Sample questions
ENCOR 350-401 practice questions
Drag and drop the steps to configure an extended access control list (ACL) on a Cisco router in the correct order.
Drag and drop the steps to configure a site-to-site IPsec VPN on a Cisco router in the correct order.
Drag and drop the steps to configure VLAN Trunking Protocol (VTP) on a Cisco switch in the correct order.
Drag and drop the steps to configure a static route on a Cisco IOS router into the correct order.
Drag and drop the steps to configure port security on a Cisco switch in the correct order.
Drag and drop the steps for the Spanning Tree Protocol (STP) convergence process in the correct order.
A network engineer is automating configuration backups using Ansible. The playbook uses the ios_config module to retrieve running configurations from Cisco IOS XE devices. However, the playbook fails with a timeout error on a specific device. Other devices respond correctly. What is the most likely cause of the failure?
Trap 1: The device is configured for HTTP/HTTPS access only.
Ansible ios_config uses SSH, not HTTP/HTTPS.
Trap 2: The device has NetFlow enabled, consuming CPU cycles.
NetFlow does not cause SSH timeouts.
Trap 3: The device has SNMPv3 enabled with authentication traps.
SNMP is not used by the ios_config module; it uses SSH.
- A
The device is configured for HTTP/HTTPS access only.
Why wrong: Ansible ios_config uses SSH, not HTTP/HTTPS.
- B
The device has incorrect SSH credentials configured in the Ansible vault.
Incorrect SSH credentials cause authentication failure and timeout.
- C
The device has NetFlow enabled, consuming CPU cycles.
Why wrong: NetFlow does not cause SSH timeouts.
- D
The device has SNMPv3 enabled with authentication traps.
Why wrong: SNMP is not used by the ios_config module; it uses SSH.
Refer to the exhibit. A network engineer is troubleshooting a routing issue. The route for 10.0.0.0/8 is learned via EIGRP with metric 2560512. Which change would most likely cause the metric to increase?
Exhibit
Refer to the exhibit.
```
router# show ip route 10.0.0.0
Routing entry for 10.0.0.0/8
Known via "eigrp 100", distance 170, metric 2560512, type internal
Redistributing via eigrp 100
Last update from 192.168.1.1 on GigabitEthernet0/0, 00:00:05 ago
Routing Descriptor Blocks:
* 192.168.1.1, from 192.168.1.1, 00:00:05 ago, via GigabitEthernet0/0
Route metric is 2560512, traffic share count is 1
Total delay is 2000 microseconds, minimum bandwidth is 10000 Kbit
Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 3
```
Trap 1: Increase the bandwidth on GigabitEthernet0/0.
Incorrect; increasing bandwidth decreases metric.
Trap 2: Add a redistribute static command under EIGRP.
Incorrect; redistributing static does not affect this route's metric.
Trap 3: Change the administrative distance to 90.
Incorrect; AD does not affect metric.
- A
Increase the bandwidth on GigabitEthernet0/0.
Why wrong: Incorrect; increasing bandwidth decreases metric.
- B
Add a redistribute static command under EIGRP.
Why wrong: Incorrect; redistributing static does not affect this route's metric.
- C
Change the administrative distance to 90.
Why wrong: Incorrect; AD does not affect metric.
- D
Increase the delay on GigabitEthernet0/0.
Correct.
Which TWO statements about virtual switching in a hypervisor environment are correct?
Trap 1: A virtual switch does not support VLAN tagging.
Incorrect. Virtual switches support 802.1Q VLAN tagging for traffic segmentation.
Trap 2: A virtual switch performs routing between different subnets.
Incorrect. Virtual switches operate at Layer 2 only; routing requires a router or Layer 3 switch.
Trap 3: A virtual switch is a physical device installed in the hypervisor…
Incorrect. A virtual switch is a software-based switch running within the hypervisor.
- A
A virtual switch can be connected to a physical network through uplink ports.
