Cisco CCNP ENARSI 300-410 (300-410) — Questions 1951–2025

2152 questions total · 29 pages · All types, answers revealed

Page 27 of 29

1951
MCQ · hard

A network engineer configures an IPv6 over IPv4 GRE tunnel with IPsec protection using a transform set that includes ESP encryption and authentication. The tunnel comes up, but OSPFv3 over the tunnel fails to form adjacency. The engineer notices that the tunnel interface has an MTU of 1400. What is the most likely explanation?

A. The IPsec transform set includes both ESP encryption and authentication, which adds 50+ bytes of overhead; the tunnel MTU of 1400 is too high for the actual path MTU after encapsulation.
B. OSPFv3 requires the tunnel interface to be configured with 'ipv6 ospf network point-to-point' to work over GRE.
C. The IPsec configuration is missing the 'crypto map' applied to the tunnel interface.
D. The GRE tunnel mode should be 'tunnel mode gre ipv6' instead of the default.
Answer: A

With ESP encryption and authentication, the total overhead can be 50-60 bytes. The tunnel MTU of 1400 does not account for this, causing OSPFv3 packets to be fragmented or dropped.

Why this answer

The correct answer is A. When IPsec ESP encryption and authentication are applied to a GRE tunnel, the combined overhead (typically 50–60 bytes for ESP headers, trailers, and authentication data) reduces the effective payload MTU. With a tunnel interface MTU of 1400, the actual packet size after adding GRE (20 bytes) and IPsec overhead can exceed the path MTU, causing fragmentation or drops.

OSPFv3 uses large hello packets (often 1500 bytes), and if the encapsulated packet exceeds the path MTU, adjacency cannot form.

Exam trap

Cisco often tests the concept that IPsec overhead must be accounted for when setting tunnel MTU, and candidates mistakenly assume that a tunnel MTU of 1400 is always safe for IPv6 over GRE with IPsec, ignoring the cumulative encapsulation overhead.

How to eliminate wrong answers

Option B is wrong because OSPFv3 over GRE does not require the 'ipv6 ospf network point-to-point' command; GRE tunnels are inherently point-to-point, and OSPFv3 automatically detects the network type as point-to-point over a GRE tunnel. Option C is wrong because the question states that the tunnel comes up, and IPsec protection is configured via a transform set; the crypto map is likely applied to the physical interface or tunnel interface, and the tunnel being up indicates IPsec is functioning. Option D is wrong because 'tunnel mode gre ipv6' is used for IPv6 transport over IPv6, not for IPv6 over IPv4 GRE; the default 'tunnel mode gre ip' is correct for encapsulating IPv6 in IPv4.

1952
MCQ · easy

What is the default dead interval on a Cisco IOS-XE router for OSPF on a broadcast network type?

A. 10 seconds
B. 30 seconds
C. 40 seconds
D. 120 seconds
Answer: C

Correct. The dead interval is 4 × hello interval (4 × 10 = 40 seconds) by default on broadcast and point-to-point networks.

Why this answer

On a broadcast network type, OSPF uses a default dead interval of 40 seconds, which is four times the default hello interval of 10 seconds. This relationship is defined in RFC 2328, ensuring that a neighbor is declared down only after missing four consecutive hello packets.

Exam trap

Cisco often tests the default OSPF timers for different network types, and the trap here is confusing the default dead interval for broadcast (40 seconds) with the default hello interval (10 seconds) or with the dead interval for other network types like NBMA (30 seconds).

How to eliminate wrong answers

Option A is wrong because 10 seconds is the default hello interval on broadcast networks, not the dead interval. Option B is wrong because 30 seconds is the default dead interval for OSPF on non-broadcast multi-access (NBMA) networks, not broadcast. Option D is wrong because 120 seconds is the default dead interval for OSPF virtual links or point-to-multipoint networks, not for broadcast network types.

1953
Drag & Drop · medium

Drag and drop the steps to verify and validate the operational state of an IPsec site-to-site VPN into the correct order, from first to last.

Why this order

Begin by checking the IKE Phase 1 SA to ensure the control plane is established, then verify the IPsec Phase 2 SA for data-plane encryption. Confirm the tunnel interface is up/up, examine the crypto map to ensure it is active, and finally test traffic flow with a ping or extended ping.

1954
MCQ · hard

An MPLS network with IPv6 over MPLS (6PE) is experiencing loss of IPv6 routes from a remote provider edge (PE) router. Router PE1 has the following relevant configuration:

```
interface GigabitEthernet0/0
 ipv6 address 2001:DB8:1::1/64
 mpls ip
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
router ospf 1
 router-id 192.0.2.1
 redistribute bgp 65000 subnets
```

Router PE2 shows:

```
PE2# show bgp ipv6 unicast 2001:DB8:2::/64
% Network not in table
PE2# show mpls forwarding-table 192.0.2.1
Label: 16, Interface: GigabitEthernet0/1
```

What is the root cause?

A. PE1 is missing the network 2001:DB8:2::/64 command under router bgp for IPv6 unicast address family.
B. The MPLS label distribution between PE1 and PE2 is failing due to LDP mismatch.
C. OSPF is not redistributing the IPv6 prefix correctly.
D. The IPv6 address family is not enabled under router bgp on PE1.
Answer: A

Without this, the IPv6 prefix is not injected into BGP, so PE2 never learns it.

Why this answer

The correct answer is A because the output shows that PE2 has an MPLS label (16) for PE1's loopback (192.0.2.1) and can forward labeled traffic, but the IPv6 route 2001:DB8:2::/64 is missing from the BGP table. This indicates that PE1 is not advertising the IPv6 prefix into BGP. The missing `network 2001:DB8:2::/64` command under the IPv6 unicast address family on PE1 prevents the prefix from being injected into BGP, even though the interface is configured with the IPv6 address and OSPF redistribution is in place.

Exam trap

Cisco often tests the distinction between interface configuration and BGP advertisement, where candidates assume that having an IPv6 address on an interface automatically makes it reachable via BGP in a 6PE design.

How to eliminate wrong answers

Option B is wrong because the `show mpls forwarding-table` output shows a valid label (16) for PE1's loopback, proving that LDP is functioning correctly and there is no mismatch. Option C is wrong because OSPF redistribution of BGP routes is not required for 6PE; 6PE relies on BGP to carry IPv6 prefixes over the MPLS core, and OSPF is only used for IPv4 IGP reachability of the loopbacks. Option D is wrong because the IPv6 address family is implicitly enabled when the `network` command is used under `router bgp` for IPv6 unicast; the issue is the missing network statement, not the absence of the address family itself.

1955
MCQ · medium

A network engineer runs the following command to troubleshoot an RSPAN issue:

```
R1# show monitor session 2 detail
Session 2
---------
Type : Remote Source Session
Source Ports :
    Both : Gi0/0
Destination RSPAN VLAN : 100
```

What does this output indicate?

A. The session is correctly configured as an RSPAN source session.
B. The session is misconfigured because the destination must be a port, not a VLAN.
C. The session is misconfigured because the source port must be a VLAN.
D. The session is misconfigured because the RSPAN VLAN must be configured as a remote-span VLAN.
Answer: A

The output confirms an RSPAN source session with a specified RSPAN VLAN.

Why this answer

The output shows an RSPAN source session with source port Gi0/0 and destination RSPAN VLAN 100. This is the source side of an RSPAN configuration.

1956
MCQ · medium

A network engineer runs the following command on Router R1:

```
R1# show policy-map control-plane
 Control Plane
  Service-policy input: CoPP
    class-map: MANAGEMENT (match-all)
      5 packets, 500 bytes
      5 minute offered rate 0 bps
      police:
        cir 8000 bps, bc 1500 bytes
        conformed 5 packets, 500 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps
    class-map: ATTACK (match-all)
      100 packets, 10000 bytes
      5 minute offered rate 0 bps
      police:
        cir 8000 bps, bc 1500 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 100 packets, 10000 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps
```

Based on this output, what is happening to traffic matching class ATTACK?

A. All traffic in class ATTACK is being transmitted.
B. All traffic in class ATTACK is being dropped.
C. Traffic in class ATTACK is being rate-limited but not dropped.
D. Traffic in class ATTACK is being marked down.
Answer: B

Exceeded 100 packets, all dropped.

Why this answer

The output shows that for class ATTACK, 100 packets were exceeded and dropped. This means the traffic rate exceeded the committed information rate (CIR) of 8000 bps, and all packets were dropped as per the exceed action.

1957
MCQ · hard

A network engineer is troubleshooting PBR on a Cisco router where traffic from subnet 10.10.10.0/24 should be forwarded to next-hop 192.168.100.2. The route map 'PBR-10' is configured with 'match ip address 130' and 'set ip next-hop 192.168.100.2'. The engineer applies the route map to interface GigabitEthernet0/0. The engineer notices that PBR is not working, and the router is dropping packets instead of forwarding them. The engineer checks the ACL 130 and confirms it matches 10.10.10.0/24. What is the most likely cause?

A. The route map has a deny statement that matches the traffic, causing packets to be dropped.
B. The next-hop 192.168.100.2 is unreachable, and PBR drops packets when the next-hop is down.
C. The 'ip policy route-map' command is applied to the wrong interface, and the router is dropping packets due to ACL filtering.
D. The ACL 130 is missing the 'permit' keyword, causing all traffic to be denied.
Answer: A

Correct because a deny statement in the route map will cause the router to drop the packet if no other permit statement matches.

Why this answer

If PBR is dropping packets, it could be because the next-hop is unreachable and the route map has a 'set ip next-hop' command that fails, causing the router to drop the packet if no fallback is configured. However, by default, if the next-hop is unreachable, the router should use the routing table. But if the route map has a 'set ip next-hop' with 'verify-availability' and the next-hop is down, the router may drop the packet.

Another possibility is that the route map has a 'deny' statement that drops traffic. The most likely cause is that the route map has a 'deny' statement that matches the traffic, causing it to be dropped.

1958
MCQ · hard

A DMVPN network uses IPv6 with EIGRP as the routing protocol. Spoke routers R2 and R3 are behind NAT and use mGRE tunnels. The hub R1 has an IPv6 ACL applied inbound on the tunnel interface that permits only EIGRP and denies all other IPv6 traffic. Spoke-to-spoke traffic fails even though direct tunnels are established. R2 shows 'ping 2001:db8:3::1 source loopback0' fails, but 'ping 2001:db8:1::1' (hub) succeeds. What is the root cause?

