Cisco CCNP ENARSI 300-410 (300-410) — Questions 76-150

2152 questions total · 29 pages · All types, answers revealed

Page 2 of 29

76
MCQ · medium

What is the problem with this NAT configuration?

```
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
access-list 1 permit 192.168.1.0 0.0.0.255
```

A. The ACL is too permissive; it should only permit specific hosts.
B. The interface GigabitEthernet0/1 is missing the 'ip nat outside' command.
C. The 'overload' keyword is unnecessary for this configuration.
D. The inside interface should be GigabitEthernet0/1.
Answer: B

Without 'ip nat outside', the router does not know which interface is the outside for NAT.

Why this answer

The outside interface (GigabitEthernet0/1) is missing the 'ip nat outside' command, which is required for NAT to function.

77
MCQ · easy

An engineer applies a CoPP policy to a router to protect the control plane from a DDoS attack. The policy includes a class-map matching UDP traffic to port 123 (NTP) and polices it to 1000 bps. After the policy is applied, the engineer notices that the router's clock is not synchronizing with its NTP server. The NTP server is reachable via ping. What is the most likely cause?

A. The CoPP policy is dropping NTP packets because the police rate is too low.
B. The NTP server is not responding because of the DDoS attack.
C. The CoPP class-map is not matching NTP packets because it uses the wrong port number.
D. The router's NTP configuration has a wrong server IP address.
Answer: A

NTP packets are small, but if the police rate is too low, they can be dropped, causing synchronization failure.

Why this answer

NTP uses UDP port 123. The CoPP policy is rate-limiting NTP traffic to 1000 bps, which may be too low for NTP packets, especially if there are multiple NTP packets or if the burst is high. This causes NTP packets to be dropped, preventing clock synchronization.

78
MCQ · easy

A network engineer runs the following command to verify DHCPv4 server bindings on router R1:

```
R1# show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type
                Hardware address/
                User name
192.168.1.10    0050.7966.6800          Mar 01 2025 12:00 PM    Automatic
192.168.1.11    0063.6973.636f.2d30     Mar 01 2025 01:00 PM    Automatic
192.168.1.12    0100.1a.2b.3c.4d.5e     Mar 01 2025 02:00 PM    Automatic
```

What does this output indicate?

A. The DHCP server has three static bindings configured.
B. The DHCP server has dynamically assigned three IP addresses to clients.
C. The DHCP server is out of IP addresses because all bindings are in use.
D. The DHCP server is using relay agents because the client IDs are long hexadecimal strings.
Answer: B

Each entry shows an IP address, client identifier, lease expiration, and type 'Automatic', confirming dynamic assignments.

Why this answer

The show ip dhcp binding command displays active DHCP bindings. The output shows three active leases with IP addresses, client identifiers (MAC addresses or relay-agent IDs), lease expiration times, and the type (Automatic meaning dynamically assigned).

79
MCQ · hard

An engineer configures an IPv6 manual tunnel between two routers. The tunnel comes up and pings succeed, but OSPFv3 over the tunnel fails to form an adjacency, stuck in EXSTART state. MTU is set to 1500 on all physical interfaces. What is the most likely cause?

A. The tunnel interface MTU must be explicitly set to 1500 to match the physical interface.
B. The tunnel mode is incorrectly set to ipv6ip instead of gre; GRE adds additional overhead.
C. OSPFv3 uses the tunnel MTU (1460) for its packet size, but the physical interface MTU is 1500, causing the adjacency to stall.
D. The tunnel source interface has a different OSPF area than the tunnel interface, preventing adjacency.
Answer: C

OSPFv3 uses the interface MTU for database description packets. The tunnel MTU is 1460, but the physical path can only handle 1500 bytes including the outer header, leading to a mismatch.

Why this answer

In an IPv6 manual tunnel (IPv6-in-IPv4), the tunnel interface has a default MTU of 1480 bytes (1500 minus 20-byte IPv4 header). OSPFv3 uses the tunnel MTU to determine the size of Database Description (DBD) packets during the EXSTART state. When the physical interface MTU is 1500, the tunnel MTU of 1480 causes OSPFv3 DBD packets to be fragmented or dropped, preventing the adjacency from progressing beyond EXSTART.

Setting the tunnel MTU to 1480 or adjusting OSPFv3's ipv6 mtu-ignore can resolve this.

Exam trap

Cisco often tests the subtlety that OSPFv3 adjacency stalls in EXSTART due to MTU mismatch, where candidates mistakenly think the issue is with tunnel mode or OSPF area configuration rather than the default tunnel MTU reduction from encapsulation overhead.

How to eliminate wrong answers

Option A is wrong because setting the tunnel MTU to 1500 would exceed the physical interface's ability to encapsulate the IPv4 header, causing fragmentation or packet loss; the tunnel MTU must be reduced to account for encapsulation overhead. Option B is wrong because 'ipv6ip' is the correct tunnel mode for an IPv6 manual tunnel (RFC 4213), and GRE is not required; GRE would add additional overhead (4 bytes) and is not the default for manual tunnels. Option D is wrong because OSPFv3 adjacency formation does not require the tunnel source interface and tunnel interface to be in the same OSPF area; the tunnel interface is a separate OSPF interface, and area mismatch between interfaces does not cause EXSTART state issues.

80
MCQ · hard

An engineer configures iBGP between two routers in the same AS. The routes learned via iBGP are not being installed in the routing table, even though the next-hop is reachable. The IGP is OSPF and the routes are present in the BGP table. Which is the most likely explanation?

A. The next-hop-self command is missing on the iBGP neighbor configuration.
B. The BGP synchronization rule is enabled, and the IGP does not have a route for the same prefix.
C. The administrative distance of iBGP (200) is higher than OSPF (110), so OSPF routes are preferred.
D. The BGP table indicates the route is valid but the best path selection fails due to missing MED.
Answer: B

With synchronization enabled, iBGP routes are not installed unless the IGP also knows about the prefix.

Why this answer

The BGP synchronization rule (disabled by default in modern IOS) requires that, for a route learned via iBGP to be considered valid, the same prefix must also be present in the IGP routing table. If synchronization is enabled and the IGP does not carry the prefix, the route is not installed.

81
MCQ · hard

A network engineer configures a 6to4 tunnel between two sites. The tunnel works for traffic from Site A to Site B, but return traffic from Site B to Site A fails. Both sites have IPv4 connectivity. What is the most likely explanation?

A. Site B's IPv4 address is private and not reachable from Site A; 6to4 requires public IPv4 addresses on both ends.
B. The tunnel mode on Site B is configured as GRE IPv6 instead of 6to4.
C. The IPv6 MTU on the tunnel is set too high, causing fragmentation of return packets.
D. Site A has a firewall blocking incoming IPv4 protocol 41 packets.
Answer: A

6to4 requires globally routable IPv4 addresses on both tunnel endpoints. If Site B uses a private address behind NAT, the return traffic cannot be encapsulated correctly.

Why this answer

6to4 tunnels require both endpoints to have globally routable public IPv4 addresses because the tunnel encapsulation uses the IPv4 address to derive the IPv6 prefix (2002::/16). If Site B has a private IPv4 address (e.g., 10.x.x.x or 192.168.x.x), Site A cannot route return traffic to it, as private addresses are not reachable over the public Internet. This explains why traffic from Site A to Site B works (Site A's public address is reachable), but return traffic fails.

Exam trap

Cisco often tests the misconception that 6to4 tunnels can work with private IPv4 addresses if NAT is involved, but 6to4 does not support NAT traversal because the IPv4 address is embedded in the IPv6 prefix, making it incompatible with address translation.

How to eliminate wrong answers

Option B is wrong because GRE IPv6 tunnel mode (tunnel mode gre ipv6) encapsulates IPv6 packets in GRE over IPv4, which is a different mechanism than 6to4; it does not use the 2002::/16 prefix or require public IPv4 addresses, so it would not cause the described asymmetric failure. Option C is wrong because an MTU mismatch causing fragmentation would typically result in packet drops or ICMP fragmentation-needed messages in both directions, not a unidirectional failure; 6to4 tunnels have a default MTU of 1280 bytes, and while fragmentation can occur, it would not selectively block return traffic. Option D is wrong because if Site A's firewall were blocking incoming IPv4 protocol 41 (the 6to4 encapsulation protocol), then traffic from Site B to Site A would fail, but the question states that traffic from Site A to Site B works, which also uses protocol 41 in the opposite direction; a firewall blocking inbound protocol 41 would affect return traffic, but this scenario is less likely than the fundamental addressing issue described in option A.

82
MCQ · medium

A network engineer runs the following command on Router R1:

```
R1# show ipv6 interface gigabitethernet 0/0 | include uRPF
  IPv6 uRPF: strict mode (allow default route)
```

Based on this output, what is the uRPF configuration on this interface?

A. uRPF is disabled
B. uRPF is enabled in strict mode with allow-default
C. uRPF is enabled in loose mode
D. uRPF is enabled but only for multicast
Answer: B

The output confirms strict mode uRPF with the allow-default option.

Why this answer

The command output explicitly shows 'IPv6 uRPF: strict mode (allow default route)', which confirms that uRPF is enabled in strict mode with the allow-default option. This configuration validates that the source address of incoming packets must have a matching route in the FIB pointing back to the same interface, and the allow-default keyword permits the use of a default route as a valid reverse path, which is necessary in scenarios where a default route is the only route to the source.

Exam trap

Cisco often tests the distinction between strict and loose uRPF modes, and the trap here is that candidates may overlook the 'allow default route' phrase and incorrectly assume that strict mode always drops packets matching a default route, or they may confuse strict mode with loose mode when the output explicitly states 'strict'.

How to eliminate wrong answers

Option A is wrong because the output clearly shows 'IPv6 uRPF: strict mode', indicating uRPF is enabled, not disabled. Option C is wrong because the output specifies 'strict mode', not 'loose mode'; loose mode only requires a matching route in the FIB regardless of the incoming interface. Option D is wrong because uRPF is applied to all IPv6 unicast traffic, not only multicast; multicast uRPF is a separate feature and is not indicated in the output.

83
MCQ · medium

A network engineer runs the following command to verify IPv6 uRPF on an interface:

```
R1# show ipv6 interface GigabitEthernet0/0 | include verify|suppress
  IPv6 verify source: strict
  IPv6 verify source suppress: disabled
```

What does this output indicate?

A. Strict uRPF is enabled, and no suppression is configured, so all incoming packets are subject to strict verification.
B. Loose uRPF is enabled with suppression.
C. uRPF is disabled on this interface.
D. Suppression is enabled, so uRPF checks are bypassed.
Answer: A

Correct. Strict uRPF is active and no exceptions are configured.

