Cisco CCNP ENARSI 300-410 (300-410) — Questions 1726-1800

2152 questions total · 29 pages · All types, answers revealed

Page 24 of 29

1726
MCQ · hard

Router R10 is configured with SNMP and EEM. An EEM applet is configured to send an SNMP trap when a specific syslog message is generated. The applet uses the 'action snmp-trap' command. However, the NMS receives no trap. The syslog message is generated and logged. The router's show snmp statistics shows TrapsSent: 0. What is the root cause?

A. The EEM applet is configured to send a trap, but the 'snmp-server host' command is missing, so the router has no destination for the trap.
B. The syslog message is not matching the EEM trigger pattern correctly.
C. The EEM applet is not registered due to a syntax error.
D. The SNMP community string is not configured with RW privileges.
Answer: A

Without 'snmp-server host', the router does not know where to send the trap. The EEM action will fail silently.

Why this answer

EEM applets that send SNMP traps require the 'snmp-server enable traps' command to be enabled globally, and also the EEM applet must have the correct privilege level. Additionally, the 'action snmp-trap' command in EEM uses the SNMP community string configured globally. If the community string is not configured or the trap host is not set, the trap is not sent.

The correct answer is: 'The EEM applet is configured to send a trap, but the 'snmp-server host' command is missing, so the router has no destination for the trap.'

1728
Drag & Drop · medium

Drag and drop the steps to verify and validate the Administrative Distance operational state into the correct order, from first to last.

Why this order

Start by showing the IP routing table to see which routes are installed, then display the specific route with its AD, next check the routing protocol database for the prefix, then verify the protocol-specific AD configuration, and finally compare the AD with other protocols to ensure correct preference.

1729
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show bgp ipv4 unicast summary
    BGP router identifier 192.168.0.1, local AS number 65001
    BGP table version is 10, main routing table version 10
    Neighbor        V    AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down  State/PfxRcd
    192.168.1.2     4 65002    1002    1000     10   0    0 00:15:30 5
    192.168.2.2     4 65003    1005    1003     10   0    0 00:14:20 3
    10.10.10.2      4 65004       0       0      0   0    0 00:00:05 Idle

Based on this output, what is the problem with neighbor 10.10.10.2?

A. The neighbor is administratively shut down.
B. The BGP session is not established; possible misconfiguration or reachability issue.
C. The neighbor is in the process of establishing the session.
D. The neighbor has sent all its prefixes and is waiting for updates.
Answer: B

Idle state with no messages indicates the session is down.

Why this answer

Neighbor 10.10.10.2 is in Idle state, with very few messages exchanged (0 MsgRcvd, 0 MsgSent) and a short uptime (5 seconds). This indicates the BGP session is not established, likely due to a configuration issue or connectivity problem.

1730
MCQ · medium

A network engineer is troubleshooting a BGP route filtering issue. Router R1 is advertising a prefix 10.1.1.0/24 to its eBGP neighbor R2, but R2 is not receiving it. The engineer checks R1's BGP configuration and sees a route-map named FILTER-OUT applied outbound to the neighbor. The route-map references an ACL that permits 10.1.1.0/24, but the prefix is still not being sent. What is the most likely cause?

A. The route-map is missing a 'permit' statement; the default action is deny.
B. The ACL is using the wrong wildcard mask; it should be 0.0.0.255 instead of 0.0.0.0.
C. The neighbor is configured with 'soft-reconfiguration inbound' which blocks outbound updates.
D. The route-map is applied inbound instead of outbound on R1.
Answer: A

Correct because route-maps without an explicit permit will implicitly deny all prefixes.

Why this answer

The route-map must have an explicit permit statement; if the route-map is missing the permit clause, or if the sequence number is incorrect, the implicit deny at the end of the route-map will filter all routes. The ACL permitting the prefix is necessary but not sufficient if the route-map itself does not have a permit action.

1731
MCQ · hard

An engineer configures iBGP between two routers in the same AS. The BGP table shows the prefix, but it is not installed in the routing table. The IGP does not carry the prefix. Which is the most likely explanation?

A. The BGP synchronization rule is enabled, and the prefix is not in the IGP, so BGP does not install the route.
B. The next-hop is unreachable because of a missing static route.
C. The BGP route is filtered by an inbound route-map.
D. The maximum-paths limit is exceeded.
Answer: A

Synchronization requires that the prefix be reachable via IGP before BGP installs it; if not, the route remains in the BGP table but not the routing table.

Why this answer

The BGP synchronization rule (enabled by default in older IOS versions) requires that the prefix be present in the IGP before it is installed in the routing table. If the IGP does not carry the prefix, BGP will not install it even if learned via iBGP. This edge case often surprises engineers who assume iBGP routes are always installed.

1732
MCQ · medium

Which statement correctly describes the default behavior of Dead Peer Detection (DPD) in Cisco IOS for IPsec site-to-site VPN?

A. DPD is enabled by default with a 10-second interval
B. DPD is enabled by default with a 30-second interval
C. DPD is disabled by default
D. DPD is enabled only for IKEv2 by default
Answer: C

Cisco IOS requires explicit configuration to enable DPD.

Why this answer

Dead Peer Detection (DPD) is disabled by default in Cisco IOS for IPsec site-to-site VPNs. This means that without explicit configuration using the 'crypto isakmp keepalive' command, the router will not send DPD messages to verify the liveness of the remote peer. DPD must be manually enabled to detect peer failures and trigger failover or tunnel teardown.

Exam trap

Cisco often tests the misconception that DPD is enabled by default or that it has a fixed interval, when in fact it must be manually configured and the default state is disabled.

How to eliminate wrong answers

Option A is wrong because DPD is not enabled by default with a 10-second interval; DPD is disabled by default, and if enabled, the interval is configurable but not a fixed 10 seconds. Option B is wrong because DPD is not enabled by default with a 30-second interval; again, DPD is disabled by default, and the interval is not preset to 30 seconds. Option D is wrong because DPD is not enabled only for IKEv2 by default; DPD is disabled by default for both IKEv1 and IKEv2, and it must be explicitly configured for either version.

1733
MCQ · medium

A network engineer runs the following command to troubleshoot a BGP issue:

    R1# debug ip bgp updates
    BGP(0): 10.1.1.2 UPDATE rcvd w/ attr: nexthop 10.1.1.2, origin i, localpref 100, metric 0
    BGP(0): 10.1.1.2 rcvd 192.168.1.0/24
    BGP(0): 10.1.1.2 rcvd UPDATE w/ attr: nexthop 10.1.1.2, origin i, localpref 100, metric 0
    BGP(0): 10.1.1.2 rcvd 192.168.2.0/24
    BGP(0): 10.1.1.2 rcvd UPDATE w/ attr: nexthop 10.1.1.2, origin i, localpref 100, metric 0 -- unreachable
    BGP(0): 10.1.1.2 rcvd 192.168.3.0/24

What does this output indicate?

A. The neighbor 10.1.1.2 is advertising three new prefixes: 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24.
B. The neighbor 10.1.1.2 is withdrawing the prefix 192.168.3.0/24 while advertising 192.168.1.0/24 and 192.168.2.0/24.
C. The neighbor 10.1.1.2 is flapping all three prefixes due to a BGP session reset.
D. The neighbor 10.1.1.2 is sending a malformed update for 192.168.3.0/24, causing it to be marked as unreachable.
Answer: B

The 'unreachable' keyword in the debug output indicates a route withdrawal for 192.168.3.0/24.

Why this answer

The debug ip bgp updates output shows received BGP updates from neighbor 10.1.1.2. The third update includes 'unreachable', indicating that the neighbor is withdrawing the route 192.168.3.0/24. The other prefixes are being advertised normally.

1734
MCQ · hard

A network engineer is troubleshooting a router that is not executing an EEM applet that is supposed to run when a specific interface goes down. The applet is configured with event syslog pattern 'LINK-3-UPDOWN' and matches the interface with a regex. The engineer checks the syslog and sees the message 'LINK-3-UPDOWN: GigabitEthernet0/1, changed state to down' but the applet does not run. What is the most likely cause?

A. The EEM applet is disabled.
B. The syslog message is not being sent to the EEM server due to logging level restrictions.
C. The regex pattern in the applet does not match the syslog message.
D. The interface is not being monitored because it is a subinterface.
Answer: C

Correct because a mismatch in the regex pattern is a common cause for an applet not triggering.

Why this answer

The EEM applet may have a regex that does not match the actual syslog message format. The engineer should verify the regex pattern using 'show event manager policy' or test the pattern.

1735
Drag & Drop · medium

Drag and drop the steps to apply and verify an extended IPv4 ACL on a router interface into the correct order, from first to last.

Why this order

The correct order is: first, create the ACL with permit/deny statements; second, verify the ACL syntax with show access-list; third, apply it inbound on the interface; fourth, verify the interface configuration with show ip interface; fifth, test connectivity with ping or traceroute.

1736
MCQ · medium

Which OSPF LSA type is used to describe a default route injected into a regular area by an Area Border Router (ABR)?

A. Type 1 (Router LSA)
B. Type 2 (Network LSA)
C. Type 3 (Summary LSA)
D. Type 5 (AS-External LSA)
Answer: C

Correct: ABRs use Type 3 LSAs to advertise inter-area routes, including default routes.

Why this answer

Type 3 LSAs are summary LSAs generated by ABRs to advertise networks from one area to another. When an ABR injects a default route into a regular area, it uses a Type 3 LSA with a destination of 0.0.0.0.

1737
Drag & Drop · medium

Drag and drop the steps to verify and validate the operational state of an IPv6 tunneling technique into the correct order, from first to last.

Why this order

Validation follows a systematic approach: start with checking the tunnel interface status and counters, then verify IPv6 connectivity across the tunnel using ping, examine routing protocol adjacency over the tunnel, validate end-to-end IPv6 reachability to remote networks, and finally confirm traffic flow with traceroute or debug commands.

1738
MCQ · hard

What is the default value of the 'reachable time' in IPv6 Neighbor Discovery (ND) on Cisco IOS-XE?

A. 0 milliseconds (unspecified)
B. 30,000 milliseconds
C. 60,000 milliseconds
D. 10,000 milliseconds
Answer: A

Correct. The default reachable time in the 'ipv6 nd reachable-time' command is 0, meaning no override is sent in RAs.

Why this answer

The default reachable time in ND is 30,000 milliseconds (30 seconds) as per RFC 4861, but Cisco IOS-XE uses a default of 0 (unspecified) in RA messages, meaning hosts use their own default (typically 30 seconds). However, the default for the 'ipv6 nd reachable-time' command is 0, indicating no override.

