Cisco CCNP ENARSI 300-410 (300-410) — Questions 18761950

2152 questions total · 29pages · All types, answers revealed

Page 25

Page 26 of 29

Page 27
1876
MCQhard

A network engineer runs the following command to troubleshoot a BGP Troubleshooting issue: R1# show bgp ipv4 unicast 192.168.1.0/24 BGP routing table entry for 192.168.1.0/24, version 12 Paths: (2 available, best #2, table default) Advertised to update-groups: 1 Refresh Epoch 1 65001 10.1.1.2 from 10.1.1.2 (10.1.1.2) Origin IGP, metric 0, localpref 100, valid, external Refresh Epoch 2 65002 10.2.2.2 from 10.2.2.2 (10.2.2.2) Origin IGP, metric 0, localpref 100, valid, external, best What does this output indicate?

A.Both paths are equally preferred, and BGP load-balances traffic.
B.The path from AS 65002 is best because it has a higher local preference.
C.The path from AS 65002 is best due to a tie-breaking rule, such as lower neighbor router ID.
D.The path from AS 65001 is best because it was received first.
AnswerC

When attributes are equal, BGP uses tie-breakers like lower router ID. The best path is from AS 65002.

Why this answer

The output shows two paths with equal local preference and metric. The best path is from AS 65002, likely due to a tie-breaking rule such as lower router ID or older route. The path from AS 65001 is valid but not best.

1877
MCQhard

A network engineer is troubleshooting MPLS traffic where packets are being forwarded without a label (IP forwarding) instead of being label-switched. The engineer runs show mpls forwarding-table and sees that the FEC for the destination prefix has a valid label. However, show ip cef shows that the outgoing interface is not MPLS-enabled. What is the most likely cause?

A.The outgoing interface is missing the mpls ip command.
B.The CEF is disabled globally.
C.The mpls label protocol ldp command is missing on the interface.
D.The interface is a loopback interface.
AnswerA

Correct because mpls ip on the interface enables MPLS forwarding; without it, CEF will not impose a label and will forward the packet as IP.

Why this answer

The LFIB has a label, but CEF is not imposing it, indicating that the outgoing interface is not configured for MPLS forwarding. Even if LDP assigns a label, the interface must have mpls ip enabled for label imposition to occur.

1878
MCQmedium

A network engineer runs the following command to verify BFD with MPLS LDP: R1# show mpls ldp neighbor 10.6.6.2 detail Peer LDP Ident: 10.6.6.2:0, Local LDP Ident: 10.6.6.1:0 TCP connection: 10.6.6.2.646 - 10.6.6.1.53456 State: Oper; Msgs sent/rcvd: 100/100; Downstream Up time: 00:10:00 LDP discovery sources: GigabitEthernet0/2, hello interval: 5 s, hello hold: 15 s Addresses bound to peer LDP ident: 10.6.6.2 10.7.7.2 BFD enabled, BFD state: UP What does this output indicate?

A.BFD is enabled for LDP, allowing faster LDP session failure detection.
B.BFD is disabled for this LDP session.
C.LDP is using BFD only for IPv6.
D.BFD state is DOWN, so LDP uses its own hello timers.
AnswerA

BFD is enabled and UP, enabling sub-second detection for LDP.

Why this answer

The output shows that BFD is enabled for the LDP session and the BFD state is UP, providing fast failure detection for MPLS LDP neighbor.

1880
Multi-Selecthard

Which TWO configuration steps are required to filter routes using a prefix-list in a route-map applied to a BGP neighbor? (Choose TWO.)

Select 2 answers
A.Configure a prefix-list with permit or deny statements for the desired prefixes.
B.Create a route-map that uses the 'match ip address prefix-list' command to reference the prefix-list.
C.Define an extended access-list to match the prefixes.
D.Apply the route-map to the BGP neighbor using the 'neighbor x.x.x.x route-map' command.
E.Use the 'network' command under BGP to advertise the filtered routes.
AnswersA, B

The prefix-list defines which prefixes to match.

Why this answer

To filter routes, you must define the prefix-list to match the desired prefixes, then create a route-map that uses the prefix-list in a match statement. The route-map is then applied to the BGP neighbor. Defining an access-list is an alternative but not required if using a prefix-list.

The 'network' command under BGP is for originating routes, not filtering. The 'distribute-list' command is a separate method and does not use a route-map.

1881
MCQmedium

A network engineer is troubleshooting a BGP route-map that is supposed to set a community value on routes from a specific neighbor. The engineer configures a route-map with 'set community 100:100' and applies it inbound to the neighbor. After the configuration, the engineer checks the BGP table on the local router and sees that the routes do not have the community set. What is the most likely cause?

A.The neighbor is missing the 'send-community' command under the BGP neighbor configuration.
B.The route-map is applied outbound instead of inbound.
C.The community value 100:100 is reserved and cannot be used.
D.The route-map has a 'match community' statement that is filtering the routes before the set command.
AnswerA

Correct because communities are not exchanged without this command.

Why this answer

By default, BGP does not send or receive communities unless the 'neighbor send-community' command is configured. Even if the route-map sets the community, the router will not attach it to the routes unless the neighbor is configured to send communities.

1882
MCQhard

An engineer configures an IPv6 manual tunnel between two routers. The tunnel is up, but when the engineer tries to ping the IPv6 address of the remote tunnel endpoint, the ping fails. The engineer checks the routing table and sees that the remote IPv6 network is reachable via the tunnel. What is the most likely cause?

A.The IPv6 addresses on the tunnel interfaces are not in the same subnet; manual tunnels require both endpoints to be in the same IPv6 subnet.
B.The tunnel interface is not configured with 'tunnel mode ipv6ip'.
C.The IPv4 address of the remote router is not reachable via the routing table.
D.The 'ipv6 enable' command is missing on the tunnel interface.
AnswerA

Manual tunnels are point-to-point; the IPv6 addresses must be in the same subnet for direct connectivity. If not, the router will try to route the packet, which may fail.

Why this answer

In a manual IPv6 tunnel (RFC 4213), the tunnel source and destination are IPv4 addresses, and the IPv6 addresses configured on the tunnel interfaces are not required to be in the same subnet. The ping fails because the router cannot determine the correct next-hop IPv4 address for the destination IPv6 address; manual tunnels rely on a static route pointing to the remote IPv6 prefix via the tunnel interface, not on the IPv6 subnet of the tunnel endpoints. The correct answer is A because the statement that both endpoints must be in the same IPv6 subnet is false, but the question presents it as the 'most likely cause'—in reality, the issue is typically a missing or incorrect static route for the remote IPv6 network, not the subnet mismatch.

Exam trap

Cisco often tests the misconception that tunnel interfaces must have IPv6 addresses in the same subnet, similar to Ethernet interfaces, when in fact manual tunnels are point-to-point and rely on static routing, not subnet matching.

How to eliminate wrong answers

Option A is incorrect because manual tunnels do not require the IPv6 addresses on the tunnel interfaces to be in the same subnet; the tunnel is a point-to-point link and the IPv6 addresses can be from different subnets. Option B is wrong because 'tunnel mode ipv6ip' is the correct mode for an IPv6 manual tunnel, and if it were missing, the tunnel would not come up at all. Option C is wrong because the engineer confirmed the remote IPv6 network is reachable via the tunnel in the routing table, implying the IPv4 destination is reachable; if the IPv4 address were unreachable, the tunnel would be down or the route would not appear.

Option D is wrong because 'ipv6 enable' is not required on a tunnel interface that already has an explicit IPv6 address configured; it is only needed to enable IPv6 on an interface without a configured IPv6 address.

1883
MCQhard

An engineer configures OSPF on two routers connected via a serial link. Both routers show the neighbor state as EXSTART/EXSTART, and no LSAs are exchanged. The engineer verifies that the OSPF process IDs are the same, areas match, and authentication is correct. Which is the most likely explanation?

A.MTU mismatch between the two routers
B.OSPF network type mismatch (e.g., point-to-point vs broadcast)
C.OSPF hello interval mismatch
D.OSPF dead interval mismatch
AnswerA

Correct. An MTU mismatch causes DBD packets to be dropped, preventing the neighbor from advancing past EXSTART.

Why this answer

In OSPF, when neighbors are stuck in EXSTART, it often indicates an MTU mismatch. OSPF uses the interface MTU to determine the size of Database Description (DBD) packets. If the MTU differs, the receiving router will reject DBD packets larger than its own MTU, causing the neighbor to remain in EXSTART.

This is a common edge case because MTU is not always checked during initial troubleshooting.

1884
Multi-Selectmedium

Which TWO configuration steps are required to implement static NAT on a Cisco IOS router? (Choose TWO.)

Select 2 answers
A.Configure ip nat inside source static <inside-local> <inside-global> in global configuration mode.
B.Apply the ip nat inside command on the interface facing the internal network.
C.Apply the ip nat outside command on the interface facing the internal network.
D.Configure an access list to match the inside local addresses for translation.
E.Enable the ip nat service command globally to activate NAT.
AnswersA, B

This command creates a permanent mapping between a private inside address and a public global address.

Why this answer

Static NAT requires defining a one-to-one mapping between inside local and inside global addresses, and then applying the ip nat inside and ip nat outside commands on the respective interfaces.

1885
MCQmedium

A network engineer runs the following command to troubleshoot a DMVPN spoke not registering with the hub: R2# debug nhrp NHRP: Send Registration Request via Tunnel0 10.0.0.2, target 10.0.0.1 NHRP: Receive Registration Reply via Tunnel0 10.0.0.1, src 10.0.0.1, dst 10.0.0.2 NHRP: Registration successful for 10.0.0.2/32 via Tunnel0 What does this output indicate?

A.The spoke is unable to reach the hub; the registration request is being sent but no reply is received.
B.The spoke has successfully registered its tunnel IP 10.0.0.2/32 with the hub at 10.0.0.1.
C.The spoke is sending a registration request to 10.0.0.1 but the hub is not responding, causing a timeout.
D.The spoke is attempting to register with the wrong hub IP address.
AnswerB

Correct: The debug shows the registration request and reply, ending with 'Registration successful'.

Why this answer

The debug output shows a successful NHRP registration: the spoke sends a registration request to the hub and receives a reply, confirming that the spoke's tunnel IP is registered with the hub.

1886
Multi-Selecthard

An engineer is troubleshooting BGP convergence issues. Which THREE commands can be used to verify BGP path selection and best path criteria? (Choose THREE.)

