Cisco CCNP ENARSI 300-410 (300-410) — Questions 601675

2152 questions total · 29 pages · All types, answers revealed

Page 9 of 29
601
MCQ · easy

What is the default BFD interval and multiplier on Cisco IOS-XE devices when BFD is enabled under an interface without explicit timer configuration?

A. interval 100 ms, min_rx 100 ms, multiplier 3
B. interval 150 ms, min_rx 150 ms, multiplier 3
C. interval 200 ms, min_rx 200 ms, multiplier 5
D. interval 50 ms, min_rx 50 ms, multiplier 3

Answer: B

Correct. The default BFD timers on Cisco IOS-XE are 150 ms interval, 150 ms min_rx, and multiplier 3.

Why this answer

If no BFD timers are configured under the interface, the default values are: interval = 150 ms, min_rx = 150 ms, multiplier = 3. These are the defaults used when 'bfd interval' is not specified.

602
MCQ · easy

A network engineer runs the following command on Router R1:

R1# show ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address         Interface   Hold  Uptime    SRTT   RTO  Q    Seq
                                (sec)           (ms)        Cnt  Num
0   192.168.1.2     Gi0/0         13  00:12:34    10   200  0    15
1   192.168.2.2     Gi0/1         10  00:10:22    12   200  0    22
2   10.10.10.2      Gi0/2         14  00:08:15    15   200  0    18

Based on this output, which statement is correct?

A. Neighbor 192.168.1.2 has a high SRTT indicating a slow link.
B. All EIGRP neighbors are operating normally.
C. Neighbor 10.10.10.2 is experiencing packet loss due to high RTO.
D. The Q count of 0 indicates that EIGRP is not exchanging routes.

Answer: B

All neighbors show normal hold timers, uptimes, and zero queued packets.

Why this answer

The output shows three EIGRP neighbors with normal hold timers and uptimes. The Q count is 0 for all, indicating no queued packets. The SRTT and RTO values are low, indicating good network conditions.

There is no problem evident in this output.

603
MCQ · hard

An engineer configures an IPsec site-to-site VPN using IKEv1 with aggressive mode. The VPN tunnel establishes, but after some time, the tunnel goes down and re-establishes repeatedly. The engineer notices that the ISAKMP SA lifetime is set to 86400 seconds on one router and 3600 seconds on the other. What is the most likely explanation for the instability?

A. Aggressive mode does not negotiate ISAKMP SA lifetimes; the responder's lifetime is used, so the SA expires at different times, causing re-key failures.
B. The IPsec transform set uses ESP with null encryption, which is incompatible with aggressive mode.
C. The ISAKMP SA lifetime mismatch causes the IPsec SA to be re-keyed with different parameters, leading to a transform set mismatch.
D. Aggressive mode requires pre-shared keys to be identical, and a mismatch causes the tunnel to drop after the first re-key.

Answer: A

In aggressive mode, the initiator sends its proposal, but the responder's lifetime is used for the SA. If the lifetimes differ, the SA will expire on one side first, causing the tunnel to drop and re-establish.

Why this answer

In IKEv1 aggressive mode, the ISAKMP SA lifetime is not negotiated; the responder's configured lifetime is used. With lifetimes of 86400 seconds (24 hours) on one router and 3600 seconds (1 hour) on the other, the responder will enforce its own 3600-second lifetime. When the SA expires after 3600 seconds, the re-key occurs, but the initiator still expects the longer lifetime, causing a mismatch in the re-key timing and leading to repeated tunnel drops and re-establishments.

Exam trap

Cisco often tests the subtle difference that aggressive mode does not negotiate ISAKMP SA lifetimes, so candidates mistakenly assume both sides must match or that the mismatch only affects phase 2, when in fact the responder's lifetime is used unilaterally, causing re-key timing issues.

How to eliminate wrong answers

Option B is wrong because ESP with null encryption is fully compatible with aggressive mode; aggressive mode affects IKE phase 1 negotiation, not the IPsec transform set encryption type. Option C is wrong because the ISAKMP SA lifetime mismatch does not cause the IPsec SA to be re-keyed with different parameters—the IPsec SA parameters (transform sets) are negotiated separately in phase 2 and remain consistent; the issue is the IKE SA re-key timing. Option D is wrong because aggressive mode does require pre-shared keys to be identical, but a mismatch would prevent the tunnel from establishing at all, not cause it to drop after the first re-key.

604
MCQ · hard

BGP route summarization is causing unexpected path selection for prefix 172.16.0.0/16. Router R1 (AS 65001) has:

router bgp 65001
 neighbor 10.0.0.2 remote-as 65002
 network 172.16.0.0 mask 255.255.0.0
 aggregate-address 172.16.0.0 255.255.0.0 summary-only
!

Router R2 (AS 65002) receives the aggregate and shows:

R2# show ip bgp 172.16.0.0/16
BGP routing table entry for 172.16.0.0/16, version 2
Paths: (1 available, best #1)
  65001, (aggregated by 65001 10.0.0.1)
    10.0.0.1 from 10.0.0.1 (10.0.0.1)
      Origin IGP, localpref 100, valid, external, best

However, R2 has a more specific route for 172.16.1.0/24 via another path with higher local preference. What is the root cause?

A. The summary-only keyword suppresses all more specific routes, so the /24 route is not advertised to R2, forcing R2 to use the aggregate.
B. The aggregate-address command is missing the as-set keyword, causing the aggregate to have incorrect path attributes.
C. R2's local preference for the /24 is lower than the aggregate, so it prefers the aggregate.
D. The network command for 172.16.0.0/16 is missing, so the aggregate is not generated.

Answer: A

summary-only prevents any more specific routes from being advertised.

Why this answer

The aggregate-address with summary-only suppresses all more specific routes, so R2 does not see the /24 route. Even if R2 had a better path for the /24, it is not advertised due to summary-only. This can cause suboptimal routing or blackholing if the aggregate points to a less preferred path.

The fix is to remove summary-only or use suppress-map to selectively suppress.

605
MCQ · medium

A network engineer runs the following command on Router R1:

R1# show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H   Address         Interface   Hold  Uptime    SRTT   RTO  Q    Seq
                                (sec)           (ms)        Cnt  Num
0   10.1.1.2        Gi0/0         13  00:12:34     1   200  0    45
1   10.2.2.2        Gi0/1         12  00:11:20     2   200  0    67
2   10.3.3.2        Gi0/2         10  00:10:15     1   200  0    89

Based on this output, which statement is correct?

A. All EIGRP neighbors are fully operational with no issues.
B. The neighbor on Gi0/2 is experiencing packet loss because its hold timer is 10 seconds.
C. The neighbor on Gi0/0 has a high SRTT, indicating congestion.
D. The neighbor on Gi0/1 has a sequence number of 67, which is higher than others, indicating a routing loop.

Answer: A

The output shows stable adjacencies with low SRTT, RTO, and Q count of 0, indicating normal operation.

Why this answer

The output shows all three EIGRP neighbors with hold timers above 0, low SRTT values (1-2 ms), RTO at 200 ms, and a Q count of 0, indicating no queued packets. These metrics confirm that the neighbors are fully operational and stable, with no packet loss, congestion, or routing issues.

Exam trap

Cisco often tests the misconception that a lower hold timer or a higher sequence number indicates a problem, when in fact these values are normal operational metrics that do not imply faults unless they deviate significantly from expected baselines.

How to eliminate wrong answers

Option B is wrong because a hold timer of 10 seconds is within the default EIGRP hold time range (15 seconds by default, but can be lower if configured), and it does not indicate packet loss; packet loss would be reflected by a high SRTT or RTO, or a non-zero Q count. Option C is wrong because the SRTT for Gi0/0 is 1 ms, which is very low, not high; a high SRTT would indicate congestion or delay. Option D is wrong because the sequence number (67) is simply the last packet received from that neighbor and does not indicate a routing loop; a routing loop would be detected via EIGRP's DUAL algorithm and would show in the topology table, not in the neighbor sequence number.

606
Multi-Select · hard

Which THREE symptoms indicate a problem with route redistribution causing suboptimal routing or routing loops? (Choose THREE.)

Select 3 answers
A. Routing loops occur where packets traverse multiple routers repeatedly.
B. Traffic from one area takes a longer path than expected, even though a shorter path exists within the same routing domain.
C. CPU utilization on the redistribution router is consistently below 50%.
D. Some networks are not reachable from certain parts of the network, even though they are present in the routing table of the redistribution router.
E. The routing table on all routers is stable and converges quickly after a topology change.

Answers: A, B, D

Correct: This is a classic symptom of mutual redistribution without proper filtering.

Why this answer

Route redistribution issues often manifest as routing loops, suboptimal paths, or missing routes. A routing loop (option A) occurs when redistributed routes are re-injected back into the source protocol. Suboptimal routing (option B) happens when a router prefers a redistributed route over a more direct one.

Missing routes (option D) can occur if redistribution is not configured or if filters block routes. Option C is incorrect because high CPU may indicate many things, not specifically redistribution. Option E is incorrect because a stable routing table does not indicate a problem.

607
MCQ · hard

An engineer configures mutual redistribution between OSPF and EIGRP. After the configuration, routing loops occur. The engineer checks the routing tables and sees that the same prefix is learned from both protocols with different administrative distances. Which is the most likely explanation?

A. The redistributed routes are not tagged, so they are re-redistributed back into the original protocol, creating a loop.
B. The administrative distance of EIGRP is lower than OSPF, so the redistributed route is preferred and causes a loop.
C. The seed metric is not configured, so the redistributed route has an infinite metric and is not installed.
D. The OSPF process is configured with 'default-information originate always', which injects a default route and causes a loop.

Answer: A

Without route tagging, there is no way to prevent the redistributed route from being sent back to the original protocol, causing a routing loop.

Why this answer

Mutual redistribution without proper route tagging can cause routing loops. When a route redistributed from OSPF into EIGRP is then redistributed back into OSPF, it can be preferred if the administrative distance (AD) of the redistributed route is lower than the original. By default, OSPF external routes have AD 110, and EIGRP external routes have AD 170.

However, if the redistributed route is learned as an OSPF internal route (AD 110) vs EIGRP internal (AD 90), the loop can occur. A common edge case is when the route is redistributed with a metric that makes it appear as an internal route in the other protocol, causing a lower AD and thus a loop.

