Cisco CCNP ENARSI 300-410 (300-410) — Questions 1651–1725

2152 questions total · 29 pages · All types, answers revealed

Page 23 of 29

1651
Multi-Select · hard

Which TWO statements about the interaction between IPv6 ACLs and uRPF are correct? (Choose TWO.)

Select 2 answers
A. When both uRPF and an inbound IPv6 ACL are configured on the same interface, uRPF is processed first.
B. An IPv6 ACL can be used to permit traffic that would otherwise be dropped by uRPF strict mode due to asymmetric routing.
C. uRPF can be configured to ignore IPv6 ACLs on the same interface.
D. An outbound IPv6 ACL can be used to filter traffic before uRPF checks.
E. If uRPF drops a packet, the inbound ACL is still evaluated for logging purposes.
Answers: A, B

Correct. uRPF checks occur before ACL processing in the input path.

Why this answer

IPv6 ACLs and uRPF can be applied together on the same interface. uRPF processes packets before inbound ACLs in the input path. If uRPF drops a packet, the ACL is not evaluated. Conversely, if uRPF passes the packet, the ACL then filters it.

ACLs can be used to permit traffic that uRPF would otherwise drop (e.g., for asymmetric routing), but that requires careful design. uRPF does not override ACLs; they work sequentially.

1652
MCQ · easy

Which of the following is true regarding the placement of an IPv4 ACL to filter traffic between two internal subnets?

A. Standard ACLs should be placed closest to the source.
B. Extended ACLs should be placed closest to the destination.
C. Standard ACLs should be placed closest to the destination.
D. Placement does not affect ACL functionality.
Answer: C

Standard ACLs lack destination filtering; placing them near the destination prevents blocking traffic to other networks.

Why this answer

Standard ACLs filter based solely on the source IP address and lack the granularity to distinguish between different destination subnets. Placing a standard ACL closest to the destination ensures that traffic is filtered only after it has reached the target subnet, preventing the ACL from inadvertently blocking traffic to other destinations that share the same source. This placement aligns with the Cisco best practice of placing standard ACLs near the destination to minimize unintended filtering.

Exam trap

Cisco often tests the misconception that standard ACLs should be placed closest to the source (like extended ACLs), but the correct practice is to place standard ACLs closest to the destination due to their lack of destination-based filtering.

How to eliminate wrong answers

Option A is wrong because standard ACLs should be placed closest to the destination, not the source; placing them near the source can block all traffic from a source regardless of the destination, which is overly restrictive and can disrupt traffic to other subnets. Option B is wrong because extended ACLs should be placed closest to the source, not the destination; placing them near the destination wastes bandwidth by allowing unwanted traffic to traverse the network before being filtered. Option D is wrong because placement directly affects ACL functionality and efficiency; improper placement can cause unintended filtering or unnecessary network congestion.

1653
MCQ · medium

Given the following partial configuration on router R1:

    router eigrp 100
     network 10.0.0.0 0.255.255.255
     network 192.168.1.0 0.0.0.255
    !
    interface GigabitEthernet0/0
     ip address 10.1.1.1 255.255.255.0
    !
    interface GigabitEthernet0/1
     ip address 192.168.1.1 255.255.255.0
    !
    interface GigabitEthernet0/2
     ip address 172.16.1.1 255.255.255.0

What is the effect of this configuration?

A. EIGRP will form adjacencies and advertise all three interfaces because the network statements use classful boundaries.
B. EIGRP will only advertise the 10.1.1.0/24 and 192.168.1.0/24 networks; the 172.16.1.0/24 network will not be advertised and no EIGRP adjacency will be formed on that interface.
C. EIGRP will advertise all three networks because the network 10.0.0.0 command includes all interfaces with an IP starting with 1, 172, or 192.
D. EIGRP will not form any adjacencies because the network statements must use exact subnet masks instead of wildcard masks.
Answer: B

Only interfaces matching the network statements are enabled for EIGRP. 172.16.1.0/24 does not match 10.0.0.0 or 192.168.1.0, so it is excluded.

Why this answer

The EIGRP configuration uses classful network statements with wildcard masks. The network 172.16.1.0/24 is not included in any network statement, so EIGRP will not advertise or form adjacencies on that interface.

1654
MCQ · medium

Consider this IP SLA configuration on router R3:

    ip sla 30
     icmp-echo 192.168.2.1
     frequency 5
    ip sla schedule 30 life forever start-time now

What is missing from this configuration?

A. A source IP address is missing; the router will use the outgoing interface IP.
B. The frequency is too low; it should be at least 60 seconds.
C. The destination IP is invalid; it must be a multicast address.
D. The operation type is wrong; it should be udp-echo.
Answer: A

Without source-ip, the router defaults to the interface IP used for the route to the destination.

Why this answer

The configuration lacks a source IP address. While optional, without a source-ip, the router uses the outgoing interface IP, which may not be desired for tracking specific paths.

1655
MCQ · hard

An engineer configures mutual redistribution between OSPF and EIGRP. After a few minutes, routing loops occur. The engineer did not use route tagging. Which is the most likely explanation?

A. Routes redistributed from OSPF into EIGRP have a higher administrative distance than the original OSPF routes, causing them to be preferred.
B. Redistributed routes retain their original metric, which can cause them to be preferred over the original route.
C. Without route tagging, OSPF redistributes EIGRP routes back into OSPF, and EIGRP redistributes OSPF routes back into EIGRP, creating a cycle.
D. The seed metric for redistribution is not set, causing the redistributed routes to be rejected.
Answer: C

Route tagging (e.g., using a route-map) is essential to prevent redistributed routes from being re-redistributed. Without it, each protocol can re-inject the other's routes, causing loops.

Why this answer

Option C is correct because mutual redistribution without route tagging creates a feedback loop: OSPF redistributes EIGRP-learned routes back into OSPF, and EIGRP redistributes OSPF-learned routes back into EIGRP. Each protocol re-advertises the other's routes, causing them to be learned and re-injected repeatedly, which leads to routing loops. Route tagging (e.g., using a route-map to set a tag) is the standard method to prevent such cycles by filtering redistributed routes that already originated from the other protocol.

Exam trap

Cisco often tests the misconception that routing loops in mutual redistribution are caused by administrative distance or metric issues, when in fact the core problem is the lack of route tagging to prevent re-redistribution of routes back into their original protocol.

How to eliminate wrong answers

Option A is wrong because administrative distance (AD) is used to select between routes from different protocols, but in mutual redistribution, the issue is not about preferring one protocol over another—it is about the same route being re-injected and causing a loop. Option B is wrong because redistributed routes do not retain their original metric; OSPF uses a seed metric (default 20 for external routes) and EIGRP uses a seed metric (default infinity unless set), and metric manipulation does not directly cause loops—the loop stems from re-redistribution. Option D is wrong because if the seed metric is not set for EIGRP redistribution, the route is not rejected; EIGRP requires a seed metric (e.g., bandwidth, delay) to be configured, but OSPF uses a default seed metric of 20, so routes are still redistributed and can cause loops.

1656
MCQ · easy

What is the default metric for a static route pointing to a tunnel interface in Cisco IOS-XE?

A. 0
B. 1
C. 10
D. 20
Answer: A

The default metric for static routes is 0.

Why this answer

In Cisco IOS-XE, a static route pointing to a tunnel interface (e.g., a GRE or IPsec tunnel) uses a default administrative distance of 0. This is because the route is considered directly connected to the tunnel interface, and directly connected routes have an administrative distance of 0, overriding any other route type. This behavior is specific to tunnel interfaces and differs from static routes pointing to next-hop IP addresses, which default to an administrative distance of 1.

Exam trap

Cisco often tests the misconception that all static routes default to an administrative distance of 1, but the trap here is that static routes pointing to a tunnel interface are treated as directly connected, resulting in a default metric of 0, not 1.

How to eliminate wrong answers

Option B is wrong because 1 is the default administrative distance for a static route pointing to a next-hop IP address, not a tunnel interface. Option C is wrong because 10 is the administrative distance for static routes configured with a next-hop interface that is not a tunnel (e.g., Ethernet), but this is not the default for tunnel interfaces. Option D is wrong because 20 is the default administrative distance for external BGP routes (eBGP), not for static routes to tunnel interfaces.

1657
MCQ · hard

A network engineer runs the following command on Router R1:

    R1# show flow monitor FLOW-MONITOR-1 cache format table
      Cache type:                      Normal
      Cache size:                        1000
      Current entries:                   1000
      High Watermark:                    1000
      Flows added:                      50000
      Flows aged:                       49000
        - Active timeout (1800 secs)    40000
        - Inactive timeout (15 secs)     8000
        - Event aged                        0
        - Watermark aged                 1000
        - Emergency aged                    0

Based on this output, what is the most likely issue?

A. The cache size is too small, causing watermark aging and potential loss of flow data.
B. The active timeout is set too low at 1800 seconds.
C. The inactive timeout is set too low at 15 seconds.
D. The flow exporter is not configured.
Answer: A

The cache is full and watermark aging is occurring, meaning flows are being aged out due to lack of space, which can result in incomplete export data.

Why this answer

The cache is full (1000 current entries, high watermark 1000), and watermark aging has occurred (1000 flows aged due to watermark). This indicates the cache is overflowing, causing flows to be aged prematurely to make room for new flows. This can lead to incomplete data.

1658
MCQ · hard

A DMVPN network is experiencing spoke-to-spoke tunnel failures. R1 (hub) has:

    event manager applet DMVPN-TRIGGER
     event syslog pattern "%DMVPN-5-UP"
     action 1.0 cli command "enable"
     action 2.0 cli command "clear crypto sa"
     action 3.0 syslog msg "Cleared crypto SAs"

Router R2 (spoke) shows: DMVPN tunnel is up, but IPsec SAs are renegotiating frequently. What is the root cause?

