ENCOR 350-401 (350-401) — Questions 175

2015 questions total · 27 pages · All types, answers revealed

Page 1 of 27

1
Matching · medium

Drag and drop each NFV management layer on the left to its matching function on the right.

Lifecycle management of VNF instances (instantiate, scale, terminate)

Orchestration of network services across multiple VNFs and NFVI

Management of compute, storage, and network resources in NFVI

Service assurance, billing, and customer management layers interfacing with NFV

FCAPS management for individual VNFs

Why these pairings

VNFM manages individual VNFs; NFVO orchestrates network services; VIM controls NFVI resources.

2
MCQ · medium

Review this IP SLA configuration on Router R1:

    ip sla 6
     icmp-echo 10.6.6.6
     frequency 10
    ip sla schedule 6 life forever start-time now
    ip sla reaction-configuration 6 react timeout threshold-type immediate action-type triggerOnly

Which statement is true about the 'threshold-type immediate' parameter?

A. It triggers an event immediately when a timeout occurs.
B. It triggers an event after a delay of 10 seconds.
C. It triggers an event only if the timeout persists for 5 consecutive probes.
D. It triggers an event only if the timeout occurs within the first 10 seconds.
Answer: A

'immediate' triggers on the first occurrence of the condition.

Why this answer

'threshold-type immediate' means the trigger fires as soon as the condition (timeout) occurs, without waiting for multiple occurrences.

3
Multi-Select · hard

Which three statements about Cisco DNA Center integration with external systems are true? (Choose three.)

Select 3 answers
A. Cisco DNA Center provides a RESTful API that allows external applications to retrieve network inventory and topology data.
B. Cisco DNA Center can forward syslog messages to external SIEM systems for centralized logging and analysis.
C. Cisco DNA Center can synchronize IP address pools with external IPAM solutions such as Infoblox or SolarWinds.
D. Cisco DNA Center establishes BGP peering sessions with external routers to exchange routing information.
E. Cisco DNA Center only supports SNMP traps as the northbound interface for event notifications.
Answers: A, B, C

Correct because the DNA Center REST API is a primary northbound interface for integration with third-party tools and custom scripts.

Why this answer

DNA Center integrates with various systems for extended functionality. The correct answers cover REST API integration, syslog forwarding, and IPAM synchronization. The wrong answers incorrectly claim direct BGP peering for routing and that SNMP traps are the only northbound interface.

4
MCQ · easy

A network team is designing the underlay for an SD-Access fabric. The design must use a routing protocol that supports fast convergence and is commonly recommended for the fabric underlay. Which routing protocol should be used?

A. IS-IS
B. RIP
C. EIGRP
D. BGP
Answer: A

IS-IS is the preferred underlay routing protocol for SD-Access fabric.

Why this answer

IS-IS is the correct choice because it is a link-state routing protocol that provides fast convergence, is highly scalable, and is the most commonly recommended routing protocol for the underlay of an SD-Access fabric. Cisco SD-Access designs frequently use IS-IS to support the fabric's control plane and data plane requirements, leveraging its ability to handle large, flat network topologies with minimal overhead.

Exam trap

Cisco often tests the misconception that EIGRP is the best choice for fast convergence in Cisco-centric designs, but for SD-Access underlay, the recommended protocol is IS-IS due to its open standard nature and alignment with Cisco's validated fabric architecture.

How to eliminate wrong answers

Option B (RIP) is wrong because RIP is a distance-vector protocol with slow convergence, a maximum hop count of 15, and is not suitable for modern, scalable SD-Access underlays. Option C (EIGRP) is wrong because while EIGRP offers fast convergence, it is a Cisco proprietary protocol that is not recommended for SD-Access underlays; Cisco's validated designs for SD-Access specify IS-IS or OSPF for multi-vendor interoperability and fabric consistency. Option D (BGP) is wrong because BGP is a path-vector protocol designed for inter-domain routing and policy control, not for fast convergence in a single-domain underlay; it is used in SD-Access for the overlay (e.g., LISP/VXLAN) but not as the underlay routing protocol.

5
MCQ · medium

An engineer is configuring a new access switch for a branch office. The switch must support multiple VLANs for different departments: VLAN 10 (Engineering), VLAN 20 (Sales), and VLAN 30 (Management). The uplink to the distribution switch is a trunk. The engineer wants to ensure that only the required VLANs are allowed on the trunk and that the native VLAN is changed from the default to VLAN 99 for security reasons. Which configuration commands should the engineer apply on the access switch's uplink interface?

A. switchport mode trunk; switchport trunk native vlan 99; switchport trunk allowed vlan 10,20,30
B. switchport mode trunk; switchport trunk native vlan 99; switchport trunk allowed vlan except 10,20,30
C. switchport mode dynamic desirable; switchport trunk native vlan 99; switchport trunk allowed vlan 10,20,30
D. switchport trunk encapsulation dot1q; switchport mode trunk; switchport trunk native vlan 99
Answer: A

Correct because it sets the trunk, changes the native VLAN, and restricts allowed VLANs.

Why this answer

Option A is correct because it explicitly sets the interface to trunk mode, changes the native VLAN from the default VLAN 1 to VLAN 99 for security, and uses the 'allowed vlan' command to permit only VLANs 10, 20, and 30 on the trunk. This ensures that only the required department VLANs are carried, reducing unnecessary broadcast traffic and preventing VLAN hopping attacks by changing the native VLAN.

Exam trap

Cisco often tests the distinction between 'allowed vlan' and 'allowed vlan except' — candidates may confuse the syntax and select the option that excludes the required VLANs instead of permitting them.

How to eliminate wrong answers

Option B is wrong because 'switchport trunk allowed vlan except 10,20,30' permits all VLANs except 10, 20, and 30, which is the opposite of the requirement. Option C is wrong because 'switchport mode dynamic desirable' uses DTP to negotiate trunking, which is less secure and not a deterministic trunk configuration; the requirement is for a static trunk. Option D is wrong because it omits the 'switchport trunk allowed vlan' command, so all VLANs would be permitted by default, failing to restrict the trunk to only the required VLANs.

6
Multi-Select · hard

Which three statements about telemetry data collection intervals and on-change notifications are true? (Choose three.)

Select 3 answers
A. Periodic telemetry sends data at a configured interval regardless of whether the value has changed.
B. On-change telemetry sends data only when the monitored value changes, reducing network overhead.
C. A single telemetry subscription can include both periodic and on-change sensors.
D. On-change telemetry guarantees that every change, no matter how brief, will be reported.
E. Periodic telemetry is always preferred over on-change for all use cases.
Answers: A, B, C

Correct because periodic subscriptions push data on a timer, ensuring consistent updates.