608
Drag & Drop · medium

Drag and drop the steps to configure PAT (overload) for dynamic source NAT into the correct order, from first to last.


Why this order

The correct order follows the standard Cisco IOS-XE configuration sequence: first define an access list to match interesting traffic, then create a NAT pool (if needed), then configure dynamic source translation with overload, then apply the configuration to the inside interface, and finally apply it to the outside interface.

609
MCQ · medium

A network engineer is troubleshooting a BGP route reachability issue. R1 learns the prefix 10.1.1.0/24 via eBGP from R2 with an AD of 20, and via OSPF from R3 with an AD of 110. The engineer notices that R1 installs the OSPF route in the routing table instead of the eBGP route, even though the eBGP route is preferred by default. What is the most likely cause of this behavior?

A. The OSPF route has a lower metric than the eBGP route.
B. The distance bgp 20 200 200 command is configured under the BGP process, increasing the AD of eBGP routes to 200.
C. The OSPF route is an inter-area route, which has a lower AD than intra-area routes.
D. The eBGP route is not the best path because the next-hop is unreachable.

Answer: B

This command sets the AD for eBGP routes to 200, making OSPF (AD 110) preferred.

Why this answer

The default administrative distance for eBGP is 20, and for OSPF is 110, so eBGP should be preferred. However, if the distance command is applied to the eBGP neighbor or the BGP process, it can increase the AD of eBGP routes, making them less preferred than OSPF.

610
MCQ · hard

A network engineer is troubleshooting an ERSPAN configuration where traffic from a source router is being sent to a remote monitoring server. The engineer configures an ERSPAN source session on Router A to capture traffic on GigabitEthernet0/0 and send it to the IP address 10.1.1.100. The monitoring server does not receive any packets. The engineer verifies that IP connectivity exists between Router A and the server. What is the most likely cause?

A. The ERSPAN session is missing a tunnel interface configuration.
B. The monitoring server is not listening on the correct UDP port.
C. The source interface is not in the same subnet as the destination IP.
D. The ERSPAN session is configured with the wrong source IP address.

Answer: A

Correct because ERSPAN encapsulates monitored traffic in GRE tunnels; a tunnel interface must be configured and referenced in the monitor session.

Why this answer

ERSPAN requires a tunnel interface to encapsulate the monitored traffic. Without configuring a tunnel interface, the ERSPAN session cannot encapsulate the packets for transport to the remote destination.

611
MCQ · easy

Which IP SLA operation type is used to monitor the availability of a TCP-based service by attempting a three-way handshake?

A. UDP Jitter
B. TCP Connect
C. ICMP Echo
D. HTTP

Answer: B

Correct. TCP Connect performs a TCP three-way handshake to test service availability.

Why this answer

The TCP Connect operation (type 5) attempts to establish a TCP connection to a specified port. Success indicates the service is reachable; failure indicates a problem.

612
MCQ · hard

Which OSPF network type defaults to a 30-second hello interval and requires a DR/BDR election?

A. Broadcast
B. Point-to-point
C. Non-broadcast (NBMA)
D. Point-to-multipoint

Answer: C

NBMA uses 30-second hello interval and elects DR/BDR.

Why this answer

Non-broadcast (NBMA) network type uses a 30-second hello interval and elects a DR/BDR, as per RFC 2328.

613
Drag & Drop · hard

Drag and drop the steps to troubleshoot IPv4 ACL adjacency or connectivity failures into the correct order, from first to last.


Why this order

Start by confirming the ACL is applied to the correct interface and direction; then check for implicit deny blocking traffic; verify sequence numbers and order; examine log entries for hits; finally, adjust ACL by inserting a permit statement before the deny.

614
MCQ · hard

An engineer configures RSPAN on a switch stack to monitor traffic from a VLAN. The RSPAN destination port is on a different stack member. The mirrored traffic works intermittently, with gaps during stack master re-election. What is the most likely explanation?

A. RSPAN traffic traverses the stack ring, which is disrupted during master re-election.
B. The RSPAN VLAN is pruned on the stack ring due to VTP pruning.
C. The RSPAN session is configured on the master only, and does not survive failover.
D. The destination port is on a different VLAN than the source, causing a mismatch.

Answer: A

The stack ring is used for inter-member communication; a master change can cause temporary disruption.

Why this answer

In a switch stack, RSPAN traffic is forwarded across the stack ring. During master re-election, the stack ring may briefly go down or reconverge, causing loss of RSPAN traffic. Additionally, if the RSPAN VLAN is not configured consistently across all stack members, traffic may be dropped.

615
MCQ · hard

Router R1 and R2 are connected via a serial link running OSPF. R1 has 'ip ospf network point-to-point' configured on the interface, while R2 has the default broadcast network type. R1's 'show ip ospf neighbor' shows R2 in FULL state, and R2's 'show ip ospf neighbor' shows R1 in FULL state. However, R1's routing table does not contain a route to the subnet 10.10.10.0/24 that is advertised by R2 via a type-3 LSA. R2's 'show ip route 10.10.10.0' shows it as connected. What is the root cause?

A. The network type mismatch causes R1 to not install the type-3 LSA because the LSA has a DR field that is not valid for point-to-point networks.
B. R2's OSPF process has 'distance 150' set, making the route unreachable.
C. R1 has a distribute-list blocking the 10.10.10.0/24 route.
D. The subnet 10.10.10.0/24 is not in R2's OSPF database due to a missing network command.

Answer: A

OSPF network type mismatch can lead to LSA filtering; point-to-point interfaces ignore LSAs with DR information.

Why this answer

Network type mismatch on a point-to-point link can cause OSPF adjacency to form but may affect LSA propagation. With point-to-point, R1 expects no DR/BDR election and uses a different LSA format. R2, with broadcast, expects DR/BDR.

The adjacency forms because both see each other as neighbors, but the type-3 LSA from R2 might be generated incorrectly or R1 may not accept it due to network type mismatch. The correct answer is that the network type mismatch causes R1 to ignore type-3 LSAs from R2 because R1 expects the link to be point-to-point and R2's LSA includes a DR field that R1 does not process.

616
MCQ · medium

Consider the following CoPP configuration:

access-list 150 permit tcp any any eq 179
access-list 150 permit udp any any eq 646
!
class-map match-all COPP-CORE
 match access-group 150
!
policy-map COPP-POLICY
 class COPP-CORE
  police 64000 conform-action transmit exceed-action drop
 class class-default
  police 128000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP-POLICY

What is missing from this configuration to also protect against ICMP-based control-plane attacks?

A. Add 'permit icmp any any' to access-list 150 to include ICMP in the COPP-CORE class.
B. Change the class-default police rate to 64000 bps to match the COPP-CORE rate.
C. Add a second class-map for ICMP and apply a separate policer.
D. The configuration is complete; ICMP is not a significant control-plane threat.

Answer: A

Correct. Adding ICMP to the ACL would match it in the COPP-CORE class and apply the lower 64000 bps policer, providing better protection.

Why this answer

The ACL only matches BGP (TCP 179) and LDP (UDP 646). ICMP is not included, so ICMP traffic falls into class-default and is only limited to 128000 bps, which may be too high for protection.

617
MCQ · medium

A network engineer runs the following command to troubleshoot an IPv6 First Hop Security issue:

R1# debug ipv6 nd raguard
*Mar 1 00:01:23.456: IPv6-ND-RA-Guard: R1, Fa0/0, RA received on port Fa0/0, src fe80::1, dst ff02::1
*Mar 1 00:01:23.456: IPv6-ND-RA-Guard: R1, Fa0/0, RA from fe80::1 is allowed by policy TRUSTED
*Mar 1 00:01:24.789: IPv6-ND-RA-Guard: R1, Fa0/0, RA received on port Fa0/0, src fe80::2, dst ff02::1
*Mar 1 00:01:24.789: IPv6-ND-RA-Guard: R1, Fa0/0, RA from fe80::2 is blocked by policy UNTRUSTED

What does this output indicate?

A. RA Guard is configured with a policy that trusts fe80::1 and blocks fe80::2, preventing rogue RA attacks.
B. RA Guard is blocking all RAs regardless of source, indicating a misconfiguration.
C. RA Guard is allowing all RAs but logging them for analysis.
D. RA Guard is not configured; the debug output is from default IPv6 ND behavior.

Answer: A

The debug confirms that fe80::1 is allowed by policy TRUSTED and fe80::2 is blocked by policy UNTRUSTED, which is the expected behavior for RA Guard.

Why this answer

The debug output shows RA Guard filtering RAs based on device trust. RAs from trusted sources are allowed, while those from untrusted sources are blocked to prevent rogue RA attacks.

618
MCQ · easy

A network engineer runs the following command on Router R1:

R1# show crypto ipsec transform-set
Transform set ESP-AES256-SHA: { esp-256-aes esp-sha256-hmac }
   will negotiate = { Tunnel, },
Transform set ESP-AES128-SHA: { esp-aes esp-sha256-hmac }
   will negotiate = { Tunnel, },

Based on this output, which statement is correct?

A. Both transform sets use tunnel mode; ESP-AES256-SHA uses stronger encryption.
B. The transform sets use transport mode.
C. The transform sets use MD5 for hashing.
D. The transform sets are not compatible with IKEv2.

Answer: A

ESP-AES256-SHA uses 256-bit AES, which is stronger than 128-bit.

Why this answer

The output shows two transform sets configured. The first uses AES-256 with SHA256 HMAC, the second uses AES-128 with SHA256 HMAC. Both use tunnel mode.

619
MCQ · hard

A large enterprise network is experiencing intermittent connectivity between Site A (R1) and Site B (R2) over an MPLS L3VPN. R1 has the following relevant configuration:

route-map RMAP-IN permit 10
 match ip address prefix-list PL-ALLOW
 set extcommunity rt 100:1

Router R2 shows: 'show bgp vpnv4 unicast all neighbors 10.1.1.1 received-routes' lists only the default route, but 'show ip route vrf CUSTOMER' shows no default route. What is the root cause?

A. The route-map RMAP-IN is missing a permit statement for other prefixes, causing implicit deny of all routes except the default.
B. The prefix-list PL-ALLOW is misconfigured and does not match the default route correctly.
C. The VRF CUSTOMER on R1 is missing the route-target import 100:1 command.
D. The BGP session between R1 and R2 is flapping due to a mismatch in the BGP update-source.

