CCNA Logging Syslog Questions

75 of 76 questions · Page 1/2 · Logging Syslog topic · Answers revealed

1
MCQhard

Two routers R1 and R2 are connected via Ethernet. R1 has: interface GigabitEthernet0/0 ip ospf network point-to-point R2 has default OSPF network type (broadcast). R1 shows: R1# show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 10.2.2.2 0 FULL/ - 00:00:35 10.1.1.2 GigabitEthernet0/0 R2 shows: R2# show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 10.1.1.1 1 FULL/DR 00:00:30 10.1.1.1 GigabitEthernet0/0 R1 is not installing OSPF routes from R2. What is the root cause?

A.OSPF network type mismatch prevents proper LSA exchange, causing R1 to ignore routes from R2.
B.R1 has a higher OSPF priority, causing it to become DR and not accept routes.
C.The dead timer mismatch causes adjacency to be unstable.
D.R2 is not configured with the same OSPF process ID.
AnswerA

R1 is configured as point-to-point, R2 as broadcast. This causes R1 to not process Type 2 LSAs from R2.

Why this answer

OSPF network type mismatch: R1 is point-to-point, R2 is broadcast. On the point-to-point side, R1 expects no DR/BDR election and uses a different LSA format. The broadcast side sees R1 as DR (because R1's priority is 0? Actually R1 has priority 0? Output shows R1's neighbor has priority 0, but R2 shows R1 as DR.

This inconsistency causes adjacency but routes are not exchanged properly due to LSA type mismatch. The fix is to match network types.

2
MCQhard

DMVPN network with hub R1 and spoke R2. R1 has: interface Tunnel0 ip address 172.16.1.1 255.255.255.0 tunnel source GigabitEthernet0/0 tunnel mode gre multipoint ip nhrp network-id 1 ip nhrp authentication cisco123 R2 has: interface Tunnel0 ip address 172.16.1.2 255.255.255.0 tunnel source GigabitEthernet0/0 tunnel mode gre multipoint ip nhrp network-id 1 ip nhrp nhs 172.16.1.1 ip nhrp authentication cisco123 R2 shows: R2# show dmvpn Legend: Attrb -> S: Static, D: Dynamic, I: Incomplete NHRP domain: 1 Interface: Tunnel0, IPv4 NHRP Details Type:Spoke, NHC:172.16.1.2, NBMA:10.2.2.2 (no NHRP mappings) R2# ping 172.16.1.1 source 172.16.1.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) What is the root cause?

A.The hub R1 is missing the 'ip nhrp map multicast dynamic' command.
B.The authentication string is mismatched between hub and spoke.
C.The tunnel mode on R2 should be 'tunnel mode gre ip' instead of multipoint.
D.The NHRP network ID must be different on hub and spoke.
AnswerA

Without this command, the hub does not accept NHRP registrations from spokes, so the spoke cannot build a mapping.

Why this answer

The NHRP authentication strings do not match: R1 has 'cisco123', R2 has 'cisco123'? They match. But the output shows no NHRP mappings. The issue is that the spoke R2 has not registered with the hub.

This could be due to a mismatch in NHRP network ID, but they match. Another possibility is that the hub's tunnel interface is not configured with 'ip nhrp map multicast dynamic' to accept registrations. Without that, the hub does not add the spoke to its NHRP database, and the spoke cannot resolve the hub's NBMA address.

The ping fails because the spoke has no NHRP mapping for the hub.

3
MCQhard

Two VRFs on router R1: VRF A and VRF B. R1 has: ip vrf A rd 100:1 route-target export 100:1 route-target import 100:2 ip vrf B rd 100:2 route-target export 100:2 route-target import 100:1 R1 shows: R1# show ip route vrf A B 10.1.1.0/24 [200/0] via 10.2.2.2, 00:00:10 R1# show ip route vrf B B 10.1.1.0/24 [200/0] via 10.2.2.2, 00:00:10 Router R2 (in VRF A) can ping 10.1.1.1, but router R3 (in VRF B) cannot. What is the root cause?

A.The next hop 10.2.2.2 is not reachable from VRF B due to missing interface in VRF B.
B.The route targets are reversed, causing VRF B to not import the route.
C.BGP is not configured to advertise VPNv4 routes.
D.R3 has a firewall blocking ICMP.
AnswerA

The route is present, but the next hop is not in VRF B, so the route is not usable.

Why this answer

The route targets are misconfigured for route leaking. VRF A exports with RT 100:1 and imports RT 100:2. VRF B exports with RT 100:2 and imports RT 100:1.

This creates a two-way leak, but the route 10.1.1.0/24 is learned via BGP from R2. If R2 is in VRF A, the route is exported with RT 100:1. VRF B imports RT 100:1, so VRF B should have the route.

However, the issue might be that the route is not being advertised to R3 due to BGP next-hop resolution or VRF interface issues. The output shows both VRFs have the route, so the problem is likely that R3 cannot reach the next hop 10.2.2.2 because it is in a different VRF or the interface is not in VRF B. The root cause is that the next hop is not reachable from VRF B.

4
MCQeasy

What is the default size of the logging buffer on a Cisco IOS-XE router if not explicitly configured?

A.4096 bytes
B.8192 bytes
C.16384 bytes
D.No buffer is allocated by default.
AnswerA

The default buffer size is 4096 bytes.

Why this answer

The default logging buffer size on most Cisco IOS-XE platforms is 4096 bytes. This is a standard default value that candidates should know.

5
MCQmedium

Given the following partial configuration on a Cisco IOS-XE router: logging host 10.1.1.1 transport tcp port 514 logging source-interface GigabitEthernet0/1 logging on What is missing or incorrect in this configuration?

A.The configuration is correct; no changes are needed.
B.The 'logging on' command is redundant because logging is enabled by default.
C.The syslog server must support TCP syslog, which is not defined in RFC 3164.
D.The port number should be 5140 for TCP syslog.
AnswerC

RFC 3164 defines syslog over UDP. TCP syslog is defined in RFC 6587 but is not universally supported. This configuration may fail if the server does not accept TCP.

Why this answer

By default, syslog uses UDP port 514. When using TCP transport, the syslog server must be configured to accept TCP connections, and this is not a common configuration. The configuration itself is syntactically correct, but the question tests knowledge that TCP transport for syslog is non-standard and may not work with typical syslog servers.

6
MCQhard

A network engineer runs the following command on Router R7: R7# show logging | include %SYS-2-MALLOCFAIL *Mar 1 00:05:10.123: %SYS-2-MALLOCFAIL: Memory allocation failed for size 1024, from process 0x12345678, pool Processor *Mar 1 00:06:20.456: %SYS-2-MALLOCFAIL: Memory allocation failed for size 2048, from process 0x12345678, pool Processor *Mar 1 00:07:30.789: %SYS-2-MALLOCFAIL: Memory allocation failed for size 512, from process 0x12345678, pool Processor Based on this output, what is the most likely problem?

A.The router has a memory leak or is running out of memory in the Processor pool.
B.The router is experiencing high CPU utilization due to routing protocol updates.
C.The router's logging buffer is full and cannot store new messages.
D.The router has a hardware failure in the memory module.
AnswerA

Multiple MALLOCFAIL messages indicate that the router cannot allocate memory, which is a sign of memory exhaustion or a leak.

Why this answer

The output shows memory allocation failures in the Processor pool. This indicates that the router is running low on memory, which can cause various issues including process crashes, inability to allocate buffers, and overall instability. The process ID 0x12345678 is likely a specific process that is consuming memory or failing to allocate.

7
MCQhard

Which syslog facility code is used by default for Cisco IOS messages when sent to a syslog server?

A.Facility 16 (local0)
B.Facility 20 (local4)
C.Facility 23 (local7)
D.Facility 24 (no default)
AnswerB

Cisco IOS uses local4 (facility 20) as the default syslog facility.

Why this answer

Cisco IOS defaults to facility code 20 (local4) for syslog messages.

8
Multi-Selecthard

Which TWO statements about the syslog message format and its fields are correct? (Choose TWO.)

Select 1 answer
A.The facility code in a syslog message identifies the type of process that generated the message, such as local7 (value 23).
B.The severity level in a syslog message ranges from 0 (debugging) to 7 (emergency).
C.By default, Cisco IOS includes a sequence number in every syslog message when logging is enabled.
D.The timestamp in a syslog message from a Cisco device is formatted as DD/MM/YYYY HH:MM:SS by default.
E.The hostname field in a syslog message is derived from the IP address of the interface that sends the message.
AnswersA

Correct. Facility codes indicate the source process; local7 is commonly used for Cisco network devices and has a value of 23.

Why this answer

Syslog messages follow RFC 5424 or the older BSD format. The facility code indicates the source process (e.g., local7 is 23), and the severity level is from 0 (emergency) to 7 (debugging). The sequence number is optional and not present by default.

The timestamp format is typically MMM DD HH:MM:SS in IOS, not DD/MM/YYYY. The hostname is the device's configured hostname, not the IP address of the sending interface.

9
Multi-Selecthard

Which THREE configuration steps are required to send syslog messages from a Cisco router to a remote syslog server? (Choose THREE.)