Select 3 answers
A.show ip bgp <prefix>
B.show ip route bgp
C.show ip bgp neighbors <neighbor> routes
D.show ip bgp
E.show ip bgp community <community>
AnswersA, C, D

Correct. This command displays all paths for a prefix, including the best path indicator and path attributes.

Why this answer

BGP path selection can be verified using 'show ip bgp <prefix>' to see the best path and all paths, 'show ip bgp neighbors <neighbor> routes' to see received routes, and 'show ip bgp' to see the BGP table summary. 'show ip route bgp' shows only the RIB, not the BGP decision process. 'show ip bgp community' filters by community but does not show path selection details.

1887
MCQeasy

Consider the configuration snippet: logging 192.168.1.10 vrf Mgmt-intf logging source-interface Vlan1 logging trap 6 What is the effect of the 'logging trap 6' command?

A.Only messages of severity 6 are sent to the syslog server.
B.Messages of severity 0 through 6 are sent to the syslog server.
C.Messages of severity 6 through 7 are sent to the syslog server.
D.The number 6 is invalid; only named levels are accepted.
AnswerB

Level 6 (informational) includes severities 0-6.

Why this answer

The 'logging trap' command accepts either a severity level name or number. Level 6 corresponds to 'informational'. This means messages with severity 0-6 are sent to the syslog server.

1888
MCQhard

A network engineer runs the following command on Router R1: R1# show ip ospf database OSPF Router with ID (10.1.1.1) (Process ID 1) Router Link States (Area 0) Link ID ADV Router Age Seq# Checksum Link count 10.1.1.1 10.1.1.1 120 0x80000002 0x00A1B2 3 10.1.1.2 10.1.1.2 200 0x80000001 0x00B2C3 2 10.1.1.3 10.1.1.3 150 0x80000003 0x00C3D4 4 Net Link States (Area 0) Link ID ADV Router Age Seq# Checksum 192.168.12.2 10.1.1.2 180 0x80000001 0x00D4E5 Based on this output, what can be concluded?

A.Router R1 is the DR on the segment 192.168.12.0/24.
B.Router 10.1.1.2 is the DR on the segment 192.168.12.0/24.
C.Router 10.1.1.3 has the highest router ID.
D.There is a network LSA for every broadcast segment in area 0.
AnswerB

The net link state with Link ID 192.168.12.2 is advertised by 10.1.1.2, meaning it is the DR on that segment.

Why this answer

The database shows router link states for three routers and one net link state. The net link state is advertised by 10.1.1.2, indicating it is the DR on the segment 192.168.12.0/24. The absence of other net link states suggests only one broadcast segment exists.

1889
MCQhard

An engineer configures OSPFv3 with a filter-list on an ABR to filter prefixes. After configuration, the routes are still being advertised. Which is the most likely explanation?

A.The filter-list only filters inter-area prefixes, not external routes.
B.The filter-list is applied to the wrong area.
C.The filter-list uses an incorrect prefix-list.
D.The OSPFv3 process needs to be restarted.
AnswerA

Filter-list in OSPFv3 applies to type 3 LSAs only, not type 5 LSAs.

Why this answer

In OSPFv3, prefix filtering is done using the 'prefix-list' or 'filter-list' command under the area. However, the filter-list in OSPFv3 filters type 3 LSAs (inter-area prefixes) but not type 5 LSAs (external routes). If the routes being advertised are external, the filter-list will not affect them.

1890
Multi-Selecthard

Which TWO statements about DHCP IPv6 (DHCPv6) operation are true? (Choose TWO.)

Select 2 answers
A.DHCPv6 servers listen on UDP port 547.
B.Stateless DHCPv6 is used to provide DNS server information to clients that obtain their IPv6 address via SLAAC.
C.DHCPv6 can only be used in stateless mode.
D.DHCPv6 uses UDP ports 67 and 68, just like DHCPv4.
E.DHCPv6 relies on ARP to discover DHCPv6 servers.
AnswersA, B

DHCPv6 uses UDP port 547 for server communication.

Why this answer

DHCPv6 servers listen on UDP port 547, while DHCPv6 clients use UDP port 546. This is defined in RFC 3315 and is a key distinction from DHCPv4, where servers listen on port 67 and clients on port 68. The server uses port 547 to receive requests from clients, ensuring proper separation of DHCPv6 traffic.

Exam trap

Cisco often tests the misconception that DHCPv6 uses the same UDP ports as DHCPv4 (67/68) or that it can only run in stateless mode, leading candidates to incorrectly select options D or C.

1891
Multi-Selecthard

Which TWO statements about ERSPAN source session configuration are correct? (Choose TWO.)

Select 2 answers
A.The source session must include the 'type erspan-source' keyword.
B.The source session can use an IPv6 address for the destination without any additional configuration.
C.The source session must specify the 'erspan-id' and 'ip address' under the destination configuration.
D.The source session can be configured to use a VRF for the destination IP reachability.
E.The source session automatically creates a GRE tunnel interface that can be verified with 'show ip interface brief'.
AnswersA, C

Correct. The 'monitor session <session> type erspan-source' command defines the session as an ERSPAN source.

Why this answer

ERSPAN encapsulates mirrored traffic in GRE and sends it over an IP network. The source session must specify a type (ethernet or vlan), source interfaces or VLANs, and the destination ERSPAN ID along with the IPv4 or IPv6 address of the destination. The destination session on the remote switch decapsulates the GRE tunnel and presents the traffic to a local destination port.

1892
MCQhard

A DMVPN network with EIGRP as the routing protocol is experiencing spoke-to-spoke tunnel failures. Spoke routers R1 and R2 are both connected to hub R3. R1 shows: 'show ip nhrp' lists R2's NBMA address, but 'show ip eigrp neighbors' does not show R2. R1's configuration: interface Tunnel0 ip nhrp network-id 1 ip nhrp nhs 10.0.0.3. What is the root cause?

A.R1 has no EIGRP configuration on the tunnel interface, so it does not send hellos over the tunnel.
B.R2's NHRP registration is incomplete, so R1 cannot reach R2's NBMA address.
C.The hub R3 is not configured to forward EIGRP packets between spokes.
D.R1's tunnel interface has an ACL that blocks EIGRP packets.
AnswerA

EIGRP must be enabled on the tunnel interface to establish neighbor relationships over it.

Why this answer

In DMVPN, spoke-to-spoke tunnels require NHRP to resolve the NBMA addresses. If EIGRP is not configured to use the tunnel interface for neighbor discovery, or if the EIGRP hello packets are not being sent over the tunnel, the neighbor relationship fails.

1893
MCQhard

Network management traffic from a monitoring server to routers R1, R2, and R3 is being blocked intermittently. The monitoring server uses SNMP and SSH. R1 configuration: access-list 100 permit udp any any eq snmp, access-list 100 permit tcp any any eq 22, access-list 100 deny ip any any, and 'ip access-group 100 in' on the management interface. R2 shows: 'show snmp' indicates SNMP is enabled. R3 shows: 'show ssh' indicates SSH is enabled. The monitoring server can reach R1 but not R2 or R3. What is the root cause?

A.The ACL permits only SNMP and SSH, but blocks other necessary traffic such as ICMP and routing protocol packets, preventing the monitoring server from reaching R2 and R3.
B.The ACL is applied in the wrong direction; it should be applied outbound to allow traffic from the management interface.
C.SNMP and SSH are not enabled on R2 and R3.
D.The monitoring server is not in the same subnet as the management interface, so routing is required but blocked by the ACL.
AnswerA

The implicit deny at the end of the ACL blocks all traffic not explicitly permitted, including ICMP echo requests and routing updates, which are needed for end-to-end connectivity.

Why this answer

The ACL on R1 is applied inbound on the management interface, which filters traffic coming into R1. However, for traffic to reach R2 and R3, it must traverse R1. The ACL permits SNMP and SSH to any destination, but the implicit deny at the end blocks other traffic, including routing protocols or ICMP needed for reachability.

Additionally, the ACL may be blocking return traffic if not applied correctly. The root cause is that the ACL is too restrictive, blocking necessary control plane traffic.

1894
MCQmedium

A network engineer runs the following command on Router R1: R1# show flow interface GigabitEthernet0/0 Interface GigabitEthernet0/0 FNF: enabled Ingress IPV4/IPV6 flow monitoring: enabled Exporter: EXPORTER1 Monitor: MONITOR1 Egress IPV4/IPV6 flow monitoring: disabled Ingress MPLS flow monitoring: disabled Egress MPLS flow monitoring: disabled Based on this output, what is the state of NetFlow on this interface?

A.NetFlow is fully enabled for both ingress and egress traffic.
B.NetFlow is only monitoring incoming traffic on this interface.
C.NetFlow is not configured on this interface.
D.NetFlow is only monitoring MPLS traffic.
AnswerB

Ingress is enabled, egress is disabled.

Why this answer

The output shows that NetFlow is enabled on the interface for ingress IPV4/IPV6 traffic, with an exporter and monitor configured. Egress monitoring is disabled. This indicates NetFlow is collecting data on incoming traffic.

1895
Multi-Selecthard

An engineer must enable BFD for an OSPF single-hop session between two directly connected routers. Which TWO configuration changes are required on each router? (Choose TWO.)

Select 2 answers
A.Configure the bfd interval command under the interface.
B.Configure the ip ospf bfd command under the interface.
C.Configure the bfd neighbor command under global configuration.
D.Configure the router ospf command and then use the bfd all-interfaces command.
E.Configure the bfd slow-timers command under the interface.
AnswersA, B

Correct. The bfd interval command enables BFD on the interface and sets the timers.

Why this answer

To enable BFD for OSPF, you must first enable BFD on the interface (bfd interval) and then enable BFD support under the OSPF routing process or interface (ip ospf bfd). The bfd neighbor command is for static BFD sessions, not OSPF. The router ospf command alone does not enable BFD.

The bfd all-interfaces command enables BFD on all OSPF interfaces but still requires interface-level BFD configuration.

1896
MCQhard

R1 and R2 are connected via a point-to-point serial link running OSPF. R1 has an IPsec tunnel protecting traffic between loopback0 (10.1.1.1/32) and R2's loopback0 (10.2.2.2/32). The crypto map is applied to the physical serial interface. OSPF adjacencies form, but routes are not installed correctly. R1's show ip route ospf shows a route to 10.2.2.2/32 via the serial interface, not the tunnel. What is the root cause?