Answer: A

The route-map has only one permit sequence matching the default route, so all other VPNv4 routes are denied by the implicit deny at the end of the route-map. This prevents R1 from receiving routes for other prefixes.

Why this answer

The route-map RMAP-IN on R1 is configured to set the route-target extended community (RT) on incoming BGP VPNv4 routes. However, the route-map is applied inbound on the BGP session, which means it modifies routes received from R2. The match condition uses prefix-list PL-ALLOW, which likely permits only the default route.

The set extcommunity rt 100:1 command overwrites or adds the RT, but if the route-map does not explicitly permit other routes (e.g., via a subsequent permit statement), those routes are denied by the implicit deny at the end of the route-map. This causes R1 to reject all routes except the default, but the default route may not be installed in the VRF due to missing RT matching or other VRF configuration issues. The correct fix is to add a permit statement for all necessary prefixes or remove the route-map from the neighbor statement.

620
MCQ · medium

A network engineer runs the following command to verify IPv6 ND inspection policy:

R1# show ipv6 nd inspection policy INSPECT
Policy: INSPECT
  Status: Active
  Device role: node
  Trusted ports: none
  Untrusted ports: Fa0/0
  ND inspection: enabled
  Validation:
    - Source MAC address: verify
    - Destination MAC address: verify
    - IPv6 source address: verify
    - IPv6 destination address: verify
    - Nonce: disabled
    - Timestamp: disabled

What does this output indicate?

A. The policy INSPECT validates source and destination MAC and IPv6 addresses on untrusted port Fa0/0.
B. The policy INSPECT only validates source MAC addresses on trusted ports.
C. The policy INSPECT disables ND inspection and logs all ND messages.
D. The policy INSPECT is inactive and not applied to any interface.

Answer: A

All four validation checks are enabled, and the port is untrusted.

Why this answer

The show command displays the ND inspection policy. The policy INSPECT is active on untrusted port Fa0/0, with validation of MAC and IPv6 addresses enabled.

621
MCQ · hard

A network engineer configures an EEM applet to monitor uRPF (Unicast Reverse Path Forwarding) failures using the event syslog pattern 'IP-3-URPF'. The applet is designed to log when uRPF drops packets due to strict mode. The network has asymmetric routing, and packets are dropped. The EEM applet does not trigger. Which is the most likely explanation?

A. uRPF strict mode drops packets silently without generating a syslog message unless the 'log' keyword is used.
B. The EEM applet must use 'event routing' to capture uRPF events.
C. Asymmetric routing causes uRPF to generate a different syslog pattern, such as 'IP-4-URPF'.
D. The uRPF must be configured in loose mode to generate syslog messages.

Answer: A

Correct. uRPF drops are not logged by default; the 'log' keyword must be added to the verification command.

Why this answer

uRPF strict mode drops packets when the source IP address is not reachable via the incoming interface. However, the syslog message 'IP-3-URPF' is generated only when the 'ip verify unicast source reachable-via' command is configured with the 'allow-default' option or when the drop is logged explicitly. In strict mode without 'allow-default', the router may drop packets silently without generating a syslog message, especially if the drop is due to asymmetric routing.

The EEM applet will not trigger because no syslog is generated for the drop.

622
MCQ · medium

Examine the following configuration on a PE router:

ip vrf CUSTOMER-C
 rd 200:1
!
interface GigabitEthernet0/3
 ip vrf forwarding CUSTOMER-C
 ip address 10.2.2.1 255.255.255.252
!
router ospf 1 vrf CUSTOMER-C
 network 10.2.2.0 0.0.0.3 area 0
!
router bgp 65000
 address-family ipv4 vrf CUSTOMER-C
  redistribute ospf 1
 exit-address-family

What is missing from this configuration?

A. The VRF is missing route-target export and import commands.
B. The OSPF network command should use a wildcard mask of 0.0.0.0.
C. The BGP neighbor must be configured under the VRF address-family.
D. The VRF must have a route distinguisher that matches the route-target.

Answer: A

Route-targets are required for MPLS L3VPN to control the distribution of VPNv4 routes between PEs. Without them, the routes are not properly tagged.

Why this answer

The VRF is missing route-target import and export commands. Without route-targets, the VPNv4 routes will not be tagged with an RT, and the remote PE will not know which VRF to import them into. Also, the OSPF process is configured under the VRF, and redistribution is done, but the RT is missing.

623
MCQ · hard

An engineer configures IPv6 uRPF loose mode on an interface that connects to a DMVPN spoke. The spoke router uses NHRP to register with the hub and establishes a tunnel. Traffic from the spoke to destinations behind the hub is dropped. Which is the most likely explanation?

A. The spoke's tunnel IPv6 address is not in the global routing table because it is only known via NHRP, causing uRPF loose mode to drop packets sourced from that address.
B. The hub has uRPF strict mode configured, which breaks the DMVPN tunnel because of asymmetric routing.
C. The spoke's NHRP registration packets are filtered by the uRPF check because they use multicast destination.
D. The tunnel interface has an IPv6 ACL that denies traffic from the spoke's tunnel address, overriding uRPF.

Answer: A

Correct. uRPF loose mode requires that the source address be present in the routing table (any interface). If the address is only in NHRP cache, not in the routing table, packets are dropped.

Why this answer

In DMVPN Phase 2 or 3, spoke-to-spoke traffic may use direct tunnels. With uRPF loose mode, the router checks that the source address of incoming packets has a routing table entry (any interface). However, if the spoke's tunnel interface uses an IPv6 address that is not advertised via routing protocols (e.g., only NHRP), the source address may not be in the routing table, causing uRPF loose mode to drop the packet.

Additionally, asymmetric routing is common in DMVPN, and uRPF loose mode may still drop if the source address is not reachable at all.

624
MCQ · easy

What is the default active flow timeout value in Cisco IOS Flexible NetFlow?

A. 60 seconds
B. 1800 seconds
C. 300 seconds
D. 30 seconds

Answer: B

The default active flow timeout is 1800 seconds (30 minutes). This means active flows are exported every 30 minutes.

Why this answer

This question tests recall of default timer values in Flexible NetFlow.

625
Multi-Select · hard

Which TWO statements about the 'log' keyword in IPv4 ACL entries are correct? (Choose TWO.)

Select 2 answers
A. The 'log' keyword causes the router to generate a syslog message for every packet that matches the ACE.
B. The log message includes the source and destination IP addresses and the protocol.
C. The 'log' keyword can be used with both permit and deny ACEs.
D. The 'log' keyword is only available in extended ACLs, not standard ACLs.
E. Using the 'log' keyword significantly improves router performance by offloading logging to the CPU.

Answers: B, C

Correct. The log entry typically shows the source IP, destination IP, protocol (e.g., TCP), and the interface where the match occurred.

Why this answer

Option B is correct because when the 'log' keyword is configured on an ACL entry, the router generates a syslog message that includes the source and destination IP addresses, the protocol (e.g., TCP, UDP, ICMP), and for TCP/UDP, the source and destination port numbers. This logging provides essential information for troubleshooting and security monitoring.

Exam trap

Cisco often tests the misconception that the 'log' keyword logs every packet, when in fact it uses rate-limiting to avoid overwhelming the router's CPU.

626
Multi-Select · hard

An engineer configures Flexible NetFlow with a user-defined flow record that includes 'match ipv4 source address' and 'collect counter bytes'. Which TWO additional statements about this configuration are true? (Choose TWO.)

Select 2 answers
A. The flow record must be applied directly to an interface using the 'ip flow record' command.
B. The 'match ipv4 source address' command defines a key field that is used to uniquely identify flows.
C. The 'collect counter bytes' command causes the router to count the total number of bytes for each unique flow.
D. If no 'match' commands are configured, the router will use the default match fields from the 'netflow-original' record.
E. The flow record can be used by both IPv4 and IPv6 traffic simultaneously without additional configuration.

Answers: B, C

Correct. Match fields are key fields; flows are differentiated based on their values. Here, only the source IP is used as a key.

Why this answer

In Flexible NetFlow, the 'match' fields define the flow key; flows are uniquely identified by the combination of all match fields. The 'collect' fields define non-key data that is aggregated per flow. The flow record must be referenced by a flow monitor, which is then applied to an interface.

The default flow record is 'netflow-original', which includes many default keys. The 'match' fields cannot be omitted; at least one match field is required. The 'collect' fields are optional and can include counters, timestamps, etc.

627
Multi-Select · medium

Which TWO statements about NAT overload (PAT) are true? (Choose TWO.)

Select 2 answers
A. PAT allows multiple inside hosts to share a single public IP address by using unique source port numbers.
B. PAT is only supported with a single public IP address configured on the outside interface.
C. PAT is also known as NAT overload and is defined in RFC 2663.
D. PAT cannot translate traffic for protocols that use static port numbers, such as DNS or HTTP.
E. PAT requires the ip nat inside source list command with the overload keyword.

Answers: A, C

PAT translates the source port to create a unique session identifier, enabling many hosts to share one global address.

Why this answer

PAT uses port numbers to multiplex multiple inside hosts to a single public IP, and it is commonly used to conserve public IPv4 addresses. PAT can also be used with a pool of addresses, not just a single interface IP.

628
MCQ (medium)

A network engineer is troubleshooting an intermittent BGP session failure between two routers. The BGP session drops every few hours and recovers after a few seconds. The engineer checks the logs and sees that an EEM applet is triggered just before each failure. The applet is configured to run a script that clears the BGP session when a specific syslog message is generated. What is the most likely cause of the BGP session failure?

A. The BGP session is failing due to a physical layer issue.
B. The EEM applet is clearing the BGP session as part of its configured action.
C. The BGP session is failing due to a routing loop.
D. The EEM applet is causing a memory leak that crashes the BGP process.
Answer: B

Correct because the applet's action to clear the BGP session directly causes the session failure when triggered.

Why this answer

The EEM applet is the root cause because it is configured to clear the BGP session upon a specific syslog event. The engineer should review the applet's trigger condition and action to identify why it is being triggered incorrectly or unnecessarily.

629
MCQ (medium)

A router has a CoPP policy that includes a class-map matching all TCP traffic with a police rate of 5000 bps. The engineer notices that Telnet sessions to the router are timing out, but SSH sessions work fine. The router is configured to accept both Telnet and SSH. What is the most likely cause?