Select 3 answers
A.Configure the syslog server IP address using the 'logging <ip-address>' command.
B.Set the logging source interface using 'logging source-interface <interface>'.
C.Enable logging globally using 'logging on'.
D.Configure the logging trap severity level using 'logging trap <severity>'.
E.Configure NTP to ensure accurate timestamps in syslog messages.
AnswersA, C, D

This command specifies the destination syslog server.

Why this answer

To send syslog messages to a remote server, you must enable logging globally, specify the server address, and set the logging trap level (or use default). Setting the source interface is optional but recommended. Configuring NTP is not required for syslog.

Enabling SNMP is unrelated.

10
MCQmedium

A network engineer runs the following command on Router R8: R8# show logging | include %LDP-5-NBRCHG *Mar 1 00:01:10.123: %LDP-5-NBRCHG: LDP Neighbor 10.0.0.2:0 (1) is UP *Mar 1 00:02:20.456: %LDP-5-NBRCHG: LDP Neighbor 10.0.0.2:0 (1) is DOWN *Mar 1 00:03:30.789: %LDP-5-NBRCHG: LDP Neighbor 10.0.0.2:0 (1) is UP *Mar 1 00:04:40.012: %LDP-5-NBRCHG: LDP Neighbor 10.0.0.2:0 (1) is DOWN Based on this output, what is the most likely problem?

A.The LDP session is flapping due to an unstable IGP route to 10.0.0.2.
B.The MPLS label space is exhausted.
C.The router has a mismatched LDP router ID.
D.The LDP hello interval is set too high, causing slow detection.
AnswerA

LDP relies on IGP to establish and maintain neighbors; if the IGP route is flapping, LDP will also flap.

Why this answer

The output shows LDP neighbor 10.0.0.2 flapping between UP and DOWN. This indicates instability in the LDP session, often due to a flapping IGP route (since LDP depends on IGP reachability), or a misconfiguration of LDP parameters such as hello interval or hold time.

12
MCQhard

An engineer configures an IPsec site-to-site VPN between two routers. The tunnel comes up, but no traffic is encrypted. The engineer verifies that the crypto map is applied to the outgoing interface and that the ACL defining interesting traffic is correct. Which is the most likely explanation?

A.The crypto ACL is not mirrored on both sides, so the SA is not established for the traffic
B.The transform-set is missing encryption or authentication
C.The crypto map is applied to the wrong interface
D.The IKE policy is not configured
AnswerA

Correct. IPsec requires that the crypto ACLs be mirror images of each other for bidirectional traffic to be encrypted.

Why this answer

A common edge case is that the ACL defining interesting traffic is applied in the wrong direction. For IPsec, the ACL should match traffic that will be encrypted, and it must be applied to the crypto map. However, if the ACL is configured with the source and destination reversed (e.g., source is local network and destination is remote network on one router, but on the other router the ACL should also have source as local network), the traffic may not match.

Additionally, if the ACL is not mirrored on both sides, the tunnel may come up but traffic will not be encrypted because the SA is not established for that traffic.

13
MCQhard

A service provider network uses OSPF with route summarization on Area Border Routers (ABRs). Router R1 (ABR) has the configuration: router ospf 1 area 1 range 10.1.0.0 255.255.240.0 area 1 range 10.1.16.0 255.255.240.0 Router R2 (internal to area 1) shows: R2# show ip route ospf 10.1.0.0/20 is subnetted, 1 subnets O IA 10.1.0.0/20 [110/2] via 10.2.1.1, 00:00:15, Serial0/0/0 10.1.16.0/20 is subnetted, 1 subnets O IA 10.1.16.0/20 [110/2] via 10.2.1.1, 00:00:10, Serial0/0/0 10.1.32.0/20 [110/3] via 10.2.1.2, 00:00:05, Serial0/0/1 R2 is missing a route to 10.1.48.0/20. What is the root cause?

A.The ABR R1 has a missing 'area 1 range 10.1.48.0 255.255.240.0' command.
B.R2 has a routing table limit that prevents installation of the route.
C.R1's OSPF process has a distribute-list blocking the route.
D.The missing route is a result of OSPF route filtering at the area boundary.
AnswerA

The summary range for 10.1.48.0/20 is not configured, so that route is not advertised into area 0.

Why this answer

The ABR R1 configured two summary ranges for area 1, but the missing route 10.1.48.0/20 is not covered by either summary. OSPF summarization on the ABR creates Type 3 LSAs for the configured ranges, but any routes not falling within those ranges are not advertised as summaries and are also not advertised as individual routes (unless the 'no discard-route' option is used). This causes the missing route.

The correct fix is to add an additional summary range covering 10.1.48.0/20 or use a broader summary.

14
MCQmedium

A network engineer runs the following command on Router R9: R9# show logging | include %DMVPN-5-ADJCHG *Mar 1 00:01:05.123: %DMVPN-5-ADJCHG: NHRP: Peer 10.0.0.1 on Tunnel0 is UP *Mar 1 00:02:10.456: %DMVPN-5-ADJCHG: NHRP: Peer 10.0.0.1 on Tunnel0 is DOWN *Mar 1 00:03:15.789: %DMVPN-5-ADJCHG: NHRP: Peer 10.0.0.1 on Tunnel0 is UP *Mar 1 00:04:20.012: %DMVPN-5-ADJCHG: NHRP: Peer 10.0.0.1 on Tunnel0 is DOWN Based on this output, what is the most likely problem?

A.The DMVPN tunnel is flapping due to an unstable IPsec SA.
B.The NHRP hold time is set too high.
C.The router has a mismatched DMVPN phase configuration.
D.The tunnel interface is administratively down.
AnswerA

DMVPN uses IPsec for encryption; if the IPsec SA is not established or is flapping, the NHRP peer will go up and down.

Why this answer

The output shows NHRP peer flapping on Tunnel0, indicating that the DMVPN tunnel is unstable. This is often due to a flaking physical interface, IPsec SA expiration, or routing issues. The peer 10.0.0.1 is going up and down repeatedly.

15
MCQhard

In an iBGP network, router R1 has: router bgp 65000 bgp bestpath as-path multipath-relax neighbor 10.1.1.2 route-map SET-MED in route-map SET-MED permit 10 set metric 50 neighbor 10.1.1.3 route-map SET-MED2 in route-map SET-MED2 permit 10 set metric 100 Router R2 shows: R2# show ip bgp 192.168.1.0/24 BGP routing table entry for 192.168.1.0/24, version 2 Paths: (2 available, best #2) Path #1: via 10.1.1.1, metric 50 Path #2: via 10.1.1.4, metric 100 R2# show ip route 192.168.1.0 Routing entry for 192.168.1.0/24 Known via "bgp 65000", distance 200, metric 100 Last update from 10.1.1.4 00:00:10 Serial0/0/1 R2 is choosing the path with higher metric. What is the root cause?

A.The path with lower MED is from a different AS, so MED is not compared.
B.The route-map on R1 is misconfigured; it should set metric on the neighbor statement.
C.R2 has a higher local preference for the path via 10.1.1.4.
D.The 'bgp bestpath as-path multipath-relax' command causes MED to be ignored.
AnswerA

MED is only compared between paths from the same AS. The path via 10.1.1.1 might have a different AS_PATH.

Why this answer

BGP best path selection compares MED only if paths come from the same AS. If the paths have different AS_PATH lengths, MED is ignored. The output shows two paths, but the path via 10.1.1.1 might have a different AS_PATH length.

The 'bgp bestpath as-path multipath-relax' allows multipath but does not affect MED comparison. The higher metric path is chosen due to a different tie-breaker (e.g., lower neighbor IP).

16
MCQmedium

Examine the following partial router configuration: logging buffered 16384 logging console warnings logging monitor notifications logging trap debugging logging source-interface Loopback0 logging 192.168.1.100 What is the effect of this configuration?

A.Syslog messages of severity 0 through 7 are sent to the server 192.168.1.100.
B.Only syslog messages of severity 0 through 4 are sent to the server 192.168.1.100.
C.The syslog server receives messages with the IP address of the outgoing interface as the source.
D.The logging buffer stores up to 16384 syslog messages.
AnswerA

The 'logging trap debugging' command sets the syslog trap level to debugging, which includes all severities (0-7).

Why this answer

This configuration sets up logging with different severity levels for different destinations. The 'logging trap debugging' sends all messages (severity 0-7) to the syslog server at 192.168.1.100, while console gets only warnings (severity 4) and monitor gets notifications (severity 5). The buffer is set to 16384 bytes.

17
MCQhard

Router R1 has an ACL applied to its VTY lines for SSH access: access-list 10 permit 10.1.1.0 0.0.0.255 line vty 0 4 access-class 10 in transport input ssh R1 also has CoPP policy: class-map match-all SSH-CLASS match access-group name SSH-ACL policy-map COPP class SSH-CLASS police cir 8000 bc 1500 conform-action transmit exceed-action drop R2 (10.1.1.2) shows: R2# ssh -l admin 10.2.2.1 % Connection refused by remote host R2# telnet 10.2.2.1 Trying 10.2.2.1 ... % Connection timed out; remote host not responding What is the root cause?

