Cisco CCNP ENARSI 300-410 (300-410) — Questions 1576-1650

2152 questions total · 29 pages · All types, answers revealed

Page 22 of 29

1576
MCQ · medium

A network engineer runs the following command on Router R2:

```
R2# show ip route 192.168.10.0
Routing entry for 192.168.10.0/24
  Known via "ospf 1", distance 110, metric 20
  Redistributing via ospf 1
  Last update from 10.0.0.1 on GigabitEthernet0/1, 00:00:10 ago
  Routing Descriptor Blocks:
  * 10.0.0.1, from 10.0.0.1, 00:00:10 ago, via GigabitEthernet0/1
      Route metric is 20, traffic share count is 1
```

Based on this output, what is the most likely origin of this route?

A. The route is an OSPF intra-area route.
B. The route is an OSPF inter-area route.
C. The route is an OSPF external route, likely redistributed.
D. The route is an OSPF NSSA external route.
Answer: C

The metric of 20 is the default for OSPF external type 2 routes, indicating redistribution.

Why this answer

The metric of 20 is the default metric for OSPF external routes of type E2 (external type 2). The administrative distance of 110 is the default for OSPF routes. This combination indicates the route was redistributed into OSPF from another protocol.

1577
MCQ · hard

An engineer configures EIGRP named mode on two routers. The engineer notices that route summarization configured under the interface does not generate a summary route in the routing table, even though the component routes are present. The engineer confirms that the summary address is correct and the interface is up. Which is the most likely explanation?

A. The interface is not configured under the EIGRP address-family in named mode
B. The summary-address command must be configured under the EIGRP process, not the interface
C. The component routes have a higher administrative distance than the summary
D. The summary-address command requires the 'leak-map' option to be specified
Answer: A

Correct. In named mode, the interface must be explicitly enabled under the address-family for summary-address to work.

Why this answer

In EIGRP named mode, route summarization is configured under the interface configuration mode using the 'summary-address' command, but it requires that the interface is part of the EIGRP address-family under that named mode. If the interface is not explicitly configured under the address-family, the summary-address command is accepted but does not take effect. This is a common edge case because the CLI accepts the command without error, but the summary is not generated.

1578
MCQ · hard

A network engineer configured IP SLA to track a BGP next-hop for a backup path. Router R1 has:

```
ip sla 2
 icmp-echo 192.168.2.2 source-ip 192.168.1.1
 frequency 5
ip sla schedule 2 life forever start-time now
track 2 ip sla 2 reachability
router bgp 65001
 bgp log-neighbor-changes
 neighbor 192.168.2.2 remote-as 65002
 neighbor 192.168.2.2 fall-over bfd
 neighbor 192.168.2.2 track 2
```

However, when the link to 192.168.2.2 goes down, the BGP session does not reset immediately. What is the root cause?

A. The BGP fall-over bfd command takes precedence over the track, and since BFD is not fully operational, the session does not reset.
B. The IP SLA frequency is too low, so the track does not detect the failure quickly enough.
C. The source IP in the IP SLA must match the BGP update-source; otherwise, the track is ignored.
D. The track 2 is not applied to the BGP neighbor correctly; it should be under the address-family.
Answer: A

When both fall-over bfd and track are configured, BFD is used first. If BFD is not established, the track may not be used, causing the session to stay up.

Why this answer

The BGP fall-over bfd command overrides the track 2 behavior. BFD provides faster detection, but if BFD is not configured on the neighbor or if the BFD session is not established, the track might not take effect. The correct answer is that the track 2 is ignored because BGP fall-over bfd takes precedence, and BFD is not actually operational.

1579
MCQ · hard

A network engineer is troubleshooting an IPsec site-to-site VPN between two Cisco routers. The tunnel is up, but traffic intermittently drops. The engineer notices that the 'show crypto ipsec sa' output shows the packet counters incrementing for both encrypt and decrypt, but the 'pkts encaps failed' counter is also increasing. What is the most likely cause?

A. The crypto map is not applied to the correct interface.
B. The IPsec transform set is misconfigured with incompatible algorithms.
C. The IKE keepalive timer is too short, causing frequent rekeying.
D. The MTU on the outside interface is too small, causing fragmentation.
Answer: A

Correct because if the route to the remote LAN points to an interface without the crypto map, the router will attempt to send the packet unencrypted, resulting in encapsulation failure.

Why this answer

The 'pkts encaps failed' counter indicates that the router is unable to encrypt packets that should be encrypted. This typically happens when the crypto map's access list matches traffic, but the route to the remote LAN points out an interface that does not have the crypto map applied, causing the router to try to send the packet without encryption.

1580
MCQ · hard

An engineer is troubleshooting a GRE IPv6 tunnel between two sites. The tunnel is up, and the engineer can ping the remote tunnel endpoint IPv6 address. However, OSPFv3 neighbors over the tunnel fail to form. The engineer verifies that OSPFv3 is configured on both tunnel interfaces with the same area and that the network type is broadcast. What is the most likely cause?

A. The tunnel MTU is set to 1500, but the GRE encapsulation adds 24 bytes, causing OSPFv3 packets to be fragmented.
B. The OSPFv3 network type is set to point-to-point instead of broadcast.
C. The tunnel interface is missing the 'ipv6 ospf 1 area 0' command.
D. The tunnel keepalive is misconfigured, causing the tunnel to flap.
Answer: A

Correct because the default tunnel MTU of 1500 does not account for GRE overhead, leading to fragmentation that OSPFv3 may not handle properly, especially with authentication or large LSAs.

Why this answer

The GRE tunnel MTU of 1500 bytes does not account for the 24-byte GRE/IPv6 encapsulation overhead (20-byte IPv6 header + 4-byte GRE header). OSPFv3 packets, which can be up to 1500 bytes, become fragmented when encapsulated, but fragmentation is often disabled or handled poorly in tunnel interfaces, preventing OSPFv3 neighbor formation. This is the most likely cause because the tunnel is up and the endpoint is reachable, but the OSPFv3 packets are being dropped or corrupted due to fragmentation.

Exam trap

Cisco often tests the concept that GRE encapsulation adds overhead, and candidates mistakenly think the tunnel being up and pingable means all traffic works, overlooking the MTU/fragmentation issue specific to OSPFv3 packets.

How to eliminate wrong answers

Option B is wrong because the question states the network type is broadcast, and changing it to point-to-point would not fix the fragmentation issue; it would only alter OSPFv3 behavior like DR/BDR election. Option C is wrong because the 'ipv6 ospf 1 area 0' command is required to enable OSPFv3 on the interface, and the engineer has already verified OSPFv3 is configured on both tunnel interfaces with the same area, so this command is present. Option D is wrong because the tunnel keepalive misconfiguration would cause the tunnel to flap or go down, but the tunnel is up and the remote endpoint is pingable, indicating the tunnel is stable.

1581
MCQ · hard

DMVPN spoke-to-spoke tunnel failures are occurring due to route summarization. Hub router R1 has:

```
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
!
router eigrp 100
 network 172.16.0.0
!
```

Spoke R2 has:

```
interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
!
```

R1 also has:

```
interface GigabitEthernet0/0
 ip summary-address eigrp 100 10.0.0.0 255.255.252.0
!
```

Spokes cannot establish direct tunnels to each other for subnets within 10.0.0.0/22. What is the root cause?

A. The summary route causes spokes to forward traffic to the hub instead of establishing direct tunnels, as the summary is preferred over more specific routes.
B. NHRP is not configured correctly on the spokes, so they cannot register.
C. EIGRP is not enabled on the tunnel interface, so routes are not exchanged.
D. The tunnel mode is not multipoint on the spokes.
Answer: A

Spokes use the summary route to reach the hub, bypassing NHRP redirect.

Why this answer

The summary route 10.0.0.0/22 is advertised by R1 to all spokes. When a spoke wants to reach a subnet within that summary on another spoke, it sends traffic to R1 (the summary route) instead of using the NHRP redirect to establish a spoke-to-spoke tunnel. The summary overrides the more specific routes that would trigger NHRP redirects.

The fix is to use a leak-map to advertise specific routes or disable summarization.

1582
MCQ · medium

A network engineer runs the following command on Router R1:

```
R1# show ipv6 dhcp guard policy
Interface    Policy        Role      State
Gi0/0/0      DHCP_GUARD    server    ACTIVE
Gi0/0/1      DHCP_GUARD    client    ACTIVE
Gi0/0/2      (default)     client    ACTIVE
```

Based on this output, which statement is correct?

A. Interface Gi0/0/0 is trusted to send DHCPv6 replies.
B. Interface Gi0/0/1 is trusted to send DHCPv6 replies.
C. Interface Gi0/0/2 is trusted to send DHCPv6 replies.
D. All interfaces are blocked from sending DHCPv6 replies.
Answer: A

Role 'server' allows sending DHCP replies.

Why this answer

The output shows Gi0/0/0 is configured as a DHCP server (trusted to send DHCP replies), while Gi0/0/1 and Gi0/0/2 are clients (not trusted to send DHCP replies). This is typical for DHCP guard to prevent rogue DHCP servers.

1583
Multi-Select · hard

Which TWO actions will prevent a BFD session from flapping when a routing protocol (e.g., OSPF or EIGRP) is configured to use BFD? (Choose TWO.)

Select 2 answers
A. Increase the BFD minimum interval and multiplier values on both routers.
B. Disable BFD on the routing protocol and rely solely on the routing protocol's own hello timers.
C. Set the BFD minimum interval to 50 ms and the multiplier to 3 on both sides.
D. Configure BFD echo mode on both routers to reduce control packet processing overhead.
E. Ensure that the BFD timers are identical on both routers.
Answers: A, B

Correct. Higher intervals and multipliers make BFD less sensitive to minor delays, reducing the chance of false failure detection.

Why this answer

BFD session flapping can be caused by mismatched timers, high CPU load, or aggressive detection multipliers. Increasing the BFD interval or multiplier makes the session more tolerant to transient issues. Disabling BFD for the routing protocol removes BFD dependency.

Lowering timers or using default values can actually increase flapping. Echo mode helps reduce CPU load but does not directly prevent flapping due to timer mismatches.

1584
MCQ · medium

A network engineer runs the following command to verify NAT translations:

```
R1# show ip nat translations verbose
Pro Inside global      Inside local       Outside local      Outside global
--- 10.2.2.2           10.1.1.1           192.168.1.1        192.168.1.1
    create 00:00:15, use 00:00:05, flags: extended, timing-out
```

What does the 'extended' flag indicate?

A. The translation is for a single port only.
B. The translation includes port information, typical of PAT.
C. The translation is static and never times out.
D. The translation is for a VPN tunnel.
Answer: B

Extended NAT entries include protocol and port numbers for PAT.

Why this answer

The 'extended' flag indicates that this is a PAT (Port Address Translation) entry, using port numbers for multiplexing.

1585
MCQ · medium

Consider the following partial configuration on a Cisco IOS-XE router:

```
router eigrp 100
 network 10.0.0.0
 distance eigrp 90 170
```

What is the effect of the `distance eigrp 90 170` command?

A. It sets the administrative distance for all EIGRP routes to 90.
B. It sets the administrative distance for EIGRP internal routes to 90 and external routes to 170.
C. It sets the administrative distance for EIGRP routes to 170 for all routes learned from neighbors with an AS of 100.
D. It sets the metric weights for EIGRP to 90 and 170.
Answer: B

The syntax is `distance eigrp <internal-distance> <external-distance>`.

