Cisco CCNP ENARSI 300-410 (300-410) — Questions 301375

2152 questions total · 29 pages · All types, answers revealed

Page 5 of 29
301
Multi-Select · hard

Which TWO statements about BFD authentication are true? (Choose TWO.)

Select 2 answers
A.BFD authentication supports both MD5 and SHA-1 hashing algorithms.
B.BFD authentication can be configured in either strict or loose mode.
C.BFD authentication is only supported for single-hop BFD sessions.
D.The BFD authentication key is configured directly under the BFD interface configuration.
E.BFD authentication uses a pre-shared key that must be identical on both sides.
Answers: A, B

Correct (as keyed). RFC 5880 defines Simple Password, Keyed MD5, Meticulous Keyed MD5, Keyed SHA1 and Meticulous Keyed SHA1 for BFD; Cisco IOS offers the MD5 and SHA-1 variants.

Why this answer

On Cisco IOS, BFD authentication is configured inside a BFD template (`bfd-template single-hop NAME` or `bfd-template multi-hop NAME`) with `authentication md5 keychain KC` or `authentication sha-1 keychain KC` (or their `meticulous-` variants). The key chain must exist before the template references it, and the keys must match on both ends, so Option E is also true in practice even though it is not one of the keyed answers. Option B's "strict or loose" wording is the exam's way of describing whether authentication is mandatory on a session.

Authentication is supported for both single-hop and multihop sessions, so Option C is false; the key lives in the key chain rather than under the interface, so Option D is false.

302
MCQ · hard

A network engineer is troubleshooting NAT for a VoIP phone that uses SIP. The phone is at 192.168.2.10, and the router performs PAT to the outside interface 198.51.100.1. The phone can register with the SIP server, but calls fail after 30 seconds. The engineer notices that the SIP signaling includes the phone's private IP in the SDP body. What is the most likely cause?

A.The PAT port range is exhausted.
B.The router's SIP ALG is disabled, so the private IP in the SDP is not translated.
C.The phone's default gateway is misconfigured.
D.The outside interface has a firewall blocking UDP ports.
Answer: B

Correct because without SIP ALG, the router does not inspect and translate the IP addresses inside the SIP messages, causing media to be sent to the private IP.

Why this answer

SIP embeds IP addresses in the signaling (Via, Contact) and in the SDP body (the `o=` and `c=` lines and the `m=` media port); PAT rewrites only the IP/UDP header, not the application payload. The SIP server therefore sends RTP to the private address, which is unreachable, and the call drops when the media or session timer expires. The fix is to enable SIP inspection on the NAT device (on IOS, `ip nat service sip udp port 5060` and `ip nat service sip tcp port 5060`), which translates the embedded addresses and opens the RTP pinholes.
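As an added illustration (not part of the original question and not Cisco code), the following Python models what PAT alone and SIP ALG do to a constructed INVITE from the phone at 192.168.2.10. The message text, the PAT port mapping (16384 to 40001) and the helper names are assumptions made for the example.

```python
# Added example: models PAT alone versus SIP ALG on a constructed INVITE.
PRIVATE_IP = "192.168.2.10"   # phone (inside local), from the question
PUBLIC_IP = "198.51.100.1"    # router outside interface, from the question

# Constructed SIP INVITE with an SDP body (assumed; not captured from a real phone).
INVITE = (
    "INVITE sip:bob@sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "Contact: <sip:alice@192.168.2.10:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 0\r\n"
)


def media_destination(msg):
    """Where the far end will send RTP: the SDP c= address and m= port.
    PAT rewrites only the outer IP/UDP header, so on an untouched INVITE
    this is still the phone's private address."""
    _, _, body = msg.partition("\r\n\r\n")
    addr = port = None
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            addr = line.split()[2]
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
    return addr, port


def sip_alg_rewrite(msg, inside_ip, outside_ip, port_map):
    """What SIP ALG/inspection adds on top of PAT: rewrite the inside
    address embedded in Via/Contact and in the SDP o=/c= lines, and map
    the m= media port to the port PAT allocated (port_map: inside -> outside)."""
    headers, sep, body = msg.partition("\r\n\r\n")
    headers = headers.replace(inside_ip, outside_ip)
    out = []
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):
            line = line.replace("IN IP4 " + inside_ip, "IN IP4 " + outside_ip)
        elif line.startswith("m=audio "):
            fields = line.split(" ")
            fields[1] = str(port_map[int(fields[1])])
            line = " ".join(fields)
        out.append(line)
    return headers + sep + "\r\n".join(out)
```

`media_destination` on the untouched INVITE returns the private address, which is where the SIP server would aim its RTP; only after the ALG-style rewrite does it return the outside address and the PAT-allocated port. On the router, `show ip nat translations` should then list the RTP ports the ALG opened alongside the SIP signaling entry.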

303
MCQ · medium

A network engineer is troubleshooting an IPv6 over IPv4 tunnel using Teredo on a Windows host. The host can access some IPv6 resources on the internet but cannot reach a specific internal IPv6 server. The engineer suspects the Teredo relay is misconfigured. What is the most likely issue?

A.The Teredo relay is not in the same IPv4 network as the host, or the relay does not have a route to the internal IPv6 server.
B.The host's firewall is blocking Teredo traffic on UDP port 3544.
C.The internal server is not configured with an IPv6 address.
D.The Teredo client on the host is using an incorrect server.
Answer: A

Correct (as keyed): the Teredo relay serving the destination must be able to forward packets into that IPv6 network; if it has no route, the traffic is dropped.

Why this answer

Teredo relays forward traffic between Teredo clients and the native IPv6 network, and the relay that fronts a given destination must have a route to it. If the relay nearest the internal server has no route to it while other relays reach the public IPv6 prefixes, the host sees exactly this partial connectivity. Option A's "same IPv4 network" wording is exam phrasing: a relay does not need to share a subnet with the client, but it must be reachable over IPv4 through the client's NAT.

Exam trap

Cisco often tests the distinction between Teredo relay and Teredo server roles, and the trap here is that candidates confuse a misconfigured relay (which affects specific destinations) with a misconfigured server (which breaks all Teredo connectivity).

How to eliminate wrong answers

Option B is wrong because a firewall blocking UDP 3544 would prevent all Teredo communication, not just access to a specific internal server. Option C is wrong because if the internal server lacked an IPv6 address, the host would not be able to reach it via any IPv6 method, but the question states the host can access some IPv6 resources, implying the server has an IPv6 address. Option D is wrong because an incorrect Teredo server would prevent the client from obtaining a valid Teredo address or establishing the tunnel, breaking all IPv6 connectivity, not just access to one internal server.

304
MCQ · hard

What is the maximum number of source ports that can be monitored in a single SPAN session on a typical Cisco Catalyst switch?

A.16
B.32
C.64
D.128
Answer: C

Up to 64 source ports can be included in a single SPAN session, though hardware-dependent.

Why this answer

A single SPAN session can monitor up to 64 source ports (or source VLANs, but not both in the same session). This is a hardware limitation on most Catalyst switches.

305
MCQ · medium

Which control plane protocol packets are classified as 'critical' in the default CoPP policy?

A.ICMP echo requests and SSH
B.OSPF hello packets and BGP keepalives
C.Telnet and HTTP
D.NTP and SNMP
Answer: B

Routing protocol hello and keepalive packets are considered critical for network stability and are assigned to the critical class in CoPP.

Why this answer

Cisco's recommended CoPP policy classifies routing protocol packets (e.g., OSPF, EIGRP, BGP) and Layer 2 keepalives as critical, while ICMP and SSH are often classified as normal or management.

306
Multi-Select · hard

Which TWO configuration changes are required to enforce role-based access control (RBAC) using Cisco IOS privilege levels and AAA? (Choose TWO.)

Select 2 answers
A.Use the 'privilege exec level 15 show running-config' command to restrict the show running-config command to privilege level 15.
B.Use the 'enable secret level 15 password' command to set a password for privilege level 15 access.
C.Use the 'username admin privilege 15 secret cisco' command to create a user with privilege level 15.
D.Use the 'aaa authorization exec default local' command to enable privilege level authorization using the local database.
E.Use the 'line vty 0 4 privilege level 15' command to set all VTY lines to privilege level 15 by default.
Answers: A, C

Correct (as keyed). Moving `show running-config` to privilege level 15 means only level-15 users can run it, and creating the admin user at privilege 15 makes that user one of them.

Why this answer

Option A is correct because the 'privilege exec level 15 show running-config' command restricts the 'show running-config' command to users with privilege level 15, which is a key step in enforcing RBAC by controlling which commands are available at lower privilege levels. Option C is correct because creating a user with 'username admin privilege 15 secret cisco' assigns that user to privilege level 15, allowing them to execute commands restricted to that level. Together, these two configurations ensure that only authorized users at level 15 can run sensitive commands, while lower-privilege users are blocked.

Exam trap

Cisco often tests the distinction between controlling command access (via 'privilege' commands) and controlling user authentication or session access (via 'username' or 'line' commands), and the trap here is that candidates confuse setting a default privilege level on VTY lines (Option E) with enforcing RBAC, when in fact it bypasses role-based restrictions by granting all users the same high privilege.

307
Multi-Select · hard

Which TWO statements about RSPAN configuration and operation are correct? (Choose TWO.)

Select 2 answers
A.The RSPAN VLAN must be configured as a standard VLAN and allowed on all trunk links between the source and destination switches.
B.The source session on the source switch must specify 'remote vlan <vlan-id>' to identify the RSPAN VLAN.
C.The RSPAN VLAN can be used for normal data traffic as long as it is not the native VLAN.
D.The destination session on the remote switch uses 'monitor session <session> source remote vlan <vlan-id>' and 'destination interface <interface>'.
E.Intermediate switches that only pass the RSPAN VLAN must have a monitor session configured to forward the traffic.
Answers: B, D

Correct. On the source switch the session's destination is the RSPAN VLAN (`monitor session 1 destination remote vlan 100`); on the destination switch the RSPAN VLAN is the session source (`monitor session 2 source remote vlan 100`) and a local port is the destination.

Why this answer

RSPAN carries mirrored frames across the network in a dedicated VLAN that is created with the `remote-span` keyword on every switch in the path (source, intermediate and destination), and that VLAN must be allowed on the trunks between them. An RSPAN VLAN is not an ordinary VLAN: MAC learning is disabled in it and every frame is flooded, so it must not carry user data (Option C is false) and it is not configured as a standard VLAN (Option A is false). Intermediate switches only need the VLAN created and allowed on their trunks; they do not need a monitor session (Option E is false). The destination session reflects traffic from the RSPAN VLAN to the local monitor port.

308
Drag & Drop · medium

Drag and drop the steps to verify and validate the EIGRP operational state into the correct order, from first to last.

Steps (correct order):
1. Check the EIGRP process status.
2. Verify the neighbor table.
3. Examine the topology table.
4. Review the routing table.
5. Use debug commands if needed.

Why this order

Begin by checking the overall EIGRP process status, then verify the neighbor table for adjacency, examine the topology table for feasible successors, review the routing table for installed routes, and finally use debug commands to validate ongoing operations if needed.

309
Multi-Select · hard

An engineer is troubleshooting a VRF-Lite setup where two VRFs (BLUE and RED) are configured on a router. Hosts in VRF BLUE cannot ping the default gateway of VRF RED. Which TWO statements correctly explain why this is expected behavior? (Choose TWO.)

Select 2 answers
A.Each VRF maintains its own separate routing table, so VRF BLUE has no route to the subnet of VRF RED.
B.The ARP cache in VRF BLUE does not contain the MAC address of the VRF RED gateway.
C.By default, a router does not forward packets between different VRFs unless inter-VRF routing is explicitly configured.
D.The default gateway in VRF RED is not reachable from VRF BLUE because the gateway interface is in a different VRF.
E.The ping fails because VRF BLUE does not have a default route pointing to the VRF RED gateway.
Answers: A, C

Correct. VRFs have isolated routing tables; without inter-VRF routing, there is no path.

Why this answer

VRF-Lite provides complete isolation between VRFs at Layer 3. By default, no traffic can flow between VRFs unless explicit inter-VRF routing is configured (e.g., using a router with two interfaces in different VRFs or using route leaking). Option A is correct because VRFs maintain separate routing tables.

Option C is correct because by default, a router does not forward packets between VRFs. Option B is incorrect because ARP is per-interface, but the issue is routing, not ARP. Option D is incorrect because the default gateway is reachable within its own VRF.

Option E is incorrect because the ping fails due to routing, not because of a missing default route in the source VRF.

310
MCQ · hard

An engineer configures OSPF with authentication on a point-to-point link. The adjacency forms, but routes are not being exchanged. Which is the most likely explanation?

A.One router has authentication configured on the interface, and the other has it configured at the area level, causing a mismatch.
B.The authentication key is different on both routers.
C.The OSPF network type is point-to-multipoint.
D.The OSPF process is configured with passive-interface default.
Answer: A

Intended reading: both routers enable MD5, but one enables it for the whole area and the other per interface, so the settings do not line up on the link.

Why this answer

OSPF authentication can be enabled for a whole area (`area 0 authentication message-digest`) or per interface (`ip ospf authentication message-digest`); the key itself is always set on the interface (`ip ospf message-digest-key 1 md5 ...`). The exam's intended answer is that the two routers enable authentication at different levels and therefore disagree about what is required on the link.

Practitioner caveat: OSPF authenticates every packet type, hellos included, so a genuine type or key mismatch normally stops the neighbor from ever being seen and logs `%OSPF-4-ERRRCV` with a mismatched authentication type or key. Check `show ip ospf interface` on both sides for "Message digest authentication enabled" and the same key ID, and use `debug ip ospf adj` to watch rejected packets. An adjacency that reaches FULL but carries no routes is more often a filtering, area-type or network-type problem than an authentication one.

311
MCQ · hard

A network engineer is troubleshooting an OSPFv2 adjacency issue between two routers across a Frame Relay network. R1 and R2 are connected via a point-to-point subinterface. The engineer configures 'ip ospf network point-to-point' on both subinterfaces. However, the adjacency does not form. 'show ip ospf interface' on R1 shows the interface is up and OSPF is enabled, but no neighbors are seen. What is the most likely cause?

A.The OSPF network type is set to broadcast, causing a DR/BDR election that fails on a point-to-point subinterface.
B.The subinterface is not configured with an IP address.
C.The Frame Relay map is missing or the DLCI is not assigned to the subinterface.
D.The OSPF hello and dead timers are mismatched between R1 and R2.
Answer: C

Without a proper DLCI mapping, the router cannot send Layer 2 frames to the neighbor, preventing OSPF hello packets from being exchanged.

Why this answer

On Frame Relay point-to-point subinterfaces, the OSPF network type should be point-to-point, but the adjacency may still fail if the Layer 2 mapping is incorrect. The subinterface must be mapped to the correct DLCI. If the 'frame-relay interface-dlci' command is missing or misconfigured, the router cannot send packets to the neighbor, even though OSPF is enabled.

The engineer should verify the DLCI mapping.

312
MCQ · hard

In a DMVPN Phase 2 network with EIGRP, R1 (hub) and R2 (spoke) are configured with EIGRP stub leaking. R2 is a stub router with 'eigrp stub connected summary'. R3 (another spoke) is not a stub. R2's loopback 10.0.0.1/32 is not reachable from R3, even though R2 advertises it via EIGRP. What is the root cause?

A.R2 is configured with 'eigrp stub receive-only', which prevents it from advertising any routes, including connected ones.
B.R3 has a distribute-list filtering the prefix 10.0.0.1/32 from EIGRP updates.
C.R2's loopback is not in the same EIGRP autonomous system as the tunnel.
D.NHRP is not configured on R2, preventing route advertisement.
Answer: A

Correct (as keyed). The `receive-only` keyword makes a stub advertise nothing at all, connected and summary routes included.

Why this answer

`eigrp stub connected summary` advertises connected and summary routes and nothing else, so a connected loopback should be advertised. The only stub setting that suppresses connected routes is `receive-only`, and it cannot be combined with the other keywords: each `eigrp stub` line replaces the previous one, so a later `eigrp stub receive-only` silently undoes `connected summary`. Confirm what the hub actually negotiated with `show ip eigrp neighbors detail` on the hub, which reports each spoke as a stub peer advertising CONNECTED SUMMARY routes, or RECEIVE-ONLY.

Practitioner caveat: in a Phase 2 DMVPN the hub learns the prefix from R2 and must re-advertise it to R3 out of the same mGRE tunnel interface. If the hub has the route but R3 never sees it, check split horizon on the hub tunnel (`no ip split-horizon eigrp 100`) before blaming the spoke's stub configuration.

313
MCQ · medium

A network engineer is troubleshooting a Cisco router that is not responding to SNMP polls from a management station. The router has 'snmp-server community public RO' configured. The management station can ping the router. What is the most likely cause?

A.The SNMP community string is not associated with an ACL that permits the management station.
B.The SNMP version is not configured.
C.The router's SNMP agent is disabled.
D.The management station is using the wrong SNMP port.
Answer: A

Correct (as keyed) because, once a community is bound to an ACL, a management station that the ACL does not permit is silently ignored; with no ACL at all the agent answers any source that presents the string.

Why this answer

The 'snmp-server community public RO' command configures an SNMP community string but does not restrict access by default. If no access control list (ACL) is associated with the community string, the router will respond to SNMP polls from any source. However, if an ACL is implicitly or explicitly applied that does not permit the management station's IP address, the router will silently drop the SNMP requests.

Since the management station can ping the router, Layer 3 connectivity is confirmed, isolating the issue to SNMP-specific access control.

Exam trap

Cisco often tests the nuance that `snmp-server community public RO` on its own answers everyone, so the visible line looks permissive; the trap is overlooking an ACL number appended to that line (or added later to the same community), which makes the router drop polls from every source the ACL does not permit while basic IP connectivity is intact.

How to eliminate wrong answers

Option B is wrong because `snmp-server community` enables SNMPv1 and SNMPv2c access with that string; no separate version command is needed for v2c polls. Option C is wrong because configuring a community string starts the SNMP agent; it is only stopped with `no snmp-server`. Option D is wrong because SNMP agents listen on UDP 161 by default, the successful ping rules out a reachability problem, and a poll sent to a closed UDP port would normally elicit an ICMP port-unreachable rather than the silent timeout described.
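As an added example (not part of the original question and not Cisco code), this Python models the agent's decision for the two cases the explanation contrasts: a community with no ACL and a community bound to a standard ACL with IOS wildcard semantics and the implicit deny. The configuration text, the ACL number and the management-station addresses are constructed for the example.

```python
# Added example: how an SNMP community with and without an ACL treats a poll.
import ipaddress

# Constructed IOS configuration (assumed; not taken from any real device).
CONFIG = """\
access-list 10 permit 10.10.0.5
access-list 10 permit 10.20.0.0 0.0.0.255
snmp-server community public RO 10
snmp-server community openro RO
"""


def parse_config(text):
    """Pull numbered standard ACLs and snmp-server community lines out of
    running-config text. A standard ACL entry with no wildcard is a host."""
    acls, communities = {}, {}
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "access-list":
            wildcard = f[4] if len(f) > 4 else "0.0.0.0"
            acls.setdefault(f[1], []).append((f[2], f[3], wildcard))
        elif f[:2] == ["snmp-server", "community"]:
            communities[f[2]] = {"mode": f[3], "acl": f[4] if len(f) > 4 else None}
    return acls, communities


def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: 0 bits must match, 1 bits are don't-care."""
    keep = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & keep) == (int(ipaddress.IPv4Address(network)) & keep)


def acl_permits(entries, src):
    for action, network, wildcard in entries:
        if wildcard_match(src, network, wildcard):
            return action == "permit"
    return False   # implicit deny at the end of every IOS ACL


def snmp_accepts(config, community, src):
    """Model the agent's decision for a poll from src using `community`.
    No ACL on the community line: any source that knows the string is
    answered. ACL present: the source must be permitted, otherwise the
    request is dropped silently (no SNMP error, no ICMP), which is exactly
    the 'not responding' symptom in the question."""
    acls, communities = parse_config(config)
    entry = communities.get(community)
    if entry is None:
        return False            # unknown community string: dropped
    if entry["acl"] is None:
        return True
    # An ACL that is referenced but never defined is treated as deny here
    # (assumption for the model; confirm the behaviour on the platform).
    return acl_permits(acls.get(entry["acl"], []), src)
```

To verify on the router: `show snmp community` lists each string with its ACL, `show access-lists 10` shows the match counters moving (or not) while the station polls, and `debug snmp packets` shows whether requests reach the agent at all.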

314
MCQ · hard

A network engineer is troubleshooting a router that fails to apply a specific configuration change after a reload. The engineer has an EEM applet that runs at boot time to apply a set of commands. After a reload, the engineer checks the configuration and finds that the commands were not applied. The applet is configured with event syslog pattern 'SYS-5-RESTART' and action cli command 'configure terminal'. What is the most likely cause of the failure?

A.The EEM applet is not enabled globally.
B.The syslog pattern 'SYS-5-RESTART' is misspelled.
C.The EEM applet runs before the router is fully booted, so the CLI commands fail.
D.The EEM applet requires a 'event manager directory user' command to be configured.
Answer: C

Correct because the syslog message may be generated early in the boot process, and the router may not be ready to accept configuration commands at that point.

Why this answer

The applet fires on the wrong event. `%SYS-5-RESTART` is logged early in the boot sequence, before the parser and the interfaces are ready, so `configure terminal` actions issued at that moment can fail. Trigger the applet from a later, safer point instead, for example `event timer countdown time 120` (run once, two minutes after EEM starts) or `event timer cron` for a scheduled run, and use `show event manager history events` to see whether the applet ran and what it returned.

315
MCQ · hard

A DMVPN Phase 2 network is configured with VRF-Lite. Spokes can communicate with the hub, but spoke-to-spoke traffic is not working. The engineer verifies that NHRP registrations are successful and that the spoke routers have the correct NHRP mappings for other spokes. Which is the most likely explanation?

A.The hub router has 'next-hop-self' configured under BGP, causing spokes to send traffic to the hub instead of directly to the destination spoke.
B.The NHRP authentication is mismatched between spokes, preventing the establishment of spoke-to-spoke tunnels.
C.The spoke routers have a lower MTU on the physical interface, causing fragmentation issues for the GRE/IPsec packets.
D.The DMVPN phase is actually Phase 3, which requires additional configuration for spoke-to-spoke traffic.
Answer: A

In Phase 2, spokes need to know the next-hop is the remote spoke's tunnel IP. 'next-hop-self' on the hub overrides this, forcing traffic through the hub.

Why this answer

In DMVPN Phase 2, spoke-to-spoke tunnels are created dynamically using NHRP. However, for spoke-to-spoke traffic to work, the spoke routers must have a route to the destination subnet via the tunnel interface. Additionally, the next-hop for the spoke-to-spoke route must be the spoke router's tunnel IP, not the hub.

If the hub is configured with 'next-hop-self' under BGP or if the IGP is not propagating the correct next-hop, spoke-to-spoke traffic may be forwarded through the hub instead of directly.

316
MCQ · medium

A network engineer runs the following command while troubleshooting MPLS label distribution:

R1# show mpls ldp bindings 10.10.10.0 24
  lib entry: 10.10.10.0/24, rev 2
        local binding:  label: 101
        remote binding: lsr: 10.1.1.2:0, label: 102
        remote binding: lsr: 10.1.2.2:0, label: 103

What does this output indicate?

A.The router has a local label of 101 for the prefix and has learned two remote labels from two different neighbors.
B.The router has only a local label of 101; the remote bindings are not used because they are from the same LSR.
C.The label 102 is the local label for the prefix 10.10.10.0/24.
D.The router has no label for the prefix because the lib entry is incomplete.
Answer: A

The output clearly shows one local binding and two remote bindings from different LSRs.

Why this answer

The output of 'show mpls ldp bindings 10.10.10.0 24' displays the Label Information Base (LIB) entry for prefix 10.10.10.0/24. The 'local binding: label: 101' indicates that this router has assigned label 101 to the prefix. The two 'remote binding' lines show that two different LDP neighbors (LSR IDs 10.1.1.2 and 10.1.2.2) have advertised labels 102 and 103 respectively for the same prefix.

This is the normal operation of LDP, where a router learns multiple remote labels for the same FEC from different peers.

Exam trap

Cisco often tests the distinction between local and remote bindings in the LIB, and the trap here is that candidates may confuse the 'local binding' with a remote label or assume that multiple remote bindings from different LSRs are not used, when in fact they are all valid entries for potential forwarding paths.

How to eliminate wrong answers

Option B is wrong because the remote bindings are indeed used; they are from two different LSRs (10.1.1.2 and 10.1.2.2), not the same LSR, and each provides a viable label-switched path. Option C is wrong because label 102 is a remote binding learned from LSR 10.1.1.2, not a local binding; the local label is 101. Option D is wrong because the LIB entry is complete, showing both a local binding and two remote bindings, which is a fully populated entry for the prefix.
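As an added example (not part of the original question and not Cisco code), this Python parses output shaped like the question's `show mpls ldp bindings` into the local/remote view the explanation describes, and shows which remote binding the forwarding plane would actually use. The output text (including a second entry with an implicit-null local label) and the next-hop choice are constructed for the example.

```python
# Added example: parse 'show mpls ldp bindings' into the local/remote label view.
import re

# Constructed output shaped like the question's (assumed; not from a real router).
SHOW_LDP_BINDINGS = """\
  lib entry: 10.10.10.0/24, rev 2
        local binding:  label: 101
        remote binding: lsr: 10.1.1.2:0, label: 102
        remote binding: lsr: 10.1.2.2:0, label: 103
  lib entry: 10.10.20.0/24, rev 4
        local binding:  label: imp-null
        remote binding: lsr: 10.1.1.2:0, label: 104
"""

LIB_ENTRY = re.compile(r"\s*lib entry: (\S+), rev \d+")
LOCAL = re.compile(r"\s*local binding:\s+label: (\S+)")
REMOTE = re.compile(r"\s*remote binding: lsr: ([\d.]+):\d+, label: (\S+)")


def parse_ldp_bindings(text):
    """Return {prefix: {"local": label, "remote": {lsr_id: label}}}.
    'local' is the label this router advertised to its peers for the FEC;
    'remote' holds one label per peer that advertised a binding for it."""
    lib, current = {}, None
    for line in text.splitlines():
        m = LIB_ENTRY.match(line)
        if m:
            current = lib.setdefault(m.group(1), {"local": None, "remote": {}})
            continue
        if current is None:
            continue
        m = LOCAL.match(line)
        if m:
            current["local"] = m.group(1)
            continue
        m = REMOTE.match(line)
        if m:
            current["remote"][m.group(1)] = m.group(2)
    return lib


def outgoing_label(lib, prefix, next_hop_lsr):
    """Of all remote bindings, the LFIB uses only the one learned from the
    LSR that the IGP chose as next hop for the prefix; the others stay in
    the LIB (liberal label retention) ready for use if the route changes."""
    return lib[prefix]["remote"].get(next_hop_lsr)
```

The LIB keeps every peer's binding; `show mpls forwarding-table 10.10.10.0 24` is where you see which single outgoing label the router really pushes, and it should equal `outgoing_label` for the IGP next hop.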

317
MCQ · hard

An engineer is troubleshooting an EIGRP convergence issue. After a link failure, the network takes an unusually long time to converge. The engineer notices that the EIGRP hello and hold timers are set to the default values. The network has many routers in a hub-and-spoke topology. What is the most likely cause of the slow convergence?

A.The hub router has too many EIGRP neighbors, causing CPU overload and dropped hello packets.
B.The EIGRP stub feature is not enabled on the spoke routers.
C.The EIGRP variance command is configured, causing unequal-cost load balancing.
D.The EIGRP router ID is not configured, so it defaults to the highest loopback IP.
Answer: B

In a hub-and-spoke topology, slow convergence after a link failure is a query-scoping problem: without `eigrp stub` on the spokes, the hub must query every spoke for each lost prefix and wait for every reply (or for the active timer, 180 seconds by default) before it can converge.

Why this answer

When a route goes active, the hub sends queries to all its neighbors. A non-stub spoke has to propagate the query to its own neighbors and can only answer after they do, so a lost prefix stays active until the slowest spoke replies; with many spokes this shows up as long convergence times and, at worst, stuck-in-active (SIA) events. Configuring `eigrp stub connected summary` on the spokes tells the hub not to query them, which bounds the query domain. The default hello and hold timers are a distractor: they decide how quickly a dead neighbor is detected, not how long the diffusing computation takes. Option C (variance) affects path selection rather than convergence, and Option D describes normal router-ID selection. Option A is less likely: CPU load on a hub with many neighbors is a real scaling concern (and the reason large DMVPN hubs run longer hello and hold timers), but it is not what stretches convergence after a link failure.

318
Multi-Select · medium

Which TWO commands would a network engineer use to verify the status of local authentication and authorization for device access control on a Cisco IOS router? (Choose TWO.)

Select 2 answers
A.show aaa local user lockout
B.show running-config | include aaa authentication login
C.show aaa servers
D.debug aaa authentication
E.show ip local policy
Answers: A, B

This command shows users locked out due to failed authentication attempts, which is part of verifying local AAA behavior.

Why this answer

Option A is correct because 'show aaa local user lockout' displays whether local users have been locked out due to failed authentication attempts, which is directly relevant to verifying local authentication and authorization status. Option B is correct because 'show running-config | include aaa authentication login' shows the configured AAA authentication method lists for login, allowing verification of local authentication policies.

Exam trap

Cisco often tests the distinction between commands that verify configuration (show commands) versus those that monitor live events (debug commands), and between local AAA status versus external server status, leading candidates to mistakenly select 'show aaa servers' or 'debug aaa authentication'.

319
MCQ · medium

In Flexible NetFlow, which of the following is true regarding the 'match' and 'collect' commands in a flow record?

A.The 'match' command defines fields that are used to identify unique flows, while 'collect' defines additional fields to include in the exported record.
B.Both 'match' and 'collect' define key fields; the difference is that 'match' fields are required and 'collect' fields are optional.
C.The 'match' command is used for input flows, and 'collect' is used for output flows.
D.The 'collect' command is used to aggregate flows, while 'match' is used to filter them.
Answer: A

Match fields are used to create flow keys (e.g., source/destination IP, protocol), while collect fields are non-key fields that are included in the exported data.

Why this answer

In a `flow record`, the `match` lines define the key fields: every distinct combination of key values is a distinct entry in the flow cache. The `collect` lines define non-key fields that are recorded alongside each flow (counters such as `collect counter bytes`, timestamps, TOS, input interface) but never cause a new flow to be created. Changing a field from collect to match therefore splits flows; moving one the other way merges them.
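As an added example (not part of the original question and not Cisco code), this Python emulates a flow cache for a record whose key fields are the `match` list and whose non-key fields are the `collect` list, so the split-versus-merge effect can be seen on a handful of constructed packets. The packet list and field names are assumptions made for the example.

```python
# Added example: key (match) versus non-key (collect) fields in a flow record.
FIELDS = ("src", "dst", "proto", "sport", "dport", "bytes", "tos")

# Constructed packets (assumed sample traffic, not real captures):
# (src, dst, proto, sport, dport, bytes, tos)
PACKETS = [
    ("10.1.1.5", "203.0.113.10", 6, 51000, 443, 600, 0),
    ("10.1.1.5", "203.0.113.10", 6, 51000, 443, 1400, 0),
    ("10.1.1.5", "203.0.113.10", 6, 51001, 443, 300, 0),
    ("10.1.1.9", "203.0.113.10", 17, 40000, 53, 80, 0),
    ("10.1.1.9", "203.0.113.10", 17, 40000, 53, 90, 0xB8),
]

FIVE_TUPLE = ("src", "dst", "proto", "sport", "dport")


def build_cache(packets, match, collect):
    """Emulate a Flexible NetFlow cache for a record made of 'match <field>'
    lines (match) and 'collect <field>' lines (collect). Packets that agree
    on every match field are one flow. Collect fields ride along: 'bytes'
    is summed like 'collect counter bytes', any other collect field keeps
    the last value seen. 'packets' models 'collect counter packets' and is
    always kept."""
    cache = {}
    for pkt in packets:
        rec = dict(zip(FIELDS, pkt))
        key = tuple(rec[f] for f in match)
        flow = cache.setdefault(key, {"packets": 0})
        flow["packets"] += 1
        for f in collect:
            if f == "bytes":
                flow["bytes"] = flow.get("bytes", 0) + rec["bytes"]
            else:
                flow[f] = rec[f]
    return cache
```

With the five-tuple as the key and TOS collected, the two DNS packets share one flow and the cache simply records the last TOS seen; promoting TOS to a `match` field splits them into two flows, which is what `show flow monitor NAME cache` would show as an extra entry.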

320
MCQ · easy

Which BFD session state indicates that the session is fully established and operational?

A.Down
B.Init
C.Up
D.AdminDown
Answer: C

Up is the state where the BFD session is fully established and both routers agree on parameters.

Why this answer

The Up state indicates that the BFD session is fully established, and both routers are exchanging control packets successfully.

321
MCQ · hard

An EIGRP network is experiencing stuck-in-active (SIA) routes after a link failure. Router R1 has the following relevant configuration:

router eigrp 100
 network 10.0.0.0 0.255.255.255

Router R2 shows:

R2# show ip eigrp topology 10.1.1.0/24
IP-EIGRP topology entry for 10.1.1.0/24
  State: Active, 00:01:30, Reply status 10.2.2.2, 10.3.3.3

What is the root cause?

A.Query scope is too wide; configure stub routing or summarization to limit queries.
B.The K-values are mismatched; check metric weights.
C.The network command includes too many interfaces; use passive-interface.
D.The hold time is too short; increase to 180 seconds.
Answer: A

EIGRP queries propagate to all neighbors; if a router has no alternate path, it queries further, causing SIA. Stub routing or summarization reduces query domain.

Why this answer

The entry shows the route Active for 90 seconds with replies still outstanding from 10.2.2.2 and 10.3.3.3. The active timer defaults to 180 seconds; when it expires, the neighbors that have not replied are declared stuck-in-active and their adjacencies are reset, which is far more disruptive than the original link failure. The root cause is an unbounded query domain: routers along the query path have no alternative route, forward the query to their own neighbors, and cannot reply until those neighbors do. The fix is to bound the queries, first with `eigrp stub` on spoke and edge routers, then with summarization (`ip summary-address eigrp`) at aggregation points; `show ip eigrp topology active` identifies which neighbors are holding up the reply.

322
MCQ · hard

A network engineer configures mutual redistribution between EIGRP and OSPF on a DMVPN hub router. The EIGRP domain includes the DMVPN tunnel network, and OSPF includes a corporate backbone. Unexpectedly, after a few minutes, the routing table on the hub shows oscillating routes between EIGRP and OSPF for the same prefix, causing intermittent connectivity. Which is the most likely explanation?

A.The mutual redistribution creates a routing loop because the redistributed routes are re-injected into the original protocol without proper filtering, causing the hub to prefer the redistributed route with a lower AD.
B.The DMVPN tunnel interface is not included in the OSPF process, causing the redistributed routes to have an incorrect next-hop that points to the tunnel interface.
C.The EIGRP and OSPF processes are using different metric styles, causing the redistributed routes to have infinite metrics and be ignored.
D.The hub router's routing table is overloaded due to the DMVPN tunnel being a multipoint interface, causing route flapping.
Answer: A

Administrative distance decides whether the feedback bites. An EIGRP internal route (AD 90) always beats the OSPF copy of itself (AD 110), so internal prefixes rarely oscillate. An EIGRP external route (AD 170) does not: once it has been redistributed into OSPF and learned back, the OSPF version (AD 110) wins, the EIGRP route is no longer the one being redistributed, the OSPF route disappears, EIGRP wins again, and the cycle repeats.

Why this answer

Mutual redistribution without route tags or prefix filters lets a prefix cross the boundary in one direction, be learned back in the other protocol, and cross again. Whether that produces a stable but suboptimal path or an oscillation depends on AD: OSPF (110) beats EIGRP external (170) but loses to EIGRP internal (90), so prefixes that were already external in EIGRP (typical for spoke prefixes behind a DMVPN hub) are the ones that flap.

The fix is to tag routes as they leave each protocol (a `route-map` with `set tag` under `redistribute`) and deny routes carrying the other protocol's tag when redistributing back (`match tag`), or to use distribute-lists or prefix-lists so that only locally originated prefixes are redistributed in each direction.

323
MCQ · hard

An engineer configures a site-to-site IPsec VPN between two routers using OSPF as the routing protocol. The OSPF neighbor becomes stuck in EXSTART state. The engineer verifies that the IPsec tunnel is up and that both routers can ping each other's tunnel interfaces. What is the most likely cause of the OSPF adjacency issue?

A.The OSPF network type on the tunnel interface is set to non-broadcast, preventing DBD exchange.
B.The IPsec transform set uses ESP with authentication, adding 22 bytes of overhead, reducing the tunnel MTU to 1478 bytes, causing OSPF DBD packets larger than 1478 bytes to be dropped.
C.The OSPF hello and dead intervals are mismatched between the two routers.
D.The IPsec tunnel is using transport mode instead of tunnel mode, corrupting OSPF packets.
Answer: B

IPsec encapsulation adds overhead; the exam option models it as 22 bytes, giving a 1478-byte tunnel MTU. OSPF pads Database Description packets to the interface MTU and carries that MTU in the DBD header, so DBDs that cannot be delivered whole (or that advertise an MTU the neighbor rejects) leave the adjacency in EXSTART even though hellos keep flowing.

Why this answer

EXSTART is where the two routers elect master and slave and begin exchanging Database Description (DBD) packets, and it is the first state that needs full-size packets to get through. When the encrypted packet exceeds the physical MTU, the router either fragments it (before or after encryption, depending on `crypto ipsec fragmentation` and whether DF is set) or drops it, and fragments are frequently lost on the path, so the DBDs never arrive and the neighbor stays in EXSTART. In practice the overhead of ESP in tunnel mode with AES-CBC and HMAC-SHA1 is roughly 50 to 73 bytes rather than the 22 in the option, and GRE adds 24 more, which is why the usual fix is `ip mtu 1400` (with `ip tcp adjust-mss 1360` for TCP sessions) on the tunnel interface; `ip ospf mtu-ignore` is for genuine MTU mismatches between the two ends, not for packets that cannot be delivered.

Exam trap

Cisco often tests the distinction between OSPF states—candidates confuse EXSTART (DBD exchange failure) with other states like INIT (hello mismatch) or 2-WAY (neighbor discovery), and overlook the impact of IPsec overhead on MTU and packet fragmentation.

How to eliminate wrong answers

Option A is wrong because the non-broadcast network type does not prevent DBD exchange; it only requires manual neighbor configuration and uses unicast for OSPF packets, but DBD exchange can still occur. Option C is wrong because mismatched hello/dead intervals cause OSPF to get stuck in INIT or 2-WAY state, not EXSTART; EXSTART is specifically about DBD negotiation. Option D is wrong because transport mode is used for host-to-host VPNs and does not inherently corrupt OSPF packets; tunnel mode is typical for site-to-site VPNs, but mode choice does not cause EXSTART issues.
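As an added example (not part of the original question and not Cisco code), this Python sizes an ESP tunnel-mode packet from the components the explanation lists and finds the largest inner packet, with or without a GRE header, that still fits a 1500-byte link. The cipher parameters are assumed defaults (AES-CBC with HMAC-SHA1-96); change them to match the transform set in use.

```python
# Added example: size an ESP tunnel-mode packet and find the largest inner
# packet that survives the physical MTU without fragmentation.
def esp_tunnel_size(inner_len, block=16, iv=16, icv=12, outer_ip=20):
    """Bytes on the wire for an inner IP packet of inner_len bytes after
    ESP tunnel-mode encapsulation. Defaults assume AES-CBC (16-byte block
    and IV) with HMAC-SHA1-96 (12-byte ICV) and an IPv4 outer header.
    ESP pads (payload + 2 trailer bytes) up to a cipher block boundary."""
    padded = -(-(inner_len + 2) // block) * block      # round up to block size
    return outer_ip + 8 + iv + padded + icv             # 8 = SPI + sequence number


def max_inner_packet(link_mtu, gre=0, **kw):
    """Largest inner packet whose encrypted form still fits link_mtu.
    Pass gre=24 when the inner packet first goes into GRE (4-byte GRE header
    plus a 20-byte IPv4 delivery header), as on a tunnel interface."""
    size = link_mtu
    while esp_tunnel_size(size + gre, **kw) > link_mtu:
        size -= 1
    return size


def ospf_dbd_fits(tunnel_ip_mtu, link_mtu, gre=24, **kw):
    """OSPF pads DBD packets to the interface's IP MTU, so the tunnel's
    'ip mtu' decides whether full-size DBDs survive encapsulation."""
    return esp_tunnel_size(tunnel_ip_mtu + gre, **kw) <= link_mtu
```

With these defaults a 1500-byte DBD over GRE/IPsec comes out at 1592 bytes on the wire, while `ip mtu 1400` on the tunnel yields 1496 bytes and fits; `show ip ospf neighbor` moving from EXSTART to FULL after the change confirms the diagnosis. For AES-GCM-128 with a 16-byte ICV use `block=4, iv=8, icv=16`; for HMAC-SHA256-128 use `icv=16`.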

324
Multi-Select · hard

Which TWO statements about BFD echo mode are true? (Choose TWO.)

Select 2 answers
A.Echo packets are generated by the sending router and forwarded back by the remote router.
B.Echo mode reduces the processing load on the remote router's control plane.
C.Echo mode requires a separate BFD session for each direction.
D.Echo mode increases the number of BFD control packets sent between routers.
E.Echo mode is enabled by default on all interfaces.
Answers: A, B

The sending router creates echo packets that the remote router loops back.

Why this answer

In BFD echo mode, the sending router generates echo packets that are looped back by the remote router, allowing detection of failures without involving the remote router's control plane. This reduces CPU load on the remote router. The other statements are false because echo mode does not require a separate session for each direction, and it does not increase the number of BFD control packets.

325
MCQhard

A service provider network uses OSPF with route summarization on Area Border Routers (ABRs). Router R1 (ABR) has the configuration:

```
router ospf 1
 area 1 range 10.1.0.0 255.255.240.0
 area 1 range 10.1.16.0 255.255.240.0
```

Router R2 (internal to area 1) shows:

```
R2# show ip route ospf
     10.1.0.0/20 is subnetted, 1 subnets
O IA    10.1.0.0/20 [110/2] via 10.2.1.1, 00:00:15, Serial0/0/0
     10.1.16.0/20 is subnetted, 1 subnets
O IA    10.1.16.0/20 [110/2] via 10.2.1.1, 00:00:10, Serial0/0/0
        10.1.32.0/20 [110/3] via 10.2.1.2, 00:00:05, Serial0/0/1
```

R2 is missing a route to 10.1.48.0/20. What is the root cause?

A.The ABR R1 has a missing 'area 1 range 10.1.48.0 255.255.240.0' command.
B.R2 has a routing table limit that prevents installation of the route.
C.R1's OSPF process has a distribute-list blocking the route.
D.The missing route is a result of OSPF route filtering at the area boundary.
AnswerA

The ranges configured on R1 cover 10.1.0.0/20 and 10.1.16.0/20 only; 10.1.48.0/20 falls outside both, and the item treats that as the reason it is not summarized into area 0.

Why this answer

R1 has two area 1 range statements, and 10.1.48.0/20 is inside neither, so no Type 3 summary for it is generated from those ranges. Note that on IOS an area range only suppresses the more-specific prefixes that fall inside it; prefixes outside every configured range are still advertised as individual Type 3 LSAs, and the not-advertise keyword (not no discard-route, which only concerns the ABR's local Null0 route) is what suppresses a range entirely. In practice, confirm with show ip ospf database summary 10.1.48.0 on the ABR before attributing a missing route to summarization. Options B, C and D describe filtering or resource limits that nothing in the output supports.

The fix the item expects is either an additional area 1 range 10.1.48.0 255.255.240.0 or a single broader range, area 1 range 10.1.0.0 255.255.192.0 (10.1.0.0/18), which covers all four /20s.
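The coverage check behind this item, as an added example (not part of the question bank): it converts the area range network/mask form into prefixes, reports which area 1 /20s fall outside every configured range, and computes the single broadest range that would cover them all (the item's "broader summary"). The prefix list is constructed from the question. Nothing here models LSA advertisement, and real IOS still advertises uncovered prefixes individually, so treat the output as a configuration audit rather than a prediction of R2's routing table.

```python
"""Audit which area prefixes an ABR's 'area <id> range' statements cover."""
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Sequence, Tuple

# Constructed from the question: R1's two ranges (network/mask form, as typed) and the /20s in area 1.
AREA_RANGES: List[Tuple[str, str]] = [("10.1.0.0", "255.255.240.0"), ("10.1.16.0", "255.255.240.0")]
AREA1_PREFIXES = ["10.1.0.0/20", "10.1.16.0/20", "10.1.32.0/20", "10.1.48.0/20"]


def range_to_network(network: str, mask: str) -> IPv4Network:
    """'area 1 range 10.1.0.0 255.255.240.0' -> 10.1.0.0/20 (ipaddress accepts dotted masks)."""
    return ip_network(f"{network}/{mask}")


def covering_range(prefix: str, ranges: Sequence[Tuple[str, str]]) -> Optional[IPv4Network]:
    """Return the configured range that contains `prefix`, or None if no range covers it."""
    net = ip_network(prefix)
    for network, mask in ranges:
        candidate = range_to_network(network, mask)
        if net.subnet_of(candidate):
            return candidate
    return None


def uncovered(prefixes: Sequence[str], ranges: Sequence[Tuple[str, str]]) -> List[str]:
    """Prefixes that no 'area range' statement summarizes."""
    return [p for p in prefixes if covering_range(p, ranges) is None]


def smallest_common_range(prefixes: Sequence[str]) -> IPv4Network:
    """Smallest single supernet containing every prefix: the 'use a broader summary' option."""
    nets = [ip_network(p) for p in prefixes]
    low = min(n.network_address for n in nets)
    high = max(n.broadcast_address for n in nets)
    # Walk from /32 toward /0 until one supernet starting at `low` also contains `high`.
    for plen in range(32, -1, -1):
        candidate = ip_network(f"{low}/{plen}", strict=False)
        if high in candidate:
            return candidate
    raise AssertionError("unreachable: 0.0.0.0/0 contains every address")


def ios_range_command(area: int, net: IPv4Network) -> str:
    """Render a network as the IOS 'area <id> range <network> <mask>' line."""
    return f"area {area} range {net.network_address} {net.netmask}"


if __name__ == "__main__":
    missing = uncovered(AREA1_PREFIXES, AREA_RANGES)
    print("not covered by any range:", missing)
    for p in missing:
        print("  add:", ios_range_command(1, ip_network(p)))
    print("or replace both with:", ios_range_command(1, smallest_common_range(AREA1_PREFIXES)))
```

Run against the question's data it reports that both 10.1.32.0/20 and 10.1.48.0/20 are outside R1's ranges (10.1.32.0/20 reaches R2 by a different path, via 10.2.1.2, so only the .48 prefix is actually absent) and proposes area 1 range 10.1.0.0 255.255.192.0 as the single covering summary.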

326
MCQhard

A network engineer is troubleshooting an OSPF network where an ABR (R1) is configured with the 'area 1 range 10.0.0.0 255.255.0.0' command to summarize routes from area 1 into area 0. After the configuration, routers in area 0 lose connectivity to the 10.0.1.0/24 subnet, although the summary route 10.0.0.0/16 is present in their routing tables. What is the most likely cause?

A.The summary route 10.0.0.0/16 is being advertised with a metric of 0, causing routers to prefer a default route instead.
B.The ABR is not generating the summary route because the component routes are not all in the same area.
C.The 10.0.1.0/24 subnet is not included in the summary range because the range command uses a network mask that does not match the subnet's network address.
D.The summary route is installed, but the next-hop IP address for the summary route is not reachable from routers in area 0, causing traffic to be dropped.
AnswerD

Correct per the key. The range 10.0.0.0/16 does include 10.0.1.0/24, so the summary itself is fine; what area 0 routers lose is visibility of the individual /24. They forward everything in 10.0.0.0/16 toward the ABR, and if the ABR has no usable path to 10.0.1.0/24 inside area 1, its own discard route for the range (10.0.0.0/16 to Null0, installed automatically with area range) swallows the traffic while the summary is still advertised.

Why this answer

With summarization in place the specific routes are suppressed in area 0, so reachability of the summary's next hop (the ABR) no longer proves reachability of each component. Check on the ABR that show ip route 10.0.1.0 returns an intra-area (O) route and not the Null0 discard route. Option C is wrong because 255.255.0.0 is a /16 and covers 10.0.1.0/24; option A is wrong because a summary metric does not make routers prefer a default route; option B is wrong because area range summarizes the routes of the named area only, and since the summary is present it is being generated.

327
Multi-Selecthard

Which TWO statements about verifying SPAN, RSPAN, and ERSPAN sessions are correct? (Choose TWO.)

Select 2 answers
A.The command 'show monitor session all' displays a summary of all configured SPAN, RSPAN, and ERSPAN sessions.
B.The command 'show monitor session <session> detail' displays the operational status and any errors for that session.
C.The command 'show monitor session <session> type erspan-source' is used to verify ERSPAN source sessions.
D.The command 'show spanning-tree vlan <rspan-vlan>' can confirm that the RSPAN VLAN is correctly configured and forwarding.
E.The command 'show monitor session <session> statistics' provides packet counts for mirrored traffic.
AnswersA, B

Correct. 'show monitor session all' lists all sessions with their status, source, and destination.

Why this answer

Verification commands include 'show monitor session <session>' for detailed status, 'show monitor' for a summary, and 'show monitor session <session> detail' for more granular info. For ERSPAN, 'show monitor session <session> type erspan-source' can be used. The 'show spanning-tree' command is unrelated.

328
MCQeasy

A network engineer runs the following command to troubleshoot a VRF route issue:

```
R1# show ip route vrf CUSTOMER summary
IP routing table name is CUSTOMER (0x1)
IP routing table maximum-paths is 32
Route Source    Networks    Subnets     Overhead    Memory (bytes)
connected       2           0           0           320
static          1           0           0           160
eigrp 100       3           0           0           480
  Internal      3
Total           6           0           0           960
```

What does this output indicate?

A.The VRF CUSTOMER routing table has 6 routes, including static and EIGRP routes.
B.The VRF CUSTOMER routing table is empty.
C.The VRF CUSTOMER has only connected routes.
D.The VRF CUSTOMER routing table has an error due to overlapping subnets.
AnswerA

The summary shows connected, static, and EIGRP routes totaling 6.

Why this answer

The output shows the routing table summary for VRF CUSTOMER, with 6 total routes: 2 connected, 1 static, and 3 EIGRP routes. No red flags are present.

329
Drag & Dropmedium

Drag and drop the steps to establish a BFD session with OSPF into the correct order, from first to last.


Why this order

The correct order is: (1) any global BFD settings, such as bfd slow-timers (the item's "enable BFD globally" step; IOS has no separate global enable for BFD), (2) the session parameters on the interface with bfd interval <ms> min_rx <ms> multiplier <n>, (3) enabling BFD for OSPF with bfd all-interfaces under the OSPF process or ip ospf bfd on the interface, (4) verifying the session with show bfd neighbors details, and (5) confirming that OSPF is registered as a BFD client (show bfd neighbors details lists OSPF under Registered protocols, and show ip ospf interface reports BFD enabled).

330
MCQmedium

A network engineer runs the following commands on Router R1:

```
R1# show ip policy
Interface            Route-map
GigabitEthernet0/1   PBR-MAP
R1# show route-map PBR-MAP
route-map PBR-MAP, permit, sequence 10
  Match clauses:
    ip address (access-lists): 101
  Set clauses:
    ip next-hop verify-availability 10.1.1.2 10 track 1
  Policy routing matches: 150 packets, 12000 bytes
R1# show track 1
Track 1
  IP SLA 1 reachability
  Reachability is Down
    1 change, last change 00:05:20
  Latest operation return code: timeout
  Tracked by:
    ROUTE-MAP 0
```

Based on this output, what is the most likely outcome?

A.Packets matching ACL 101 are forwarded to 10.1.1.2 regardless.
B.Packets matching ACL 101 are dropped.
C.Packets matching ACL 101 are routed normally via the routing table.
D.The route map is removed from the interface due to the track failure.
AnswerC

When the tracked object is down, PBR skips the set clause and the packet is forwarded using the destination-based routing table.

Why this answer

The route map uses 'ip next-hop verify-availability' with tracking. Track 1 is down because IP SLA 1 reports unreachability. Therefore, the set clause will not be applied, and packets matching ACL 101 will not be forwarded to 10.1.1.2; they will be routed normally via the routing table.

331
MCQmedium

A network engineer runs the following command to verify BFD with EIGRP:

```
R1# show ip eigrp 100 topology 10.2.2.0/24
EIGRP-IPv4 Topology Entry for AS(100)/ID(10.2.2.0/24)
  State: Passive, Query origin flag: 1, 1 Successor(s), FD is 131072
  Descriptor Blocks:
  10.1.1.2 (GigabitEthernet0/0), from 10.1.1.2, Send flag: 0x0
      Composite metric: (131072/130816), Route is Internal
      Vector metric:
        Minimum bandwidth is 100000 Kbit
        Total delay is 100 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 1
        Originating router is 2.2.2.2
      BFD enabled, BFD state: UP
```

What does this output indicate?

A.EIGRP is using BFD with state UP, providing sub-second convergence.
B.EIGRP has no BFD session for this neighbor.
C.BFD is down, so EIGRP relies on its own hello/dead timers.
D.EIGRP is using BFD in passive mode only.
AnswerA

BFD is enabled and UP, allowing EIGRP to detect failures faster than EIGRP hello/dead timers.

Why this answer

The output shows that BFD is enabled for the EIGRP neighbor and the BFD state is UP, indicating fast failure detection is active for this route.

332
MCQmedium

A network engineer runs the following command on Router R9:

```
R9# show logging | include %DMVPN-5-ADJCHG
*Mar 1 00:01:05.123: %DMVPN-5-ADJCHG: NHRP: Peer 10.0.0.1 on Tunnel0 is UP
*Mar 1 00:02:10.456: %DMVPN-5-ADJCHG: NHRP: Peer 10.0.0.1 on Tunnel0 is DOWN
*Mar 1 00:03:15.789: %DMVPN-5-ADJCHG: NHRP: Peer 10.0.0.1 on Tunnel0 is UP
*Mar 1 00:04:20.012: %DMVPN-5-ADJCHG: NHRP: Peer 10.0.0.1 on Tunnel0 is DOWN
```

Based on this output, what is the most likely problem?

A.The DMVPN tunnel is flapping due to an unstable IPsec SA.
B.The NHRP hold time is set too high.
C.The router has a mismatched DMVPN phase configuration.
D.The tunnel interface is administratively down.
AnswerA

DMVPN uses IPsec for encryption; if the IPsec SA is not established or is flapping, the NHRP peer will go up and down.

Why this answer

The output shows the NHRP peer 10.0.0.1 on Tunnel0 cycling between UP and DOWN about once a minute, so the DMVPN tunnel itself is unstable. Typical causes are a flapping physical or WAN interface, IPsec SA negotiation failures or expiry, or a routing change that affects the tunnel source or destination. Correlate the flap timestamps with show crypto ipsec sa (SA lifetimes and rekeys) and show dmvpn detail before settling on the IPsec explanation.

333
MCQmedium

Consider the following partial configuration on router R6:

```
router bgp 65001
 bgp router-id 6.6.6.6
 neighbor 10.0.0.2 remote-as 65002
 neighbor 10.0.0.2 route-map SET-MED out
!
route-map SET-MED permit 10
 set metric 50
```

What is the effect of this configuration?

A.Only routes that match a specific prefix will have MED set to 50; other routes will not be advertised.
B.The route-map will set the MED to 50 for all routes advertised to neighbor 10.0.0.2, and all routes will be advertised.
C.The configuration is invalid because the route-map must have a match clause.
D.The MED will only be set if the neighbor is also configured with a route-map for inbound updates.
AnswerB

The route-map has no match, so it matches all routes. The set metric command applies to all matched routes, setting MED to 50.

Why this answer

The route-map SET-MED is applied to outbound updates to neighbor 10.0.0.2. It sets the MED (multi-exit discriminator) attribute to 50 for all routes advertised to that neighbor. However, the route-map does not have a match clause, so it matches all routes.

This is valid; all routes sent to that neighbor will have MED set to 50.

334
MCQhard

A network engineer is troubleshooting an MPLS L3VPN where CE1 (10.1.1.0/24) cannot reach CE2 (10.2.2.0/24). The PE routers are using OSPF with the CEs and MP-BGP between them. On PE1, the show ip bgp vpnv4 vrf CUSTOMER command shows the route for 10.2.2.0/24 with a next-hop of 192.168.1.2, and the show ip route vrf CUSTOMER command shows the route as well. However, traffic from CE1 to CE2 fails. The show ip cef vrf CUSTOMER 10.2.2.0 command on PE1 shows the next-hop as 192.168.1.2 but the output interface is 'no route'. What is the most likely cause?

A.The OSPF process on PE1 is not redistributing connected routes.
B.The PE2 loopback is not advertised into the IGP (OSPF/IS-IS) of the service provider core.
C.The VRF route-target import is misconfigured.
D.MPLS is not enabled on the core-facing interfaces.
AnswerB

Correct: The BGP next-hop must be reachable via IGP for CEF to resolve the output interface.

Why this answer

CEF has a next-hop but no output interface because the recursive routing table lookup for the BGP next-hop (192.168.1.2) fails. The IGP (OSPF or IS-IS) does not have a route to the PE2 loopback, so CEF cannot resolve the adjacency.

335
MCQhard

A network engineer configures VRF-Lite with OSPF as the routing protocol. Two routers in the same VRF are directly connected, but the OSPF neighbor state remains stuck in EXSTART/EXCHANGE. The engineer verifies that the MTU on both interfaces is 1500. Which is the most likely explanation?

A.The OSPF network type is set to point-to-multipoint on one side and broadcast on the other, causing a mismatch in DBD packet size.
B.The 'ip mtu' command is configured on one interface with a value lower than 1500, causing the DBD packet to be larger than the receiving interface's IP MTU.
C.The VRF forwarding table is missing the OSPF route for the neighbor's router ID, preventing the exchange of DBD packets.
D.The OSPF dead interval is set to 40 seconds on one router and 120 seconds on the other, causing a mismatch in hello parameters.
AnswerB

OSPF uses the IP MTU for DBD packets. If one interface has a lower IP MTU (e.g., 1400), the DBD packet from the other side (1500) is dropped, causing the stuck state.

Why this answer

OSPF uses the IP MTU of the outgoing interface, which is what ip mtu sets, both to size its DBD packets and to fill the Interface MTU field in them. If the receiving interface's IP MTU is smaller, the DBD is rejected and that neighbor stays in EXSTART (the side with the larger MTU typically shows EXCHANGE). The physical MTU can be 1500 on both routers while ip mtu lowers one side to, say, 1400, and OSPF will use the lower value.

The mismatch to look for is therefore the IP MTU, not the hardware MTU: show ip interface <intf> | include MTU prints the IP MTU on each side. Align the values; ip ospf mtu-ignore suppresses the check but leaves oversized packets to be dropped or fragmented, so use it only as a last resort.
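A small model of the RFC 2328 section 10.6 check that this item and the earlier EXSTART items hinge on, added here as an example rather than taken from the page: each side writes its IP MTU (the ip mtu value if configured, otherwise the interface MTU) into its DBDs, and the side whose MTU is smaller rejects the peer's DBD, so the two routers report different stuck states. The interface values are constructed; ip ospf mtu-ignore is modeled as simply suppressing the check on the side where it is configured.

```python
"""Model of the OSPF Database Description interface-MTU check (RFC 2328, section 10.6)."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class OspfInterface:
    router: str
    mtu: int                          # interface (hardware) MTU, as in 'show interfaces'
    ip_mtu: Optional[int] = None      # value set with 'ip mtu', if any
    mtu_ignore: bool = False          # 'ip ospf mtu-ignore' configured on this interface

    def dbd_mtu(self) -> int:
        """Value this side places in the Interface MTU field of its DBDs: the IP MTU wins."""
        return self.ip_mtu if self.ip_mtu is not None else self.mtu

    def accepts_dbd_from(self, peer: "OspfInterface") -> bool:
        """Reject a DBD advertising a larger datagram than this interface accepts, unless the check is disabled."""
        return self.mtu_ignore or peer.dbd_mtu() <= self.dbd_mtu()


def adjacency_states(a: OspfInterface, b: OspfInterface) -> Dict[str, str]:
    """Neighbor state each router reports after the first DBD exchange.

    Both accept -> the adjacency progresses (reported here as FULL).
    One rejects -> the rejecting (smaller-MTU) side stays in EXSTART; its peer accepted the
                   smaller DBD, moved to EXCHANGE, and waits there for an acknowledgement that never comes.
    """
    a_ok, b_ok = a.accepts_dbd_from(b), b.accepts_dbd_from(a)
    if a_ok and b_ok:
        return {a.router: "FULL", b.router: "FULL"}
    return {
        a.router: "EXCHANGE" if a_ok else "EXSTART",
        b.router: "EXCHANGE" if b_ok else "EXSTART",
    }


def diagnose(a: OspfInterface, b: OspfInterface) -> str:
    """One-line verdict with the fix a practitioner would apply."""
    states = adjacency_states(a, b)
    if set(states.values()) == {"FULL"}:
        return "MTU check passes on both sides"
    stuck = next(r for r, s in states.items() if s == "EXSTART")
    big, small = max(a.dbd_mtu(), b.dbd_mtu()), min(a.dbd_mtu(), b.dbd_mtu())
    return (f"{stuck} rejects the peer DBD (peer advertises {big} > local {small}); "
            "align 'ip mtu' on both ends, or as a last resort 'ip ospf mtu-ignore' on the rejecting side")


if __name__ == "__main__":
    r1 = OspfInterface("R1", mtu=1500)
    r2 = OspfInterface("R2", mtu=1500, ip_mtu=1400)   # hardware MTU matches, IP MTU does not
    print(adjacency_states(r1, r2))
    print(diagnose(r1, r2))
```

With the question's situation (both physical MTUs 1500, one side lowered to 1400 with ip mtu) R2 is the one stuck in EXSTART while R1 reaches EXCHANGE, which is the asymmetric pair of states to recognise in show ip ospf neighbor on the two routers.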

336
MCQhard

Router R1 is configured with ip nat inside source list 100 interface GigabitEthernet0/1 overload. Internal host 192.168.1.10 can ping external host 203.0.113.50, but cannot establish a TCP connection to port 443. Router R1 shows: debug ip nat: NAT: s=192.168.1.10->203.0.113.1, d=203.0.113.50 [0]. The external host shows no received packets. What is the root cause?

A.An ACL on the outside interface is blocking TCP port 443; configure an ACL to permit it.
B.The NAT translation is failing for TCP due to port exhaustion.
C.The internal host has a firewall blocking outbound TCP.
D.The external host is not responding to TCP SYN packets.
AnswerA

ICMP is permitted, but TCP 443 is likely denied by an implicit or explicit ACL.

Why this answer

Ping works because ICMP is allowed, but TCP port 443 may be blocked by an ACL on the outside interface. The debug shows NAT translation occurring, but the packet may be dropped after translation. The correct fix is to check the ACL on the outside interface (e.g., GigabitEthernet0/1) for inbound/outbound rules that block TCP 443.

337
Multi-Selectmedium

Which TWO statements about route targets (RT) in MPLS L3VPN are true? (Choose TWO.)

Select 2 answers
A.The export RT is added to VPNv4 routes when they are advertised from a PE to a P router.
B.The import RT is used to filter incoming VPNv4 routes into a VRF on the receiving PE.
C.Route targets are 64-bit values typically formatted as an IP address and a 16-bit number.
D.Route targets are used by LDP to distribute VPN labels between PEs.
E.The route target must match the route distinguisher for the VRF to function.
AnswersB, C

Import RT determines which routes are installed into the VRF routing table.

Why this answer

Route targets control the import and export of VPNv4 routes between VRFs. The export RT is attached to routes when they are advertised from a VRF to MP-BGP. The import RT determines which routes are imported into a VRF.

RTs are not used for label distribution (LDP handles that) and do not affect the IGP. They are not directly involved in the VRF route distinguisher (RD) process, though RD and RT are often configured together.

338
MCQmedium

Consider the following BGP configuration on router R2:

```
router bgp 65002
 bgp router-id 2.2.2.2
 neighbor 10.2.2.1 remote-as 65001
 neighbor 10.2.2.1 route-map FILTER in
!
route-map FILTER deny 10
 match ip address prefix-list BLOCKED
!
route-map FILTER permit 20
!
ip prefix-list BLOCKED permit 10.0.0.0/8 le 32
```

Which statement is true about routes received from 10.2.2.1?

A.All routes are accepted because the deny statement is misconfigured.
B.Routes with prefix 10.0.0.0/8 or more specific are denied; all others are permitted.
C.Only routes exactly matching 10.0.0.0/8 are denied; other 10.x.x.x routes are permitted.
D.The route-map is applied outbound, so it affects routes sent to 10.2.2.1.
AnswerB

Prefix-list BLOCKED matches 10.0.0.0/8 and any more specific prefix (le 32), so those are denied. Sequence 20 permits the rest.

Why this answer

The route-map FILTER is applied inbound. Sequence 10 denies any route matching prefix-list BLOCKED (10.0.0.0/8 and more specific). Sequence 20 permits all other routes.

Routes with 10.x.x.x are denied.
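An added example (not from the page) that models how IOS evaluates a prefix-list entry with ge/le and then walks route-map sequences, covering both the SET-MED map of question 333 (a single permit sequence with no match clause and a set metric) and the FILTER map of question 338 (a deny sequence keyed on a prefix-list, followed by permit-all). Prefix-list and route-map semantics follow IOS; the sample prefixes are constructed.

```python
"""Model of IOS prefix-list (ge/le) matching and route-map sequence evaluation."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class PrefixListEntry:
    action: str                   # "permit" or "deny"
    prefix: str                   # e.g. "10.0.0.0/8"
    ge: Optional[int] = None
    le: Optional[int] = None

    def covers(self, route: str) -> bool:
        """IOS rule: the route must lie inside `prefix`, and its length must fall in the ge/le window.
        No ge/le means the exact length only; ge alone means ge..32."""
        net, cand = ip_network(self.prefix), ip_network(route)
        low = self.ge if self.ge is not None else net.prefixlen
        if self.le is not None:
            high = self.le
        elif self.ge is not None:
            high = 32
        else:
            high = net.prefixlen
        return cand.subnet_of(net) and low <= cand.prefixlen <= high


def prefix_list_permits(entries: List[PrefixListEntry], route: str) -> bool:
    """First matching entry decides; an IOS prefix-list ends with an implicit deny."""
    for entry in entries:
        if entry.covers(route):
            return entry.action == "permit"
    return False


@dataclass
class RouteMapSeq:
    action: str                               # "permit" or "deny"
    match_prefix_list: Optional[str] = None   # None = no match clause = matches every route
    set_metric: Optional[int] = None          # 'set metric' -> MED on outbound BGP updates


def apply_route_map(seqs: List[RouteMapSeq], prefix_lists: Dict[str, List[PrefixListEntry]],
                    route: str) -> Tuple[bool, Optional[int]]:
    """Return (accepted, med). A matching deny sequence drops the route; a matching permit
    applies its set clauses and stops; running off the end is an implicit deny."""
    for seq in seqs:
        if seq.match_prefix_list is None:
            matched = True
        else:
            matched = prefix_list_permits(prefix_lists[seq.match_prefix_list], route)
        if not matched:
            continue
        if seq.action == "deny":
            return False, None
        return True, seq.set_metric
    return False, None


# Constructed to mirror the two questions.
PREFIX_LISTS = {"BLOCKED": [PrefixListEntry("permit", "10.0.0.0/8", le=32)]}
FILTER = [RouteMapSeq("deny", match_prefix_list="BLOCKED"), RouteMapSeq("permit")]
SET_MED = [RouteMapSeq("permit", set_metric=50)]


if __name__ == "__main__":
    for route in ("10.0.0.0/8", "10.20.30.0/24", "10.20.30.5/32", "192.0.2.0/24"):
        print(f"FILTER  {route:15} -> {apply_route_map(FILTER, PREFIX_LISTS, route)}")
        print(f"SET-MED {route:15} -> {apply_route_map(SET_MED, PREFIX_LISTS, route)}")
```

The last assertion-worthy point is the one exams like to test: a route-map whose only sequence is a permit with a match clause is not permit-all, because routes the prefix-list does not permit fall through to the implicit deny.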

339
MCQmedium

Which SNMP version introduced the use of a User-based Security Model (USM) and View-based Access Control Model (VACM)?

A.SNMPv1
B.SNMPv2c
C.SNMPv3
D.SNMPv2u
AnswerC

SNMPv3 introduced USM and VACM for security and access control.

Why this answer

SNMPv3 introduced USM for authentication and encryption, and VACM for fine-grained access control. SNMPv1 and v2c use community strings and do not support these security models.

340
Drag & Dropmedium

Drag and drop the steps to verify and validate BGP operational state into the correct order, from first to last.


Why this order

Start with show ip bgp summary to check session state (an Established session shows a prefix count in the State/PfxRcd column rather than a state name); then examine the BGP table with show ip bgp for received prefixes; next verify what is actually exchanged with show ip bgp neighbors <ip> advertised-routes (and received-routes where soft-reconfiguration inbound is configured); then confirm propagation into the routing table with show ip route bgp; finally validate path selection with show ip bgp <prefix>, which marks the best path and lists the attributes it was chosen on.

341
MCQmedium

A network engineer is troubleshooting an IPv6 neighbor discovery issue on a switch running IOS-XE. Hosts on VLAN 100 are intermittently losing connectivity to the default gateway. The switch is configured with IPv6 First Hop Security features including RA Guard and DHCPv6 Guard. The engineer notices that the switch is dropping valid Router Advertisements from the legitimate router. What is the most likely cause of this issue?

A.The RA Guard policy is configured with 'device-role router' on the port connected to the legitimate router, but the router's MAC address is not in the allowed list.
B.DHCPv6 Guard is blocking DHCPv6 Advertise messages from the router, preventing hosts from obtaining IPv6 addresses.
C.IPv6 Source Guard is dropping packets from the router because the router's IPv6 address is not in the binding table.
D.The switch has IPv6 unicast-routing enabled, causing it to send its own RAs and override the legitimate router.
AnswerA

Correct per the key: RA Guard drops RAs on any port whose policy does not authorize them, so a policy on the router-facing port that does not permit the legitimate router's RAs removes the hosts' default gateway.

Why this answer

The port facing the real router needs an RA Guard policy with device-role router (or the port set as trusted); the default host role blocks all RAs. Within a router-role policy, IOS-XE filters on the RA's source address (match ipv6 access-list) and on the advertised prefixes (match ra prefix-list), plus hop-limit and flag checks, rather than on a MAC allow-list as the option words it; a router-role policy with no match clauses allows the RAs. Verify with show ipv6 nd raguard policy <name> and check which policy is attached to the uplink; the intermittent symptom fits RAs being dropped while hosts' existing default-router entries slowly age out.

342
Multi-Selecthard

Which THREE commands can be used to troubleshoot NAT issues on a Cisco IOS router? (Choose THREE.)

Select 3 answers
A.show ip nat translations
B.debug ip nat
C.clear ip nat translation
D.show ip nat verbose
E.show ip interface brief
AnswersA, B, C

Displays active translations, which helps verify if mappings are created correctly.

Why this answer

show ip nat translations lists the active mappings, debug ip nat shows each translation as it happens, and clear ip nat translation * removes stale entries so the behaviour can be reproduced cleanly. Option D is not a valid command (the verbose form is show ip nat translations verbose), and show ip interface brief only reports interface state. In practice add show ip nat statistics, which confirms which interfaces are marked inside and outside and shows hit and miss counters.

343
MCQhard

An engineer is troubleshooting a BGP peering problem between two routers, R1 (AS 65001) and R2 (AS 65002), connected via a firewall. The BGP session is flapping every few seconds. The engineer notices that the TCP connection is established, but BGP OPEN messages are not exchanged. The firewall logs show that TCP port 179 is allowed, but packets with the BGP marker (0xFFFFFFFF) are being dropped. What is the most likely cause?

A.The firewall is dropping BGP packets because the BGP marker (0xFFFFFFFF) is being flagged as a potential attack or malformed packet.
B.The BGP session is flapping because the keepalive timer is set too low on both routers.
C.The BGP session is flapping because the routers have mismatched BGP AS numbers.
D.The BGP session is flapping because the firewall is performing TCP sequence number randomization, breaking the BGP session.
AnswerA

Correct because some inspection devices apply generic "malformed packet" heuristics to port 179 and drop the payload, even though a 16-byte all-ones marker is the mandatory start of every BGP message.

Why this answer

RFC 4271 requires the marker of sixteen 0xFF bytes in every BGP message (OPEN, UPDATE, KEEPALIVE and NOTIFICATION alike). A firewall or IPS that treats it as malformed therefore blocks all BGP, not just some messages: the TCP handshake completes because port 179 is allowed, but the OPEN is never delivered, the session is torn down and retried, and the result is the flapping observed. The fix is a BGP-aware inspection profile or an explicit exemption for TCP 179 between the two peers, confirmed against the firewall's drop log.
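An added example (not from the page): a minimal RFC 4271 header and OPEN parser that shows what a BGP-aware inspection point should check on TCP 179. The all-ones marker is mandatory in every message, so a policy that treats it as malformed cannot pass BGP at all; the meaningful checks are the marker, the length bounds and the type. Sample messages are built inline; the AS number and router ID are constructed.

```python
"""Minimal RFC 4271 BGP header and OPEN parser: the checks a BGP-aware inspector should make."""
import struct
from ipaddress import IPv4Address
from typing import Tuple

MARKER = b"\xff" * 16            # every BGP message starts with 16 bytes of all ones (RFC 4271 section 4.1)
HDR_LEN = 19                     # marker (16) + length (2) + type (1)
MAX_LEN = 4096                   # maximum BGP message size
MSG_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}


def build_open(my_as: int, hold_time: int, router_id: str, opt_params: bytes = b"") -> bytes:
    """OPEN: version 4, 2-byte AS, hold time, BGP identifier, optional-parameter length, parameters."""
    body = struct.pack("!BHHIB", 4, my_as, hold_time, int(IPv4Address(router_id)), len(opt_params)) + opt_params
    return MARKER + struct.pack("!HB", HDR_LEN + len(body), 1) + body


def build_keepalive() -> bytes:
    """KEEPALIVE is a bare 19-byte header."""
    return MARKER + struct.pack("!HB", HDR_LEN, 4)


def parse_header(data: bytes) -> Tuple[str, int, bytes]:
    """Validate marker, length and type; return (type name, declared length, body)."""
    if len(data) < HDR_LEN:
        raise ValueError("truncated header")
    marker = data[:16]
    length, mtype = struct.unpack("!HB", data[16:19])
    if marker != MARKER:
        raise ValueError("marker is not all ones: not a BGP message, or it was altered in transit")
    if not HDR_LEN <= length <= MAX_LEN or length > len(data):
        raise ValueError(f"implausible length {length}")
    if mtype not in MSG_TYPES:
        raise ValueError(f"unknown message type {mtype}")
    return MSG_TYPES[mtype], length, data[HDR_LEN:length]


def parse_open(data: bytes) -> dict:
    """Decode an OPEN and apply the sanity checks a receiver performs before replying."""
    name, _, body = parse_header(data)
    if name != "OPEN":
        raise ValueError(f"expected OPEN, got {name}")
    if len(body) < 10:
        raise ValueError("OPEN body too short")
    version, my_as, hold, rid, optlen = struct.unpack("!BHHIB", body[:10])
    if version != 4:
        raise ValueError(f"unsupported BGP version {version}")
    if hold != 0 and hold < 3:
        raise ValueError("hold time must be 0 or at least 3 seconds")
    if len(body) != 10 + optlen:
        raise ValueError("optional parameter length disagrees with message length")
    return {"my_as": my_as, "hold_time": hold, "router_id": str(IPv4Address(rid)), "opt_params": body[10:]}


def is_valid_bgp(data: bytes) -> bool:
    """True when the header passes the checks above; what an allow-list inspection rule should compute."""
    try:
        parse_header(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    msg = build_open(65001, 180, "1.1.1.1")
    print(len(msg), "bytes:", parse_open(msg))
    print("keepalive:", parse_header(build_keepalive())[0])
    print("corrupted marker accepted?", is_valid_bgp(b"\x00" + msg[1:]))
```

The OPEN for a 2-byte AS with no optional parameters is exactly 29 bytes; a router that supports 4-byte AS numbers or multiprotocol address families carries those as capabilities inside the optional parameters, which this parser returns raw rather than decoding.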

344
Multi-Selecthard

Which TWO statements about the 'show ip bgp vpnv4 vrf <vrf-name>' command output are correct? (Choose TWO.)

Select 2 answers
A.The output displays only routes that are locally originated by the PE router.
B.The output includes the Route Distinguisher (RD) for each prefix.
C.The output shows the MPLS label assigned to each route.
D.The output is equivalent to 'show ip route vrf <vrf-name>'.
E.The output provides the CEF forwarding information for each prefix.
AnswersB, C

Correct. The RD appears as a header line, Route Distinguisher: 100:1 (default for vrf <vrf-name>), above the prefixes that belong to it.

Why this answer

show ip bgp vpnv4 vrf <vrf-name> displays the BGP table for that VRF: locally originated prefixes and VPNv4 routes imported from remote PEs, with next hop, metric, local preference and AS path, grouped under their RD. The VPN label belongs to the same BGP data but is not in the default summary listing; add the labels keyword (show ip bgp vpnv4 vrf <vrf-name> labels) or query a single prefix (show ip bgp vpnv4 vrf <vrf-name> <prefix>) to see the in/out labels. The command does not show the VRF routing table (show ip route vrf <vrf-name>) or the CEF entries (show ip cef vrf <vrf-name>), and it is not limited to locally originated routes.

345
MCQmedium

A network engineer runs the following command on Router R1:

```
R1# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
AA:BB:CC:01:02:03   192.168.1.10     86400       dhcp-snooping  10    GigabitEthernet0/1
AA:BB:CC:01:02:04   192.168.1.11     86400       dhcp-snooping  10    GigabitEthernet0/1
AA:BB:CC:01:02:05   192.168.1.12     86400       dhcp-snooping  10    GigabitEthernet0/2
```

Based on this output, which statement is correct?

A.DHCP snooping is enabled and has recorded bindings for three clients.
B.DHCP snooping has detected a rogue DHCP server on GigabitEthernet0/1.
C.DHCP snooping is not functioning because the bindings are not trusted.
D.DHCP snooping has a conflict because two clients are on the same interface.
AnswerA

The table shows valid bindings.

Why this answer

Option A is correct because the output shows three DHCP snooping bindings with MAC addresses, IP addresses, lease times, and associated VLANs and interfaces, which indicates that DHCP snooping is enabled and has successfully recorded these bindings for clients. The 'dhcp-snooping' type confirms these are dynamically learned from DHCP messages, and the presence of multiple clients on the same interface (GigabitEthernet0/1) is valid as long as they are on the same VLAN.

Exam trap

Cisco often tests the misconception that multiple DHCP clients on the same interface indicate a conflict or misconfiguration, but DHCP snooping bindings can legitimately show multiple entries per interface as long as they are in the same VLAN and have unique MAC/IP pairs.

How to eliminate wrong answers

Option B is wrong because the output shows only DHCP snooping bindings, not any information about a rogue DHCP server; a rogue server would be detected via DHCP snooping's 'trusted' and 'untrusted' port configuration, which is not displayed here. Option C is wrong because the bindings are present and valid, indicating DHCP snooping is functioning correctly; the 'trusted' status applies to ports, not bindings, and untrusted ports can still have valid bindings. Option D is wrong because having two clients on the same interface (GigabitEthernet0/1) is not a conflict; DHCP snooping allows multiple bindings per interface as long as they are in the same VLAN and have unique MAC/IP pairs.
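An added example (not part of the question bank) that turns the reasoning above into a check: it parses the binding table and flags only real conflicts (one IP claimed by two MACs, or one MAC holding two IPs, within a VLAN), while counting several clients on one interface as normal. The sample output is constructed to reproduce the table in the question.

```python
"""Parse 'show ip dhcp snooping binding' output and check it for real conflicts."""
from collections import defaultdict
from typing import Dict, List

# Constructed sample reproducing the table in the question; not captured from a switch.
SAMPLE = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
AA:BB:CC:01:02:03   192.168.1.10     86400       dhcp-snooping  10    GigabitEthernet0/1
AA:BB:CC:01:02:04   192.168.1.11     86400       dhcp-snooping  10    GigabitEthernet0/1
AA:BB:CC:01:02:05   192.168.1.12     86400       dhcp-snooping  10    GigabitEthernet0/2
Total number of bindings: 3
"""


def parse_bindings(text: str) -> List[Dict[str, object]]:
    """Return one dict per binding row; the header, separator and total lines are skipped."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] == "MacAddress" or parts[0].startswith("-"):
            continue
        mac, ip, lease, btype, vlan, intf = parts
        rows.append({"mac": mac.lower(), "ip": ip, "lease": int(lease),
                     "type": btype, "vlan": int(vlan), "interface": intf})
    return rows


def find_conflicts(rows: List[Dict[str, object]]) -> List[str]:
    """A conflict is one IP bound to two MACs, or one MAC bound to two IPs, inside a VLAN.
    Several clients on the same interface and VLAN with distinct MAC/IP pairs are normal."""
    macs_by_ip = defaultdict(set)
    ips_by_mac = defaultdict(set)
    for r in rows:
        macs_by_ip[(r["vlan"], r["ip"])].add(r["mac"])
        ips_by_mac[(r["vlan"], r["mac"])].add(r["ip"])
    issues = [f"VLAN {v}: IP {ip} bound to {len(m)} MACs"
              for (v, ip), m in macs_by_ip.items() if len(m) > 1]
    issues += [f"VLAN {v}: MAC {mac} bound to {len(i)} IPs"
               for (v, mac), i in ips_by_mac.items() if len(i) > 1]
    return issues


def clients_per_interface(rows: List[Dict[str, object]]) -> Dict[str, int]:
    """How many bindings each access port carries; more than one is expected behind a hub or phone."""
    counts: Dict[str, int] = defaultdict(int)
    for r in rows:
        counts[str(r["interface"])] += 1
    return dict(counts)


if __name__ == "__main__":
    bindings = parse_bindings(SAMPLE)
    print(len(bindings), "bindings;", clients_per_interface(bindings))
    print("conflicts:", find_conflicts(bindings) or "none")
```

Rogue-server detection is not something the binding table can show; that is a property of which ports are trusted (show ip dhcp snooping), which is why option B cannot be read from this output.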

346
MCQmedium

A network engineer is troubleshooting a BGP peering issue between two directly connected routers, R1 and R2. R1 is configured with 'neighbor 10.1.1.2 remote-as 65002' and 'neighbor 10.1.1.2 update-source Loopback0', while R2 uses 'neighbor 10.1.1.1 remote-as 65001' and 'neighbor 10.1.1.1 update-source Loopback0'. The loopback interfaces are not advertised into any IGP, and there is no static route for the loopback addresses. The BGP session remains in Idle state. What is the most likely cause?

A.The BGP session is stuck in Idle because the neighbor statements reference loopback interfaces that are not reachable.
B.The BGP session is stuck in Idle because the remote-as values are mismatched.
C.The BGP session is stuck in Idle because the update-source command is not allowed on directly connected interfaces.
D.The BGP session is stuck in Idle because the neighbor statements must use the directly connected interface IP addresses.
AnswerA

Correct because BGP accepts a session only from the address configured in its neighbor statement, and TCP must be able to reach that address. Here each router sources its session from Loopback0 (update-source) while the peer's neighbor statement names the link address, so the incoming SYN arrives from an unexpected source and is refused; and since neither loopback is routed, the peer could not reply to it in any case.

Why this answer

Reachability to the update-source address on both sides is required, and the neighbor statements must name the addresses the sessions are actually sourced from. Either remove update-source and peer on the connected addresses, or peer between the loopbacks: configure neighbor <peer-loopback>, provide a route to it (static or IGP), and, because this is eBGP to an address that is not directly connected, add neighbor <peer-loopback> ebgp-multihop 2 (or ttl-security hops 1). Until then the session cycles between Idle and Active; show ip bgp neighbors <ip> reports the failed TCP attempts.

347
MCQmedium

A network engineer runs the following command to troubleshoot a Device Access Control issue:

```
R1# show ip ospf database router 10.1.1.2

            OSPF Router with ID (10.1.1.1) (Process ID 1)

                Router Link States (Area 0)

  LS age: 150
  Options: (No TOS-capability, DC)
  LS Type: Router Links
  Link State ID: 10.1.1.2
  Advertising Router: 10.1.1.2
  LS Seq Number: 80000002
  Checksum: 0x1234
  Length: 48
  Number of Links: 2

    Link connected to: a Transit Network
     (Link ID) Designated Router address: 10.1.1.2
     (Link Data) Router Interface address: 10.1.1.2
      Number of TOS metrics: 0
       TOS 0 Metrics: 10

    Link connected to: a Stub Network
     (Link ID) Network/subnet number: 192.168.1.0
     (Link Data) Network Mask: 255.255.255.0
      Number of TOS metrics: 0
       TOS 0 Metrics: 10
```

What does this output indicate?

A.The router 10.1.1.2 is advertising two links: one to a transit network and one to a stub network, both with cost 10.
B.The router 10.1.1.2 is the DR for the transit network 10.1.1.0/24.
C.The router 10.1.1.2 is advertising a single link to a point-to-point network.
D.The router 10.1.1.2 has a misconfigured network type because it shows both transit and stub links.
AnswerA

The LSA shows exactly that: a transit link (to a DR) and a stub link (192.168.1.0/24), both with metric 10.

Why this answer

The output shows two links in the Router LSA from router 10.1.1.2: a transit network link (to a DR) and a stub network link (to a subnet). Both links have a metric of 10, confirming that router 10.1.1.2 is advertising exactly two links with equal cost. This matches option A exactly.

Exam trap

Cisco often tests the ability to interpret the 'Link connected to' fields in a Router LSA, where candidates may mistakenly think a transit link implies a point-to-point connection or that a stub link indicates a misconfiguration, rather than recognizing both are normal for a DR on a multi-access network.

How to eliminate wrong answers

Option B is wrong because the transit network link shows the Designated Router address as 10.1.1.2, which indicates that 10.1.1.2 is the DR for that segment, but the question asks what the output indicates overall, and the output shows two links, not just the DR role. Option C is wrong because the output clearly lists two links (transit and stub), not a single point-to-point link. Option D is wrong because having both a transit link and a stub link in a Router LSA is normal for a multi-access network where the router is the DR; it is not a misconfiguration.

348
MCQmedium

Consider this configuration on Router R2: ``` interface Tunnel0 ipv6 address 2001:DB8:3::1/64 tunnel source GigabitEthernet0/0 tunnel mode gre ipv6 tunnel destination 2001:DB8:4::2 ``` Which statement is true?

A.This tunnel can only carry IPv6 traffic.
B.The tunnel source and destination must be IPv4 addresses.
C.This tunnel will encapsulate packets using GRE over an IPv6 transport.
D.The tunnel mode should be 'ipv6ip' for IPv6 transport.
AnswerC

GRE over IPv6 is correctly configured, allowing multiprotocol payload.

Why this answer

The configuration shows a tunnel with `tunnel mode gre ipv6`, which explicitly sets the tunnel to use GRE encapsulation over an IPv6 transport. The tunnel source and destination are IPv6 addresses, and GRE can carry multiple protocols (including IPv4, IPv6, and others) over the IPv6 transport. Therefore, option C is correct because the tunnel encapsulates packets using GRE over an IPv6 transport.

Exam trap

Cisco often tests the distinction between 'tunnel mode gre ipv6' (GRE over IPv6 transport) and 'tunnel mode ipv6ip' (IPv6 over IPv4 transport), and candidates mistakenly assume that any tunnel with IPv6 addresses must use ipv6ip mode.

How to eliminate wrong answers

Option A is wrong because GRE tunnels can carry multiple protocol types (IPv4, IPv6, MPLS, etc.), not just IPv6 traffic. Option B is wrong because the tunnel source and destination are explicitly configured as IPv6 addresses (2001:DB8:3::1 and 2001:DB8:4::2), not IPv4 addresses. Option D is wrong because 'tunnel mode ipv6ip' is used for IPv6-over-IPv4 tunnels (6in4), not for GRE over IPv6; the correct mode for GRE over IPv6 is 'tunnel mode gre ipv6'.

349
MCQhard

A network engineer configures IP SLA tracking for a static route on a Cisco router. The IP SLA operation is configured with a threshold of 100 ms and a timeout of 5000 ms. The tracked object is configured with a delay of 5 seconds for both up and down transitions. The engineer notices that when the remote host becomes unreachable, the static route is not removed from the routing table immediately. Which is the most likely explanation?

A.The IP SLA operation is still in the 'pending' state and has not yet timed out.
B.The tracked object delay of 5 seconds for down transition causes a 5-second wait before the route is removed.
C.The static route has a higher administrative distance than the IP SLA tracked route, so it remains preferred.
D.The IP SLA operation is configured with a frequency that is too low, causing a delay in detection.
AnswerB

The delay down command in the tracked object introduces a hold-down period before the object state changes, so the route remains for that duration.

Why this answer

The IP SLA tracking delay configuration introduces a delay before the tracked object changes state; this is designed to prevent route flapping but can cause the static route to remain in the routing table for the configured delay period after the IP SLA operation fails.

350
MCQhard

An engineer configures OSPF on two routers connected via a serial link. Both routers have 'ip ospf network point-to-point' configured, but the link is actually a Frame Relay multipoint subinterface. The OSPF neighbors remain stuck in EXSTART state. Which is the most likely explanation?

A.The MTU on the serial link is not consistent between the two routers, causing DBD packets to be dropped.
B.The OSPF hello timer is set too high, causing the neighbor to time out.
C.The area ID is different on the two routers.
D.The OSPF router ID is duplicated.
AnswerA

Correct. OSPF writes the interface MTU into DBD packets and rejects a DBD that advertises a larger MTU than the receiving interface supports, so a mismatch stalls the adjacency in EXSTART.

Why this answer

The network-type detail is a distraction: with point-to-point configured on both ends the hellos still match, the neighbor is seen, and the adjacency attempts to start, so it is not what leaves the routers in EXSTART. What does is an MTU that differs between the two ends of the Frame Relay PVC (for example, one side with a reduced ip mtu). Compare show ip interface on both routers, align the IP MTU, and treat ip ospf mtu-ignore as a last resort because it hides the check without removing the fragmentation problem. None of B, C or D produces an EXSTART-specific symptom: they would keep the routers from becoming neighbors at all rather than stop a formed neighbor at DBD exchange.

351
MCQhard

R1 and R2 are OSPF neighbors over a VLAN interface with BFD enabled. R1#show ip ospf interface vlan10 shows 'BFD is enabled' but R1#show bfd neighbors shows no sessions. R2#show bfd neighbors shows no sessions. R1 has 'bfd interval 100 min_rx 100 multiplier 3' under vlan10. R2 has same. The VLAN is up. What is the root cause?

A.BFD must be enabled on the physical interface as well as the VLAN interface.
B.The VLAN interface must have 'ip ospf bfd' disabled.
C.OSPF must be configured with 'bfd all-interfaces' globally.
D.The BFD timers must match exactly on both sides.
AnswerA

BFD sessions are established on the physical interface; without BFD on the physical, the VLAN interface BFD configuration is ineffective.

Why this answer

BFD on VLAN interfaces requires that the underlying physical interface also support BFD. If the physical interface (e.g., GigabitEthernet0/1) does not have BFD enabled, the VLAN interface cannot establish BFD sessions. BFD is not automatically inherited from VLAN to physical.

352
MCQmedium

A network engineer runs the following command to verify DHCPv6 pool configuration on router R1:

R1# show ipv6 dhcp pool
Pool DHCPv6_POOL :
  Prefix number: 1
  Prefix: 2001:DB8:1::/48
  Preferred lifetime 604800, valid lifetime 2592000
  Expires at Mar 01 2025 12:00 PM (2592000 seconds)
  DNS server: 2001:DB8::1
  Domain name: example.com
  Active clients: 5

What does this output indicate?

A.The DHCPv6 pool has 5 active clients and provides prefix delegation, DNS, and domain name.
B.The DHCPv6 pool is used only for stateless address autoconfiguration (SLAAC).
C.The DHCPv6 pool has 5 clients with addresses from the prefix 2001:DB8:1::/48.
D.The DHCPv6 pool has a preferred lifetime of 2592000 seconds.
AnswerA

The output shows a prefix for delegation, DNS server, domain name, and 5 active clients.

Why this answer

The show ipv6 dhcp pool command displays DHCPv6 pool configuration. This pool has a prefix 2001:DB8:1::/48 for delegation, DNS server, domain name, and 5 active clients. The prefix has preferred and valid lifetimes.

353
MCQhard

What is the default threshold value (in milliseconds) for an IP SLA operation?

A.1000 ms
B.5000 ms
C.10000 ms
D.No default threshold
AnswerB

Correct. The default threshold is 5000 ms, same as the default timeout.

Why this answer

The default threshold for an IP SLA operation is 5000 milliseconds (5 seconds). This is the value above which the operation is considered to have exceeded a tolerable delay, triggering reaction conditions.

354
Multi-Selecthard

Which THREE symptoms indicate that an administrative distance misconfiguration might be causing routing issues? (Choose THREE.)

Select 3 answers
A.The router prefers a route learned via a less reliable protocol over a more reliable one.
B.Routes are flapping in the routing table due to metric changes.
C.Traffic to a destination takes a suboptimal path.
D.The routing table shows two routes to the same network with different AD values.
E.Connectivity to a remote network is intermittent, depending on which protocol converges first.
AnswersA, C, E

This indicates that the AD for the less reliable protocol is set lower than for the more reliable one.

Why this answer

When AD is misconfigured, the router may prefer a less reliable route, causing suboptimal or intermittent connectivity. Common symptoms include incorrect route selection, flapping routes, and traffic taking unexpected paths. These are all signs that the AD values should be reviewed.

355
MCQeasy

What is the default transport protocol used by NetFlow exporters on Cisco IOS-XE?

A.TCP
B.UDP
C.SCTP
D.ICMP
AnswerB

Correct. NetFlow uses UDP by default.

Why this answer

The default transport protocol is UDP, typically on port 2055, though configurable.

356
MCQmedium

A network engineer runs the following command on Router R1:

R1# show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.1.2       1   FULL/DR         00:00:35    10.1.1.2        GigabitEthernet0/0
192.168.2.2       1   2WAY/DROTHER    00:00:32    10.2.2.2        GigabitEthernet0/1
192.168.3.2       1   FULL/BDR        00:00:38    10.3.3.2        GigabitEthernet0/2

Based on this output, what is a potential issue?

A.The neighbor on Gi0/1 is not forming a full adjacency because it is in 2WAY state.
B.The neighbor on Gi0/0 is the DR, which is causing high CPU usage.
C.The neighbor on Gi0/2 is the BDR, which is a problem because it should be the DR.
D.All neighbors are in FULL state, indicating no issues.
AnswerA

In OSPF, the 2WAY state indicates that the router has received a Hello from the neighbor but has not yet exchanged database descriptors; a FULL state is required for complete adjacency.

Why this answer

The neighbor on Gi0/1 is in the 2WAY/DROTHER state, which is normal for non-DR/BDR routers on a multi-access network; however, the question implies a potential issue because the engineer might expect all neighbors to reach FULL state. In OSPF, the 2WAY state is a valid adjacency state for DROTHER routers, but if the network is a point-to-point link or the engineer expects full connectivity, this state indicates that the neighbor is not exchanging LSAs (Link State Advertisements) with this router, which could be a problem if the link is not a broadcast multi-access network. The 2WAY state is formed after the two-way communication is established, but it does not progress to FULL unless the router is the DR or BDR, so this is not necessarily an error, but it is the only state that is not FULL, making it the potential issue highlighted in the question.

Exam trap

Cisco often tests the misconception that any state other than FULL indicates a problem, but in OSPF multi-access networks, the 2WAY state between DROTHER routers is normal and expected, so candidates must recognize that the 'issue' is context-dependent and that the output shows a valid adjacency state for a non-DR/BDR router.

How to eliminate wrong answers

Option B is wrong because the neighbor on Gi0/0 being in FULL/DR state is normal and does not inherently cause high CPU usage; DR election is a standard OSPF process, and high CPU would depend on network size and LSA flooding, not simply the DR role. Option C is wrong because the neighbor on Gi0/2 being in FULL/BDR state is perfectly valid; the BDR is a backup to the DR, and there is no requirement that a specific router should be the DR—election is based on priority and Router ID. Option D is wrong because not all neighbors are in FULL state; the neighbor on Gi0/1 is in 2WAY state, which is not FULL, so stating 'all neighbors are in FULL state' is factually incorrect based on the output.

357
MCQhard

An engineer configures BGP between two routers in the same AS. The iBGP session is established, but routes learned from the eBGP neighbor are not advertised to the iBGP peer. The 'show ip bgp' output shows the routes as valid but not best. Which is the most likely explanation?

A.The 'synchronization' rule is enabled and the IGP does not carry the prefix.
B.The next-hop IP of the eBGP route is not reachable via IGP, making the route invalid.
C.The 'maximum-paths' command is set to 1, preventing load balancing.
D.The 'bgp bestpath med missing-as-worst' command causes the route to be considered worse.
AnswerB

iBGP requires next-hop reachability; without next-hop-self, the next-hop is the eBGP peer's IP.

Why this answer

For iBGP, the next-hop must be reachable via IGP. If the next-hop is not reachable (e.g., no IGP route for the eBGP peer's interface IP), the route is considered invalid and not installed. This is a common edge case where next-hop-self is not configured.

358
Multi-Selecthard

Which THREE statements about IPv4 access control list sequence numbers are true? (Choose THREE.)

Select 3 answers
A.Sequence numbers allow insertion of new entries between existing ones.
B.Sequence numbers are automatically assigned in increments of 10 for numbered ACLs.
C.Named ACLs support sequence numbers.
D.The ip access-list resequence command can renumber ACL entries.
E.Resequencing an ACL changes the order of evaluation.
AnswersA, C, D

You can specify a sequence number to place an entry at a specific position in the ACL.

Why this answer

Sequence numbers in IPv4 ACLs allow administrators to insert new entries between existing ones without deleting and re-entering the entire ACL. This is because each entry is assigned a unique sequence number, and new entries can be added with a sequence number that falls between two existing numbers, enabling granular control over the order of evaluation.

Exam trap

Cisco often tests the misconception that resequencing an ACL changes the order of evaluation, but in reality, it only renumbers the entries while preserving their original sequence; the trap is confusing sequence number reassignment with rule reordering.

359
MCQhard

In an iBGP network, router R1 has:

router bgp 65000
 bgp bestpath as-path multipath-relax
 neighbor 10.1.1.2 route-map SET-MED in
 neighbor 10.1.1.3 route-map SET-MED2 in
!
route-map SET-MED permit 10
 set metric 50
!
route-map SET-MED2 permit 10
 set metric 100

Router R2 shows:

R2# show ip bgp 192.168.1.0/24
BGP routing table entry for 192.168.1.0/24, version 2
Paths: (2 available, best #2)
  Path #1: via 10.1.1.1, metric 50
  Path #2: via 10.1.1.4, metric 100
R2# show ip route 192.168.1.0
Routing entry for 192.168.1.0/24
  Known via "bgp 65000", distance 200, metric 100
  Last update from 10.1.1.4 00:00:10 Serial0/0/1

R2 is choosing the path with the higher metric. What is the root cause?

A.The path with lower MED is from a different AS, so MED is not compared.
B.The route-map on R1 is misconfigured; it should set metric on the neighbor statement.
C.R2 has a higher local preference for the path via 10.1.1.4.
D.The 'bgp bestpath as-path multipath-relax' command causes MED to be ignored.
AnswerA

MED is only compared between paths from the same AS. The path via 10.1.1.1 might have a different AS_PATH.

Why this answer

BGP best path selection compares MED only if paths come from the same AS. If the paths have different AS_PATH lengths, MED is ignored. The output shows two paths, but the path via 10.1.1.1 might have a different AS_PATH length.

The 'bgp bestpath as-path multipath-relax' allows multipath but does not affect MED comparison. The higher metric path is chosen due to a different tie-breaker (e.g., lower neighbor IP).

360
Multi-Selecthard

An engineer is troubleshooting an OSPF network where route summarization is configured on an ABR. Which TWO statements correctly describe the behavior of OSPF inter-area route summarization using the 'area range' command? (Choose TWO.)

Select 2 answers
A.The 'area range' command creates a single Type 3 LSA for the summary prefix and suppresses the advertisement of individual Type 3 LSAs for the component networks.
B.The cost of the summary LSA is set to the lowest cost among the component routes within the range.
C.The 'area range' command also summarizes external routes redistributed into OSPF from other protocols.
D.The summary route is advertised with a metric type of E1 or E2, depending on the original external metric type.
E.The 'area range' command can be configured only on ABRs and not on ASBRs.
AnswersA, E

Correct. The ABR generates one Type 3 LSA for the range and does not advertise the individual Type 3 LSAs for the more specific routes.

Why this answer

The 'area range' command on an ABR summarizes routes from one area into another. It creates a single Type 3 LSA for the summary prefix, suppresses the individual Type 3 LSAs for the component networks, and does not affect Type 1 or Type 2 LSAs within the area. The summary LSA is advertised with a cost equal to the highest cost among the component routes, not the lowest.

The command does not automatically summarize redistributed routes; that requires the 'summary-address' command under the OSPF process.

361
MCQhard

A network engineer is troubleshooting an EIGRP issue where a route is flapping in and out of the routing table. The engineer checks the logs and sees messages indicating that the route is being learned from two different neighbors, but the metric keeps changing. The route is a summary route. What is the most likely cause of the flapping?

A.The summary route is being advertised by multiple routers with different metrics.
B.The EIGRP stub feature is configured on one of the neighbors.
C.The passive-interface command is applied to the interface receiving the summary route.
D.The EIGRP router ID is the same on both neighbors.
AnswerA

Correct because if the summary route is originated by multiple routers, the metric may vary, causing the router to flap between the best paths.

Why this answer

If a summary route is being learned from two different neighbors, and the metric changes, it could be because one of the neighbors is advertising the summary route with a different metric, causing the router to constantly switch between the two paths. However, the most common cause is that the summary route is being originated by multiple routers, and the metric is not consistent, leading to instability.

362
MCQhard

An engineer configures EIGRP stub with `eigrp stub connected static` on a remote router. The remote router has a directly connected network and a static route redistributed into EIGRP. Unexpectedly, the hub router does not receive the static route, although the connected route is learned. Which is the most likely explanation?

A.The stub router must also have `redistribute static` configured under the EIGRP process for the static route to be advertised.
B.The hub router has a route filter that blocks the static route due to administrative distance mismatch.
C.The stub router is configured with `eigrp stub connected static` but the static route is not directly connected, so it is ignored.
D.The stub router must use `eigrp stub receive-only` to advertise static routes.
AnswerA

The `eigrp stub static` keyword only permits advertisement of static routes that are already in the EIGRP topology; redistribution is required first.

Why this answer

The `eigrp stub connected static` command only advertises connected and static routes that are directly configured on the stub router, but it does not automatically redistribute the static route into EIGRP unless redistribution is explicitly configured. The stub command only controls which routes are advertised, not the redistribution process. Without `redistribute static` under the EIGRP process, the static route is not injected into EIGRP.

363
MCQhard

A network engineer runs the following command to troubleshoot a BGP issue:

R1# show ip bgp vpnv4 vrf CUSTOMER routes
BGP table version is 10, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf CUSTOMER)
 *>  10.0.0.0/24      10.1.1.2                 0    100      0 65001 i
 *>  192.168.1.0/24   10.1.1.2                 0    100      0 65001 i

Total number of prefixes 2

What does this output indicate?

A.The VRF CUSTOMER has two routes, both learned via BGP from AS 65001.
B.The VRF CUSTOMER is not receiving any routes because the RD is incorrect.
C.The VRF CUSTOMER has two routes, but they are not installed in the routing table.
D.The VRF CUSTOMER has two routes, but they are filtered by RT import policy.
AnswerA

The output shows two prefixes with path AS 65001, valid and best in the VRF.

Why this answer

The show ip bgp vpnv4 vrf CUSTOMER routes command displays BGP VPNv4 routes for a specific VRF. The output shows two routes with route distinguisher 100:1, received from AS 65001. These are the routes available in the VRF CUSTOMER.

364
MCQmedium

Given the following BGP configuration on router R1:

router bgp 65001
 bgp router-id 1.1.1.1
 neighbor 10.1.1.2 remote-as 65002
 neighbor 10.1.1.2 route-map SET-MED out
!
route-map SET-MED permit 10
 match ip address prefix-list LOOPBACKS
 set metric 100
!
route-map SET-MED permit 20
!
ip prefix-list LOOPBACKS permit 192.168.0.0/24

What is the effect of this configuration?

A.Only the 192.168.0.0/24 route is advertised to 10.1.1.2, with MED 100.
B.All routes are advertised to 10.1.1.2; the 192.168.0.0/24 route has MED 100, others have no MED.
C.All routes are advertised with MED 100 because the route-map is applied outbound.
D.Only the 192.168.0.0/24 route is advertised with no MED because the set metric is ignored.
AnswerB

Sequence 10 matches and sets MED 100 for 192.168.0.0/24; sequence 20 permits all other routes without modifying MED.

Why this answer

The route-map SET-MED has two sequences. Sequence 10 matches prefix-list LOOPBACKS (192.168.0.0/24) and sets MED to 100. Sequence 20 permits everything else without setting MED, so other routes are advertised with their original MED.

365
MCQmedium

Examine the following partial router configuration:

logging buffered 16384
logging console warnings
logging monitor notifications
logging trap debugging
logging source-interface Loopback0
logging 192.168.1.100

What is the effect of this configuration?

A.Syslog messages of severity 0 through 7 are sent to the server 192.168.1.100.
B.Only syslog messages of severity 0 through 4 are sent to the server 192.168.1.100.
C.The syslog server receives messages with the IP address of the outgoing interface as the source.
D.The logging buffer stores up to 16384 syslog messages.
AnswerA

The 'logging trap debugging' command sets the syslog trap level to debugging, which includes all severities (0-7).

Why this answer

This configuration sets up logging with different severity levels for different destinations. The 'logging trap debugging' command sends all messages (severity 0-7) to the syslog server at 192.168.1.100, while the console receives only messages up to warnings (severity 0-4) and the monitor (terminal lines) only messages up to notifications (severity 0-5). The logging buffer is set to 16384 bytes, not 16384 messages.

366
MCQmedium

A network engineer runs the following command to debug NetFlow export:

R1# debug ip flow export
IP Flow export debugging is on
R1#
*Mar 1 00:05:23.123: FLOW: export v9 flow 1 with 30 packets
*Mar 1 00:05:23.124: FLOW: export v9 flow 2 with 15 packets
*Mar 1 00:05:23.125: FLOW: export v9 flow 3 with 22 packets
*Mar 1 00:05:23.126: FLOW: export v9 flow 4 with 8 packets
*Mar 1 00:05:23.127: FLOW: export v9 flow 5 with 12 packets

What does this output indicate?

A.NetFlow export is failing because the flows are too small.
B.NetFlow version 9 export is functioning correctly, exporting multiple flows with their packet counts.
C.Only one flow is being exported at a time.
D.The export is using NetFlow version 5.
AnswerB

The debug messages confirm that NetFlow v9 export is operational and exporting flows with their respective packet counts.

Why this answer

The debug output shows that NetFlow version 9 export is working, with flows being exported in real time. Each line shows a flow ID and the number of packets in that flow. This indicates that NetFlow is actively exporting flow data.

367
MCQmedium

A network engineer runs the following command to troubleshoot an SNMP issue:

R1# debug snmp packets
SNMP: Packet received via UDP from 10.1.1.1 on port 161
SNMP: GetRequest, reqid 12345, errstat 0, errindex 0
SNMP: Community string: public
SNMP: MIB object: 1.3.6.1.2.1.1.1.0 (sysDescr)
SNMP: Value: Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.7(3)M
SNMP: Packet sent via UDP to 10.1.1.1 on port 161
SNMP: GetResponse, reqid 12345, errstat 0, errindex 0

What does this debug output indicate?

A.The SNMP agent is correctly responding to a GetRequest from the NMS at 10.1.1.1.
B.The SNMP agent is failing to process the request due to a community string mismatch.
C.The SNMP agent is sending a trap to the NMS at 10.1.1.1.
D.The SNMP agent is ignoring the request due to an ACL blocking the NMS.
AnswerA

The debug output shows a GetRequest followed by a GetResponse with errstat 0, indicating successful communication.

Why this answer

The debug snmp packets command shows SNMP packet exchanges. The output shows a successful GetRequest from 10.1.1.1 with community 'public' for sysDescr, and a GetResponse with no errors, indicating the SNMP agent is responding correctly.

368
MCQhard

What is the maximum number of entries that can be configured in a single IPv4 ACL in Cisco IOS?

A.1000
B.500
C.Unlimited
D.256
AnswerA

Cisco IOS generally supports up to 1000 ACEs per ACL, though hardware limits may be lower.

Why this answer

Cisco IOS limits a single IPv4 ACL to a maximum of 1000 entries (ACE lines) to prevent performance degradation and excessive memory consumption on the router. This hard limit applies to both standard and extended numbered ACLs, as well as named ACLs, and is enforced by the software to ensure predictable forwarding behavior.

Exam trap

Cisco often tests the 1000-entry limit to catch candidates who assume ACLs are unlimited or who confuse the limit with the 256-entry limit common on older Catalyst switch ACLs.

How to eliminate wrong answers

Option B is wrong because 500 is not the maximum; it is a common misconception that the limit is lower, but Cisco documentation explicitly states 1000 as the cap. Option C is wrong because ACL entries are not unlimited; a finite limit exists to protect router CPU and memory resources, and attempting to exceed 1000 entries results in a configuration rejection. Option D is wrong because 256 is the maximum number of entries for an older or platform-specific ACL (e.g., some Catalyst switches), but for general Cisco IOS routers, the limit is 1000.

369
MCQeasy

A network engineer runs the following command to troubleshoot a Control Plane Policing (CoPP) issue:

R1# show ip route summary
IP routing table name: Default-IP-Routing-Table (0x0)
IP routing table maximum-paths: 32
Route entry limits: 1000000 active, 2000000 total
Number of prefixes: 500
Prefixes with memory: 500
Number of paths: 600
Paths with memory: 600
Number of operations: 1200
Number of deleted entries: 0

What does this output indicate?

A.The routing table is empty due to CoPP dropping routing updates.
B.The routing table has 500 prefixes, indicating that routing protocols are functioning and CoPP is not blocking updates.
C.The routing table has too many prefixes, causing CoPP to drop packets.
D.The routing table is not being updated due to a CoPP policy.
AnswerB

A healthy routing table with no deleted entries suggests CoPP is not causing issues.

Why this answer

The command shows the IP routing table summary. It indicates that there are 500 prefixes and 600 paths in the routing table, with no deleted entries. This can be used to verify that CoPP is not affecting routing updates by checking if the routing table is stable.

370
MCQhard

An engineer configures SPAN on a Cisco switch to monitor both ingress and egress traffic on a trunk port. The monitor session shows only egress traffic, not ingress. What is the most likely explanation?

A.The trunk port is configured with 'switchport trunk allowed vlan' that excludes the VLANs carrying the ingress traffic.
B.The SPAN session is configured with 'monitor session 1 source interface gigabitethernet0/1 rx', missing the 'tx' keyword.
C.The switch has 'spanning-tree portfast' enabled on the trunk, disabling ingress monitoring.
D.The SPAN destination port is in the same VLAN as the ingress traffic, causing a loop.
AnswerA

SPAN only captures traffic on VLANs that are allowed on the trunk; pruned VLANs are not monitored.

Why this answer

When monitoring a trunk port with SPAN, the source can be specified as both ingress and egress. However, if the trunk port is configured with 'switchport trunk allowed vlan' to prune certain VLANs, ingress traffic on pruned VLANs is not forwarded to the SPAN destination. Additionally, SPAN may not capture ingress traffic on the native VLAN if the native VLAN is not explicitly included.

371
MCQmedium

Consider the following configuration on router R2:

!--- R2 configuration
ip prefix-list FILTER seq 5 deny 10.1.0.0/16 le 24
ip prefix-list FILTER seq 10 permit 0.0.0.0/0 le 32
!
route-map BGP-IN permit 10
 match ip address prefix-list FILTER
!
router bgp 65000
 neighbor 192.168.1.1 route-map BGP-IN in
!

What is the effect of this configuration?

A.All routes from neighbor 192.168.1.1 are accepted; the prefix-list is not applied correctly because the route-map only has a permit sequence.
B.Routes within 10.1.0.0/16 with mask length 24 or shorter are denied; all other routes are permitted.
C.Only routes with mask length exactly 24 are denied; all other routes are permitted.
D.The configuration is incomplete; a route-map must have a deny statement to filter routes.
AnswerB

Correct. The prefix-list denies 10.1.0.0/16 le 24, which includes /16 to /24 subnets; all other prefixes are permitted.

Why this answer

The prefix-list FILTER denies any prefix within 10.1.0.0/16 with a mask length less than or equal to 24 (i.e., 10.1.0.0/16 through 10.1.255.0/24). The permit statement allows all other prefixes. The route-map BGP-IN calls this prefix-list; since there is only one permit sequence, routes that match the deny statement in the prefix-list are implicitly denied by the route-map.

Therefore, routes like 10.1.0.0/16, 10.1.1.0/24, etc., are filtered out.

372
MCQhard

An experienced network engineer configures mutual redistribution between OSPF and EIGRP on a router. Both protocols have routes to the same prefix, but after redistribution, a routing loop occurs. The engineer did not use route tagging. Which is the most likely explanation?

A.The seed metric for EIGRP was not configured, causing routes to be rejected.
B.The redistribute command without route-map or tag allows routes to be re-advertised back into the source protocol, creating a loop.
C.OSPF has a lower administrative distance than EIGRP, so OSPF routes are always preferred.
D.EIGRP stub configuration on the redistributing router prevents routes from being advertised.
AnswerB

Mutual redistribution without tagging and filtering causes a feedback loop.

Why this answer

Without route tagging, redistributed routes are re-injected back into the original protocol, causing a feedback loop. Administrative distance comparison (OSPF 110 vs EIGRP 90/170) can cause suboptimal path selection, but the loop is primarily due to lack of tagging and filtering.

373
MCQhard

An engineer is troubleshooting an issue where a rogue IPv6 router is sending false Router Advertisements on the network, causing hosts to use a malicious default gateway. The switch is configured with IPv6 First Hop Security features. The engineer wants to prevent this attack while allowing the legitimate router to send RAs. What is the correct configuration approach?

A.Configure RA Guard with a policy that sets the legitimate router's port as 'device-role router' and all other ports as 'device-role host', and apply the policy globally.
B.Enable DHCPv6 Guard on all ports to block any DHCPv6 server messages, which will also block RAs.
C.Use IPv6 Source Guard to filter traffic from the rogue router based on its IPv6 address.
D.Configure a static IPv6 neighbor entry for the legitimate router on the switch to override rogue RAs.
AnswerA

Correct because RA Guard will allow RAs only on ports configured as 'device-role router', blocking rogue RAs on host ports.

Why this answer

RA Guard is designed to prevent rogue RAs by allowing only authorized routers to send RAs. The correct approach is to configure RA Guard with a policy that trusts the legitimate router's port and drops RAs from all other ports.

374
MCQmedium

An engineer is troubleshooting a routing loop between two routers. R1 and R2 are running both OSPF and EIGRP. R1 learns the prefix 172.16.1.0/24 via OSPF with AD 110 and via EIGRP internal with AD 90. The engineer notices that R1 installs the EIGRP route, but traffic to 172.16.1.0/24 is being dropped. What is the most likely issue?

A.The OSPF route has a better metric, but the EIGRP route is preferred due to lower AD.
B.The EIGRP route is a summary route pointing to a null0 interface.
C.The OSPF route has a higher AD because it is a type 5 LSA.
D.The EIGRP route is an external route with AD 170.
AnswerB

If R1 has an EIGRP summary route for 172.16.1.0/24 pointing to Null0, it will be installed with AD 90 and drop traffic, causing a black hole.

Why this answer

EIGRP internal routes have AD 90, which is lower than OSPF's 110, so EIGRP is preferred. However, if the EIGRP route points to a next-hop that is not reachable or is a backup path, traffic may be dropped. The root cause could be that the EIGRP route is learned via a secondary path that is not optimal or has a next-hop issue.

375
MCQeasy

A router has a CoPP policy that includes a class-map matching all traffic from a specific source IP address (the management station) and polices it to 100000 bps. The engineer notices that SNMP polls from the management station are timing out. The SNMP traffic uses UDP port 161. The engineer checks the CoPP statistics and sees that the class for the management station has dropped packets. What is the most likely cause?

A.The CoPP police rate of 100000 bps is too low for the SNMP traffic from the management station.
B.The SNMP community string is incorrect on the management station.
C.The CoPP class-map is matching the wrong source IP address.
D.The SNMP agent on the router is not responding due to high CPU.
AnswerA

SNMP polls can be bursty, and 100000 bps may not be sufficient, leading to drops and timeouts.

Why this answer

The CoPP policy is rate-limiting traffic from the management station to 100000 bps. SNMP polls can generate bursts of traffic, especially if the router has many OIDs to query. If the police rate is too low for the SNMP traffic, packets are dropped, causing timeouts.
