Cisco CCNP ENARSI 300-410 (300-410) — Questions 2026–2100

2152 questions total · 29 pages · All types, answers revealed

Page 28 of 29

2026
MCQ · medium

Examine this BGP configuration on router R6:

router bgp 65006
 bgp router-id 6.6.6.6
 neighbor 10.6.6.7 remote-as 65007
 neighbor 10.6.6.7 weight 200
!

What is the effect of the weight command?

A. It sets the weight of all routes learned from 10.6.6.7 to 200, making them preferred over routes with lower weight.
B. It sets the weight of routes sent to 10.6.6.7 to 200.
C. It has no effect because weight is only configurable under route-map.
D. It sets the MED value to 200 for routes from this neighbor.
Answer: A

Weight is locally significant and higher weight wins.

Why this answer

The weight command assigns a weight value to routes from a specific neighbor. Weight is a Cisco-specific attribute that is local to the router. Higher weight is preferred over other routes.

The default weight for eBGP routes is 0, so weight 200 makes routes from this neighbor preferred.

2027
MCQ · medium

A network engineer runs the following command to troubleshoot a Device Access Control issue:

R1# debug nhrp
NHRP: Receive Resolution Request via Tunnel0 10.1.1.2, target 192.168.1.1
NHRP: Send Resolution Reply via Tunnel0 to 10.1.1.2, target 192.168.1.1

What does this output indicate?

A. The router is acting as a NHRP server and successfully resolves the NBMA address for the target.
B. The router is a NHRP client and is requesting resolution for target 192.168.1.1.
C. The router is unable to resolve the target address because it does not have a mapping.
D. The NHRP process is failing due to a misconfigured authentication key.
Answer: A

The router receives a request and sends a reply, indicating it has the mapping and is providing resolution.

Why this answer

The debug output shows the router receiving a Resolution Request and immediately sending a Resolution Reply, which is the behavior of a Next Hop Resolution Protocol (NHRP) server (or hub) that has a mapping for the target 192.168.1.1. The router successfully resolves the Non-Broadcast Multiple Access (NBMA) address (10.1.1.2) for the target, indicating it is acting as a server in a DMVPN or similar overlay network.

Exam trap

Cisco often tests the distinction between NHRP client (spoke) and server (hub) roles by showing debug output; the trap here is that candidates may confuse sending a Resolution Reply with sending a Resolution Request, incorrectly assuming the router is a client.

How to eliminate wrong answers

Option B is wrong because the router is sending a Resolution Reply, not a Resolution Request, so it is not acting as a client requesting resolution. Option C is wrong because the router successfully sends a reply, meaning it does have a mapping for the target address. Option D is wrong because the debug output shows successful NHRP message exchange with no authentication errors; a misconfigured key would generate NHRP authentication failure messages, not a successful reply.

2028
MCQ · hard

An engineer configured IP SLA 80 to monitor a remote server (192.168.100.100) using ICMP echo. The IP SLA is used in a track object for a static route. The engineer notices that the IP SLA state is 'Active', but the track object shows 'Down'. What is the most likely cause?

A. The track object is configured with a 'delay up' timer that has not yet expired.
B. The IP SLA probe is using a different source IP than expected.
C. The track object is referencing the wrong IP SLA number.
D. The router's routing table is full, preventing the track object from updating.
Answer: A

A 'delay up' timer forces the track to wait before transitioning to 'Up' after the IP SLA becomes 'Active'. This is a common cause of mismatch.

Why this answer

The track object can be configured with a threshold (e.g., 'threshold' or 'delay') that causes it to remain 'Down' even if the IP SLA is 'Active'. For example, if the track object has a 'delay up' timer, it will not transition to 'Up' immediately.

2029
MCQ · medium

Which of the following is a mandatory condition for a route to be considered a feasible successor in EIGRP?

A. The reported distance must be less than the feasible distance.
B. The metric must be equal to the successor's metric.
C. The next-hop router must be directly connected.
D. The route must be learned from the same AS.
Answer: A

This is the feasibility condition defined by EIGRP.

Why this answer

A feasible successor must have a reported distance (RD) less than the feasible distance (FD) of the successor. This ensures the path is loop-free.

2030
MCQ · hard

What is the default ERSPAN ID range on Cisco IOS-XE devices?

A. 1 to 256
B. 1 to 1023
C. 1 to 4096
D. 1 to 65535
Answer: B

The ERSPAN ID range is 1 to 1023 on most Cisco IOS-XE platforms.

Why this answer

ERSPAN sessions use an ID from 1 to 1023 (or 1 to 256 on some platforms) to identify the session. The default is 1 if not specified.

2031
MCQ · hard

An engineer configures OSPF on a link with an MTU of 1500 on one side and 1400 on the other. The OSPF neighbor state is stuck in EXSTART. What is the most likely explanation?

A. The router with the smaller MTU (1400) rejects DBD packets from the neighbor with MTU 1500 because they exceed the interface MTU, causing the EXSTART state.
B. The router with the larger MTU (1500) cannot process the smaller DBD packets from the neighbor.
C. The OSPF network type is point-to-point, which ignores MTU mismatches.
D. The 'ip ospf mtu-ignore' command is needed on both sides to bypass the MTU check.
Answer: A

OSPF DBD packets are sized based on MTU; a mismatch prevents the exchange from completing.

Why this answer

OSPF uses the MTU of the interface to determine the maximum size of Database Description (DBD) packets. If the MTU mismatches, the router with the smaller MTU will reject DBD packets that exceed its MTU, causing the neighbor to remain in EXSTART.

2032
Multi-Select · hard

Which TWO configuration steps are required to enable an Embedded Event Manager (EEM) applet that sends an SNMP trap when a specific OID is polled? (Choose TWO.)

Select 2 answers
A. Configure 'event snmp oid 1.3.6.1.4.1.9.9.117.1.1.2.1.1 get-type exact' within the applet.
B. Ensure the 'snmp-server enable traps' command is configured globally.
C. Configure 'event syslog pattern "SNMP"' to capture the SNMP poll.
D. Configure an SNMP community string with read-write access inside the applet using 'action snmp-community'.
E. Configure 'event cli command "snmpwalk" sync yes' to trigger on SNMP walks.
Answers: A, B

This defines the SNMP event trigger, specifying the OID to monitor and the type of access (exact match) that will fire the applet.

Why this answer

To trigger an EEM applet on an SNMP OID poll, you must configure the 'event snmp oid' command and ensure SNMP is enabled globally. The other options are either unnecessary (like configuring a community for the applet itself) or incorrect (like using 'event syslog' or 'event cli').

2033
MCQ · easy

A network engineer runs the following command on Router R5:

R5# show logging | include %LINEPROTO-5-UPDOWN
*Mar 1 00:00:10.123: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
*Mar 1 00:00:20.456: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
*Mar 1 00:00:30.789: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
*Mar 1 00:00:40.012: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
*Mar 1 00:00:50.345: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
*Mar 1 00:01:00.678: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down

Based on this output, what is the most likely problem?

A. The interface is administratively down.
B. There is a physical layer issue causing the interface to flap.
C. The interface is configured with a high bandwidth delay product.
D. The router is experiencing a high CPU load due to routing updates.
Answer: B

Repeated line protocol up/down messages indicate a flapping interface, typically due to physical or Layer 2 issues.

Why this answer

The output shows the line protocol on GigabitEthernet0/0 flapping every 10 seconds. This is a classic symptom of a flapping interface, often due to a physical issue (bad cable, faulty transceiver) or a Layer 2 problem (e.g., spanning tree topology changes, keepalive mismatch).

2034
Multi-Select · hard

Which THREE symptoms indicate that a Cisco IOS router is experiencing issues with device access control due to misconfigured AAA local authentication? (Choose THREE.)

Select 3 answers
A. Users with correct credentials are repeatedly denied access, and the 'show aaa local user lockout' command shows no locked accounts.
B. The 'debug aaa authentication' output shows 'FAIL' for local authentication attempts even though the username and password are correctly configured.
C. Users are locked out after three failed attempts despite 'login block-for' not being configured.
D. The 'show aaa servers' output shows the RADIUS server status as 'DEAD'.
E. The 'show line' command shows that the line is in 'ready' state but login prompts are not displayed.
Answers: A, B, C

This suggests the authentication method list may not reference 'local' or the local database is not properly configured, causing failures without lockouts.

Why this answer

Option A is correct because when AAA local authentication is misconfigured, users with valid credentials can be repeatedly denied access without any lockout entries. The 'show aaa local user lockout' command would show locked accounts only if the 'aaa local authentication attempts max-fail' feature is enabled, but the absence of lockouts indicates the issue is not due to failed attempts but rather a misconfiguration in the local username/password database or AAA method list.

Exam trap

Cisco often tests the distinction between local authentication lockout (controlled by 'aaa local authentication attempts max-fail') and login blocking (controlled by 'login block-for'), causing candidates to incorrectly associate lockout behavior with the 'login block-for' feature rather than AAA local authentication parameters.

2035
MCQ · medium

Examine the following IPv6 ACL applied to an interface:

ipv6 access-list FILTER
 permit ipv6 any any fragments
 deny ipv6 any any
interface GigabitEthernet0/1
 ipv6 traffic-filter FILTER in

What is the effect of this configuration?

A. All IPv6 traffic is permitted because the permit statement matches any packet.
B. Only fragmented IPv6 packets are permitted; all other IPv6 traffic is denied.
C. The ACL is invalid because 'fragments' cannot be used with 'any any'.
D. The interface command is missing the 'ipv6 enable' prerequisite.
Answer: B

The first ACE permits only fragments; the second denies everything else, so only fragments pass.

Why this answer

Option B is correct because the ACL explicitly permits only fragmented IPv6 packets via the 'permit ipv6 any any fragments' statement, while the subsequent 'deny ipv6 any any' statement denies all other IPv6 traffic. Since ACLs are processed sequentially, the permit for fragments is evaluated first, allowing only fragmented packets; all non-fragmented packets are then denied by the second entry.

Exam trap

Cisco often tests the misconception that 'permit ipv6 any any' without the 'fragments' keyword matches all packets, but here the 'fragments' keyword narrows the match, causing candidates to overlook the sequential processing of ACL entries and incorrectly assume all traffic is permitted.