A. R1's inbound ACL on the tunnel interface permits only EIGRP, dropping all other traffic including spoke-to-spoke data packets.
B. NAT traversal is broken for spoke-to-spoke traffic due to IPsec encryption issues.
C. EIGRP is not advertising spoke loopbacks to other spokes, causing no route.
D. The mGRE tunnel on R2 does not have a destination for R3, preventing direct communication.
Answer: A

Spoke-to-spoke traffic is forwarded through the hub if the routing table points to the hub. The ACL on the hub's tunnel interface filters this traffic.

Why this answer

The ACL on R1's tunnel interface blocks spoke-to-spoke traffic because it is not sourced from the hub. Even though the spokes have a direct tunnel, the traffic still traverses the hub's tunnel interface if the routing is not optimized. The ACL permits only EIGRP, so data traffic is dropped.

1959
MCQ · hard

What is the default OSPF metric for a route redistributed from another routing protocol into OSPF?

A. 0
B. 1
C. 20
D. 10
Answer: C

Correct. The default OSPF metric for redistributed routes (except BGP) is 20.

Why this answer

When a route is redistributed from another routing protocol into OSPF, the default metric is 20 for routes that are not BGP. This is defined in RFC 2328 and is the seed metric used when no explicit metric is configured with the redistribute command. The value 20 applies to most external routes (Type 2 by default), while BGP redistributed routes default to 1.

Exam trap

Cisco often tests the distinction between the default OSPF metric for redistributed routes (20) and the default metric for BGP redistributed routes (1), causing candidates to mistakenly choose 1 for all protocols.

How to eliminate wrong answers

Option A is wrong because 0 is not a valid default OSPF metric for redistributed routes; a metric of 0 would imply the route is directly connected, which is not the case for redistributed routes. Option B is wrong because 1 is the default metric for routes redistributed from BGP into OSPF, not for routes from other protocols like EIGRP or RIP. Option D is wrong because 10 is the default cost for a Gigabit Ethernet interface in OSPF, not the default metric for redistributed routes.

1960
Multi-Select · hard

Which TWO statements about using a route-map with the "set metric" command to influence route selection in EIGRP are true? (Choose TWO.)

Select 2 answers
A. The set metric command in a route-map can set the EIGRP composite metric components such as bandwidth and delay.
B. A route-map applied to a redistribute command under EIGRP can modify the metric of redistributed routes.
C. The route-map must be applied to the EIGRP process using the "route-map" command under router eigrp to affect all updates.
D. The set metric command can also change the administrative distance of the route.
E. The route-map can only be used to set the metric to a single value, not multiple components.
Answers: A, B

Correct. EIGRP metric components can be set using set metric bandwidth delay reliability load mtu.

Why this answer

In EIGRP, the metric is composite (bandwidth, delay, etc.). The set metric command can modify these values. A route-map can be applied to redistribute routes into EIGRP or to filter outbound updates.

The set metric command can set multiple components. However, the route-map must be applied to the redistribution or neighbor statement to affect EIGRP. The set metric command does not affect the administrative distance.

1961
Multi-Select · hard

Which TWO statements about AAA authentication on Cisco IOS-XE are true? (Choose TWO.)

Select 2 answers
A. If no AAA authentication method list is explicitly configured, the default method list uses the local user database.
B. The 'aaa authentication login default local' command creates a default method list that uses the local user database for login authentication.
C. When a named method list is applied to a line with 'login authentication LISTNAME', the default method list is ignored for that line.
D. The 'aaa authentication login default group radius local' command will first try RADIUS, and if RADIUS fails (not just rejects), it will fall back to local.
E. The 'aaa authentication login default method' command creates a method list with no authentication methods, which denies all login attempts.
Answers: B, C

This command defines the default method list for login authentication, using the local database as the first (and only) method.

Why this answer

Option B is correct because the 'aaa authentication login default local' command explicitly configures the default method list to use the local user database for login authentication. This is the standard way to define a fallback or primary local authentication method for all lines that do not have a named method list applied.

Exam trap

Cisco often tests the distinction between a method list 'failure' (which allows fallback) and a 'reject' (which denies access immediately), and the fact that an unconfigured AAA defaults to line password authentication, not local database.

1962
MCQ · medium

A network engineer is troubleshooting a route redistribution issue between two EIGRP processes. Router R1 runs EIGRP AS 100 and EIGRP AS 200, and redistributes routes between them. The engineer notices that routes from EIGRP AS 100 are not appearing in the EIGRP topology table of AS 200 on R1. The redistribute eigrp 100 command is configured under EIGRP AS 200. What is the most likely cause?

A. The redistribute eigrp 100 command under EIGRP AS 200 is missing the metric specification.
B. EIGRP AS 100 has a higher administrative distance than EIGRP AS 200.
C. The redistribute eigrp 100 command under EIGRP AS 200 is missing the subnets keyword.
D. EIGRP AS 200 has a route map that is filtering all routes.
Answer: A

Correct: Without a metric, EIGRP does not accept redistributed routes.

Why this answer

When redistributing between EIGRP processes, the redistribute command must include the metric values (bandwidth, delay, reliability, load, MTU) or a default-metric must be configured. Without a metric, the redistributed routes are not accepted.

1963
MCQ · hard

Which EIGRP loop prevention mechanism prevents a router from installing a route that was originally learned from itself?

A. Split horizon
B. Route poisoning
C. Feasibility condition
D. Hold-down timer
Answer: C

Correct. The feasibility condition ensures that the reported distance is less than the feasible distance, preventing loops.

Why this answer

EIGRP uses the Feasibility Condition (FC) to ensure loop-free paths. A route is feasible if the reported distance from the neighbor is less than the current feasible distance. This prevents a router from accepting a route that could loop back.

1964
MCQ · medium

What is the default administrative distance for routes redistributed into EIGRP from another protocol?

A. 90
B. 110
C. 170
D. 200
Answer: C

Cisco IOS assigns a default administrative distance of 170 to all routes redistributed into EIGRP, matching the distance of external EIGRP routes.

Why this answer

By default, EIGRP assigns an administrative distance of 170 to routes learned via redistribution, distinguishing them from internal EIGRP routes (AD 90) and external EIGRP routes (AD 170).

1965
Multi-Select · hard

An engineer configures PBR on a Cisco router using the following commands: 'route-map PBR permit 10', 'match ip address 100', 'set ip next-hop 10.1.1.1', and applies it inbound on interface GigabitEthernet0/1. Which TWO statements about this configuration are true? (Choose TWO.)

Select 2 answers
A. The command 'ip policy route-map PBR' must be applied under interface GigabitEthernet0/1 in global configuration mode.
B. If the next hop 10.1.1.1 becomes unreachable, packets that match ACL 100 will be dropped by default.
C. Packets that do not match ACL 100 will be forwarded using the normal routing table.
D. The command 'debug ip policy' can be used to verify which packets are being policy-routed and to which next hop.
E. The route map must also include a 'match interface' statement to specify the incoming interface.
Answers: C, D

Correct. Only packets matching the route-map (via ACL 100) are policy-routed; others are forwarded normally.

Why this answer

PBR is applied inbound on an interface. The route map matches packets using ACL 100. If the next hop is unreachable, the packet is forwarded using the routing table (if a default route exists) or dropped.

PBR can be verified using 'show route-map' and 'debug ip policy'. The route map must be applied to the interface using 'ip policy route-map PBR'.

1966
MCQ · hard

What is the default SNMP community string on a Cisco IOS device that has not been configured with any SNMP commands?

A. public
B. private
C. cisco
D. No default community string exists; SNMP is disabled.
Answer: D

Cisco IOS does not preconfigure any community; the device must have an snmp-server community command to enable SNMP.

Why this answer

By default, no community strings exist; SNMP is disabled until a community is configured.

1967
MCQ · hard

A network engineer configures BGP synchronization on an iBGP router. The IGP (OSPF) does not carry the BGP routes. Unexpectedly, the router does not advertise these iBGP routes to eBGP neighbors. What is the most likely explanation?

A. The router has 'bgp synchronization' enabled, and the iBGP route is not in the OSPF routing table, so it is not considered valid for advertisement.
B. The router has 'bgp bestpath as-path multipath-relax' configured, which suppresses eBGP advertisements for iBGP routes.
C. The iBGP session is not using 'next-hop-self', so the next hop is unreachable.
D. The router has 'bgp suppress-duplicates' enabled, which drops identical routes.
Answer: A

With synchronization enabled, the router checks the IGP for the prefix. If missing, the route is not advertised to eBGP.

Why this answer

BGP synchronization requires that an iBGP route must be present in the IGP before it can be advertised to eBGP neighbors. If the IGP does not carry the route, the router will not advertise it, even if it is in the BGP table.

1968
Multi-Select · hard

Which TWO configuration changes will prevent a specific route from being redistributed from OSPF into EIGRP using a route-map? (Choose TWO.)

Select 2 answers
A. Configure a route-map with a deny clause that matches the route, and apply it to the redistribution command.
B. Apply a distribute-list out under the EIGRP process that denies the route.
C. Use a route-map with a permit clause and no match statement, then apply it to the redistribution.
D. Create a prefix-list that denies the route, then use match ip address prefix-list in a route-map permit clause.
E. Add a match ip address prefix-list command that references a prefix-list with a deny entry, inside a route-map deny clause.
Answers: A, E

Correct. A deny clause in the route-map will prevent the route from being redistributed.

Why this answer

To block redistribution, you can either match the route with a deny clause in the route-map, or use a prefix-list that denies the route and reference it in a match clause. A distribute-list under EIGRP is not used for redistribution filtering. A route-map with a permit clause and no match will permit all routes.

A match ip address prefix-list with a permit entry will permit the route.

1969
MCQ · hard

An engineer applies a Control Plane Policing (CoPP) policy to a router. After applying, the router becomes unreachable via SSH and SNMP, even though the policy allows management traffic. Which is the most likely explanation?