Why this answer

Periodic telemetry sends data at fixed intervals, while on-change sends data only when a value changes. On-change reduces bandwidth but may miss transient events if suppression is used. Periodic ensures regular updates but increases load. Both can be combined in a single subscription. On-change is not always supported for all YANG paths.

7
Drag & Drop · medium

Drag and drop the steps of NAPALM get_facts() retrieval from IOS-XE device into the correct order, from first to last.

Why this order

The correct order starts with importing the NAPALM library, then establishing a connection to the device, calling get_facts() to retrieve device facts, processing the returned dictionary, and finally closing the connection to free resources.

8
MCQ · medium

    interface GigabitEthernet0/1
     ip address 10.1.1.1 255.255.255.0
     mpls ip
    !
    interface GigabitEthernet0/2
     ip address 10.2.2.1 255.255.255.0
     mpls ip
    !
    router ospf 1
     network 10.0.0.0 0.255.255.255 area 0
    !
    router ldp
     interface GigabitEthernet0/1
    !

What is the effect of this configuration?

A. LDP will only form an adjacency over GigabitEthernet0/1; no label exchange occurs on GigabitEthernet0/2.
B. LDP will automatically enable on GigabitEthernet0/2 because MPLS is enabled there.
C. The configuration will fail because LDP must be enabled on all MPLS interfaces.
D. OSPF will automatically enable LDP on all interfaces in area 0.
Answer: A

Correct. LDP adjacencies are only formed on interfaces where LDP is explicitly enabled.

Why this answer

LDP is only enabled on GigabitEthernet0/1, not on GigabitEthernet0/2. This means LDP will not form an adjacency over GigabitEthernet0/2, and MPLS forwarding may be incomplete.

9
MCQ · hard

An engineer is deploying a new SD-WAN solution using Cisco vManage. The WAN edge routers are connected to two different transport networks: MPLS and Internet. The engineer wants to ensure that voice traffic is always sent over the MPLS link when available, and only fails over to the Internet link if the MPLS link goes down. The engineer has configured a policy to set the preferred color for voice traffic to 'mpls'. However, during a test, voice traffic is still using the Internet link even though the MPLS link is up. What is the most likely cause?

A. The policy is not attached to the correct VPN or site list.
B. The voice traffic is using a different DSCP value than the one defined in the policy.
C. The MPLS link is not in the 'up' state in the vManage overlay.
D. The policy is configured as a local policy instead of a centralized policy.
Answer: A

Correct. In vManage, policies must be associated with specific VPNs or sites. If the policy is not attached to the VPN that carries voice traffic, it will not be applied.

Why this answer

In Cisco SD-WAN, policy is applied in a specific order: centralized data policy, centralized app-route policy, and then local policy. The preferred color is set in the centralized data policy, but if there is also a centralized app-route policy that does not consider the preferred color, or if the policy is not properly attached to the correct VPN or site, it may not take effect. Additionally, the policy must be applied to the correct direction (service-side vs. transport-side).

10
Drag & Drop · medium

Drag and drop the steps of SVI configuration for inter-VLAN routing into the correct order, from first to last.

Why this order

First create the SVI interface, assign an IP address, enable it, and then configure routing or ACLs as needed.

11
MCQ · medium

An enterprise is deploying a leaf-spine architecture in its data center to support high-bandwidth east-west traffic. The design must include QoS to prioritize storage replication traffic (iSCSI) over backup traffic, while ensuring low latency for real-time applications. Where should the architect apply QoS classification and queuing policies in this topology?

A. Apply classification and marking on the leaf switches at ingress, and queuing policies on egress interfaces of both leaf and spine switches.
B. Apply all QoS policies only on the spine switches, since they handle inter-leaf traffic.
C. Configure QoS only on the default gateway router, which is upstream of the leaf-spine fabric.
D. Use a single QoS policy on all interfaces with default settings, relying on hardware buffers.
Answer: A

Ingress classification at the leaf marks traffic; egress queuing on leaf and spine ensures consistent PHB across the fabric.

Why this answer

In a leaf-spine architecture, QoS classification and marking must occur at the ingress of leaf switches (where traffic enters the fabric) to identify iSCSI, backup, and real-time flows. Queuing policies must be applied on egress interfaces of both leaf and spine switches to manage congestion and prioritize latency-sensitive traffic across the entire path, ensuring end-to-end QoS for east-west traffic.

Exam trap

Cisco often tests the misconception that QoS policies should be applied only at the core or spine layer, but the correct approach requires classification at the edge (leaf ingress) and queuing on all egress interfaces to ensure end-to-end treatment across the fabric.

How to eliminate wrong answers

Option B is wrong because applying QoS only on spine switches ignores the need for classification at the network edge (leaf switches) and fails to manage congestion on leaf egress interfaces, where traffic first enters the fabric. Option C is wrong because the default gateway router is upstream of the leaf-spine fabric and does not handle inter-leaf east-west traffic; QoS must be applied within the fabric itself. Option D is wrong because relying on default settings and hardware buffers does not provide the granular classification, marking, and queuing required to differentiate iSCSI, backup, and real-time traffic, leading to potential packet loss and latency issues.

12
Drag & Drop · medium

Drag and drop the steps of hierarchical LAN design implementation phases into the correct order, from first to last.

Why this order

Hierarchical LAN design starts with the access layer for endpoint connectivity, then the distribution layer for policy and aggregation, followed by the core layer for high-speed transport. After physical design, VLANs and trunking are configured, and finally routing protocols are deployed for inter-VLAN communication.

13
Multi-Select · hard

Which TWO statements are correct about Cisco SD-Access architecture? (Choose two.)

Select 2 answers
A. VXLAN encapsulation is used for data plane traffic within the fabric.
B. Control plane nodes host the LISP mapping database.
C. Wireless access points must be directly connected to the fabric edge switches.
D. Fabric edge nodes are responsible for connecting the fabric to external networks.
E. The fabric uses VLANs to isolate tenant traffic.
Answers: A, B

VXLAN is the encapsulation used to carry Layer 2 frames over Layer 3 fabric.

Why this answer

Option A is correct because VXLAN is the encapsulation protocol used in the Cisco SD-Access fabric to carry data plane traffic between fabric edge nodes. VXLAN provides a Layer 2 overlay over a Layer 3 underlay, enabling scalable segmentation and mobility without VLAN limitations.

Exam trap

Cisco often tests the misconception that VLANs are used for fabric segmentation, but the correct answer is VXLAN VNIs; similarly, candidates may confuse the roles of fabric edge and border nodes, thinking edges handle external connectivity.