How to eliminate wrong answers

Option A is wrong because the permit statement includes the 'fragments' keyword, which restricts the match to only fragmented IPv6 packets, not all IPv6 traffic; thus, non-fragmented packets are denied by the subsequent deny statement. Option C is wrong because the 'fragments' keyword is fully valid with 'any any' in an IPv6 ACL; it simply limits the match to fragmented packets, and the ACL is syntactically correct. Option D is wrong because the 'ipv6 traffic-filter' command does not require the 'ipv6 enable' interface command as a prerequisite; IPv6 traffic filtering works independently as long as IPv6 is configured on the interface.

2036
MCQ · medium

A network engineer runs the following command on Router R7:

R7# show ip route 172.16.0.0
Routing entry for 172.16.0.0/16
  Known via "bgp 65000", distance 200, metric 0
  Redistributing via bgp 65000
  Last update from 10.0.0.1 00:00:20 ago
  Routing Descriptor Blocks:
  * 10.0.0.1, from 10.0.0.1, 00:00:20 ago
      Route metric is 0, traffic share count is 1

Based on this output, what type of BGP route is this?

A. This is an eBGP route because the distance is 200.
B. This is an iBGP route because the distance is 200.
C. This is a redistributed route from OSPF into BGP.
D. The distance of 200 is non-default and manually configured.
Answer: B

iBGP routes have a default administrative distance of 200, matching this output.

Why this answer

The administrative distance of 200 is the default for iBGP routes. eBGP routes have a default distance of 20. Therefore, this is an iBGP route.

2037
MCQ · hard

An engineer configures SNMPv2c with a read-only community string 'public' on a router. The NMS can poll interface statistics, but when trying to poll OSPF neighbor states, the NMS receives no response. Which is the most likely explanation?

A. The OSPF MIB is not supported or not loaded on the router.
B. The community string 'public' is not allowed to access the OSPF MIB due to a missing 'snmp-server view' command.
C. OSPF neighbor states are only available via SNMPv3 due to security restrictions.
D. The NMS must use the OSPF process ID in the OID to poll neighbor states.
Answer: A

Some routers require the 'snmp-server enable traps ospf' command or the OSPF process to be configured to load the OSPF MIB; otherwise, the MIB objects are not available.

Why this answer

SNMP view-based access control (VACM) can restrict which MIB objects are accessible. The default view for SNMPv2c includes many objects, but OSPF MIB objects may be excluded if the view is customized or if the OSPF MIB is not loaded.

2038
MCQ · hard

An enterprise uses BGP to exchange routes with a service provider. After redistributing OSPF into BGP, some prefixes are missing. Router R1 config:

router bgp 65001
 redistribute ospf 1 match internal external 1 external 2
!
router ospf 1
 redistribute bgp 65001 subnets

R1# show ip bgp 10.10.10.0
% Network not in table

R1# show ip ospf database external 10.10.10.0

                Type-5 AS External Link States

  LS age: 360
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 10.10.10.0 (External Network Number)
  Advertising Router: 192.168.1.2
  LS Seq Number: 80000001
  Checksum: 0x1234
  Length: 36
  Network Mask: /24
        Metric Type: 2 (Larger than any link state path)
        Metric: 20
        Forward Address: 0.0.0.0
        External Route Tag: 0

What is the root cause?

A. The OSPF external route is not installed in the routing table because of a mismatched metric type or LSA filtering.
B. The BGP redistribute command is missing the route-map to set the metric.
C. The OSPF process is not configured with the default-information originate command.
D. The BGP table is full and cannot accept more routes.
Answer: A

The route appears in the database but not in the routing table, so BGP cannot redistribute it.

Why this answer

The OSPF external route 10.10.10.0/24 has a Forward Address of 0.0.0.0, which means it is reachable via the advertising router. However, BGP redistribution of OSPF requires the route to be in the OSPF routing table, not just the database. The route may be missing due to an OSPF LSA filtering or a mismatched area.

The correct fix is to ensure the OSPF route is fully installed and not filtered.

2039
MCQ · medium

Given this IP SLA configuration on router R4:

ip sla 40
 icmp-echo 10.10.10.1 source-ip 172.16.1.1
 frequency 15
ip sla schedule 40 life forever start-time now

Which statement is true?

A. The source IP 172.16.1.1 must be configured on an interface of R4.
B. The source IP 172.16.1.1 can be any IP address, even if not local.
C. The operation will fail because frequency 15 is too high.
D. The operation will use TCP instead of ICMP.
Answer: A

The source-ip must belong to a local interface for the probe to be sourced correctly.

Why this answer

The configuration sends ICMP echo probes from 172.16.1.1 to 10.10.10.1 every 15 seconds. The source IP is explicitly set.

2040
Multi-Select · hard

Which TWO statements about the 'ip domain-lookup' and DNS configuration on a Cisco IOS router are true? (Choose TWO.)

Select 2 answers
A. The 'ip domain-lookup' command is disabled by default on Cisco IOS routers.
B. The 'ip name-server' command can specify up to six DNS servers.
C. The 'ip domain-list' command adds a domain suffix to the search list for DNS queries.
D. The 'ip host' command creates a dynamic DNS entry that can be overwritten by a DNS server.
E. The 'show hosts' command displays only statically configured host entries.
Answers: B, C

Correct. The 'ip name-server' command allows configuring up to six DNS server addresses. The router will query them in order.

Why this answer

The 'ip domain-lookup' command enables DNS resolution; it is enabled by default. The 'ip name-server' command specifies DNS servers. The 'ip domain-list' command adds a domain suffix to be appended to unqualified names.

The 'ip host' command creates a static host entry. The 'show hosts' command displays both static and dynamically learned DNS entries. The 'ip domain-lookup' must be enabled for dynamic DNS resolution to work.

2041
MCQ · medium

A network engineer runs the following command on Router R1:

R1# show ipv6 interface gigabitethernet 0/0
GigabitEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::1
  Global unicast address(es):
    2001:DB8:1:1::1, subnet is 2001:DB8:1:1::/64
  Joined group address(es):
    FF02::1
    FF02::2
  ICMP redirects are enabled
  ICMP unreachables are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 1000 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfig for addresses.
  IPv6 uRPF: strict mode (drop invalid packets)

Based on this output, what is the operational state of uRPF on this interface?

A. uRPF is disabled
B. uRPF is enabled in strict mode
C. uRPF is enabled in loose mode
D. uRPF is enabled but only for multicast
Answer: B

The output confirms strict mode uRPF is active.

Why this answer

The output explicitly states 'IPv6 uRPF: strict mode (drop invalid packets)', which confirms that unicast Reverse Path Forwarding (uRPF) is enabled on the interface and operating in strict mode. In strict mode, the router verifies that the source address of an incoming packet matches a route in the FIB pointing back to the same interface; if not, the packet is dropped. This is a direct read of the operational state from the show command.

Exam trap

Cisco often tests the ability to read the exact operational state from the 'show ipv6 interface' output, where candidates may overlook the explicit 'strict mode' line and instead assume uRPF is disabled or confuse it with loose mode based on incomplete knowledge of the command syntax.

How to eliminate wrong answers

Option A is wrong because the output clearly shows 'IPv6 uRPF: strict mode', indicating uRPF is enabled, not disabled. Option C is wrong because the output specifies 'strict mode', not 'loose mode'; loose mode would only require a matching route in the FIB regardless of the incoming interface. Option D is wrong because uRPF operates on unicast traffic, not multicast; the output makes no mention of multicast filtering, and uRPF is not designed for multicast.

2042
MCQ · easy

An engineer is troubleshooting why the NMS is not receiving SNMP traps from router R8 after a recent configuration change. The engineer added 'snmp-server host 10.1.1.100 version 2c public' and 'snmp-server enable traps' but forgot to remove the old 'snmp-server host 10.1.1.200 version 2c public' command. The NMS at 10.1.1.100 can receive traps from other devices. What is the most likely cause?

A. The engineer did not configure the SNMP community string 'public' on the router.
B. The old 'snmp-server host' command for 10.1.1.200 is causing a conflict, preventing traps to the new host.
C. The engineer needs to remove the old host command before adding the new one.
D. The router requires a reload after adding a new 'snmp-server host' command.
Answer: A

Correct because the 'snmp-server host' command references a community string that must be defined; without it, traps are not sent.

Why this answer

A router can have multiple 'snmp-server host' commands, and all of them are active. The old host entry for 10.1.1.200 is still configured, so the router sends traps to both destinations, but that does not prevent traps from reaching the new host at 10.1.1.100. An unreachable old host does not delay traps either, because traps are sent without acknowledgment.

Two other explanations can be considered and set aside. 'snmp-server enable traps' without keywords enables only a default set of trap types, which may not include every trap the NMS expects; however, the NMS receives traps from other devices, so the NMS itself is fine. A wrong community string on the new host command is a common mistake, but the stem states that both host commands use 'public', and if both reference the same community both should work. The stem does not mention a VRF, so a VRF mismatch is not indicated.

The most likely cause is that the engineer never defined the community string 'public' on the router. The 'snmp-server host' command references 'public', but if that community is not defined with 'snmp-server community public RO', the router will not send traps because the referenced community is invalid.

2043
MCQ · hard

A large enterprise network is experiencing intermittent BGP session resets between R1 and R2. R1 has the following relevant configuration:

! R1
control-plane
 service-policy input CoPP
!
access-list 100 permit tcp any any eq bgp
class-map match-all BGP-CLASS
 match access-group 100
!
policy-map CoPP
 class BGP-CLASS
  police 8000 conform-action transmit exceed-action drop
 class class-default
  police 1000000 conform-action transmit exceed-action drop
!

R2 shows:

R2#show ip bgp summary
BGP router identifier 2.2.2.2, local AS number 65002
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
1.1.1.1         4 65001   12345   12345        0    0    0 00:02:34        0

What is the root cause?

A. The BGP session is flapping because the CoPP policy drops BGP keepalive packets when the police rate is exceeded.
B. The access-list 100 is misconfigured; it should match TCP port 179 specifically.
C. The class-default police rate is too low, causing all traffic to be dropped, including BGP.
D. The CoPP policy should be applied to the control-plane input direction, but the service-policy is missing the 'control-plane' keyword.
Answer: A

BGP keepalives are small, but if the overall BGP traffic (including updates) exceeds 8000 bps, the policer drops packets, causing keepalive loss and hold timer expiry.