A. The EEM applet clears all crypto SAs whenever a DMVPN tunnel comes up, disrupting existing SAs.
B. The DMVPN tunnel is misconfigured with mismatched IPsec profiles.
C. The spoke router has an incorrect NHRP mapping.
D. The hub router has a routing protocol issue preventing spoke-to-spoke routes.
Answer: A

Clearing all crypto SAs forces renegotiation, causing spoke-to-spoke failures.

Why this answer

The EEM applet triggers on any DMVPN tunnel UP event and clears all crypto security associations (SAs). This forces renegotiation of IPsec SAs for all tunnels, causing temporary loss of spoke-to-spoke connectivity. The correct fix is to clear only specific SAs or avoid clearing them on DMVPN UP events.

1659
MCQ · hard

A network engineer configures SNMPv3 on a router with the 'snmp-server group' and 'snmp-server user' commands, using SHA for authentication and AES for privacy. The NMS can poll the router successfully, but SNMP traps are not received. Which is the most likely explanation?

A. The SNMP engine ID on the router changed after the NMS was configured, causing authentication failures for traps.
B. The 'snmp-server enable traps' command was omitted, so no traps are generated.
C. The NMS is using SNMPv2c for trap reception, which is incompatible with SNMPv3.
D. The 'snmp-server host' command specifies a community string instead of the SNMPv3 username.
Answer: A

The engine ID is used to derive keys; if it changes, the NMS cannot decrypt or authenticate traps, even though polling still works if the NMS uses the old engine ID.

Why this answer

SNMPv3 traps require that the engine ID be known to both the agent and the NMS. If the engine ID changes (e.g., due to a reload or configuration change), the NMS may not recognize the trap sender, causing traps to be dropped. Additionally, traps use a different notification view than the read view used for polling.

1660
MCQ · medium

A network engineer runs the following command to troubleshoot SNMP traps:

    R1# show snmp host
    Host: 10.1.1.2  Port: 162  Timeout: 30  Retries: 3  Community: trap-public  Version: 2c  Filter: none
    Host: 10.1.1.3  Port: 162  Timeout: 30  Retries: 3  Community: trap-public  Version: 2c  Filter: none

What does this output indicate?

A. SNMP traps are sent to two NMS hosts: 10.1.1.2 and 10.1.1.3 using SNMPv2c.
B. SNMP traps are sent to host 10.1.1.2 only.
C. The router is configured to receive traps from these hosts.
D. SNMPv3 is used for trap communication.
Answer: A

The output shows two hosts configured for trap reception with SNMPv2c.

Why this answer

The show snmp host command displays configured SNMP trap receivers. The output shows two hosts (10.1.1.2 and 10.1.1.3) configured to receive SNMPv2c traps with community 'trap-public'.

1661
MCQ · hard

In an MPLS LDP network, routers R1 and R2 are directly connected via GigabitEthernet0/0. R1 shows 'show mpls ldp neighbor' output: 'Peer LDP Ident: 10.0.0.2:0, Local LDP Ident: 10.0.0.1:0, TCP connection: 10.0.0.2.646 - 10.0.0.1.646, State: OPERATIONAL' but 'show mpls forwarding-table' for prefix 192.168.1.0/24 shows 'No label'. R2 has the same prefix in its routing table. What is the root cause?

A. R2 does not have MPLS enabled on the interface facing the prefix's origin; LDP only labels routes learned via MPLS-enabled interfaces.
B. R1 has an ACL blocking LDP label advertisement for prefix 192.168.1.0/24.
C. The MTU mismatch between R1 and R2 causes label distribution failure.
D. R1's MPLS forwarding table is full; no room for new labels.
Answer: A

If the prefix is learned via an interface without 'mpls ip', LDP will not assign a label, causing R1 to have no label in the forwarding table.

Why this answer

LDP neighbors are operational, but label binding may fail if the IGP (e.g., OSPF) has a route to the prefix but LDP does not advertise a label for it. This can occur if the prefix is a connected route on R2 but R2's LDP is not configured to advertise labels for connected routes (e.g., 'no mpls ldp advertise-labels' or route filtering). Alternatively, R2 may have the prefix via a different interface not running MPLS.

1662
MCQ · hard

A network engineer runs the following command to troubleshoot a SPAN issue:

    R1# show monitor session all
    Session 1
    ---------
    Type                   : Local Session
    Source Ports           :
        Both               : Gi0/0
    Destination Ports      : Gi0/1
        Encapsulation      : Native
              Ingress      : Disabled

    Session 2
    ---------
    Type                   : Remote Source Session
    Source Ports           :
        Both               : Gi0/2
    Destination RSPAN VLAN : 100

What does this output indicate?

A. Both sessions are correctly configured and can operate simultaneously.
B. Session 1 is misconfigured because it cannot coexist with an RSPAN session.
C. Session 2 is misconfigured because the RSPAN VLAN must be used only for RSPAN.
D. Both sessions are misconfigured because they use the same source port.
Answer: A

Multiple SPAN sessions can coexist on the same device.

Why this answer

The output shows two sessions: Session 1 is a local SPAN session, and Session 2 is an RSPAN source session. This is a valid configuration for multiple monitoring sessions.

1663
MCQ · hard

An engineer configures PBR with a route-map that sets the next-hop to 10.0.0.2 for traffic matching ACL 100. The route-map is applied inbound on interface GigabitEthernet0/1. Traffic from a host on that interface is forwarded via 10.0.0.2, but the engineer notices that packets with destination IP 10.0.0.2 itself are also being redirected, causing a loop. Why does this happen?

A. The ACL 100 inadvertently matches the router's own IP address as source.
B. PBR is applied outbound, causing packets to the router to be re-routed.
C. The set ip next-hop command does not check if the next-hop is the router itself, so packets destined to the router are forwarded instead of being processed locally.
D. The route-map has a default route that sends all traffic to 10.0.0.2.
Answer: C

PBR overrides local delivery; packets to the router's own IP are forwarded per the policy.

Why this answer

PBR processes all incoming packets, including those destined to the router itself. If the set next-hop points to the router's own IP, packets to that IP are forwarded back out, creating a loop. The route-map should include a match clause to exclude traffic destined to the router.

1664
MCQ · hard

A network engineer is troubleshooting an EIGRP adjacency that is not forming. Both routers are configured for EIGRP with BFD. The engineer checks the BFD session and sees it is 'Down'. The interface between the routers is up/up. The EIGRP configuration appears correct. What is the most likely cause?

A. The EIGRP process is configured with 'bfd all-interfaces' but the interface is not configured with 'eigrp bfd'.
B. The BFD timers are configured with 'bfd interval 50 min_rx 50 multiplier 3' on one router and 'bfd interval 100 min_rx 100 multiplier 3' on the other, causing a negotiation failure.
C. The interface is configured with 'ip address 10.0.0.1 255.255.255.252' but the neighbor is using a different subnet.
D. The EIGRP autonomous system number is mismatched between the two routers.
Answer: B

BFD timers must be compatible; if the required interval or multiplier values are not negotiable, the session will fail to come up.

Why this answer

EIGRP BFD requires that the BFD session be established before the EIGRP adjacency can form. If the BFD session is down, the issue is often a mismatch in BFD parameters or a lack of BFD configuration on one side.

1665
MCQ · easy

According to RFC 5424, which syslog severity level corresponds to 'Critical' conditions?

A. Severity 0
B. Severity 1
C. Severity 2
D. Severity 3
Answer: C

Severity 2 is defined as 'Critical' in RFC 5424.

Why this answer

RFC 5424 defines severity level 2 as 'Critical' conditions.

1666
MCQ · medium

Given the following OSPF configuration on router R2:

    router ospf 1
     network 10.0.0.0 0.255.255.255 area 0
     area 0 range 10.0.0.0 255.255.252.0

Which statement is true about this configuration?

A. Router R2 will advertise a summary route 10.0.0.0/22 into area 0 from other areas.
B. Router R2 will summarize routes from area 0 into other areas.
C. Router R2 will create a static route for 10.0.0.0/22.
D. Router R2 will filter all routes not within 10.0.0.0/22.
Answer: A

Correct. The area range command on an ABR summarizes routes from other areas into area 0.

Why this answer

The 'area range' command is used for inter-area route summarization on an ABR. It summarizes routes from one area into another, but only if the router is an ABR.

1667
MCQ · hard

What is the default metric value assigned to redistributed routes into IS-IS when no metric is specified?

A. 0
B. 10
C. 20
D. 63
Answer: A

IS-IS uses a default metric of 0 for redistributed routes, requiring manual configuration to set a meaningful metric.

Why this answer

By default, Cisco IOS assigns a metric of 0 to routes redistributed into IS-IS, which can cause suboptimal routing if not modified.

1668
MCQ · hard

Which statement correctly describes the default behavior of the 'flow monitor' in Flexible NetFlow regarding the collection of BGP next-hop information?

A. BGP next-hop is always collected by default in Flexible NetFlow monitors.
B. BGP next-hop is never collected in Flexible NetFlow, only in traditional NetFlow.
C. BGP next-hop is collected only if the flow record includes the 'match routing bgp next-hop' command.
D. BGP next-hop is collected by default only for IPv4 flows.
Answer: C

Correct. The BGP next-hop must be explicitly matched in the flow record.

Why this answer

By default, Flexible NetFlow does not collect BGP next-hop information unless explicitly configured in the flow record.

1669
MCQ · medium

A network engineer runs the following command to verify IPv6 binding table:

    R1# show ipv6 neighbors binding
    IPv6 Address   Age  Link-layer Addr  State   Interface  VLAN  Policy
    2001:db8::1    10   0011.2233.4455   REACH   Fa0/1      10    TRUSTED
    2001:db8::2    5    00aa.bbcc.ddee   STALE   Fa0/0      10    INSPECT
    2001:db8::3    0    1111.2222.3333   INCOMP  Fa0/0      10    -

What does this output indicate?

A. The binding table shows three entries: one reachable on trusted port, one stale on untrusted port, and one incomplete, indicating active ND learning.
B. The binding table is empty, indicating no ND activity.
C. The binding table shows all entries as reachable, indicating stable neighbor relationships.
D. The binding table is only for DHCPv6-learned addresses.
Answer: A

The output correctly shows the state and policy for each entry.