14
Drag & Drop · medium

Drag and drop the steps of DHCP snooping and dynamic ARP inspection flow into the correct order, from first to last.

Why this order

DHCP snooping builds a binding table used by DAI. The switch validates DHCP messages, creates bindings, then intercepts ARP packets and compares them against the binding table to prevent spoofing.

15
Matching · medium

Drag and drop each CAPWAP message type on the left to its matching function on the right.

Manages AP configuration and keepalive

Carries user traffic between AP and controller

AP finds available controllers

AP associates with a controller

Controller pushes settings to AP

Why these pairings

Control messages manage the AP (e.g., configuration, keepalive); Data messages carry user traffic; Discovery messages find controllers; Join messages establish the AP-controller association; Configuration messages push settings to the AP.

16
Drag & Drop · medium

Drag and drop the steps of configuring a local SPAN session on a Cisco IOS switch into the correct order, from first to last.

Why this order

The correct order begins with removing any existing SPAN session, then specifying the source interfaces or VLANs to monitor, then defining the destination interface for the analyzer, then optionally enabling encapsulation replication for trunk ports, and finally verifying the session is active.

17
MCQ · hard

A network engineer is configuring CoPP on a Cisco Nexus 9000 switch to protect the control plane from a potential DoS attack. The engineer creates a class-map that matches traffic with a specific DSCP value (AF41) and applies a police rate of 10 Mbps. After applying the policy, the engineer notices that legitimate traffic with DSCP AF41 is being dropped even though the traffic rate is only 5 Mbps. What is the most likely cause?

A. The CoPP policy has a conform-action of drop, which drops all traffic matching the class.
B. The police rate is too low, and the traffic is being dropped due to exceeding the rate.
C. The DSCP value AF41 is not supported on Nexus switches.
D. The CoPP policy is applied to the wrong queue, causing all traffic to be dropped.
Answer: A

Correct because if the conform-action is set to drop, all traffic in that class is dropped, even if it is within the police rate.

Why this answer

The correct answer is that the CoPP policy is using a conform-action of drop, which drops all traffic that matches the class, regardless of rate. Option B is incorrect because the police rate is not exceeded. Option C is incorrect because DSCP AF41 is a valid value. Option D is incorrect because CoPP does not require a specific queue; it uses policing.

18
Multi-Select · hard

Which three statements about IPsec VPNs are true? (Choose three.)

Select 3 answers
A. IPsec transport mode encrypts the entire original IP packet, including the IP header.
B. IKEv2 is more resilient to network changes than IKEv1 because it supports Dead Peer Detection (DPD) as a built-in feature.
C. AES is a symmetric encryption algorithm commonly used in IPsec to provide data confidentiality.
D. IKE uses TCP port 500 for key exchange and negotiation of security associations.
E. ESP in tunnel mode can provide both encryption and authentication for the entire IP packet.
Answers: B, C, E

Correct because IKEv2 includes DPD as a standard mechanism to detect peer liveness, whereas IKEv1 requires separate configuration.

Why this answer

IPsec VPNs can operate in transport mode (protecting payload only) or tunnel mode (protecting entire IP packet). IKEv2 is more robust than IKEv1, supporting EAP authentication and built-in DPD. AES is a symmetric encryption algorithm used for data confidentiality. SHA is used for integrity, not encryption. IKE uses UDP port 500, not TCP. ESP can provide both encryption and authentication, but authentication is optional in some implementations.

19
Matching · medium

Drag and drop each Python data structure on the left to its matching network config use on the right.

Storing key-value pairs for device configuration parameters

Ordered collection of configuration commands or interface names

Immutable sequence for storing device credentials

Unordered collection of unique VLAN IDs

Immutable set of allowed SNMP communities

Why these pairings

dict stores key-value config pairs like interface settings, list stores ordered config lines, tuple stores immutable device credentials, set stores unique VLAN IDs, and frozenset stores immutable sets of allowed protocols.

20
Matching · medium

Drag and drop each IP SLA threshold type on the left to its trigger condition on the right.

Triggers when a value exceeds a set threshold

Triggers on the first violation

Triggers after a specified number of consecutive violations

Triggers when value rises above a threshold

Triggers when value falls below a threshold

Why these pairings

Over-threshold triggers when a value exceeds a set threshold; immediate triggers on the first violation; consecutive triggers after a specified number of consecutive violations.

21
MCQ · medium

A network engineer is troubleshooting intermittent packet loss on a WAN link connecting two data centers. The engineer suspects that certain traffic types are being dropped but needs to confirm this without impacting production. The engineer has access to Cisco IOS-XE routers at both ends. Which approach should the engineer use to identify the specific flows being dropped?

A. Configure Flexible NetFlow on the routers with a flow monitor that includes the 'drop' keyword to capture dropped packets per flow.
B. Enable SNMP polling of interface counters to identify the total number of dropped packets on the WAN interface.
C. Use Embedded Event Manager (EEM) to trigger on interface drops and capture a packet trace.
D. Deploy IP SLA probes to measure latency and jitter, and correlate with drop events.
Answer: A

Correct because Flexible NetFlow with the 'drop' keyword allows per-flow drop monitoring, directly identifying which flows are being dropped.

Why this answer

NetFlow can be used to monitor traffic flows and identify drops, but traditional NetFlow does not capture drops. The correct answer uses Flexible NetFlow with a flow monitor that includes the 'drop' keyword to capture dropped packets, which is the most direct method. Option B is incorrect because SNMP polling of interface counters shows aggregate drops but not per-flow. Option C is incorrect because EEM alone cannot capture per-flow drop details. Option D is incorrect because IP SLA measures performance but not drop causation per flow.

22
Drag & Drop · hard

Drag and drop the steps of BGP best path selection process into the correct order, from first to last.

Why this order

BGP best path selection follows a strict order: first, prefer the path with the highest weight (Cisco proprietary). If equal, prefer highest local preference. Next, prefer locally originated routes (network/aggregate). Then, prefer the shortest AS_PATH. Finally, prefer the lowest MED (if same AS).

23
MCQ · easy

A network engineer is upgrading a legacy wireless network that uses autonomous access points to a centralized WLC-based architecture. The engineer has installed a Cisco 9800 WLC and is converting the autonomous APs to lightweight mode. After the conversion, the APs join the WLC, but the engineer notices that the APs are not broadcasting any SSIDs. What is the most likely cause?