Why this answer

The output shows strict uRPF is enabled and the suppress feature is disabled. Suppress allows uRPF to be bypassed for certain traffic (e.g., from known sources).

84
MCQ · medium

A network engineer configures the following on a router:

```
router eigrp 100
 distance 150 10.0.0.0 0.255.255.255
```

What is the intended effect?

A. It sets the administrative distance for all EIGRP routes to 150.
B. It sets the administrative distance to 150 for routes learned from any neighbor whose source IP matches the wildcard mask 0.255.255.255.
C. It sets the administrative distance to 150 for all routes in the routing table with destination 10.0.0.0/8.
D. It sets the administrative distance to 150 for EIGRP external routes only.
Answer: B

The ACL is applied to the source IP of the route.

Why this answer

The `distance` command with an access-list qualifier sets AD for routes matching the ACL. Here, routes from the 10.0.0.0/8 range will have AD 150.

85
MCQ · medium

What is the default EIGRP hold time multiplier relative to the hello interval?

A. Hold time equals hello interval
B. Hold time is twice the hello interval
C. Hold time is three times the hello interval
D. Hold time is four times the hello interval
Answer: C

Correct. Default hold time = 3 * hello interval (e.g., 15 seconds for 5-second hello).

Why this answer

By default, EIGRP sets the hold time to three times the hello interval. This ensures that a few missed hellos do not immediately cause neighbor loss.

86
Multi-Select · hard

Which THREE commands can be used to verify the operational state of a BFD session? (Choose THREE.)

Select 3 answers
A. show bfd neighbors
B. show bfd interface details
C. show bfd session
D. show ip ospf bfd
E. show bfd peer
Answers: A, B, C

Correct. The show bfd neighbors command lists all BFD neighbors and their current session state (Up, Down, etc.).

Why this answer

The show bfd neighbors command displays all BFD neighbors and their session states. show bfd interface details shows BFD configuration and state per interface. show bfd session displays detailed session information including timers and statistics. show ip ospf bfd is not a valid command; the correct command is show ip ospf [interface] to see BFD status. show bfd peer is a valid command on some platforms but is less common; show bfd neighbors is preferred.

87
MCQ · medium

A network engineer runs the following command to troubleshoot SNMP access lists:

```
R1# show snmp access
Access-list: 10    Community: public     View: v1default
Access-list: 20    Community: private    View: v1default
```

What does this output indicate?

A. SNMP access is controlled by ACLs: ACL 10 for 'public' and ACL 20 for 'private'.
B. No ACLs are applied to SNMP, so all access is allowed.
C. The router uses SNMPv3 exclusively.
D. The 'public' community has read-write access.
Answer: A

The output shows the mapping between ACLs and communities.

Why this answer

The show snmp access command displays SNMP access control lists. The output shows that access-list 10 is used for community 'public' and access-list 20 for community 'private', both using view 'v1default'.

88
MCQ · hard

A network engineer configures an IPv6 over IPv4 GRE tunnel with IPsec using a crypto map. The tunnel works for unicast traffic, but OSPFv3 over the tunnel fails to form adjacency. The engineer checks the crypto map and sees that it only matches traffic with a specific access-list. What is the most likely explanation?

A. The crypto map access-list must include IPv6 protocol 89 (OSPF) to encrypt OSPFv3 packets; otherwise, they are sent in the clear and may be dropped.
B. OSPFv3 cannot be encrypted with IPsec; it requires a separate encryption mechanism.
C. The GRE tunnel interface must be configured with 'tunnel protection ipsec' instead of a crypto map.
D. The crypto map is applied to the physical interface instead of the tunnel interface.
Answer: A

OSPFv3 uses IPv6 protocol 89. If the access-list does not match this protocol, OSPFv3 packets are not protected and may be discarded by the remote IPsec policy.

Why this answer

OSPFv3 uses IPv6 protocol number 89 for its packets. When a crypto map is applied with an access-list that only matches specific traffic (e.g., unicast data), OSPFv3 packets (protocol 89) are not matched and are sent unencrypted. If the IPsec peer is configured to drop unencrypted traffic or if the GRE tunnel requires all traffic to be encrypted, OSPFv3 adjacency fails.

Adding protocol 89 to the access-list ensures OSPFv3 packets are encrypted and processed correctly.

Exam trap

Cisco often tests the misconception that OSPFv3 cannot be encrypted with IPsec or that the crypto map must be applied to the tunnel interface, when the real issue is that the access-list used by the crypto map must explicitly include the OSPFv3 protocol (89) to encrypt routing updates.

How to eliminate wrong answers

Option B is wrong because OSPFv3 can be encrypted with IPsec; in fact, IPsec is commonly used to protect OSPFv3 routing updates over tunnels. Option C is wrong because 'tunnel protection ipsec' is a valid alternative to a crypto map, but using a crypto map is also correct; the issue is the access-list not matching OSPFv3, not the method of applying IPsec. Option D is wrong because the crypto map is correctly applied to the physical interface (the tunnel source/destination) to protect GRE-encapsulated traffic; applying it to the tunnel interface would not encrypt the outer IP headers.

89
MCQ · hard

An engineer configures DMVPN Phase 2 on a hub-and-spoke network for an MPLS L3VPN customer. The spokes are configured with a single tunnel interface and use NHRP to register with the hub. The engineer notices that spoke-to-spoke traffic is not being established, even though the spokes have each other's NHRP mappings. The engineer verifies that the tunnel interfaces are up and that the hub can reach all spokes. What is the most likely explanation?

A. The spokes have a default route pointing to the hub, which prevents them from using the direct spoke-to-spoke tunnel.
B. The 'ip nhrp authentication' string is mismatched between the spokes.
C. The tunnel mode is set to 'gre multipoint' on the spokes, which is not supported in Phase 2.
D. The 'ip nhrp map multicast' command is missing on the spokes, preventing multicast traffic.
Answer: A

Correct. In Phase 2, spokes must have a route that allows them to use the tunnel for direct communication; a default route to the hub will force traffic through the hub.

Why this answer

In DMVPN Phase 2, spoke-to-spoke tunnels are established dynamically using NHRP redirect and shortcut. However, a common edge case is that the spokes must have a route that points to the destination network via the tunnel interface. If the spokes have a default route or a summary route that points to the hub (Phase 1 behavior), they will not use the direct spoke-to-spoke tunnel.

In Phase 2, the hub must send an NHRP redirect to the source spoke, and the source spoke must then send an NHRP resolution request to the destination spoke. If the spokes have a static route that forces traffic through the hub, the NHRP redirect will not work. Additionally, the 'ip nhrp redirect' command must be configured on the hub, and 'ip nhrp shortcut' on the spokes.

90
MCQ · medium

What is the default administrative distance of an Enhanced Interior Gateway Routing Protocol (EIGRP) summary route?

A. 90
B. 170
C. 5
D. 1
Answer: C

Cisco IOS assigns an AD of 5 to EIGRP summary routes to ensure they are preferred over other routes.

Why this answer

EIGRP summary routes have a default administrative distance of 5, which is lower than the standard EIGRP internal distance of 90 and EIGRP external distance of 170.

91
MCQ · hard

A router is configured with uRPF (Unicast Reverse Path Forwarding) in strict mode on an interface that belongs to a VRF. The network uses asymmetric routing for load balancing. The engineer notices that legitimate traffic from a customer is being dropped. Which is the most likely explanation?

A. The uRPF strict mode requires that the source IP address be reachable via the same interface, but asymmetric routing causes the return path to use a different interface.
B. The uRPF loose mode is configured instead of strict mode, which only checks that a route exists for the source IP, not the interface.
C. The VRF has a default route that points to the incoming interface, causing uRPF to always succeed.
D. The 'ip verify unicast source reachable-via any' command is used, which is the loose mode, not strict.
Answer: A

Strict uRPF fails if the best route to the source is not via the incoming interface. Asymmetric routing violates this assumption.

Why this answer

Strict uRPF checks that the source IP address of incoming packets has a route in the routing table that points back to the same interface. In asymmetric routing, the return path may be different (e.g., out another interface), so the source IP may not have a route back to the incoming interface. This causes legitimate traffic to be dropped.

The edge case is that uRPF strict mode does not account for asymmetric routing, while loose mode does.

92
MCQ · hard

A network engineer enables IPv6 First Hop Security with 'ipv6 dhcp guard' on a switch port connected to a legitimate DHCPv6 server. Clients on other ports receive DHCPv6 replies, but the server's port is being err-disabled repeatedly. The engineer checks the logs and sees DHCPv6 server advertisements being dropped. What is the most likely cause?

A. The port is not configured as 'trusted' for DHCPv6 Guard, causing all server advertisements to be dropped.
B. The DHCPv6 server is sending messages with an invalid DUID.
C. DHCPv6 Guard only works with stateful DHCPv6, not stateless.
D. The switch is running an older IOS version that does not support DHCPv6 Guard.
Answer: A

DHCPv6 Guard requires explicit trust for server ports.

Why this answer

DHCPv6 Guard by default blocks all DHCPv6 server advertisements (Reply and Advertise messages) from untrusted ports. If the port connected to the legitimate DHCPv6 server is not explicitly configured as 'trusted', the switch will drop the server's messages and may err-disable the port due to violation. The edge case is that the default behavior for DHCPv6 Guard is to treat all ports as untrusted, so even a legitimate server must be manually trusted.

93
MCQ · easy

A network engineer runs the following command to troubleshoot a BGP prefix issue:

```
R1# show bgp ipv4 unicast 192.168.10.0/24
BGP routing table entry for 192.168.10.0/24, version 5
Paths: (1 available, best #1, table default)
  Advertised to update-groups:
     1
  Refresh Epoch 1
  Local
    10.1.1.2 from 10.1.1.2 (2.2.2.2)
      Origin IGP, metric 0, localpref 100, valid, external, best
      rx pathid: 0, tx pathid: 0x0
```

What does this output indicate?

A. The prefix is learned via eBGP and is the best path.
B. The prefix is learned via iBGP and is not the best path.
C. The prefix is suppressed and not advertised to peers.
D. The prefix is invalid due to missing next-hop reachability.
Answer: A

The output shows 'valid, external, best', confirming it is the best eBGP route.

Why this answer

The output shows that the prefix 192.168.10.0/24 is learned via eBGP from neighbor 10.1.1.2 (router ID 2.2.2.2). It is marked as valid, external, and best, meaning it is installed in the routing table.

94
MCQ · hard

An engineer configures MPLS forwarding on a router. The MPLS LDP neighbors are established, but some prefixes are not being assigned labels. The engineer checks the 'show mpls ldp bindings' and sees that the prefixes are missing. What is the most likely explanation?