A.The CoPP policy is rate-limiting SSH traffic from R2, causing drops.
B.The access-class on VTY lines blocks R2's IP address.
C.SSH is not enabled on R1's VTY lines.
D.The SSH-ACL in the class-map does not match SSH traffic.
AnswerA

The police rate of 8000 bps is too low, causing exceed-action drop for SSH packets.

Why this answer

The ACL on VTY lines permits only 10.1.1.0/24, but the SSH connection from R2 (10.1.1.2) should be allowed. However, the CoPP policy is rate-limiting SSH traffic to 8000 bps. If the police rate is exceeded, packets are dropped.

The SSH connection might be failing due to CoPP dropping the packets. The telnet is also failing because it is not permitted by the access-class (only SSH is allowed). The root cause is CoPP rate-limiting SSH traffic, causing drops.

18
MCQmedium

Examine the following configuration: logging host 10.1.1.1 logging host 10.1.1.2 logging host 10.1.1.3 logging origin-id hostname logging facility local7 What is the purpose of the 'logging origin-id hostname' command?

A.It causes the syslog messages to include the router's hostname as the origin, overriding the default IP address.
B.It sets the syslog message format to include the hostname in the timestamp field.
C.It configures the router to send syslog messages only when the hostname changes.
D.It is used to authenticate syslog messages using the hostname as a key.
AnswerA

The origin-id hostname replaces the default source IP with the hostname in the syslog message header.

Why this answer

The 'logging origin-id' command sets the origin identifier in syslog messages. When set to 'hostname', the router's hostname is used as the origin ID instead of the default (which is the IP address of the source interface). This helps identify the source of messages in a multi-device environment.

19
MCQhard

An engineer configures syslog logging to a remote server using the 'logging host' command. The engineer notices that syslog messages are not being received on the server, but the router can ping the server successfully. The engineer verifies that the logging level is set to debugging and that the server is configured to receive syslog messages. Which is the most likely explanation?

A.An ACL on the router is blocking UDP port 514 outbound
B.The logging host command requires the 'transport tcp' option to work
C.The syslog server is not configured to accept messages from the router's IP
D.The logging level is set to emergencies only
AnswerA

Correct. If an ACL is applied to the interface that blocks UDP 514, syslog messages will not reach the server.

Why this answer

A common edge case is that the syslog messages are sent via UDP port 514, but the router may have a firewall or ACL that blocks UDP traffic. Additionally, the 'logging source-interface' command might be configured, but if the source interface is not reachable from the server (e.g., due to routing issues), the server may drop the messages. Another possibility is that the server is listening on a different port or the router is using a different port due to configuration.

However, a less obvious issue is that the 'logging monitor' or 'logging buffered' commands can interfere if the logging process is overwhelmed, but the most likely is that the syslog messages are being sent but the server's firewall or the router's own ACL is blocking them.

20
MCQmedium

What is the default behavior of the 'logging buffered' command in Cisco IOS-XE when no severity level is specified?

A.It captures only messages of severity 0 through 4.
B.It captures only messages of severity 0 through 5.
C.It captures only messages of severity 0 through 6.
D.It captures messages of severity 0 through 7.
AnswerD

The default severity for buffered logging is 7, so all messages from emergencies to debugging are logged.

Why this answer

When 'logging buffered' is configured without a severity level, it defaults to severity 7 (debugging), capturing all messages.

21
MCQhard

A network engineer runs the following command on Router R3: R3# show logging | include %OSPF-5-ADJCHG *Mar 1 00:05:10.123: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.1 on GigabitEthernet0/0 from LOADING to FULL, Loading Done *Mar 1 00:06:20.456: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.1 on GigabitEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired *Mar 1 00:07:30.789: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.1 on GigabitEthernet0/0 from DOWN to INIT, Received Hello *Mar 1 00:08:40.012: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.1 on GigabitEthernet0/0 from INIT to EXSTART, Event: start *Mar 1 00:09:50.345: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.1 on GigabitEthernet0/0 from EXSTART to EXCHANGE, Event: Negotiation Done *Mar 1 00:10:00.678: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.1 on GigabitEthernet0/0 from EXCHANGE to LOADING, Event: Exchange Done *Mar 1 00:11:10.901: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.1 on GigabitEthernet0/0 from LOADING to FULL, Loading Done *Mar 1 00:12:20.234: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.1 on GigabitEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired Based on this output, what is the most likely problem?

A.The OSPF process is misconfigured with mismatched area IDs.
B.There is a Layer 1 or Layer 2 issue causing intermittent connectivity on GigabitEthernet0/0.
C.The OSPF dead timer is set too high, causing slow convergence.
D.The router is running out of memory, causing OSPF process restarts.
AnswerB

The dead timer expiration indicates that hello packets are not received in time, which is often due to flapping interfaces or high error rates.

Why this answer

The output shows repeated OSPF adjacency changes between R3 and neighbor 10.0.0.1, with the neighbor going from FULL to DOWN due to dead timer expiration, then re-establishing. This pattern indicates an unstable OSPF neighbor relationship, likely due to a flapping interface, mismatched timers, or Layer 1 issues. The dead timer expiration suggests that hello packets are not being received consistently.

22
MCQhard

MPLS network with LDP enabled. Routers R1 and R2 are directly connected. R1 has: mpls ip interface Serial0/0/0 mpls ip R2 has: mpls ip interface Serial0/0/0 mpls ip R1 shows: R1# show mpls ldp neighbor Peer LDP Ident: 10.2.2.2:0; Local LDP Ident: 10.1.1.1:0 TCP connection: 10.2.2.2.646 - 10.1.1.1.646 State: Oper; Msgs sent/rcvd: 10/10; Downstream Up time: 00:00:30 LDP discovery sources: Serial0/0/0, Src IP addr: 10.2.2.2 R1# show mpls forwarding-table Local tag Outgoing tag Prefix Bytes tag switched Outgoing interface 16 Untagged 10.3.3.0/24 0 Serial0/0/0 R2 shows: R2# show mpls forwarding-table Local tag Outgoing tag Prefix Bytes tag switched Outgoing interface 16 17 10.3.3.0/24 0 Serial0/0/0 R1 is not installing a label for 10.3.3.0/24 from R2. What is the root cause?

A.R1 has an 'mpls ldp advertise-labels' command that filters the label for 10.3.3.0/24.
B.R2 is not running LDP on the interface.
C.The prefix 10.3.3.0/24 is not in R2's routing table.
D.There is an MTU mismatch on the serial link.
AnswerA

This command can prevent R1 from advertising labels for certain prefixes, causing R1 to receive 'Untagged'.

Why this answer

LDP neighbors are established, but R1 is not receiving a label for 10.3.3.0/24 from R2. This could be due to a label filtering or the route not being in R2's routing table. The output shows R2 has an outgoing label 17 for that prefix, but R1 shows 'Untagged'.

This indicates that R2 is not advertising a label to R1 for that prefix. Possible causes: R2 has a 'mpls ldp label' filter blocking the advertisement, or R1 is not requesting labels due to a 'mpls ldp advertise-labels' command. The correct answer is that R1 has a label advertisement filter.

23
Drag & Dropmedium

Drag and drop the steps to verify and validate syslog operational state into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

First, check the logging status with show logging. Then, verify that syslog messages are being sent to the configured server. Next, confirm the severity level of logged messages.

After that, validate that the syslog server is receiving messages. Finally, test by generating a test log message.

24
MCQhard

An engineer configures a DMVPN Phase 2 network. Spoke routers can communicate with the hub, but spoke-to-spoke traffic is not establishing dynamically. The engineer verifies that NHRP is configured and that the hub is configured as an NHRP server. Which is the most likely explanation?

A.The hub is not configured with 'no ip next-hop-self' for the routing protocol on the tunnel interface
B.NHRP authentication is mismatched between spokes
C.The spoke routers have not enabled NHRP redirect
D.The tunnel mode is set to GRE multipoint on the spokes
AnswerA

Correct. In Phase 2, the hub must not change the next-hop to itself; otherwise, spokes cannot build direct tunnels.

Why this answer

In DMVPN Phase 2, spoke-to-spoke tunnels require that the spoke routers have a route to the remote spoke's tunnel IP address via the hub. This is achieved by the hub advertising the spoke's prefix with the next-hop set to the spoke's tunnel IP. However, if the hub does not configure 'no ip next-hop-self eigrp' (or similar for the routing protocol), the hub will set the next-hop to itself, preventing the spoke from directly reaching the remote spoke.

This is a common edge case because the default behavior of routing protocols is to set the next-hop to the router's own IP.

25
Drag & Drophard

Drag and drop the steps to troubleshoot syslog connectivity failures into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

First, verify reachability to the syslog server using ping. Then, check if the syslog server port (UDP 514) is open. Next, review the logging configuration on the router.

After that, examine ACLs that may block syslog traffic. Finally, enable debug ip udp to monitor syslog packet flow.