Why this answer

The show command displays the IPv6 binding table with entries learned via ND. The table shows reachable, stale, and incomplete entries with associated policies.

1670
MCQ · medium

A network engineer runs the following command to troubleshoot a Network Logging and Syslog issue:

    R1# show logging

Output:

    Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
        Console logging: level debugging, 100 messages logged
        Monitor logging: level debugging, 0 messages logged
        Buffer logging: level debugging, 100 messages logged
        Trap logging: level informational, 100 messages logged
            Logging to 192.168.1.100 (udp port 514, audit disabled)

What does this output indicate?

A. The router is logging all debug-level messages to the console, monitor, buffer, and a remote syslog server.
B. The router is only logging informational messages to the remote syslog server.
C. The router has dropped 100 messages due to buffer overflow.
D. The router is logging to a remote syslog server using TCP port 514.
Answer: A

Console, monitor, and buffer are set to debugging; trap (remote) is informational, so debug messages are not sent to the server.

Why this answer

The output shows that syslog logging is enabled and messages are being sent to a remote syslog server at 192.168.1.100. The buffer logging is at debugging level, which can consume resources.

1671
MCQ · hard

A network engineer runs the following command to debug MPLS LDP session establishment:

    R1# debug mpls ldp session

Output:

    *Mar 1 00:01:23.456: LDP: Session with 10.0.0.2:0 (0x1234) is UP
    *Mar 1 00:01:24.567: LDP: Session with 10.0.0.2:0 (0x1234) is DOWN
    *Mar 1 00:01:25.678: LDP: Session with 10.0.0.2:0 (0x1234) is UP
    *Mar 1 00:01:26.789: LDP: Session with 10.0.0.2:0 (0x1234) is DOWN

What does this output indicate?

A. The LDP session with 10.0.0.2 is flapping
B. The LDP session with 10.0.0.2 is stable
C. The LDP session with 10.0.0.2 is using targeted hello
D. The LDP session with 10.0.0.2 is down permanently
Answer: A

The session repeatedly transitions between UP and DOWN states, indicating flapping.

Why this answer

The debug output shows the LDP session with neighbor 10.0.0.2 is flapping (repeatedly going UP and DOWN). This indicates instability in the LDP session.

1672
MCQ · hard

An engineer enables uRPF (unicast Reverse Path Forwarding) in strict mode on an interface connected to a DMVPN spoke. The spoke has multiple tunnels and receives traffic from the hub with a source IP that is not the best reverse path. Unexpectedly, the spoke drops all traffic from the hub, even though the hub is reachable via the tunnel. Which is the most likely explanation?

A. uRPF strict mode requires the reverse path to be via the same interface; asymmetric routing causes drops.
B. The hub's IP address is not in the routing table, so uRPF drops the packet.
C. uRPF must be configured with the `allow-default` option to accept packets with default route.
D. uRPF is not supported on tunnel interfaces; it must be applied on the physical interface.
Answer: A

Strict mode fails if the return route uses a different interface, which is common in DMVPN.

Why this answer

uRPF strict mode checks that the source IP of incoming packets has a route back to the source via the same interface. In DMVPN, the hub's source IP may be reachable via a different interface (e.g., physical interface) than the tunnel interface where the packet arrives. This asymmetric routing causes uRPF strict mode to drop the packets.

The solution is to use loose mode or allow-default.

1673
Multi-Select · hard

Which THREE commands can be used to verify the current syslog configuration and message flow on a Cisco IOS device? (Choose THREE.)

Select 3 answers
A. show logging
B. debug logging
C. terminal monitor
D. show running-config | include logging
E. show log
Answers: A, C, D

Correct. This command displays the current logging configuration, buffer contents, and statistics such as messages logged and dropped.

Why this answer

The 'show logging' command displays the logging configuration, buffer contents, and statistics. The 'debug logging' command is not a verification command; it enables debugging of logging itself. The 'terminal monitor' command allows a user to see syslog messages on their terminal session.

The 'show running-config | include logging' filters the running configuration for logging-related lines. The 'show log' command is not valid in Cisco IOS; the correct command is 'show logging'.

1674
MCQ · medium

A network engineer runs the following command to troubleshoot a Control Plane Policing (CoPP) issue:

    R1# show bgp neighbors 10.1.1.2 advertised-routes
    BGP table version is 10, local router ID is 10.1.1.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S stale, m multipath, b backup-path, f RT-Filter,
                  x best-external, a additional-path, c RIB-compressed,
    Origin codes: i - IGP, e - EGP, ? - incomplete

         Network          Next Hop            Metric LocPrf Weight Path
     *>  10.2.2.0/24      0.0.0.0                  0         32768 i

    Total number of prefixes 1

What does this output indicate?

A. BGP is not advertising routes due to CoPP dropping update packets.
B. BGP is advertising routes correctly, and CoPP is not affecting outbound updates.
C. BGP is receiving routes but not advertising them due to CoPP.
D. BGP session is down due to CoPP.
Answer: B

The route is advertised with weight 32768, indicating local origin, and no errors are shown.

Why this answer

The command shows routes advertised to BGP neighbor 10.1.1.2. Only one prefix (10.2.2.0/24) is being advertised. This can be used to verify that CoPP is not preventing route advertisement, though the output does not show any errors.

1675
MCQ · hard

A network engineer applies a CoPP (Control Plane Policing) policy to a router running VRF-Lite. The policy includes a class that matches SSH traffic and polices it to 1 Mbps. After applying the policy, the engineer cannot SSH into the router from any VRF. Which is the most likely explanation?

A. The CoPP policy has an explicit 'deny' in the class-default, which drops all traffic not matched by other classes.
B. The SSH traffic is being policed to 1 Mbps, but the traffic rate is below that, so it should be allowed.
C. The CoPP policy is applied to the control plane of the VRF, not the global control plane, so it does not affect SSH traffic.
D. The SSH traffic is being matched by a different class that has a 'drop' action, such as a class for ICMP.
Answer: A

If class-default has a 'police' or 'drop' action, all unmatched traffic (including SSH) is dropped. The engineer should have added a 'class class-default' with 'police' or 'permit'.

Why this answer

CoPP policies are applied to the control plane and affect all traffic destined to the router, regardless of VRF. However, CoPP uses the global routing table for classification. If the SSH traffic is sourced from a VRF, the CoPP policy may not match it correctly because the class-map might be using 'match protocol' or 'match access-group' that is evaluated in the global context.

Additionally, the default class (class-default) often has a police action that drops traffic if not explicitly allowed. A common edge case is that the engineer forgot to include a 'class-default' action to permit traffic, causing all unmatched traffic to be dropped.

1676
Multi-Select · medium

Which TWO commands can be used to verify the MPLS L3VPN label forwarding table on a PE router? (Choose TWO.)

Select 2 answers
A. show mpls forwarding-table
B. show ip bgp vpnv4 vrf CUSTOMER_A labels
C. show mpls ldp bindings
D. show ip route vrf CUSTOMER_A
E. show mpls ldp neighbor
Answers: A, B

Displays the LFIB including VPN labels for all prefixes.

Why this answer

The 'show mpls forwarding-table' displays the LFIB with labels and next hops for all VPNv4 prefixes. The 'show ip bgp vpnv4 vrf <vrf-name> labels' shows the label assigned by the local PE for prefixes in a specific VRF. 'show mpls ldp bindings' shows LDP label bindings, not VPN labels. 'show ip route vrf <vrf-name>' shows the routing table, not labels. 'show bgp vpnv4 unicast all labels' is a valid alternative but not listed; 'show ip bgp vpnv4 vrf' with labels is correct.

1677
MCQ · easy

What is the default BFD multiplier (detection time multiplier) on Cisco IOS-XE?

A. 1
B. 2
C. 3
D. 4
Answer: C

The default multiplier is 3, as per Cisco IOS-XE defaults.

Why this answer

The default BFD multiplier is 3, meaning the detection time is 3 times the negotiated hello interval.

1678
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show ipv6 snooping policy
    Interface  Policy        Role          State
    Gi0/0/0    GUARD_POLICY  device-guard  ACTIVE
    Gi0/0/1    GUARD_POLICY  device-guard  ACTIVE
    Gi0/0/2    (default)     host          ACTIVE

Based on this output, which statement is correct?

A. Interface Gi0/0/2 is protected by the GUARD_POLICY policy.
B. Interface Gi0/0/2 is not protected by the custom guard policy and may be vulnerable to spoofing attacks.
C. All interfaces are equally protected by the same policy.
D. The role 'host' means Gi0/0/2 is acting as a device-guard.
Answer: B

The default policy provides minimal protection; the custom GUARD_POLICY is not applied to Gi0/0/2.

Why this answer

The output shows that interface Gi0/0/2 is using the default policy with role 'host', while Gi0/0/0 and Gi0/0/1 are configured with a specific policy named GUARD_POLICY and role 'device-guard'. This indicates that Gi0/0/2 is not protected by the custom guard policy, which could allow rogue DHCPv6 or ND messages on that interface.

1679
Drag & Drop · medium

Drag and drop the steps to configure a DHCP pool and relay agent on a Cisco router into the correct order, from first to last.

Why this order

First, you must define the DHCP pool with a name and network. Then, you set the default router and DNS server. Next, you exclude any addresses from the pool.

Finally, you enable the DHCP relay agent on the interface facing clients to forward requests to the DHCP server.

1680
MCQ · hard

A network engineer runs the following command on switch SW6:

    SW6# show monitor session 8
    Session 8
    ---------
    Type                   : Remote Source Session
    Source Ports           :
        Both               : Gi0/13
    Source VLANs           :
        TX Only            : 200
    Destination Ports      : Gi0/14
        Encapsulation      : Dot1q
              Ingress      : Disabled

Based on this output, which statement is correct?