A. The APs are in discovery mode and have not yet downloaded their configuration from the WLC.
B. The APs require a separate management IP address to broadcast SSIDs.
C. The WLC is running an IOS version that does not support the AP model.
D. The APs must be rebooted after joining the WLC to start broadcasting SSIDs.
Answer: A

Correct because lightweight APs initially join the WLC in discovery mode and then download the full configuration, including SSID definitions.

Why this answer

The correct answer is that the APs are in discovery mode and have not yet received their configuration from the WLC. In lightweight mode, APs download their configuration from the WLC, including SSID settings. The other options are incorrect: APs do not need a separate management IP, the WLC does not need a specific IOS version for basic operation, and APs do not need to be rebooted again after joining.

24
Drag & Drop · medium

Drag and drop the steps of Rapid PVST+ topology change notification process into the correct order, from first to last.

Why this order

In Rapid PVST+, when a port transitions to forwarding, the switch sends a proposal message. The neighbor receives it, synchronizes, and sends an agreement. The switch then sets the port to forwarding and propagates the topology change via TC messages.

25
Multi-Select · hard

Which three statements about DMVPN Phase 3 are true? (Choose three.)

Select 3 answers
A. In DMVPN Phase 3, the hub router must always be in the data path for all traffic between spokes.
B. Spokes register their physical (non-NBMA) addresses with the NHRP server (hub) to enable dynamic tunnel establishment.
C. NHRP redirect messages are sent by the hub to inform a spoke that a better path exists directly to another spoke.
D. DMVPN Phase 3 uses point-to-point GRE tunnels for spoke-to-spoke connections.
E. DMVPN Phase 3 supports dynamic spoke-to-spoke tunnel establishment using NHRP and mGRE.
Answers: B, C, E

Correct because spokes send NHRP registration requests to the hub, including their real interface IP addresses, so the hub can resolve NBMA addresses.

Why this answer

DMVPN Phase 3 introduces per-destination NHRP redirects to allow spoke-to-spoke tunnels without requiring the hub to proxy all traffic. Spokes register their real (physical) IP addresses with the NHRP server (hub). The hub does not need to be part of the data path after the spoke-to-spoke tunnel is established. Phase 3 uses NHRP redirect messages from the hub to inform spokes of better paths. The spoke-to-spoke tunnel is built dynamically using mGRE, not p2p GRE. Phase 3 supports both IPv4 and IPv6.

26
Multi-Select · easy

Which TWO of the following are benefits of using network virtualization with VXLAN? (Choose two.)

Select 2 answers
A. Enables Layer 2 extension across Layer 3 boundaries.
B. Eliminates the need for STP by using a centralized controller.
C. Uses only multicast for control plane learning.
D. Supports up to 16 million logical networks.
E. Provides native encryption for data in transit.
Answers: A, D

VXLAN tunnels Layer 2 over Layer 3.

Why this answer

VXLAN encapsulates Layer 2 frames in UDP packets over IP, allowing Layer 2 segments to be stretched across Layer 3 networks. This enables virtual machine mobility and multi-tenant environments without being constrained by physical network boundaries.

Exam trap

Cisco often tests the misconception that VXLAN eliminates STP or provides native encryption, but VXLAN is an overlay technology that still relies on the underlay network's STP and does not include encryption by default.

27
Multi-Select · medium

Which two statements about Rapid PVST+ are true? (Choose two.)

Select 2 answers
A. Rapid PVST+ converges faster than classic STP because it uses synchronized handshakes between switches.
B. Rapid PVST+ uses a separate BPDU version for each VLAN to maintain per-VLAN spanning-tree instances.
C. In Rapid PVST+, an alternate port provides a backup path to the root bridge and is in a discarding state when the root port is operational.
D. Rapid PVST+ requires the use of UplinkFast and BackboneFast features to achieve sub-second convergence.
E. Rapid PVST+ supports only one spanning-tree instance per VLAN, but it can load-balance traffic across multiple VLANs.
Answers: A, C

Correct. RSTP uses a proposal-agreement handshake mechanism to achieve rapid transition to forwarding state, unlike classic STP which relies on timers.

Why this answer

Rapid PVST+ is the Cisco implementation of RSTP per VLAN. It provides faster convergence than classic STP and uses port roles (root, designated, alternate, backup) and port states (discarding, learning, forwarding). The alternate port provides a backup to the root port, and the backup port provides a backup to the designated port. Rapid PVST+ does not use a separate BPDU version for each VLAN; it uses the same RSTP BPDU format. It does not require UplinkFast or BackboneFast since those features are integrated into RSTP.

28
Multi-Select · hard

Which THREE are valid methods for automating network device configuration using Cisco IOS XE? (Choose three.)

Select 3 answers
A. NETCONF/YANG
B. SNMP Set requests
C. Telnet with Expect scripts
D. CLI via SSH with Python (e.g., Netmiko)
E. RESTCONF
Answers: A, D, E

NETCONF is a standard protocol for configuration.

Why this answer

NETCONF/YANG is a valid method for automating network device configuration on Cisco IOS XE. NETCONF (RFC 6241) uses an XML-based RPC protocol to establish a secure SSH session (port 830) for configuration operations, while YANG (RFC 7950) provides a structured data model to define the configuration and state data. This combination allows for programmatic, transactional, and standardized configuration management, making it a core automation technology supported by Cisco.

Exam trap

Cisco often tests the distinction between monitoring protocols (SNMP) and configuration automation protocols (NETCONF/RESTCONF), and the trap here is that candidates mistakenly think SNMP Set requests are a valid configuration automation method, overlooking that SNMP is designed for read-heavy monitoring and lacks the transactional, model-driven capabilities of YANG-based protocols.

29
MCQ · medium

An enterprise network uses a Cisco Catalyst 9300 switch as a distribution layer device. The network team notices that ICMP echo requests from a monitoring server (192.168.1.100) to the switch's management IP are being dropped intermittently. The switch has a CoPP policy that includes a class-map matching ICMP traffic. The engineer checks the CoPP statistics and sees that ICMP packets from the monitoring server are being dropped by the policy. What is the most likely cause of this issue?

A. The CoPP policy is policing ICMP traffic to a rate that is too low for the monitoring server's traffic.
B. An ACL applied to the management interface is blocking ICMP from the monitoring server.
C. The monitoring server is sending ICMP packets with a TTL of 1, causing them to be dropped.
D. The switch's CPU is overloaded, causing CoPP to drop all packets.
Answer: A

Correct because CoPP polices traffic to the control plane; if the rate is too low, legitimate ICMP packets may be dropped.