26
MCQhard

EIGRP network with routers R1, R2, R3. R1 has: router eigrp 100 network 10.0.0.0 R2 has: router eigrp 100 network 10.0.0.0 R3 has: router eigrp 100 network 10.0.0.0 R1 shows: R1# show ip eigrp topology 10.1.1.0/24 EIGRP-IPv4 Topology Entry for 10.1.1.0/24 State is Passive, Query origin flag is 1, 1 Successor(s), FD is 128256 Routing Descriptor Blocks: 10.2.1.2 (Serial0/0/0), from 10.2.1.2, Send flag is 0x0 Composite metric is (128256/156160), Route is Internal 10.3.1.3 (Serial0/0/1), from 10.3.1.3, Send flag is 0x0 Composite metric is (156160/128256), Route is Internal R1# show ip route 10.1.1.0 Routing entry for 10.1.1.0/24 Known via "eigrp 100", distance 90, metric 128256 Last update from 10.2.1.2 on Serial0/0/0 R1 is using the path with higher feasible distance as successor. What is the root cause?

A.The path with higher FD is not feasible; EIGRP always selects the lowest FD.
B.An offset-list is applied to the lower FD path, increasing its metric.
C.The route is in active state, causing EIGRP to use a backup path.
D.R1 has a distribute-list blocking the lower FD path.
AnswerA

EIGRP selects the successor based on the lowest FD. The path with FD 156160 is not the successor.

Why this answer

EIGRP selects the successor based on the lowest feasible distance (FD). The output shows two paths: one with FD 128256 and another with FD 156160. The path with FD 128256 is the successor, but the show ip route shows the metric as 128256, which is correct.

However, the question states R1 is using the higher FD path, which is not the case in the output. The root cause might be a configuration error where the lower FD path is not feasible (e.g., via a route-map or offset-list). But the output indicates the lower FD path is installed.

This scenario is tricky: the question might have a misprint, but the intended answer is that EIGRP always picks the lowest FD, so the higher FD path is not used. The correct answer is that the higher FD path is not the successor.

27
Multi-Selecthard

An engineer must ensure that all syslog messages with severity level 4 (warning) and higher are sent to a remote syslog server at 10.1.1.100, while also logging messages of severity 6 (informational) to the console. Which TWO configuration commands are required? (Choose TWO.)

Select 2 answers
A.logging host 10.1.1.100 trap 4
B.logging console 6
C.logging buffered 6
D.logging source-interface Loopback0
E.logging monitor 4
AnswersA, B

Correct. This sets the remote syslog server and limits messages sent to severity 4 (warning) and higher (0-4).

Why this answer

The 'logging host' command with the 'trap' keyword sets the severity filter for remote logging; default trap level is 6 (informational), so to limit to level 4 and higher, the trap level must be set to 4. The 'logging console' command controls console logging; default is level 7 (debugging), so setting it to 6 allows informational and higher (0-6). The 'logging buffered' command affects buffer logging, not console.

The 'logging source-interface' sets the source IP but does not filter severity. The 'logging monitor' affects terminal lines, not console.

28
MCQmedium

According to RFC 3164, which facility code is used by default for Cisco IOS syslog messages?

A.Local0
B.Local7
C.User
AnswerB

Cisco IOS defaults to facility local7 for syslog messages.

Why this answer

RFC 3164 defines facility codes. Cisco IOS uses local7 (facility 23) as the default for syslog messages, though this can be changed with the 'logging facility' command.

29
MCQmedium

A network engineer runs the following command to troubleshoot a Network Logging and Syslog issue: R1# debug ip packet Output: IP: s=10.1.1.1 (GigabitEthernet0/1), d=10.2.2.2, len 100, rcvd 3 IP: s=10.1.1.1 (GigabitEthernet0/1), d=10.2.2.2, len 100, rcvd 4 IP: s=10.1.1.1 (GigabitEthernet0/1), d=10.2.2.2, len 100, rcvd 5 What does this output indicate?

A.The router is experiencing a routing loop, as indicated by the repeated packets with the same source and destination.
B.The router is functioning normally; these are just normal IP packets being forwarded.
C.The router is receiving multicast traffic and showing each packet individually.
D.The debug command is not working correctly because the output is too repetitive.
AnswerA

Repeated identical packets suggest a loop; debug ip packet should be used cautiously and stopped with 'undebug all'.

Why this answer

The output shows repeated packets from the same source to the same destination, which may indicate a routing loop or excessive traffic. The engineer should use 'undebug all' to stop the debug and then investigate the routing table.

30
Multi-Selectmedium

Which TWO commands would a network engineer use to verify that syslog messages are being sent to a remote syslog server? (Choose TWO.)

Select 2 answers
A.show logging
B.debug logging
C.show running-config | include logging
D.ping <syslog-server-ip>
E.show ip route
AnswersA, C

This command shows the syslog server status, buffer contents, and logging configuration.

Why this answer

The 'show logging' command displays the current logging configuration, including the syslog server address and whether logging is enabled. The 'debug logging' command is not valid; the correct command to see real-time syslog messages is 'terminal monitor' after enabling logging. 'show run | include logging' shows the running config lines for logging. 'ping' tests reachability but not syslog functionality. 'show ip route' checks routing but not logging.

31
Multi-Selecthard

Which TWO statements about the 'logging buffered' command and its interaction with other logging commands are correct? (Choose TWO.)

Select 2 answers
A.The command 'logging buffered 4096' sets the buffer size to 4096 bytes and enables logging to the buffer.
B.Disabling console logging with 'no logging console' also disables buffered logging.
C.If 'logging buffered' is configured, the buffer can be viewed using the 'show logging' command.
D.The 'logging buffered' command requires 'logging on' to be configured first; otherwise, it has no effect.
E.The 'no logging buffered' command clears the buffer and stops all logging to the buffer.
AnswersA, C

Correct. This command enables buffered logging with a buffer size of 4096 bytes.

Why this answer

The 'logging buffered' command enables logging to an internal buffer. The size can be specified in bytes. The 'logging console' and 'logging buffered' are independent; disabling one does not affect the other.

The 'logging monitor' controls terminal line logging. The 'logging on' command globally enables logging output; without it, no logging occurs. The 'no logging buffered' command disables buffer logging but does not clear the buffer.

32
MCQmedium

A network engineer runs the following command on Router R6: R6# show logging | include %SEC-6-IPACCESSLOGP *Mar 1 00:01:15.123: %SEC-6-IPACCESSLOGP: list ACL_INBOUND denied tcp 10.0.0.100(12345) -> 192.168.1.1(80), 1 packet *Mar 1 00:01:20.456: %SEC-6-IPACCESSLOGP: list ACL_INBOUND denied tcp 10.0.0.100(12346) -> 192.168.1.1(80), 1 packet *Mar 1 00:01:25.789: %SEC-6-IPACCESSLOGP: list ACL_INBOUND denied tcp 10.0.0.100(12347) -> 192.168.1.1(80), 1 packet *Mar 1 00:01:30.012: %SEC-6-IPACCESSLOGP: list ACL_INBOUND denied tcp 10.0.0.100(12348) -> 192.168.1.1(80), 1 packet Based on this output, what is the most likely problem?

A.The ACL ACL_INBOUND is permitting traffic from 10.0.0.100 to 192.168.1.1 on port 80.
B.A host at 10.0.0.100 is attempting to access a web server at 192.168.1.1 and is being blocked by the ACL.
C.The router is experiencing a DoS attack from 192.168.1.1.
D.The ACL ACL_INBOUND is not configured on any interface.
AnswerB

The log messages clearly indicate that packets from 10.0.0.100 to 192.168.1.1 port 80 are being denied by ACL ACL_INBOUND.

Why this answer

The output shows repeated denied packets from source 10.0.0.100 to destination 192.168.1.1 on port 80 (HTTP). This indicates that a host at 10.0.0.100 is trying to access a web server at 192.168.1.1 but is being blocked by ACL ACL_INBOUND. The pattern suggests a possible scan or attack, or a legitimate access that is being denied due to misconfiguration.

33
MCQmedium

A network engineer runs the following command to troubleshoot a Network Logging and Syslog issue: R1# show policy-map control-plane input class class-default Output: Class-map: class-default (match-any) 0 packets, 0 bytes 5 minute offered rate 0 bps, drop rate 0 bps Match: any police: cir 1000000 bps, bc 31250 bytes conformed 0 packets, 0 bytes; actions: transmit exceeded 0 packets, 0 bytes; actions: drop violated 0 packets, 0 bytes; actions: drop What does this output indicate?

A.The CoPP policy is policing control plane traffic at 1 Mbps, but no packets have been matched yet.
B.The CoPP policy is dropping all control plane traffic.
C.The CoPP policy is not applied to the control plane.
D.The CoPP policy is using a class-map that matches all traffic.
AnswerA

The policer is configured with CIR 1 Mbps, but counters show 0 packets.

Why this answer

The output shows the CoPP policy for the control plane, with a policer that limits traffic to 1 Mbps. The counters show no traffic has been matched, which may indicate that the policy is not effective or no traffic is hitting the control plane.

34
MCQmedium

An engineer is troubleshooting a router that is generating syslog messages with incorrect timestamps. The router has 'service timestamps log datetime msec' configured, but the timestamps show the wrong time zone. The router's clock is set correctly via NTP. What is the most likely cause?

A.The 'clock timezone' command is not configured on the router.
B.The NTP server is not providing timezone information.
C.The 'service timestamps log' command should use 'localtime' instead of 'datetime'.
D.The syslog server is overwriting the timestamps with its own.
AnswerA

Correct because without a timezone configuration, the router uses UTC, so timestamps will be offset from the local time even if NTP is synced.

