Cisco CCNP ENARSI 300-410 (300-410) — Questions 1426-1500

2152 questions total · 29 pages · All types, answers revealed

Page 20 of 29

1427
MCQ · easy

A network engineer runs the following command on Router R1:

    R1# show bfd neighbors detail
    IPv4 Sessions
    NeighborAddr    LD/RD    Int      State    Holdown(mult)    Intf
    10.1.1.2        1/3      Gi0/0    Up       3000(3)          Gi0/0
    Session state is UP and not using echo function.
    OurAddr: 10.1.1.1
    Handle: 1
    Local Diag: 0, Demand mode: 0, Poll bit: 0
    MinTxInt: 1000000, MinRxInt: 1000000, Multiplier: 3
    Received MinRxInt: 1000000, Received Multiplier: 3
    Holddown (hits): 3000(0)
    Rx Count: 100, Tx Count: 100

Based on this output, what is the BFD session's local discriminator?

A. The local discriminator is 1.
B. The local discriminator is 3.
C. The local discriminator is 10.1.1.1.
D. The local discriminator is 10.1.1.2.
Answer: A

The LD (Local Discriminator) is 1 as shown in the output.

Why this answer

The local discriminator is the LD value shown in the output. In this case, it is 1.

1428
MCQ · medium

A network engineer runs the following command to troubleshoot a BGP issue:

    R1# show bgp neighbors 10.1.1.2 advertised-routes
    BGP table version is 14, local router ID is 1.1.1.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
                  x best-external, a additional-path, c RIB-compressed,
    Origin codes: i - IGP, e - EGP, ? - incomplete

         Network            Next Hop        Metric LocPrf Weight Path
     *>  10.0.0.0/24        0.0.0.0              0         32768 i
     *>  192.168.1.0/24     0.0.0.0              0         32768 i

    Total number of prefixes 2

What does this output indicate?

A. R1 is receiving two routes from neighbor 10.1.1.2.
B. R1 is advertising two routes to neighbor 10.1.1.2, both originated locally.
C. R1 is advertising two routes, but one is suppressed due to dampening.
D. R1 is advertising two routes, but the neighbor is not receiving them due to filtering.
Answer: B

The next hop 0.0.0.0 indicates local origin, and the output shows two prefixes.

Why this answer

The show bgp neighbors advertised-routes command shows routes that R1 is advertising to neighbor 10.1.1.2. The output lists two prefixes: 10.0.0.0/24 and 192.168.1.0/24. The next hop of 0.0.0.0 indicates these are locally originated routes (e.g., via network statement or redistribution).

1429
MCQ · hard

A network engineer is troubleshooting a redistribution issue between OSPF and EIGRP. Router R1 redistributes OSPF into EIGRP, and Router R2 redistributes EIGRP into OSPF. After configuration, some routes are missing, and routing loops occur.

R1 has:

    router eigrp 100
     redistribute ospf 1 metric 10000 100 255 1 1500 route-map OSPF-to-EIGRP

R2 has:

    router ospf 1
     redistribute eigrp 100 subnets route-map EIGRP-to-OSPF

'show ip route' on R1 shows an OSPF route 172.16.1.0/24 learned via R2, but also an EIGRP route for the same prefix with a better administrative distance. What is the root cause?

A. The route-map OSPF-to-EIGRP on R1 should include a match clause to filter out routes learned from R2 via OSPF, preventing feedback.
B. The redistribute command on R2 should have a metric-type 1 to avoid suboptimal routing.
C. The administrative distance of OSPF should be changed to 85 on R1 to prefer OSPF over EIGRP.
D. The EIGRP metric on R1 should be set to a higher value to make the redistributed route less preferred.
Answer: A

Adding a match route-map that tags routes from R2 and denies them, or using a tag-based filter, stops the redistribution loop.

Why this answer

The correct answer is A because the route-map OSPF-to-EIGRP on R1 is not filtering out the OSPF route 172.16.1.0/24 that was originally redistributed from EIGRP into OSPF by R2. This creates a routing feedback loop: R1 learns the prefix via OSPF (from R2) and then redistributes it back into EIGRP, causing R2 to see an EIGRP route with a better administrative distance (90 vs. 110) and prefer it, leading to missing routes and loops. The route-map should include a match clause to deny routes that were originally EIGRP (e.g., via a tag or prefix-list) to prevent mutual redistribution.

Exam trap

Cisco often tests the concept of mutual redistribution and route feedback loops, where candidates mistakenly focus on metric or administrative distance adjustments instead of recognizing that a route-map filter is required to break the redistribution cycle.

How to eliminate wrong answers

Option B is wrong because changing the metric-type to 1 on R2's redistribute command would affect the OSPF metric type (E1 vs. E2) but does not address the root cause of route feedback and administrative distance preference. Option C is wrong because modifying OSPF's administrative distance to 85 on R1 would make OSPF routes preferred over EIGRP (AD 90), but this only masks the symptom; the feedback loop would still exist, and routes could still be missing or cause instability.

Option D is wrong because increasing the EIGRP metric on R1's redistribute command would make the redistributed route less preferred within EIGRP, but the problem is that R1 is redistributing a route it learned via OSPF back into EIGRP, and the metric adjustment does not prevent the feedback loop.

1430
MCQ · hard

A network engineer is troubleshooting why the NMS cannot poll SNMP data from router R5. The router has 'snmp-server community cisco RO' configured. The NMS is on subnet 192.168.1.0/24, and the router has an ACL applied to the VTY lines that permits only 10.0.0.0/8. The NMS can ping the router. What is the most likely cause?

A. The engineer applied an ACL to the SNMP community that denies the NMS subnet, but the VTY ACL is unrelated.
B. The VTY ACL is blocking SNMP packets because SNMP uses TCP port 161.
C. The router needs the 'snmp-server ifindex persist' command to enable polling.
D. The NMS is using SNMPv3, but the router only has SNMPv2c configured.
Answer: A

Correct because the community string's ACL must permit the NMS; the VTY ACL does not affect SNMP.

Why this answer

SNMP access is controlled by the community string's optional ACL, not by VTY ACLs. The VTY ACL only affects SSH/Telnet sessions, so it is a distractor here: the engineer might think the VTY ACL blocks SNMP, but it does not.

If the community string has no ACL, SNMP access is permitted by default. The stem as written shows 'snmp-server community cisco RO' with no ACL attached and the 'RO' keyword present, so on that configuration alone SNMP polling should work.

The keyed answer fits a configuration such as 'snmp-server community cisco RO 10', where ACL 10 permits only 10.0.0.0/8 while the NMS is on 192.168.1.0/24. That would block the NMS. The stem needs an ACL on the community for this answer to follow directly.

Other causes the stem does not rule out: the NMS may be using SNMPv3 while the router only has the v2c community configured (the stem does not specify the version), the router may lack an SNMP view, or a firewall or CoPP policy on the router could be blocking the polls.

1431
MCQ · medium

Examine the following EIGRP configuration on Router R6:

    interface GigabitEthernet0/2
     ip hello-interval eigrp 100 15
     ip hold-time eigrp 100 45

What is the effect of these commands?

A. EIGRP will send hello packets every 15 seconds and wait 45 seconds before declaring a neighbor down.
B. EIGRP will send hello packets every 45 seconds and wait 15 seconds.
C. EIGRP will use the default hello interval of 5 seconds and hold time of 15 seconds.
D. EIGRP will not form neighbor adjacencies because the hold time is not a multiple of the hello interval.
Answer: A

The hello interval is set to 15 seconds, and hold time to 45 seconds.

Why this answer

These commands change the EIGRP hello interval to 15 seconds and hold time to 45 seconds on the interface for AS 100. The hold time is three times the hello interval by default, but here it is explicitly set.

1432
Drag & Drop · medium

Drag and drop the steps to troubleshoot IP SLA adjacency or connectivity failures into the correct order, from first to last.

Why this order

Start by verifying the IP SLA operation state to see if it is active or failed, then check reachability to the target using extended ping with the same source, inspect the IP SLA configuration for errors, review access lists or routing that may block probes, and finally adjust parameters like threshold or timeout as needed.

1433
MCQ · hard

A network engineer configures EEM to monitor routing table changes on R1. R1 has:

    event manager applet ROUTE-MONITOR
     event syslog pattern "%ROUTING-5-ROUTECHANGE"
     action 1.0 cli command "enable"
     action 2.0 cli command "show ip route"
     action 3.0 syslog msg "Routing table changed"

After a route update, the engineer notices that the applet runs but the show ip route output does not reflect the change. Router R2 shows: the route is present in the routing table. What is the root cause?

A. The syslog message is generated before the routing table is updated, so the show command shows the old table.
B. The syslog pattern is incorrect; it should be %ROUTING-5-ROUTECHANGED.
C. The routing protocol is not fully converged due to a hold-down timer.
D. The 'show ip route' command is not executed in privileged mode.
Answer: A

The applet executes before the routing table change is committed; a delay is needed.

Why this answer

The syslog message %ROUTING-5-ROUTECHANGE is generated before the routing table is fully updated. The EEM applet runs immediately, capturing the routing table before the change is applied. The correct fix is to add a delay using 'action wait' to allow the routing table to converge.

1434
MCQ · medium

An engineer is troubleshooting an EIGRP issue where a router is not learning any routes from a neighbor, but the neighbor adjacency is up. The engineer checks the EIGRP topology table on the local router and sees that the neighbor is listed, but no routes from that neighbor are present. The engineer also verifies that the neighbor has routes to advertise. What is the most likely cause?

A. The neighbor is configured as an EIGRP stub router.
B. The local router has a distribute-list out applied to the neighbor.
C. The EIGRP metric weights are different on the two routers.
D. The local router has a route-map applied to the EIGRP process that is filtering all routes.
Answer: A

Correct because a stub router only advertises connected and summary routes by default, so if the neighbor has other routes, they will not be advertised.

Why this answer

If the adjacency is up but no routes are received, the issue is likely that a distribute-list is filtering incoming routes, or the neighbor is configured as a stub router. In this case, the most common cause is that the neighbor is configured as a stub router, which restricts the routes it advertises.