Why this answer

The CoPP policy is policing BGP traffic to 8000 bps. If the BGP session carries a full routing table, the update messages can exceed this rate, causing drops. The router drops packets, leading to BGP hold timer expiry and session resets.

The fix is to increase the police rate for BGP traffic or use a more specific match to avoid policing keepalives.

2044
MCQ · medium

A network engineer runs the following command to troubleshoot an OSPF adjacency issue:

R1# debug ip ospf adj
OSPF: Interface GigabitEthernet0/0 going Up
OSPF: Send with youngest orig age 0
OSPF: Rcv DBD from 2.2.2.2 seq 0x1A opt 0x52 flag 0x7 len 32 mtu 1500 state INIT
OSPF: First DBD and we are not SLAVE
OSPF: Rcv DBD from 2.2.2.2 seq 0x1A opt 0x52 flag 0x7 len 32 mtu 1500 state EXSTART
OSPF: Nbr 2.2.2.2 has larger interface MTU

What does this output indicate?

A. OSPF adjacency is forming correctly, moving to FULL state.
B. OSPF adjacency is stuck due to MTU mismatch; the neighbor has a larger MTU.
C. OSPF adjacency is stuck because the router is not the DR/BDR.
D. OSPF adjacency is stuck due to authentication mismatch.
Answer: B

The debug explicitly states 'Nbr has larger interface MTU', which blocks adjacency.

Why this answer

The debug shows that the OSPF neighbor has a larger interface MTU, which prevents the adjacency from forming. OSPF requires matching MTU values on the link.

2045
MCQ · hard

Consider the following configuration on Router R4:

router eigrp 100
 redistribute ospf 1 metric 10000 100 255 1 1500
router ospf 1
 redistribute eigrp 100 metric 20 metric-type 1 subnets

What is a potential issue with this configuration?

A. The configuration is correct and will work without issues.
B. The 'metric-type 1' in OSPF redistribution may cause EIGRP routes to be preferred over OSPF routes.
C. Mutual redistribution without route filtering can cause routing loops or suboptimal routing.
D. The EIGRP metric values are invalid because load must be between 1 and 255.
Answer: C

Without filtering, routes can be redistributed back and forth, causing loops.

Why this answer

Mutual redistribution without route filtering or administrative distance adjustments can cause routing loops or suboptimal routing. The configuration does not include any route-maps or distribute-lists to control which routes are redistributed, which is a common pitfall.

2046
MCQ · medium

Examine the following partial configuration:

username admin privilege 15 secret 5 $1$abcdefg$hashedvalue
username operator privilege 1 password cisco
!
line console 0
 login local
!
line vty 0 4
 login local
 transport input ssh

What is a potential security issue with this configuration?

A. The 'operator' username uses a password instead of a secret, which is stored insecurely in the configuration.
B. The 'admin' user has privilege 15, which is too high for administrative access.
C. The console line is missing the 'transport input' command.
D. The VTY lines should use 'login' without 'local' to allow remote authentication.
Answer: A

The 'password' keyword stores the password in a reversible format (type 7 or clear), whereas 'secret' uses MD5 hashing.

Why this answer

Option A is correct because the 'operator' username uses a 'password' keyword instead of 'secret', which means the password is stored in plaintext (or weakly hashed) in the running configuration. Cisco recommends using 'secret' with a strong hash algorithm (e.g., MD5 or SHA-256) to protect credentials from being easily compromised if the configuration is viewed. This is a direct violation of secure device access best practices.

Exam trap

Cisco often tests the distinction between 'password' and 'secret' in username configurations, and the trap here is that candidates may overlook the security implications of using 'password' instead of 'secret' for non-privileged users, assuming it only matters for enable passwords.

How to eliminate wrong answers

Option B is wrong because privilege 15 is the standard highest privilege level for full administrative access, and it is appropriate for an 'admin' user; there is no security issue with using privilege 15 for administrative accounts. Option C is wrong because the console line does not require a 'transport input' command by default, as console access is out-of-band and typically uses a direct serial connection; the absence of 'transport input' does not create a security vulnerability. Option D is wrong because 'login local' on VTY lines is the correct method to enforce local username/password authentication; using 'login' without 'local' would allow any password (including no password) if no other authentication method is configured, which is less secure.

2047
MCQ · medium

A network engineer is troubleshooting a connectivity issue between two routers R1 and R2 connected via GigabitEthernet0/0. The engineer notices that R1 can ping its own IPv6 address 2001:db8:1::1/64, but cannot ping R2's interface address 2001:db8:1::2/64. The output of 'show ipv6 interface GigabitEthernet0/0' on R1 indicates that IPv6 is enabled and the interface is up/up. The engineer checks the access list applied to the interface and sees an inbound IPv6 ACL that permits only ICMPv6 echo requests from a specific source. What is the most likely cause of the ping failure?

A. The ACL is applied inbound on R1 and does not permit ICMPv6 echo replies from R2.
B. The ACL is applied outbound on R1 and blocks the echo request.
C. IPv6 unicast-routing is not enabled on R1.
D. The ACL is missing a permit statement for IPv6 neighbor discovery (ND) messages.
Answer: A

Correct because ICMPv6 echo replies are sourced from the destination address (R2) and must be permitted inbound on R1 for the ping to succeed.

Why this answer

The inbound ACL on R1 is blocking the ICMPv6 echo reply from R2, because the ACL only permits echo requests from a specific source, not replies. For a successful ping, both the echo request and echo reply must be permitted. The reply is sourced from R2's address, which is not matched by the permit statement.

2048
MCQ · hard

An enterprise is redistributing EIGRP into OSPF on router R1. R1 has the following configuration:

router eigrp 100
 redistribute ospf 1 metric 10000 100 255 1 1500 route-map RMAP-OSPF

Router R2 (OSPF-only) shows 'show ip route 10.1.1.0' as an O E2 route with metric 20, but 'show ip ospf database external 10.1.1.0' shows the forwarding address is 0.0.0.0. Router R3 (also OSPF) cannot reach 10.1.1.0. What is the root cause?

A. The redistributed route's next-hop is not reachable via OSPF, causing the forwarding address to be 0.0.0.0, but R1's router ID is not reachable from R3 due to a missing OSPF network statement.
B. The route-map RMAP-OSPF is setting the metric to 20, which is too high and causes the route to be suppressed.
C. The EIGRP process on R1 has a distribute-list blocking the route.
D. The OSPF process on R1 has a route-map applied inbound that filters the route.
Answer: A

If the next-hop is not in OSPF, the forwarding address is set to 0.0.0.0, meaning the packet should be sent to the advertising router (R1). If R1's router ID is not reachable (e.g., R1's OSPF interfaces are not advertised correctly), R3 cannot reach the route.

Why this answer

When redistributing into OSPF, if the redistributed route's next-hop is not reachable via OSPF (e.g., it is an EIGRP-learned route with a next-hop that is not in the OSPF domain), the forwarding address is set to 0.0.0.0. This causes other OSPF routers to try to reach the originating router (R1) as the next-hop. However, if R1's OSPF router ID is not reachable or if there is a filtering issue, the route may be installed but unreachable.

In this scenario, the route-map RMAP-OSPF may be filtering the route or setting incorrect metrics, but the forwarding address issue suggests that the next-hop is not being advertised correctly. The root cause is likely that the redistributed route's next-hop is not in the OSPF domain. A forwarding address of 0.0.0.0 is the default in that case; if the next-hop is reachable, R1 should use a route-map so that the forwarding address is set to the router's own interface IP.

2049
MCQ · hard

A network engineer configured IP SLA 50 to monitor a remote router's loopback (5.5.5.5) using ICMP echo. The IP SLA is linked to a track object that is used in a PBR (policy-based routing) route-map. The engineer notices that the PBR is not applying the alternate path when the IP SLA goes down. The track object shows 'Down'. What is the most likely misconfiguration?

A.The route-map is missing the 'set ip next-hop verify-availability' command with the track object.
B.The IP SLA probe is using the wrong source interface.
C.The track object is configured with a delay that prevents immediate reaction.
D.The PBR is applied to the wrong interface.
Answer: A

Without 'verify-availability', PBR does not check the track state and will continue using the primary next-hop even if the track is down.

Why this answer

PBR with set ip next-hop verify-availability requires the track object to be referenced correctly in the route-map. If the route-map uses 'set ip next-hop verify-availability' but does not include the track keyword, PBR will not react to the IP SLA state.

2050
MCQ · hard

A network engineer is troubleshooting a connectivity issue where a host on VLAN 10 cannot reach a server on VLAN 20. Both VLANs are on the same switch, which is running IPv6. The engineer checks the switch and finds that uRPF (unicast Reverse Path Forwarding) is enabled in strict mode on the VLAN 20 interface. The host's IPv6 address is 2001:db8:10::100/64, and the server's address is 2001:db8:20::200/64. The switch has a default route pointing to a next-hop router. The host sends traffic to the server, but the switch drops the packets. What is the most likely cause?

A.The uRPF strict mode check fails because the switch does not have a specific route to the host's subnet pointing back to the VLAN 10 interface.
B.The uRPF mode should be loose mode to allow traffic from any source as long as there is a route in the FIB.
C.The host's IPv6 address is not in the switch's neighbor cache.
D.The switch has an ACL that blocks traffic between VLANs.
Answer: A

Correct because uRPF strict mode requires a matching route in the FIB that points to the same interface on which the packet was received; a default route does not satisfy this requirement.

Why this answer

With uRPF strict mode enabled on the VLAN 20 interface, the switch checks that the source IP address of incoming packets (2001:db8:10::100) is reachable via the same interface on which the packet arrived. Since the switch only has a default route pointing to a next-hop router and no specific route for the 2001:db8:10::/64 subnet pointing back to the VLAN 10 interface, the FIB lookup for the source address fails the strict uRPF check, causing the switch to drop the packet.

Exam trap

Cisco often tests the distinction between strict and loose uRPF modes, and the trap here is that candidates assume a default route is sufficient for strict mode, not realizing that strict mode requires a specific route pointing back to the source's ingress interface.