A. The CoPP policy was applied to the wrong interface; it must be applied to the management interface.
B. The class-map for management traffic does not include all required protocols, and the class-default action is drop.
C. The CoPP policy uses rate-limit in bps instead of pps, causing all traffic to be policed.
D. The CoPP policy was applied before the class-maps were fully configured.
Answer: B

If class-default is not configured with a permit action, the implicit deny drops unmatched traffic, including management traffic not explicitly matched.

Why this answer

CoPP policies have an implicit deny at the end of the class-map. If the class-map for management traffic does not explicitly match all management protocols (e.g., SSH, SNMP, NTP), or if the policy does not have a class-default action to permit, the traffic is dropped.

1970
MCQ · hard

Router R1 is running EIGRP in VRF-A with two neighbors: R2 and R3. R2 is a directly connected router, R3 is reachable via R2. The network is experiencing EIGRP stuck-in-active (SIA) routes for prefixes learned from R3. R1 configuration: router eigrp 100, address-family ipv4 vrf VRF-A, network 10.0.0.0. R2 is configured similarly. The link between R1 and R2 is a serial link with low bandwidth. What is the root cause?

A. The low-bandwidth serial link between R1 and R2 causes EIGRP query packets to be delayed, exceeding the active timer and resulting in SIA.
B. The VRF configuration on R2 is missing the network statement for the link to R3.
C. EIGRP is not supported in VRF-Lite.
D. The active timer should be increased to prevent SIA.
Answer: A

Correct: Slow link can delay query/reply packets, leading to SIA.

Why this answer

EIGRP SIA occurs when a query is sent to a neighbor and the reply is not received within the active timer (default 3 minutes). In a VRF-Lite scenario, if the query scope is not limited, the query may propagate to R3 via R2, but if the serial link has low bandwidth or high delay, the query may time out. However, the most common cause in VRF-Lite is that the query is sent to all neighbors, and if one neighbor (R2) does not reply due to a slow link, SIA occurs.

The issue is that the query scope includes R2, but the link is slow, causing the active timer to expire.

1971
Multi-Select · medium

Which THREE symptoms indicate a BFD session failure? (Choose THREE.)

Select 3 answers
A. The BFD neighbor state shows 'Down'
B. The OSPF neighbor state changes from Full to Down
C. BFD timer expiry messages appear in logs
D. The interface MTU is set to 1500
E. The BFD discriminator value is zero
Answers: A, B, C

A 'Down' state directly indicates session failure.

Why this answer

A BFD session failure typically results in the neighbor state being 'Down', the routing protocol (like OSPF or EIGRP) neighbor going down due to BFD's fast detection, and BFD timers expiring. The other options are not direct symptoms of a BFD session failure.

1972
MCQ · medium

A network engineer runs the following command to troubleshoot a BGP issue:

```
R1# show bgp ipv4 unicast summary
BGP router identifier 1.1.1.1, local AS number 65000
BGP table version is 15, main routing table version 15
2 network entries using 288 bytes of memory
2 path entries using 160 bytes of memory
2/2 BGP path/bestpath attribute entries using 296 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 1) using 32 bytes of memory
BGP using 800 total bytes of memory
BGP activity 6/0 prefixes, 6/0 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.1.1.2        4 65001      15      15       15    0    0 00:12:34        2
10.2.2.2        4 65002      10      12       15    0    0 00:08:21        0
```

What does this output indicate?

A. Both neighbors are fully operational and exchanging routes.
B. Neighbor 10.1.1.2 is not sending any routes.
C. Neighbor 10.2.2.2 is not sending any routes, possibly due to filtering or no routes to advertise.
D. The BGP session with 10.2.2.2 is down.
Answer: C

The PfxRcd column shows 0 for 10.2.2.2, meaning no prefixes are received from that neighbor.

Why this answer

The show bgp summary output shows BGP neighbor states and prefix counts. Neighbor 10.1.1.2 is up and has sent 2 prefixes. Neighbor 10.2.2.2 is up but has sent 0 prefixes, indicating a possible issue with route advertisement or filtering.

1973
Drag & Drop · medium

Drag and drop the steps to configure SNMPv3 with auth-priv and verify traps into the correct order, from first to last.

Why this order

First, define the SNMPv3 group with security model and privacy settings. Next, create the user with authentication and privacy passwords. Then, enable SNMP traps globally.

After that, specify the trap receiver host with the correct security parameters. Finally, verify the configuration using show snmp user and show snmp host.

1974
MCQ · hard

An engineer configures Control Plane Policing (CoPP) on a router. After configuration, OSPF neighbors are flapping. Which is the most likely explanation?

A. The class-default is configured with a police action that drops OSPF packets exceeding the rate.
B. The CoPP policy is applied to the wrong direction (input vs output).
C. The access-list used to classify OSPF packets is missing the 'permit' statement for OSPF protocol.
D. The CoPP policy uses 'drop' action for OSPF class.
Answer: A

If OSPF packets are not explicitly classified and permitted, they fall into class-default. The police action in class-default will drop packets that exceed the configured rate, causing OSPF hello packets to be dropped and neighbors to flap.

Why this answer

CoPP applies a policy-map to the control plane. If the default class-default is used without an explicit permit for OSPF packets, the implicit deny at the end of the policy-map will drop OSPF packets. The default class-default action is 'drop' if not explicitly configured, but even if a 'police' action is configured, the default behavior is to drop packets that exceed the rate.

1975
MCQ · hard

A network administrator configures 'ipv6 nd raguard' on a switch port connected to a router. The router is sending Router Advertisements with a non-zero Router Lifetime. The switch logs indicate that RAs are being dropped, and the port goes into err-disable state. The engineer checks the RA Guard policy and sees that the default policy is applied. What is the most likely reason for the drops?

A. The RA has a hop-limit less than 255, which RA Guard treats as invalid and drops.
B. The RA Guard policy is configured to block all RAs regardless of source.
C. The router is using a multicast MAC address that is not allowed by RA Guard.
D. The switch port is in access mode, and RA Guard only works on trunk ports.
Answer: A

RA Guard expects hop-limit of 255 for locally generated RAs.

Why this answer

RA Guard by default uses a policy that blocks RAs from all ports except those explicitly configured as 'trusted'. Even if the router is legitimate, the port must be trusted. However, the edge case here is that the default RA Guard policy also checks the 'hop-limit' field in the RA.

If the router sends RAs with a hop-limit other than 255 (the default for locally generated packets), RA Guard will drop them. This can happen if the router is multiple hops away or if the RA is forwarded (e.g., via a tunnel). The most common misconfiguration is that the router's RA has a hop-limit less than 255, which is considered invalid by RA Guard.

1976
MCQ · medium

In IPv6 FHS, which protocol is used to secure Neighbor Discovery messages with cryptographic authentication?

A. IPsec
B. SEND
C. SSL/TLS
D. MACsec
Answer: B

Correct. SEND (Secure Neighbor Discovery) uses CGAs and RSA signatures to authenticate ND messages.

Why this answer

Secure Neighbor Discovery (SEND) is defined in RFC 3971 and uses Cryptographically Generated Addresses (CGAs) to authenticate ND messages. It is an IPv6 FHS mechanism to prevent ND spoofing.

1977
MCQ · medium

Given the following partial configuration on router R1:

```
interface GigabitEthernet0/0
 ip vrf forwarding CUSTOMER_A
 ip address 192.168.1.1 255.255.255.0
```

What is the effect of this configuration?

A. The interface is placed into VRF CUSTOMER_A, and the IP address is assigned correctly.
B. The interface is placed into VRF CUSTOMER_A, but the IP address is ignored because it must be configured before the VRF command.
C. The VRF name is misspelled; it should be 'vrf forwarding CUSTOMER_A' under the interface.
D. The configuration will fail because VRF CUSTOMER_A must be created globally first.
Answer: A

This is correct. The VRF association is applied before the IP address, so the IP address is associated with the VRF.

Why this answer

The 'ip vrf forwarding' command associates the interface with a VRF. It removes the IP address if one was previously configured, requiring it to be re-applied. This ensures traffic on this interface is forwarded using the VRF's routing table.

1978
MCQ · hard

What is the default MTU size for ERSPAN encapsulated packets on Cisco IOS-XE?

A. 1500 bytes
B. 1492 bytes
C. The ERSPAN packet inherits the interface MTU, with no separate default.
D. The default ERSPAN MTU is 1518 bytes.
Answer: C

ERSPAN does not have a configurable MTU; it uses the interface MTU, and the encapsulation adds 8 bytes (Type II) overhead.

Why this answer

ERSPAN adds a GRE header (4 bytes) and an ERSPAN header (4 bytes for Type II) to the original packet. The default system MTU is 1500 bytes, but the ERSPAN packet may exceed this; however, the default MTU for the ERSPAN session itself is not explicitly set—it inherits the interface MTU. There is no separate default ERSPAN MTU; the question tests understanding that ERSPAN adds 8 bytes overhead.

1979
MCQmedium

Examine the following configuration:

```
interface GigabitEthernet0/3
 ip access-group WEB_ONLY out
!
ip access-list extended WEB_ONLY
 permit tcp any any eq 80
 permit tcp any any eq 443
```

What is the effect of this ACL when applied outbound on GigabitEthernet0/3?

A.It permits all web traffic entering the interface.
B.It permits only HTTP and HTTPS traffic to leave the interface; all other traffic is denied.
C.It permits all TCP traffic to any destination.
D.It has no effect because the ACL is missing a deny statement.
AnswerB

Correct. The ACL permits web traffic and implicitly denies everything else.

Why this answer

The ACL named WEB_ONLY explicitly permits TCP traffic destined for ports 80 (HTTP) and 443 (HTTPS). When applied outbound on GigabitEthernet0/3, it filters traffic leaving the interface. Since every ACL has an implicit deny any at the end, only HTTP and HTTPS traffic is permitted outbound; all other traffic is denied.

Exam trap

Cisco often tests the implicit deny any concept and the distinction between inbound and outbound ACL application, causing candidates to overlook that an ACL without an explicit deny still denies all non-permitted traffic.