Why this answer

This command sets the administrative distance for EIGRP internal routes to 90 and external routes to 170.

1586
MCQ · medium

A network engineer runs the following command to troubleshoot a Network Logging and Syslog issue:

```
R1# debug ip ospf adj
```

Output:

```
OSPF: 2 Way Communication to 10.0.0.2 on GigabitEthernet0/0, state 2WAY
OSPF: Send hello to 224.0.0.5 on GigabitEthernet0/0
OSPF: Rcv DBD from 10.0.0.2 on GigabitEthernet0/0 seq 0x1E opt 0x52 flag 0x7 len 32
OSPF: NBR negotiation done. We are the SLAVE
OSPF: Exchange done with 10.0.0.2 on GigabitEthernet0/0
OSPF: Build router LSA for area 0, router ID 10.0.0.1
```

What does this output indicate?

A. The router is successfully forming an OSPF adjacency with neighbor 10.0.0.2.
B. The router is experiencing an OSPF authentication failure.
C. The router is stuck in the EXSTART state due to MTU mismatch.
D. The router is flooding LSAs to all neighbors.
Answer: A

The sequence shows 2WAY, DBD exchange, and exchange done, indicating a full adjacency is being established.

Why this answer

The debug output shows the OSPF adjacency formation process, including the exchange of database descriptors and LSA building. This indicates successful adjacency formation.

1587
Multi-Select · hard

An engineer is troubleshooting an OSPFv2 adjacency that remains stuck in EXSTART state. Which TWO actions should the engineer take to resolve the issue? (Choose TWO.)

Select 2 answers
A. Verify that the MTU on both interfaces is identical.
B. Ensure that the OSPF hello and dead intervals match on both routers.
C. Check that the OSPF network type is the same on both interfaces.
D. Confirm that the OSPF router IDs are unique across the network.
E. Increase the OSPF retransmit interval on both routers.
Answers: A, C

Correct. An MTU mismatch can prevent DD packets from being exchanged properly, causing the adjacency to stay in EXSTART.

Why this answer

An EXSTART state indicates a problem with the Database Description (DD) packet exchange, often due to MTU mismatch or mismatched interface MTU values. Also, mismatched OSPF network types can cause DD packet issues. The other options are either unrelated or incorrect.

1588
MCQ · hard

A network administrator is troubleshooting BGP path selection for a dual-homed enterprise. Router R1 (AS 65001) has the following configuration:

```
route-map SET-LOCAL-PREF permit 10
 match ip address prefix-list PREFER
 set local-preference 200
```

Router R2 (AS 65002) shows: 'show bgp ipv4 unicast 10.1.1.0' has two paths: one via R1 with local pref 200, and one via R3 with local pref 100. However, 'show ip route 10.1.1.0' on R2 shows the path via R3 is installed. What is the root cause?

A. The route-map SET-LOCAL-PREF is applied outbound on R1 instead of inbound on R2, so R2 does not receive the modified local preference.
B. The prefix-list PREFER is missing a permit statement for 10.1.1.0/24.
C. The route via R3 has a lower MED value, overriding local preference.
D. The route via R1 is not synchronized with IGP, causing it to be considered invalid.
Answer: A

Local preference is a well-known mandatory attribute that is not passed between ASes. If the route-map is applied outbound on R1, it sets local preference in R1's BGP table, but when the route is sent to R2, the local preference is reset to 100 (default) because it is not sent in eBGP updates. R2 sees the path via R1 with local pref 100, not 200.

Why this answer

BGP path selection compares local preference first, so the path with local pref 200 should be preferred. However, if the route-map SET-LOCAL-PREF is applied inbound on R2 from R1, but the prefix-list PREFER does not match the route (e.g., incorrect prefix or mask), then the local preference is not set, and the default local preference (100) applies. The show bgp output shows local pref 200 for the path via R1, which suggests the route-map is applied correctly, but the route may be received from R1 with a different attribute (e.g., a higher MED or longer AS path) that overrides local preference after the fact.

Alternatively, if the route-map is applied outbound on R1, it would not affect R2's path selection. The root cause is that the route-map is applied on the wrong neighbor or direction.

1589
MCQ · hard

An engineer configures Control Plane Policing (CoPP) on a router with a policy-map that matches EIGRP packets and sets a police rate of 1000 pps. The class-default is configured with a police rate of 100 pps. Unexpectedly, EIGRP neighbor relationships start flapping, even though the EIGRP packet rate is well below 1000 pps. Which is the most likely explanation?

A. The class-map matching EIGRP does not include multicast address 224.0.0.10, causing EIGRP packets to fall into class-default and be policed at 100 pps.
B. The police rate of 1000 pps is too low for EIGRP hello packets, causing drops.
C. CoPP must be applied to the management interface, not the control plane.
D. The class-default police rate must be higher than the EIGRP class rate.
Answer: A

EIGRP uses multicast; if the ACL doesn't match it, CoPP treats it as default traffic.

Why this answer

CoPP applies to packets destined to the control plane. EIGRP uses multicast address 224.0.0.10. If the class matching EIGRP does not include the multicast group or uses an incorrect match criterion, EIGRP packets may fall into class-default and be policed at the lower rate (100 pps).

This is a common misconfiguration where the ACL or class-map does not properly match EIGRP traffic.

1590
MCQ · hard

Which statement correctly describes the default value of the 'event timer countdown' when no countdown time is specified?

A. The default countdown time is 60 seconds.
B. The default countdown time is 0 seconds, causing immediate trigger.
C. There is no default; a countdown time must be explicitly configured.
D. The default countdown time is 10 seconds.
Answer: C

The countdown timer requires the 'time' keyword; otherwise, the CLI rejects the command.

Why this answer

The 'event timer countdown' requires an explicit time value; there is no default — the configuration will be rejected if omitted.

1591
MCQ · easy

A network engineer runs the following command to troubleshoot an IP SLA issue:

```
R1# show ip sla application
IP Service Level Agreements
Version: 2.0
IP SLAs Responder: Disabled
IP SLAs Low Memory: Disabled
IP SLAs ICMP Echo: Enabled
IP SLAs ICMP Jitter: Enabled
IP SLAs HTTP: Disabled
IP SLAs FTP: Disabled
IP SLAs UDP Jitter: Enabled
IP SLAs TCP Connect: Enabled
IP SLAs DNS: Disabled
IP SLAs DHCP: Disabled
IP SLAs DLSw: Disabled
IP SLAs VoIP: Disabled
IP SLAs Metro Ethernet: Disabled
IP SLAs Video: Disabled
IP SLAs LSP: Disabled
IP SLAs LSP Group: Disabled
IP SLAs VPLS: Disabled
IP SLAs MPLS: Disabled
IP SLAs MPLS Group: Disabled
IP SLAs LDP: Disabled
IP SLAs LDP Group: Disabled
IP SLAs BFD: Disabled
```

What does this output indicate?

A. The IP SLA responder is enabled, allowing the device to respond to probes.
B. The device supports ICMP Echo, ICMP Jitter, UDP Jitter, and TCP Connect probes.
C. All IP SLA operations are disabled on this device.
D. The device is running low on memory and cannot support IP SLA.
Answer: B

These operations are listed as 'Enabled'.

Why this answer

This output shows the IP SLA capabilities enabled on the device. ICMP Echo, ICMP Jitter, UDP Jitter, and TCP Connect are enabled; others are disabled. The responder is also disabled.

1592
MCQ · hard

A network engineer is troubleshooting a DHCPv6 prefix delegation issue on router R1 and runs the following command:

```
R1# debug ipv6 dhcp detail
```

Output:

```
IPv6 DHCP: Received SOLICIT message from FE80::21A:2BFF:FE3C:4D01 on GigabitEthernet0/0
IPv6 DHCP: Using interface pool DHCP_POOL
IPv6 DHCP: Sending ADVERTISE message to FE80::21A:2BFF:FE3C:4D01
IPv6 DHCP: Received REQUEST message from FE80::21A:2BFF:FE3C:4D01
IPv6 DHCP: Client requests prefix 2001:DB8:1::/48
IPv6 DHCP: Prefix 2001:DB8:1::/48 not available in pool DHCP_POOL
IPv6 DHCP: Sending REPLY message with Status Code NoPrefixAvail
```

What does this output indicate?

A. The DHCPv6 client successfully received the prefix 2001:DB8:1::/48.
B. The DHCPv6 server has a pool configured but the requested prefix is not in that pool or is already allocated.
C. The DHCPv6 client is using a relay agent because the SOLICIT was received on a different interface.
D. The DHCPv6 server is configured with a stateless configuration because it sent an ADVERTISE without a prefix.
Answer: B

The server used pool DHCP_POOL but the prefix 2001:DB8:1::/48 is not available, likely because it is not included in the pool or is already assigned to another client.

Why this answer

The debug output shows a DHCPv6 client requesting a specific prefix delegation, but the server's pool does not have that prefix available. The server responds with a NoPrefixAvail status code, indicating the prefix cannot be assigned.

1593
Multi-Select · hard

Which TWO statements about DHCPv6 rapid commit are true? (Choose TWO.)

Select 2 answers
A. The client includes the Rapid Commit option in the Solicit message to request rapid commit.
B. The server must be configured with the 'ipv6 dhcp server rapid-commit' command to honor rapid commit requests.
C. If the server does not support rapid commit, it sends a Reply message with an error code.
D. Rapid commit reduces the DHCPv6 exchange from six messages to four.
E. Rapid commit is enabled by default on Cisco IOS DHCPv6 servers.
Answers: A, B

Correct. The client sets the Rapid Commit option in the Solicit message to indicate that it wants a two-message exchange.

Why this answer

DHCPv6 rapid commit (RFC 3315) allows a two-message exchange (Solicit + Reply) instead of the normal four-message exchange (Solicit, Advertise, Request, Reply). The client indicates support by including a Rapid Commit option in the Solicit message. The server must also support and be configured for rapid commit.

If the server does not support it, it ignores the option and the client falls back to the normal four-message exchange. The 'ipv6 dhcp server rapid-commit' command enables rapid commit on the server. The client does not need explicit configuration; it includes the option automatically if it supports it.

1594
MCQ · medium

In a DMVPN Phase 2 deployment using EIGRP as the routing protocol, what is the default hello timer value on the tunnel interface?

A. 5 seconds
B. 10 seconds
C. 30 seconds
D. 60 seconds
Answer: A

Correct. EIGRP default hello timer on tunnel interfaces is 5 seconds.

Why this answer

EIGRP uses a default hello timer of 5 seconds on high-speed interfaces (including tunnel interfaces) and 60 seconds on low-speed interfaces. DMVPN tunnel interfaces are treated as high-speed by default.

1595
MCQ · medium

Given the following EIGRP configuration on Router R2:

```
router eigrp 200
 network 192.168.1.0
 network 10.0.0.0
 no auto-summary
```

Which statement is true about the operation of EIGRP?

A. EIGRP will automatically summarize 192.168.1.0 to 192.168.0.0/16.
B. EIGRP will advertise 192.168.1.0/24 and 10.0.0.0/8 as exact prefixes.
C. EIGRP will only advertise the classful networks 192.168.0.0/16 and 10.0.0.0/8.
D. EIGRP will not form neighbor adjacencies due to missing network mask.
Answer: B

With no auto-summary, subnets are advertised without summarization.

