Cisco CCNP ENARSI 300-410 (300-410) — Questions 226-300

2152 questions total · 29 pages · All types, answers revealed

Page 4 of 29

226
MCQ · medium

A network engineer runs the following command on Router R1:

```
R1# show event manager policy registered
No.  Type    Time Created              Name
1    applet  00:01:23 UTC Mar 1 2025   BGP_Neighbor_Down

R1# show bgp summary
BGP router identifier 10.0.0.1, local AS number 65001
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.1.2     4 65002       5       5        1    0    0 00:02:00 Established
```

Based on this output, which statement is correct?

A. The BGP neighbor is down.
B. The EEM policy has been triggered.
C. The BGP neighbor is up and the EEM policy has not been triggered.
D. The EEM policy is disabled.
Answer: C

The Established state confirms the neighbor is up, so the down event has not occurred.

Why this answer

The EEM policy BGP_Neighbor_Down is registered, but the BGP neighbor is in Established state. The correct answer is that the BGP neighbor is up and the EEM policy has not been triggered.

227
MCQ · hard

An engineer configures an RSPAN session on a Cisco switch to monitor traffic from VLAN 30 and send it to a remote switch. The engineer creates RSPAN VLAN 200 on both switches and configures the trunk to allow VLAN 200. On the remote switch, the engineer configures the destination port as GigabitEthernet0/4 in VLAN 200. The engineer notices that the destination port is forwarding traffic, but the traffic is not from the source VLAN 30; instead, it is broadcast traffic from other VLANs. What is the most likely cause?

A. The RSPAN VLAN is also being used for other VLAN traffic due to misconfiguration.
B. The source VLAN is not configured correctly on the source switch.
C. The destination port is in the wrong VLAN.
D. The trunk is not pruning VLAN 200 correctly.
Answer: A

Correct because the RSPAN VLAN should be a dedicated VLAN; if it is also used as a native VLAN or for other traffic, it will carry unwanted broadcasts.

Why this answer

RSPAN VLANs should be used exclusively for RSPAN traffic and should not have any other VLANs mapped to them. If the RSPAN VLAN is also used for other purposes, it may carry unintended traffic.

228
Multi-Select · hard

Which TWO statements about the 'ip access-list resequence' command are true? (Choose TWO.)

Select 2 answers
A. The 'ip access-list resequence' command can be applied to both numbered and named ACLs.
B. The default starting sequence number for the resequence command is 10, and the default increment is 10.
C. The resequence command changes the order in which ACL entries are evaluated.
D. The resequence command is useful when you need to insert a new ACE between two existing entries with consecutive sequence numbers.
E. The resequence command can only be used on extended named ACLs, not standard named ACLs.
Answers: B, D

Correct. By default, the command renumbers starting at 10 with an increment of 10, unless custom values are specified.

Why this answer

Option B is correct because the default starting sequence number for the 'ip access-list resequence' command is 10, and the default increment is also 10. This allows you to renumber the Access Control Entries (ACEs) within an ACL so that you can later insert new entries between existing ones without having to remove and re-add the entire list.

Exam trap

Cisco often tests the misconception that resequencing changes the evaluation order of ACL entries, when in fact it only renumbers the entries without altering their sequence of evaluation.

229
MCQ · medium

Consider this partial configuration:

```
ip vrf CUSTOMER_B
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
```

What statement is true about this VRF configuration?

A. The VRF will not function because route-targets are mandatory for VRF-Lite.
B. The VRF is correctly configured for VRF-Lite with a unique RD and optional route-targets.
C. The RD must match the route-target value exactly.
D. The VRF will only work if 'vrf forwarding' is applied to an interface.
Answer: B

This is correct. The RD is required, and route-targets are optional but often configured for consistency.

Why this answer

In VRF-Lite, route-targets are not strictly required because there is no MP-BGP exchange. However, they are used for interoperability and to define import/export policies if needed. The RD is mandatory to create the VRF.

230
Multi-Select · hard

An engineer is troubleshooting a BGP route advertisement issue. Which TWO commands can be used to verify whether a prefix is being advertised to a specific BGP neighbor? (Choose TWO.)

Select 2 answers
A. show ip bgp neighbors <neighbor> routes
B. show ip bgp <prefix>
C. show ip bgp neighbors <neighbor> advertised-routes
D. debug ip bgp updates
E. show ip bgp summary
Answers: B, C

Correct. This command displays the BGP entry for a prefix, including the neighbor(s) to which the route is advertised.

Why this answer

To verify BGP advertisement to a neighbor, 'show ip bgp neighbors <neighbor> advertised-routes' shows all routes advertised to that neighbor. 'show ip bgp <prefix>' includes an entry for each neighbor the route is advertised to. 'show ip bgp neighbors <neighbor> routes' shows routes received from the neighbor, not advertised. 'debug ip bgp updates' is a debug command, not a verification command. 'show ip bgp summary' shows neighbor states and counts, not specific prefix advertisement.

231
MCQ · hard

An engineer configures an IPv4 ACL with a deny statement for OSPF protocol (IP protocol 89) on a router's serial interface inbound. OSPF neighbors are established, but routes are not exchanged and the neighbor state remains in EXSTART. What is the most likely explanation?

A. The ACL is blocking OSPF hello packets, preventing the neighbor from reaching FULL state.
B. The MTU on the interface is mismatched with the neighbor, causing DBD packets to be fragmented.
C. The ACL is applied outbound instead of inbound, filtering OSPF updates.
D. The router has a distribute-list in OSPF that is filtering routes.
Answer: A

An ACL denying protocol 89 blocks all OSPF packets, including hellos and DBDs, causing the neighbor to remain in EXSTART as DBD exchange fails.

Why this answer

When an ACL denies OSPF (IP protocol 89) inbound on a serial interface, it blocks all OSPF packets, including Hello packets. Without Hello packets, the neighbor cannot transition from EXSTART to FULL state because the OSPF adjacency process requires Hello exchange for neighbor discovery and maintenance. The EXSTART state indicates that the routers have formed a neighbor relationship but cannot exchange Database Description (DBD) packets, which occurs because the ACL is filtering the Hello packets that are needed to confirm bidirectional communication and proceed to the Exchange state.

Exam trap

Cisco often tests the misconception that an ACL blocking OSPF protocol 89 only affects route updates, when in fact it blocks all OSPF packets including Hello, which prevents the adjacency from reaching FULL state.

How to eliminate wrong answers

Option B is wrong because MTU mismatch causes DBD packets to be silently dropped or rejected, leading to a stuck EXSTART state, but the question specifies that the ACL is the configured issue, and MTU mismatch is not related to ACL filtering. Option C is wrong because if the ACL were applied outbound, it would filter OSPF updates leaving the router, but the neighbor would still receive Hello packets and could reach FULL state; the problem states the ACL is applied inbound, so this is a misdirection. Option D is wrong because a distribute-list filters routes within the OSPF process after adjacency is formed, but it does not prevent the neighbor from reaching FULL state; the neighbor would still exchange Hello and DBD packets and become FULL, but routes would be missing from the routing table.

232
MCQ · hard

A network engineer is troubleshooting an OSPFv3 issue where a router R1 is not learning routes from a neighbor R2. The adjacency is FULL, but 'show ipv6 route ospf' on R1 shows only a default route. R2 is an ASBR redistributing connected routes into OSPFv3. 'show ipv6 ospf database external' on R1 shows the external routes, but they are not installed in the routing table. What is the most likely cause?

A. The router R1 has a distribute-list in the OSPFv3 process that filters out the external routes.
B. The external routes have a metric of 16777214, which is considered infinite.
C. The router R1 does not have IPv6 unicast routing enabled.
D. The external routes are type 5 LSAs but the router is in a totally stubby area.
Answer: A

A distribute-list can filter routes from being installed in the routing table even if they are in the LSDB.

Why this answer

In OSPFv3, external routes are not installed if the router has a route to the forwarding address that is not reachable. However, the more common cause is that the OSPFv3 process on R1 has 'no ipv6 unicast-routing' or the router is missing a default route to reach the external destinations. Another possibility is that the external routes have a metric that is too high or the route is suppressed by a filter.

The most likely cause is that the router has a route map or distribute list that is filtering the external routes from being installed.

233
MCQ · easy

A network engineer runs the following command on Router R1:

```
R1# show ip sla statistics
IPSLAs Latest Statistics:
Round Trip Time (RTT) for Index 1
Latest RTT: 10 ms
Latest RTT (milliseconds): 10
Number of successes: 100
Number of failures: 0
Operation time to live: 3000
Operation frequency: 60 seconds
Next operation start time: 00:00:45
```

Based on this output, what is the status of the IP SLA operation?

A. The IP SLA operation has failed 100 times.
B. The IP SLA operation is successful and has a low RTT.
C. The IP SLA operation is not configured correctly.
D. The IP SLA operation is about to expire.
Answer: B

100 successes and 10 ms RTT indicate good performance.

Why this answer

The output shows 100 successes and 0 failures, with a latest RTT of 10 ms. This indicates the IP SLA operation is functioning correctly.

234
MCQ · hard

A network engineer runs the following command to troubleshoot SNMPv3 group configuration:

```
R1# show snmp group
group name: admin-group
security model: v3 auth priv
read view: v1default
write view: v1default
notify view: v1default

Group name: monitor-group
security model: v3 auth no priv
read view: v1default
write view: none
notify view: v1default
```

What does this output indicate?

A. The 'admin-group' requires authentication and encryption, while 'monitor-group' requires only authentication.
B. Both groups require authentication and encryption.
C. The 'monitor-group' has read-write access.
D. The groups use SNMPv2c security model.
Answer: A

admin-group uses 'auth priv' (auth + encryption), monitor-group uses 'auth no priv' (auth only).

Why this answer

The show snmp group command displays SNMPv3 groups. The output shows 'admin-group' with auth and privacy (encryption) and full access, while 'monitor-group' has auth but no privacy and read-only access.