A.The crypto map is applied to the physical serial interface instead of the tunnel interface.
B.OSPF network type on the serial interface is point-to-point, causing route preference over tunnel.
C.The tunnel interface has an incorrect IP address.
D.The IPsec transform set does not include ESP authentication.
AnswerA

Applying crypto to the physical interface encrypts OSPF traffic on that link, causing OSPF to form adjacency over the physical interface and install routes via the serial link, bypassing the tunnel.

Why this answer

When a crypto map is applied to the physical serial interface, IPsec encrypts the OSPF packets before they are sent, but the routing table still sees the next-hop via the physical interface (serial) rather than the tunnel interface. OSPF installs the route to 10.2.2.2/32 with the serial interface as the outgoing interface because the tunnel interface is not used for routing decisions; the route is learned via the physical interface adjacency. To have the route point to the tunnel interface, the crypto map must be applied to the tunnel interface (or a virtual tunnel interface like a GRE/IPsec tunnel) so that OSPF runs over the tunnel and installs the route via the tunnel interface.

Exam trap

Cisco often tests the misconception that applying a crypto map to the physical interface automatically makes OSPF routes point to the tunnel interface, but in reality, the routing table uses the interface over which the adjacency was formed, which remains the physical interface unless a tunnel interface is used.

How to eliminate wrong answers

Option B is wrong because the OSPF network type point-to-point on the serial interface does not cause route preference over the tunnel; it simply affects neighbor discovery and LSA flooding, not the interface used in the routing table. Option C is wrong because an incorrect IP address on the tunnel interface would prevent the tunnel from coming up or OSPF from forming an adjacency, but the question states OSPF adjacencies form, so the IP address is correct. Option D is wrong because the IPsec transform set lacking ESP authentication would cause IPsec to fail to establish or decrypt packets, but OSPF adjacencies form, indicating IPsec is working; authentication is not required for OSPF route installation.

1897
Drag & Dropmedium

Drag and drop the steps to perform mutual redistribution between OSPF and EIGRP into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

The correct order ensures that route filtering is applied before redistribution to prevent routing loops, and that redistribution is configured on both protocols symmetrically. First, identify the routing domains and interfaces. Second, configure route filtering using distribute-lists or route-maps to control which routes are exchanged.

Third, configure redistribution of EIGRP into OSPF. Fourth, configure redistribution of OSPF into EIGRP. Finally, verify the redistribution using show commands to confirm routes are exchanged correctly.

1898
Multi-Selectmedium

Which TWO commands would a network engineer use to verify NetFlow data export and flow monitor statistics on a Cisco IOS-XE router? (Choose TWO.)

Select 2 answers
A.show flow monitor name FLOW-MON cache
B.show ip cache flow
C.show ip flow export
D.debug ip flow export
E.show snmp mib ifmib ifindex
AnswersA, B

Displays the flow cache entries for a specific Flexible NetFlow monitor, including key fields and counters.

Why this answer

The 'show flow monitor name <name> cache' command displays detailed flow cache entries for a specific Flexible NetFlow monitor, including packet/byte counts and timestamps. The 'show ip cache flow' command is the traditional way to verify NetFlow statistics and export status. Option C ('show ip flow export') is plausible but shows only export parameters, not cache data.

Option D is a debug command not used for verification. Option E is for SNMP, not NetFlow.

1899
MCQmedium

Consider the following partial configuration on a Cisco router: ip access-list extended BLOCK_TELNET deny tcp any any eq 23 permit ip any any ! interface Serial0/0/0 ip access-group BLOCK_TELNET out ! line vty 0 4 transport input telnet password cisco login What is the effect of this configuration?

A.Telnet traffic from the router to remote devices via Serial0/0/0 is blocked; Telnet to the router itself is still allowed.
B.All Telnet traffic to and from the router is blocked.
C.The ACL has no effect because it is applied outbound and Telnet is a TCP protocol.
D.The configuration is invalid because the ACL name contains an underscore.
AnswerA

The outbound ACL blocks Telnet leaving the interface, but does not filter traffic destined to the router. VTY lines still accept Telnet.

Why this answer

The ACL BLOCK_TELNET is applied outbound on Serial0/0/0, so it filters traffic leaving that interface. Telnet traffic (TCP port 23) sourced from the router itself (e.g., a user initiating a Telnet session from the router's CLI) is subject to this outbound ACL and is denied. However, Telnet traffic destined to the router (i.e., incoming management sessions to the VTY lines) is not affected because the ACL is not applied inbound on any interface, and the VTY lines have their own authentication and transport input settings.

Exam trap

Cisco often tests the misconception that an outbound ACL on a router's interface will block Telnet sessions to the router itself, when in fact it only affects traffic exiting that interface, not traffic destined to the router's own IP addresses.

How to eliminate wrong answers

Option B is wrong because the ACL is applied outbound only on Serial0/0/0, so it does not block Telnet traffic entering the router (e.g., a remote user Telnetting into the router's VTY lines). Option C is wrong because an outbound ACL can filter Telnet traffic; the protocol (TCP) does not prevent outbound filtering—the ACL's direction determines which traffic is inspected. Option D is wrong because underscores are permitted in ACL names; the configuration is syntactically valid.

1900
MCQmedium

A network engineer is troubleshooting a sudden drop in NetFlow data on a Cisco router running IOS-XE 17.x. The engineer verifies that 'ip flow-export destination 10.1.1.100 2055' is configured, and the collector is reachable. However, 'show ip flow export' shows zero packets exported. What is the most likely cause?

A.The collector IP address is incorrect.
B.No flow monitor is applied to any interface.
C.The export version is set to 9 but the collector expects version 5.
D.The router is in a VRF that is not configured for NetFlow export.
AnswerB

NetFlow data is only generated when a monitor or flow is enabled on an interface; without it, no flows are exported.

Why this answer

The issue is that NetFlow generation requires at least one monitor or flow record to be applied to an interface. Without a 'ip flow monitor' or 'ip route-cache flow' command on an interface, no flows are created and thus nothing is exported.

1901
MCQhard

An engineer configures BFD on an OSPF link and also applies a distribute-list outbound under the OSPF process. The BFD session is up, but OSPF routes are not being advertised to the neighbor. The engineer verifies that the distribute-list is correctly configured. What is the most likely cause?

A.The distribute-list is applied outbound, but OSPF distribute-lists only filter routes in the routing table, not LSAs, so the routes are still advertised.
B.The BFD session is flapping due to a mismatch in the 'bfd interval' command, causing OSPF to withdraw routes.
C.The distribute-list references an ACL that denies the network, but OSPF uses type 3 LSAs that are not affected by ACLs.
D.The 'area range' command is configured on the ABR, summarizing the route, and the distribute-list is filtering the summary.
AnswerA

Correct. OSPF distribute-lists outbound do not filter LSAs; they only filter routes from being installed in the routing table. The neighbor will still receive the LSA.

Why this answer

OSPF distribute-lists only filter routes in the routing table, not LSAs. If the distribute-list is filtering the route, OSPF will still advertise the LSA to the neighbor, but the neighbor will not install the route. However, if the distribute-list is applied inbound, it can prevent the route from being installed.

The edge case here is that the distribute-list is applied outbound, which has no effect on OSPF LSA flooding. BFD does not interact with distribute-lists.

1902
Multi-Selecthard

Which TWO statements correctly describe the behavior of OSPFv3 when troubleshooting neighbor adjacency issues on a Cisco IOS-XE router? (Choose TWO.)

Select 2 answers
A.OSPFv3 neighbor adjacencies are formed using the link-local IPv6 address of the neighbor.
B.The OSPFv3 router ID is a 128-bit value derived from the highest loopback IPv6 address.
C.The 'ipv6 router ospf' command is used to enable OSPFv3 on an interface.
D.The 'show ipv6 ospf neighbor' command displays the link-local address of each neighbor.
E.OSPFv3 uses the network type configured under the OSPFv3 process globally, not per interface.
AnswersA, D

Correct. OSPFv3 uses IPv6 link-local addresses for neighbor discovery and adjacency formation, not global unicast addresses.

Why this answer

OSPFv3 uses link-local addresses for neighbor adjacency formation and relies on IPv6 link-local addresses for next-hop resolution. The router ID is still a 32-bit value, and the network type must be configured under the interface. The 'ipv6 ospf' command is used to enable OSPFv3 on an interface, not 'ipv6 router ospf'.

1903
MCQhard

A network engineer runs the following command on Router R1: R1# show ip ospf database router 10.1.1.2 OSPF Router with ID (10.1.1.1) (Process ID 1) Router Link States (Area 0) LS age: 150 Options: (No TOS-capability, DC) LS Type: Router Links Link State ID: 10.1.1.2 Advertising Router: 10.1.1.2 LS Seq Number: 80000002 Checksum: 0x1234 Length: 48 Number of Links: 2 Link connected to: a Transit Network (Link ID) Designated Router address: 192.168.12.2 (Link Data) Router Interface address: 192.168.12.2 Number of TOS metrics: 0 TOS 0 Metrics: 10 Link connected to: a Stub Network (Link ID) Network/subnet number: 10.2.2.0 (Link Data) Network Mask: 255.255.255.0 Number of TOS metrics: 0 TOS 0 Metrics: 10 Based on this output, which statement is correct?

A.Router 10.1.1.2 is connected to a transit network and a stub network.
B.Router 10.1.1.2 is the DR on the transit network.
C.Router 10.1.1.2 has a cost of 20 to reach the stub network.
D.Router 10.1.1.2 is not advertising any external routes.
AnswerA

The LSA lists two links: one transit (to the DR) and one stub (10.2.2.0/24).

Why this answer

The router LSA from 10.1.1.2 shows two links: one transit network (to the DR address) and one stub network (10.2.2.0/24). The transit link indicates it is connected to a broadcast segment where it is the DR (since it lists its own interface address as DR address).

1904
MCQhard

A network engineer runs the following command to debug IPv6 uRPF with detailed information: R1# debug ipv6 verify detail IPv6 verify debugging is on (detail) *Mar 1 00:03:45.678: IPv6 verify: source 2001:DB8:5::1 on GigabitEthernet0/0 *Mar 1 00:03:45.678: route to source via GigabitEthernet0/1, not same as input interface What does this output indicate?

A.The packet will be dropped because strict uRPF requires the return path to be through the same interface.
B.The packet will be forwarded because a route exists.
C.The packet will be forwarded because uRPF is loose.
D.The router will change the route to use GigabitEthernet0/0.
AnswerA

Correct. Strict uRPF checks that the best route to the source uses the same interface as the packet arrived on.