1435
MCQ · hard

DMVPN phase 2 network: spoke-to-spoke tunnels fail. Router Spoke1 has: tunnel source GigabitEthernet0/0, tunnel mode gre multipoint, ip nhrp network-id 1, ip nhrp nhs 10.0.0.1. Router Spoke2 shows: show dmvpn includes Spoke1 in NHRP cache but no spoke-to-spoke tunnel. What is the root cause?

A. Spoke1 and Spoke2 have different NHRP network IDs.
B. The hub is not configured with ip nhrp redirect, preventing shortcut initiation.
C. Spoke1 has a firewall blocking GRE traffic.
D. The tunnel mode should be point-to-point for spoke-to-spoke.
Answer: B

Without redirect, spokes do not learn each other's real IPs for direct tunnels.

Why this answer

In a DMVPN Phase 2 network, spoke-to-spoke tunnels require the hub to send NHRP redirect messages to inform spokes of the shortcut path. Without the 'ip nhrp redirect' command on the hub, spokes will not attempt to build direct tunnels, even if they have each other's NHRP cache entries. This is the root cause because Spoke1 and Spoke2 can see each other in the NHRP cache but lack the trigger to initiate the spoke-to-spoke GRE tunnel.

Exam trap

Cisco often tests the distinction between NHRP cache entries (which indicate registration and mapping) and the actual tunnel establishment, which requires additional mechanisms like NHRP redirect in Phase 2 or NHRP shortcut switching in Phase 3.

How to eliminate wrong answers

Option A is wrong because different NHRP network IDs would prevent the spokes from registering with the hub and appearing in each other's NHRP cache, but the scenario states Spoke1 is in the NHRP cache of Spoke2, so the network IDs must match. Option C is wrong because a firewall blocking GRE traffic would prevent any tunnel establishment, including the hub-to-spoke tunnels, but the scenario indicates that spoke-to-hub tunnels are working (since NHRP registration succeeded). Option D is wrong because DMVPN Phase 2 requires multipoint GRE (mGRE) on spokes to support multiple tunnel endpoints; point-to-point tunnels would only allow a single destination and break the DMVPN architecture.

1436
MCQ · hard

An engineer configures Control Plane Policing (CoPP) on a router to protect the control plane. After applying the policy, OSPF adjacencies go down. The policy includes a class that matches OSPF traffic with a police rate of 1000 pps. Which is the most likely explanation?

A. The OSPF traffic is matched by class-default, which has a low police rate or is set to drop, causing hello packets to be dropped.
B. The police rate of 1000 pps is too low for OSPF hello packets.
C. CoPP only applies to management traffic, not routing protocols.
D. The OSPF process is not configured to use the control plane policy.
Answer: A

If OSPF is not explicitly matched in a higher class, it falls to class-default, which may have a restrictive policy.

Why this answer

CoPP applies to traffic destined to the control plane. If the police rate is too low, legitimate OSPF hello packets may be dropped. However, a more subtle edge case is that the default class (class-default) may have an explicit deny or very low rate, causing all unmatched traffic to be dropped, including OSPF if not explicitly matched.

1437
MCQ · hard

A large enterprise network is experiencing intermittent BGP session resets between R1 and R2. R1 has the following relevant configuration:

    event manager applet BGP-MONITOR
     event syslog pattern "%BGP-3-NOTIFICATION"
     action 1.0 cli command "enable"
     action 2.0 cli command "clear ip bgp *"
     action 3.0 syslog msg "BGP session cleared by EEM"

Router R2 shows: BGP neighbor 10.1.1.1 has been up for 0:00:05, state Established. What is the root cause?

A. The EEM applet is triggered by the BGP notification and clears all BGP sessions, causing a reset loop.
B. The BGP keepalive timer is set too low on R1.
C. The syslog pattern is incorrect and matches unrelated messages.
D. There is an MTU mismatch between R1 and R2.
Answer: A

The applet clears all BGP sessions upon any BGP notification, which exacerbates the issue.

Why this answer

The EEM applet triggers on any BGP notification syslog and then executes a clear ip bgp * command, which resets all BGP sessions. This creates a loop: a BGP notification causes a clear, which causes more notifications, leading to persistent flapping. The correct fix is to make the applet more specific or avoid clearing all sessions.

1438
MCQ · hard

An engineer configures mutual redistribution between OSPF and EIGRP on a router. Both protocols have routes for the same prefix. The engineer also applies an inbound ACL on the OSPF interface to deny certain routes from being learned via OSPF. After the ACL is applied, the router still has the prefix in the routing table, but it is learned via EIGRP instead of OSPF. What is the most likely explanation?

A. The ACL blocks OSPF updates, so the router learns the prefix via EIGRP with a lower AD.
B. The ACL is applied outbound, so it filters OSPF routes being sent to the neighbor.
C. The router has a static route for the prefix with AD 1.
D. The OSPF process has a distribute-list that is filtering the route.
Answer: A

The ACL prevents OSPF from learning the route, but redistribution allows EIGRP to carry it, and EIGRP's lower AD makes it the best path.

Why this answer

Option A is correct because the inbound ACL on the OSPF interface blocks the OSPF-learned route from being installed in the routing table. Since mutual redistribution is configured, the same prefix is also learned via EIGRP. EIGRP has a default administrative distance (AD) of 90 for internal routes, which is lower than OSPF's AD of 110.

Therefore, the router selects the EIGRP route as the best path, and the prefix remains in the routing table but now points to the EIGRP next hop.

Exam trap

Cisco often tests the distinction between filtering routing updates via an interface ACL (which blocks the entire OSPF packet, preventing route learning) versus using a distribute-list (which filters specific routes within the routing process), leading candidates to confuse the two mechanisms.

How to eliminate wrong answers

Option B is wrong because the question explicitly states the ACL is applied inbound on the OSPF interface, not outbound; an outbound ACL would filter routes being sent to a neighbor, not affect routes received by the local router. Option C is wrong because a static route with AD 1 would always be preferred over both OSPF (AD 110) and EIGRP (AD 90), but the scenario describes the prefix being learned via EIGRP, not a static route; there is no mention of a static route being configured. Option D is wrong because a distribute-list under the OSPF process could filter the route, but the question states the ACL is applied directly on the OSPF interface, not as a distribute-list; a distribute-list is a separate filtering mechanism that operates on routing updates within the OSPF process, not on the interface itself.

1439
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show ip ospf database external 10.1.1.0

    OSPF Router with ID (1.1.1.1) (Process ID 1)

    Type-5 AS External Link States (Area 0)

      LS age: 120
      Options: (No TOS-capability, DC)
      LS Type: AS External Link
      Link State ID: 10.1.1.0 (External Network Number)
      Advertising Router: 2.2.2.2
      LS Seq Number: 80000001
      Checksum: 0x1234
      Length: 36
      Network Mask: /24
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 20
        Forward Address: 0.0.0.0
        External Route Tag: 100

Based on this output, which statement is correct?

A. The route 10.1.1.0/24 is redistributed into OSPF from another protocol with a route-map setting the tag to 100.
B. The route 10.1.1.0/24 is an OSPF inter-area route from area 0.
C. The metric of 20 indicates the route is redistributed with a default metric of 20, which is correct for Type 1 external routes.
D. The forward address of 0.0.0.0 indicates that the next hop is the advertising router 2.2.2.2.
Answer: A

The External Route Tag of 100 is a common indicator that a route-map was used during redistribution to set the tag.

Why this answer

The output shows an OSPF Type-5 external LSA for 10.1.1.0/24 with Metric Type 2 and Metric 20. The default metric for redistributed routes in OSPF is 20 for Type 2. The External Route Tag of 100 indicates a redistribution tag, often used for filtering or route-maps.

1440
Multi-Select · hard

Which THREE commands are used to troubleshoot and verify device access control when using TACACS+ authentication on a Cisco IOS router? (Choose THREE.)

Select 3 answers
A. debug tacacs
B. show tacacs
C. test aaa group tacacs+ <username> <password>
D. debug radius authentication
E. show aaa method-list
Answers: A, B, C

This command provides detailed debugging of TACACS+ authentication and authorization packets.

Why this answer

Option A is correct because the 'debug tacacs' command enables real-time logging of TACACS+ authentication, authorization, and accounting transactions, allowing you to observe the exact packets exchanged between the router and the TACACS+ server, including authentication failures or successes. Option B is correct because 'show tacacs' displays the current TACACS+ server statistics, including the number of successful and failed authentication attempts, server status, and the number of pending requests, which is essential for verifying connectivity and performance. Option C is correct because 'test aaa group tacacs+ <username> <password>' directly tests the TACACS+ authentication process by sending a simulated authentication request to the configured TACACS+ server group, confirming whether the server is reachable and the credentials are valid.

Exam trap

Cisco often tests the distinction between TACACS+ and RADIUS troubleshooting commands, so the trap here is that candidates may confuse 'debug radius authentication' (Option D) as applicable to TACACS+ or assume that 'show aaa method-list' (Option E) is a valid command for verifying TACACS+ server status, when in fact it does not exist and the correct command is 'show aaa method-lists'.

1441
MCQ · easy

A network engineer runs the following command to troubleshoot an IPv4 access control list issue:

    R1# show ip interface GigabitEthernet0/1 | include access list
      Outgoing access list is 140
      Inbound access list is not set

Then the engineer runs:

    R1# show ip access-lists 140
    Extended IP access list 140
        10 deny icmp any any
        20 permit ip any any

What does this output indicate?

A. ACL 140 is applied outbound on GigabitEthernet0/1, denying ICMP and permitting all other traffic.
B. ACL 140 is applied inbound on GigabitEthernet0/1, blocking ICMP.
C. ACL 140 is not applied to any interface.
D. ACL 140 is applied both inbound and outbound.
Answer: A

The output shows the ACL and its entries.

Why this answer

The output of 'show ip interface GigabitEthernet0/1 | include access list' shows 'Outgoing access list is 140', confirming ACL 140 is applied outbound on that interface. The ACL itself contains two entries: 'deny icmp any any' (sequence 10) and 'permit ip any any' (sequence 20). ACLs are processed top-down and the first matching entry determines the action, so ICMP matches sequence 10 and is denied before the later permit is ever evaluated. All other IP traffic falls through to sequence 20 and is permitted outbound.

The correct interpretation is that ACL 140 is applied outbound, denying ICMP and permitting all other traffic.