235
MCQ · hard

A DMVPN Phase 3 network uses BGP for routing between hubs and spokes. R1 (hub) and R2 (spoke) have an eBGP peering. R2 advertises a prefix 192.168.1.0/24 to R1. R3 (another spoke) receives this prefix via R1 but with a higher local preference than expected, causing R3 to prefer the path through R1 even though a direct spoke-to-spoke tunnel exists. What is the root cause?

A. R1 has a route-map that sets local preference to 200 for prefixes received from R2, causing R3 to prefer the path through R1 over the direct path.
B. R3 has a static route pointing to R1 for 192.168.1.0/24, overriding BGP.
C. NHRP redirect is disabled on R1, preventing spoke-to-spoke tunnel establishment.
D. R2 is advertising the prefix with a MED of 0, causing R3 to prefer the path through R1.
Answer: A

Correct. BGP local preference is propagated to iBGP peers. If R1 sets a high local preference on routes from R2, R3 will prefer the path via R1, even if a direct spoke-to-spoke tunnel is available.

Why this answer

BGP local preference is manipulated on the hub (R1) using route-maps or policy, causing the prefix to have a higher local preference when advertised to other spokes. This overrides the normal BGP path selection and forces traffic through the hub, even if a direct spoke-to-spoke tunnel is available.

236
MCQ · hard

A network engineer runs the following command to troubleshoot an ERSPAN issue:

```
R1# show monitor session 6 detail
Session 6
---------
Type            : ERSPAN Source Session
Source VLANs    :
    Both        : 10-20
Destination IP  : 10.1.1.3
ERSPAN ID       : 200
```

What does this output indicate?

A. The session is correctly configured to monitor VLANs 10 through 20.
B. The session is misconfigured because ERSPAN cannot use VLANs as source.
C. The session is misconfigured because the ERSPAN ID must be less than 100.
D. The session is misconfigured because the destination IP must be on the same subnet.
Answer: A

ERSPAN can use VLANs as the source for monitoring.

Why this answer

The output shows an ERSPAN source session with source VLANs 10-20, destination IP 10.1.1.3, and ERSPAN ID 200. This is a valid ERSPAN source session using VLANs as the source.

237
MCQ · hard

A network engineer is troubleshooting an MPLS L3VPN where CE1 can ping the PE1 interface but cannot ping CE2. On PE1, show ip route vrf CUSTOMER shows the route to CE2's subnet, but show bgp vpnv4 unicast all neighbors 10.0.0.2 advertised-routes does not show the route. The BGP session between PE1 and PE2 is established. What is the most likely cause?

A. The VRF export route-target does not match the import route-target on the remote PE.
B. A route-map applied to the VRF export is filtering the route.
C. The BGP session is not using the correct update-source.
D. The next-hop-self command is missing under the VRF address-family.
Answer: B

Correct because a route-map on VRF export can filter routes before they are advertised to BGP, preventing the route from being sent to the remote PE.

Why this answer

The route is present in the VRF but not advertised to the remote PE, indicating a BGP policy issue. Since the BGP session is up, the most likely cause is that the route is not being redistributed into BGP or is being filtered by a route-map or prefix-list on the VRF export.

238
MCQ · easy

A network engineer runs the following command on Router PE5:

```
PE5# show ip ospf neighbor

Neighbor ID     Pri   State      Dead Time   Address     Interface
10.0.0.7          1   FULL/DR    00:00:32    10.1.1.7    GigabitEthernet0/0
10.0.0.8          1   FULL/BDR   00:00:35    10.2.2.8    GigabitEthernet0/1
```

Based on this output, which statement is correct?

A. Both OSPF adjacencies are fully established.
B. One neighbor is in the EXSTART state.
C. The router is not the DR for any segment.
D. There is a mismatch in OSPF area IDs.
Answer: A

The state is FULL for both neighbors, indicating full adjacency.

Why this answer

The show ip ospf neighbor output displays two OSPF neighbors in FULL state, one as DR and one as BDR. This indicates that OSPF adjacencies are fully established and functioning correctly.

239
Multi-Select · hard

Which TWO statements about IP SLA responder configuration are true? (Choose TWO.)

Select 2 answers
A. The 'ip sla responder' command must be configured on the destination device for UDP jitter probes to obtain accurate round-trip time.
B. The responder can be configured to listen on a specific UDP port using the 'ip sla responder udp-echo' command.
C. The responder is automatically enabled on all Cisco routers running IOS 15.0 or later.
D. The ICMP echo probe type requires the responder to be configured on the destination for accurate results.
E. The responder can provide hardware-based timestamping to improve accuracy when the 'timestamp' option is configured.
Answers: A, B

Correct. UDP jitter probes require the responder to timestamp the packets for accurate delay and jitter calculations.

Why this answer

The IP SLA responder is a component that listens for probe requests and sends replies. It is required for certain probe types like UDP jitter and TCP connect to ensure accurate measurements. The responder must be enabled on the destination device with the 'ip sla responder' global command.

It does not require a specific port for ICMP echo, and it does not automatically adjust timestamps without the 'timestamp' option.

240
MCQ · hard

A dual-stack network using IPv6 over IPv4 GRE tunnels with OSPFv3 is experiencing routing loops. Router R1 has the following relevant configuration:

```
interface Tunnel0
 ipv6 address 2001:DB8:1::1/64
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
 ipv6 ospf network point-to-point
 ipv6 ospf 1 area 0
```

Router R2 shows:

```
R2# show ipv6 ospf neighbor
Neighbor ID     Pri   State      Dead Time   Interface ID    Interface
192.0.2.2         1   FULL/ -    00:00:33    7               Tunnel0

R2# show ipv6 route 2001:DB8:3::/64
O   2001:DB8:3::/64 [110/2]
     via 2001:DB8:1::1, Tunnel0
```

What is the root cause?

A. The OSPF network type on Tunnel0 should be broadcast to match the underlying GRE tunnel.
B. The tunnel destination on R1 is incorrect, causing OSPF adjacencies to form with the wrong router.
C. R1 has a higher metric for the same prefix via another interface, causing a routing loop due to OSPF's SPF algorithm.
D. IPv6 unicast-routing is not enabled on R1.
Answer: C

If R1 learns the prefix via a different path with a higher metric, it may still prefer the tunnel route, but if that tunnel route points back to R2, a loop occurs.

Why this answer

The routing loop is caused by R1 having a higher metric for the prefix 2001:DB8:3::/64 via another interface, which OSPF's SPF algorithm still installs in the routing table. Since R2's best path to that prefix points to R1 via Tunnel0 (metric 2), and R1's best path points back to R2 via a different interface with a higher metric, traffic bounces between them. This is a classic OSPF metric asymmetry issue in a dual-stack GRE tunnel environment.

Exam trap

Cisco often tests the misconception that routing loops in OSPF are caused by network type mismatches or tunnel misconfigurations, when the real issue is metric asymmetry between routers leading to recursive routing.

How to eliminate wrong answers

Option A is wrong because OSPFv3 over a point-to-point GRE tunnel should use the point-to-point network type to avoid DR/BDR elections and simplify adjacency formation; changing to broadcast would add unnecessary overhead and not fix a routing loop. Option B is wrong because the tunnel destination on R1 (198.51.100.1) is correct for reaching R2, and the OSPF neighbor output confirms a full adjacency with Neighbor ID 192.0.2.2, indicating the tunnel is properly formed. Option D is wrong because if IPv6 unicast-routing were not enabled on R1, OSPFv3 would not form adjacencies or install routes, but the show output shows an active OSPF neighbor and a route via Tunnel0, proving it is enabled.

241
MCQ · hard

An engineer configures BFD for EIGRP in named mode. The BFD session is up, but the EIGRP neighbor relationship is not forming. The engineer checks that the K values match and that the interfaces are up. What is the most likely explanation?

A. The 'no neighbor' command is configured under the af-interface, disabling EIGRP on that interface.
B. The 'bfd' command is configured under the af-interface, but the 'bfd all-interfaces' command is missing under the EIGRP process.
C. The EIGRP router ID is the same on both routers, causing a conflict.
D. The interface is configured with 'ip bandwidth-percent eigrp' set to 0, preventing EIGRP from using the interface.
Answer: A

Correct. In named mode, the 'no neighbor' command under the af-interface prevents EIGRP from forming adjacencies on that interface, even if BFD is up.

Why this answer

In EIGRP named mode, the 'af-interface' configuration can have different settings than classic mode. Specifically, the 'no neighbor' command under the af-interface can disable EIGRP on that interface, preventing adjacency formation. BFD is configured under the af-interface as well, but if the interface is disabled for EIGRP, BFD will not help.

242
MCQ · hard

An engineer configures BFD on an OSPF link that is part of a virtual link. The BFD session between the two endpoints of the virtual link is up, but OSPF adjacency over the virtual link is not forming. What is the most likely explanation?

A. BFD cannot be used with OSPF virtual links; BFD only works on physical interfaces.
B. The virtual link is configured with a different hello interval than the BFD interval, causing a mismatch.
C. The 'bfd all-interfaces' command is not configured under the OSPF process, so OSPF ignores BFD for virtual links.
D. The virtual link is using a different authentication type than the BFD session.
Answer: A

Correct. OSPF virtual links are not supported with BFD. The BFD session on the underlying physical interface does not affect the virtual link adjacency.

Why this answer

BFD does not support virtual links in OSPF. BFD can only be configured on physical interfaces or subinterfaces, not on virtual links. Therefore, even if BFD is up on the underlying physical link, it will not help detect failures of the virtual link.

The virtual link adjacency may fail due to other issues, such as mismatched area IDs or authentication.