A. The prefix is learned via BGP, and LDP does not assign labels to BGP routes by default.
B. The 'mpls ldp advertise-labels' command is configured to deny the prefix.
C. The 'mpls ldp label' command is missing on the interface.
D. The 'tag-switching' is not enabled globally.
Answer: A

LDP by default only assigns labels to IGP routes (OSPF, EIGRP, IS-IS). BGP routes are not labeled unless 'mpls ldp autoconfig bgp' or 'label-distribution' is configured for BGP.

Why this answer

MPLS LDP assigns labels to prefixes that are in the routing table and are IGP routes. If a prefix is learned via BGP, LDP will not assign a label to it by default unless 'mpls ldp autoconfig' or 'label-distribution' is configured for BGP. Additionally, if the prefix is a connected route or a static route, LDP may not assign a label unless explicitly configured.

The edge case is that the prefix is a BGP route, and LDP does not label BGP routes by default.

95
MCQ · medium

A network engineer runs the following command to troubleshoot an EEM issue:

```
R1# show event manager policy active
No.  Class   Type    Version  Time Created           Name
1    applet  system  1.0      Mar 1 00:00:12 2025    TRACK-INTERFACE
  Event Type: syslog (pattern OSPF-5-ADJCHG)
  Action: cli command 'show ip route'
```

What does this output indicate?

A. The EEM applet 'TRACK-INTERFACE' is active and will execute 'show ip route' when a syslog message matching 'OSPF-5-ADJCHG' is generated.
B. The EEM applet 'TRACK-INTERFACE' is currently executing and has run 'show ip route'.
C. The EEM applet 'TRACK-INTERFACE' has been triggered and the output of 'show ip route' is displayed.
D. The EEM applet 'TRACK-INTERFACE' is inactive and needs to be enabled.
Answer: A

Correct. The output shows the applet is active, triggered by syslog pattern OSPF-5-ADJCHG, and will execute the CLI command 'show ip route'.

Why this answer

The output shows active EEM policies that are currently enabled and waiting for their trigger events. It displays the applet name, class, type, version, creation time, the event that triggers it, and the actions it will execute. This helps verify that an applet is active and what it does.

96
Multi-Select · hard

Which TWO configuration changes are required to enable IPsec site-to-site VPN with IKEv2 and pre-shared keys on a Cisco IOS router? (Choose TWO.)

Select 2 answers
A. Configure an IKEv2 keyring with the pre-shared key and peer IP address.
B. Apply the 'crypto isakmp key' command globally for the peer.
C. Create an IKEv2 profile that references the keyring.
D. Define a transform set under the IKEv2 policy.
E. Use the 'crypto map' command to reference the IKEv2 profile.
Answers: A, C

Correct. The keyring defines the pre-shared key and associates it with the peer.

Why this answer

A is correct because IKEv2 uses a keyring to store pre-shared keys (PSKs) and associate them with specific peer IP addresses, replacing the legacy 'crypto isakmp key' command used in IKEv1. The keyring is then referenced by an IKEv2 profile, which binds the authentication method and other parameters to the VPN session.

Exam trap

Cisco often tests the distinction between IKEv1 and IKEv2 commands, and the trap here is that candidates familiar with IKEv1 mistakenly select the 'crypto isakmp key' or 'crypto map' options, not realizing IKEv2 requires a keyring and IPsec profile instead.

97
MCQ · hard

R1 and R2 are running EIGRP with IPsec site-to-site VPN over a WAN link. The tunnel interface is used for the VPN. R1's EIGRP configuration includes a distribute-list out that filters prefix 192.168.1.0/24. R2's show ip eigrp topology shows the prefix as active but never transitions to passive. R2's show ip route does not have 192.168.1.0/24. What is the root cause?

A. R1's distribute-list out under EIGRP is filtering the prefix 192.168.1.0/24 from being advertised to R2.
B. EIGRP split-horizon is enabled on the tunnel interface.
C. The IPsec tunnel is dropping EIGRP multicast packets.
D. R2 has a passive interface configured for the tunnel.
Answer: A

The distribute-list out on R1 prevents the prefix from being sent to R2, so R2 never receives the route and the prefix stays in active state.

Why this answer

The distribute-list out command on R1 filters the prefix 192.168.1.0/24 from being included in EIGRP updates sent to R2. Since R2 never receives the route, it remains in an active state (query state) because it is still waiting for a reply from R1, and it never transitions to passive. This directly explains why the prefix is missing from R2's routing table.

Exam trap

Cisco often tests the distinction between a route being filtered out (distribute-list) versus a neighbor relationship failing (passive interface or multicast drop), leading candidates to incorrectly attribute the active state to connectivity issues rather than a route advertisement filter.

How to eliminate wrong answers

Option B is wrong because EIGRP split-horizon is disabled by default on tunnel interfaces (since they are point-to-point), and even if enabled, it would prevent routes learned from the tunnel from being advertised back out the same interface, not block a locally connected prefix from being advertised. Option C is wrong because if the IPsec tunnel were dropping EIGRP multicast packets (224.0.0.10), R2 would not see any EIGRP neighbors or updates, but the topology table shows the prefix as active, indicating neighbor adjacency is up and queries are being exchanged. Option D is wrong because a passive interface on R2 would prevent EIGRP from sending or receiving hellos on the tunnel, breaking the neighbor relationship entirely, yet the active topology entry proves the neighbor adjacency exists.

98
MCQ · medium

Consider the following DMVPN configuration on a hub router:

```
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp network-id 100
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
!
router eigrp 100
 network 10.0.0.0 0.0.0.255
!
```

What is a potential issue with this configuration?

A. EIGRP split-horizon is enabled by default on the tunnel interface, preventing spokes from learning routes from other spokes.
B. The NHRP authentication is missing on the spokes.
C. The tunnel mode should be 'gre ip' instead of 'gre multipoint'.
D. The EIGRP network statement is too broad.
Answer: A

Split-horizon prevents the hub from advertising routes learned from one spoke to another spoke, which is a common issue in DMVPN.

Why this answer

EIGRP over DMVPN requires split-horizon to be disabled on the hub's tunnel interface to allow spokes to learn routes from other spokes.

99
MCQ · medium

Given the following partial configuration on a Cisco IOS-XE router:

```
logging host 10.1.1.1 transport tcp port 514
logging source-interface GigabitEthernet0/1
logging on
```

What is missing or incorrect in this configuration?

A. The configuration is correct; no changes are needed.
B. The 'logging on' command is redundant because logging is enabled by default.
C. The syslog server must support TCP syslog, which is not defined in RFC 3164.
D. The port number should be 5140 for TCP syslog.
Answer: C

RFC 3164 defines syslog over UDP. TCP syslog is defined in RFC 6587 but is not universally supported. This configuration may fail if the server does not accept TCP.

Why this answer

By default, syslog uses UDP port 514. When using TCP transport, the syslog server must be configured to accept TCP connections, and this is not a common configuration. The configuration itself is syntactically correct, but the question tests knowledge that TCP transport for syslog is non-standard and may not work with typical syslog servers.

100
MCQ · hard

An engineer configures Control Plane Policing (CoPP) on a router running OSPF. After applying the policy, OSPF neighbors intermittently drop and recover. The CoPP policy includes a class-map matching OSPF traffic with a police rate of 64000 bps. The router has multiple OSPF neighbors and the link utilization is normal. Which is the most likely explanation?

A. The CoPP policy uses the default class class-default, which drops OSPF packets.
B. The police rate is in bits per second, but OSPF hello packets are small; the packet-per-second rate is exceeded, causing drops.
C. OSPF uses UDP, and CoPP only filters TCP traffic.
D. The CoPP policy is applied to the wrong interface; it should be applied to the management interface.
Answer: B

OSPF hello packets are small, so bps rate limiting can be misleading; pps is more appropriate for protocol packets.

Why this answer

CoPP rate-limits control plane traffic in bits per second (bps) by default, but OSPF packets are small and frequent. The rate limit in bps may be insufficient for the packet rate, causing drops of OSPF hello packets. The engineer should use packets per second (pps) for protocol packets like OSPF to avoid this issue.

101
MCQhard

A router is configured with PBR using a route-map that sets the next-hop to 10.0.0.2 for traffic from subnet 192.168.1.0/24. The route-map is applied inbound on interface GigabitEthernet0/0. The engineer also configures 'ip policy route-map' on the same interface. However, the engineer notices that PBR is not working for traffic that is fragmented. What is the most likely reason?

A.PBR only matches the first fragment; subsequent fragments are forwarded based on the routing table because they lack Layer 4 headers.
B.The route-map is missing a 'match fragment' command.
C.Fragmented packets are always dropped by PBR.
D.The ACL in the route-map is using a 'deny' statement for fragmented packets.
AnswerA

Fragments after the first do not have Layer 4 info, so ACLs with port matching fail; PBR may not apply.

Why this answer

PBR processes only the first fragment of a fragmented packet; subsequent fragments do not contain Layer 4 information (e.g., TCP/UDP ports) and may not match the ACL if it includes Layer 4 criteria. Additionally, PBR may not be applied to non-initial fragments by default, causing them to be forwarded normally.

102
MCQmedium

Examine the following partial configuration on Router R1:

```
interface Tunnel0
 ipv6 address 2001:DB8:1::1/64
 tunnel source GigabitEthernet0/0
 tunnel destination 2001:DB8:2::2
 tunnel mode ipv6ip
```

What is the effect of this configuration?

A.The tunnel will successfully encapsulate IPv6 packets in IPv4 and forward them.
B.The tunnel will not come up because the tunnel destination is an IPv6 address instead of an IPv4 address.
C.The tunnel will use IPv6 as the transport protocol, encapsulating IPv4 packets.
D.The configuration is correct for a 6to4 tunnel.
AnswerB

In ipv6ip mode, both tunnel source and destination must be IPv4 addresses.

Why this answer

The tunnel mode ipv6ip requires an IPv4 address as the tunnel destination because it encapsulates IPv6 packets inside IPv4 packets for transport over an IPv4 network. In this configuration, the tunnel destination is set to an IPv6 address (2001:DB8:2::2), which is invalid for this tunnel mode, preventing the tunnel interface from coming up.

Exam trap

Cisco often tests the distinction between tunnel transport and passenger protocols, trapping candidates who confuse the tunnel destination address family with the tunnel mode requirements.

How to eliminate wrong answers

Option A is wrong because the tunnel will not successfully encapsulate and forward packets due to the invalid IPv6 destination address; the tunnel interface will remain down. Option C is wrong because tunnel mode ipv6ip uses IPv4 as the transport protocol to carry IPv6 packets, not IPv6 as the transport. Option D is wrong because a 6to4 tunnel uses a special IPv4-embedded IPv6 address format (2002::/16) and does not use the tunnel mode ipv6ip command; this configuration lacks the required 6to4 parameters.