Exam trap

Cisco often tests the misconception that 'permit ip any any' overrides all previous deny statements, but in reality, ACLs are processed top-down and the first matching entry determines the action, so the deny icmp entry still blocks ICMP despite the later permit all.

How to eliminate wrong answers

Option B is wrong because the 'show ip interface' output explicitly states 'Inbound access list is not set', so ACL 140 is not applied inbound. Option C is wrong because the output shows 'Outgoing access list is 140', confirming the ACL is applied outbound on the interface. Option D is wrong because the output shows only an outbound ACL; there is no inbound ACL applied, so it is not applied both inbound and outbound.

1442
MCQ · medium

A network engineer runs the following command to troubleshoot an ERSPAN issue:

    R1# show monitor session 3 detail
    Session 3
    ---------
    Type           : ERSPAN Source Session
    Source Ports   :
        Both       : Gi0/0
    Destination IP : 10.1.1.1
    ERSPAN ID      : 100

What does this output indicate?

A. The session is correctly configured as an ERSPAN source session.
B. The session is misconfigured because the destination must be a VLAN, not an IP.
C. The session is misconfigured because the source port must be a VLAN.
D. The session is misconfigured because the ERSPAN ID must match on both source and destination.
Answer: A

The output confirms an ERSPAN source session with a destination IP and ERSPAN ID.

Why this answer

The output shows an ERSPAN source session with source port Gi0/0, destination IP 10.1.1.1, and ERSPAN ID 100. This is the source side of an ERSPAN configuration.

1443
MCQ · medium

Examine the following EEM applet configuration:

    !---
    event manager applet BACKUP_CONFIG
     event timer watchdog time 86400
     action 1.0 cli command "enable"
     action 2.0 cli command "copy running-config tftp://192.168.1.100/backup.cfg"
    !---

What is the effect of this configuration?

A. The applet will copy the running configuration to the TFTP server every 24 hours.
B. The applet will copy the startup configuration instead of the running configuration.
C. The applet will fail because the TFTP server IP address is not reachable.
D. The applet will only trigger once because the watchdog timer is a one-shot timer.
Answer: A

Correct. The watchdog timer triggers the applet every 86400 seconds, and the CLI command copies the running config to the TFTP server.

Why this answer

The applet uses a watchdog timer event that triggers every 86400 seconds (24 hours). When triggered, it copies the running configuration to a TFTP server. This is a valid configuration for periodic backup.

1444
MCQ · hard

In Flexible NetFlow, what is the default 'collect counter bytes' setting for a flow record?

A. Byte counters are collected by default.
B. Byte counters are never collected in Flexible NetFlow.
C. Byte counters are collected only if the flow monitor includes the 'collect counter bytes' command.
D. Byte counters are collected by default only for IPv6 flows.
Answer: C

Correct. Byte counters require explicit configuration.

Why this answer

By default, byte counters are not collected unless explicitly configured with 'collect counter bytes' in the flow record.

1445
Multi-Select · hard

Which TWO statements about the 'show policy-map control-plane' command output are true? (Choose TWO.)

Select 2 answers
A. The output displays the number of packets that matched each class in the CoPP policy.
B. The output includes the number of packets dropped by each class due to policing.
C. The output shows the routing table entries that are affected by the CoPP policy.
D. The output displays the CoPP policy applied to each physical interface.
E. The output includes the ARP cache entries that are protected by CoPP.
Answers: A, B

Correct. The command shows per-class packet and byte counters for matched traffic.

Why this answer

The 'show policy-map control-plane' command displays the applied CoPP policy, including per-class statistics such as classified packets, bytes, and drop counts. It shows the policy name, class maps, and actions (police, drop, etc.). It does not show per-interface statistics (that would be 'show policy-map interface'), nor does it show the routing table or ARP cache.

1446
MCQ · medium

Router R6 has the following DHCPv6 configuration:

    ipv6 dhcp pool DHCP6_POOL3
     address prefix 2001:db8:3::/64 lifetime 3600 600
     dns-server 2001:db8::1
    !
    interface GigabitEthernet0/2
     ipv6 address 2001:db8:3::1/64
     ipv6 dhcp server DHCP6_POOL3
     ipv6 nd managed-config-flag
     no shutdown

What is the effect of the lifetime parameters 3600 and 600?

A. The preferred lifetime is 3600 seconds and the valid lifetime is 600 seconds, which is invalid because the valid lifetime must be greater than or equal to the preferred lifetime.
B. The preferred lifetime is 600 seconds and the valid lifetime is 3600 seconds, which is a typical configuration.
C. The lifetimes are applied to the DNS server address, not the address prefix.
D. The configuration is valid and will work as expected.
Answer: A

Per RFC 4862, the valid lifetime must be greater than or equal to the preferred lifetime. A shorter valid lifetime is not allowed and will cause a configuration error.

Why this answer

Option A is correct because in the `ipv6 dhcp pool` configuration, the `lifetime` command specifies the preferred lifetime first (3600 seconds) and the valid lifetime second (600 seconds). According to RFC 4862, the valid lifetime must be greater than or equal to the preferred lifetime; otherwise, the configuration is invalid and will be rejected by the router. This mismatch causes the DHCPv6 pool to fail to apply the prefix.

Exam trap

The trap here is that Cisco tests whether candidates know the correct order of the preferred and valid lifetime parameters in the `lifetime` command, as many mistakenly assume the valid lifetime comes first or that the router will accept an invalid lifetime relationship.

How to eliminate wrong answers

Option B is wrong because it reverses the order of the lifetimes: the preferred lifetime is 3600 seconds (first value) and the valid lifetime is 600 seconds (second value), not the other way around. Option C is wrong because the `lifetime` command applies exclusively to the address prefix defined in the pool, not to the DNS server address; DNS server lifetimes are not configurable in this context. Option D is wrong because the configuration is invalid due to the valid lifetime being shorter than the preferred lifetime, so the router will not accept it and the DHCPv6 pool will not function as expected.

1447
MCQ · easy

An engineer is troubleshooting an EIGRP issue where a router is not learning a specific route from a neighbor, but other routes from the same neighbor are being learned. The engineer checks the EIGRP topology table and sees that the route is not present. The engineer also checks the neighbor's routing table and confirms that the route exists. What is the most likely cause?

A. A distribute-list in is applied on the local router that filters the specific route.
B. The neighbor is configured as a stub router.
C. The route is a summary route that is being suppressed by the 'summary-address' command.
D. The EIGRP metric for the route is too high, so it is not considered feasible.
Answer: A

Correct because a distribute-list can filter specific routes based on prefix or other criteria.

Why this answer

If only one route is missing from a neighbor, the issue is likely that the route is being filtered by a distribute-list or route-map on the receiving router. Since other routes are received, the filter is specific to that route.

1448
MCQ · hard

An engineer enables 'ipv6 destination guard' on a switch to prevent IPv6 address spoofing. After configuration, a legitimate host on a port is unable to receive traffic from the network, although it can send traffic. The host has a global unicast address. The switch logs show that destination guard is dropping packets destined to that host. What is the most likely cause?

A. The host uses IPv6 privacy extensions and changes its address frequently, but the binding table only has the original address.
B. Destination Guard blocks all global unicast addresses by default.
C. The switch port is not configured as 'trusted' for destination guard.
D. The host is using a link-local address, which destination guard does not support.
Answer: A

Destination Guard relies on static bindings; privacy addresses are not learned.

Why this answer

IPv6 Destination Guard validates destination addresses against the binding table. If the host's address is not in the binding table (e.g., because the host did not send an NA or the binding timed out), the switch drops packets destined to that address. The edge case is that Destination Guard requires the binding to be in 'REACHABLE' state.

If the host is silent for a long time, the binding may become 'STALE' and eventually 'DELAY' or 'PROBE', but Destination Guard still accepts traffic as long as the binding exists. However, if the binding is removed due to a timeout or if the host's address was never learned (e.g., the host uses privacy extensions and changes its address frequently), Destination Guard will drop traffic. The most likely oversight is that the host uses temporary addresses (privacy extensions) that are not registered in the binding table because the switch only learns the initial address from the first NA.

1449
MCQmedium

A network engineer runs the following command on Router R1:

R1# show ip bgp neighbors 192.168.1.2
BGP neighbor is 192.168.1.2, remote AS 65001, external link
  BGP version 4, remote router ID 10.2.2.2
  BGP state = Established, up for 00:15:00
  Last read 00:00:05, hold time is 180, keepalive interval is 60 seconds
  Neighbor sessions:
    1 active, is multisession capable
  Neighbor capabilities:
    Route refresh: advertised and received(new)
    Four-octets ASN: advertised and received
    Address family IPv4 Unicast: advertised and received
    Enhanced Refresh: advertised
  Message statistics:
    InQ depth is 0
    OutQ depth is 0
                    Sent  Rcvd
    Opens:             1     1
    Notifications:     0     0
    Updates:          10     5
    Keepalives:       15    15
    Route Refresh:     0     0
    Total:            26    21
  Default minimum time between advertisement runs is 30 seconds
 For address family: IPv4 Unicast
  Session: 192.168.1.2
  BGP table version 14, neighbor version 14/0
  Output queue size : 0
  Index 1, Advertise bit 0
  1 update-group member
  Incoming update prefix filter list: FILTER_IN
  Outgoing update prefix filter list: FILTER_OUT
                    Sent  Rcvd
  Prefixes:            2     2
  Updates:            10     5

Based on this output, what is the effect of the prefix lists?

A.The prefix lists FILTER_IN and FILTER_OUT are allowing only 2 prefixes in each direction.
B.The prefix lists are blocking all prefixes.
C.The prefix lists are not applied because the session is established.
D.The prefix lists are misconfigured and causing route flapping.
AnswerA

The counters show 2 prefixes sent and received, matching the filter lists.

Why this answer

The output shows that incoming and outgoing prefix filters (FILTER_IN and FILTER_OUT) are applied. The prefixes sent and received are both 2, indicating that the filters are allowing exactly 2 prefixes in each direction. The correct answer is that the prefix lists are filtering routes to only 2 prefixes.

1450
MCQhard

What is the default behavior of BGP synchronization in Cisco IOS-XE?

A.Enabled by default
B.Disabled by default
C.Enabled only for iBGP
D.Disabled only for eBGP
AnswerB

Correct. BGP synchronization is off by default.

