Cisco CCNP ENARSI 300-410 (300-410) — Questions 526600

2152 questions total · 29 pages · All types, answers revealed

526 · MCQ · easy

What is the default role of an interface in IPv6 Neighbor Discovery Inspection when no policy is explicitly applied?

A. Untrusted
B. Trusted
C. Server
D. Host

Answer: A

The default role is untrusted, so ND messages are inspected.

Why this answer

By default, all interfaces are considered untrusted for ND inspection, meaning they are subject to validation checks unless explicitly trusted.

527 · MCQ · medium

A network engineer runs the following command to troubleshoot a VRF-Lite BGP route advertisement issue:

R1# show bgp vpnv4 vrf CUSTOMER_D 10.2.2.0/24
BGP routing table entry for 10.2.2.0/24, version 5
Paths: (1 available, best #1, table CUSTOMER_D)
  Advertised to update-groups:
     1
  Refresh Epoch 1
  Local
    10.1.1.2 (metric 20) from 10.1.1.2 (2.2.2.2)
      Origin incomplete, metric 0, localpref 100, valid, internal, best
      Extended Community: RT:100:200
      mpls labels in/out nolabel/20

What does this output indicate?

A. The route 10.2.2.0/24 is learned via an external BGP peer and is not the best path.
B. The route 10.2.2.0/24 is learned from 10.1.1.2 with an MPLS label of 20 and is the best path.
C. The route 10.2.2.0/24 is not advertised to any update groups.
D. The route 10.2.2.0/24 has no extended community attached.

Answer: B

Correct. The output shows the route is internal, best, and has an MPLS label of 20.

Why this answer

The 'show bgp vpnv4 vrf' command displays BGP VPNv4 route details for a specific VRF. The output shows that route 10.2.2.0/24 is learned from neighbor 10.1.1.2 (router ID 2.2.2.2), which is reachable with an IGP metric of 20. The path is valid, internal, and the best path.

The route has an extended community RT:100:200 and an MPLS label of 20 (outgoing).

528 · MCQ · medium

What is the default flow-cache timeout for NetFlow version 9 on Cisco IOS-XE?

A. 15 minutes
B. 30 minutes
C. 60 minutes
D. 5 minutes

Answer: B

Correct. The default flow-cache timeout for NetFlow v9 is 30 minutes.

Why this answer

The default flow-cache timeout for NetFlow version 9 is 30 minutes, after which inactive flows are aged out.

529 · Multi-Select · hard

Which TWO statements about PBR and route-map sequence numbers are true? (Choose TWO.)

Select 2 answers:
A. If a packet matches a route-map sequence with a 'permit' keyword, the set actions are applied, and no further sequences are evaluated.
B. If a packet matches a route-map sequence with a 'deny' keyword, the packet is dropped immediately.
C. The 'match ip address' command in a PBR route map can reference a named or numbered ACL, but not a prefix list.
D. If no sequence in a PBR route map matches a packet, the packet is forwarded using the routing table (normal routing).
E. The 'set ip next-hop' command can be used in a route-map sequence with a 'deny' keyword to override the default behavior.

Answers: A, D

Correct. Once a packet matches a permit sequence, the set actions are applied and evaluation stops; subsequent sequences are ignored.

Why this answer

Route maps used for PBR are evaluated in sequence number order. Each sequence can have match and set statements. If a packet does not match any permit sequence, it is subject to normal routing (implicit deny).

The 'match ip address' command can reference an ACL or prefix list. The 'set' commands in a permit sequence are executed only when the match conditions are met.

530 · MCQ · hard

An engineer configures Control Plane Policing (CoPP) with a policy that denies all traffic in class-default. After applying the policy, BGP sessions to the router fail. What is the most likely explanation?

A. The class-default has an explicit 'drop' action, which overrides the implicit permit and drops all unmatched traffic, including BGP packets.
B. The CoPP policy was applied to the wrong interface, so BGP packets are dropped by the interface ACL.
C. The BGP packets are matched by another class with a 'drop' action, but the class-default is irrelevant.
D. The CoPP policy uses 'rate-limit' in bps instead of pps, causing BGP packets to be dropped due to rate limiting.

Answer: A

Explicit deny in class-default changes the default behavior from permit to drop.

Why this answer

CoPP class-default has an implicit permit at the end, but if an explicit deny is configured in class-default, it will drop all traffic not matched by other classes, including BGP control packets. The explicit deny overrides the implicit permit.

531 · Multi-Select · hard

An engineer is troubleshooting a PAT overload configuration on a Cisco router. Inside hosts can access the Internet, but some applications (e.g., FTP, SIP) fail. Which TWO commands can be used to verify the NAT translations and identify the issue? (Choose TWO.)

Select 2 answers:
A. 'show ip nat translations'
B. 'debug ip nat detailed'
C. 'show ip nat statistics'
D. 'show ip access-lists'
E. 'show running-config | include nat'

Answers: A, B

Correct. This shows the current NAT table, including inside local, inside global, outside local, and outside global addresses and ports.

Why this answer

'show ip nat translations' displays active translations including ports, which helps verify if PAT is working and if ports are being allocated. 'debug ip nat' with 'detailed' shows packet-level translation events, useful for seeing if application-layer protocols are being handled correctly. 'show ip nat statistics' shows counts but not per-translation details. 'show ip access-lists' does not show NAT info. 'show running-config | include nat' only shows configuration, not operational state.

532 · Drag &amp; Drop · hard

Drag and drop the steps to troubleshoot Control Plane Policing (CoPP) adjacency or connectivity failures into the correct order, from first to last.

Steps, in the correct order:
1. Verify that the control-plane policy is applied.
2. Verify that the class-map matches the correct protocol.
3. Check for dropped packets.
4. Temporarily disable CoPP to test.
5. Adjust the policy to permit the necessary traffic.

Why this order

Troubleshooting CoPP failures starts by checking if the control-plane policy is applied, then verifying the class-map matches the correct protocol, checking for dropped packets, temporarily disabling CoPP to test, and finally adjusting the policy to permit the necessary traffic. This systematic approach isolates the issue without disrupting the network.

533 · MCQ · hard

Router R1 is configured with ip nat inside source list 100 interface Loopback0 overload. Internal hosts at 192.168.1.0/24 can access the internet, but external hosts cannot initiate connections to an internal server at 10.1.1.10 that is also behind NAT. The server is supposed to be reachable via static NAT.

Configuration:
ip nat inside source static tcp 10.1.1.10 80 interface Loopback0 80

Router R1 shows:
R1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 10.1.1.10:80       10.1.1.10:80       ---                ---

External users get connection timeouts. What is the root cause?

A. The static NAT should use a specific global IP address instead of the interface; configure ip nat inside source static tcp 10.1.1.10 80 203.0.113.10 80.
B. The access-list 100 is blocking inbound traffic.
C. The Loopback0 interface is not in the routing table.
D. The static NAT entry is missing the 'add-route' option.

Answer: A

Using the interface IP for static NAT is not supported; a specific global IP must be defined.

Why this answer

The static NAT entry is correctly configured, but the issue is that the Loopback0 interface is used as the inside global interface. For static NAT to work for inbound connections, the outside interface must be the one facing the external network. The Loopback0 is likely not the correct egress interface; the static NAT should be applied to the actual outside interface (e.g., GigabitEthernet0/1).

Additionally, the 'interface' keyword in the static NAT command is incorrect; it should use 'ip nat inside source static tcp 10.1.1.10 80 203.0.113.10 80' with a specific global IP.

534 · MCQ · medium

A network engineer runs the following command to troubleshoot a BFD issue:

R1# debug bfd event
*Mar 1 00:12:34.567: BFD: [R1-to-R2] state DOWN -> UP (async)
*Mar 1 00:12:34.568: BFD: [R1-to-R2] echo mode enabled, min-echo-rx-interval 50 ms
*Mar 1 00:12:34.569: BFD: [R1-to-R2] starting echo timer, interval 50 ms
*Mar 1 00:12:34.570: BFD: [R1-to-R2] sending async packet, state UP, interval 300 ms

What does this output indicate?

A. BFD session is flapping between DOWN and UP states.
B. BFD session is established and echo mode is active.
C. BFD session is down due to echo failure.
D. BFD async interval is misconfigured at 300 ms.

Answer: B

The output confirms BFD session is UP, echo mode enabled, and timers are running.

Why this answer

The debug output shows BFD session transitioning from DOWN to UP, with echo mode enabled and the async interval set to 300 ms. This indicates a successful BFD session establishment.

535 · MCQ · hard

An engineer configures a DMVPN Phase 2 network. Spoke routers can communicate with the hub, but spoke-to-spoke traffic is not establishing dynamically. The engineer verifies that NHRP is configured and that the hub is configured as an NHRP server. Which is the most likely explanation?

A. The hub is not configured with 'no ip next-hop-self' for the routing protocol on the tunnel interface
B. NHRP authentication is mismatched between spokes
C. The spoke routers have not enabled NHRP redirect
D. The tunnel mode is set to GRE multipoint on the spokes

Answer: A

Correct. In Phase 2, the hub must not change the next-hop to itself; otherwise, spokes cannot build direct tunnels.

Why this answer

In DMVPN Phase 2, spoke-to-spoke tunnels require that the spoke routers have a route to the remote spoke's tunnel IP address via the hub. This is achieved by the hub advertising the spoke's prefix with the next-hop set to the spoke's tunnel IP. However, if the hub does not configure 'no ip next-hop-self eigrp' (or similar for the routing protocol), the hub will set the next-hop to itself, preventing the spoke from directly reaching the remote spoke.

This is a common edge case because the default behavior of routing protocols is to set the next-hop to the router's own IP.

536 · MCQ · hard

A network engineer is troubleshooting NAT for a VPN tunnel. The router has a static NAT rule 'ip nat inside source static 10.0.0.10 203.0.113.10' for a server. The VPN traffic from the remote site to 203.0.113.10 is being NATed to 10.0.0.10, but the return traffic from the server to the remote site is not being translated back. The engineer sees that the server sends packets with source 10.0.0.10 to the remote site's public IP. What should the engineer do to fix this?

A. Add an 'ip nat outside' command on the inside interface.
B. Configure a route-map to exempt the VPN traffic from NAT.
C. Ensure that the router has a route to the remote site's public IP via the outside interface, and that the static NAT entry is correctly applied.
D. Change the static NAT to 'ip nat inside source static 10.0.0.10 203.0.113.10 extendable'.

Answer: C

Correct because if the return traffic from the server is routed out a different interface (e.g., a VPN tunnel interface), the NAT might not be applied; the router needs to route the traffic via the outside interface where NAT is configured.

Why this answer

For NAT to work bidirectionally, the router must translate the source IP of the server's outbound traffic to the public IP. Static NAT should handle this automatically, but if the traffic is not matching the NAT rule, it might be due to routing or interface NAT direction.

537 · MCQ · easy

What is the default action for a packet that does not match any route-map entry in a PBR policy?

A. The packet is dropped.
B. The packet is forwarded using the routing table.
C. The packet is sent to the CPU for processing.
D. The router sends an ICMP unreachable message.

Answer: B

This is the default behavior for unmatched packets.

Why this answer

If no route-map entry matches, the packet is forwarded using the normal routing table lookup. PBR does not drop unmatched packets by default.

538 · MCQ · easy

A network engineer runs the following command on Router R1:

R1# show ipv6 access-list FILTER-IPv6
IPv6 access list FILTER-IPv6
    permit ipv6 2001:DB8:1::/48 any sequence 10
    deny ipv6 any any sequence 20

Based on this output, what is the effect of this access list when applied to an interface?

A. It permits all IPv6 traffic
B. It denies all IPv6 traffic from 2001:DB8:1::/48
C. It permits only IPv6 traffic from 2001:DB8:1::/48 and denies everything else
D. It permits all IPv6 traffic except from 2001:DB8:1::/48

Answer: C

Sequence 10 permits the prefix, sequence 20 denies all other traffic.

Why this answer

The access list FILTER-IPv6 has two entries: a permit statement for source 2001:DB8:1::/48 to any destination (sequence 10), followed by a deny ipv6 any any entry (sequence 20). When applied to an interface, only traffic matching the permit entry is allowed; all other IPv6 traffic is denied by the deny-all entry at the end of the list. This results in permitting only traffic from the specified prefix and denying everything else.

Exam trap

Cisco often tests the implicit deny all at the end of an access list, and the trap here is that candidates may overlook the deny ipv6 any any entry (sequence 20) or assume it is not present, leading them to incorrectly think the ACL permits all traffic (Option A) or permits all except the specified prefix (Option D).

How to eliminate wrong answers

Option A is wrong because the access list includes an explicit deny ipv6 any any (sequence 20), which blocks all traffic not matching the permit statement, so it does not permit all IPv6 traffic. Option B is wrong because the permit statement allows traffic from 2001:DB8:1::/48 rather than denying it; the deny statement applies to all other traffic. Option D is wrong because the permit statement allows traffic from 2001:DB8:1::/48 and the deny statement blocks all other traffic, so the effect is the opposite of what is described.

539 · MCQ · hard

A network engineer configures SNMPv3 with authentication and privacy on a router. The NMS can poll the router successfully. After a router reload, the NMS fails to poll the router, but the SNMP configuration is unchanged. Which is the most likely explanation?

A. The SNMP engine ID changed after the reload because it was not explicitly configured, causing authentication keys to be recalculated.
B. The router lost its SNMP configuration due to a failed startup config.
C. The NMS's SNMPv3 credentials were deleted during the reload.
D. The router's SNMP process failed to start after reload.

Answer: A

SNMPv3 keys are derived from the engine ID; if the engine ID changes, the NMS must be reconfigured with the new engine ID or the router must have a persistent engine ID configured.

Why this answer

The SNMP engine ID is generated based on the router's MAC address or a configured value. If the router's MAC address changes (e.g., due to a hardware change) or if the engine ID is not explicitly configured, the engine ID may change after reload, causing key mismatch.

540 · MCQ · hard

R1 and R2 are OSPF neighbors over a tunnel interface with BFD enabled. On R1, 'show ip ospf interface tunnel0' shows 'BFD is enabled', but 'show bfd neighbors' shows the session as 'Down'; 'show bfd neighbors' on R2 also shows the session as 'Down'. The tunnel is up and the OSPF adjacency is full. R1 has 'bfd interval 100 min_rx 100 multiplier 3' under tunnel0, and R2 has the same. What is the root cause?

A. BFD is not supported over tunnel interfaces; it requires physical interfaces.
B. The tunnel mode must be changed to 'ipsec' for BFD to work.
C. OSPF must be configured with 'bfd all-interfaces' to work over tunnels.
D. The BFD timers must be increased for tunnel interfaces.

Answer: A

BFD cannot be used over tunnel interfaces because BFD requires direct layer 2 connectivity; tunnels are layer 3 virtual interfaces.

Why this answer

BFD over tunnel interfaces requires that the underlying transport (e.g., GRE) supports BFD. BFD cannot be established over a tunnel if the tunnel endpoint IP addresses are not directly connected; BFD requires physical connectivity. Since OSPF is full, the tunnel is working, but BFD fails because the tunnel is considered a virtual interface and BFD expects a direct physical link.

541 · Multi-Select · hard

Which TWO statements about the configuration of an ERSPAN destination session are correct? (Choose TWO.)

Select 2 answers:
A. The destination session must be configured with 'monitor session <session> type erspan-destination'.
B. The source of the destination session must specify the 'erspan-id' and the source IP address of the ERSPAN tunnel.
C. The destination session can have multiple destination interfaces to send the decapsulated traffic to multiple analyzers.
D. The destination session automatically creates a GRE tunnel interface that appears in 'show ip interface brief'.
E. The destination session must be in the same VRF as the source session's destination IP to ensure reachability.

Answers: A, B

Correct. The 'type erspan-destination' keyword is required to define the session as an ERSPAN destination.

Why this answer

The ERSPAN destination session decapsulates GRE-encapsulated traffic and sends it to a local port. It must be configured with 'type erspan-destination', the source must specify the ERSPAN ID and the source IP address (the same as the destination IP of the source session), and the destination is a local interface. The session must be in the same VRF as the incoming ERSPAN traffic.

542 · Multi-Select · hard

Which TWO statements about redistributing connected routes into a routing protocol are true? (Choose TWO.)

Select 2 answers:
A. The 'redistribute connected' command will redistribute all interfaces that are up/up, including loopback interfaces, unless filtered.
B. To redistribute only specific connected interfaces, a route map with 'match interface' can be used with the 'redistribute connected' command.
C. The 'redistribute connected' command requires a corresponding 'network' statement under the routing protocol to include those interfaces.
D. Redistributing connected routes automatically includes the default route (0.0.0.0/0) if one is present.
E. The 'redistribute connected' command is only available in OSPF and EIGRP, not in other routing protocols like RIP.

Answers: A, B

Correct. By default, 'redistribute connected' redistributes all active connected interfaces, including loopbacks, unless a route map or distribute list filters them out.

Why this answer

Redistributing connected routes can be done explicitly with the 'redistribute connected' command or implicitly by using the 'redistribute static' command if a static route points to the interface. The 'redistribute connected' command does not require a network statement under the routing protocol. However, redistributing connected routes does not automatically include loopback interfaces unless they are explicitly matched or included.

The 'default-information originate' command does not redistribute connected routes.

543 · MCQ · hard

An engineer configures BGP between two iBGP peers in the same AS. The engineer sets 'next-hop-self' on the neighbor statement. However, the routes received from the iBGP peer still show the original next-hop as unreachable. What is the most likely explanation?

A. The 'next-hop-self' command was applied under the wrong address-family.
B. The 'next-hop-self' command is not supported for iBGP peers.
C. The 'synchronization' command is enabled, causing the next-hop to be preserved.
D. The 'bgp bestpath as-path multipath-relax' command is interfering.

Answer: A

In BGP, 'next-hop-self' can be configured per address-family. If it is applied under the IPv4 unicast address-family but the routes are being exchanged in a different address-family (e.g., VPNv4), it will not take effect.

Why this answer

The 'next-hop-self' command in BGP modifies the next-hop attribute for routes advertised to the neighbor. However, if the route is received from an eBGP peer and then advertised to an iBGP peer, the next-hop is changed only for the iBGP peer if 'next-hop-self' is configured. But if the iBGP peer is also a route reflector client, the route reflector does not change the next-hop unless 'next-hop-self' is configured on the route reflector itself.

The edge case here is that the engineer may have configured 'next-hop-self' on the wrong router or the command is applied to the wrong address-family.

544 · MCQ · medium

A network engineer is troubleshooting a site-to-site VPN between two Cisco routers. The tunnel is up, but traffic is not passing. On R1, the engineer issues the command 'show crypto map' and sees that the crypto map is applied to the outbound interface. What is the most likely cause of the traffic failure?

A. The crypto map is applied to the wrong interface.
B. The access-list in the crypto map does not permit the traffic.
C. The ISAKMP policy is misconfigured.
D. The transform set is incorrect.

Answer: A

Correct because crypto maps should be applied to the inbound direction of the interface to match traffic for encryption.

Why this answer

The crypto map must be applied to the interface through which VPN traffic exits. If it is applied to the wrong interface (e.g., a loopback or a LAN interface instead of the WAN-facing interface), the router will not encrypt outbound traffic or decrypt inbound traffic for the VPN, even though the tunnel (ISAKMP/IPsec SA) may be established. The show crypto map output confirming the map is on the outbound interface indicates a misapplication, as the correct interface is the one facing the remote peer.

Exam trap

Cisco often tests the misconception that a tunnel being up guarantees traffic flow, but the trap here is that the crypto map must be applied to the correct interface (the one with the route to the remote peer) for encryption to occur, and candidates may overlook this by focusing on ACL or policy issues instead.

How to eliminate wrong answers

Option B is wrong because an ACL mismatch in the crypto map would leave the tunnel up (IKE and IPsec SAs can still form for permitted traffic) while no interesting traffic triggers encryption; that could also explain traffic not passing, but the given clue about the crypto map being on the outbound interface points directly to interface misapplication. Option C is wrong because a misconfigured ISAKMP policy would prevent the tunnel from coming up (Phase 1 failure), but the tunnel is up, so ISAKMP negotiation succeeded. Option D is wrong because an incorrect transform set would cause Phase 2 negotiation to fail, preventing the IPsec SA from forming, but the tunnel being up implies both Phase 1 and Phase 2 completed successfully.

545 · MCQ · hard

An engineer configures an EEM applet to monitor CoPP (Control Plane Policing) drops using the event syslog pattern 'COPP-3-DROP'. The applet is intended to log when CoPP drops packets. The CoPP policy is applied with a rate-limit in bps, but the traffic exceeds the rate, and packets are dropped. The EEM applet does not trigger. Which is the most likely explanation?

A. CoPP does not generate syslog messages for individual drops unless the 'log' keyword is configured in the policy.
B. The EEM applet must use 'event class-map' to capture CoPP events.
C. The rate-limit in bps is incorrect; it should be in pps to generate syslog.
D. The CoPP policy must be applied to the input direction only for drops to be logged.

Answer: A

Correct. CoPP drops are not logged by default; the 'log' keyword must be added to the police action.

Why this answer

CoPP generates syslog messages only when the drop rate exceeds a certain threshold or when the policy is applied, not for every individual drop. By default, CoPP does not generate syslog messages for every dropped packet because it would overwhelm the router. The 'COPP-3-DROP' syslog is generated only if the 'police' action includes the 'log' keyword or if the drop rate is significant enough to trigger a log.

Without explicit logging configuration in the CoPP policy, no syslog is generated, and the EEM applet will not trigger.

546 · MCQ · hard

An OSPF network is experiencing routing loops between two routers. R1 has the following configuration:

interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip ospf network point-to-point

R2 has:

interface GigabitEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 ip ospf network broadcast

Both routers are in area 0. On R1, 'show ip ospf neighbor' lists R2 as FULL/DR, but R2 shows R1 as FULL/DROTHER. Traffic between two subnets behind each router is looping. What is the root cause?

A. The OSPF network type mismatch causes both routers to become DR/BDR, leading to incorrect LSA generation and routing loops.
B. The IP addresses are on the same subnet, but the OSPF cost is set differently, causing unequal cost load balancing.
C. The OSPF hello and dead intervals are mismatched due to the network type, causing the adjacency to flap.
D. The OSPF area is misconfigured; one router is in a different area.

Answer: A

R1's point-to-point configuration means it does not participate in DR election, so R2 becomes DR. R1 treats the link as a point-to-point link and may not advertise the correct type 2 LSA, while R2 advertises a type 2 LSA. This mismatch can cause R1 to learn routes via R2 and R2 to learn routes via R1, creating a loop.

Why this answer

OSPF network type mismatch on a multi-access link can cause adjacency issues. R1 is configured as point-to-point, which does not participate in DR/BDR election and expects a point-to-point link. R2 is configured as broadcast, which expects a DR/BDR election.

This mismatch can cause both routers to form an adjacency (since OSPF still works), but they have different views of the network. R1 thinks the link is point-to-point and does not expect a DR, so it may advertise the link as a stub network or with different metrics. R2 thinks it is the DR (since R1 is not participating in election), and it advertises the link as a transit network.

This inconsistency can cause routing loops because R1 may advertise a route via R2, and R2 may advertise the same route via R1, creating a loop. The correct fix is to match the network type on both ends.

547 · MCQ · medium

Examine the following partial configuration:

ip access-list extended MGMT_ACCESS
 permit tcp 10.0.0.0 0.255.255.255 any eq 22
 permit tcp 10.0.0.0 0.255.255.255 any eq 443
 deny ip any any
!
line vty 0 4
 access-class MGMT_ACCESS in
 transport input ssh
 login local

What is the effect of the 'access-class' command?

A. Only SSH and HTTPS connections from the 10.0.0.0/8 network are allowed to the VTY lines.
B. The ACL filters traffic leaving the VTY lines, allowing SSH and HTTPS from any source.
C. All traffic from the 10.0.0.0/8 network is permitted to the router.
D. The configuration is missing 'permit ip any any' to allow other management protocols.

Answer: A

The ACL permits TCP ports 22 and 443 from the specified source, and the access-class filters inbound VTY connections.

Why this answer

The `access-class` command applied to VTY lines with the `in` keyword filters inbound Telnet/SSH sessions to the router. The ACL `MGMT_ACCESS` permits TCP ports 22 (SSH) and 443 (HTTPS) from source network 10.0.0.0/8, and denies all other traffic. This restricts management access to only SSH and HTTPS connections originating from the 10.0.0.0/8 network.

Exam trap

Cisco often tests the distinction between `access-class` (applied to VTY lines for management access control) and `access-group` (applied to interfaces for transit traffic), leading candidates to confuse the direction or scope of the ACL.

How to eliminate wrong answers

Option B is wrong because the `in` keyword on `access-class` filters traffic entering the VTY lines (inbound to the router), not traffic leaving them. Option C is wrong because the ACL only permits TCP ports 22 and 443, not all traffic from 10.0.0.0/8; the implicit deny at the end blocks everything else. Option D is wrong because the configuration is complete as intended; adding `permit ip any any` would bypass the security restriction and allow all management protocols, which contradicts the purpose of the ACL.

548 · Multi-Select · hard

Which TWO statements correctly describe the behavior of Policy-Based Routing (PBR) when using the 'set ip next-hop' and 'set ip default next-hop' commands? (Choose TWO.)

Select 2 answers:
A. The 'set ip next-hop' command overrides the routing table only when the next-hop address is reachable; if unreachable, the packet is dropped unless a default route exists.
B. The 'set ip default next-hop' command is used to forward packets that match the route-map permit statement, regardless of whether a route exists in the routing table.
C. The 'set ip next-hop verify-availability' feature uses ICMP echo requests to verify next-hop reachability before applying PBR.
D. When using 'set interface' in a PBR route map, the router forwards the packet out the specified interface without requiring a next-hop IP address, but the interface must be up/up.
E. If a route map with 'set ip next-hop' is applied inbound on an interface, PBR processes only the first packet of a flow; subsequent packets use the routing table.

Answers: A, D

Correct. PBR with 'set ip next-hop' requires the next hop to be reachable; if not, the packet is forwarded using the routing table (if a default route exists) or dropped.

Why this answer

PBR uses route maps to override the routing table. The 'set ip next-hop' command is applied only if the packet matches the match criteria; if the next hop is unreachable, the packet is dropped (unless a default route exists). The 'set ip default next-hop' command is used only when the routing table has no explicit route for the destination.

The 'set ip next-hop verify-availability' option tracks reachability using CEF. The 'set interface' command does not require a next-hop IP but can be used for directly connected networks.

549 · MCQ · easy

What is the default uRPF mode when 'ipv6 verify unicast source reachable-via' is configured without any keyword?

A. Loose mode (any)
B. Strict mode (rx)
C. No uRPF is applied
D. Only default routes are allowed

Answer: B

Without keywords, the router uses strict uRPF, checking the source is reachable via the receiving interface.

Why this answer

If no keyword is specified, the default is strict mode (rx).

550 · MCQ · medium

Examine this BGP configuration on router R3:

router bgp 65003
 bgp router-id 3.3.3.3
 neighbor 10.3.3.2 remote-as 65002
 neighbor 10.3.3.2 ebgp-multihop 2
 neighbor 10.3.3.2 update-source Loopback0
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255

What is the likely issue with this configuration?

A. The ebgp-multihop value should be 1 for directly connected neighbors.
B. The neighbor 10.3.3.2 must be reachable via the loopback address 3.3.3.3; otherwise, the session will not come up.
C. The remote-as 65002 should be the same as the local AS for eBGP.
D. The update-source command is not needed when using ebgp-multihop.

Answer: B

BGP uses the update-source address as the source IP; the neighbor must be able to reach that IP.

Why this answer

The ebgp-multihop 2 allows the neighbor to be two hops away, but the update-source is set to Loopback0 (3.3.3.3). The neighbor 10.3.3.2 must be reachable via the loopback. If 10.3.3.2 is not reachable from 3.3.3.3, the session will not establish.

551 · MCQ · hard

A network engineer configures EEM to monitor BGP prefix limits on R1. R1 has:

event manager applet BGP-PREFIX
 event syslog pattern "%BGP-3-PREFIX_LIMIT"
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip bgp 10.1.1.2"
 action 3.0 syslog msg "Cleared BGP session"

Router R2 shows that the BGP session with R1 is flapping, and logs show repeated prefix limit warnings. What is the root cause?

A. The EEM applet clears the BGP session, which resets the prefix count but does not prevent the neighbor from re-sending the same prefixes.
B. The syslog pattern is incorrect; it should be %BGP-4-PREFIX_LIMIT.
C. The clear command should be 'clear ip bgp *' to reset all sessions.
D. The BGP session is flapping due to a keepalive timer mismatch.

Answer: A

Clearing the session only provides temporary relief; the prefix limit is hit again after re-establishment.

Why this answer

'neighbor maximum-prefix' tears down the session when the limit is exceeded and, by default, holds it down until someone clears it. The applet automates exactly that clear, so as soon as the session re-establishes the neighbor re-sends the same prefixes, the limit trips again, and the cycle repeats as a flap. Clearing the session is not a fix because nothing changed about what the neighbor sends. The real fixes are to filter inbound (prefix-list or route-map) so that only the expected prefixes are accepted, to raise the limit if the count is legitimate, or to let BGP handle the condition itself with the 'restart <minutes>' or 'warning-only' keywords instead of an EEM clear. Note also that the syslog identifiers IOS actually emits for this condition are %BGP-4-MAXPFX (threshold reached) and %BGP-3-MAXPFXEXCEED (limit exceeded); an applet keyed on a pattern the router never logs would simply not fire.
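
The same scenario handled by BGP itself, added as an example rather than taken from the question bank. The local AS 65001, the limit of 1000, the prefix-list contents and the applet name are assumptions.

```cisco
! Added example (not from the question bank): replacing the EEM "clear"
! workaround in question 551 with BGP's own prefix-limit handling and an
! inbound filter. AS 65001, the limit of 1000 and the prefix-list
! contents are assumptions.
!
router bgp 65001
 neighbor 10.1.1.2 remote-as 65002
 ! Warn at 80 % of the limit, tear down at 1000 prefixes, and retry
 ! automatically after 5 minutes instead of clearing from EEM.
 ! "warning-only" in place of "restart 5" would log without ever
 ! dropping the session.
 neighbor 10.1.1.2 maximum-prefix 1000 80 restart 5
 ! Address the cause: accept only what this peer is supposed to send.
 neighbor 10.1.1.2 prefix-list FROM-PEER in
!
ip prefix-list FROM-PEER seq 5 permit 10.20.0.0/16 le 24
ip prefix-list FROM-PEER seq 100 deny 0.0.0.0/0 le 32
!
! If an applet is still wanted, make it notify rather than clear, and key
! it on a message the router actually logs.
event manager applet BGP-PREFIX-NOTIFY
 event syslog pattern "%BGP-3-MAXPFXEXCEED"
 action 1.0 syslog msg "BGP prefix limit exceeded, check inbound filters"
!
! Verification: the configured maximum, the threshold and the number of
! prefixes currently accepted from this peer.
show ip bgp neighbors 10.1.1.2 | include prefix
```

With 'restart 5' the session still drops when the limit is hit, but BGP re-establishes it on its own schedule; combined with the inbound prefix-list the limit should never be reached in the first place.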

552
MCQmedium

A network engineer runs the following command on Router R1: R1# show ipv6 route | include Tunnel O 2001:DB8:1::/48 [110/2] via FE80::1, Tunnel0 O 2001:DB8:2::/48 [110/3] via FE80::2, Tunnel1 Based on this output, which statement is correct?

A.The routes are learned via EIGRP.
B.The tunnels are using IPv4 as the transport.
C.OSPFv3 is running over the tunnel interfaces and these routes are reachable.
D.Tunnel0 has a higher metric than Tunnel1.
AnswerC

The OSPF routes are present with next-hop addresses via tunnel interfaces.

Why this answer

The output shows OSPF routes (code 'O') learned through tunnel interfaces. Because the prefixes are IPv6 (2001:DB8:1::/48 and 2001:DB8:2::/48), the protocol must be OSPFv3, the IPv6-capable version of OSPF. 'via FE80::1, Tunnel0' shows a link-local next hop reachable through the tunnel, which is exactly what an OSPFv3 adjacency over a tunnel produces, so the routes are installed and reachable over those tunnels.

Exam trap

The interface name 'Tunnel0' says nothing about what the tunnel is carried over. The IPv6 routing table only shows the passenger protocol; the transport (IPv4 or IPv6) is visible only in 'show interfaces tunnel 0' (the tunnel source/destination and the 'Tunnel protocol/transport' line). Candidates often infer the transport from this output, in either direction.

How to eliminate wrong answers

Option A is wrong because code 'O' is OSPF; EIGRP routes carry code 'D'. Option B is wrong because the transport cannot be determined from this output: the link-local next hops and IPv6 prefixes belong to the traffic inside the tunnel, and an IPv6-over-IPv4 tunnel would look identical here. Option D is wrong because in '[110/2]' the 110 is the administrative distance and the 2 is the metric: Tunnel0 carries a metric of 2 and Tunnel1 a metric of 3, so Tunnel0 has the lower (better) metric, not the higher one.

553
MCQmedium

Consider the following configuration on router R1: crypto isakmp policy 10 encryption aes 256 authentication pre-share group 14 lifetime 86400 ! crypto isakmp key cisco123 address 192.168.1.2 ! crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac mode tunnel ! crypto map CMAP 10 ipsec-isakmp set peer 192.168.1.2 set transform-set TSET match address 101 ! interface GigabitEthernet0/1 ip address 192.168.1.1 255.255.255.0 crypto map CMAP ! access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255 If the remote peer has an ISAKMP policy with encryption 3des, what will happen?

A.The tunnel will use 3DES because the remote peer's policy is accepted.
B.IKE phase 1 will fail due to encryption algorithm mismatch.
C.The router will automatically adjust to use 3DES.
D.The tunnel will establish but use AES 256 anyway.
AnswerB

The encryption algorithm must match; AES 256 vs 3DES is a mismatch.

Why this answer

IKE phase 1 requires both peers to have a matching ISAKMP policy: the same encryption algorithm, hash, authentication method and Diffie-Hellman group (the lifetime may differ, the lower value is used). Since R1 is configured with AES 256 and the remote peer offers 3DES, there is no common proposal, so phase 1 fails and no IPsec SA can be built on top of it. Cisco IOS does not renegotiate or fall back to a different algorithm; 'show crypto isakmp sa' shows no active SA and 'debug crypto isakmp' reports that no acceptable proposal was found. One practical caveat: IOS 15.x ships default ISAKMP policies at priorities 65507-65514 (listed by 'show crypto isakmp default policy') that include 3DES/SHA/group 2 proposals, so a remote policy of 3DES, SHA, group 2 and pre-shared keys could still match one of those unless they have been removed with 'no crypto isakmp default policy'. The exam answer assumes only the explicitly configured policy 10 is in play.

Exam trap

Cisco often tests the misconception that IKE will automatically negotiate or fall back to a weaker algorithm, but in reality, IKE phase 1 requires an exact match of all policy parameters, and a mismatch causes the entire VPN to fail.

How to eliminate wrong answers

Option A is wrong because IKE phase 1 does not simply accept the remote peer's policy; both peers must have a matching proposal, and a mismatch causes failure. Option C is wrong because Cisco IOS does not automatically adjust encryption algorithms; each peer must have a compatible policy configured. Option D is wrong because the tunnel cannot establish if IKE phase 1 fails; no IPsec SA can be created without a successful IKE SA.

554
MCQmedium

A network engineer runs the following command on Router R1: R1# show bgp ipv4 unicast 10.3.3.0/24 BGP routing table entry for 10.3.3.0/24, version 10 Paths: (2 available, best #2, table default) Advertised to update-groups: 1 Refresh Epoch 1 65003 65004 10.1.13.3 from 10.1.13.3 (10.3.3.3) Origin IGP, metric 0, localpref 100, valid, external rx pathid: 0, tx pathid: 0 Refresh Epoch 1 65005 10.1.15.5 from 10.1.15.5 (10.5.5.5) Origin IGP, metric 0, localpref 200, valid, external, best rx pathid: 0, tx pathid: 0x0 Based on this output, why is the path via 10.1.15.5 chosen as best?

A.Because it has a shorter AS path (65005 vs 65003 65004).
B.Because it has a higher local preference of 200.
C.Because it has a lower metric (0 vs 0).
D.Because it was learned from a lower neighbor IP address.
AnswerB

Local preference is compared before AS path length. The path with localpref 200 is preferred over 100.

Why this answer

BGP selects the best path by comparing attributes in a fixed order. Both paths are valid and external, and both carry the default weight of 0 (weight is not printed here because it is unchanged). The next comparison is local preference, and 200 beats 100, so the path via 10.1.15.5 wins before AS-path length is ever considered; had local preference been equal, the shorter path (65005) would have won on the next step. Since eBGP peers do not send LOCAL_PREF, the value of 200 must have been set on R1 itself, typically by an inbound route-map on that neighbor.

Therefore, it is chosen as best.

555
MCQeasy

According to Cisco IOS default behavior, if a router learns the same route via both RIP and OSPF, which route will be installed in the routing table?

A.The RIP route, because RIP has a lower metric.
B.The OSPF route, because OSPF has a lower administrative distance.
C.Both routes are installed, and load balancing occurs.
D.Neither route is installed; the router will use a default route.
AnswerB

OSPF AD 110 < RIP AD 120.

Why this answer

OSPF has a default AD of 110, RIP has 120. Lower AD is preferred, so OSPF route is installed.

556
MCQmedium

Which statement correctly describes the behavior of ISATAP tunneling regarding host configuration?

A.ISATAP requires manual configuration of the entire IPv6 address on each host.
B.ISATAP uses the prefix 2002::/16 for global addresses.
C.ISATAP embeds the IPv4 address into the interface identifier (last 64 bits) of the IPv6 address.
D.ISATAP is only used for site-to-site tunnels.
AnswerC

ISATAP builds the interface identifier as 0000:5EFE:w.x.y.z (with the u/l bit set, 0200:5EFE:, when the embedded IPv4 address is globally unique), so the host's IPv4 address occupies the low 32 bits of the IPv6 address.

Why this answer

ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) automatically generates the IPv6 address by embedding the host's IPv4 address into the interface identifier (the last 64 bits of the IPv6 address). This allows hosts to obtain a complete IPv6 address without manual configuration of the full 128-bit address, as the IPv4 address is used to form the unique interface ID. Option C correctly describes this behavior.

Exam trap

Cisco often tests the distinction between ISATAP and 6to4 tunneling, and the trap here is confusing the 2002::/16 prefix (used by 6to4) with ISATAP's use of a site-specific prefix and the embedded IPv4 address in the interface ID.

How to eliminate wrong answers

Option A is wrong because ISATAP does not require manual configuration of the entire IPv6 address; it automatically derives the interface identifier from the IPv4 address, and the prefix can be obtained via router discovery or DHCPv6. Option B is wrong because the prefix 2002::/16 is used by 6to4 tunneling, not ISATAP; ISATAP typically uses a site-specific unicast prefix (e.g., a global or unique local prefix) advertised by an ISATAP router. Option D is wrong because ISATAP is designed for host-to-router and host-to-host tunnels within a site, not exclusively for site-to-site tunnels; site-to-site tunnels are typically implemented with manual IPv6-in-IPv4 tunnels or GRE tunnels.

557
MCQmedium

An engineer configures NAT overload on a router. The inside network uses 172.16.0.0/16, and the outside interface is 198.51.100.1. The engineer uses 'ip nat inside source list 1 interface GigabitEthernet0/0 overload'. ACL 1 permits 172.16.0.0 0.0.255.255. Traffic works, but the engineer notices that the router's CPU utilization is high, and 'show ip nat translations' shows thousands of entries. What is the most likely cause?

A.The router is under a DDoS attack generating many NAT translations.
B.The NAT translation timeout is set too high, causing old entries to remain.
C.The ACL is too permissive, allowing traffic from outside to initiate NAT.
D.The outside interface is using a different IP than configured.
AnswerB

Correct because NAT entries are removed only when their timeout expires. If the timeouts (for example 'ip nat translation timeout', or the per-protocol 'udp-timeout' and 'dns-timeout') have been raised, entries for short-lived flows such as DNS queries outlive the flows that created them, the table grows into the thousands and the router spends CPU maintaining and searching it.

Why this answer

High CPU together with a very large translation table has two usual causes: stale entries that are kept too long, or a flood of new short-lived sessions from a few inside hosts (scanning, malware, or a DDoS reflected through the router). The per-entry create/use times and remaining lifetime in 'show ip nat translations verbose', together with the counters in 'show ip nat statistics', separate the two: thousands of old UDP or DNS entries point to over-long timeouts, while a burst of young entries from one or two inside addresses points to the host, not the timer. Nothing in the question suggests an attack, so the over-long timeout is the most likely cause; restoring the defaults (UDP 300 seconds, DNS 60 seconds, TCP 24 hours) or bounding the table with 'ip nat translation max-entries' keeps it in check.

558
Multi-Selecthard

Which TWO statements about the interaction between administrative distance and floating static routes are true? (Choose TWO.)

Select 2 answers
A.A floating static route must have an administrative distance higher than the primary route's AD to serve as a backup.
B.The default administrative distance for a static route is 0.
C.A floating static route will be installed in the routing table immediately after the primary route is removed, even if the next-hop is unreachable.
D.The 'ip route' command can be used to configure a floating static route by specifying an administrative distance value.
E.A floating static route can only be used with OSPF as the primary routing protocol.
AnswersA, D

Correct. The floating static route is configured with a higher AD so it is only used when the primary route (with lower AD) is not available.

Why this answer

A floating static route is a static route whose administrative distance is deliberately set higher than that of the primary route (the dynamic protocol's AD, or the AD of another static route), so it stays out of the routing table while the primary exists and is installed only when the primary is withdrawn. Option B is wrong because the default AD of a static route is 1 (0 is the AD of a connected route), and option E is wrong because the primary can be any protocol, or even another static route.

Option C is wrong as well: a static route is installed only if its next hop can be resolved (or its exit interface is up), so an unreachable next hop keeps the floating route out of the table even after the primary disappears. The 'distance' command under a routing process changes that protocol's AD, not the AD of the static route; the static AD is set by appending the distance value to the 'ip route' command itself.

559
MCQhard

A network engineer runs the following command on Router R1: R1# show ip bgp neighbors 192.168.1.2 advertised-routes BGP table version is 14, local router ID is 10.1.1.1 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path *> 10.10.10.0/24 192.168.1.2 0 0 65001 i *> 10.20.20.0/24 192.168.1.2 0 0 65001 i Total number of prefixes 2 Based on this output, what is a likely issue?

A.The neighbor 192.168.1.2 is not receiving all routes because a route-map is filtering them.
B.The BGP session is down because there are no prefixes advertised.
C.The router is not receiving updates from its peers.
D.The prefix-list is misconfigured and blocking all routes.
AnswerA

Only two prefixes are advertised; a route-map or prefix-list applied outbound to this neighbor is the usual reason.

Why this answer

'advertised-routes' lists what R1 is sending to 192.168.1.2 after outbound policy has been applied. Only two prefixes appear, both with AS path 65001, while a BGP table version of 14 suggests R1 holds more routes than it is passing on. Of the options, an outbound route-map filtering the remaining prefixes is the most likely cause. Options B and C contradict the output: the session must be up for anything to be advertised at all, and a table version of 14 means updates are being processed. Confirm with 'show ip bgp neighbors 192.168.1.2 | include Route map', which names any route-map applied to outgoing advertisements, and compare 'show ip bgp' against this list to see which prefixes are being withheld.

560
Drag & Dropmedium

Drag and drop the steps to verify and validate the MPLS L3VPN operational state into the correct order, from first to last.

Why this order

Start by checking the VRF routing table with 'show ip route vrf <name>' to confirm CE routes are present. Then verify that VPNv4 routes are installed using 'show bgp vpnv4 unicast all'. Next, confirm the MPLS forwarding entry for a specific prefix with 'show mpls forwarding-table'.

After that, test end-to-end connectivity with a ping from the CE to a remote CE. Finally, validate that the label stack is correctly imposed using 'show ip cef vrf <name> <prefix>'.

561
MCQhard

An engineer configures ERSPAN on a Cisco router to send mirrored traffic to a remote collector via IP. The collector receives the ERSPAN packets, but the payload appears truncated or malformed. What is the most likely cause?

A.The ERSPAN GRE encapsulation adds overhead exceeding the path MTU, causing fragmentation or drop.
B.The collector is not configured to reassemble IP fragments.
C.The ERSPAN session is configured with the wrong source interface, causing incorrect IP headers.
D.The router has IPsec configured on the egress interface, encrypting the ERSPAN packets.
AnswerA

ERSPAN adds 50 bytes of overhead; if the original packet is near MTU, the encapsulated packet exceeds it, leading to fragmentation or loss.

Why this answer

ERSPAN encapsulates mirrored packets in GRE with an additional ERSPAN header. The MTU of the path between the source and collector must accommodate the extra overhead (typically 50 bytes for GRE + ERSPAN). If the path MTU is too small, packets are fragmented or dropped, causing truncation.

562
MCQmedium

Which DHCPv4 option is used by a client to request a specific IP address in the DHCPREQUEST message?

A.Option 12 (Host Name)
B.Option 50 (Requested IP Address)
C.Option 54 (Server Identifier)
D.Option 51 (IP Address Lease Time)
AnswerB

Option 50 carries the requested IP address in DHCPREQUEST.

Why this answer

Option 50 (Requested IP Address) is used by the client in DHCPREQUEST to specify the desired IP address, per RFC 2132.

563
MCQmedium

A network engineer notices that a router is sending SNMP traps for interface state changes even when there is no actual interface flapping. The engineer checks the running configuration and finds an EEM applet that monitors interface state changes and sends a syslog message. The applet is configured with a trigger condition that matches any interface state change. What should the engineer do to resolve the issue?

A.Remove the EEM applet entirely.
B.Modify the EEM applet trigger to match only the specific interfaces of interest.
C.Increase the debounce timer on the interface to reduce flapping.
D.Disable SNMP traps for interface state changes.
AnswerB

Correct because narrowing the trigger condition prevents false positives while retaining monitoring capability.

Why this answer

The EEM applet fires on every interface state-change syslog, so it generates a message for every up/down transition on every port, including ones nobody cares about. Those messages reach the NMS as SNMP notifications when the router forwards syslog as traps ('snmp-server enable traps syslog' together with 'logging history'), which is why they look like interface traps without any real flapping. Narrowing the 'event syslog pattern' so that it includes the interface names of interest (for example matching LINEPROTO-5-UPDOWN only for the uplinks) keeps the monitoring for the links that matter and stops the noise. Option C changes link behaviour rather than the applet, and options A and D remove monitoring the engineer still needs.

564
MCQmedium

A network engineer runs the following command to troubleshoot DHCPv6 guard: R1# debug ipv6 dhcp guard *Mar 1 00:03:45.678: IPv6-DHCP-Guard: R1, Fa0/0, DHCPv6 SOLICIT from fe80::3, client DUID 00010001abcd1234 *Mar 1 00:03:45.678: IPv6-DHCP-Guard: R1, Fa0/0, DHCPv6 SOLICIT from fe80::3 is allowed by policy DHCP-POLICY *Mar 1 00:03:46.901: IPv6-DHCP-Guard: R1, Fa0/0, DHCPv6 ADVERTISE from fe80::4, server DUID 0001000156789012 *Mar 1 00:03:46.901: IPv6-DHCP-Guard: R1, Fa0/0, DHCPv6 ADVERTISE from fe80::4 is blocked by policy DHCP-POLICY What does this output indicate?

A.DHCPv6 guard is allowing client messages but blocking server messages from untrusted sources, preventing rogue DHCPv6 servers.
B.DHCPv6 guard is blocking all DHCPv6 messages, indicating a misconfiguration.
C.DHCPv6 guard is allowing all messages but logging them for analysis.
D.DHCPv6 guard is not configured; the debug output is from default DHCPv6 behavior.
AnswerA

The ADVERTISE from fe80::4 is blocked, which is typical for DHCPv6 guard on untrusted ports.

Why this answer

The debug shows DHCPv6 guard filtering DHCPv6 messages. Client SOLICIT is allowed, but server ADVERTISE from fe80::4 is blocked, indicating the source is not a trusted DHCPv6 server.

565
Multi-Selecthard

Which THREE symptoms indicate a potential OSPFv2 neighbor adjacency problem due to a mismatch in configuration? (Choose THREE.)

Select 3 answers
A.The neighbor state remains stuck in INIT or EXSTART.
B.The neighbor state is 2WAY/DROTHER.
C.The 'show ip ospf neighbor' output shows the neighbor but with a state of DOWN.
D.The 'show ip ospf neighbor' output shows the neighbor but with a state of EXSTART/EXCHANGE.
E.The OSPF routes are missing from the routing table.
AnswersA, D, E

Mismatched parameters (e.g., timers, area ID) often prevent full adjacency, leaving the state in INIT or EXSTART.

Why this answer

A mismatch in hello/dead timers, area ID, authentication, or subnet mask stops hellos from being accepted, so the neighbor never progresses beyond INIT (or never appears at all). An MTU mismatch lets hellos succeed but breaks database description exchange, so the neighbor sits in EXSTART/EXCHANGE. A mismatched network type (for example point-to-point on one side and broadcast on the other) can leave the adjacency stuck or produce routes that are learned but unusable. In all of these cases the OSPF routes from that neighbor are absent from the routing table, which is why option E is also a valid symptom, even though missing routes alone do not say which parameter is wrong.

Option B is wrong because 2WAY/DROTHER is the normal, healthy state between two non-designated routers on a broadcast segment. Option C is wrong because DOWN is shown only for statically configured (NBMA) neighbors from which no hello has been received, not as the result of a parameter mismatch.

566
MCQhard

An engineer configures an IPsec site-to-site VPN between two routers using iBGP for routing. The BGP session comes up, but routes learned from the remote site are not installed in the routing table. The engineer verifies that the IPsec tunnel is up and that the BGP prefixes are present in the BGP table. What is the most likely explanation?

A.The BGP synchronization rule is enabled, and the IGP does not carry the BGP routes, preventing installation.
B.The next-hop address for the BGP routes is the physical interface IP of the remote router, which is not reachable through the tunnel, so the route is not installed.
C.The IPsec transform set uses SHA-2 authentication, which is incompatible with BGP MD5 authentication.
D.The BGP session is using loopback interfaces, and the IPsec tunnel is not configured to encrypt traffic to the loopback.
AnswerB

iBGP does not change the next hop by default. If the BGP session is over the tunnel, but the next hop is the physical IP, the router cannot reach it unless the IGP or a static route points to the tunnel. The fix is to use next-hop-self on the neighbor.

Why this answer

In iBGP, the next-hop for routes learned from an eBGP peer is not changed by default. When the remote router advertises prefixes, it sets the next-hop to its physical interface IP address. If the IPsec tunnel is configured to encrypt traffic between the two routers' tunnel endpoints (e.g., virtual tunnel interfaces or crypto maps applied to physical interfaces), the physical interface IP of the remote router may not be reachable through the tunnel.

BGP will not install a route in the routing table if the next-hop is not reachable via a valid route in the routing table, even if the BGP session is up and the prefixes are in the BGP table.

Exam trap

Cisco often tests the concept that BGP route installation depends on next-hop reachability, and candidates mistakenly assume that a working BGP session and IPsec tunnel guarantee route installation, ignoring the need for the next-hop to be reachable via the routing table.

How to eliminate wrong answers

Option A is wrong because BGP synchronization has been disabled by default in Cisco IOS since 12.2(8)T and is almost never enabled in a site-to-site design like this; even if it were on, the symptom described (prefixes present in the BGP table with an unreachable next hop) points at next-hop resolution, not at an IGP check. Option C is wrong because the IPsec transform set (SHA-2 for ESP integrity) and BGP's TCP MD5 authentication are independent mechanisms operating at different layers and never conflict. Option D is wrong because peering between loopbacks does not by itself prevent route installation; the session is already up, so whatever the tunnel encrypts is sufficient for BGP's own traffic, and the problem is that the advertised next hop is not in the routing table.
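
A configuration that avoids the problem, added as an example (it is not from the question bank): the IPsec tunnel is a virtual tunnel interface, the iBGP session runs between the tunnel addresses, and 'next-hop-self' rewrites the next hop of every advertised prefix to an address the other side can route to. The public addresses 203.0.113.1/2, the tunnel subnet 10.255.0.0/30, AS 65000 and the IKEv2 profile names are assumptions.

```cisco
! Added example (not from the question bank): IPsec VTI plus iBGP with
! next-hop-self, for the scenario in question 566. Public addresses
! (203.0.113.x), tunnel subnet 10.255.0.0/30, AS 65000 and all profile
! names are assumptions.
!
! ---- R1 ----
crypto ikev2 proposal IKE-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKE-POL
 proposal IKE-PROP
!
crypto ikev2 keyring KR
 peer R2
  address 203.0.113.2
  pre-shared-key Str0ngK3y!
!
crypto ikev2 profile IKE-PROF
 match identity remote address 203.0.113.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PROF
 set transform-set TS
 set ikev2-profile IKE-PROF
!
! Route-based VPN: anything routed into Tunnel0 is encrypted, so no
! crypto ACL has to enumerate the BGP next hops.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
!
router bgp 65000
 bgp router-id 10.255.0.1
 ! Peer on the TUNNEL addresses so the session itself rides the VTI.
 neighbor 10.255.0.2 remote-as 65000
 ! Rewrite the next hop of everything sent to R2 to 10.255.0.1. Without
 ! this, eBGP-learned prefixes keep their original (physical) next hop,
 ! which R2 cannot route to, so they stay in R2's BGP table but never
 ! reach its RIB.
 neighbor 10.255.0.2 next-hop-self
!
! ---- R2: same crypto with the addresses swapped, and the mirror image
! of the BGP stanza ----
router bgp 65000
 bgp router-id 10.255.0.2
 neighbor 10.255.0.1 remote-as 65000
 neighbor 10.255.0.1 next-hop-self
!
! Verification on either side: a prefix whose next hop cannot be
! resolved is printed with "(inaccessible)" after the next hop in the
! detailed view and is missing from "show ip route"; after next-hop-self
! the next hop is the peer's tunnel address.
show ip bgp
show ip route bgp
```

'next-hop-self' is needed on whichever router advertises prefixes it learned from an eBGP peer; applying it on both sides is harmless and keeps the configuration symmetric.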

567
Drag & Dropmedium

Drag and drop the steps to verify and validate Device Access Control operational state into the correct order, from first to last.

Why this order

First, check the AAA server reachability to ensure the backend is accessible. Then verify the active authentication method list applied globally. Next, confirm the authorization method list for exec or commands.

After that, validate the accounting configuration to track access. Finally, test the actual access control by attempting a remote login.

568
MCQmedium

A network engineer runs the following command on Router R1: R1# show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 10.1.1.2 1 FULL/DROTHER 00:00:35 192.168.12.2 GigabitEthernet0/0 10.1.1.3 1 FULL/DR 00:00:32 192.168.13.3 GigabitEthernet0/1 Based on this output, which statement is correct?

A.Router R1 is the DR on the segment connected to GigabitEthernet0/0.
B.Router R1 has a full adjacency with both neighbors and is in a stable state.
C.Router R1 is experiencing a neighbor timeout on GigabitEthernet0/1.
D.Router R1 is not receiving hello packets from 10.1.1.2.
AnswerB

Both neighbors show FULL state, indicating complete adjacency. Dead times are decreasing normally, so adjacencies are stable.

Why this answer

The output shows two OSPF neighbors, both in FULL state, which means database exchange completed on both links. FULL/DROTHER on GigabitEthernet0/0 tells you that the neighbor is neither DR nor BDR there; since a router only forms a FULL adjacency with a DROTHER when it is itself the DR or BDR, R1 must be one of the two on that segment, but this output cannot say which, so option A is not supported ('show ip ospf interface GigabitEthernet0/0' would settle it). FULL/DR on GigabitEthernet0/1 means that neighbor is the designated router there.

The dead times (35 and 32 seconds out of a default 40) are within normal range and still counting down, so hellos are being received and neither option C nor option D applies.

569
MCQmedium

An engineer configures NAT on a router with 'ip nat inside source list 1 interface GigabitEthernet0/0 overload'. The inside hosts are 10.0.0.0/24, and the outside interface is 203.0.113.1. Traffic works for most hosts, but one host at 10.0.0.50 cannot access the internet. 'Show ip nat translations' shows no entry for this host. 'Show access-lists' shows ACL 1 permits 10.0.0.0 0.0.0.255. What is the most likely cause?

A.The host's IP address is statically assigned and conflicts with another device.
B.The host has a misconfigured subnet mask or default gateway.
C.The NAT pool is exhausted.
D.The router's inside interface is administratively down.
AnswerB

Correct because if the host's default gateway is not the router's inside interface (or subnet mask is wrong), the host will not send traffic to the router, so no NAT translation is attempted.

Why this answer

The ACL and NAT configuration are shared with the hosts that work, so they are not the problem; whatever is unique to 10.0.0.50 is. No translation entry means the router never saw a packet from that host bound for the outside, which is what happens when the host's default gateway or subnet mask is wrong and its traffic never reaches the router's inside interface. Confirm by checking whether the router has an ARP entry for the host ('show ip arp 10.0.0.50') and whether the host can ping the router's inside address before looking any further at NAT. Option C is wrong because overload on a single interface address can run out of ports, but that would affect many hosts rather than a single one; option D would break every host.

570
MCQeasy

What is the default CoPP policer action for packets that exceed the committed information rate (CIR)?

A.Transmit with best-effort
B.Drop
C.Set DSCP to 0
D.Queue for later transmission
AnswerB

The default policer action for exceeding traffic is to drop the packets.

Why this answer

By default, the CoPP policer uses a single-rate two-color marker where packets exceeding the CIR are dropped.

571
Drag & Drophard

Drag and drop the steps to troubleshoot Device Management adjacency or connectivity failures into the correct order, from first to last.

Why this order

Troubleshooting starts with checking basic IP connectivity, then verifying the management protocol (e.g., NETCONF/RESTCONF) status, ensuring the correct port is open, checking AAA/authorization, and finally reviewing logs for errors.

572
MCQmedium

A network engineer runs the following command to verify NAT on an interface: R1# show ip nat interface GigabitEthernet0/1 GigabitEthernet0/1 is up, line protocol is up NAT: inside, active NAT: outside, active NAT: overload, active What is the issue with this configuration?

A.The interface is configured as both inside and outside, which is invalid.
B.The interface is correctly configured for NAT.
C.The interface is down.
D.Overload is not active.
AnswerA

NAT requires separate inside and outside interfaces.

Why this answer

The interface is configured as both inside and outside, which is incorrect. An interface should be either inside or outside, not both.

573
MCQhard

In a DMVPN network with VRF-Lite, Router R1 (hub) and R2 (spoke) are configured for VRF-A. The DMVPN tunnel is up, but spoke-to-spoke traffic between R2 and R3 (another spoke) fails. R1 has configuration: interface Tunnel0, ip vrf forwarding VRF-A, ip address 172.16.0.1 255.255.255.0, tunnel source Gig0/0, tunnel mode gre multipoint. R2 has similar configuration with tunnel destination dynamic. The NHRP map for R3 is missing on R2. What is the root cause?

A.The NHRP mapping for R3 is missing on R2, preventing direct spoke-to-spoke tunnel establishment.
B.The tunnel mode should be gre multipoint on all spokes.
C.The VRF must be removed from the tunnel interface for DMVPN to work.
D.The hub router must have a static route for each spoke.
AnswerA

Correct: Without NHRP mapping, R2 cannot send traffic directly to R3; it must go through the hub.

Why this answer

In DMVPN, spokes only map the hub statically; every other spoke is discovered through NHRP resolution via the hub. The "missing NHRP map for R3" on R2 is therefore a missing dynamic entry in 'show ip nhrp', meaning R2 never completed a resolution for R3. Without it R2 has no NBMA address to send spoke-to-spoke traffic to, so that traffic either hairpins through the hub (Phase 3 without a shortcut) or fails outright (Phase 2 when the hub does not preserve the spoke's next hop).

The root cause is the failed NHRP resolution. With VRF-Lite the usual culprits are the VRF not being applied consistently (placing the tunnel in VRF-A with 'ip vrf forwarding' while the transport stays global is fine, but the NHRP next-hop server, network-id and the routing protocol for the tunnel must all live in that same VRF on hub and spokes) or the hub not being configured to trigger resolution ('ip nhrp redirect' on the hub with 'ip nhrp shortcut' on the spokes for Phase 3, or 'no ip next-hop-self eigrp' on the hub for Phase 2). 'show dmvpn detail' and 'debug nhrp' on R2 show whether the resolution request is sent and whether the hub answers it.
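
A VRF-aware DMVPN Phase 3 configuration for this topology, added here as an example and not taken from the question bank. The NBMA addresses (198.51.100.x), the NHRP authentication string, the tunnel key and the EIGRP AS are assumptions; the tunnel addresses and VRF name are the ones from the question.

```cisco
! Added example (not from the question bank): DMVPN Phase 3 with the
! tunnel in VRF-A and the transport in the global table, for the
! topology in question 573. NBMA addresses (198.51.100.x), the NHRP
! authentication string, tunnel key and EIGRP AS are assumptions.
!
! ---- R1 (hub) ----
ip vrf VRF-A
 rd 65000:1
!
interface Tunnel0
 ! Inside (passenger) traffic belongs to VRF-A ...
 ip vrf forwarding VRF-A
 ip address 172.16.0.1 255.255.255.0
 ip nhrp authentication DMVPNKEY
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 ! ... and Phase 3: tell spokes to resolve a better path for
 ! spoke-to-spoke flows instead of hairpinning through the hub.
 ip nhrp redirect
 ! Spokes must learn each other's prefixes through the hub.
 no ip split-horizon eigrp 100
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 ! No "tunnel vrf" here: the outer GRE/IP packets use the global table.
 tunnel key 1
!
router eigrp 100
 address-family ipv4 vrf VRF-A autonomous-system 100
  network 172.16.0.0 0.0.0.255
  no auto-summary
!
! ---- R2 (spoke); R3 is identical apart from 172.16.0.3 and its own
! NBMA address ----
ip vrf VRF-A
 rd 65000:1
!
interface Tunnel0
 ip vrf forwarding VRF-A
 ip address 172.16.0.2 255.255.255.0
 ip nhrp authentication DMVPNKEY
 ip nhrp network-id 1
 ! Only the hub is mapped statically; other spokes arrive via NHRP.
 ip nhrp map 172.16.0.1 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 ip nhrp nhs 172.16.0.1
 ! Act on the hub's redirect and build the direct spoke-to-spoke tunnel.
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
!
router eigrp 100
 address-family ipv4 vrf VRF-A autonomous-system 100
  network 172.16.0.0 0.0.0.255
  no auto-summary
!
! Verification on R2 after sending traffic toward an R3 network: a
! "Type: dynamic" entry for R3's tunnel address should appear, and the
! R3 prefix should now point directly at R3 in the VRF routing table.
show ip nhrp
show dmvpn
show ip route vrf VRF-A
```

If the dynamic entry never appears, 'debug nhrp' on R2 shows whether a resolution request leaves at all; a request that is sent but never answered usually means the hub's NHRP configuration is not in the same VRF as the tunnel.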

574
MCQhard

An engineer configures a route map to filter BGP routes based on AS-path using a regex. The route map is applied inbound to an eBGP neighbor. The engineer notices that routes with an AS-path containing the neighbor's AS are still being accepted. Which is the most likely explanation?

A.The AS-path is prepended with the local AS before the inbound route map is applied, so the regex does not match the original AS-path.
B.The route map is applied outbound instead of inbound.
C.The regex is incorrect; it should use _AS_ to match the AS number.
D.The neighbor is configured with 'send-community' which overrides the route map.
AnswerC

An inbound route-map sees the AS-path exactly as the neighbor sent it; if the filter is not matching, the regular expression itself is wrong, usually because it is anchored so that it only matches a single-AS path.

Why this answer

Cisco IOS never prepends the local AS to a route it receives; the local AS is added only when a route is advertised to an eBGP peer, so option A describes something that does not happen. The AS-path in an inbound update from an eBGP neighbor already begins with the neighbor's AS, because the neighbor prepended its own AS when it sent the route. If routes containing a given AS are still accepted, the regular expression in the 'ip as-path access-list' is not matching the paths in question. Taking 65002 as the AS to be matched: '^65002$' matches only a path that consists of exactly that one AS, a bare '65002' also matches 165002 or 650020, whereas '_65002_' matches that AS as a whole number anywhere in the path, since '_' stands for the start, the end, a space or a comma. Test the expression with 'show ip bgp regexp' before applying it, and remember that an inbound policy change only affects routes received after a 'clear ip bgp <neighbor> soft in'. Option B contradicts the question (the map is inbound), and option D is wrong because 'send-community' controls community attributes on outbound updates and has no effect on an inbound route-map.
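
A correctly anchored AS-path filter, added as an example (not from the question bank). The neighbor 10.1.12.2 in AS 65002, the transit AS 65010 to be rejected and the list numbers are assumptions; the example filters a transit AS rather than the neighbor's own AS, because every route from an eBGP neighbor contains the neighbor's AS and filtering on it would reject all of them.

```cisco
! Added example (not from the question bank): AS-path filtering with a
! correctly anchored regex, for question 574. Neighbor 10.1.12.2 in
! AS 65002, the transit AS 65010 and the list numbers are assumptions.
!
! Common mistake: "^65010$" only matches a path consisting of exactly
! one AS, i.e. routes ORIGINATED by 65010. A path such as
! "65002 65010 65020" slips through because 65010 is neither first
! nor alone.
!
! "_65010_" matches 65010 anywhere: "_" stands for start, end, space or
! comma, so it cannot accidentally match 165010 or 650100 either.
ip as-path access-list 10 permit _65010_
!
route-map FROM-65002 deny 10
 description drop anything that passed through AS 65010
 match as-path 10
!
route-map FROM-65002 permit 20
 description accept everything else unchanged
!
router bgp 65001
 neighbor 10.1.12.2 remote-as 65002
 neighbor 10.1.12.2 route-map FROM-65002 in
!
! Test the regex against the BGP table before relying on it.
show ip bgp regexp _65010_
! Inbound policy is NOT applied retroactively to routes already in the
! table; ask the neighbor for a fresh copy (route refresh, no reset).
clear ip bgp 10.1.12.2 soft in
!
! Other anchors worth remembering:
!   ^65002_     paths that BEGIN with AS 65002 (everything from that peer)
!   _65010$     paths that END with 65010 (routes originated there)
!   ^$          locally originated prefixes (empty AS-path)
```

After the soft refresh, 'show ip bgp regexp _65010_' should return nothing, and 'show ip bgp neighbors 10.1.12.2 | include prefix' shows the reduced count of accepted prefixes.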

575
MCQhard

A network engineer runs the following command on Router R1: R1# show ip eigrp topology 10.50.50.0/24 EIGRP-IPv4 Topology Entry for AS(100)/ID(192.168.1.1) for 10.50.50.0/24 State: Active, Reply status: 0, Originating router: 192.168.1.1 Routing Descriptor Blocks: 10.1.1.2 (GigabitEthernet0/0), from 10.1.1.2, Send flag: 0x0 Composite metric: (4294967295/4294967295), Route is Internal Vector metric: Minimum bandwidth: 100000 Kbit Total delay: 100 microseconds Reliability: 255/255 Load: 1/255 Minimum MTU: 1500 Hop count: 1 Based on this output, what is the problem?

A.The route is in Active state with an infinite metric, indicating that the router has lost the route and is querying for a new path.
B.The route is passive and stable.
C.The metric of 4294967295 is normal for a summary route.
D.The hop count of 1 indicates the route is one hop away and reachable.
AnswerA

Active state with Infinity metric means the route is unreachable and the router is actively seeking a replacement.

Why this answer

The route to 10.50.50.0/24 is in Active state, meaning the router has lost its successor, has no feasible successor, and is querying its neighbors for a new path. The composite metric of 4294967295 (infinity) confirms the route is currently unreachable, and 'Reply status: 0' with one descriptor block shows which neighbor still owes a reply. 'show ip eigrp topology active' lists only such entries; if the Active timer (3 minutes by default) expires without all replies, the route becomes Stuck-in-Active and the neighbor that failed to reply is reset, so a route that stays Active is a problem worth chasing rather than a transient.

576
MCQhard

A network engineer runs the following command on Router R1: R1# show ip policy Interface Route-map GigabitEthernet0/0 PBR-MULTI R1# show route-map PBR-MULTI route-map PBR-MULTI, permit, sequence 10 Match clauses: ip address (access-lists): 140 Set clauses: ip next-hop 10.0.0.2 10.0.0.3 Policy routing matches: 200 packets, 18000 bytes R1# show ip route 10.0.0.2 Routing entry for 10.0.0.2/32 Known via "eigrp 1", distance 90, metric 28160 Last update from 192.168.1.2 on GigabitEthernet0/1 R1# show ip route 10.0.0.3 % Network not in routing table Based on this output, what is the most likely behavior for packets matching ACL 140?

A.Packets are load-balanced between 10.0.0.2 and 10.0.0.3.
B.Packets are forwarded to 10.0.0.2.
C.Packets are dropped because one next-hop is unreachable.
D.Packets are forwarded to 10.0.0.3 via a recursive lookup.
AnswerB

Since 10.0.0.2 is reachable, PBR uses it. The unreachable 10.0.0.3 is ignored.

Why this answer

When multiple next hops are listed in a 'set ip next-hop' clause, PBR walks them in order and uses the first one it can use; the remaining entries are fallbacks, not load-balancing members. Here 10.0.0.2 is usable, so matching packets go to 10.0.0.2, and the absence of a route to 10.0.0.3 is irrelevant until 10.0.0.2 becomes unusable.

Two caveats matter in practice. First, the command reference states that a 'set ip next-hop' address must be adjacent; for a next hop learned through the IGP, as 10.0.0.2 is here (via EIGRP from 192.168.1.2), 'set ip next-hop recursive' makes the recursive resolution explicit. Second, PBR only checks that it has a usable adjacency for the next hop; it does not probe whether the next hop actually forwards traffic. 'set ip next-hop verify-availability' (with CDP, or with an IP SLA 'track' object) adds that check, so that a next hop whose device has died is skipped in favour of the next one in the list.
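
The same policy with per-next-hop health checks, added as an example (not from the question bank). The ACL 140 contents, the IP SLA and track numbers are assumptions; the next hops and route-map name are the ones from the question.

```cisco
! Added example (not from the question bank): the PBR policy from
! question 576 rewritten so that a dead next hop is detected and skipped
! rather than merely having a route. ACL 140 contents, the IP SLA
! operations and track objects are assumptions.
!
access-list 140 permit ip 192.168.10.0 0.0.0.255 any
!
! Probe each candidate next hop every 5 seconds.
ip sla 1
 icmp-echo 10.0.0.2
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 10.0.0.3
 frequency 5
ip sla schedule 2 life forever start-time now
!
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
route-map PBR-MULTI permit 10
 match ip address 140
 ! Sequence numbers give the preference order: 10.0.0.2 first, 10.0.0.3
 ! only while track 1 is down. If both tracks are down no set clause is
 ! applied and the packet is routed normally (it is not dropped).
 set ip next-hop verify-availability 10.0.0.2 10 track 1
 set ip next-hop verify-availability 10.0.0.3 20 track 2
!
interface GigabitEthernet0/0
 ip policy route-map PBR-MULTI
!
! Verification: per-next-hop reachability, then the policy hit counters.
show track brief
show route-map PBR-MULTI
```

'show track brief' should show track 1 Up and, given the routing table in the question, track 2 Down; packets matching ACL 140 keep using 10.0.0.2 until the first probe to it fails.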

577
Drag & Drophard

Drag and drop the steps to troubleshoot syslog connectivity failures into the correct order, from first to last.

Why this order

First, verify reachability to the syslog server using ping. Then, check if the syslog server port (UDP 514) is open. Next, review the logging configuration on the router.

After that, examine ACLs that may block syslog traffic. Finally, enable debug ip udp to monitor syslog packet flow.

578
MCQhard

A network engineer is troubleshooting MPLS traffic engineering (TE) tunnels. A TE tunnel from Router A to Router B is configured but remains down. The engineer runs show mpls traffic-eng tunnels and sees that the tunnel is in 'down' state with the error 'Path computation failed'. The IGP is OSPF with MPLS TE enabled, and the network is fully meshed. What is the most likely root cause?

A.MPLS TE is not enabled on all interfaces along the path.
B.The tunnel destination is not reachable via the IGP.
C.RSVP is not configured on the tunnel interface.
D.The tunnel bandwidth is set too high, exceeding available bandwidth.
AnswerA

Correct because MPLS TE must be enabled on each interface to advertise link attributes into the TED; otherwise, the headend cannot compute a constraint-based path.

Why this answer

The 'Path computation failed' error indicates that the headend router cannot find a path meeting the constraints. Since OSPF TE is enabled, the issue is likely that the traffic engineering database (TED) is incomplete because MPLS TE is not enabled on all intermediate interfaces, preventing the headend from learning link attributes.

579
MCQ · medium

A network engineer runs the following command on Router R1:

R1# show bfd neighbors detail
IPv4 Sessions
NeighborAddr  LD/RD  Int    State  Holdown(mult)  Intf
10.1.1.2      1/3    Gi0/0  Up     3000(3)        Gi0/0
Session state is UP and not using echo function.
OurAddr: 10.1.1.1
Handle: 1
Local Diag: 0, Demand mode: 0, Poll bit: 0
MinTxInt: 1000000, MinRxInt: 1000000, Multiplier: 3
Received MinRxInt: 1000000, Received Multiplier: 3
Holddown (hits): 3000(0)
Rx Count: 100, Tx Count: 100

Based on this output, what is the BFD session's negotiated receive interval?

A. The negotiated receive interval is 1000 ms.
B. The negotiated receive interval is 500 ms.
C. The negotiated receive interval is 3000 ms.
D. The negotiated receive interval is 100 ms.
Answer: A

The local MinRxInt is 1000000 microseconds = 1000 ms, meaning the router can receive packets at that interval.

Why this answer

The negotiated receive interval is the larger of the local MinRxInt and the peer's MinTxInt. The output does not show the peer's MinTxInt directly; it shows the received MinRxInt, but the local receive interval is governed by the local MinRxInt.

The local MinRxInt is 1000000 microseconds, so the router can receive BFD packets at intervals of 1000 ms or slower. The negotiated receive interval is typically the local MinRxInt, which is 1000 ms.

580
Multi-Select · medium

Which TWO commands can be used to verify OSPFv2 path selection and cost metrics on a Cisco IOS router? (Choose TWO.)

Select 2 answers
A. show ip ospf interface
B. show ip route ospf
C. show ip ospf neighbor
D. traceroute
E. show ip protocols
Answers: A, B

This command displays the OSPF cost assigned to each interface.

Why this answer

The 'show ip ospf interface' command displays the cost of the interface. The 'show ip route ospf' command shows the metric for each OSPF route. 'show ip ospf neighbor' does not show cost; 'traceroute' shows path but not OSPF cost; 'show ip protocols' shows process info but not per-route metrics.

581
MCQ · medium

A network engineer runs the following command to troubleshoot OSPF route propagation:

R1# show ip ospf database router 2.2.2.2

            OSPF Router with ID (1.1.1.1) (Process ID 1)

                Router Link States (Area 0)

  LS age: 45
  Options: (No TOS-capability, DC)
  LS Type: Router Links
  Link State ID: 2.2.2.2
  Advertising Router: 2.2.2.2
  LS Seq Number: 80000005
  Checksum: 0x1234
  Length: 48
  Number of Links: 2

    Link connected to: a Transit Network
     (Link ID) Designated Router address: 10.1.1.2
     (Link Data) Router Interface address: 10.1.1.2
      Number of TOS metrics: 0
       TOS 0 Metrics: 10

    Link connected to: a Stub Network
     (Link ID) Network/subnet number: 192.168.1.0
     (Link Data) Network Mask: 255.255.255.0
      Number of TOS metrics: 0
       TOS 0 Metrics: 10

What does this output indicate?

A. Router 2.2.2.2 is advertising two stub networks.
B. Router 2.2.2.2 has a link to a transit network with DR address 10.1.1.2 and a stub network 192.168.1.0/24.
C. The LSA indicates a Type 5 External LSA from an ASBR.
D. The output shows the network LSA for the transit network.
Answer: B

The LSA shows exactly these two links with their types and metrics.

Why this answer

The output shows the router LSA from neighbor 2.2.2.2, listing its connected links including a transit network and a stub network.

582
Multi-Select · hard

Which TWO statements about SNMPv3 engine ID configuration are true? (Choose TWO.)

Select 2 answers
A. The engine ID must be manually configured for SNMPv3 to function.
B. If the engine ID is changed, all existing SNMPv3 users must be reconfigured.
C. The engine ID is used to generate the authentication and encryption keys for SNMPv3 users.
D. The engine ID can be up to 64 octets in length.
E. The engine ID is automatically generated based on the router's serial number.
Answers: B, C

Changing the engine ID invalidates the authentication and encryption keys derived from the old engine ID, requiring users to be reconfigured.

Why this answer

The SNMP engine ID uniquely identifies an SNMPv3 entity. It can be manually configured with the 'snmp-server engine-id' command. If not configured, it is automatically generated based on the router's MAC address.

The engine ID must be unique within a management domain. Changing the engine ID invalidates existing SNMPv3 users (keys are re-derived). The engine ID is used for message processing and key generation.

583
MCQ · hard

Examine this configuration on Router R6:

router ospf 1
 redistribute eigrp 100 subnets
 default-information originate always

What is a likely problem with this configuration?

A. The 'default-information originate always' command is not allowed with redistribution.
B. The router will advertise a default route into OSPF even if it does not have a default route itself, potentially causing blackholing.
C. The 'subnets' keyword is missing for EIGRP redistribution.
D. The redistribution will only work if EIGRP routes have a metric set.
Answer: B

The 'always' keyword forces the default route advertisement regardless of the local routing table.

Why this answer

The 'default-information originate always' will generate a default route into OSPF regardless of whether a default route exists in the routing table. This can cause routing issues if the router does not actually have a default route, as it will attract traffic for unknown destinations.

584
MCQ · easy

A network engineer runs the following command on Router R1:

R1# show flow monitor FLOW-MONITOR-1 statistics
Monitor: FLOW-MONITOR-1
Record: netflow-original
Exporter: EXPORTER-1
Cache size: 1000
Current entries: 0
Flows exported: 0
Packets exported: 0
Sampler: Not configured
Flow Monitor is not attached to any interface

Based on this output, what action should the engineer take to resolve the issue?

A. Configure a sampler on the flow monitor.
B. Apply the flow monitor to an interface using the 'ip flow monitor FLOW-MONITOR-1 input' command.
C. Increase the cache size to 2000 entries.
D. Change the record type to netflow ipv4 original.
Answer: B

The flow monitor must be attached to an interface to capture traffic.

Why this answer

The output explicitly states 'Flow Monitor is not attached to any interface'. The solution is to apply the flow monitor to an interface using the 'ip flow monitor' command.

585
MCQ · hard

EIGRP stuck-in-active (SIA) occurs in a large network. On Router R1, 'show ip eigrp topology 10.0.0.0/24' shows:

P 10.0.0.0/24, 1 successors, FD is 128000, Q is 0, SIA is 00:01:00

and 'show ip eigrp neighbors' shows neighbor R2 in state 'Active'. R1's configuration includes:

router eigrp 100
 network 10.0.0.0
 passive-interface default

What is the root cause?

A. R2 has 'passive-interface default' configured, which prevents it from sending query replies back to R1.
B. R1 has a route-map that filters the query for prefix 10.0.0.0/24.
C. The EIGRP K-values mismatch between R1 and R2 causes neighbor relationship issues.
D. The network 10.0.0.0 is not directly connected; redistribution is needed.
Answer: A

Passive interface on R2 blocks EIGRP packets, including replies, causing SIA on R1.

Why this answer

EIGRP SIA occurs when a query is not answered within the active timer. The 'passive-interface default' command makes all interfaces passive, so no EIGRP hellos or queries are sent on them. If R1's interface toward R2 is passive, no queries are sent at all; but if R1 originates the query and R2 does not respond because the interface on R2's side is passive, SIA results.

In this scenario, R1's neighbor R2 is shown in Active state, meaning R1 sent a query to R2 and R2 did not reply. The likely reason is that R2 has a passive interface toward R1, which blocks the query reply.

586
Drag & Drop · hard

Drag and drop the steps for troubleshooting MPLS operations adjacency or connectivity failures into the correct order, from first to last.


Why this order

Start by verifying LDP neighbor state, then check interface MPLS enablement, inspect label bindings, test end-to-end LSP connectivity, and finally validate TTL propagation for troubleshooting.

587
MCQ · hard

A network engineer runs the following command on Router R1:

R1# show mpls forwarding-table
Local  Outgoing   Prefix          Bytes Label  Outgoing   Next Hop
Label  Label      or Tunnel Id    Switched     interface
16     Pop Label  10.1.1.0/24     0            Gi0/0      192.168.1.2
17     21         10.2.2.0/24     1500         Gi0/0      192.168.1.2
18     Untagged   10.3.3.0/24     0            Gi0/1      192.168.2.2

Based on this output, what is the problem with the label entry for 10.3.3.0/24?

A. The label 18 is being swapped correctly.
B. The prefix 10.3.3.0/24 is being forwarded with MPLS label 18.
C. The next-hop router 192.168.2.2 is not an LDP neighbor for this prefix.
D. The label 18 is being popped by the next-hop router.
Answer: C

'Untagged' indicates the next hop did not provide a label.

Why this answer

The entry for 10.3.3.0/24 shows 'Untagged' in the outgoing label column, meaning the router is forwarding IP packets without an MPLS label. This indicates that the next-hop router (192.168.2.2) did not assign a label for this prefix, possibly because LDP is not enabled on that interface or the neighbor is not an LDP peer.

588
MCQ · medium

A network engineer runs the following commands on Router R1:

R1# show ip nat translations
Pro  Inside global  Inside local  Outside local  Outside global
---  192.0.2.10     10.0.0.10     ---            ---
---  192.0.2.11     10.0.0.11     ---            ---
---  192.0.2.12     10.0.0.12     ---            ---
R1# show ip nat statistics
Total active translations: 3 (0 static, 3 dynamic; 3 extended)
Outside interfaces: GigabitEthernet0/1
Inside interfaces: GigabitEthernet0/0
Hits: 45 Misses: 0
CEF Translated packets: 45, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id] ip nat pool POOL1 192.0.2.10 192.0.2.20 netmask 255.255.255.240 refcount 3
map-id 1 overload
[Id] ip nat inside source list ACL1 pool POOL1 overload refcount 3

Based on this output, which statement is correct?

A. PAT is working correctly; translations are dynamic and overload is enabled.
B. NAT is failing because the pool is exhausted.
C. Static NAT is configured, but dynamic NAT is not working.
D. The inside and outside interfaces are reversed.
Answer: A

The output shows dynamic mappings with overload, and translations are active. No errors or misses indicate proper operation.

Why this answer

The output shows dynamic NAT with overload (PAT). The pool has 16 addresses (192.0.2.10–192.0.2.20), but only 3 translations are active. The '---' in the protocol column indicates no protocol-specific translation (e.g., TCP/UDP), which is normal for PAT when only one host per inside global is used.

The correct answer is that PAT is working correctly.

589
MCQ · hard

An EIGRP network has routers R1, R2, and R3, each configured with:

router eigrp 100
 network 10.0.0.0

R1 shows:

R1# show ip eigrp topology 10.1.1.0/24
EIGRP-IPv4 Topology Entry for 10.1.1.0/24
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 128256
  Routing Descriptor Blocks:
  10.2.1.2 (Serial0/0/0), from 10.2.1.2, Send flag is 0x0
      Composite metric is (128256/156160), Route is Internal
  10.3.1.3 (Serial0/0/1), from 10.3.1.3, Send flag is 0x0
      Composite metric is (156160/128256), Route is Internal
R1# show ip route 10.1.1.0
Routing entry for 10.1.1.0/24
  Known via "eigrp 100", distance 90, metric 128256
  Last update from 10.2.1.2 on Serial0/0/0

R1 is using the path with the higher feasible distance as successor. What is the root cause?

A. The path with the higher FD is not feasible; EIGRP always selects the lowest FD.
B. An offset-list is applied to the lower-FD path, increasing its metric.
C. The route is in active state, causing EIGRP to use a backup path.
D. R1 has a distribute-list blocking the lower-FD path.
Answer: A

EIGRP selects the successor based on the lowest FD. The path with FD 156160 is not the successor.

Why this answer

EIGRP selects the successor based on the lowest feasible distance (FD). The output shows two paths, one with FD 128256 and one with FD 156160. The path with FD 128256 is the successor, and 'show ip route' shows metric 128256, which is consistent.

However, the question states that R1 is using the higher-FD path, which the output does not show. A root cause could be a configuration error that makes the lower-FD path unusable (for example, a route-map or offset-list), but the output indicates the lower-FD path is installed.

This scenario is tricky and the question may contain a misprint; the intended answer is that EIGRP always picks the lowest FD, so the higher-FD path is not used. The correct answer is that the higher-FD path is not the successor.

590
Drag & Drop · medium

Drag and drop the steps to verify and validate IPv6 First Hop Security operational state into the correct order, from first to last.


Why this order

Start by checking global IPv6 snooping status. Then display the binding table for learned entries. Verify interface-specific FHS policies.

Check the RA Guard policy counters for drops. Finally, validate the neighbor cache for correct MAC-to-IPv6 mappings.

591
MCQ · hard

A network engineer notices that BGP sessions between two directly connected routers are flapping every few minutes. The routers are running IOS-XE 17.3 and have CoPP enabled. The engineer checks the CoPP policy and sees a class-map matching BGP packets with a police rate of 8000 bps. The BGP session uses MD5 authentication and the routers exchange a full BGP table with 500,000 prefixes. What is the most likely cause of the BGP session flapping?

A. The BGP MD5 authentication is causing excessive CPU utilization, triggering CoPP drops.
B. The CoPP police rate of 8000 bps is too low for the BGP keepalive and update traffic, causing packet drops.
C. The CoPP class-map is not matching BGP packets correctly because it uses a wrong access-list.
D. The BGP hold timer is set too low, causing the session to reset before CoPP drops are noticed.
Answer: B

BGP with 500,000 prefixes generates significant update traffic, and 8000 bps is insufficient, leading to dropped packets and session flapping.

Why this answer

The CoPP policy is policing BGP control plane packets at a rate of 8000 bps, which is insufficient for the BGP keepalive and update traffic. BGP keepalives are sent every 60 seconds by default, but with 500,000 prefixes, the initial BGP update traffic can easily exceed 8000 bps, causing packets to be dropped and the session to flap.

592
MCQ · hard

An engineer is troubleshooting an IPv6 connectivity issue where hosts on VLAN 10 cannot reach the internet. The switch is configured with IPv6 First Hop Security features including RA Guard and DHCPv6 Guard. The legitimate router is connected to port Gi1/0/1. The engineer notices that the router is sending RAs, but hosts are not receiving them. The switch shows that RA Guard is dropping packets on port Gi1/0/1. What is the most likely misconfiguration?

A. The RA Guard policy is configured with 'device-role host' on port Gi1/0/1, which causes the switch to drop all RAs received on that port.
B. DHCPv6 Guard is configured on port Gi1/0/1, blocking the router's DHCPv6 server messages.
C. IPv6 Source Guard is enabled on the VLAN, and the router's IPv6 address is not in the binding table.
D. The switch has IPv6 unicast-routing enabled, and it is sending its own RAs, causing a conflict.
Answer: A

Correct because 'device-role host' tells the switch that only hosts are allowed on that port; RAs from a router will be dropped.

Why this answer

RA Guard drops RAs from devices that are not authorized as routers. If the legitimate router's MAC address is not included in the RA Guard policy's allowed list, or if the port is not configured with the correct device-role, the RAs will be dropped.

593
MCQ · medium

A network engineer runs the following command on Router R1:

R1# show ipv6 mld interface tunnel 0
Tunnel0 is up, line protocol is up
  Internet address is FE80::1
  MLD is enabled on interface
  Current MLD version is 2
  MLD query interval is 125 seconds
  MLD querier timeout is 255 seconds
  MLD max query response time is 10 seconds
  Last member query response interval is 1 second
  MLD activity: 0 joins, 0 leaves
  MLD querying router is FE80::1 (this system)

Based on this output, what can be concluded?

A. MLD is disabled on this interface.
B. This router is not the MLD querier.
C. There are no multicast listeners on this tunnel interface.
D. MLD version 1 is in use.
Answer: C

0 joins indicates no hosts have joined any multicast groups.

Why this answer

The output shows 'MLD activity: 0 joins, 0 leaves', indicating that no multicast listeners have joined any multicast group on this tunnel interface. Since MLD (Multicast Listener Discovery) is used to track group membership, zero joins means there are no active listeners. Therefore, option C is correct.

Exam trap

Cisco often tests the distinction between 'MLD enabled' and 'active listeners' — candidates may mistakenly think that MLD being enabled implies there are active group members, but the 'joins' counter directly reveals listener activity.

How to eliminate wrong answers

Option A is wrong because the output explicitly states 'MLD is enabled on interface', so MLD is not disabled. Option B is wrong because the output states 'MLD querying router is FE80::1 (this system)', confirming that this router is the MLD querier. Option D is wrong because the output shows 'Current MLD version is 2', not version 1.

594
MCQ · medium

A network engineer has configured BFD for OSPF as shown:

interface GigabitEthernet0/0
 bfd interval 300 min_rx 300 multiplier 3
!
router ospf 1
 bfd all-interfaces
!

However, BFD sessions are not coming up. What is the most likely missing configuration?

A. The 'bfd all-interfaces' command should be replaced with 'bfd interface GigabitEthernet0/0'.
B. The interface has no IP address configured.
C. The BFD timers must be set to 100 ms or less for OSPF.
D. The router must be configured with 'bfd map' commands for each neighbor.
Answer: B

Correct. Without an IP address on the interface, OSPF cannot form a neighbor relationship, and BFD requires an established OSPF adjacency to operate.

Why this answer

BFD requires that the interface has an IP address and is up/up. The configuration shown lacks an IP address on the interface, which is necessary for BFD to establish a session.

595
Multi-Select · hard

An engineer must implement CoPP to protect the control plane of a Cisco IOS router from a DoS attack targeting SSH and SNMP. Which TWO configuration changes are required? (Choose TWO.)

Select 2 answers
A. Create an extended ACL that matches TCP port 22 (SSH) and UDP port 161 (SNMP).
B. Apply the CoPP policy under the interface configuration mode using 'service-policy input'.
C. Configure a class-map that matches the ACL created in step A.
D. Apply the CoPP policy under the control-plane configuration using 'service-policy output'.
E. Use the 'police' command with 'conform-action drop' to drop all SSH and SNMP traffic.
Answers: A, C

Correct. ACLs are used to match the specific control plane traffic (SSH and SNMP) for classification.

Why this answer

To protect SSH and SNMP, the engineer must create ACLs to match these protocols, then create a class-map that references the ACLs, and a policy-map that applies a police rate with an appropriate action (e.g., drop for attack traffic). The policy-map must be applied under the control-plane configuration with 'service-policy input'. Applying under a physical interface is incorrect.

Using 'service-policy output' is also incorrect.

596
MCQ · hard

Which statement correctly describes the behavior of OSPF network type 'point-to-multipoint' regarding neighbor discovery?

A. Neighbors are discovered via multicast hello packets and a DR/BDR is elected.
B. Neighbors are discovered via unicast hello packets and no DR/BDR is elected.
C. Neighbors are discovered via multicast hello packets but no DR/BDR is elected.
D. Neighbors are discovered via unicast hello packets and a DR/BDR is elected.
Answer: B

Correct. Point-to-multipoint uses unicast hellos and no DR/BDR election.

Why this answer

In OSPF point-to-multipoint network type, neighbors are manually configured or discovered via unicast hello packets because the network does not support broadcast or multicast flooding. No Designated Router (DR) or Backup Designated Router (BDR) is elected because the network is treated as a collection of point-to-point links, avoiding the need for a central adjacency point.

Exam trap

Cisco often tests the misconception that point-to-multipoint uses multicast hellos (like broadcast or point-to-point) or that it still requires a DR/BDR (like NBMA), leading candidates to confuse it with other OSPF network types.

How to eliminate wrong answers

Option A is wrong because point-to-multipoint uses unicast hello packets, not multicast, and does not elect a DR/BDR. Option C is wrong because although it correctly states no DR/BDR is elected, it incorrectly claims neighbors are discovered via multicast hello packets. Option D is wrong because it incorrectly states that a DR/BDR is elected, which is not true for point-to-multipoint; this behavior is characteristic of broadcast or non-broadcast multi-access (NBMA) networks.

597
Multi-Select · medium

Which TWO configuration steps are required to enable VRF-Lite on a Cisco IOS-XE router for a customer with two separate routing domains? (Choose TWO.)

Select 2 answers
A. Create the VRF using the 'vrf definition <vrf-name>' command and assign a route distinguisher with the 'rd' command.
B. Assign the VRF to an interface using the 'vrf forwarding <vrf-name>' command under interface configuration.
C. Configure route target import/export statements under the VRF.
D. Apply an import map and export map to control route redistribution.
E. Enable BGP to exchange routes between VRFs.
Answers: A, B

This defines the VRF and its route distinguisher, which is mandatory for VRF-Lite.

Why this answer

The two essential steps are: creating the VRF with a route distinguisher using 'vrf definition <name>' and 'rd <value>', and assigning interfaces to the VRF with 'vrf forwarding <name>' under the interface. The other options are incorrect: 'ip vrf <name>' is legacy syntax but still works; however, 'rd' is required. Route targets are for MPLS VPN, not VRF-Lite.

Import/export maps are optional. BGP is not mandatory.

598
MCQ · medium

Which OSPF LSA type is used to advertise a summary route for a network outside the area but within the same OSPF domain?

A. Type 1
B. Type 2
C. Type 3
D. Type 5
Answer: C

Type 3 LSAs are Summary LSAs, used for inter-area routes.

Why this answer

Type 3 LSAs (Summary LSAs) are generated by Area Border Routers (ABRs) to advertise inter-area routes.

599
Multi-Select · hard

Which TWO commands can be used to verify the configured AAA authentication method lists on a Cisco IOS-XE device? (Choose TWO.)

Select 2 answers
A. show aaa
B. show aaa method-lists
C. show running-config | include aaa authentication
D. show aaa authentication
E. show authentication method-lists
Answers: B, C

This command displays all configured AAA method lists for authentication, authorization, and accounting.

Why this answer

Option B is correct because 'show aaa method-lists' directly displays all configured AAA authentication, authorization, and accounting method lists, including the default lists and any custom lists. Option C is correct because 'show running-config | include aaa authentication' filters the running configuration to show only lines containing 'aaa authentication', which explicitly lists the authentication method lists configured. Both commands provide a reliable way to verify the AAA authentication method lists on a Cisco IOS-XE device.

Exam trap

Cisco often tests the exact command syntax, and the trap here is that candidates confuse 'show aaa method-lists' with non-existent commands like 'show aaa authentication' or 'show authentication method-lists', or they forget that 'show running-config | include aaa authentication' is a valid verification method.

600
Multi-Select · hard

Which THREE symptoms indicate that Control Plane Policing (CoPP) might be misconfigured or causing connectivity issues? (Choose THREE.)

Select 3 answers
A. OSPF or BGP neighbors are flapping, with log messages indicating adjacency timeouts.
B. SSH or Telnet sessions to the device are intermittent or time out.
C. CPU utilization remains high despite CoPP being configured.
D. CPU utilization is consistently low, and all control plane traffic is passing without drops.
E. Throughput on data interfaces increases significantly.
Answers: A, B, C

If CoPP drops routing protocol hello packets, neighbors may flap, indicating misclassification or overly restrictive policing.

Why this answer

Symptoms of CoPP misconfiguration include: (1) routing protocol neighbors flapping because CoPP drops hello packets, (2) management access (SSH/Telnet) becoming intermittent due to policing, and (3) high CPU utilization because CoPP is not properly filtering unwanted traffic. Option D (low CPU utilization) is the opposite of a typical CoPP issue. Option E (increased throughput on data interfaces) is unrelated to CoPP affecting the control plane.