A. The CoPP policy has a separate class for Telnet with a lower police rate or a drop action.
B. The SSH traffic is encrypted, so it uses less bandwidth than Telnet.
C. The Telnet server on the router is not responding due to a configuration error.
D. The CoPP policy is rate-limiting TCP traffic to 5000 bps, which is enough for SSH but not for Telnet.
Answer: A

If Telnet is in a different class with a lower rate or drop, it would explain why Telnet fails while SSH works.

Why this answer

Both Telnet and SSH use TCP, so they should both be affected by the same police rate. However, if the CoPP policy has separate classes for Telnet and SSH, or if the police rate is applied per class, the issue might be that Telnet traffic is being policed more aggressively. Alternatively, the Telnet traffic might be hitting a different class that drops it.

630
Multi-Select (medium)

Which TWO commands can be used to verify DHCP IPv4 server operation and address pool utilization on a Cisco IOS router? (Choose TWO.)

Select 2 answers
A. show ip dhcp binding
B. show ip dhcp pool
C. show ip dhcp conflict
D. debug ip dhcp server events
E. show ip interface
Answers: A, B

Displays all active DHCP leases (IP address, MAC, lease time, etc.).

Why this answer

Option A is correct because the 'show ip dhcp binding' command displays the list of active DHCP address bindings, including the IP address, MAC address, lease expiration, and type (automatic, manual, or dynamic). This directly verifies that the DHCP server is operating and has allocated addresses from its pool. Option B is correct because the 'show ip dhcp pool' command shows the pool name, utilization statistics (e.g., total addresses, leased addresses, and excluded addresses), and pool configuration, confirming address pool utilization.

Exam trap

Cisco often tests the distinction between verification commands (show) and troubleshooting/debugging commands (debug), leading candidates to mistakenly select 'debug ip dhcp server events' as a verification tool when it is actually a real-time diagnostic command that can impact router performance.

631
MCQ (hard)

Router R1 is configured for VRF-Lite with MPLS. The interface Gig0/0 is in VRF-A and is running LDP. The LDP neighbor with R2 is not establishing. R1 configuration:

mpls ip
mpls label protocol ldp
interface Gig0/0
 ip vrf forwarding VRF-A
 ip address 10.0.0.1 255.255.255.252

R2 has a similar configuration without VRF. The LDP hello packets are sent but not received. What is the root cause?

A. LDP cannot form a session between a VRF interface and a global interface; both must be in the same VRF or both in the global table.
B. The MPLS label protocol must be TDP on both sides.
C. The interface IP addresses must be in the same subnet.
D. The mpls ip command must be applied under the VRF address-family.
Answer: A

Correct: LDP sessions require matching VRF context; mismatch prevents session establishment.

Why this answer

LDP uses UDP and TCP, and the transport address is typically the router ID. In a VRF, the LDP session must be established within the same VRF. If R1 has VRF-A and R2 does not, the LDP hellos are sent in the VRF context, but R2's LDP process is in the global table.

The hellos are not recognized because the VRF label space is different. LDP requires matching VRF or global configuration.

632
MCQ (hard)

A network engineer runs the following command on Router R1:

R1# show ip dhcp server statistics
Memory usage         26140
Address conflicts    0

Pool statistics
Pool   IP addresses  Requests  Offers  Acks  Naks  Declines  Releases
POOL1  10-20         50        45      40    5     2         3

Based on this output, which statement is correct?

A. The DHCP server is operating without any issues.
B. The DHCP server is rejecting requests (Naks) and clients are declining offers, indicating possible pool exhaustion or address conflicts.
C. The DHCP server has a memory problem.
D. The DHCP server has no address conflicts.
Answer: B

Naks and Declines are signs of issues.

Why this answer

The output shows 5 NAKs and 2 Declines, indicating that the DHCP server is rejecting requests (NAKs) and clients are declining offers (Declines). NAKs typically occur when a client requests an IP address that is no longer valid or available, while Declines happen when a client detects an address conflict via ARP. This combination strongly suggests pool exhaustion or address conflicts, making option B correct.

Exam trap

Cisco often tests the distinction between server-tracked address conflicts (shown in the 'Address conflicts' counter) and client-detected conflicts (shown as Declines), leading candidates to incorrectly assume zero conflicts means no issues.

How to eliminate wrong answers

Option A is wrong because the presence of NAKs and Declines indicates issues, so the server is not operating without any issues. Option C is wrong because the memory usage of 26140 is not specified as problematic, and no memory-related errors or warnings are shown in the output. Option D is wrong because while the 'Address conflicts' counter is 0, the 2 Declines indicate that clients are detecting address conflicts on their own, which is a separate issue from server-tracked conflicts.

633
MCQ (medium)

Consider the following partial configuration on router R2:

flow exporter EXPORTER-1
 destination 192.168.1.100
 source Loopback0
 transport udp 2055
!
flow monitor MONITOR-2
 exporter EXPORTER-1
 record netflow ipv4 original-input
 cache timeout active 30
!
interface GigabitEthernet0/2
 ip flow monitor MONITOR-2 input
!

What is the effect of this configuration?

A. The router will export NetFlow version 9 records containing IPv4 source and destination addresses, protocol, and packet/byte counts.
B. The router will export NetFlow version 5 records because the exporter uses UDP port 2055.
C. The flow monitor will only collect traffic on the input direction of GigabitEthernet0/2, but no export will occur because the exporter is not applied to the monitor.
D. The flow monitor will export flows every 30 seconds only if the flow is idle for that period.
Answer: A

The record 'netflow ipv4 original-input' is a predefined Flexible NetFlow record that matches traditional NetFlow fields (source/destination IP, protocol, etc.) and exports them in NetFlow v9 format.

Why this answer

This question tests knowledge of the 'record netflow ipv4 original-input' predefined record and its behavior.

634
MCQ (hard)

An engineer configures an EEM applet to monitor OSPF neighbor state changes using the event syslog pattern 'OSPF-5-ADJCHG'. The applet triggers a custom syslog message. The OSPF adjacency between two routers fails due to an MTU mismatch, but the EEM applet does not trigger. Which is the most likely explanation?

A. The OSPF-5-ADJCHG syslog message is not generated for MTU mismatch failures because the neighbor never reaches FULL state.
B. The EEM applet has a typo in the event syslog pattern; it should match 'OSPF-5-ADJCHG' with a wildcard.
C. The EEM applet requires the 'event manager run' command to be enabled globally.
D. The MTU mismatch causes a routing loop that suppresses syslog generation.
Answer: A

Correct. MTU mismatch causes the adjacency to fail in EXSTART, and the syslog message is OSPF-4-ERRRCV instead of OSPF-5-ADJCHG.

Why this answer

When an OSPF adjacency fails due to an MTU mismatch, the neighbor state transitions from EXSTART to DOWN without generating the standard OSPF-5-ADJCHG syslog message. The adjacency never reaches FULL, so the EXSTART-to-DOWN transition is logged under a different syslog pattern (OSPF-4-ERRRCV), and OSPF-5-ADJCHG may not fire at all. EEM applets that rely on the exact pattern 'OSPF-5-ADJCHG' will not trigger, because that message is only generated when the neighbor state changes from FULL to DOWN or vice versa.

635
Multi-Select (medium)

Which TWO statements about Embedded Event Manager (EEM) applet configuration are true? (Choose TWO.)

Select 2 answers
A. An EEM applet can be configured with multiple event statements using the 'event' command with the 'or' operator.
B. The 'action' command within an EEM applet can execute a Cisco IOS CLI command using the 'cli' keyword.
C. An EEM applet must include a Tcl script to perform any actions.
D. An EEM applet can only have a single action command.
E. The 'event none' configuration is not allowed in an EEM applet.
Answers: A, B

EEM supports multiple event triggers combined with the 'or' operator, allowing the applet to fire on any of the specified events.

Why this answer

EEM applets can use multiple event statements combined with a Boolean operator, and the 'action' command supports Cisco IOS CLI commands via the 'cli' keyword. The other statements are false: applets do not require a Tcl script, multiple actions are allowed, and the 'event none' option is valid for manual triggering.

636
MCQ (medium)

A network engineer runs the following command on Router R1:

R1# show event manager policy registered
No.  Type    Time Created               Name
1    applet  00:01:23 UTC Mar 1 2025    EIGRP_Neighbor_Down
2    applet  00:01:23 UTC Mar 1 2025    OSPF_Neighbor_Flap

Based on this output, which statement is correct?

A. Two EEM applet policies are registered and active.
B. Two EEM applet policies are registered but disabled.
C. Only one EEM applet policy is registered.
D. The EEM applet policies are triggered by syslog events.
Answer: A

The output shows two applet policies registered, meaning they are loaded and ready to trigger based on their defined events.

Why this answer

The 'show event manager policy registered' command lists all EEM policies registered on the device. The output shows two applet policies registered, but no trigger events are shown. The correct answer is that two EEM applet policies are registered, but the output does not indicate whether they are enabled or disabled; registration means they are loaded and ready to trigger.

637
MCQ (hard)

An engineer is troubleshooting a network where IPv6 hosts cannot obtain IP addresses via DHCPv6. The switch is configured with DHCPv6 Guard to prevent rogue DHCP servers. The legitimate DHCPv6 server is connected to port GigabitEthernet1/0/1. The engineer sees that DHCPv6 Solicit messages from hosts reach the server, but the server's Advertise and Reply messages are not reaching the hosts. What is the most likely root cause?

A. The DHCPv6 Guard policy is applied globally, and the port connected to the DHCP server is not configured as a trusted port for DHCPv6 server messages.
B. RA Guard is blocking the DHCPv6 server's Router Advertisements, causing hosts to not send Solicit messages.
C. IPv6 Source Guard is filtering the server's responses because the server's IPv6 address is not in the binding table.
D. The switch has DHCP snooping enabled for IPv4, which is interfering with IPv6 DHCPv6 operation.
Answer: A

Correct because DHCPv6 Guard by default blocks server messages on untrusted ports; the server port must be explicitly trusted.

Why this answer

DHCPv6 Guard on the switch port connected to the DHCP server will drop DHCPv6 server messages (Advertise, Reply) unless the port is configured as a trusted DHCPv6 server port. If the port is not trusted, the server's responses are dropped.