How to eliminate wrong answers

Option B is wrong because loose mode only requires that a route exists in the FIB for the source address, not that it points back to the incoming interface; while that would allow the traffic, it is not the most likely cause given that strict mode is already enabled and failing. Option C is wrong because the neighbor cache is used for Layer 2 address resolution (NDP), not for uRPF validation; uRPF checks the FIB for a matching route, not the neighbor cache. Option D is wrong because the question states that uRPF is enabled and the symptom matches a uRPF failure; an ACL would produce a different drop reason (e.g., 'denied by ACL') and is not indicated as the cause.

2051
Multi-Select · hard

Which TWO statements about MPLS Traffic Engineering (MPLS-TE) are true? (Choose TWO.)

A.MPLS-TE uses RSVP-TE to signal label-switched paths (LSPs) and reserve bandwidth.
B.The command 'show mpls traffic-eng tunnels' displays the status of MPLS-TE tunnels.
C.MPLS-TE uses LDP to distribute labels for the TE tunnels.
D.MPLS-TE requires BGP to carry the TE attributes across the network.
E.MPLS-TE requires a full mesh of IBGP sessions between all routers.
Answers: A, B

Correct. RSVP-TE is the standard signaling protocol for MPLS-TE.

Why this answer

MPLS-TE allows explicit path selection using RSVP-TE to reserve bandwidth and set up LSPs. The 'show mpls traffic-eng tunnels' command displays tunnel status. Option A is correct: RSVP-TE is the signaling protocol used for MPLS-TE.

Option B is correct: 'show mpls traffic-eng tunnels' is a valid verification command. Option C is false: MPLS-TE does not use LDP; it uses RSVP-TE. Option D is false: MPLS-TE uses the Resource Reservation Protocol (RSVP) for signaling, not BGP.

Option E is false: MPLS-TE does not require a full mesh of IBGP sessions; it uses IGP with TE extensions.

2052
MCQ · medium

In MPLS, what is the purpose of the TTL propagation feature?

A.It propagates the MPLS label stack to all routers in the domain.
B.It copies the IP TTL into the MPLS TTL at the ingress LER, allowing traceroute to see each hop in the MPLS path.
C.It prevents TTL from being decremented in the MPLS core for security purposes.
D.It ensures that the MPLS TTL is always equal to the IP TTL at the egress LER.
Answer: B

When enabled, the IP TTL is decremented and copied to the MPLS label, so each LSR decrements the TTL, making traceroute visible.

Why this answer

The TTL propagation feature controls how the IP TTL is handled when packets enter an MPLS domain. By default, the IP TTL is copied to the MPLS TTL (propagation), allowing traceroute to work across the MPLS network. When disabled, the MPLS TTL is set to 255, hiding the core from traceroute.

2053
MCQ · hard

A network uses PBR to route traffic from a specific host (10.1.1.1) through a VPN tunnel (next-hop 10.10.10.2). After a VPN tunnel failure, traffic from this host is being dropped. Router R1 shows: 'show ip policy' shows PBR applied, 'debug ip policy' shows 'PBR: no route to next-hop 10.10.10.2', but 'show ip route 10.10.10.2' shows a route via a different interface. What is the root cause?

A.The next-hop 10.10.10.2 is not directly connected; it is reachable via a route. PBR requires the next-hop to be directly connected. Use a directly connected next-hop or configure a static route to make it directly connected.
B.The route-map is missing a 'set ip next-hop verify-availability' command, causing PBR to use the next-hop even when it is not reachable.
C.The routing table on R1 has a better route to the destination via the VPN tunnel, overriding PBR.
D.The VPN tunnel is down, causing the next-hop to be unreachable.
Answer: A

PBR's 'set ip next-hop' command requires the next-hop to be on a directly connected subnet. If it is reachable via a route, PBR will not use it and will drop the packet. This is a common misconfiguration when the next-hop is on a remote subnet.

Why this answer

PBR requires the next-hop to be directly reachable (i.e., on a directly connected subnet). If the next-hop is reachable via a route (e.g., through another router), PBR will not use it because it expects a direct connection. In this case, 10.10.10.2 is reachable via a route, not directly connected, so PBR drops the traffic.

The solution is to ensure the next-hop is directly connected or use a different next-hop that is directly connected.

2054
Drag & Drop · medium

Drag and drop the steps to set up a PE-CE BGP session in an MPLS L3VPN into the correct order, from first to last.


Why this order

The correct order starts with defining the VRF and its RD/RT on the PE, then assigning the VRF to the CE-facing interface. After that, the PE interface is configured with an IP address and BGP is enabled in the VRF address-family. Finally, the BGP neighbor is activated under the VRF address-family to establish the PE-CE session.

2055
MCQ · hard

An engineer configures route redistribution from EIGRP into OSPF. The redistributed routes appear in the OSPF database but are not installed in the routing table of other OSPF routers. Which is the most likely explanation?

A.The OSPF process on the redistributing router does not have a router-id configured.
B.The redistributed routes have a metric of 0, which OSPF treats as unreachable.
C.The administrative distance of OSPF external routes (110) is higher than EIGRP (90), so the EIGRP routes are preferred.
D.The redistribute command is missing the subnets keyword, causing only classful routes to be redistributed.
Answer: B

OSPF requires a non-zero metric for external routes; a metric of 0 (default for type 1) can cause the route to be ignored.

Why this answer

When redistributing into OSPF, a seed metric must be specified. If not, OSPF defaults to a metric of 20 for external type 2 routes, but if the metric-type is set to 1, the default metric is 0, which may cause the route to be considered unreachable or not installed.

2056
MCQ · hard

An enterprise network uses EIGRP with route summarization. Router R1 has the following configuration:

interface GigabitEthernet0/0
 ip summary-address eigrp 100 10.1.0.0 255.255.252.0

Router R2, connected to R1 via GigabitEthernet0/0, shows that 'show ip route eigrp' includes 10.1.0.0/22 but not the more specific route 10.1.1.0/24. Hosts in subnet 10.1.1.0/24 are unreachable from R2. What is the root cause?

A.R1 has a missing null0 route for the summary, causing it to not advertise the summary correctly.
B.The summary address 10.1.0.0/22 is configured on the wrong interface; it should be on the interface facing the internal network.
C.R1's summary address 10.1.0.0/22 includes the 10.1.1.0/24 subnet, so R1 suppresses the more specific route, and R2 only learns the summary. This is expected behavior, but if the summary does not match the actual network, reachability fails.
D.R2 has a route filter that blocks the 10.1.1.0/24 route.
Answer: C

EIGRP automatically suppresses more specific routes when a summary is configured. If the summary is correct, this is normal; however, if the summary is too broad or incorrect, specific subnets may be unreachable.

Why this answer

The summary address 10.1.0.0/22 is being advertised by R1, which suppresses the more specific 10.1.1.0/24 route. This is a common issue when summarization is configured on an interface without proper null0 route or when the summary is too broad, causing loss of reachability to specific subnets.

2057
MCQ · medium

A network engineer runs the following command on Router R1:

R1# show ip route 10.1.1.0
Routing entry for 10.1.1.0/24
  Known via "eigrp 100", distance 170, metric 2560000
  Redistributing via eigrp 100
  Advertised by eigrp 100 (self originated)
  Last update from 10.2.2.2 on GigabitEthernet0/1, 00:00:10 ago
  Routing Descriptor Blocks:
  * 10.2.2.2, from 10.2.2.2, 00:00:10 ago, via GigabitEthernet0/1
      Route metric is 2560000, traffic share count is 1
      Total delay is 100 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1500
      Loading 1/255, Hops 1

Based on this output, what is the problem?

A.The route 10.1.1.0/24 is an internal EIGRP route because the administrative distance is 90.
B.The route is redistributed into EIGRP from another protocol, as indicated by the distance of 170 and the 'self originated' message.
C.The route is learned from a neighbor with a metric of 2560000, which is the default for redistributed routes.
D.The route is not being advertised to any EIGRP neighbors because it is marked as 'self originated'.
Answer: B

The distance of 170 and the 'self originated' flag indicate redistribution into EIGRP.

Why this answer

The output shows a route learned via EIGRP with an administrative distance of 170, which is the default for external EIGRP routes. The route is marked as 'Redistributing via eigrp 100' and 'Advertised by eigrp 100 (self originated)', indicating that this route was redistributed into EIGRP from another protocol. The problem is that the route is both learned and redistributed by the same router, which could cause a routing loop if not filtered.

2058
MCQ · hard

An engineer configures Control Plane Policing (CoPP) on a router to protect the management plane. After applying the policy, the router becomes unreachable via SSH, but the console is still accessible. The engineer checks the CoPP policy and sees that SSH traffic is permitted. Which is the most likely explanation?

A.The class-map for SSH uses 'match protocol ssh' but the SSH server is configured on a non-default port, so the traffic is not matched and is dropped by the default class.
B.The CoPP policy is applied in the input direction, but SSH traffic is generated by the router itself, so it is not affected by input policing.
C.The CoPP policy uses 'rate-limit' in bps instead of pps, causing all traffic to be dropped due to a misconfiguration.
D.The CoPP policy has an explicit deny statement before the permit statement for SSH, so SSH traffic is denied.
Answer: A

CoPP class-maps that match by protocol may not match non-standard ports. If the default class has a drop action, SSH traffic will be dropped.

Why this answer

CoPP policies have an implicit deny at the end. If the class-map for SSH does not match the traffic correctly (e.g., using the wrong protocol or port), SSH packets will fall through to the default class, which may have a deny action. Additionally, the default class behavior is to permit traffic if not explicitly configured, but if the default class is configured with a drop action, all unmatched traffic is dropped.

A common edge case is when the class-map uses 'match protocol ssh' but the router uses a different port for SSH (e.g., port 2222), so the traffic is not matched and is dropped by the default class.

2059
MCQ · hard

A network engineer runs the following command to troubleshoot PAT exhaustion:

R1# show ip nat statistics
Total active translations: 1024 (0 static, 1024 dynamic; 1024 extended)
Outside interfaces:
  GigabitEthernet0/1
Inside interfaces:
  GigabitEthernet0/0
Hits: 50000  Misses: 10
CEF Translated packets: 45000, CEF Punted packets: 5000
Expired translations: 2000
Dynamic mappings:
-- Inside Source
[Id: 1] access-list NAT permit ip 10.0.0.0 0.255.255.255 any
  refcount 1024, pool MyPool
pool MyPool: netmask 255.255.255.240
  start 203.0.113.1 end 203.0.113.14
  type generic, total addresses 14, allocated 14 (100%), misses 0

What is the most likely issue?