A. The RSPAN source session sends mirrored traffic to Gi0/14 with a Dot1q tag.
B. The RSPAN source session sends mirrored traffic to Gi0/14 without any VLAN tag.
C. The session is an ERSPAN source session because it uses Dot1q encapsulation.
D. The session is misconfigured because source VLANs cannot be TX only.
Answer: A

The encapsulation type 'Dot1q' means the traffic is tagged with the RSPAN VLAN.

Why this answer

This is an RSPAN source session. It monitors source port Gi0/13 and source VLAN 200 (TX only), and sends the mirrored traffic to destination port Gi0/14 with Dot1q encapsulation. The Dot1q encapsulation indicates that the destination port is a trunk port carrying the RSPAN VLAN.

The session is correctly configured.

1681
MCQhard

What is the default maximum number of labels that can be imposed in the MPLS label stack on a Cisco IOS-XE router?

A.6 labels
B.3 labels
C.10 labels
D.Unlimited
AnswerA

The default maximum label stack depth is 6 labels.

Why this answer

The default maximum label stack depth is 6 labels on Cisco IOS-XE routers, though this can be increased with the 'mpls label range' command.

1682
MCQmedium

What is the default frequency (in seconds) for an IP SLA operation when no frequency is explicitly configured?

A.10 seconds
B.30 seconds
C.60 seconds
D.120 seconds
AnswerC

Correct. The default frequency for IP SLA operations is 60 seconds.

Why this answer

The default frequency for an IP SLA operation is 60 seconds. This means the probe is sent every 60 seconds unless a different frequency is configured under the IP SLA configuration.

1683
MCQhard

A network engineer configures SNMPv3 with authentication and privacy on a router. The NMS polls the router via the management interface. The engineer then adds a loopback interface and configures the router to send SNMP traps sourced from the loopback IP. The NMS stops receiving traps. Which is the most likely explanation?

A.The NMS is configured to accept traps only from the management interface IP address, not the loopback IP.
B.The loopback interface does not support SNMP trap generation.
C.The SNMP engine ID changed when the loopback interface was added.
D.The 'snmp-server trap-source' command requires a specific interface type.
AnswerA

NMS trap receivers often filter or authenticate based on source IP; if the source IP changes, traps may be dropped.

Why this answer

When traps are sourced from a different IP address, the NMS may not recognize the sender if it expects traps from the original IP. Additionally, if the loopback IP is not reachable from the NMS, traps are lost.

1684
MCQhard

Router R9 is configured with SNMP and NetFlow. The NMS uses SNMP to poll NetFlow statistics. The configuration includes: snmp-server community public RO, snmp-server enable traps netflow. However, the NMS cannot poll NetFlow MIB objects. The router's show snmp mib shows that the NetFlow MIB is not loaded. What is the root cause?

A.The NetFlow MIB is not loaded because NetFlow data export is not configured; the 'ip flow-export' command is missing.
B.The SNMP community string does not have read access to the NetFlow MIB.
C.The router's SNMP agent is not compatible with the NetFlow MIB.
D.The NMS is using an incorrect OID for NetFlow statistics.
AnswerA

The NetFlow MIB is only loaded when NetFlow is configured with 'ip flow-export' commands. Without it, the MIB is not available for SNMP polling.

Why this answer

NetFlow MIB is not loaded by default; it requires the 'ip flow-export' command to enable NetFlow and load the MIB. Additionally, the SNMP agent may need to have the MIB loaded via 'snmp-server mib' command. The correct answer is: 'The NetFlow MIB is not loaded because NetFlow data export is not configured; the 'ip flow-export' command is missing.'

1685
MCQeasy

In the context of NAT and PAT, what is the purpose of the ip nat translation timeout command?

A.It sets the timeout for static NAT entries.
B.It configures the timeout for all dynamic NAT translations globally.
C.It sets the timeout only for TCP translations.
D.It configures the timeout for translations on a specific interface.
AnswerB

Correct. This command sets the global timeout for dynamic NAT entries.

Why this answer

The ip nat translation timeout command globally modifies the timeout value for dynamic NAT translations. It affects all protocols unless overridden by protocol-specific timers (e.g., ip nat translation udp-timeout).

1686
MCQmedium

A network engineer runs the following command to troubleshoot an EIGRP issue:

    R1# debug eigrp packets
    EIGRP: Received HELLO on GigabitEthernet0/0 nbr 10.1.1.2 AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
    EIGRP: Sending HELLO on GigabitEthernet0/0 AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
    EIGRP: Received UPDATE on GigabitEthernet0/0 nbr 10.1.1.2 AS 100, Flags 0x1, Seq 1/0 idbQ 0/0 iidbQ un/rely 0/0
    EIGRP: Sending UPDATE on GigabitEthernet0/0 nbr 10.1.1.2 AS 100, Flags 0x1, Seq 2/1 idbQ 0/0 iidbQ un/rely 0/0

What does this output indicate?

A.EIGRP adjacency is forming and routes are being exchanged successfully.
B.EIGRP adjacency is stuck in INIT state because no hello packets are received.
C.EIGRP is experiencing authentication failures.
D.EIGRP is only sending hellos but not receiving updates.
AnswerA

The debug shows HELLO and UPDATE packets with proper sequence numbers, confirming adjacency and route exchange.

Why this answer

The debug output shows normal EIGRP hello and update packet exchange between neighbors. The sequence numbers increment properly, indicating adjacency is established and routes are being exchanged without errors.

1687
MCQmedium

A network engineer is troubleshooting MPLS L3VPN where traffic from CE1 to CE2 is being dropped. On PE1, show mpls forwarding-table shows that the label for the BGP next-hop is 'Pop tag' (implicit null). The engineer checks the remote PE and sees that it is advertising implicit null for the BGP next-hop. What is the most likely reason for the traffic drop?

A.The remote PE does not have the CE route in its VRF.
B.The penultimate hop is not popping the label correctly.
C.The MTU on the link between P and PE2 is too small.
D.The remote PE is configured with explicit null for the BGP next-hop.
AnswerA

Correct because after label pop, the packet is forwarded as IP; if the remote PE lacks the VRF route, it drops the packet.

Why this answer

Implicit null (pop tag) means the penultimate hop pops the label and forwards the IP packet. If the traffic is dropped, the issue is likely that the remote PE does not have a route to the CE in its VRF, so it drops the IP packet after label pop.

1688
MCQhard

An engineer configures BFD on an OSPF link between two routers. The BFD session comes up, but OSPF remains stuck in EXSTART state. The engineer verifies that IP connectivity is fine and OSPF hello packets are exchanged. What is the most likely cause?

A.An MTU mismatch between the two routers causes the DBD packets to be dropped, preventing OSPF from progressing past EXSTART.
B.BFD is not configured with the 'bfd all-interfaces' command under OSPF, causing OSPF to ignore BFD state changes.
C.The OSPF network type is set to point-to-multipoint on one side and broadcast on the other, preventing the adjacency from forming.
D.The BFD minimum interval is set too low, causing BFD to flap and reset the OSPF adjacency repeatedly.
AnswerA

Correct. OSPF DBD packets are sized based on the interface MTU. A mismatch causes the larger DBD to be dropped, halting the adjacency while BFD remains up.

Why this answer

BFD can cause OSPF to remain stuck in EXSTART if there is an MTU mismatch on the link. OSPF uses the interface MTU to determine the size of Database Description (DBD) packets. If the MTU is mismatched, the larger DBD packet is silently dropped by the receiving router, preventing the exchange of LSAs.

BFD does not detect this because BFD packets are small and unaffected by MTU issues.

1689
MCQmedium

A network engineer runs the following command on Router PE1:

    PE1# show mpls forwarding-table 192.168.1.0 24
    Local   Outgoing    Prefix            Bytes Label   Outgoing    Next Hop
    Label   Label       or Tunnel Id      Switched      interface
    16      Pop Label   192.168.1.0/24    0             Gi0/0       10.1.1.2
    17      22          192.168.1.0/24    0             Gi0/1       10.2.2.2

Based on this output, which statement is correct?

A.The router is performing load balancing across two LSPs for prefix 192.168.1.0/24.
B.The router has a routing loop for prefix 192.168.1.0/24.
C.Penultimate Hop Popping is disabled on this router.
D.The prefix 192.168.1.0/24 is learned via BGP from two different neighbors.
AnswerA

Two forwarding entries for the same prefix with different outgoing interfaces and labels indicate ECMP load balancing.

Why this answer

The show mpls forwarding-table output shows two entries for the same prefix. The first entry has 'Pop Label' as outgoing label, meaning PHP (Penultimate Hop Popping) is in use for that path. The second entry has label 22, indicating a different LSP.

The presence of two entries for the same prefix suggests load balancing across two equal-cost paths.

1690
MCQhard

An engineer configures 'ipv6 nd suppress' on a switch port to prevent the switch from sending Router Advertisements. However, after this configuration, hosts on that port cannot obtain IPv6 addresses via SLAAC, even though a router on another port is sending RAs. What is the most likely explanation?

A.The 'ipv6 nd suppress' command blocks all RA traffic on the port, including RAs forwarded from other ports.
B.The router's RAs are being filtered by an ACL on the switch.
C.The hosts must be configured to use DHCPv6 instead of SLAAC.
D.The switch port is in a different VLAN than the router.
AnswerA

Suppress prevents any RA from being sent or forwarded on that port.

Why this answer

The 'ipv6 nd suppress' command on a switch port prevents the switch from sending RAs, but it does not forward RAs from other routers. In fact, on some platforms, 'ipv6 nd suppress' also blocks the forwarding of RAs received on other ports to that port, because the switch treats the port as a host port. This is an edge case where the command is misunderstood: it suppresses all RA traffic on that port, both outgoing and incoming (forwarded).

The hosts never receive the router's RAs.

1691
MCQhard

A network engineer is troubleshooting a route redistribution issue between two OSPF processes. Router R1 runs OSPF process 1 and OSPF process 2, and redistributes routes between them. The engineer notices that routes from OSPF process 1 are not appearing in the OSPF database of process 2, even though the redistribute command is configured. The show ip ospf database command on R1 for process 2 shows no external routes. What is the most likely cause?