243
MCQ · hard

An engineer configures mutual redistribution between EIGRP and OSPF on a router. EIGRP routes are redistributed into OSPF with a route-map that sets metric-type type-1, and OSPF routes are redistributed into EIGRP with default metric 10000 100 255 1 1500. Unexpectedly, the router starts flapping routes between the two protocols, causing instability. Which is the most likely explanation?

A. The redistribution is not using route tags, so routes are being re-redistributed back and forth, causing route flapping.
B. The OSPF metric-type type-1 is incompatible with EIGRP, causing the route to be rejected.
C. The EIGRP default metric is missing the reliability and load values, so redistribution fails.
D. The router must have `redistribute connected` under both protocols to avoid flapping.
Answer: A

Without tags, there is no loop prevention; routes can be redistributed multiple times.

Why this answer

Without route tagging, mutual redistribution can cause a routing loop where a route redistributed from EIGRP into OSPF is then redistributed back into EIGRP with a different metric, creating a feedback loop. The router sees the same prefix from both protocols and may prefer one over the other, causing continuous updates. The solution is to use route tags to prevent re-redistribution.

244
MCQ · medium

A network engineer runs the following command on Router R1:

```
R1# show ipv6 bgp summary
BGP router identifier 192.168.1.1, local AS number 65001
BGP table version is 10, main routing table version 10
5 network entries using 720 bytes of memory
5 path entries using 400 bytes of memory
3/2 BGP path/bestpath attribute entries using 456 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1600 total bytes of memory
BGP activity 10/5 prefixes, 10/5 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
2001:DB8::2     4 65002     100      99       10    0    0 00:45:12        3
```

Based on this output, which statement is correct?

A. BGP is not configured for IPv6.
B. The BGP session is down.
C. BGP is peering over IPv6 and 3 prefixes are learned from the neighbor.
D. The router is in AS 65002.
Answer: C

The neighbor is IPv6 and PfxRcd shows 3.

Why this answer

The output shows that the neighbor 2001:DB8::2 (IPv6 address) is in state '3' under 'State/PfxRcd', which indicates the BGP session is established and 3 IPv6 prefixes have been received from that neighbor. The 'Up/Down' time of 00:45:12 confirms the session is active, and the 'MsgRcvd/MsgSent' counters show bidirectional communication. Therefore, BGP is peering over IPv6 and has learned 3 prefixes from the neighbor, making option C correct.

Exam trap

Cisco often tests the interpretation of the 'State/PfxRcd' column in 'show bgp ipv6 unicast summary' (or 'show ipv6 bgp summary'), where a numeric value indicates an established session and received prefixes, while a state name indicates a session problem, leading candidates to mistakenly think the session is down when they see a number instead of a state.

How to eliminate wrong answers

Option A is wrong because the command 'show ipv6 bgp summary' explicitly displays IPv6 BGP information, and the neighbor is an IPv6 address (2001:DB8::2), proving BGP is configured for IPv6. Option B is wrong because the 'State/PfxRcd' column shows '3' (not an idle/active/connect state), and the 'Up/Down' timer is 00:45:12, indicating the session is up and exchanging prefixes. Option D is wrong because the output clearly states 'local AS number 65001' in the BGP router identifier line, and the neighbor AS is 65002; the router is in AS 65001, not 65002.

245
MCQ · easy

A network engineer runs the following command on Router R1:

```
R1# show flow interface GigabitEthernet0/1
Interface GigabitEthernet0/1
  FNF: monitor
  Monitor: FLOW-MONITOR-1
  direction: Input
  traffic-statistics: enabled
```

Based on this output, what can be concluded?

A. The flow monitor is applied only to incoming traffic on this interface.
B. The flow monitor is applied to both input and output traffic.
C. Traffic statistics are disabled.
D. The flow monitor is not attached to any interface.
Answer: A

The direction is specified as 'Input', meaning only inbound traffic is monitored.

Why this answer

The output shows that flow monitor FLOW-MONITOR-1 is applied to GigabitEthernet0/1 in the input direction with traffic statistics enabled.

246
MCQ · hard

A large enterprise network is experiencing intermittent loss of NetFlow data from multiple routers. Router R1 has the following relevant configuration:

```
flow exporter EXPORTER-1
 destination 10.1.1.1
 source Loopback0
 transport udp 2055
 export-protocol netflow-v9
```

Router R2 shows:

```
R2# show flow exporter EXPORTER-1 statistics | include (Packets|Errors)
Packets exported: 0, Errors: 0
```

The network uses OSPF, and R1's Loopback0 is reachable via a summary route. What is the root cause?

A. The flow exporter is misconfigured with the wrong export protocol; it should be netflow-v5.
B. The collector IP is not reachable due to a missing route; the summary route for Loopback0's subnet does not include the /32 host route.
C. The UDP port 2055 is blocked by an ACL on R1's outbound interface.
D. The flow monitor is not applied to any interface, so no flows are being exported.
Answer: B

If Loopback0's /32 is not in the routing table of the collector's router, packets from that source may be dropped. The summary route may not cover the exact host address.

Why this answer

The issue is that the NetFlow exporter's source interface (Loopback0) is not the same as the interface used to reach the collector (10.1.1.1). OSPF summarization may cause the source IP to be unreachable from the collector's perspective due to routing asymmetry or the summary route not including the specific /32. The correct fix is to ensure the source interface is the one with a route to the collector, or to use a loopback that is explicitly advertised.

247
MCQ · easy

What is the default behavior of a local SPAN session if no direction (rx, tx, both) is specified?

A. Only ingress traffic is monitored.
B. Only egress traffic is monitored.
C. Both ingress and egress traffic are monitored.
D. No traffic is monitored until direction is explicitly set.
Answer: C

This is the default behavior.

Why this answer

If no direction is specified, the default is to monitor both ingress and egress traffic on the source interface.

248
Multi-Select · medium

Which TWO commands would a network engineer use to verify the status of IPsec security associations on a Cisco IOS router? (Choose TWO.)

Select 2 answers
A. show crypto ipsec sa
B. show crypto isakmp sa
C. show crypto map
D. show ip route
E. show crypto engine connections active
Answers: A, B

This command shows IPsec security associations, including SPI, encapsulation mode, and packet statistics.

Why this answer

The 'show crypto ipsec sa' command displays the IPsec security associations (SAs) that have been negotiated, including their SPI numbers, encryption and authentication algorithms, and packet counters. This is the primary command to verify that IPsec SAs are active and that traffic is being encrypted and decrypted correctly. The 'show crypto isakmp sa' command shows the IKE (ISAKMP) phase 1 SAs, which are necessary for establishing the IPsec SAs, making it a complementary verification step.

Exam trap

Cisco often tests the distinction between IKE phase 1 (ISAKMP) and IPsec phase 2 (IPsec) SAs, and candidates may incorrectly think 'show crypto isakmp sa' alone is sufficient to verify IPsec SAs, or they may confuse 'show crypto engine connections active' with IPsec SA status.

249
MCQ · medium

A network engineer runs the following command on Router R1:

```
R1# show flow exporter EXPORTER-1 statistics
Flow Exporter: EXPORTER-1
  Packet send statistics (last 30 seconds):
    Packets sent: 0
    Packets dropped: 0
    Packets unsent: 0
  Client send statistics:
    Packets sent: 0
    Packets dropped: 0
    Packets unsent: 0
  Export statistics:
    Number of Flows exported: 0
    Number of Packets exported: 0
    Number of Source IP address unreachable: 0
    Number of Packets dropped (no route): 0
    Number of Packets dropped (queue full): 0
```

Based on this output, what is the most likely cause of no exports?

A. The destination IP address is unreachable.
B. The flow exporter is not referenced in any flow monitor, or the flow monitor is not attached to an interface.
C. The UDP port is blocked by a firewall.
D. The source IP address is not configured on any interface.
Answer: B

No flows exported and no errors indicate the exporter is idle, which occurs when no flow monitor using it is active.

Why this answer

The exporter statistics show no flows exported and no errors. This typically means the exporter is not receiving any flows from a flow monitor, likely because the flow monitor is not attached to an interface or the flow monitor does not reference this exporter.

250
MCQ · hard

Which statement about administrative distance is true regarding the selection of routes in a routing table?

A. Routes with higher administrative distance are always preferred.
B. Administrative distance is only considered when metrics are equal.
C. The route with the lowest administrative distance is installed in the routing table.
D. Administrative distance is used to select the best path within the same routing protocol.
Answer: C

AD is the first tiebreaker when routes from different protocols exist; lower AD wins.

Why this answer

When a router receives multiple routes to the same destination from different routing protocols, the route with the lowest administrative distance is installed in the routing table, regardless of metric.

251
Multi-Select · hard

Which THREE commands can be used to verify the effects of a route-map applied to a BGP neighbor for outbound route filtering? (Choose THREE.)

Select 3 answers
A. show ip bgp neighbor X.X.X.X advertised-routes
B. show route-map
C. show ip bgp
D. show ip bgp neighbors
E. show ip prefix-list
Answers: A, B, C

Correct. This shows the routes actually advertised to the neighbor, reflecting the outbound route-map filtering.

Why this answer

To verify outbound route-map filtering on a BGP neighbor, you can check the route-map itself, the BGP table for routes that should be filtered, and the neighbor's advertised routes. show ip bgp neighbor advertised-routes shows what the router is actually sending. show route-map displays the route-map configuration and match counts. show ip bgp shows the BGP table with path attributes. show ip bgp neighbors displays neighbor information but not the filtered routes. show ip prefix-list shows prefix-list entries but not the route-map application.

252
MCQhard

An engineer configures OSPFv3 on two routers. Both routers are in the same area, but they fail to form an adjacency. Which is the most likely explanation?

A.The link-local addresses on the interfaces are not configured.
B.The OSPFv3 process is not enabled with an IPv6 unicast address-family.
C.The routers are using different OSPFv3 router IDs.
D.The OSPFv3 network type is set to broadcast on both routers.
AnswerA

OSPFv3 requires link-local addresses to form adjacencies; without them, the routers cannot communicate.