Why this answer

The debug output shows that a packet from source 2001:DB8:5::1 arrived on GigabitEthernet0/0, but the route to that source points out GigabitEthernet0/1. With strict uRPF, this packet will be dropped because the return path is not through the receiving interface.

1905
MCQhard

A network engineer runs the following command on Router R1: R1# show bgp ipv4 unicast 10.4.4.0/24 BGP routing table entry for 10.4.4.0/24, version 8 Paths: (1 available, best #1, table default) Not advertised to any peer Refresh Epoch 1 65006 10.1.16.6 from 10.1.16.6 (10.6.6.6) Origin IGP, metric 0, localpref 100, valid, external, best rx pathid: 0, tx pathid: 0x0 Based on this output, what is the most likely reason the route is not advertised to any peer?

A.The route has a local preference of 100, which is too low.
B.There is an outbound route-map or prefix-list filtering the route.
C.The BGP session to the neighbor is down.
D.The route is not in the routing table.
AnswerB

The most common reason for a valid best route not being advertised is outbound filtering applied to the neighbor.

Why this answer

The route is valid and best, but not advertised. This could be due to outbound filtering (route-map, prefix-list) applied to the BGP neighbor, or the neighbor might not be configured to receive this prefix. Another possibility is that the route is suppressed by a policy.

1906
MCQmedium

A network engineer runs the following command on Router R5: R5# show ip route 192.168.100.0 Routing entry for 192.168.100.0/24 Known via "static", distance 1, metric 0 Redistributing via ospf 1 Last update from 10.0.0.2 on GigabitEthernet0/1, 00:00:05 ago Routing Descriptor Blocks: * 10.0.0.2, via GigabitEthernet0/1 Route metric is 0, traffic share count is 1 Based on this output, what is the likely issue if this route is not being preferred over an EIGRP route with distance 90?

A.The static route is not preferred because its distance is higher than EIGRP's default distance of 90.
B.The static route may have been configured with a higher distance as a floating static route.
C.EIGRP always has a lower administrative distance than static routes.
D.The static route is redistributed into OSPF, which changes its distance.
AnswerB

If the static route is not preferred, it might have a manually configured distance greater than 90, making it a floating static route.

Why this answer

The static route has a default distance of 1, which is lower than EIGRP's default distance of 90. If the static route is not preferred, it may have a higher distance if configured as a floating static route, or the EIGRP route may have a lower distance due to configuration.

1907
MCQmedium

A network engineer is troubleshooting an OSPFv2 adjacency issue between two directly connected routers, R1 and R2, both running IOS-XE. The link is a point-to-point Ethernet link. The engineer issues 'show ip ospf neighbor' on R1 and sees no neighbors. 'show ip ospf interface GigabitEthernet0/0' on R1 shows 'Network Type BROADCAST', but the link is actually a point-to-point link. Both routers have 'ip ospf 1 area 0' configured on the interface. What is the most likely cause of the adjacency not forming?

A.The OSPF network type mismatch between the two routers (one is BROADCAST, the other is POINT-TO-POINT).
B.The routers have duplicate OSPF router IDs.
C.The interface is configured with 'ip ospf passive-interface'.
D.The OSPF process is not enabled globally; 'router ospf 1' is missing.
AnswerB

Duplicate router IDs prevent OSPF adjacency from forming; each router must have a unique router ID.

Why this answer

The default OSPF network type on Ethernet interfaces is BROADCAST, which requires a DR/BDR election and uses multicast 224.0.0.5 and 224.0.0.6. On a point-to-point link, if both routers do not agree on the network type, they may not form an adjacency because the hello packets are sent differently. However, since both are BROADCAST, they should form an adjacency.

The real issue is likely a mismatch in OSPF network type if one side is manually set to POINT-TO-POINT, but here both are BROADCAST. A more common cause is that the interface is administratively down or there is a Layer 1 issue, but the stem indicates the interface is up. Another common cause is that the router IDs are not configured, leading to OSPF not starting.

The most likely cause in this scenario is that the routers have duplicate router IDs, which prevents adjacency formation. The stem does not mention router IDs, so the best answer is that the engineer should check for duplicate router IDs.

1908
MCQmedium

A network engineer runs the following command to verify IPv6 traffic filtering with logging: R1# show logging | include FILTER *Mar 1 00:04:56.789: %IPV6_ACL-6-ACCESSLOGDP: list FILTER denied tcp 2001:DB8:2::1(12345) -> 2001:DB8:3::1(80), 1 packet What does this output indicate?

A.A TCP packet from 2001:DB8:2::1 to destination 2001:DB8:3::1 port 80 was denied by the access list.
B.A TCP packet was permitted by the access list.
C.The access list is not applied to any interface.
D.The packet was dropped due to uRPF.
AnswerA

Correct. The log clearly indicates the denied packet details.

Why this answer

The log message shows that a TCP packet from 2001:DB8:2::1 to 2001:DB8:3::1 was denied by the access-list FILTER. This is consistent with the deny entry for 2001:DB8:2::/48.

1909
MCQhard

An engineer configures IPv6 uRPF strict mode on an interface that is used for both IPv6 traffic and OSPFv3 routing. The router is an ABR with multiple areas. OSPFv3 adjacencies form correctly, but some IPv6 data traffic is dropped. The show ipv6 interface command shows uRPF is enabled. Which is the most likely explanation?

A.The router has a default route pointing to a different interface, and uRPF strict mode without 'allow-default' drops packets whose source address is reachable via the default route.
B.OSPFv3 adjacencies use link-local addresses, which are not checked by uRPF, but data traffic uses global addresses that are incorrectly filtered by the OSPFv3 process.
C.The router has 'ipv6 uRPF allow-default' configured, but the default route is not installed, causing all traffic to be dropped.
D.The interface has an IPv6 ACL that denies traffic from certain prefixes, overriding uRPF.
AnswerA

Correct. uRPF strict mode checks the specific route, not the default. If the source address is only matched by a default route via another interface, the packet is dropped.

Why this answer

uRPF strict mode checks the source address of incoming packets against the routing table. For a router that is an ABR, some routes may be learned via OSPFv3 inter-area or external routes. If the routing table has multiple paths, the reverse path may not be via the incoming interface.

Additionally, OSPFv3 uses link-local addresses for adjacencies, which are not affected because uRPF is not applied to OSPFv3 packets if the router uses 'ipv6 uRPF' but OSPFv3 packets are sourced from link-local addresses that are not in the routing table, but the engineer may have configured 'allow-default' or not. The edge case: uRPF strict mode can drop traffic that arrives on a different interface than the best reverse path, especially if the router has multiple interfaces in the same area or different areas. However, a more subtle issue: if the router has a default route via another interface, uRPF strict mode without 'allow-default' will drop packets whose source address matches the default route because the default route points to a different interface.

1910
Multi-Selecthard

Which TWO actions will prevent an IPsec site-to-site VPN tunnel from coming up when using IKEv2 and pre-shared keys? (Choose TWO.)

Select 3 answers
A.The pre-shared key configured on one router does not match the key on the peer.
B.An ACL on the router's outside interface blocks UDP port 500.
C.An ACL on the router's outside interface blocks UDP port 4500.
D.The IPsec SA lifetime is set to 3600 seconds on one router and 7200 seconds on the peer.
E.The transform set on one router uses ESP-AES and the peer uses ESP-3DES.
AnswersA, B, E

Correct. Authentication will fail, and the IKE SA will not be established.

Why this answer

Option A is correct because IKEv2 uses pre-shared keys (PSK) for authentication during the IKE_SA_INIT exchange. If the PSK configured on one router does not match the key on the peer, the authentication check fails, and the IKEv2 session is terminated before any IPsec SAs can be established. This mismatch directly prevents the VPN tunnel from coming up.

Exam trap

Cisco often tests the misconception that blocking UDP port 4500 alone will prevent the tunnel, but the trap is that NAT-T uses port 4500 only after detecting NAT, and the initial IKE exchange always requires UDP port 500, so blocking only port 4500 does not stop the tunnel unless NAT is present and the router fails to negotiate port 500 fallback.

1911
MCQhard

A network engineer runs the following command on Router R1: R1# show route-map REDISTRIBUTE route-map REDISTRIBUTE, permit, sequence 10 Match clauses: ip address prefix-list EIGRP_ROUTES Set clauses: metric 100 metric-type type-1 tag 200 Policy routing matches: 0 packets, 0 bytes route-map REDISTRIBUTE, deny, sequence 20 Match clauses: ip address prefix-list DENY_ALL Set clauses: Policy routing matches: 0 packets, 0 bytes Based on this output, what is the problem?

A.The route-map will redistribute all routes that match prefix-list EIGRP_ROUTES with metric 100 and type-1.
B.The route-map has a deny sequence that may block all routes if prefix-list DENY_ALL is configured to permit all.
C.The route-map will only redistribute routes with tag 200.
D.The route-map is not applied to any redistribution command, so it has no effect.
AnswerB

If DENY_ALL is a catch-all prefix-list (e.g., permit 0.0.0.0/0 le 32), then sequence 20 will deny all routes, overriding sequence 10.

Why this answer

The route-map has a deny sequence 20 that matches prefix-list DENY_ALL. If DENY_ALL is configured to permit all (e.g., permit 0.0.0.0/0 le 32), then all routes will be denied after sequence 10, effectively blocking redistribution. The problem is that the deny sequence may unintentionally block routes that should be redistributed.

1912
MCQmedium

Which statement correctly describes the behavior of the 'set metric' command in a route-map when applied to redistributed routes into OSPF?

A.It sets the OSPF metric to a value between 1 and 65535, with a default of 10.
B.It sets the OSPF metric to a value between 1 and 65535, with a default of 20.
C.It sets the OSPF metric to a value between 1 and 16777215, with a default of 20.
D.It sets the OSPF metric to a value between 1 and 255, with a default of 1.
AnswerB

Correct. The default metric for redistributed OSPF routes is 20.

Why this answer

When redistributing into OSPF, the 'set metric' command sets the metric type and value. The default metric type is E2 (external type 2), and the default metric value is 20.

1913
MCQeasy

A network engineer runs the following command on Router R1: R1# show dmvpn Legend: Attrb -> S: Static, D: Dynamic, I: Incomplete N: NATed, L: Local, X: No Socket # Ent -> Number of NHRP entries with same NBMA peer NHS Status: E => Expecting Replies, R => Responding, W => Waiting UpDn Time -> Up or Down Time for a Tunnel ========================================================================== Interface: Tunnel0, IPv4 NHRP Details Type:Hub, NHRP Peers:2, # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb ----- --------------- --------------- ----- -------- ----- 1 192.168.1.2 10.0.0.2 UP 00:15:30 D 1 192.168.1.3 10.0.0.3 UP 00:10:20 D Based on this output, what is the role of Router R1?