A.The redistribute ospf 1 command under OSPF process 2 is missing the subnets keyword.
B.OSPF process 1 has a higher administrative distance than OSPF process 2.
C.The redistribute ospf 1 command under OSPF process 2 is missing the match internal keyword.
D.OSPF process 2 has a route map applied that is filtering all routes.
AnswerA

Correct: Without subnets, only classful networks are redistributed, causing many missing routes.

Why this answer

When redistributing between OSPF processes, the redistribute command must include the subnets keyword to redistribute classless subnets. Without it, only classful networks are redistributed, which may cause many routes to be missing.

1692
MCQmedium

A network engineer runs the following command to verify redistribution with route-maps:

    R1# show ip route 10.10.10.0 255.255.255.0
    Routing entry for 10.10.10.0/24
      Known via "eigrp 100", distance 170, metric 2560002816
      Tag 100, type internal
      Last update from 10.1.1.2 on GigabitEthernet0/0, 00:00:45 ago
      Routing Descriptor Blocks:
      * 10.1.1.2, from 10.1.1.2, 00:00:45 ago, via GigabitEthernet0/0
          Route metric is 2560002816, traffic share count is 1
          Total delay is 2000 microseconds, minimum bandwidth is 100000 Kbit
          Reliability 255/255, minimum MTU 1500 bytes
          Loading 1/255, Hops 1

What does the 'Tag 100' indicate?

A.The route was originated by EIGRP autonomous system 100.
B.The route has a tag of 100, likely set by a route-map during redistribution.
C.The route is internal to EIGRP and has a metric of 100.
D.The route is from a BGP AS 100.
AnswerB

The 'Tag 100' is a route tag, commonly set by a route-map to mark routes for filtering or administrative purposes.

Why this answer

The 'Tag 100' indicates that a route-map applied during redistribution set the tag to 100. Route tags are often used for filtering or administrative purposes during redistribution.

1693
MCQhard

A large enterprise network is experiencing intermittent loss of reachability to a critical subnet 10.10.10.0/24 from remote sites. Router R1 has the following relevant configuration:

    interface GigabitEthernet0/0
     ip address 192.168.1.1 255.255.255.0
     ip summary-address eigrp 100 10.10.0.0 255.255.252.0

On Router R2, show ip route eigrp | include 10.10.10.0 outputs nothing, but show ip eigrp topology all-links shows 10.10.10.0/24 via 192.168.1.1 with a feasible distance of 1280. What is the root cause?

A.The EIGRP summary address 10.10.0.0/22 is configured on the wrong interface; it should be on the interface facing the remote site.
B.The EIGRP summary address 10.10.0.0/22 is causing R1 to suppress the advertisement of 10.10.10.0/24, and R2 does not have a route to the summary because the summary route is not installed in R1's routing table.
C.Split horizon is enabled on R1's GigabitEthernet0/0, preventing the advertisement of 10.10.10.0/24 learned from another interface.
D.The EIGRP metric for 10.10.10.0/24 is too high, causing it to be suppressed by the summary route.
AnswerB

The summary suppresses the specific route, but if the summary is not installed (e.g., no discard route), R2 never learns any route to 10.10.10.0/24.

Why this answer

The ip summary-address eigrp 100 10.10.0.0 255.255.252.0 command on R1's GigabitEthernet0/0 creates a local summary route that suppresses all more-specific routes within the 10.10.0.0/22 range, including 10.10.10.0/24, from being advertised out that interface. However, the summary route itself is not installed in R1's routing table unless a component route exists in the table, which may not be the case if the specific route is learned via another interface or is not present. As a result, R2 never receives either the specific /24 or the summary /22, leading to the intermittent loss of reachability.

Exam trap

Cisco often tests the nuance that EIGRP summary routes suppress more-specific routes but are only advertised if a component route exists in the routing table, leading candidates to incorrectly assume the summary is always advertised or that the issue is with split horizon or interface placement.

How to eliminate wrong answers

Option A is wrong because the summary address is correctly placed on the interface facing the remote site (GigabitEthernet0/0), which is the outbound interface toward R2; moving it to another interface would not solve the suppression issue. Option C is wrong because split horizon prevents routes learned on an interface from being advertised back out the same interface, but the 10.10.10.0/24 route is not learned on GigabitEthernet0/0; it is suppressed by the summary, not by split horizon. Option D is wrong because EIGRP summary routes do not use metric comparison to suppress more-specific routes; the suppression is automatic based on the prefix range, regardless of the metric of the specific route.

1694
MCQhard

An engineer configures EIGRP named mode with an offset-list applied to the EIGRP topology table. The offset-list increases the metric of a route learned from a neighbor. However, the route is still used as the successor even though the offset-list increased its metric above the feasible distance (FD) of another route. Which is the most likely explanation?

A.The offset-list is applied to the wrong interface; it must be applied to the outgoing interface.
B.The offset-list only affects the advertised distance (AD), not the feasible distance (FD).
C.The offset-list is applied in classic mode, but the router is running named mode.
D.The offset-list value is too small to change the successor; a larger value is needed.
AnswerB

Offset-list modifies the metric of the route but does not update the FD, which is the metric of the best path at the time of learning.

Why this answer

In EIGRP named mode, the offset-list is applied to the route's metric in the topology table, but it does not affect the feasible distance (FD) calculation. The FD is computed from the original metric before the offset. The successor is chosen based on the FD, not the offset metric, so the route remains the successor.

1695
MCQmedium

Which of the following best describes the behavior of BGP when an 'aggregate-address' command is used without the 'summary-only' keyword?

A.The aggregate route is advertised, and all more specific routes are also advertised.
B.Only the aggregate route is advertised.
C.The aggregate route is not advertised unless a network command exists for it.
D.The more specific routes are withdrawn from the BGP table.
AnswerA

Correct. Without summary-only, both aggregate and specifics are advertised.

Why this answer

Without the summary-only keyword, BGP advertises both the aggregate route and the more specific routes that are in the BGP table.

1696
Multi-Selecthard

Which TWO actions will prevent an ISATAP tunnel from forming correctly? (Choose TWO.)

Select 2 answers
A.Configuring the tunnel destination with the IPv4 address of the ISATAP client itself.
B.Using a private IPv4 address as the tunnel source on the ISATAP router.
C.Configuring the ISATAP interface ID as ::5EFE:xxxx.
D.Setting the tunnel mode to ipv6ip.
E.Adding a static IPv6 route pointing to the ISATAP tunnel interface.
AnswersA, B

Correct. The tunnel destination should be the ISATAP router's IPv4 address, not the client's own address.

Why this answer

Option A is correct because in an ISATAP tunnel, the tunnel destination must be the IPv4 address of the ISATAP client (which is dynamically derived from the ISATAP interface ID). Configuring the tunnel destination with the client's own IPv4 address creates a loopback tunnel that cannot forward traffic, preventing the tunnel from forming correctly. The ISATAP router automatically derives the destination from the IPv4 address embedded in the ISATAP interface ID; manually setting it to the client's address breaks the automatic mapping.

Exam trap

Cisco often tests the misconception that the tunnel destination must be explicitly configured, when in fact ISATAP automatically derives it from the interface ID, and manually setting it to the client's own address breaks the tunnel.

1697
MCQhard

R1 and R2 are eBGP peers. R1 advertises a prefix 192.168.1.0/24 with MED 50. R2 also receives the same prefix from another eBGP peer R3 with MED 100. R2's BGP best path selection chooses the path via R1 because of lower MED. However, R2's routing table shows the next-hop for 192.168.1.0/24 as 10.1.1.1 (R1), but R2 cannot ping 192.168.1.1. R2 has: interface GigabitEthernet0/0, ip address 10.1.1.2 255.255.255.0, and no ip route to 192.168.1.0/24 other than BGP. R1's interface to R2 has ip address 10.1.1.1 255.255.255.0. R1's BGP table shows the prefix with next-hop 10.1.1.1 (self). What is the root cause?

A.R1 does not have the prefix 192.168.1.0/24 in its routing table because the next-hop for that prefix in R1's BGP table is unreachable.
B.R2's MED comparison is incorrect; lower MED should be preferred, but R2 should have chosen R3.
C.R2 is missing a static route to 192.168.1.0/24.
D.R1 should use next-hop-self when advertising to R2.
AnswerA

R1's BGP table may have the prefix, but if the next-hop is not reachable (e.g., due to missing route), R1 will not install it in the routing table, causing forwarding failure.

Why this answer

The issue is that R1 is advertising the prefix with next-hop 10.1.1.1, which is the interface IP of R1 towards R2. R2 installs the route with that next-hop, and since it is directly connected, R2 can reach it. However, R1 may not have a route to 192.168.1.0/24 in its routing table (e.g., it learned it via iBGP but did not install it due to next-hop unreachable or other issue).

R1's BGP table shows the prefix, but if the next-hop is not reachable in R1's routing table, R1 will not install it in the routing table, and thus cannot forward packets. The root cause is that R1 does not have a valid route to the next-hop of the prefix it is advertising, so it cannot forward traffic.

1698
MCQhard

An engineer configures SPAN on a Cisco switch to monitor traffic from a source VLAN. Unexpectedly, BPDU guard shuts down the monitoring port when a switch is connected to it. Which is the most likely explanation?

A.The SPAN destination port is configured with spanning-tree bpduguard enable, and a BPDU from the connected switch triggers errdisable.
B.The SPAN source VLAN includes the native VLAN, causing BPDUs to be forwarded to the destination port.
C.The SPAN destination port is in the same VLAN as the source, causing a loop that triggers BPDU guard.
D.The switch has PortFast enabled on the SPAN destination port, which automatically enables BPDU guard.
AnswerA

BPDU guard on a SPAN destination port causes errdisable upon BPDU reception, despite SPAN disabling STP on that port.