Why this answer

BGP synchronization is disabled by default in IOS-XE; routes can be advertised without being in the IGP.

1451
MCQmedium

A network engineer runs the following command to troubleshoot a SPAN issue:

R1# debug monitor session 1
*Mar 1 00:00:01.123: MONITOR: Session 1: Packet captured on Gi0/0, forwarded to Gi0/1
*Mar 1 00:00:02.456: MONITOR: Session 1: Packet captured on Gi0/0, forwarded to Gi0/1

What does this output indicate?

A.The SPAN session is correctly forwarding packets from Gi0/0 to Gi0/1.
B.The SPAN session is misconfigured because packets should not be forwarded.
C.The SPAN session is misconfigured because the debug output shows errors.
D.The SPAN session is misconfigured because the destination port is not specified.
AnswerA

The debug output confirms successful packet forwarding.

Why this answer

The debug output shows that packets captured on source port Gi0/0 are being forwarded to destination port Gi0/1 for session 1. This indicates that the SPAN session is operational.

1452
Drag & Dropmedium

Drag and drop the steps to configure a GRE tunnel for IPv6 over IPv4 into the correct order, from first to last.

Why this order

The correct order follows the standard Cisco IOS-XE GRE tunnel configuration workflow: first create the tunnel interface, then assign an IPv6 address, set the tunnel source (physical interface or IP), set the tunnel destination (IPv4 address of the remote endpoint), and finally configure the tunnel mode as GRE IPv6.

1453
MCQmedium

A network engineer is troubleshooting a router that is experiencing high CPU utilization. The engineer checks the process list and sees that the 'EEM Server' process is consuming a significant amount of CPU. The engineer reviews the EEM configuration and finds multiple applets that are triggered by syslog events. What should the engineer do first to reduce CPU utilization?

A.Disable all EEM applets.
B.Use the 'show event manager statistics' command to see which applets are triggered most often.
C.Increase the router's CPU priority for the EEM process.
D.Change the syslog trigger to use a less frequent pattern.
AnswerB

Correct because this command provides per-applet trigger counts, helping pinpoint the culprit.

Why this answer

High CPU from EEM is often due to excessive syslog triggers. The engineer should first identify which applets are being triggered most frequently and either optimize their conditions or reduce the number of applets.

1454
MCQeasy

What is the default OSPF network type for a tunnel interface configured with 'tunnel mode gre multipoint'?

A.Broadcast
B.Point-to-multipoint
C.Point-to-point
D.Non-broadcast
AnswerA

The default OSPF network type for multipoint GRE tunnels is broadcast.

Why this answer

By default, a multipoint GRE tunnel interface uses the broadcast network type, which requires DR/BDR elections.

1455
MCQeasy

A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:

R1# show crypto engine connections active
Crypto Engine Connections
ID  Type   Algorithm     Encrypt  Decrypt  LastSeqNo
1   IPsec  ESP-3DES+SHA  0        0        0
2   IPsec  ESP-3DES+SHA  0        0        0
3   IPsec  ESP-AES+SHA   0        0        0

What does this output indicate?

A.The IPsec VPN is actively encrypting and decrypting traffic.
B.The IPsec SAs are established but no traffic is flowing, possibly due to routing or ACL issues.
C.The crypto engine is overloaded and cannot process packets.
D.The IPsec SAs are using the wrong transform set.
AnswerB

Zero packets suggest the SAs are idle; the issue is likely with traffic matching the crypto ACL or routing.

Why this answer

The output shows three IPsec Security Associations (SAs) with zero encrypted and zero decrypted packets, and a LastSeqNo of 0. This indicates the SAs are established (the tunnels are up) but no traffic is being processed through them. The most common causes are routing issues preventing traffic from reaching the tunnel interface, or ACLs that do not match the interesting traffic for encryption.

Exam trap

Cisco often tests the misconception that a non-zero number of SAs in 'show crypto engine connections active' automatically means traffic is flowing, when in fact the Encrypt/Decrypt counters must be checked to confirm actual data processing.

How to eliminate wrong answers

Option A is wrong because the Encrypt and Decrypt counters are both 0, which means no traffic is being encrypted or decrypted; active encryption would show non-zero counts. Option C is wrong because the crypto engine is not overloaded; an overloaded engine would typically show high packet counts or errors, not all zeros. Option D is wrong because the output does not indicate a transform set mismatch; mismatched transform sets would prevent SA establishment entirely, but here the SAs are listed (ID 1, 2, 3), meaning Phase 2 negotiation succeeded.

1456
Multi-Selectmedium

Which TWO commands verify the operational status of a local SPAN session on a Cisco IOS-XE switch? (Choose TWO.)

A.show monitor session 1
B.show monitor
C.show spanning-tree
D.show interfaces
E.show vlan
AnswersA, B

Displays detailed information about a specific SPAN session, including source, destination, and operational status.

Why this answer

The 'show monitor session 1' command displays details of a specific SPAN session, including source and destination interfaces and operational state. The 'show monitor' command lists all configured SPAN sessions and their status. 'show spanning-tree' is unrelated, 'show interfaces' does not show SPAN status, and 'show vlan' is for VLAN information.

1457
MCQmedium

A network engineer runs the following command to troubleshoot a Policy-Based Routing (PBR) issue:

R1# show route-map PBR-MAP
route-map PBR-MAP, permit, sequence 10
  Match clauses:
    ip address (access-lists): 101
  Set clauses:
    ip next-hop 10.1.1.2
    ip next-hop verify-availability
  Policy routing matches: 0 packets, 0 bytes

What does this output indicate?

A.The route-map is correctly configured but no traffic has matched it yet.
B.The next-hop 10.1.1.2 is unreachable, causing PBR to fail.
C.The access-list 101 is misconfigured and blocking all traffic.
D.The verify-availability feature is preventing any matches.
AnswerA

The packet counter shows 0 matches, so no packets have triggered PBR.

Why this answer

The output shows that the route-map PBR-MAP has a match clause referencing access-list 101 and a set clause with next-hop 10.1.1.2 and next-hop verify-availability. The packet counter is 0, meaning no packets have been policy-routed yet.

1458
MCQeasy

What is the default OSPF reference bandwidth used in the cost calculation formula on Cisco IOS?

A.10 Mbps
B.100 Mbps
C.1000 Mbps
D.1 Gbps
AnswerB

Cisco IOS uses 100 Mbps as the reference bandwidth by default.

Why this answer

The default reference bandwidth is 100 Mbps, meaning the cost is calculated as 100,000,000 / interface bandwidth in bps.

1459
MCQhard

A network uses Control Plane Policing (CoPP) to protect the router. Router R1 has a CoPP policy applied that rate-limits all traffic to 1 Mbps. On R1, 'show policy-map control-plane' indicates drops for EIGRP packets. R1's EIGRP neighbor R2 is flapping. What is the root cause?

A.The CoPP policy rate-limits EIGRP packets to 1 Mbps, but EIGRP hellos are small and frequent; the rate-limit may still drop them if the policer is not properly configured for burst.
B.R2 is sending too many EIGRP packets, exceeding the rate-limit.
C.R1 has an ACL that blocks EIGRP packets before they reach the control plane.
D.The CoPP policy is applied to the wrong interface.
AnswerA

Even small packets can be dropped if the policer uses a strict rate without adequate burst size.

Why this answer

CoPP rate-limits control plane traffic, including EIGRP hellos. If the rate is too low, hellos are dropped, causing the neighbor relationship to flap.

1460
MCQhard

A network engineer is troubleshooting a router that is generating excessive syslog messages, filling up the local logging buffer and causing performance issues. The engineer wants to reduce the volume of messages sent to the remote syslog server while still capturing critical alerts locally. The current configuration includes 'logging buffered 4096 debugging' and 'logging host 10.1.1.100'. What is the best approach?

A.Change 'logging buffered 4096 debugging' to 'logging buffered 4096 errors' to reduce local messages.
B.Configure 'logging trap errors' under the logging host configuration to limit remote messages to severity 3 and above.
C.Remove the 'logging buffered' command to stop all local logging.
D.Add 'logging rate-limit 10' to limit the number of messages per second.
AnswerB

Correct because 'logging trap errors' sets the remote syslog threshold to severity 3 (errors), reducing volume while keeping local debugging intact.

Why this answer

To reduce remote syslog volume without affecting local logging, the engineer should set a higher severity threshold for the remote server using 'logging trap' (e.g., 'logging trap 3' for errors only). The local buffer can remain at debugging level for detailed troubleshooting. This separates the logging levels.

1461
MCQmedium

A network engineer runs the following command on Router R1:

R1# show route-map TEST
route-map TEST, permit, sequence 10
  Match clauses:
    ip address (access-lists): 100
  Set clauses:
    metric 50
  Policy routing matches: 0 packets, 0 bytes
route-map TEST, deny, sequence 20
  Match clauses:
    ip address (access-lists): 101
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes

Based on this output, which statement is correct?

A.The route-map is applied to an interface but no traffic has matched it yet.
B.The route-map is misconfigured because sequence 20 does not have a set clause.
C.The route-map will set the metric to 50 for all packets.
D.The route-map is applied globally and is affecting all routing decisions.
AnswerA

The 'Policy routing matches: 0 packets' indicates that the route-map is configured but has not yet been used to route any packets.

Why this answer

The output shows 'Policy routing matches: 0 packets, 0 bytes' for both sequences, which indicates the route-map has been applied to an interface (for policy-based routing) but no traffic has matched any of the match clauses yet. This is the only conclusion that can be drawn from the provided data.

Exam trap

Cisco often tests the distinction between route-maps used for policy-based routing (which show 'Policy routing matches' counters) versus those used for redistribution or routing protocol filtering (which do not show those counters), leading candidates to incorrectly assume a route-map is globally applied.

How to eliminate wrong answers

Option B is wrong because a set clause is not required in a deny sequence; the deny action itself is sufficient to reject matching traffic, and the set clause is irrelevant. Option C is wrong because the route-map only sets the metric to 50 for packets that match access-list 100 in sequence 10, not for all packets; packets matching sequence 20 (deny) or not matching any sequence will not have their metric set. Option D is wrong because the output shows 'Policy routing matches' which is specific to policy-based routing applied on an interface, not a global routing process; route-maps used globally (e.g., with redistribute or route-map in BGP) would not display 'Policy routing matches' counters.