Why this answer

The no auto-summary command disables automatic summarization at classful boundaries, so EIGRP will advertise subnets exactly as configured under the network statements.

1596
MCQ · hard

A network using IPv6 over IPv4 L2TPv3 tunnels is experiencing packet drops. Router R1 has the following relevant configuration:

```
interface Tunnel0
 ipv6 address 2001:DB8:1::1/64
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
 tunnel mode l2tpv3 ipv6
```

Router R2 shows:

```
R2# show l2tp tunnel
Tunnel id 1, 1 session
Session id 1, state established
R2# show ipv6 interface Tunnel0
Tunnel0 is up, line protocol is up
```

What is the root cause?

A. The MTU on the tunnel interface is too high, causing fragmentation of IPv6 packets.
B. The tunnel mode should be l2tpv3 ipv4 instead of ipv6.
C. The session ID on R1 does not match R2's session ID.
D. IPv6 routing is not enabled on R2.
Answer: A

L2TPv3 adds overhead, and if the tunnel MTU is not adjusted, packets may be fragmented or dropped.

Why this answer

The correct answer is A. In an L2TPv3 tunnel carrying IPv6 traffic, the tunnel interface MTU defaults to 1500 bytes, but the actual path MTU between the tunnel endpoints (192.0.2.1 and 198.51.100.1) is likely lower due to the added L2TPv3, UDP, and IP headers. This causes IPv6 packets larger than the effective path MTU to be dropped because IPv6 routers do not fragment packets; they rely on ICMPv6 Packet Too Big messages, which may be blocked or not processed, leading to packet loss.

Exam trap

Cisco often tests the misconception that L2TPv3 tunnels automatically handle MTU issues, when in fact the default MTU on the tunnel interface must be manually adjusted to prevent IPv6 packet drops due to encapsulation overhead.

How to eliminate wrong answers

Option B is wrong because the tunnel mode 'l2tpv3 ipv6' is correct for transporting IPv6 traffic over an L2TPv3 tunnel; using 'l2tpv3 ipv4' would expect IPv4 payloads, not IPv6. Option C is wrong because the session ID is locally significant per tunnel endpoint and does not need to match between R1 and R2; the 'show l2tp tunnel' output on R2 shows the session is established, indicating correct session negotiation. Option D is wrong because IPv6 routing is implicitly enabled on a tunnel interface when an IPv6 address is configured, and the 'show ipv6 interface Tunnel0' output shows the interface is up/up, confirming IPv6 is operational.

1597
MCQ · medium

An engineer is troubleshooting an ISATAP tunnel between a Windows host and a Cisco router. The host can ping the router's IPv6 address configured on the tunnel interface, but cannot reach any other IPv6 networks beyond the router. The router has a default route pointing to an upstream IPv6 router. What is the most likely cause?

A. The router is not configured as an ISATAP router; it only has the tunnel interface but lacks the 'ipv6 isatap' command.
B. The host's ISATAP interface has an incorrect IPv4 address for the router's tunnel source.
C. The router's tunnel interface is missing the 'ipv6 enable' command.
D. The upstream router does not have a route back to the ISATAP prefix.
Answer: A

Correct because without 'ipv6 isatap', the router does not respond to ISATAP router solicitations, and the host will not use it as a default gateway for off-link traffic.

Why this answer

The correct answer is A. For ISATAP to function, the router must be explicitly configured as an ISATAP router using the 'ipv6 isatap' command under the tunnel interface. Without this command, the router will not advertise the ISATAP prefix or respond to Router Solicitations from the host, so the host can only communicate with the router's own tunnel IPv6 address but cannot learn a default route or reach other IPv6 networks.

Exam trap

Cisco often tests the distinction between simply configuring a tunnel interface (which allows direct communication) and enabling the ISATAP router functionality (which is required for prefix advertisement and routing beyond the tunnel).

How to eliminate wrong answers

Option B is wrong because if the host had an incorrect IPv4 address for the router's tunnel source, the host would not be able to ping the router's IPv6 tunnel interface address at all. Option C is wrong because the 'ipv6 enable' command is not required on a tunnel interface that already has an explicit IPv6 address configured; the tunnel interface is already IPv6-enabled by the address. Option D is wrong because the upstream router not having a route back to the ISATAP prefix would cause asymmetric routing or unreachability from the remote side, but the host can ping the router's tunnel address, indicating the issue is local to the ISATAP configuration, not the upstream routing.

1598
MCQ · medium

A network engineer runs the following command to verify MPLS LDP label bindings:

```
R1# show mpls ldp bindings 192.168.1.0 255.255.255.0
```

Output:

```
lib entry: 192.168.1.0/24, rev 8
        local binding:  label: 101
        remote binding: lsr: 10.0.0.2:0, label: 201
        remote binding: lsr: 10.0.0.3:0, label: 301
```

What does this output indicate?

A. The prefix 192.168.1.0/24 has a local label of 101 and two remote labels from LDP neighbors
B. The prefix 192.168.1.0/24 is not reachable via any LDP neighbor
C. Label 101 is the only label assigned to this prefix in the network
D. The LDP session with 10.0.0.2 is down
Answer: A

The output clearly shows the local binding (label 101) and two remote bindings from different LSRs.

Why this answer

The output shows the label bindings for the prefix 192.168.1.0/24 in the Label Information Base (LIB). The local label is 101, and two remote labels (201 from 10.0.0.2, 301 from 10.0.0.3) have been received from LDP neighbors.

1599
Multi-Select · hard

Which THREE commands can be used to verify and troubleshoot EIGRP route redistribution issues, specifically when routes are not being redistributed correctly? (Choose THREE.)

Select 3 answers
A. 'show ip eigrp topology'
B. 'show ip route'
C. 'debug eigrp fsm'
D. 'show ip protocols'
E. 'ping'
Answers: B, C, D

This command shows the routing table, including routes from all sources. It can verify whether redistributed routes are present and have the correct administrative distance and metric.

Why this answer

Troubleshooting redistribution involves verifying that routes are in the source routing protocol, that the redistribute command is correct, and that metrics are set. 'show ip eigrp topology' shows EIGRP routes, not redistributed routes from other protocols. 'show ip route' shows all routes in the routing table. 'debug eigrp fsm' tracks EIGRP events. 'show ip protocols' shows redistribution configuration. 'ping' verifies reachability but not redistribution.

1600
MCQ · hard

A large enterprise network is experiencing intermittent reachability between VRF-A on Router R1 and VRF-B on Router R2. R1 has the following relevant configuration:

```
ip vrf VRF-A
 rd 100:1
 route-target export 100:1
 route-target import 100:2
```

R2 shows:

```
ip vrf VRF-B
 rd 200:2
 route-target export 200:2
 route-target import 200:1
```

The link between R1 and R2 is configured with VRF forwarding VRF-A on R1 and VRF forwarding VRF-B on R2. What is the root cause?

A. The route-target import and export values are mismatched between the VRFs, preventing route exchange.
B. The RD values must match for VRF-Lite to work on a direct link.
C. The VRFs must have the same name on both routers for direct connectivity.
D. The interface must be in the same VRF on both ends; route-targets are irrelevant for VRF-Lite.
Answer: A

Correct: R1 exports RT 100:1, but R2 imports RT 200:1; R2 exports RT 200:2, but R1 imports RT 100:2. No common RT exists.

Why this answer

The route-target import/export values are mismatched for the VRF-Lite scenario. In VRF-Lite, route-targets are used for route leaking, but on a direct link, the VRFs must match or route leaking must be configured properly. Here, R1 imports routes with RT 100:2, which R2 exports as 200:2, not 100:2.

R2 imports RT 200:1, but R1 exports 100:1. Thus, no routes are exchanged, causing unreachability.

1601
MCQ · hard

In IPsec site-to-site VPN, what is the default Diffie-Hellman (DH) group used in IKEv1 phase 1 on Cisco IOS?

A. DH group 1 (768-bit)
B. DH group 2 (1024-bit)
C. DH group 5 (1536-bit)
D. No default DH group; negotiation fails if not set
Answer: A

When no DH group is specified in IKE policy, Cisco IOS defaults to group 1.

Why this answer

In Cisco IOS, the default Diffie-Hellman group for IKEv1 Phase 1 is DH group 1 (768-bit). This is defined in the default ISAKMP policy (policy 100) that is automatically present when no custom policy is configured. If no DH group is explicitly specified, the router uses group 1 by default, which provides the lowest security level but ensures backward compatibility.

Exam trap

Cisco often tests the fact that there is a default DH group (group 1) in IKEv1 Phase 1, leading candidates to incorrectly assume that no default exists or that a stronger group like 2 or 5 is the default.

How to eliminate wrong answers

Option B is wrong because DH group 2 (1024-bit) is not the default; it must be explicitly configured using the 'crypto isakmp policy' command with 'group 2'. Option C is wrong because DH group 5 (1536-bit) is a stronger option but is never the default; it also requires explicit configuration. Option D is wrong because there is a default DH group (group 1) in IKEv1 Phase 1 on Cisco IOS; negotiation does not fail if no group is set—the router uses the default policy.

1602
MCQ · medium

A network engineer runs the following command to troubleshoot a Device Access Control issue:

    R1# debug ip ospf adj
    OSPF: 2 Way: DBD with 10.1.1.2 on GigabitEthernet0/0
    OSPF: Send DBD to 10.1.1.2 seq 0x1C opt 0x52 flag 0x7 len 32
    OSPF: Rcv DBD from 10.1.1.2 seq 0x1C opt 0x52 flag 0x2 len 132 mtu 1500
    OSPF: Nbr 10.1.1.2 is FULL, state changed from LOADING to FULL

What does this output indicate?

A. The OSPF neighbor adjacency is successfully established and is in the FULL state.
B. The OSPF neighbor is stuck in the 2-Way state due to a mismatched MTU.
C. The OSPF neighbor is in the LOADING state and cannot reach FULL because of a missing network statement.
D. The OSPF neighbor is in the EXSTART state and is negotiating the master/slave relationship.
Answer: A

The output shows the neighbor state changing to FULL after DBD exchange, indicating a complete adjacency.

Why this answer

The debug output shows the OSPF neighbor transitioning from LOADING to FULL, which confirms that the adjacency has been fully established. The sequence of DBD exchanges (flag 0x7 for master, flag 0x2 for slave) and the final FULL state indicate successful database synchronization, including LSA exchange and acknowledgment.

Exam trap

Cisco often tests the misinterpretation of the '2 Way: DBD' message, leading candidates to think the neighbor is stuck in the 2-Way state, when in fact the debug output clearly shows the adjacency progressing to FULL.

How to eliminate wrong answers

Option B is wrong because the debug output shows the neighbor reaching FULL, not stuck in 2-Way; a mismatched MTU would cause the neighbor to remain in EXSTART or EXCHANGE state, not reach FULL. Option C is wrong because the neighbor transitions from LOADING to FULL, meaning the loading process completed successfully; a missing network statement would prevent the neighbor from even reaching 2-Way state. Option D is wrong because the debug shows DBD exchange with flag 0x7 (master) and flag 0x2 (slave), which occurs in EXSTART/EXCHANGE, but the final state is FULL, indicating the adjacency progressed beyond EXSTART.