638
MCQ (easy)

Which BGP attribute is used for loop prevention in eBGP?

A. NEXT_HOP
B. LOCAL_PREF
C. AS_PATH
D. MED
Answer: C

AS_PATH is used to detect loops by checking if the local AS is already in the path.

Why this answer

The AS_PATH attribute contains the list of AS numbers a route has traversed. If a BGP router receives a route with its own AS number in the AS_PATH, it discards the route to prevent loops.

639
MCQ (hard)

A network engineer runs the following command to troubleshoot IPv6 ND inspection:

R1# debug ipv6 nd inspection
*Mar 1 00:02:34.567: IPv6-ND-Inspection: R1, Fa0/0, NS from fe80::1 to ff02::1, target 2001:db8::1, options: SLLA 0011.2233.4455
*Mar 1 00:02:34.567: IPv6-ND-Inspection: R1, Fa0/0, NS from fe80::1 to ff02::1, target 2001:db8::1, SLLA 0011.2233.4455 is allowed by policy INSPECT
*Mar 1 00:02:35.890: IPv6-ND-Inspection: R1, Fa0/0, NA from fe80::2 to fe80::1, target 2001:db8::2, options: TLLA 00aa.bbcc.ddee
*Mar 1 00:02:35.890: IPv6-ND-Inspection: R1, Fa0/0, NA from fe80::2 to fe80::1, target 2001:db8::2, TLLA 00aa.bbcc.ddee is blocked by policy INSPECT

What does this output indicate?

A. ND inspection is allowing NS messages but blocking NA messages from fe80::2, likely due to a MAC address mismatch or policy violation.
B. ND inspection is blocking all NS and NA messages, indicating a misconfiguration.
C. ND inspection is allowing all messages but logging them for analysis.
D. ND inspection is not configured; the debug output is from default ND behavior.
Answer: A

The NA is blocked, which could be due to the source MAC not matching the TLLA or policy rules.

Why this answer

The debug shows ND inspection processing NS and NA messages. The NS from fe80::1 is allowed, but the NA from fe80::2 is blocked, indicating a possible spoofing attempt or policy violation.

640
MCQ (easy)

A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:

R1# show crypto map
Crypto Map "CMAP" 10 ipsec-isakmp
        Peer = 192.168.2.2
        Extended IP access list 101
            access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
        Current peer: 192.168.2.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={myset, }
        Interfaces using crypto map CMAP:
                Tunnel0

What does this output indicate?

A. The crypto map is misconfigured because it uses an extended ACL with source and destination subnets.
B. The crypto map is correctly configured for a site-to-site VPN with the peer 192.168.2.2.
C. The crypto map is missing the transform set.
D. The crypto map should be applied to the physical interface instead of the tunnel.
Answer: B

The configuration matches typical site-to-site VPN requirements.

Why this answer

Option B is correct because the output shows a properly configured IPsec site-to-site VPN crypto map. It includes a peer (192.168.2.2), an extended ACL (101) that correctly matches the local and remote subnets (192.168.1.0/24 and 192.168.2.0/24), a transform set (myset), and is applied to Tunnel0, which is typical for a site-to-site VPN. The security association lifetime and PFS settings are also present, confirming a valid configuration.

Exam trap

Cisco often tests the misconception that an extended ACL in a crypto map is a misconfiguration, when in fact it is required for site-to-site VPNs to define the traffic to be encrypted.

How to eliminate wrong answers

Option A is wrong because using an extended ACL with source and destination subnets is correct for a site-to-site VPN; it defines which traffic should be encrypted, not a misconfiguration. Option C is wrong because the output explicitly shows 'Transform sets={myset,}', indicating a transform set is configured. Option D is wrong because applying the crypto map to a tunnel interface (Tunnel0) is valid and common for site-to-site VPNs; it does not need to be on the physical interface.

641
MCQ (medium)

A network engineer runs the following command on Router R1:

R1# show ip ospf neighbor 10.1.1.2
 Neighbor 10.1.1.2, interface address 192.168.12.2
    In the area 0 via interface GigabitEthernet0/0
    Neighbor priority is 1, State is FULL, 6 state changes
    DR is 10.1.1.2, BDR is 10.1.1.1
    Options is 0x12 (L L S R)
    Dead timer due in 00:00:36
    Neighbor is up for 00:15:42
    Index 1/1/1, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, time is 0 msec
    Last retransmission scan time is 0 msec

Based on this output, what is the role of Router R1 on this segment?

A. Router R1 is the Designated Router.
B. Router R1 is the Backup Designated Router.
C. Router R1 is a DROTHER router.
D. Router R1 has no special role on this segment.
Answer: B

The BDR is 10.1.1.1, which is R1's router ID.

Why this answer

The output shows that the BDR is 10.1.1.1, which is Router R1's router ID. Therefore, R1 is the Backup Designated Router. The DR is 10.1.1.2.

642
MCQ (medium)

Given the following partial configuration on router R5:

interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip pim sparse-mode
!
interface GigabitEthernet0/1
 ip address 10.2.2.1 255.255.255.0
 ip pim sparse-mode
!
router ospf 1
 router-id 5.5.5.5
 network 10.0.0.0 0.255.255.255 area 0

What is the effect of this configuration?

A. OSPF will not form adjacencies because PIM sparse-mode is enabled on the interfaces.
B. OSPF will form adjacencies on both interfaces, and PIM sparse-mode will operate normally; the configuration is valid.
C. OSPF will only form adjacency on GigabitEthernet0/0 because the network statement does not match GigabitEthernet0/1.
D. PIM sparse-mode will not work because there is no rendezvous point (RP) configured.
Answer: B

Both protocols work together. OSPF handles unicast routing, PIM handles multicast. No issues.

Why this answer

The configuration enables OSPF on both interfaces via the network statement (since both are in 10.0.0.0/8). It also enables PIM sparse-mode on each interface. This is typical for multicast routing.

OSPF will form adjacencies and PIM will operate. There is no conflict.

643
MCQ (easy)

A network engineer runs the following command on Router R1:

R1# show snmp mib ifmib ifindex
ifIndex: 1   Interface: GigabitEthernet0/0   Description: GigabitEthernet0/0
ifIndex: 2   Interface: GigabitEthernet0/1   Description: GigabitEthernet0/1
ifIndex: 3   Interface: Loopback0            Description: Loopback0
ifIndex: 10  Interface: Tunnel0              Description: Tunnel0

Based on this output, which statement is correct?

A. The ifIndex for Loopback0 is 3.
B. The ifIndex values are assigned sequentially starting from 0.
C. GigabitEthernet0/0 has ifIndex 2.
D. Tunnel0 has ifIndex 3.
Answer: A

The output clearly shows Loopback0 with ifIndex 3.

Why this answer

The output shows the mapping between SNMP ifIndex values and interface names. The ifIndex values are not sequential (1,2,3,10), which is normal. The Tunnel0 interface has ifIndex 10.

This mapping is used by SNMP managers to identify interfaces.

644
MCQ (hard)

A CoPP (Control Plane Policing) rate limit impacts legitimate traffic. Router R1 has the following CoPP policy applied: 'class-map match-all BGP class-map match-all SSH match protocol bgp match protocol ssh policy-map COPP class BGP police 10000 conform-action transmit exceed-action drop'. Network engineers cannot SSH to R1, but BGP sessions are stable. The 'show policy-map control-plane' output shows 'BGP class: 0 packets, 0 bytes' and 'SSH class: 0 packets, 0 bytes'. What is the root cause?

A. The class-map uses 'match-all' instead of 'match-any', causing SSH traffic not to match the class and be dropped by the default action.
B. The police rate is too low for SSH traffic and needs to be increased.
C. An ACL on the interface blocks SSH before CoPP is applied.
D. CoPP is applied in the wrong direction; it should be input.
Answer: A

With match-all, a packet would have to be both BGP and SSH, which is impossible; SSH packets therefore fall into the default class, which most likely drops them.

Why this answer

The class-map uses 'match protocol bgp' and 'match protocol ssh' with match-all, meaning both conditions must be true for a packet to match. SSH packets do not match protocol bgp, so they fall through to the default class, which may have a drop policy. The class-map should be match-any or separate classes for each protocol.

645
Multi-Select (hard)

Which TWO statements correctly describe the behavior of BGP route summarization using the 'aggregate-address' command? (Choose TWO.)

Select 2 answers
A. By default, the aggregate route is advertised with the ATOMIC_AGGREGATE attribute set.
B. The 'aggregate-address' command automatically suppresses the advertisement of all more specific routes.
C. The aggregate route inherits the AS_PATH of the longest matching more specific route.
D. The 'aggregate-address' command can be used to summarize both IPv4 and IPv6 prefixes in the same configuration.
E. The aggregate route is installed in the BGP table only if at least one more specific route exists in the BGP table.
Answers: A, E

Correct. When an aggregate is created, BGP sets the ATOMIC_AGGREGATE attribute to indicate that the path information might be incomplete.

Why this answer

The BGP 'aggregate-address' command creates a summary route in the BGP table. By default, the summary is advertised with the ATOMIC_AGGREGATE attribute and the aggregator router ID, but the more specific routes are still advertised unless the 'summary-only' keyword is used. The summary inherits the AS_PATH from the component routes, but the 'as-set' keyword is required to include the AS_PATH information in the aggregate.

The summary does not automatically suppress the component routes.

646
MCQ (hard)

What is the default DHCPv4 server lease time on a Cisco IOS-XE router configured as a DHCP server?

A. 3600 seconds (1 hour)
B. 43200 seconds (12 hours)
C. 86400 seconds (1 day)
D. 604800 seconds (7 days)
Answer: C

The default lease time for Cisco IOS-XE DHCP server is 86400 seconds.

Why this answer

Cisco IOS-XE DHCP server defaults to a lease time of 86400 seconds (1 day) unless explicitly configured otherwise.

647
MCQ (medium)

A network engineer runs the following command on Router R1:

R1# show policy-map control-plane
Control Plane

  Service-policy input: CoPP

    class-map: MANAGEMENT (match-all)
      100 packets, 10000 bytes
      5 minute offered rate 0 bps
      police:
          cir 8000 bps, bc 1500 bytes
        conformed 100 packets, 10000 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

Based on this output, which statement is correct?