1462
MCQmedium

A network engineer is troubleshooting an OSPF adjacency that is flapping between two routers. The adjacency forms and then drops repeatedly. Both routers are configured for BFD on the OSPF interface. The engineer checks the BFD session and sees it is up, but the OSPF neighbor state transitions from FULL to DOWN every few seconds. What is the most likely cause of this issue?

A.The BFD timers are set too low on one router.
B.The OSPF dead interval is mismatched between the two routers.
C.The interface is flapping due to a physical issue.
D.BFD is configured with the 'strict-mode' command, causing OSPF to ignore BFD state.
AnswerB

A mismatch in OSPF dead interval (or hello interval) causes the adjacency to reset even if BFD is healthy, because OSPF uses its own keepalive mechanism.

Why this answer

The BFD session is up, so BFD is not causing the flap. The issue is likely a mismatch in OSPF parameters that causes the adjacency to reset independently of BFD.

1463
MCQhard

An engineer configures Control Plane Policing (CoPP) on a PE router in an MPLS L3VPN to protect the control plane. The engineer creates a policy-map that matches BGP packets and applies a police rate of 100 pps. The engineer also configures a class-default with a police rate of 10 pps. After applying the policy to the control-plane, the engineer notices that BGP sessions are flapping and the router is dropping BGP packets. The engineer verifies that the ACL for BGP is correct. What is the most likely explanation?

A.The class-default policy is dropping BGP packets that are not matched by the BGP class due to an incomplete ACL.
B.The police rate for BGP is too low, causing BGP packets to be dropped even when matched.
C.The CoPP policy is applied to the wrong control-plane (e.g., 'control-plane host' instead of 'control-plane transit').
D.The 'service-policy' command is missing the 'input' keyword, causing the policy to be applied only to output traffic.
AnswerA

Correct. If the ACL does not match all BGP packets (e.g., only matching TCP port 179 from one direction), some BGP packets fall into class-default and are dropped.

Why this answer

A common edge case with CoPP is that the class-default policy can inadvertently match control plane traffic that is not explicitly matched in other classes. If the class-default has a very low police rate (e.g., 10 pps), it can drop packets that are not matched by the BGP class, such as routing protocol packets that are not BGP (e.g., OSPF, EIGRP) or management traffic. However, the specific issue here is that the BGP class is matching BGP packets, but if the ACL is not correctly matching all BGP packets (e.g., using TCP port 179 but not matching both directions), some BGP packets may fall into class-default and be dropped.

The most likely explanation is that the class-default is dropping packets that are not explicitly matched, including some BGP packets that are not caught by the ACL.

1464
Multi-Selecthard

Which TWO statements correctly describe the behavior of automatic 6to4 tunneling? (Choose TWO.)

A.The 6to4 prefix is 2002::/16, where the next 32 bits are the IPv4 address of the tunnel source in hexadecimal.
B.A 6to4 relay router must have an IPv6 route to 2002::/16 pointing to the tunnel interface.
C.6to4 tunnels can use private IPv4 addresses as the tunnel source.
D.The 6to4 prefix is 2001::/16, and the IPv4 address is embedded in the interface ID.
E.The tunnel interface must be configured with tunnel mode ipv6ip.
AnswersA, B

Correct. The 6to4 prefix is 2002::/16, and the IPv4 address is embedded in hex in the next 32 bits.

Why this answer

Option A is correct because RFC 3056 defines the 6to4 prefix as 2002::/16, and the next 32 bits are the IPv4 address of the tunnel source converted to hexadecimal. This embeds the IPv4 address directly into the IPv6 prefix, allowing automatic tunnel creation without explicit peer configuration.

Exam trap

Cisco often tests the distinction between 6to4 (2002::/16) and Teredo (2001::/16), and candidates mistakenly think private IPv4 addresses are acceptable for 6to4 tunnel sources.

1465
MCQhard

A large enterprise network is experiencing intermittent IPv6 connectivity between two remote sites connected via an IPv6-in-IPv4 manual tunnel. Router R1 has the following relevant configuration:

interface Tunnel0
 ipv6 address 2001:DB8:1::1/64
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
ipv6 route 2001:DB8:2::/64 Tunnel0

Router R2 shows:

R2# show ipv6 route 2001:DB8:1::/64
% Route not found.

The tunnel interface is up/up on both routers, and IPv4 reachability between tunnel endpoints is verified. What is the root cause?

A.The tunnel destination on R1 is incorrect and should be 198.51.100.2.
B.R2 is missing a static route for 2001:DB8:1::/64 pointing to its Tunnel0 interface.
C.The tunnel mode must be changed to ipv6ip for IPv6-in-IPv4 tunneling.
D.IPv6 unicast-routing is disabled on R2.
AnswerB

Without a return route, R2 cannot forward packets back to R1's IPv6 network.

Why this answer

The issue is that R2 has no route to the 2001:DB8:1::/64 network, which is the tunnel subnet on R1's side. Even though the tunnel is up/up and IPv4 reachability exists, R2 cannot return traffic to R1's tunnel endpoint address because it lacks a static route pointing to its own Tunnel0 interface. This is a common misconfiguration in point-to-point IPv6-in-IPv4 manual tunnels where both sides must have reciprocal static routes for the remote tunnel networks.

Exam trap

Cisco often tests the misconception that if the tunnel is up/up and IPv4 reachability is verified, IPv6 routing will automatically work, but they intentionally omit the reciprocal static route to trap candidates who overlook the need for explicit routing on both sides.

How to eliminate wrong answers

Option A is wrong because the tunnel destination on R1 is 198.51.100.1, which is the tunnel source address of R2; changing it to 198.51.100.2 would be incorrect as that is not the configured tunnel source on R2. Option B is the correct answer. Option C is wrong because the default tunnel mode for a manual IPv6-in-IPv4 tunnel is 'ipv6ip' (or 'tunnel mode ipv6ip'), and no mode change is needed; the configuration shown uses the correct default.

Option D is wrong because the 'ipv6 unicast-routing' command enables IPv6 routing globally, but the symptom here is a missing route, not a routing protocol or forwarding issue; R2 can still forward packets with static routes even if unicast-routing is disabled (though it is typically required for dynamic routing).

1466
MCQhard

What is the default SNMPv3 engine ID format on a Cisco IOS device?

A.A random 32-bit integer
B.The IP address of the management interface
C.The MAC address of the lowest-numbered interface
D.A manually configured string; no default exists
AnswerC

Cisco IOS uses the MAC address of the lowest-numbered interface (e.g., GigabitEthernet0/0) to form the engine ID.

Why this answer

The default engine ID is derived from the MAC address of the lowest-numbered interface, per RFC 3411 and Cisco implementation.

1467
MCQeasy

A network engineer is troubleshooting a BGP route advertisement issue. Router R1 (AS 65001) is an eBGP peer of R2 (AS 65002). R1 is advertising the prefix 10.0.0.0/8 to R2. R2 has an iBGP session with R3 (AS 65002). R3's BGP table shows the prefix 10.0.0.0/8 with next-hop 10.1.1.1 (R1's interface). However, R3 does not install this route in its routing table. The output of 'show ip route 10.0.0.0' on R3 shows no route. The engineer checks the routing table on R3 and sees that the interface connected to 10.1.1.0/24 is down. What is the most likely cause?

A.The next-hop 10.1.1.1 is not reachable because the directly connected interface is down.
B.The route is not installed because BGP synchronization is enabled.
C.The route is not installed because the prefix is being filtered by an inbound route-map on R3.
D.The route is not installed because the administrative distance of the route is too high.
AnswerA

Correct because BGP requires the next-hop to be reachable; a down interface makes the next-hop unreachable.

Why this answer

For BGP to install a route, the next-hop must be reachable. If the interface to the next-hop is down, the route is considered unreachable and will not be installed.

1468
MCQhard

An engineer configures iBGP between two PE routers in an MPLS L3VPN. The PE routers are in the same AS and are directly connected. The engineer configures 'neighbor x.x.x.x next-hop-self' on the route reflector (RR) but notices that the RR is not sending the VPNv4 routes to the client PE with the next-hop set to itself. The client PE receives the routes but the next-hop remains the original PE. What is the most likely explanation?

A.The 'next-hop-self' command is not applied to the route-reflector client session; it must be applied to the client's neighbor statement on the RR, but it is ignored for reflected routes.
B.The 'next-hop-self' command is only applicable to eBGP sessions, not iBGP.
C.The 'next-hop-self' command requires the 'soft-reconfiguration inbound' to be configured to take effect.
D.The 'next-hop-self' command is overridden by the 'next-hop-unchanged' command on the route reflector.
AnswerA

Correct. 'next-hop-self' is not effective for routes reflected by a route reflector; the RR preserves the original next-hop.

Why this answer

In BGP, the 'next-hop-self' command is only effective for eBGP sessions or for iBGP sessions when the neighbor is not a route-reflector client. When a route reflector sends a route to a client, it does not change the next-hop attribute by default, even if 'next-hop-self' is configured. This is because the route reflector is expected to preserve the next-hop as learned from the original router.

To change the next-hop on a route reflector, the engineer must use 'neighbor x.x.x.x next-hop-self' on the RR for the client, but this command is ignored for routes that are reflected from another iBGP speaker. This is a known edge case that can cause reachability issues if the client cannot reach the original next-hop.

1469
MCQhard

An engineer configures a route map to filter OSPF routes using a distribute-list in OSPF process 1. The distribute-list references a prefix-list that permits only the 10.0.0.0/8 network. After applying the distribute-list in, the engineer notices that the OSPF neighbor state remains stuck in EXSTART/EXCHANGE. Which is the most likely explanation?

A.The distribute-list is applied incorrectly; it should be applied out instead of in.
B.The distribute-list filters LSAs during the exchange, causing the neighbor to be stuck.
C.There is an MTU mismatch between the OSPF neighbors, preventing the exchange of Database Description packets.
D.The prefix-list is misconfigured; it should permit 10.0.0.0/8 with a ge 24 operator.
AnswerC

MTU mismatch causes OSPF to get stuck in EXSTART/EXCHANGE because DBD packets are dropped.