Why this answer

The 'service timestamps log datetime msec' command uses the router's local time, but if the time zone is not configured, the timestamps will appear in UTC (the default). To show the correct local time, the 'clock timezone' command must be configured to set the appropriate offset.

35
MCQmedium

A router is configured with 'logging host 10.1.1.100' and 'logging trap informational'. The engineer notices that syslog messages with severity 5 (notice) are being sent, but messages with severity 6 (informational) are not. What is the most likely cause?

A.The 'logging trap' command is set to 5 (notice) rather than 6 (informational).
B.The syslog server is dropping severity 6 messages due to its own configuration.
C.The 'logging console' command is overriding the remote logging level.
D.The router's clock is not synchronized, causing timestamp issues.
AnswerA

Correct because if the trap level is 5, only messages severity 0-5 are sent; severity 6 messages are excluded.

Why this answer

The 'logging trap informational' command sets the severity threshold to 6, meaning messages of severity 0-6 are sent. However, if the engineer sees that severity 5 messages are sent but severity 6 are not, the issue is likely that the specific informational messages are not being generated by the router, or they are being filtered by a different mechanism such as 'logging filter' or 'exception' settings. But the most common cause is that the 'logging trap' level is actually set to 5 (notice) instead of 6.

A misconfiguration or misunderstanding of the command is typical.

36
MCQhard

An engineer configures Control Plane Policing (CoPP) on a router to protect the control plane. After applying the policy, the router becomes unreachable via SSH, and OSPF neighbor adjacencies go down. The engineer checks the CoPP policy and sees that the class-map for SSH and OSPF traffic is configured with a police rate. Which is the most likely explanation?

A.The class-default is set to drop all traffic not matched by explicit classes
B.The police rate for OSPF traffic is too high
C.The CoPP policy is applied to the wrong interface
D.The class-map for SSH uses the wrong match criteria
AnswerA

Correct. If class-default drops traffic, OSPF and SSH packets that are not explicitly permitted will be dropped.

Why this answer

A common edge case with CoPP is that the default class (class-default) is often configured with an explicit deny or a very low rate, which can drop all traffic not matched by other classes. If the engineer does not include a 'class class-default' with an appropriate action (e.g., 'police' with a conform action of 'transmit'), all unmatched traffic, including critical control plane traffic, may be dropped. Additionally, if the police rate is too low for OSPF hello packets, adjacencies can fail.

37
MCQeasy

Which syslog severity level is used for informational messages that are not errors but may be useful for monitoring?

A.Severity 5 (Notice)
B.Severity 6 (Informational)
C.Severity 7 (Debug)
D.Severity 0 (Emergency)
AnswerB

Severity 6 is 'Informational' and is used for normal but significant conditions.

Why this answer

Severity 6 is defined as 'Informational' in RFC 5424, used for non-error messages.

38
MCQmedium

A network engineer runs the following command to troubleshoot a Network Logging and Syslog issue: R1# show ip nhrp detail Output: 10.1.1.1/32 via 10.0.0.2, Tunnel0 created 00:05:00, expire 01:55:00 Type: dynamic, Flags: authoritative NBMA address: 192.168.1.2 10.2.2.2/32 via 10.0.0.3, Tunnel0 created 00:04:00, expire 01:56:00 Type: dynamic, Flags: authoritative NBMA address: 192.168.1.3 What does this output indicate?

A.The router has two NHRP mappings for dynamic spoke-to-spoke tunnels via Tunnel0.
B.The router is using static NHRP mappings.
C.The router is experiencing NHRP authentication failures.
D.The router has no NHRP entries.
AnswerA

The entries show dynamic type with NBMA addresses, indicating DMVPN dynamic tunnels.

Why this answer

The output shows NHRP cache entries with mappings between tunnel IP and NBMA addresses. This is typical for DMVPN spoke-to-spoke communication.

39
MCQhard

An engineer configures uRPF (Unicast Reverse Path Forwarding) in strict mode on a router interface facing the Internet. After configuration, legitimate traffic from customers is being dropped. The engineer verifies that the routing table has a route back to the source IP address. Which is the most likely explanation?

A.Asymmetric routing causes the return path to use a different interface
B.The uRPF allow-default option is not configured
C.The source IP address is not in the routing table
D.uRPF strict mode requires CEF to be disabled
AnswerA

Correct. Strict uRPF drops packets if the best return route does not exit the same interface.

Why this answer

Strict uRPF checks that the source IP address of incoming packets has a route back through the same interface. If asymmetric routing is present (i.e., traffic comes in one interface but the return route points out a different interface), strict uRPF will drop the packets. This is a common edge case because engineers often assume that having a route to the source is sufficient, but strict mode requires the reverse path to be via the same interface.

40
Multi-Selectmedium

Which TWO symptoms indicate that syslog messages are not being sent to the remote syslog server? (Choose TWO.)

Select 2 answers
A.The 'show logging' command shows messages in the local buffer.
B.The syslog server receives messages from other devices but not from this router.
C.The 'show log' command returns no output.
D.The 'show logging' output does not list the syslog server IP address under 'Logging to'.
E.Debug output appears on the console but not on the syslog server.
AnswersB, D

This indicates a specific issue with this router's syslog configuration or connectivity.

Why this answer

If syslog messages are not reaching the server, the 'show logging' output will not show the server address as active, and the server will not receive any messages. The 'show logging' command may still show messages in the local buffer. The 'show log' command does not exist.

Debug output on the router does not confirm remote delivery.

41
MCQmedium

Which statement correctly describes the behavior of the 'logging synchronous' command on a Cisco IOS device?

A.It disables all syslog messages on the console line.
B.It causes syslog messages to be displayed only after a carriage return.
C.It changes the severity level of messages sent to the console.
D.It enables logging to a synchronous serial interface.
AnswerB

Syslog messages are held until the user presses Enter, preventing interruption.

Why this answer

The 'logging synchronous' command prevents syslog messages from interrupting console command output by buffering them until the user finishes typing.

42
MCQmedium

A network engineer runs the following command on Router R1: R1# show logging Syslog logging: enabled (0 messages dropped, 3 messages rate-limited, 0 flushes, 0 overruns, xml disabled, small buffer) Console logging: level debugging, 37 messages logged, xml disabled, filtering disabled Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled Buffer logging: level informational, 5 messages logged, xml disabled, filtering disabled Logging Exception size (4096 bytes) Count and timestamp logging messages: disabled Persistent logging: disabled No active filter modules. Trap logging: level informational, 0 message lines logged Logging to 192.168.1.100 (udp port 514, audit disabled, link up), 0 message lines logged, xml disabled, filtering disabled Logging Source Interface: Loopback0 Log Buffer (4096 bytes): *Mar 1 00:01:23.456: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up *Mar 1 00:02:34.567: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up Based on this output, which statement is correct?

A.The syslog server at 192.168.1.100 is receiving messages because the link is up.
B.Buffer logging is set to debugging level, so all debug messages are stored in the buffer.
C.Console logging is set to debugging level, meaning all debug messages will appear on the console.
D.The logging buffer size is 4096 bytes, which is sufficient to store all messages without overwriting.
AnswerC

The output explicitly shows 'Console logging: level debugging', so all messages at debugging level and below will be displayed on the console.

Why this answer

The output shows that buffer logging is set to level informational, but the buffer only contains 4096 bytes and has logged only 5 messages. The trap logging (syslog server) is set to informational but has logged 0 messages, and the server 192.168.1.100 is reachable (link up). The key issue is that the syslog server is not receiving messages despite being configured correctly, likely due to the source interface being Loopback0 which may not have a route to the server or the server is not processing the messages.

However, the question asks for a correct statement based on the output. The correct answer is that console logging is set to debugging, which is the most detailed level, and this is confirmed by the output showing 'level debugging' for console logging.

43
MCQmedium

A network engineer runs the following command to troubleshoot a Network Logging and Syslog issue: R1# debug ip bgp updates Output: BGP(0): 10.0.0.2 rcvd UPDATE w/ attr: nexthop 10.0.0.2, origin i, path 65002 BGP(0): 10.0.0.2 rcvd 10.1.1.0/24 BGP(0): 10.0.0.2 rcvd UPDATE w/ attr: nexthop 10.0.0.2, origin i, path 65002 65003 BGP(0): 10.0.0.2 rcvd 10.2.2.0/24 What does this output indicate?

A.The router is receiving BGP updates for prefixes 10.1.1.0/24 and 10.2.2.0/24 from neighbor 10.0.0.2.
B.The router is sending BGP updates to neighbor 10.0.0.2.
C.The router is experiencing a BGP route flap.
D.The router is filtering BGP updates due to a prefix list.
AnswerA

The debug shows received updates with prefixes and AS paths.

Why this answer

The output shows BGP updates being received from neighbor 10.0.0.2, including prefixes and AS path information. This indicates successful BGP peering and route exchange.

44
MCQmedium

What is the default size of the logging buffer in Cisco IOS-XE when 'logging buffered' is enabled without specifying a size?