A.Router R1 is a DMVPN spoke.
B.Router R1 is a DMVPN hub.
C.Router R1 is a DMVPN server.
D.Router R1 is a DMVPN client.
AnswerB

The output explicitly states 'Type:Hub'.

Why this answer

The output shows 'Type:Hub', indicating that Router R1 is configured as a DMVPN hub. It has two dynamic peers (spokes) connected.

1914
MCQhard

An engineer configures an IPsec site-to-site VPN between two routers. The tunnel comes up, but traffic is not encrypted. Which is the most likely explanation?

A.The crypto ACL does not match the traffic that is being sent.
B.The transform set uses ESP with null encryption.
C.The ISAKMP policy has the wrong authentication method.
D.The pre-shared key is incorrect.
AnswerA

Correct. Interesting traffic must match the ACL for encryption.

Why this answer

IPsec encryption requires interesting traffic to trigger the tunnel. If the crypto ACL (access list) defining interesting traffic does not match the actual traffic (e.g., wrong source/destination or protocol), the traffic will be sent in the clear. Additionally, if the crypto map is not applied to the correct interface, encryption may not occur.

1915
Multi-Selectmedium

Which TWO configuration steps are required to set up an ERSPAN session on a Cisco IOS-XE device? (Choose TWO.)

Select 2 answers
A.monitor session 1 type erspan-source
B.destination erspan-id 1 ip address 192.168.1.100
C.shutdown
D.no monitor session 1
E.ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/1
AnswersA, B

Creates an ERSPAN source session on the device.

Why this answer

ERSPAN encapsulates monitored traffic in GRE and sends it to an IP destination. The 'monitor session 1 type erspan-source' command defines the session as an ERSPAN source. The 'destination' command under that session specifies the IP address of the destination. 'source' is also needed but is not listed as an option here; 'shutdown' disables the session, 'no monitor session' removes it, and 'ip route' is for routing, not ERSPAN configuration.

1916
MCQhard

BGP attribute manipulation causes unexpected path selection. Router R1 and R2 are eBGP peers. R1 receives prefix 172.16.0.0/16 from R2 with MED 50 and from another peer R3 with MED 100. R1 has configuration: 'route-map SET-MED permit 10 set metric 200' applied to neighbor R2 inbound. R1 shows 'show ip bgp 172.16.0.0' output: 'BGP routing table entry for 172.16.0.0/16, version 2, Paths: (2 available, best #2) Path #1: from R2 with MED 200, Path #2: from R3 with MED 100'. The best path is via R3, but the network expects R2 to be preferred. What is the root cause?

A.The 'bgp always-compare-med' command is missing, causing MED to be ignored for paths from different ASes.
B.The route-map SET-MED should be applied outbound on R2, not inbound.
C.R2's next-hop is unreachable via IGP, causing R1 to ignore R2's path.
D.R1 has 'bgp bestpath med missing-as-worst' configured, causing missing MED to be treated as worst.
AnswerA

Without this command, MED is only compared within same AS, so R2's lower MED (200 vs 100) is not considered, and R3's path is chosen.

Why this answer

BGP best path selection uses MED only if paths are from the same AS (if 'bgp always-compare-med' is not configured). Since R2 and R3 are different ASes, MED is not compared; instead, the next tie-breaker (e.g., IGP metric to next-hop) selects R3. The route-map sets MED on R2's routes, but it does not affect the comparison because of AS path difference.

1917
MCQhard

An engineer configures IPsec between two routers using transform-set esp-aes 256 esp-sha-hmac. The tunnel fails to establish. Debug shows 'transform set proposal mismatch'. Which is the most likely explanation?

A.The other router uses 'esp-aes' without specifying the key length, defaulting to 128-bit, causing a mismatch.
B.The transform-set uses SHA-1, which is not supported by the other router.
C.The IPsec proposal includes both esp-aes and esp-3des, causing confusion.
D.The transform-set is missing the authentication header.
AnswerA

If one side specifies 256-bit and the other defaults to 128-bit, the transform sets do not match.

Why this answer

The transform-set must match exactly on both ends, including the encryption and hash algorithms. A common edge case is that one side uses 'esp-aes 256' while the other uses 'esp-aes', which defaults to 128-bit. The mismatch causes the proposal to be rejected.

1918
MCQhard

An engineer configures an IPv6 ACL on a router interface to permit only specific ICMPv6 types (e.g., echo request and echo reply) and deny all other IPv6 traffic. After applying the ACL inbound, the router stops forming IPv6 neighbor discoveries (ND) and the interface loses IPv6 connectivity. Which is the most likely explanation?

A.The ACL denies ICMPv6 types 133-137, which are required for Neighbor Discovery, causing the router to fail to resolve neighbors.
B.The ACL must be applied outbound, not inbound, to allow ND packets to be sent.
C.The router needs to have 'ipv6 nd suppress' configured to bypass ACL filtering for ND packets.
D.The ACL should use 'permit ipv6 any any' before the deny statements to allow ND, but the engineer placed it after.
AnswerA

Correct. ND uses ICMPv6 types 133-137; denying them breaks IPv6 connectivity.

Why this answer

IPv6 Neighbor Discovery (ND) uses ICMPv6 types 133-137 (router solicitation, router advertisement, neighbor solicitation, neighbor advertisement, redirect). If the ACL denies all ICMPv6 types except echo, ND packets are dropped, preventing address resolution and neighbor reachability. This is a common misconfiguration: engineers forget that ND is essential for IPv6 operation and must be permitted.

1919
MCQmedium

A network engineer runs the following command to troubleshoot a Control Plane Policing (CoPP) issue: R1# show ip ospf interface detail FastEthernet0/0 is up, line protocol is up Internet Address 10.1.1.1/24, Area 0.0.0.0, Attached via Network Statement Process ID 1, Router ID 10.1.1.1, Network Type BROADCAST, Cost: 1 Topology-MTID Cost Disabled Shutdown Topology Name 0 1 no no Base Transmit Delay is 1 sec, State DR, Priority 1 Designated Router (ID) 10.1.1.1, Interface address 10.1.1.1 Backup Designated router (ID) 10.1.1.2, Interface address 10.1.1.2 Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 oob-resync timeout 40 Hello due in 00:00:03 Supports Link-local Signaling (LLS) Index 1/1, flood queue length 0 Next 0x0(0)/0x0(0) Last flood scan length is 1, maximum is 25 Last flood scan time is 0 msec, maximum is 4 msec Neighbor Count is 1, Adjacent neighbor count is 1 Adjacent with neighbor 10.1.1.2 (Backup Designated Router) Suppress hello for 0 neighbor(s) What does this output indicate?

A.OSPF is not forming adjacencies due to CoPP dropping Hello packets.
B.OSPF is operating normally with one neighbor, suggesting CoPP is not impacting OSPF.
C.OSPF is experiencing DR/BDR election issues due to CoPP.
D.OSPF is not receiving Hello packets due to CoPP.
AnswerB

The interface is up, timers are normal, and an adjacency exists.

Why this answer

The detailed OSPF interface output shows that FastEthernet0/0 is operational, with a neighbor count of 1 and an adjacent neighbor (10.1.1.2) as BDR. This indicates OSPF is functioning correctly, and CoPP is not blocking OSPF packets.

1920
MCQhard

An engineer configures a Cisco router for SSH access. The router has an IP address on interface GigabitEthernet0/0, and the engineer generates RSA keys using the command 'crypto key generate rsa modulus 2048'. However, SSH connections fail with 'Connection refused'. What is the most likely cause?

A.The hostname and domain name are not configured.
B.The VTY lines are not configured with 'transport input ssh'.
C.The RSA key modulus is too small.
D.The IP address on GigabitEthernet0/0 is not in the same subnet as the client.
AnswerA

Correct because SSH uses the hostname and domain name to generate the RSA key pair; without them, the SSH server may not function.

Why this answer

SSH requires a fully qualified domain name (FQDN) to generate RSA keys. Without a configured hostname and domain name, the 'crypto key generate rsa' command may appear to succeed but actually generates default keys that are not bound to the router's identity, causing SSH to refuse connections. The 'ip domain-name' and 'hostname' commands are prerequisites for proper RSA key generation and SSH operation.

Exam trap

Cisco often tests the prerequisite order for SSH configuration, trapping candidates who focus on VTY transport settings or key modulus size instead of the fundamental requirement of a domain name for RSA key generation.

How to eliminate wrong answers

Option B is wrong because while 'transport input ssh' is required on VTY lines for SSH access, the immediate failure with 'Connection refused' typically occurs before VTY negotiation, and the question states SSH connections fail entirely, not that they are rejected after transport negotiation. Option C is wrong because a 2048-bit modulus is considered secure and is the recommended minimum for SSH; the issue is not key size but missing domain configuration. Option D is wrong because subnet mismatch would cause a timeout or unreachable error, not 'Connection refused', which indicates the router is actively rejecting the TCP connection to port 22.

1921
MCQhard

A network engineer configures Flexible NetFlow on a router that also runs CoPP (Control Plane Policing). After applying the flow monitor to the ingress interface, the router's CPU spikes and management traffic (SSH, SNMP) becomes intermittent. Router R1 shows: show policy-map control-plane | include (class|police) class CoPP-MGMT police rate 10000 pps. show flow monitor FLOW-MONITOR statistics | include (Packets|Dropped) Packets dropped: 5000. What is the root cause?

A.The flow monitor's cache size is too small, causing packet drops and CPU spikes due to cache overflow.
B.CoPP is rate-limiting NetFlow export packets because they are classified as management traffic, causing export failures and cache buildup.
C.The flow exporter is configured with a wrong destination IP, causing all export packets to be dropped by the router.
D.The flow monitor is applied in the output direction, causing a loop.
AnswerB

NetFlow export packets are sent from the control plane and are subject to CoPP. If the CoPP policy rate-limits management traffic, export packets will be dropped, leading to cache overflow and CPU spikes.

Why this answer

Flexible NetFlow can generate a large number of packets for export, especially if the flow monitor is configured to export all flows. These export packets are sent from the router's control plane, and if CoPP is policing management traffic, the export packets might be classified as management traffic and dropped. However, the show output indicates that the flow monitor itself is dropping packets, which suggests that the flow monitor's cache is full or that the export process is overwhelmed.