1739
MCQ · hard

A VRF route leaking configuration causes unexpected reachability. Router R1 has VRF RED and VRF BLUE. Configuration: 'ip vrf RED rd 100:1 route-target export 100:1 route-target import 100:2' and 'ip vrf BLUE rd 100:2 route-target export 100:2 route-target import 100:1'. Router R2 is a route reflector with 'address-family ipv4 vrf RED' and 'address-family ipv4 vrf BLUE'. A host in VRF RED can ping a host in VRF BLUE, but not vice versa. What is the root cause?

A. The route reflector lacks 'address-family ipv4 vrf' configuration for both VRFs, causing incomplete route propagation.
B. The VRF BLUE has a static route pointing to a next-hop that is not reachable from VRF RED, causing asymmetric reachability.
C. The route-target import/export values are reversed; they should be identical for both VRFs.
D. MPLS LDP is not enabled on the interfaces between routers, preventing label switching.
Answer: B

If VRF BLUE imports routes from RED but uses a static route for the return path that is not leaked, return traffic fails.

Why this answer

Route leaking via route-target import/export is asymmetric if the import and export communities are not correctly matched. In this setup, VRF RED exports 100:1 and imports 100:2, while VRF BLUE exports 100:2 and imports 100:1. This allows RED to receive routes from BLUE (import 100:2 matches export 100:2) and BLUE to receive from RED (import 100:1 matches export 100:1), so bidirectional leaking should work.

However, if the route reflector is not configured to pass VPNv4 routes correctly or if there is an issue with the 'next-hop' resolution, one direction may fail. The likely cause is that the route reflector does not have the VRF interfaces in its global routing table, causing next-hop unreachable for one VRF.

1740
Drag & Drop · medium

Drag and drop the steps to configure Flexible NetFlow with a custom flow record into the correct order, from first to last.

Why this order

The correct order follows Cisco IOS-XE configuration logic: first define the flow record with match fields, then define the flow exporter with destination and source, then define the flow monitor binding record and exporter, then apply the monitor to an interface in the ingress direction, and finally verify with 'show flow monitor'.

1741
Drag & Drop · medium

Drag and drop the steps to verify and validate the SNMP operational state into the correct order, from first to last.

Why this order

Begin by checking the SNMP agent status with show snmp. Then, view the SNMP community strings and access permissions. Next, examine SNMP trap and inform configurations. After that, use show snmp mib to verify MIB object accessibility. Finally, perform a test poll from the NMS to confirm end-to-end functionality.

1742
MCQ · medium

An engineer is troubleshooting a router that is not sending syslog messages to the syslog server at 192.168.1.10. The configuration includes 'logging host 192.168.1.10' and 'logging trap informational'. The engineer can ping the syslog server from the router. 'show logging' shows that the logging buffer is filling with messages. What is the most likely cause?

A. The syslog server is not listening on UDP port 514.
B. The 'logging source-interface' command is missing, causing syslog messages to use an incorrect source IP.
C. The 'logging on' command is not configured.
D. The syslog server's IP address is incorrect in the configuration.
Answer: B

Without 'logging source-interface', the router uses the IP of the egress interface, which may not be reachable from the syslog server or may be filtered.

Why this answer

The router has logging to a remote host configured, but the 'logging source-interface' is missing, so syslog messages are sourced from the outgoing interface IP, which may not be reachable or may be filtered by the server.

1743
MCQ · hard

An engineer configures SPAN on a Cisco switch to monitor traffic from a VLAN, but the VLAN includes a voice VLAN. The mirrored traffic shows only data traffic, not voice. What is the most likely explanation?

A. The SPAN source is configured for the data VLAN only, not the voice VLAN.
B. Voice traffic uses a different CoS value, which SPAN ignores.
C. The voice VLAN is configured as a native VLAN, which SPAN does not capture.
D. The switch has a security ACL that blocks voice traffic from being mirrored.
Answer: A

SPAN VLAN-based monitoring captures only the specified VLAN; the voice VLAN must be added separately.

Why this answer

Voice VLANs are often configured as separate VLANs (e.g., VLAN 100 for voice, VLAN 10 for data). If the SPAN source is a single VLAN, it only captures traffic on that VLAN. To capture both, the SPAN session must include both VLANs or use a port-based source that includes both.

1744
MCQ · hard

A network engineer is troubleshooting a situation where R1 has two routes to 10.0.0.0/8: one via OSPF (AD 110) and one via RIP (AD 120). The engineer wants R1 to prefer the RIP route. After configuring the distance 80 0.0.0.0 255.255.255.255 under the RIP process, the RIP route is still not preferred. What is the most likely reason?

A. The OSPF route has an AD of 110, but the RIP route's AD was set to 80, so RIP should be preferred. The issue is that the distance command was applied to the wrong prefix.
B. The OSPF process has the distance ospf external 70 command configured, lowering the AD of OSPF external routes to 70.
C. The RIP route is not in the routing table because it is suppressed by a distribute-list.
D. The distance command under RIP only affects internal RIP routes, not redistributed routes.
Answer: B

If OSPF AD is lowered to 70, it will still be preferred over RIP with AD 80.

Why this answer

The distance command under RIP can set AD for specific routes. However, if the OSPF route has a lower AD than the new RIP AD, it will still be preferred. The engineer set RIP AD to 80, but OSPF AD is 110, so RIP should be preferred. If it is not, the OSPF AD may have been lowered or the distance command was applied incorrectly.

1745
MCQ · medium

A network engineer runs the following command to troubleshoot BFD with OSPF:

    R1# show ip ospf interface gigabitethernet 0/0
    GigabitEthernet0/0 is up, line protocol is up
      Internet Address 10.1.1.1/24, Area 0
      Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1
      Transmit Delay is 1 sec, State DR, Priority 1
      Designated Router (ID) 1.1.1.1, Interface address 10.1.1.1
      Backup Designated router (ID) 2.2.2.2, Interface address 10.1.1.2
      Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
        oob-resync timeout 40
        Hello due in 00:00:03
      Supports Link-local Signaling (LLS)
      Cisco NSF helper support enabled
      IETF NSF helper support enabled
      Index 1/1/1, flood queue length 0
      Next 0x0(0)/0x0(0)/0x0(0)
      Last flood scan length is 1, maximum is 25
      Last flood scan time is 0 msec, maximum is 0 msec
      Neighbor Count is 1, Adjacent neighbor count is 1
        Adjacent with neighbor 2.2.2.2 (Backup Designated Router)
      Suppress hello for 0 neighbor(s)
      BFD enabled, BFD interval 100 msec, BFD multiplier 3

What does this output indicate?

A. OSPF is using BFD with a 100 ms interval and multiplier 3, enabling sub-second failure detection.
B. BFD is disabled on this OSPF interface.
C. BFD interval is set to 10 seconds, matching OSPF hello.
D. BFD session is down, causing OSPF to use dead timer.
Answer: A

BFD is enabled with the specified parameters, allowing OSPF to detect failures quickly.

Why this answer

The output shows that BFD is enabled on the OSPF interface with an interval of 100 ms and multiplier of 3. This provides fast failure detection for OSPF adjacency.

1746
MCQ · medium

A network engineer is troubleshooting an IPv6 routing issue on a router that is receiving OSPFv3 routes from multiple neighbors. The engineer notices that some routes are missing from the routing table. The engineer checks the interface configuration and finds an inbound IPv6 ACL applied to the interface that permits only specific prefixes. The engineer also notices that the missing routes are from a neighbor that is sending routes with a prefix length of /48, while the ACL permits only /64 prefixes. What is the most likely cause of the missing routes?

A. The ACL is filtering the OSPFv3 routes based on prefix length, and the /48 routes are not permitted.
B. The OSPFv3 neighbor relationship is down due to a mismatched area ID.
C. The router has a route-map that is denying the /48 routes before they are installed.
D. The IPv6 ACL is applied outbound, blocking the routes from being sent.
Answer: A

Correct because the ACL permits only /64 prefixes, so /48 routes are dropped, preventing them from being installed in the routing table.

Why this answer

The inbound IPv6 ACL on the interface is filtering OSPFv3 routes based on prefix length. Since the ACL permits only /64 prefixes, any routes with a /48 prefix length are denied and not installed in the routing table. This is the most likely cause of the missing routes.

Exam trap

The trap here is that candidates may overlook that an inbound ACL on an interface can filter OSPFv3 route updates based on prefix length, assuming ACLs only filter data-plane traffic, not routing protocol updates.

How to eliminate wrong answers

Option B is wrong because a mismatched area ID would prevent the OSPFv3 neighbor relationship from forming entirely, not cause selective route filtering; the engineer already confirmed the router is receiving routes from multiple neighbors, so the neighbor relationship is up. Option C is wrong because the engineer specifically identified an ACL as the filtering mechanism, and there is no mention of a route-map; a route-map would be a separate configuration applied under the OSPFv3 process or redistribution, not on the interface. Option D is wrong because the engineer explicitly states the ACL is applied inbound, not outbound; an outbound ACL would affect routes being sent, not received.

1747
MCQ · medium

A network engineer is troubleshooting a PBR (Policy-Based Routing) issue on router R5. The engineer configured a route-map to set the next-hop for traffic from a specific source subnet. The route-map is applied to the incoming interface, but traffic from the source subnet is still being forwarded using the regular routing table. The engineer verifies that the ACL matches the traffic correctly. What is the most likely cause?

A. The route-map is missing a 'set ip next-hop' command, or the next-hop is not reachable.
B. The route-map is applied outbound instead of inbound on the interface.
C. The ACL is using a standard ACL, which cannot match source subnet correctly.
D. The route-map has a 'set default interface' command that overrides the next-hop.
Answer: A

Correct because without a valid 'set' command, PBR does not alter forwarding.

Why this answer

PBR route-maps must have at least one 'match' and one 'set' statement. If the route-map has a 'match ip address' but no 'set ip next-hop' (or the next-hop is unreachable), PBR will not apply and traffic will use the routing table. Also, the route-map must be applied to the correct interface and direction.