A. All management traffic has been transmitted without any drops.
B. Management traffic is being dropped because the police rate is too low.
C. The CoPP policy is not applied because the control plane is not specified.
D. The class-map MANAGEMENT is not matching any traffic.
Answer: A

The 'conformed' count shows 100 packets transmitted, and 'exceeded' is 0, meaning no drops.

Why this answer

Option A is correct because the output shows that all 100 packets matched by the MANAGEMENT class-map were conformed (100 packets, 10000 bytes) and the action for conformed traffic is 'transmit', with zero exceeded packets. This indicates that the policing rate of 8000 bps (CIR) was sufficient for the offered traffic, and no packets were dropped. The 'exceeded 0 packets' field confirms no drops occurred.

Exam trap

Cisco often tests the misconception that a low police rate automatically implies drops, but the trap here is that the output must be read carefully—'exceeded 0 packets' proves no drops occurred, regardless of the configured CIR.

How to eliminate wrong answers

Option B is wrong because the police rate of 8000 bps is not causing drops; the output shows 0 exceeded packets, meaning the traffic rate is within the CIR. Option C is wrong because the command 'show policy-map control-plane' explicitly displays the policy applied to the control plane, and the output confirms 'Service-policy input: CoPP' is active. Option D is wrong because the class-map MANAGEMENT is matching traffic, as evidenced by the 100 packets and 10000 bytes counted under that class.

648
MCQ (hard)

An engineer configures SPAN on a Cisco switch to monitor traffic from a port that is also a SPAN destination for another session. The switch rejects the configuration. What is the most likely reason?

A. A SPAN destination port cannot be a SPAN source port due to hardware restrictions.
B. The SPAN session ID must be unique; overlapping sessions cause conflicts.
C. The switch has reached the maximum number of SPAN sessions.
D. The port is a trunk, and SPAN cannot monitor trunk ports as destinations.
Answer: A

The switch enforces that a port used as a destination cannot also be a source, as it would create a loop in the monitoring path.

Why this answer

A SPAN destination port cannot be used as a SPAN source port in any session. This is a hardware limitation: the port is dedicated to receiving mirrored traffic and cannot also be monitored. The switch will return an error if you try to configure it as a source.

649
MCQ (hard)

An engineer configures mutual redistribution between OSPF and EIGRP on a PE router in an MPLS L3VPN. The engineer does not configure any route tagging or filtering. After a few minutes, the OSPF and EIGRP domains become unstable, with routes flapping and high CPU usage. What is the most likely explanation?

A. The mutual redistribution creates a routing loop because routes are redistributed back into the original protocol without any loop-prevention mechanism.
B. The OSPF and EIGRP administrative distances conflict, causing the router to prefer the wrong route.
C. The 'default-information originate' command is missing, so the redistributed routes are not advertised.
D. The 'subnets' keyword is missing in the OSPF redistribution command, causing only classful routes to be advertised.
Answer: A

Correct. Without route tagging or filtering, routes can be re-redistributed indefinitely, causing instability.

Why this answer

Mutual redistribution without route tagging or filtering can cause a routing loop. When OSPF routes are redistributed into EIGRP, and then those EIGRP routes are redistributed back into OSPF, the same prefixes can be learned from both protocols. Without a route tag or a filter to prevent re-redistribution, the router will continuously re-advertise the same routes, causing route flapping and high CPU.

This is a classic edge case in redistribution. The solution is to use route tags and filtering to prevent loops.

650
MCQ (easy)

What is the default tunnel mode for an IPv6 tunnel configured on Cisco IOS-XE?

A. IPv6IP
B. GRE
C. ISATAP
D. 6to4
Answer: B

GRE is the default tunnel mode for IPv6 tunnels in IOS-XE.

Why this answer

The default tunnel mode for an IPv6 tunnel on Cisco IOS-XE is GRE (Generic Routing Encapsulation), as specified by the 'tunnel mode gre ipv6' command. When you create a tunnel interface and configure an IPv6 tunnel source and destination without explicitly setting the tunnel mode, the router defaults to GRE encapsulation, which provides a multiprotocol transport capable of carrying both IPv4 and IPv6 payloads.

Exam trap

Cisco often tests the misconception that the default tunnel mode for IPv6 tunnels is 'ipv6ip' (manual IPv6-over-IPv4) because of its simplicity, but the actual default is GRE, which is a more feature-rich encapsulation.

How to eliminate wrong answers

Option A (IPv6IP) is wrong because IPv6IP is not a default tunnel mode; it is a specific mode used for IPv6-over-IPv4 manual tunnels, configured with 'tunnel mode ipv6ip', and must be explicitly set. Option C (ISATAP) is wrong because ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) is a specific automatic tunneling mechanism that uses a non-default tunnel mode and requires explicit configuration with 'tunnel mode ipv6ip isatap'. Option D (6to4) is wrong because 6to4 is another automatic tunneling technique that uses a non-default tunnel mode, configured with 'tunnel mode ipv6ip 6to4', and is not the default; it also relies on a specific IPv6 prefix (2002::/16).

651
MCQ (medium)

Consider the following partial configuration on Router R1:

router eigrp 100
 redistribute ospf 1 metric 10000 100 255 1 1500
router ospf 1
 redistribute eigrp 100 subnets

Which statement about this configuration is true?

A. Redistributed OSPF routes into EIGRP will have a default metric of 10000 100 255 1 1500.
B. OSPF routes redistributed into EIGRP will have a metric of 20 by default.
C. EIGRP routes redistributed into OSPF will be Type 1 external LSAs.
D. The 'subnets' keyword in OSPF redistribution is optional but recommended.
Answer: A

The 'metric' keyword in the redistribute command sets the EIGRP metric for all redistributed routes.

Why this answer

The configuration redistributes OSPF routes into EIGRP with specific bandwidth, delay, reliability, load, and MTU metrics. The 'subnets' keyword in OSPF redistribution ensures that all subnets (including classless prefixes) are redistributed. Without 'subnets', only classful networks are redistributed.

652
MCQ (hard)

Routers R1 and R2 are OSPF neighbors over a FastEthernet link with BFD enabled. R1 has 'ip ospf network point-to-point' configured. R2 does not. After a reload, BFD sessions fail to establish. 'R1# show bfd neighbors' shows no sessions, and 'R2# show bfd neighbors' shows no sessions. What is the root cause?

A. BFD is not supported on FastEthernet interfaces.
B. OSPF network type mismatch between R1 and R2 prevents BFD session establishment.
C. BFD timers are not configured globally.
D. OSPF hello/dead intervals must match for BFD to work.
Answer: B

Mismatched OSPF network types cause BFD to fail because BFD uses interface parameters derived from OSPF network type.

Why this answer

BFD requires matching OSPF network types on the same link for proper session establishment. When R1 is configured as point-to-point and R2 remains as broadcast, OSPF forms a neighbor relationship but BFD sessions fail because BFD expects consistent interface parameters.

653
Multi-Select (hard)

An engineer must ensure that all syslog messages with severity level 4 (warning) and higher are sent to a remote syslog server at 10.1.1.100, while also logging messages of severity 6 (informational) to the console. Which TWO configuration commands are required? (Choose TWO.)

Select 2 answers
A. logging host 10.1.1.100 trap 4
B. logging console 6
C. logging buffered 6
D. logging source-interface Loopback0
E. logging monitor 4
Answers: A, B

Correct. This sets the remote syslog server and limits messages sent to severity 4 (warning) and higher (0-4).

Why this answer

The 'logging host' command with the 'trap' keyword sets the severity filter for remote logging; default trap level is 6 (informational), so to limit to level 4 and higher, the trap level must be set to 4. The 'logging console' command controls console logging; default is level 7 (debugging), so setting it to 6 allows informational and higher (0-6). The 'logging buffered' command affects buffer logging, not console.

The 'logging source-interface' sets the source IP but does not filter severity. The 'logging monitor' affects terminal lines, not console.

654
MCQ (medium)

In EIGRP, which of the following K values is disabled by default, meaning it is not used in the metric calculation?

A. K5 (MTU)
B. K1 (bandwidth)
C. K3 (delay)
D. K2 (load)
Answer: A

K5 is set to 0 by default, so MTU is not used in metric calculation.

Why this answer

By default, EIGRP uses K1 (bandwidth) and K3 (delay) with values of 1, and K2 (load), K4 (reliability), and K5 (MTU) are set to 0, meaning they are not used. K5 is disabled by default.

655
Multi-Selecthard

Which TWO statements about VRF-Lite and DHCP are true? (Choose TWO.)

Select 2 answers
A.The 'ip dhcp relay' command can be configured with the 'vrf' keyword to forward DHCP requests from a VRF to a DHCP server in a different VRF.
B.DHCP clients in a VRF cannot obtain an IP address from a DHCP server that is in the same VRF.
C.The 'ip dhcp pool' command supports a 'vrf' keyword to associate the pool with a specific VRF.
D.A DHCP server in the global routing table can serve clients in a VRF if the relay agent is configured appropriately.
E.DHCP snooping must be enabled globally for DHCP to work across VRFs.
AnswersA, D

Correct. Example: 'ip dhcp relay vrf BLUE 10.1.1.1' relays requests from VRF BLUE to the DHCP server at 10.1.1.1 (which could be in another VRF or global).

Why this answer

In VRF-Lite, DHCP can be configured to operate within a specific VRF. The 'ip dhcp relay' command can be used with the 'vrf' keyword to relay DHCP requests from a VRF to a DHCP server in another VRF or the global table. Option A is correct because the relay can forward to a server in a different VRF.

Option D is correct because the DHCP server can be in the global routing table and still serve clients in a VRF if the relay is configured correctly. Option B is incorrect because DHCP clients can obtain addresses from a server in the same VRF without relay. Option C is incorrect because the 'ip dhcp pool' command does not have a 'vrf' keyword; pools are global.

Option E is incorrect because DHCP snooping is not required for VRF-Lite DHCP to work.

656
MCQeasy

Which NetFlow version is the default export format when using Flexible NetFlow with the 'record netflow ipv4 original-input' command?

A.NetFlow version 5
B.NetFlow version 9
C.IPFIX (NetFlow version 10)
D.NetFlow version 1
AnswerB

Flexible NetFlow uses NetFlow v9 as the default export format because it supports template-based records.