The correct answer is that the flow monitor's cache is too small, causing packets to be dropped before they can be exported, and the CPU spike is due to the export process consuming resources. But the CoPP is also rate-limiting the export packets, causing further drops. The root cause is that CoPP is rate-limiting the NetFlow export traffic, which is classified as management traffic, causing the export to fail and the cache to fill up.

1922
MCQmedium

What is the default administrative distance for a static route pointing to an interface (e.g., 'ip route 10.0.0.0 255.0.0.0 GigabitEthernet0/1')?

A.0
B.1
C.5
D.110
AnswerA

When a static route uses only an exit interface, it is considered directly connected and gets AD 0.

Why this answer

A static route configured with an exit interface (not a next-hop IP) has a default AD of 0, because it is treated as a directly connected route. However, if a next-hop IP is specified, the default AD is 1.

1923
MCQmedium

Examine this configuration on Router R4: ``` interface Tunnel0 ip address 10.0.0.1 255.255.255.252 ipv6 address 2001:DB8:6::1/64 tunnel source GigabitEthernet0/0 tunnel destination 172.16.1.2 tunnel mode gre ip ``` What will be the effect?

A.The tunnel will only carry IPv4 traffic because the mode is 'gre ip'.
B.The tunnel will successfully encapsulate both IPv4 and IPv6 payloads over IPv4.
C.The tunnel will fail because the tunnel source is an interface, not an IP address.
D.The tunnel mode should be 'ipv6ip' to carry IPv6 traffic.
AnswerB

GRE allows multiprotocol payload; the IPv4 and IPv6 addresses on the tunnel interface are valid.

Why this answer

The 'tunnel mode gre ip' command creates a generic routing encapsulation (GRE) tunnel over IPv4. GRE is protocol-agnostic and can encapsulate any Layer 3 protocol, including IPv4 and IPv6. The IPv6 address configured on the tunnel interface allows IPv6 traffic to be routed into the tunnel, where it is encapsulated in IPv4 packets and sent to the tunnel destination.

Therefore, the tunnel will successfully carry both IPv4 and IPv6 payloads.

Exam trap

Cisco often tests the misconception that 'tunnel mode gre ip' only supports IPv4 traffic, when in fact GRE is protocol-agnostic and can carry IPv6, IPX, or other Layer 3 protocols as payload.

How to eliminate wrong answers

Option A is wrong because 'gre ip' mode does not restrict the tunnel to only IPv4 payloads; GRE can encapsulate multiple protocols, including IPv6. Option C is wrong because the tunnel source can be specified as an interface (e.g., GigabitEthernet0/0), and the router will use that interface's primary IP address as the source; this is a valid configuration. Option D is wrong because 'ipv6ip' mode is a specific tunnel type for IPv6-in-IPv4 encapsulation without GRE overhead, but GRE is fully capable of carrying IPv6 traffic and is often preferred for its flexibility and support for additional features like multipoint or encryption.

1924
MCQhard

An engineer configures mutual redistribution between OSPF and EIGRP on a router. After a few minutes, the router's CPU spikes and routing loops occur. Which is the most likely explanation?

A.The seed metric for EIGRP was not configured, causing the route to be redistributed with an infinite metric.
B.The administrative distance of the redistributed routes is lower than the original, causing them to be preferred.
C.Routes redistributed from OSPF into EIGRP are then redistributed back into OSPF, creating a feedback loop.
D.The OSPF process ID must match on all routers; otherwise, redistribution fails.
AnswerC

Without filtering or tagging, redistributed routes can be re-injected into the original protocol, causing instability.

Why this answer

Mutual redistribution without route tagging or filtering can cause a routing loop. A route redistributed from OSPF into EIGRP can be redistributed back into OSPF, creating a feedback loop. This is a classic redistribution loop.

1925
Multi-Selecthard

Which TWO statements correctly describe the behavior of EIGRP stub routing and its impact on troubleshooting? (Choose TWO.)

Select 2 answers
A.A stub router configured with the 'leak-map' option can advertise specific routes learned from other EIGRP neighbors beyond the stub restrictions.
B.When a router is configured as an EIGRP stub with the 'connected' keyword, it automatically advertises all connected interfaces, including passive interfaces, to its neighbors.
C.If a stub router receives a query from its neighbor, it will reply with an 'infinite metric' (unreachable) for all routes that are not in its routing table, including those learned via redistribution.
D.The command 'show ip eigrp topology all-links' on a stub router displays only the routes that are in the routing table, as stub routers do not store feasible successors.
E.An EIGRP stub router configured with the 'static' keyword will automatically redistribute all static routes into EIGRP, even if the 'redistribute static' command is not present.
AnswersA, C

The leak-map feature allows a stub router to selectively advertise routes that would otherwise be blocked by the stub restriction, enabling controlled transit of certain routes.

Why this answer

EIGRP stub routing restricts the types of queries sent to a stub router and prevents it from acting as a transit router. Leak-map allows selective leaking of routes. The stub router does not send queries to its neighbors, but it can still receive queries from them. 'show ip eigrp topology' shows all routes, not just stub-learned ones.

The 'connected' keyword only advertises connected routes, not summary or static unless specified.

1926
MCQeasy

A network engineer runs the following command to troubleshoot an EIGRP issue: R1# show ip eigrp interfaces detail Interface GigabitEthernet0/0 EIGRP interface state: Enabled, Up Hello interval: 5 sec, Hold time: 15 sec Split horizon: Enabled Next multicast: 0.0.0.0, Next update: 0.0.0.0 Bandwidth: 10000 Kbit, Delay: 100 us Reliability: 255/255, Load: 1/255, MTU: 1500 Packets sent: 100, received: 95 Authentication: MD5, key chain: EIGRP-KEY Passive interface: No What does this output indicate?

A.EIGRP is using MD5 authentication with key chain EIGRP-KEY, and the interface is actively sending and receiving EIGRP packets.
B.EIGRP is configured as a passive interface, so no hellos are sent.
C.Split horizon is disabled, allowing route advertisement back to the source.
D.The interface is using plain-text authentication.
AnswerA

The output confirms authentication and active interface state.

Why this answer

The output shows that EIGRP is enabled on GigabitEthernet0/0 with MD5 authentication using key chain EIGRP-KEY. The interface is not passive, and split horizon is enabled. The hello and hold timers are default.

1927
MCQhard

Router R1 is configured with ip nat inside source list 100 interface GigabitEthernet0/1 overload. Internal hosts can access the internet, but traffic to a specific external server at 203.0.113.100 is being translated to a different source IP than expected. Router R1 shows: show ip nat translations: Pro Inside global Inside local Outside local Outside global --- 10.1.1.1 192.168.1.1 203.0.113.100 203.0.113.100. The server logs show connections from 10.1.1.1 instead of 203.0.113.1. What is the root cause?

A.The interface GigabitEthernet0/1 has a private IP address; configure a public IP or use a NAT pool.
B.The access-list 100 is incorrectly matching traffic.
C.The server is responding to the wrong IP due to asymmetric routing.
D.The NAT configuration is missing the 'overload' keyword.
AnswerA

If the interface IP is private, NAT will use that private IP, causing the issue.

Why this answer

The inside global address 10.1.1.1 is a private IP, indicating that the NAT is not translating to the public IP. This can happen if the interface GigabitEthernet0/1 has a private IP address or if there is a route-map that selects a different source. The correct fix is to ensure the interface has a public IP or use a NAT pool with public addresses.

1928
MCQmedium

A network engineer runs the following command to troubleshoot an ERSPAN issue: R1# show monitor session 5 detail Session 5 --------- Type : ERSPAN Destination Session Source IP : 10.1.1.2 ERSPAN ID : 100 Destination Ports : Gi0/3 Encapsulation : Native Ingress : Disabled What does this output indicate?

A.The session is correctly configured as an ERSPAN destination session.
B.The session is misconfigured because the source must be a VLAN, not an IP.
C.The session is misconfigured because the destination port must have ingress enabled.
D.The session is misconfigured because the ERSPAN ID must be different from the source session.
AnswerA

The output confirms an ERSPAN destination session with a source IP and ERSPAN ID.

Why this answer

The output shows an ERSPAN destination session with source IP 10.1.1.2, ERSPAN ID 100, and destination port Gi0/3. This is the destination side of an ERSPAN configuration.

1929
MCQhard

An engineer configures unicast Reverse Path Forwarding (uRPF) in strict mode on an interface. After configuration, legitimate traffic from a directly connected network is being dropped. Which is the most likely explanation?

A.Asymmetric routing is causing the return path to use a different interface.
B.The 'allow-default' option is not configured, and a default route exists.
C.The interface is configured with an IP address that is not in the routing table.
D.The routing table has a more specific route for the source network via a different interface.
AnswerA

Strict uRPF requires the source IP to be reachable via the same interface it arrived on. Asymmetric routing violates this, causing drops.

Why this answer

Strict uRPF checks that the source IP address of incoming packets has a route in the routing table that points back to the same interface. If there is asymmetric routing where the return path uses a different interface, strict uRPF will drop the traffic. This is a common edge case in networks with multiple paths.

1930
MCQeasy

In MPLS L3VPN, what is the default behavior when a PE router receives a VPNv4 route with a Route Target that does not match any import RT on any VRF?

A.The route is stored in the BGP table but not installed in any VRF routing table.
B.The route is discarded and not stored in the BGP table.
C.The route is installed in the global routing table.
D.The route is advertised to all other PEs.
AnswerA

BGP keeps all received routes in its table; the VRF import filter determines which routes are actually used in the VRF.

Why this answer

The PE will still store the route in its BGP table (since BGP accepts all routes by default), but it will not install it into any VRF routing table because the import filter rejects it.

1931
MCQmedium

Given this configuration on router R2: ``` ip vrf CUSTOMER_D rd 100:1 ! interface GigabitEthernet0/0 ip vrf forwarding CUSTOMER_D ip address 192.168.2.1 255.255.255.0 ! router ospf 1 vrf CUSTOMER_D network 192.168.2.0 0.0.0.255 area 0 ``` What will happen when this configuration is applied?

A.OSPF will run on GigabitEthernet0/0 and form adjacencies within VRF CUSTOMER_D.
B.OSPF will fail because the OSPF process must be configured globally, not under the VRF.
C.OSPF will run on all interfaces, including those not in VRF CUSTOMER_D.
D.The network command is invalid because it uses a wildcard mask instead of a subnet mask.
AnswerA

This is correct. The OSPF process is VRF-aware and will operate only on interfaces in that VRF.