1748
MCQ · hard

A network engineer runs the following command on Router R1:

    R1# show bfd neighbors detail
    IPv4 Sessions
    NeighborAddr   LD/RD   Int     State   Holdown(mult)   Intf
    10.1.1.2       1/3     Gi0/0   Up      3000(3)         Gi0/0
    Session state is UP and not using echo function.
    OurAddr: 10.1.1.1
    Handle: 1
    Local Diag: 0, Demand mode: 0, Poll bit: 0
    MinTxInt: 1000000, MinRxInt: 1000000, Multiplier: 3
    Received MinRxInt: 500000, Received Multiplier: 3
    Holddown (hits): 1500(0)
    Rx Count: 200, Tx Count: 200

Based on this output, what is the holddown timer value in milliseconds and why?

A. The holddown timer is 1500 ms, which is the received MinRxInt (500 ms) multiplied by the multiplier (3).
B. The holddown timer is 3000 ms, but the output shows 1500 ms because the holddown timer displayed is half of the actual holddown time.
C. The holddown timer is 1500 ms, which is the local MinRxInt (1000 ms) multiplied by the multiplier (3) divided by 2.
D. The holddown timer is 3000 ms, and the output is correct as is.
Answer: B

Cisco IOS divides the holddown timer by 2 for display; the actual holddown is 3000 ms.

Why this answer

The holddown timer is calculated as the maximum of the local MinRxInt and the received MinRxInt, multiplied by the multiplier. Local MinRxInt is 1000000 microseconds, received MinRxInt is 500000 microseconds. The maximum is 1000000 microseconds. Multiplied by 3 gives 3000000 microseconds = 3000 ms. However, the output shows 1500 ms. This is because the holddown timer displayed is actually half of the calculated value due to a Cisco implementation detail where the holddown timer is divided by 2 for display purposes. The actual holddown time is 3000 ms.

1749
MCQ · hard

An engineer is troubleshooting a stateful DHCPv6 deployment. The router is configured as a DHCPv6 server with a pool for prefix 2001:db8:2::/64. Clients on the LAN are configured to use DHCPv6, but they are not receiving IPv6 addresses. The router interface has 'ipv6 address 2001:db8:2::1/64' and 'ipv6 dhcp server DHCP_POOL'. The engineer sees that the clients are sending SOLICIT messages, but the router sends no REPLY. What is the issue?

A. The interface is missing the 'ipv6 nd managed-config-flag' command.
B. The DHCPv6 pool is missing the 'address prefix 2001:db8:2::/64' command.
C. The router needs the 'ipv6 dhcp relay' command on the interface.
D. The 'ipv6 unicast-routing' command is missing globally.
Answer: B

Correct because without an address prefix in the pool, the DHCPv6 server has no addresses to assign and will not send a REPLY to SOLICIT messages.

Why this answer

For stateful DHCPv6, the router must also send Router Advertisements with the 'M' (Managed) flag set to indicate that clients should use DHCPv6. Without the 'ipv6 nd managed-config-flag' command, clients may not request addresses via DHCPv6, or the server may not respond appropriately. However, the symptom says clients are sending SOLICIT messages, so they are attempting DHCPv6.

The router is not replying, which could be due to a misconfigured pool or the server not being enabled. The most likely cause is that the DHCPv6 pool does not have an 'address prefix' statement, so the server has no addresses to assign.

1750
MCQ · medium

An engineer is troubleshooting why syslog messages from a router are not being received by the syslog server at 192.168.1.10. The router configuration includes 'logging host 192.168.1.10' and 'logging trap 6'. The engineer runs 'debug ip packet' and sees packets destined for 192.168.1.10 being sent but no response. What should the engineer check first?

A. Verify that the syslog server is running and listening on UDP port 514.
B. Change the logging trap level to 7 (debugging) to ensure all messages are sent.
C. Add the 'logging source-interface' command to use a loopback interface.
D. Configure 'logging on' if it is not already enabled.
Answer: A

Correct because if the server is not listening or a firewall drops the packets, the messages will never be received despite the router sending them.

Why this answer

Syslog uses UDP, which is connectionless; the server does not send acknowledgments. The debug showing packets being sent indicates the router is transmitting, but the server may not be listening on UDP 514, or a firewall may be blocking the traffic. Checking the server's syslog service status and firewall rules is the logical first step.

1751
MCQ · easy

A network engineer runs the following command to verify DHCPv4 server conflict detection on router R1:

    R1# show ip dhcp conflict

Output:

    IP address      Detection method   Detection time          VRF
    192.168.1.50    Ping               Mar 01 2025 10:00 AM    default
    192.168.1.75    Gratuitous ARP     Mar 01 2025 11:00 AM    default

What does this output indicate?

A. The DHCP server has detected two IP address conflicts on the network.
B. The DHCP server has successfully assigned IP addresses 192.168.1.50 and 192.168.1.75.
C. The DHCP server uses only ping to detect conflicts.
D. The DHCP server has cleared all conflicts from the database.
Answer: A

Two IP addresses are listed with detection methods and times, indicating conflicts.

Why this answer

The show ip dhcp conflict command displays IP addresses that were found to be already in use on the network. Two conflicts are shown: one detected by ping, another by gratuitous ARP. These addresses are removed from the pool and not assigned until cleared.

1752
MCQ · hard

A network engineer runs the following command on Router R1:

    R1# show ip eigrp topology
    EIGRP-IPv4 Topology Table for AS(100)/ID(192.168.1.1)
    Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply, r - reply Status, s - sia Status
    P 10.10.10.0/24, 1 successors, FD is 28160
            via 10.1.1.2 (28160/28160), GigabitEthernet0/0
    P 10.20.20.0/24, 1 successors, FD is 28160
            via 10.2.2.2 (28160/28160), GigabitEthernet0/1
    P 10.30.30.0/24, 1 successors, FD is 28160
            via 10.3.3.2 (28160/28160), GigabitEthernet0/2
    A 10.40.40.0/24, 0 successors, FD is Infinity
            via 10.4.4.2 (Infinity/Infinity), GigabitEthernet0/3

Based on this output, what is the problem?

A. The route to 10.40.40.0/24 is stuck-in-active and may cause a network instability.
B. The route to 10.40.40.0/24 is passive and stable.
C. The route to 10.30.30.0/24 has a feasible successor.
D. All routes are in a stable passive state.
Answer: A

A route in Active state with no successor indicates that the router is querying neighbors and has not received a reply, which can lead to SIA.

Why this answer

The topology table shows that the route to 10.40.40.0/24 is in Active state (A), meaning the router is actively querying for a successor. The FD is Infinity, indicating no feasible successor is available. This could be due to a network failure or a stuck-in-active condition.

1753
MCQ · hard

An engineer configures mutual redistribution between OSPF and EIGRP. After a few minutes, the network becomes unstable with routing loops. The engineer checks the routing tables and notices that the same prefix is being learned from both protocols with different administrative distances. Which is the most likely explanation?

A. Routes are redistributed back and forth between OSPF and EIGRP without any filtering or tagging
B. The seed metric for OSPF redistribution into EIGRP is not configured
C. The administrative distance of OSPF is lower than EIGRP, causing OSPF routes to be preferred
D. The redistribute command is missing the subnets keyword under OSPF
Answer: A

Correct. Mutual redistribution without tagging or filtering causes a feedback loop, leading to routing loops.

Why this answer

Mutual redistribution without proper route tagging can cause routing loops because each protocol redistributes routes back into the other, creating a feedback loop. The administrative distance of the redistributed routes may cause one protocol to prefer the redistributed route over the original, leading to instability. Using route tags and filtering can prevent this, but without them, loops are common.

1754
MCQ · medium

In MPLS, what is the default behavior of a Cisco IOS-XE router regarding the 'auto-summary' command for BGP routes?

A. Auto-summary is disabled by default for BGP.
B. Auto-summary is enabled by default for BGP.
C. Auto-summary is enabled by default only for directly connected routes.
D. Auto-summary is disabled by default for BGP but enabled for OSPF.
Answer: A

Cisco IOS-XE disables auto-summary by default for BGP since version 12.2(8)T.

Why this answer

By default, auto-summary is disabled in Cisco IOS-XE for BGP, meaning that BGP will not automatically summarize subnets to their classful boundaries.

1755
MCQ · medium

Examine this partial configuration on router R5:

    flow record RECORD-3
     match ipv4 source address
     match ipv4 destination address
     match ipv4 protocol
     collect routing source as
     collect routing destination as
    !
    flow monitor MONITOR-5
     record RECORD-3
     cache timeout active 60
    !
    interface GigabitEthernet0/5
     ip flow monitor MONITOR-5 input
    !

What is missing or incorrect in this configuration?

A. The flow record is missing 'match ipv4 source prefix-length' and 'match ipv4 destination prefix-length' to collect AS numbers.
B. The router must have BGP configured and the flow record must include 'match ipv4 bgp source-as' and 'match ipv4 bgp destination-as' to collect AS numbers.
C. The flow monitor is missing the 'cache timeout inactive' command to properly age out flows.
D. The configuration is correct; AS numbers will be collected automatically from the routing table.
Answer: B

To collect BGP AS numbers, the flow record must match BGP AS attributes using 'match ipv4 bgp source-as' and 'match ipv4 bgp destination-as'. The 'collect routing source as' command alone is insufficient without the corresponding match.

Why this answer

This question tests knowledge of BGP AS number collection requirements in Flexible NetFlow.

1756
MCQmedium

A network engineer runs the following command to troubleshoot a VRF-Lite issue:

R1# show ip route vrf CUSTOMER_A summary

Output:

IP routing table name: CUSTOMER_A (0x00000001)
IP routing table maximum-paths: 32
Route Source    Networks  Subnets  Replicates  Overhead  Memory (bytes)
connected       2         0        0           0         576
static          1         0        0           0         288
eigrp 100       3         0        0           0         864
  Internal      3         0        0           0         864
  External      0         0        0           0         0
ospf 200        0         0        0           0         0
  Intra-area    0         0        0           0         0
  Inter-area    0         0        0           0         0
  External-1    0         0        0           0         0
  External-2    0         0        0           0         0
  NSSA-1        0         0        0           0         0
  NSSA-2        0         0        0           0         0
bgp 65000       0         0        0           0         0
  Internal      0         0        0           0         0
  External      0         0        0           0         0
Total           6         0        0           0         1728

What does this output indicate?

A.The VRF CUSTOMER_A has 6 routes, with EIGRP 100 providing 3 internal routes.
B.The VRF CUSTOMER_A has 6 routes, all redistributed from BGP 65000.
C.The VRF CUSTOMER_A has 6 routes, with OSPF 200 providing 3 external routes.
D.The VRF CUSTOMER_A has 6 routes, all from connected and static only.
AnswerA

Correct. The summary shows 6 total routes, with EIGRP 100 contributing 3 internal routes.