A.The pool is exhausted; PAT is using all addresses, but port exhaustion may occur.
B.The access list is misconfigured, blocking traffic.
C.The outside interface is down.
D.Static translations are missing.
Answer: A

All 14 addresses are allocated, meaning PAT is using them, but with 1024 translations, ports may be running out.

Why this answer

The pool has only 14 addresses, and all are allocated (100%). With 1024 active translations, this indicates PAT is using all addresses and may be running out of ports.

2060
Multi-Select · hard

Which TWO actions will prevent unauthorized access to a Cisco IOS-XE device's console port? (Choose TWO.)

A.Configure 'login authentication default' under the console line to require AAA authentication.
B.Configure 'exec-timeout 0 0' under the console line to prevent idle sessions from timing out.
C.Configure 'transport input none' under the console line to block all inbound connections.
D.Configure 'no exec' under the console line to disable EXEC sessions on the console port.
E.Configure 'password cisco' and 'login' under the console line to require a local password.
Answers: A, E

Option A's command applies the default AAA authentication method list to the console line, requiring users to authenticate before gaining access.

Why this answer

Option A is correct because configuring 'login authentication default' under the console line forces the device to use AAA (Authentication, Authorization, and Accounting) services for console login. This prevents unauthorized access by requiring valid credentials verified by a centralized AAA server (e.g., RADIUS or TACACS+), rather than relying on a local password that could be compromised or shared.

Exam trap

Cisco often tests the distinction between commands that actually prevent unauthorized access versus those that modify session behavior or apply to different line types, so the trap here is assuming that disabling idle timeout (exec-timeout 0 0) or blocking transport input enhances security, when in fact they either weaken it or are irrelevant to console port access.

2061
Multi-Select · hard

Which TWO statements about SNMPv3 security models are true? (Choose TWO.)

A.The noAuthNoPriv security level provides no authentication and no encryption.
B.The authPriv security level requires both authentication and encryption.
C.The authNoPriv security level uses encryption but no authentication.
D.SNMPv3 always requires encryption for all security levels.
E.The 'priv' keyword in the snmp-server group command disables authentication.
Answers: A, B

noAuthNoPriv (option A) is the least secure level, often used for read-only access.

Why this answer

SNMPv3 supports three security levels: noAuthNoPriv (no authentication, no encryption), authNoPriv (authentication with MD5 or SHA, no encryption), and authPriv (authentication and encryption using DES or AES). The 'priv' keyword enables encryption, and authentication is required for both authNoPriv and authPriv.

2062
MCQ · easy

What is the default severity level for syslog messages sent to the console on a Cisco IOS device?

A.Debugging (level 7)
B.Informational (level 6)
C.Warnings (level 4)
D.Notifications (level 5)
Answer: A

The default console logging level is debugging, which includes all severities.

Why this answer

By default, the console logging level is 'debugging' (severity 7), meaning all messages from 0 to 7 are displayed on the console. This is a common fact for ENARSI.

2063
Drag & Drop · medium

Drag and drop the steps to verify and validate DHCP (IPv4 and IPv6) operational state into the correct order, from first to last.


Why this order

Start by checking the DHCP pool utilization and bindings. Then, verify that clients have received addresses from the correct pool. Next, confirm that the DHCP relay agent is forwarding packets.

After that, validate DHCPv6 prefix delegation if used. Finally, ensure that the DHCP server is not running out of addresses.

2064
MCQ · medium

Which OSPF LSA type is flooded only within the originating area and is used for loop prevention by describing the topology of the area?

A.Type 1 LSA (Router LSA)
B.Type 2 LSA (Network LSA)
C.Type 3 LSA (Summary LSA)
D.Type 4 LSA (ASBR Summary LSA)
Answer: A

Correct. Router LSAs are area-scoped and describe the router's interfaces and neighbors.

Why this answer

Type 1 Router LSAs describe the router's links and are flooded only within the area. They provide topology information for loop prevention within the area.

2065
MCQ · hard

An MPLS network with EIGRP as the IGP is experiencing label distribution failures. Router R1 shows: 'show mpls ldp neighbor' does not list R2. R1's configuration: mpls ip on interfaces, but no router-id configured. R2's configuration: mpls ldp router-id Loopback0 force. R1 and R2 are directly connected. What is the root cause?

A.R1's LDP router-id is not configured, so it uses the IP of the interface facing R2, which may not be reachable from R2's loopback.
B.R2 has a loopback interface that is not advertised via EIGRP, so R1 cannot reach it.
C.R1 has an ACL that blocks LDP UDP packets (port 646).
D.R2's 'force' keyword causes it to use the loopback even if it is not reachable.
Answer: A

LDP requires a reachable router-id. Without explicit configuration, R1 uses the interface IP, which may not be in R2's routing table.

Why this answer

LDP uses a router-id to establish sessions. If R1 does not have a router-id configured, it may use an interface IP that is not reachable from R2, causing the LDP session to fail.

2066
MCQ · easy

What is the default route distinguisher (RD) format when using the 'ip vrf' command without specifying an RD?

A.The RD defaults to 0:0.
B.The RD is automatically derived from the router ID.
C.The VRF will not be created until an RD is configured.
D.The RD defaults to the ASN:1 format.
Answer: C

This is correct. The RD is required to create a VRF.

Why this answer

The RD is mandatory when creating a VRF. If not specified, the VRF will not be created. There is no default RD.

2067
MCQ · medium

A network engineer runs the following command to troubleshoot a Control Plane Policing (CoPP) issue:

R1# show bgp neighbors 10.1.1.2 received-routes
BGP table version is 10, local router ID is 10.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.3.3.0/24      10.1.1.2                 0    100      0 i

Total number of prefixes 1

What does this output indicate?

A.BGP is not receiving any routes due to CoPP dropping updates.
B.BGP is receiving routes correctly, and CoPP is not interfering with inbound updates.
C.BGP is receiving routes but not installing them in the routing table due to CoPP.
D.BGP session is flapping due to CoPP.
Answer: B

The route is received from neighbor 10.1.1.2 with valid attributes.

Why this answer

The command shows routes received from BGP neighbor 10.1.1.2. One prefix (10.3.3.0/24) is being received. This indicates that BGP updates are being received, so CoPP is not blocking inbound BGP traffic.

2068
MCQ · hard

A DMVPN network with hub R1 and spokes R2 and R3 is configured with mGRE and NHRP. Spoke-to-spoke tunnels fail to form. R1 configuration: interface Tunnel0, ip address 10.0.0.1 255.255.255.0, tunnel source GigabitEthernet0/0, tunnel mode gre multipoint, ip nhrp network-id 1, ip nhrp map multicast dynamic. R2 shows: 'show dmvpn' shows no dynamic sessions. R3 shows: 'show ip nhrp' shows no entries for R2. What is the root cause?

A.The spokes are missing the 'ip nhrp nhs' command to point to the hub, preventing registration and resolution of spoke-to-spoke addresses.
B.The tunnel mode is mGRE, but the spokes are configured with point-to-point GRE tunnels.
C.The NHRP network-id is different on R2 and R3, preventing communication.
D.The tunnel source interface is not reachable between spokes.
Answer: A

Without NHS configuration, spokes do not register with the hub, so NHRP cannot provide the mapping for spoke-to-spoke tunnels.

Why this answer

For spoke-to-spoke tunnels to form, NHRP must be configured to allow spoke registration and resolution. The hub configuration includes 'ip nhrp map multicast dynamic', which allows spokes to register, but spokes must also have 'ip nhrp nhs' pointing to the hub. If R2 and R3 do not have NHRP server configuration, they will not register, and thus cannot learn each other's addresses.

The root cause is missing NHRP NHS configuration on the spokes.

2069
MCQ · easy

A network engineer runs the following command to troubleshoot an IPv4 Access Control Lists issue:

R1# show ip interface GigabitEthernet0/0 | include access list
  Outgoing access list is 102
  Inbound access list is not set

Then the engineer checks:

R1# show ip access-lists 102
Extended IP access list 102
    10 deny tcp any any eq 23
    20 permit ip any any

What does this output indicate?

A.ACL 102 is applied outbound on GigabitEthernet0/0, denying Telnet traffic and permitting all other traffic.
B.ACL 102 is applied inbound on GigabitEthernet0/0, blocking Telnet.
C.ACL 102 is not applied to any interface.
D.ACL 102 is applied inbound and outbound on GigabitEthernet0/0.
Answer: A

The output shows the ACL is outbound and its entries.

Why this answer

The output of 'show ip interface GigabitEthernet0/0 | include access list' shows 'Outgoing access list is 102', which means ACL 102 is applied in the outbound direction on that interface. The ACL itself contains a deny statement for TCP traffic destined to port 23 (Telnet) followed by a permit ip any any, so it denies Telnet traffic while permitting all other IP traffic. Option A correctly summarizes this behavior.

Exam trap

Cisco often tests the distinction between the ACL being 'applied' to an interface versus the ACL's content, and the trap here is that candidates see the ACL content and assume it is applied inbound without checking the interface output for direction.

How to eliminate wrong answers

Option B is wrong because the interface output explicitly states 'Inbound access list is not set', so ACL 102 is not applied inbound. Option C is wrong because the interface output confirms ACL 102 is applied outbound on GigabitEthernet0/0. Option D is wrong because the interface output shows only an outbound ACL; the inbound access list is not set, so it is not applied in both directions.

2070
MCQ · hard

An engineer is troubleshooting a DMVPN phase 3 network where spoke-to-spoke tunnels are established, but traffic between spokes is taking a suboptimal path through the hub. The engineer checks 'show ip nhrp shortcut' on the spoke and sees no shortcut entries. The hub has 'ip nhrp redirect' enabled, and the spoke has 'ip nhrp shortcut' enabled. The engineer also verifies that the spoke's routing table has a route to the remote spoke's LAN via the hub. What is the most likely cause?

A.The hub router does not have a route to the remote spoke's LAN subnet.
B.The spoke's 'ip nhrp shortcut' command is missing on the tunnel interface.
C.The spoke's routing table has a static route to the remote spoke's LAN via the hub.
D.The hub's tunnel interface has 'no ip nhrp redirect' configured.
Answer: A

Correct because the hub must have a route to the destination subnet to send an NHRP redirect.