Why this answer

OSPFv3 uses link-local addresses for neighbor adjacencies. If the link-local addresses are not configured or are in the same subnet, OSPFv3 will not form an adjacency because it cannot determine the next hop for routing updates.

253
MCQmedium

A network engineer runs the following command on Router R1:

    R1# show ipv6 dhcp interface Gi0/0/0
    Gi0/0/0 is in server mode
    Uses prefix 2001:DB8:1::/64
    Rapid-Commit is disabled
    Preference value: 0
    Information refresh option: 86400
    DNS server: 2001:DB8::1
    Domain name: example.com
    Active clients: 5
    Pool: DHCP_POOL

Based on this output, which statement is correct?

A.The router is acting as a DHCPv6 client on Gi0/0/0.
B.The router is acting as a DHCPv6 server on Gi0/0/0 and has 5 active clients.
C.Rapid-Commit is enabled.
D.The interface is using SLAAC for address assignment.
AnswerB

Server mode with active clients indicates DHCPv6 server functionality.

Why this answer

The interface is configured as a DHCPv6 server with a prefix, DNS server, and domain name. It has 5 active clients. This means the router is providing DHCPv6 services on that interface.

254
MCQeasy

What is the default value of the RA lifetime (Router Lifetime) in IPv6 Router Advertisements on Cisco IOS-XE?

A.600 seconds
B.1800 seconds
C.3600 seconds
D.0 seconds
AnswerB

Correct. The default Router Lifetime is 1800 seconds on Cisco IOS-XE.

Why this answer

The default Router Lifetime in RA messages on Cisco IOS-XE is 1800 seconds (30 minutes), as per RFC 4861, which recommends a default of 3 times the default RA interval (600 seconds). However, Cisco defaults to 1800 seconds.

255
MCQhard

In DMVPN Phase 3, which loop prevention mechanism is used by default to prevent routing loops when using EIGRP?

A.Split horizon
B.Route poisoning
C.Feasibility Condition
D.Hold-down timers
AnswerC

Correct. EIGRP's DUAL algorithm uses the Feasibility Condition to prevent loops.

Why this answer

EIGRP uses the Feasibility Condition (FC) as its loop prevention mechanism. In DMVPN Phase 3, with EIGRP stub routing and summarization, the FC ensures that only feasible successors are used, preventing loops. Additionally, the 'no ip split-horizon' is often required on the hub, but loop prevention relies on EIGRP's DUAL algorithm and the FC.

256
MCQmedium

A network engineer runs the following command to troubleshoot IPsec on a DMVPN tunnel:

    R1# debug crypto isakmp
    ISAKMP: received peer 192.168.1.2, port 500, local 192.168.1.1
    ISAKMP: SA created, initiating IKE Main Mode
    ISAKMP: sent MM_SA proposal to 192.168.1.2
    ISAKMP: received MM_SA response from 192.168.1.2
    ISAKMP: Main Mode complete, starting Quick Mode
    ISAKMP: sent QM_SA request to 192.168.1.2
    ISAKMP: received QM_SA response from 192.168.1.2
    ISAKMP: Quick Mode done, IPsec SA established

What does this output indicate?

A.IKE negotiation failed; no IPsec SA was established.
B.IKE negotiation succeeded and an IPsec SA is now active.
C.The peer 192.168.1.2 is not responding to IKE requests.
D.IKE is using Aggressive Mode instead of Main Mode.
AnswerB

Correct: The debug confirms Main Mode and Quick Mode completion, and states 'IPsec SA established'.

Why this answer

The debug shows successful IKE Main Mode and Quick Mode exchanges, resulting in an established IPsec SA between 192.168.1.1 and 192.168.1.2.

257
MCQmedium

A network engineer runs the following command on Router R1:

    R1# show bgp neighbors 10.1.12.2 advertised-routes
    BGP table version is 15, local router ID is 10.1.1.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
                  x best-external, a additional-path, c RIB-compressed,
    Origin codes: i - IGP, e - EGP, ? - incomplete

         Network          Next Hop            Metric LocPrf Weight Path
     *>  10.1.1.0/24      0.0.0.0                  0         32768 i
     *>  10.2.2.0/24      10.1.12.2                0             0 65002 i

    Total number of prefixes 2

Based on this output, what can be concluded about the route 10.2.2.0/24?

A.The route 10.2.2.0/24 is being advertised back to the neighbor from which it was learned, which is incorrect.
B.The route 10.2.2.0/24 is locally originated.
C.The route 10.2.2.0/24 has a weight of 0.
D.The route 10.2.2.0/24 is not valid.
AnswerA

The next hop is 10.1.12.2, the same as the neighbor, indicating the route is being sent back to the source, which violates BGP loop prevention unless the AS path is manipulated.

Why this answer

The route 10.2.2.0/24 is being advertised to the neighbor 10.1.12.2 with next hop 10.1.12.2 itself. This indicates that R1 is advertising a route it learned from the same neighbor back to it, which is a classic case of BGP split-horizon or route advertisement causing a potential loop. However, since it is advertised, it may be due to missing AS-path filtering or a misconfiguration.

258
MCQmedium

Examine the following configuration:

    interface GigabitEthernet0/0
     ip address 192.168.1.1 255.255.255.0
     bfd interval 50 min_rx 50 multiplier 5
    !
    router eigrp TEST
     network 192.168.1.0
     bfd interface GigabitEthernet0/0
    !

Which statement is true about BFD operation on this interface?

A.BFD will detect a failure in 250 ms (5 x 50 ms).
B.BFD will detect a failure in 50 ms because the interval is set to 50 ms.
C.BFD is enabled but only for EIGRP; it will not affect any other routing protocol.
D.The configuration is missing 'bfd all-interfaces' under EIGRP, so BFD will not work.
AnswerA

Correct. The detection time is multiplier * the negotiated interval, which in this case is 5 * 50 ms = 250 ms.

Why this answer

The 'bfd interface' command under EIGRP enables BFD for that specific interface. The BFD session will negotiate timers; the multiplier of 5 means the session will declare a neighbor down after 5 * max(min_rx, negotiated interval) = 5 * 50 = 250 ms of missed packets.

259
Drag & Dropmedium

Drag and drop the steps to configure inter-VRF route leaking using static routes in VRF-Lite into the correct order, from first to last.

Why this order

First, define both VRFs and assign an RD. Then configure the import/export RTs to allow route exchange. Next, assign interfaces to the respective VRFs.

After that, configure static routes pointing to the next-hop in the other VRF. Finally, verify the leaked routes are present in the VRF routing table.

260
MCQhard

An engineer configures an IPsec site-to-site VPN between two routers. The tunnel comes up, but no traffic is encrypted. The engineer verifies that the crypto map is applied to the outgoing interface and that the ACL defining interesting traffic is correct. Which is the most likely explanation?

A.The crypto ACL is not mirrored on both sides, so the SA is not established for the traffic
B.The transform-set is missing encryption or authentication
C.The crypto map is applied to the wrong interface
D.The IKE policy is not configured
AnswerA

Correct. IPsec requires that the crypto ACLs be mirror images of each other for bidirectional traffic to be encrypted.

Why this answer

A common edge case is that the ACL defining interesting traffic is applied in the wrong direction. For IPsec, the ACL should match traffic that will be encrypted, and it must be applied to the crypto map. However, if the ACL is configured with the source and destination reversed (e.g., source is local network and destination is remote network on one router, but on the other router the ACL should also have source as local network), the traffic may not match.

Additionally, if the ACL is not mirrored on both sides, the tunnel may come up but traffic will not be encrypted because the SA is not established for that traffic.

261
MCQmedium

Which statement about an RSPAN source session is correct?

A.The RSPAN source session can send mirrored traffic to multiple RSPAN VLANs simultaneously.
B.The RSPAN source session can monitor both a VLAN and individual ports at the same time.
C.The RSPAN source session must specify a destination RSPAN VLAN.
D.The RSPAN source session can use a physical interface as a destination instead of a VLAN.
AnswerC

The destination for an RSPAN source session is always an RSPAN VLAN, which must be configured with 'remote-span'.

Why this answer

An RSPAN source session mirrors traffic from source ports to an RSPAN VLAN. The source session can monitor a single VLAN or a set of ports, but not both in the same session. The destination is always the RSPAN VLAN.

262
MCQhard

Routers R1 and R2 are iBGP peers in the same AS. R1 learns a route 172.16.1.0/24 from an eBGP peer with AS_PATH 100 200. R2 learns the same prefix from another eBGP peer with AS_PATH 100. Both routers redistribute the route into OSPF with default administrative distance. R3, an OSPF internal router, sees two OSPF external routes for 172.16.1.0/24: one from R1 (type-5, metric 20) and one from R2 (type-5, metric 30). R3's 'show ip route 172.16.1.0' shows the route via R1. What is the root cause of R3 preferring the route via R1?

A.R3 prefers the route with the lower metric (20) over the higher metric (30), which is correct OSPF behavior.
B.R3 has a static route with AD 1 that overrides both OSPF routes.
C.The route from R1 is an OSPF inter-area route (AD 110) while from R2 is external (AD 110), so they are equal; metric decides.
D.R3's OSPF process has 'distance 150' configured, making all OSPF routes AD 150, but the route from R2 is redistributed from BGP with a lower AD.
AnswerA

OSPF external routes are compared by metric first when the same type; lower metric wins.

Why this answer

OSPF prefers external routes based on metric (cost) first for type-5 routes. The route from R1 has metric 20, R2 has metric 30, so R1 is preferred. However, if the administrative distance of OSPF external routes is changed via 'distance ospf external 150', then the route with lower AD is chosen.

The correct answer is that the default AD for OSPF external is 110, so metric decides. The question implies a trick: the route from R2 might have a higher metric but lower AD due to a configuration, but the default is unchanged.

