CCNA Vrf Lite Questions

75 of 76 questions · Page 1/2 · Vrf Lite topic · Answers revealed

1
MCQmedium

Consider the following configuration: ``` ip vrf CUSTOMER_E rd 200:1 route-target export 200:1 route-target import 200:1 ! interface GigabitEthernet0/0 ip vrf forwarding CUSTOMER_E ip address 172.16.0.1 255.255.255.0 ! interface GigabitEthernet0/1 ip vrf forwarding CUSTOMER_E ip address 172.16.1.1 255.255.255.0 ``` What is the effect of the route-target commands in this VRF-Lite scenario?

A.The route-targets enable automatic route redistribution between VRFs.
B.The route-targets are ignored because VRF-Lite does not use MP-BGP.
C.The route-targets cause the VRF to import and export routes from the global routing table.
D.The configuration will fail because route-targets are not allowed in VRF-Lite.
AnswerB

This is correct. In VRF-Lite, route-targets are not processed unless there is an MP-BGP configuration.

Why this answer

In VRF-Lite, route-targets are not used unless route leaking is configured. They are typically used in MPLS VPN environments. Here, they have no effect because there is no MP-BGP or route leaking configured.

2
MCQmedium

Which loop prevention mechanism is used by default in RIP within a VRF-Lite configuration?

A.Split horizon
B.Route poisoning
C.Hold-down timer
D.TTL expiry
AnswerA

Split horizon is enabled by default on RIP interfaces.

Why this answer

RIP uses split horizon as a default loop prevention mechanism, which prevents a route from being advertised out the interface from which it was learned.

3
MCQhard

A router is configured with uRPF (Unicast Reverse Path Forwarding) in strict mode on an interface that belongs to a VRF. The network uses asymmetric routing for load balancing. The engineer notices that legitimate traffic from a customer is being dropped. Which is the most likely explanation?

A.The uRPF strict mode requires that the source IP address be reachable via the same interface, but asymmetric routing causes the return path to use a different interface.
B.The uRPF loose mode is configured instead of strict mode, which only checks that a route exists for the source IP, not the interface.
C.The VRF has a default route that points to the incoming interface, causing uRPF to always succeed.
D.The 'ip verify unicast source reachable-via any' command is used, which is the loose mode, not strict.
AnswerA

Strict uRPF fails if the best route to the source is not via the incoming interface. Asymmetric routing violates this assumption.

Why this answer

Strict uRPF checks that the source IP address of incoming packets has a route in the routing table that points back to the same interface. In asymmetric routing, the return path may be different (e.g., out another interface), so the source IP may not have a route back to the incoming interface. This causes legitimate traffic to be dropped.

The edge case is that uRPF strict mode does not account for asymmetric routing, while loose mode does.

4
MCQmedium

A network engineer runs the following command to troubleshoot a VRF-Lite MPLS LDP issue: R1# show mpls ldp bindings vrf CUSTOMER_F Output: lib entry: 10.4.4.0/24, rev 2 local binding: label: 16 remote binding: lsr: 2.2.2.2:0, label: 20 lib entry: 10.5.5.0/24, rev 3 local binding: label: 17 remote binding: lsr: 2.2.2.2:0, label: 21 What does this output indicate?

A.MPLS LDP has not established a session with the remote LSR 2.2.2.2.
B.The VRF CUSTOMER_F has two prefixes with local labels 16 and 17, and remote labels 20 and 21 from LSR 2.2.2.2.
C.The labels are not being used because the VRF is not configured correctly.
D.The remote LSR is using the same labels as the local router.
AnswerB

Correct. The output shows local and remote label bindings for two prefixes.

Why this answer

The 'show mpls ldp bindings vrf' command displays MPLS label bindings for a specific VRF. The output shows two prefixes (10.4.4.0/24 and 10.5.5.0/24) with local labels (16 and 17) and remote labels (20 and 21) from LSR 2.2.2.2. This indicates that LDP has successfully exchanged labels for these prefixes within the VRF.

5
MCQhard

A network engineer runs the following command on Router R1: R1# show ip route vrf BLUE Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP a - application route + - replicated route, % - next hop override Gateway of last resort is not set 10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks C 10.1.1.0/24 is directly connected, GigabitEthernet0/0 C 10.1.2.0/24 is directly connected, GigabitEthernet0/1 O 10.2.0.0/16 [110/20] via 10.1.1.2, 00:00:15, GigabitEthernet0/0 Based on this output, what is the problem?

A.The OSPF route 10.2.0.0/16 has a next hop of 10.1.1.2, which is unreachable.
B.The OSPF route was learned 15 seconds ago, indicating a recent flap.
C.The VRF BLUE has no default route, which is a problem.
D.The connected routes are not in the routing table.
AnswerB

The age of 00:00:15 suggests the route was recently installed, which could indicate a flapping OSPF neighbor or route instability.

Why this answer

The output shows the routing table for VRF BLUE. It has two connected routes and one OSPF route. The OSPF route (10.2.0.0/16) has been learned recently (00:00:15), which may indicate a flapping neighbor or recent convergence.

However, the key observation is that the OSPF route's next hop is 10.1.1.2, which is reachable via GigabitEthernet0/0. The output is normal; no problem is evident. But if the question implies a problem, it might be that the OSPF route age is very recent, suggesting instability.

However, the correct answer here is that the VRF routing table is correctly populated.

6
MCQmedium

A network engineer is troubleshooting a VRF-Lite configuration on a Cisco router. The router has two VRFs (VRF_RED and VRF_BLUE) configured with OSPF as the routing protocol. The engineer notices that OSPF neighborships are not forming between routers in VRF_RED. The 'show ip ospf neighbor' command shows no neighbors. What is the most likely cause?

A.The OSPF process ID is not unique across VRFs.
B.The interfaces in VRF_RED are missing the 'ip ospf network point-to-point' command.
C.The OSPF process is not configured with the 'vrf VRF_RED' command.
D.The 'router-id' command is missing in the OSPF process.
AnswerC

Without the VRF association in the OSPF process, OSPF will not form neighborships on interfaces belonging to that VRF.

Why this answer

OSPF neighborships in VRF-Lite require that the OSPF process is associated with the correct VRF and that interfaces are placed in the correct VRF. Missing VRF association in the OSPF process or incorrect interface VRF assignment are common issues.

7
MCQhard

Router R1 has an ACL applied to interface Gig0/0 in VRF-A that permits only specific management traffic. The ACL is: access-list 100 permit udp any any eq snmp, access-list 100 permit tcp any any eq ssh, access-list 100 deny ip any any. The router's SNMP and SSH services are configured globally. Management stations in the global table cannot reach the router's VRF interface IP. What is the root cause?

A.The ACL does not permit the source IP address of the management station, causing traffic to be denied.
B.The ACL should be applied outbound on the VRF interface.
C.The management station must be in the same VRF.
D.The ACL is missing a permit statement for the management station's source IP.
AnswerA

Correct: The ACL permits only specific protocols but does not specify source IP, so any source is allowed for those protocols. However, if the management station uses a different protocol (e.g., HTTP), it is denied. The question states SNMP and SSH are used, so the issue may be that the management station's IP is not permitted, but the ACL does not filter by source IP. The root cause is that the ACL is applied inbound on the VRF interface, but the management traffic is coming from the global table and must be routed into the VRF; if the global table has no route to the VRF interface, traffic is dropped before the ACL. The most likely root cause is missing route.

Why this answer

The ACL on the VRF interface blocks all traffic except SNMP and SSH. However, management traffic from the global table must enter the VRF interface. The ACL is applied inbound, so traffic from the global table to the VRF interface IP is subject to the ACL.

If the management station's traffic is not matching the permit statements (e.g., source port or protocol), it is denied. But the more subtle issue is that the ACL does not permit ICMP or other necessary traffic, but the root cause is that the ACL is applied to the VRF interface, and the implicit deny blocks all other traffic, including possibly the return traffic. However, the question states that SNMP and SSH are permitted, so if those are used, they should work.

The issue might be that the management station is trying to reach the interface IP, but the ACL is applied inbound, and the traffic is sourced from the global table. The root cause is that the ACL is applied to the VRF interface, but the management traffic is coming from the global table and must be routed into the VRF; the ACL may be blocking the traffic if the source is not matching. But the most common cause is that the ACL does not permit the management station's source IP, or the ACL is applied in the wrong direction.

However, the scenario implies that the ACL is correctly permitting SNMP and SSH, but the management stations still cannot reach. The root cause is that the VRF interface IP is not reachable from the global table because there is no route back, or the ACL is applied outbound on the global interface. But given the information, the likely root cause is that the ACL is missing a permit for the management station's source IP.

8
MCQmedium

A network engineer is troubleshooting a VRF-Lite setup where two customer VRFs (VRF_A and VRF_B) are configured on a router. The engineer notices that routes from VRF_A are appearing in the routing table of VRF_B, causing traffic misdirection. The router is running IOS-XE 17.3. What is the most likely cause of this issue?

A.The router has 'ip routing' disabled globally.
B.The 'route-target import' and 'route-target export' commands are misconfigured, causing VRF_A routes to be imported into VRF_B.
C.The 'ip vrf forwarding' command is missing on the interfaces.
D.The router is running OSPF with the same process ID in both VRFs.
AnswerB

Incorrect route-target configuration can lead to unintended route leaking between VRFs.

Why this answer

The issue is caused by route leaking between VRFs, which can occur if VRF route import/export configurations are misapplied or if routes are accidentally redistributed between VRFs. In VRF-Lite, VRFs are isolated by default, and any cross-VRF route sharing must be explicitly configured.

9
MCQmedium

In a VRF-Lite setup using RIP, what is the default update timer value?