Why this answer

SPAN destination ports do not participate in spanning tree, but BPDU guard still operates on them if configured globally or per interface. When a BPDU is received on a SPAN destination port, BPDU guard errdisables the port, even though the port is not forwarding traffic.

1699
MCQmedium

A network engineer runs the following commands on Router R1:

    R1# show ip nat translations
    Pro   Inside global   Inside local   Outside local   Outside global
    ---   192.0.2.10      10.0.0.10      203.0.113.5     203.0.113.5
    ---   192.0.2.11      10.0.0.11      203.0.113.5     203.0.113.5

    R1# show ip nat statistics
    Total active translations: 2 (0 static, 2 dynamic; 0 extended)
    Outside interfaces:
      GigabitEthernet0/1
    Inside interfaces:
      GigabitEthernet0/0
    Hits: 20  Misses: 0
    CEF Translated packets: 20, CEF Punted packets: 0
    Expired translations: 0
    Dynamic mappings:
    -- Inside Source
    [Id] ip nat pool POOL1 192.0.2.10 192.0.2.20 netmask 255.255.255.240 refcount 2 map-id 1
    [Id] ip nat inside source list ACL1 pool POOL1 refcount 2

Based on this output, which statement is correct?

A.NAT is configured without PAT; each inside host uses a unique global address.
B.PAT is enabled, but only two translations are active.
C.The pool is exhausted because two addresses are used.
D.Static NAT is configured for both hosts.
AnswerA

The statistics show 0 extended translations, and the mapping lacks 'overload'. The translations show different inside global addresses for each inside local.

Why this answer

The output shows dynamic NAT without overload (no 'overload' keyword in the mapping, and 0 extended translations). Each inside host gets a unique inside global address. This is basic NAT, not PAT.

The correct answer is that NAT is working without PAT.

1700
MCQhard

VRF route leaking between two VRFs is causing unexpected reachability to a sensitive subnet. Router R1 has the following relevant configuration:

    vrf definition BLUE
     rd 100:1
     !
     address-family ipv4
      route-target export 100:1
      route-target import 100:2
    vrf definition RED
     rd 100:2
     !
     address-family ipv4
      route-target export 100:2
      route-target import 100:1
    interface GigabitEthernet0/0
     vrf forwarding BLUE
     ip address 10.1.1.1 255.255.255.0
    interface GigabitEthernet0/1
     vrf forwarding RED
     ip address 10.2.2.1 255.255.255.0
    router ospf 1 vrf BLUE
     network 10.1.1.0 0.0.0.255 area 0
    router ospf 2 vrf RED
     network 10.2.2.0 0.0.0.255 area 0

A ping from a host in BLUE VRF to 10.2.2.2 (RED VRF) succeeds, but it should not. What is the root cause?

A.Route-target import/export is symmetric, causing full route exchange; use route-map to filter.
B.The OSPF process IDs are different; they should be the same for route leaking.
C.The network commands are missing the vrf keyword; add vrf BLUE/RED.
D.The interfaces are in the wrong VRF; move GigabitEthernet0/1 to BLUE.
AnswerA

Both VRFs import each other's routes, so all routes are leaked. Route-maps can restrict which prefixes are imported.

Why this answer

The route-target import/export configuration is bidirectional, causing full route leaking between VRFs. This allows hosts in BLUE to reach RED subnets. The correct fix is to use import/export only for specific prefixes or use route-maps to control leaking.

1701
MCQhard

A large enterprise network is experiencing intermittent reachability to a subnet 10.1.1.0/24 from the rest of the network. Router R1 has the following relevant configuration:

    router eigrp 100
     redistribute ospf 1 metric 10000 100 255 1 1500
    !
    router ospf 1
     redistribute eigrp 100 subnets
     summary-address 10.0.0.0 255.255.0.0
    !
    interface GigabitEthernet0/0
     ip summary-address eigrp 100 10.0.0.0 255.255.0.0 5

Router R2 shows:

    R2# show ip route 10.1.1.0
    Routing entry for 10.0.0.0/16, supernet
      Known via "eigrp 100", distance 90, metric 128256
      Redistributing via eigrp 100
      Last update from 10.10.10.1 on GigabitEthernet0/1

What is the root cause?

A.The OSPF summary-address command on R1 is blocking the redistribution of the specific /24 route.
B.The EIGRP metric values are too high, causing the route to be unreachable.
C.The redistribute ospf command under EIGRP is missing the subnets keyword.
D.The route is being filtered by a distribute-list on R2.
AnswerA

The OSPF summary-address creates an aggregate route, and combined with the EIGRP interface summary, the specific /24 is suppressed.

Why this answer

The issue is that R1 has both an OSPF summary-address and an EIGRP interface summary-address, causing the more specific /24 route to be suppressed by the /16 summary. The EIGRP summary-address command on the interface creates a null0 summary route, and the OSPF redistribution of the EIGRP summary further aggregates, losing the specific prefix. The fix is to remove the interface summary-address or adjust the summary to include the specific subnet.

1702
MCQeasy

A network engineer runs the following command to troubleshoot an IPv4 Access Control Lists issue:

    R1# show access-lists 120
    Extended IP access list 120
        10 permit tcp 192.168.1.0 0.0.0.255 any eq 80
        20 permit tcp 192.168.2.0 0.0.0.255 any eq 443
        30 deny ip any any log

What does this output indicate?

A.The ACL permits HTTP traffic from 192.168.1.0/24 and HTTPS traffic from 192.168.2.0/24, and denies all other traffic with logging.
B.The ACL permits all traffic from 192.168.1.0/24 and 192.168.2.0/24.
C.The ACL denies all traffic from 192.168.1.0/24 and 192.168.2.0/24.
D.The ACL is applied inbound on an interface and is blocking all traffic.
AnswerA

The ACL entries match this description.

Why this answer

The output shows an extended ACL with two permit statements: the first permits TCP traffic from 192.168.1.0/24 to any destination on port 80 (HTTP), and the second permits TCP traffic from 192.168.2.0/24 to any destination on port 443 (HTTPS). The final deny ip any any log statement explicitly denies all other IP traffic and logs matches, which is standard practice for ACL troubleshooting. Therefore, option A correctly describes the ACL's behavior.

Exam trap

Cisco often tests the ability to read ACL output precisely, and the trap here is that candidates may overlook the specific port restrictions (eq 80 and eq 443) and assume the ACL permits all traffic from the source networks, or misinterpret the 'log' keyword as affecting the permit/deny action.

How to eliminate wrong answers

Option B is wrong because the ACL does not permit all traffic from the specified subnets; it only permits HTTP from 192.168.1.0/24 and HTTPS from 192.168.2.0/24, and denies everything else. Option C is wrong because the ACL does not deny traffic from those subnets; it explicitly permits specific traffic from them. Option D is wrong because the output does not indicate where the ACL is applied (inbound or outbound) or that it is blocking all traffic; it only shows the ACL's configured entries, and the implicit deny at the end is standard, not a sign of blocking all traffic.

1703
MCQhard

A large enterprise uses IP SLA to track a route to a remote site via an MPLS L3VPN. Router R1 (PE) has:

    ip sla 8
     icmp-echo 10.10.10.10 source-ip 192.168.1.1
     frequency 10
    ip sla schedule 8 life forever start-time now
    track 8 ip sla 8 reachability
    ip route vrf CUSTOMER 10.10.10.0 255.255.255.0 192.168.1.2 track 8

The MPLS network is operational, but the route is intermittently removed. Show output on R1:

    show ip route vrf CUSTOMER 10.10.10.0
    Routing entry for 10.10.10.0/24
      Known via "static", distance 1, metric 0
      Last update from 192.168.1.2 on GigabitEthernet0/0
      * 192.168.1.2, via GigabitEthernet0/0

But the track is down:

    show track 8
    Track 8
      IP SLA 8 reachability
      Reachability is Down
        3 changes, last change 00:00:15

What is the root cause?

A.The IP SLA is not configured with the vrf CUSTOMER keyword, so the probe is sent in the global table and cannot reach the target in the VRF.
B.The MPLS label distribution is failing, causing the IP SLA probe to be dropped.
C.The source IP 192.168.1.1 is not in the VRF CUSTOMER, so the probe cannot be sourced correctly.
D.The track 8 is not supported for VRF routes.
AnswerA

The IP SLA must be VRF-aware to send probes within the VRF; otherwise, the probe fails and the track goes down, but the route might still be installed due to other factors.

Why this answer

The IP SLA probe is sent to 10.10.10.10, but the source IP is 192.168.1.1. In an MPLS L3VPN, the VRF CUSTOMER might have a different routing table. The probe is sent in the global table unless configured with vrf.

The correct answer is that the IP SLA is not VRF-aware, so the probe fails, but the static route is still installed because the track is down but the route is not removed immediately due to the delay or because the route is still in the table from a previous state.

1704
MCQmedium

A network engineer runs the following command to troubleshoot OSPF neighbor states:

    R1# show ip ospf neighbor detail
     Neighbor 2.2.2.2, interface address 10.1.1.2
        In the area 0 via interface GigabitEthernet0/0
        Neighbor priority is 1, State is FULL, 6 state changes
        DR is 10.1.1.2, BDR is 10.1.1.1
        Options is 0x42 (LLS, DC)
        LLS Options is 0x1 (LR)
        Dead timer due in 00:00:36
        Neighbor is up for 00:12:34
        Index 1/1/1 Retransmission queue length 0, number of retransmission 1
        First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)
        Last retransmission scan length is 1, maximum is 1
        Last retransmission scan time is 0 msec, maximum is 0 msec

What does this output indicate?

A.The neighbor is in the 2WAY state and not fully adjacent.
B.The neighbor is the DR and the adjacency is fully established.
C.There is a retransmission queue issue causing packet loss.
D.The neighbor is not participating in DR/BDR election.
AnswerB

The DR is 10.1.1.2 (neighbor's address) and state is FULL.

Why this answer

The output shows detailed OSPF neighbor information, including state, DR/BDR roles, and timers.