Why this answer

In DMVPN phase 3, for spoke-to-spoke shortcuts to be installed, the spoke must receive an NHRP redirect from the hub. If the hub does not send a redirect, the spoke will not create a shortcut. The hub sends a redirect only if it has a route to the destination subnet.

If the hub does not have a route to the remote spoke's LAN, it will not send a redirect.

2071
MCQ · medium

An engineer is troubleshooting an IPv6 deployment where hosts on a subnet are not receiving IPv6 addresses via SLAAC. The router is configured with 'ipv6 unicast-routing' and the interface has 'ipv6 address 2001:db8:1::1/64' and 'ipv6 nd other-config-flag'. The hosts are sending Router Solicitations but receive no Router Advertisements. What is the root cause?

A.The interface is missing the 'ipv6 enable' command.
B.The 'ipv6 nd ra suppress' command is configured on the interface.
C.The 'ipv6 nd prefix' command is missing for the subnet.
D.The hosts are using DHCPv6 instead of SLAAC.
Answer: B

Correct because this command suppresses Router Advertisements, preventing hosts from receiving RAs even though the interface has an IPv6 address.

Why this answer

For SLAAC to work, the router must send Router Advertisements (RAs). The 'ipv6 nd other-config-flag' only sets the 'O' flag for additional information (like DNS), but does not enable RA generation. The interface must have an 'ipv6 enable' command or a configured unicast address to automatically enable RA generation, but here the address is configured, so RA generation should be on by default.

However, the 'ipv6 nd prefix' command may be missing or the interface may be administratively down. The most common cause is that the interface is not 'no shutdown' or the RA interval is set to 0. Given the symptom, the likely cause is that the interface is in a state where RAs are suppressed, such as when 'ipv6 nd ra suppress' is configured.

2072
MCQ · medium

A network engineer runs the following command to troubleshoot an IP SLA issue:

R1# debug ip sla trace
IP SLAs trace debugging is on
*Mar 1 12:34:56.789: IP SLAs: Starting operation 10
*Mar 1 12:34:56.789: IP SLAs: Sending ICMP echo request to 192.168.1.1
*Mar 1 12:34:56.790: IP SLAs: Received ICMP echo reply from 192.168.1.1
*Mar 1 12:34:56.790: IP SLAs: RTT = 12 ms
*Mar 1 12:34:56.790: IP SLAs: Operation 10 completed successfully
*Mar 1 12:35:56.789: IP SLAs: Starting operation 10
*Mar 1 12:35:56.789: IP SLAs: Sending ICMP echo request to 192.168.1.1
*Mar 1 12:35:56.790: IP SLAs: Received ICMP echo reply from 192.168.1.1
*Mar 1 12:35:56.790: IP SLAs: RTT = 14 ms
*Mar 1 12:35:56.790: IP SLAs: Operation 10 completed successfully

What does this output indicate?

A.The IP SLA operation is failing because the RTT values are too high.
B.The IP SLA operation is successfully completing each probe cycle.
C.The IP SLA operation is not configured because no configuration is shown.
D.The IP SLA operation is timing out because no reply is received.
Answer: B

Each cycle shows 'completed successfully'.

Why this answer

This debug output shows the IP SLA trace for operation 10 (newer command). It confirms successful ICMP echo probes with RTT values, indicating the operation is functioning correctly.

2073
MCQ · medium

A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:

R1# debug crypto ipsec
*Mar 1 00:02:34.567: IPSEC(sa_request): ,
  (key eng. msg.) src=10.0.0.1, dst=10.0.0.2,
    src_proxy=192.168.1.0/255.255.255.0/0/0,
    dst_proxy=192.168.2.0/255.255.255.0/0/0,
*Mar 1 00:02:34.567: IPSEC(validate_proposal): transform proposal (esp-3des esp-sha-hmac) not supported for proxy 192.168.1.0/255.255.255.0/0/0
*Mar 1 00:02:34.567: IPSEC(validate_proposal): proposal doesn't match!
*Mar 1 00:02:34.568: IPSEC(create_sa): SA created with (0x1234, 0x5678) but no inbound or outbound SPI

What does this output indicate?

A.The IPsec SA is established successfully with ESP 3DES and SHA.
B.The transform set on the remote peer does not match the local transform set, causing IPsec SA negotiation to fail.
C.The ACL for the crypto map is misconfigured, causing the traffic to not match.
D.The IKE phase 1 SA is not established before IPsec negotiation.
Answer: B

The debug explicitly states the proposal is not supported, meaning a mismatch in transform set.

Why this answer

The debug output shows that the IPsec SA request is generated, but the transform proposal (esp-3des esp-sha-hmac) is rejected with 'not supported for proxy'. This indicates that the remote peer does not support or is configured with a different transform set, causing the proposal to fail validation. The SA is created with placeholder SPIs (0x1234, 0x5678) but no actual inbound/outbound SPI, confirming negotiation failure due to transform set mismatch.

Exam trap

Cisco often tests the distinction between IKE phase 1 and phase 2 failures; the trap here is that candidates might assume the SA creation message with SPIs indicates success, but the 'no inbound or outbound SPI' line reveals the SA is incomplete, pointing to a transform set mismatch rather than ACL or IKE phase 1 issues.

How to eliminate wrong answers

Option A is wrong because the debug clearly shows 'proposal doesn't match' and 'no inbound or outbound SPI', meaning the SA is not established successfully. Option C is wrong because the debug output shows the correct proxy identities (src=192.168.1.0/24, dst=192.168.2.0/24), indicating the ACL is matching traffic; the failure is at the transform proposal validation stage, not ACL misconfiguration. Option D is wrong because the debug output shows an IPsec SA request is being processed, which implies IKE phase 1 (ISAKMP SA) has already been established; if IKE phase 1 were not up, the debug would not reach the IPsec SA negotiation stage.

2074
MCQ · hard

A router is configured with 'logging host 10.1.1.100' and 'logging trap debugging'. The engineer notices that the router is sending a large number of debug messages to the syslog server, causing high CPU usage. The engineer wants to stop sending debug messages to the remote server but keep them in the local buffer. What is the best command to achieve this?

A.Configure 'no logging trap debugging' globally.
B.Configure 'logging host 10.1.1.100 trap notifications' to set the remote threshold to severity 5.
C.Use 'undebug all' to stop all debug output.
D.Set 'logging buffered 4096 notifications' to limit local buffer to severity 5.
AnswerB

Correct because this command sets the severity level for that specific host only, allowing local logging to remain at debugging.

Why this answer

To stop sending debug messages to the remote server without affecting local logging, the engineer should change the remote logging severity to a higher level (e.g., 'logging host 10.1.1.100 trap notifications' to set severity 5). This will exclude debug (severity 7) messages from being sent to that specific host. The local buffer can remain at debugging level.

2075
Drag & Drop (hard)

Drag and drop the steps to troubleshoot Policy-Based Routing (PBR) adjacency or connectivity failures into the correct order, from first to last.

Why this order

Start by checking if PBR is applied on the correct interface. Then verify the route map sequence and match statements. Check the set next-hop reachability via routing table.

Use 'debug ip policy' to see packet matches. Finally, test with extended ping or traceroute to confirm path.

2076
MCQ (hard)

In a VRF-Lite setup, Router R1 and R2 are running OSPF in VRF-A. R1 has interface Gig0/0 in VRF-A with ip ospf network point-to-point. R2 has interface Gig0/1 in VRF-A with default network type (broadcast). The link between them is a direct Ethernet connection. OSPF neighbors are not forming. What is the root cause?

A. The OSPF network types are mismatched: one side is point-to-point, the other is broadcast, causing neighbor adjacency failure.
B. The VRF names must match for OSPF to form neighbors.
C. The OSPF process ID must be the same on both routers.
D. The interface must be configured with the same IP subnet mask.
Answer: A

Correct: OSPF requires matching network types on the same link; mismatch leads to no neighbor formation.

Why this answer

OSPF network type mismatch prevents neighbor formation. On a broadcast network, OSPF expects DR/BDR elections, while point-to-point expects no election. The mismatch causes hello packets to be ignored because the OSPF interface parameters (like hello interval, dead interval, and network type) differ.

Specifically, on a point-to-point link, the neighbor state machine expects a different packet format and does not process broadcast hellos.

2077
Multi-Select (hard)

An engineer wants to use EEM to automatically back up the running configuration to a TFTP server whenever a 'write memory' command is executed. Which TWO configuration steps are required? (Choose TWO.)

A. Configure 'event cli pattern "write memory" sync no' under the applet.
B. Use 'action cli command "copy running-config tftp://10.1.1.1/backup-config"' to perform the backup.
C. Define the applet using the 'event manager policy' command instead of 'event manager applet'.
D. Add an 'event syslog pattern "WRITE"' to detect the write memory operation.
E. Include an 'action cli command "enable"' before the copy command to ensure privileged access.
Answers: A, B

Correct. This event triggers on the 'write memory' command without synchronizing, allowing the backup to proceed asynchronously.

Why this answer

The 'event cli' with 'sync no' is needed to avoid blocking the CLI. The 'action cli command' must use the 'copy running-config tftp:' command. The 'event manager applet' is correct, not 'event manager policy'.

The 'event syslog' with pattern 'WRITE' is not precise enough. The 'action cli command' should not use 'enable' as a separate action because the applet runs in the same privilege level as the triggering user.

2078
MCQ (medium)

What is the default timeout value (in milliseconds) for an IP SLA operation?

A. 1000 ms
B. 5000 ms
C. 10000 ms
D. 60000 ms
Answer: B

Correct. The default timeout is 5000 ms (5 seconds).

Why this answer

The default timeout for an IP SLA operation is 5000 milliseconds (5 seconds). If a response is not received within this time, the probe is considered failed.

2079
MCQ (easy)

Which of the following EEM event types can be used to trigger an applet based on a specific IOS command being entered?

A. event syslog
B. event snmp
C. event cli
D. event timer
Answer: C

Correct. 'event cli' is used to trigger on CLI commands.

Why this answer

EEM provides the 'event cli' event type to match on CLI commands. The syntax is 'event cli pattern <string>' where the pattern can be a regular expression to match the command. Other event types like 'event syslog' match syslog messages, not CLI commands.