A.1024 bytes
B.4096 bytes
C.8192 bytes
D.16384 bytes
AnswerB

The default buffer size is 4096 bytes.

Why this answer

The default logging buffer size is 4096 bytes (4 KB) on most Cisco IOS-XE platforms.

45
Multi-Selectmedium

Which TWO statements about syslog message severity levels are true? (Choose TWO.)

Select 2 answers
A.Severity level 0 (emergencies) is the most critical and indicates system instability.
B.Severity level 5 (warnings) is less severe than level 4 (notifications).
C.Severity level 7 (debugging) includes all messages from lower severity levels.
D.Severity level 6 (informational) is used for system error messages.
E.Severity level 3 (errors) is more critical than level 2 (critical).
AnswersA, C

Level 0 is the highest severity, used for system-wide emergencies.

Why this answer

Syslog severity levels range from 0 (emergencies) to 7 (debugging). Level 0 is the most critical, and level 7 is the least critical. Level 5 is 'notifications', not 'warnings'; warnings are level 4.

Level 6 is 'informational'. Level 3 is 'errors'.

46
MCQmedium

A network engineer runs the following command on Router R2: R2# show logging | include %SYS-5-CONFIG_I *Mar 1 00:10:15.123: %SYS-5-CONFIG_I: Configured from console by console *Mar 1 00:12:45.678: %SYS-5-CONFIG_I: Configured from console by console *Mar 1 00:15:30.001: %SYS-5-CONFIG_I: Configured from console by console *Mar 1 00:20:00.999: %SYS-5-CONFIG_I: Configured from console by console Based on this output, what is the most likely problem?

A.The router has a memory leak causing frequent reloads.
B.The router is being reconfigured repeatedly from the console, which could indicate unauthorized access or a script issue.
C.The logging buffer is full and messages are being overwritten.
D.The syslog server is not reachable, so messages are only logged locally.
AnswerB

Multiple %SYS-5-CONFIG_I messages from the console suggest repeated configuration changes, which is abnormal and could be a security issue or a misconfigured automation script.

Why this answer

The output shows multiple configuration changes being made from the console in a short period of time. This could indicate unauthorized access or a misconfiguration that is causing repeated configuration changes. However, the most likely problem is that the logging level is set too low, and these messages are being generated due to a loop or automated script.

But the key clue is that the messages are from the console, suggesting someone is making changes repeatedly. The correct answer is that the router is being reconfigured frequently, possibly due to a configuration loop or an attacker.

47
MCQeasy

A network engineer is troubleshooting a router that is not generating any syslog messages at all, even for critical events like interface flaps. The 'show logging' output shows 'Syslog logging: disabled'. What is the most likely cause?

A.The 'logging on' command is not configured.
B.The logging buffer is full and needs to be cleared.
C.The router has run out of memory to generate syslog messages.
D.The 'logging host' command is missing, so no destination is configured.
AnswerA

Correct because 'logging on' globally enables syslog; without it, no messages are produced.

Why this answer

The 'show logging' output clearly states that syslog logging is disabled. The most common cause is that the global 'logging on' command is missing from the configuration. Without this command, no syslog messages are generated or sent to any destination.

48
MCQmedium

What is the default logging severity level for messages sent to the console in Cisco IOS-XE?

A.Level 0 (emergencies)
B.Level 7 (debugging)
C.Level 5 (notifications)
D.Level 4 (warnings)
AnswerB

The default console logging severity is level 7, meaning all messages from emergencies through debugging are displayed.

Why this answer

By default, Cisco IOS-XE logs messages with severity level 7 (debugging) and higher to the console.

49
MCQmedium

Refer to the following partial configuration: logging console informational logging monitor debugging logging trap errors logging buffered 4096 Which statement is true about the logging levels?

A.The console receives messages of severity 0 through 6.
B.The monitor receives messages of severity 0 through 6.
C.The syslog server receives messages of severity 0 through 7.
D.The buffer stores messages of severity 0 through 6.
AnswerA

Console level 'informational' includes severities 0-6 (emergency through informational).

Why this answer

Logging levels: emergencies (0), alerts (1), critical (2), errors (3), warnings (4), notifications (5), informational (6), debugging (7). The trap level 'errors' means only messages severity 0-3 are sent to syslog servers. Console 'informational' means 0-6.

Monitor 'debugging' means 0-7. Buffer defaults to debugging if not specified, but here it is set to 4096 bytes without a level, so it defaults to debugging.

50
MCQhard

Two OSPF domains are redistributed into each other on router R1. R1 has: router ospf 1 redistribute ospf 2 subnets router ospf 2 redistribute ospf 1 subnets Router R2 (in OSPF 1) shows: R2# show ip route ospf O E2 10.1.1.0/24 [110/20] via 10.2.1.1, 00:00:05, Serial0/0/0 O E2 10.2.1.0/24 [110/20] via 10.2.1.1, 00:00:05, Serial0/0/0 R2# traceroute 10.1.1.1 source 10.2.1.2 Type escape sequence to abort. Tracing the route to 10.1.1.1 1 10.2.1.1 4 msec 4 msec 4 msec 2 10.1.1.1 8 msec 8 msec 8 msec R2# traceroute 10.2.1.1 source 10.1.1.2 Type escape sequence to abort. Tracing the route to 10.2.1.1 1 10.1.1.1 4 msec 4 msec 4 msec 2 10.2.1.1 8 msec 8 msec 8 msec Traffic between the two domains is taking suboptimal paths. What is the root cause?

A.The redistribution is mutual without any route filtering, causing routing loops.
B.The 'subnets' keyword is missing from one of the redistribute commands.
C.OSPF administrative distance is set incorrectly, preferring external routes.
D.R1 has a routing table entry for 10.1.1.0/24 pointing to R2.
AnswerA

Routes from OSPF 1 are redistributed into OSPF 2 and then back into OSPF 1, creating a loop.

Why this answer

Mutual redistribution without route filtering creates a routing loop. Routes from OSPF 1 are redistributed into OSPF 2, and then back into OSPF 1, causing suboptimal paths. The traceroute shows traffic going through R1 twice.

The fix is to use route tagging and filtering to prevent re-redistribution.

51
Multi-Selecthard

Which TWO statements about the 'logging rate-limit' command and its effects are correct? (Choose TWO.)

Select 2 answers
A.The command 'logging rate-limit 200 all' limits all syslog messages to 200 messages per second.
B.By default, Cisco IOS applies a rate limit of 100 messages per second to all logging destinations.
C.The 'logging rate-limit' command can be applied on a per-interface basis using interface configuration mode.
D.The 'logging rate-limit' command only affects messages sent to the console port.
E.The 'show logging rate-limit' command displays the current rate-limit configuration.
AnswersA, C

Correct. The 'all' keyword applies the rate limit to every syslog message, regardless of severity.

Why this answer

The 'logging rate-limit' command limits the number of syslog messages per second to prevent CPU overload. It can be applied globally or per interface. The 'all' option applies the limit to all messages, while 'except' allows certain severities to bypass the limit.

The default rate is not unlimited; it depends on the IOS version but typically no rate limit is applied by default. The command does not affect console logging rate by default; it primarily affects logging to buffer and remote servers. The 'show logging' command displays the current rate-limit configuration.

52
MCQmedium

A router is configured to send syslog messages to two servers: 10.1.1.100 and 10.1.1.200. The engineer notices that only server 10.1.1.100 is receiving messages. The configuration shows 'logging host 10.1.1.100' and 'logging host 10.1.1.200'. Both servers are reachable via ping. What is the most likely cause?

A.The syslog service on 10.1.1.200 is not running or is blocked by a firewall.
B.The router can only send to one syslog server at a time.
C.The 'logging host 10.1.1.200' command is missing the 'transport udp' keyword.
D.The second server is configured with a different severity level using 'logging trap' under the host.
AnswerA

Correct because if the server is not listening or traffic is blocked, messages will not be received even though the router sends them.

Why this answer

Cisco IOS allows multiple logging hosts, but each must be configured with a separate 'logging host' command. If the second server is not receiving messages, it may be because the 'logging trap' level for that specific host is set to a higher severity (e.g., 'logging host 10.1.1.200 trap errors') that filters out most messages, or the server is not listening. However, a common mistake is that the second host is configured with a different port or protocol that is not supported.

But the most typical cause is that the second server's syslog service is not running or is firewalled.

53
MCQhard

What is the default rate-limit interval for the 'logging rate-limit' command in Cisco IOS-XE?

A.100 milliseconds
B.1 second
C.5 seconds
D.No default; it must be specified
AnswerB

The default interval for logging rate-limit is 1 second.

Why this answer

The default rate-limit interval is 1 second, meaning the specified number of messages per second is allowed.

54
MCQeasy

Given the configuration: logging buffered 8192 warnings logging console alerts logging monitor critical Which of the following is true?

A.The logging buffer stores messages of severity 0 through 4.
B.The console displays messages of severity 0 through 3.
C.The monitor receives messages of severity 0 through 4.
D.The buffer can store up to 8192 syslog messages.
AnswerA

Level 'warnings' (4) includes severities 0-4.

Why this answer

The buffer is set to 8192 bytes with level warnings (0-4). Console is alerts (0-2). Monitor is critical (0-3).