A.30 seconds
B.60 seconds
C.90 seconds
D.180 seconds
AnswerA

RIP uses a default update timer of 30 seconds.

Why this answer

RIP sends routing updates every 30 seconds by default, as defined in RFC 1058.

10
MCQmedium

Consider this partial configuration: ``` ip vrf CUSTOMER_B rd 65000:1 route-target export 65000:1 route-target import 65000:1 ``` What statement is true about this VRF configuration?

A.The VRF will not function because route-targets are mandatory for VRF-Lite.
B.The VRF is correctly configured for VRF-Lite with a unique RD and optional route-targets.
C.The RD must match the route-target value exactly.
D.The VRF will only work if 'vrf forwarding' is applied to an interface.
AnswerB

This is correct. The RD is required, and route-targets are optional but often configured for consistency.

Why this answer

In VRF-Lite, route-targets are not strictly required because there is no MP-BGP exchange. However, they are used for interoperability and to define import/export policies if needed. The RD is mandatory to create the VRF.

11
Drag & Dropmedium

Drag and drop the steps to configure inter-VRF route leaking using static routes in VRF-Lite into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

First, define both VRFs and assign an RD. Then configure the import/export RTs to allow route exchange. Next, assign interfaces to the respective VRFs.

After that, configure static routes pointing to the next-hop in the other VRF. Finally, verify the leaked routes are present in the VRF routing table.

12
Multi-Selecthard

An engineer is troubleshooting a VRF-Lite setup where two VRFs (BLUE and RED) are configured on a router. Hosts in VRF BLUE cannot ping the default gateway of VRF RED. Which TWO statements correctly explain why this is expected behavior? (Choose TWO.)

Select 2 answers
A.Each VRF maintains its own separate routing table, so VRF BLUE has no route to the subnet of VRF RED.
B.The ARP cache in VRF BLUE does not contain the MAC address of the VRF RED gateway.
C.By default, a router does not forward packets between different VRFs unless inter-VRF routing is explicitly configured.
D.The default gateway in VRF RED is not reachable from VRF BLUE because the gateway interface is in a different VRF.
E.The ping fails because VRF BLUE does not have a default route pointing to the VRF RED gateway.
AnswersA, C

Correct. VRFs have isolated routing tables; without inter-VRF routing, there is no path.

Why this answer

VRF-Lite provides complete isolation between VRFs at Layer 3. By default, no traffic can flow between VRFs unless explicit inter-VRF routing is configured (e.g., using a router with two interfaces in different VRFs or using route leaking). Option A is correct because VRFs maintain separate routing tables.

Option C is correct because by default, a router does not forward packets between VRFs. Option B is incorrect because ARP is per-interface, but the issue is routing, not ARP. Option D is incorrect because the default gateway is reachable within its own VRF.

Option E is incorrect because the ping fails due to routing, not because of a missing default route in the source VRF.

13
MCQhard

A DMVPN Phase 2 network is configured with VRF-Lite. Spokes can communicate with the hub, but spoke-to-spoke traffic is not working. The engineer verifies that NHRP registrations are successful and that the spoke routers have the correct NHRP mappings for other spokes. Which is the most likely explanation?

A.The hub router has 'next-hop-self' configured under BGP, causing spokes to send traffic to the hub instead of directly to the destination spoke.
B.The NHRP authentication is mismatched between spokes, preventing the establishment of spoke-to-spoke tunnels.
C.The spoke routers have a lower MTU on the physical interface, causing fragmentation issues for the GRE/IPsec packets.
D.The DMVPN phase is actually Phase 3, which requires additional configuration for spoke-to-spoke traffic.
AnswerA

In Phase 2, spokes need to know the next-hop is the remote spoke's tunnel IP. 'next-hop-self' on the hub overrides this, forcing traffic through the hub.

Why this answer

In DMVPN Phase 2, spoke-to-spoke tunnels are created dynamically using NHRP. However, for spoke-to-spoke traffic to work, the spoke routers must have a route to the destination subnet via the tunnel interface. Additionally, the next-hop for the spoke-to-spoke route must be the spoke router's tunnel IP, not the hub.

If the hub is configured with 'next-hop-self' under BGP or if the IGP is not propagating the correct next-hop, spoke-to-spoke traffic may be forwarded through the hub instead of directly.

14
MCQhard

A network engineer configures VRF-Lite with OSPF as the routing protocol. Two routers in the same VRF are directly connected, but the OSPF neighbor state remains stuck in EXSTART/EXCHANGE. The engineer verifies that the MTU on both interfaces is 1500. Which is the most likely explanation?

A.The OSPF network type is set to point-to-multipoint on one side and broadcast on the other, causing a mismatch in DBD packet size.
B.The 'ip mtu' command is configured on one interface with a value lower than 1500, causing the DBD packet to be larger than the receiving interface's IP MTU.
C.The VRF forwarding table is missing the OSPF route for the neighbor's router ID, preventing the exchange of DBD packets.
D.The OSPF dead interval is set to 40 seconds on one router and 120 seconds on the other, causing a mismatch in hello parameters.
AnswerB

OSPF uses the IP MTU for DBD packets. If one interface has a lower IP MTU (e.g., 1400), the DBD packet from the other side (1500) is dropped, causing the stuck state.

Why this answer

OSPF uses the IP MTU of the outgoing interface to set the size of Database Description (DBD) packets. If the receiving interface has a smaller IP MTU, the DBD packet is silently dropped, causing the neighbor to stay in EXSTART/EXCHANGE. Even if the physical MTU is 1500, the IP MTU can be lowered via 'ip mtu' command, and OSPF will use that lower value.

The MTU mismatch is not necessarily the physical MTU but the IP MTU, which is a common edge case.

15
MCQhard

In a VRF-Lite environment running EIGRP, what is the default maximum hop count for routes?

A.15
B.100
C.255
D.16
AnswerB

EIGRP defaults to a maximum hop count of 100.

Why this answer

EIGRP uses a maximum hop count of 100 by default, though it is not a metric but a TTL-like limit to prevent routing loops.

16
MCQhard

A network engineer runs the following command to troubleshoot a VRF-Lite DMVPN issue: R1# show ip nhrp vrf CUSTOMER_G detail Output: 10.6.6.1/32 via 10.6.6.1, Tunnel0 created 00:01:00, expire 01:59:00 Type: dynamic, Flags: used NBMA address: 192.168.1.1 (no-socket) Registration handle: 0x00000001 Cache entries: 1 What does this output indicate?

A.The NHRP mapping is static and was manually configured.
B.The NHRP mapping for 10.6.6.1 is dynamic, with NBMA address 192.168.1.1, and is actively used.
C.The NHRP mapping has expired and needs to be refreshed.
D.The NHRP mapping is for a multicast group address.
AnswerB

Correct. The output shows a dynamic mapping with NBMA address 192.168.1.1 and the 'used' flag.

Why this answer

The 'show ip nhrp vrf detail' command displays NHRP cache entries for a specific VRF. The output shows a dynamic NHRP mapping for destination 10.6.6.1/32, with NBMA address 192.168.1.1, learned via Tunnel0. The entry was created 1 minute ago and will expire in 1 hour 59 minutes.

The 'used' flag indicates the mapping is actively being used.

17
MCQhard

Router R1 is leaking routes from VRF-A to the global table using route-map LEAK. The global table receives the routes, but traffic from the global table to destinations in VRF-A is dropped. R1 configuration: ip vrf VRF-A, rd 100:1, route-target export 100:1, route-target import 100:1. The route-map LEAK is applied to the VRF export. The global table has a default route pointing to null0. What is the root cause?

A.The leaked routes have a next-hop that is only reachable within VRF-A, not in the global routing table, causing traffic to be dropped.
B.The global table default route is overriding the leaked routes.
C.The route-map should be applied to the VRF import instead of export.
D.The VRF must have a route to the global table.
AnswerA

Correct: When leaking, the next-hop must be reachable in the destination table; otherwise, packets are dropped.

Why this answer

When routes are leaked from VRF to global, the global table installs them, but the reverse path (global to VRF) requires proper routing. If the global table has a default route pointing to null0, traffic to the leaked prefixes may match the default and be discarded if the leaked routes are less specific. However, the more specific leaked routes should override the default.

The issue could be that the leaked routes are not being installed due to administrative distance or that the default route is preferred. But the most common cause is that the route-map does not set the next-hop correctly, or the VRF interface is not reachable from the global table. The root cause is that the leaked routes have a next-hop that is not reachable in the global table, often because the next-hop is in the VRF.

19
MCQmedium

A network engineer runs the following command to troubleshoot a VRF-Lite issue: R1# show ip eigrp vrf CUSTOMER_B topology 10.1.1.0/24 Output: IP-EIGRP (AS 100): Topology entry for 10.1.1.0/24 for VRF CUSTOMER_B State is Passive, Query origin flag is 1, 1 Successor(s), FD is 131072 Routing Descriptor Blocks: 10.1.1.1 (GigabitEthernet0/1), from 10.1.1.1, Send flag is 0x0 Composite metric is (131072/128256), Route is Internal Vector metric: Minimum bandwidth is 100000 Kbit Total delay is 100 microseconds Reliability is 255/255 Load is 1/255 Minimum MTU is 1500 Hop count is 1 What does this output indicate?

A.The route 10.1.1.0/24 is in Active state, indicating an EIGRP query is in progress.
B.The route 10.1.1.0/24 has one successor with a feasible distance of 131072 and is learned via 10.1.1.1.
C.The route 10.1.1.0/24 is an external EIGRP route redistributed into the VRF.
D.The route 10.1.1.0/24 has multiple successors due to equal-cost paths.
AnswerB

Correct. The output shows one successor, FD 131072, and next hop 10.1.1.1.