2080
MCQ (hard)

DMVPN spoke-to-spoke tunnel is not forming between two spokes. Hub router R1 has the following relevant configuration:

interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 ip ospf 1 area 0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint

Spoke R2 shows:

show dmvpn
Legend: Attrb -> S: Static, D: Dynamic, I: Incomplete
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers: 1
 # Ent  Peer NBMA Addr  Peer Tunnel Add  State  UpDn Tm  Attrb
     1  192.168.1.1     10.0.0.1         UP     00:10:00 D

Spoke R3 shows similar output, but no spoke-to-spoke tunnel. What is the root cause?

A. Missing ip nhrp redirect on hub and ip nhrp shortcut on spokes.
B. OSPF network type is broadcast; change to point-to-multipoint.
C. IPsec is not configured; DMVPN requires encryption.
D. The tunnel key is mismatched; configure tunnel key on all routers.
Answer: A

NHRP redirect triggers shortcut creation; without it, spokes always use hub.

Why this answer

A spoke-to-spoke tunnel requires NHRP redirect on the hub and an NHRP shortcut route on the spokes. Without ip nhrp redirect on the hub and ip nhrp shortcut on the spokes, traffic between spokes always goes through the hub. OSPF over DMVPN can also run into MTU or IPsec issues, but those would not explain this symptom.

The correct fix is to enable NHRP redirect on hub and shortcut on spokes.

2081
MCQ (medium)

A network engineer is troubleshooting an OSPFv2 adjacency issue between two routers connected via a VLAN trunk. R1 and R2 are in different VLANs but are connected through a Layer 2 switch. The engineer has configured 'ip ospf 1 area 0' on the subinterfaces. The adjacency forms but is stuck in INIT state. What is the most likely cause?

A. The routers have the same OSPF router ID.
B. The OSPF hello interval is mismatched between the two routers.
C. The subinterfaces are in different VLANs, preventing Layer 2 communication.
D. The OSPF network type is set to point-to-point on one side and broadcast on the other.
Answer: A

When a router receives a hello packet with its own router ID, it ignores it, causing the adjacency to stay in INIT.

Why this answer

The INIT state indicates that the router has received a hello packet from the neighbor, but the neighbor's hello does not yet list this router's router ID. This is often due to a mismatch in the OSPF network type or a unicast communication issue. In a VLAN trunk scenario, if the subinterfaces are not in the same VLAN, the routers may not be able to communicate at Layer 2 at all.

However, the most common cause is that both routers are using the same router ID: each router sees its own router ID in the received hello and ignores the packet, so the adjacency never progresses past INIT.

2082
Multi-Select (hard)

Which TWO statements about the 'time-range' feature in IPv4 ACLs are correct? (Choose TWO.)

A. A time-range can include both absolute and periodic statements simultaneously.
B. The time-range is applied to the entire ACL, not individual ACEs.
C. If the router's clock is not set, the time-range will be considered active at all times.
D. The time-range feature can only be used with extended named ACLs, not standard ACLs.
E. The time-range must be configured before it is referenced in an ACE.
Answers: A, E

Correct. A time-range can have one absolute statement and multiple periodic statements; the ACE is active if any of the conditions are met.

Why this answer

Option A is correct because the 'time-range' feature in Cisco IOS allows both absolute (specific start/end dates) and periodic (recurring days/times) statements to be combined within a single time-range definition. This enables flexible scheduling, such as allowing traffic only during business hours on weekdays while also specifying an absolute end date for the policy.

Exam trap

Cisco often tests the misconception that a time-range applies to the entire ACL rather than individual ACEs, leading candidates to incorrectly select option B.

2083
MCQ (hard)

What is the maximum hop count for an EIGRP route?

A. 15
B. 255
C. 224
D. Unlimited
Answer: C

Correct. EIGRP limits hop count to 224 by default.

Why this answer

EIGRP uses a maximum hop count of 224 (or 255 in some implementations) to prevent routing loops. However, the default metric calculation does not include hop count; it is only used as a tie-breaker or limit.

2084
MCQ (medium)

Consider the following partial configuration on a Cisco IOS-XE router:

interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
access-list 1 permit 192.168.1.0 0.0.0.255

What is the effect of this configuration?

A. All traffic from 192.168.1.0/24 is translated to 203.0.113.1 using PAT.
B. Only traffic from 192.168.1.1 is translated to 203.0.113.1 using PAT.
C. Traffic is translated using static NAT to 203.0.113.1.
D. The configuration is incomplete; a NAT pool is required for dynamic translation.
Answer: A

The 'overload' keyword enables PAT, and the ACL matches the inside network.

Why this answer

The configuration enables NAT overload (PAT) for the 192.168.1.0/24 network, translating all inside addresses to the IP of GigabitEthernet0/1 (203.0.113.1) with port multiplexing.

2085
MCQ (hard)

A network engineer notices that routes redistributed from EIGRP into OSPF are causing routing loops. Router R1 has the following relevant configuration:

router eigrp 100
 redistribute ospf 1 metric 10000 100 255 1 1500
router ospf 1
 redistribute eigrp 100 subnets metric-type 1

Router R2 shows:

show ip route 192.168.1.0
Routing entry for 192.168.1.0/24
  Known via "ospf 1", distance 110, metric 20, type E1
  Last update from 10.1.1.1, 00:01:30 ago

Also, R2 has a default route via R1. What is the root cause?

A. Mutual redistribution without filtering causes a routing loop; apply distribute-list or route-map with tags.
B. The metric-type 1 should be type 2 to avoid loops.
C. The EIGRP metric values are incorrect; they should match OSPF cost.
D. The subnets keyword is missing in the redistribute command for OSPF.
Answer: A

Without filtering, routes are redistributed back and forth, creating loops. Tags and filters break the cycle.

Why this answer

The mutual redistribution between EIGRP and OSPF without route filtering can cause a routing loop. R1 redistributes OSPF into EIGRP, and EIGRP back into OSPF, creating a feedback loop. The E1 metric of 20 suggests the route was redistributed twice.

The correct fix is to implement route tagging and filtering so that a route is never redistributed back into the protocol it came from, which breaks the loop.

2086
MCQ (medium)

What is the default EIGRP composite metric formula used for route calculation?

A. metric = bandwidth + delay + load + reliability
B. metric = (K1 * bandwidth) + (K3 * delay)
C. metric = bandwidth + delay + MTU
D. metric = (K1 * bandwidth) + (K2 * load) + (K3 * delay) + (K5 / (K4 + reliability))
Answer: B

Correct: With default K values (K1=1, K3=1, others=0), the formula simplifies to bandwidth + delay.

Why this answer

The default EIGRP metric formula uses bandwidth and delay only: metric = (K1 * bandwidth) + (K3 * delay). By default, K1=1, K3=1, and K2, K4, K5 are set to 0, so load and reliability are ignored.

2087
MCQ (hard)

What is the default keepalive interval for a GRE tunnel interface on Cisco IOS-XE?

A. 5 seconds
B. 10 seconds
C. 15 seconds
D. 20 seconds
Answer: B

The default keepalive interval is 10 seconds.

Why this answer

The default keepalive interval for a GRE tunnel interface on Cisco IOS-XE is 10 seconds. This is defined by the default behavior of the `keepalive` command on tunnel interfaces, which sends periodic keepalive packets to verify the reachability of the tunnel destination. If no keepalive reply is received within three consecutive intervals (30 seconds by default), the tunnel interface is marked as down.

Exam trap

Cisco often tests the default keepalive interval for GRE tunnels, and the trap here is that candidates confuse it with the default keepalive interval for other interface types (e.g., serial interfaces default to 10 seconds as well, but some assume 5 or 15 seconds based on unrelated protocols like EIGRP hello timers).

How to eliminate wrong answers

Option A is wrong because 5 seconds is not the default; it is a common misconfiguration or a value used for faster failure detection but not the Cisco IOS-XE default. Option C is wrong because 15 seconds is not the default; it might be confused with the default keepalive interval for other interface types like serial interfaces (which default to 10 seconds as well, but not 15). Option D is wrong because 20 seconds is not the default; it could be mistaken for the default dead interval (three keepalive intervals) which is 30 seconds, not 20.

2088
MCQ (easy)

Which IPv6 FHS feature uses a 'device tracking' database to maintain reachability information for hosts?

A. RA Guard
B. DHCPv6 Guard
C. Device Tracking
D. PACL
Answer: C

Correct. Device Tracking maintains a database of IPv6 addresses and their reachability.

Why this answer

Device Tracking is an IPv6 FHS feature that maintains a database of IPv6 addresses and their reachability status on a per-interface basis. It is used by other FHS features like ND Snooping and Source Guard.

2089
MCQ (easy)

Which DHCP message type is used by a client to renew its lease before it expires?

A. DHCPREQUEST
B. DHCPDISCOVER
C. DHCPACK
D. DHCPRELEASE
Answer: A

The client uses DHCPREQUEST to renew its lease, sent unicast to the DHCP server.

Why this answer

When a DHCP client wants to renew its existing lease before it expires, it sends a unicast DHCPREQUEST message directly to the DHCP server that originally granted the lease. This is part of the renewal process defined in RFC 2131, where the client transitions from the BOUND state to the RENEWING state and uses the server's IP address to request an extension of the lease time.

Exam trap

Cisco often tests the distinction between the unicast DHCPREQUEST used for lease renewal and the broadcast DHCPREQUEST used during the initial DORA process, leading candidates to mistakenly think DHCPDISCOVER is involved in renewal.

How to eliminate wrong answers

Option B (DHCPDISCOVER) is wrong because it is used by a client to locate available DHCP servers when it has no current lease or is starting from the INIT state, not for renewing an existing lease. Option C (DHCPACK) is wrong because it is a server-to-client response that acknowledges and grants the lease or renewal, not a message sent by the client. Option D (DHCPRELEASE) is wrong because it is used by a client to voluntarily relinquish its IP address lease to the server, not to renew it.

2090
MCQ (medium)

A network engineer runs the following command on Router R1:

R1# show ip access-lists
Extended IP access list 120
    10 permit tcp 10.0.0.0 0.255.255.255 any eq www (1000 matches)
    20 permit udp any any eq dns (500 matches)
    30 deny ip any any (200 matches)

Based on this output, what is the problem?