Correct. Uplink ports map to physical NICs to provide connectivity to the physical network.
- B
A virtual switch does not support VLAN tagging.
Why wrong: Incorrect. Virtual switches support 802.1Q VLAN tagging for traffic segmentation.
- C
A virtual switch performs routing between different subnets.
Why wrong: Incorrect. Virtual switches operate at Layer 2 only; routing requires a router or Layer 3 switch.
- D
A virtual switch forwards frames between virtual machines based on MAC addresses.
Correct. Virtual switches use MAC address tables to forward frames.
- E
A virtual switch is a physical device installed in the hypervisor host.
Why wrong: Incorrect. A virtual switch is a software-based switch running within the hypervisor.
Which TWO features are part of Cisco TrustSec for providing role-based access control?
Trap 1: Change of Authorization (CoA)
CoA is used for mid-session policy changes, not a core TrustSec feature.
Trap 2: 802.1X authentication
802.1X is an authentication protocol, not a TrustSec feature.
Trap 3: MACsec encryption
MACsec provides encryption, not access control.
- A
Security Group Access Control Lists (SGACLs)
SGACLs enforce policies based on SGTs.
- B
Change of Authorization (CoA)
Why wrong: CoA is used for mid-session policy changes, not a core TrustSec feature.
- C
802.1X authentication
Why wrong: 802.1X is an authentication protocol, not a TrustSec feature.
- D
Security Group Tags (SGTs)
SGTs are used to classify traffic based on user/device identity.
- E
MACsec encryption
Why wrong: MACsec provides encryption, not access control.
Which TWO characteristics are true about the operation of Rapid PVST+? (Choose two.)
Trap 1: It runs a single spanning-tree instance for all VLANs.
Incorrect: That's MST; Rapid PVST+ runs per VLAN.
Trap 2: It eliminates the need for BPDUs.
Incorrect: BPDUs are still used for topology discovery.
Trap 3: It uses a separate root bridge per VLAN.
Incorrect: That's PVST+; Rapid PVST+ uses a single root per VLAN but not separate.
- A
It runs a single spanning-tree instance for all VLANs.
Why wrong: Incorrect: That's MST; Rapid PVST+ runs per VLAN.
- B
It eliminates the need for BPDUs.
Why wrong: Incorrect: BPDUs are still used for topology discovery.
- C
It supports PortFast to enable immediate transition to forwarding.
Correct: PortFast allows edge ports to skip listening/learning.
- D
It uses a separate root bridge per VLAN.
Why wrong: Incorrect: That's PVST+; Rapid PVST+ uses a single root per VLAN but not separate.
- E
It provides faster convergence than PVST+.
Correct: Rapid PVST+ reduces convergence time via RSTP enhancements.
Which TWO statements about Cisco DNA Center's Assurance capabilities are correct?
Trap 1: It supports only wired networks and not wireless.
Incorrect; it supports both.
Trap 2: It is a fully cloud-based solution with no on-premises components.
Incorrect; it has on-premises components.
Trap 3: It only displays network device health scores and does not provide…
Incorrect; it does provide path tracing.
- A
It uses streaming telemetry to collect data for real-time analytics.
Correct.
- B
It supports only wired networks and not wireless.
Why wrong: Incorrect; it supports both.
- C
It is a fully cloud-based solution with no on-premises components.
Why wrong: Incorrect; it has on-premises components.
- D
It only displays network device health scores and does not provide path tracing.
Why wrong: Incorrect; it does provide path tracing.
- E
It can proactively detect potential issues based on historical trends.
Correct.
Refer to the exhibit. A network engineer has configured VRFs on a router. A packet arrives on Gi0/1/0 with destination IP 10.1.1.2. Which VRF is used for routing this packet?
Exhibit
Refer to the exhibit.