How to eliminate wrong answers

Option A is wrong because the ACL is applied outbound, not inbound, so it filters traffic leaving the interface, not entering. Option C is wrong because the ACL only permits TCP traffic to ports 80 and 443, not all TCP traffic to any destination. Option D is wrong because an explicit deny statement is not required; every ACL has an implicit deny any at the end, so the ACL does have an effect by denying all other traffic.

1980
MCQmedium

What is the default behavior of EIGRP auto-summary in IOS-XE 15.x and later?

A.Auto-summary is enabled by default
B.Auto-summary is disabled by default
C.Auto-summary is enabled only for connected routes
D.Auto-summary is disabled only for point-to-point links
AnswerB

Correct. IOS-XE 15.x and later disable auto-summary by default to avoid suboptimal routing.

Why this answer

Starting from IOS 15.0(1)M, EIGRP auto-summary is disabled by default. This prevents automatic summarization at classful boundaries, which can cause routing issues in discontiguous networks.

1981
Multi-Selecthard

Which THREE commands would a network engineer use to troubleshoot an MPLS L3VPN issue where a CE router cannot reach a remote CE? (Choose THREE.)

Select 3 answers
A.show ip route vrf CUSTOMER_A
B.show ip bgp vpnv4 vrf CUSTOMER_A
C.show mpls forwarding-table vrf CUSTOMER_A
D.ping vrf CUSTOMER_A <remote-ce-ip>
E.show mpls ldp neighbor
AnswersA, B, C

Checks if the remote CE prefix is in the VRF routing table.

Why this answer

Troubleshooting end-to-end connectivity involves checking the VRF routing table, the BGP VPNv4 table, and the MPLS forwarding table. 'show ip route vrf <vrf>' verifies that the remote prefix is present. 'show ip bgp vpnv4 vrf <vrf>' confirms BGP has the route. 'show mpls forwarding-table vrf <vrf>' checks for label entries. 'ping vrf' tests connectivity from the PE. 'show mpls ldp neighbor' checks LDP status, which is important for the underlay but not directly for VPN route presence.

1982
MCQmedium

A network engineer runs the following command on Router R1:

```
R1# show ip policy
Interface           Route-map
GigabitEthernet0/0  PBR-VOICE
R1# show route-map PBR-VOICE
route-map PBR-VOICE, permit, sequence 10
  Match clauses:
    ip address (access-lists): 130
  Set clauses:
    ip next-hop 192.168.10.1
  Policy routing matches: 0 packets, 0 bytes
R1# show access-lists 130
Extended IP access list 130
    10 permit udp any any range 16384 32767
R1# show interfaces GigabitEthernet0/0
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 10.1.1.1/24
R1# show ip route 192.168.10.1
% Network not in routing table
```

Based on this output, what is the most likely problem?

A.The access list 130 is not matching any traffic.
B.The next-hop 192.168.10.1 is not reachable.
C.The interface GigabitEthernet0/0 is down.
D.The route map is missing a permit statement.
AnswerB

The show ip route output indicates the network is not in the routing table, so the next-hop is unreachable, causing PBR to fail to apply the set clause.

Why this answer

The next-hop 192.168.10.1 is not in the routing table. For PBR to forward packets to a next-hop, that next-hop must be reachable (in the routing table). If it is not, packets that match the route map are forwarded using the normal routing table instead.

The zero matches could be because no traffic matching ACL 130 has arrived, or because the next-hop is missing, but the missing route is a clear issue.

1983
MCQmedium

Consider the following BGP configuration on router R5:

```
router bgp 65005
 bgp router-id 5.5.5.5
 neighbor 10.5.5.6 remote-as 65006
 neighbor 10.5.5.6 route-map SET-LP in
!
route-map SET-LP permit 10
 set local-preference 150
!
```

What is the result of this configuration?

A.All routes from 10.5.5.6 have their local preference set to 150, making them more preferred.
B.Only routes that match a prefix-list are affected; otherwise, default local preference is used.
C.Local preference is set to 150 for routes sent to 10.5.5.6.
D.The route-map is ignored because local-preference can only be set outbound.
AnswerA

The route-map matches all routes (no match condition) and sets local-preference to 150.

Why this answer

The route-map SET-LP is applied inbound. It sets the local preference to 150 for all routes received from 10.5.5.6. This makes those routes more preferred within the local AS compared to routes with default local preference (100).

1984
Multi-Selecthard

An engineer is redistributing OSPF routes into EIGRP. Which TWO commands can be used to verify that the redistribution is working correctly? (Choose TWO.)

Select 2 answers
A.show ip route eigrp
B.show ip eigrp topology
C.show ip ospf database
D.show ip protocols
E.show ip route ospf
AnswersA, B

Correct. This command displays EIGRP routes in the routing table. If OSPF routes are successfully redistributed into EIGRP, they will appear as EIGRP routes (usually marked with 'D EX' for external).

Why this answer

To verify redistribution, you can check the routing table of the receiving protocol (EIGRP) to see if the redistributed routes appear. Additionally, 'show ip eigrp topology' shows the EIGRP topology table, which includes redistributed routes. 'show ip ospf database' is for OSPF LSDB and does not show redistributed routes into EIGRP. 'show ip protocols' shows redistribution configuration but not active routes. 'show ip route eigrp' shows only EIGRP routes, but if redistribution is working, those routes should appear there.

1985
Multi-Selectmedium

Which THREE symptoms indicate that Policy-Based Routing (PBR) is not working as expected? (Choose THREE.)

Select 3 answers
A.Traffic that should be policy-routed follows the routing table instead.
B.High CPU usage on the router when processing PBR traffic.
C.The 'show ip policy' command shows the route-map applied to the interface.
D.Packets are dropped when the 'set interface' specifies a down interface.
E.The routing table is updated with new routes from PBR.
AnswersA, B, D

This indicates PBR is not matching the traffic or not applied correctly.

Why this answer

If traffic that should be policy-routed follows the routing table instead, PBR may not be applied or the route-map may not match. High CPU usage can occur if PBR is process-switched and ACLs are large. If the 'set interface' specifies a down interface, packets are dropped.

The 'show ip policy' command shows PBR application, not a symptom of failure. PBR does not affect routing table updates. A mismatch in ACLs can cause unintended forwarding.

1986
Multi-Selecthard

Which TWO statements about PBR and the 'set ip next-hop recursive' command are true? (Choose TWO.)

Select 2 answers
A.The 'set ip next-hop recursive' command can specify a next-hop address that is not directly connected, and the router will perform a recursive lookup to determine the outgoing interface.
B.The 'set ip next-hop recursive' command is the default behavior for 'set ip next-hop' when the next hop is not directly connected.
C.Using 'set ip next-hop recursive' can cause the router to perform additional routing table lookups, potentially increasing CPU utilization.
D.The 'set ip next-hop recursive' command is only supported on Cisco IOS-XE platforms, not on classic IOS.
E.When using 'set ip next-hop recursive', the router will drop the packet if the recursive lookup fails to find a route to the next hop.
AnswersA, C

Correct. This command is designed for non-directly connected next hops; the router uses the routing table to resolve the next hop recursively.

Why this answer

The 'set ip next-hop recursive' command allows PBR to use a next-hop address that is not directly connected; the router performs recursive lookup to find the outgoing interface. This is different from 'set ip next-hop' which requires a directly connected next hop. The recursive option is useful when the next hop is multiple hops away.

However, it can impact performance due to the recursive lookup.

1987
MCQhard

A network engineer runs the following command to debug Flexible NetFlow cache events:

```
R1# debug flow monitor FLOW-MONITOR-1
Flow Monitor FLOW-MONITOR-1 debugging is on
R1#
*Mar 1 00:10:15.123: FLOW MONITOR: Cache entry created for flow 10.0.0.1:1234 -> 192.168.1.100:80 (TCP)
*Mar 1 00:10:15.124: FLOW MONITOR: Cache entry updated for flow 10.0.0.1:1234 -> 192.168.1.100:80 (TCP) - bytes: 1460, packets: 1
*Mar 1 00:10:15.125: FLOW MONITOR: Cache entry updated for flow 10.0.0.1:1234 -> 192.168.1.100:80 (TCP) - bytes: 2920, packets: 2
*Mar 1 00:10:45.123: FLOW MONITOR: Cache entry aged for flow 10.0.0.1:1234 -> 192.168.1.100:80 (TCP) - reason: inactive timeout
```

What does this output indicate?

A.The flow was aged due to active timeout after 1800 seconds.
B.The flow was created, updated twice, and then aged due to inactive timeout, indicating a normal flow lifecycle.
C.The flow was dropped because the cache was full.
D.The flow is still active in the cache.
AnswerB

The debug shows creation, two updates as packets arrive, and eventual aging due to inactivity, which is expected.

Why this answer

The debug output shows the lifecycle of a flow in the Flexible NetFlow cache. A flow is created, then updated as packets are received, and eventually aged out due to inactive timeout after 30 seconds of inactivity (the default is 15 seconds, but this may be configured differently). This is normal behavior for a TCP connection that has ended.

1988
MCQmedium

Which BGP attribute is used as the first tie-breaker in the route selection process when comparing routes from different peers?

A.Local preference
B.Weight
C.AS path length
D.MED
AnswerB

Correct. Weight is the first attribute checked; it is Cisco proprietary.

Why this answer

The BGP best-path selection algorithm first prefers the path with the highest weight (Cisco proprietary), then highest local preference, then locally originated routes.

1989
MCQhard

An engineer configures a Cisco router with 'ip http server' and 'ip http authentication local' for web-based management. The engineer creates a local username 'admin' with privilege level 15. However, when accessing the router via HTTP, the engineer is prompted for credentials but access is denied. What is the most likely cause?

A.The HTTP server is not configured with an access-class that permits the client.
B.The username 'admin' does not have a password.
C.The HTTP server is using a different port.
D.The 'ip http secure-server' is required for HTTP access.
AnswerA

Correct because 'ip http access-class' is required to permit specific IP addresses; without it, HTTP access is denied by default.

Why this answer

The 'ip http authentication local' command requires the HTTP server to authenticate users against the local username database. However, even with valid credentials, the router's HTTP server may deny access if an access-class is applied to the HTTP server that does not permit the client's IP address. The access-class restricts which source IP addresses can connect to the HTTP server, and if the client is not in the permitted list, authentication will fail with a denial even if the username and password are correct.