Why this answer

The OSPF process is tied to VRF CUSTOMER_D, so it only runs on interfaces that belong to that VRF. The network command matches the interface, so OSPF will form adjacencies on that interface within the VRF.

1932
Drag & Dropmedium

Drag and drop the steps to verify and validate NetFlow and Flexible NetFlow operational state into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Verification starts with checking that the flow monitor is active on the interface, then confirming flow records are being generated, then checking exporter statistics for sent packets, then validating the collector receives the data, and finally comparing flow counts to interface counters for accuracy.

1933
MCQhard

Which statement correctly describes the default 'match' direction in a Flexible NetFlow flow record?

A.The default match direction is 'output' (egress).
B.The default match direction is 'both' (input and output).
C.The default match direction is 'input' (ingress).
D.There is no default direction; it must always be specified.
AnswerC

Correct. Flexible NetFlow matches on input by default.

Why this answer

The default match direction is 'input' (ingress), meaning flows are matched on incoming traffic only.

1934
MCQmedium

A network engineer runs the following command to troubleshoot SNMP access: R1# show snmp community Community name: public Community Index: public Storage-Type: nonvolatile Access: read-only View: v1default Community name: private Community Index: private Storage-Type: nonvolatile Access: read-write View: v1default What does this output indicate?

A.The router has two SNMP communities: 'public' for read-only and 'private' for read-write access.
B.The router only allows SNMP writes with the 'public' community.
C.The router is not configured for SNMP because no community strings are shown.
D.The router uses SNMPv3 and these communities are for backward compatibility.
AnswerA

The output clearly shows 'public' with read-only and 'private' with read-write access.

Why this answer

The show snmp community command displays configured SNMP community strings and their access levels. The output shows two communities: 'public' with read-only access and 'private' with read-write access, both using the default view.

1935
MCQmedium

A network engineer is troubleshooting missing BGP routes on R3. R1 (AS 65001) is an eBGP peer of R2 (AS 65002), and R2 is an iBGP peer of R3 (AS 65002). R1 advertises the prefix 172.16.1.0/24 to R2. On R2, 'show ip bgp' shows the prefix with next-hop 10.1.1.1 (R1's interface). R3's BGP table does not contain this prefix. R2 and R3 are not route reflectors, and there are no other iBGP peers. What is the most likely cause?

A.R2 does not have the 'neighbor 10.1.1.3 activate' command under the BGP configuration for the iBGP session.
B.R2 is not advertising the route because the next-hop 10.1.1.1 is not reachable from R3.
C.R2 is not advertising the route because BGP synchronization is enabled and the IGP does not have the route.
D.R2 is not advertising the route because the prefix is being filtered by an inbound route-map on R3.
AnswerA

Correct because without the activate command, BGP will not advertise any prefixes to the neighbor, even if the session is up.

Why this answer

In iBGP, by default, routes learned from an iBGP peer are not advertised to other iBGP peers (split horizon). Since R2 learned the route from eBGP, it should advertise it to R3. However, if R3 learned the route via iBGP from another source, it might not be advertised.

But the scenario implies R2 is not advertising to R3. The most common cause is that R2 has a route-map or filter blocking the advertisement, or the next-hop is unreachable from R3. However, given the information, the likely issue is that R2 does not have the route in its BGP table as best, or the next-hop is not reachable.

But the stem says R2 shows the prefix. The correct answer is that R2 is not advertising because the next-hop (10.1.1.1) is not reachable from R3, but that would affect R3's ability to use the route, not R2's advertisement. Actually, R2 will advertise to iBGP peers regardless of next-hop reachability on the receiver.

So the issue must be that R2 is not advertising due to a missing 'neighbor R3 activate' or a filter. The most plausible is that the network statement or redistribution is missing on R2 for the prefix? No, R2 has it. Let me re-read: R2's BGP table shows the prefix.

The missing route on R3 could be due to R2 not having the 'neighbor 10.1.1.3 activate' under the BGP process, or a route-map blocking. The stem does not mention any filters. The most common cause in such scenarios is that the BGP session between R2 and R3 is not configured to exchange prefixes (missing activate).

1936
MCQhard

A large enterprise is using a DMVPN Phase 2 hub-and-spoke topology with IPsec protection. Spoke routers R3 and R4 are both behind NAT. The hub R1 has a tunnel interface with IPsec profile and mGRE. Spoke-to-spoke dynamic tunnels do not form. R3 can ping R4's tunnel IP via the hub, but R3's show dmvpn detail shows no NHRP redirect or shortcut. R4's show crypto ipsec sa shows no inbound/outbound SA for the R3-to-R4 traffic. What is the root cause?

A.The hub is missing the 'ip nhrp redirect' command under the tunnel interface.
B.The IPsec profile on the hub does not include perfect forward secrecy (PFS).
C.The spokes are using different ISAKMP policies.
D.The NAT traversal feature is disabled on the hub.
AnswerA

Without NHRP redirect, the hub does not inform spokes of peer public addresses, preventing dynamic spoke-to-spoke tunnel formation.

Why this answer

In a DMVPN Phase 2 topology, spoke-to-spoke dynamic tunnels require the hub to send NHRP redirect messages to inform a spoke that the destination it is trying to reach is behind another spoke. Without the 'ip nhrp redirect' command on the hub's tunnel interface, the hub forwards traffic between spokes but never signals the source spoke to initiate a direct tunnel. This explains why R3 can ping R4's tunnel IP via the hub but no NHRP redirect or shortcut is seen, and no IPsec SA is built between the spokes.

Exam trap

Cisco often tests the distinction between DMVPN Phase 2 and Phase 3, where Phase 3 uses 'ip nhrp redirect' on the hub and 'ip nhrp shortcut' on spokes, and candidates may incorrectly assume that spoke-to-spoke tunnels form automatically without explicit NHRP redirect configuration.

How to eliminate wrong answers

Option B is wrong because PFS (Perfect Forward Secrecy) is not required for DMVPN Phase 2 spoke-to-spoke tunnel establishment; PFS is an optional security enhancement for IPsec key exchange and does not affect NHRP redirect or shortcut creation. Option C is wrong because if the spokes were using different ISAKMP policies, they would not be able to form IPsec SAs with the hub at all, but the problem states that R3 can ping R4's tunnel IP via the hub, indicating that both spokes have working IPsec tunnels to the hub. Option D is wrong because NAT traversal (NAT-T) is automatically enabled in IOS when a NAT device is detected and is not a command that needs to be explicitly enabled on the hub; disabling it would prevent the hub from establishing tunnels with NATed spokes, but the spokes already have connectivity to the hub.

1937
MCQhard

A network engineer is troubleshooting a router that is not generating any EEM applet actions even though the applets are configured and enabled. The engineer checks the 'show event manager status' command and sees that the EEM server is running. The engineer also checks the syslog and sees that the trigger events are occurring. What is the most likely cause?

A.The EEM applets are not registered due to a syntax error in the configuration.
B.The EEM server is not listening for syslog events.
C.The router's logging level is set to emergencies only.
D.The EEM applets are configured with 'event none' and need manual triggering.
AnswerA

Correct because a syntax error prevents the applet from being registered, even if the EEM server is running.

Why this answer

Even if the EEM server is running, the applets may not be registered if they have syntax errors or if the 'event manager applet' command is missing. The engineer should use 'show event manager policy available' or 'show event manager policy registered' to verify if the applets are registered.

1938
MCQeasy

A network engineer is troubleshooting a DHCPv4 issue where clients on a subnet are getting IP addresses from the correct pool, but they cannot reach the default gateway. The router is configured as a DHCP server with pool 'POOL' that includes 'default-router 192.168.1.1'. The router's interface IP is 192.168.1.1/24. Clients receive the address and default gateway, but pings to 192.168.1.1 fail. What is the most likely cause?

A.The DHCP pool has the wrong subnet mask.
B.The router interface Gi0/0 is administratively down.
C.The 'ip helper-address' command is interfering with DHCP.
D.The clients have a static ARP entry for the gateway.
AnswerB

Correct because if the interface is down, the router cannot respond to ARP requests or pings from clients, even though DHCP assignments are still possible (the server process runs independently).

Why this answer

If the router's interface is up and has the correct IP, but clients cannot ping the gateway, the issue is often that the interface is in a different VLAN or the clients are on a different broadcast domain. However, the most common misconfiguration is that the 'default-router' command points to an IP that is not actually configured on the router's interface, or the interface is down. Given that the symptom is specific to the gateway, the likely cause is that the interface is shut down or has a different IP.

1939
MCQhard

A network engineer is troubleshooting a scenario where two routers running EIGRP are not forming an adjacency. Both routers have BFD configured under the EIGRP process and on the interfaces. The BFD session is up and operational. However, the EIGRP neighbor status shows 'Pending' and never transitions to 'Up'. What is the most likely cause?

A.The BFD timers are set too high, causing EIGRP to time out before BFD can respond.
B.EIGRP is configured with 'no auto-summary' on one router and 'auto-summary' on the other.
C.The EIGRP K-values are mismatched between the two routers.
D.The interface is configured with 'bfd interval 50 min_rx 50 multiplier 3' but the neighbor expects different values.
AnswerC

EIGRP K-values must match for adjacency to form; a mismatch causes the neighbor to stay in Pending state even if BFD is up.

Why this answer

EIGRP requires the BFD session to be fully established before it will bring up the adjacency. If the BFD session is up but EIGRP is stuck in Pending, the issue is often a mismatch in EIGRP K-values or authentication.

1940
MCQmedium

A network engineer configured IP SLA 70 to monitor a remote site's LAN gateway (172.16.1.1) using ICMP echo. The IP SLA is linked to a track object that is used in a static route for a backup link. The engineer notices that the IP SLA state is 'Active', but the backup static route is installed in the routing table even when the primary route is available. What is the most likely cause?

A.The static route is configured without the 'track' keyword, so it is always installed regardless of the IP SLA state.
B.The IP SLA probe is failing intermittently, causing the track object to flap.
C.The primary route has a higher administrative distance than the static route.
D.The track object is configured with a delay that causes the static route to be installed prematurely.
AnswerA

Without the 'track' keyword, the static route is permanent and will be installed if its AD is lower than the primary route.

Why this answer

If the backup static route is installed while the primary route is available, the static route likely has a lower administrative distance than the primary route, or the track object is not being used correctly (e.g., the static route does not have the 'track' keyword).