Why this answer

OSPF distribute-list in only filters routes in the routing table, not LSAs. It does not affect the exchange of LSAs during adjacency formation. The adjacency stall is unrelated to the distribute-list; the issue is likely an MTU mismatch between the interfaces.

1470
MCQeasy

What is the maximum hop count for a route in RIPv2 by default?

A.15
B.16
C.255
D.32
AnswerA

15 is the maximum metric; 16 means infinity (unreachable).

Why this answer

RIP uses a maximum hop count of 15, with 16 considered unreachable, to prevent routing loops.

1471
MCQeasy

Which DHCPv6 option carries the DNS recursive name server information?

A.Option 6 (Domain Name Server)
B.Option 23 (DNS Recursive Name Server)
C.Option 24 (Domain Search List)
D.Option 21 (SIP Server Domain Name)
AnswerB

Option 23 is the DHCPv6 option for DNS servers.

Why this answer

Option 23 (DNS Recursive Name Server) in DHCPv6 provides the list of DNS servers to clients, per RFC 3646.

1472
MCQmedium

A network engineer runs the following command on Router R1:

R1# show snmp host
Host: 192.168.1.100
  Port: 162
  Timeout: 1.5 seconds
  Retries: 3
  Version: 2c
  Community: PUBLIC
Host: 192.168.1.200
  Port: 162
  Timeout: 3 seconds
  Retries: 5
  Version: 3
  User: admin
  Security level: authPriv

Based on this output, which statement is correct?

A.SNMP traps sent to 192.168.1.200 will be encrypted.
B.Both hosts use the same SNMP version.
C.The host at 192.168.1.100 uses SNMPv3 with user 'admin'.
D.Traps to 192.168.1.200 will be sent with community string 'admin'.
AnswerA

The security level 'authPriv' requires both authentication and privacy (encryption).

Why this answer

The output shows two SNMP trap receivers. The first uses SNMPv2c with community 'PUBLIC', while the second uses SNMPv3 with user 'admin' and security level authPriv. The timeout and retry values differ between the two hosts.

1473
MCQmedium

A network engineer configures NetFlow on a router using the legacy 'ip flow-export' commands. After applying 'ip route-cache flow' on an interface, 'show ip flow export' shows packets being sent, but the collector reports that all flows have a source IP of the router's management interface instead of the actual source IPs. What is the most likely cause?

A.The 'ip flow-export source' command is set to the management interface, which becomes the source IP of export packets.
B.The router is performing NAT on the flow data before exporting.
C.The flow record is configured to match the router's interface IP as the source.
D.The collector is misconfigured to display the export packet source instead of the flow source.
AnswerA

The export source IP is the source of the NetFlow packets, not the flow data. The collector should display flow source IPs separately.

Why this answer

In legacy NetFlow, the 'ip flow-export source' command sets the source IP of export packets, not the flow data. The symptom described is normal; the collector sees the source IP of the export packets, not the flow source IPs. However, if the collector is misconfigured to interpret the export source as flow source, that is a collector issue.

But more likely, the engineer is misreading the collector output. The question tests understanding that export source IP is not the flow source.

1474
Multi-Selecthard

Which TWO configuration steps are required to enable NETCONF over SSH on a Cisco IOS-XE device? (Choose TWO.)

A.Configure 'netconf-yang' under the 'router' configuration mode.
B.Issue the command 'netconf ssh' in global configuration mode.
C.Enable the 'netconf-yang' feature using the command 'netconf-yang' in global configuration mode.
D.Configure 'ip ssh version 2' to ensure SSH is available.
E.Issue the command 'netconf' in global configuration mode.
AnswersB, C

This command enables the NETCONF SSH subsystem.

Why this answer

NETCONF over SSH requires the 'netconf-yang' feature to be enabled globally and the 'netconf ssh' command to activate the NETCONF SSH subsystem. The 'ip ssh' commands are for general SSH configuration, not NETCONF-specific. The 'netconf' command alone does not specify the transport.

1475
MCQeasy

What is the default behavior of an EEM applet when a 'set' action modifies a variable that is used in a subsequent 'if' condition?

A.The variable is evaluated at the start of the applet, so the 'if' condition uses the original value.
B.The variable is evaluated at the time the 'if' condition is executed, so it uses the updated value.
C.The 'set' action cannot modify a variable that is used in an 'if' condition.
D.The applet will fail if a variable is modified after being used in an 'if' condition.
AnswerB

Correct. EEM actions are executed sequentially, so the 'if' condition uses the current value of the variable.

Why this answer

EEM applets execute actions sequentially. If a 'set' action modifies a variable, that new value is used in any subsequent 'if' condition that references the same variable. Variables are not pre-evaluated; they are evaluated at the time the action is executed.

1476
MCQhard

A network engineer runs the following command on Router R1:

R1# show ip nat translations
Pro  Inside global   Inside local   Outside local      Outside global
tcp  192.0.2.10:80   10.0.0.10:80   203.0.113.5:12345  203.0.113.5:12345
tcp  192.0.2.10:80   10.0.0.11:80   203.0.113.5:67890  203.0.113.5:67890
R1# show ip nat statistics
Total active translations: 2 (0 static, 2 dynamic; 2 extended)
Outside interfaces:
  GigabitEthernet0/1
Inside interfaces:
  GigabitEthernet0/0
Hits: 50  Misses: 0
CEF Translated packets: 50, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id] ip nat inside source list ACL1 interface GigabitEthernet0/1 overload refcount 2

Based on this output, what is the problem?

A.PAT is not assigning unique source ports; both translations use port 80, which will cause conflicts.
B.The NAT pool is misconfigured because it uses the interface address.
C.The inside and outside interfaces are swapped.
D.Static NAT is interfering with dynamic NAT.
AnswerA

In PAT, the router should change the source port to a unique value. Both translations showing the same inside global port 80 indicates a problem.

Why this answer

The output shows two inside hosts (10.0.0.10 and 10.0.0.11) both using the same inside global address 192.0.2.10 (the interface address) and the same port 80. This is a problem because PAT should assign unique source ports for each translation. Both translations show the same inside global port (80), which is incorrect; PAT should use different ports.

This indicates a misconfiguration or a bug, as PAT normally changes the source port to a unique value. The correct answer is that PAT is not assigning unique ports, which will cause conflicts.

1477
MCQ · hard

R1 and R2 are iBGP peers. R1 has: neighbor 10.1.1.2 route-map RM_SET in. The route-map RM_SET sets community 100:100. R2 advertises a prefix 172.16.1.0/24 with community 200:200. R1 receives the prefix and the community is changed to 100:100. However, R1's BGP table shows the prefix with community 100:100, but R1 does not propagate this prefix to its other iBGP peer R3. R3 has no special configuration. What is the root cause?

A. iBGP split-horizon rule prevents R1 from advertising routes learned from an iBGP peer to another iBGP peer.
B. The community 100:100 is being filtered by R3's inbound policy.
C. The route-map RM_SET should have been applied outbound on R2 instead.
D. R1 must have a network statement for 172.16.1.0/24 to advertise it.
Answer: A

iBGP does not advertise routes learned from one iBGP neighbor to another iBGP neighbor unless route reflection or confederation is used.

Why this answer

By default, iBGP learned routes are not advertised to other iBGP peers to prevent loops, unless the router is a route reflector or confederation. R1 is not a route reflector, so it will not advertise the prefix learned from R2 to R3. The community manipulation is irrelevant to the propagation issue.

The root cause is that iBGP split-horizon prevents R1 from advertising the prefix to R3.

1478
MCQ · hard

A network engineer runs the following command to troubleshoot SNMPv3:

    R1# show snmp user
    User name: admin
    Engine ID: 800000090300001122334455
    Storage-type: nonvolatile
    Authentication Protocol: SHA
    Privacy Protocol: AES128
    Group: admin-group

    User name: monitor
    Engine ID: 800000090300001122334455
    Storage-type: nonvolatile
    Authentication Protocol: MD5
    Privacy Protocol: DES
    Group: monitor-group

What does this output indicate?

A. Two SNMPv3 users are configured: 'admin' with SHA/AES128 and 'monitor' with MD5/DES.
B. SNMPv3 is not configured because no users are shown.
C. Both users use the same authentication and privacy protocols.
D. The users are in the same SNMP group.
Answer: A

The output shows the authentication and privacy protocols for each user.

Why this answer

The show snmp user command displays SNMPv3 users. The output shows two users: 'admin' with SHA authentication and AES128 encryption in group 'admin-group', and 'monitor' with MD5 authentication and DES encryption in group 'monitor-group'.

1479
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show crypto isakmp sa
    dst         src         state         conn-id  slot  status
    10.1.1.2    10.1.1.1    MM_NO_STATE   1        0     ACTIVE

Based on this output, what is the problem?

A. The IPsec SA is established and working correctly.
B. The IKE phase 1 negotiation has failed; the pre-shared key may be mismatched.
C. The tunnel is up but no interesting traffic is triggering the IPsec SA.
D. The ISAKMP SA is in MM_ACTIVE state, meaning phase 1 is complete.
Answer: B

MM_NO_STATE indicates no ISAKMP SA has been formed, often due to pre-shared key mismatch or firewall blocking UDP 500.

Why this answer

The MM_NO_STATE indicates that the IKE phase 1 negotiation has not progressed past the initial state. This typically means the peer is not responding to the ISAKMP proposals, often due to mismatched pre-shared keys or access-list blocking UDP port 500.

1480
MCQ · hard

A network uses PBR to route traffic from a specific subnet (192.168.1.0/24) through a WAN link (next-hop 10.10.10.2). After a routing change, traffic from this subnet is being sent to the WAN link but is being dropped. Router R1 shows: 'show route-map' shows the route-map is applied, 'debug ip policy' shows traffic being forwarded to 10.10.10.2, but 'show ip route 10.10.10.2' shows a route via a different interface (GigabitEthernet0/1). What is the root cause?