1603
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show ipv6 mtu
    IPv6 MTU per interface:
    Interface             MTU
    Tunnel0               1476
    Tunnel1               1476
    GigabitEthernet0/0    1500

Based on this output, what is the most likely reason for the reduced MTU on the tunnel interfaces?

A. The tunnels are configured with a manual MTU.
B. The tunnels are using GRE encapsulation, which adds 24 bytes of overhead.
C. The tunnels are using IPsec, which adds more overhead.
D. The tunnels are 6to4 tunnels, which do not reduce MTU.
Answer: B

GRE adds 4 bytes to the 20-byte IPv4 header, totaling 24 bytes overhead.

Why this answer

The output shows an MTU of 1476 on the tunnel interfaces, which is exactly 24 bytes less than the 1500-byte MTU of the physical GigabitEthernet0/0 interface. GRE encapsulation adds a 4-byte outer IP header and a 4-byte GRE header (total 24 bytes with the inner IP header), reducing the payload MTU. This is the default behavior when a tunnel is configured without a manual MTU override, making option B correct.

Exam trap

Cisco often tests the exact overhead values for different tunnel types (GRE vs. IPsec vs. 6to4) to see if candidates know that GRE adds exactly 24 bytes, while IPsec adds more and 6to4 adds only 20 bytes.

How to eliminate wrong answers

Option A is wrong because a manual MTU configuration would explicitly set the MTU value, but the output shows a standard reduction of 24 bytes from the physical interface MTU, which is the default behavior for GRE tunnels, not a manual setting. Option C is wrong because IPsec adds more than 24 bytes of overhead (typically 50-70+ bytes depending on mode and encryption), which would result in an MTU lower than 1476, such as 1400 or less. Option D is wrong because 6to4 tunnels use IPv6-in-IPv4 encapsulation with a 20-byte IPv4 header (no GRE), which would reduce the MTU by 20 bytes to 1480, not 1476; the 24-byte reduction indicates GRE encapsulation, not 6to4.

1604
MCQ · hard

An engineer configures OSPFv2 on two routers with a direct Ethernet link. The routers are stuck in the EXSTART state. Which is the most likely explanation?

A. The interface MTU on one router is 1500, and on the other is 1400.
B. The OSPF hello and dead intervals are mismatched.
C. One router has OSPF authentication configured, and the other does not.
D. The OSPF network type is point-to-point on one router and broadcast on the other.
Answer: A

An MTU mismatch causes DBD packets to be dropped, stalling the adjacency in EXSTART.

Why this answer

OSPF neighbors can become stuck in EXSTART when there is a mismatch in the interface MTU. The DBD packet size is based on the interface MTU; if the receiving interface has a smaller MTU, the DBD packet is dropped, preventing the adjacency from progressing.

1605
MCQ · hard

Route summarization blocks specific routes in an MPLS network. Router R1 is a PE router that summarizes routes from a VRF into BGP. Configuration: 'router bgp 65000 address-family ipv4 vrf CUSTOMER network 10.0.0.0 255.255.252.0' and 'aggregate-address 10.0.0.0 255.255.252.0 summary-only'. A specific prefix 10.0.3.0/24 is not reachable from the MPLS core. 'show ip bgp vpnv4 vrf CUSTOMER 10.0.3.0/24' output: 'Not in table'. What is the root cause?

A. The 'summary-only' keyword suppresses more specific routes, so 10.0.3.0/24 is not advertised.
B. The VRF CUSTOMER does not have the route 10.0.3.0/24 in its routing table.
C. The aggregate-address command is missing the 'as-set' keyword, causing routing loops.
D. The network statement for 10.0.0.0/22 is missing; need to advertise the aggregate.
Answer: A

With summary-only, only the aggregate is advertised; specifics are suppressed, causing loss of reachability to 10.0.3.0/24.

Why this answer

The 'summary-only' keyword in aggregate-address suppresses all more specific routes, including 10.0.3.0/24, from being advertised. This causes the specific prefix to be missing from the BGP table, leading to unreachability if the summary route does not have a valid next-hop or if the specific route is needed for traffic engineering.

1606
Multi-Select · medium

Which TWO statements about Control Plane Policing (CoPP) are true? (Choose TWO.)

Select 2 answers
A. CoPP uses Modular QoS CLI (MQC) to define traffic classes and actions.
B. CoPP is applied directly to physical interfaces to protect the control plane.
C. CoPP can be used to rate-limit traffic destined to the CPU, such as routing protocol packets or management traffic.
D. CoPP operates at Layer 2 to filter Ethernet frames before they reach the CPU.
E. CoPP replaces the need for access control lists (ACLs) on the device.
Answers: A, C

CoPP relies on MQC with class maps to match traffic and policy maps to define policing actions.

Why this answer

CoPP applies a QoS service policy to the control plane to rate-limit traffic, protecting the CPU from excessive packets. It uses MQC (class maps and policy maps) to classify and police traffic. CoPP is not applied to interfaces directly; it is applied to the control plane.

It does not filter traffic at Layer 2; it works at Layer 3 and above. CoPP does not replace ACLs; it works alongside them.

1607
MCQ · hard

A network engineer runs the following command on Router R1:

    R1# show ip eigrp topology 10.10.10.0/24
    IP-EIGRP (AS 100): Topology entry for 10.10.10.0/24
      State is Passive, Query origin flag is 1, 1 Successor(s), FD is 131072
      Routing Descriptor Blocks:
      10.1.1.2 (FastEthernet0/0), from 10.1.1.2, Send flag is 0x0
          Composite metric is (131072/128256), Route is Internal
          Vector metric:
            Minimum bandwidth is 10000 Kbit
            Total delay is 100 microseconds
            Reliability is 255/255
            Load is 1/255
            Minimum MTU is 1500
            Hop count is 1

    R1# show ip route 10.10.10.0
    Routing entry for 10.10.10.0/24
      Known via "eigrp 100", distance 90, metric 131072, type internal
      Last update from 10.1.1.2 on FastEthernet0/0, 00:00:12 ago
      Routing Descriptor Blocks:
      * 10.1.1.2, from 10.1.1.2, 00:00:12 ago, via FastEthernet0/0
          Route metric is 131072, traffic share count is 1

    R1# show ip eigrp interfaces
                      Xmit Queue    Mean   Pacing Time   Multicast    Pending
    Interface  Peers  Un/Reliable   SRTT   Un/Reliable   Flow Timer   Routes
    Fa0/0      1      0/0           10     0/10          50           0
    Fa0/1      0      0/0           0      0/10          50           0

Based on this output, what is a likely issue?

A. EIGRP neighbor on FastEthernet0/1 is not forming due to a route-map filtering updates.
B. The route 10.10.10.0/24 is not in the routing table.
C. The EIGRP process is not running.
D. The metric is too high for the route to be installed.
Answer: A

FastEthernet0/1 has 0 peers, indicating no neighbor; a route-map could be blocking hello packets or updates.

Why this answer

The route is in the topology table and routing table, but the interface FastEthernet0/1 has 0 peers. This suggests that a route-map filtering EIGRP updates on FastEthernet0/1 may be preventing neighbor formation or route advertisement. The correct answer is that a route-map may be filtering EIGRP updates on FastEthernet0/1.

1608
Multi-Select · hard

Which TWO statements about the behavior of route-map sequence numbers and the "continue" clause in Cisco IOS are true? (Choose TWO.)

Select 2 answers
A. A route-map sequence with no match command matches all routes and applies any set commands.
B. The continue clause can cause evaluation to jump to a lower sequence number.
C. If a route does not match any sequence, it is permitted by default.
D. When a route matches a sequence with a continue clause, the continue is processed before any set commands in that sequence.
E. The continue clause allows a route to be evaluated by a later sequence even if the current sequence matches and applies set actions.
Answers: A, E

Correct. If no match command is configured, the sequence matches all routes by default.

Why this answer

The continue clause allows a route-map to jump to a later sequence after a match, but not to an earlier one. If a sequence does not have a match statement, it matches all routes by default. The default action for an unmatched route is to deny (implicit deny).

The continue clause is processed only if the current sequence matches and the set actions are applied; it does not skip the current sequence's processing. Sequence numbers are evaluated in ascending order, and the first match wins.

1609
MCQ · hard

What is the default maximum number of paths that BGP can install in the routing table using the 'maximum-paths' command in Cisco IOS?

A. 1
B. 2
C. 4
D. 6
Answer: A

Correct. BGP defaults to a single path unless explicitly configured otherwise.

Why this answer

By default, BGP installs only one best path (maximum-paths 1). This can be increased to allow load balancing, but the default is 1.

1610
MCQ · hard

An engineer configures EIGRP named mode on a router. After configuration, a directly connected EIGRP neighbor is not forming an adjacency. 'show ip eigrp neighbors' shows nothing. Which is the most likely explanation?

A. The 'network' command was used under the EIGRP process, but the 'af-interface' configuration was omitted.
B. The EIGRP autonomous system number is mismatched.
C. The K-values are mismatched between the routers.
D. The passive-interface default command is configured.
Answer: A

In named mode, the 'af-interface' command is required to enable EIGRP on an interface; the 'network' command alone does not activate the interface.

Why this answer

In EIGRP named mode, the network statement is not used. Instead, the 'af-interface' configuration under the address-family is mandatory to enable EIGRP on an interface. If the engineer only uses the classic 'network' command under the router eigrp process (which is still accepted in named mode for backward compatibility but does not activate the interface), the interface will not be enabled for EIGRP.

1611
MCQ · medium

A network engineer runs the following command on Router R4:

    R4# show logging | include %BGP-3-NOTIFICATION
    *Mar 1 00:01:05.123: %BGP-3-NOTIFICATION: sent to neighbor 10.0.0.2 4/0 (Hold Timer Expired) 0 bytes
    *Mar 1 00:02:10.456: %BGP-3-NOTIFICATION: received from neighbor 10.0.0.2 4/0 (Hold Timer Expired) 0 bytes
    *Mar 1 00:03:15.789: %BGP-3-NOTIFICATION: sent to neighbor 10.0.0.2 4/0 (Hold Timer Expired) 0 bytes

Based on this output, what is the most likely problem?

A. The BGP neighbor has a mismatched autonomous system number.
B. There is a connectivity issue causing keepalive packets to be lost.
C. The BGP update interval is too short, causing excessive updates.
D. The router is configured with soft-reconfiguration inbound, causing memory issues.
Answer: B

Hold timer expiration means keepalives are not received within the hold time, indicating packet loss or high delay.

Why this answer

The output shows BGP notifications for hold timer expiration between R4 and neighbor 10.0.0.2. This indicates that keepalive messages are not being exchanged in time, causing the BGP session to reset repeatedly. This is typically due to a flapping link, high CPU load, or mismatched hold timers.

1612
MCQ · hard

A router is configured with PBR using a route-map that sets the next-hop to 192.168.2.1 for traffic matching ACL 101. The engineer also configures 'ip route 0.0.0.0 0.0.0.0 192.168.1.1' as a default route. Traffic that matches ACL 101 is correctly forwarded to 192.168.2.1, but traffic that does not match ACL 101 is dropped instead of using the default route. What is the most likely explanation?