Why this answer

The 'show ip eigrp vrf topology' command displays the EIGRP topology table entry for a specific prefix within a VRF. The output shows the route 10.1.1.0/24 is in Passive state, meaning no EIGRP query is pending. It has one successor (the best path) with a feasible distance (FD) of 131072.

The next hop is 10.1.1.1 via GigabitEthernet0/1.

20
MCQhard

In a VRF-Lite network, OSPF is configured with a distribute-list that filters routes from being installed in the routing table. The engineer notices that the distribute-list is working, but the filtered routes are still being advertised to OSPF neighbors. Which is the most likely explanation?

A.The distribute-list is applied inbound, which only prevents the route from being installed in the RIB, but the route remains in the OSPF LSDB and is advertised to neighbors.
B.The distribute-list is applied outbound, but the neighbor has a higher priority, so the route is still advertised.
C.The OSPF process has the 'database-filter all out' command configured, which overrides the distribute-list.
D.The distribute-list uses an ACL that does not match the route correctly, so the route is not filtered.
AnswerA

Distribute-list in filters routes from the RIB, not the LSDB. OSPF advertises based on the LSDB, so the route is still advertised.

Why this answer

The OSPF distribute-list in (or out) filters routes from being installed in the routing table (RIB) but does not affect the OSPF link-state database (LSDB) or the advertisement of routes. To filter routes from being advertised, the distribute-list must be applied outbound, or an area filter (using 'area range' with 'not-advertise') must be used. This is a common misconception: distribute-list in only affects local RIB installation, not LSDB propagation.

21
MCQhard

A network engineer runs the following command to troubleshoot a VRF-Lite redistribution issue: R1# debug ip routing vrf CUSTOMER_E Output: RT: add 10.3.3.0/24 via 10.1.1.2, ospf 200 metric [110/20] RT: add 10.3.3.0/24 via 10.1.1.2, eigrp 100 metric [90/131072] tag 0 RT: closer admin distance for 10.3.3.0/24, adding via eigrp 100 RT: add 10.3.3.0/24 to routing table, via eigrp 100 What does this output indicate?

A.The route 10.3.3.0/24 is added from OSPF 200 because it has a lower metric.
B.The route 10.3.3.0/24 is added from EIGRP 100 because it has a lower administrative distance than OSPF.
C.The route 10.3.3.0/24 is added from both OSPF and EIGRP, creating an equal-cost path.
D.The route 10.3.3.0/24 is not added to the routing table due to a tag mismatch.
AnswerB

Correct. EIGRP AD 90 is lower than OSPF AD 110, so EIGRP route is preferred.

Why this answer

The 'debug ip routing vrf' command shows route insertion and selection events for a specific VRF. The output shows that route 10.3.3.0/24 is learned from both OSPF 200 (with administrative distance 110) and EIGRP 100 (with administrative distance 90). Because EIGRP has a lower administrative distance, it is chosen as the best path and added to the routing table.

22
MCQmedium

A network engineer runs the following command to troubleshoot a VRF-Lite BGP route advertisement issue: R1# show bgp vpnv4 vrf CUSTOMER_D 10.2.2.0/24 Output: BGP routing table entry for 10.2.2.0/24, version 5 Paths: (1 available, best #1, table CUSTOMER_D) Advertised to update-groups: 1 Refresh Epoch 1 Local 10.1.1.2 (metric 20) from 10.1.1.2 (2.2.2.2) Origin incomplete, metric 0, localpref 100, valid, internal, best Extended Community: RT:100:200 mpls labels in/out nolabel/20 What does this output indicate?

A.The route 10.2.2.0/24 is learned via an external BGP peer and is not the best path.
B.The route 10.2.2.0/24 is learned from 10.1.1.2 with an MPLS label of 20 and is the best path.
C.The route 10.2.2.0/24 is not advertised to any update groups.
D.The route 10.2.2.0/24 has no extended community attached.
AnswerB

Correct. The output shows the route is internal, best, and has an MPLS label of 20.

Why this answer

The 'show bgp vpnv4 vrf' command displays BGP VPNv4 route details for a specific VRF. The output shows route 10.2.2.0/24 is learned from neighbor 10.1.1.2 (router ID 2.2.2.2) with a metric of 20. It is valid, internal, and the best path.

The route has an extended community RT:100:200 and an MPLS label of 20 (outgoing).

23
MCQhard

In a DMVPN network with VRF-Lite, Router R1 (hub) and R2 (spoke) are configured for VRF-A. The DMVPN tunnel is up, but spoke-to-spoke traffic between R2 and R3 (another spoke) fails. R1 has configuration: interface Tunnel0, ip vrf forwarding VRF-A, ip address 172.16.0.1 255.255.255.0, tunnel source Gig0/0, tunnel mode gre multipoint. R2 has similar configuration with tunnel destination dynamic. The NHRP map for R3 is missing on R2. What is the root cause?

A.The NHRP mapping for R3 is missing on R2, preventing direct spoke-to-spoke tunnel establishment.
B.The tunnel mode should be gre multipoint on all spokes.
C.The VRF must be removed from the tunnel interface for DMVPN to work.
D.The hub router must have a static route for each spoke.
AnswerA

Correct: Without NHRP mapping, R2 cannot send traffic directly to R3; it must go through the hub.

Why this answer

In DMVPN, spoke-to-spoke tunnels require NHRP resolution. If R2 does not have an NHRP map for R3, it cannot establish a direct tunnel. The hub (R1) should facilitate NHRP resolution, but if the VRF configuration is not properly propagated, NHRP may fail.

The root cause is that the NHRP mapping is missing, often due to VRF mismatch in NHRP configuration or because the hub is not properly forwarding NHRP requests.

24
Multi-Selectmedium

Which TWO configuration steps are required to enable VRF-Lite on a Cisco IOS-XE router for a customer with two separate routing domains? (Choose TWO.)

Select 2 answers
A.Create the VRF using the 'vrf definition <vrf-name>' command and assign a route distinguisher with the 'rd' command.
B.Assign the VRF to an interface using the 'vrf forwarding <vrf-name>' command under interface configuration.
C.Configure route target import/export statements under the VRF.
D.Apply an import map and export map to control route redistribution.
E.Enable BGP to exchange routes between VRFs.
AnswersA, B

This defines the VRF and its route distinguisher, which is mandatory for VRF-Lite.

Why this answer

The two essential steps are: creating the VRF with a route distinguisher using 'vrf definition <name>' and 'rd <value>', and assigning interfaces to the VRF with 'vrf forwarding <name>' under the interface. The other options are incorrect: 'ip vrf <name>' is legacy syntax but still works; however, 'rd' is required. Route targets are for MPLS VPN, not VRF-Lite.

Import/export maps are optional. BGP is not mandatory.

25
MCQhard

Router R1 is configured for VRF-Lite with MPLS. The interface Gig0/0 is in VRF-A and is running LDP. The LDP neighbor with R2 is not establishing. R1 configuration: mpls ip, mpls label protocol ldp, interface Gig0/0, ip vrf forwarding VRF-A, ip address 10.0.0.1 255.255.255.252. R2 has similar configuration without VRF. The LDP hello packets are sent but not received. What is the root cause?

A.LDP cannot form a session between a VRF interface and a global interface; both must be in the same VRF or both in the global table.
B.The MPLS label protocol must be TDP on both sides.
C.The interface IP addresses must be in the same subnet.
D.The mpls ip command must be applied under the VRF address-family.
AnswerA

Correct: LDP sessions require matching VRF context; mismatch prevents session establishment.

Why this answer

LDP uses UDP and TCP, and the transport address is typically the router ID. In a VRF, the LDP session must be established within the same VRF. If R1 has VRF-A and R2 does not, the LDP hellos are sent in the VRF context, but R2's LDP process is in the global table.

The hellos are not recognized because the VRF label space is different. LDP requires matching VRF or global configuration.

26
Multi-Selecthard

Which TWO statements about VRF-Lite and DHCP are true? (Choose TWO.)

Select 2 answers
A.The 'ip dhcp relay' command can be configured with the 'vrf' keyword to forward DHCP requests from a VRF to a DHCP server in a different VRF.
B.DHCP clients in a VRF cannot obtain an IP address from a DHCP server that is in the same VRF.
C.The 'ip dhcp pool' command supports a 'vrf' keyword to associate the pool with a specific VRF.
D.A DHCP server in the global routing table can serve clients in a VRF if the relay agent is configured appropriately.
E.DHCP snooping must be enabled globally for DHCP to work across VRFs.
AnswersA, D

Correct. Example: 'ip dhcp relay vrf BLUE 10.1.1.1' relays requests from VRF BLUE to the DHCP server at 10.1.1.1 (which could be in another VRF or global).

Why this answer

In VRF-Lite, DHCP can be configured to operate within a specific VRF. The 'ip dhcp relay' command can be used with the 'vrf' keyword to relay DHCP requests from a VRF to a DHCP server in another VRF or the global table. Option A is correct because the relay can forward to a server in a different VRF.

Option D is correct because the DHCP server can be in the global routing table and still serve clients in a VRF if the relay is configured correctly. Option B is incorrect because DHCP clients can obtain addresses from a server in the same VRF without relay. Option C is incorrect because the 'ip dhcp pool' command does not have a 'vrf' keyword; pools are global.

Option E is incorrect because DHCP snooping is not required for VRF-Lite DHCP to work.

27
Multi-Selectmedium

Which TWO commands can be used to verify the VRF configuration and associated interfaces on a Cisco IOS-XE router running VRF-Lite? (Choose TWO.)