263
MCQmedium

Which IP SLA operation type is specifically designed to measure one-way delay, jitter, and packet loss using UDP packets with sequence numbers and timestamps?

A.UDP Echo
B.UDP Jitter
C.ICMP Path Echo
D.TCP Connect
AnswerB

Correct. UDP Jitter is designed for one-way delay, jitter, and packet loss measurement.

Why this answer

The UDP Jitter operation (type 3) sends UDP packets with embedded sequence numbers and timestamps to measure one-way delay, jitter, and packet loss between source and destination.

264
MCQmedium

Examine the following partial MPLS configuration on a Cisco IOS-XE router:

    interface GigabitEthernet0/0
     ip address 10.0.1.1 255.255.255.252
     mpls ip
     mpls label protocol ldp
    !
    router ospf 1
     network 10.0.1.0 0.0.0.3 area 0
    !
    mpls ldp router-id Loopback0 force

What is the effect of this configuration?

A.LDP will establish a session with the neighbor on GigabitEthernet0/0, using Loopback0 as the transport address.
B.LDP will use the IP address of GigabitEthernet0/0 as the router ID because 'force' is not valid.
C.LDP sessions will fail because OSPF is not redistributed into LDP.
D.MPLS forwarding will not occur because 'mpls label protocol ldp' is redundant and causes a conflict.
AnswerA

The 'mpls ldp router-id Loopback0 force' command forces LDP to use Loopback0 as the router ID, which becomes the transport address for LDP sessions. The 'mpls ip' on the interface enables label switching and LDP hello messages.

Why this answer

The configuration enables LDP on the interface and globally via 'mpls ip'. The 'mpls label protocol ldp' is default but explicit. The 'mpls ldp router-id Loopback0 force' ensures LDP uses Loopback0 as the router ID, overriding any other interface.

OSPF advertises the /30 link. This is a correct minimal MPLS configuration.

265
MCQhard

A network engineer runs the following command to debug MPLS LDP errors:

    R1# debug mpls ldp errors

Output:

    *Mar 1 00:01:23.456: LDP: Received malformed hello from 10.0.0.2
    *Mar 1 00:01:23.789: LDP: Received malformed initialization from 10.0.0.2
    *Mar 1 00:01:24.012: LDP: Session with 10.0.0.2:0 (0x1234) is DOWN

What does this output indicate?

A.The LDP session with 10.0.0.2 failed due to malformed messages from the neighbor
B.The LDP session with 10.0.0.2 is up and stable
C.R1 is sending malformed messages to 10.0.0.2
D.The LDP session is using incorrect transport address
AnswerA

Malformed messages were received, leading to session teardown.

Why this answer

The debug output shows LDP errors. R1 received malformed hello and initialization messages from neighbor 10.0.0.2, causing the LDP session to go down. This indicates a configuration mismatch or software bug on the neighbor.

266
Drag & Dropmedium

Drag and drop the steps to verify and validate EEM operational state into the correct order, from first to last.

Why this order

Begin by displaying registered EEM policies, then check the status of each policy (active/inactive), review event history and timestamps, examine the policy actions and variables, and finally confirm the policy triggers correctly with a test event.

267
MCQmedium

A network engineer runs the following command to troubleshoot an MPLS Operations issue:

    R1# debug mpls ldp transport 10.1.1.1

Output:

    *Mar 1 00:01:23.456: LDP: Sent hello to 10.1.1.1 (UDP 646) on GigabitEthernet0/0
    *Mar 1 00:01:23.789: LDP: Received hello from 10.1.1.1 (UDP 646) on GigabitEthernet0/0
    *Mar 1 00:01:24.012: LDP: Opened TCP connection to 10.1.1.1:646
    *Mar 1 00:01:24.345: LDP: Initialization msg sent to 10.1.1.1
    *Mar 1 00:01:24.678: LDP: Initialization msg received from 10.1.1.1
    *Mar 1 00:01:25.001: LDP: Session with 10.1.1.1:0 (0x1234) is UP

What does this output indicate?

A.LDP session with neighbor 10.1.1.1 is successfully established
B.LDP discovery via multicast hello failed
C.TCP connection to 10.1.1.1 was refused
D.LDP session is stuck in initialization state
AnswerA

The output shows all steps of LDP session establishment completing successfully, ending with session UP.

Why this answer

The debug output shows the LDP transport session establishment process. The sequence of events indicates a successful LDP session establishment: hello exchange, TCP connection, initialization messages, and session UP.

268
MCQhard

A network engineer runs the following command on Router R1:

    R1# show ip route vrf CUSTOMER_A
    Routing Table: CUSTOMER_A
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
           a - application route
           + - replicated route, % - next hop override

    Gateway of last resort is not set

          10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    B        10.10.10.0/24 [200/0] via 192.168.1.2, 00:10:00
    B        10.20.20.0/24 [200/0] via 192.168.1.2, 00:10:00

    R1# show ip bgp vpnv4 vrf CUSTOMER_A
    BGP table version is 6, local router ID is 10.1.1.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
                  x best-external, a additional-path, c RIB-compressed,
    Origin codes: i - IGP, e - EGP, ? - incomplete

         Network          Next Hop            Metric LocPrf Weight Path
    Route Distinguisher: 100:1 (default for vrf CUSTOMER_A)
     *>  10.10.10.0/24    192.168.1.2              0             0 65001 i
     *>  10.20.20.0/24    192.168.1.2              0             0 65001 i
     *>  10.30.30.0/24    192.168.1.2              0             0 65001 i

Based on this output, what is the likely issue?

A.A route-map is filtering the route 10.30.30.0/24 from the VRF routing table.
B.The VRF is not properly configured.
C.The BGP session is down.
D.The route distinguisher is misconfigured.
AnswerA

BGP table has three routes, but routing table only has two, indicating filtering.

Why this answer

The VRF routing table shows only two routes, but the BGP table shows three routes for the VRF. This indicates that a route-map is filtering one of the routes from being installed in the routing table. The correct answer is that a route-map is filtering the route 10.30.30.0/24.

269
MCQhard

An engineer configures a DHCP server on a Cisco router to assign IP addresses from a pool. Clients receive addresses, but when the engineer checks 'show ip dhcp binding', no bindings are displayed. Which is the most likely explanation?

A.The DHCP pool is configured with 'lease infinite', causing bindings to be stored in a different database.
B.The 'ip dhcp excluded-address' command includes the entire pool range, so no addresses are assigned and no bindings are created.
C.The router's DHCP server is configured in 'database' mode, which stores bindings externally.
D.The clients are using DHCPv6, not DHCPv4.
AnswerB

Correct: If the excluded address range covers the pool, the server will not assign any addresses, and no bindings are created.

Why this answer

The 'show ip dhcp binding' command only displays bindings that are currently active. If the lease time is very short or the clients release addresses, bindings may not appear. However, a more subtle edge case is when the DHCP server is configured with 'ip dhcp excluded-address' that includes the pool range, causing the server to not assign addresses but still respond with NAKs.

270
MCQhard

An engineer configures uRPF strict mode on an interface that is part of an IPv6 BGP multihoming setup with two upstream providers. The router receives BGP routes from both providers and has equal-cost paths to some destinations. Traffic from the router to those destinations is intermittently dropped. Which is the most likely explanation?

A.ECMP causes asymmetric routing where packets from the same source may arrive on different interfaces, violating uRPF strict mode's single-interface check.
B.BGP routes are not installed in the routing table, so uRPF has no entry to check.
C.The router has 'ipv6 cef' disabled, causing uRPF to fail.
D.The upstream providers are using different AS paths, causing BGP to not install equal-cost paths.
AnswerA

Correct. uRPF strict mode expects symmetric routing; ECMP breaks that assumption.

Why this answer

uRPF strict mode requires that the source address of incoming packets be reachable via the same interface on which the packet arrived. With equal-cost multipath (ECMP), traffic may arrive on a different interface than the one used for the return path (asymmetric routing). uRPF strict mode drops packets that arrive on an interface that is not the best reverse path. This is a classic edge case: ECMP can cause asymmetric flows, breaking uRPF strict mode.

271
Drag & Drophard

Drag and drop the steps to troubleshoot NAT and PAT adjacency or connectivity failures into the correct order, from first to last.

Why this order

Troubleshooting NAT connectivity failures should start with verifying basic reachability using ping, then checking NAT translations with show ip nat translations, then examining the routing table to ensure return traffic is routed correctly, then verifying access lists for NAT, and finally checking for asymmetric routing or adjacency issues.

272
MCQhard

A network engineer is troubleshooting a route summarization issue in a network using OSPFv3. Router R1 is configured with the 'ipv6 summary-address 2001:db8:0:1::/64' command under the OSPFv3 process. After the configuration, routers in the same area lose connectivity to the 2001:db8:0:1:1::/80 subnet, which is one of the component routes. What is the most likely cause?

A.The summary-address command in OSPFv3 requires a prefix-length, not a mask; the engineer used a /64 prefix, which is too specific to summarize the /80 subnet.
B.The OSPFv3 process is not enabled on the interface facing the 2001:db8:0:1:1::/80 subnet.
C.The summary-address command should be applied on the interface, not under the OSPFv3 process.
D.The 2001:db8:0:1:1::/80 subnet is not in the OSPFv3 database because it is redistributed from another protocol.
AnswerA

Correct. The summary-address command in OSPFv3 uses a prefix length. A /64 summary will not include a /80 subnet because the /80 is more specific and falls outside the summary range.

Why this answer

In OSPFv3, the summary-address command works similarly to OSPFv2. The issue may be that the summary route is not being generated because the component routes are not in the OSPFv3 database, or the summary mask is too specific.

273
MCQmedium

Which of the following is a limitation of local SPAN on a Cisco switch?

A.It can only monitor one source interface per session.
B.The destination port must be in the same VLAN as the source.
C.It cannot mirror traffic to a remote switch.
D.It cannot monitor both ingress and egress traffic simultaneously.
AnswerC

Local SPAN is confined to the local switch.