Why this answer

The 'show ip route vrf summary' command displays the routing table summary for a specific VRF. It shows the number of routes from each routing protocol source. In this output, the VRF CUSTOMER_A has 6 total routes: 2 connected, 1 static, and 3 from EIGRP 100.

OSPF and BGP have 0 routes, indicating they are not contributing to the VRF's routing table.

1757
Multi-Selectmedium

Which TWO statements about route redistribution between EIGRP and OSPF are true? (Choose TWO.)

Select 2 answers
A.When redistributing EIGRP into OSPF, the OSPF metric must be explicitly configured if the default metric of 20 is not desired.
B.When redistributing OSPF into EIGRP, the default EIGRP metric is 1.
C.When redistributing OSPF into EIGRP, the default EIGRP metric is 100.
D.When redistributing OSPF into EIGRP, a seed metric must be configured for EIGRP to advertise the redistributed routes.
E.Route-maps cannot be used to filter routes during redistribution between EIGRP and OSPF.
AnswersA, D

Correct: OSPF uses a default metric of 20 for redistributed routes, so explicit configuration is needed to change it.

Why this answer

When redistributing between EIGRP and OSPF, the seed metric must be explicitly set for the receiving protocol. EIGRP uses a composite metric (bandwidth, delay, reliability, load, MTU) and OSPF uses a metric of type 1 or type 2. By default, OSPF assigns a metric of 20 to redistributed routes unless specified otherwise.

Option A is correct because OSPF requires a seed metric for redistributed routes. Option D is correct because EIGRP redistributed routes default to an infinite metric (effectively not advertised) unless a seed metric is provided. Option B is incorrect because OSPF default metric is 20, not 1.

Option C is incorrect because the default metric for EIGRP is not 100. Option E is incorrect because route-maps can be used to filter redistributed routes.

1758
MCQhard

A network engineer configures an EEM applet to monitor EIGRP stuck-in-active (SIA) events using the event syslog pattern 'EIGRP-3-SIA'. The applet is designed to clear the EIGRP neighbor. The EIGRP network has a unidirectional link that causes a route to go active, but the EEM applet does not trigger. Which is the most likely explanation?

A.The EIGRP SIA syslog message is only generated when the SIA timer expires, but a unidirectional link may prevent the query from being sent, so the timer never starts.
B.The EEM applet must use 'event eigrp' instead of 'event syslog' to catch EIGRP events.
C.The EIGRP process must be restarted for the EEM applet to take effect.
D.The unidirectional link causes a routing loop that suppresses syslog generation.
AnswerA

Correct. If the unidirectional link prevents query transmission, the SIA timer is not triggered, and no syslog is generated.

Why this answer

EIGRP SIA events generate syslog messages only when the SIA timer expires (default 3 minutes). If the unidirectional link causes the route to go active but the query propagation is blocked or the neighbor is not reachable, the SIA timer may not start because the router does not receive a reply from the neighbor. In some cases, the route may remain active indefinitely without generating an SIA syslog if the query is not sent due to the unidirectional link.

The EEM applet requires the specific 'EIGRP-3-SIA' syslog pattern, which is only generated when the SIA timer actually expires.

1759
Multi-Selectmedium

Which TWO statements about the 'match ip address' command within a route-map are true? (Choose TWO.)

Select 2 answers
A.It can reference a standard access-list, extended access-list, or prefix-list.
B.It matches the source IP address of the route.
C.It can only be used in a route-map sequence with a 'permit' clause.
D.If multiple access-lists are listed in the same match command, they are evaluated with a logical OR.
E.The command 'match ip address prefix-list' is not valid.
AnswersA, D

The command accepts access-list numbers/names and prefix-list names.

Why this answer

The 'match ip address' command can reference either a standard or extended access-list, or a prefix-list. It matches the destination network of the route. It cannot match source address (that would be 'match ip next-hop' or 'match ip route-source').

The command can be used in both permit and deny sequences. A single route-map sequence can have multiple match commands, but they are logically ANDed only if under the same match statement type.

1760
MCQhard

An engineer configures a DMVPN Phase 2 network. Spoke-to-spoke tunnels are established, but traffic between spokes is not being forwarded directly; it is still going through the hub. The engineer verifies that NHRP is working and spoke-to-spoke registrations are successful. What is the most likely explanation?

A.The hub is not sending NHRP redirect messages to the spokes.
B.The spoke routers have 'ip nhrp shortcut' disabled.
C.The hub is configured with 'no ip split-horizon' on the tunnel interface.
D.The spoke routers have mismatched IPsec transform sets.
AnswerA

In DMVPN Phase 2, the hub must send NHRP redirect messages to inform spokes of the existence of a direct path. Without these redirects, spokes do not know to send traffic directly to each other.

Why this answer

In DMVPN Phase 2, spoke-to-spoke traffic requires that the spoke routers have a route to the destination prefix via the tunnel interface with the next-hop being the remote spoke's tunnel IP. If the hub is not configured to send an NHRP redirect or if the spoke does not have a route for the remote subnet via the tunnel, traffic will continue to go through the hub. The edge case is that the hub may be using a different next-hop in its routing table, or the spoke's routing table does not have a more specific route for the remote spoke's subnet via the tunnel.

1761
MCQmedium

A network engineer runs the following command to troubleshoot a Route Redistribution issue:

R1# show ip ospf database external

And sees the following output:

OSPF Router with ID (1.1.1.1) (Process ID 1)

Type-5 AS External Link States

LS age: 360
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 192.168.10.0 (External Network Number )
Advertising Router: 2.2.2.2
LS Seq Number: 80000001
Checksum: 0x1234
Length: 36
Network Mask: /24
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 20
Forward Address: 0.0.0.0
External Route Tag: 100

What does this output indicate?

A.The route 192.168.10.0/24 is an OSPF internal route.
B.The route is redistributed into OSPF with a metric of 20 and a route tag of 100.
C.The forward address is 0.0.0.0, meaning the route is not reachable.
D.The route is a default route redistributed into OSPF.
AnswerB

The LSA shows metric type 2, metric 20, and tag 100, typical for redistributed routes.

Why this answer

The show ip ospf database external output shows a Type 5 LSA for 192.168.10.0/24, with metric type 2 and metric 20, and external route tag 100. This indicates that the route is redistributed into OSPF from another protocol (likely EIGRP or BGP) by router 2.2.2.2. The tag 100 can be used for filtering.

1762
MCQmedium

A network engineer is troubleshooting a VRF-Lite configuration where a router is using RIP as the routing protocol in VRF_BLUE. The engineer notices that RIP routes are not being learned from a neighbor router. The 'show ip rip database vrf VRF_BLUE' shows no entries. The 'show ip vrf interfaces VRF_BLUE' shows the correct interface. What is the most likely cause?

A.The 'network' command is configured under the global RIP process, not under the VRF address-family.
B.The 'version 2' command is missing under the VRF address-family.
C.The 'no auto-summary' command is missing.
D.The 'timers basic' command is set to a very low value.
AnswerA

For RIP to operate in a VRF, the network command must be under the VRF address-family.

Why this answer

RIP in VRF-Lite requires that the RIP process be associated with the VRF and that the network command is issued under the VRF context. Missing the 'address-family ipv4 vrf VRF_BLUE' configuration is a common oversight.

1763
MCQhard

An engineer configures Control Plane Policing (CoPP) on a router. After applying the policy, OSPF neighbors go down. The engineer checks the policy and sees that OSPF packets are not explicitly matched. Which is the most likely explanation?

A.The class-default is set to 'drop', and OSPF packets fall into class-default because they are not matched by any other class.
B.The CoPP policy uses 'police' in bps, but OSPF packets are small and exceed the rate limit.
C.The CoPP policy is applied to the input direction, but OSPF packets are processed in the output direction.
D.The CoPP policy uses 'police' in pps, but OSPF hello packets are sent every 10 seconds, so they are not rate-limited.
AnswerA

CoPP processes packets in order. If OSPF is not matched by a higher class, it goes to class-default. If class-default drops, OSPF packets are dropped, causing neighbor loss.

Why this answer

When Control Plane Policing (CoPP) is configured, traffic is classified into classes based on match criteria. If OSPF packets are not explicitly matched by any configured class, they fall into the default class (class-default). If the policy-map sets class-default to 'drop', all unmatched traffic, including OSPF hello packets (which use IP protocol 89), will be dropped.

This causes OSPF neighbors to go down because the router stops receiving or sending OSPF control packets.

Exam trap

Cisco often tests the concept that class-default in CoPP can be set to 'drop', and candidates may overlook that OSPF or other routing protocols are not explicitly matched, leading to neighbor loss.

How to eliminate wrong answers

Option B is wrong because CoPP policies use 'police' in bps or pps, but the issue here is not rate-limiting; it is that OSPF packets are not matched and are dropped by class-default. Option C is wrong because CoPP is applied to the control plane, which processes both inbound and outbound control traffic; OSPF packets are sent and received via the control plane, and the input direction is the correct direction for incoming OSPF packets. Option D is wrong because even if OSPF hello packets are sent every 10 seconds, they would still be subject to rate-limiting if matched; the problem is that they are not matched at all and fall into class-default.

1764
MCQmedium

In DMVPN Phase 3 using OSPF, what is the default network type on a multipoint GRE tunnel interface?

A.broadcast
B.point-to-multipoint
C.NBMA
D.point-to-point
AnswerC

Correct. The default OSPF network type for mGRE is NBMA.

Why this answer

By default, a multipoint GRE tunnel interface is treated as an OSPF NBMA network type. This requires manual neighbor configuration unless the interface is set to broadcast or point-to-multipoint.

1765
MCQmedium

A network engineer runs the following command to troubleshoot a Route Redistribution issue:

R1# debug eigrp packets

And sees the following output:

*Mar 1 00:15:22.123: EIGRP: Received UPDATE on Serial0/0/0 nbr 10.1.1.2
*Mar 1 00:15:22.124: AS 100, Flags 0x1, Seq 45/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar 1 00:15:22.125: Ext: 192.168.10.0/255.255.255.0, metric 156160, tag 0
*Mar 1 00:15:22.126: EIGRP: Enqueueing UPDATE on Serial0/0/0 nbr 10.1.1.2 iidbQ un/rely 0/1 peerQ un/rely 0/0 serno 12-12
*Mar 1 00:15:22.127: EIGRP: Sending UPDATE on Serial0/0/0 nbr 10.1.1.2, retry 0, R=1
*Mar 1 00:15:22.128: Ext: 10.2.2.0/255.255.255.0, metric 128256, tag 0

What does this output indicate?