1705
MCQhard

A network engineer is troubleshooting IPv6 connectivity issues on a multi-access segment where Router R1 and Router R2 are both acting as default routers. Hosts on the segment are not using R1 as a preferred router, even though R1 has a higher router preference. Router R1 has the following relevant configuration:

    interface GigabitEthernet0/0
     ipv6 address 2001:DB8:1::1/64
     ipv6 nd router-preference high
    !

On Router R2, debug ipv6 nd output indicates that R2 is sending RAs with default preference (medium). What is the root cause?

A.Router R1's RA interval is set too high, causing hosts to prefer R2's more frequent RAs.
B.An IPv6 ACL applied to the interface is blocking Router Advertisements from R1.
C.Router R2 is configured with 'ipv6 nd router-preference high' as well, overriding R1's preference.
D.Hosts are configured to ignore router preference due to a security policy.
AnswerB

An ACL with an implicit deny can block RAs, even if the router is configured to send them with high preference.

Why this answer

The 'ipv6 nd router-preference high' command sets the preference in RAs, but if the host's operating system or implementation does not support RFC 4191 (Default Router Preferences), it may ignore the preference field. However, the more common issue is that R1's RAs are being suppressed or filtered. The correct answer identifies that R1 has an IPv6 ACL blocking outgoing RAs, a subtle interaction between First Hop Security and ACLs.

1706
MCQmedium

A network engineer is troubleshooting an MPLS L3VPN where CE1 cannot reach CE2. The PE routers are running OSPF as the IGP and LDP for label distribution. On PE1, the engineer sees that the VRF route for CE2's subnet is present, but the corresponding MPLS label is missing in the LFIB. The show mpls ldp neighbor command shows LDP neighbors are up. What is the most likely cause of the missing label?

A.LDP is not enabled on the interface facing the next-hop router.
B.The VRF route is not redistributed into BGP on the remote PE.
C.MTU mismatch on the link between PE1 and P causes label imposition failure.
D.The mpls label protocol ldp command is missing under the VRF.
AnswerA

Correct because LDP must be enabled on the interface that connects to the next-hop router to assign a label for the IGP route, which is used to resolve the BGP next-hop in MPLS VPN.

Why this answer

The missing label in the LFIB despite the VRF route being present indicates that LDP is not binding a label to the BGP next-hop of the VPN route. Since the IGP route to the BGP next-hop is present but LDP has not assigned a label for it, the issue is likely that LDP is not enabled on the interface facing the next-hop router.

1707
MCQmedium

Examine this partial configuration on router R3:

    flow record RECORD-2
     match ipv4 source address
     match ipv4 destination address
     match ipv4 protocol
     match transport source-port
     match transport destination-port
     collect counter bytes
     collect counter packets
    !
    flow monitor MONITOR-3
     record RECORD-2
     cache timeout active 60
     cache timeout inactive 15
    !
    interface GigabitEthernet0/3
     ip flow monitor MONITOR-3 input
     ip flow monitor MONITOR-3 output
    !

Which statement is true about this configuration?

A.The router will create separate flow records for traffic entering and leaving GigabitEthernet0/3, doubling the cache entries.
B.The router will aggregate input and output flows into a single cache entry for each unique flow.
C.The inactive timeout of 15 seconds will cause flows to be exported only after 15 seconds of inactivity, overriding the active timeout.
D.The configuration is invalid because a flow monitor cannot be applied to both input and output on the same interface.
AnswerA

Applying the same flow monitor in both input and output directions creates separate flow entries for each direction, effectively doubling the cache usage.

Why this answer

This question tests understanding of bidirectional flow monitoring and cache timeout interaction.

1708
MCQhard

An MPLS network uses LDP for label distribution with IPv6. Router R1 and R2 are LDP peers. R1 has an IPv6 ACL applied inbound on the interface facing R2 that permits only TCP port 646 (LDP) and denies all other traffic. On R2, 'show mpls ldp neighbor' indicates the neighbor is up, but 'show mpls forwarding-table' shows no labels for IPv6 prefixes. R1's 'show mpls ldp bindings' shows labels for all prefixes. What is the root cause?

A.The ACL blocks UDP port 646, which is used for LDP label advertisement messages, preventing label distribution.
B.LDP session is established but the routers have mismatched label ranges, causing no label bindings.
C.IPv6 CEF is not enabled on R1, preventing label imposition.
D.R2 has an outbound ACL blocking LDP packets, causing asymmetric filtering.
AnswerA

LDP uses TCP for session but UDP for initial discovery and some label advertisements. Blocking UDP 646 stops label exchange.

Why this answer

LDP uses UDP for discovery (hello) and TCP for session. The ACL permits TCP 646, so the session is established. However, LDP also uses UDP for targeted hellos or link hellos, and the ACL blocks UDP 646, preventing proper label exchange.

The bindings exist but are not advertised because the UDP-based label advertisement is blocked.

1709
MCQmedium

A network engineer runs the following command on Router R1:

    R1# show ip vrf interfaces
    Interface              VRF     IP Address      Protocol
    GigabitEthernet0/0     BLUE    10.1.1.1        up
    GigabitEthernet0/1     BLUE    10.1.2.1        up
    GigabitEthernet0/2     RED     192.168.1.1     up
    Loopback0              BLUE    10.0.0.1        up
    Loopback1              RED     192.168.0.1     up

Based on this output, which statement is correct?

A.All interfaces are in the global routing table.
B.GigabitEthernet0/2 is in VRF RED with IP address 192.168.1.1.
C.Loopback0 is in VRF RED.
D.GigabitEthernet0/1 has IP address 10.1.2.2.
AnswerB

The output shows GigabitEthernet0/2 is in VRF RED with IP 192.168.1.1 and protocol up.

Why this answer

The 'show ip vrf interfaces' command displays all interfaces assigned to VRFs and their IP addresses. The output shows that GigabitEthernet0/0, GigabitEthernet0/1, and Loopback0 are in VRF BLUE, while GigabitEthernet0/2 and Loopback1 are in VRF RED. There are no interfaces in the global routing table shown here, but that is normal for VRF-Lite.

1710
Drag & Drophard

Drag and drop the steps to troubleshoot a BFD adjacency or connectivity failure into the correct order, from first to last.

Why this order

Start by checking basic IP connectivity to isolate layer 3 issues, then verify BFD parameters match on both sides, inspect BFD session state, check for interface or routing protocol mismatches, and finally enable debug to capture BFD packet exchange.

1711
Multi-Selecthard

Which TWO actions will prevent a Cisco IOS router from acting as a DHCPv4 server for a specific VLAN? (Choose TWO.)

Select 2 answers
A.Configure 'no ip dhcp server' under the interface associated with the VLAN.
B.Configure 'ip dhcp excluded-address' for the entire subnet of the VLAN.
C.Disable DHCP snooping on the VLAN using 'no ip dhcp snooping vlan <vlan-id>'.
D.Configure 'ip dhcp relay information trusted' on the interface.
E.Use the global command 'no service dhcp'.
AnswersA, C

Correct. This command disables the DHCP server functionality on that specific interface, preventing it from responding to DHCP requests on that VLAN.

Why this answer

To prevent a router from offering DHCP services on a VLAN, you can either disable DHCP snooping on that VLAN (if snooping is enabled globally) or use the 'no ip dhcp server' command under the interface. Alternatively, you can configure the interface with 'ip dhcp relay information trusted' but that does not prevent server operation. The 'ip dhcp excluded-address' command only excludes specific addresses from the pool, not entire VLANs.

The 'service dhcp' command globally enables or disables DHCP, not per-VLAN.

1712
MCQmedium

In IPv6 First Hop Security, what is the purpose of the 'device-role' command in a DHCP guard policy?

A.It specifies whether the interface is a server, client, or relay for DHCP filtering.
B.It sets the trust level for ND inspection.
C.It defines the VLAN membership for the interface.
D.It enables IPv6 routing on the interface.
AnswerA

The role dictates the expected DHCP message types on that interface.

Why this answer

The 'device-role' command defines whether the interface is a DHCP server, client, or relay. This determines which DHCP messages are allowed.

1713
Drag & Drophard

Drag and drop the steps to troubleshoot EIGRP adjacency or connectivity failures into the correct order, from first to last.

Why this order

Start by checking the EIGRP neighbor table to confirm adjacency state, then verify interface status and MTU mismatch, review K-value mismatches, inspect ACLs that might block EIGRP packets, and finally check for authentication mismatches.

1714
MCQhard

A network engineer runs the following command to troubleshoot an EEM issue:

    R1# show event manager environment all
    No.  Variable Name       Value
    1    _exit_status        1
    2    _event_type         syslog
    3    _syslog_msg         %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on GigabitEthernet0/0 from LOADING to FULL, Loading Done
    4    _syslog_severity    5
    5    _syslog_facility    OSPF
    6    _syslog_mnemonic    ADJCHG

What does this output indicate?

A.The environment variables show that a syslog event with mnemonic ADJCHG triggered, and the applet can use these variables in actions.
B.The environment variables are configured manually by the engineer to define the applet behavior.
C.The output shows the current state of all EEM applets and their variables.
D.The _exit_status variable indicates the applet failed to execute.
AnswerA

Correct. The variables show the event details, and applets can reference them using $_syslog_msg, etc.

Why this answer

The output shows the EEM environment variables that are set when an event triggers an applet. These variables contain information about the event, such as the event type, syslog message details, and exit status. This is useful for debugging applets that use these variables in their actions.

1715
MCQmedium

Which EIGRP packet type is used to confirm receipt of a route update during reliable transport?

A.Hello
B.Update
C.ACK
D.Query
AnswerC

ACK packets are Hello packets with no data, used to acknowledge received updates.

Why this answer

EIGRP uses ACK packets (which are Hello packets with no data) to acknowledge reliable updates.

1716
Multi-Selecthard

Which TWO statements correctly describe the use of IKEv2 for IPsec site-to-site VPNs? (Choose TWO.)