Why this answer

Local SPAN can only mirror traffic to a destination port on the same switch; it cannot send mirrored traffic across the network without additional configuration like RSPAN or ERSPAN.

274
Multi-Selectmedium

Which TWO configuration steps are required to enable Flexible NetFlow on a Cisco IOS-XE interface? (Choose TWO.)

Select 3 answers
A.Create a flow record using 'flow record <name>'.
B.Create a flow exporter using 'flow exporter <name>' and reference it in the flow monitor.
C.Enable 'ip route-cache flow' on the interface.
D.Apply the flow monitor to the interface using 'ip flow monitor <name> input'.
E.Configure a class-map and policy-map to apply the flow monitor.
AnswersA, B, D

The flow record defines match and collect fields for the flows.

Why this answer

To enable Flexible NetFlow, you must first create a flow record (defining key and non-key fields) and a flow monitor (which references the flow record and export parameters). Then, you apply the flow monitor to the interface in the appropriate direction (input or output) using the 'ip flow monitor <name> [input|output]' command. Option B is incorrect because the flow exporter is configured separately, not as part of the flow monitor.

Option C is incorrect because the 'ip route-cache flow' command is used for traditional NetFlow, not Flexible NetFlow. Option E is incorrect because the flow monitor is applied directly to the interface, not through a class-map.

275
MCQhard

Router R7 is part of an MPLS VPN network. It has multiple VRFs. The NMS is in the global routing table and needs to poll SNMP from devices in VRF BLUE. The configuration includes: snmp-server community public RO, snmp-server vrf BLUE community public RO. However, the NMS cannot poll the loopback interface of a router in VRF BLUE. The NMS can poll R7's global interfaces. What is the root cause?

A.The NMS is trying to poll a device in VRF BLUE, but the SNMP agent on R7 is not configured to respond to SNMP requests for that VRF because the 'snmp-server vrf' command is missing the 'community' keyword or the VRF is not properly associated with the SNMP process.
B.The loopback interface of the device in VRF BLUE is not advertised into the VRF's routing table.
C.The SNMP community string 'public' is not allowed in VRF BLUE due to an ACL.
D.The NMS is using SNMPv3, but the VRF configuration only supports v2c.
AnswerA

The 'snmp-server vrf BLUE community public RO' command is correct, but if the VRF is not defined or the interface is not in the VRF, SNMP may not respond. However, the most common issue is that the NMS's source IP is not in the VRF, so the SNMP agent uses the global routing table to respond, causing a mismatch.

Why this answer

SNMP community strings for VRFs require the 'snmp-server vrf' command to associate the community with the VRF. However, the NMS must have reachability to the VRF's loopback. If the NMS is in the global table, it needs a route to the VRF's loopback via route leaking or MPLS VPN.

The issue is that the NMS cannot reach the VRF loopback because there is no route. But the question states the NMS can poll R7's global interfaces, so reachability to R7 is fine. The correct answer is: 'The NMS is trying to poll a device in VRF BLUE, but the SNMP agent on R7 is not configured to respond to SNMP requests for that VRF because the 'snmp-server vrf' command is missing the 'community' keyword or the VRF is not properly associated with the SNMP process.'

276
Multi-Selecthard

Which THREE conditions must be met for a BGP route to be considered the best path and installed in the routing table? (Choose THREE.)

Select 2 answers
A.The route must have the shortest AS_PATH length.
B.The next hop must be reachable via the routing table.
C.Synchronization must be disabled or the route must be present in the IGP.
D.The route must have the lowest MED value among all paths.
E.The route must have the lowest IGP metric to the next hop.
AnswersB, C

If the next hop is unreachable, the route is not considered for best path.

Why this answer

BGP selects the best path based on several criteria: the next hop must be reachable, the route must be synchronized (if synchronization is enabled), and the path must have the highest weight (or other tie-breakers). Option A is incorrect because the AS_PATH length is compared after weight and local preference. Option D is incorrect because MED is compared only if the paths are from the same AS.

Option E is incorrect because the IGP metric is the last tie-breaker, not a requirement.

277
Multi-Selectmedium

Which THREE statements about IPsec transform sets are true? (Choose THREE.)

Select 3 answers
A.A transform set can specify both ESP and AH protocols.
B.A transform set must include an encryption algorithm.
C.Multiple transform sets can be configured and tried in order.
D.AH provides both authentication and encryption.
E.The 'crypto ipsec transform-set' command is used to define the transform set.
AnswersA, C, E

A transform set can include ESP (with or without encryption) and AH for authentication.

Why this answer

Option A is correct because an IPsec transform set can specify both ESP and AH protocols simultaneously. This allows a single transform set to define the combined use of AH for authentication and ESP for encryption (or encryption plus authentication), providing flexibility in securing IPsec traffic.

Exam trap

Cisco often tests the misconception that AH provides encryption, when in fact AH only offers authentication and integrity, while encryption is exclusively the domain of ESP.

278
MCQmedium

A network engineer runs the following command to verify CoPP (Control Plane Policing) with route-maps:

    R1# show policy-map control-plane input class class-default
     Control Plane
      Service-policy input: CoPP
        Class-map: class-default (match-any)
          12234 packets, 1234567 bytes
          5 minute offered rate 1000 bps, drop rate 0 bps
          Match: any
          police:
              cir 8000 bps, bc 1500 bytes, be 1500 bytes
            conformed 12234 packets, 1234567 bytes; actions:
              transmit
            exceeded 0 packets, 0 bytes; actions:
              drop
            violated 0 packets, 0 bytes; actions:
              drop

What does this output indicate?

A.The CoPP policy is dropping all traffic because the CIR is too low.
B.The CoPP policy is allowing all traffic and not dropping any packets.
C.The CoPP policy is only matching specific traffic classes.
D.The CoPP policy is not applied to the control plane.
AnswerB

All packets have conformed to the police rate and have been transmitted, with no drops.

Why this answer

The output shows the CoPP policy applied to the control plane. The class-default matches all traffic and polices it at 8000 bps. All packets have conformed and been transmitted, with no drops.

This indicates that the CoPP policy is working and not dropping any traffic.

279
MCQhard

An engineer is troubleshooting a router that is configured to archive configurations to a TFTP server at 192.168.1.10. The 'archive' configuration includes 'path tftp://192.168.1.10/config-archive' and 'write-memory'. The engineer notices that the archive is not being created after 'copy running-config startup-config'. What is the most likely cause?

A.The TFTP server does not have write permissions for the directory.
B.The 'archive' configuration is missing the 'time-period' command.
C.The router's 'file prompt quiet' command is configured, suppressing error messages.
D.The TFTP server's IP address is incorrect in the path.
AnswerA

TFTP servers often require a pre-existing file or write permissions; if the server cannot create the file, the archive fails silently.

Why this answer

The archive 'write-memory' command triggers an archive when the startup-config is written, but the TFTP server may not allow file creation, or the path is incorrect. A common issue is that the TFTP server requires a filename, not a directory path, or the server is not reachable.

280
MCQhard

An engineer configures static NAT on a router to map a public IP 203.0.113.5 to an internal server 10.0.0.5. The configuration includes 'ip nat inside source static 10.0.0.5 203.0.113.5'. The server is reachable from the outside, but the server cannot initiate connections to the outside network. 'show ip nat translations' shows the static entry. What is the most likely cause?

A.The server's default gateway is not the router's inside interface.
B.The 'ip nat outside' command is missing on the outside interface.
C.Static NAT does not translate the source IP for outbound traffic initiated by the inside host.
D.The router's routing table does not have a route back to the server's subnet.
AnswerC

Correct because static NAT only translates destination IP for inbound traffic; for outbound, the source remains private unless additional NAT (e.g., overload) is configured for that host.

Why this answer

Static NAT only translates the specified inside local to inside global. For the server to reach outside, the router must also translate the source of the server's traffic (which is 10.0.0.5) to a routable IP; without a matching NAT rule for outbound traffic, the server's source remains private.

281
Drag & Drophard

Drag and drop the steps to troubleshoot route summarization adjacency or connectivity failures into the correct order, from first to last.

Why this order

Start by verifying that the summarization router has a route to the null0 interface to prevent loops. Then, confirm that the summary route is being advertised to neighbors using show ip route. Next, check that the neighbor router receives the summary in its routing table.

After that, examine the neighbor's routing table for the specific summarized prefix. Finally, test end-to-end connectivity using ping or traceroute to ensure the summary works.

282
MCQeasy

What is the default OSPF dead interval on an Ethernet broadcast network?

A.10 seconds
B.30 seconds
C.40 seconds
D.120 seconds
AnswerC

The dead interval is 4 times the hello interval (10 seconds) = 40 seconds.

Why this answer

The default OSPF dead interval is 4 times the hello interval. On broadcast networks (like Ethernet), the default hello interval is 10 seconds, so the dead interval is 40 seconds.

283
MCQ · medium

A network engineer runs the following command to troubleshoot route redistribution:

    R1# debug ip routing
    IP: route table insert (10.10.10.0/24 via 192.168.1.1, ospf 1) metric [110/20]
    IP: route table insert (10.10.10.0/24 via 10.1.1.2, eigrp 100) metric [90/158720]
    IP: route table delete (10.10.10.0/24 via 192.168.1.1, ospf 1) metric [110/20]
    IP: route table insert (10.10.10.0/24 via 10.1.1.2, eigrp 100) metric [90/158720]

What does this output indicate?

A. The router is load-balancing between OSPF and EIGRP routes.
B. The EIGRP route replaces the OSPF route due to lower administrative distance.
C. The OSPF route is preferred due to lower metric.
D. Both routes are installed in the routing table.
Answer: B

EIGRP AD 90 is lower than OSPF AD 110, so the EIGRP route is preferred.