Exam trap

Cisco often tests the nuance that an access-class on the HTTP server can block access even with correct local credentials, leading candidates to incorrectly blame password issues or missing secure-server commands.

How to eliminate wrong answers

Option B is wrong because the username 'admin' with privilege level 15 can be created without a password only if the 'username admin privilege 15' command is used without the 'secret' or 'password' keyword; however, the question states the engineer created the username, and the most common practice is to assign a password or secret, so the lack of a password is not the most likely cause given the symptom of being prompted for credentials. Option C is wrong because the default HTTP port is 80, and unless explicitly changed with 'ip http port', the router will listen on port 80; a different port would not cause a denial after credentials are entered—it would cause a connection failure or no prompt. Option D is wrong because 'ip http secure-server' is required only for HTTPS (SSL/TLS) access, not for plain HTTP; the question explicitly uses 'ip http server', which enables unencrypted HTTP, and authentication works without secure-server.

1990
MCQmedium

A network engineer is troubleshooting an IPv6 over IPv4 tunnel that is used to connect two remote sites. The tunnel is configured with a tunnel source that is a loopback interface. The tunnel is up, but the engineer cannot ping the remote tunnel endpoint IPv6 address. The engineer checks the routing table and sees a route to the remote loopback's IPv4 address via a default route. What is the most likely cause?

A.The remote router does not have a route to the loopback network used as the tunnel source; it only has a default route that may not cover that prefix.
B.The tunnel destination is configured with the loopback address of the remote router, but the remote router's tunnel source is a different interface.
C.The tunnel interface is missing the 'tunnel mode ipv6ip' command.
D.The IPv6 address on the tunnel interface is not in the same subnet as the remote tunnel IPv6 address.
AnswerA

Correct because the tunnel source loopback address must be reachable from the remote router. If the default route does not include that specific prefix (e.g., due to routing policy or subnet mismatch), the tunnel cannot encapsulate packets.

Why this answer

The tunnel is up, but the engineer cannot ping the remote tunnel endpoint IPv6 address because the remote router lacks a route back to the loopback network used as the tunnel source. The remote router only has a default route, which may not cover the specific prefix of the local loopback, causing return traffic to be dropped. For IPv6 over IPv4 tunnels, the tunnel source and destination must be reachable via unicast routing; a missing or insufficient route (like a default that doesn't match) breaks bidirectional communication.

Exam trap

Cisco often tests the misconception that a tunnel being up guarantees end-to-end reachability, but the real issue is asymmetric routing caused by missing return routes for the tunnel source IPv4 address.

How to eliminate wrong answers

Option B is wrong because the tunnel destination is correctly configured with the remote router's loopback address; the issue is not about mismatched tunnel sources, but about the remote router lacking a route back to the local loopback network. Option C is wrong because if the tunnel is up, the 'tunnel mode ipv6ip' command is already applied; without it, the tunnel would not come up at all. Option D is wrong because IPv6 addresses on tunnel interfaces do not need to be in the same subnet for ping to work; they only need to be routable, and the tunnel itself provides the logical link.

1991
MCQhard

A dual-stack network uses BGP for IPv6 between two ISPs. R1 (AS 100) receives a full BGP table from R2 (AS 200). R1 has an IPv6 ACL applied inbound on the interface to R2 that permits only BGP (TCP 179) and denies all other traffic. R1 also has uRPF configured in strict mode on the same interface. R1's BGP table has a route to 2001:db8:1::/48 with next-hop 2001:db8:2::2. R1's routing table shows the route, but traffic from R1 to 2001:db8:1::1 fails. R1 shows 'show ipv6 cef 2001:db8:1::/48' points to 2001:db8:2::2 via the interface to R2. What is the root cause?

A.The ACL on R1 blocks the return traffic from the destination, which is not BGP, causing the ping to fail.
B.uRPF strict mode drops the outgoing traffic because the source address is not reachable via the interface.
C.The next-hop 2001:db8:2::2 is not reachable due to a missing ND entry.
D.BGP next-hop resolution fails because the next-hop is not in the FIB.
AnswerA

The ACL permits only BGP. Return traffic (ICMPv6 echo reply) is blocked, so the ping fails.

Why this answer

uRPF strict mode does not check the source address of outgoing packets; it checks incoming packets. For traffic from R1 to the destination, the source is R1's own address. When the return traffic comes back, uRPF checks the source of the return packet.

The actual issue is that the ACL blocks all traffic except BGP. When R1 sends data to the destination, the return traffic is blocked by the ACL because it is not BGP. uRPF is not the problem; the ACL is blocking the return traffic.

1992
MCQhard

A network engineer is troubleshooting a redistribution issue between OSPF and EIGRP. Router R3 is redistributing OSPF routes into EIGRP, but some OSPF external routes are not appearing in the EIGRP topology table. The engineer checks the redistribute command under EIGRP and sees a route-map named RM-OSPF that uses a prefix-list to match specific prefixes. The missing routes are permitted by the prefix-list. What is the most likely cause?

A.The route-map is missing a 'set metric' command; EIGRP requires a metric for redistributed routes.
B.The prefix-list is using the wrong sequence number and is being overridden by a later deny statement.
C.The OSPF routes are type-5 LSAs, which cannot be redistributed into EIGRP.
D.The route-map is applied to the OSPF process instead of the EIGRP process.
AnswerA

Correct because EIGRP will not accept redistributed routes without an explicit metric.

Why this answer

The route-map may have a 'set metric' command that is misconfigured, or the route-map may be missing the 'set metric' command entirely, causing EIGRP to reject the route because it requires a metric for redistributed routes. Alternatively, the route-map might have a 'match route-type' that excludes external type-2 routes.

1993
MCQhard

In a VRF-Lite environment, EIGRP is configured between two routers. The engineer notices that the EIGRP neighbor relationship is flapping intermittently. Debug output shows 'dually' messages and the route is occasionally marked as 'stuck-in-active' (SIA). The link is Ethernet with no errors. Which is the most likely explanation?

A.The EIGRP K-values are mismatched between the two routers, causing the neighbor to reset.
B.A unidirectional link issue is present, where EIGRP packets are successfully sent but not received, causing the query process to time out.
C.The EIGRP stub routing feature is enabled on one router, preventing query propagation and causing the active process to hang.
D.The 'eigrp log-neighbor-changes' command is causing excessive logging, which delays EIGRP processing.
AnswerB

Unidirectional link causes queries to be sent but replies not received, leading to SIA and neighbor flapping.

Why this answer

EIGRP uses the Reliable Transport Protocol (RTP) for updates, queries, and replies. If there is a unidirectional link issue (e.g., one direction has high latency or packet loss), the query process may not receive replies in time, causing the route to become SIA. This is a classic edge case where the link appears operational but is unidirectional for EIGRP packets.

1994
MCQmedium

According to RFC 2663, what is the term for the process of translating both the source and destination IP addresses in a packet?

A.Static NAT
B.Twice NAT
C.PAT
D.Double NAT
AnswerB

Twice NAT translates both source and destination addresses.

Why this answer

RFC 2663 defines 'Twice NAT' as the process where both source and destination addresses are translated, typically used when address spaces overlap.

1995
MCQhard

An engineer configures a Cisco router with 'aaa authentication login default local' and 'aaa authorization exec default local'. The engineer then attempts to log in via the console and is prompted for a username and password. The username 'admin' with password 'cisco' is configured locally. The login fails. What is the most likely cause?

A.The console line is not configured with 'login authentication default'.
B.The username 'admin' is not in the local database.
C.The password 'cisco' is incorrect.
D.The 'aaa new-model' command is missing.
AnswerA

Correct because the default AAA login method list must be applied to the console line using the 'login authentication' command.

Why this answer

Option A is correct because, by default, the console line does not inherit the AAA authentication methods defined under 'aaa authentication login default local'. The 'login authentication default' command must be explicitly applied to the console line under line configuration to use the global AAA authentication method. Without it, the console line falls back to its default behavior, which does not use AAA, causing the login to fail despite the local user being configured.

Exam trap

Cisco often tests the distinction between defining a default AAA method list and applying it to a specific line, trapping candidates who assume that 'aaa authentication login default local' automatically applies to the console without the 'login authentication default' command.

How to eliminate wrong answers

Option B is wrong because the username 'admin' is explicitly stated as configured locally, so it is in the local database. Option C is wrong because the password 'cisco' is also stated as configured correctly, and the failure is not due to a password mismatch but due to the AAA method not being applied to the console line. Option D is wrong because the presence of 'aaa authentication login default local' and 'aaa authorization exec default local' implies that 'aaa new-model' has already been enabled; without it, these AAA commands would be rejected by the router.

1996
Multi-Selecthard

An engineer is troubleshooting an EIGRP network where some routers are not learning all routes, and suspects a route filtering issue. Which TWO statements about EIGRP route filtering are true? (Choose TWO.)

Select 3 answers
A.A distribute-list configured under the EIGRP process using an ACL will filter routes based on the source IP address of the EIGRP update, not the route prefix.
B.A prefix-list applied in a distribute-list under EIGRP can filter routes based on both the prefix and the prefix length, using ge and le operators.
C.An outbound distribute-list on an EIGRP router will prevent the router from installing filtered routes in its own routing table.
D.If a distribute-list is applied both at the EIGRP process level and on a specific interface, the process-level distribute-list takes precedence for that interface.
E.The 'distance' command configured under EIGRP can be used to filter routes by setting the administrative distance to 255, which prevents the route from being installed.
AnswersA, B, E

When using an ACL in a distribute-list under EIGRP, the ACL matches the source IP address of the router sending the update, not the route prefix itself. This is a common misconception.

Why this answer

EIGRP route filtering can be applied using distribute-lists with ACLs or prefix-lists, and can filter inbound or outbound. Distribute-lists applied to the EIGRP process affect all interfaces, while interface-specific distribute-lists override the process-level. The 'prefix-list' can match prefixes and prefix lengths.

The 'route-map' can also filter but is more complex. The 'distance' command does not filter routes; it changes administrative distance.

1997
Drag & Dropmedium

Drag and drop the steps to configure uRPF in strict mode on an edge router into the correct order, from first to last.