A. The next-hop 10.10.10.2 is not directly connected to the interface where PBR is applied. PBR requires the next-hop to be directly connected. Use a directly connected next-hop or configure a static route to make it directly connected.
B. The route-map is missing a 'set ip next-hop verify-availability' command, causing PBR to use the next-hop even when it is not reachable.
C. The routing table on R1 has a better route to the destination via a different next-hop, overriding PBR.
D. The interface where PBR is applied is in a different VRF, causing the next-hop to be unreachable.
Answer: A

PBR's 'set ip next-hop' command requires the next-hop to be on a directly connected subnet. If it is reachable via a route, PBR will drop the packet. This is a common misconfiguration when the next-hop is on a remote subnet.

Why this answer

PBR requires the next-hop to be directly connected. If the next-hop is reachable via a route (e.g., through another router), PBR will not use it and will drop the packet. In this case, 10.10.10.2 is reachable via GigabitEthernet0/1, but it is not directly connected to the interface where PBR is applied.

The solution is to ensure the next-hop is directly connected or use a different next-hop.

1481
MCQ · medium

Router R3 has the following DHCP configuration:

    ip dhcp pool POOL2
     network 10.10.10.0 255.255.255.0
     default-router 10.10.10.1
     dns-server 10.10.10.2
     lease 7
    !
    interface GigabitEthernet0/0
     ip address 10.10.10.1 255.255.255.0
     ip dhcp relay information option
     no shutdown

What is the problem with this configuration?

A. The relay information option should not be configured on the server interface; it is intended for relay agents and may cause DHCP packets to be dropped or misprocessed.
B. The lease duration of 7 days is invalid; valid lease values are in hours or minutes only.
C. The default-router address is missing the subnet mask, which will cause clients to receive an incomplete configuration.
D. The DNS server address is on the same subnet as the clients, which is not allowed.
Answer: A

The ip dhcp relay information option is meant for interfaces acting as DHCP relay agents. On a server interface, it can cause the server to add Option 82 to its own packets, leading to confusion or packet rejection.

Why this answer

The 'ip dhcp relay information option' command is intended for DHCP relay agents to insert Option 82 (Relay Agent Information) into DHCP packets. When configured on a DHCP server interface, it causes the server to expect and process Option 82, but since the server itself is not a relay agent, this can lead to malformed packets, dropped requests, or misprocessing of DHCP messages. In this scenario, R3 is acting as the DHCP server on GigabitEthernet0/0, so the command should be removed to ensure normal DHCP operation.

Exam trap

Cisco often tests the misconception that 'ip dhcp relay information option' is a generic DHCP feature that can be applied anywhere, when in fact it is strictly for relay agents and causes problems if enabled on a DHCP server interface.

How to eliminate wrong answers

Option B is wrong because the lease duration of 7 days is valid; Cisco IOS DHCP supports lease values in days, hours, or minutes (e.g., 'lease 7' means 7 days). Option C is wrong because the 'default-router' command does not require a subnet mask; the mask is derived from the 'network' statement, and clients receive the default gateway IP without a mask. Option D is wrong because there is no restriction preventing the DNS server from being on the same subnet as the clients; in fact, it is common and fully supported.

1482
MCQ · medium

A network engineer runs the following command to troubleshoot a Network Logging and Syslog issue:

    R1# show ip route summary

Output:

    Route Source    Networks    Subnets    Overhead    Memory (bytes)
    connected       0           2          0           0
    static          0           0          0           0
    ospf 1          5           10         0           0
    bgp 65001       3           5          0           0
    Total           8           17         0           0

What does this output indicate?

A. The routing table contains 8 networks and 17 subnets, with OSPF contributing the most routes.
B. The router has a routing table with 25 total routes.
C. The router is using BGP as the primary routing protocol.
D. The router has no static routes configured.
Answer: A

The totals show 8 networks and 17 subnets; OSPF has 5 networks and 10 subnets.

Why this answer

The output shows the routing table summary, including the number of networks and subnets from each routing protocol. This helps in understanding the routing table size and protocol contributions.

1483
MCQ · hard

An engineer configures IPsec between two VRF-Lite routers using a site-to-site VPN. The tunnel is established, but no traffic is encrypted. The engineer verifies that the crypto map is applied to the correct interface and that the ACL for interesting traffic matches the VRF traffic. Which is the most likely explanation?

A. The crypto map is applied to the wrong interface; it should be applied to the VRF interface, not the physical interface.
B. The ACL for interesting traffic is not matching the VRF traffic because the ACL is evaluated in the global routing table, not the VRF.
C. The IPsec transform set has a mismatch in the encryption algorithm, causing the tunnel to fail to establish.
D. The 'crypto isakmp key' command is missing the VRF keyword, causing IKE to fail.
Answer: B

IPsec crypto maps are evaluated in the global routing table. VRF traffic must be redirected to the global table using PBR or the crypto map must be VRF-aware.

Why this answer

In VRF-Lite, traffic is forwarded based on the VRF routing table. However, IPsec crypto maps operate on the global routing table by default. If the traffic is in a VRF, the crypto map must be applied with the VRF keyword or the traffic must be redirected using a policy-based route (PBR) to the global table.

Without this, the crypto engine does not see the traffic as interesting, so it is not encrypted.

1484
Drag & Drop · medium

Drag and drop the steps to verify and validate OSPF operational state into the correct order, from first to last.

Why this order

The verification process starts by checking the OSPF neighbor state with show ip ospf neighbor. Next, examine the OSPF database using show ip ospf database to see LSAs. Then, verify the routing table for OSPF routes with show ip route ospf.

After that, check interface-specific OSPF details with show ip ospf interface. Finally, test end-to-end connectivity with extended ping to validate reachability.

1485
MCQ · medium

A network engineer runs the following command to troubleshoot an IP SLA issue:

    R1# show ip sla history 10
    Point by Point History
    Entry = 10
    Life = 1
    Time of Event = 12:34:56.789 UTC Mon Mar 1 2021
    Start Time = 12:34:56.789 UTC Mon Mar 1 2021
    Completion Time = 12:34:57.001 UTC Mon Mar 1 2021
    Return Code = OK
    RTT = 12 ms
    Life = 2
    Time of Event = 12:35:56.789 UTC Mon Mar 1 2021
    Start Time = 12:35:56.789 UTC Mon Mar 1 2021
    Completion Time = 12:35:57.001 UTC Mon Mar 1 2021
    Return Code = OK
    RTT = 14 ms
    Life = 3
    Time of Event = 12:36:56.789 UTC Mon Mar 1 2021
    Start Time = 12:36:56.789 UTC Mon Mar 1 2021
    Completion Time = 12:36:57.001 UTC Mon Mar 1 2021
    Return Code = OK
    RTT = 11 ms

What does this output indicate?

A. The IP SLA operation has experienced multiple timeouts.
B. The IP SLA operation shows a history of successful probes with low RTT values.
C. The IP SLA operation has failed because the RTT values are inconsistent.
D. The IP SLA operation is not configured because no history is shown.
Answer: B

Each entry shows 'Return Code = OK' and RTT between 11-14 ms.

Why this answer

This output shows historical data for IP SLA operation 10. Each entry shows a successful probe with RTT around 11-14 ms, indicating consistent performance over time.

1486
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show bfd neighbors detail
    IPv4 Sessions
    NeighborAddr    LD/RD    Int      State    Holdown(mult)    Intf
    10.1.1.2        1/3      Gi0/0    Up       3000(3)          Gi0/0
    Session state is UP and not using echo function.
    OurAddr: 10.1.1.1
    Handle: 1
    Local Diag: 0, Demand mode: 0, Poll bit: 0
    MinTxInt: 1000000, MinRxInt: 1000000, Multiplier: 3
    Received MinRxInt: 1000000, Received Multiplier: 3
    Holddown (hits): 3000(0)
    Rx Count: 100, Tx Count: 100

Based on this output, what is the BFD session's detection time?

A. The detection time is 3000 ms.
B. The detection time is 1000 ms.
C. The detection time is 1500 ms.
D. The detection time is 9000 ms.
Answer: A

It is the holddown timer shown in the output, which is 3000 ms.

Why this answer

The detection time is the holddown timer, which is the negotiated transmit interval multiplied by the multiplier. The negotiated transmit interval is 1000 ms (maximum of local MinTxInt and received MinRxInt), and the multiplier is 3, so the detection time is 3000 ms.

1487
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show snmp group
    group name: readonly
    security model: v3
    security level: authNoPriv
    context: <none>
    read view: iso
    write view: <none>
    notify view: <none>

    Group name: admin
    security model: v3
    security level: authPriv
    context: <none>
    read view: iso
    write view: iso
    notify view: iso

Based on this output, which statement is correct?

A. The 'readonly' group can read all MIB objects because its read view is 'iso'.
B. The 'admin' group requires only authentication, not encryption.
C. The 'readonly' group can send SNMP traps.
D. Both groups have the same security level.
Answer: A

The read view 'iso' typically includes the entire MIB tree, allowing read access to all objects.

Why this answer

The output shows two SNMPv3 groups. The 'readonly' group has security level 'authNoPriv', meaning authentication is required but no privacy. The 'admin' group has 'authPriv', requiring both authentication and privacy.

The 'readonly' group has no write view, so it cannot modify configurations.

1488
MCQ · medium

A network engineer runs the following command to troubleshoot a Route Redistribution issue:

    R1# debug ip bgp updates

And sees the following output:

    *Mar 1 00:25:44.789: BGP(0): 10.1.1.2 UPDATE out about 192.168.10.0/24, NEXT_HOP 10.1.1.1, LOCAL_PREF 100, MED 0, origin i, path 65000 65001
    *Mar 1 00:25:44.790: BGP(0): 10.1.1.2 UPDATE run, update sent
    *Mar 1 00:25:44.791: BGP(0): 10.1.1.2 UPDATE in about 10.2.2.0/24, NEXT_HOP 10.1.1.2, LOCAL_PREF 100, MED 0, origin i, path 65002

What does this output indicate?

A. BGP is redistributing routes from OSPF into BGP, as shown by the AS path.
B. R1 is advertising 192.168.10.0/24 to neighbor 10.1.1.2 and learning 10.2.2.0/24 from the same neighbor.
C. The route 192.168.10.0/24 is being filtered due to AS path length.
D. BGP is not receiving any routes because of a redistribution issue.
Answer: B

The output shows outbound update for 192.168.10.0/24 and inbound update for 10.2.2.0/24, indicating BGP peering is working.