Why this answer

The debug shows that the router initially installed an OSPF route for 10.10.10.0/24, then replaced it with an EIGRP route because EIGRP has a lower administrative distance (90 vs 110).

284
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show ip dhcp database
    URL : flash:/dhcpdb
    Read/write : Read/Write
    Last updated : Mar 01 2020 00:00:00
    Status : Last read succeeded. Next write scheduled in 0 seconds.

Based on this output, which statement is correct?

A. The DHCP database is stored in NVRAM and is read-only.
B. The DHCP database is stored in flash and is functioning correctly.
C. The DHCP database write failed and needs to be rescheduled.
D. The DHCP database is empty because no bindings exist.
Answer: B

The status shows success.

Why this answer

The output shows the DHCP database is stored in flash (URL: flash:/dhcpdb) with read/write access, and the status indicates the last read succeeded with a write scheduled in 0 seconds. This confirms the database is functioning correctly, as the router can read and write DHCP bindings to flash memory, which is the default storage location for DHCP database persistence.

Exam trap

Cisco often tests the distinction between DHCP database storage locations (flash vs. NVRAM vs. TFTP) and the interpretation of status messages like 'Last read succeeded' versus 'Last write failed', tricking candidates into assuming a failure or empty database without reading the full output.

How to eliminate wrong answers

Option A is wrong because the URL shows flash:/dhcpdb, not NVRAM, and the access is read/write, not read-only. Option C is wrong because the status clearly states 'Last read succeeded' and 'Next write scheduled in 0 seconds', indicating no failure occurred. Option D is wrong because the output does not provide any information about the number of bindings; the database could contain bindings or be empty, but the status does not indicate emptiness.

285
MCQ · medium

A network engineer runs the following command to verify MPLS LDP discovery sources:

    R1# show mpls ldp discovery detail

Output:

    Local LDP Identifier: 10.0.0.1:0
    Discovery Sources:
      Interfaces:
        GigabitEthernet0/0 (hello interval 5 s, targeted hello interval 10 s)
          LDP Id: 10.0.0.2:0, transport address: 10.0.0.2
          Hold time: 15 s (local: 15, peer: 15)
        GigabitEthernet0/1 (hello interval 5 s, targeted hello interval 10 s)
          LDP Id: 10.0.0.3:0, transport address: 10.0.0.3
          Hold time: 15 s (local: 15, peer: 15)

What does this output indicate?

A. R1 has discovered two LDP neighbors via link hellos on two different interfaces
B. R1 is using targeted hellos only
C. R1 has no LDP neighbors
D. The LDP session with 10.0.0.2 is down
Answer: A

The output shows two interfaces with LDP neighbors discovered via link hellos.

Why this answer

The output shows LDP discovery sources. R1 has discovered two LDP neighbors via link hellos on interfaces GigabitEthernet0/0 and GigabitEthernet0/1. Both neighbors have a hold time of 15 seconds.

286
MCQ · hard

Router R1 is configured as an ERSPAN source to monitor traffic on interface GigabitEthernet0/0/0. The destination is a collector at 10.10.10.10. R1's configuration:

    monitor session 1 type erspan-source
     source interface Gi0/0/0 both
     destination
      erspan-id 3
      ip address 10.10.10.10
      origin ip address 192.168.1.1

The router has an ACL applied to the interface Gi0/0/0 that denies all IP traffic from source 192.168.1.1. The collector receives no packets. What is the root cause?

A. The ACL on Gi0/0/0 blocks the original traffic, so there is no traffic to mirror.
B. The ACL on Gi0/0/0 blocks the encapsulated ERSPAN packets because the source IP 192.168.1.1 is denied.
C. The ERSPAN session is missing the 'no shutdown' command.
D. The destination IP 10.10.10.10 is not reachable.
Answer: B

If the encapsulated packets are sent out Gi0/0/0, the ACL will block them because the source IP is 192.168.1.1, which is denied.

Why this answer

ERSPAN encapsulates the mirrored packets with a new IP header whose source is the address given in the 'origin ip address' command, and the router forwards the encapsulated packet according to its routing table. The ACL on the source interface Gi0/0/0 applies to the original traffic on that interface. The encapsulated packets are generated by the router and normally leave through a different interface, the one that has the route to the collector, so the ACL on Gi0/0/0 does not usually affect them.

The symptom, however, is that the collector receives no packets. If the router uses Gi0/0/0 itself to send the encapsulated packets, the ACL may block them, because their source IP is 192.168.1.1, which the ACL denies. The correct answer is therefore that the ACL is applied to the source interface and may block the encapsulated packets if they are sent out that interface.

287
Multi-Select · hard

Which TWO statements about DHCPv6 prefix delegation are true? (Choose TWO.)

Select 2 answers
A. The requesting router uses the IA_NA option to request a prefix.
B. The delegating router must have a DHCPv6 pool configured with a prefix-delegation statement.
C. The requesting router uses the 'ipv6 dhcp client pd' command on its upstream interface to request a prefix.
D. The delegating router must be configured with 'ipv6 dhcp server' under the downstream interface facing the requesting router.
E. The requesting router can only use the delegated prefix on the interface that received it.
Answers: B, C

Correct. The delegating router uses a DHCPv6 pool with the 'prefix-delegation' command to define the prefix to be delegated.

Why this answer

DHCPv6 prefix delegation allows a delegating router to assign a prefix (e.g., /48) to a requesting router, which then sub-delegates /64 prefixes to downstream interfaces. The requesting router uses the IA_PD option, not IA_NA. The delegating router must be configured with a prefix delegation pool and an interface DHCP configuration referencing that pool.

The requesting router typically uses 'ipv6 dhcp client pd' on its upstream interface. The 'ipv6 dhcp server' command is used on the delegating router, not the requesting router.

288
Multi-Select · medium

Which TWO commands can be used to verify the SNMP configuration on a Cisco IOS-XE device? (Choose TWO.)

Select 2 answers
A. show snmp
B. show snmp host
C. show running-config | include snmp
D. show ip snmp
E. show snmp community
Answers: A, B

This command displays the SNMP engine ID, community strings, and trap status.

Why this answer

The 'show snmp' command displays SNMP engine ID, community strings, and traps. The 'show snmp host' command lists the configured trap receivers and their associated community strings. The other options either show unrelated information or do not exist.

289
MCQ · hard

An engineer configures a 6rd tunnel on a router. The tunnel comes up and the router can reach IPv6 hosts on the 6rd domain, but IPv6 hosts behind the router cannot reach the internet (native IPv6). The 6rd border relay is configured correctly. What is the most likely cause?

A. The 6rd router does not have a default route pointing to the tunnel interface; a static route to ::/0 via the tunnel is required.
B. The 6rd prefix length is incorrect; it must be /32 for the tunnel to work.
C. The border relay is not configured with the same 6rd prefix.
D. The router's IPv4 address is not in the 6rd delegated prefix range.
Answer: A

6rd does not automatically install a default route. Without a default route via the tunnel, traffic to native IPv6 destinations is dropped.

Why this answer

The 6rd tunnel is up and the router can reach IPv6 hosts on the 6rd domain, but IPv6 hosts behind the router cannot reach the native IPv6 internet. This indicates that the tunnel encapsulation works, but return traffic from the native IPv6 internet cannot reach the hosts because the router lacks a default route pointing to the tunnel interface. A static route to ::/0 via the tunnel interface is required to forward all non-6rd IPv6 traffic to the border relay, which then encapsulates it for the native IPv6 internet.

Exam trap

Cisco often tests the nuance that a tunnel being up and reachable within the 6rd domain does not imply a default route exists for native IPv6 internet access, leading candidates to overlook the missing static route.

How to eliminate wrong answers

Option B is wrong because the 6rd prefix length is not fixed at /32; it can vary (e.g., /32, /48, /56) and must match the operator's delegated prefix. Option C is wrong because the border relay is already configured correctly per the question, and a mismatch in the 6rd prefix would prevent the tunnel from coming up or reaching the 6rd domain, which is not the case here. Option D is wrong because the router's IPv4 address does not need to be in the 6rd delegated prefix range; the 6rd prefix is derived from the IPv4 address and the configured 6rd prefix/mask, and the tunnel works, so the IPv4 address is valid.

290
MCQ · medium

Consider the following partial configuration on router R6:

    flow exporter EXPORTER-3
     destination 192.168.2.200
     source Loopback0
     transport udp 2055
     template data timeout 120
    !
    flow monitor MONITOR-6
     exporter EXPORTER-3
     record netflow ipv4 original-input
    !
    interface GigabitEthernet0/6
     ip flow monitor MONITOR-6 input
    !

What is the effect of the 'template data timeout 120' command?

A. The router will resend the NetFlow v9 template to the collector every 120 seconds to ensure the collector has the latest template.
B. The router will wait 120 seconds before sending any flow data after the first template is sent.
C. The router will export flow data only if the template has been successfully acknowledged by the collector within 120 seconds.
D. The router will store flow data for 120 seconds before exporting to allow batching.
Answer: A

The 'template data timeout' command controls how often the router re-sends the template to the collector, which is necessary because NetFlow v9 uses templates that may be lost.

Why this answer

This question tests understanding of template refresh timing in NetFlow v9 export.

291
Multi-Select · hard

Which THREE symptoms indicate a potential IPsec site-to-site VPN failure due to mismatched IKE parameters? (Choose THREE.)

Select 3 answers
A. The 'show crypto isakmp sa' output shows 'MM_NO_STATE'.
B. The 'show crypto ipsec sa' output shows packet errors.
C. The router logs display '%CRYPTO-4-IKMP_NO_POLICY' error messages.
D. The 'show crypto isakmp sa' output shows 'ACTIVE' state.
E. Pings across the VPN fail, and 'show crypto isakmp sa' shows no SA.
Answers: A, C, E

MM_NO_STATE indicates that IKE phase 1 has not completed, often due to mismatched parameters.