Select 2 answers
A.show vrf
B.show ip vrf interfaces
C.show ip route vrf <vrf-name>
D.show running-config | section vrf
E.show ip interface brief
AnswersA, B

Displays a summary of all VRFs, including route distinguisher and interface assignments.

Why this answer

The 'show vrf' command displays a summary of all VRFs, including their RD and interfaces, while 'show ip vrf interfaces' lists each VRF with its associated interfaces and IP addresses. The other options are incorrect: 'show ip route vrf' shows the routing table for a specific VRF but not the interfaces, 'show running-config | section vrf' shows configuration but not operational status, and 'show ip interface brief' does not display VRF information.

28
MCQhard

A network engineer configures iBGP within a VRF-Lite environment. The VRF has an IGP (OSPF) running, and BGP is used to exchange customer routes. The engineer notices that BGP routes are not being installed in the VRF routing table, even though they are present in the BGP table. The 'bgp redistribute-internal' command is not configured. Which is the most likely explanation?

A.The BGP synchronization rule is enabled, and the IGP does not have a route for the prefix, so BGP does not advertise the route.
B.The next-hop of the iBGP route is not reachable via any route in the VRF routing table, so the route is not installed.
C.The 'maximum-paths' command is set to 1, and there is already a route with a lower administrative distance.
D.The BGP table shows the route as 'rR' (rIBGP and RIB-failure), indicating a RIB failure due to a higher metric.
AnswerB

iBGP requires the next-hop to be reachable. If the next-hop (e.g., a loopback) is not in the IGP, the route is not installed.

Why this answer

In iBGP, the next-hop for a route learned from an iBGP peer must be reachable via an IGP or static route. If the next-hop is not reachable, the route is not installed in the routing table. Additionally, if the IGP does not carry the next-hop route (e.g., because it is a loopback not advertised), the route remains hidden.

This is a common edge case where synchronization is not the issue, but next-hop reachability is.

29
MCQeasy

A network engineer is troubleshooting a VRF-Lite deployment where a router is configured with VRF_ORANGE. The engineer attempts to configure a static route in VRF_ORANGE using the command 'ip route vrf VRF_ORANGE 192.168.10.0 255.255.255.0 10.1.1.1', but the route does not appear in the routing table. The 'show ip route vrf VRF_ORANGE' does not show the static route. What is the most likely cause?

A.The next-hop IP address 10.1.1.1 is not reachable in VRF_ORANGE.
B.The 'ip classless' command is disabled.
C.The static route is missing the 'permanent' keyword.
D.The router has 'no ip routing' configured.
AnswerA

The static route will only be installed if the next-hop is reachable via a connected or dynamic route in the same VRF.

Why this answer

Static routes in VRF-Lite require that the next-hop IP address is reachable within the same VRF. If the next-hop is not in the VRF's routing table, the static route will not be installed.

30
MCQmedium

A network engineer runs the following command on Router R1: R1# show ip ospf neighbor vrf BLUE Neighbor ID Pri State Dead Time Address Interface 10.0.0.2 1 FULL/DR 00:00:32 10.1.1.2 GigabitEthernet0/0 10.0.0.3 1 2WAY/DROTHER 00:00:35 10.1.2.2 GigabitEthernet0/1 Based on this output, which statement is correct?

A.Neighbor 10.0.0.3 is not forming a full adjacency because it is a DROTHER.
B.Neighbor 10.0.0.2 is the Backup Designated Router.
C.Both neighbors are in the FULL state.
D.The OSPF adjacencies are functioning normally.
AnswerD

The states are appropriate for the network type; FULL for DR and 2WAY for DROTHER.

Why this answer

The output shows two OSPF neighbors for VRF BLUE. Neighbor 10.0.0.2 is in FULL state and is the DR on GigabitEthernet0/0. Neighbor 10.0.0.3 is in 2WAY state and is a DROTHER on GigabitEthernet0/1.

The 2WAY state is normal for neighbors that are not DR/BDR on a multi-access network. No problem is evident.

31
Multi-Selecthard

Which THREE commands are used to troubleshoot VRF-Lite connectivity issues on a Cisco IOS-XE router? (Choose THREE.)

Select 3 answers
A.show ip route vrf <vrf-name>
B.ping vrf <vrf-name> <destination>
C.show vrf
D.traceroute <destination>
E.show ip cef
AnswersA, B, C

Shows the routing table for the specified VRF, critical for verifying route presence.

Why this answer

These three commands provide essential troubleshooting information: 'show ip route vrf' displays the VRF routing table, 'ping vrf' tests connectivity from within a VRF, and 'show vrf' shows VRF status and interfaces. The other options: 'traceroute' without VRF context may not work correctly, and 'show ip cef' without VRF shows global CEF, not VRF-specific.

32
MCQeasy

What is the default OSPF dead timer interval on a point-to-point interface within a VRF-Lite configuration?

A.30 seconds
B.40 seconds
C.120 seconds
D.10 seconds
AnswerB

The default OSPF dead timer is 40 seconds on point-to-point and broadcast interfaces.

Why this answer

OSPF defaults to a dead timer of 40 seconds on point-to-point and broadcast interfaces, which is four times the default hello timer of 10 seconds.

33
MCQmedium

A network engineer runs the following command on Router R1: R1# show ip bgp vpnv4 vrf RED summary BGP router identifier 192.168.0.1, local AS number 65001 BGP table version is 5, main routing table version 5 4 network entries using 576 bytes of memory 4 path entries using 320 bytes of memory 2/1 BGP path/bestpath attribute entries using 320 bytes of memory 0 BGP route-map cache entries using 0 bytes of memory 0 BGP filter-list cache entries using 0 bytes of memory BGP using 1216 total bytes of memory BGP activity 4/0 prefixes, 4/0 paths, scan interval 60 secs Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 10.1.1.2 4 65001 23 25 5 0 0 00:12:34 2 10.1.2.2 4 65002 18 20 5 0 0 00:10:15 1 Based on this output, which statement is correct?

A.Both BGP neighbors are in the Established state.
B.Neighbor 10.1.2.2 is in the Idle state.
C.The local AS number is 65002.
D.Neighbor 10.1.1.2 is in AS 65002.
AnswerA

The State/PfxRcd column shows numbers (2 and 1), indicating established state with prefixes received.

Why this answer

The 'show bgp vpnv4 vrf RED summary' command displays BGP neighbors for VRF RED. It shows two neighbors: 10.1.1.2 (AS 65001) and 10.1.2.2 (AS 65002). Both are in the Established state with prefixes received.

The neighbor 10.1.1.2 has received 2 prefixes, and 10.1.2.2 has received 1 prefix.

34
MCQhard

In a VRF-Lite network, redistribution is configured between OSPF and EIGRP. The engineer notices that some routes are being redistributed in a loop, causing instability. The network uses route tagging, but the loop persists. Which is the most likely explanation?

A.The route tag is not being propagated correctly because OSPF uses a 32-bit tag and EIGRP uses a 32-bit tag, but the tag is lost during redistribution.
B.The seed metric for EIGRP is set to a low value (e.g., 1), causing the redistributed route to be preferred over the original OSPF route, leading to a loop.
C.The administrative distance of OSPF (110) is lower than EIGRP (90), so the redistributed route is always preferred.
D.The 'redistribute connected' command is used under OSPF, which redistributes all connected interfaces, including the loopback used for router ID.
AnswerB

If the seed metric is too low, the redistributed route may have a lower composite metric than the original, causing it to be selected and re-redistributed, creating a loop.

Why this answer

Mutual redistribution can cause routing loops if routes are not properly tagged and filtered. However, even with tags, if the seed metric is not set correctly, the redistributed route may have a lower metric than the original, causing it to be preferred and re-redistributed. The edge case here is that the seed metric for EIGRP (default is infinity) must be set, but if set too low, it can cause loops.

Additionally, if the same prefix exists in both protocols, the administrative distance comparison may cause the redistributed route to be preferred over the original, leading to a loop.

35
MCQhard

A network engineer runs the following command on Router R1: R1# show route-map VRF_RED_MAP route-map VRF_RED_MAP, permit, sequence 10 Match clauses: ip address prefix-list RED_PREFIXES Set clauses: tag 100 Policy routing matches: 0 packets, 0 bytes Based on this output, what is the problem?

A.The route-map is not applied to any interface.
B.The prefix-list RED_PREFIXES is empty.
C.The set clause is incorrect.
D.The route-map sequence is invalid.
AnswerA

The 0 packets matched suggests the route-map is not being used, likely because it is not applied.

Why this answer

The route-map VRF_RED_MAP has a match clause for prefix-list RED_PREFIXES and a set clause to tag 100. The policy routing matches show 0 packets, meaning the route-map has never been used. This could indicate that the route-map is not applied to any interface or that no traffic matches the prefix-list.

36
Multi-Selecthard

Which THREE symptoms indicate a misconfiguration in a VRF-Lite deployment where two routers are connected via a trunk link and each VRF should have connectivity? (Choose THREE.)

Select 3 answers
A.Pings between hosts in the same VRF across the trunk link fail.
B.The 'show ip route vrf <vrf-name>' command shows no routes for the connected subnet.
C.The interface assigned to the VRF is in 'up/down' state.
D.The global routing table contains a default route pointing to the ISP.
E.The router CPU utilization is consistently above 90%.
AnswersA, B, C

Indicates that the VRF forwarding or subinterface configuration may be incorrect.

Why this answer

Common symptoms include: pings failing between devices in the same VRF across the link, missing routes in the VRF routing table, and the VRF interface showing up/down due to misconfiguration. The incorrect options: a default route in the global table is not a VRF-Lite symptom; high CPU is not specific to VRF-Lite.