```
! Output from 'show vrf' on a router
VRF-Name      Interfaces
Mgmt-intf     Gi0/0/0
CUSTOMER-A    Gi0/1/0, Gi0/1/1.10
CUSTOMER-B    Gi0/2/0, Gi0/2/1.20
! Output from 'show ip interface brief' for Gi0/1/0
Interface     IP-Address   OK?  Method  Status  Protocol
Gi0/1/0       10.1.1.1     YES  manual  up      up
! Output from 'show ip interface brief' for Gi0/1/1.10
Interface     IP-Address   OK?  Method  Status  Protocol
Gi0/1/1.10    10.1.1.2     YES  manual  up      up
```
Trap 1: Global routing table
Incorrect. The interface Gi0/1/0 is in VRF CUSTOMER-A, so the global routing table is not used.
Trap 2: Mgmt-intf
Incorrect. Mgmt-intf VRF is only for interface Gi0/0/0.
Trap 3: CUSTOMER-B
Incorrect. CUSTOMER-B VRF includes different interfaces.
- A
Global routing table
Why wrong: Incorrect. The interface Gi0/1/0 is in VRF CUSTOMER-A, so the global routing table is not used.
- B
Mgmt-intf
Why wrong: Incorrect. Mgmt-intf VRF is only for interface Gi0/0/0.
- C
CUSTOMER-B
Why wrong: Incorrect. CUSTOMER-B VRF includes different interfaces.
- D
CUSTOMER-A
Correct. The packet arrives on Gi0/1/0 which belongs to VRF CUSTOMER-A, so routing occurs within that VRF.
Refer to the exhibit. R1 has two equal-cost OSPF E2 routes to 10.1.1.0/24 via two different next hops. However, when tracing to 10.1.1.1, all traffic uses the path through 10.0.1.2. What is the most likely reason?
Exhibit
Refer to the exhibit.
```
R1# show ip route | include 10.1.1.0
O E2 10.1.1.0/24 [110/20] via 10.0.1.2, 00:00:34, GigabitEthernet0/0
O E2 10.1.1.0/24 [110/20] via 10.0.2.2, 00:00:34, GigabitEthernet0/1
R1# show ip ospf interface GigabitEthernet0/0 | include Cost
Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 10
R1# show ip ospf interface GigabitEthernet0/1 | include Cost
Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 100
R1# traceroute 10.1.1.1 source Loopback0
Type escape sequence to abort.
Tracing the route to 10.1.1.1
1 10.0.1.2 4 msec 4 msec 4 msec
2 10.0.3.2 8 msec 8 msec 8 msec
```
Trap 1: One route has a higher administrative distance.
Incorrect: Both routes have AD 110.
Trap 2: A default route is overriding the specific route.
Incorrect: No default route is shown.
Trap 3: The route via 10.0.2.2 is an E1 route.
Incorrect: Both are E2 as shown.
- A
One route has a higher administrative distance.
Why wrong: Incorrect: Both routes have AD 110.
- B
A default route is overriding the specific route.
Why wrong: Incorrect: No default route is shown.
- C
The route via 10.0.2.2 is an E1 route.
Why wrong: Incorrect: Both are E2 as shown.
- D
OSPF E2 routes do not factor in interface cost, but the router uses the interface cost as a tie-breaker for equal-cost routes.
Correct: When E2 metrics are equal, some implementations prefer the path with lower interface cost.
A network administrator is troubleshooting a performance issue in a large enterprise campus network. The network consists of Cisco Catalyst 9300 switches acting as access switches and Cisco Catalyst 9500 switches as distribution. Users on VLAN 10 report intermittent slow file transfers to a server on VLAN 20. The administrator has verified that there are no errors on the links, CPU utilization is normal, and STP topology is stable. The administrator suspects a possible QoS issue. Upon checking the QoS configuration on the access switch, the administrator finds that the default QoS configuration is in place, which trusts the CoS value at the port level. The connected devices are IP phones and PCs; the IP phones mark voice traffic with CoS 5. The server on VLAN 20 is connected to a distribution switch. Which action should the administrator take to most likely resolve the issue?