Why this answer

The correct answer is that the CoPP policy is policing ICMP traffic to a rate that is too low for the monitoring server's traffic. Option B is incorrect because the ACL is not mentioned as blocking ICMP. Option C is incorrect because the monitoring server is not the source of the issue; it is the target. Option D is incorrect because the switch's CPU is not necessarily overloaded; the drops are due to CoPP policing.

30
MCQ · easy

A network engineer runs the following command on Router R9:

    R9# show mpls ldp bindings 10.9.9.0 255.255.255.0
      lib entry: 10.9.9.0/24, rev 10
        local binding: label: 22
        remote binding: lsr: 10.9.9.1:0, label: 23
        remote binding: lsr: 10.9.9.2:0, label: 24
        remote binding: lsr: 10.9.9.3:0, label: 25

Based on this output, how many remote LDP peers have advertised a label for the prefix 10.9.9.0/24?

A. 1
B. 2
C. 3
D. 4
Answer: C

Three remote LSRs are listed: 10.9.9.1:0, 10.9.9.2:0, and 10.9.9.3:0.

Why this answer

The output shows three remote bindings from different LSRs (10.9.9.1, 10.9.9.2, 10.9.9.3), each with a different label. So three remote peers have advertised labels.

31
MCQ · medium

Given this telemetry configuration on a Cisco IOS-XE device:

    telemetry ietf subscription 400
     encoding encode-kvgpb
     filter xpath /interfaces/interface/state
     stream yang-push
     update-policy periodic 1000
     receiver ip address 10.1.1.1 50000 protocol grpc
     source-interface Loopback0

What is the effect of the source-interface Loopback0 command?

A.It forces the telemetry receiver to listen on Loopback0.
B.It uses the IP address of Loopback0 as the source for telemetry packets to the receiver.
C.It restricts the telemetry data to only Loopback0 interface counters.
D.It changes the update policy to on-change for Loopback0.
AnswerB

This is the standard behavior of source-interface in telemetry configuration.

Why this answer

The source-interface command ensures that all telemetry packets sent to the receiver use the IP address of Loopback0 as the source.

32
Drag & Dropmedium

Drag and drop the BGP graceful restart negotiation steps into the correct order, from first to last.

Why this order

Graceful restart begins with the restarting router sending an OPEN message with the graceful restart capability, followed by the peer acknowledging, then the restarting router marking routes as stale, and finally the peer sending End-of-RIB markers.

33
Multi-Selecthard

Which two statements about DHCP snooping are true? (Choose two.)

Select 2 answers
A.DHCP snooping treats all ports as untrusted by default, except those explicitly configured as trusted.
B.The ip dhcp snooping trust command is applied on ports connected to DHCP clients.
C.DHCP snooping builds a binding database that maps client MAC addresses, IP addresses, VLAN, and port information.
D.DHCP snooping can be configured globally without enabling it on specific VLANs.
E.DHCP snooping drops all DHCP packets that contain option 82 information from untrusted ports.
AnswersA, C

Correct because DHCP snooping defaults all ports to untrusted to prevent rogue DHCP server attacks; only trusted ports (usually uplink to legitimate DHCP server) are configured.

Why this answer

This question tests detailed knowledge of DHCP snooping operation and configuration, including trusted/untrusted ports and option 82.

34
MCQmedium

A network engineer runs the following command on Router R7:

```
R7# show ip nat translations verbose
Pro  Inside global   Inside local   Outside local   Outside global
---  192.0.2.10      10.0.0.10      ---             ---
    create: 03/01/2025 09:00:00, use: 03/01/2025 09:05:00
    timeout: never, flags: static
---  192.0.2.11      10.0.0.11      ---             ---
    create: 03/01/2025 09:00:00, use: 03/01/2025 09:06:00
    timeout: never, flags: static
```

Based on this output, what can be concluded?

A.These translations will expire after a configurable timeout.
B.The translations are dynamic and will be removed after idle timeout.
C.The router is performing PAT for these addresses.
D.The translations are static and will remain until manually removed.
AnswerD

Static NAT entries with timeout 'never' persist indefinitely.

Why this answer

The verbose output shows static NAT entries with 'timeout: never' and 'flags: static'. These translations will not time out and are manually configured.

35
Matchingmedium

Drag and drop each WPA security version on the left to its matching authentication method on the right.

Concepts
Matches

TKIP with PSK or 802.1X

CCMP (AES) with PSK or 802.1X

GCMP-256 with SAE or 802.1X

PSK

802.1X with GCMP-256

Why these pairings

WPA uses TKIP with PSK or 802.1X; WPA2 uses CCMP (AES) with PSK or 802.1X; WPA3 uses GCMP-256 with SAE or 802.1X; WPA2-Personal uses PSK; WPA3-Enterprise uses 802.1X with GCMP-256.

36
Drag & Dropmedium

Drag and drop the steps of the NAT overload (PAT) packet translation process into the correct order, from first to last.

Why this order

PAT translates private source IPs to a public IP with unique port numbers. The host sends a packet, the router creates a translation entry, replaces the source IP and port, forwards the packet, and reverses the process on the return.

37
Multi-Selectmedium

Which two statements about IP SLA responder configuration are true? (Choose two.)

Select 2 answers
A.The IP SLA responder must be enabled on the destination device for UDP jitter probes to function correctly.
B.The 'ip sla responder' command is entered in global configuration mode to enable the responder globally.
C.The IP SLA responder must be enabled on every intermediate router along the path for accurate one-way delay measurements.
D.ICMP echo probes require the IP SLA responder to be enabled on the target device.
E.The IP SLA responder can be configured to respond only to specific source IP addresses using an access list.
AnswersA, B

Correct because UDP jitter probes require the responder on the destination to timestamp packets and calculate delay, jitter, and packet loss.

Why this answer

The IP SLA responder is required for certain probe types to ensure accurate measurements. The 'ip sla responder' command enables the responder globally, and it can be further refined with an access list to limit which source IPs are allowed to trigger the responder. The responder does not need to be enabled on every device in the path, only on the destination device for UDP-based probes.

The responder is not used for ICMP echo probes, and it does not require a control protocol like SNMP to function.

38
Multi-Selectmedium

Which two statements about REST API HTTP methods are true? (Choose two.)

Select 2 answers
A.GET requests are idempotent and safe.
B.POST requests are idempotent and safe.
C.PUT requests are idempotent.
D.DELETE requests are safe.
E.PATCH requests are always idempotent.
AnswersA, C

Correct because GET is designed to retrieve data without modifying state, making it both idempotent and safe.