A.EIGRP is redistributing routes from another protocol into EIGRP, as indicated by the tag 0.
B.R1 is learning 192.168.10.0/24 via EIGRP and advertising 10.2.2.0/24 back to the same neighbor, which could indicate a routing loop.
C.R1 is receiving an EIGRP update and sending an update in response, which is normal EIGRP behavior.
D.The metric of 156160 indicates that the route 192.168.10.0/24 is redistributed from OSPF.
AnswerC

The output shows standard EIGRP update exchange. No redistribution issue is visible.

Why this answer

The debug eigrp packets output shows EIGRP update packets being exchanged. R1 receives an update for 192.168.10.0/24 from neighbor 10.1.1.2 and then sends an update for 10.2.2.0/24. This indicates normal EIGRP operation; no redistribution issue is apparent from this output.

1766
MCQmedium

Examine this configuration:

interface GigabitEthernet0/4
 ipv6 address 2001:db8:2::1/64
 ipv6 verify unicast source reachable-via any

What is the effect of the 'ipv6 verify unicast source reachable-via any' command?

A.The router performs strict uRPF: the source address must be reachable via the same interface the packet arrived on.
B.The router performs loose uRPF: the source address must be reachable via any route in the FIB.
C.The router drops all packets with source addresses not in the same subnet as the interface.
D.The command is invalid because 'ipv6 verify unicast' requires a route-map.
AnswerB

Loose mode only requires a route to the source, not necessarily via the receiving interface.

Why this answer

This enables uRPF (unicast Reverse Path Forwarding) in loose mode. It checks that the source address of incoming packets is reachable via any route in the FIB, but does not require the exact interface.

1767
MCQmedium

Given this partial configuration on router R6:

router bgp 65000
 neighbor 192.168.1.1 remote-as 65001
 address-family ipv4
  network 172.16.0.0 mask 255.255.0.0
  aggregate-address 172.16.0.0 255.255.0.0

What is missing if the administrator wants to ensure that only the aggregate route is advertised to neighbor 192.168.1.1?

A.The 'summary-only' keyword is missing from the aggregate-address command.
B.The 'network' command should be removed.
C.The 'synchronization' command must be enabled.
D.The 'neighbor 192.168.1.1 route-map' command is needed.
AnswerA

Correct. Without summary-only, more specific routes are still advertised.

Why this answer

The aggregate-address command without the summary-only keyword will advertise both the aggregate and the more specific routes. To suppress the specifics, the summary-only keyword is required.

1768
MCQmedium

A network engineer runs the following command on Router R1:

R1# show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H   Address         Interface       Hold  Uptime    SRTT   RTO   Q    Seq
                                    (sec)           (ms)         Cnt  Num
0   10.1.1.2        Gi0/0           13    00:12:34  12     200   0    45
1   10.2.2.2        Gi0/1           12    00:10:20  15     200   0    32
2   10.3.3.2        Gi0/2           14    00:08:15  18     200   0    28
3   10.4.4.2        Gi0/3           13    00:06:10  20     200   0    22

Based on this output, which statement is correct?

A.All four EIGRP neighbors are in the established state and exchanging routes.
B.Neighbor 10.4.4.2 has a high SRTT of 20 ms, indicating a slow link.
C.The Q Cnt of 0 means that there are 0 packets queued for retransmission, but this could indicate a problem.
D.The neighbor on Gi0/3 has the lowest uptime, so it may be flapping.
AnswerA

All neighbors show a hold time, uptime, SRTT, RTO, and Q Cnt of 0, indicating a stable adjacency.

Why this answer

The show ip eigrp neighbors command displays all EIGRP neighbors. The 'H' column shows the order in which neighbors were learned. The 'Hold' column shows the remaining hold time in seconds.

All neighbors are in a stable state with low SRTT and RTO values, and no outstanding packets (Q Cnt = 0). The output indicates that all four neighbors are fully operational.

1769
Multi-Selecthard

Which TWO statements correctly describe the behavior of SNMPv3 when using the 'noAuthNoPriv' security level? (Choose TWO.)

Select 2 answers
A.The username and password are sent in clear text.
B.The SNMP engine ID is still used for message processing and identification.
C.The 'snmp-server user' command must include the 'auth' and 'priv' keywords set to 'md5' and 'des' respectively.
D.The security level is configured per user, not per group.
E.The engine ID can be manually configured or automatically generated based on the router's MAC address.
AnswersB, E

The engine ID is always used in SNMPv3 for message processing, regardless of the security level.

Why this answer

SNMPv3 'noAuthNoPriv' provides no authentication and no encryption. The engine ID is still used for message processing, and the community string is replaced by the username. The security level is configured per user, not per group.

The 'auth' and 'priv' keywords are omitted from the 'snmp-server user' command. The engine ID is automatically generated based on the router's MAC address or manually configured.

1770
MCQmedium

A network engineer runs the following command on Router R1:

R1# show ip access-lists
Extended IP access list 140
    10 deny tcp any host 10.1.1.1 eq 23 (15 matches)
    20 permit tcp any host 10.1.1.1 eq 22 (20 matches)
    30 permit ip any any (5 matches)

Based on this output, what is the problem?

A.SSH to 10.1.1.1 is being denied.
B.Telnet to 10.1.1.1 is being denied, which may be intentional.
C.All traffic is permitted because of line 30.
D.The ACL is not applied to any interface.
AnswerB

Line 10 denies Telnet with 15 matches, so Telnet traffic is blocked.

Why this answer

Option B is correct because the ACL explicitly denies TCP traffic to host 10.1.1.1 on port 23 (Telnet) with line 10, and the match count of 15 confirms that Telnet attempts are being blocked. While this may be intentional to enforce secure management via SSH (permitted on port 22), the question asks for the problem, and the output shows Telnet is being denied. The ACL does not block SSH (line 20 permits it), so the issue is specifically that Telnet access is denied.

Exam trap

Cisco often tests the misconception that a 'permit ip any any' at the end of an ACL overrides earlier deny statements, but candidates must remember that ACLs are processed sequentially and the first match wins.

How to eliminate wrong answers

Option A is wrong because SSH to 10.1.1.1 is permitted by line 20 (permit tcp any host 10.1.1.1 eq 22) with 20 matches, so SSH is not being denied. Option C is wrong because line 30 (permit ip any any) only applies to traffic that has not matched earlier lines; since Telnet to 10.1.1.1 matches line 10 (deny), it is blocked regardless of line 30. Option D is wrong because the output shows match counts (15, 20, 5), which indicate the ACL is applied to an interface and processing traffic; an unapplied ACL would show zero matches.

1771
MCQhard

In an MPLS network, Router R1 is a provider edge (PE) router that redistributes BGP routes into OSPF. The network experiences intermittent loss of reachability to a specific prefix 10.10.10.0/24. R1 configuration includes: 'router ospf 1 redistribute bgp 65000 subnets metric-type 1' and 'router bgp 65000 neighbor 10.0.0.2 route-map SET-METRIC in' with a route-map that sets metric 100. R2, a P router, shows 'show ip route 10.10.10.0' output: 'O E1 10.10.10.0/24 [110/20] via 10.0.0.1, 00:00:15' but traffic fails. What is the root cause?

A.The route-map SET-METRIC is not applied to the correct neighbor direction; it should be outbound.
B.The OSPF redistribute command lacks the 'metric' keyword to use the BGP metric; default metric 20 is used, causing inconsistency.
C.The OSPF network type mismatch on the link between R1 and R2 causes adjacency issues.
D.The BGP neighbor 10.0.0.2 is not reachable due to ACL blocking.
AnswerB

Without 'metric' in redistribute, OSPF uses default metric 20, ignoring the BGP metric set by route-map, leading to incorrect cost and potential routing loops.

Why this answer

The route-map applied to BGP inbound sets metric 100, but redistribution into OSPF uses the BGP metric as the OSPF cost. However, OSPF external route cost is calculated as metric-type 1 cost plus internal cost to the ASBR. The OSPF cost of 20 indicates the BGP metric is not being used correctly; instead, the default metric of 20 is applied because the 'metric' keyword is missing in the redistribute command, causing suboptimal path and potential blackholing due to metric mismatch.

1772
MCQmedium

A network engineer is troubleshooting a route redistribution issue between EIGRP and OSPF. Routers R1 (EIGRP) and R2 (OSPF) are redistributing routes. The engineer notices that some EIGRP routes are appearing in the OSPF database on R2, but traffic to those destinations is not being forwarded correctly. The show ip route command on R2 shows the redistributed routes with a next-hop of 0.0.0.0. What is the most likely cause?

A.The redistribute eigrp command under OSPF is missing the subnets keyword.
B.The OSPF process on R2 has a route map that is changing the next-hop.
C.EIGRP has a lower administrative distance than OSPF.
D.The EIGRP routes are not in the routing table on R2.
AnswerA

Correct: Without subnets, the next-hop may be set to 0.0.0.0 for classless routes.

Why this answer

When redistributing into OSPF, if the redistributed routes are not directly connected to the redistributing router, the next-hop may be set to 0.0.0.0 (self) if the subnets keyword is missing or if the route is not in the routing table. However, a common cause is that the redistribute command is missing the subnets keyword, causing classful behavior.

1773
MCQhard

An engineer configures an ISATAP tunnel on a router. The tunnel comes up and the router can ping the ISATAP server, but IPv6 hosts on the ISATAP network cannot reach IPv6 hosts on the native IPv6 network. The ISATAP router is configured with a static route to the native network. What is the most likely cause?

A.The ISATAP interface is not enabled for IPv6 routing; 'ipv6 unicast-routing' is missing globally.
B.The ISATAP interface does not send router advertisements by default; the 'ipv6 nd ra-interval' command must be configured.
C.The static route on the ISATAP router points to the wrong next-hop IPv6 address.
D.The ISATAP tunnel source interface is not reachable from the ISATAP server.
AnswerB

ISATAP tunnel interfaces are point-to-point and do not send RAs unless explicitly configured. Hosts need RAs to learn the prefix and default route.

Why this answer

ISATAP tunnels do not send Router Advertisements (RAs) by default because they are point-to-point links, not multi-access links. Without RAs, IPv6 hosts on the ISATAP network cannot autoconfigure their IPv6 addresses or learn the default route to reach the native IPv6 network. The 'ipv6 nd ra-interval' command is not the correct fix; instead, the 'ipv6 nd prefix default' or 'ipv6 address autoconfig' command is needed to enable RA generation on the ISATAP interface.