Trap 1: Apply a policy map that polices voice traffic to 128 kbps to free…
Incorrect; policing voice may cause call quality degradation.
Trap 2: Disable QoS entirely on all switches to eliminate any potential…
Incorrect; disabling QoS may cause voice quality issues.
Trap 3: Configure trust DSCP on the access ports to prioritize all traffic…
Incorrect; endpoints may not set DSCP appropriately.
- A
Apply a policy map that polices voice traffic to 128 kbps to free bandwidth for data.
Why wrong: Incorrect; policing voice may cause call quality degradation.
- B
Disable QoS entirely on all switches to eliminate any potential QoS-related drops.
Why wrong: Incorrect; disabling QoS may cause voice quality issues.
- C
Configure auto QoS for VoIP on the access ports to ensure proper classification and queuing.
Correct.
- D
Configure trust DSCP on the access ports to prioritize all traffic based on DSCP values.
Why wrong: Incorrect; endpoints may not set DSCP appropriately.
A network engineer applies the above CoPP policy on a router. The router has BGP peers, SSH management, and SNMP monitoring. After applying this policy, which traffic will be affected?
Trap 1: Data plane traffic will be dropped.
CoPP only applies to control-plane.
Trap 2: Only SSH sessions will be rate-limited.
SSH is matched but so are others.
Trap 3: SNMP and SSH will be unaffected because they are explicitly…
Permitted traffic is still rate-limited.
- A
BGP sessions may flap due to dropped keepalives.
BGP keepalives are matched and subject to the policer.
- B
Data plane traffic will be dropped.
Why wrong: CoPP only applies to control-plane.
- C
Only SSH sessions will be rate-limited.
Why wrong: SSH is matched but so are others.
- D
SNMP and SSH will be unaffected because they are explicitly permitted.
Why wrong: Permitted traffic is still rate-limited.
Your company has deployed a Cisco Catalyst 9300 switch stack as the distribution layer for a campus network. The network uses VLANs 10 (data), 20 (voice), and 30 (management). The switch stack is configured with DHCP snooping, Dynamic ARP Inspection (DAI), and IP Source Guard (IPSG) on access ports. Recently, users in VLAN 10 report intermittent connectivity issues. You notice that some users receive duplicate IP addresses from the DHCP server. The DHCP server is connected to a trunk port on the switch stack. After reviewing logs, you see that DHCPACK messages are being dropped on the trunk port. The DHCP snooping binding table shows entries for legitimate clients, but also some entries with MAC addresses from a different vendor. Which action should you take to resolve the issue?
Trap 1: Manually shut down the access ports that have unknown MAC addresses…
This does not address the DHCP server response being dropped.
Trap 2: Disable Dynamic ARP Inspection on VLAN 10.
DAI validates ARP packets, not DHCP messages.
Trap 3: Disable IP Source Guard on all access ports in VLAN 10.
IPSG filters IP traffic based on binding table, not DHCP messages.
- A
Manually shut down the access ports that have unknown MAC addresses in the binding table.
Why wrong: This does not address the DHCP server response being dropped.
- B
Disable Dynamic ARP Inspection on VLAN 10.
Why wrong: DAI validates ARP packets, not DHCP messages.
- C
Configure the trunk port connecting to the DHCP server as a trusted port for DHCP snooping.
DHCP snooping drops DHCP server responses on untrusted ports.
- D
Disable IP Source Guard on all access ports in VLAN 10.
Why wrong: IPSG filters IP traffic based on binding table, not DHCP messages.
Which TWO statements are true about RESTCONF and NETCONF in a Cisco IOS XE environment? (Choose two.)
Trap 1: RESTCONF supports the candidate datastore for editing…
RESTCONF works only on the running datastore; candidate is supported by NETCONF.
Trap 2: NETCONF uses HTTP as its transport protocol.
NETCONF uses SSH as its transport, not HTTP.
Trap 3: RESTCONF and NETCONF both support JSON and XML encoding.