103
MCQmedium

A network engineer is troubleshooting a route redistribution issue between EIGRP and OSPF. Routers R1 (EIGRP) and R2 (OSPF) are redistributing routes. The engineer notices that some EIGRP external routes (redistributed into EIGRP from another protocol) are not appearing in the OSPF database on R2. The show ip ospf database external command on R2 does not list these prefixes. What is the most likely cause?

A.The redistribute eigrp command under OSPF is missing the subnets keyword.
B.The redistribute eigrp command under OSPF is missing the match external keyword.
C.EIGRP has a higher administrative distance than OSPF, causing route suppression.
D.The OSPF process on R2 has a distribute-list blocking these routes.
AnswerB

Correct: Without match external, EIGRP external routes are not redistributed into OSPF.

Why this answer

When redistributing from EIGRP into OSPF, by default only EIGRP internal routes are redistributed; EIGRP external routes are not included unless the match external keyword is specified.

104
MCQhard

What is the default behavior of EEM when multiple policies are registered for the same event?

A.All policies run simultaneously in parallel.
B.Only the first registered policy runs.
C.Policies run in order of priority (lower number = higher priority), then alphabetically by name.
D.Policies run in reverse order of registration.
AnswerC

Priority is the primary sort; ties are broken by policy name.

Why this answer

EEM policies are executed in order of their priority; if priorities are equal, the policy with the lowest name (alphanumeric) runs first.

105
MCQmedium

A network engineer runs the following debug command to troubleshoot a DHCPv4 issue on router R1:

R1# debug ip dhcp server events

Output:
DHCPD: DHCPDISCOVER received from 0050.7966.6800 on interface GigabitEthernet0/0
DHCPD: Sending DHCPOFFER to 0050.7966.6800 via GigabitEthernet0/0
DHCPD: DHCPREQUEST received from 0050.7966.6800
DHCPD: No binding found for client 0050.7966.6800
DHCPD: Adding binding for client 0050.7966.6800
DHCPD: Sending DHCPACK to 0050.7966.6800 via GigabitEthernet0/0
DHCPD: DHCPINFORM received from 0050.7966.6800
DHCPD: Sending DHCPACK to 0050.7966.6800 via GigabitEthernet0/0

What does this output indicate?

A.The DHCP server failed to create a binding for the client.
B.The DHCP server successfully assigned an IP address to the client, and the client sent a DHCPINFORM to request additional parameters.
C.The DHCP client is using a relay agent because the DISCOVER was received on a different interface.
D.The DHCP server rejected the DHCPREQUEST because no binding was found.
AnswerB

The sequence shows a successful DORA process (DISCOVER, OFFER, REQUEST, ACK) followed by an INFORM, which is used to get additional options like DNS servers.

Why this answer

The debug output shows the DHCP server successfully processing a DISCOVER, OFFER, REQUEST, and ACK sequence, followed by an INFORM message. The 'No binding found' message is normal for a new client, and the binding is created. The INFORM is used by the client to obtain additional configuration parameters after the address is assigned.

106
MCQhard

Which statement correctly describes the default authentication behavior for EEM policy files stored in flash?

A.EEM requires all policy files to be signed with a digital certificate.
B.EEM uses MD5 hash verification by default.
C.EEM does not perform any authentication or integrity check on policy files by default.
D.EEM uses the device's AAA configuration to authenticate policy execution.
AnswerC

By default, EEM trusts the file system and executes policies without authentication.

Why this answer

EEM does not enforce any authentication by default; policy files are executed as-is without integrity checks.

107
MCQhard

A network engineer runs the following command on Router R7:

R7# show logging | include %SYS-2-MALLOCFAIL
*Mar 1 00:05:10.123: %SYS-2-MALLOCFAIL: Memory allocation failed for size 1024, from process 0x12345678, pool Processor
*Mar 1 00:06:20.456: %SYS-2-MALLOCFAIL: Memory allocation failed for size 2048, from process 0x12345678, pool Processor
*Mar 1 00:07:30.789: %SYS-2-MALLOCFAIL: Memory allocation failed for size 512, from process 0x12345678, pool Processor

Based on this output, what is the most likely problem?

A.The router has a memory leak or is running out of memory in the Processor pool.
B.The router is experiencing high CPU utilization due to routing protocol updates.
C.The router's logging buffer is full and cannot store new messages.
D.The router has a hardware failure in the memory module.
AnswerA

Multiple MALLOCFAIL messages indicate that the router cannot allocate memory, which is a sign of memory exhaustion or a leak.

Why this answer

The output shows memory allocation failures in the Processor pool. This indicates that the router is running low on memory, which can cause various issues including process crashes, inability to allocate buffers, and overall instability. The process ID 0x12345678 is likely a specific process that is consuming memory or failing to allocate.

108
Multi-Selecthard

Which THREE statements about MPLS label operations (push, swap, pop) are true? (Choose THREE.)

Select 3 answers
A.The ingress LSR performs a label push operation.
B.The transit LSR performs a label swap operation.
C.The egress LSR always performs a label pop operation.
D.The penultimate hop router (PHP) performs a label pop operation.
E.Label operations are determined by the IP routing table.
AnswersA, B, D

The ingress LSR adds a label to an unlabeled IP packet to begin MPLS forwarding.

Why this answer

In MPLS, the ingress LSR pushes a label, transit LSRs swap labels, and the penultimate hop router (PHP) pops the label. The egress LSR does not perform label operations if PHP is used. Label operations are based on the label forwarding table, not the routing table directly.

109
MCQhard

A network engineer runs the following command on Router R1:

R1# show ip sla statistics 3
Round Trip Time (RTT) for Index 3
Latest RTT: 150 ms
Latest RTT (milliseconds): 150
Latest RTT (microseconds): 150000
Number of successes: 80
Number of failures: 20
Operation time to live: Forever
Output: OK

R1# show track 1
Track 1
IP SLA 3 reachability
Reachability is Up
2 changes, last change 00:00:10
Latest operation return code: OK
Latest RTT (milliseconds): 150
Tracked by:
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 1

Based on this output, which statement is correct?

A.The static route is removed because the IP SLA operation has failures.
B.The IP SLA operation is considered reachable, and the tracked static route is active.
C.The IP SLA operation has a 20% failure rate, so the track should be down.
D.The IP SLA operation is using a wrong source address.
AnswerB

The track shows 'Up', meaning the IP SLA is reachable, and the static route is installed.

Why this answer

The track shows 'Reachability is Up' based on IP SLA 3. The IP SLA statistics show successes and failures, but the latest return code is OK, so the track is up. This means the static route is active.

The failures (20) indicate some probes failed, but the track still considers it reachable because the threshold for reachability is likely based on a percentage or consecutive failures.

110
Drag & Dropmedium

Drag and drop the steps to verify and validate Route Maps and Route Filtering operational state into the correct order, from first to last.


Why this order

First, display the route-map configuration and statistics with show route-map. Second, check which route-map is applied to interfaces or routing protocols using show ip policy. Third, verify the filtered prefixes in the BGP table with show ip bgp.

Fourth, confirm the impact on routing table entries with show ip route. Finally, test connectivity end-to-end using ping or traceroute.

111
MCQmedium

Given the following partial DMVPN configuration on a hub router:

interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp network-id 100
 ip nhrp authentication cisco123
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 ip nhrp map multicast dynamic
 ip nhrp redirect
!

What is the purpose of the 'ip nhrp redirect' command?

A.It enables the hub to send redirect messages to spokes, telling them to use a direct tunnel to another spoke.
B.It causes the hub to redirect all traffic through the hub itself.
C.It enables the hub to dynamically map multicast addresses.
D.It disables NHRP on the tunnel interface.
AnswerA

This is the correct function of NHRP redirect in Phase 3 DMVPN.

Why this answer

In DMVPN Phase 3, the hub uses NHRP redirect to inform spokes about better paths to other spokes, enabling spoke-to-spoke direct tunnels.

112
MCQhard

An engineer configures OSPF between two PE routers in an MPLS L3VPN backbone. Both routers are directly connected via a GigabitEthernet link. The OSPF adjacency forms and then repeatedly flaps between FULL and EXSTART. The engineer verifies that both routers have matching OSPF network types (broadcast), matching area IDs, and no authentication mismatch. What is the most likely cause of the flapping?

A.The MTU on one of the interfaces is lower than the other, causing DBD packet fragmentation.
B.The OSPF hello interval is mismatched between the two routers.
C.The OSPF dead interval is too short, causing the neighbor to be declared dead prematurely.
D.The OSPF router ID is duplicated on the segment.
AnswerA

Correct. A lower MTU on one side causes DBD packets to be dropped, preventing the adjacency from leaving EXSTART.

Why this answer

In OSPF, if the MTU of the interface on one side is smaller than the size of a Database Description (DBD) packet, the neighbor will be stuck in EXSTART or the adjacency will flap. This is because OSPF uses the interface MTU to determine the maximum size of DBD packets, and if a router receives a DBD packet larger than its interface MTU, it drops it and the neighbor relationship cannot progress. This is a common edge case when one interface has a reduced MTU (e.g., due to MPLS overhead or misconfiguration) while the other uses the default 1500 bytes.

113
MCQhard

A network engineer configures EEM to monitor interface state changes on R1. R1 has:

event manager applet INT-MONITOR
 event syslog pattern "%LINEPROTO-5-UPDOWN"
 action 1.0 cli command "enable"
 action 2.0 cli command "show ip route"
 action 3.0 syslog msg "Interface state change detected"

After a link flap on interface GigabitEthernet0/1, the engineer notices that the EEM applet runs multiple times, but the show ip route output is incomplete. Router R2 shows that routing table updates are delayed. What is the root cause?

A.The EEM applet executes before the routing protocol has converged, showing incomplete routing information.
B.The syslog pattern matches too many events, causing the applet to run excessively.
C.The 'show ip route' command requires privileged mode, but the applet is already in privileged mode.
D.The interface flap is causing routing protocol instability, not the EEM applet.
AnswerA

The applet runs immediately, but routing updates take time; adding a delay ensures accurate output.

Why this answer

The EEM applet runs immediately upon the syslog message, but the routing protocol may not have converged yet. The show ip route command may show stale or incomplete routes because the routing table update occurs asynchronously. The correct fix is to add a delay using 'action wait' before executing the show command.

114
MCQhard

An engineer configures OSPF on two routers connected via a point-to-point link. The routers are stuck in EXSTART state. 'show ip ospf neighbor' shows neighbor state EXSTART/EXCHANGE. Which is the most likely explanation?