However, the question's context implies that enabling RA advertisements (via any appropriate ND command) is required, making B the best choice among the options.

Exam trap

Cisco often tests the misconception that ISATAP tunnels behave like native Ethernet interfaces and automatically send Router Advertisements, when in fact they require explicit ND configuration to enable host autoconfiguration.

How to eliminate wrong answers

Option A is wrong because 'ipv6 unicast-routing' is a global command that enables IPv6 routing on the router, and since the tunnel is up and the router can ping the ISATAP server, IPv6 routing is already enabled. Option C is wrong because the static route pointing to the wrong next-hop would cause the router itself to be unable to reach the native network, but the problem states that the router can ping the ISATAP server (which is on the native side), so the static route is correct. Option D is wrong because the tunnel source interface is reachable from the ISATAP server, as evidenced by the router successfully pinging the ISATAP server.

1774
MCQhard

OSPF is configured on a multi-access link between R1 and R2. R1 has: interface GigabitEthernet0/0, ip ospf network point-to-point. R2 has default broadcast network type. R1 shows: show ip ospf neighbor includes R2 in FULL state, but R2 shows: show ip ospf neighbor includes R1 in INIT state. What is the root cause?

A.R1's OSPF process ID does not match R2's.
B.The network type mismatch causes R1 to use unicast hellos, while R2 expects multicast.
C.R1 has a higher router ID, preventing adjacency.
D.R2's interface is passive, blocking OSPF hellos.
AnswerB

Point-to-point uses unicast; broadcast uses multicast, leading to one-way communication.

Why this answer

When R1 is configured with 'ip ospf network point-to-point' on a multi-access link, it changes its OSPF behavior to use unicast hellos to the neighbor's IP address instead of the standard multicast address 224.0.0.5. R2, with the default broadcast network type, expects to receive OSPF hellos on the multicast address. Because R1 sends unicast hellos, R2 never receives them, so R2's neighbor state for R1 remains INIT.

R1, however, receives R2's multicast hellos and can form a full adjacency from its perspective, leading to the asymmetric state.

Exam trap

Cisco often tests the asymmetric neighbor state (FULL on one side, INIT on the other) as a signature symptom of OSPF network type mismatch, tempting candidates to blame mismatched process IDs or passive interfaces instead.

How to eliminate wrong answers

Option A is wrong because OSPF process IDs are locally significant and do not need to match between routers for adjacency formation. Option C is wrong because a higher router ID does not prevent adjacency; the router ID is used for DR/BDR election in broadcast networks, but with a point-to-point network type on R1, no DR/BDR election occurs, and a higher router ID would not block adjacency. Option D is wrong because a passive interface would suppress all OSPF hellos, causing both sides to show no neighbor or only INIT state, not the asymmetric FULL/INIT state described.

1775
MCQhard

A network uses route summarization to reduce routing table size. After enabling Flexible NetFlow, some routes that were previously summarized are now being advertised individually. Router R1 has: interface GigabitEthernet0/0 ip summary-address eigrp 100 10.0.0.0 255.0.0.0. The flow monitor is applied to the same interface. show ip route eigrp | include (10.0.0.0/8) shows the summary route, but also shows more specific routes like 10.1.0.0/16. What is the root cause?

A.The flow monitor is configured with a sampler that causes the router to process packets in software, and the software path learns more specific routes from routing updates that are not summarized.
B.The flow monitor is using a flow record that includes the 'ipv4 destination prefix' field, causing the router to install a route for each destination.
C.The summary route is not configured correctly; it should be a range of /8, but the more specific routes are from a different EIGRP process.
D.The flow exporter is sending the more specific routes to the collector, which then redistributes them back.
AnswerA

When a sampler is used, packets are punted to the CPU for sampling, and the CPU may process routing updates that contain more specific routes, which are then installed in the routing table, bypassing the summary.

Why this answer

Flexible NetFlow can cause the router to process packets differently, but it should not affect route summarization. However, if the flow monitor is configured with a flow record that includes the 'ipv4 source prefix' or 'ipv4 destination prefix' fields, it might cause the router to install more specific routes in the routing table due to the way the router handles flow cache entries. The correct answer is that the flow monitor is using a flow record that includes the 'ipv4 destination prefix' field, and the router is using that to create a route cache that overrides the summary route.

But this is not standard behavior. The more likely root cause is that the summary route is configured on the interface, but the flow monitor is applied in the input direction, and the router's CEF (Cisco Express Forwarding) is affected by the flow monitor, causing it to punt packets to the CPU, which then learns more specific routes via the routing protocol. Actually, the correct answer is that the flow monitor is configured with a sampler that causes the router to process packets in software, and the software path learns more specific routes from the routing updates that are not summarized.

1776
MCQmedium

Examine the following partial configuration on router R1:

flow record RECORD-1
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 collect counter bytes
 collect counter packets
!
flow monitor MONITOR-1
 record RECORD-1
 cache timeout active 60
!
interface GigabitEthernet0/1
 ip flow monitor MONITOR-1 input
!

Which statement about this configuration is true?

A.The flow monitor will export flow records every 60 seconds regardless of whether the flow is still active.
B.The flow monitor will only export flows that have been idle for 60 seconds.
C.The flow record is missing the 'collect transport tcp-flags' command to be valid.
D.The flow monitor will not export any data because no exporter has been configured.
AnswerA

The cache timeout active 60 command causes active flows to be exported every 60 seconds, even if the flow is still ongoing.

Why this answer

This question tests understanding of Flexible NetFlow configuration components and the effect of the cache timeout active command.

1777
Multi-Selectmedium

Which TWO statements about administrative distance are true? (Choose TWO.)

Select 2 answers
A.A lower administrative distance is preferred over a higher one.
B.Administrative distance is used to compare routes from different routing protocols.
C.The default administrative distance for OSPF is 90.
D.Administrative distance is used to compare routes within the same routing protocol.
E.The default administrative distance for EIGRP internal routes is 170.
AnswersA, B

The route with the lowest administrative distance is installed in the routing table.

Why this answer

Administrative distance is used to select the best route when multiple routing protocols provide routes to the same destination. A lower administrative distance is preferred. The default administrative distance for OSPF is 110, and for EIGRP it is 90 (internal) or 170 (external).

1778
MCQmedium

A network engineer is troubleshooting a route filtering issue using distribute-lists under OSPF. Router R8 has a distribute-list out applied to the OSPF process to filter routes being advertised to a specific neighbor. The distribute-list references an ACL that denies a specific prefix, but the prefix is still being advertised to the neighbor. What is the most likely cause?

A.The distribute-list is applied to the OSPF process, not to the specific neighbor; use 'neighbor distribute-list' instead.
B.The ACL is using the wrong wildcard mask; it should deny the exact prefix with 0.0.0.0 mask.
C.The distribute-list is applied inbound instead of outbound.
D.The OSPF process has 'default-information originate' that overrides the distribute-list.
AnswerA

Correct because per-neighbor filtering requires the distribute-list under the neighbor command.

Why this answer

Distribute-lists under OSPF can be applied in or out, but the 'out' direction filters routes being advertised out of the OSPF process to all neighbors. However, if the distribute-list is applied to the OSPF process (not to a specific interface), it filters routes from the routing table into OSPF, not to a specific neighbor. To filter per neighbor, a distribute-list must be applied to the neighbor under the OSPF process using 'neighbor x.x.x.x distribute-list'.

1779
MCQhard

Two routers R1 and R2 are connected via a FastEthernet link. OSPF is configured on both with network type broadcast. R1 shows: 'show ip ospf neighbor' lists R2 as FULL/DR. R2 shows: 'show ip ospf neighbor' lists R1 as FULL/BDR. However, pings between loopback interfaces on R1 and R2 fail intermittently. 'show ip route' on R1 shows the loopback of R2 as reachable via OSPF, but 'show ip ospf interface' on R1 shows the link as point-to-point. What is the root cause?

A.One router has 'ip ospf network point-to-point' configured, while the other uses the default broadcast, causing a mismatch in the network type.
B.The FastEthernet interface is operating at half-duplex, causing packet loss.
C.OSPF hello and dead timers are mismatched, preventing adjacency formation.
D.The MTU on the link is mismatched, causing OSPF packets to be dropped.
AnswerA

A network type mismatch prevents proper OSPF operation; broadcast expects DR/BDR election, while point-to-point does not, leading to inconsistent neighbor states and potential forwarding issues.

Why this answer

The 'show ip ospf interface' output indicating point-to-point suggests that the interface has been manually configured as OSPF network type point-to-point, but the neighbor state shows DR/BDR election, which is inconsistent. This mismatch causes OSPF to form adjacency but with incorrect forwarding behavior. The actual configuration likely has 'ip ospf network point-to-point' on one router but not the other, leading to a mismatch.

The fix is to ensure consistent network type.

1780
MCQmedium

In DHCPv6, what is the purpose of the 'managed-config-flag' in Router Advertisement messages?

A.It indicates that hosts should use DHCPv6 to obtain their IPv6 address and other configuration parameters.
B.It indicates that hosts should use SLAAC for addressing and DHCPv6 for other configuration only.
C.It indicates that the router is a DHCPv6 server.
D.It indicates that hosts should use only stateless address autoconfiguration.
AnswerA

The M flag signals stateful DHCPv6, where hosts get both addresses and other info from a DHCPv6 server.

Why this answer

The 'managed-config-flag' (M flag) in Router Advertisement (RA) messages, as defined in RFC 3315 and RFC 4861, tells hosts to use stateful DHCPv6 for both IPv6 address assignment and other configuration parameters (e.g., DNS servers). When set to 1, hosts must use DHCPv6 to obtain their IPv6 address, overriding SLAAC for addressing. This flag is part of the RA's prefix information option and directly controls whether hosts perform stateful or stateless address configuration.

Exam trap

Cisco often tests the distinction between the M flag and the O flag, and the trap here is confusing the 'managed-config-flag' (for addressing + other config) with the 'other-config-flag' (for other config only), leading candidates to incorrectly select option B.

How to eliminate wrong answers

Option B is wrong because it describes the 'other-config-flag' (O flag), not the managed-config-flag; the O flag indicates hosts should use SLAAC for addressing and DHCPv6 for other configuration only. Option C is wrong because the managed-config-flag does not indicate that the router is a DHCPv6 server; it is a directive to hosts, and the router sending the RA may or may not be a DHCPv6 server itself. Option D is wrong because it describes the behavior when both the M and O flags are set to 0, meaning hosts should use only stateless address autoconfiguration (SLAAC) without DHCPv6.