37
Drag & Dropmedium

Drag and drop the steps to verify and validate VRF-Lite operational state into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Begin by listing all configured VRFs. Then confirm which interfaces belong to each VRF. Next, check the VRF-specific routing table for expected routes.

After that, test reachability to a remote destination within the VRF. Finally, validate end-to-end connectivity with extended ping or traceroute using the VRF.

38
MCQhard

A network engineer is troubleshooting a VRF-Lite scenario where a router is configured with two VRFs (VRF_X and VRF_Y). The engineer notices that routes from VRF_X are not being advertised to the neighbor router via eBGP. The BGP configuration includes 'neighbor 10.1.1.2 remote-as 65002' under the VRF_X BGP address-family. The 'show bgp vpnv4 unicast all neighbors' command shows the BGP session is established. What is the most likely cause?

A.The 'network' command for the prefix is configured under the global BGP configuration, not under the VRF address-family.
B.The BGP session is not using the correct update-source interface.
C.The 'maximum-paths' command is set to 1.
D.The 'bgp router-id' command is missing.
AnswerA

For VRF-Lite, the network command must be under the VRF address-family to advertise routes from that VRF.

Why this answer

In VRF-Lite with BGP, routes must be explicitly injected into the VRF BGP table. Missing the 'network' command or redistribution under the VRF address-family is a common issue.

39
MCQhard

A network engineer is troubleshooting a VRF-Lite setup where two routers are connected via a serial link. Each router has VRF_SALES configured. The engineer configures EIGRP in VRF_SALES. The 'show ip eigrp vrf VRF_SALES neighbors' shows no neighbors. The 'show ip eigrp vrf VRF_SALES interfaces' shows the serial interface is passive. What is the most likely cause?

A.The 'passive-interface default' command is configured under the EIGRP process for VRF_SALES.
B.The 'network' command for the serial interface's subnet is missing.
C.The 'autonomous-system' number is different on the two routers.
D.The 'metric weights' command is misconfigured.
AnswerA

This command makes all interfaces passive by default, and if the serial interface is not explicitly set to no passive, it will remain passive.

Why this answer

If an interface is marked as passive in EIGRP, it will not send or receive hello packets, preventing neighbor formation. This is a common misconfiguration.

40
MCQhard

Router R1 is leaking a summary route 10.0.0.0/8 from VRF-A into the global routing table, but hosts in the global table cannot reach subnet 10.1.1.0/24 within VRF-A. R1 configuration: ip vrf VRF-A, rd 100:1, route-target export 100:1, route-target import 100:1. Interface Gig0/0 in VRF-A has ip address 10.1.1.1 255.255.255.0. The leaking is done via route-map: route-map LEAK permit 10, match ip address prefix-list SUMMARY, set global. Prefix-list SUMMARY permits 10.0.0.0/8. What is the root cause?

A.The summary route 10.0.0.0/8 is being installed in the global table, but the more specific route 10.1.1.0/24 is not leaked, causing traffic to be dropped.
B.The route-map should use match ip address prefix-list SPECIFIC instead of SUMMARY.
C.The VRF must have a default route to reach the global table.
D.The prefix-list should permit 10.1.1.0/24 only.
AnswerA

Correct: The summary lacks the specific route; traffic to 10.1.1.0/24 matches the summary but may be discarded if the summary points to null or is not resolved.

Why this answer

The summary route 10.0.0.0/8 covers the more specific subnet 10.1.1.0/24, but the route-map only leaks the summary, not the specific. When the global table has the summary, traffic to 10.1.1.0/24 is forwarded based on the summary, but since the specific route is not leaked, the packet may be dropped or sent to a null interface if the summary points to a discard. The issue is that the summary route does not provide reachability to the specific subnet because the specific route is not leaked.

41
MCQmedium

Which EIGRP packet type is used to confirm receipt of an update during reliable transport in a VRF-Lite configuration?

A.Hello
B.Update
C.ACK
D.Query
AnswerC

ACK packets are used to acknowledge receipt of reliable EIGRP packets.

Why this answer

EIGRP uses ACK packets, which are hello packets with no data, to acknowledge reliable packets (updates, queries, replies).

42
MCQhard

A network engineer runs the following command to troubleshoot a VRF-Lite CoPP issue: R1# show policy-map control-plane input class CoPP-ACL vrf CUSTOMER_I Output: Class-map: CoPP-ACL (match-all) 0 packets, 0 bytes 5 minute offered rate 0 bps, drop rate 0 bps Match: access-group 100 police: cir 8000 bps, bc 1500 bytes, be 1500 bytes conformed 0 packets, 0 bytes; actions: transmit exceeded 0 packets, 0 bytes; actions: drop violated 0 packets, 0 bytes; actions: drop What does this output indicate?

A.The CoPP policy is dropping all packets that match access-group 100.
B.The CoPP policy is rate-limiting traffic to 8000 bps, but no traffic has matched the class yet.
C.The CoPP policy has matched many packets and is dropping them due to exceeding the rate.
D.The CoPP policy is not applied to the control plane for this VRF.
AnswerB

Correct. The police rate is 8000 bps, but all counters are zero, so no matching traffic has been seen.

Why this answer

The 'show policy-map control-plane input class vrf' command displays CoPP policy statistics for a specific VRF. The output shows class CoPP-ACL matching access-group 100, with a police rate of 8000 bps. All counters are zero, indicating no traffic has matched this class.

This could mean the ACL is not matching any packets, or no traffic is being sent to the control plane for this VRF.

43
Drag & Drophard

Drag and drop the steps to troubleshoot VRF-Lite adjacency or connectivity failures into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Start by checking if the VRF is defined correctly with show vrf. Then verify interface assignment to the correct VRF. Next, confirm that the IP address on the interface is in the VRF context.

After that, test basic connectivity with ping using the VRF keyword. Finally, examine routing protocol adjacency status within the VRF.

44
Multi-Selecthard

Which THREE commands can be used to verify VRF-Lite configuration and operation on a Cisco IOS-XE router? (Choose THREE.)

Select 3 answers
A.show vrf
B.show ip route vrf BLUE
C.show ip interface vrf BLUE
D.show vrf interfaces
E.show vrf detail
AnswersA, B, C

Correct. This command lists all VRFs, their route distinguishers (RD), and interfaces.

Why this answer

Common verification commands for VRF-Lite include: 'show vrf' to list VRFs and their RD/RT, 'show ip route vrf <name>' to display the VRF-specific routing table, and 'show ip interface vrf <name>' to show interfaces assigned to a VRF. Option A is correct. Option B is correct.

Option C is correct. Option D is incorrect because 'show ip vrf interfaces' is the correct command, not 'show vrf interfaces'. Option E is incorrect because 'show vrf detail' is not a valid command; the correct command is 'show vrf' or 'show vrf <name>'.

45
Multi-Selectmedium

Which TWO statements are true regarding the use of VRF-Lite in a Cisco Enterprise network? (Choose TWO.)

Select 2 answers
A.VRF-Lite enables multiple virtual routing tables on a single router, providing traffic separation without MPLS.
B.VRF-Lite supports dynamic routing protocols such as OSPF and EIGRP within each VRF.
C.VRF-Lite requires MPLS to exchange VPNv4 routes between routers.
D.VRF-Lite can automatically encrypt traffic between VRFs using IPsec.
E.VRF-Lite can only be used with static routing.
AnswersA, B

VRF-Lite creates separate routing tables per VRF, isolating traffic at Layer 3 without needing MPLS.

Why this answer

VRF-Lite allows multiple routing tables on a single router, enabling traffic separation without MPLS. It relies on static routes or dynamic routing protocols like OSPF, EIGRP, or BGP within each VRF. The incorrect options: MPLS is not required for VRF-Lite; VRF-Lite does not support MPLS VPNv4 route exchange (that requires MPLS); and VRF-Lite does not inherently provide encryption.

46
MCQhard

In a VRF-Lite environment running EIGRP, what is the default hello timer value on a Frame Relay multipoint interface?

A.5 seconds
B.10 seconds
C.60 seconds
D.30 seconds
AnswerC

EIGRP defaults to a 60-second hello timer on low-speed NBMA interfaces (e.g., Frame Relay multipoint with bandwidth < T1).

Why this answer

By default, EIGRP uses a hello timer of 60 seconds on NBMA networks with bandwidth less than T1, including Frame Relay multipoint interfaces, and 5 seconds on high-speed NBMA links.

47
Multi-Selecthard

Which TWO configuration changes are required to enable inter-VRF route leaking between VRF A and VRF B using static routes? (Choose TWO.)

Select 2 answers
A.Configure a static route in VRF B with the 'vrf A' keyword to specify the source VRF for the next-hop.
B.Use the 'ip route vrf B <prefix> <mask> <next-hop> source-vrf A' command syntax.
C.The next-hop IP address must be the interface address of the destination VRF.
D.The next-hop IP address must be reachable in the source VRF (VRF A).
E.A dynamic routing protocol must be configured in both VRFs to redistribute the leaked routes.
AnswersA, D

Correct. Example: 'ip route vrf B 10.1.2.0 255.255.255.0 10.1.1.1 vrf A' leaks the route from VRF A to VRF B.

Why this answer

Route leaking between VRFs can be done using static routes with the 'global' or 'vrf' keywords. To leak a route from VRF A to VRF B, you configure a static route in VRF B pointing to the next-hop in VRF A, and use the 'vrf' keyword to specify the source VRF. Option A is correct because the static route must specify the source VRF.

Option D is correct because the next-hop must be reachable in the source VRF. Option B is incorrect because the 'ip route' command does not use 'source-vrf'; it uses 'vrf'. Option C is incorrect because the destination network is the one being leaked, not the next-hop.

Option E is incorrect because route leaking does not require a routing protocol; static routes are sufficient.