A.The OSPF network type is mismatched (point-to-point vs broadcast).
B.The MTU on the interfaces is mismatched.
C.The OSPF router IDs are identical.
D.The hello/dead intervals are mismatched.
AnswerB

An MTU mismatch prevents DBD packets from being exchanged, causing the adjacency to remain in EXSTART.

Why this answer

In OSPF, the EXSTART state involves negotiating the master/slave relationship and the Database Description (DBD) packet size. If the MTU on the interfaces differs, the larger DBD packet from the router with the larger MTU will be dropped by the router with the smaller MTU, causing the adjacency to remain stuck in EXSTART. This is a common edge case that is often overlooked.

115
Multi-Selecthard

Which TWO actions will prevent an SNMPv2c NMS from receiving traps from a Cisco router? (Choose TWO.)

Select 3 answers
A.The NMS is configured with a community string that does not match the community string used in the 'snmp-server host' command on the router.
B.The router has an ACL applied to its VTY lines that denies UDP port 162.
C.The 'snmp-server enable traps' command is missing from the router configuration.
D.The NMS is listening on UDP port 161 instead of UDP port 162.
E.The 'snmp-server host' command specifies the IP address of a different NMS.
AnswersA, C, E

The NMS must use the same community string as the router's trap community; otherwise, the NMS will discard the traps.

Why this answer

To receive traps, the NMS must be configured as a trap receiver with the correct community string, and the router must send traps to the correct IP and UDP port 162. If the community string on the NMS does not match the router's trap community, traps are discarded. If the router is configured to send traps to a different IP than the NMS, the NMS never receives them.

The 'snmp-server enable traps' command enables trap generation; without it, no traps are sent. The 'snmp-server host' command specifies the destination; if omitted, traps are not sent. ACLs applied to the router's VTY lines do not affect SNMP trap traffic, which uses UDP port 162.

116
MCQhard

A network engineer is troubleshooting PBR on a Cisco router where traffic from subnet 192.168.50.0/24 should be forwarded to next-hop 10.50.50.2. The route map 'PBR-50' is configured with 'match ip address 160' and 'set ip next-hop 10.50.50.2'. The engineer applies the route map to interface GigabitEthernet0/0. The engineer notices that PBR works for traffic from 192.168.50.0/24, but the router is also policy-routing traffic from other subnets that should not be affected. The engineer checks the ACL 160 and confirms it only matches 192.168.50.0/24. What is the most likely cause?

A.The route map has a sequence with no match condition, which matches all traffic.
B.The ACL 160 has a 'permit ip any any' statement at the end.
C.The 'ip policy route-map' command is applied to multiple interfaces, and traffic from other subnets is entering those interfaces.
D.The router is using CEF switching, and PBR is applied to all traffic regardless of ACL.
AnswerA, B

Correct because a route map sequence without a match condition will match all packets, causing PBR to apply to all traffic.

Why this answer

If PBR is affecting traffic from other subnets despite the ACL being correct, it could be because the route map has a permit statement without a match condition, or the route map is applied to multiple interfaces. However, a common cause is that the route map has a 'match ip address' that references an ACL with a 'permit ip any any' statement at the end, or the route map has a sequence that matches all traffic. The engineer should check the route map for any sequence that does not have a match statement.

117
MCQmedium

A network engineer runs the following command to troubleshoot a Control Plane Policing (CoPP) issue:

R1# debug ip ospf adj
OSPF adjacency debugging is on
R1#
*Mar 1 00:05:23.123: OSPF: Rcv pkt from 10.1.1.2, FastEthernet0/0, area 0.0.0.0, packet type: 1 (Hello)
*Mar 1 00:05:23.123: OSPF: 2 Way Communication to 10.1.1.2 on FastEthernet0/0, state 2WAY
*Mar 1 00:05:23.124: OSPF: Send immediate hello to nbr 10.1.1.2, src address 10.1.1.1, on FastEthernet0/0
*Mar 1 00:05:23.124: OSPF: Rcv pkt from 10.1.1.2, FastEthernet0/0, area 0.0.0.0, packet type: 2 (DBD)
*Mar 1 00:05:23.125: OSPF: Rcv DBD from 10.1.1.2, seq 0x1234, opts 0x2, flag 0x7, mtu 1500 state EXSTART
*Mar 1 00:05:23.126: OSPF: Nbr 10.1.1.2 has state FULL

What does this output indicate?

A.OSPF adjacency is failing due to CoPP dropping Hello packets.
B.OSPF adjacency is established successfully, indicating CoPP is not blocking OSPF traffic.
C.OSPF is experiencing packet loss due to MTU mismatch.
D.OSPF is stuck in EXSTART state due to CoPP.
AnswerB

The adjacency reached FULL state, meaning OSPF packets are being processed correctly.

Why this answer

The debug output shows OSPF adjacency formation with neighbor 10.1.1.2. The sequence of packets (Hello, DBD) and the transition to FULL state indicate that the adjacency is established successfully. This can be used to verify that CoPP is not dropping OSPF packets.

118
MCQhard

MPLS LDP neighbor mismatch is causing label distribution failures for summary routes. Router R1 and R2 are LDP peers. R1 has:

mpls ip
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 mpls ip
!
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
 area 0 range 10.0.0.0 255.255.252.0
!

R2 shows:

R2# show mpls ldp neighbor
Peer LDP Ident: 10.0.0.2:0, Transport address: 10.0.0.2
TCP connection: 10.0.0.2.646 - 10.0.0.1.646
State: Oper, Msgs sent/rcvd: 10/10

R2# show mpls forwarding-table 10.0.0.0/22
Local tag  outgoing tag  prefix tag(s)  next-hop
16         Untagged      10.0.0.0/22    0  10.0.0.1

But R2 cannot forward traffic for 10.0.1.0/24. What is the root cause?

A.The OSPF summary suppresses the /24 routes, so LDP does not assign labels to them, causing forwarding failures.
B.LDP is not enabled on the interface, so no labels are exchanged.
C.The OSPF area range command is not supported with MPLS.
D.R2 has a static route for 10.0.1.0/24 that overrides LDP.
AnswerA

LDP only labels routes present in the routing table; the /24 routes are missing.

Why this answer

The OSPF area range command creates a summary route 10.0.0.0/22 in the routing table, but LDP assigns labels only to routes that are in the routing table. The more specific /24 routes are suppressed by the summary, so LDP does not have labels for them. When R2 receives a packet for 10.0.1.0/24, it looks up the route, finds the summary, and forwards it to R1 with a label, but R1 may not have a label for the specific /24, causing a label mismatch or blackholing.

The fix is to not summarize or to use label binding for more specific prefixes.

119
MCQhard

An engineer configures route summarization in OSPF using the 'area range' command. After configuration, some routes are missing from the routing table of other routers. Which is the most likely explanation?

A.The 'area range' command is configured with the 'not-advertise' keyword, suppressing the summary.
B.The summary route is being filtered by a distribute-list on the receiving router.
C.The component routes are not present in the OSPF database.
D.The summary route is being advertised with a metric that is too high.
AnswerA

The 'not-advertise' keyword explicitly prevents the summary route from being advertised, which would cause the routes to be missing.

Why this answer

The 'area range' command in OSPF creates a summary route that is advertised as a Type 3 LSA. However, if the 'not-advertise' keyword is used, the summary route is suppressed. Additionally, if the summary route is more specific than the component routes, it may be rejected by the receiving router due to OSPF's route selection rules.

Another edge case is that the summary route may be created but the component routes are still advertised individually if the 'advertise' keyword is not explicitly used (default is advertise).

120
MCQhard

A network engineer is troubleshooting an OSPF network where routers R1, R2, and R3 are in area 0. R1 has a summary route 192.168.0.0/22 configured on its interface to R2, summarizing four /24 subnets (192.168.0.0/24 through 192.168.3.0/24). After the configuration, R3 loses connectivity to the 192.168.0.0/24 subnet, although other subnets are reachable. What is the most likely cause?

A.The summary route 192.168.0.0/22 is being advertised with a metric of 0, causing R3 to prefer a less specific route from another source.
B.The summary-address command was applied on R1 as an ABR, but R1 is not an ABR because it is in area 0 only; the command is ignored.
C.The 192.168.0.0/24 subnet is not included in the summary because the summary mask is /22, but the subnet mask of 192.168.0.0/24 is not contiguous with the others due to a configuration error.
D.The summary-address command on R1 is configured with the 'not-advertise' keyword, suppressing the summary but not the specific routes, causing a routing black hole for the 192.168.0.0/24 subnet.
AnswerD

Correct. The 'not-advertise' keyword in OSPF summary-address prevents the summary from being advertised, but the specific routes may still be suppressed if the command is misapplied, leading to loss of connectivity to the specific subnet.

Why this answer

The issue is that the summary route may be suppressing the more specific routes, but the summary itself might not be installed due to a mismatch or missing component. In OSPF, the summary-address command on an ASBR or ABR can cause issues if the metric or type is misconfigured.

121
MCQmedium

snmp-server enable traps
snmp-server host 192.168.1.100 traps version 2c public
snmp-server host 192.168.1.200 informs version 2c public

What is the effect of this configuration?

A.Traps are sent to 192.168.1.100 and informs are sent to 192.168.1.200.
B.Both hosts receive traps.
C.Both hosts receive informs.
D.Only traps are enabled; informs require SNMPv3.
AnswerA

The first host is configured for traps, the second for informs, as specified by the 'traps' and 'informs' keywords.

Why this answer

This enables all SNMP traps and configures two hosts: one to receive traps (unacknowledged) and one to receive informs (acknowledged). Both use SNMPv2c with the community string 'public'.

122
MCQmedium

Router R5 has this DHCP configuration:

ip dhcp pool POOL3
 network 172.16.0.0 255.255.255.0
 default-router 172.16.0.1
 option 150 ip 10.10.10.10
!
interface GigabitEthernet0/0
 ip address 172.16.0.1 255.255.255.0
 no shutdown

What is the purpose of the option 150 command?

A.It provides the IP address of a TFTP server to DHCP clients, typically used by VoIP phones.
B.It sets the DNS server for the DHCP pool.
C.It defines a custom option that is ignored by standard DHCP clients.
D.It specifies the default gateway for the clients.
AnswerA

Option 150 is used to specify a TFTP server for VoIP phones or other devices that need to download configuration files.

Why this answer

Option 150 is a DHCP option that specifies the IP address of a TFTP server. Cisco IP phones use this option to locate the TFTP server from which they download their configuration and firmware files. The correct answer is A because this is the standard purpose of option 150 in a Cisco VoIP environment.