A. The route-map has an implicit deny at the end, so unmatched traffic is dropped.
B. The default route is not installed in the routing table due to administrative distance.
C. The ACL 101 is blocking all other traffic.
D. The 'ip policy route-map' command is applied outbound, causing unmatched traffic to be dropped.
Answer: A

Route-maps have an implicit deny; unmatched packets are discarded unless a permit sequence with no match is added.

Why this answer

PBR with a route-map that does not have a default action (e.g., 'set ip default next-hop' or an implicit permit) will drop non-matching traffic by default. The route-map must include a permit statement with no match to allow normal routing for unmatched traffic.

1613
MCQ · medium

A network engineer is troubleshooting an IPsec site-to-site VPN where the tunnel is not coming up. The engineer runs 'show crypto isakmp sa' and sees no active IKE SAs. The peer IP address is correctly configured. What should the engineer check first?

A. Verify that the crypto map is correctly applied to the outside interface.
B. Check the IP connectivity between the two public IP addresses using ping.
C. Check the IPsec transform set configuration on both routers.
D. Verify the pre-shared key is identical on both routers.
Answer: B

Correct because without basic IP reachability, IKE packets cannot be exchanged, and the VPN cannot establish.

Why this answer

The absence of IKE SAs indicates that IKE phase 1 negotiation has not started or failed. The first step is to verify that the routers can reach each other at the IP layer, as a connectivity issue will prevent any IKE exchange.

1614
MCQ · hard

In an MPLS network, OSPF network type mismatch causes routing issues. Router R1 and R2 are connected via a multi-access Ethernet link. R1 has 'interface GigabitEthernet0/0 ip ospf network point-to-point', while R2 has default OSPF network type broadcast. R1 shows 'show ip ospf neighbor' output: 'Neighbor 10.0.0.2, interface address 10.0.0.2, state FULL' but 'show ip route' does not include routes from R2. What is the root cause?

A. The OSPF network type mismatch causes R1 to ignore Type 2 LSAs from R2, preventing route installation.
B. The MTU mismatch between R1 and R2 causes OSPF database synchronization failure.
C. R1 has a distribute-list blocking routes from R2.
D. R2 is not advertising any routes; need 'network' statement.
Answer: A

Point-to-point network type does not process Type 2 (network) LSAs, so routes advertised by R2 via network LSA are ignored.

Why this answer

OSPF network type mismatch on a multi-access link can cause adjacency to form but with different DR/BDR election behavior. With point-to-point on R1, it expects no DR/BDR, while broadcast on R2 expects DR election. The adjacency forms as FULL, but R1 does not accept routes from R2 because R2's LSA may have a different link type or R1 ignores them due to mismatch in network type handling.

1615
MCQ · hard

An engineer configures an IPv6 ACL to permit BGP traffic (TCP port 179) between two routers and deny all other traffic. The ACL is applied inbound on the interface facing the BGP neighbor. BGP session establishes, but the routers cannot exchange IPv6 routes. Which is the most likely explanation?

A. The ACL permits only TCP packets with destination port 179, but BGP updates are sent from source port 179 to an ephemeral destination port, so they are not matched and are dropped.
B. The ACL must also permit ICMPv6 for PMTUD, but the BGP session establishes, so PMTUD is not needed.
C. The ACL is applied outbound, not inbound, causing the BGP updates to be filtered.
D. The router has BGP authentication configured, which changes the TCP port number.
Answer: A

Correct. BGP uses source port 179 for outgoing updates; the destination port is ephemeral. The ACL must permit both directions or use 'tcp any any eq 179' for incoming updates, but for outgoing updates, the router needs to permit 'tcp any any' or specify the correct direction.

Why this answer

BGP uses TCP port 179. The ACL permits TCP port 179, which allows the BGP session to establish. However, BGP updates are sent over the same TCP connection, so they should be permitted.

The issue may be that the ACL also needs to permit the BGP keepalives and notifications, but they use the same port. A more subtle edge case: if the ACL permits only TCP port 179, it may inadvertently block ICMPv6 packets needed for PMTUD or neighbor discovery, but the BGP session establishes. The most likely explanation: the ACL is applied inbound and the BGP updates are sent from a source port of 179 (or ephemeral), but the ACL might be matching only destination port 179.

If the ACL permits only 'tcp any any eq 179', it matches packets with destination port 179. BGP updates are sent from the BGP router's source port 179 to the neighbor's ephemeral port, so the destination port is not 179. Thus, the updates are dropped.

1616
Multi-Select · hard

Which THREE symptoms indicate a misconfigured RSPAN session on a Cisco switch? (Choose THREE.)

Select 3 answers
A. The RSPAN VLAN is not allowed on the trunk between the source and destination switches.
B. The destination switch does not have the RSPAN VLAN created.
C. The source switch is missing the 'monitor session 1 source' command.
D. The native VLAN mismatch on the trunk link.
E. The routing protocol is not redistributing the RSPAN VLAN.
Answers: A, B, C

The RSPAN VLAN must be permitted on all trunk links in the path for traffic to traverse.

Why this answer

RSPAN requires a dedicated VLAN (RSPAN VLAN) that is trunked across the network. If the RSPAN VLAN is not allowed on the trunk, traffic fails to reach the destination. If the destination switch does not have the RSPAN VLAN configured, the session cannot receive traffic.

A missing 'monitor session' command on the source switch means no traffic is being captured. A native VLAN mismatch does not specifically affect RSPAN, and a routing protocol issue is not directly related to Layer 2 RSPAN.

1617
Drag & Drop · hard

Drag and drop the steps to troubleshoot an MPLS L3VPN adjacency or connectivity failure into the correct order, from first to last.

Why this order

Troubleshooting begins by verifying the PE-CE adjacency with 'show ip bgp vpnv4 vrf <name> summary'. If the adjacency is down, check the VRF interface status and IP connectivity using ping. Then verify that the VRF is correctly configured with 'show vrf'.

Next, confirm that the MPLS LSP to the remote PE is functional using 'show mpls lsp'. Finally, check that the VPNv4 routes are being exchanged between PEs with 'show bgp vpnv4 unicast all'.

1618
MCQ · hard

A network engineer is troubleshooting an IPv6 connectivity problem across an IPv4 MPLS network using 6PE. The 6PE routers have MP-BGP sessions to exchange IPv6 prefixes, and the tunnel between them is up. However, a customer edge router behind one 6PE router cannot reach an IPv6 prefix behind the other 6PE router. The engineer checks the 6PE router's BGP table and sees the prefix, but the routing table shows the next-hop as unreachable. What is the most likely cause?

A. The MPLS LDP session between the 6PE routers or between the 6PE and P routers is down, so no label exists for the BGP next-hop.
B. The 6PE router is missing the 'ipv6 unicast-routing' command.
C. The tunnel interface is not in the VRF of the customer.
D. The remote 6PE router is not advertising the IPv6 prefix via BGP.
Answer: A

Correct because 6PE relies on MPLS labels to reach the remote 6PE router; without a label, the next-hop is unreachable, and traffic is dropped.

Why this answer

In 6PE, the BGP next-hop for an IPv6 prefix is the IPv4 address of the remote 6PE router. The 6PE router must have a label-switched path (LSP) to that IPv4 next-hop, which requires a working MPLS LDP session to distribute a label for that IPv4 address. If the LDP session is down, no label exists for the BGP next-hop, making it unreachable in the routing table even though the BGP table contains the prefix.

Exam trap

Cisco often tests the distinction between BGP table presence and routing table reachability, trapping candidates who assume that seeing the prefix in BGP guarantees it is usable for forwarding.

How to eliminate wrong answers

Option B is wrong because the 'ipv6 unicast-routing' command enables IPv6 routing globally on the router, but the issue is that the next-hop is unreachable in the routing table, not that IPv6 routing is disabled. Option C is wrong because 6PE uses a global IPv6 routing table, not a VRF; the tunnel is an MPLS LSP, not a tunnel interface placed in a VRF. Option D is wrong because the BGP table already shows the prefix, confirming the remote 6PE router is advertising it; the problem is that the next-hop is unreachable, not that the prefix is missing.

1619
MCQ · easy

In ERSPAN, what is the default encapsulation type used for transporting mirrored packets across an IP network?

A. IPsec
B. GRE
C. MPLS
D. VXLAN
Answer: B

ERSPAN uses GRE encapsulation as defined by Cisco.

Why this answer

ERSPAN uses GRE (Generic Routing Encapsulation) to encapsulate the original packets for transport over an IP network.

1620
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show flow monitor FLOW-MONITOR-1 cache format table
      Cache type:                      Normal
      Cache size:                      1000
      Current entries:                 500
      High Watermark:                  800
      Flows added:                     15000
      Flows aged:                      14500
        - Active timeout (1800 secs)   12000
        - Inactive timeout (15 secs)   2500
        - Event aged                   0
        - Watermark aged               0
        - Emergency aged               0

Based on this output, what is a valid conclusion?

A. The cache is experiencing packet drops due to overflow.
B. Most flows are long-lived, as indicated by the high number of active timeout expirations.
C. The inactive timeout is set too high at 15 seconds.
D. The cache size should be increased to 2000 entries.
Answer: B

Active timeout (1800 secs) aged 12000 flows, meaning flows lasted longer than 30 minutes, indicating long-lived traffic.

Why this answer

The cache has 500 current entries, with many flows added and aged. The high watermark of 800 indicates the cache has been near full, but no emergency aging occurred. The active timeout accounts for most aging, meaning flows are long-lived.

1621
Multi-Select · hard

Which TWO statements about PBR and the 'set ip tos' command are true? (Choose TWO.)

Select 2 answers
A. The 'set ip tos' command can use keywords such as 'min-delay', 'reliability', 'throughput', and 'low-cost' to set the ToS value.
B. The 'set ip tos' command modifies the entire DSCP field in the IP header.
C. The 'set ip tos' command can be used in a route-map sequence with a 'deny' keyword to mark packets that are not policy-routed.
D. The 'set ip tos' command is applied to all packets that match the route-map, regardless of whether the packet is policy-routed or forwarded normally.
E. The 'set ip tos' command can be verified using 'show route-map' to display the configured ToS value.
Answers: A, E

Correct. These keywords correspond to standard ToS values (e.g., min-delay = 8, reliability = 4, etc.).

Why this answer

PBR can modify the Type of Service (ToS) field in the IP header using 'set ip tos'. The ToS value can be specified as a decimal number (0-255) or using predefined keywords like 'min-delay', 'reliability', 'throughput', etc. The command affects only the ToS byte, not the entire DSCP field, though DSCP can be set using 'set ip dscp'.

The ToS change is applied to packets that match the route-map permit sequence.

1622
Multi-Select · hard

Which THREE configuration steps are required to enable DMVPN Phase 3 on a spoke router? (Choose THREE.)

Select 3 answers
A. Configure the tunnel interface as a multipoint GRE interface.
B. Set the tunnel source to the physical interface (e.g., GigabitEthernet0/1).
C. Configure an NHRP map to the hub with an authentication string.
D. Disable split horizon on the tunnel interface.
E. Configure the tunnel mode as 'tunnel mode ipsec ipv4'.
Answers: A, B, C

DMVPN Phase 3 requires the tunnel to be multipoint GRE (mGRE) to support multiple spoke connections.