Why this answer

This question tests knowledge of the default export version for Flexible NetFlow predefined records.

657
MCQhard

A multi-router network uses PBR to steer traffic from subnet 172.16.1.0/24 through a WAN link (next-hop 10.10.10.2). After a routing change, traffic from this subnet is being dropped. Router R1 shows: 'show route-map' indicates the route-map is applied, 'show ip policy' shows the policy on the interface, but 'debug ip policy' shows 'PBR: no route to next-hop 10.10.10.2'. What is the root cause?

A.The next-hop 10.10.10.2 is not reachable, and PBR drops packets when no route to the next-hop exists. Configure a fallback route or use 'set ip default next-hop'.
B.The ACL in the route-map is incorrectly denying traffic from 172.16.1.0/24, causing PBR to not match the traffic.
C.The interface where PBR is applied is in a different VRF, causing the next-hop to be unreachable.
D.The next-hop 10.10.10.2 is reachable but the route-map has a 'match ip address' that is too specific, excluding some traffic.
AnswerA

PBR drops packets if the set next-hop is not reachable. Using 'set ip default next-hop' allows PBR to use the routing table as a fallback if the next-hop is unreachable.

Why this answer

PBR requires the next-hop to be reachable via a route in the routing table. If the next-hop is not reachable (e.g., due to a routing change or a missing route), PBR will drop the packet unless a fallback is configured. In this case, the next-hop 10.10.10.2 is not reachable, so PBR drops the traffic.

The solution is to either ensure the next-hop is reachable or configure a default route or fallback action.

658
MCQmedium

Given the following partial configuration on router R1:

ip sla 10
 icmp-echo 192.168.1.1 source-ip 10.0.0.1
 frequency 10
ip sla schedule 10 life forever start-time now

Which statement best describes the effect of this configuration?

A.It sends ICMP echo requests from 10.0.0.1 to 192.168.1.1 every 10 seconds.
B.It sends ICMP echo requests from 192.168.1.1 to 10.0.0.1 every 10 seconds.
C.It sends ICMP echo requests every 10 seconds but only after the first successful reply.
D.It sends ICMP echo requests only once and then stops.
AnswerA

The icmp-echo command defines the destination, source-ip sets the source, and frequency sets the interval.

Why this answer

The configuration creates an IP SLA operation that sends ICMP echo probes to 192.168.1.1 every 10 seconds, using source IP 10.0.0.1. The schedule starts immediately and runs indefinitely.

659
Multi-Selectmedium

Which TWO commands can be used to verify the VRF configuration and associated interfaces on a Cisco IOS-XE router running VRF-Lite? (Choose TWO.)

Select 2 answers
A.show vrf
B.show ip vrf interfaces
C.show ip route vrf <vrf-name>
D.show running-config | section vrf
E.show ip interface brief
AnswersA, B

Displays a summary of all VRFs, including route distinguisher and interface assignments.

Why this answer

The 'show vrf' command displays a summary of all VRFs, including their RD and interfaces, while 'show ip vrf interfaces' lists each VRF with its associated interfaces and IP addresses. The other options are incorrect: 'show ip route vrf' shows the routing table for a specific VRF but not the interfaces, 'show running-config | section vrf' shows configuration but not operational status, and 'show ip interface brief' does not display VRF information.

660
MCQeasy

A network engineer runs the following command on Router R1:

R1# show ip dhcp relay information trusted
Interface            Trusted
GigabitEthernet0/1   Yes
GigabitEthernet0/2   No

Based on this output, which statement is correct?

A.DHCP relay information is trusted on GigabitEthernet0/1, so option 82 packets are accepted on that interface.
B.DHCP relay information is trusted on both interfaces.
C.DHCP relay information is not configured on any interface.
D.DHCP relay information is trusted on GigabitEthernet0/2, so option 82 packets are dropped.
AnswerA

Trusted interfaces accept option 82.

Why this answer

The command 'show ip dhcp relay information trusted' displays the trust status of each interface for DHCP relay information (option 82). When an interface is marked as 'Yes' under the Trusted column, it means the router will accept and forward DHCP packets that already contain option 82 information from that interface. Therefore, on GigabitEthernet0/1, option 82 packets are accepted.

Exam trap

Cisco often tests the misconception that 'trusted' means the interface is trusted to send DHCP requests, when in fact it means the interface is trusted to receive and forward packets that already contain option 82 information.

How to eliminate wrong answers

Option B is wrong because the output clearly shows that GigabitEthernet0/2 is marked as 'No', indicating it is not trusted, so it is not the case that both interfaces are trusted. Option C is wrong because the output explicitly shows that DHCP relay information is configured and trusted on at least one interface (GigabitEthernet0/1). Option D is wrong because GigabitEthernet0/2 is not trusted (marked 'No'), and on untrusted interfaces option 82 packets are dropped, not accepted; the statement incorrectly claims that option 82 packets are dropped on a trusted interface.

661
Drag & Dropmedium

Drag and drop the steps to enable and verify RESTCONF on IOS-XE into the correct order, from first to last.



Why this order

RESTCONF requires enabling the HTTPS server first, then the RESTCONF service, followed by authentication configuration, verifying the interface, and finally testing via a REST client.

662
Drag & Drophard

Drag and drop the steps to troubleshoot IPv6 traffic filtering and uRPF adjacency or connectivity failures into the correct order, from first to last.



Why this order

Troubleshooting starts with checking the uRPF configuration on the interface, then verifying the routing table for the source prefix, checking for ACLs that might block traffic, examining uRPF drop counters, and finally using debug ipv6 packet to capture dropped packets.

663
MCQeasy

What is the default EIGRP hello interval on a point-to-point serial interface?

A.5 seconds
B.10 seconds
C.30 seconds
D.60 seconds
AnswerA

Default hello interval is 5 seconds for point-to-point links.

Why this answer

EIGRP uses a default hello interval of 5 seconds on most interfaces, including point-to-point serial links. On NBMA interfaces like Frame Relay, the default may be different, but for point-to-point it is 5 seconds.

664
MCQmedium

A network engineer is troubleshooting a BGP route-map that is supposed to prepend AS-path to routes from a specific neighbor. The engineer configures a route-map with 'set as-path prepend 65001' and applies it outbound to the neighbor. After the configuration, the engineer checks the BGP table on the neighbor and sees that the AS-path does not include the prepended AS. What is the most likely cause?

A.The route-map is missing a 'match' statement; without it, the set command is not applied to any routes.
B.The AS 65001 is the same as the neighbor's AS, so BGP ignores the prepend.
C.The route-map is applied inbound instead of outbound.
D.The neighbor has 'soft-reconfiguration inbound' which prevents AS-path changes.
AnswerA

Correct because a route-map without a match statement will not match any routes, so the set command is not executed.

Why this answer

The 'set as-path prepend' command is configured inside a route-map (optionally together with an 'ip as-path access-list' for matching), and the route-map must be applied in the correct direction. When the route-map is applied outbound, it modifies the AS-path before the update is sent. However, if the neighbor is an eBGP neighbor, the router will not prepend its own AS unless the AS is different from the neighbor's AS.

Also, the route-map must have a 'match' statement that matches the routes.

665
MCQhard

An engineer notices that NetFlow export packets are being sent from a router but the collector reports missing data for certain flows. The engineer checks 'show ip flow export' and sees 'Exporting flows to 10.1.1.100 (2055)' with packets being sent. However, 'show flow monitor name MONITOR cache' shows many flows with zero byte counts. What is the most likely cause?

A.The flow exporter is using UDP port 2055, but the collector expects TCP.
B.The flow record includes 'collect counter packets' but not 'collect counter bytes'.
C.The router's CPU is overloaded, causing byte counters to not update.
D.The flow monitor is applied in egress direction, which does not support byte collection.
AnswerB

Without 'collect counter bytes', the byte counter remains zero. The engineer must add this directive to the record.

Why this answer

If the flow record only collects packet counts but not byte counts, the byte counter will remain zero. This is a configuration error in the flow record definition.

666
Multi-Selecthard

Which TWO statements about EEM applet configuration and execution are correct? (Choose TWO.)

Select 2 answers
A.An EEM applet can be triggered by multiple event types if the 'event' statements are configured under the same applet using the 'multiple' keyword.
B.The 'action info type routername' command stores the router hostname in the '$_info_type_routername' environment variable.
C.The 'event cli' pattern matching is case-insensitive by default.
D.The 'event timer countdown' command uses the 'time' keyword to specify the duration in seconds.
E.The 'action string' command can be used to trim leading and trailing whitespace from a variable using the 'trim' subcommand.
AnswersA, B

Correct. The 'event multiple' keyword allows an applet to wait for any of several specified events.

Why this answer

EEM applets can be configured with multiple events using the 'multiple' keyword. The 'action info type routername' command retrieves the router hostname. The 'event cli' pattern is case-sensitive by default.

The 'event timer countdown' does not support the 'time' keyword; it uses 'countdown-time'. The 'action string' does not support 'trim' as a subcommand.

667
Multi-Selectmedium

Which TWO commands can be used to verify IPv6 unicast RPF operation on an interface? (Choose TWO.)

Select 2 answers
A.show ipv6 interface
B.show ipv6 cef detail
C.show ipv6 access-list
D.show ipv6 route
E.show ipv6 traffic
AnswersA, B

Displays IPv6 interface configuration including uRPF status (e.g., 'ipv6 verify unicast source reachable-via any').

Why this answer

The show ipv6 interface command displays uRPF status per interface, and show ipv6 cef detail reveals CEF forwarding details including RPF checks. show ipv6 access-list is for ACLs, not uRPF; show ipv6 route does not show uRPF; show ipv6 traffic shows packet statistics, not per-interface uRPF status.

668
MCQmedium

A network engineer runs the following command on Router R1:

R1# show bgp ipv4 unicast summary
BGP router identifier 192.168.1.1, local AS number 65001
BGP table version is 10, main routing table version 10

Neighbor   V  AS     MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
10.1.1.2   4  65002  1200     1200     10      0    0     01:00:00  5
10.2.2.2   4  65003  0        0        0       0    0     never     Active

Based on this output, what is the problem with the neighbor 10.2.2.2?