Why this order

The correct order begins with entering global configuration mode, then configuring the interface, enabling IPv6 on the interface, applying uRPF strict mode, and finally verifying the configuration with a show command.

1998
MCQmedium

Examine this CoPP configuration:

```
ip access-list extended PROTECT-ACL
 permit tcp any any eq 22
 permit tcp any any eq 23
 permit tcp any any eq 179
!
class-map match-all PROTECT-CLASS
 match access-group name PROTECT-ACL
!
policy-map PROTECT-POLICY
 class PROTECT-CLASS
  police 16000 conform-action transmit exceed-action drop
 class class-default
  police 64000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input PROTECT-POLICY
```

What will happen to SSH traffic that exceeds 16000 bps?

A.SSH traffic exceeding 16000 bps is dropped.
B.SSH traffic exceeding 16000 bps is still accepted because SSH is critical.
C.SSH traffic is not affected because the ACL uses 'permit' and the class-map uses 'match-all'.
D.SSH traffic exceeding 16000 bps is sent with a lower priority.
AnswerA

Correct. The exceed-action is drop, so any SSH traffic above the conform rate is dropped.

Why this answer

The policer for class PROTECT-CLASS drops packets that exceed the conform rate. SSH traffic is matched by the ACL and thus subject to the 16000 bps policer.

1999
Multi-Selecthard

Which TWO statements correctly describe the behavior of VRF-Lite when using OSPF as the IGP? (Choose TWO.)

Select 2 answers
A.The OSPF process must be configured with the 'vrf <name>' keyword to associate it with a specific VRF.
B.OSPF in VRF-Lite requires an MP-BGP session to exchange routes between VRFs.
C.By default, OSPF automatically redistributes all connected routes in the VRF into OSPF.
D.The 'network' command under the OSPF process can be used to enable OSPF on interfaces belonging to the VRF.
E.OSPF in VRF-Lite uses different LSA types compared to global OSPF.
AnswersA, D

Correct. The command 'router ospf <pid> vrf <name>' creates a VRF-aware OSPF instance.

Why this answer

In VRF-Lite, OSPF can be configured per VRF, and the OSPF process uses the VRF's routing table. The 'router ospf <process-id> vrf <name>' command creates a VRF-aware OSPF process. By default, OSPF uses the VRF's route table, not the global table.

The 'network' statement under the OSPF process is still used to enable OSPF on interfaces, but the interface must be in the same VRF. Option A is correct because the OSPF process is VRF-specific. Option D is correct because the 'network' command is still valid.

Option B is incorrect because OSPF does not require BGP; it can run directly. Option C is incorrect because OSPF does not automatically redistribute connected routes; a redistribution command is needed. Option E is incorrect because OSPF LSA types are the same in VRF-Lite.

2000
MCQhard

An engineer is troubleshooting why SNMPv3 informs are not being received by the NMS from router R6. The configuration includes 'snmp-server group ADMIN v3 priv', 'snmp-server user admin ADMIN v3 auth sha cisco123 priv aes 128 cisco456', and 'snmp-server host 10.1.1.100 informs version 3 priv admin'. The NMS can receive SNMPv3 traps from other routers. What is the most likely cause?

A.The NMS is not configured to respond to SNMP informs, so the router does not receive acknowledgment.
B.The 'snmp-server host' command should use 'traps' instead of 'informs' for SNMPv3.
C.The router needs the 'snmp-server enable informs' command globally.
D.The SNMPv3 user must have the 'auth' privilege instead of 'priv' to send informs.
AnswerA

Correct because informs require an acknowledgment; if the NMS does not support it, informs fail.

Why this answer

SNMP informs require a response from the NMS, and the NMS must be configured to send back an acknowledgment. If the NMS does not support informs or has not enabled inform processing, the router will keep retrying and eventually fail. The router's configuration is correct, so the issue is on the NMS side.

2003
MCQmedium

A network engineer runs the following command on Router R1:

```
R1# show dmvpn
Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

 # Ent  Peer NBMA Addr     Peer Tunnel Add  State  UpDn Tm   Attrb
 -----  -----------------  ---------------  -----  --------  -----
     1  10.0.0.2           10.1.1.2         UP     00:10:00  D
     2  10.0.0.3           10.1.1.3         UP     00:05:00  D
```

Based on this output, what is the role of Router R1 in the DMVPN network?

A.Router R1 is the hub router with two active spoke connections.
B.Router R1 is a spoke router with two hub connections.
C.Router R1 is a spoke router with two other spoke connections.
D.Router R1 is not participating in DMVPN because the tunnel is down.
AnswerA

The 'Type:Hub' and two UP peers indicate it is a hub.

Why this answer

The output shows that Router R1 has a Tunnel0 interface configured as a DMVPN hub (Type:Hub) with two NHRP peers (10.1.1.2 and 10.1.1.3) in the UP state. The 'D' attribute in the Attrb column indicates these peers are directly connected spokes, confirming R1 is the hub router with two active spoke connections.

Exam trap

Cisco often tests the distinction between the 'Type:Hub' and 'Type:Spoke' fields in the show dmvpn output, and candidates may misinterpret the 'D' attribute as meaning the router is a spoke or that the tunnel is down, when it actually indicates a dynamic peer relationship on the hub.

How to eliminate wrong answers

Option B is wrong because the output explicitly shows Type:Hub, not a spoke, and a spoke router would have a single hub connection, not two hub connections. Option C is wrong because a spoke router does not have two other spoke connections in a typical DMVPN phase 2/3; spokes only connect to the hub, and the output shows the hub role. Option D is wrong because the tunnel state is UP (as indicated by the 'UP' status for both peers), meaning R1 is actively participating in DMVPN.

2004
MCQmedium

A network engineer runs the following command on Router R1:

```
R1# show event manager policy registered
No.  Type    Time Created             Name
1    applet  00:01:23 UTC Mar 1 2025  BGP_Session_Reset
R1# show event manager history events
Event History:
No.  Time                Type    Name
1    00:02:00 UTC Mar 1  syslog  BGP_Session_Reset
2    00:02:05 UTC Mar 1  syslog  BGP_Session_Reset
3    00:02:10 UTC Mar 1  syslog  BGP_Session_Reset
```

Based on this output, which statement is correct?

A.The BGP session reset event has occurred three times.
B.The EEM policy is not triggering any events.
C.The BGP session is stable.
D.The EEM policy is disabled.
AnswerA

The event history shows three entries for BGP_Session_Reset, each at different times.

Why this answer

The output shows one registered EEM applet policy named BGP_Session_Reset, and three triggered syslog events for that policy. The correct answer is that the BGP session reset event has occurred multiple times, indicating a persistent issue.

2005
MCQ · easy

A network engineer runs the following command on Router R4:

    R4# show ip route 10.10.10.0
    Routing entry for 10.10.10.0/24
      Known via "connected", distance 0, metric 0 (connected)
      Redistributing via eigrp 100
      Last update from 10.10.10.1 on GigabitEthernet0/0, 00:00:00 ago
      Routing Descriptor Blocks:
      * 10.10.10.1, via GigabitEthernet0/0
          Route metric is 0, traffic share count is 1

Based on this output, which statement is true?

A. The route is a static route with distance 0.
B. The route is a connected route, as indicated by distance 0.
C. The route is redistributed from EIGRP into connected.
D. The administrative distance of 0 indicates a floating static route.
Answer: B

Connected routes have an administrative distance of 0, confirming this is a directly connected network.

Why this answer

The route is directly connected, as indicated by 'known via connected' and distance 0. The administrative distance of 0 is the default for connected routes.

2006
MCQ · hard

A network engineer is troubleshooting a DHCPv4 issue where a router configured as a DHCP server is not assigning addresses from a pool to clients on a specific VLAN. The pool is configured with 'network 10.1.1.0 255.255.255.0' and 'default-router 10.1.1.1'. The router's interface Gi0/0.10 (subinterface) has encapsulation dot1Q 10 and IP 10.1.1.1/24. Clients send DISCOVER messages, but the router does not respond. The engineer notices that the router has multiple DHCP pools configured. What is the most likely cause?

A. The DHCP pool is configured under a VRF, but the interface is not in that VRF.
B. The subinterface is missing the 'ip helper-address' command.
C. The 'ip dhcp server' command is missing globally.
D. The encapsulation dot1Q 10 is misconfigured, causing the router to not receive broadcasts.
Answer: A

Correct because if the pool is defined with 'vrf <name>', it will only respond to DHCP requests on interfaces belonging to that VRF; the subinterface is not in any VRF, so the pool is ignored.

Why this answer

The router has multiple DHCP pools configured, and the pool for VLAN 10 is likely bound to a VRF. When a DHCP pool is configured under a VRF, the router only responds to DHCP DISCOVER messages received on interfaces that belong to that same VRF. Since the subinterface Gi0/0.10 is not in the VRF, the router ignores the client broadcasts, even though the IP address and subnet match the pool.

Exam trap

Cisco often tests the VRF-aware DHCP concept by presenting a scenario where a DHCP server has multiple pools and clients are not getting addresses, leading candidates to incorrectly suspect missing helper addresses or global DHCP commands, when the real issue is a VRF mismatch between the pool and the interface.

How to eliminate wrong answers

Option B is wrong because the 'ip helper-address' command is used to forward DHCP broadcasts to a remote DHCP server, not to enable a local DHCP server to respond; the router is acting as the DHCP server itself, so this command is unnecessary. Option C is wrong because the global 'ip dhcp server' command does not exist in Cisco IOS; DHCP server functionality is enabled by default when a pool is configured, and the correct global command is 'service dhcp' (which is enabled by default). Option D is wrong because the encapsulation dot1Q 10 is correctly configured for the subinterface to receive VLAN 10 traffic; if it were misconfigured, the router would not receive any frames from that VLAN, but the question states clients send DISCOVER messages, implying the router receives them.

2007
MCQ · medium

A network engineer runs the following command to troubleshoot a Network Logging and Syslog issue:

    R1# show crypto engine connections active

Output:

    Crypto Engine Connections
    ID  Type    Algorithm   State   Connection-ID
    1   IPsec   AES256-SHA  Active  100
    2   IPsec   AES256-SHA  Active  101
    3   ISAKMP  SHA         Active  200

What does this output indicate?