1781
MCQhard

When using the 'access-group' command to apply an ACL to an interface, what is the default direction if none is specified?

A.Inbound
B.Outbound
C.The command defaults to inbound.
D.The command is rejected without a direction keyword.
AnswerD

The access-group command syntax requires either 'in' or 'out'.

Why this answer

The 'access-group' command in Cisco IOS requires a direction keyword (either 'in' or 'out') to specify whether the ACL filters inbound or outbound traffic. If no direction is provided, the command is rejected with an error message because the direction is a mandatory parameter. This behavior is consistent across all Cisco IOS versions and platforms.

Exam trap

The trap here is that Cisco often tests the misconception that ACLs default to inbound when no direction is specified, but the command is actually rejected without the mandatory keyword.

How to eliminate wrong answers

Option A is wrong because the command does not default to inbound; it requires an explicit direction keyword. Option B is wrong because the command does not default to outbound; the direction must be specified. Option C is wrong because the command does not default to inbound; it is rejected without a direction keyword.

1782
MCQmedium

A network engineer runs the following command to troubleshoot an IPv4 access control list (ACL) issue:

```
R1# debug ip packet 100 detail
IP packet debugging is on for access list 100
*Mar 1 00:12:34.567: IP: s=10.1.1.1 (GigabitEthernet0/0), d=10.2.2.2, len 100, proto UDP, flags 0x0, sport 12345, dport 80, access list 100: matched line 10 permit udp host 10.1.1.1 host 10.2.2.2 eq 80
*Mar 1 00:12:35.123: IP: s=10.1.1.1 (GigabitEthernet0/0), d=10.2.2.2, len 100, proto TCP, flags 0x2, sport 12346, dport 443, access list 100: matched line 20 deny tcp host 10.1.1.1 host 10.2.2.2 eq 443
*Mar 1 00:12:35.124: IP: s=10.1.1.1 (GigabitEthernet0/0), d=10.2.2.2, len 100, proto TCP, flags 0x10, sport 12346, dport 443, access list 100: matched line 20 deny tcp host 10.1.1.1 host 10.2.2.2 eq 443
```

What does this output indicate?

A.The ACL is applied inbound on GigabitEthernet0/0 and is permitting UDP traffic to port 80 while denying TCP traffic to port 443.
B.The ACL is applied outbound on GigabitEthernet0/0 and is permitting all traffic.
C.The ACL is misconfigured because TCP traffic to port 443 should be permitted.
D.The ACL is not applied to any interface because debug ip packet shows only the ACL number.
AnswerA

The debug output shows that UDP traffic to port 80 matches line 10 (permit) and TCP traffic to port 443 matches line 20 (deny).

Why this answer

The debug output shows packets entering GigabitEthernet0/0 (source interface) and matching ACL 100. The first packet (UDP to port 80) matches line 10 (permit), while subsequent TCP packets to port 443 match line 20 (deny). Since the source interface is the inbound interface, the ACL is applied inbound.

This confirms Option A: the ACL permits UDP to port 80 and denies TCP to port 443.

Exam trap

Cisco often tests the ability to distinguish inbound vs. outbound ACL application by interpreting the source and destination IP addresses in debug output, where the trap is that candidates mistakenly assume the ACL is outbound because the destination IP is different, ignoring that the source interface reveals the direction.

How to eliminate wrong answers

Option B is wrong because the debug output explicitly shows packets being denied (matched line 20 deny), not permitted, and the source interface indicates inbound, not outbound, application. Option C is wrong because the ACL is not misconfigured; it is functioning as designed by denying TCP to port 443, and there is no requirement that TCP to port 443 must be permitted. Option D is wrong because the debug output includes the interface (GigabitEthernet0/0) in the source field, confirming the ACL is applied to that interface; the 'debug ip packet' command with an ACL number only filters packets matching that ACL, but the interface is still shown in the debug message.

1783
MCQhard

In DMVPN Phase 2, what is the default behavior of the 'ip nhrp redirect' command on the hub router?

A.It is enabled by default and causes the hub to send redirect messages to spokes.
B.It is disabled by default and must be configured for spoke-to-spoke direct communication.
C.It is disabled by default and is used in Phase 3 to enable NHRP redirects.
D.It is enabled by default and is used to disable NHRP shortcut switching.
AnswerC

Correct. The command is off by default and is a Phase 3 feature.

Why this answer

In DMVPN Phase 2, the 'ip nhrp redirect' command is not enabled by default on the hub. It is used in Phase 3 to enable NHRP redirects, which allow the hub to inform spokes that a better path exists directly to another spoke. In Phase 2, spoke-to-spoke tunnels are established based on NHRP resolution triggered by traffic, not by redirect messages.

1784
MCQmedium

A network engineer configures BGP on router R4:

```
router bgp 65004
 bgp router-id 4.4.4.4
 neighbor 10.4.4.3 remote-as 65003
 neighbor 10.4.4.3 password BGPsecret
!
```

What is the effect of the password command?

A.It encrypts the BGP updates using the password as a key.
B.It enables MD5 authentication for the TCP session; the neighbor must also have the same password.
C.It sets a simple password that is sent in clear text with each BGP update.
D.It has no effect unless the neighbor is configured with the same password.
AnswerB

The password command enables TCP MD5 signature option, requiring both sides to match.

Why this answer

The password command enables MD5 authentication for the TCP connection between BGP peers. Both peers must have the same password; otherwise, the session will not establish.

1785
MCQmedium

A network engineer configures a SPAN session on a Cisco switch to monitor traffic on interface GigabitEthernet0/1 and sends it to interface GigabitEthernet0/2. The engineer notices that the destination port is up but does not forward any traffic. The engineer checks the configuration and sees that the destination port is configured as a trunk port. What is the most likely cause?

A.The destination port is configured as a trunk port instead of an access port.
B.The source interface is in a different VLAN than the destination interface.
C.The SPAN session is configured with the 'rx' direction only.
D.The destination port is not in the same VLAN as the source interface.
AnswerA

Correct because SPAN destination ports should be access ports; trunk ports are not supported for SPAN destinations on most platforms.

Why this answer

SPAN destination ports should be access ports, not trunk ports. If a trunk port is used as a destination, the switch may not forward the monitored traffic correctly because the port expects tagged traffic.

1786
Drag & Drophard

Drag and drop the steps to troubleshoot IPv6 over IPv4 tunnel adjacency or connectivity failures into the correct order, from first to last.


Why this order

The troubleshooting process follows a logical progression: first verify the tunnel interface is up/up, then check the IPv6 routing table for the destination prefix, inspect the tunnel source and destination IPs for correctness, verify IPv4 reachability to the tunnel destination, and finally examine ACLs or firewall rules that might block GRE protocol 47 traffic.

1787
MCQmedium

Router R1 has the following configuration:

```
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip policy route-map PBR-OUT
!
route-map PBR-OUT permit 10
 match ip address 100
 set ip next-hop 192.168.1.1
!
access-list 100 permit ip host 10.1.1.100 any
```

What is the effect of this configuration?

A.Packets received on GigabitEthernet0/1 from source 10.1.1.100 are forwarded to next-hop 192.168.1.1.
B.Packets transmitted out of GigabitEthernet0/1 to destination 10.1.1.100 are forwarded to next-hop 192.168.1.1.
C.All packets from 10.1.1.100 are dropped because the route-map does not have a permit statement.
D.The configuration is invalid because the ACL must match destination, not source.
AnswerA

The route-map is applied inbound, so packets arriving on this interface from 10.1.1.100 are policy-routed to 192.168.1.1.

Why this answer

The route-map is applied as an inbound policy on the interface, but the name 'PBR-OUT' suggests outbound, which is misleading. However, the 'ip policy route-map' command applies to incoming packets on that interface. The ACL matches source 10.1.1.100 to any destination, and sets next-hop 192.168.1.1.

1788
MCQmedium

A network engineer is troubleshooting a VRF-Lite setup where a router is configured with VRF_GREEN. The engineer pings the gateway IP of a host in VRF_GREEN from the router, but the ping fails. The 'show ip route vrf VRF_GREEN' command shows the connected network for the host's subnet. The 'show ip interface brief' shows the interface is up/up. What is the most likely cause?

A.The host's default gateway is not set to the router's interface IP in VRF_GREEN.
B.The router's interface in VRF_GREEN has 'ip proxy-arp' disabled.
C.The host's IP address is not in the same subnet as the router's interface IP in VRF_GREEN.
D.The 'ip routing' command is disabled in VRF_GREEN.
AnswerC

If the host's IP is in a different subnet, the router will not have a connected route for that host, and ARP will fail.

Why this answer

If the interface is up and the route is present, the issue might be with ARP resolution or the host's configuration. However, in VRF-Lite, the router might not be able to ping the gateway if the gateway IP is not in the same subnet as the interface IP, or if the host has a firewall blocking ICMP.

1789
MCQmedium

A PE router has the following configuration:

```
ip vrf CUSTOMER-D
 rd 300:1
 route-target export 300:1
 route-target import 300:1
!
interface GigabitEthernet0/4
 ip vrf forwarding CUSTOMER-D
 ip address 10.3.3.1 255.255.255.252
!
router bgp 65000
 neighbor 10.0.0.1 remote-as 65000
 neighbor 10.0.0.1 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.1 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CUSTOMER-D
  neighbor 10.3.3.2 remote-as 65002
  neighbor 10.3.3.2 activate
 exit-address-family
```

What is the effect of this configuration?

A.The PE will successfully exchange VPNv4 routes with the remote PE and redistribute routes from CE into VPNv4.
B.The eBGP session will fail because the neighbor is not activated under the global BGP process.
C.The VPNv4 session will fail because the neighbor is not configured as a route-reflector client.
D.The VRF will not import routes because the import and export RTs are the same.
AnswerA

All necessary components are present: VRF with RT, iBGP VPNv4 session with extended community, and eBGP to CE under VRF.

Why this answer

The configuration is correct. The VRF has RD and RTs, the interface is in the VRF, the iBGP VPNv4 session is configured with extended community, and the eBGP session to the CE is configured under the VRF address-family. The PE will exchange VPNv4 routes with the remote PE and redistribute CE routes.

1790
MCQhard

A network administrator configures 'ipv6 dhcp guard' on a switch and sets the policy to 'allow only' for a specific DHCPv6 server. However, clients are still receiving DHCPv6 replies from a rogue server on the same VLAN. The engineer verifies that the rogue server's port is not trusted. What is the most likely reason the rogue server's advertisements are not being blocked?