Why this answer

To enable DMVPN Phase 3 on a spoke, you must configure the tunnel interface as multipoint GRE (mGRE), set the tunnel source to the physical interface, and configure an NHRP map to the hub with an authentication string. Phase 3 also uses 'ip nhrp shortcut' and 'ip nhrp redirect' commands, but the question asks for required steps that are common to all Phase 3 spokes. The other options are either not required or are for different phases.

1623
Drag & Drop · medium

Drag and drop the steps to configure conditional debugging and syslog forwarding into the correct order, from first to last.

Why this order

First, enable logging to a buffer to capture debug messages locally. Then, set the logging severity level to ensure debug messages are included. Next, configure the syslog server IP address.

After that, enable logging to the remote syslog server. Finally, enable conditional debugging to limit debug output based on specific conditions.

1624
MCQ · medium

In Cisco IOS, what is the default timeout for TCP NAT translations when the TCP session is idle?

A. 60 seconds
B. 300 seconds
C. 3600 seconds
D. 86400 seconds
Answer: D

Correct. The default TCP NAT translation timeout is 24 hours (86400 seconds) in Cisco IOS.

Why this answer

The default TCP NAT translation timeout in Cisco IOS is 86400 seconds (24 hours) when no data is being transferred. However, if the TCP session is established and idle, the timeout is 60 minutes (3600 seconds) after the first packet. The 24-hour value applies to the overall translation entry.

1625
MCQ · hard

A network engineer runs the following command on Router R1:

    R1# show policy-map control-plane
     Control Plane
      Service-policy input: CoPP-IN
        Class-map: CoPP-SNMP (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0000 bps, drop rate 0000 bps
          Match: access-group 130
          police:
              cir 32000 bps, bc 6000 bytes, be 6000 bytes
            conformed 0 packets, 0 bytes; actions:
              transmit
            exceeded 0 packets, 0 bytes; actions:
              drop
            violated 0 packets, 0 bytes; actions:
              drop

    R1# show access-lists 130
    Extended IP access list 130
        10 permit udp any any eq snmp
        20 permit udp any any eq snmptrap

Based on this output, what is the most likely reason that no packets are matching the CoPP-SNMP class?

A. The access-list does not include the correct SNMP port numbers.
B. The SNMP traffic is being sent from the router itself, which is not processed through the input control plane policy.
C. The police rate is too low and is dropping all packets before counting.
D. The class-map is using 'match-all' instead of 'match-any'.
Answer: B

Traffic originated by the router (e.g., SNMP traps) is not subject to input CoPP.

Why this answer

The access-list 130 matches SNMP traffic (UDP ports 161 and 162). However, SNMP traffic to the router itself typically uses the control plane, but the access-list may not match if the traffic is sourced from the router (e.g., SNMP traps) or if the source/destination IPs are not 'any'. The most common issue is that the access-list does not specify the direction of traffic, but since it is applied to the control plane input, it should match incoming SNMP requests.

However, if the router is sending SNMP traps, those are output traffic. The problem could be that the access-list is not matching the actual SNMP traffic because the router's own SNMP agent traffic is not subject to CoPP. But the key clue is that the class is not matching any packets, indicating the access-list may not be correct for the traffic type.

1626
MCQ · hard

An engineer configures DHCP snooping on a switch to prevent rogue DHCP servers. After enabling, legitimate DHCP clients on VLAN 10 cannot obtain addresses. The DHCP server is connected to a trusted port. The switch shows 'show ip dhcp snooping binding' with no entries. Which is the most likely explanation?

A. The DHCP server is on a different subnet, and no DHCP relay is configured; the switch only snoops broadcast traffic within the VLAN.
B. The trusted port is configured as an access port in VLAN 10, but the server is in VLAN 20.
C. The switch has 'ip dhcp snooping information option' disabled, preventing binding creation.
D. The DHCP server is using a different MAC address than expected, causing the switch to drop the packets.
Answer: A

Correct: DHCP snooping relies on seeing the DHCP packets. Without a relay, the server may not be reachable, or the packets may not traverse the switch.

Why this answer

DHCP snooping builds a binding database by snooping DHCPACK messages. If the switch does not see the DHCPACK (e.g., due to asymmetric routing or the server responding on a different VLAN), no bindings are created. A common edge case is that the DHCP server is on a different subnet and the relay agent is not configured, so the DHCP requests are broadcast and not forwarded.

1627
MCQ · hard

A network engineer runs the following command to troubleshoot a VRF-Lite OSPF adjacency issue:

    R1# debug ip ospf adj vrf CUSTOMER_C

Output:

    OSPF: 2 Way state received from 10.1.1.2 on interface GigabitEthernet0/1, address 10.1.1.2
    OSPF: Neighbor 10.1.1.2 is eligible for DR election on interface GigabitEthernet0/1
    OSPF: DR election: 10.1.1.1 (pri 1) is DR, 10.1.1.2 (pri 1) is BDR
    OSPF: Build router LSA for area 0, router ID 1.1.1.1, seq 0x80000001
    OSPF: Neighbor 10.1.1.2 is FULL, state changed from LOADING to FULL

What does this output indicate?

A. The OSPF adjacency failed because the neighbor remained in LOADING state.
B. The OSPF adjacency formed successfully, with 10.1.1.1 as DR and 10.1.1.2 as BDR.
C. The OSPF adjacency formed but the router ID is missing, causing instability.
D. The OSPF adjacency is stuck in 2-Way state due to mismatched area IDs.
Answer: B

Correct. The debug shows FULL state and DR/BDR election results.

Why this answer

The 'debug ip ospf adj vrf' command shows OSPF adjacency state changes for a specific VRF. The output shows a successful OSPF adjacency formation: the neighbor transitioned through 2-Way, DR election, and reached FULL state. The router with IP 10.1.1.1 became the DR, and 10.1.1.2 became the BDR.

1628
MCQhard

Router R1 is configured with ip nat inside source list 100 interface GigabitEthernet0/1 overload. Internal hosts can access the internet, but traffic to a specific external server at 203.0.113.200 is being dropped. Router R1 shows: show ip nat statistics: Total active translations: 1000. Debug ip nat: NAT: s=192.168.1.1->203.0.113.1, d=203.0.113.200 [0]. The external server shows no received packets. What is the root cause?

A.The router does not have a route to 203.0.113.200; configure a default route or specific route.
B.The access-list 100 is blocking the destination.
C.The NAT translation is failing due to port exhaustion.
D.The external server is blocking the source IP.
AnswerA

Without a route, the packet is dropped after NAT.

Why this answer

The debug shows successful NAT translation, but the packet is still dropped. This could be due to a route issue: the router may not have a route to 203.0.113.200, or the next-hop is unreachable. The correct fix is to check the routing table for the destination.

1629
MCQhard

A network engineer runs the following command to troubleshoot an Administrative Distance issue:

    R1# debug ip routing
    IP routing debugging is on
    *Mar 1 00:01:23.456: RT: add 192.168.2.0/24 via 10.1.1.2, eigrp metric [170/30720]
    *Mar 1 00:01:23.456: RT: closer admin distance for 192.168.2.0, adding to routing table
    *Mar 1 00:01:23.456: RT: add 192.168.2.0/24 via 10.1.1.2, ospf metric [110/20]
    *Mar 1 00:01:23.456: RT: not add 192.168.2.0/24 via 10.1.1.2, ospf metric [110/20] - route already in table with better admin distance

What does this output indicate?

A.The EIGRP route is preferred because it was added first.
B.The OSPF route is preferred because it has a lower administrative distance of 110 compared to EIGRP's 170.
C.The EIGRP route remains in the routing table because its administrative distance was manually changed to 100, making it better than OSPF's 110.
D.Both routes are added to the routing table, and load balancing occurs.
AnswerC

The debug shows the OSPF route is not added because the existing EIGRP route has a better admin distance. Since default EIGRP external AD is 170, it must have been changed to a value lower than 110, such as 100.

Why this answer

The debug shows that the EIGRP route (AD 170) is added first, but then OSPF (AD 110) tries to add the same route. Since OSPF has a lower AD, it replaces the EIGRP route. The output indicates that the route from OSPF is preferred due to lower administrative distance.

1630
MCQeasy

In Policy-Based Routing (PBR), what is the default action for packets that do not match any route-map sequence?

A.They are dropped.
B.They are forwarded using the normal routing table.
C.They are forwarded using the default route.
D.They are sent to the next-hop specified in the last sequence.
AnswerB

The implicit deny in a route-map for PBR means that unmatched packets are not subject to PBR and are routed normally.

Why this answer

Route-maps have an implicit deny at the end. For PBR, if a packet does not match any permit sequence, it is not policy-routed and is forwarded using the normal routing table.

1631
MCQhard

A network engineer runs the following command to troubleshoot an EIGRP issue:

    R1# debug eigrp fsm
    *Mar 1 00:20:45.678: EIGRP: 10.1.1.0/24 - do advertising, metric 131072
    *Mar 1 00:20:45.678: EIGRP: 10.1.1.0/24 - route installed in table
    *Mar 1 00:20:45.678: EIGRP: 10.1.1.0/24 - metric change from 131072 to 131328
    *Mar 1 00:20:45.678: EIGRP: 10.1.1.0/24 - find FS, metric 131328, RD 130816
    *Mar 1 00:20:45.678: EIGRP: 10.1.1.0/24 - found FS via 10.1.3.3, metric 131328
    *Mar 1 00:20:45.678: EIGRP: 10.1.1.0/24 - new successor is 10.1.3.3

What does this output indicate?

A.The route 10.1.1.0/24 has become unreachable, and EIGRP is querying neighbors.
B.EIGRP is performing a Diffusing Update Algorithm (DUAL) recomputation due to a metric increase, but a feasible successor is available, so no query is needed.
C.The route is being removed from the topology table because the metric changed.
D.EIGRP is sending a query to all neighbors because no feasible successor exists.
AnswerB

The metric increased, but a feasible successor was found, allowing immediate convergence without queries.

Why this answer

The debug shows the EIGRP Finite State Machine (FSM) processing a route change. The metric for 10.1.1.0/24 increased from 131072 to 131328, and the router found a feasible successor (10.1.3.3) with a metric of 131328, which becomes the new successor. This is a normal convergence event.

1632
MCQmedium

A network engineer runs the following command on Router R1:

    R1# show ip eigrp topology 10.1.1.0/24
    IP-EIGRP (AS 100): Topology entry for 10.1.1.0/24
      State: Passive, Originating reply status: 0
      Routing Descriptor Blocks:
      0.0.0.0 (Null0), from 0.0.0.0, Send flag: 0x0
          Composite metric is (2560000000/0), Route is Internal
          Vector metric:
            Minimum bandwidth is 100000 Kbit
            Total delay is 100 microseconds
            Reliability is 255/255
            Load is 1/255
            Minimum MTU is 1500
            Hop count is 0
      10.2.2.2 (GigabitEthernet0/1), from 10.2.2.2, Send flag: 0x0
          Composite metric is (2688000000/2560000000), Route is Internal
          Vector metric:
            Minimum bandwidth is 100000 Kbit
            Total delay is 200 microseconds
            Reliability is 255/255
            Load is 1/255
            Minimum MTU is 1500
            Hop count is 1

Based on this output, what is the problem?