Why this answer

In REST APIs, the GET method is used to retrieve a representation of a resource without side effects (idempotent and safe). The PUT method is used to update or create a resource at a specific URI and is idempotent, meaning multiple identical requests have the same effect as a single request. POST is not idempotent; it is typically used to create a new resource at a server-defined URI.

DELETE is idempotent but not safe. PATCH is used for partial updates and is not necessarily idempotent.

39
MCQeasy

What is the maximum number of active member links supported in a single EtherChannel on Cisco Catalyst switches?

A.4
B.8
C.16
D.32
AnswerB

Correct. Up to 8 active links are supported in a single EtherChannel.

Why this answer

Cisco Catalyst switches support up to 8 active member links in a single EtherChannel. Some platforms also support up to 16 links with 8 active and 8 standby using LACP, but the maximum active links is 8.

40
MCQhard

Refer to the exhibit. A switch has IP Source Guard (IPSG) and port-security enabled on interface GigabitEthernet0/1. A host with IP 10.1.1.1 and MAC 00:1A:2B:3C:4D:5E is connected and tries to access a web server at 192.168.1.100. What will happen?

A.The traffic is blocked because the host is not using DHCP, so IPSG drops all non-DHCP traffic.
B.The traffic is permitted only if the destination is also in the 10.0.0.0/8 range.
C.The traffic is blocked because IP Source Guard requires a static binding for the host.
D.The traffic is permitted because the host's IP is within the allowed subnet and the MAC is valid according to port-security.
AnswerD

Correct: IP source guard checks that the source IP is in the binding table; if valid, traffic passes ACL.

Why this answer

Option D is correct because IP Source Guard (IPSG) on a switch port typically uses DHCP snooping bindings to validate traffic. However, when port-security is also enabled and the host's IP (10.1.1.1) falls within the configured subnet (e.g., 10.0.0.0/8), and the MAC address (00:1A:2B:3C:4D:5E) matches a port-security secure MAC address, the switch can permit the traffic. IPSG does not inherently block all non-DHCP traffic; it can be configured with static bindings or rely on DHCP snooping, but in this scenario, the combination of a valid subnet and port-security allows the traffic.

Exam trap

Cisco often tests the misconception that IPSG always requires DHCP snooping and blocks all non-DHCP traffic, but in reality, IPSG can be configured with port-security to allow traffic from statically assigned hosts within a valid subnet.

How to eliminate wrong answers

Option A is wrong because IPSG does not drop all non-DHCP traffic; it filters based on IP-to-MAC bindings from DHCP snooping or static entries, not the source of the IP assignment. Option B is wrong because IPSG does not restrict traffic based on the destination IP address; it only validates the source IP and MAC of the host. Option C is wrong because IPSG does not require a static binding for the host; it can use dynamic DHCP snooping bindings, and in this case, port-security provides an alternative validation mechanism.

41
MCQeasy

An engineer is troubleshooting a site-to-site VPN that uses IPsec with IKEv1. The tunnel is established, but traffic is intermittently dropped. The engineer checks the 'show crypto ipsec sa' output and sees that the number of packets that failed anti-replay check is increasing. What is the most likely cause of this issue?

A.The IPsec SA is using a weak encryption algorithm.
B.The IPsec SA is using ESP in tunnel mode with authentication only.
C.The traffic is taking multiple paths, causing packets to arrive out of order.
D.The IPsec SA lifetime is too short, causing frequent rekeying.
AnswerC

Correct. Anti-replay checks rely on sequence numbers. If packets arrive out of order, the receiver may drop them if they fall outside the anti-replay window.

Why this answer

Anti-replay is a security feature in IPsec that uses sequence numbers to prevent replay attacks. If packets arrive out of order (e.g., due to different paths or latency), the anti-replay window may drop them. This is common when there are multiple paths or when the IPsec SA is used for traffic that is load-balanced across different links.

42
Matchingmedium

Drag and drop each congestion avoidance mechanism on the left to its matching method on the right.

Concepts
Matches

Drops all arriving packets when the queue is full

Drops packets probabilistically based on average queue depth before the queue is full

Drops packets probabilistically with different thresholds per IP precedence or DSCP value

Marks packets instead of dropping them when RED is enabled and endpoints support ECN

Drops packets based on a per-class drop threshold but still drops all when threshold exceeded

Why these pairings

Tail-drop drops all packets when queue is full; RED starts dropping packets probabilistically before queue full; WRED uses IP precedence or DSCP to vary drop probability per class.

43
MCQmedium

Review the following telemetry configuration snippet:

```
telemetry ietf subscription 300
 encoding encode-kvgpb
 filter xpath /interfaces/interface/state/counters
 stream yang-push
 update-policy periodic 100
 receiver ip address 10.1.1.1 50000 protocol grpc
```

What is missing or incorrect in this configuration?

A.The configuration is correct and complete.
B.The update-policy period of 100 milliseconds is too fast and may cause performance issues.
C.The receiver should specify a source interface to ensure consistent source IP for the telemetry stream.
D.The encoding should be encode-xml for IETF subscriptions.
AnswerC

Adding source-interface (e.g., Loopback0) is recommended for reliability and management.

Why this answer

The configuration is missing a source interface or source IP address, which is recommended for telemetry receivers to ensure reachability and consistent source addressing.

44
MCQhard

An engineer configures IP SLA 100 to monitor the jitter and latency of a VoIP call path between two branch routers. The configuration uses UDP jitter with a target of 192.168.2.2 on port 16384. The engineer notices that the IP SLA operation shows 'State: Active' but no jitter or latency statistics are collected. The router is generating the probe packets, but the remote router does not respond. What is the most likely reason?

A.The IP SLA operation must be configured with a 'request-data-size' value to match the remote router's MTU.
B.The remote router must have an IP SLA responder configured to process the UDP jitter probes.
C.The source router needs a 'frequency' setting that matches the remote router's response interval.
D.The firewall on the remote router is blocking the UDP port 16384, preventing the probe from reaching the target.
AnswerB

Correct. For UDP jitter (and other UDP-based probes), the destination router must run the IP SLA responder to echo the packets back. Without it, the source cannot compute one-way metrics.

Why this answer

UDP jitter probes require a responder on the destination router to echo the packets back. Without the responder, the source router sends probes but receives no response, so no jitter statistics can be computed.

45
Drag & Dropmedium

Drag and drop the steps of the IKEv2 fragmentation and DPD keepalive process into the correct order, from first to last.

Why this order

IKEv2 fragmentation occurs when the IKE packet exceeds the MTU. The sender fragments the packet, marks it with a fragment number, and sends all fragments. The receiver reassembles them.

DPD keepalives are sent periodically to verify the peer is still reachable; if no response is received, the peer is declared dead.