Note that the buffer size is in bytes, not messages.

55
MCQhard

A network engineer is troubleshooting a router that is generating excessive syslog messages, filling up the local logging buffer and causing performance issues. The engineer wants to reduce the volume of messages sent to the remote syslog server while still capturing critical alerts locally. The current configuration includes 'logging buffered 4096 debugging' and 'logging host 10.1.1.100'. What is the best approach?

A.Change 'logging buffered 4096 debugging' to 'logging buffered 4096 errors' to reduce local messages.
B.Configure 'logging trap errors' under the logging host configuration to limit remote messages to severity 3 and above.
C.Remove the 'logging buffered' command to stop all local logging.
D.Add 'logging rate-limit 10' to limit the number of messages per second.
AnswerB

Correct because 'logging trap errors' sets the remote syslog threshold to severity 3 (errors), reducing volume while keeping local debugging intact.

Why this answer

To reduce remote syslog volume without affecting local logging, the engineer should set a higher severity threshold for the remote server using 'logging trap' (e.g., 'logging trap 3' for errors only). The local buffer can remain at debugging level for detailed troubleshooting. This separates the logging levels.

56
MCQmedium

A network engineer runs the following command to troubleshoot a Network Logging and Syslog issue: R1# show ip route summary Output: Route Source Networks Subnets Overhead Memory (bytes) connected 0 2 0 0 static 0 0 0 0 ospf 1 5 10 0 0 bgp 65001 3 5 0 0 Total 8 17 0 0 What does this output indicate?

A.The routing table contains 8 networks and 17 subnets, with OSPF contributing the most routes.
B.The router has a routing table with 25 total routes.
C.The router is using BGP as the primary routing protocol.
D.The router has no static routes configured.
AnswerA

The totals show 8 networks and 17 subnets; OSPF has 5 networks and 10 subnets.

Why this answer

The output shows the routing table summary, including the number of networks and subnets from each routing protocol. This helps in understanding the routing table size and protocol contributions.

57
MCQhard

An engineer configures EIGRP named mode on two routers. The engineer notices that route summarization configured under the interface does not generate a summary route in the routing table, even though the component routes are present. The engineer confirms that the summary address is correct and the interface is up. Which is the most likely explanation?

A.The interface is not configured under the EIGRP address-family in named mode
B.The summary-address command must be configured under the EIGRP process, not the interface
C.The component routes have a higher administrative distance than the summary
D.The summary-address command requires the 'leak-map' option to be specified
AnswerA

Correct. In named mode, the interface must be explicitly enabled under the address-family for summary-address to work.

Why this answer

In EIGRP named mode, route summarization is configured under the interface configuration mode using the 'summary-address' command, but it requires that the interface is part of the EIGRP address-family under that named mode. If the interface is not explicitly configured under the address-family, the summary-address command is accepted but does not take effect. This is a common edge case because the CLI accepts the command without error, but the summary is not generated.

58
MCQmedium

A network engineer runs the following command to troubleshoot a Network Logging and Syslog issue: R1# debug ip ospf adj Output: OSPF: 2 Way Communication to 10.0.0.2 on GigabitEthernet0/0, state 2WAY OSPF: Send hello to 224.0.0.5 on GigabitEthernet0/0 OSPF: Rcv DBD from 10.0.0.2 on GigabitEthernet0/0 seq 0x1E opt 0x52 flag 0x7 len 32 OSPF: NBR negotiation done. We are the SLAVE OSPF: Exchange done with 10.0.0.2 on GigabitEthernet0/0 OSPF: Build router LSA for area 0, router ID 10.0.0.1 What does this output indicate?

A.The router is successfully forming an OSPF adjacency with neighbor 10.0.0.2.
B.The router is experiencing an OSPF authentication failure.
C.The router is stuck in the EXSTART state due to MTU mismatch.
D.The router is flooding LSAs to all neighbors.
AnswerA

The sequence shows 2WAY, DBD exchange, and exchange done, indicating a full adjacency is being established.

Why this answer

The debug output shows the OSPF adjacency formation process, including the exchange of database descriptors and LSA building. This indicates successful adjacency formation.

59
MCQmedium

A network engineer runs the following command on Router R4: R4# show logging | include %BGP-3-NOTIFICATION *Mar 1 00:01:05.123: %BGP-3-NOTIFICATION: sent to neighbor 10.0.0.2 4/0 (Hold Timer Expired) 0 bytes *Mar 1 00:02:10.456: %BGP-3-NOTIFICATION: received from neighbor 10.0.0.2 4/0 (Hold Timer Expired) 0 bytes *Mar 1 00:03:15.789: %BGP-3-NOTIFICATION: sent to neighbor 10.0.0.2 4/0 (Hold Timer Expired) 0 bytes Based on this output, what is the most likely problem?

A.The BGP neighbor has a mismatched autonomous system number.
B.There is a connectivity issue causing keepalive packets to be lost.
C.The BGP update interval is too short, causing excessive updates.
D.The router is configured with soft-reconfiguration inbound, causing memory issues.
AnswerB

Hold timer expiration means keepalives are not received within the hold time, indicating packet loss or high delay.

Why this answer

The output shows BGP notifications for hold timer expiration between R4 and neighbor 10.0.0.2. This indicates that keepalive messages are not being exchanged in time, causing the BGP session to reset repeatedly. This is typically due to a flapping link, high CPU load, or mismatched hold timers.

60
Drag & Dropmedium

Drag and drop the steps to configure conditional debugging and syslog forwarding into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

First, enable logging to a buffer to capture debug messages locally. Then, set the logging severity level to ensure debug messages are included. Next, configure the syslog server IP address.

After that, enable logging to the remote syslog server. Finally, enable conditional debugging to limit debug output based on specific conditions.

61
MCQeasy

According to RFC 5424, which syslog severity level corresponds to 'Critical' conditions?

A.Severity 0
B.Severity 1
C.Severity 2
D.Severity 3
AnswerC

Severity 2 is defined as 'Critical' in RFC 5424.

Why this answer

RFC 5424 defines severity level 2 as 'Critical' conditions.

62
MCQmedium

A network engineer runs the following command to troubleshoot a Network Logging and Syslog issue: R1# show logging Output: Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns) Console logging: level debugging, 100 messages logged Monitor logging: level debugging, 0 messages logged Buffer logging: level debugging, 100 messages logged Trap logging: level informational, 100 messages logged Logging to 192.168.1.100 (udp port 514, audit disabled) What does this output indicate?

A.The router is logging all debug-level messages to the console, monitor, buffer, and a remote syslog server.
B.The router is only logging informational messages to the remote syslog server.
C.The router has dropped 100 messages due to buffer overflow.
D.The router is logging to a remote syslog server using TCP port 514.
AnswerA

Console, monitor, and buffer are set to debugging; trap (remote) is informational, so debug messages are not sent to the server.

Why this answer

The output shows that syslog logging is enabled and messages are being sent to a remote syslog server at 192.168.1.100. The buffer logging is at debugging level, which can consume resources.

63
Multi-Selecthard

Which THREE commands can be used to verify the current syslog configuration and message flow on a Cisco IOS device? (Choose THREE.)

Select 3 answers
A.show logging
B.debug logging
C.terminal monitor
D.show running-config | include logging
E.show log
AnswersA, C, D

Correct. This command displays the current logging configuration, buffer contents, and statistics such as messages logged and dropped.

Why this answer

The 'show logging' command displays the logging configuration, buffer contents, and statistics. The 'debug logging' command is not a verification command; it enables debugging of logging itself. The 'terminal monitor' command allows a user to see syslog messages on their terminal session.

The 'show running-config | include logging' filters the running configuration for logging-related lines. The 'show log' command is not valid in Cisco IOS; the correct command is 'show logging'.

64
MCQmedium

An engineer is troubleshooting why syslog messages from a router are not being received by the syslog server at 192.168.1.10. The router configuration includes 'logging host 192.168.1.10' and 'logging trap 6'. The engineer runs 'debug ip packet' and sees packets destined for 192.168.1.10 being sent but no response. What should the engineer check first?

A.Verify that the syslog server is running and listening on UDP port 514.
B.Change the logging trap level to 7 (debugging) to ensure all messages are sent.
C.Add the 'logging source-interface' command to use a loopback interface.
D.Configure 'logging on' if it is not already enabled.
AnswerA

Correct because if the server is not listening or a firewall drops the packets, the messages will never be received despite the router sending them.

Why this answer

Syslog uses UDP, which is connectionless; the server does not send acknowledgments. The debug showing packets being sent indicates the router is transmitting, but the server may not be listening on UDP 514, or a firewall may be blocking the traffic. Checking the server's syslog service status and firewall rules is the logical first step.

65
MCQhard

An engineer configures mutual redistribution between OSPF and EIGRP. After a few minutes, the network becomes unstable with routing loops. The engineer checks the routing tables and notices that the same prefix is being learned from both protocols with different administrative distances. Which is the most likely explanation?

A.Routes are redistributed back and forth between OSPF and EIGRP without any filtering or tagging
B.The seed metric for OSPF redistribution into EIGRP is not configured
C.The administrative distance of OSPF is lower than EIGRP, causing OSPF routes to be preferred
D.The redistribute command is missing the subnets keyword under OSPF
AnswerA

Correct. Mutual redistribution without tagging or filtering causes a feedback loop, leading to routing loops.