A. The router has two active IPsec tunnels and one active ISAKMP session.
B. The router is experiencing IPsec authentication failures.
C. The router has no active crypto connections.
D. The router is using only IPsec and no ISAKMP.
Answer: A

Two IPsec connections (IDs 1 and 2) and one ISAKMP connection (ID 3) are active.

Why this answer

The output shows active crypto engine connections, including IPsec and ISAKMP sessions. This indicates that the router is processing encrypted traffic.

2008
MCQ · hard

A network engineer configures OSPF on two routers connected via Ethernet. The adjacency forms but remains stuck in EXSTART state. Both routers have identical OSPF configuration except for MTU. Which is the most likely explanation?

A. The OSPF network type is point-to-point on one side and broadcast on the other.
B. The MTU on the interfaces is mismatched, causing DBD packet rejection.
C. The OSPF router ID is identical on both routers.
D. The 'ip ospf authentication' is configured only on one side.
Answer: B

MTU mismatch is a classic cause of EXSTART state.

Why this answer

OSPF uses the interface MTU in Database Description (DBD) packets. If MTU values differ, the neighbor will reject DBD packets larger than its own MTU, causing the adjacency to stall in EXSTART. The fix is to use 'ip ospf mtu-ignore' or match MTU.

2009
MCQ · hard

A network engineer runs the following command to troubleshoot a Policy-Based Routing (PBR) issue:

    R1# debug ip policy
    Policy routing debugging is on
    R1#
    *Mar 1 00:15:30.789: IP: s=10.0.0.1 (FastEthernet0/0), d=20.0.0.1, len 100, policy match
    *Mar 1 00:15:30.789: IP: s=10.0.0.1 (FastEthernet0/0), d=20.0.0.1, len 100, policy rejected
    *Mar 1 00:15:30.789: IP: s=10.0.0.2 (FastEthernet0/0), d=20.0.0.2, len 100, policy match
    *Mar 1 00:15:30.789: IP: s=10.0.0.2 (FastEthernet0/0), d=20.0.0.2, len 100, policy routed
    *Mar 1 00:15:30.789: IP: FastEthernet0/0 to GigabitEthernet0/1 192.168.1.1

What does this output indicate?

A. The route-map has multiple sequences or ACL entries; one source is permitted, the other is denied or fails next-hop check.
B. Both packets should have been rejected due to a misconfiguration.
C. The next-hop 192.168.1.1 is unreachable for the first packet.
D. The ACL is blocking all traffic from 10.0.0.1.
Answer: A

The different treatment indicates different match conditions or set clause outcomes.

Why this answer

The debug shows two packets: the first from 10.0.0.1 was rejected, while the second from 10.0.0.2 was successfully routed to 192.168.1.1. This suggests that the route-map may have multiple sequences or the ACL differentiates between the sources.

2010
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show ipv6 tunnel brief
    Tunnel2: IPv6/IP, intf id 0/0/2, 6to4, mtu 1280
      Source: 192.168.1.1 (GigabitEthernet0/0)
      Destination: 192.168.2.1
      Tunnel transport: IPv4

Based on this output, which statement is correct?

A. This is a correctly configured 6to4 tunnel.
B. This tunnel is actually a manually configured IPv6/IP tunnel, not a 6to4 tunnel.
C. The tunnel is an ISATAP tunnel.
D. The tunnel is in an up/up state and passing traffic.
Answer: B

The presence of a specific destination address indicates a manual tunnel; 6to4 tunnels have no configured destination.

Why this answer

The output shows a manually configured IPv6/IP tunnel because it specifies both a source and destination IPv4 address. In a true 6to4 tunnel, the destination is automatically derived from the 6to4 prefix (2002::/16) and the destination IPv4 address, not statically configured. The presence of a static destination address indicates this is a manually configured tunnel, not a 6to4 tunnel.

Exam trap

Cisco often tests the distinction between automatic 6to4 tunnels (where the destination is derived from the IPv6 address) and manually configured tunnels (where both source and destination are explicitly set), leading candidates to assume any tunnel with '6to4' in the output is correctly configured.

How to eliminate wrong answers

Option A is wrong because a correctly configured 6to4 tunnel does not have a statically configured destination IPv4 address; the destination is derived automatically from the 6to4 prefix. Option C is wrong because an ISATAP tunnel uses a different interface identifier format (::0:5EFE:IPv4-address) and typically does not show a static destination address in this manner. Option D is wrong because the output does not show interface status or traffic statistics; 'show ipv6 tunnel brief' only displays configuration parameters, not operational state.

2011
MCQ · easy

What is the maximum number of VRFs that can be configured on a Cisco IOS router?

A. 256
B. 1024
C. Platform-dependent, typically limited by available memory.
D. Unlimited
Answer: C

This is correct. The number of VRFs is constrained by hardware resources.

Why this answer

The maximum number of VRFs is platform-dependent. There is no fixed IOS-wide limit; it varies based on hardware and software resources.

2012
MCQ · hard

An engineer is troubleshooting an MPLS L3VPN where CE1 (10.1.1.0/24) cannot reach CE2 (10.2.2.0/24). The PE routers have MP-BGP peering and the VRF is configured with route-target import 100:100. On PE1, the show ip bgp vpnv4 vrf CUSTOMER command shows the route for 10.2.2.0/24 with a next-hop of 192.168.1.2, but the show ip route vrf CUSTOMER command does not have this route. The show ip bgp vpnv4 all 10.2.2.0/24 command on PE1 shows the route is received but not best. What is the most likely cause?

A. The route-target import on PE1 is missing.
B. The BGP next-hop (PE2 loopback) is not reachable in the global routing table.
C. The VRF on PE1 has a different route-target export.
D. The MP-BGP session is using an incorrect address family.
Answer: B

Correct: BGP requires the next-hop to be reachable for the route to be considered best and installed.

Why this answer

The route is received but not marked as best, so it is not installed in the routing table. Common reasons include the route being suppressed due to a higher AD from another source or the next-hop being unreachable. In this scenario, the most likely cause is that the BGP next-hop is not reachable in the global routing table.

2013
MCQ · easy

Which statement correctly describes the default behavior of EIGRP auto-summary on Cisco IOS-XE?

A. Auto-summary is enabled by default, summarizing classful boundaries.
B. Auto-summary is disabled by default, so subnets are advertised without summarization.
C. Auto-summary is enabled only for EIGRP named mode configurations.
D. Auto-summary is disabled by default, but only for IPv6 EIGRP.
Answer: B

Correct: In IOS-XE, auto-summary is off by default, preventing unwanted classful summarization.

Why this answer

In modern Cisco IOS-XE releases (15.x and later), EIGRP auto-summary is disabled by default. This changed from older IOS versions where auto-summary was enabled by default.

2014
Multi-Select · medium

Which TWO commands can be used to verify the NHRP shortcut route creation in a DMVPN Phase 3 network? (Choose TWO.)

Select 2 answers
A. show ip nhrp
B. show ip route
C. show dmvpn
D. show crypto ipsec sa
E. show ip eigrp topology
Answers: A, B

This command shows NHRP cache entries, including shortcut routes with the 'shortcut' flag.

Why this answer

In DMVPN Phase 3, shortcut routes are created by NHRP. The 'show ip nhrp' command displays the NHRP cache, which includes shortcut entries. The 'show ip route' command shows the routing table, where shortcut routes appear as NHRP-learned routes.

The other commands do not show shortcut route information.

2015
MCQ · hard

A network engineer notices that after redistributing EIGRP into OSPF, a routing loop occurs between two routers.

Router R1 config:

    router ospf 1
     redistribute eigrp 100 subnets
    !
    router eigrp 100
     redistribute ospf 1 metric 10000 100 255 1 1500

    R1# show ip route 192.168.1.0
    Routing entry for 192.168.1.0/24
      Known via "eigrp 100", distance 90, metric 128256
      Redistributing via eigrp 100
      Last update from 10.1.1.2 on GigabitEthernet0/0

    R2# show ip route 192.168.1.0
    Routing entry for 192.168.1.0/24
      Known via "ospf 1", distance 110, metric 20
      Redistributing via ospf 1
      Last update from 10.1.1.1 on GigabitEthernet0/0

What is the root cause?

A. The redistribute commands are missing route-map filters, causing mutual redistribution and a loop.
B. The EIGRP metric is too low, causing OSPF to prefer the redistributed route.
C. The OSPF administrative distance is higher than EIGRP, causing suboptimal path selection.
D. The subnets keyword under OSPF redistribution is causing classful behavior.
Answer: A

Without filtering, routes learned from one protocol are redistributed back, creating a loop.

Why this answer

Mutual redistribution between EIGRP and OSPF without route filtering causes a routing loop. R1 learns the route via EIGRP and redistributes into OSPF; R2 learns via OSPF and redistributes back into EIGRP, creating a loop. The fix is to use route-maps to filter redistributed routes or set administrative distance to prefer one source.

2016
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show ipv6 traffic | include tunnel
      0 tunnel packets received
      0 tunnel packets sent
      0 tunnel packets dropped

Based on this output, what can be concluded?

A. The tunnel is passing traffic normally.
B. The tunnel is not carrying any IPv6 traffic.
C. The tunnel is dropping all packets.
D. The tunnel is using IPsec encryption.
Answer: B

All counters are zero, meaning no traffic.

Why this answer

The 'show ipv6 traffic | include tunnel' command filters the output to show only lines containing 'tunnel'. The counters for packets received, sent, and dropped are all zero, which indicates that no IPv6 packets have been encapsulated or decapsulated by any tunnel interface. This means the tunnel is not carrying any IPv6 traffic, making option B correct.

Exam trap

Cisco often tests the misinterpretation of zero counters as 'no issues' (option A) or as 'dropping all packets' (option C), when in fact zero counters simply indicate no activity on the tunnel.

How to eliminate wrong answers

Option A is wrong because zero packets received and sent indicates no traffic is passing, not normal operation. Option C is wrong because zero packets dropped means no packets have been discarded; dropping all packets would show non-zero drop counters. Option D is wrong because the output provides no information about IPsec encryption; IPsec status is verified with commands like 'show crypto ipsec sa' or 'show crypto map', not from IPv6 traffic counters.