NETCONF uses XML only; RESTCONF supports both.
- A
RESTCONF uses HTTP methods (GET, POST, PUT, DELETE) and supports JSON and XML encoding.
RESTCONF indeed uses HTTP methods and supports JSON and XML.
- B
RESTCONF supports the candidate datastore for editing configurations.
Why wrong: RESTCONF works only on the running datastore; candidate is supported by NETCONF.
- C
NETCONF uses HTTP as its transport protocol.
Why wrong: NETCONF uses SSH as its transport, not HTTP.
- D
RESTCONF and NETCONF both support JSON and XML encoding.
Why wrong: NETCONF uses XML only; RESTCONF supports both.
- E
NETCONF uses XML-encoded RPCs over a secure SSH session.
NETCONF uses XML over SSH.
Refer to the exhibit. A network engineer sends a RESTCONF PATCH request with the above JSON payload to the URL https://192.168.1.100/restconf/data/ietf-interfaces:interface=GigabitEthernet0/0/0. What is the expected outcome?
Exhibit
Refer to the exhibit.
```
{
  "ietf-interfaces:interface": {
    "name": "GigabitEthernet0/0/0",
    "description": "Link to Core",
    "enabled": true,
    "ietf-ip:ipv4": {
      "address": [
        {
          "ip": "192.168.1.1",
          "netmask": "255.255.255.0"
        }
      ]
    }
  }
}
```
Trap 1: A new interface GigabitEthernet0/0/0 is created with the specified…
PATCH modifies an existing resource; it does not create one.
Trap 2: The request fails because a GET request must be sent first to…
No prior GET is required for PATCH.
Trap 3: The entire interface configuration is replaced with only the fields…
PATCH merges; PUT replaces the entire resource.
- A
A new interface GigabitEthernet0/0/0 is created with the specified IP address.
Why wrong: PATCH modifies an existing resource; it does not create one.
- B
The description and IP address of the existing interface are updated, and the interface remains enabled.
PATCH merges the provided fields with the existing configuration.
- C
The request fails because a GET request must be sent first to retrieve the current configuration.
Why wrong: No prior GET is required for PATCH.
- D
The entire interface configuration is replaced with only the fields in the payload.
Why wrong: PATCH merges; PUT replaces the entire resource.
A network engineer is designing a campus network and needs to ensure high availability for the core layer. Which design best practice should be implemented?
Trap 1: Use a single distribution switch to simplify management.
A single distribution switch is a single point of failure and not recommended for high availability.
Trap 2: Configure the core layer for Layer 2 switching only.
Layer 2 only in the core limits scalability and does not inherently provide high availability.
Trap 3: Use spanning-tree PortFast on all core switch ports.
Spanning-tree PortFast speeds up host connectivity but does not provide redundancy.
- A
Use a single distribution switch to simplify management.
Why wrong: A single distribution switch is a single point of failure and not recommended for high availability.
- B
Deploy two core switches configured with VSS or StackWise.
Dual core switches with VSS or StackWise provide redundancy and sub-second failover.
- C
Configure the core layer for Layer 2 switching only.
Why wrong: Layer 2 only in the core limits scalability and does not inherently provide high availability.
- D
Use spanning-tree PortFast on all core switch ports.
Why wrong: Spanning-tree PortFast speeds up host connectivity but does not provide redundancy.
Which THREE of the following are valid considerations when planning a wireless network for high-density environments?
Trap 1: Increase AP transmit power to maximize coverage.
Higher power increases cell overlap and co-channel interference.
Trap 2: Enable 2.4 GHz band only to maximize range.
2.4 GHz has limited channels and is more prone to interference.
- A
Use a channel reuse plan that minimizes co-channel interference.
Proper channel planning is essential in high-density environments.
- B
Prefer the 5 GHz band over 2.4 GHz for client connectivity.
5 GHz offers more non-overlapping channels and less interference.
- C
Lower AP transmit power to reduce cell size and increase capacity.