48
MCQmedium

Examine this partial configuration: ``` interface GigabitEthernet0/0 ip vrf forwarding CUSTOMER_F ip address 10.10.10.1 255.255.255.0 ! interface GigabitEthernet0/1 ip vrf forwarding CUSTOMER_G ip address 10.10.20.1 255.255.255.0 ``` What is required to enable communication between VRF CUSTOMER_F and VRF CUSTOMER_G?

A.No additional configuration is needed; VRFs can communicate by default.
B.Configure a route-map and import/export route-targets between the VRFs.
C.Add static routes with the 'vrf' keyword to point to the other VRF's next hop.
D.Use the 'ip route vrf' command to create a global route that points to the VRF interface.
AnswerC

This is correct. Static routes can be used to leak routes between VRFs.

Why this answer

By default, VRFs are isolated. To enable communication between them, route leaking must be configured, typically using static routes with the 'vrf' keyword or using route-replicate commands.

49
MCQmedium

Which BGP attribute is used as the first tie-breaker when selecting the best path in a VRF-Lite environment?

A.Local preference
B.Weight
C.AS path length
D.MED
AnswerB

Weight is a Cisco-proprietary attribute and is checked first in the BGP best-path selection process.

Why this answer

BGP selects the path with the highest weight (Cisco proprietary) as the first tie-breaker, followed by local preference.

50
MCQmedium

Examine the following configuration: ``` interface GigabitEthernet0/1 ip vrf forwarding CUSTOMER_C ip address 10.1.1.1 255.255.255.0 no shutdown ``` What is missing from this configuration to ensure that routes from VRF CUSTOMER_C are properly isolated?

A.A route-target import/export statement under the VRF definition.
B.The command 'ip vrf forwarding CUSTOMER_C' must be preceded by 'no ip address' to avoid IP address removal.
C.Nothing is missing; this configuration provides proper VRF isolation.
D.A 'vrf definition CUSTOMER_C' must be used instead of 'ip vrf' on newer IOS versions.
AnswerC

This is correct. The interface is in a VRF, so all traffic uses the VRF-specific routing table, ensuring isolation.

Why this answer

The configuration is complete for basic VRF-Lite. VRF isolation is achieved by associating the interface with a VRF, which creates a separate routing table. No additional commands are required for isolation.

51
MCQhard

An engineer configures IPsec between two VRF-Lite routers using a site-to-site VPN. The tunnel is established, but no traffic is encrypted. The engineer verifies that the crypto map is applied to the correct interface and that the ACL for interesting traffic matches the VRF traffic. Which is the most likely explanation?

A.The crypto map is applied to the wrong interface; it should be applied to the VRF interface, not the physical interface.
B.The ACL for interesting traffic is not matching the VRF traffic because the ACL is evaluated in the global routing table, not the VRF.
C.The IPsec transform set has a mismatch in the encryption algorithm, causing the tunnel to fail to establish.
D.The 'crypto isakmp key' command is missing the VRF keyword, causing IKE to fail.
AnswerB

IPsec crypto maps are evaluated in the global routing table. VRF traffic must be redirected to the global table using PBR or the crypto map must be VRF-aware.

Why this answer

In VRF-Lite, traffic is forwarded based on the VRF routing table. However, IPsec crypto maps operate on the global routing table by default. If the traffic is in a VRF, the crypto map must be applied with the VRF keyword or the traffic must be redirected using a policy-based route (PBR) to the global table.

Without this, the crypto engine does not see the traffic as interesting, so it is not encrypted.

52
MCQeasy

In a VRF-Lite scenario with OSPF, what is the default network type on a physical Ethernet interface?

A.Point-to-point
B.Broadcast
C.Non-broadcast
D.Point-to-multipoint
AnswerB

Ethernet defaults to broadcast network type in OSPF.

Why this answer

By default, OSPF sets the network type to broadcast on Ethernet interfaces, which enables DR/BDR election.

53
MCQeasy

A network engineer runs the following command on Router R1: R1# show ip route vrf RED 192.168.1.0 Routing entry for 192.168.1.0/24 Known via "connected", distance 0, metric 0 (connected, via interface) Routing Descriptor Blocks: * directly connected, via GigabitEthernet0/2 Route metric is 0, traffic share count is 1 Based on this output, which statement is correct?

A.The route is learned via OSPF.
B.The route is a static route.
C.The route is directly connected via GigabitEthernet0/2.
D.The route has a metric of 1.
AnswerC

The output states it is directly connected via GigabitEthernet0/2.

Why this answer

The output shows the route for 192.168.1.0/24 in VRF RED is a connected route via GigabitEthernet0/2. This is normal.

54
MCQhard

A network engineer is troubleshooting a VRF-Lite configuration on a Cisco router. The router has two VRFs (VRF_CUSTOMER_A and VRF_CUSTOMER_B). The engineer notices that traffic from VRF_CUSTOMER_A is being routed to the wrong next-hop, causing connectivity issues. The 'show ip route vrf VRF_CUSTOMER_A' shows a route to the destination via a next-hop that belongs to VRF_CUSTOMER_B. What is the most likely cause?

A.The 'route-target import' command in VRF_CUSTOMER_A is importing routes from VRF_CUSTOMER_B.
B.The router has a default route that points to the next-hop in VRF_CUSTOMER_B.
C.The 'ip cef' command is disabled globally.
D.The 'ip vrf forwarding' command is applied to the same physical interface for both VRFs.
AnswerA

This causes routes from VRF_CUSTOMER_B to appear in VRF_CUSTOMER_A's routing table, leading to incorrect next-hop selection.

Why this answer

This issue is typically caused by route leaking between VRFs, which can happen if the route-target import/export commands are misconfigured or if there is a shared interface with incorrect VRF assignment.

55
MCQhard

A large enterprise network is experiencing intermittent reachability between VRF-A on Router R1 and VRF-B on Router R2. R1 has the following relevant configuration: ip vrf VRF-A, rd 100:1, route-target export 100:1, route-target import 100:2. R2 shows: ip vrf VRF-B, rd 200:2, route-target export 200:2, route-target import 200:1. The link between R1 and R2 is configured with VRF forwarding VRF-A on R1 and VRF forwarding VRF-B on R2. What is the root cause?

A.The route-target import and export values are mismatched between the VRFs, preventing route exchange.
B.The RD values must match for VRF-Lite to work on a direct link.
C.The VRFs must have the same name on both routers for direct connectivity.
D.The interface must be in the same VRF on both ends; route-targets are irrelevant for VRF-Lite.
AnswerA

Correct: R1 exports RT 100:1, but R2 imports RT 200:1; R2 exports RT 200:2, but R1 imports RT 100:2. No common RT exists.

Why this answer

The route-target import/export values are mismatched for the VRF-Lite scenario. In VRF-Lite, route-targets are used for route leaking, but on a direct link, the VRFs must match or route leaking must be configured properly. Here, R1 imports routes with RT 100:2, which R2 exports as 200:2, not 100:2.

R2 imports RT 200:1, but R1 exports 100:1. Thus, no routes are exchanged, causing unreachability.

56
MCQhard

A network engineer runs the following command to troubleshoot a VRF-Lite OSPF adjacency issue: R1# debug ip ospf adj vrf CUSTOMER_C Output: OSPF: 2 Way state received from 10.1.1.2 on interface GigabitEthernet0/1, address 10.1.1.2 OSPF: Neighbor 10.1.1.2 is eligible for DR election on interface GigabitEthernet0/1 OSPF: DR election: 10.1.1.1 (pri 1) is DR, 10.1.1.2 (pri 1) is BDR OSPF: Build router LSA for area 0, router ID 1.1.1.1, seq 0x80000001 OSPF: Neighbor 10.1.1.2 is FULL, state changed from LOADING to FULL What does this output indicate?

A.The OSPF adjacency failed because the neighbor remained in LOADING state.
B.The OSPF adjacency formed successfully, with 10.1.1.1 as DR and 10.1.1.2 as BDR.
C.The OSPF adjacency formed but the router ID is missing, causing instability.
D.The OSPF adjacency is stuck in 2-Way state due to mismatched area IDs.
AnswerB

Correct. The debug shows FULL state and DR/BDR election results.

Why this answer

The 'debug ip ospf adj vrf' command shows OSPF adjacency state changes for a specific VRF. The output shows a successful OSPF adjacency formation: the neighbor transitioned through 2-Way, DR election, and reached FULL state. The router with IP 10.1.1.1 became the DR, and 10.1.1.2 became the BDR.

57
MCQhard

A network engineer applies a CoPP (Control Plane Policing) policy to a router running VRF-Lite. The policy includes a class that matches SSH traffic and polices it to 1 Mbps. After applying the policy, the engineer cannot SSH into the router from any VRF. Which is the most likely explanation?

A.The CoPP policy has an explicit 'deny' in the class-default, which drops all traffic not matched by other classes.
B.The SSH traffic is being policed to 1 Mbps, but the traffic rate is below that, so it should be allowed.
C.The CoPP policy is applied to the control plane of the VRF, not the global control plane, so it does not affect SSH traffic.
D.The SSH traffic is being matched by a different class that has a 'drop' action, such as a class for ICMP.
AnswerA

If class-default has a 'police' or 'drop' action, all unmatched traffic (including SSH) is dropped. The engineer should have added a 'class class-default' with 'police' or 'permit'.

Why this answer

CoPP policies are applied to the control plane and affect all traffic destined to the router, regardless of VRF. However, CoPP uses the global routing table for classification. If the SSH traffic is sourced from a VRF, the CoPP policy may not match it correctly because the class-map might be using 'match protocol' or 'match access-group' that is evaluated in the global context.