2017
Drag & Drop · hard

Drag and drop the steps to troubleshoot SNMP adjacency or connectivity failures into the correct order, from first to last.


Why this order

Start by checking basic IP connectivity using ping to the SNMP manager. Next, verify that the SNMP agent is enabled and listening on the correct port. Then, review ACLs and firewall rules that might block SNMP traffic.

After that, examine SNMP community strings or security credentials for mismatches. Finally, enable debug snmp packets to capture and analyze packet exchanges.

2018
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show ip eigrp interfaces
    EIGRP-IPv4 Interfaces for AS(100)
                      Xmit Queue   Mean   Pacing Time   Multicast    Pending
    Interface  Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
    Gi0/0      1      0/0          12     0/10          50           0
    Gi0/1      1      0/0          15     0/10          50           0
    Gi0/2      1      0/0          18     0/10          50           0
    Gi0/3      1      0/0          20     0/10          50           0
    Gi0/4      0      0/0          0      0/10          50           0

Based on this output, which statement is correct?

A. Interface Gi0/4 has no EIGRP neighbor, which may indicate a configuration issue or lack of connectivity.
B. All interfaces have at least one EIGRP neighbor.
C. The mean SRTT on Gi0/2 is 18 ms, which is too high and indicates a problem.
D. The pending routes count of 0 on all interfaces indicates a routing loop.
Answer: A

A peer count of 0 means no EIGRP adjacency exists on that interface.

Why this answer

The show ip eigrp interfaces command shows EIGRP-enabled interfaces and their statistics. Gi0/4 has 0 peers, meaning no EIGRP neighbor is formed on that interface. The other interfaces have 1 peer each, indicating a neighbor relationship.

2019
MCQ · medium

A network engineer runs the following command to troubleshoot DMVPN with NHRP filtering:

    R1# show ip nhrp detail
    10.1.1.2/8 via 10.1.1.2, Tunnel0 created 00:10:00, expire 01:50:00
      Type: dynamic, Flags: authoritative unique registered
      NBMA address: 192.168.1.2 (no-socket) (no-socket)

What does this output indicate?

A. The spoke at 10.1.1.2 has registered with the hub and is reachable via NBMA address 192.168.1.2.
B. The spoke is being filtered by an NHRP filter.
C. The NHRP entry is static and configured manually.
D. The spoke is not reachable because the NBMA address is incorrect.
Answer: A

The entry shows a dynamic registration with the NBMA address, indicating successful NHRP registration.

Why this answer

The output shows an NHRP cache entry for a remote spoke (10.1.1.2) with NBMA address 192.168.1.2. The entry is dynamic and registered, indicating that the spoke has successfully registered with the hub.

2020
MCQ · medium

In an extended IPv4 ACL, what is the default action if only a source and destination are specified without a protocol?

A. The ACL matches all IP traffic.
B. The ACL matches only TCP traffic.
C. The command is rejected by the IOS parser.
D. The ACL matches only UDP traffic.
Answer: C

Extended ACL syntax requires a protocol field; omission causes a syntax error.

Why this answer

In an extended IPv4 ACL, the protocol keyword is mandatory. If you omit it, the IOS parser rejects the command because it cannot determine which protocol to filter. The correct syntax requires a protocol (e.g., ip, tcp, udp) after the permit or deny keyword; without it, the parser returns an error.

Exam trap

Cisco often tests the mandatory nature of the protocol field in extended ACLs, trapping candidates who assume a default protocol (like IP, TCP, or UDP) is applied when none is specified.

How to eliminate wrong answers

Option A is wrong because an extended ACL does not default to matching all IP traffic when only source and destination are specified; the protocol field is required, and omitting it causes a parser error, not an implicit 'permit ip any any'. Option B is wrong because there is no default protocol of TCP; the ACL command is invalid without a protocol keyword. Option D is wrong because there is no default protocol of UDP; the command is rejected, not interpreted as UDP traffic.

2021
MCQ · medium

A network engineer runs the following command to troubleshoot OSPF over DMVPN:

    R1# debug ip ospf adj
    OSPF: 2 Way Communication to 10.0.0.2 on Tunnel0, state 2WAY
    OSPF: Send DBD to 10.0.0.2 on Tunnel0 seq 0x1234 opt 0x52 flag 0x7
    OSPF: Rcv DBD from 10.0.0.2 on Tunnel0 seq 0x1235 opt 0x52 flag 0x2
    OSPF: Exchange Done with 10.0.0.2 on Tunnel0
    OSPF: Build router LSA for area 0, router ID 1.1.1.1

What does this output indicate?

A. OSPF adjacency with 10.0.0.2 is stuck in 2WAY state and not progressing.
B. OSPF adjacency with 10.0.0.2 is forming successfully and will reach FULL state.
C. OSPF is not enabled on Tunnel0.
D. There is an OSPF MTU mismatch causing the adjacency to fail.
Answer: B

Correct: The sequence shows normal adjacency formation steps.

Why this answer

The debug shows OSPF adjacency formation: 2-way state, database description exchange, and exchange done, indicating a full adjacency is being established.

2022
MCQ · medium

A network engineer runs the following command to troubleshoot a Device Access Control issue:

    R1# show ip eigrp topology 10.10.10.0/24 all-links
    P 10.10.10.0/24, 1 successors, FD is 1310720
            via 10.1.1.2 (1310720/1310720), GigabitEthernet0/0
            via 10.1.2.2 (1310720/1310720), GigabitEthernet0/1

What does this output indicate?

A. There are two equal-cost paths to 10.10.10.0/24, and EIGRP will load balance across them.
B. Only the first path via 10.1.1.2 is installed because the second path has a higher FD.
C. The path via 10.1.2.2 is a feasible successor but is not used because it has a higher RD.
D. The router has no route to 10.10.10.0/24 because the FD is the same as the RD.
Answer: A

Both paths have the same FD and RD, making them equal-cost successors; EIGRP will install both and load balance.

Why this answer

The output shows two EIGRP routes to 10.10.10.0/24 with identical Feasible Distances (FD) of 1310720, indicating equal-cost paths. EIGRP installs up to four equal-cost routes by default and performs per-destination load balancing across them, so both paths are active and used.

Exam trap

Cisco often tests the distinction between equal-cost paths (same FD) and feasible successors (RD < FD), leading candidates to mistakenly label an equal-cost path as a feasible successor or assume only the first path is used.

How to eliminate wrong answers

Option B is wrong because both paths have the same FD (1310720), so the second path is not rejected due to a higher FD; it is an equal-cost path. Option C is wrong because a feasible successor must have a Reported Distance (RD) less than the current successor's FD; here both RDs equal the FD (1310720), so the second path is not a feasible successor—it is an equal-cost successor. Option D is wrong because the router does have a route to 10.10.10.0/24; the FD and RD being the same is normal for directly connected or redistributed routes and does not prevent route installation.

2023
Multi-Select · hard

Which TWO statements correctly describe the verification of route summarization using Cisco IOS commands? (Choose TWO.)

Select 3 answers
A. The 'show ip route' command displays the summary route with a next-hop of Null0 for EIGRP and OSPF summarization.
B. The 'show ip eigrp topology' command displays all configured summary addresses and their metrics.
C. The 'show ip protocols' command lists the configured summary-address ranges under each routing process.
D. The 'debug ip routing' command provides detailed information about summary route creation and suppression.
E. The 'show ip ospf database summary' command displays the Type 3 LSAs, including those generated by the 'area range' command.
Answers: A, C, E

Correct. Both EIGRP and OSPF install a discard route (to Null0) for the summary prefix to prevent loops, visible in 'show ip route'.

Why this answer

To verify route summarization, engineers use 'show ip route' to see the summary route and discard entry, 'show ip protocols' to view configured summary addresses, and 'show ip ospf database' to see Type 3 summary LSAs. The 'show ip eigrp topology' command does not show summary routes by default, and 'debug ip routing' shows routing table changes but not summary-specific events.

2024
MCQ · hard

An engineer configures CoPP on a router with the following policy: class-map match-any PROTECT, match protocol ospf, police 1000 pps; class class-default, police 500 pps. After applying, OSPF neighbors form, but the router's CPU utilization remains high. Which is the most likely explanation?

A. The class-default police rate is too low, causing ARP packets to be dropped, but CPU is high due to the policing overhead.
B. OSPF traffic is being policed to 1000 pps, which is too high, causing CPU overload.
C. CoPP only works on hardware-switched platforms, not software.
D. The class-default should have a higher rate than the OSPF class.
Answer: A

Policing itself consumes CPU, and dropping packets may cause retries, increasing CPU.

Why this answer

The class-default police rate of 500 pps is lower than the OSPF class rate of 1000 pps. However, traffic not matching OSPF (e.g., ARP, ICMP) is limited to 500 pps. If such traffic exceeds 500 pps, it is dropped, but the CPU may still be high due to the policing process itself or because OSPF traffic is still allowed at 1000 pps.

The edge case is that the class-default rate may be too low, causing drops of essential traffic like ARP, but the CPU issue persists because the router is still processing the policed packets.

2025
MCQ · hard

A network engineer runs the following command on Router R1:

    R1# show ip eigrp vrf RED neighbors
    EIGRP-IPv4 Neighbors for AS(100) VRF RED
    H   Address      Interface  Hold   Uptime    SRTT  RTO  Q    Seq
                                (sec)            (ms)       Cnt  Num
    0   192.168.1.2  Gi0/2      13     00:15:30  12    200  0    45
    1   192.168.2.2  Gi0/3      12     00:14:20  15    200  0    32

Based on this output, what is the problem?

A. The EIGRP neighbors are not exchanging routes because the Seq numbers are low.
B. Both neighbors are in the Init state.
C. The EIGRP adjacency is functioning correctly.
D. The hold time of 13 seconds indicates a problem.
Answer: C

The neighbors are up with low SRTT and no Q count, indicating stable adjacencies.

Why this answer

The output shows two EIGRP neighbors for VRF RED. Both are in a normal state with low SRTT and a Q count of 0. The hold times of 13 and 12 seconds are typical, the uptimes are similar, and the incrementing Seq numbers indicate activity.

No problem is evident in this output, so the correct answer is that the EIGRP adjacency is functioning correctly.