46
Matchingmedium

Drag and drop each Ansible component on the left to its matching function on the right.

Concepts
Matches

Defines the list of managed hosts and groups

YAML file containing ordered tasks to execute

Structured directory for reusable variables, tasks, and handlers

Executable code that performs a specific configuration or operational task

Special task triggered only when notified by another task

Why these pairings

Each component has a distinct role: Inventory defines managed nodes, Playbook is the execution blueprint, Role organizes content, Module is the execution unit, and Handler reacts to changes.

47
Matchingmedium

Drag and drop each DSCP PHB on the left to its matching queue treatment on the right.

Concepts
Matches

Expedited forwarding, strict priority queuing, low delay and jitter

Assured forwarding, four classes with three drop probabilities per class

Class selector, backward compatible with IP precedence, simple priority queuing

Best-effort, default queue, no guarantees

Default forwarding, same as best-effort (DSCP 0)

Why these pairings

EF PHB (DSCP 46) is for low-loss, low-latency traffic; AF PHBs (AF1x-AF4x) provide assured forwarding with four classes and three drop precedences; CS PHBs (CS1-CS7) are backward-compatible with IP precedence; BE (DSCP 0) is best-effort; DF (DSCP 0) is the default PHB.

48
Drag & Dropmedium

Drag and drop the steps of the NUMA-aware VM placement process into the correct order, from first to last.

Why this order

NUMA-aware placement begins with checking the host topology. Then, the VM's vCPU count is compared to the NUMA node size. Next, the VM is assigned to a specific NUMA node.

After that, memory is allocated from that node. Finally, the VM is started to enforce the placement.

49
Drag & Dropmedium

Drag and drop the steps of PPPoE session establishment into the correct order, from first to last.

Why this order

PPPoE session establishment begins with the Discovery stage: the client sends a PADI to find a server, the server responds with a PADO, the client selects a server and sends a PADR, the server assigns a session ID via PADS. Finally, the PPP link is negotiated using LCP and authentication.

50
MCQhard

A network engineer is troubleshooting a BGP issue where a router is not installing a specific prefix in its routing table, even though the prefix is present in the BGP table. The engineer runs 'show ip bgp 10.0.0.0/24' and sees that the route is valid but not best. The BGP table shows that the route has a higher local preference than the current best path, but the AS_PATH is longer. What is the most likely reason the route is not being selected as best?

A.The route with higher local preference has a lower weight than the current best path.
B.The route with higher local preference has a higher MED value.
C.The route with higher local preference is not synchronized with IGP.
D.The route with higher local preference was learned from an eBGP peer, while the current best path is from an iBGP peer.
AnswerA

Correct because weight is checked before local preference in BGP path selection; a higher weight on the current best path would make it preferred even if local preference is lower.

Why this answer

BGP selects the best path based on a sequence of comparison steps. Local preference is checked before AS_PATH length, so a higher local preference should normally win. However, weight is the very first criterion in the BGP best-path selection algorithm.

If the current best path has a higher weight than the route with higher local preference, weight overrides local preference, making the higher-local-preference route not best.

Exam trap

Cisco often tests the order of BGP best-path selection steps, specifically that weight is evaluated before local preference, leading candidates to incorrectly assume that a higher local preference always wins regardless of weight.

How to eliminate wrong answers

Option B is wrong because MED is compared only after the AS_PATH length and origin code, and it is not relevant when a higher local preference is present; the issue here is that weight, which is checked first, is higher on the current best path. Option C is wrong because BGP synchronization is a Cisco-specific feature that requires an IGP route for the next-hop before installing an iBGP route, but it does not affect the best-path selection process; the route is already in the BGP table as valid, and synchronization would prevent installation, not selection as best. Option D is wrong because eBGP routes are preferred over iBGP routes only if all earlier steps (weight, local preference, locally originated) are equal; here, local preference is higher on the candidate route, but weight is the first tiebreaker and is higher on the current best path, so the eBGP vs iBGP comparison never occurs.

51
Matchingmedium

Drag and drop each HTTP method on the left to its matching REST operation on the right.

Concepts
Matches

Retrieve a resource

Create a new resource

Replace an existing resource entirely

Remove a resource

Apply partial modifications to a resource

Why these pairings

GET retrieves; POST creates; PUT replaces; DELETE removes; PATCH partially updates.

52
MCQeasy

A network engineer is using the Cisco DNA Center REST API to retrieve the health score of a specific device. The API response is as follows:

```
{
  "response": [
    {
      "deviceId": "1234567890",
      "hostname": "Core-Switch-1",
      "score": 8,
      "overallHealth": "good",
      "timestamp": 1623456789
    }
  ],
  "version": "1.0"
}
```

The engineer wants to extract the 'overallHealth' value. Which Python code correctly extracts it?

A.health = response['response'][0]['overallHealth']
B.health = response['overallHealth']
C.health = response['response']['overallHealth']
D.health = response[0]['overallHealth']
AnswerA

Correct. This accesses the first element of the list inside 'response' and then retrieves 'overallHealth'.

Why this answer

The response is a dictionary with a key 'response' that contains a list. The list has one dictionary. To access 'overallHealth', you need to index the list and then the key.

53
Drag & Dropmedium

Drag and drop the steps of Q-in-Q (802.1ad) double-tagging configuration into the correct order, from first to last.

Why this order

Q-in-Q configuration requires first enabling the feature globally, then configuring the trunk port as a dot1q tunnel port, setting the native VLAN, and finally applying the service instance to encapsulate traffic. Verification ensures proper double-tagging.

54
Matchingmedium

Drag and drop each trunk encapsulation type on the left to its matching standard or characteristic on the right.

Concepts
Matches

Open standard (IEEE); inserts 4-byte tag; supports native VLAN

Cisco proprietary; encapsulates entire frame; no native VLAN concept

VLAN 1 by default; frames sent untagged on trunk

Adds 26-byte header and 4-byte trailer

Contains 12-bit VLAN ID (0–4095)

Why these pairings

802.1Q is an open standard that inserts a 4-byte tag, supports native VLAN, and is the default on modern switches. ISL is Cisco proprietary, encapsulates the entire frame, and does not support native VLAN.

55
Matchingmedium

Drag and drop each BGP attribute on the left to its preferred value (highest or lowest) on the right.

Concepts
Matches

Highest

Highest

Lowest

Lowest

Lowest

Why these pairings

Higher WEIGHT and LOCAL_PREF are preferred; lower MED, AS_PATH length, and IGP metric to next-hop are preferred.