A. The ACL is correctly permitting web and DNS traffic.
B. The ACL is blocking all traffic except web and DNS, which may be too restrictive.
C. The ACL has no effect because it is not applied.
D. The ACL allows all traffic because of the permit statements.
Answer: B

The deny ip any any with matches shows that other traffic is being denied, which could be a problem.

Why this answer

Option B is correct because the ACL explicitly permits only TCP port 80 (www) and UDP port 53 (dns) traffic, while the final deny ip any any statement blocks all other traffic. With only 1000 matches for web and 500 for DNS, the ACL is likely too restrictive for a production network, as it would drop essential traffic such as routing protocols, management traffic (e.g., SSH, SNMP), or other application flows. The output shows the ACL is present and has hit counts, but its restrictive nature is the problem.

Exam trap

Cisco often tests the misconception that an ACL with permit statements is automatically 'correct' or 'permissive,' when in fact the explicit deny at the end makes it highly restrictive, and candidates may overlook the need to evaluate whether the ACL matches the intended security policy.

How to eliminate wrong answers

Option A is wrong because the ACL does not 'correctly permit' all necessary traffic; it only permits web and DNS, while blocking everything else, which is typically too restrictive for a functioning network. Option C is wrong because the ACL is defined and has match counts (1000, 500, 200), indicating it is applied to an interface; an unapplied ACL would show zero matches. Option D is wrong because the permit statements do not allow all traffic; the explicit deny ip any any at line 30 blocks all traffic not matching the earlier permit entries.

2091
MCQ (hard)

An engineer configures RSPAN VLAN 100 on two switches to monitor traffic across the network. The remote switch shows the RSPAN source as active, but the destination switch receives no mirrored traffic. What is the most likely cause?

A. The RSPAN VLAN is not allowed on a trunk link between the source and destination switches.
B. The RSPAN VLAN is configured as a native VLAN on the trunk, causing VLAN tagging issues.
C. The destination switch has a different RSPAN VLAN ID configured for the session.
D. The source switch has not enabled RSPAN globally with the 'monitor session' command.
Answer: A

RSPAN traffic traverses the network in the RSPAN VLAN; if that VLAN is not permitted on an intermediate trunk, the traffic is dropped.

Why this answer

RSPAN requires that the RSPAN VLAN be created and allowed on all intermediate switches (trunks) between source and destination. If the RSPAN VLAN is pruned or not allowed on a trunk, the mirrored traffic never reaches the destination. Additionally, the RSPAN VLAN must not be used for user data.

2092
MCQ (hard)

A large enterprise network is experiencing intermittent SNMP polling failures from the NMS to router R2. R1 and R2 are connected via a serial link running OSPF. R1 has the following relevant configuration:

snmp-server community public RO
snmp-server community private RW
snmp-server trap-source Loopback0
snmp-server enable traps ospf

On R2, debug ip packet shows packets from the NMS (10.1.1.100) to R2's Loopback0 (10.2.2.2) being dropped with 'access-list violation'. No ACL is applied to any interface on R2. What is the root cause?

A. An ACL is applied to the SNMP community string that does not permit the NMS IP address.
B. OSPF network type mismatch between R1 and R2 causes routing blackhole.
C. The NMS is using SNMPv3 with incorrect credentials, causing authentication failure.
D. R2's loopback interface is not advertised into OSPF, making it unreachable.
Answer: A

The snmp-server community command can have an optional ACL. If configured, it filters SNMP access. The debug shows ACL violation, so this is the direct cause.

Why this answer

The NMS is sending SNMP requests to R2's Loopback0 IP. One might first suspect that R2's OSPF configuration has an implicit deny in a route map or distribution list that blocks the return path, or that a CoPP policy on R2 is rate-limiting or dropping SNMP traffic. However, the debug output specifically reports an 'access-list violation', which points to an ACL check on the packet rather than a routing or CoPP problem; the candidates are therefore an implicit deny in an access-class applied to the VTY lines or an ACL attached to the SNMP community.

Given no interface ACL, the most common cause is an 'access-class' under line vty that denies the NMS IP, or an 'snmp-server community' with an ACL that implicitly denies the NMS. The correct answer is: 'An ACL is applied to the SNMP community string that does not permit the NMS IP address.'

2093
Drag & Drop (medium)

Drag and drop the steps to verify and validate DMVPN operational state into the correct order, from first to last.

Why this order

Validating DMVPN starts with checking the tunnel interface status, then verifying NHRP mappings and IPsec security associations. Next, confirm routing protocol adjacencies over the tunnel. Finally, test end-to-end reachability to ensure the DMVPN network is fully operational.

2094
Multi-Select (medium)

Which TWO commands would a network engineer use to verify the MPLS label forwarding table on a Cisco IOS-XE router? (Choose TWO.)

A. show mpls forwarding-table
B. show mpls ldp neighbor
C. show mpls label table
D. show ip route
E. show mpls interfaces
Answers: A, C

'show mpls forwarding-table' displays the MPLS forwarding table, including incoming labels, outgoing labels, and next-hop information.

Why this answer

The MPLS label forwarding table is verified using 'show mpls forwarding-table' and 'show mpls label table'. The former displays outgoing labels for prefixes, while the latter shows local label bindings. Other commands either show LDP neighbors or are invalid.

2095
Multi-Select (medium)

Which TWO statements about IPv6 Neighbor Discovery (ND) Inspection are true? (Choose TWO.)

A. It validates Neighbor Solicitation and Neighbor Advertisement messages against the IPv6 snooping binding table.
B. It can be configured to rate-limit ND packets on a per-interface basis.
C. It prevents rogue DHCPv6 servers from assigning malicious addresses.
D. It uses a prefix list to determine which source addresses are allowed.
E. It is enabled globally and cannot be applied on a per-interface basis.
Answers: A, B

ND Inspection checks NS and NA messages against the binding table to prevent spoofing attacks.

Why this answer

ND Inspection is a security feature that validates ND messages against a binding table. It drops invalid messages and can rate-limit ND packets. The other statements are incorrect: ND Inspection does not protect against DHCPv6 attacks, and it does not use a prefix list by default.

2096
MCQ (medium)

Examine this OSPF configuration snippet on router R3:

router ospf 1
 network 10.1.1.0 0.0.0.255 area 0
 default-information originate always

What is the effect of the default-information originate always command?

A. R3 will advertise a default route into OSPF only if it has a default route in its routing table.
B. R3 will unconditionally advertise a default route into OSPF as an external LSA type 5.
C. R3 will advertise a default route only if it is an ASBR.
D. The command is invalid because default-information originate requires a route-map.
Answer: B

Correct. The 'always' keyword forces advertisement regardless of the presence of a default route.

Why this answer

The command injects a default route (0.0.0.0/0) into the OSPF domain as an external LSA type 5, regardless of whether the router has a default route in its routing table. The 'always' keyword forces advertisement even without a default route.

2097
MCQ (hard)

An engineer configures CoPP on a router running EIGRP. The policy includes a class-map matching EIGRP traffic with a police rate of 1000 pps. After applying the policy, EIGRP neighbors form but occasionally go active and become stuck-in-active (SIA). Which is the most likely explanation?

A. EIGRP uses multicast, and CoPP cannot police multicast traffic.
B. The police rate in pps is too low, causing EIGRP reliable packets (queries/replies) to be dropped, leading to SIA.
C. CoPP only affects incoming traffic, but EIGRP SIA is caused by outgoing packet drops.
D. EIGRP uses TCP, and CoPP only polices UDP.
Answer: B

EIGRP's reliable transport requires all packets to be acknowledged; drops cause retransmissions and potential SIA.

Why this answer

EIGRP uses reliable transport for updates and queries. If CoPP drops EIGRP packets, queries may be lost, causing the neighbor to wait for a reply and eventually go SIA. The police rate may be too low for the query/reply traffic during convergence.

2098
MCQ (medium)

A network engineer is troubleshooting MPLS traffic where packets are being dropped at a P router. The engineer runs show mpls forwarding-table and sees that the outgoing label for a specific FEC is 'Untagged' instead of a valid label. The IGP is running correctly, and LDP neighbors are established. What is the most likely cause?

A. LDP is not enabled on the outgoing interface.
B. The IGP metric is too high, causing LDP to prefer a different path.
C. The mpls label range is exhausted.
D. The router is configured with mpls ldp advertise-labels for host routes only.
Answer: A

Correct because LDP must be enabled on each interface to assign a label for the FEC; without it, the label remains 'Untagged' and packets are dropped.

Why this answer

The 'Untagged' label in the LFIB indicates that LDP has not assigned a label for that FEC on the outgoing interface. This typically happens when LDP is not enabled on the outgoing interface, either because the interface is not configured with mpls ip or because the interface is passive under LDP.

2099
MCQ (hard)

A network engineer runs the following command to troubleshoot an MPLS L3VPN issue:

R1# show bgp vpnv4 vrf CUSTOMER-A 10.1.1.0/24
BGP routing table entry for 10.1.1.0/24, version 10
Paths: (1 available, best #1, table CUSTOMER-A)
  Advertised to update-groups:
     1
  Refresh Epoch 1
  Local
    0.0.0.0 from 0.0.0.0 (10.0.0.1)
      Origin incomplete, metric 0, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:100:100
      mpls labels in/out nolabel/nolabel

What does this output indicate?

A. The route is locally originated and has no MPLS label
B. The route is learned from a BGP peer
C. The route has an MPLS label of 100
D. The route is not best
Answer: A

The route is sourced locally (0.0.0.0 from 0.0.0.0) and the mpls labels are nolabel/nolabel.

Why this answer

This shows a VPNv4 route for prefix 10.1.1.0/24 in VRF CUSTOMER-A. The path is local (sourced from this router), with next hop 0.0.0.0, and the route is valid and best. The extended community is RT:100:100.

The mpls labels show nolabel/nolabel, meaning no MPLS label is assigned for this prefix, which could indicate a problem if labels are expected.

2100
MCQ (easy)

Which of the following is NOT a valid match criterion for a class-map used in Control Plane Policing?

A. match access-group
B. match ip dscp
C. match protocol
D. match ip precedence
Answer: C

Correct. match protocol is not supported in CoPP; only ACLs, DSCP, or IP precedence are allowed.

Why this answer

CoPP supports match access-group (ACL), match ip dscp, and match ip precedence. match protocol is not supported in CoPP class-maps.