Why this answer

Option A is correct because the 'show crypto isakmp sa' output showing 'MM_NO_STATE' indicates that the IKE Phase 1 negotiation has failed to progress past the Main Mode initial exchange. This typically occurs when IKE parameters such as encryption, hash, Diffie-Hellman group, or authentication method do not match between the two VPN peers, preventing the establishment of an ISAKMP security association.

Exam trap

Cisco often tests the distinction between IKE Phase 1 and Phase 2 failure symptoms, and the trap here is confusing packet errors in 'show crypto ipsec sa' (Phase 2) with IKE parameter mismatches (Phase 1), leading candidates to incorrectly select option B.

292
Multi-Select · medium

Which TWO commands would a network engineer use to verify the BGP next-hop reachability issue when a route is not being installed in the routing table? (Choose TWO.)

Select 2 answers
A. show ip bgp
B. show ip route
C. show ip bgp neighbors
D. show ip bgp summary
E. debug ip bgp updates
Answers: A, B

Displays the BGP table; routes with unreachable next hops may show as 'r' or not be installed.

Why this answer

The show ip bgp command displays the BGP table with status codes; if the next hop is not reachable, the route will show as 'r' (RIB-failure) or not be installed. The show ip route command verifies if the next-hop IP is present in the routing table. show ip bgp neighbors displays neighbor state but not next-hop reachability. show ip bgp summary shows neighbor summary, not route details. debug ip bgp updates is a debug command, not a verification command.

293
Multi-Select · hard

Which THREE symptoms indicate that NetFlow data export is failing or misconfigured? (Choose THREE.)

Select 3 answers
A. The 'show ip cache flow' output shows a high number of active flows but zero export packets sent.
B. The 'show ip flow export' output shows 'Export state: active'.
C. The 'show ip flow export' output shows 'Export state: idle'.
D. The 'show ip flow export' output shows 'Export packets discarded: 150' with reason 'no route'.
E. The 'show flow monitor name FLOW-MON cache' output displays multiple flow entries with valid timestamps.
Answers: A, C, D

This indicates flows are being created but not exported, likely due to export configuration issues.

Why this answer

When NetFlow export fails, the 'show ip cache flow' output will show increasing flows but no export packets. A 'show ip flow export' output with 'Export state: idle' indicates the exporter is not sending data. If the destination collector is unreachable, the router will report 'Export packets discarded' due to no route.

Option B is incorrect because 'Export state: active' is normal. Option E is incorrect because 'show flow monitor cache' showing entries means flows are being cached, but export may still fail.

294
Multi-Select · hard

Which TWO configuration steps are required to use IP SLA for tracking an object in a routing protocol like EIGRP? (Choose TWO.)

Select 2 answers
A. Configure an IP SLA operation (e.g., icmp-echo).
B. Create a tracking object that references the IP SLA operation.
C. Configure a static route pointing to the tracked interface.
D. Apply a prefix-list to filter routes based on the tracking object.
E. Schedule the IP SLA operation with the 'ip sla schedule' command.
Answers: A, B

The IP SLA operation must be defined first to generate the probe data.

Why this answer

To use IP SLA for routing protocol tracking, you must first configure an IP SLA operation (e.g., ICMP echo) and then create a tracking object that references the IP SLA operation. The tracking object is then used in the routing protocol configuration (e.g., 'track 1 ip sla 1 reachability'). Configuring a static route or a prefix-list is not required for tracking itself.

The 'ip sla schedule' is needed to start the operation, but the question asks for steps to use it for tracking, so the tracking object and its reference are key.

295
MCQ · medium

In MPLS LDP, what is the default label retention mode on Cisco IOS-XE routers?

A. Liberal Label Retention mode
B. Conservative Label Retention mode
C. Ordered Label Retention mode
D. Independent Label Retention mode
Answer: A

Liberal retention is the default; it allows faster convergence but uses more memory.

Why this answer

The default label retention mode is Liberal, meaning that a router retains all label bindings received from neighbors, even if the neighbor is not the next hop for the FEC.

296
MCQ · hard

Two routers are configured with EIGRP and have a neighbor relationship. One router has a route to 192.168.1.0/24 with metric 100. The other router has a route to the same prefix with metric 200. An engineer configures an offset-list on the first router to increase the metric of 192.168.1.0/24 by 50, expecting the second router to prefer its own route. Unexpectedly, the second router still prefers the first router's route after the offset. Which is the most likely explanation?

A. The offset-list increased the metric from 100 to 150, which is still lower than the second router's metric of 200, so the second router still prefers the first router's route.
B. The offset-list must be applied inbound on the second router to increase the metric of the received route.
C. The offset-list command only affects feasible distance, not advertised distance, so the second router ignores it.
D. The second router has a higher administrative distance for the route, so it always prefers the first router's route.
Answer: A

The offset was insufficient to flip the preference; the second router's metric (200) is still higher than 150.

Why this answer

The offset-list affects the metric of the route as advertised to the neighbor. Applied inbound on the second router, it increases the metric of the received route, making it less preferred. Applied outbound on the first router, it increases the metric of the route sent to the second router.

The second router then compares the received metric (150) with its own metric (200) and still prefers the lower metric (150). The engineer likely applied the offset-list outbound on the first router, but the increase was insufficient to make the second router's route better.

297
MCQ · medium

A network engineer is troubleshooting an IPv6 connectivity issue on a router that is receiving routes via EIGRP for IPv6. The engineer notices that some routes are not being installed in the routing table, even though the EIGRP neighbor relationship is established. The engineer checks the interface configuration and finds an inbound IPv6 ACL that permits only certain EIGRP packets. The ACL permits EIGRP hello packets and updates, but not EIGRP queries or replies. What is the most likely cause of the missing routes?

A. The ACL is blocking EIGRP query and reply packets, which are necessary for the EIGRP process to install routes.
B. The EIGRP router ID is not configured.
C. The ACL is applied outbound, blocking the EIGRP updates from being sent.
D. The EIGRP for IPv6 is not enabled on the interface.
Answer: A

Correct because EIGRP queries and replies are used to ensure route consistency and convergence; blocking them can prevent route installation.

Why this answer

EIGRP for IPv6 uses multicast address FF02::A for all EIGRP packets, including hello, update, query, and reply. The ACL permits only hello and update packets, blocking query and reply packets. EIGRP requires query and reply packets for the Diffusing Update Algorithm (DUAL) to converge and install routes; without them, the router cannot complete the route installation process, even though the neighbor relationship is established.

Exam trap

Cisco often tests the misconception that only hello and update packets are needed for EIGRP route installation, but the trap here is that query and reply packets are essential for DUAL convergence and route installation, even when neighbors are up.

How to eliminate wrong answers

Option B is wrong because the EIGRP router ID is not required for EIGRP for IPv6; it uses a 32-bit router ID derived from an IPv4 address or manually configured, but its absence does not prevent route installation if neighbors are established. Option C is wrong because the engineer checked the interface configuration and found an inbound ACL, not outbound; an outbound ACL would affect sending updates, not receiving them, and the issue is with missing routes, not updates being sent. Option D is wrong because the neighbor relationship is established, which confirms that EIGRP for IPv6 is enabled on the interface; if it were not enabled, no neighbors would form.

298
MCQ · medium

A network engineer runs the following command to verify MPLS L3VPN operation:

    R1# show mpls ldp bindings

Output:

    lib entry: 10.1.1.0/24, rev 2
      local binding: label: 101
      remote binding: lsr: 10.0.0.2:0, label: 201
    lib entry: 10.2.2.0/24, rev 4
      local binding: label: 102
      remote binding: lsr: 10.0.0.2:0, label: 202
    lib entry: 10.3.3.0/24, rev 6
      local binding: label: 103
      remote binding: lsr: 10.0.0.2:0, label: imp-null

What does this output indicate?

A. The router has learned labels for three prefixes from LSR 10.0.0.2
B. The router is using MPLS TE
C. The router is a route reflector
D. The router has a label for 10.3.3.0/24 that is implicit null
Answer: A

The output shows three LIB entries with remote bindings from 10.0.0.2.

Why this answer

The show mpls ldp bindings command displays the Label Information Base (LIB) entries. Each entry shows a prefix, the local label assigned by this router, and the remote label learned from a specific LSR (10.0.0.2). The third entry shows 'imp-null' for the remote label, meaning the neighbor is using implicit null (label 3) for that prefix, typically for BGP-free core or PHP.

299
MCQ · medium

Consider the following partial configuration on router R4:

    flow exporter EXPORTER-2
     destination 10.10.10.1
     source Loopback0
     transport udp 9996
     option interface-table
     option sampler-table
    !
    flow monitor MONITOR-4
     exporter EXPORTER-2
     record netflow ipv4 original-input
    !
    interface GigabitEthernet0/4
     ip flow monitor MONITOR-4 input
    !

What is the purpose of the 'option interface-table' and 'option sampler-table' commands under the exporter?

A. They instruct the router to periodically export metadata about interfaces and samplers to the collector, aiding in data interpretation.
B. They enable the router to sample traffic based on interface and sampler tables before exporting.
C. They limit the export to only interface and sampler statistics, ignoring flow records.
D. They are required for the exporter to function; without them, no data is exported.
Answer: A

Option templates provide additional context (e.g., interface names, sampler rates) that the collector needs to interpret flow data correctly.

Why this answer

This question tests knowledge of option templates in Flexible NetFlow exporters.

300
MCQ · easy

What is the default OSPF hello interval on a Cisco IOS-XE router for a broadcast network type?

A. 10 seconds
B. 30 seconds
C. 40 seconds
D. 60 seconds
Answer: A

Correct. The default hello interval is 10 seconds for broadcast and point-to-point networks.

Why this answer

The default hello interval for OSPF on broadcast and point-to-point networks is 10 seconds, as defined by RFC 2328 and implemented in Cisco IOS-XE.