Additionally, the default class (class-default) often has a police action that drops traffic if not explicitly allowed. A common edge case is that the engineer forgot to include a 'class-default' action to permit traffic, causing all unmatched traffic to be dropped.

58
MCQmedium

A network engineer runs the following command on Router R1: R1# show ip vrf interfaces Interface VRF IP Address Protocol GigabitEthernet0/0 BLUE 10.1.1.1 up GigabitEthernet0/1 BLUE 10.1.2.1 up GigabitEthernet0/2 RED 192.168.1.1 up Loopback0 BLUE 10.0.0.1 up Loopback1 RED 192.168.0.1 up Based on this output, which statement is correct?

A.All interfaces are in the global routing table.
B.GigabitEthernet0/2 is in VRF RED with IP address 192.168.1.1.
C.Loopback0 is in VRF RED.
D.GigabitEthernet0/1 has IP address 10.1.2.2.
AnswerB

The output shows GigabitEthernet0/2 is in VRF RED with IP 192.168.1.1 and protocol up.

Why this answer

The 'show ip vrf interfaces' command displays all interfaces assigned to VRFs and their IP addresses. The output shows that GigabitEthernet0/0, GigabitEthernet0/1, and Loopback0 are in VRF BLUE, while GigabitEthernet0/2 and Loopback1 are in VRF RED. There are no interfaces in the global routing table shown here, but that is normal for VRF-Lite.

59
MCQmedium

A network engineer runs the following command to troubleshoot a VRF-Lite issue: R1# show ip route vrf CUSTOMER_A summary Output: IP routing table name: CUSTOMER_A (0x00000001) IP routing table maximum-paths: 32 Route Source Networks Subnets Replicates Overhead Memory (bytes) connected 2 0 0 0 576 static 1 0 0 0 288 eigrp 100 3 0 0 0 864 Internal 3 0 0 0 864 External 0 0 0 0 0 ospf 200 0 0 0 0 0 Intra-area 0 0 0 0 0 Inter-area 0 0 0 0 0 External-1 0 0 0 0 0 External-2 0 0 0 0 0 NSSA-1 0 0 0 0 0 NSSA-2 0 0 0 0 0 bgp 65000 0 0 0 0 0 Internal 0 0 0 0 0 External 0 0 0 0 0 Total 6 0 0 0 1728 What does this output indicate?

A.The VRF CUSTOMER_A has 6 routes, with EIGRP 100 providing 3 internal routes.
B.The VRF CUSTOMER_A has 6 routes, all redistributed from BGP 65000.
C.The VRF CUSTOMER_A has 6 routes, with OSPF 200 providing 3 external routes.
D.The VRF CUSTOMER_A has 6 routes, all from connected and static only.
AnswerA

Correct. The summary shows 6 total routes, with EIGRP 100 contributing 3 internal routes.

Why this answer

The 'show ip route vrf summary' command displays the routing table summary for a specific VRF. It shows the number of routes from each routing protocol source. In this output, the VRF CUSTOMER_A has 6 total routes: 2 connected, 1 static, and 3 from EIGRP 100.

OSPF and BGP have 0 routes, indicating they are not contributing to the VRF's routing table.

60
MCQmedium

A network engineer is troubleshooting a VRF-Lite configuration where a router is using RIP as the routing protocol in VRF_BLUE. The engineer notices that RIP routes are not being learned from a neighbor router. The 'show ip rip database vrf VRF_BLUE' shows no entries. The 'show ip vrf interfaces VRF_BLUE' shows the correct interface. What is the most likely cause?

A.The 'network' command is configured under the global RIP process, not under the VRF address-family.
B.The 'version 2' command is missing under the VRF address-family.
C.The 'no auto-summary' command is missing.
D.The 'timers basic' command is set to a very low value.
AnswerA

For RIP to operate in a VRF, the network command must be under the VRF address-family.

Why this answer

RIP in VRF-Lite requires that the RIP process be associated with the VRF and that the network command is issued under the VRF context. Missing the 'address-family ipv4 vrf VRF_BLUE' configuration is a common oversight.

61
MCQmedium

A network engineer is troubleshooting a VRF-Lite setup where a router is configured with VRF_GREEN. The engineer pings the gateway IP of a host in VRF_GREEN from the router, but the ping fails. The 'show ip route vrf VRF_GREEN' command shows the connected network for the host's subnet. The 'show ip interface brief' shows the interface is up/up. What is the most likely cause?

A.The host's default gateway is not set to the router's interface IP in VRF_GREEN.
B.The router's interface in VRF_GREEN has 'ip proxy-arp' disabled.
C.The host's IP address is not in the same subnet as the router's interface IP in VRF_GREEN.
D.The 'ip routing' command is disabled in VRF_GREEN.
AnswerC

If the host's IP is in a different subnet, the router will not have a connected route for that host, and ARP will fail.

Why this answer

If the interface is up and the route is present, the issue might be with ARP resolution or the host's configuration. However, in VRF-Lite, the router might not be able to ping the gateway if the gateway IP is not in the same subnet as the interface IP, or if the host has a firewall blocking ICMP.

62
MCQhard

Router R1 is configured with VRF-A and VRF-B. Route leaking is configured between them using route-targets. However, routes from VRF-A are appearing in VRF-B with incorrect next-hop addresses, causing traffic to be black-holed. R1 configuration: ip vrf VRF-A, rd 100:1, route-target both 100:1. ip vrf VRF-B, rd 200:2, route-target both 200:2. Additionally, a route-map is applied to the VRF-A export: route-map LEAK, set global. The route-map does not modify the next-hop. What is the root cause?

A.The route-map uses 'set global', which is intended for leaking to the global table, not between VRFs, causing incorrect next-hop.
B.The route-targets must be the same for both VRFs for route leaking.
C.The VRF names must be the same for route leaking.
D.The route-map should be applied to the VRF-B import instead.
AnswerA

Correct: 'set global' is for global table; for VRF-to-VRF, the route-map should not include that command.

Why this answer

When leaking routes between VRFs, the next-hop is typically the local router's interface IP in the source VRF. If the route-map does not set the next-hop to a reachable address in the destination VRF, the route may be installed with an unreachable next-hop. In this case, the route-map sets 'set global', which is used for leaking to the global table, not between VRFs.

For VRF-to-VRF leaking, the route-map should not use 'set global' but rather rely on the default behavior. The 'set global' command causes the route to be leaked to the global table instead of VRF-B, or it may cause the next-hop to be set incorrectly. The root cause is that the route-map is misconfigured for VRF-to-VRF leaking.

63
MCQmedium

In VRF-Lite, which routing protocols can be used within a VRF?

A.Only static routing is supported in VRF-Lite.
B.OSPF, EIGRP, RIP, and BGP can all be configured per VRF.
C.Only OSPF and EIGRP are supported in VRF-Lite.
D.BGP cannot be used within a VRF in VRF-Lite.
AnswerB

This is correct. These protocols have VRF-aware capabilities.

Why this answer

Most routing protocols (RIP, EIGRP, OSPF, BGP) support VRF-aware configurations. The protocol must be configured with the 'vrf' keyword to operate within a specific VRF.

64
MCQhard

A network engineer runs the following command on Router R1: R1# show ip bgp vpnv4 vrf RED neighbors 10.1.1.2 advertised-routes BGP table version is 5, local router ID is 192.168.0.1 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, t secondary path, L long-lived-stale, Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path *> 192.168.1.0/24 0.0.0.0 0 32768 i *> 192.168.2.0/24 0.0.0.0 0 32768 i Total number of prefixes 2 Based on this output, what is the problem?

A.The routes are advertised with next hop 0.0.0.0, which will cause the neighbor to drop them.
B.The routes are being advertised correctly.
C.The BGP table version is 5, indicating a problem.
D.The routes have weight 0, which is incorrect.
AnswerB

The output shows two routes being advertised with valid attributes.

Why this answer

The output shows the routes advertised to BGP neighbor 10.1.1.2 for VRF RED. It advertises two networks: 192.168.1.0/24 and 192.168.2.0/24, both with next hop 0.0.0.0 (meaning self). This is normal.

However, the next hop 0.0.0.0 might be problematic if the neighbor expects a valid next hop. But in BGP, 0.0.0.0 is used for locally originated routes. The problem could be that the routes are not being advertised with the correct next hop, but for VRF-Lite, this is typical.

Actually, no problem is evident. The correct answer might be that the routes are being advertised correctly.

65
MCQhard

A network engineer is troubleshooting a VRF-Lite deployment where two routers are connected via a trunk link. Each router has two VRFs (VRF_A and VRF_B). The engineer configures subinterfaces on the trunk link, assigning each subinterface to a different VRF. However, traffic between the two routers for VRF_A is not working. The 'show vrf' command shows the VRFs are active. What is the most likely issue?

A.The subinterface on Router1 is configured with 'encapsulation dot1q 10', but the subinterface on Router2 is configured with 'encapsulation dot1q 20'.
B.The 'ip vrf forwarding VRF_A' command is missing on the main interface.
C.The 'no ip routing' command is configured globally.
D.The 'mtu' command is set differently on the two subinterfaces.
AnswerA

Mismatched VLAN IDs prevent the Layer 2 frames from being correctly tagged and forwarded between the VRFs.

Why this answer

In VRF-Lite with trunk links, subinterfaces must be associated with the correct VRF and VLAN. A common mistake is not matching the VLAN IDs on the subinterfaces of both routers, or missing the 'encapsulation dot1q' command.

66
MCQmedium

Given this configuration on router R2: ``` ip vrf CUSTOMER_D rd 100:1 ! interface GigabitEthernet0/0 ip vrf forwarding CUSTOMER_D ip address 192.168.2.1 255.255.255.0 ! router ospf 1 vrf CUSTOMER_D network 192.168.2.0 0.0.0.255 area 0 ``` What will happen when this configuration is applied?