1941
MCQhard

An engineer configures OSPF on two directly connected routers with MTU 1500 on one interface and MTU 1600 on the other. The OSPF adjacency remains stuck in EXSTART/EXCHANGE state. Which is the most likely explanation?

A.The larger MTU interface sends DBD packets that are too big for the smaller MTU interface, preventing the exchange of LSAs.
B.OSPF uses TCP, and the MSS mismatch causes the adjacency to fail.
C.The MTU mismatch causes a routing loop that prevents the exchange of hello packets.
D.The router with the smaller MTU will not send hello packets because it detects the mismatch.
AnswerA

OSPF DBD packets are limited by the outgoing interface MTU; a mismatch causes the smaller MTU router to drop the packets, stalling the adjacency.

Why this answer

OSPF uses the interface MTU in the Database Description (DBD) packets. If the MTU values differ, the receiving router will reject DBD packets larger than its own MTU, causing the adjacency to stall in EXSTART/EXCHANGE. This is a common edge case because many engineers assume OSPF will negotiate MTU automatically.

1942
MCQmedium

A network engineer runs the following command on Router R1: R1# show route-map route-map FILTER_OSPF, permit, sequence 10 Match clauses: ip address prefix-list OSPF_ROUTES Set clauses: Policy routing matches: 0 packets, 0 bytes route-map FILTER_OSPF, deny, sequence 20 Match clauses: Set clauses: Policy routing matches: 0 packets, 0 bytes Based on this output, which statement is correct?

A.The route-map will permit all routes that match the prefix-list OSPF_ROUTES and deny all others.
B.The route-map will permit all routes because sequence 20 has no match clause.
C.The route-map is used for policy-based routing and has matched 0 packets.
D.The route-map will deny only routes matching the prefix-list OSPF_ROUTES.
AnswerA

Sequence 10 permits matching routes; sequence 20 denies everything else.

Why this answer

The route-map FILTER_OSPF has two sequences: sequence 10 permits routes matching prefix-list OSPF_ROUTES, and sequence 20 denies all other routes (since no match clause). The match counters show 0 packets/bytes, indicating no traffic has been matched yet, but this is a route-map used for route filtering, not policy routing. The correct answer is that the route-map will deny all routes not matching the prefix-list.

1943
MCQmedium

A network engineer runs the following command to troubleshoot a VRF-Lite IPsec issue: R1# show crypto ipsec transform-set vrf CUSTOMER_H Output: Transform set combined: { esp-aes 256 esp-sha-hmac } will negotiate = { Tunnel, } What does this output indicate?

A.The transform set uses ESP with AES 256 and SHA-HMAC in transport mode.
B.The transform set uses ESP with AES 256 and SHA-HMAC in tunnel mode.
C.The transform set uses AH with AES 256 and MD5.
D.The transform set does not specify any encryption or authentication.
AnswerB

Correct. The transform set includes esp-aes 256 and esp-sha-hmac, and will negotiate tunnel mode.

Why this answer

The 'show crypto ipsec transform-set vrf' command displays the IPsec transform set for a specific VRF. The output shows a transform set named 'combined' that uses ESP with AES 256-bit encryption and SHA-HMAC authentication. It will negotiate a tunnel mode (as opposed to transport mode).

1944
MCQhard

What is the default behavior of PBR when a 'set ip next-hop' and a 'set ip default next-hop' are both configured in the same route-map entry?

A.The 'set ip default next-hop' is always used first.
B.Both are used simultaneously, and the router load-balances.
C.The 'set ip next-hop' is used if reachable; otherwise, the 'set ip default next-hop' is used if the routing table has no explicit route.
D.The router ignores both and uses the routing table.
AnswerC

This is the correct order of evaluation.

Why this answer

The 'set ip next-hop' is evaluated first. If it is reachable, it is used. If not, then the 'set ip default next-hop' is used, but only if there is no explicit route in the routing table.

1945
MCQhard

A network uses PBR to route traffic from a specific VLAN (10.10.10.0/24) through a firewall (next-hop 192.168.1.1). After a firewall replacement, traffic from this VLAN is being dropped. Router R1 shows: 'show route-map' shows the route-map is applied, 'show ip policy' shows the policy on the VLAN interface, but 'debug ip packet' shows packets being sent to 192.168.1.1 and no response. Router R2 (firewall) shows: 'show ip route 10.10.10.0' returns a route via 192.168.2.1, but the firewall is configured to drop traffic from 10.10.10.0/24. What is the root cause?

A.The firewall is configured to drop traffic from the source subnet 10.10.10.0/24. Update the firewall policy to allow this traffic.
B.The next-hop 192.168.1.1 is not reachable from R1 due to a routing issue.
C.The route-map on R1 is missing a 'set ip next-hop verify-availability' command, causing it to forward traffic to an unreachable next-hop.
D.The VLAN interface on R1 has an ACL that is blocking traffic from 10.10.10.0/24.
AnswerA

PBR successfully forwards traffic to the firewall, but the firewall drops it due to its own security policy. The routing is correct, but the firewall policy is blocking the traffic.

Why this answer

PBR forwards traffic to the firewall, but the firewall is configured to drop traffic from the source subnet (10.10.10.0/24). This is a policy issue on the firewall, not a routing issue. The solution is to update the firewall policy to allow traffic from the source subnet.

1946
MCQmedium

A network engineer runs the following command to troubleshoot a Network Logging and Syslog issue: R1# show mpls ldp neighbor detail Output: Peer LDP Ident: 10.0.0.2:0, Local LDP Ident: 10.0.0.1:0 TCP connection: 10.0.0.2.646 - 10.0.0.1.646 State: Oper; Msgs sent/rcvd: 100/100; Downstream Up time: 00:10:00 LDP discovery sources: GigabitEthernet0/0, Src IP addr: 10.0.0.2 Addresses bound to peer LDP Ident: 10.0.0.2 10.1.1.2 10.2.2.2 What does this output indicate?

A.The router has an operational LDP session with neighbor 10.0.0.2, with addresses 10.0.0.2, 10.1.1.2, and 10.2.2.2.
B.The router is experiencing an LDP authentication failure.
C.The router is using UDP for LDP discovery.
D.The router has only one LDP neighbor.
AnswerA

The state is 'Oper' (operational) and addresses are listed.

Why this answer

The output shows detailed LDP neighbor information, including TCP connection details, state, and addresses bound to the peer. This indicates a functioning LDP session.

1947
MCQmedium

Consider this OSPF configuration on router R4: router ospf 1 network 192.168.1.0 0.0.0.255 area 0 neighbor 10.0.0.2 What is the effect of the neighbor statement?

A.R4 will attempt to form an OSPF adjacency with 10.0.0.2 over any interface that can reach it.
B.The neighbor command is ignored because the network type is broadcast by default on Ethernet interfaces.
C.R4 will send unicast OSPF packets to 10.0.0.2, but only if the interface is in area 0.
D.The configuration is invalid because the neighbor command must include a priority.
AnswerB

Correct. On Ethernet, OSPF uses multicast discovery; the neighbor command is not needed and is ignored.

Why this answer

The neighbor command is used in OSPF for non-broadcast multi-access (NBMA) networks to manually specify neighbors. However, the interface used to reach 10.0.0.2 must be configured with the appropriate network type (e.g., point-to-multipoint or non-broadcast). If the network type is broadcast or point-to-point, the neighbor command is ignored.

1948
MCQmedium

A network engineer runs the following command on Router R1: R1# show route-map route-map PBR-ROUTE, permit, sequence 10 Match clauses: ip address (access-lists): ACL-PBR Set clauses: ip next-hop 192.168.1.2 Policy routing matches: 0 packets, 0 bytes route-map PBR-ROUTE, permit, sequence 20 Match clauses: Set clauses: ip next-hop 192.168.2.2 Policy routing matches: 0 packets, 0 bytes R1# show ip policy Interface Route-map GigabitEthernet0/0 PBR-ROUTE Based on this output, what is the most likely problem?

A.The route map is not applied to an interface.
B.The access list ACL-PBR does not exist or matches no traffic.
C.The next-hop 192.168.1.2 is unreachable.
D.The route map is missing a permit statement.
AnswerB

Zero matches in sequence 10 suggest ACL-PBR is not matching any packets. Sequence 20 has no match clause and would match all, but its counter is also zero, indicating no traffic is being processed by PBR at all, likely because ACL-PBR is missing or incorrect.

Why this answer

The show route-map output shows zero policy routing matches. The route map is applied to the interface, but the access list ACL-PBR may not match any traffic, or traffic is not arriving on GigabitEthernet0/0. The set clause in sequence 20 is applied unconditionally (no match clause), which would normally match all traffic, but sequence 10 must be evaluated first; if ACL-PBR matches nothing, sequence 20 would match all, yet counters still show zero, indicating no traffic is being policy-routed at all.

1949
MCQmedium

A network engineer runs the following command to troubleshoot a Policy-Based Routing (PBR) issue: R1# show ip policy Interface Route-map FastEthernet0/0 PBR-MAP Serial0/0 PBR-MAP What does this output indicate?

A.The same route-map is applied to multiple interfaces, which may lead to unintended policy routing.
B.PBR is applied globally.
C.The route-map PBR-MAP is misconfigured.
D.PBR is only active on FastEthernet0/0.
AnswerA

Applying the same route-map to multiple interfaces can cause issues if the set clauses are not interface-agnostic.

Why this answer

The output shows that the same route-map PBR-MAP is applied to both FastEthernet0/0 and Serial0/0. This could cause unexpected behavior if the route-map uses interface-specific conditions.

1950
Multi-Selecthard

Which TWO statements about the limitations of local SPAN are correct? (Choose TWO.)

Select 2 answers
A.A local SPAN session can only monitor traffic on the same switch where the session is configured.
B.A local SPAN destination port can be a routed port or a switchport in trunk mode.
C.A local SPAN session can monitor both ingress and egress traffic simultaneously on the same source interface.
D.A local SPAN session can include a VLAN as a source, which monitors all traffic in that VLAN except the control plane traffic.
E.A local SPAN session can have multiple destination ports to send the mirrored traffic to multiple analyzers.
AnswersA, C

Correct. Local SPAN is confined to a single switch; it cannot extend across switches.

Why this answer

Local SPAN has several restrictions: it cannot send traffic across Layer 3 boundaries, it can only use interfaces on the same switch, and it has limitations on the number of sessions and the types of traffic that can be mirrored (e.g., control plane traffic is not included).

Page 25

Page 26 of 29

Page 27