A.The neighbor is not reachable or is not configured to accept BGP connections.
B.The neighbor is in Idle state because of a hold timer expiry.
C.The neighbor has received 5 prefixes, indicating a successful session.
D.The BGP table version is 10, meaning there is a routing loop.
AnswerA

The Active state indicates that the router is attempting to establish a TCP connection but is not receiving a response, likely due to unreachability or misconfiguration.

Why this answer

The 'Active' state in BGP indicates that the router is actively trying to establish a TCP connection to the neighbor but has not yet succeeded. This typically occurs because the neighbor is unreachable (no route to the destination IP), the neighbor is not configured to accept BGP connections (e.g., no BGP process or incorrect ACL), or a firewall is blocking TCP port 179. The output shows 0 messages sent/received and 'never' uptime, confirming no session has ever been established.

Exam trap

Cisco often tests the distinction between 'Idle' and 'Active' states, where candidates mistakenly assume 'Active' means the session is up or that prefixes are being exchanged, when in fact it indicates a failed or pending TCP connection attempt.

How to eliminate wrong answers

Option B is wrong because the 'Idle' state is the initial state before any connection attempt, and hold timer expiry would cause the session to go to 'Idle' after being established, not remain in 'Active' with zero message counts. Option C is wrong because the neighbor 10.2.2.2 has 0 prefixes received (PfxRcd column shows 0), not 5; the 5 prefixes belong to neighbor 10.1.1.2. Option D is wrong because the BGP table version being 10 is a normal operational value indicating the number of changes processed, not an indicator of a routing loop; routing loops are detected via AS-path loop prevention, not table version.

669
MCQmedium

Which Diffie-Hellman group is considered the minimum recommended for secure IPsec site-to-site VPNs according to current best practices?

A.Group 1
B.Group 2
C.Group 14
D.Group 5
AnswerC

Group 14 uses 2048-bit modulus, the current minimum recommendation.

Why this answer

Diffie-Hellman Group 14 (2048-bit MODP) is the minimum recommended for secure IPsec site-to-site VPNs because it provides sufficient key strength against modern computational attacks, including those from quantum-capable adversaries in the near future. Groups 1 and 2 (768-bit and 1024-bit) are considered weak and deprecated due to the Logjam attack (CVE-2015-4000) and advances in factoring, while Group 5 (1536-bit) is also no longer recommended as it does not meet current NIST SP 800-131A guidelines for minimum 2048-bit Diffie-Hellman strength.

Exam trap

Cisco often tests the misconception that Group 5 (1536-bit) is still acceptable because it was once the default in older IOS versions, but current best practices require at least Group 14 (2048-bit) for compliance with security standards like NIST SP 800-131A.

How to eliminate wrong answers

Option A is wrong because Diffie-Hellman Group 1 (768-bit MODP) is severely weak and deprecated, as it can be broken by state-level actors and is vulnerable to the Logjam attack. Option B is wrong because Diffie-Hellman Group 2 (1024-bit MODP) is also considered insecure and deprecated in modern VPN deployments, as 1024-bit DH is no longer recommended by NIST or IETF for secure key exchange. Option D is wrong because Diffie-Hellman Group 5 (1536-bit MODP) is stronger than Groups 1 and 2 but still falls short of the current minimum recommendation of 2048 bits (Group 14) for IPsec VPNs, and is not considered secure for long-term use.

670
MCQhard

An engineer configures a DMVPN Phase 2 network. Spoke routers can communicate with the hub, but spoke-to-spoke traffic does not trigger a direct tunnel. Which is the most likely explanation?

A.The hub router is missing the 'ip nhrp redirect' command.
B.The spoke routers have 'ip nhrp shortcut' configured.
C.The tunnel mode is set to gre multipoint on the spokes.
D.The NHRP authentication is mismatched.
AnswerA

Correct. Redirect is required for Phase 2 spoke-to-spoke.

Why this answer

In DMVPN Phase 2, spoke-to-spoke tunnels require NHRP redirect messages from the hub and NHRP shortcut requests from the spoke. If the hub does not have 'ip nhrp redirect' configured, it will not send redirect messages, and spokes will not attempt to build a direct tunnel.

671
MCQmedium

A network engineer runs the following command to troubleshoot a Control Plane Policing (CoPP) issue:

R1# show bgp ipv4 unicast 10.1.1.0/24
BGP routing table entry for 10.1.1.0/24, version 10
Paths: (1 available, best #1, table default)
  Advertised to update-groups:
     1
  Refresh Epoch 1
  Local
    10.1.1.2 from 10.1.1.2 (10.1.1.2)
      Origin IGP, metric 0, localpref 100, valid, external, best
      Last update: Mon Mar 1 00:05:23 2024

What does this output indicate?

A.BGP is not receiving updates due to CoPP dropping packets.
B.BGP is functioning correctly, and CoPP is not interfering with BGP sessions.
C.BGP is stuck in idle state due to CoPP.
D.BGP is only advertising routes locally.
AnswerB

The route is learned from 10.1.1.2 and is best, indicating BGP is working.

Why this answer

The BGP route for 10.1.1.0/24 is present and valid, with a last update time of 00:05:23. This indicates that BGP updates are being received and processed, suggesting CoPP is not blocking BGP traffic.

672
MCQhard

A network engineer runs the following command to examine MPLS LDP neighbor details:

R1# show mpls ldp neighbor detail
    Peer LDP Ident: 10.0.0.2:0; Local LDP Ident 10.0.0.1:0
        TCP connection: 10.0.0.2.646 - 10.0.0.1.55432
        State: Oper; Msgs sent/rcvd: 123/456; Downstream on demand
        Up time: 1w2d
        LDP discovery sources:
          GigabitEthernet0/0, hello interval: 5 s, targeted: no
        Addresses bound to peer LDP Ident:
          10.0.0.2        10.0.1.2        192.168.1.1

What does this output indicate?

A.The LDP session with 10.0.0.2 is operational and was discovered via link hello on GigabitEthernet0/0
B.The LDP session is using targeted hello
C.The LDP session has been up for 1 minute and 2 seconds
D.The neighbor is using downstream-on-demand label advertisement mode
AnswerA

State is Oper, and discovery source is GigabitEthernet0/0 with no targeted hello.

Why this answer

The output shows detailed LDP neighbor information. The session is operational (State: Oper) for 1 week 2 days. The neighbor is directly connected via GigabitEthernet0/0 (non-targeted hello).

The peer has multiple addresses bound to its LDP identifier.

673
MCQhard

A large enterprise network is experiencing intermittent IPv6 connectivity loss for hosts on VLAN 100. Router R1 has the following relevant configuration:

interface GigabitEthernet0/0.100
 encapsulation dot1Q 100
 ipv6 address 2001:DB8:1:100::1/64
 ipv6 nd raguard
 ipv6 nd prefix default
 ipv6 dhcp relay destination 2001:DB8:1:200::1
!

Router R2 shows: 'debug ipv6 dhcp relay' output indicates that DHCPv6 requests from VLAN 100 are being relayed, but the server never receives the SOLICIT messages. What is the root cause?

A.The 'ipv6 nd raguard' command on the interface filters DHCPv6 SOLICIT messages, preventing relay.
B.The DHCPv6 relay destination is in a different VRF, and the relay is not configured to use that VRF.
C.An IPv6 ACL applied to GigabitEthernet0/0.100 has an implicit deny that blocks the relayed DHCPv6 traffic.
D.The DHCPv6 server is not configured to accept relayed messages from this relay agent.
AnswerC

The implicit deny at the end of an IPv6 ACL can block DHCPv6 relay packets if no explicit permit statement exists for the relay destination.

Why this answer

The issue is that the DHCPv6 relay agent is configured with 'ipv6 nd raguard' which filters Router Advertisement messages but does not affect DHCPv6 relay. However, the relay destination is unreachable due to a missing route or ACL. The correct answer identifies that an implicit deny in an IPv6 ACL applied to the relay interface is blocking the relayed traffic, a common oversight when combining First Hop Security features with ACLs.

674
Multi-Selecthard

Which THREE commands can be used to verify IPv6 First Hop Security (FHS) bindings or operations? (Choose THREE.)

Select 3 answers
A.show ipv6 neighbors
B.show ipv6 dhcp snooping binding
C.show ipv6 route
D.show ipv6 source-guard
E.show ipv6 traffic
AnswersA, B, D

Correct. This command displays the IPv6 neighbor discovery cache, which includes bindings used by FHS features like ND inspection.

Why this answer

Various show commands are used to verify FHS features. 'show ipv6 neighbors' displays the ND cache, which includes bindings learned via ND snooping. 'show ipv6 dhcp snooping binding' displays DHCPv6 snooping bindings. 'show ipv6 source-guard' shows Source Guard policy and statistics. Option A is correct: 'show ipv6 neighbors' shows ND entries that FHS uses. Option B is correct: 'show ipv6 dhcp snooping binding' shows DHCPv6 bindings used by Source Guard.

Option D is correct: 'show ipv6 source-guard' displays Source Guard configuration and drops. Option C is incorrect: 'show ipv6 route' shows routing table, not FHS bindings. Option E is incorrect: 'show ipv6 traffic' shows packet statistics, not FHS-specific bindings.

675
MCQhard

R1 and R2 are EIGRP neighbors over a serial link with BFD enabled. R1#show ip eigrp neighbors shows R2 in state 'Pending' for BFD. R2#show bfd neighbors shows the session as 'Up'. R1 has 'bfd interval 50 min_rx 50 multiplier 3'. R2 has 'bfd interval 200 min_rx 200 multiplier 3'. What is the root cause?

A.The BFD multiplier on R1 is too low.
B.R1's min_rx interval is lower than R2's min_tx interval, causing BFD session failure.
C.EIGRP must be configured with 'bfd all-interfaces' to work.
D.The serial link requires 'no ip split-horizon' for BFD.
AnswerB

R1's min_rx of 50 ms is less than R2's min_tx of 200 ms, so R2 cannot meet the required receive rate, causing the BFD session to fail.

Why this answer

EIGRP BFD requires that the BFD session be established before EIGRP can form adjacency. If the BFD session is up on one side but not the other, it indicates a timer mismatch. However, BFD timers are negotiated; the issue is that R1's min_rx of 50 ms is lower than R2's min_rx of 200 ms, causing R2 to reject the session because it cannot transmit at that rate.