A.OSPF will run on GigabitEthernet0/0 and form adjacencies within VRF CUSTOMER_D.
B.OSPF will fail because the OSPF process must be configured globally, not under the VRF.
C.OSPF will run on all interfaces, including those not in VRF CUSTOMER_D.
D.The network command is invalid because it uses a wildcard mask instead of a subnet mask.
AnswerA

This is correct. The OSPF process is VRF-aware and will operate only on interfaces in that VRF.

Why this answer

The OSPF process is tied to VRF CUSTOMER_D, so it only runs on interfaces that belong to that VRF. The network command matches the interface, so OSPF will form adjacencies on that interface within the VRF.

67
MCQmedium

A network engineer runs the following command to troubleshoot a VRF-Lite IPsec issue: R1# show crypto ipsec transform-set vrf CUSTOMER_H Output: Transform set combined: { esp-aes 256 esp-sha-hmac } will negotiate = { Tunnel, } What does this output indicate?

A.The transform set uses ESP with AES 256 and SHA-HMAC in transport mode.
B.The transform set uses ESP with AES 256 and SHA-HMAC in tunnel mode.
C.The transform set uses AH with AES 256 and MD5.
D.The transform set does not specify any encryption or authentication.
AnswerB

Correct. The transform set includes esp-aes 256 and esp-sha-hmac, and will negotiate tunnel mode.

Why this answer

The 'show crypto ipsec transform-set vrf' command displays the IPsec transform set for a specific VRF. The output shows a transform set named 'combined' that uses ESP with AES 256-bit encryption and SHA-HMAC authentication. It will negotiate a tunnel mode (as opposed to transport mode).

68
MCQhard

Router R1 is running EIGRP in VRF-A with two neighbors: R2 and R3. R2 is a directly connected router, R3 is reachable via R2. The network is experiencing EIGRP stuck-in-active (SIA) routes for prefixes learned from R3. R1 configuration: router eigrp 100, address-family ipv4 vrf VRF-A, network 10.0.0.0. R2 is configured similarly. The link between R1 and R2 is a serial link with low bandwidth. What is the root cause?

A.The low-bandwidth serial link between R1 and R2 causes EIGRP query packets to be delayed, exceeding the active timer and resulting in SIA.
B.The VRF configuration on R2 is missing the network statement for the link to R3.
C.EIGRP is not supported in VRF-Lite.
D.The active timer should be increased to prevent SIA.
AnswerA

Correct: Slow link can delay query/reply packets, leading to SIA.

Why this answer

EIGRP SIA occurs when a query is sent to a neighbor and the reply is not received within the active timer (default 3 minutes). In a VRF-Lite scenario, if the query scope is not limited, the query may propagate to R3 via R2, but if the serial link has low bandwidth or high delay, the query may time out. However, the most common cause in VRF-Lite is that the query is sent to all neighbors, and if one neighbor (R2) does not reply due to a slow link, SIA occurs.

The issue is that the query scope includes R2, but the link is slow, causing the active timer to expire.

69
MCQmedium

Given the following partial configuration on router R1: ``` interface GigabitEthernet0/0 ip vrf forwarding CUSTOMER_A ip address 192.168.1.1 255.255.255.0 ``` What is the effect of this configuration?

A.The interface is placed into VRF CUSTOMER_A, and the IP address is assigned correctly.
B.The interface is placed into VRF CUSTOMER_A, but the IP address is ignored because it must be configured before the VRF command.
C.The VRF name is misspelled; it should be 'vrf forwarding CUSTOMER_A' under the interface.
D.The configuration will fail because VRF CUSTOMER_A must be created globally first.
AnswerA

This is correct. The VRF association is applied before the IP address, so the IP address is associated with the VRF.

Why this answer

The 'ip vrf forwarding' command associates the interface with a VRF. It removes the IP address if one was previously configured, requiring it to be re-applied. This ensures traffic on this interface is forwarded using the VRF's routing table.

70
MCQhard

In a VRF-Lite environment, EIGRP is configured between two routers. The engineer notices that the EIGRP neighbor relationship is flapping intermittently. Debug output shows 'dually' messages and the route is occasionally marked as 'stuck-in-active' (SIA). The link is Ethernet with no errors. Which is the most likely explanation?

A.The EIGRP K-values are mismatched between the two routers, causing the neighbor to reset.
B.A unidirectional link issue is present, where EIGRP packets are successfully sent but not received, causing the query process to time out.
C.The EIGRP stub routing feature is enabled on one router, preventing query propagation and causing the active process to hang.
D.The 'eigrp log-neighbor-changes' command is causing excessive logging, which delays EIGRP processing.
AnswerB

Unidirectional link causes queries to be sent but replies not received, leading to SIA and neighbor flapping.

Why this answer

EIGRP uses the Reliable Transport Protocol (RTP) for updates, queries, and replies. If there is a unidirectional link issue (e.g., one direction has high latency or packet loss), the query process may not receive replies in time, causing the route to become SIA. This is a classic edge case where the link appears operational but is unidirectional for EIGRP packets.

71
Multi-Selecthard

Which TWO statements correctly describe the behavior of VRF-Lite when using OSPF as the IGP? (Choose TWO.)

Select 2 answers
A.The OSPF process must be configured with the 'vrf <name>' keyword to associate it with a specific VRF.
B.OSPF in VRF-Lite requires an MP-BGP session to exchange routes between VRFs.
C.By default, OSPF automatically redistributes all connected routes in the VRF into OSPF.
D.The 'network' command under the OSPF process can be used to enable OSPF on interfaces belonging to the VRF.
E.OSPF in VRF-Lite uses different LSA types compared to global OSPF.
AnswersA, D

Correct. The command 'router ospf <pid> vrf <name>' creates a VRF-aware OSPF instance.

Why this answer

In VRF-Lite, OSPF can be configured per VRF, and the OSPF process uses the VRF's routing table. The 'router ospf <process-id> vrf <name>' command creates a VRF-aware OSPF process. By default, OSPF uses the VRF's route table, not the global table.

The 'network' statement under the OSPF process is still used to enable OSPF on interfaces, but the interface must be in the same VRF. Option A is correct because the OSPF process is VRF-specific. Option D is correct because the 'network' command is still valid.

Option B is incorrect because OSPF does not require BGP; it can run directly. Option C is incorrect because OSPF does not automatically redistribute connected routes; a redistribution command is needed. Option E is incorrect because OSPF LSA types are the same in VRF-Lite.

72
MCQeasy

What is the maximum number of VRFs that can be configured on a Cisco IOS router?

A.256
B.1024
C.Platform-dependent, typically limited by available memory.
D.Unlimited
AnswerC

This is correct. The number of VRFs is constrained by hardware resources.

Why this answer

The maximum number of VRFs is platform-dependent. There is no fixed IOS-wide limit; it varies based on hardware and software resources.

73
MCQhard

A network engineer runs the following command on Router R1: R1# show ip eigrp vrf RED neighbors EIGRP-IPv4 Neighbors for AS(100) VRF RED H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 0 192.168.1.2 Gi0/2 13 00:15:30 12 200 0 45 1 192.168.2.2 Gi0/3 12 00:14:20 15 200 0 32 Based on this output, what is the problem?

A.The EIGRP neighbors are not exchanging routes because the Seq numbers are low.
B.Both neighbors are in the Init state.
C.The EIGRP adjacency is functioning correctly.
D.The hold time of 13 seconds indicates a problem.
AnswerC

The neighbors are up with low SRTT and no Q count, indicating stable adjacencies.

Why this answer

The output shows two EIGRP neighbors for VRF RED. Both are in normal state with low SRTT and no Q count. There is no obvious problem.

However, the hold times are 13 and 12 seconds, which are typical. The uptimes are similar. The output is healthy.

But if the question implies a problem, it might be that the neighbors are not exchanging routes? But the Seq numbers are incrementing, indicating activity. Actually, no problem is evident. The correct answer should be that the EIGRP adjacency is functioning correctly.

74
MCQeasy

What is the default route distinguisher (RD) format when using the 'ip vrf' command without specifying an RD?

A.The RD defaults to 0:0.
B.The RD is automatically derived from the router ID.
C.The VRF will not be created until an RD is configured.
D.The RD defaults to the ASN:1 format.
AnswerC

This is correct. The RD is required to create a VRF.

Why this answer

The RD is mandatory when creating a VRF. If not specified, the VRF will not be created. There is no default RD.

75
MCQhard

In a VRF-Lite setup, Router R1 and R2 are running OSPF in VRF-A. R1 has interface Gig0/0 in VRF-A with ip ospf network point-to-point. R2 has interface Gig0/1 in VRF-A with default network type (broadcast). The link between them is a direct Ethernet connection. OSPF neighbors are not forming. What is the root cause?

A.The OSPF network types are mismatched: one side is point-to-point, the other is broadcast, causing neighbor adjacency failure.
B.The VRF names must match for OSPF to form neighbors.
C.The OSPF process ID must be the same on both routers.
D.The interface must be configured with the same IP subnet mask.
AnswerA

Correct: OSPF requires matching network types on the same link; mismatch leads to no neighbor formation.

Why this answer

OSPF network type mismatch prevents neighbor formation. On a broadcast network, OSPF expects DR/BDR elections, while point-to-point expects no election. The mismatch causes hello packets to be ignored because the OSPF interface parameters (like hello interval, dead interval, and network type) differ.

Specifically, on a point-to-point link, the neighbor state machine expects a different packet format and does not process broadcast hellos.

Page 1 of 2 · 76 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Vrf Lite questions.