Lower power creates smaller cells, allowing more APs and higher capacity.
- D
Increase AP transmit power to maximize coverage.
Why wrong: Higher power increases cell overlap and co-channel interference.
- E
Enable 2.4 GHz band only to maximize range.
Why wrong: 2.4 GHz has limited channels and is more prone to interference.
An organization is migrating from a traditional three-tier architecture to a leaf-spine fabric using VXLAN EVPN. The design requires that virtual machines can move between racks without IP address changes. Which technology must be enabled at the leaf switches to support this mobility?
Trap 1: Overlay Transport Virtualization (OTV).
OTV is for data center interconnect, not internal fabric mobility.
Trap 2: VRF-Lite with route redistribution.
VRF-Lite does not extend Layer 2 across IP networks.
Trap 3: MPLS L3VPN with BGP.
MPLS L3VPN is a Layer 3 VPN and does not support Layer 2 mobility.
- A
Overlay Transport Virtualization (OTV).
Why wrong: OTV is for data center interconnect, not internal fabric mobility.
- B
VXLAN with EVPN control plane.
Provides Layer 2 overlay over Layer 3 underlay, enabling VM mobility.
- C
VRF-Lite with route redistribution.
Why wrong: VRF-Lite does not extend Layer 2 across IP networks.
- D
MPLS L3VPN with BGP.
Why wrong: MPLS L3VPN is a Layer 3 VPN and does not support Layer 2 mobility.
An engineer is troubleshooting intermittent connectivity issues between two data center switches. The link is a 10GE LACP port-channel. Which misconfiguration could cause packet loss?
Trap 1: MTU size is set to 1500 on one switch and 9000 on the other.
MTU mismatch can cause fragmentation but not intermittent loss on a port-channel.
Trap 2: Auto-negotiation is disabled on both ends.
10GE fiber links typically do not use auto-negotiation; this is normal.
Trap 3: Spanning-tree BPDU guard is enabled on the port-channel.
BPDU guard would shut down the port if BPDUs are received, not cause intermittent loss.
- A
MTU size is set to 1500 on one switch and 9000 on the other.
Why wrong: MTU mismatch can cause fragmentation but not intermittent loss on a port-channel.
- B
Auto-negotiation is disabled on both ends.
Why wrong: 10GE fiber links typically do not use auto-negotiation; this is normal.
- C
Spanning-tree BPDU guard is enabled on the port-channel.
Why wrong: BPDU guard would shut down the port if BPDUs are received, not cause intermittent loss.
- D
One switch is configured with active LACP and the other with passive LACP.
Active-passive LACP is a valid combination, but if one is passive and the other is also passive (or off), the channel fails. This question assumes the misconfiguration is passive-passive, leading to no LACP negotiation.
A global enterprise is transitioning from a traditional three-tier campus architecture to a software-defined access (SD-Access) fabric. Which architectural consideration is most critical for the underlay network?
Trap 1: Implement PIM-SM for multicast routing in the underlay.
Multicast is not required for the underlay; the overlay handles group communication.
Trap 2: Preserve existing VLANs across the fabric to minimize changes.
The underlay should be IP routed; VLANs are not used in the underlay.
Trap 3: Deploy VRF-lite on all edge nodes to isolate tenants.
VRF-lite is not a requirement; the overlay provides segmentation.
- A
Configure a routed access layer with a link-state routing protocol (IS-IS or OSPF).
A routed underlay with IS-IS or OSPF is a key design requirement for SD-Access.
- B
Implement PIM-SM for multicast routing in the underlay.
Why wrong: Multicast is not required for the underlay; the overlay handles group communication.
- C
Preserve existing VLANs across the fabric to minimize changes.
Why wrong: The underlay should be IP routed; VLANs are not used in the underlay.
- D
Deploy VRF-lite on all edge nodes to isolate tenants.
Why wrong: VRF-lite is not a requirement; the overlay provides segmentation.