A.The route 10.1.1.0/24 is redistributed from another protocol into EIGRP.
B.A manual summary route is configured on R1 for 10.1.1.0/24, causing a local Null0 entry.
C.The route 10.1.1.0/24 is flapping between Passive and Active states.
D.The neighbor 10.2.2.2 is not reachable, so the route is installed via Null0.
AnswerB

The Null0 entry with metric 2560000000/0 indicates a summary route; the 'ip summary-address eigrp' command creates this entry to prevent loops.

Why this answer

The output shows a Null0 entry with a metric of 2560000000/0, which is characteristic of a summary route. The problem is that an EIGRP summary route is being advertised, but the route is also learned from another neighbor (10.2.2.2) with a higher metric, indicating potential suboptimal routing or a missing 'no auto-summary' command.

1633
MCQhard

A router is configured with PBR using a route-map that sets the next-hop to 10.0.0.2 for traffic from subnet 192.168.1.0/24. The route-map is applied inbound on interface GigabitEthernet0/0. The engineer also configures 'ip policy route-map' on the same interface. The engineer notices that PBR is working for TCP traffic but not for UDP traffic from the same subnet. What is the most likely cause?

A.The ACL in the route-map is configured to match only TCP traffic, so UDP packets are not policy-routed.
B.UDP traffic is not supported by PBR.
C.The next-hop 10.0.0.2 does not have a route for UDP traffic.
D.The route-map is missing a 'set ip next-hop' command for UDP.
AnswerA

ACL protocol matching is specific; using 'tcp' excludes UDP.

Why this answer

PBR processes all IP traffic regardless of protocol, but if the ACL in the route-map uses 'tcp' as the protocol, it will only match TCP packets. The engineer likely configured the ACL to match only TCP, inadvertently excluding UDP. The ACL should use 'ip' to match all protocols.

1634
MCQhard

A router is configured as a DHCPv6 client on an interface using 'ipv6 address dhcp'. The router receives a valid IPv6 address from the server, but the address is not used for outgoing traffic. Which is the most likely explanation?

A.The router has a static IPv6 address configured on the same interface, and the DHCP-assigned address is not preferred for source selection.
B.The DHCPv6 server assigned a temporary address (IA_TA) instead of a non-temporary address (IA_NA).
C.The router's 'ipv6 unicast-routing' is disabled.
D.The DHCP-assigned address is in a different subnet than the default gateway.
AnswerA

Correct: If a static address is present, the router may use it as the source, especially if it is in the same subnet as the destination.

Why this answer

When a router uses 'ipv6 address dhcp', it requests a non-temporary address (IA_NA). However, the router may also have a link-local address and possibly a static address. The source address selection for outgoing traffic is based on the destination and the routing table.

If the router has a static global unicast address configured, it may prefer that over the DHCP-assigned address. A common edge case is that the DHCP-assigned address is not preferred due to the 'ipv6 dhcp client' command not setting the address as the primary.

1635
MCQmedium

A network engineer is troubleshooting a DHCPv4 issue on a Cisco router configured as a DHCP server. Clients on VLAN 10 are unable to obtain IP addresses. The engineer verifies that the DHCP pool is correctly configured and that the router interface facing the clients has 'ip helper-address 192.168.1.1' pointing to the DHCP server. However, the DHCP server is on a different subnet and the router's interface is in a VRF. The DHCP DISCOVER messages are not reaching the server. What is the most likely cause?

A.The DHCP pool is missing the 'default-router' command.
B.The router needs the 'ip dhcp relay information option' command to insert Option 82.
C.The 'ip helper-address' command must be configured under the interface with the VRF name using 'ip helper-address vrf <vrf-name> <server-ip>'.
D.The DHCP server is not configured with a scope for the client subnet.
AnswerC

Correct because when the interface is in a VRF, the helper address must specify the VRF to ensure the DHCP broadcast is forwarded into the correct routing table.

Why this answer

The DHCP relay agent (the router) must be configured to forward DHCP broadcasts across VRFs using the 'ip helper-address vrf <name>' command, otherwise the packets are dropped because the interface is in a VRF and the helper address is not VRF-aware.

1636
MCQmedium

A network engineer runs the following command to troubleshoot a Route Summarization issue:

    R1# show ip route summary
    IP routing table maximum-paths limit: 32
    IP routing table entry count: 15
    IP routing table active entry count: 15
    Number of prefixes: 15
    Number of /0: 0
    Number of /8: 1
    Number of /16: 2
    Number of /24: 12
    Number of /32: 0

What does this output indicate?

A.The routing table contains 2 /16 summary routes, likely summarizing the 12 /24 subnets, indicating successful route summarization.
B.The routing table has no summarization, as all routes are /24 or smaller.
C.The routing table is full and cannot accept more routes.
D.The summary routes are not being used because they are inactive.
AnswerA

The presence of fewer /16 routes than /24 routes suggests summarization is working.

Why this answer

This output shows a summary of the IP routing table. The prefix length distribution indicates that there are 2 /16 routes and 12 /24 routes. This suggests that route summarization is in effect, as the /16 routes likely summarize the /24 subnets.

1637
Multi-Selectmedium

Which TWO statements about IPsec site-to-site VPN configuration using IKEv1 are true? (Choose TWO.)

Select 2 answers
A.IKEv1 phase 1 establishes the ISAKMP SA, which is bidirectional.
B.IKEv1 phase 2 uses the crypto isakmp policy to negotiate IPsec SAs.
C.The 'crypto isakmp policy' command configures authentication, encryption, and DH group for phase 1.
D.IPsec SAs are unidirectional and require two SAs per tunnel.
E.The 'crypto ipsec transform-set' command defines the IKEv1 phase 1 policy.
AnswersA, C

Phase 1 creates a bidirectional ISAKMP SA used to protect IKE negotiations.

Why this answer

IKEv1 phase 1 establishes the ISAKMP Security Association (SA), which is used to securely negotiate the IPsec SAs in phase 2. This ISAKMP SA is bidirectional, meaning a single SA protects both inbound and outbound IKE traffic between the peers.

Exam trap

Cisco often tests the distinction between IKEv1 phase 1 (ISAKMP SA, bidirectional) and phase 2 (IPsec SAs, unidirectional), and candidates frequently confuse which commands apply to each phase, especially the 'crypto isakmp policy' versus 'crypto ipsec transform-set' commands.

1638
MCQhard

A network engineer is troubleshooting IPv6 neighbor discovery issues on a VLAN. Router R1 is configured with IPv6 First Hop Security features. Hosts are unable to communicate with each other, even though they have valid IPv6 addresses. Router R1 has the following relevant configuration:

    interface Vlan100
     ipv6 address 2001:DB8:1:100::1/64
     ipv6 nd raguard
     ipv6 dhcp guard
     ipv6 source guard
    !

Router R2 shows: debug ipv6 nd output indicates that Neighbor Solicitations from hosts are being dropped. What is the root cause?

A.RA Guard is blocking Neighbor Solicitations because they are mistaken for RAs.
B.DHCP Guard is dropping Neighbor Solicitations because they contain DHCP options.
C.IPv6 Source Guard is dropping Neighbor Solicitations because the source address is not in the binding table.
D.The VLAN interface is not in a state to forward ND messages due to a spanning tree issue.
AnswerC

Source Guard validates source addresses against the binding table; if the host is not bound, the NS is dropped.

Why this answer

The combination of RA Guard, DHCP Guard, and Source Guard can create complex filtering. In this scenario, IPv6 Source Guard is likely dropping Neighbor Solicitations because the hosts' IPv6 addresses are not in the binding table. This is a common issue when DHCPv6 is not used or when static bindings are missing, causing legitimate ND traffic to be filtered.

1639
MCQhard

A network uses PBR to route traffic from a specific VLAN (10.10.10.0/24) through a firewall (next-hop 192.168.1.1). After a firewall policy change, traffic from this VLAN is being dropped. Router R1 shows: 'show ip policy' shows PBR applied, 'debug ip policy' shows traffic being forwarded to 192.168.1.1, but 'debug ip packet' on R1 shows packets being sent to 192.168.1.1 and no response. Router R2 (firewall) shows: 'show ip route 10.10.10.0' returns a route via 192.168.2.1, but 'show access-lists' on the firewall shows an ACL that denies traffic from 10.10.10.0/24. What is the root cause?

A.The firewall has an ACL that denies traffic from 10.10.10.0/24. Update the ACL to allow this traffic.
B.The next-hop 192.168.1.1 is not reachable from R1 due to a routing issue.
C.The route-map on R1 is missing a 'set ip next-hop verify-availability' command, causing it to forward traffic to an unreachable next-hop.
D.The VLAN interface on R1 has an ACL that is blocking traffic from 10.10.10.0/24.
AnswerA

PBR successfully forwards traffic to the firewall, but the firewall drops it due to an ACL. The routing is correct, but the firewall policy is blocking the traffic.

Why this answer

PBR forwards traffic to the firewall, but the firewall has an ACL that denies traffic from the source subnet (10.10.10.0/24). This is a policy issue on the firewall, not a routing issue. The solution is to update the firewall ACL to allow traffic from the source subnet.

1640
MCQhard

A network engineer runs the following command on Router R1:

    R1# show ip access-lists
    Extended IP access list 160
        10 permit tcp any any established (200 matches)
        20 permit udp any any (100 matches)
        30 deny ip any any (50 matches)

Based on this output, what is the problem?

A.The ACL allows all UDP traffic.
B.The ACL blocks all traffic except established TCP and UDP.
C.The ACL permits all TCP traffic.
D.The ACL is correctly configured for a firewall.
AnswerB

Line 30 denies all other IP traffic, which may block new TCP connections and other protocols.

Why this answer

The ACL 160 permits only established TCP sessions (using the 'established' keyword, which matches TCP segments with the ACK or RST bit set) and all UDP traffic, while denying everything else. This means non-established TCP traffic (e.g., initial SYN packets) is blocked, so the ACL effectively blocks all traffic except established TCP and UDP, making option B correct.

Exam trap

Cisco often tests the misconception that an ACL with 'permit tcp any any established' allows all TCP traffic, when in fact it only permits TCP segments with the ACK or RST bit set, blocking initial SYN packets.

How to eliminate wrong answers

Option A is wrong because the ACL does allow all UDP traffic (as shown by the 'permit udp any any' line), so this is not a problem—it is a correct observation but not the issue. Option C is wrong because the ACL does not permit all TCP traffic; it only permits established TCP sessions, blocking initial TCP handshake packets. Option D is wrong because the ACL is not correctly configured for a firewall; a proper firewall ACL should typically permit only specific necessary traffic and deny all else, but here it allows all UDP traffic without restriction, which is a security risk.

1641
MCQhard

A network uses PBR to load-balance traffic from two subnets (10.1.1.0/24 and 10.2.2.0/24) across two ISPs (next-hops 100.64.1.1 and 100.64.2.2). After a routing change, traffic from 10.1.1.0/24 is being sent to both ISPs intermittently. Router R1 shows: 'show route-map' shows the route-map with two match clauses, 'debug ip policy' shows traffic from 10.1.1.0/24 being sent to both next-hops. What is the root cause?