Select 2 answers
A.IKEv2 uses UDP port 500 and 4500 for NAT traversal.
B.IKEv2 supports only pre-shared keys for authentication.
C.IKEv2 uses aggressive mode to establish the IKE SA.
D.IKEv2 can authenticate using EAP (Extensible Authentication Protocol).
E.The default IKEv2 SA lifetime is 3600 seconds.
AnswersA, D

Correct. IKEv2 uses UDP 500 for initial exchanges and UDP 4500 when NAT is detected.

Why this answer

Option A is correct because IKEv2 uses UDP port 500 for initial IKE SA establishment and port 4500 for NAT traversal (encapsulating IPsec packets in UDP to pass through NAT devices). This is a standard behavior defined in RFC 7296, ensuring compatibility with NAT environments.

Exam trap

Cisco often tests the misconception that IKEv2 uses aggressive mode (like IKEv1) or that its default SA lifetime is 3600 seconds, when in fact IKEv2 uses a simpler exchange and a 24-hour default lifetime.

1717
MCQeasy

In OSPF, what is the default metric for a Type 3 summary LSA generated by an ABR using the 'area range' command?

A.The lowest metric among the summarized routes.
B.The highest metric among the summarized routes.
C.The sum of all metrics.
D.The metric is set to 1 by default.
AnswerA

Correct. OSPF uses the best (lowest) metric from the component routes for the summary LSA.

Why this answer

The default metric for a Type 3 summary LSA is the lowest metric among the component routes being summarized.

1718
MCQeasy

A network engineer runs the following command to debug NAT with access lists:

    R1# debug ip nat access-list 100
    NAT: access list 100 matched ip 10.1.1.1 -> 192.168.1.1
    NAT: access list 100 matched ip 10.1.1.2 -> 192.168.1.1
    NAT: access list 100 matched ip 10.1.1.3 -> 192.168.1.1
    NAT: access list 100 matched ip 10.1.1.4 -> 192.168.1.1

What does this output indicate?

A.The access list is correctly matching traffic for NAT.
B.NAT is failing because translations are not being created.
C.The access list is misconfigured and blocking traffic.
D.The inside interface is not configured.
AnswerA

The debug confirms the access list is being hit by traffic.

Why this answer

The debug shows that traffic from multiple inside hosts is matching the access list, which is the first step in NAT. It does not show whether translations are created.

1719
MCQhard

An engineer configures DHCPv6 prefix delegation on a Cisco router acting as a requesting client. The router receives a valid IA_PD prefix from the server, but no route for the delegated prefix appears in the routing table. Which is the most likely explanation?

A.DHCPv6 prefix delegation automatically installs a connected route; the issue is a missing 'ipv6 route' command to point the prefix to the DHCP-learned next-hop.
B.The router's 'ipv6 dhcp client pd' command does not install a route; the engineer must manually configure a static route for the delegated prefix.
C.The DHCPv6 server must also send a route option; the requesting client cannot install a route without it.
D.The router's 'ipv6 unicast-routing' is disabled, preventing route installation.
AnswerB

Correct: DHCPv6 PD only assigns the prefix to an interface; no route is created. A static route or dynamic routing is needed.

Why this answer

DHCPv6 prefix delegation does not automatically install a route for the delegated prefix. The engineer must configure a static route or use a routing protocol to advertise the prefix. This is a common oversight.

1720
Multi-Selectmedium

Which TWO commands can be used to troubleshoot an Embedded Event Manager (EEM) applet that is not triggering as expected? (Choose TWO.)

Select 2 answers
A.debug event manager action all
B.show event manager detector all
C.show event manager policy registered
D.show event manager environment all
E.debug event manager all
AnswersA, B

This enables debugging for all EEM actions, showing detailed output when actions run, which helps identify if the applet is executing and what actions are performed.

Why this answer

The 'debug event manager action all' command provides detailed logs of EEM actions, while 'show event manager detector all' shows the status of all EEM detectors (including whether they are registered). The other options are either not valid or not useful for troubleshooting trigger issues.

1721
MCQhard

A network engineer is troubleshooting IPv6 MPLS LDP neighbor discovery on a link between Router R1 and Router R2. The LDP session is not forming. Router R1 has the following relevant configuration:

    interface GigabitEthernet0/0
     ipv6 address 2001:DB8:1::1/64
     mpls ip
     mpls ldp discovery transport-address interface
    !

On Router R2, debug mpls ldp discovery output indicates that R2 is receiving Hello packets from R1, but the LDP session remains in INIT state. What is the root cause?

A.The 'mpls ldp discovery transport-address interface' command on R1 causes the transport address to be the link-local address, which is not routable.
B.The MPLS LDP label distribution is disabled on the interface, preventing session establishment.
C.The LDP hello interval is mismatched between R1 and R2, causing the session to fail.
D.Router R2 has a firewall blocking TCP port 646, preventing the LDP session.
AnswerA

Link-local addresses are not routable, so R2 cannot establish a TCP session to R1's transport address.

Why this answer

LDP uses transport addresses for session establishment. If the transport address is not reachable or if there is a mismatch in the LDP hello parameters, the session may not form. The correct answer identifies that the transport address on R1 is set to the interface address, but R2 expects a different transport address (e.g., loopback), causing a mismatch that prevents the TCP session from establishing.

1722
Multi-Selecthard

Which TWO statements correctly describe the behavior of NAT with route maps and ACLs when using the 'ip nat inside source route-map' feature? (Choose TWO.)

Select 2 answers
A.The route map can use 'match ip address' to select traffic for translation based on source IP.
B.The route map can use 'match interface' to translate only when traffic exits a specific interface.
C.The route map can use 'match ip next-hop' to control translation based on the next-hop IP.
D.The route map is evaluated once per session at the creation of the translation entry.
E.The route map can use 'set ip next-hop' to change the destination of translated packets.
AnswersA, B

Correct. 'match ip address' references an ACL that selects source IPs for NAT.

Why this answer

Route maps used with NAT allow granular control based on match criteria. The 'match ip address' references an ACL for source IP, and the 'match interface' can be used to match the outgoing interface. The route map is evaluated per packet, not per session, and the 'ip nat inside source' command does not support 'match ip next-hop' or 'set ip next-hop'.

1723
MCQmedium

A network engineer runs the following command to troubleshoot OSPF route filtering:

    R1# show ip ospf database router 2.2.2.2

                OSPF Router with ID (1.1.1.1) (Process ID 1)

                    Router Link States (Area 0)

      LS age: 300
      Options: (No TOS-capability, DC)
      LS Type: Router Links
      Link State ID: 2.2.2.2
      Advertising Router: 2.2.2.2
      LS Seq Number: 80000004
      Checksum: 0x1234
      Length: 48
      Number of Links: 2

        Link connected to: a Stub Network
         (Link ID) Network/subnet number: 10.1.1.0
         (Link Data) Network Mask: 255.255.255.0
          Number of TOS metrics: 0
           TOS 0 Metrics: 10

        Link connected to: a Transit Network
         (Link ID) Designated Router address: 10.1.1.2
         (Link Data) Router Interface address: 10.1.1.1
          Number of TOS metrics: 0
           TOS 0 Metrics: 10

What does this output indicate?

A.Router 2.2.2.2 is advertising two links, one of which is a stub network 10.1.1.0/24.
B.Router 2.2.2.2 is filtering routes from area 0.
C.Router 2.2.2.2 is a DR for the transit network.
D.Router 2.2.2.2 has a mismatched area ID.
AnswerA

The LSA shows two links: a stub network and a transit network. The stub network is 10.1.1.0/24.

Why this answer

The output shows the OSPF router LSA from router 2.2.2.2. It lists two links: one stub network (10.1.1.0/24) and one transit network (via DR 10.1.1.2). This is normal OSPF operation.

1724
MCQmedium

A network engineer runs the following command to troubleshoot SNMP access control:

    R1# show snmp view
    v1default - includes all objects up to OID 1.3.6.1.2.1.1
    v1system - includes system MIB only (1.3.6.1.2.1.1)

What does this output indicate?

A.Two SNMP views are configured: 'v1default' with broader access and 'v1system' limited to the system MIB.
B.The router uses SNMPv3 views exclusively.
C.The 'v1default' view includes all MIB objects.
D.No views are configured, so SNMP access is denied.
AnswerA

The output shows two views with different scopes.

Why this answer

The show snmp view command displays configured SNMP views. The output shows two views: 'v1default' includes objects up to OID 1.3.6.1.2.1.1 (system group), and 'v1system' includes only the system MIB.

1725
MCQhard

An engineer configures IP SLA to track a route to a server that is reachable via a GRE tunnel. Router R1 has:

    ip sla 9
     icmp-echo 172.16.0.1 source-ip 10.0.0.1
     frequency 10
    ip sla schedule 9 life forever start-time now
    track 9 ip sla 9 reachability
    ip route 192.168.2.0 255.255.255.0 Tunnel0 track 9

The GRE tunnel is up, but the route is flapping. Show output on R1:

    show interface Tunnel0
    Tunnel0 is up, line protocol is up

    show track 9
    Track 9
     IP SLA 9 reachability
     Reachability is Up
      10 changes, last change 00:00:05

What is the root cause?

A.The GRE tunnel has a path MTU issue that causes ICMP packets to be fragmented or dropped, leading to intermittent probe failures.
B.The IP SLA frequency is too high, causing the router to overload.
C.The source IP 10.0.0.1 is not reachable from the tunnel destination.
D.The track 9 is not correctly associated with the route.
AnswerA

GRE adds overhead, and if the path MTU is not adjusted, ICMP packets may be dropped due to fragmentation, causing the track to flap.

Why this answer

The IP SLA probe is successful, but the track is flapping. This could be due to the IP SLA probe itself being intermittent, perhaps because the GRE tunnel is using a path that has high latency or packet loss. The correct answer is that the IP SLA probe is being affected by the GRE tunnel's path MTU or fragmentation issues, causing some probes to be dropped.
