an attacker is locked out.

Exam trap

Cisco often tests the misconception that 'login on-failure log' is a prerequisite for 'login block-for' to work; the blocking function is independent of logging, and 'login on-failure log' only adds syslog messages for failed attempts. The unit of 'login delay' is another trap: it takes a value in seconds (1 to 10, default 1), not milliseconds.

How to eliminate wrong answers

Option B is wrong because 'login delay' sets the delay between successive login attempts in seconds, not milliseconds. Option C is wrong because blocking works without any logging command configured. Option E is wrong because 'login block-for' is a global configuration command that applies to all lines; there is no per-line override.

1342
MCQmedium

A network engineer is troubleshooting a DMVPN phase 2 network where the hub router is not learning the loopback interface routes from the spokes via EIGRP. The spokes have EIGRP configured on the tunnel interface and are advertising their loopback0 interface. The hub's EIGRP neighbor relationship with the spokes is established. However, the hub's routing table does not contain the loopback routes. The engineer checks the spoke's EIGRP configuration and sees that the loopback interface is not included in any network statement. What is the most likely cause?

A.The spoke's EIGRP network statement does not include the loopback subnet.
B.The hub's EIGRP is configured with a distribute-list that filters the loopback routes.
C.The tunnel interface on the spoke has 'no ip split-horizon' configured.
D.The loopback interface on the spoke is in a different VRF than the tunnel interface.
AnswerA

Correct because EIGRP must have a network statement that matches the loopback subnet to advertise it.

Why this answer

EIGRP only advertises networks that are included in a network statement or configured under the EIGRP process. If the loopback interface is not included in a network statement, EIGRP will not advertise it.

1343
MCQmedium

A network engineer runs the following command on Router R1:

R1# show crypto map
Crypto Map "VPN-MAP" 10 ipsec-isakmp
        Peer = 10.1.1.2
        Extended IP access list 100
            access-list 100 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
        Current peer: 10.1.1.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ESP-AES256-SHA,}
        Interfaces using crypto map VPN-MAP:
                Tunnel0

Based on this output, which statement is correct?

A.The crypto map is applied to interface Tunnel0 and uses ACL 100 to define interesting traffic.
B.Perfect Forward Secrecy (PFS) is enabled.
C.The crypto map uses dynamic IPsec peer discovery.
D.The crypto map is not applied to any interface.
AnswerA

The output shows Tunnel0 uses this crypto map and ACL 100 defines the traffic.

Why this answer

The crypto map is applied to Tunnel0 and uses ACL 100 to match traffic from 10.1.1.0/24 to 192.168.1.0/24. This is a typical site-to-site VPN configuration.

1344
Multi-Selecthard

An engineer must configure a Cisco IOS router to log messages to a syslog server at 192.168.1.100 with a severity level of 3 (errors) and above, while also ensuring that console messages are limited to severity 5 (notifications) and above. Which TWO configuration changes are required? (Choose TWO.)

Select 2 answers
A.Configure 'logging host 192.168.1.100' and 'logging trap errors'.
B.Configure 'logging console debugging' to ensure all messages are seen on console.
C.Configure 'logging console notifications'.
D.Configure 'logging buffered errors' to store logs locally.
E.Configure 'logging source-interface Loopback0' to use a specific source IP.
AnswersA, C

Correct. 'logging host 192.168.1.100' specifies the syslog server, and 'logging trap errors' sets the global trap severity to errors (level 3), so messages of severity 3 and higher are sent.

Why this answer

'logging host 192.168.1.100' identifies the syslog server; 'logging trap errors' sets the severity threshold for messages sent to syslog hosts, so levels 0 through 3 (emergencies to errors) are forwarded and notifications and below are not. 'logging console notifications' sets the console threshold independently to level 5, so the console shows levels 0 through 5. The two thresholds do not interact: 'logging trap' controls only the syslog hosts, 'logging console' only the console line.

Option B would set the console to debugging (level 7), the opposite of limiting it. 'logging buffered' affects only the local log buffer, and 'logging source-interface' sets the source IP of the syslog packets without affecting severity; neither is needed to meet the requirement.

1345
MCQhard

What is the default behavior for an IPv4 ACL applied to an outbound interface when the packet is generated by the router itself (e.g., ping from the router)?

A.The outbound ACL filters the packet normally.
B.The packet bypasses the outbound ACL and is forwarded directly.
C.The packet is dropped by the implicit deny.
D.The ACL is applied only if the packet matches a permit statement.
AnswerB

Locally generated packets are not subject to outbound ACL filtering.

Why this answer

When a router generates a packet (e.g., from a ping sourced from its own IP address), the packet is not subject to outbound ACL filtering. Instead, it is forwarded directly out the interface because the ACL is applied only to packets that are routed through the router, not to locally generated traffic. This behavior is consistent with Cisco IOS, where outbound ACLs inspect packets entering the router from another interface, not those originating from the router itself.

Exam trap

Cisco often tests the misconception that outbound ACLs apply to all traffic leaving an interface, including locally generated packets, leading candidates to incorrectly select Option A or C.

How to eliminate wrong answers

Option A is wrong because outbound ACLs do not filter locally generated packets; they only filter packets that are routed through the router from another interface. Option C is wrong because the implicit deny at the end of an ACL applies only to packets that are actually processed by the ACL; locally generated packets bypass the ACL entirely, so they are not dropped by the implicit deny. Option D is wrong because the ACL is not applied at all to locally generated packets, regardless of whether they match a permit statement; the packet is forwarded without ACL inspection.

1346
MCQmedium

Which of the following is the correct formula for EIGRP composite metric calculation using default K values?

A.metric = bandwidth + delay
B.metric = bandwidth * delay
C.metric = bandwidth + delay + reliability
D.metric = bandwidth + delay + load
AnswerA

Correct. With the default K values the composite metric reduces to the scaled bandwidth term plus the scaled delay term.

Why this answer

The full composite metric is metric = [K1 * bandwidth + (K2 * bandwidth) / (256 - load) + K3 * delay] * [K5 / (reliability + K4)], where the second factor is applied only when K5 is non-zero. With the default K values (K1 = 1, K2 = 0, K3 = 1, K4 = 0, K5 = 0) this collapses to metric = bandwidth + delay, where bandwidth is 10^7 divided by the lowest bandwidth on the path in kbit/s and delay is the sum of the interface delays in tens of microseconds; IOS multiplies the result by 256 for the classic 32-bit metric. A T1 link (1544 kbit/s, 20000 us delay) therefore yields (6476 + 2000) * 256 = 2169856.
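The formula above carried through in code, as an added example that is not part of the question bank: the composite metric with all five K values, including the integer scaling IOS applies. The hop values in the usage lines (a T1 at 1544 kbit/s with 20000 us delay, FastEthernet at 100000 kbit/s with 100 us, GigabitEthernet at 1000000 kbit/s with 10 us) are the standard interface defaults.

```python
# Added example (not part of the question bank): the EIGRP classic composite
# metric with the K values made explicit, scaled the way IOS scales it.
# Bandwidth is the slowest hop in kbit/s, delay is the sum of the hop delays
# in microseconds; IOS works in tens of microseconds and multiplies by 256.

DEFAULT_K = (1, 0, 1, 0, 0)  # K1..K5 as shipped; zero K2/K4/K5 disable load and reliability


def eigrp_metric(bandwidths_kbps, delays_us, k=DEFAULT_K, reliability=255, load=1):
    """Classic (32-bit) EIGRP metric for a path made of the given hops.

    bandwidths_kbps: interface bandwidth of each hop (the minimum is used)
    delays_us:       interface delay of each hop in microseconds (summed)
    reliability:     1..255, 255 = fully reliable (only used when K5 != 0)
    load:            1..255, 1 = idle (only used when K2 != 0)
    """
    k1, k2, k3, k4, k5 = k
    bw = 10_000_000 // min(bandwidths_kbps)   # integer division, as IOS does
    dly = sum(delays_us) // 10                # tens of microseconds
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * dly
    if k5:                                    # reliability factor only if K5 is set
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def default_metric(bandwidths_kbps, delays_us):
    """With the default K values the formula collapses to 256 * (bandwidth + delay)."""
    return 256 * (10_000_000 // min(bandwidths_kbps) + sum(delays_us) // 10)


if __name__ == "__main__":
    print("T1:", eigrp_metric([1544], [20000]))                       # 2169856
    print("2 x FastEthernet:", eigrp_metric([100000, 100000], [100, 100]))  # 30720
    print("GigabitEthernet:", eigrp_metric([1000000], [10]))          # 2816
```

The bandwidth term uses integer division, which is why a T1 gives 6476 rather than 6476.68; matching IOS here matters when you compare a computed value against 'show ip eigrp topology'.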

1347
MCQhard

A network engineer is troubleshooting a DMVPN phase 2 network where spoke-to-spoke tunnels are established, but traffic between spokes is intermittently dropped. The engineer captures packets and sees that IPsec packets are being fragmented. The tunnel interface MTU is set to 1400 bytes, and the physical interface MTU is 1500 bytes. The engineer also notices that the IPsec transform set uses ESP with AES-256 and SHA-256. What is the most likely cause of the intermittent drops?

A.The IPsec transform set uses AES-256, which requires more CPU and causes performance drops.
B.The tunnel MTU is set too high for the IPsec overhead, causing fragmentation and potential drops.
C.The physical interface MTU is set to 1500, which is too high for DMVPN.
D.The spokes have different IPsec transform sets configured.
AnswerB

Correct because a 1400-byte tunnel MTU leaves no room for the GRE and IPsec headers once everything is added, so the largest packets are fragmented after encryption and some of those fragments are lost.

Why this answer

Every packet entering the mGRE tunnel gains a GRE header (4 bytes, 8 with a tunnel key), with IPsec in tunnel mode (the IOS default for a transform set) a new outer IP header (20 bytes), and the ESP overhead: a 4-byte SPI, a 4-byte sequence number, a 16-byte IV for AES-CBC, up to 15 bytes of padding to the 16-byte block, a 2-byte trailer and a 16-byte ICV for HMAC-SHA-256, between 42 and 57 bytes in total. A 1400-byte payload can therefore reach 1500 bytes on the wire (1400 + 24 + 20 + 56), exactly the physical MTU, so anything extra (NAT traversal adds an 8-byte UDP header, for example) or any hop with a smaller MTU pushes the encrypted packet past it.

The result is post-encryption IP fragmentation: the receiving spoke must reassemble before it can decrypt, and fragments are lost whenever reassembly resources run out or a device on the path drops non-initial fragments. Only full-size packets are affected, which is why the drops are intermittent rather than total. The usual remedy is 'mode transport' in the transform set, which removes the extra IP header, together with 'ip mtu 1400' and 'ip tcp adjust-mss 1360' on the tunnel interface so that TCP never produces segments that need fragmenting.
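The arithmetic above as an added example, not code from the question bank: it computes the on-the-wire size of a DMVPN packet for a given tunnel 'ip mtu' and the largest tunnel MTU that never needs post-encryption fragmentation. It assumes AES-CBC (16-byte IV and block, as Cisco's 'esp-aes 256'), HMAC-SHA-256 with a 128-bit ICV ('esp-sha256-hmac'), IPv4 transport, and no GRE checksum or sequence options; AES-GCM transform sets have different overhead and are not modelled.

```python
# Added example (not part of the question bank): on-the-wire size of a DMVPN
# packet so the 1400-byte tunnel MTU of question 1347 can be checked against the
# 1500-byte physical MTU instead of estimated. Header sizes follow RFC 4303 (ESP),
# RFC 3602 (AES-CBC, 16-byte IV and block), RFC 4868 (HMAC-SHA-256-128, 16-byte
# ICV), RFC 2784/2890 (GRE) and RFC 3948 (NAT-T UDP encapsulation).

IPV4_HDR = 20
GRE_HDR = 4          # plain GRE; the optional key field adds 4 bytes
UDP_NAT_T = 8        # UDP header inserted between IP and ESP when NAT-T is negotiated
ESP_SPI_SEQ = 8      # SPI (4) + sequence number (4)
AES_BLOCK = 16       # CBC IV length and padding alignment for AES
ESP_TRAILER = 2      # pad length (1) + next header (1)
ICV_SHA256 = 16      # esp-sha256-hmac: HMAC-SHA-256 truncated to 128 bits


def esp_padding(plaintext_len, block=AES_BLOCK):
    """Padding so that plaintext + padding + trailer is a multiple of the block size."""
    return (-(plaintext_len + ESP_TRAILER)) % block


def esp_overhead(plaintext_len, block=AES_BLOCK, icv_len=ICV_SHA256):
    """Bytes ESP adds around plaintext_len bytes: SPI/seq, IV, padding, trailer, ICV."""
    return ESP_SPI_SEQ + block + esp_padding(plaintext_len, block) + ESP_TRAILER + icv_len


def dmvpn_wire_size(tunnel_mtu, *, ipsec_mode="tunnel", gre_key=False, nat_t=False):
    """Outer IPv4 packet size for a tunnel_mtu-byte IP packet entering the mGRE tunnel.

    transport mode: outer IP | [UDP] | ESP | GRE | inner packet
    tunnel mode:    outer IP | [UDP] | ESP | GRE delivery IP | GRE | inner packet
    """
    gre_packet = GRE_HDR + (4 if gre_key else 0) + tunnel_mtu
    if ipsec_mode == "transport":
        protected = gre_packet                 # ESP protects GRE + payload only
    elif ipsec_mode == "tunnel":
        protected = IPV4_HDR + gre_packet      # ESP protects the whole GRE/IP packet
    else:
        raise ValueError(f"unknown ipsec mode {ipsec_mode!r}")
    return IPV4_HDR + (UDP_NAT_T if nat_t else 0) + protected + esp_overhead(protected)


def max_tunnel_mtu(phys_mtu=1500, **encap):
    """Largest tunnel 'ip mtu' whose encapsulated packets never exceed phys_mtu.

    The wire size is non-decreasing in the payload size, so the first value that
    fits when counting down from phys_mtu is the maximum.
    """
    mtu = phys_mtu
    while mtu > 0 and dmvpn_wire_size(mtu, **encap) > phys_mtu:
        mtu -= 1
    return mtu


if __name__ == "__main__":
    for mode in ("tunnel", "transport"):
        for nat in (False, True):
            size = dmvpn_wire_size(1400, ipsec_mode=mode, nat_t=nat)
            best = max_tunnel_mtu(1500, ipsec_mode=mode, nat_t=nat)
            print(f"{mode:9} nat_t={nat!s:5} ip mtu 1400 -> {size} bytes on the wire; "
                  f"largest safe ip mtu {best}")
```

Run as a script it shows why the question's setup is marginal: in tunnel mode a 1400-byte payload lands on exactly 1500 bytes, in transport mode on 1468, and as soon as NAT-T adds its UDP header the tunnel-mode packet grows to 1508 and must be fragmented.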

1348
MCQmedium

A network engineer runs the following command to troubleshoot an EIGRP issue:

R1# debug eigrp packets hello
*Mar  1 00:05:23.123: EIGRP: received packet with MD5 authentication, key id = 1
*Mar  1 00:05:23.123: EIGRP: int GigabitEthernet0/0, src 10.1.1.2 dst 224.0.0.10, seq 0, ttl 1, opcode = 1 (Hello)
*Mar  1 00:05:23.123: EIGRP: authentication failed for packet from 10.1.1.2, key id = 1, integrity check failed

What does this output indicate?

A.The EIGRP neighbor relationship is up, but authentication is failing intermittently.
B.The MD5 key ID or key string does not match between R1 and 10.1.1.2, preventing neighbor formation.
C.EIGRP is using plain-text authentication and the key is incorrect.
D.The neighbor 10.1.1.2 is not configured for EIGRP authentication.
AnswerB

The integrity check failure indicates a key mismatch, which blocks neighbor adjacency.

Why this answer

The debug shows a received EIGRP Hello carrying MD5 authentication with key id 1, and the integrity check on that packet fails. Because both sides are using key id 1, the mismatch is most likely in the key string configured under that ID in the key chain on R1 or on 10.1.1.2; the Hello is discarded, so the neighbor is never formed (option A is wrong: an adjacency cannot be up while every Hello fails authentication). Compare the key chain on both routers and verify that the interface has 'ip authentication mode eigrp <as> md5' and 'ip authentication key-chain eigrp <as> <chain>' referencing the intended chain.

1349
Multi-Selecthard

Which THREE commands can be used to verify the operation and effectiveness of a CoPP policy on a Cisco IOS router? (Choose THREE.)

Select 3 answers
A.show policy-map control-plane
B.show control-plane
C.show access-lists
D.show ip route
E.show interfaces
AnswersA, B, C

Correct. This command displays the CoPP policy and per-class packet/drop statistics.

Why this answer

Common verification commands for CoPP include 'show policy-map control-plane' to view per-class statistics, 'show control-plane' to see aggregate control plane statistics, and 'show access-lists' to verify that ACLs used in CoPP are matching the intended traffic. 'show ip route' shows routing information, not CoPP statistics. 'show interfaces' shows interface counters, not control plane policing details.
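A check for the policy in question 1328 and for the verification commands in this question, as an added example that is not part of the question bank: it parses the text of 'show policy-map control-plane' and reports which classes are dropping packets. The SAMPLE output is constructed to resemble IOS output for COPP-POLICY (the counters are invented), and the exact layout varies between releases, so the regular expressions may need adjusting for real output.

```python
# Added example (not part of the question bank): parse 'show policy-map
# control-plane' output and flag classes whose policer is dropping packets.
# SAMPLE is constructed to resemble IOS output for the COPP-POLICY of question
# 1328; the counters are invented and the exact layout varies by release.
import re

SAMPLE = """\
Control Plane

  Service-policy input: COPP-POLICY

    Class-map: COPP-BGP (match-all)
      1532 packets, 122560 bytes
      5 minute offered rate 2000 bps, drop rate 1000 bps
      Match: access-group 101
      police:
          cir 48000 bps, bc 1500 bytes
        conformed 1201 packets, 96080 bytes; actions:
          transmit
        exceeded 331 packets, 26480 bytes; actions:
          drop
        conformed 1000 bps, exceeded 1000 bps

    Class-map: class-default (match-any)
      9876 packets, 1234500 bytes
      5 minute offered rate 3000 bps, drop rate 0000 bps
      Match: any
      police:
          cir 128000 bps, bc 4000 bytes
        conformed 9876 packets, 1234500 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 3000 bps, exceeded 0000 bps
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\((match-all|match-any)\)")
CIR_RE = re.compile(r"^\s*cir\s+(\d+)\s+bps")
COUNTER_RE = re.compile(r"^\s*(conformed|exceeded|violated)\s+(\d+)\s+packets,\s+(\d+)\s+bytes;")
ACTION_RE = re.compile(r"^\s*(transmit|drop)\s*$")   # the line after 'actions:'


def parse_copp(text):
    """Return {class_name: {"cir_bps", "buckets", "drop_ratio"}}.

    buckets maps conformed/exceeded/violated to packets, bytes and the action
    taken, so drops are counted only where the configured action really is drop.
    """
    classes, cur, pending = {}, None, None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            cur = classes[m.group(1)] = {"cir_bps": None, "buckets": {}, "drop_ratio": 0.0}
            pending = None
            continue
        if cur is None:
            continue
        m = CIR_RE.match(line)
        if m:
            cur["cir_bps"] = int(m.group(1))
            continue
        m = COUNTER_RE.match(line)
        if m:
            pending = m.group(1)
            cur["buckets"][pending] = {"packets": int(m.group(2)),
                                       "bytes": int(m.group(3)), "action": None}
            continue
        m = ACTION_RE.match(line)
        if m and pending:
            cur["buckets"][pending]["action"] = m.group(1)
            pending = None
    for stats in classes.values():
        total = sum(b["packets"] for b in stats["buckets"].values())
        dropped = sum(b["packets"] for b in stats["buckets"].values() if b["action"] == "drop")
        stats["drop_ratio"] = dropped / total if total else 0.0
    return classes


def flag_policed_classes(classes, max_drop_ratio=0.01, ignore=("class-default",)):
    """Names of classes dropping more than max_drop_ratio of their packets.

    class-default is ignored by default: drops there are the policy doing its
    job, whereas drops in a routing-protocol class mean the CIR is too low for
    the legitimate load (or the control plane is under attack) and need a look.
    """
    return sorted(name for name, s in classes.items()
                  if name not in ignore and s["drop_ratio"] > max_drop_ratio)


if __name__ == "__main__":
    stats = parse_copp(SAMPLE)
    for name, s in stats.items():
        print(f"{name}: cir {s['cir_bps']} bps, drop ratio {s['drop_ratio']:.1%}")
    print("classes to investigate:", flag_policed_classes(stats))
```

On the constructed output the BGP/OSPF/LDP class is dropping about 22% of its packets at 48000 bps while class-default drops nothing, which is the signature of a CIR set below the legitimate control-plane load rather than of an attack; 'show access-lists' then confirms which ACL entries are actually being hit.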

1350
MCQhard

An engineer configures a distribute-list on an OSPF router to filter routes. However, the routes are still being advertised to neighbors. Which is the most likely explanation?

A.The distribute-list filters routes in the routing table, not the LSAs sent in OSPF updates.
B.The distribute-list is applied to the wrong interface.
C.The distribute-list uses an incorrect prefix-list.
D.The OSPF process needs to be restarted for the distribute-list to take effect.
AnswerA

OSPF distribute-lists control which routes the local router installs in its routing table, not which LSAs it floods.

Why this answer

An OSPF 'distribute-list ... in' filters routes between the link-state database and the routing table: the local router can refuse to install a prefix, but the LSA stays in its database and is still flooded to neighbors, because OSPF propagates topology with LSAs rather than advertising routes one by one. 'distribute-list ... out' in OSPF only affects routes redistributed into OSPF on an ASBR (the Type 5 LSAs it originates) and does not filter internal routes at all. To keep prefixes away from neighbors you need an LSA-level tool: 'area ... filter-list' or 'area ... range ... not-advertise' on an ABR, or 'summary-address ... not-advertise' on an ASBR.