A.The route-map has a match clause that matches both subnets, causing traffic to be load-balanced across both next-hops. Use specific ACLs or separate route-map entries.
B.The 'set ip next-hop' command is missing the 'load-balance' keyword, causing PBR to use both next-hops by default.
C.The routing table on R1 has equal-cost routes to both ISPs, causing PBR to be overridden by the routing table.
D.The interface where PBR is applied is in a VRF, causing the route-map to be applied incorrectly.
AnswerA

If the ACL in the route-map matches both subnets (e.g., using a wildcard mask that is too broad), traffic from 10.1.1.0/24 can match multiple clauses, leading to load-balancing. Using specific ACLs or separate route-map entries with sequence numbers ensures each subnet is matched by only one clause.

Why this answer

PBR route-maps can have multiple match clauses, but if the route-map does not have a 'sequence' number or if the match clauses are not mutually exclusive, traffic can match multiple clauses. In this case, the route-map likely has a match clause that matches both subnets (e.g., using a less specific ACL), causing traffic from 10.1.1.0/24 to match both clauses and be load-balanced. The solution is to ensure the ACLs in the route-map are mutually exclusive or use separate route-map entries with sequence numbers.

1642
MCQhard

An engineer configures an EEM applet to react to BGP prefix changes using the event syslog pattern 'BGP-5-ADJCHANGE'. The applet sends a custom SNMP trap. The BGP session between two routers is established, but when a route is withdrawn due to next-hop-self requirement for iBGP, the EEM applet does not trigger. Which is the most likely explanation?

A.The BGP-5-ADJCHANGE syslog is only generated for session state changes, not for individual route updates.
B.The EEM applet must be configured with 'event bgp' to monitor BGP prefix changes.
C.The next-hop-self requirement causes a BGP notification that generates a different syslog pattern.
D.The EEM applet requires the 'event manager directory' to be set for SNMP traps.
AnswerA

Correct. The syslog message is only for session state transitions, not for prefix changes.

Why this answer

The BGP-5-ADJCHANGE syslog message is generated only when the BGP session state changes (e.g., from Established to Idle or vice versa). It is not generated for individual prefix updates or withdrawals. When a route is withdrawn due to next-hop-self requirement, the BGP session remains established, so no ADJCHANGE event occurs.

The EEM applet will not trigger because the syslog pattern does not match any generated message.

1643
MCQhard

What is the default EIGRP authentication mode when authentication is configured?

A.SHA-256
B.MD5
C.Plain text
D.No authentication by default
AnswerB

Correct. EIGRP defaults to MD5 authentication when enabled.

Why this answer

EIGRP supports MD5 authentication by default. When 'ip authentication mode eigrp' is configured, the default mode is MD5. SHA-256 requires additional configuration.

1644
MCQmedium

A network engineer runs the following command to troubleshoot an MPLS L3VPN issue:

    R1# show bgp neighbors 10.0.0.2 received-routes
    BGP table version is 10, local router ID is 10.0.0.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S stale, m multipath, b backup-path, f RT-Filter,
                  x best-external, a additional-path, c RIB-compressed,
    Origin codes: i - IGP, e - EGP, ? - incomplete

         Network          Next Hop            Metric LocPrf Weight Path
     *>  10.3.3.0/24      10.0.0.2                 0    100      0 65000 i
     *>  10.4.4.0/24      10.0.0.2                 0    100      0 65000 i

    Total number of prefixes 2

What does this output indicate?

A.R1 is receiving two routes from BGP neighbor 10.0.0.2
B.R1 is advertising two routes to BGP neighbor 10.0.0.2
C.R1 has no BGP routes
D.R1 is using OSPF to learn these prefixes
AnswerA

The output shows two prefixes with next hop 10.0.0.2, indicating they are learned from that neighbor.

Why this answer

The show bgp neighbors received-routes command displays routes received from the specified neighbor. Here, R1 has received two prefixes (10.3.3.0/24 and 10.4.4.0/24) from neighbor 10.0.0.2, with next hop 10.0.0.2 and AS path 65000. These are valid and best.

1645
MCQhard

In a DMVPN Phase 2 network with OSPF as the IGP, R1 (hub) and R2 (spoke) are configured with 'ip ospf network broadcast' on the tunnel interface. R3 (another spoke) has 'ip ospf network point-to-multipoint'. R2 can ping R3's tunnel IP, but OSPF adjacencies between R2 and R3 are not forming. What is the root cause?

A.OSPF network type mismatch between R2 (broadcast) and R3 (point-to-multipoint) prevents adjacency formation because the multicast and unicast OSPF packets are not compatible.
B.R3's OSPF priority is set to 0, preventing it from becoming DR/BDR.
C.R2 has an ACL blocking OSPF multicast traffic (224.0.0.5/6).
D.The DMVPN tunnel is not in Phase 2 mode, preventing spoke-to-spoke adjacencies.
AnswerA

Correct. OSPF network types must match on all routers in the same network segment for adjacencies to form. Broadcast uses multicast, point-to-multipoint uses unicast, causing communication failure.

Why this answer

OSPF network type mismatch on the DMVPN tunnel prevents adjacency formation. Broadcast network type requires a DR/BDR election and uses multicast 224.0.0.5/6, while point-to-multipoint uses unicast and does not elect DR/BDR. The mismatch causes OSPF packets to be ignored or not processed correctly.

1646
MCQmedium

A network engineer runs the following command on router R3:

    R3# show monitor session 5
    Session 5
    ---------
    Type              : ERSPAN Destination Session
    Status            : Admin Enabled
    Source IP         : 10.0.0.2
    Destination Ports : Gi0/1
    Encapsulation     : Native
    Ingress           : Disabled
    ERSPAN ID         : 100

Based on this output, which statement is correct?

A.The ERSPAN destination session receives traffic from source IP 10.0.0.2 and sends it to Gi0/1.
B.The ERSPAN destination session sends traffic to source IP 10.0.0.2.
C.The session is an RSPAN destination session because it uses a destination port.
D.The session is misconfigured because the destination port has ingress disabled.
AnswerA

The output shows source IP 10.0.0.2, destination port Gi0/1, and ERSPAN ID 100, confirming this.

Why this answer

This is an ERSPAN destination session. It receives ERSPAN-encapsulated traffic from source IP 10.0.0.2 with ERSPAN ID 100, decapsulates it, and sends the original mirrored traffic to destination port Gi0/1. The session is administratively enabled.

1647
MCQhard

A network engineer runs the following command on Router R1:

    R1# show bfd neighbors detail
    IPv4 Sessions
    NeighborAddr    LD/RD    Int      State    Holdown(mult)    Intf
    10.1.1.2        1/3      Gi0/0    Down     0(0)             Gi0/0
    Session state is DOWN
    OurAddr: 10.1.1.1
    Handle: 1
    Local Diag: 1, Demand mode: 0, Poll bit: 0
    MinTxInt: 1000000, MinRxInt: 1000000, Multiplier: 3
    Received MinRxInt: 1000000, Received Multiplier: 3
    Holddown (hits): 0(0)
    Rx Count: 0, Tx Count: 50

Based on this output, what is the most likely cause of the BFD session being down?

A.The neighbor router is not configured for BFD.
B.The BFD session is down because the local router is not sending BFD packets.
C.The BFD session is down because the neighbor is not responding to BFD packets, likely due to a network connectivity issue or neighbor misconfiguration.
D.The BFD session is down because the multiplier is set too low.
AnswerC

Local Diag 1 means control detection time expired, and Rx Count is 0, indicating no packets received from the neighbor. This points to a problem with the neighbor or the path.

Why this answer

The Local Diag field shows 1, which indicates 'Control Detection Time Expired'. This means the local router did not receive BFD control packets from the neighbor within the expected time. The Rx Count is 0, confirming no packets were received.

Tx Count is 50, so the local router is sending packets but not receiving any.

1648
MCQhard

A network engineer configures redistribution between OSPF and EIGRP on a multi-access link. After configuration, OSPF neighbors keep flapping. Router R1 config:

    interface GigabitEthernet0/0
     ip ospf network broadcast
     ip ospf hello-interval 10
    !
    router ospf 1
     redistribute eigrp 100 subnets
    !
    router eigrp 100
     redistribute ospf 1 metric 10000 100 255 1 1500

    R1# show ip ospf neighbor
    Neighbor ID     Pri   State           Dead Time   Address     Interface
    192.168.1.2       1   FULL/DR         00:00:35    10.1.1.2    GigabitEthernet0/0
    192.168.1.3       1   2WAY/DROTHER    00:00:31    10.1.1.3    GigabitEthernet0/0

What is the root cause?

A.The OSPF hello interval is too low, causing neighbor flapping under load from redistribution.
B.The EIGRP metric is misconfigured, causing route inconsistency.
C.The OSPF network type broadcast requires a DR/BDR election, causing instability.
D.The redistribute command under OSPF is missing the metric type.
AnswerA

Redistribution increases CPU load, causing hello packets to be delayed and neighbors to time out.

Why this answer

The OSPF network type is broadcast, but the EIGRP redistribution may be causing OSPF LSAs to be flooded with high CPU load, leading to neighbor flapping. Additionally, the hello interval is set to 10 seconds, but the dead interval is not explicitly set, defaulting to 40 seconds. If the router is overloaded, hello packets may be missed.

The fix is to increase the dead interval or adjust the network type to point-to-point.

1649
MCQmedium

A network engineer runs the following command on switch SW1:

    SW1# show monitor session 1
    Session 1
    ---------
    Type              : Local Session
    Source Ports      :
        Both          : Gi0/1, Gi0/2
    Destination Ports : Gi0/3
    Encapsulation     : Native
    Ingress           : Disabled

Based on this output, which statement is correct?

A.The SPAN session is monitoring traffic on Gi0/1 and Gi0/2 and sending it to Gi0/3.
B.The SPAN session is monitoring traffic on Gi0/3 and sending it to Gi0/1 and Gi0/2.
C.The SPAN session is using RSPAN because the destination port has ingress disabled.
D.The SPAN session is not active because the destination port is not in forwarding state.
AnswerA

The output clearly shows source ports Gi0/1 and Gi0/2, destination port Gi0/3, and type Local Session, confirming this.

Why this answer

The output shows a local SPAN session with source ports Gi0/1 and Gi0/2, and destination port Gi0/3. The destination port is configured with native encapsulation and ingress is disabled, meaning traffic received on the destination port is not forwarded. The session is active and correctly configured.

1650
MCQhard

An engineer configures IP SLA with an ICMP echo operation and uses it to track a static route. The engineer also configures a backup static route with a higher administrative distance. The engineer notices that when the primary route is removed due to IP SLA failure, the backup route is installed, but when the IP SLA operation recovers, the primary route is not reinstalled. The show ip sla statistics shows the operation is 'Active' and 'Success'. The show track shows the track object is 'Up'. Which is the most likely explanation?

A.The primary static route has a higher administrative distance than the backup route.
B.The IP SLA operation has a frequency that is too low, causing a delay in detection of recovery.
C.The track object has a 'delay up' configured, causing a delay before the primary route is reinstalled.
D.The backup static route is configured with a permanent keyword, preventing the primary route from being reinstalled.
AnswerA

If the primary route has a higher AD, it will not be installed even when the track object is up, because the backup route is preferred.

Why this answer

When a tracked static route is removed and the backup route is installed, the primary route may not be reinstalled if the primary route's administrative distance is not lower than the backup route. However, in this scenario, the track object is up, so the primary route should be reinstalled. The most likely edge case is that the primary static route has a higher administrative distance than the backup route, which would prevent it from being reinstalled even when the track object is up.

This can happen if the engineer misconfigured the AD values.