A.IPv6 snooping is not enabled globally, so DHCPv6 Guard cannot inspect DHCPv6 messages.
B.The rogue server is using a different UDP port for DHCPv6.
C.The 'allow only' policy only works for DHCPv6 requests, not replies.
D.The rogue server is on a trunk port, and DHCPv6 Guard does not apply to trunk ports.
AnswerA

DHCPv6 Guard depends on IPv6 snooping for packet inspection.

Why this answer

DHCPv6 Guard works by intercepting DHCPv6 server messages (Advertise and Reply) and checking them against the policy. However, if the switch does not have 'ipv6 snooping' enabled globally, DHCPv6 Guard may not be able to inspect the packets because it relies on the snooping database. The edge case is that DHCPv6 Guard requires IPv6 snooping to be enabled to function properly; without it, the guard may not be applied or may not filter correctly.

Many engineers forget to enable 'ipv6 snooping' globally.

1791
MCQhard

A DMVPN Phase 3 network with EIGRP as the routing protocol experiences intermittent connectivity between spokes. R1 (hub) has 'ip summary-address eigrp 100 10.0.0.0 255.255.0.0' configured on the tunnel interface. R2 (spoke) shows 'show ip eigrp topology all-links' listing 10.1.0.0/24 as reachable via R1, but traffic from R2 to 10.1.0.1 (another spoke) is forwarded to R1 instead of directly via the spoke-to-spoke tunnel. What is the root cause?

A.The summary route on the hub creates a less specific route that is preferred over the more specific /24 routes learned from other spokes, causing suboptimal routing.
B.EIGRP stub configuration on spokes prevents them from learning routes from other spokes.
C.NHRP redirect is disabled on the hub, preventing spoke-to-spoke tunnel establishment.
D.The spoke-to-spoke tunnel interface has a different MTU causing fragmentation.
AnswerA

Correct. EIGRP summary routes have administrative distance 5 by default, which is lower than the distance of learned routes (90/170). This causes spokes to prefer the summary route and forward traffic to the hub, even though more specific routes exist.

Why this answer

The hub's summary route 10.0.0.0/16 is advertised to spokes, causing them to prefer the summary route over the more specific /24 routes learned from other spokes via NHRP redirect. This prevents spoke-to-spoke direct tunnels from being established or used, as traffic is forwarded to the hub based on the summary route.

1792
MCQmedium

Which BGP attribute is used as the first tie-breaker when multiple paths are available for the same prefix, assuming default settings?

A.Local preference
B.AS-path length
C.Weight
D.MED (Multi-Exit Discriminator)
AnswerC

Correct: Weight is checked first in the BGP path selection process.

Why this answer

The BGP best-path selection process uses the highest weight (Cisco proprietary) as the first tie-breaker. Weight is locally significant and defaults to 0 for routes learned from peers.

1793
MCQhard

An engineer configures an IPv6 ACL to filter OSPFv3 traffic on a router interface. The ACL includes a deny entry for OSPFv3 (protocol 89) followed by a permit ipv6 any any. However, OSPFv3 adjacencies still fail to form over that interface. Which is the most likely explanation?

A.The ACL is applied outbound, but OSPFv3 packets are generated locally and are not subject to outbound ACL filtering.
B.The ACL uses 'deny ospf' but OSPFv3 uses protocol 89, which is not matched by 'deny ospf' in IPv6 ACLs.
C.The ACL must include a permit entry for the link-local address of the neighbor, otherwise OSPFv3 packets are dropped.
D.The ACL is applied to the interface but the router has 'ipv6 ospf authentication' configured, which changes the packet format and bypasses ACL filtering.
AnswerA

Correct. Outbound ACLs do not filter locally generated packets, including OSPFv3 Hellos. The ACL must be applied inbound to filter incoming OSPFv3 packets.

Why this answer

OSPFv3 uses IPv6 multicast addresses ff02::5 (all OSPF routers) and ff02::6 (all DR/BDR routers). Even if an ACL permits OSPFv3 protocol, the multicast destination may be filtered by other mechanisms or the ACL may not be applied correctly. However, a common edge case is that the ACL is applied inbound and OSPFv3 packets are sourced from link-local addresses, which may not match the ACL source entry if not specified correctly.

But the key point: OSPFv3 uses protocol 89 in the IPv6 header, but the ACL must match the protocol number, not the next header field in IPv6. In IOS, the 'ipv6 access-list' uses 'deny ospf' to match OSPFv3, but if the engineer uses 'deny 89' incorrectly, it may not match. The most likely issue: the ACL is applied outbound instead of inbound, or the deny entry incorrectly matches the OSPFv3 packets before the permit.

1794
MCQmedium

A network engineer runs the following command on Router R1:

```
R1# show ip route 10.1.1.0
Routing entry for 10.1.1.0/24
  Known via "eigrp 100", distance 170, metric 30720
  Redistributing via eigrp 100
  Last update from 192.168.1.2 on GigabitEthernet0/0, 00:00:05 ago
  Routing Descriptor Blocks:
  * 192.168.1.2, from 192.168.1.2, 00:00:05 ago, via GigabitEthernet0/0
      Route metric is 30720, traffic share count is 1
```

Based on this output, which statement is correct?

A.The route 10.1.1.0/24 is an EIGRP internal route.
B.The route 10.1.1.0/24 is an EIGRP external route, likely redistributed.
C.The route 10.1.1.0/24 is learned via OSPF and redistributed into EIGRP.
D.The administrative distance of 170 is non-default and must have been manually configured.
AnswerB

The administrative distance of 170 is the default for EIGRP external routes, confirming redistribution.

Why this answer

The output shows an EIGRP route with an administrative distance of 170, which is the default distance for EIGRP external routes. This indicates the route was redistributed into EIGRP from another protocol or process. The metric of 30720 is the default for a redistributed connected route.

1795
MCQmedium

A network engineer runs the following command on Router R1:

```
R1# show snmp community
Community name: PUBLIC
Community Index: PUBLIC
Permission: read-only
View: v1default

Community name: PRIVATE
Community Index: PRIVATE
Permission: read-write
View: v1default

Community name: MONITOR
Community Index: MONITOR
Permission: read-only
View: restricted
```

Based on this output, which statement is correct?

A.The 'MONITOR' community may not have access to any MIB objects if the 'restricted' view is not configured.
B.The 'PUBLIC' community can be used to modify router configurations.
C.The 'PRIVATE' community uses a view named 'restricted'.
D.All three communities have the same access rights.
AnswerA

If the view 'restricted' is not defined, SNMP requests using the 'MONITOR' community will fail or return no data.

Why this answer

The output shows three SNMP communities. The 'MONITOR' community uses a view named 'restricted', which may not be defined, potentially causing access issues. The 'PUBLIC' and 'PRIVATE' communities use the default 'v1default' view, which typically includes the entire MIB tree.

The 'PRIVATE' community has read-write permission, allowing configuration changes via SNMP.

1796
Multi-Selectmedium

Which TWO statements about RSPAN are true? (Choose TWO.)

Select 2 answers
A.RSPAN uses a dedicated VLAN to carry monitored traffic between switches.
B.The RSPAN VLAN must be allowed on all trunk links between the source and destination switches.
C.RSPAN encapsulates traffic in GRE headers for transport across Layer 3 networks.
D.RSPAN requires a dedicated monitoring server at the source switch.
E.RSPAN can only be configured on a single switch.
AnswersA, B

The RSPAN VLAN is used to transport mirrored traffic across the network.

Why this answer

RSPAN uses a dedicated VLAN (the RSPAN VLAN) to transport monitored traffic across switches. This VLAN must be configured on all switches in the path and trunked. It does not use GRE encapsulation (that is ERSPAN).

It does not require a separate monitoring server at the source, and it is not limited to a single switch.

1797
MCQmedium

A network engineer is troubleshooting a router that is not responding to SNMP polls from the NMS at 10.1.1.100. The SNMP configuration includes 'snmp-server community public RO' and 'snmp-server community private RW'. The engineer can ping the router from the NMS. 'show snmp' shows SNMP is enabled. What is the most likely cause?

A.The NMS is using the wrong SNMP version.
B.An ACL is applied to the SNMP community that denies the NMS IP.
C.The router's SNMP agent is disabled due to high CPU.
D.The NMS is using the wrong community string.
AnswerB

The configuration may include 'snmp-server community public RO 10', where ACL 10 denies the NMS; this is a common misconfiguration.

Why this answer

The router has SNMP communities configured, but an ACL may be applied to the community that restricts access. The most common issue is an access-list applied to the community string that does not permit the NMS IP.

1798
Multi-Selecthard

Which TWO statements about SNMPv3 configuration on Cisco IOS XE are true? (Choose TWO.)

Select 2 answers
A.The 'snmp-server group' command creates a group and assigns a username to it.
B.The 'snmp-server user' command can specify an authentication and privacy password for a user.
C.The engine ID is automatically generated and cannot be manually configured.
D.The 'snmp-server host' command for SNMPv3 requires a username to be specified when sending traps or informs.
E.SNMPv3 supports only the authPriv security level.
AnswersB, D

Correct. The 'snmp-server user' command allows configuration of authentication (MD5/SHA) and privacy (DES/AES) passwords for SNMPv3 users.

Why this answer

SNMPv3 supports both noAuthNoPriv and authPriv security levels. The engine ID is automatically generated based on the router's MAC address but can be manually configured. The 'snmp-server group' command does not directly specify the username; it creates a group that users belong to.

The 'snmp-server user' command requires the engine ID to be specified if the remote engine ID is known, but for local users it uses the local engine ID. The 'snmp-server host' command can specify a username for SNMPv3 informs, but the default for traps is to use the community string for SNMPv1/v2c.

1799
MCQhard

What is the default maximum recursion depth for EEM Tcl policies?

A.10
B.50
C.100
D.Unlimited
AnswerC

The default recursion limit for Tcl policies is 100.

Why this answer

EEM limits Tcl policy recursion to 100 levels by default to prevent infinite loops.

1800
Drag & Drophard

Drag and drop the steps to troubleshoot OSPF adjacency or connectivity failures into the correct order, from first to last.


Why this order

Troubleshooting OSPF adjacency failures starts with verifying Layer 3 connectivity using ping. Next, check that OSPF is enabled on the correct interfaces with show ip ospf interface. Then, verify OSPF network type and area ID match on both sides.

After that, check for mismatched authentication settings. Finally, clear the OSPF process to reset adjacency attempts.