Why this answer

The debug ip bgp updates output shows BGP updates being sent and received. R1 sends an update for 192.168.10.0/24 with AS path 65000 65001 and receives an update for 10.2.2.0/24 with AS path 65002. This indicates BGP is exchanging routes, but if redistribution is expected, the AS path may indicate the route origin.

1489
Multi-Select · hard

Which TWO statements about the behavior of administrative distance in Cisco IOS are correct? (Choose TWO.)

Select 2 answers
A. The default administrative distance for an EIGRP summary route is 5.
B. The default administrative distance for OSPF is 90.
C. The distance command applied under a routing protocol can modify the AD for all routes, including connected and static routes, learned via that protocol.
D. The show ip route command displays the administrative distance of each route in the routing table.
E. When two different routing protocols provide routes to the same destination, the route with the higher administrative distance is installed in the routing table.
Answers: A, D

Correct. EIGRP summary routes have a default AD of 5, which is lower than the AD of any dynamic routing protocol, ensuring they are preferred.

Why this answer

Administrative distance (AD) is a trustworthiness metric used to select the best route among multiple routing protocols. A lower AD is preferred. The default AD for EIGRP summary routes is 5, which is lower than the default AD for OSPF (110).

The distance command can be applied to a routing process to change the AD for all routes learned via that protocol, but it does not affect connected or static routes unless explicitly configured. The show ip route command displays the AD of each route, and the AD value is used to break ties when multiple protocols provide routes to the same destination.

1490
MCQ · hard

A network engineer configures EEM to monitor memory usage on R1. R1 has:

    event manager applet MEM-MONITOR
     event snmp oid 1.3.6.1.4.1.9.9.48.1.1.1.6.1 get-type exact entry-op gt entry-val 90 poll-interval 10
     action 1.0 cli command "enable"
     action 2.0 cli command "show processes memory"
     action 3.0 syslog msg "High memory usage detected"

After a few days, the engineer notices that the applet never triggers, even though memory usage exceeds 90%. Router R2 shows: memory usage is at 95%, but no syslog from EEM. What is the root cause?

A. The SNMP OID is for free memory, and the condition checks if free memory is greater than 90%, which is not met when memory is low.
B. The poll-interval of 10 seconds is too short and causes the applet to be suppressed.
C. The SNMP community string is not configured, so the OID cannot be polled.
D. The applet requires 'event manager applet MEM-MONITOR trigger' to start.
Answer: A

The OID returns free memory; the applet triggers only when free memory >90%, which never happens when memory is high.

Why this answer

The SNMP OID used (1.3.6.1.4.1.9.9.48.1.1.1.6.1) is for the free memory, not used memory. The applet checks if free memory is greater than 90%, which is false when memory is low. The correct OID should be for used memory or the comparison operator should be 'lt' for free memory below 10%.

1491
Drag & Drop · medium

Drag and drop the steps to establish a DMVPN Phase 2 spoke-to-spoke tunnel into the correct order, from first to last.

Why this order

In DMVPN Phase 2, spoke-to-spoke tunnels are built dynamically. First, the spoke must have a valid NHRP registration to the hub. When traffic from one spoke to another triggers an NHRP resolution request, the hub forwards it to the target spoke, which replies.

The spoke then initiates a direct mGRE tunnel, and finally, the spoke-to-spoke IPsec session is established.

1492
MCQ · medium

Which of the following statements about MPLS L3VPN label operations is true?

A. The ingress PE pushes two labels: the outer IGP label and the inner VPN label.
B. The egress PE uses the IGP label to determine the VRF.
C. The P routers swap the VPN label as they forward the packet.
D. The ingress PE pushes only one label (the VPN label) and uses the IP destination for forwarding.
Answer: A

The outer label is used to reach the egress PE, and the inner label identifies the VRF and the specific prefix.

Why this answer

In MPLS L3VPN, the PE router assigns a per-VRF label (VPN label) for each prefix in the VRF. When forwarding a packet from the CE, the ingress PE pushes an IGP label (for the egress PE) and the VPN label. The egress PE pops the IGP label and uses the VPN label to identify the VRF and forward to the correct CE.

1493
MCQ · easy

In a VRF-Lite scenario with OSPF, what is the default network type on a physical Ethernet interface?

A. Point-to-point
B. Broadcast
C. Non-broadcast
D. Point-to-multipoint
Answer: B

Ethernet defaults to broadcast network type in OSPF.

Why this answer

By default, OSPF sets the network type to broadcast on Ethernet interfaces, which enables DR/BDR election.

1494
Multi-Select · hard

Which TWO statements about IP SLA reaction configuration and event monitoring are true? (Choose TWO.)

Select 2 answers
A. The 'reaction-configuration' command can be used to generate a syslog trap when an IP SLA operation times out.
B. The 'reaction-configuration' command with 'react connectionLoss' and 'action trigger' will cause the track object to change state immediately upon loss of connectivity.
C. The default action for a reaction configuration is 'trigger'.
D. The 'reaction-configuration' command supports the 'react rtt' option with 'action trigger' to immediately change the track state when RTT exceeds a threshold.
E. Multiple reaction configurations can be applied to the same IP SLA operation.
Answers: A, B

Correct. Using 'reaction-configuration' with 'react timeout' and 'action trapOnly' will generate a syslog trap on timeout.

Why this answer

The 'reaction-configuration' command allows specifying a type (e.g., timeout, threshold) and an action (e.g., trapOnly, trigger). The 'react' keyword defines the condition to monitor, such as 'connectionLoss' or 'timeout'. The 'action' keyword defines what happens when the condition is met.

The default action is 'trapOnly', meaning only a syslog trap is generated. The 'reaction-configuration' does not support 'react rtt' with 'action trigger' directly; instead, 'react rtt' uses threshold-based triggers.

1495
MCQ · hard

A network engineer is troubleshooting a router that has been running for 200 days. The router experiences a sudden reboot, and after reload, the configuration is missing. 'show startup-config' returns 'startup-config is not present'. The engineer checks the boot variable: 'boot system flash:ios-image.bin'. What is the most likely cause of the configuration loss?

A. The router's NVRAM has a hardware failure and lost the configuration.
B. The engineer did not execute 'copy running-config startup-config' before the reboot.
C. The 'boot system' command points to a TFTP server that also contains a configuration file, overwriting the local startup-config.
D. The router's configuration register is set to 0x2142, ignoring startup-config.
Answer: B

The router had been running for 200 days without a save; after reload, the running-config is lost, and startup-config is empty because it was never saved.

Why this answer

The router likely has a corrupt NVRAM or the startup configuration was never saved. However, the key clue is that the router has been running for 200 days without a save, and the 'copy running-config startup-config' was not performed, so the startup-config is empty or missing.

1496
MCQ · medium

Which BGP path attribute is used as the tie-breaker after the local preference and AS-path length in the BGP best path selection algorithm?

A. MED (Multi-Exit Discriminator)
B. Origin type
C. Neighbor IP address
D. Router ID
Answer: B

Correct. Origin type is the third tie-breaker: IGP > EGP > incomplete.

Why this answer

After comparing local preference (highest wins) and AS-path length (shortest wins), the next tie-breaker is the origin type, where IGP is preferred over EGP, and EGP over incomplete.

1497
MCQ · medium

Which BGP attribute is considered the highest priority (most preferred) in the BGP best path selection process?

A. Local preference
B. AS path length
C. Weight
D. MED
Answer: C

Weight is the first attribute checked in the BGP best path selection process (Cisco-specific).

Why this answer

BGP best path selection considers many attributes in order. The highest priority (first checked) is the weight attribute (Cisco proprietary), followed by local preference, locally originated routes, AS path length, origin type, MED, etc.

1498
MCQ · easy

A network engineer runs the following command on Router R1:

    R1# show ip access-lists
    Extended IP access list 150
        10 permit ip 10.0.0.0 0.255.255.255 any (500 matches)
        20 deny ip any any (100 matches)

Based on this output, which statement is correct?

A. Traffic from 10.0.0.0/8 is denied.
B. Traffic not from 10.0.0.0/8 is denied.
C. All traffic is permitted.
D. The ACL has no effect.
Answer: B

Line 20 denies all other traffic with 100 matches.

Why this answer

The ACL 150 has a permit entry for source 10.0.0.0/8 (wildcard 0.255.255.255) followed by a deny any any. Traffic matching the permit (from 10.0.0.0/8) is allowed, while all other traffic is denied by the implicit deny or the explicit deny entry. Thus, traffic not from the 10.0.0.0/8 network is denied, making option B correct.

Exam trap

Cisco often tests the misconception that an ACL with a permit entry followed by a deny entry permits all traffic, when in fact the deny explicitly blocks everything not matching the earlier permit.

How to eliminate wrong answers

Option A is wrong because the ACL permits traffic from 10.0.0.0/8 (500 matches), not denies it. Option C is wrong because the ACL includes an explicit deny ip any any (100 matches), which blocks all traffic not matching the permit, so not all traffic is permitted. Option D is wrong because the ACL is applied (matches are shown) and actively filters traffic, so it has an effect.

1499
Multi-Select · medium

Which TWO commands can be used to verify the operation of IPv6 First Hop Security features such as RA Guard and DHCPv6 Guard on a Cisco IOS-XE switch? (Choose TWO.)

Select 2 answers
A. show ipv6 snooping
B. show ipv6 dhcp guard
C. show ipv6 nd raguard
D. show ipv6 dhcp binding
E. show ipv6 source guard
Answers: A, B

This command displays the operational status of IPv6 snooping features, including RA Guard and DHCPv6 Guard, and is a primary verification tool.

Why this answer

The correct commands directly display the operational state and statistics of IPv6 FHS features. 'show ipv6 snooping' provides a summary of all snooping features, and 'show ipv6 dhcp guard' shows the DHCPv6 Guard policy and its application. The incorrect options are either for different features or do not exist.

1500
MCQ · medium

Which TCP flag combination triggers the NAT translation timeout to change from the default to the 'ip nat translation tcp-timeout' value?

A. SYN
B. FIN or RST
C. ACK
D. URG
Answer: B

FIN and RST indicate connection termination, causing the NAT entry to expire quickly.

Why this answer

When a TCP connection is closed, the FIN or RST flag causes the NAT entry to use the shorter tcp-timeout (default 60 seconds) instead of the general timeout.