Exam trap

The trap here is that candidates often confuse option 150 with option 66 (TFTP server name) or assume it is a generic custom option, but Cisco specifically tests that option 150 provides the TFTP server IP address for VoIP phones.

How to eliminate wrong answers

Option B is wrong because the DNS server is set using the 'dns-server' command in the DHCP pool, not option 150. Option C is wrong because option 150 is a well-known DHCP option defined by Cisco for TFTP server address, not a custom or ignored option. Option D is wrong because the default gateway is set using the 'default-router' command, not option 150.

123
MCQhard

A router R1 is redistributing BGP routes into OSPF, but some prefixes are missing. Router R1 has the following relevant configuration:

router bgp 65000
 neighbor 10.1.1.2 remote-as 65001
 address-family ipv4 unicast
  neighbor 10.1.1.2 activate
  network 172.16.0.0 mask 255.255.255.0
router ospf 1
 redistribute bgp 65000 subnets metric 100

Router R2 shows:

show ip ospf database external 172.16.0.0
OSPF Router with ID 10.1.1.1
Type-5 AS External Link States
LS age: 600
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 172.16.0.0
Advertising Router: 10.1.1.1
LS Seq Number: 80000001
Checksum: 0x1234
Length: 36
Network Mask: /24
Metric Type: 2 (Larger than any valid route)
TOS: 0
Metric: 16777215
Forward Address: 0.0.0.0
External Route Tag: 0

What is the root cause?

A.The BGP route 172.16.0.0/24 is not in the routing table; check BGP table and next-hop reachability.
B.The metric 100 is too low; increase to match OSPF cost.
C.The subnets keyword is missing; add it to redistribute classful routes.
D.The OSPF process ID is mismatched; use process 1 on both routers.
AnswerA

OSPF redistributes only routes present in the routing table; if the BGP route is not installed, OSPF may inject a default or max-metric route.

Why this answer

The metric of 16777215 (max) indicates the route is unreachable. This happens when the BGP route is not valid (e.g., missing next-hop reachability) or when a route-map sets the metric to the maximum. The BGP route may not be installed in the routing table due to a missing network statement or a next-hop issue.

The correct fix is to ensure the BGP route is valid and reachable.

124
MCQhard

A network engineer configures IP SLA with a UDP echo operation to monitor a remote server. The IP SLA responder is configured on the remote router. The engineer notices that the operation shows 'Timeout' intermittently, but standard UDP connectivity tests from the router to the server succeed. The engineer checks the IP SLA responder configuration and finds that the control port is set to a non-default value. Which is the most likely explanation?

A.The IP SLA responder is not configured to respond to UDP echo requests from the initiator.
B.The IP SLA initiator must be configured with the 'control' keyword to match the non-default control port on the responder.
C.The UDP echo operation uses a different protocol than standard UDP, causing packet drops.
D.The IP SLA operation has a threshold that is too low, causing the operation to time out.
AnswerB

The control port mismatch causes the initiator to fail to establish the operation, leading to timeouts.

Why this answer

IP SLA UDP echo operations require the IP SLA responder to be configured with the correct control port. If the responder uses a non-default control port, the initiator must be configured to use that port using the 'control' keyword under the IP SLA operation. Without this, the initiator uses the default control port (1967), causing communication failures and intermittent timeouts.

126
MCQhard

What is the default BGP update timer interval in Cisco IOS-XE?

A.30 seconds for eBGP, 0 seconds for iBGP
B.60 seconds for both eBGP and iBGP
C.5 seconds for eBGP, 15 seconds for iBGP
D.0 seconds for eBGP, 30 seconds for iBGP
AnswerA

Correct. The MRAI timer defaults to 30 seconds for eBGP and 0 for iBGP.

Why this answer

BGP does not have a fixed update timer like RIP; updates are triggered by changes, but the default minimum route advertisement interval (MRAI) is 30 seconds for eBGP and 0 seconds for iBGP.

127
Drag & Dropmedium

Drag and drop the steps to troubleshoot Device Access Control adjacency or connectivity failures into the correct order, from first to last.


Why this order

Start by verifying physical connectivity with ping to isolate Layer 1/2 issues. Then check the access control configuration on the interface to ensure it is not blocking traffic. Next, examine the adjacency table to confirm neighbor relationships.

After that, review logs for authentication or authorization errors. Finally, use debug commands to capture real-time access control events.

128
MCQeasy

A network engineer runs the following command to troubleshoot a Policy-Based Routing (PBR) issue:

R1# show route-map PBR-MAP
route-map PBR-MAP, permit, sequence 10
  Match clauses:
    ip address (access-lists): 101
  Set clauses:
    ip next-hop 10.1.1.2
  Policy routing matches: 50 packets, 6000 bytes

What does this output indicate?

A.PBR is successfully forwarding matching traffic to 10.1.1.2.
B.The next-hop 10.1.1.2 is not reachable.
C.The ACL 101 is misconfigured.
D.PBR is not applied to any interface.
AnswerA

The packet counter shows successful matches and forwarding.

Why this answer

The output shows that 50 packets have matched the route-map and have been policy-routed to next-hop 10.1.1.2. This indicates PBR is working.

129
MCQhard

A network engineer configures EEM to monitor OSPF neighbor state changes. R1 has:

event manager applet OSPF-MON
 event syslog pattern "%OSPF-5-ADJCHG"
 action 1.0 cli command "enable"
 action 2.0 cli command "show ip ospf neighbor"
 action 3.0 syslog msg "OSPF neighbor change detected"

After a link flap, the engineer notices that the EEM applet does not execute. Router R2 shows that OSPF neighbor state changes are logged, but no EEM actions occur. What is the root cause?

A. The EEM applet is not registered correctly; it needs to be enabled with 'event manager applet OSPF-MON trigger'.
B. The syslog pattern matches, but the OSPF ADJCHG message is severity 5, which is below the default EEM syslog severity threshold of 4.
C. The 'action 1.0 cli command "enable"' fails because the applet is already in privileged mode.
D. The OSPF neighbor change is not generating a syslog message due to logging buffer size.
Answer: B

EEM syslog triggers require severity 0-4 by default; OSPF ADJCHG is severity 5.

Why this answer

The EEM applet uses the syslog pattern trigger, but the OSPF ADJCHG message is logged at severity 5 (notification). By default, EEM syslog triggers only match severity 0-4 (emergency through warning). The engineer must adjust the logging severity or use a different trigger (e.g., event syslog pattern with severity).

130
MCQ (hard)

A network engineer configures IP SLA with an HTTP GET operation to monitor a web server. The operation shows 'Success' but the response time is extremely high. The engineer checks the web server and finds it is overloaded. The engineer wants to configure a threshold so that the IP SLA operation triggers a track object when the response time exceeds 500 ms. Which configuration change is required?

A. Configure the 'threshold' command under the IP SLA operation and use the 'track' command with the 'threshold' keyword in the track object.
B. Configure the 'timeout' command to 500 ms; the track object will automatically react to timeouts.
C. Use the 'reaction' command under the IP SLA operation to trigger a trap; the track object cannot react to thresholds.
D. Configure the IP SLA operation with a lower frequency to get more samples; the track object will average the response time.
Answer: A

The track object must be configured to monitor the threshold state using the 'threshold' keyword; otherwise, it only tracks reachability.

Why this answer

IP SLA HTTP operations measure response time, but to trigger a track object based on threshold violation, the engineer must configure the 'threshold' command under the IP SLA operation and then configure the track object to react to the 'threshold' state, not just the 'up/down' state. By default, track objects only track up/down, not threshold violations.

131
MCQ (hard)

A network engineer runs the following commands on Router R1:

    R1# show ip policy
    Interface           Route-map
    GigabitEthernet0/0  PBR-QOS
    R1# show route-map PBR-QOS
    route-map PBR-QOS, permit, sequence 10
      Match clauses:
        ip address (access-lists): 120
      Set clauses:
        ip next-hop 10.0.0.2
      Policy routing matches: 500 packets, 45000 bytes
    R1# show access-lists 120
    Extended IP access list 120
        10 permit ip 192.168.1.0 0.0.0.255 any
    R1# debug ip policy
    Policy routing debugging is on
    *Mar 1 00:05:23.123: IP: s=192.168.1.100 (GigabitEthernet0/0), d=8.8.8.8, len 100, policy match
    *Mar 1 00:05:23.123: IP: s=192.168.1.100 (GigabitEthernet0/0), d=8.8.8.8, len 100, policy rejected

Based on this output, what is the most likely problem?

A. The next-hop 10.0.0.2 is unreachable.
B. The access list 120 is misconfigured.
C. The route map is applied to the wrong interface.
D. The route map sequence number is incorrect.
Answer: A

The debug 'policy rejected' after a match typically means the set next-hop is not reachable, so the packet is not policy-routed.

Why this answer

The debug output shows 'policy match' followed by 'policy rejected'. This indicates that the packet matched the route map, but the set clause was not applied because the next-hop is unreachable or the route map's set condition fails (e.g., verify-availability if used, or next-hop not in routing table). The show route-map shows matches, but the packet is rejected and forwarded normally.

132
MCQ (hard)

A network engineer configures DMVPN Phase 2 with NHRP. Spoke routers can communicate with the hub, but spoke-to-spoke traffic fails. The 'show dmvpn' on spokes shows the hub's NBMA address but not other spokes. Which is the most likely explanation?

A. The hub is configured with 'ip nhrp redirect' but spokes are missing 'ip nhrp shortcut'.
B. The tunnel interface mode is GRE IP, not mGRE.
C. The spokes have different IPsec transform sets configured.
D. The NHRP authentication string is missing on the hub.
Answer: A

Without 'ip nhrp shortcut' on spokes, they will not install dynamic NHRP entries.

Why this answer

In DMVPN Phase 2, spoke-to-spoke tunnels require NHRP redirect from the hub and NHRP shortcut on spokes. If the hub is not sending NHRP redirect messages (e.g., due to 'no ip nhrp redirect'), spokes will not learn each other's NBMA addresses, and traffic will be sent through the hub.

133
MCQ (hard)

A network engineer is troubleshooting a PBR route-map that is supposed to set the next-hop for traffic from a specific source to a different next-hop. The route-map is applied to the incoming interface, and the ACL matches the traffic. However, the engineer notices that the traffic is still being forwarded using the routing table. The engineer checks the route-map and sees that the 'set ip next-hop' command points to an IP address that is not reachable. What is the most likely result?

A. PBR will fall back to the routing table and forward the packet normally.
B. The packet will be dropped because PBR cannot forward it.
C. The router will send an ICMP unreachable message to the source.
D. The route-map will be ignored and all traffic will be dropped.
Answer: A

Correct because PBR uses the routing table if the next-hop is unreachable.

