CCNA Device Access Control Questions

75 of 76 questions · Page 1/2 · Device Access Control topic · Answers revealed

1
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show mpls ldp neighbor
        Peer LDP Ident: 192.168.2.2:0, Local LDP Ident: 192.168.1.1:0
            TCP connection: 10.1.1.2.646 - 10.1.1.1.646
            State: Oper; Msgs sent/rcvd: 100/100; Downstream
            Up time: 00:45:00
            LDP discovery sources:
              GigabitEthernet0/0, Src IP addr: 10.1.1.2
            Addresses bound to peer LDP Ident:
              10.1.1.2        192.168.2.2

Based on this output, what is the state of the LDP session?

A. The LDP session is operational and exchanging label information.
B. The LDP session is in a down state due to a TCP reset.
C. The LDP session is in initialization state because no labels have been exchanged.
D. The LDP session is using UDP instead of TCP.
Answer: A

The 'State: Oper' indicates the session is operational, and the message counts confirm label exchange.

Why this answer

The output shows 'State: Oper', which indicates the LDP session is operational. The 'Downstream' label distribution mode and the fact that messages have been sent and received (100/100) confirm that the session is actively exchanging label information. This matches the correct answer that the LDP session is operational and exchanging label information.

Exam trap

Cisco often tests the distinction between LDP discovery (UDP) and session establishment (TCP), and the trap here is that candidates may confuse the 'Oper' state with an initialization state or incorrectly assume UDP is used for the entire LDP process.

How to eliminate wrong answers

Option B is wrong because the state is 'Oper' (operational), not down; a TCP reset would show a different state like 'Down' or 'Initialized'. Option C is wrong because the 'Oper' state indicates the session is fully established and labels are being exchanged, not in an initialization state where no labels have been exchanged. Option D is wrong because LDP uses TCP (port 646) for session establishment and label exchange, as shown in the output (TCP connection: 10.1.1.2.646 - 10.1.1.1.646); UDP is used only for LDP discovery (hello messages).

2
MCQ · hard

An MPLS network is experiencing label distribution failures. Router R1 is an LSR connected to R2. R1's show mpls ldp neighbor shows R2 in OPERATIONAL state, but show mpls ldp bindings shows no label bindings for prefixes learned via OSPF from R2. R1's mpls ldp router-id is 1.1.1.1, and R2's is 2.2.2.2. The OSPF process on R1 advertises the loopback0 interface with ip address 1.1.1.1 255.255.255.255, and R2's loopback0 is 2.2.2.2. The link between them is 192.168.1.0/30. What is the root cause?

A. The LDP router-id on R1 is not reachable from R2 because OSPF is not advertising the loopback0 route, causing LDP to not exchange label bindings.
B. The mpls ldp label allocation is configured as 'per-prefix' instead of 'per-interface'.
C. The OSPF process on R1 has a route-map filtering the loopback route.
D. The LDP session is using the interface IP address as transport, but OSPF is not advertising the interface network.
Answer: A

If the router-id is not reachable, the LDP session may still form using the link address, but label bindings for prefixes learned via OSPF may fail because the transport address is not routable.

Why this answer

R1 shows R2 as an LDP neighbor in OPERATIONAL state, meaning the LDP session (TCP port 646) is established. However, no label bindings are exchanged for OSPF-learned prefixes from R2. LDP uses the router-id (1.1.1.1) as the transport address for label binding exchange.

If OSPF does not advertise R1's loopback0 (1.1.1.1/32), R2 cannot reach this address, so LDP cannot complete the label mapping exchange, even though the neighbor session is up. The correct root cause is that R1's LDP router-id is not reachable from R2.

Exam trap

Cisco often tests the distinction between LDP neighbor adjacency (which can form using link-local addresses) and the actual exchange of label bindings, which requires the LDP router-id to be reachable via the IGP; candidates mistakenly assume an OPERATIONAL neighbor state guarantees full label exchange.

How to eliminate wrong answers

Option B is wrong because 'per-prefix' vs 'per-interface' label allocation affects how labels are assigned to FECs, not the exchange of label bindings between LDP peers; the issue is reachability of the transport address. Option C is wrong because there is no evidence of a route-map filtering the loopback route; the question states OSPF advertises the loopback0 interface, and a missing route is more likely due to OSPF not including the loopback in the routing process (e.g., not configured under router ospf). Option D is wrong because LDP sessions use the LDP router-id (not the interface IP) as the transport address by default; even if the interface network is advertised, the session transport address must be reachable, and the problem is specifically the loopback route.

3
Drag & Drop · medium

Drag and drop the steps to troubleshoot Device Access Control adjacency or connectivity failures into the correct order, from first to last.


Why this order

Start by verifying physical connectivity with ping to isolate Layer 1/2 issues. Then check the access control configuration on the interface to ensure it is not blocking traffic. Next, examine the adjacency table to confirm neighbor relationships.

After that, review logs for authentication or authorization errors. Finally, use debug commands to capture real-time access control events.

4
Multi-Select · medium

Which TWO configuration steps are required to enable TACACS+ authentication for device access control on a Cisco IOS router, assuming the TACACS+ server is already reachable? (Choose TWO.)

Select 2 answers
A. Configure the TACACS+ server with the 'tacacs server' command and specify the server IP and key.
B. Create an AAA authentication login method list using 'aaa authentication login default group tacacs+' to use TACACS+ as the primary method.
C. Configure 'aaa authorization exec default group tacacs+' to authorize user commands after authentication.
D. Use 'radius-server host' to define the authentication server.
E. Enable 'aaa new-model' to activate AAA services.
Answers: A, B

This is required to define the TACACS+ server for the router to communicate with.

Why this answer

Option A is correct because the 'tacacs server' command is required to define the TACACS+ server's IP address and the shared secret key, which is necessary for the router to communicate securely with the server. Option B is correct because 'aaa authentication login default group tacacs+' creates an authentication method list that tells the router to use TACACS+ as the primary method for login authentication, which is essential for device access control.

Exam trap

Cisco often tests the distinction between authentication (verifying identity) and authorization (granting permissions), so candidates mistakenly select authorization commands like 'aaa authorization exec' when the question explicitly asks for authentication steps.

5
MCQ · medium

A network engineer runs the following command to troubleshoot a Device Access Control issue:

    R1# show crypto isakmp sa detail
    Codes: C - IKE configuration mode, D - Dead Peer Detection
           I - IKE Initiator, R - IKE Responder

    C-id  Local     Remote    I-VRF  Status  Encr  Hash  Auth  DH  Lifetime  Cap.
    1001  10.1.1.1  10.1.1.2         ACTIVE  aes   sha   md5   2   86400     D

What does this output indicate?

A. An IKE Phase 1 SA is established with the remote peer using AES encryption and SHA hash.
B. The IKE Phase 1 SA is in a failed state because the authentication method is MD5.
C. The IKE Phase 2 SA is established with the remote peer.
D. The router is the initiator of the IKE Phase 1 SA.
Answer: A

The SA is ACTIVE with the specified parameters: aes encryption, sha hash, md5 auth, DH group 2.

Why this answer

The output from 'show crypto isakmp sa detail' displays an IKE Phase 1 (ISAKMP) security association with status 'ACTIVE', indicating successful Phase 1 negotiation. The 'Encr' column shows 'aes', 'Hash' shows 'sha', and 'Auth' shows 'md5', confirming AES encryption and SHA hash are used. This matches option A, which correctly identifies an established IKE Phase 1 SA with those parameters.

Exam trap

Cisco often tests the distinction between IKE Phase 1 and Phase 2 SAs, and candidates may confuse 'show crypto isakmp sa' (Phase 1) with 'show crypto ipsec sa' (Phase 2), leading them to incorrectly select option C.

How to eliminate wrong answers

Option B is wrong because the status is 'ACTIVE', not failed; MD5 is used for authentication (Auth column), not as a hash algorithm, and while MD5 is weak, it does not cause a failure here. Option C is wrong because this command shows IKE Phase 1 (ISAKMP) SAs, not Phase 2 (IPsec) SAs; Phase 2 is verified with 'show crypto ipsec sa'. Option D is wrong because the 'I-VRF' column is empty and the 'Cap.' column shows 'D' (Dead Peer Detection), but there is no 'I' (Initiator) or 'R' (Responder) flag in the output; the 'C-id' and other fields do not indicate the initiator role.

6
Multi-Select · hard

Which TWO configuration changes are required to enforce role-based access control (RBAC) using Cisco IOS privilege levels and AAA? (Choose TWO.)

Select 2 answers
A. Use the 'privilege exec level 15 show running-config' command to restrict the show running-config command to privilege level 15.
B. Use the 'enable secret level 15 password' command to set a password for privilege level 15 access.
C. Use the 'username admin privilege 15 secret cisco' command to create a user with privilege level 15.
D. Use the 'aaa authorization exec default local' command to enable privilege level authorization using the local database.
E. Use the 'line vty 0 4 privilege level 15' command to set all VTY lines to privilege level 15 by default.
Answers: A, C

This command sets the show running-config command to privilege level 15, so only users with privilege level 15 can execute it.

Why this answer

Option A is correct because the 'privilege exec level 15 show running-config' command restricts the 'show running-config' command to users with privilege level 15, which is a key step in enforcing RBAC by controlling which commands are available at lower privilege levels. Option C is correct because creating a user with 'username admin privilege 15 secret cisco' assigns that user to privilege level 15, allowing them to execute commands restricted to that level. Together, these two configurations ensure that only authorized users at level 15 can run sensitive commands, while lower-privilege users are blocked.

Exam trap

Cisco often tests the distinction between controlling command access (via 'privilege' commands) and controlling user authentication or session access (via 'username' or 'line' commands), and the trap here is that candidates confuse setting a default privilege level on VTY lines (Option E) with enforcing RBAC, when in fact it bypasses role-based restrictions by granting all users the same high privilege.

7
MCQ · medium

A network engineer is troubleshooting a Cisco router that is not responding to SNMP polls from a management station. The router has 'snmp-server community public RO' configured. The management station can ping the router. What is the most likely cause?

A. The SNMP community string is not associated with an ACL that permits the management station.
B. The SNMP version is not configured.
C. The router's SNMP agent is disabled.
D. The management station is using the wrong SNMP port.
Answer: A

Correct because without an ACL, the default behavior is to deny all SNMP access; the community must be bound to an ACL that permits the management station.

Why this answer

The 'snmp-server community public RO' command configures an SNMP community string but does not restrict access by default. If no access control list (ACL) is associated with the community string, the router will respond to SNMP polls from any source. However, if an ACL is implicitly or explicitly applied that does not permit the management station's IP address, the router will silently drop the SNMP requests.

Since the management station can ping the router, Layer 3 connectivity is confirmed, isolating the issue to SNMP-specific access control.

Exam trap

Cisco often tests the nuance that an SNMP community string can have an implicit ACL (e.g., from a previous configuration or a default deny) that blocks management stations, leading candidates to overlook access control as the root cause when basic connectivity exists.

How to eliminate wrong answers

Option B is wrong because SNMP version configuration is not required for basic SNMPv2c operation; the default SNMP version is v2c when a community string is configured, and the router will respond to v2c polls without an explicit version command. Option C is wrong because the 'snmp-server community' command implicitly enables the SNMP agent on the router; the agent is not disabled unless explicitly turned off with 'no snmp-server'. Option D is wrong because SNMP polls use UDP port 161 by default, and the management station can ping the router, indicating no IP connectivity issue; if the management station were using the wrong port, the router would still receive the packet but the SNMP agent would not process it, yet the question states the router is 'not responding'—a port mismatch would typically result in an ICMP port unreachable, not a silent failure.

8
MCQ · medium

A network engineer runs the following command to troubleshoot a Device Access Control issue:

    R1# show mpls ldp bindings 10.10.10.0 24
      lib entry: 10.10.10.0/24, rev 2
            local binding:  label: 101
            remote binding: lsr: 10.1.1.2:0, label: 102
            remote binding: lsr: 10.1.2.2:0, label: 103

What does this output indicate?

A. The router has a local label of 101 for the prefix and has learned two remote labels from two different neighbors.
B. The router has only a local label of 101; the remote bindings are not used because they are from the same LSR.
C. The label 102 is the local label for the prefix 10.10.10.0/24.
D. The router has no label for the prefix because the lib entry is incomplete.
Answer: A

The output clearly shows one local binding and two remote bindings from different LSRs.

Why this answer

The output of 'show mpls ldp bindings 10.10.10.0 24' displays the Label Information Base (LIB) entry for prefix 10.10.10.0/24. The 'local binding: label: 101' indicates that this router has assigned label 101 to the prefix. The two 'remote binding' lines show that two different LDP neighbors (LSR IDs 10.1.1.2 and 10.1.2.2) have advertised labels 102 and 103 respectively for the same prefix.

This is the normal operation of LDP, where a router learns multiple remote labels for the same FEC from different peers.

Exam trap

Cisco often tests the distinction between local and remote bindings in the LIB, and the trap here is that candidates may confuse the 'local binding' with a remote label or assume that multiple remote bindings from different LSRs are not used, when in fact they are all valid entries for potential forwarding paths.

How to eliminate wrong answers

Option B is wrong because the remote bindings are indeed used; they are from two different LSRs (10.1.1.2 and 10.1.2.2), not the same LSR, and each provides a viable label-switched path. Option C is wrong because label 102 is a remote binding learned from LSR 10.1.1.2, not a local binding; the local label is 101. Option D is wrong because the LIB entry is complete, showing both a local binding and two remote bindings, which is a fully populated entry for the prefix.

9
Multi-Select · medium

Which TWO commands would a network engineer use to verify the status of local authentication and authorization for device access control on a Cisco IOS router? (Choose TWO.)

Select 2 answers
A. show aaa local user lockout
B. show running-config | include aaa authentication login
C. show aaa servers
D. debug aaa authentication
E. show ip local policy
Answers: A, B

This command shows users locked out due to failed authentication attempts, which is part of verifying local AAA behavior.

Why this answer

Option A is correct because 'show aaa local user lockout' displays whether local users have been locked out due to failed authentication attempts, which is directly relevant to verifying local authentication and authorization status. Option B is correct because 'show running-config | include aaa authentication login' shows the configured AAA authentication method lists for login, allowing verification of local authentication policies.

Exam trap

Cisco often tests the distinction between commands that verify configuration (show commands) versus those that monitor live events (debug commands), and between local AAA status versus external server status, leading candidates to mistakenly select 'show aaa servers' or 'debug aaa authentication'.

10
MCQ · medium

A network engineer runs the following command to troubleshoot a Device Access Control issue:

    R1# show ip ospf database router 10.1.1.2

                OSPF Router with ID (10.1.1.1) (Process ID 1)

                    Router Link States (Area 0)

      LS age: 150
      Options: (No TOS-capability, DC)
      LS Type: Router Links
      Link State ID: 10.1.1.2
      Advertising Router: 10.1.1.2
      LS Seq Number: 80000002
      Checksum: 0x1234
      Length: 48
      Number of Links: 2

        Link connected to: a Transit Network
         (Link ID) Designated Router address: 10.1.1.2
         (Link Data) Router Interface address: 10.1.1.2
          Number of TOS metrics: 0
           TOS 0 Metrics: 10

        Link connected to: a Stub Network
         (Link ID) Network/subnet number: 192.168.1.0
         (Link Data) Network Mask: 255.255.255.0
          Number of TOS metrics: 0
           TOS 0 Metrics: 10

What does this output indicate?

A. The router 10.1.1.2 is advertising two links: one to a transit network and one to a stub network, both with cost 10.
B. The router 10.1.1.2 is the DR for the transit network 10.1.1.0/24.
C. The router 10.1.1.2 is advertising a single link to a point-to-point network.
D. The router 10.1.1.2 has a misconfigured network type because it shows both transit and stub links.
Answer: A

The LSA shows exactly that: a transit link (to a DR) and a stub link (192.168.1.0/24), both with metric 10.

Why this answer

The output shows two links in the Router LSA from router 10.1.1.2: a transit network link (to a DR) and a stub network link (to a subnet). Both links have a metric of 10, confirming that router 10.1.1.2 is advertising exactly two links with equal cost. This matches option A exactly.

Exam trap

Cisco often tests the ability to interpret the 'Link connected to' fields in a Router LSA, where candidates may mistakenly think a transit link implies a point-to-point connection or that a stub link indicates a misconfiguration, rather than recognizing both are normal for a DR on a multi-access network.

How to eliminate wrong answers

Option B is wrong because the transit network link shows the Designated Router address as 10.1.1.2, which indicates that 10.1.1.2 is the DR for that segment, but the question asks what the output indicates overall, and the output shows two links, not just the DR role. Option C is wrong because the output clearly lists two links (transit and stub), not a single point-to-point link. Option D is wrong because having both a transit link and a stub link in a Router LSA is normal for a multi-access network where the router is the DR; it is not a misconfiguration.

11
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show ip ospf neighbor

    Neighbor ID     Pri   State           Dead Time   Address         Interface
    192.168.1.2       1   FULL/DR         00:00:35    10.1.1.2        GigabitEthernet0/0
    192.168.2.2       1   2WAY/DROTHER    00:00:32    10.2.2.2        GigabitEthernet0/1
    192.168.3.2       1   FULL/BDR        00:00:38    10.3.3.2        GigabitEthernet0/2

Based on this output, what is a potential issue?

A. The neighbor on Gi0/1 is not forming a full adjacency because it is in 2WAY state.
B. The neighbor on Gi0/0 is the DR, which is causing high CPU usage.
C. The neighbor on Gi0/2 is the BDR, which is a problem because it should be the DR.
D. All neighbors are in FULL state, indicating no issues.
Answer: A

In OSPF, the 2WAY state indicates that the router has received a Hello from the neighbor but has not yet exchanged database descriptors; a FULL state is required for complete adjacency.

Why this answer

The neighbor on Gi0/1 is in the 2WAY/DROTHER state, which is normal for non-DR/BDR routers on a multi-access network; however, the question implies a potential issue because the engineer might expect all neighbors to reach FULL state.

In OSPF, the 2WAY state is a valid adjacency state for DROTHER routers, but if the network is a point-to-point link or the engineer expects full connectivity, this state indicates that the neighbor is not exchanging LSAs (Link State Advertisements) with this router, which could be a problem if the link is not a broadcast multi-access network.

The 2WAY state is formed after two-way communication is established, but it does not progress to FULL unless the router is the DR or BDR. This is therefore not necessarily an error, but it is the only state that is not FULL, making it the potential issue highlighted in the question.

Exam trap

Cisco often tests the misconception that any state other than FULL indicates a problem, but in OSPF multi-access networks, the 2WAY state between DROTHER routers is normal and expected, so candidates must recognize that the 'issue' is context-dependent and that the output shows a valid adjacency state for a non-DR/BDR router.

How to eliminate wrong answers

Option B is wrong because the neighbor on Gi0/0 being in FULL/DR state is normal and does not inherently cause high CPU usage; DR election is a standard OSPF process, and high CPU would depend on network size and LSA flooding, not simply the DR role. Option C is wrong because the neighbor on Gi0/2 being in FULL/BDR state is perfectly valid; the BDR is a backup to the DR, and there is no requirement that a specific router should be the DR—election is based on priority and Router ID. Option D is wrong because not all neighbors are in FULL state; the neighbor on Gi0/1 is in 2WAY state, which is not FULL, so stating 'all neighbors are in FULL state' is factually incorrect based on the output.

12
MCQ · hard

A network administrator notices that SSH access to router R1 from a management station 10.10.10.10 is failing intermittently. R1 has the following configuration: access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 192.168.1.1 eq 22, line vty 0 4 access-class 100 in, and control-plane host control-plane security copp policy-map COPP class MANAGEMENT police cir 8000 bc 1500 conform-action transmit exceed-action drop. The management station is on a different subnet than the management interface. The failure occurs during peak hours. What is the root cause?

A. The access-class on the VTY lines is incorrectly configured, blocking SSH traffic from the management station.
B. The CoPP policy is rate-limiting SSH traffic to 8 kbps, and during peak hours, the traffic exceeds this rate, causing drops.
C. The management station is not reachable due to a routing issue.
D. The SSH server on R1 has a maximum session limit that is being reached.
Answer: B

The police command limits SSH traffic, and exceed-action drop causes intermittent failures when the rate is exceeded.

Why this answer

The CoPP policy-map COPP class MANAGEMENT applies a police rate of 8000 bps (8 kbps) with a burst of 1500 bytes to SSH traffic destined for the control plane. During peak hours, the SSH traffic from the management station exceeds this rate, causing packets to be dropped by the exceed-action drop. This intermittent failure aligns with the rate-limiting behavior of CoPP, not with access-list or routing issues.

Exam trap

Cisco often tests the interaction between CoPP and VTY access-class, where candidates mistakenly think the access-class is the issue, but the real culprit is CoPP rate-limiting the control plane traffic before it reaches the VTY lines.

How to eliminate wrong answers

Option A is wrong because the access-list 100 permits tcp from subnet 10.10.10.0/24 to host 192.168.1.1 on port 22, and the access-class 100 in on VTY lines correctly applies this permit to inbound SSH sessions; it does not block traffic. Option C is wrong because the management station is on a different subnet, but the question states the failure is intermittent and during peak hours, not a persistent unreachability; a routing issue would cause constant failure, not intermittent. Option D is wrong because there is no mention of an SSH session limit in the configuration; the default SSH server on Cisco IOS does not have a maximum session limit that would cause intermittent drops during peak hours, and the symptom matches rate-limiting, not session exhaustion.

13
MCQ · hard

An engineer configures EIGRP named mode on a router. After making a change to the metric weights, the router becomes stuck-in-active (SIA) for a route. Why does this happen in named mode but not in classic mode?

A. Named mode EIGRP uses a different metric calculation algorithm that is more sensitive to weight changes.
B. Named mode EIGRP requires a 'metric weights' change to be followed by a 'clear ip eigrp neighbors' command; otherwise, the router sends incorrect queries.
C. Named mode EIGRP does not support changing k-values on the fly; it must be done during maintenance.
D. Named mode EIGRP automatically adjusts the metric weights to match neighbors, causing a temporary SIA.
Answer: B

In named mode, changing k-values without resetting neighbors causes the router to use the new metric for new queries but the old metric for existing routes, leading to inconsistencies and SIA.

Why this answer

In named mode EIGRP, changing metric weights (k-values) does not automatically trigger a neighbor reset. Without a 'clear ip eigrp neighbors' command, the router continues to use the old k-values for existing neighbors while sending queries with the new k-values, causing a mismatch that leads to stuck-in-active (SIA) routes. Classic mode EIGRP automatically resets neighbors when metric weights change, avoiding this issue.

Exam trap

Cisco often tests the subtle difference that named mode EIGRP requires an explicit 'clear ip eigrp neighbors' after changing metric weights, while classic mode handles it automatically, leading candidates to assume both modes behave identically.

How to eliminate wrong answers

Option A is wrong because both named and classic mode EIGRP use the same composite metric calculation algorithm (based on bandwidth, delay, reliability, load, and MTU); named mode is not inherently more sensitive to weight changes. Option C is wrong because named mode EIGRP does support changing k-values on the fly, but it requires a manual neighbor reset to avoid SIA; it is not restricted to maintenance windows. Option D is wrong because named mode EIGRP does not automatically adjust metric weights to match neighbors; it uses the locally configured k-values, and mismatches cause SIA, not automatic adjustment.

14
MCQ · medium

In BGP, what is the default value of the keepalive timer?

A. 30 seconds
B. 60 seconds
C. 90 seconds
D. 180 seconds
Answer: B

Correct. The default BGP keepalive timer is 60 seconds.

Why this answer

In BGP, the default keepalive timer is 60 seconds, as specified in RFC 4271. This timer determines how often a BGP speaker sends Keepalive messages to its peer to maintain the session. The hold timer, which is three times the keepalive interval (default 180 seconds), triggers session teardown if no Keepalive or update is received within that period.

Exam trap

Cisco often tests the distinction between the keepalive timer (60 seconds) and the hold timer (180 seconds), and candidates frequently confuse the two or misremember the default as 30 seconds due to familiarity with other routing protocols like EIGRP.

How to eliminate wrong answers

Option A is wrong because 30 seconds is the default keepalive interval for EIGRP, not BGP. Option C is wrong because 90 seconds is not a standard BGP timer value; it might be confused with the OSPF dead interval (which is 40 seconds by default). Option D is wrong because 180 seconds is the default BGP hold timer, not the keepalive timer; the keepalive timer is one-third of the hold timer.

15
MCQ · hard

A DMVPN network with NHRP is configured for spoke-to-spoke tunnels. Spoke routers R1 and R2 are both connected to a hub router H1. Spoke-to-spoke traffic is not working. R1's show dmvpn shows a dynamic NHRP mapping for R2's tunnel IP to R2's physical IP, but ping from R1's tunnel IP to R2's tunnel IP fails. R1's show ip nhrp shows the mapping as 'dynamic' with no flags. The hub has no special configuration. What is the root cause?

A. The hub is missing the ip nhrp redirect command, and the spokes are missing ip nhrp shortcut, preventing spoke-to-spoke direct communication.
B. The spoke routers have incorrect NHRP authentication, causing the mapping to be invalid.
C. The tunnel interface on R1 is not in the correct VRF.
D. The IPsec transform set is mismatched between spokes.
Answer: A

Without these commands, the hub does not trigger NHRP resolution for spoke-to-spoke traffic, and spokes do not install the necessary routes.

Why this answer

The correct answer is A because in a DMVPN phase 3 network, spoke-to-spoke traffic requires the hub to send NHRP redirect messages and the spokes to process them via the `ip nhrp shortcut` command. Without `ip nhrp redirect` on the hub, the hub forwards traffic between spokes without signaling them to establish a direct tunnel. The dynamic NHRP mapping on R1 for R2's tunnel IP indicates that R1 has learned R2's physical address via NHRP registration, but without the shortcut flag, R1 will not use that mapping to send traffic directly; instead, it continues to send traffic through the hub, which fails if the hub does not have a route or if the spoke-to-spoke tunnel is not triggered.

Exam trap

Cisco often tests the distinction between DMVPN phase 2 (where spokes automatically build direct tunnels without redirect) and phase 3 (which requires explicit redirect and shortcut commands), leading candidates to assume that a dynamic NHRP mapping alone is sufficient for spoke-to-spoke communication.

How to eliminate wrong answers

Option B is wrong because incorrect NHRP authentication would prevent the NHRP registration and mapping from being created at all; the show dmvpn output shows a dynamic mapping, so authentication is not the issue. Option C is wrong because a VRF mismatch would typically prevent the tunnel interface from being reachable or routing correctly, but the presence of a dynamic NHRP mapping indicates that the tunnel interface is operational and in the correct VRF. Option D is wrong because an IPsec transform set mismatch would cause the IPsec tunnel to fail to establish, but the question states that the mapping is present and the ping fails at the tunnel IP level, not at the IPsec level; DMVPN can operate without IPsec, and the issue is with NHRP routing, not encryption.

16
MCQ · medium

A network engineer is troubleshooting a Cisco router that is configured for TACACS+ authentication. The engineer issues 'test aaa group tacacs+ admin cisco123 new-code' and receives 'FAILED'. The router can ping the TACACS+ server. What is the most likely cause?

A. TCP port 49 is blocked between the router and the TACACS+ server.
B. The TACACS+ server shared key is incorrect.
C. The username 'admin' does not exist on the TACACS+ server.
D. The TACACS+ server is not configured for the router's IP address.
Answer: A

Correct because TACACS+ uses TCP port 49; if blocked, the router cannot establish a connection to the server.

Why this answer

The 'test aaa group tacacs+ admin cisco123 new-code' command uses the 'new-code' flag, which forces the test to use the TACACS+ protocol (TCP port 49) rather than the older, less secure method. Since the router can ping the TACACS+ server, Layer 3 connectivity is fine, but a failed authentication with 'new-code' strongly indicates that TCP port 49 is blocked by a firewall or ACL between the router and the server. TACACS+ relies on TCP port 49 for all communication, so blocking this port causes immediate failure.

Exam trap

Cisco often tests the distinction between Layer 3 reachability (ping) and Layer 4 connectivity (TCP port 49), trapping candidates who assume that successful ping implies full connectivity to the TACACS+ server.

How to eliminate wrong answers

Option B is wrong because if the shared key were incorrect, the TACACS+ server would typically respond with an authentication failure (e.g., 'authen failed') rather than a generic 'FAILED' from the test command, and the 'new-code' flag does not bypass key validation. Option C is wrong because the 'test aaa' command simulates authentication against the TACACS+ server; if the username 'admin' did not exist, the server would return a 'user not found' or similar error, not a generic 'FAILED' from the router's perspective. Option D is wrong because if the TACACS+ server were not configured for the router's IP address, the server would either drop the packet silently or respond with a rejection, but the router's ability to ping the server suggests no Layer 3 filtering; however, the server's configuration for the router's IP is a server-side setting that would cause a different failure mode (e.g., no response), not a generic 'FAILED' from the test command.

17
MCQ · hard

An engineer configures OSPF on a link between two routers with MTU 1500 on one side and MTU 1400 on the other. The adjacency forms but is stuck in EXSTART. Which is the most likely explanation?

A.The router with the larger MTU sends DBD packets that exceed the smaller MTU, causing them to be dropped silently.
B.The router with the smaller MTU cannot process OSPF hello packets from the larger MTU side.
C.The adjacency is stuck because OSPF network type mismatch prevents DBD exchange.
D.The router with the larger MTU must have 'ip ospf mtu-ignore' configured to bypass the MTU check.
Answer: A

OSPF DBD packets are sized based on the outgoing interface MTU. If the packet is larger than the receiving interface MTU, it is dropped, preventing the exchange of LSAs.

Why this answer

When OSPF routers have mismatched MTUs, the router with the larger MTU (1500) will send Database Description (DBD) packets that include the full MTU size in the interface MTU field. The router with the smaller MTU (1400) will reject these packets because they exceed its MTU, causing them to be silently dropped. This prevents the DBD exchange from completing, leaving the adjacency stuck in EXSTART state.

Exam trap

Cisco often tests the specific state where the adjacency gets stuck (EXSTART) to distinguish between MTU mismatch and other OSPF issues, and the trap here is that candidates may incorrectly attribute the problem to hello packet failures or network type mismatches rather than the silent dropping of DBD packets due to MTU mismatch.

How to eliminate wrong answers

Option B is wrong because OSPF hello packets are small (typically 44 bytes) and will not be dropped due to MTU mismatch; the issue is with DBD packets, not hello packets. Option C is wrong because a network type mismatch would typically prevent the adjacency from forming at all or cause it to be stuck in INIT/2WAY, not EXSTART; EXSTART specifically indicates the DBD exchange phase has begun but cannot complete. Option D is wrong because the 'ip ospf mtu-ignore' command is used to bypass the MTU check on the router receiving the DBD packets, but it is not a requirement for the larger MTU side; the command should be configured on the router with the smaller MTU to allow larger DBD packets to be accepted.

18
MCQ · medium

A network engineer is troubleshooting a site-to-site VPN between two Cisco routers. The tunnel is up, but traffic is not passing. On R1, the engineer issues the command 'show crypto map' and sees that the crypto map is applied to the outbound interface. What is the most likely cause of the traffic failure?

A.The crypto map is applied to the wrong interface.
B.The access-list in the crypto map does not permit the traffic.
C.The ISAKMP policy is misconfigured.
D.The transform set is incorrect.
Answer: A

Correct because crypto maps should be applied to the inbound direction of the interface to match traffic for encryption.

Why this answer

The crypto map must be applied to the interface through which VPN traffic exits. If it is applied to the wrong interface (e.g., a loopback or a LAN interface instead of the WAN-facing interface), the router will not encrypt outbound traffic or decrypt inbound traffic for the VPN, even though the tunnel (ISAKMP/IPsec SA) may be established. The show crypto map output confirming the map is on the outbound interface indicates a misapplication, as the correct interface is the one facing the remote peer.

Exam trap

Cisco often tests the misconception that a tunnel being up guarantees traffic flow, but the trap here is that the crypto map must be applied to the correct interface (the one with the route to the remote peer) for encryption to occur, and candidates may overlook this by focusing on ACL or policy issues instead.

How to eliminate wrong answers

Option B is wrong because if the access-list in the crypto map did not permit the traffic, the tunnel could still be up (IKE and IPsec SAs can form for whatever traffic is permitted) while no interesting traffic would trigger encryption. An ACL mismatch could also explain traffic not passing, but the clue given in the question, the crypto map being on the outbound interface, points directly to interface misapplication. Option C is wrong because a misconfigured ISAKMP policy would prevent the tunnel from coming up (Phase 1 failure), but the tunnel is up, so ISAKMP negotiation succeeded. Option D is wrong because an incorrect transform set would cause Phase 2 negotiation to fail, preventing the IPsec SA from forming, but the tunnel being up implies both Phase 1 and Phase 2 completed successfully.

19
MCQ · medium

Examine the following partial configuration:

ip access-list extended MGMT_ACCESS
 permit tcp 10.0.0.0 0.255.255.255 any eq 22
 permit tcp 10.0.0.0 0.255.255.255 any eq 443
 deny ip any any
!
line vty 0 4
 access-class MGMT_ACCESS in
 transport input ssh
 login local

What is the effect of the 'access-class' command?

A.Only SSH and HTTPS connections from the 10.0.0.0/8 network are allowed to the VTY lines.
B.The ACL filters traffic leaving the VTY lines, allowing SSH and HTTPS from any source.
C.All traffic from the 10.0.0.0/8 network is permitted to the router.
D.The configuration is missing 'permit ip any any' to allow other management protocols.
Answer: A

The ACL permits TCP ports 22 and 443 from the specified source, and the access-class filters inbound VTY connections.

Why this answer

The `access-class` command applied to VTY lines with the `in` keyword filters inbound Telnet/SSH sessions to the router. The ACL `MGMT_ACCESS` permits TCP ports 22 (SSH) and 443 (HTTPS) from source network 10.0.0.0/8, and denies all other traffic. This restricts management access to only SSH and HTTPS connections originating from the 10.0.0.0/8 network.

Exam trap

Cisco often tests the distinction between `access-class` (applied to VTY lines for management access control) and `access-group` (applied to interfaces for transit traffic), leading candidates to confuse the direction or scope of the ACL.

How to eliminate wrong answers

Option B is wrong because the `in` keyword on `access-class` filters traffic entering the VTY lines (inbound to the router), not traffic leaving them. Option C is wrong because the ACL only permits TCP ports 22 and 443, not all traffic from 10.0.0.0/8; the implicit deny at the end blocks everything else. Option D is wrong because the configuration is complete as intended; adding `permit ip any any` would bypass the security restriction and allow all management protocols, which contradicts the purpose of the ACL.

20
Drag & Drop · medium

Drag and drop the steps to verify and validate Device Access Control operational state into the correct order, from first to last.

Why this order

First, check the AAA server reachability to ensure the backend is accessible. Then verify the active authentication method list applied globally. Next, confirm the authorization method list for exec or commands.

After that, validate the accounting configuration to track access. Finally, test the actual access control by attempting a remote login.

21
MCQ · hard

Which statement correctly describes the behavior of OSPF network type 'point-to-multipoint' regarding neighbor discovery?

A.Neighbors are discovered via multicast hello packets and a DR/BDR is elected.
B.Neighbors are discovered via unicast hello packets and no DR/BDR is elected.
C.Neighbors are discovered via multicast hello packets but no DR/BDR is elected.
D.Neighbors are discovered via unicast hello packets and a DR/BDR is elected.
Answer: B

Correct. Point-to-multipoint uses unicast hellos and no DR/BDR election.

Why this answer

In OSPF point-to-multipoint network type, neighbors are manually configured or discovered via unicast hello packets because the network does not support broadcast or multicast flooding. No Designated Router (DR) or Backup Designated Router (BDR) is elected because the network is treated as a collection of point-to-point links, avoiding the need for a central adjacency point.

Exam trap

Cisco often tests the misconception that point-to-multipoint uses multicast hellos (like broadcast or point-to-point) or that it still requires a DR/BDR (like NBMA), leading candidates to confuse it with other OSPF network types.

How to eliminate wrong answers

Option A is wrong because point-to-multipoint uses unicast hello packets, not multicast, and does not elect a DR/BDR. Option C is wrong because although it correctly states no DR/BDR is elected, it incorrectly claims neighbors are discovered via multicast hello packets. Option D is wrong because it incorrectly states that a DR/BDR is elected, which is not true for point-to-multipoint; this behavior is characteristic of broadcast or non-broadcast multi-access (NBMA) networks.

22
Multi-Select · hard

Which TWO commands can be used to verify the configured AAA authentication method lists on a Cisco IOS-XE device? (Choose TWO.)

Select 2 answers
A.show aaa
B.show aaa method-lists
C.show running-config | include aaa authentication
D.show aaa authentication
E.show authentication method-lists
Answers: B, C

This command displays all configured AAA method lists for authentication, authorization, and accounting.

Why this answer

Option B is correct because 'show aaa method-lists' directly displays all configured AAA authentication, authorization, and accounting method lists, including the default lists and any custom lists. Option C is correct because 'show running-config | include aaa authentication' filters the running configuration to show only lines containing 'aaa authentication', which explicitly lists the authentication method lists configured. Both commands provide a reliable way to verify the AAA authentication method lists on a Cisco IOS-XE device.

Exam trap

Cisco often tests the exact command syntax, and the trap here is that candidates confuse 'show aaa method-lists' with non-existent commands like 'show aaa authentication' or 'show authentication method-lists', or they forget that 'show running-config | include aaa authentication' is a valid verification method.

23
MCQ · medium

A network engineer runs the following command on Router R1:

R1# show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H   Address         Interface   Hold  Uptime    SRTT  RTO   Q    Seq
                                (sec)           (ms)        Cnt  Num
0   10.1.1.2        Gi0/0       13    00:12:34  1     200   0    45
1   10.2.2.2        Gi0/1       12    00:11:20  2     200   0    67
2   10.3.3.2        Gi0/2       10    00:10:15  1     200   0    89

Based on this output, which statement is correct?

A.All EIGRP neighbors are fully operational with no issues.
B.The neighbor on Gi0/2 is experiencing packet loss because its hold timer is 10 seconds.
C.The neighbor on Gi0/0 has a high SRTT, indicating congestion.
D.The neighbor on Gi0/1 has a sequence number of 67, which is higher than others, indicating a routing loop.
Answer: A

The output shows stable adjacencies with low SRTT, RTO, and Q count of 0, indicating normal operation.

Why this answer

The output shows all three EIGRP neighbors with hold timers above 0, low SRTT values (1-2 ms), RTO at 200 ms, and a Q count of 0, indicating no queued packets. These metrics confirm that the neighbors are fully operational and stable, with no packet loss, congestion, or routing issues.

Exam trap

Cisco often tests the misconception that a lower hold timer or a higher sequence number indicates a problem, when in fact these values are normal operational metrics that do not imply faults unless they deviate significantly from expected baselines.

How to eliminate wrong answers

Option B is wrong because a hold timer of 10 seconds is within the default EIGRP hold time range (15 seconds by default, but can be lower if configured), and it does not indicate packet loss; packet loss would be reflected by a high SRTT or RTO, or a non-zero Q count. Option C is wrong because the SRTT for Gi0/0 is 1 ms, which is very low, not high; a high SRTT would indicate congestion or delay. Option D is wrong because the sequence number (67) is simply the last packet received from that neighbor and does not indicate a routing loop; a routing loop would be detected via EIGRP's DUAL algorithm and would show in the topology table, not in the neighbor sequence number.

24
MCQ · medium

A network engineer runs the following command on Router R1:

R1# show policy-map control-plane
Control Plane

  Service-policy input: CoPP

    class-map: MANAGEMENT (match-all)
      100 packets, 10000 bytes
      5 minute offered rate 0 bps
      police:
          cir 8000 bps, bc 1500 bytes
        conformed 100 packets, 10000 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

Based on this output, which statement is correct?

A.All management traffic has been transmitted without any drops.
B.Management traffic is being dropped because the police rate is too low.
C.The CoPP policy is not applied because the control plane is not specified.
D.The class-map MANAGEMENT is not matching any traffic.
Answer: A

The 'conformed' count shows 100 packets transmitted, and 'exceeded' is 0, meaning no drops.

Why this answer

Option A is correct because the output shows that all 100 packets matched by the MANAGEMENT class-map were conformed (100 packets, 10000 bytes) and the action for conformed traffic is 'transmit', with zero exceeded packets. This indicates that the policing rate of 8000 bps (CIR) was sufficient for the offered traffic, and no packets were dropped. The 'exceeded 0 packets' field confirms no drops occurred.

Exam trap

Cisco often tests the misconception that a low police rate automatically implies drops, but the trap here is that the output must be read carefully—'exceeded 0 packets' proves no drops occurred, regardless of the configured CIR.

How to eliminate wrong answers

Option B is wrong because the police rate of 8000 bps is not causing drops; the output shows 0 exceeded packets, meaning the traffic rate is within the CIR. Option C is wrong because the command 'show policy-map control-plane' explicitly displays the policy applied to the control plane, and the output confirms 'Service-policy input: CoPP' is active. Option D is wrong because the class-map MANAGEMENT is matching traffic, as evidenced by the 100 packets and 10000 bytes counted under that class.
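An added simulation (not code from the page) of the single-rate, single-bucket policer behind the 'police: cir 8000 bps, bc 1500 bytes' line above, showing how the conformed/exceeded counters arise from arrival timing: the same 100 packets of 100 bytes all conform when trickled in under the CIR, but only a Bc worth of them conforms when they arrive as one burst. The token-bucket model and the two arrival patterns are assumptions of this example.

```python
from typing import List, Tuple

# Policer parameters taken from the 'police:' line in the output above.
CIR_BPS = 8000      # committed information rate, bits per second
BC_BYTES = 1500     # committed burst: the token-bucket depth in bytes


def police(arrivals_ms: List[int], size_bytes: int,
           cir_bps: int = CIR_BPS, bc_bytes: int = BC_BYTES) -> Tuple[int, int, int, int]:
    """Single-rate, single-bucket policer (conform -> transmit, exceed -> drop).

    arrivals_ms are packet arrival times in milliseconds, non-decreasing.
    Returns (conformed_packets, conformed_bytes, exceeded_packets, exceeded_bytes),
    the four counters that 'show policy-map control-plane' reports per class.
    """
    tokens = bc_bytes          # the bucket starts full
    last_ms = arrivals_ms[0] if arrivals_ms else 0
    conf_pkts = conf_bytes = exc_pkts = exc_bytes = 0
    for t in arrivals_ms:
        # Refill at CIR: cir_bps bits per second is cir_bps / 8000 bytes per millisecond,
        # capped at the bucket depth Bc.
        tokens = min(bc_bytes, tokens + cir_bps * (t - last_ms) // 8000)
        last_ms = t
        if size_bytes <= tokens:
            tokens -= size_bytes
            conf_pkts += 1
            conf_bytes += size_bytes
        else:
            exc_pkts += 1
            exc_bytes += size_bytes
    return conf_pkts, conf_bytes, exc_pkts, exc_bytes


def management_trickle() -> Tuple[int, int, int, int]:
    """Constructed scenario matching the page's counters: 100 packets of 100 bytes,
    one every 100 ms (800 bps offered, well under the 8000 bps CIR)."""
    return police([i * 100 for i in range(100)], 100)


def management_burst() -> Tuple[int, int, int, int]:
    """Constructed contrast: the same 100 packets arriving at the same instant.
    Only Bc worth of bytes (1500 / 100 = 15 packets) conforms; the rest exceed and drop."""
    return police([0] * 100, 100)
```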

25
MCQ · medium

A network engineer runs the following command on Router R1:

R1# show bgp ipv4 unicast summary
BGP router identifier 192.168.1.1, local AS number 65001
BGP table version is 10, main routing table version 10

Neighbor   V  AS     MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
10.1.1.2   4  65002  1200     1200     10      0    0     01:00:00  5
10.2.2.2   4  65003  0        0        0       0    0     never     Active

Based on this output, what is the problem with the neighbor 10.2.2.2?

A.The neighbor is not reachable or is not configured to accept BGP connections.
B.The neighbor is in Idle state because of a hold timer expiry.
C.The neighbor has received 5 prefixes, indicating a successful session.
D.The BGP table version is 10, meaning there is a routing loop.
Answer: A

The Active state indicates that the router is attempting to establish a TCP connection but is not receiving a response, likely due to unreachability or misconfiguration.

Why this answer

The 'Active' state in BGP indicates that the router is actively trying to establish a TCP connection to the neighbor but has not yet succeeded. This typically occurs because the neighbor is unreachable (no route to the destination IP), the neighbor is not configured to accept BGP connections (e.g., no BGP process or incorrect ACL), or a firewall is blocking TCP port 179. The output shows 0 messages sent/received and 'never' uptime, confirming no session has ever been established.

Exam trap

Cisco often tests the distinction between 'Idle' and 'Active' states, where candidates mistakenly assume 'Active' means the session is up or that prefixes are being exchanged, when in fact it indicates a failed or pending TCP connection attempt.

How to eliminate wrong answers

Option B is wrong because the 'Idle' state is the initial state before any connection attempt, and hold timer expiry would cause the session to go to 'Idle' after being established, not remain in 'Active' with zero message counts. Option C is wrong because the neighbor 10.2.2.2 has 0 prefixes received (PfxRcd column shows 0), not 5; the 5 prefixes belong to neighbor 10.1.1.2. Option D is wrong because the BGP table version being 10 is a normal operational value indicating the number of changes processed, not an indicator of a routing loop; routing loops are detected via AS-path loop prevention, not table version.

26
MCQ · easy

What is the maximum hop count for a route in RIP?

A.15
B.16
C.255
D.32
Answer: A

Correct. The maximum valid hop count is 15; 16 indicates unreachable.

Why this answer

RIP (Routing Information Protocol) uses a maximum hop count of 15 to prevent routing loops. A route with a hop count of 16 is considered unreachable (infinite metric). This limit is defined in RFC 1058 for RIPv1 and RFC 2453 for RIPv2, ensuring that the network diameter remains small and loop-free.

Exam trap

Cisco often tests the distinction between the maximum hop count (15) and the unreachable metric (16), tricking candidates who think 16 is a valid route metric rather than a poison value.

How to eliminate wrong answers

Option B is wrong because a hop count of 16 in RIP is not a valid route metric; it is used to signify an unreachable route (infinite metric) and triggers route poisoning. Option C is wrong because 255 is the maximum TTL value in IP packets, not the RIP hop count limit; RIP uses a 4-bit metric field, which can only represent values 0–15. Option D is wrong because 32 is the maximum prefix length for IPv4 subnets, not a RIP hop count; RIP metrics are limited to 15 hops.

27
MCQ · medium

Which statement accurately describes the default behavior of auto-summary in EIGRP on Cisco IOS-XE?

A.Auto-summary is enabled by default, causing EIGRP to summarize at classful boundaries.
B.Auto-summary is disabled by default, and EIGRP advertises subnets without automatic summarization.
C.Auto-summary is enabled by default but only for external routes.
D.Auto-summary is disabled by default unless the network is configured with a classful mask.
Answer: B

Correct. IOS-XE defaults to no auto-summary, preserving subnet information.

Why this answer

In Cisco IOS-XE, EIGRP auto-summary is disabled by default. This means that EIGRP advertises subnets without automatically summarizing them at classful boundaries, allowing for more granular route advertisement and preventing routing issues in discontiguous networks.

Exam trap

Cisco often tests the misconception that auto-summary is still enabled by default in EIGRP on modern IOS-XE, when in fact it was changed to disabled by default starting from IOS 15.0(1)M and later.

How to eliminate wrong answers

Option A is wrong because auto-summary is not enabled by default on Cisco IOS-XE; it was enabled by default in older IOS versions but is now disabled. Option C is wrong because auto-summary, when enabled, applies to all routes, not just external routes; there is no such distinction in the default behavior. Option D is wrong because auto-summary is disabled by default regardless of whether the network is configured with a classful mask; the classful mask configuration does not re-enable auto-summary.

28
MCQ · hard

An engineer configures an IPsec site-to-site VPN. The tunnel comes up, but no traffic passes. The engineer checks the crypto map and access-lists. Which is the most likely explanation?

A.The crypto map is applied to the wrong interface, causing the traffic to bypass encryption.
B.The access-list defining interesting traffic is missing the 'permit' statement for the actual traffic flow.
C.The IPsec transform set uses ESP with no encryption, so traffic is sent in clear.
D.The IKE phase 1 policy uses aggressive mode, which is incompatible with the crypto map.
Answer: B

IPsec only encrypts traffic that matches the permit statements in the crypto access-list. If the traffic is not matched, it is sent in clear or dropped, depending on the crypto map configuration.

Why this answer

Option B is correct because the access-list defining interesting traffic for the crypto map must explicitly include a 'permit' statement for the traffic that should be encrypted. Without this permit, the router will not classify the traffic as interesting, so IPsec will not attempt to encrypt it, and the traffic will be dropped or sent in clear depending on the crypto map configuration. The tunnel can still come up because IKE and IPsec SA negotiation is triggered by interesting traffic, but if the access-list is missing the permit, no traffic triggers the SA establishment, and existing SAs may remain idle.

Exam trap

Cisco often tests the misconception that a crypto map applied to an interface automatically encrypts all traffic, when in reality the access-list must explicitly permit the traffic to be encrypted, and a missing permit causes the tunnel to appear up but pass no traffic.

How to eliminate wrong answers

Option A is wrong because if the crypto map is applied to the wrong interface, the tunnel would likely not come up at all, or traffic on the correct interface would not be encrypted, but the question states the tunnel comes up, indicating the crypto map is correctly applied to at least one interface. Option C is wrong because an IPsec transform set using ESP with no encryption (ESP-NULL) still provides authentication and integrity, but the traffic would be sent in clear only if encryption is disabled; however, the tunnel coming up and no traffic passing is not explained by this, as traffic would still pass (in clear) if the transform set were misconfigured. Option D is wrong because IKE phase 1 aggressive mode is compatible with crypto maps; it is a negotiation mode that exchanges more information in fewer packets, but it does not prevent traffic from passing once the tunnel is established.

29
MCQ · medium

A network engineer runs the following command to troubleshoot a Device Access Control issue:

R1# show ip bgp vpnv4 vrf CUSTOMER-A 10.10.10.0/24
BGP routing table entry for 10.10.10.0/24, version 2
Paths: (1 available, best #1, table CUSTOMER-A)
  Not advertised to any peer
  Refresh Epoch 1
  Local
    10.1.1.2 from 10.1.1.2 (10.1.1.2)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      Extended Community: RT:100:100
      mpls labels in/out nolabel/101

What does this output indicate?

A.The route 10.10.10.0/24 is installed in VRF CUSTOMER-A with an MPLS label of 101 for forwarding.
B.The route 10.10.10.0/24 is not installed because it is not advertised to any peer.
C.The route 10.10.10.0/24 is learned from an external BGP peer.
D.The route 10.10.10.0/24 has no MPLS label and will be forwarded using IP lookup.
Answer: A

The output shows the route is best and has an MPLS label of 101 for outbound forwarding.

Why this answer

The output shows that the route 10.10.10.0/24 is installed in VRF CUSTOMER-A (table CUSTOMER-A) with an MPLS label of 101 for outgoing forwarding, as indicated by 'mpls labels in/out nolabel/101'. The route is valid, internal, and best, meaning it is used for forwarding despite not being advertised to any peer. This confirms that the MPLS label is applied for forwarding within the VRF context.

Exam trap

Cisco often tests the misconception that 'not advertised to any peer' means the route is not installed or usable, but in MPLS VPN contexts, a route can be installed and used for forwarding even if it is not advertised to BGP peers.

How to eliminate wrong answers

Option B is wrong because the route is marked as 'best' and installed in the VRF table, so it is used for forwarding even though it is not advertised to any peer; non-advertisement does not prevent installation. Option C is wrong because the path is labeled 'Local' and 'internal', and the neighbor 10.1.1.2 is an iBGP peer (same AS), not an external BGP peer. Option D is wrong because the output explicitly shows an MPLS label of 101 for outgoing packets, so forwarding will use label switching, not IP lookup.

30
MCQ · medium

A network engineer runs the following command to troubleshoot a Device Access Control issue:

R1# debug ip bgp updates
BGP(0): 10.1.1.2 rcv UPDATE w/ attr: nexthop 10.1.1.2, origin i, metric 0, path 65002
BGP(0): 10.1.1.2 rcv UPDATE about 192.168.1.0/24 -- DENIED due to: community no-export;

What does this output indicate?

A.The route 192.168.1.0/24 is accepted and installed in the BGP table because the community is no-export.
B.The route 192.168.1.0/24 is denied because of the no-export community, which prevents it from being advertised to any peer.
C.The route 192.168.1.0/24 is denied because of an inbound prefix-list filter.
D.The route 192.168.1.0/24 is accepted but marked with no-export for outbound filtering.
Answer: B

The no-export community causes the route to be denied from being advertised to any eBGP peer; this debug confirms the denial.

Why this answer

The debug output explicitly states 'DENIED due to: community no-export'. The no-export community (0xFFFFFF01) prevents the route from being advertised to any eBGP peer, but it does not prevent the route from being received or installed in the local BGP table. However, in this context, the router is denying the incoming update because of an inbound policy that matches the no-export community and rejects the route.

Option B correctly identifies that the route is denied due to the no-export community, which stops it from being advertised to any peer.

Exam trap

Cisco often tests the distinction between a route being denied due to an inbound filter versus being accepted but then restricted from outbound advertisement; the trap here is assuming that the no-export community only affects outbound behavior, when in fact it can be used in inbound policies to reject routes entirely.

How to eliminate wrong answers

Option A is wrong because the route is explicitly denied (not accepted) due to the no-export community, and the no-export community does not cause acceptance—it restricts outbound advertisement. Option C is wrong because the debug output clearly states the denial reason is 'community no-export', not a prefix-list filter; if a prefix-list were the cause, the message would indicate 'DENIED due to: prefix-list' or similar. Option D is wrong because the route is denied (not accepted), and the no-export community is applied inbound, not outbound; the debug shows the update is received and denied, not accepted and marked.

31
MCQ · easy

Which of the following is true regarding the use of the 'transport input' command on a VTY line?

A.If 'transport input' is not configured, the VTY line defaults to allowing both Telnet and SSH.
B.The 'transport input ssh' command allows only SSH connections, blocking Telnet.
C.The 'transport input none' command allows all protocols.
D.The 'transport input' command applies to both inbound and outbound VTY connections.
Answer: B

This restricts the VTY to SSH only, enhancing security.

Why this answer

Option B is correct because the 'transport input ssh' command explicitly restricts the VTY line to accept only SSH connections, blocking Telnet and other protocols. This is a common security best practice to ensure encrypted remote administration.

Exam trap

Cisco often tests the default behavior of 'transport input' — many candidates mistakenly believe it defaults to allowing both Telnet and SSH, but the actual default is to allow only Telnet (or 'all' on some platforms, but not both).

How to eliminate wrong answers

Option A is wrong because if 'transport input' is not configured, the VTY line defaults to allowing only Telnet (not SSH) on Cisco IOS devices. Option C is wrong because 'transport input none' blocks all inbound connections, including Telnet and SSH, rather than allowing all protocols. Option D is wrong because the 'transport input' command applies only to inbound VTY connections (i.e., connections initiated to the router), not outbound connections.

32
MCQ · easy

What is the default OSPF dead interval on a broadcast multi-access network (e.g., Ethernet) when the hello interval is 10 seconds?

A.40 seconds
B.30 seconds
C.20 seconds
D.10 seconds
Answer: A

The dead interval is 4 * hello interval (10 seconds) = 40 seconds.

Why this answer

On broadcast multi-access networks like Ethernet, OSPF defaults to a hello interval of 10 seconds. The dead interval is calculated as 4 times the hello interval, resulting in a default dead interval of 40 seconds. This ensures that a router has multiple missed hello opportunities before being declared dead, providing stability against transient network issues.

Exam trap

The trap here is that candidates often confuse the default dead interval multiplier (thinking it is 3 instead of 4) or mistakenly apply the NBMA dead interval logic to broadcast networks, leading them to select 30 or 20 seconds.

How to eliminate wrong answers

Option B (30 seconds) is wrong because it incorrectly assumes a multiplier of 3, but the OSPF standard (RFC 2328) specifies a multiplier of 4 for broadcast networks. Option C (20 seconds) is wrong because it suggests a multiplier of 2, which is used for NBMA networks (e.g., Frame Relay) where the hello interval is 30 seconds and the dead interval is 120 seconds, not for Ethernet. Option D (10 seconds) is wrong because it confuses the hello interval with the dead interval; the dead interval must be longer to allow for missed hellos.

33
MCQ · medium

Consider the following partial configuration:

ip access-list extended SECURE_ACCESS
 permit icmp any any echo
 permit icmp any any echo-reply
 permit tcp any host 192.168.1.1 eq 22
 permit tcp any host 192.168.1.1 eq 443
 deny ip any any
!
interface GigabitEthernet0/0
 ip access-group SECURE_ACCESS in
!
interface GigabitEthernet0/1
 ip access-group SECURE_ACCESS out

What is a potential issue with this ACL placement?

A.The ACL may block traffic that needs to pass between the two interfaces because it is applied in both directions.
B.The ACL is missing a 'permit ip any any' statement, so all traffic is denied.
C.The ACL should be applied only inbound on both interfaces.
D.The ACL permits ICMP echo and echo-reply, which could allow ping floods.
Answer: A

Traffic from Gi0/0 to Gi0/1 is filtered inbound on Gi0/0 and outbound on Gi0/1, potentially blocking non-matching traffic.

Why this answer

The ACL SECURE_ACCESS is applied inbound on GigabitEthernet0/0 and outbound on GigabitEthernet0/1. This means traffic entering G0/0 is filtered by the ACL, and traffic exiting G0/1 is also filtered by the same ACL. Since the ACL denies all IP traffic by default (via the 'deny ip any any' at the end), any packet that must traverse from G0/0 to G0/1 will be checked twice: once inbound on G0/0 and again outbound on G0/1.

If the packet matches a permit statement on the inbound check, it may still be denied on the outbound check if the source/destination or protocol does not match the permit entries from the perspective of the outbound interface. In this configuration, the ACL permits only ICMP echo/echo-reply and TCP to 192.168.1.1 on ports 22 and 443; all other traffic is denied. Therefore, legitimate traffic between the two interfaces that does not match these specific permits will be blocked, potentially disrupting connectivity.

Exam trap

Cisco often tests the concept that applying an ACL in both directions (inbound on one interface and outbound on another) can cause unintended filtering of traffic that must pass through the router, leading candidates to overlook the fact that the ACL is evaluated twice and that the permit entries may not cover all necessary flows.

How to eliminate wrong answers

Option B is wrong because the ACL already ends with 'deny ip any any', which is an explicit deny-all; adding 'permit ip any any' would defeat the purpose of the ACL by allowing all traffic, and the issue is not about missing a permit-all but about the ACL being applied in both directions causing double filtering. Option C is wrong because applying the ACL inbound on both interfaces would still filter traffic entering each interface, but it would not solve the problem of traffic being filtered twice when crossing from one interface to the other; the issue is the dual-direction application, not the direction of application. Option D is wrong because while permitting ICMP echo and echo-reply could theoretically allow ping floods, that is not the primary issue described in the question; the question asks about a potential issue with the ACL placement, and the correct answer focuses on the blocking of traffic due to bidirectional application, not the security risk of ICMP.
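To make the double evaluation concrete, here is an added Python evaluator (not part of the question bank) that transcribes SECURE_ACCESS as data, binds it inbound on Gi0/0 and outbound on Gi0/1 exactly as in the configuration, and traces a few constructed flows through both checks; the host addresses in the sample flows are invented for illustration.

```python
"""
Added example, not from the question bank: a minimal model of IOS ACL
evaluation used to audit which flows survive the SECURE_ACCESS placement
(inbound on Gi0/0 and outbound on Gi0/1). Sample flows are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[str] = None  # "echo" or "echo-reply" for ICMP


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: str                         # "any" or a host/network in CIDR form
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not _addr_matches(ace.src, pkt.src) or not _addr_matches(ace.dst, pkt.dst):
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# The ACL from the question, transcribed entry by entry.
SECURE_ACCESS = [
    Ace("permit", "icmp", "any", "any", icmp_type="echo"),
    Ace("permit", "icmp", "any", "any", icmp_type="echo-reply"),
    Ace("permit", "tcp", "any", "192.168.1.1/32", dport=22),
    Ace("permit", "tcp", "any", "192.168.1.1/32", dport=443),
    Ace("deny", "ip", "any", "any"),
]

# (interface, direction) -> ACL, as bound in the question's configuration.
ACL_BINDINGS = {
    ("GigabitEthernet0/0", "in"): SECURE_ACCESS,
    ("GigabitEthernet0/1", "out"): SECURE_ACCESS,
}


def transit(pkt: Packet, ingress: str, egress: str):
    """Trace the checks a packet crossing ingress -> egress goes through,
    stopping at the first deny. Unbound directions are not filtered."""
    trace = []
    for iface, direction in ((ingress, "in"), (egress, "out")):
        acl = ACL_BINDINGS.get((iface, direction))
        verdict = "permit" if acl is None else evaluate(acl, pkt)
        trace.append((iface, direction, verdict))
        if verdict == "deny":
            break
    return trace


def is_forwarded(pkt: Packet, ingress: str, egress: str) -> bool:
    return all(v == "permit" for _, _, v in transit(pkt, ingress, egress))


# Constructed sample flows from the Gi0/0 side toward the Gi0/1 side.
SAMPLE_FLOWS = {
    "ssh to 192.168.1.1": Packet("tcp", "10.0.0.5", "192.168.1.1", dport=22),
    "https to 192.168.1.1": Packet("tcp", "10.0.0.5", "192.168.1.1", dport=443),
    "ping 192.168.1.20": Packet("icmp", "10.0.0.5", "192.168.1.20", icmp_type="echo"),
    "dns to 192.168.1.53": Packet("udp", "10.0.0.5", "192.168.1.53", dport=53),
    "ssh to 192.168.1.20": Packet("tcp", "10.0.0.5", "192.168.1.20", dport=22),
}


def audit(flows, ingress="GigabitEthernet0/0", egress="GigabitEthernet0/1"):
    """Map each named flow to whether it survives every ACL check on its path."""
    return {name: is_forwarded(pkt, ingress, egress) for name, pkt in flows.items()}


if __name__ == "__main__":
    for name, ok in audit(SAMPLE_FLOWS).items():
        print(f"{name:22s} {'forwarded' if ok else 'BLOCKED'}")
```

Only the four permitted flow types survive; everything else is dropped at the first check it meets, which is what the question calls the placement issue.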

34
Drag & Drop · medium

Drag and drop the steps to configure SSH access with local AAA on a Cisco router into the correct order, from first to last.


Why this order

First, a hostname and domain name must be set to generate the RSA key pair. Then the RSA key pair is generated with the crypto key generate rsa command. Next, local AAA authentication is enabled with aaa new-model and aaa authentication login default local.

The VTY lines are then configured to use SSH transport and the local login authentication. Finally, the SSH version is set to 2 for enhanced security.

35
MCQ · hard

An EIGRP network with multiple routers is experiencing frequent stuck-in-active (SIA) events for prefix 10.10.10.0/24. The network topology includes a slow WAN link between R1 and R2. R1's show ip eigrp topology 10.10.10.0/24 shows the route in active state with a query outstanding to R2. R2's show ip eigrp topology shows the same prefix in passive state. The EIGRP timers are default. What is the root cause?

A.The active timer on R1 is too short for the slow WAN link; it should be increased to accommodate query propagation delays.
B.R2 has a query outstanding to a neighbor over a slow link, preventing it from replying to R1 within the active timer.
C.The EIGRP hello timer mismatch between R1 and R2 is causing neighbor flapping.
D.The prefix 10.10.10.0/24 is being summarized, causing the query to be sent for the summary instead.
Answer: B

R2 cannot reply until it receives all replies to its own queries. If a downstream neighbor is slow or unresponsive, R2's reply to R1 is delayed, causing SIA.

Why this answer

The correct answer is B because R2 has the prefix in passive state, meaning it has not yet received a reply from one of its own neighbors over a slow link. Since R2 cannot reply to R1 until it gets that reply, R1's active timer expires, causing a stuck-in-active (SIA) event. This is a classic scenario where the query propagation delay exceeds the default active timer (3 minutes) due to a slow WAN link downstream from R2.

Exam trap

Cisco often tests the misconception that the SIA is caused by the directly connected slow link (between R1 and R2), when in fact the root cause is a slow link further downstream on R2, preventing R2 from replying in time.

How to eliminate wrong answers

Option A is wrong because the active timer on R1 is not the issue; R1's active timer is default (3 minutes), and the problem is that R2 is waiting for a reply from its own neighbor over a slow link, not that R1's timer is too short. Option C is wrong because EIGRP hello timer mismatch does not cause SIA events; it would cause neighbor flapping or adjacency loss, which is not indicated here since R1 and R2 remain neighbors (R1 has a query outstanding to R2). Option D is wrong because summarization would cause queries to be sent for the summary route, not the specific prefix, and the question states the prefix is 10.10.10.0/24, with no evidence of summarization; SIA events are not typically caused by summarization alone.

36
MCQ · medium

A network engineer runs the following command on Router R1:

R1# show ip sla statistics
IPSLAs Latest Operation Statistics

IPSLA operation id: 1
Type of operation: icmp-echo
Latest RTT: 20 milliseconds
Latest operation start time: 12:00:00 UTC Mon Mar 1 2021
Latest operation return code: OK
Number of successes: 100
Number of failures: 0

Based on this output, which statement is correct?

A.The IP SLA probe is successfully reaching the target with no failures.
B.The IP SLA probe has failed 100 times.
C.The IP SLA probe is using UDP jitter.
D.The IP SLA probe is not configured because the operation ID is 1.
Answer: A

The return code is OK, and there are 100 successes with 0 failures.

Why this answer

The output shows 100 successes and 0 failures for the ICMP echo operation, with a latest return code of OK, confirming that the IP SLA probe is successfully reaching the target without any failures. The 'Number of successes: 100' and 'Number of failures: 0' directly indicate a 100% success rate for the probe.

Exam trap

Cisco often tests the ability to interpret the 'Number of successes' and 'Number of failures' fields correctly, where candidates may mistakenly associate the count with failures instead of successes, or confuse the operation type (ICMP echo vs. UDP jitter) based on the operation ID alone.

How to eliminate wrong answers

Option B is wrong because the output shows 100 successes, not 100 failures; the 'Number of failures: 0' explicitly contradicts this claim. Option C is wrong because the 'Type of operation: icmp-echo' clearly indicates ICMP echo, not UDP jitter, which would require a different operation type (e.g., 'udp-jitter'). Option D is wrong because operation ID 1 is present and has statistics, meaning the IP SLA probe is configured and active; an unconfigured operation would not display any statistics.

37
MCQ · hard

A BGP-speaking router R1 is experiencing unexpected path selection for prefix 10.0.0.0/8. R1 receives two BGP updates: one from neighbor 192.168.1.2 with local preference 150, AS path 65001 65002, and MED 50; another from neighbor 192.168.2.2 with local preference 100, AS path 65001, and MED 100. R1's BGP configuration includes: bgp always-compare-med. The show ip bgp 10.0.0.0/8 output shows the path via 192.168.1.2 as best, but the network team expects the path via 192.168.2.2 to be best due to shorter AS path. What is the root cause?

A.The bgp always-compare-med command causes MED comparison across different AS paths, making the path with lower MED (50) preferred over the shorter AS path.
B.The local preference on the path via 192.168.1.2 is higher (150 vs 100), overriding AS path length.
C.The MED value of 50 on the first path is lower, but without always-compare-med, the second path would be best due to shorter AS path. However, the command is not present, so the behavior is normal.
D.The AS path length is not considered because the paths have different neighbor AS; BGP prefers the path with the lower neighbor AS.
Answer: A

This command forces MED comparison regardless of AS path length, contradicting the expectation that shorter AS path should win.

Why this answer

The `bgp always-compare-med` command forces BGP to compare MED values even when the paths originate from different neighboring ASes. In this scenario, the path via 192.168.1.2 has MED 50 and the path via 192.168.2.2 has MED 100. Without this command, MED would not be compared because the AS paths differ (65001 65002 vs. 65001), and the shorter AS path (65001) would be preferred.

However, with `bgp always-compare-med` enabled, the lower MED (50) overrides the AS path length, making the path via 192.168.1.2 the best.

Exam trap

Cisco often tests the interaction between `bgp always-compare-med` and the AS path length tie-breaker, trapping candidates who forget that MED comparison occurs after AS path length only when the command is enabled, or who mistakenly think local preference is always overridden by AS path length.

How to eliminate wrong answers

Option B is wrong because local preference is compared before AS path length in the BGP best-path selection process, but here both paths have local preference values (150 and 100) that are compared first; however, the higher local preference (150) would normally win, but the question states the network team expects the shorter AS path to be best, implying they believe AS path length should override local preference, which is incorrect because local preference is a higher-priority criterion. Option C is wrong because the `bgp always-compare-med` command is explicitly stated as present in the configuration, so the behavior is not normal without it; the command is present, causing MED to be compared across ASes. Option D is wrong because BGP does not prefer a path based on lower neighbor AS; the neighbor AS is not a standard BGP path selection criterion, and AS path length is compared as a whole, not the first AS in the path.

38
MCQ · medium

A network engineer runs the following command on Router R1:

R1# show ip vrf CUSTOMER
  Name        Default RD    Interfaces
  CUSTOMER    65001:100     Gi0/0.100
                            Gi0/1.100

Based on this output, which statement is correct?

A.The VRF CUSTOMER is configured with two subinterfaces.
B.The VRF CUSTOMER has no route distinguisher configured.
C.The VRF CUSTOMER is not active because no routes are shown.
D.The VRF CUSTOMER is using OSPF as the routing protocol.
Answer: A

The output lists two interfaces under the VRF.

Why this answer

The output of 'show ip vrf CUSTOMER' displays the VRF name, its default route distinguisher (RD) of 65001:100, and the interfaces assigned to it. The interfaces listed are Gi0/0.100 and Gi0/1.100, which are both subinterfaces (indicated by the .100 suffix). Therefore, the VRF CUSTOMER is correctly configured with two subinterfaces.

Exam trap

Cisco often tests the distinction between VRF configuration output and routing information; the trap here is that candidates may assume a VRF is inactive or misconfigured because no routes are shown, when in fact 'show ip vrf' only displays the VRF name, RD, and interface assignments.

How to eliminate wrong answers

Option B is wrong because the output clearly shows a default RD of 65001:100, so a route distinguisher is configured. Option C is wrong because the VRF is active; the absence of routes in this output is normal, as 'show ip vrf' only displays VRF configuration and interface assignments, not routing information. Option D is wrong because the output does not indicate any routing protocol; VRF configuration is independent of the routing protocol used (OSPF, EIGRP, BGP, etc.) and no protocol is shown here.

39
MCQ · hard

An engineer configures iBGP between two routers in the same AS. The BGP session comes up, but the routes learned from the eBGP neighbor are not installed in the routing table. The IGP does not carry the BGP next-hop address. Which is the most likely explanation?

A.The BGP next-hop is not reachable because the IGP does not advertise it, and no static route exists.
B.The BGP synchronization rule is enabled, causing the route to be suppressed until the IGP learns it.
C.The next-hop-self command is missing on the eBGP neighbor, so the iBGP router sees the external next-hop.
D.The BGP table shows the route as valid, but the routing table does not install it due to administrative distance.
Answer: A

BGP checks the reachability of the next-hop before installing the route. Without reachability, the route is hidden from the routing table.

Why this answer

The correct answer is A because for a BGP route to be installed in the routing table, the next-hop address must be reachable via the IGP or a static route. Since the IGP does not carry the BGP next-hop address and no static route exists, the next-hop is unreachable, causing the route to remain in the BGP table but not be installed in the routing table.

Exam trap

Cisco often tests the distinction between BGP table validity and routing table installation, where candidates mistakenly think a valid BGP route automatically installs, ignoring the next-hop reachability requirement.

How to eliminate wrong answers

Option B is wrong because BGP synchronization is disabled by default in modern IOS versions (Cisco IOS 12.2(8)T and later) and is rarely used; even if enabled, it would require the IGP to have a route to the prefix, not the next-hop. Option C is wrong because the next-hop-self command is typically configured on an eBGP neighbor to change the next-hop to the router's own IP when advertising to iBGP peers, but its absence does not prevent route installation if the next-hop is reachable via IGP or static route. Option D is wrong because administrative distance (e.g., 200 for iBGP) affects route selection among different protocols but does not prevent installation of a valid route; the route is not installed due to next-hop unreachability, not administrative distance.

40
MCQ · hard

A VRF-aware network has two VRFs: VRF A and VRF B. Router R1 is configured with VRF A and VRF B, and route leaking is configured between them using route-replicate. Routes from VRF A are appearing in VRF B, but traffic from VRF B to destinations in VRF A is failing. R1's configuration: ip route vrf A 10.10.10.0 255.255.255.0 192.168.1.1, and route-replicate from VRF A to VRF B. Show ip route vrf B shows the route 10.10.10.0/24 with next-hop 192.168.1.1. However, ping from a device in VRF B to 10.10.10.1 fails. What is the root cause?

A.The next-hop 192.168.1.1 is not reachable in VRF B because it belongs to VRF A; route leaking does not update the next-hop, causing recursive routing failure.
B.The route-replicate command requires a route-map to change the next-hop.
C.The VRF B has a default route that is conflicting with the leaked route.
D.The interface connected to 192.168.1.1 is not in VRF B, so the packet is dropped by CEF due to VRF mismatch.
Answer: A, D

The route is installed but the next-hop is not in VRF B, so the packet cannot be forwarded.

Why this answer

When route-replicate copies a route from VRF A to VRF B, it does not change the next-hop address. The next-hop 192.168.1.1 remains in VRF A's routing table and is not reachable within VRF B. As a result, when VRF B tries to forward traffic to 10.10.10.0/24, the recursive lookup for 192.168.1.1 fails because that next-hop is not present in VRF B's routing table, causing the ping to fail.

Exam trap

Cisco often tests the misconception that route leaking automatically adjusts the next-hop, when in fact the next-hop remains unchanged and must be reachable in the destination VRF for traffic to succeed.

How to eliminate wrong answers

Option B is wrong because route-replicate does not require a route-map to change the next-hop; a route-map can optionally be used to modify attributes, but it is not mandatory for basic route leaking. Option C is wrong because a conflicting default route in VRF B would not specifically cause failure for the leaked 10.10.10.0/24 route; the issue is the unreachable next-hop, not a routing conflict. Option D is wrong because the packet is not dropped by CEF due to VRF mismatch; CEF forwards based on the routing table of the ingress VRF, and the problem is that the next-hop is not reachable in VRF B, not that the interface is missing from VRF B.

41
MCQ · medium

Which OSPF LSA type is used to advertise external routes and is flooded throughout the entire OSPF domain?

A.Type 1 (Router LSA)
B.Type 3 (Summary LSA)
C.Type 4 (ASBR Summary LSA)
D.Type 5 (AS-external LSA)
Answer: D

Correct. Type 5 LSAs are flooded throughout the entire OSPF domain (except stub areas) and advertise external routes.

Why this answer

Type 5 (AS-external LSA) is correct because it is originated by an ASBR to advertise external routes redistributed into OSPF from another routing domain. These LSAs are flooded throughout the entire OSPF domain, including all areas, and their flooding scope is AS-wide, as defined in RFC 2328.

Exam trap

Cisco often tests the distinction between Type 3 and Type 5 LSAs, where candidates mistakenly think Type 3 LSAs carry external routes because they are also 'summary' LSAs, but Type 3 LSAs only carry inter-area routes, not external routes.

How to eliminate wrong answers

Option A is wrong because Type 1 (Router LSA) describes the state and cost of a router's interfaces within a single area and is flooded only within that area, not the entire OSPF domain. Option B is wrong because Type 3 (Summary LSA) is generated by an ABR to advertise inter-area routes and is flooded only within a single area, not the entire domain. Option C is wrong because Type 4 (ASBR Summary LSA) is also generated by an ABR to advertise the location of an ASBR to other areas, but its flooding scope is limited to a single area, not the entire OSPF domain.

42
MCQ · medium

Given the following partial configuration on a router:

ip access-list standard FILTER_SNMP
 permit 192.168.1.0 0.0.0.255
 deny any
!
snmp-server community public RO FILTER_SNMP
snmp-server location DataCenter
snmp-server contact admin@example.com

What is the effect of this configuration?

A.Only SNMP requests from the 192.168.1.0/24 network are allowed with the community string 'public'.
B.SNMP requests from any source are allowed because the ACL is not applied correctly.
C.The community string 'public' allows read-write access.
D.The ACL is applied outbound, so SNMP responses are filtered.
Answer: A

The ACL permits the specified subnet, and the community string is tied to that ACL.

Why this answer

The configuration applies the standard ACL 'FILTER_SNMP' to the SNMP community string 'public' with read-only (RO) access. The ACL permits only the 192.168.1.0/24 network, so SNMP requests (e.g., GET, GETNEXT) from that subnet are allowed, while all other sources are denied. This is the intended effect of using an ACL to restrict SNMP access by source IP.

Exam trap

Cisco often tests the distinction between applying an ACL to an SNMP community versus applying it to an interface; the trap here is that candidates may think the ACL filters outbound SNMP responses or that the ACL is not applied correctly, but in reality, it filters incoming SNMP requests based on source IP.

How to eliminate wrong answers

Option B is wrong because the ACL is correctly applied to the SNMP community string via the 'snmp-server community public RO FILTER_SNMP' command, which filters incoming SNMP requests. Option C is wrong because the 'RO' keyword explicitly grants read-only access, not read-write (RW). Option D is wrong because the ACL is applied to incoming SNMP requests, not outbound responses; standard ACLs on SNMP communities filter the source of the request, not the direction of the response.

43
MCQ · hard

An engineer configures a route-map to filter OSPF routes using a distribute-list. The distribute-list is applied inbound on an OSPF interface. Unexpectedly, the router still installs the filtered routes. Which is the most likely explanation?

A.The distribute-list is applied to the wrong direction; it should be outbound to filter routes being advertised.
B.The route is also learned via another OSPF neighbor that is not filtered by the distribute-list.
C.The distribute-list uses an ACL that does not match the route exactly, so the route is permitted.
D.The distribute-list is applied after the route is already installed in the routing table, so it has no effect.
Answer: B

A distribute-list only affects routes received on the specific interface. If the same route is learned from another neighbor, it will still be installed.

Why this answer

When a distribute-list is applied inbound on an OSPF interface, it filters routes received from that specific neighbor only. If the same route is also learned from another OSPF neighbor (or via a different OSPF process) that is not covered by the distribute-list, the router will still install that route from the unfiltered source. This is because OSPF installs the best route based on metric, regardless of the filtering applied to a single neighbor.

Exam trap

Cisco often tests the misconception that a distribute-list applied inbound on one interface will globally prevent a route from being installed, when in fact it only filters routes from that specific neighbor, and the route may still be installed from another neighbor.

How to eliminate wrong answers

Option A is wrong because the distribute-list applied inbound on an interface filters routes received from that neighbor, which is the correct direction to prevent installation; applying it outbound would affect routes being advertised to others, not incoming routes. Option C is wrong because if the ACL does not match the route exactly, the route would be denied (if the ACL is used in a permit/deny context) or permitted only if the ACL explicitly permits it; a non-matching ACL entry typically results in an implicit deny, which would filter the route, not permit it. Option D is wrong because a distribute-list applied inbound on an OSPF interface is processed before the route is installed in the routing table; it filters the route during the OSPF update processing, so it does have effect if applied correctly.

44
Multi-Select · medium

Which TWO statements about configuring login enhancements for device access control on a Cisco IOS router are true? (Choose TWO.)

A.The 'login block-for' command specifies the duration (in seconds) that login access is blocked after a threshold of failed attempts is exceeded.
B.The 'login delay' command sets a mandatory delay (in milliseconds) between successive login attempts on a line.
C.The 'login on-failure log' command must be configured for the 'login block-for' command to function.
D.The 'login quiet-mode access-class' command is used to allow only specific IP addresses during the quiet period.
E.The 'login block-for' command can be applied per-line to override global settings.
Answers: A, B

This is correct; 'login block-for <seconds>' defines the quiet period after the failure threshold is reached.

Why this answer

Option A is correct because the 'login block-for' command specifies the duration in seconds that login access is blocked after a threshold of failed attempts is exceeded. This command is part of the login enhancements feature that provides brute-force attack mitigation by enforcing a quiet period when the number of failed login attempts reaches a configured value within a specified watch period.

Exam trap

Cisco often tests the misconception that 'login on-failure log' is a prerequisite for 'login block-for' to work, but in reality, the blocking function is independent of logging, and the logging command only adds syslog messages for failed attempts.
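The watch-period, threshold and quiet-period mechanics behind Option A, modelled as an added Python example (this is not Cisco's implementation, only a model of the behaviour described above; the parameter order mirrors 'login block-for <seconds> attempts <tries> within <seconds>', and the timestamps and source addresses in the sample trace are constructed):

```python
"""
Added example, not from the question bank: a model of the login
enhancements quiet period. Failed attempts are counted inside a sliding
watch period; reaching the threshold starts a quiet period during which
every login is refused, after which counting starts again.
"""
from collections import deque


class LoginGuard:
    def __init__(self, block_for: int, attempts: int, within: int):
        self.block_for = block_for   # quiet period length, seconds
        self.attempts = attempts     # failures that trigger the quiet period
        self.within = within         # watch period, seconds
        self.failures = deque()      # timestamps of failures still in the window
        self.quiet_until = None      # end of the current quiet period, if any
        self.events = []             # syslog-like records for later review

    def in_quiet_mode(self, now: int) -> bool:
        return self.quiet_until is not None and now < self.quiet_until

    def attempt(self, now: int, src: str, success: bool) -> str:
        """Process one login attempt at time `now` (seconds).
        Returns 'accepted', 'rejected' (bad credentials) or 'blocked'."""
        if self.in_quiet_mode(now):
            self.events.append((now, "QUIET_MODE_REJECT", src))
            return "blocked"
        if self.quiet_until is not None:      # quiet period has just elapsed
            self.quiet_until = None
            self.failures.clear()
            self.events.append((now, "QUIET_MODE_OFF", src))
        if success:
            self.events.append((now, "LOGIN_SUCCESS", src))
            return "accepted"
        self.events.append((now, "LOGIN_FAILED", src))
        self.failures.append(now)
        # Forget failures that fell out of the watch period.
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.events.append((now, "QUIET_MODE_ON", src))
        return "rejected"


def simulate(guard: LoginGuard, attempts):
    """Feed a sequence of (time, source, success) tuples to the guard."""
    return [guard.attempt(t, src, ok) for t, src, ok in attempts]


# Constructed trace for 'login block-for 120 attempts 3 within 60':
# three failures inside 60 s start a 120 s quiet period at t=20.
SAMPLE_ATTEMPTS = [
    (0, "198.51.100.7", False),
    (10, "198.51.100.7", False),
    (20, "198.51.100.7", False),    # third failure in the window -> quiet mode
    (30, "10.1.1.100", True),       # valid credentials, still refused
    (141, "10.1.1.100", True),      # quiet period ended at t=140
]

if __name__ == "__main__":
    guard = LoginGuard(block_for=120, attempts=3, within=60)
    for (t, src, _), outcome in zip(SAMPLE_ATTEMPTS, simulate(guard, SAMPLE_ATTEMPTS)):
        print(f"t={t:4d} {src:14s} {outcome}")
    for event in guard.events:
        print(event)
```

Note that the legitimate administrator at t=30 is refused as well: the quiet period applies to the line, not to the attacker's address.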

45
MCQ · easy

Which EIGRP packet type is used to acknowledge receipt of a reliable packet?

A.Hello
B.Update
C.Reply
D.Ack
Answer: D

Correct. The Ack packet is an empty packet used to confirm receipt of reliable packets.

Why this answer

D is correct because the EIGRP Ack (Acknowledgement) packet is a special packet used exclusively to confirm the reliable delivery of EIGRP packets such as Update, Query, and Reply. Ack packets are sent as unicast to the source router and contain no data, serving only as a delivery confirmation. This mechanism ensures that EIGRP's Reliable Transport Protocol (RTP) can guarantee ordered and guaranteed delivery of critical routing information.

Exam trap

Cisco often tests the distinction between packet types that are sent reliably versus unreliably, and the trap here is that candidates confuse the Reply packet (which is a response to a Query) with an acknowledgment, when in fact Reply packets are data-carrying reliable packets that themselves require an Ack.

How to eliminate wrong answers

Option A is wrong because Hello packets are used for neighbor discovery and maintenance, not for acknowledging reliable packets; they are sent unreliably (multicast) and do not confirm receipt of any specific packet. Option B is wrong because Update packets carry routing information and are themselves sent reliably, requiring an Ack in response; they do not serve as acknowledgments. Option C is wrong because Reply packets are sent in response to Query packets during route computation and are also sent reliably, requiring their own acknowledgment; they do not function as generic acknowledgments.

46
MCQ · medium

Examine the following partial configuration on a Cisco IOS-XE router:

interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip access-group MY_ACL in
!
access-list 100 permit tcp any host 192.168.1.1 eq 22
access-list 100 deny ip any any
!
line vty 0 4
 transport input ssh
 login local
!
username admin privilege 15 secret cisco

What is the effect of this configuration?

A.Only SSH connections to the router are permitted; all other IP traffic is denied inbound on this interface.
B.The ACL permits SSH and HTTP traffic to the router; all other traffic is denied.
C.The ACL is applied outbound, so it filters traffic leaving the interface; SSH is permitted outbound.
D.The ACL has no effect because it is missing a 'permit ip any any' statement.
Answer: A

The ACL permits TCP port 22 (SSH) and denies all other IP traffic, applied inbound. This restricts management access to SSH only.

Why this answer

The ACL 100 is applied inbound on GigabitEthernet0/1 via the 'ip access-group MY_ACL in' command. It explicitly permits TCP traffic to host 192.168.1.1 on port 22 (SSH) and then denies all other IP traffic. Since the router's own IP address is 192.168.1.1, this allows only SSH management access from any source, while blocking all other inbound traffic to the router or through the interface.

Exam trap

Cisco often tests the distinction between inbound and outbound ACL application, and candidates may mistakenly think the 'in' keyword means 'into the router' for management traffic only, or they may overlook that the ACL is applied to the interface and filters all IP traffic, not just management plane traffic.

How to eliminate wrong answers

Option B is wrong because the ACL only permits TCP port 22 (SSH); it does not include any permit statement for HTTP (port 80 or 443), so HTTP traffic is denied. Option C is wrong because the ACL is applied with the 'in' keyword, making it an inbound ACL that filters traffic entering the interface, not outbound traffic. Option D is wrong because an ACL does not require a 'permit ip any any' statement to have effect; the implicit deny at the end of the ACL already denies all traffic not explicitly permitted, and the explicit 'deny ip any any' is redundant but does not negate the ACL's functionality.

47
MCQ · hard

An engineer configures uRPF strict mode on an interface. After configuration, legitimate traffic from a directly connected network is dropped. The network is connected via a single link, and there is no asymmetric routing. Which is the most likely explanation?

A.The router has a default route pointing to a different interface, causing the source IP to fail the reachability check.
B.The directly connected network is not in the routing table because the interface is down.
C.The uRPF command is missing the 'allow-default' option, which is required for directly connected networks.
D.The router has a static route for the source network with a different next-hop, causing the interface check to fail.
Answer: A

uRPF strict mode requires that the best route to the source IP points back out the same interface. If a default route points elsewhere, the check fails, and packets are dropped.

Why this answer

In strict uRPF mode, the router checks that the source IP address of an incoming packet is reachable via the same interface on which the packet arrived. If the router has a default route pointing out a different interface, the source IP of a directly connected network may not have a specific route back through the receiving interface, causing the reachability check to fail and legitimate traffic to be dropped.

Exam trap

Cisco often tests the misconception that uRPF strict mode only checks for a route existence, when in fact it also requires the incoming interface to match the route's outgoing interface, and a default route can interfere with this check.

How to eliminate wrong answers

Option B is wrong because if the interface were down, the directly connected network would not appear in the routing table, but the question states the network is directly connected via a single link, implying the interface is operational. Option C is wrong because the 'allow-default' option is used in loose mode uRPF to permit the use of a default route for the reachability check; strict mode does not support this option, and directly connected networks do not require it. Option D is wrong because a static route with a different next-hop would cause an interface check failure only if the next-hop points out a different interface than the one receiving the traffic, but the question specifies no asymmetric routing and a single link, making this scenario unlikely.

48
MCQ · hard

A network engineer is troubleshooting a redistribution issue between OSPF and EIGRP. Router R1 redistributes OSPF into EIGRP, and Router R2 redistributes EIGRP into OSPF. After configuration, some routes are missing, and routing loops occur. R1 has: router eigrp 100 redistribute ospf 1 metric 10000 100 255 1 1500 route-map OSPF-to-EIGRP. R2 has: router ospf 1 redistribute eigrp 100 subnets route-map EIGRP-to-OSPF. Show ip route on R1 shows an OSPF route 172.16.1.0/24 learned via R2, but also an EIGRP route for the same prefix with a better administrative distance. What is the root cause?

A.The route-map OSPF-to-EIGRP on R1 should include a match clause to filter out routes learned from R2 via OSPF, preventing feedback.
B.The redistribute command on R2 should have a metric-type 1 to avoid suboptimal routing.
C.The administrative distance of OSPF should be changed to 85 on R1 to prefer OSPF over EIGRP.
D.The EIGRP metric on R1 should be set to a higher value to make the redistributed route less preferred.
Answer: A

Adding a match route-map that tags routes from R2 and denies them, or using a tag-based filter, stops the redistribution loop.

Why this answer

The correct answer is A because the route-map OSPF-to-EIGRP on R1 is not filtering out the OSPF route 172.16.1.0/24 that was originally redistributed from EIGRP into OSPF by R2. This creates a routing feedback loop: R1 learns the prefix via OSPF (from R2) and then redistributes it back into EIGRP, causing R2 to see an EIGRP route with a better administrative distance (90 vs. 110) and prefer it, leading to missing routes and loops. The route-map should include a match clause to deny routes that were originally EIGRP (e.g., via a tag or prefix-list) to prevent mutual redistribution.

Exam trap

Cisco often tests the concept of mutual redistribution and route feedback loops, where candidates mistakenly focus on metric or administrative distance adjustments instead of recognizing that a route-map filter is required to break the redistribution cycle.

How to eliminate wrong answers

Option B is wrong because changing the metric-type to 1 on R2's redistribute command would affect the OSPF metric type (E1 vs. E2) but does not address the root cause of route feedback and administrative distance preference. Option C is wrong because modifying OSPF's administrative distance to 85 on R1 would make OSPF routes preferred over EIGRP (AD 90), but this only masks the symptom; the feedback loop would still exist, and routes could still be missing or cause instability.

Option D is wrong because increasing the EIGRP metric on R1's redistribute command would make the redistributed route less preferred within EIGRP, but the problem is that R1 is redistributing a route it learned via OSPF back into EIGRP, and the metric adjustment does not prevent the feedback loop.

49
Multi-Select · hard

Which THREE commands are used to troubleshoot and verify device access control when using TACACS+ authentication on a Cisco IOS router? (Choose THREE.)

A. debug tacacs
B. show tacacs
C. test aaa group tacacs+ <username> <password>
D. debug radius authentication
E. show aaa method-list
Answers: A, B, C

'debug tacacs' (Option A) provides detailed debugging of TACACS+ authentication and authorization packets.

Why this answer

Option A is correct because the 'debug tacacs' command enables real-time logging of TACACS+ authentication, authorization, and accounting transactions, allowing you to observe the exact packets exchanged between the router and the TACACS+ server, including authentication failures or successes. Option B is correct because 'show tacacs' displays the current TACACS+ server statistics, including the number of successful and failed authentication attempts, server status, and the number of pending requests, which is essential for verifying connectivity and performance. Option C is correct because 'test aaa group tacacs+ <username> <password>' directly tests the TACACS+ authentication process by sending a simulated authentication request to the configured TACACS+ server group, confirming whether the server is reachable and the credentials are valid.

Exam trap

Cisco often tests the distinction between TACACS+ and RADIUS troubleshooting commands. The trap here is that candidates may treat 'debug radius authentication' (Option D) as applicable to TACACS+, or assume that 'show aaa method-list' (Option E) is a valid command for verifying TACACS+ server status, when in fact it does not exist and the correct command is 'show aaa method-lists'.

50
MCQ · medium

A network engineer runs the following command on Router R1:

  R1# show route-map TEST
  route-map TEST, permit, sequence 10
    Match clauses:
      ip address (access-lists): 100
    Set clauses:
      metric 50
    Policy routing matches: 0 packets, 0 bytes
  route-map TEST, deny, sequence 20
    Match clauses:
      ip address (access-lists): 101
    Set clauses:
    Policy routing matches: 0 packets, 0 bytes

Based on this output, which statement is correct?

A. The route-map is applied to an interface but no traffic has matched it yet.
B. The route-map is misconfigured because sequence 20 does not have a set clause.
C. The route-map will set the metric to 50 for all packets.
D. The route-map is applied globally and is affecting all routing decisions.
Answer: A

The 'Policy routing matches: 0 packets' indicates that the route-map is configured but has not yet been used to route any packets.

Why this answer

The output shows 'Policy routing matches: 0 packets, 0 bytes' for both sequences, which indicates the route-map has been applied to an interface (for policy-based routing) but no traffic has matched any of the match clauses yet. This is the only conclusion that can be drawn from the provided data.

Exam trap

Cisco often tests the distinction between route-maps used for policy-based routing (which show 'Policy routing matches' counters) versus those used for redistribution or routing protocol filtering (which do not show those counters), leading candidates to incorrectly assume a route-map is globally applied.

How to eliminate wrong answers

Option B is wrong because a set clause is not required in a deny sequence; the deny action itself is sufficient to reject matching traffic, and the set clause is irrelevant. Option C is wrong because the route-map only sets the metric to 50 for packets that match access-list 100 in sequence 10, not for all packets; packets matching sequence 20 (deny) or not matching any sequence will not have their metric set. Option D is wrong because the output shows 'Policy routing matches' which is specific to policy-based routing applied on an interface, not a global routing process; route-maps used globally (e.g., with redistribute or route-map in BGP) would not display 'Policy routing matches' counters.

51
MCQ · easy

What is the default administrative distance for OSPF routes in Cisco IOS?

A. 90
B. 100
C. 110
D. 120
Answer: C

Correct. OSPF routes have a default administrative distance of 110.

Why this answer

OSPF has a default administrative distance (AD) of 110 in Cisco IOS. This value is used by the router to select the best route when multiple routing protocols provide a route to the same destination, with lower AD values being preferred. OSPF's AD of 110 is higher than that of static routes (1) and EIGRP (90/170), but lower than RIP (120) and IS-IS (115).

Exam trap

Cisco often tests the default administrative distances of OSPF, EIGRP, and RIP together, and the trap here is confusing OSPF's AD of 110 with EIGRP's AD of 90 or RIP's AD of 120, especially since OSPF is commonly associated with link-state protocols that are often considered more reliable than distance-vector protocols like RIP.

How to eliminate wrong answers

Option A is wrong because 90 is the default administrative distance for EIGRP internal routes, not OSPF. Option B is wrong because 100 is not a standard default administrative distance for any common routing protocol in Cisco IOS; it is sometimes used for iBGP or as a custom value. Option D is wrong because 120 is the default administrative distance for RIP, not OSPF.

52
Multi-Select · hard

Which TWO statements about TACACS+ and RADIUS are true? (Choose TWO.)

A. TACACS+ encrypts the entire packet body, including the username and password, using a shared secret.
B. RADIUS encrypts the entire packet payload, including the username and password, using a shared secret.
C. TACACS+ uses UDP port 49 by default for communication.
D. RADIUS combines authentication and authorization in a single packet, while TACACS+ separates them.
E. Both TACACS+ and RADIUS support per-command authorization for exec sessions.
Answers: A, D

TACACS+ encrypts the entire payload (except the header) using the shared secret, providing full confidentiality for authentication data.

Why this answer

A is correct because TACACS+ encrypts the entire packet body, including the username and password, using a shared secret. This provides confidentiality for all authentication and authorization data, unlike RADIUS which only encrypts the password field.

Exam trap

Cisco often tests the misconception that RADIUS encrypts the entire payload like TACACS+, or that TACACS+ uses UDP, leading candidates to incorrectly select option B or C.

53
MCQ · medium

A network engineer is troubleshooting a Cisco router that is configured for RADIUS authentication. The engineer issues 'debug radius authentication' and sees that the RADIUS server is not responding. The router can ping the RADIUS server. What is the most likely cause?

A. UDP port 1812 is blocked between the router and the RADIUS server.
B. The RADIUS server shared key is incorrect.
C. The router's IP address is not in the RADIUS server's client list.
D. The RADIUS server is down.
Answer: A

Correct because RADIUS authentication uses UDP port 1812; if blocked, the server will not receive or respond to requests.

Why this answer

The RADIUS protocol uses UDP port 1812 for authentication. Since the router can ping the RADIUS server, network-layer connectivity exists, but the lack of response in the debug output indicates that the UDP packets are not reaching the server. A firewall or ACL blocking UDP 1812 between the router and the server is the most likely cause, as it prevents the RADIUS request from being received while ICMP (ping) traffic is permitted.

Exam trap

Cisco often tests the distinction between network-layer reachability (ping) and application-layer reachability (UDP port), leading candidates to incorrectly assume that a successful ping means the RADIUS server is fully operational and reachable.

How to eliminate wrong answers

Option B is wrong because an incorrect shared key would result in an Access-Reject or a 'RADIUS server not responding' message only after the server receives and processes the packet, but the debug shows no response at all, indicating the packet never reached the server. Option C is wrong because if the router's IP address were not in the RADIUS server's client list, the server would typically drop the packet silently or send a 'RADIUS server not responding' message, but the debug output shows no response, which is consistent with a network-level block rather than a server-side configuration issue. Option D is wrong because the router can ping the RADIUS server, proving the server is reachable at the IP layer; if the server were down, the ping would fail.

54
MCQ · medium

A network engineer runs the following command to troubleshoot a Device Access Control issue:

  R1# show policy-map control-plane input class class-default
   Class-map: class-default (match-any)
     140225 packets, 12345678 bytes
     5 minute offered rate 1000 bps, drop rate 0 bps
     Match: any
     police:
         cir 1000000 bps, bc 31250 bytes
       conformed 140225 packets, 12345678 bytes; actions:
         transmit
       exceeded 0 packets, 0 bytes; actions:
         drop
       violated 0 packets, 0 bytes; actions:
         drop

What does this output indicate?

A. The CoPP policy is policing traffic to 1 Mbps, and all traffic so far has been within the limit and transmitted.
B. The CoPP policy is dropping all traffic because the CIR is too low.
C. The CoPP policy is not matching any traffic because the class-default does not match any packets.
D. The CoPP policy is only policing traffic that exceeds the CIR, but all traffic is being transmitted.
Answer: A

The conformed counter matches the total packets, and exceeded/violated counters are zero, meaning no drops.

Why this answer

The output shows that the class-default class in the CoPP policy has a police configuration with a CIR of 1,000,000 bps (1 Mbps). All 140,225 packets have been counted as conforming, with zero exceeded or violated packets, and the conform action is 'transmit'. This means all traffic has been within the policed rate and has been forwarded without drops.

Exam trap

Cisco often tests the interpretation of police counters in CoPP output, where candidates mistakenly think that a police configuration always drops traffic or that class-default does not match traffic, when in fact the counters clearly show conformed packets and zero drops.

How to eliminate wrong answers

Option B is wrong because the output shows zero exceeded and zero violated packets, indicating no traffic is being dropped; the CIR is not too low for the current traffic load. Option C is wrong because the class-default class uses 'match any', and the packet count of 140,225 proves that traffic is being matched and policed. Option D is wrong because the police configuration applies to all traffic in the class, not just traffic that exceeds the CIR; the output shows all traffic is conforming and being transmitted, not that only exceeding traffic is policed.

55
MCQ · medium

A network administrator is configuring AAA for device access on a Cisco router. After configuring the RADIUS server and 'aaa authentication login default group radius local', the engineer tests Telnet access and receives 'Access denied' even with correct credentials. The RADIUS server is reachable. What is the most likely cause?

A. The VTY lines are not configured with 'login authentication default'.
B. The RADIUS server shared key is incorrect.
C. The enable password is not set.
D. The 'aaa new-model' command is missing.
Answer: A

Correct because the AAA login method list must be explicitly applied to the VTY lines using the 'login authentication' command.

Why this answer

The 'login authentication default' command must be applied to the VTY lines to use the AAA authentication method set globally with 'aaa authentication login default group radius local'. Without this, the VTY lines default to using the local enable password for authentication, ignoring the AAA configuration. Since the RADIUS server is reachable and credentials are correct, the missing VTY line configuration is the most likely cause of the 'Access denied' error.

Exam trap

Cisco often tests the distinction between global AAA authentication configuration and per-line application, trapping candidates who assume 'aaa authentication login default' automatically applies to all lines without the 'login authentication default' command on the VTY lines.

How to eliminate wrong answers

Option B is wrong because if the RADIUS server shared key were incorrect, the router would not be able to communicate with the server, resulting in a timeout or fallback to local authentication (if configured), not an immediate 'Access denied' with correct credentials. Option C is wrong because the enable password is used for privilege escalation (enable mode), not for Telnet login authentication; the VTY lines are using AAA, which does not require an enable password for initial access. Option D is wrong because 'aaa new-model' is required to enable AAA services globally, and without it, the 'aaa authentication login default' command would not be accepted; the fact that the administrator configured AAA commands implies 'aaa new-model' is already present.

56
MCQ · hard

An engineer configures DMVPN Phase 2 with spoke-to-spoke tunnels. Spokes can ping each other's physical interfaces, but cannot establish a direct tunnel. NHRP registration is successful. Which is the most likely explanation?

A. The hub is not configured with 'ip nhrp redirect' and the spokes are not configured with 'ip nhrp shortcut'.
B. The spokes have different NHRP authentication strings, causing NHRP resolution to fail.
C. The tunnel interface on the spokes is configured with 'tunnel mode gre multipoint' but the hub uses 'tunnel mode gre ip'.
D. The spokes are using different IPsec transform sets, causing the IPsec tunnel to fail.
Answer: A

In Phase 2, the hub must send NHRP redirect messages to trigger the spoke to send a resolution request. Without these commands, spokes will not attempt to build a direct tunnel.

Why this answer

In DMVPN Phase 2, spoke-to-spoke tunnels require NHRP redirect and shortcut mechanisms to dynamically build direct tunnels. The hub must be configured with 'ip nhrp redirect' to send redirect messages to spokes, and spokes must have 'ip nhrp shortcut' to install the NHRP-learned /32 host routes for direct traffic. Without these, spokes will forward traffic through the hub even though they can ping each other's physical interfaces, preventing the establishment of a direct tunnel.

Exam trap

Cisco often tests the misconception that successful NHRP registration alone guarantees spoke-to-spoke tunnels, when in fact the redirect and shortcut commands are mandatory for Phase 2 dynamic tunnel establishment.

How to eliminate wrong answers

Option B is wrong because if NHRP registration is successful, the authentication strings must match; mismatched authentication would cause registration to fail, not just tunnel establishment. Option C is wrong because DMVPN Phase 2 requires the hub to use 'tunnel mode gre multipoint' (mGRE) to support multiple spokes, and spokes can use either 'tunnel mode gre multipoint' or 'tunnel mode gre ip'; the hub using 'tunnel mode gre ip' would prevent spoke registration entirely. Option D is wrong because IPsec transform set mismatches would cause IPsec negotiation to fail, but the question states NHRP registration is successful, and IPsec is not required for basic DMVPN Phase 2 spoke-to-spoke tunnels (though often used for encryption).

57
MCQ · medium

A network engineer runs the following command to troubleshoot a Device Access Control issue:

  R1# debug ip ospf adj
  OSPF: 2 Way: DBD with 10.1.1.2 on GigabitEthernet0/0
  OSPF: Send DBD to 10.1.1.2 seq 0x1C opt 0x52 flag 0x7 len 32
  OSPF: Rcv DBD from 10.1.1.2 seq 0x1C opt 0x52 flag 0x2 len 132 mtu 1500
  OSPF: Nbr 10.1.1.2 is FULL, state changed from LOADING to FULL

What does this output indicate?

A. The OSPF neighbor adjacency is successfully established and is in the FULL state.
B. The OSPF neighbor is stuck in the 2-Way state due to a mismatched MTU.
C. The OSPF neighbor is in the LOADING state and cannot reach FULL because of a missing network statement.
D. The OSPF neighbor is in the EXSTART state and is negotiating the master/slave relationship.
Answer: A

The output shows the neighbor state changing to FULL after DBD exchange, indicating a complete adjacency.

Why this answer

The debug output shows the OSPF neighbor transitioning from LOADING to FULL, which confirms that the adjacency has been fully established. The sequence of DBD exchanges (flag 0x7 for master, flag 0x2 for slave) and the final FULL state indicate successful database synchronization, including LSA exchange and acknowledgment.

Exam trap

Cisco often tests the misinterpretation of the '2 Way: DBD' message, leading candidates to think the neighbor is stuck in the 2-Way state, when in fact the debug output clearly shows the adjacency progressing to FULL.

How to eliminate wrong answers

Option B is wrong because the debug output shows the neighbor reaching FULL, not stuck in 2-Way; a mismatched MTU would cause the neighbor to remain in EXSTART or EXCHANGE state, not reach FULL. Option C is wrong because the neighbor transitions from LOADING to FULL, meaning the loading process completed successfully; a missing network statement would prevent the neighbor from even reaching 2-Way state. Option D is wrong because the debug shows DBD exchange with flag 0x7 (master) and flag 0x2 (slave), which occurs in EXSTART/EXCHANGE, but the final state is FULL, indicating the adjacency progressed beyond EXSTART.

58
MCQ · hard

An engineer configures mutual redistribution between OSPF and EIGRP. After a few minutes, routing loops occur. The engineer did not use route tagging. Which is the most likely explanation?

A. Routes redistributed from OSPF into EIGRP have a higher administrative distance than the original OSPF routes, causing them to be preferred.
B. Redistributed routes retain their original metric, which can cause them to be preferred over the original route.
C. Without route tagging, OSPF redistributes EIGRP routes back into OSPF, and EIGRP redistributes OSPF routes back into EIGRP, creating a cycle.
D. The seed metric for redistribution is not set, causing the redistributed routes to be rejected.
Answer: C

Route tagging (e.g., using a route-map) is essential to prevent redistributed routes from being re-redistributed. Without it, each protocol can re-inject the other's routes, causing loops.

Why this answer

Option C is correct because mutual redistribution without route tagging creates a feedback loop: OSPF redistributes EIGRP-learned routes back into OSPF, and EIGRP redistributes OSPF-learned routes back into EIGRP. Each protocol re-advertises the other's routes, causing them to be learned and re-injected repeatedly, which leads to routing loops. Route tagging (e.g., using a route-map to set a tag) is the standard method to prevent such cycles by filtering redistributed routes that already originated from the other protocol.

Exam trap

Cisco often tests the misconception that routing loops in mutual redistribution are caused by administrative distance or metric issues, when in fact the core problem is the lack of route tagging to prevent re-redistribution of routes back into their original protocol.

How to eliminate wrong answers

Option A is wrong because administrative distance (AD) is used to select between routes from different protocols, but in mutual redistribution the issue is not about preferring one protocol over another; it is about the same route being re-injected and causing a loop. Option B is wrong because redistributed routes do not retain their original metric: OSPF uses a seed metric (default 20 for external routes) and EIGRP uses a seed metric (default infinity unless set), and metric manipulation does not directly cause loops; the loop stems from re-redistribution. Option D is wrong because if the seed metric is not set for EIGRP redistribution, the route is not rejected; EIGRP requires a seed metric (e.g., bandwidth, delay) to be configured, but OSPF uses a default seed metric of 20, so routes are still redistributed and can cause loops.

59
MCQ · hard

A large enterprise network is experiencing intermittent loss of reachability to a critical subnet 10.10.10.0/24 from remote sites. Router R1 has the following relevant configuration:

  interface GigabitEthernet0/0
   ip address 192.168.1.1 255.255.255.0
   ip summary-address eigrp 100 10.10.0.0 255.255.252.0

On Router R2, 'show ip route eigrp | include 10.10.10.0' outputs nothing, but 'show ip eigrp topology all-links' shows 10.10.10.0/24 via 192.168.1.1 with a feasible distance of 1280. What is the root cause?

A. The EIGRP summary address 10.10.0.0/22 is configured on the wrong interface; it should be on the interface facing the remote site.
B. The EIGRP summary address 10.10.0.0/22 is causing R1 to suppress the advertisement of 10.10.10.0/24, and R2 does not have a route to the summary because the summary route is not installed in R1's routing table.
C. Split horizon is enabled on R1's GigabitEthernet0/0, preventing the advertisement of 10.10.10.0/24 learned from another interface.
D. The EIGRP metric for 10.10.10.0/24 is too high, causing it to be suppressed by the summary route.
Answer: B

The summary suppresses the specific route, but if the summary is not installed (e.g., no discard route), R2 never learns any route to 10.10.10.0/24.

Why this answer

The ip summary-address eigrp 100 10.10.0.0 255.255.252.0 command on R1's GigabitEthernet0/0 creates a local summary route that suppresses all more-specific routes within the 10.10.0.0/22 range, including 10.10.10.0/24, from being advertised out that interface. However, the summary route itself is not installed in R1's routing table unless a component route exists in the table, which may not be the case if the specific route is learned via another interface or is not present. As a result, R2 never receives either the specific /24 or the summary /22, leading to the intermittent loss of reachability.

Exam trap

Cisco often tests the nuance that EIGRP summary routes suppress more-specific routes but are only advertised if a component route exists in the routing table, leading candidates to incorrectly assume the summary is always advertised or that the issue is with split horizon or interface placement.

How to eliminate wrong answers

Option A is wrong because the summary address is correctly placed on the interface facing the remote site (GigabitEthernet0/0), which is the outbound interface toward R2; moving it to another interface would not solve the suppression issue. Option C is wrong because split horizon prevents routes learned on an interface from being advertised back out the same interface, but the 10.10.10.0/24 route is not learned on GigabitEthernet0/0; it is suppressed by the summary, not by split horizon. Option D is wrong because EIGRP summary routes do not use metric comparison to suppress more-specific routes; the suppression is automatic based on the prefix range, regardless of the metric of the specific route.

60
MCQ · hard

An engineer configures Control Plane Policing (CoPP) on a router. After applying the policy, OSPF neighbors go down. The engineer checks the policy and sees that OSPF packets are not explicitly matched. Which is the most likely explanation?

A. The class-default is set to 'drop', and OSPF packets fall into class-default because they are not matched by any other class.
B. The CoPP policy uses 'police' in bps, but OSPF packets are small and exceed the rate limit.
C. The CoPP policy is applied to the input direction, but OSPF packets are processed in the output direction.
D. The CoPP policy uses 'police' in pps, but OSPF hello packets are sent every 10 seconds, so they are not rate-limited.
Answer: A

CoPP processes packets in order. If OSPF is not matched by a higher class, it goes to class-default. If class-default drops, OSPF packets are dropped, causing neighbor loss.

Why this answer

When Control Plane Policing (CoPP) is configured, traffic is classified into classes based on match criteria. If OSPF packets are not explicitly matched by any configured class, they fall into the default class (class-default). If the policy-map sets class-default to 'drop', all unmatched traffic, including OSPF hello packets (which use IP protocol 89), will be dropped. This causes OSPF neighbors to go down because the router stops receiving or sending OSPF control packets.

Exam trap

Cisco often tests the concept that class-default in CoPP can be set to 'drop', and candidates may overlook that OSPF or other routing protocols are not explicitly matched, leading to neighbor loss.

How to eliminate wrong answers

Option B is wrong because CoPP policies use 'police' in bps or pps, but the issue here is not rate-limiting; it is that OSPF packets are not matched and are dropped by class-default. Option C is wrong because CoPP is applied to the control plane, which processes both inbound and outbound control traffic; OSPF packets are sent and received via the control plane, and the input direction is the correct direction for incoming OSPF packets. Option D is wrong because even if OSPF hello packets are sent every 10 seconds, they would still be subject to rate-limiting if matched; the problem is that they are not matched at all and fall into class-default.

61
MCQ · hard

Two OSPF routers R1 and R2 are connected via a GigabitEthernet link in area 0. R1 has 'ip ospf network point-to-point' on interface GigabitEthernet0/0, while R2 has the default OSPF network type, broadcast. R1's 'show ip ospf neighbor' shows R2 in FULL state, and R2's 'show ip ospf neighbor' shows R1 in FULL state. However, routes from R1 are not appearing in R2's routing table. 'show ip ospf database' on R2 shows the router LSA from R1 but not the network LSA. What is the root cause?

A. The OSPF network type mismatch causes R1 to not generate a network LSA, and R2 cannot install routes that rely on that LSA.
B. The OSPF adjacency is stuck in EXSTART state due to MTU mismatch.
C. R2 has a firewall blocking Type 2 LSAs.
D. R1's router LSA has an incorrect metric, causing R2 to ignore it.
Answer: A

R1's point-to-point network type does not elect a DR or generate Type 2 LSAs, so R2 lacks the necessary topology information for transit.

Why this answer

When R1 has the OSPF network type set to point-to-point on the GigabitEthernet link, it does not elect a DR/BDR and therefore does not generate a Type 2 (Network) LSA. R2, with the default broadcast network type, expects a Network LSA to build complete routing information for the segment. Although the adjacency reaches FULL and R2 receives R1's Type 1 (Router) LSA, the missing Network LSA prevents R2 from installing routes that depend on that LSA, such as those for networks advertised by R1 that are not directly connected to the link.

Exam trap

Cisco often tests the misconception that a FULL adjacency guarantees full route exchange, but the trap here is that OSPF network type mismatch can break route installation even when neighbor state is FULL and Router LSAs are exchanged.

How to eliminate wrong answers

Option B is wrong because the adjacency is already in FULL state, not EXSTART, so an MTU mismatch is not the issue. Option C is wrong because a firewall blocking Type 2 LSAs would not affect the adjacency state or the presence of the Router LSA in the database; the problem is a missing Network LSA due to network type mismatch, not a filter. Option D is wrong because the Router LSA from R1 is present in R2's database, and there is no indication of an incorrect metric; OSPF does not ignore LSAs based solely on metric values.

62
MCQ · medium

Consider the following partial configuration on a Cisco router:

  ip access-list extended BLOCK_TELNET
   deny tcp any any eq 23
   permit ip any any
  !
  interface Serial0/0/0
   ip access-group BLOCK_TELNET out
  !
  line vty 0 4
   transport input telnet
   password cisco
   login

What is the effect of this configuration?

A. Telnet traffic from the router to remote devices via Serial0/0/0 is blocked; Telnet to the router itself is still allowed.
B. All Telnet traffic to and from the router is blocked.
C. The ACL has no effect because it is applied outbound and Telnet is a TCP protocol.
D. The configuration is invalid because the ACL name contains an underscore.
Answer: A

The outbound ACL blocks Telnet leaving the interface, but does not filter traffic destined to the router. VTY lines still accept Telnet.

Why this answer

The ACL BLOCK_TELNET is applied outbound on Serial0/0/0, so it filters traffic leaving that interface. Telnet traffic (TCP port 23) sourced from the router itself (e.g., a user initiating a Telnet session from the router's CLI) is subject to this outbound ACL and is denied. However, Telnet traffic destined to the router (i.e., incoming management sessions to the VTY lines) is not affected because the ACL is not applied inbound on any interface, and the VTY lines have their own authentication and transport input settings.

Exam trap

Cisco often tests the misconception that an outbound ACL on a router's interface will block Telnet sessions to the router itself, when in fact it only affects traffic exiting that interface, not traffic destined to the router's own IP addresses.

How to eliminate wrong answers

Option B is wrong because the ACL is applied outbound only on Serial0/0/0, so it does not block Telnet traffic entering the router (e.g., a remote user Telnetting into the router's VTY lines). Option C is wrong because an outbound ACL can filter Telnet traffic; the protocol (TCP) does not prevent outbound filtering, and the ACL's direction determines which traffic is inspected. Option D is wrong because underscores are permitted in ACL names; the configuration is syntactically valid.

63
MCQ · hard

An engineer configures a Cisco router for SSH access. The router has an IP address on interface GigabitEthernet0/0, and the engineer generates RSA keys using the command 'crypto key generate rsa modulus 2048'. However, SSH connections fail with 'Connection refused'. What is the most likely cause?

A. The hostname and domain name are not configured.
B. The VTY lines are not configured with 'transport input ssh'.
C. The RSA key modulus is too small.
D. The IP address on GigabitEthernet0/0 is not in the same subnet as the client.
Answer: A

Correct because SSH uses the hostname and domain name to generate the RSA key pair; without them, the SSH server may not function.

Why this answer

SSH requires a fully qualified domain name (FQDN) to generate RSA keys. Without a configured hostname and domain name, the 'crypto key generate rsa' command may appear to succeed but actually generates default keys that are not bound to the router's identity, causing SSH to refuse connections. The 'ip domain-name' and 'hostname' commands are prerequisites for proper RSA key generation and SSH operation.

Exam trap

Cisco often tests the prerequisite order for SSH configuration, trapping candidates who focus on VTY transport settings or key modulus size instead of the fundamental requirement of a domain name for RSA key generation.

How to eliminate wrong answers

Option B is wrong because while 'transport input ssh' is required on VTY lines for SSH access, the immediate failure with 'Connection refused' typically occurs before VTY negotiation, and the question states SSH connections fail entirely, not that they are rejected after transport negotiation. Option C is wrong because a 2048-bit modulus is considered secure and is the recommended minimum for SSH; the issue is not key size but missing domain configuration. Option D is wrong because subnet mismatch would cause a timeout or unreachable error, not 'Connection refused', which indicates the router is actively rejecting the TCP connection to port 22.

64
MCQ · easy

What is the default dead interval on a Cisco IOS-XE router for OSPF on a broadcast network type?

A. 10 seconds
B. 30 seconds
C. 40 seconds
D. 120 seconds
Answer: C

Correct. The dead interval is 4 × hello interval (4 × 10 = 40 seconds) by default on broadcast and point-to-point networks.

Why this answer

On a broadcast network type, OSPF uses a default dead interval of 40 seconds, which is four times the default hello interval of 10 seconds. This relationship is defined in RFC 2328, ensuring that a neighbor is declared down only after missing four consecutive hello packets.

Exam trap

Cisco often tests the default OSPF timers for different network types, and the trap here is confusing the default dead interval for broadcast (40 seconds) with the default hello interval (10 seconds) or with the dead interval for other network types like NBMA (30 seconds).

How to eliminate wrong answers

Option A is wrong because 10 seconds is the default hello interval on broadcast networks, not the dead interval. Option B is wrong because 30 seconds is the default dead interval for OSPF on non-broadcast multi-access (NBMA) networks, not broadcast. Option D is wrong because 120 seconds is the default dead interval for OSPF virtual links or point-to-multipoint networks, not for broadcast network types.

65
MCQ · hard

What is the default OSPF metric for a route redistributed from another routing protocol into OSPF?

A. 0
B. 1
C. 20
D. 10
Answer: C

Correct. The default OSPF metric for redistributed routes (except BGP) is 20.

Why this answer

When a route is redistributed from another routing protocol into OSPF, the default metric is 20 for routes that are not BGP. This is defined in RFC 2328 and is the seed metric used when no explicit metric is configured with the redistribute command. The value 20 applies to most external routes (Type 2 by default), while BGP redistributed routes default to 1.

Exam trap

Cisco often tests the distinction between the default OSPF metric for redistributed routes (20) and the default metric for BGP redistributed routes (1), causing candidates to mistakenly choose 1 for all protocols.

How to eliminate wrong answers

Option A is wrong because 0 is not a valid default OSPF metric for redistributed routes; a metric of 0 would imply the route is directly connected, which is not the case for redistributed routes. Option B is wrong because 1 is the default metric for routes redistributed from BGP into OSPF, not for routes from other protocols like EIGRP or RIP. Option D is wrong because 10 is the default cost for a Gigabit Ethernet interface in OSPF, not the default metric for redistributed routes.

66
Multi-Select · hard

Which TWO statements about AAA authentication on Cisco IOS-XE are true? (Choose TWO.)

A. If no AAA authentication method list is explicitly configured, the default method list uses the local user database.
B. The 'aaa authentication login default local' command creates a default method list that uses the local user database for login authentication.
C. When a named method list is applied to a line with 'login authentication LISTNAME', the default method list is ignored for that line.
D. The 'aaa authentication login default group radius local' command will first try RADIUS, and if RADIUS fails (not just rejects), it will fall back to local.
E. The 'aaa authentication login default method' command creates a method list with no authentication methods, which denies all login attempts.
Answers: B, C

This command defines the default method list for login authentication, using the local database as the first (and only) method.

Why this answer

Option B is correct because the 'aaa authentication login default local' command explicitly configures the default method list to use the local user database for login authentication. This is the standard way to define a fallback or primary local authentication method for all lines that do not have a named method list applied.

Exam trap

Cisco often tests the distinction between a method list 'failure' (which allows fallback) and a 'reject' (which denies access immediately), and the fact that an unconfigured AAA defaults to line password authentication, not local database.

67
MCQ · hard

An engineer configures a Cisco router with 'ip http server' and 'ip http authentication local' for web-based management. The engineer creates a local username 'admin' with privilege level 15. However, when accessing the router via HTTP, the engineer is prompted for credentials but access is denied. What is the most likely cause?

A. The HTTP server is not configured with an access-class that permits the client.
B. The username 'admin' does not have a password.
C. The HTTP server is using a different port.
D. The 'ip http secure-server' is required for HTTP access.
Answer: A

Correct because 'ip http access-class' is required to permit specific IP addresses; without it, HTTP access is denied by default.

Why this answer

The 'ip http authentication local' command requires the HTTP server to authenticate users against the local username database. However, even with valid credentials, the router's HTTP server may deny access if an access-class is applied to the HTTP server that does not permit the client's IP address. The access-class restricts which source IP addresses can connect to the HTTP server, and if the client is not in the permitted list, authentication will fail with a denial even if the username and password are correct.

Exam trap

Cisco often tests the nuance that an access-class on the HTTP server can block access even with correct local credentials, leading candidates to incorrectly blame password issues or missing secure-server commands.

How to eliminate wrong answers

Option B is wrong because a username can exist without a password only if 'username admin privilege 15' was entered without the 'secret' or 'password' keyword; the question states the engineer created the username, and the usual practice is to assign a password or secret, so a missing password is not the most likely cause given that the router prompts for credentials. Option C is wrong because the default HTTP port is 80 and, unless it is changed with 'ip http port', the router listens on port 80; a different port would not cause a denial after credentials are entered but rather a connection failure with no prompt at all. Option D is wrong because 'ip http secure-server' is required only for HTTPS (SSL/TLS) access, not for plain HTTP; the question explicitly uses 'ip http server', which enables unencrypted HTTP, and authentication works without secure-server.

68
MCQ · hard

An engineer configures a Cisco router with 'aaa authentication login default local' and 'aaa authorization exec default local'. The engineer then attempts to log in via the console and is prompted for a username and password. The username 'admin' with password 'cisco' is configured locally. The login fails. What is the most likely cause?

A. The console line is not configured with 'login authentication default'.
B. The username 'admin' is not in the local database.
C. The password 'cisco' is incorrect.
D. The 'aaa new-model' command is missing.
Answer: A

Correct because the default AAA login method list must be applied to the console line using the 'login authentication' command.

Why this answer

Option A is correct because, by default, the console line does not inherit the AAA authentication methods defined under 'aaa authentication login default local'. The 'login authentication default' command must be explicitly applied to the console line under line configuration to use the global AAA authentication method. Without it, the console line falls back to its default behavior, which does not use AAA, causing the login to fail despite the local user being configured.

Exam trap

Cisco often tests the distinction between defining a default AAA method list and applying it to a specific line, trapping candidates who assume that 'aaa authentication login default local' automatically applies to the console without the 'login authentication default' command.

How to eliminate wrong answers

Option B is wrong because the username 'admin' is explicitly stated as configured locally, so it is in the local database. Option C is wrong because the password 'cisco' is also stated as configured correctly, and the failure is not due to a password mismatch but due to the AAA method not being applied to the console line. Option D is wrong because the presence of 'aaa authentication login default local' and 'aaa authorization exec default local' implies that 'aaa new-model' has already been enabled; without it, these AAA commands would be rejected by the router.

69
MCQ · medium

A network engineer runs the following command on Router R1:

R1# show dmvpn
Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.0.0.2        10.1.1.2         UP   00:10:00    D
     2 10.0.0.3        10.1.1.3         UP   00:05:00    D

Based on this output, what is the role of Router R1 in the DMVPN network?

A. Router R1 is the hub router with two active spoke connections.
B. Router R1 is a spoke router with two hub connections.
C. Router R1 is a spoke router with two other spoke connections.
D. Router R1 is not participating in DMVPN because the tunnel is down.
Answer: A

The 'Type:Hub' and two UP peers indicate it is a hub.

Why this answer

The output shows that Router R1 has a Tunnel0 interface configured as a DMVPN hub (Type:Hub) with two NHRP peers (10.1.1.2 and 10.1.1.3) in the UP state. The 'D' attribute in the Attrb column indicates these peers are directly connected spokes, confirming R1 is the hub router with two active spoke connections.

Exam trap

Cisco often tests the distinction between the 'Type:Hub' and 'Type:Spoke' fields in the show dmvpn output, and candidates may misinterpret the 'D' attribute as meaning the router is a spoke or that the tunnel is down, when it actually indicates a dynamic peer relationship on the hub.

How to eliminate wrong answers

Option B is wrong because the output explicitly shows Type:Hub, not a spoke, and a spoke router would have a single hub connection, not two hub connections. Option C is wrong because a spoke router does not have two other spoke connections in a typical DMVPN phase 2/3; spokes only connect to the hub, and the output shows the hub role. Option D is wrong because the tunnel state is UP (as indicated by the 'UP' status for both peers), meaning R1 is actively participating in DMVPN.

70
MCQ · medium

A network engineer runs the following command to troubleshoot a Device Access Control issue:

R1# show ip eigrp topology 10.10.10.0/24 all-links
P 10.10.10.0/24, 1 successors, FD is 1310720
        via 10.1.1.2 (1310720/1310720), GigabitEthernet0/0
        via 10.1.2.2 (1310720/1310720), GigabitEthernet0/1

What does this output indicate?

A. There are two equal-cost paths to 10.10.10.0/24, and EIGRP will load balance across them.
B. Only the first path via 10.1.1.2 is installed because the second path has a higher FD.
C. The path via 10.1.2.2 is a feasible successor but is not used because it has a higher RD.
D. The router has no route to 10.10.10.0/24 because the FD is the same as the RD.
Answer: A

Both paths have the same FD and RD, making them equal-cost successors; EIGRP will install both and load balance.

Why this answer

The output shows two EIGRP routes to 10.10.10.0/24 with identical Feasible Distances (FD) of 1310720, indicating equal-cost paths. EIGRP installs up to four equal-cost routes by default and performs per-destination load balancing across them, so both paths are active and used.

Exam trap

Cisco often tests the distinction between equal-cost paths (same FD) and feasible successors (RD < FD), leading candidates to mistakenly label an equal-cost path as a feasible successor or assume only the first path is used.

How to eliminate wrong answers

Option B is wrong because both paths have the same FD (1310720), so the second path is not rejected due to a higher FD; it is an equal-cost path. Option C is wrong because a feasible successor must have a Reported Distance (RD) less than the current successor's FD; here both RDs equal the FD (1310720), so the second path is not a feasible successor—it is an equal-cost successor. Option D is wrong because the router does have a route to 10.10.10.0/24; the FD and RD being the same is normal for directly connected or redistributed routes and does not prevent route installation.

71
MCQ · medium

A network engineer runs the following command to troubleshoot a Device Access Control issue:

R1# debug nhrp
NHRP: Receive Resolution Request via Tunnel0 10.1.1.2, target 192.168.1.1
NHRP: Send Resolution Reply via Tunnel0 to 10.1.1.2, target 192.168.1.1

What does this output indicate?

A. The router is acting as a NHRP server and successfully resolves the NBMA address for the target.
B. The router is a NHRP client and is requesting resolution for target 192.168.1.1.
C. The router is unable to resolve the target address because it does not have a mapping.
D. The NHRP process is failing due to a misconfigured authentication key.
Answer: A

The router receives a request and sends a reply, indicating it has the mapping and is providing resolution.

Why this answer

The debug output shows the router receiving a Resolution Request and immediately sending a Resolution Reply, which is the behavior of a Next Hop Resolution Protocol (NHRP) server (or hub) that has a mapping for the target 192.168.1.1. The router successfully resolves the Non-Broadcast Multiple Access (NBMA) address (10.1.1.2) for the target, indicating it is acting as a server in a DMVPN or similar overlay network.

Exam trap

Cisco often tests the distinction between NHRP client (spoke) and server (hub) roles by showing debug output; the trap here is that candidates may confuse sending a Resolution Reply with sending a Resolution Request, incorrectly assuming the router is a client.

How to eliminate wrong answers

Option B is wrong because the router is sending a Resolution Reply, not a Resolution Request, so it is not acting as a client requesting resolution. Option C is wrong because the router successfully sends a reply, meaning it does have a mapping for the target address. Option D is wrong because the debug output shows successful NHRP message exchange with no authentication errors; a misconfigured key would generate NHRP authentication failure messages, not a successful reply.

72
Multi-Select · hard

Which THREE symptoms indicate that a Cisco IOS router is experiencing issues with device access control due to misconfigured AAA local authentication? (Choose THREE.)

A. Users with correct credentials are repeatedly denied access, and the 'show aaa local user lockout' command shows no locked accounts.
B. The 'debug aaa authentication' output shows 'FAIL' for local authentication attempts even though the username and password are correctly configured.
C. Users are locked out after three failed attempts despite 'login block-for' not being configured.
D. The 'show aaa servers' output shows the RADIUS server status as 'DEAD'.
E. The 'show line' command shows that the line is in 'ready' state but login prompts are not displayed.
Answers: A, B, C

This suggests the authentication method list may not reference 'local' or the local database is not properly configured, causing failures without lockouts.

Why this answer

Option A is correct because when AAA local authentication is misconfigured, users with valid credentials can be repeatedly denied access without any lockout entries. The 'show aaa local user lockout' command would show locked accounts only if the 'aaa local authentication attempts max-fail' feature is enabled, but the absence of lockouts indicates the issue is not due to failed attempts but rather a misconfiguration in the local username/password database or AAA method list.

Exam trap

Cisco often tests the distinction between local authentication lockout (controlled by 'aaa local authentication attempts max-fail') and login blocking (controlled by 'login block-for'), causing candidates to incorrectly associate lockout behavior with the 'login block-for' feature rather than AAA local authentication parameters.

73
MCQ · medium

Examine the following partial configuration:

username admin privilege 15 secret 5 $1$abcdefg$hashedvalue
username operator privilege 1 password cisco
!
line console 0
 login local
!
line vty 0 4
 login local
 transport input ssh

What is a potential security issue with this configuration?

A. The 'operator' username uses a password instead of a secret, which is stored insecurely in the configuration.
B. The 'admin' user has privilege 15, which is too high for administrative access.
C. The console line is missing the 'transport input' command.
D. The VTY lines should use 'login' without 'local' to allow remote authentication.
Answer: A

The 'password' keyword stores the password in a reversible format (type 7 or clear), whereas 'secret' uses MD5 hashing.

Why this answer

Option A is correct because the 'operator' username uses a 'password' keyword instead of 'secret', which means the password is stored in plaintext (or weakly hashed) in the running configuration. Cisco recommends using 'secret' with a strong hash algorithm (e.g., MD5 or SHA-256) to protect credentials from being easily compromised if the configuration is viewed. This is a direct violation of secure device access best practices.

Exam trap

Cisco often tests the distinction between 'password' and 'secret' in username configurations, and the trap here is that candidates may overlook the security implications of using 'password' instead of 'secret' for non-privileged users, assuming it only matters for enable passwords.

How to eliminate wrong answers

Option B is wrong because privilege 15 is the standard highest privilege level for full administrative access, and it is appropriate for an 'admin' user; there is no security issue with using privilege 15 for administrative accounts. Option C is wrong because the console line does not require a 'transport input' command by default, as console access is out-of-band and typically uses a direct serial connection; the absence of 'transport input' does not create a security vulnerability. Option D is wrong because 'login local' on VTY lines is the correct method to enforce local username/password authentication; using 'login' without 'local' would allow any password (including no password) if no other authentication method is configured, which is less secure.

74
Multi-Select · hard

Which TWO actions will prevent unauthorized access to a Cisco IOS-XE device's console port? (Choose TWO.)

A. Configure 'login authentication default' under the console line to require AAA authentication.
B. Configure 'exec-timeout 0 0' under the console line to prevent idle sessions from timing out.
C. Configure 'transport input none' under the console line to block all inbound connections.
D. Configure 'no exec' under the console line to disable EXEC sessions on the console port.
E. Configure 'password cisco' and 'login' under the console line to require a local password.
Answers: A, E

This command applies the default AAA authentication method list to the console line, requiring users to authenticate before gaining access.

Why this answer

Option A is correct because configuring 'login authentication default' under the console line forces the device to use AAA (Authentication, Authorization, and Accounting) services for console login. This prevents unauthorized access by requiring valid credentials verified by a centralized AAA server (e.g., RADIUS or TACACS+), rather than relying on a local password that could be compromised or shared.

Exam trap

Cisco often tests the distinction between commands that actually prevent unauthorized access versus those that modify session behavior or apply to different line types, so the trap here is assuming that disabling idle timeout (exec-timeout 0 0) or blocking transport input enhances security, when in fact they either weaken it or are irrelevant to console port access.

75
MCQ · medium

In EIGRP, which metric component is disabled by default and must be explicitly enabled using the 'metric weights' command?

A. Reliability and load
B. Bandwidth and delay
C. MTU
D. Hop count
Answer: A

K4 (reliability) and K5 (load) are set to 0 by default, disabling them.

Why this answer

In EIGRP, the composite metric is calculated by default using bandwidth and delay. Reliability and load are included in the metric formula but are disabled by default (their K-values are set to 0). To enable them, you must use the 'metric weights' command to adjust the K-values (e.g., K2 for load and K3 for reliability).

Exam trap

Cisco often tests the misconception that all five K-values are active by default, when in fact only bandwidth and delay are used, and reliability and load require explicit configuration.

How to eliminate wrong answers

Option B is wrong because bandwidth and delay are the default metric components enabled in EIGRP, not disabled. Option C is wrong because MTU is never a component of the EIGRP metric; it is only used for path selection in certain routing protocols like OSPF. Option D is wrong because hop count is not a metric component in EIGRP; it is used in RIP.