Why this answer

Mutual redistribution without proper route tagging can cause routing loops because each protocol redistributes routes back into the other, creating a feedback loop. The administrative distance of the redistributed routes may cause one protocol to prefer the redistributed route over the original, leading to instability. Using route tags and filtering can prevent this, but without them, loops are common.

66
Multi-Selecthard

Which THREE are valid syslog severity levels defined in RFC 5424? (Choose THREE.)

Select 3 answers
A.Emergency (0)
B.Fatal (1)
C.Warning (4)
D.Trace (8)
E.Informational (6)
AnswersA, C, E

Level 0 is the highest severity, indicating system is unusable.

Why this answer

RFC 5424 defines eight severity levels from 0 to 7. Levels 0 (Emergency), 1 (Alert), 2 (Critical), 3 (Error), 4 (Warning), 5 (Notice), 6 (Informational), and 7 (Debug). 'Fatal' is not a standard level; it is sometimes used informally. 'Trace' is not a standard level. 'Severe' is not a standard level.

67
MCQhard

An engineer configures OSPF on two routers connected via a serial link. Both routers show the neighbor state as EXSTART/EXSTART, and no LSAs are exchanged. The engineer verifies that the OSPF process IDs are the same, areas match, and authentication is correct. Which is the most likely explanation?

A.MTU mismatch between the two routers
B.OSPF network type mismatch (e.g., point-to-point vs broadcast)
C.OSPF hello interval mismatch
D.OSPF dead interval mismatch
AnswerA

Correct. An MTU mismatch causes DBD packets to be dropped, preventing the neighbor from advancing past EXSTART.

Why this answer

In OSPF, when neighbors are stuck in EXSTART, it often indicates an MTU mismatch. OSPF uses the interface MTU to determine the size of Database Description (DBD) packets. If the MTU differs, the receiving router will reject DBD packets larger than its own MTU, causing the neighbor to remain in EXSTART.

This is a common edge case because MTU is not always checked during initial troubleshooting.

68
MCQeasy

Consider the configuration snippet: logging 192.168.1.10 vrf Mgmt-intf logging source-interface Vlan1 logging trap 6 What is the effect of the 'logging trap 6' command?

A.Only messages of severity 6 are sent to the syslog server.
B.Messages of severity 0 through 6 are sent to the syslog server.
C.Messages of severity 6 through 7 are sent to the syslog server.
D.The number 6 is invalid; only named levels are accepted.
AnswerB

Level 6 (informational) includes severities 0-6.

Why this answer

The 'logging trap' command accepts either a severity level name or number. Level 6 corresponds to 'informational'. This means messages with severity 0-6 are sent to the syslog server.

69
MCQmedium

A network engineer runs the following command to troubleshoot a Network Logging and Syslog issue: R1# show mpls ldp neighbor detail Output: Peer LDP Ident: 10.0.0.2:0, Local LDP Ident: 10.0.0.1:0 TCP connection: 10.0.0.2.646 - 10.0.0.1.646 State: Oper; Msgs sent/rcvd: 100/100; Downstream Up time: 00:10:00 LDP discovery sources: GigabitEthernet0/0, Src IP addr: 10.0.0.2 Addresses bound to peer LDP Ident: 10.0.0.2 10.1.1.2 10.2.2.2 What does this output indicate?

A.The router has an operational LDP session with neighbor 10.0.0.2, with addresses 10.0.0.2, 10.1.1.2, and 10.2.2.2.
B.The router is experiencing an LDP authentication failure.
C.The router is using UDP for LDP discovery.
D.The router has only one LDP neighbor.
AnswerA

The state is 'Oper' (operational) and addresses are listed.

Why this answer

The output shows detailed LDP neighbor information, including TCP connection details, state, and addresses bound to the peer. This indicates a functioning LDP session.

70
MCQmedium

A network engineer runs the following command to troubleshoot a Network Logging and Syslog issue: R1# show crypto engine connections active Output: Crypto Engine Connections ID Type Algorithm State Connection-ID 1 IPsec AES256-SHA Active 100 2 IPsec AES256-SHA Active 101 3 ISAKMP SHA Active 200 What does this output indicate?

A.The router has two active IPsec tunnels and one active ISAKMP session.
B.The router is experiencing IPsec authentication failures.
C.The router has no active crypto connections.
D.The router is using only IPsec and no ISAKMP.
AnswerA

Two IPsec connections (IDs 1 and 2) and one ISAKMP connection (ID 3) are active.

Why this answer

The output shows active crypto engine connections, including IPsec and ISAKMP sessions. This indicates that the router is processing encrypted traffic.

71
MCQeasy

A network engineer runs the following command on Router R5: R5# show logging | include %LINEPROTO-5-UPDOWN *Mar 1 00:00:10.123: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up *Mar 1 00:00:20.456: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down *Mar 1 00:00:30.789: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up *Mar 1 00:00:40.012: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down *Mar 1 00:00:50.345: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up *Mar 1 00:01:00.678: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down Based on this output, what is the most likely problem?

A.The interface is administratively down.
B.There is a physical layer issue causing the interface to flap.
C.The interface is configured with a high bandwidth delay product.
D.The router is experiencing a high CPU load due to routing updates.
AnswerB

Repeated line protocol up/down messages indicate a flapping interface, typically due to physical or Layer 2 issues.

Why this answer

The output shows the line protocol on GigabitEthernet0/0 flapping every 10 seconds. This is a classic symptom of a flapping interface, often due to a physical issue (bad cable, faulty transceiver) or a Layer 2 problem (e.g., spanning tree topology changes, keepalive mismatch).

72
MCQeasy

What is the default severity level for syslog messages sent to the console on a Cisco IOS device?

A.Debugging (level 7)
B.Informational (level 6)
C.Warnings (level 4)
D.Notifications (level 5)
AnswerA

The default console logging level is debugging, which includes all severities.

Why this answer

By default, the console logging level is 'debugging' (severity 7), meaning all messages from 0 to 7 are displayed on the console. This is a common fact for ENARSI.

73
MCQhard

A router is configured with 'logging host 10.1.1.100' and 'logging trap debugging'. The engineer notices that the router is sending a large number of debug messages to the syslog server, causing high CPU usage. The engineer wants to stop sending debug messages to the remote server but keep them in the local buffer. What is the best command to achieve this?

A.Configure 'no logging trap debugging' globally.
B.Configure 'logging host 10.1.1.100 trap notifications' to set the remote threshold to severity 5.
C.Use 'undebug all' to stop all debug output.
D.Set 'logging buffered 4096 notifications' to limit local buffer to severity 5.
AnswerB

Correct because this command sets the severity level for that specific host only, allowing local logging to remain at debugging.

Why this answer

To stop sending debug messages to the remote server without affecting local logging, the engineer should change the remote logging severity to a higher level (e.g., 'logging host 10.1.1.100 trap notifications' to set severity 5). This will exclude debug (severity 7) messages from being sent to that specific host. The local buffer can remain at debugging level.

74
MCQhard

An engineer configures iBGP between two routers in the same AS. The engineer notices that routes learned from one iBGP neighbor are not being advertised to another iBGP neighbor, even though the next-hop is reachable. The engineer verifies that the BGP session is established and that the routes are present in the BGP table. Which is the most likely explanation?

A.iBGP split-horizon rule prevents advertising iBGP-learned routes to other iBGP neighbors
B.The next-hop-self command is required for iBGP
C.The BGP synchronization rule is enabled
D.The routes are not valid because the next-hop is not reachable
AnswerA

Correct. iBGP does not advertise routes learned from one iBGP neighbor to another iBGP neighbor by default.

Why this answer

By default, iBGP routers do not advertise routes learned from one iBGP neighbor to another iBGP neighbor because of the split-horizon rule. This is a fundamental behavior to prevent routing loops, but it often catches engineers who expect iBGP to behave like eBGP. To overcome this, a route reflector or confederation must be used.

75
MCQmedium

A network engineer notices that the syslog server at 10.1.1.100 is not receiving any log messages from a Cisco router running IOS-XE 16.9. The engineer has configured 'logging host 10.1.1.100' and 'logging trap debugging'. The router can ping the syslog server successfully. What is the most likely cause of the missing syslog messages?

A.The 'logging on' command is not configured globally.
B.The syslog server is using UDP port 514, but the router is sending over TCP.
C.The 'logging source-interface' is set to a loopback that is not advertised in the routing table.
D.The 'logging buffered' command is overriding the remote logging configuration.
AnswerA

Correct because 'logging on' must be enabled to allow any syslog messages to be sent to a remote server. Without it, all syslog output is suppressed.

Why this answer

The 'logging trap debugging' command sets the severity level to 7 (debugging), but the default logging source interface is the lowest-numbered IP address on the router. If that interface is not reachable from the syslog server, messages may be dropped. However, the more common issue is that the 'logging on' command is missing, which globally disables syslog output.

Without 'logging on', no messages are sent to any syslog server regardless of other configurations.

Page 1 of 2 · 76 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Logging Syslog questions.