Why this answer

If the next-hop in a PBR set command is not reachable (i.e., not in the routing table), PBR will fall back to the routing table for forwarding. PBR does not drop the packet; it uses the default routing decision.

134
MCQ (hard)

R1 and R2 are connected via an IPsec VPN tunnel. They are running OSPF over the tunnel. R1's show ip ospf neighbor shows R2 as FULL, but R1's show ip ospf database shows the LSA from R2 but with a high age (e.g., 3600). R1's show ip route does not have routes from R2. What is the root cause?

A. The OSPF dead interval on R1's tunnel interface is too short, causing frequent neighbor resets and LSA aging.
B. The IPsec tunnel is dropping OSPF packets due to MTU issues.
C. OSPF network type is point-to-multipoint, causing LSA flooding issues.
D. R2 has a distribute-list out filtering OSPF routes.
Answer: A

A short dead interval causes the neighbor to be declared dead and re-established, but LSAs are not refreshed, leading to high age and eventual removal.

Why this answer

The correct answer is A. When the OSPF dead interval on R1's tunnel interface is too short, R1 may temporarily lose neighbor adjacency with R2, causing the LSA from R2 to be prematurely aged out (age reaches 3600, the MaxAge) and removed from the OSPF database. Even though the neighbor state shows FULL at the moment of inspection, the LSA has already been flushed due to a previous timeout, so routes are not installed in the routing table.

Exam trap

Cisco often tests the distinction between neighbor state (which can appear FULL momentarily after a flap) and LSA age (which reflects the last successful refresh), leading candidates to overlook that a short dead interval can cause LSA expiration without a permanent neighbor down state.

How to eliminate wrong answers

Option B is wrong because MTU issues would typically cause OSPF packets to be fragmented or dropped, leading to neighbor state changes (e.g., stuck in EXSTART/EXCHANGE) or packet loss, not a FULL neighbor state with a high-aged LSA. Option C is wrong because point-to-multipoint network type does not inherently cause LSA flooding issues that result in a high age of 3600; it uses additional LSAs (Type 2) but still maintains proper aging. Option D is wrong because a distribute-list out on R2 would filter routes from being advertised into OSPF, which would prevent the LSA from being generated in the first place, not cause an existing LSA to age to 3600 while the neighbor remains FULL.

135
MCQ (medium)

A network engineer runs the following command to troubleshoot an IPv4 Access Control List issue:

    R1# debug ip packet 150
    IP packet debugging is on for access list 150
    *Mar 1 00:25:45.678: IP: s=192.168.1.1 (GigabitEthernet0/0), d=10.1.1.1, len 100, proto UDP, flags 0x0, sport 12345, dport 53, access list 150: matched line 10 permit udp host 192.168.1.1 host 10.1.1.1 eq 53
    *Mar 1 00:25:45.679: IP: s=192.168.1.1 (GigabitEthernet0/0), d=10.1.1.1, len 100, proto TCP, flags 0x2, sport 12346, dport 53, access list 150: matched line 20 permit tcp host 192.168.1.1 host 10.1.1.1 eq 53

What does this output indicate?

A. DNS traffic from 192.168.1.1 to 10.1.1.1 is being permitted by ACL 150.
B. DNS traffic from 192.168.1.1 to 10.1.1.1 is being denied by ACL 150.
C. ACL 150 is applied outbound on GigabitEthernet0/0.
D. ACL 150 has no line 10 or 20.
Answer: A

Both UDP and TCP DNS packets match permit lines.

Why this answer

The debug output shows that packets from source 192.168.1.1 to destination 10.1.1.1 with destination port 53 (DNS) are matching permit statements in ACL 150 (line 10 for UDP and line 20 for TCP). Since the ACL is permitting these packets, DNS traffic is allowed through the interface where the ACL is applied.

Exam trap

Cisco often tests the misconception that 'debug ip packet' output shows only denied packets, but it actually shows all packets that match the ACL, whether permitted or denied, and the 'permit' or 'deny' keyword in the matched line is what determines the action.

How to eliminate wrong answers

Option B is wrong because the debug output explicitly shows 'permit' for both UDP and TCP DNS packets, not 'deny'. Option C is wrong because the debug output does not indicate the direction (inbound or outbound) of the ACL application; it only shows that packets are being matched against ACL 150 on GigabitEthernet0/0, but the direction is not specified. Option D is wrong because the debug output clearly shows 'matched line 10' and 'matched line 20', confirming that lines 10 and 20 exist in ACL 150.

136
Multi-Select (hard)

Which TWO configuration steps are required to enable SNMPv3 with authentication and encryption on a Cisco router? (Choose TWO.)

Select 2 answers
A. snmp-server group GROUP v3 priv
B. snmp-server user USER GROUP v3 auth sha PASSWORD priv aes 128 PASSWORD
C. snmp-server community PUBLIC ro
D. snmp-server host 10.1.1.1 version 3 priv USER
E. snmp-server enable traps
Answers: A, B

Creates an SNMPv3 group with the 'priv' keyword to enable encryption.

Why this answer

To configure SNMPv3 with authPriv, you must first define an SNMP group with the appropriate security level using 'snmp-server group', then create a user associated with that group using 'snmp-server user' with authentication and privacy passwords. The 'snmp-server community' command is for SNMPv1/v2c, and 'snmp-server host' is for trap destinations.

137
Drag & Drop (medium)

Drag and drop the steps to verify and validate SPAN, RSPAN, and ERSPAN operational state into the correct order, from first to last.


Why this order

First, use show monitor session all to list all sessions. Then, inspect the specific session details with show monitor session <id>. Next, check the RSPAN VLAN status if using RSPAN.

After that, verify ERSPAN packet capture at the destination. Finally, confirm that the mirrored traffic matches expected patterns.

138
Multi-Select (hard)

Which TWO statements about IPv6 First Hop Security (FHS) Source Guard are true? (Choose TWO.)

Select 2 answers
A. IPv6 Source Guard dynamically creates binding entries for all IPv6 addresses learned via ND.
B. IPv6 Source Guard uses the IPv6 binding table to permit or deny traffic based on source address.
C. IPv6 Source Guard filters traffic based on the destination IPv6 address in the packet.
D. IPv6 Source Guard can be enabled on a per-interface or per-VLAN basis.
E. IPv6 Source Guard only works with addresses learned via DHCPv6.
Answers: B, D

Correct. Source Guard checks the source IPv6 address and MAC against the binding table and drops unauthorized traffic.

Why this answer

IPv6 Source Guard filters traffic based on the source IPv6 address and MAC address, using the binding table. It can be used with both SLAAC and DHCPv6, but it does not create bindings itself—it relies on DHCPv6 snooping or ND snooping. Option B is correct because Source Guard uses the binding table to validate source addresses.

Option D is correct because Source Guard can be enabled per interface or per VLAN. Option A is incorrect because Source Guard does not create bindings; it uses bindings from DHCPv6 snooping or ND snooping. Option C is incorrect because Source Guard filters on source IP and MAC, not destination.

Option E is incorrect because Source Guard is not limited to DHCPv6-learned addresses; it can also use ND snooping entries.

139
MCQ (medium)

When troubleshooting SNMPv3 authentication failures, which default HMAC algorithm is used if the user is configured with "auth md5"?

A. HMAC-SHA-96
B. HMAC-MD5-96
C. HMAC-SHA-256
D. No HMAC is used; MD5 is used directly.
Answer: B

RFC 3414 defines HMAC-MD5-96 as the authentication protocol for usmHMACMD5AuthProtocol.

Why this answer

SNMPv3 uses HMAC-MD5-96 for authentication when MD5 is specified.

140
MCQ (hard)

A network using IPv6 over IPv4 ISATAP tunnels is experiencing connectivity issues. Router R1 has the following relevant configuration:

    interface Tunnel0
     ipv6 address 2001:DB8:1::/64 eui-64
     tunnel source 192.0.2.1
     tunnel mode ipv6ip isatap

Router R2 shows:

    R2# show ipv6 interface Tunnel0
    Tunnel0 is up, line protocol is up
      IPv6 is enabled, link-local address is FE80::5EFE:192.0.2.2
      Global unicast address(es):
        2001:DB8:1::5EFE:192.0.2.2

What is the root cause?

A. The IPv6 address on R1 should be configured without the eui-64 keyword to allow manual assignment.
B. The tunnel mode should be ipv6ip isatap on both ends, but R2's address shows the correct ISATAP format, indicating R1's address is wrong.
C. The tunnel source on R1 should be the IPv4 address of R2.
D. ISATAP requires the use of a link-local address only.
Answer: B

R1's address uses EUI-64, which does not produce the ISATAP-specific interface identifier, causing address mismatch.

Why this answer

Option B is correct because ISATAP tunnels require both endpoints to use the same tunnel mode (ipv6ip isatap) and to form the IPv6 interface identifier from the IPv4 tunnel source using the format ::5EFE:w.x.y.z. R2's global address 2001:DB8:1::5EFE:192.0.2.2 correctly embeds its IPv4 address 192.0.2.2, but R1's configuration with the eui-64 keyword causes it to derive an interface identifier from its MAC address instead of the required ISATAP format. This mismatch prevents proper IPv6 neighbor discovery and connectivity over the tunnel.

Exam trap

Cisco often tests the distinction between standard EUI-64 address generation and ISATAP's fixed interface identifier format, trapping candidates who assume that eui-64 is always correct for IPv6 tunnel interfaces.

How to eliminate wrong answers

Option A is wrong because removing the eui-64 keyword and manually assigning an address would not fix the root cause; the issue is that R1 must use the ISATAP-specific interface identifier (::5EFE:IPv4) derived from its tunnel source, not a manually assigned or MAC-based identifier. Option C is wrong because the tunnel source on R1 should be its own IPv4 address (192.0.2.1) to identify the tunnel endpoint; pointing to R2's IPv4 address would break the tunnel encapsulation. Option D is wrong because ISATAP tunnels support both link-local and global unicast addresses; the link-local address is automatically derived, but global addresses are required for end-to-end connectivity and are correctly used in this scenario.

141
MCQ (hard)

Router R1 and R2 are running OSPF and BGP. R1 is an ASBR redistributing BGP routes into OSPF. R2 is an ABR between area 0 and area 1. R2 has 'distance ospf external 150' configured. R3 in area 1 learns a BGP-redistributed route 10.0.0.0/8 via R2 with AD 150. R3 also learns the same prefix via a different path from R4 (another ABR) with AD 110 (default OSPF external). R3's 'show ip route 10.0.0.0' shows the route via R4. What is the root cause?

A. R2's 'distance ospf external 150' makes the external route less preferred than the default AD 110 from R4.
B. R4's route is an inter-area route (AD 110) while R2's route is external (AD 150), so inter-area is preferred.
C. R3 has a route-map that prefers routes from R4.
D. The route from R2 is not in the OSPF database due to a filter.
Answer: A

Higher AD means less trust; R3 chooses the lower AD route.

Why this answer

OSPF administrative distance can be set per route type. With 'distance ospf external 150', the external routes from R2 have AD 150, while routes from R4 keep the default AD 110. R3 prefers the route with the lower AD (110 via R4).

This is expected behavior. Although the question may suggest that the route via R2 should have been preferred for some other reason, the root cause is simply that the configuration on R2 increases the AD for external routes, making them less preferred.

142
MCQ (medium)

A network engineer runs the following command to troubleshoot a NAT issue:

    R1# debug ip nat detailed
    NAT: s=10.1.1.1->10.2.2.2, d=192.168.1.1 [45]
    NAT: s=10.1.1.1->10.2.2.2, d=192.168.1.1 [46]
    NAT: s=10.1.1.1->10.2.2.2, d=192.168.1.1 [47]
    NAT*: s=192.168.1.1, d=10.2.2.2->10.1.1.1 [48]
    NAT: s=10.1.1.1->10.2.2.2, d=192.168.1.1 [49]

What does this output indicate?

A. NAT is working correctly; the asterisk indicates a packet that was translated and fast-switched.
B. NAT is failing; the asterisk indicates a packet that was dropped.
C. NAT is working but only for outbound traffic; return traffic is not being translated.
D. NAT is not configured; the output shows only routing information.
Answer: A

The asterisk shows fast-switching, and translations are occurring bidirectionally.

Why this answer

The output shows successful NAT translations. The asterisk (*) indicates a packet that was translated and fast-switched.

143
MCQ (hard)

A network engineer configures an EEM applet to monitor OSPF network type mismatches using the event syslog pattern 'OSPF-5-ADJCHG'. The applet is supposed to send a notification when an adjacency fails. Two routers are connected with an OSPF network type mismatch (one is broadcast, the other is point-to-point). The adjacency fails, but the EEM applet does not trigger. Which is the most likely explanation?

A. A network type mismatch prevents the routers from reaching the 2WAY state, so no OSPF-5-ADJCHG syslog is generated.
B. The EEM applet must use 'event ospf' to capture OSPF network type mismatches.
C. The network type mismatch generates a syslog with pattern 'OSPF-4-ERRRCV', but the EEM applet is looking for 'OSPF-5-ADJCHG'.
D. The OSPF process must be restarted for the EEM applet to detect the mismatch.
Answer: A

Correct. The adjacency fails early, and the syslog for state change is not generated because FULL was never reached.

Why this answer

When OSPF network types mismatch, the adjacency may fail during the database exchange process, but the syslog message generated is often 'OSPF-4-ERRRCV' or 'OSPF-5-ADJCHG' depending on the specific failure. However, if the mismatch is between broadcast and point-to-point, the routers may not even form a neighbor relationship because they interpret Hello packets differently. In some IOS versions, the syslog message is not generated at all because the routers never reach the 2WAY state.

The EEM applet relies on the 'OSPF-5-ADJCHG' pattern, which is only generated when there is a state change from FULL to DOWN or vice versa. If the adjacency never progresses beyond INIT, no ADJCHG message is produced.

144
MCQ (easy)

A network engineer is troubleshooting a connectivity issue between two sites. R1 learns the prefix 10.0.0.0/8 via RIP (AD 120) from R2, and also via a directly connected interface on R3. The engineer notices that R1 uses the RIP route instead of the connected route. What is the most likely cause?

A. The connected interface on R3 has a higher metric than the RIP route.
B. The RIP route has an AD of 120, but the connected route is for a different subnet mask.
C. The distance rip 0 command was applied under RIP, making RIP routes have AD 0.
D. The connected interface is administratively down.
Answer: B

If the connected route is for 10.0.0.0/16 and the RIP route is for 10.0.0.0/8, they are different prefixes. The router uses the most specific match for a given destination, but if no connected route exists for the exact /8 prefix, the RIP route may be the only route for it.

Why this answer

Connected routes have an AD of 0, so a connected route for the same prefix always takes precedence over a RIP route with AD 120. If the RIP route is being used instead, the connected route most likely does not exist for that exact prefix, or the interface is down.

The only way RIP is preferred is if no connected route is present for that prefix.

146
MCQ (hard)

An engineer configures uRPF loose mode on an interface that is part of an IPv6 network with multiple equal-cost paths to the same destination via different interfaces. The router receives traffic from a source that is reachable via one of the paths, but the traffic arrives on a different interface. The traffic is dropped. Which is the most likely explanation?

A. The source address is a link-local address (fe80::), which is not installed in the global routing table, causing uRPF loose mode to drop the packet.
B. The router has 'ipv6 uRPF strict' configured instead of loose, but the show command indicates loose.
C. The equal-cost paths cause the routing table to have multiple entries, and uRPF loose mode requires a single best path.
D. The interface has an IPv6 ACL that denies the traffic before uRPF is applied.
Answer: A

Correct. Link-local addresses are not in the routing table, so uRPF loose mode drops them.

Why this answer

uRPF loose mode only checks that the source address has an entry in the routing table via any interface; unlike strict mode, it does not require the incoming interface to match the reverse path. If the source address is not in the routing table at all, loose mode drops the packet. With multiple equal-cost paths, the source prefix is still present in the table, so loose mode would not drop the traffic for that reason, and the traffic in this scenario should not be dropped on those grounds.

Two corner cases remain. A more specific route for the source with a different prefix length can affect the lookup. And if the source address is matched only by a default route, it is permitted with 'ipv6 uRPF loose allow-default' and dropped without it; the question states that the source is reachable via one of the paths, so a default route is not the match here.

The most likely explanation is therefore that the router has 'ipv6 uRPF loose' configured but the source address is a link-local address, which is never installed in the global routing table, so the lookup fails and the packet is dropped.

147
Drag & Drop (hard)

Drag and drop the steps to troubleshoot IPv6 First Hop Security adjacency or connectivity failures into the correct order, from first to last.


Why this order

Start by checking basic connectivity with ping. Then examine the neighbor cache for incomplete entries. Verify if IPv6 snooping is enabled and inspect the binding table.

Check RA Guard and DHCPv6 Guard policies that may drop packets. Finally, use debug ipv6 snooping to capture packet drops.

148
MCQ (hard)

An engineer configures an IPsec VPN between two routers using a transform-set with ESP encryption (AES 256) and ESP authentication (SHA-256). The engineer also applies an IPv4 ACL to define interesting traffic that matches all IP traffic. After configuration, the VPN tunnel comes up, but only ICMP traffic is encrypted; other traffic like HTTP is sent in clear text. What is the most likely explanation?

A. The ACL for interesting traffic only permits ICMP, so only ICMP is encrypted.
B. The transform-set does not support HTTP traffic due to port filtering.
C. The IPsec SA is only established for ICMP; other traffic requires a separate SA.
D. The router has a NAT rule that bypasses IPsec for HTTP traffic.
Answer: A

IPsec uses the ACL to determine which traffic to protect; if only ICMP is permitted, other traffic is not encrypted.

Why this answer

The most likely explanation is that the ACL for interesting traffic only permits ICMP, so only ICMP is encrypted. In Cisco IOS, the crypto map uses the ACL to identify which traffic should be protected by IPsec. If the ACL only matches ICMP (e.g., 'permit icmp any any'), then only ICMP packets trigger IPsec encryption; all other traffic, such as HTTP, is forwarded in clear text because it does not match the ACL and is therefore not subject to IPsec processing.

Exam trap

Cisco often tests the misconception that the transform-set or the IPsec SA itself filters traffic by port or protocol, when in reality the ACL is the sole mechanism for defining interesting traffic in a crypto map.

How to eliminate wrong answers

Option B is wrong because transform-sets define encryption and authentication algorithms (e.g., ESP with AES 256 and SHA-256) and do not perform port filtering; they apply to all traffic matched by the ACL. Option C is wrong because IPsec SAs are established per traffic selector (as defined by the ACL), but if the ACL only matches ICMP, only one SA is created for ICMP; other traffic like HTTP would not trigger a separate SA because it is not matched by the ACL. Option D is wrong because while a NAT rule could bypass IPsec, the question states the tunnel comes up and ICMP is encrypted, indicating IPsec is functioning; the most direct and common cause is a restrictive ACL, not a NAT misconfiguration.

149
Multi-Select (medium)

Which TWO configuration steps are required to enable TACACS+ authentication for device access control on a Cisco IOS router, assuming the TACACS+ server is already reachable? (Choose TWO.)

Select 2 answers
A. Configure the TACACS+ server with the 'tacacs server' command and specify the server IP and key.
B. Create an AAA authentication login method list using 'aaa authentication login default group tacacs+' to use TACACS+ as the primary method.
C. Configure 'aaa authorization exec default group tacacs+' to authorize user commands after authentication.
D. Use 'radius-server host' to define the authentication server.
E. Enable 'aaa new-model' to activate AAA services.
Answers: A, B

This is required to define the TACACS+ server for the router to communicate with.

Why this answer

Option A is correct because the 'tacacs server' command is required to define the TACACS+ server's IP address and the shared secret key, which is necessary for the router to communicate securely with the server. Option B is correct because 'aaa authentication login default group tacacs+' creates an authentication method list that tells the router to use TACACS+ as the primary method for login authentication, which is essential for device access control.

Exam trap

Cisco often tests the distinction between authentication (verifying identity) and authorization (granting permissions), so candidates mistakenly select authorization commands like 'aaa authorization exec' when the question explicitly asks for authentication steps.

150
MCQ (medium)

A network engineer is troubleshooting a routing issue in an EIGRP network. Router R1 is not learning a specific route from its neighbor R2, even though R2 has the route in its routing table. The engineer checks the EIGRP topology table on R1 and does not see the route. The output of 'show ip eigrp neighbors' shows that R1 and R2 are adjacent. What should the engineer check next?

A. Check if a distribute-list in or out is applied under the EIGRP process on R1.
B. Check if the route is being summarized on R2.
C. Check if the EIGRP metric for the route is too high.
D. Check if the route is a connected route on R2.
Answer: A

Correct because a distribute-list can filter incoming or outgoing routes, preventing them from being added to the topology table.

Why this answer

If the neighbor adjacency is up but the route is not in the topology table, the issue is likely that the route is being filtered by a distribute-list configured under the EIGRP process on the receiving router.