56
Drag & Dropmedium

Drag and drop the steps of a RESTCONF GET request with depth and field query parameters into the correct order, from first to last.

Why this order

The process starts with constructing the URI, then appending depth and field parameters, sending the GET request, the server filtering the response, and finally the client parsing the returned data.

57
MCQmedium

Which BGP attribute is used as the first tie-breaker when multiple paths are available and the weight is equal?

A.Local preference
B.AS path length
C.MED
D.Origin code
AnswerA

Correct. After weight, BGP compares local preference (higher is better).

Why this answer

BGP uses the local preference attribute as the second tie-breaker (after weight). Higher local preference is preferred.

58
MCQeasy

What is the default EIGRP hello interval on a point-to-point serial link?

A.5 seconds
B.10 seconds
C.30 seconds
D.60 seconds
AnswerA

Correct. The default hello interval for point-to-point serial links is 5 seconds.

Why this answer

The default EIGRP hello interval on a point-to-point serial link is 5 seconds. EIGRP uses different hello intervals depending on the media type: for high-speed broadcast links (e.g., Ethernet) and point-to-point links, the default is 5 seconds; for multipoint non-broadcast links (e.g., Frame Relay), the default is 60 seconds.

Exam trap

Cisco often tests the distinction between EIGRP and OSPF hello intervals, so the trap here is that candidates confuse the 10-second OSPF default with EIGRP's 5-second default on point-to-point links.

How to eliminate wrong answers

Option B (10 seconds) is wrong because 10 seconds is the default hello interval for OSPF on broadcast and point-to-point links, not for EIGRP. Option C (30 seconds) is wrong because 30 seconds is not a standard EIGRP hello interval; it is the default hold time multiplier factor (3x hello) on some links, but not the hello timer itself. Option D (60 seconds) is wrong because 60 seconds is the default EIGRP hello interval only on low-speed multipoint non-broadcast links (e.g., Frame Relay multipoint), not on point-to-point serial links.

59
MCQmedium

An architect is designing an SD-WAN deployment for a multinational enterprise. The design must ensure that control plane traffic remains separate from data plane traffic and that the solution can scale to thousands of sites. Which architectural component is responsible for maintaining the control plane and distributing routing information?

A.vBond orchestrator
B.vManage NMS
C.vSmart controller
D.vEdge router
AnswerC

vSmart is the control plane element that distributes routes and policies.

Why this answer

The vSmart controller is the centralized control plane component in Cisco SD-WAN that distributes routing information (OMP routes) and policies to all vEdge/cEdge routers. It maintains the control plane by separating route advertisement and policy enforcement from the data plane, which is handled by the vEdge routers. This separation allows the solution to scale to thousands of sites because vSmart controllers can be clustered and do not process actual data traffic.

Exam trap

Cisco often tests the misconception that the vBond orchestrator handles control plane functions because of its role in initial authentication and orchestration, but vBond does not distribute routing information—that is exclusively the vSmart controller's role.

How to eliminate wrong answers

Option A is wrong because the vBond orchestrator is responsible for initial authentication, NAT traversal, and orchestrating connections between vSmart, vManage, and vEdge devices, not for maintaining the control plane or distributing routing information. Option B is wrong because vManage NMS is the network management system that provides centralized configuration, monitoring, and analytics, but it does not participate in the control plane or distribute routing updates. Option D is wrong because the vEdge router is a data plane device that forwards traffic based on routes learned from the vSmart controller; it does not originate or distribute routing information to other sites.

60
MCQhard

A network engineer runs the following command on Router R9:

```
R9# show policy-map interface GigabitEthernet0/0.900
 GigabitEthernet0/0.900

  Service-policy input: QOS_POLICY_VRF_G

    Class-map: CLASS_VOICE (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: ip dscp ef (46)
      police:
          cir 1000000 bps, bc 31250 bytes, be 31250 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop

    Class-map: CLASS_DATA (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: ip dscp af31 (26)
      police:
          cir 2000000 bps, bc 62500 bytes, be 62500 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
```

Based on this output, what can be concluded?

A.No QoS policy is applied to this interface
B.The policy only polices voice traffic
C.A QoS policy is applied inbound on GigabitEthernet0/0.900, policing voice and data traffic
D.The policy is applied outbound
AnswerC

The policy is applied input, with classes for voice (DSCP EF) and data (DSCP AF31), each with police actions.

Why this answer

The output shows the 'Service-policy input: QOS_POLICY_VRF_G' line, confirming that a QoS policy is applied inbound on GigabitEthernet0/0.900. The policy contains two user-defined class maps: CLASS_VOICE (matching DSCP EF) with a police rate of 1 Mbps and CLASS_DATA (matching DSCP AF31) with a police rate of 2 Mbps, both with conform/transmit and exceed/violate drop actions. This demonstrates that both voice and data traffic are being policed, making option C correct.

Exam trap

Cisco often tests the ability to read the 'Service-policy input' or 'output' direction in the command output, as candidates may overlook the direction keyword and incorrectly assume the policy is applied outbound or not applied at all.

How to eliminate wrong answers

Option A is wrong because the 'Service-policy input: QOS_POLICY_VRF_G' line explicitly shows a QoS policy is applied inbound on the subinterface. Option B is wrong because the policy includes both CLASS_VOICE and CLASS_DATA class maps, each with policing actions, so it polices both voice and data traffic, not just voice. Option D is wrong because the command output specifies 'Service-policy input', indicating the policy is applied inbound, not outbound.

61
MCQmedium

An engineer is configuring a FlexVPN hub-and-spoke network. The hub router has a loopback0 with IP 10.0.0.1/32. The spokes are configured to use IKEv2 with certificates. The engineer notices that the spokes can establish the IKEv2 tunnel and can ping the hub's tunnel IP, but cannot reach the loopback0 address. The hub has a static route for the spoke subnets. What is the most likely issue?

A.The IKEv2 proposal does not match between hub and spoke.
B.The certificate authority is not trusted by the hub.
C.The tunnel interface is not in an up/up state.
D.The loopback0 is not advertised in the routing protocol.
AnswerD

Correct because without a route, the spokes cannot reach the loopback.

Why this answer

In FlexVPN, the tunnel IP addresses are typically used for routing, and the loopback may not be advertised into the routing protocol or may not be reachable via the tunnel interface. If the hub's loopback is not included in the routing updates (e.g., via a network statement in EIGRP or OSPF), the spokes will not have a route to it. Option D is correct because the loopback is not being advertised.

Option A is incorrect because IKEv2 is working. Option B is incorrect because certificates are not the issue. Option C is incorrect because the tunnel itself is up.

62
MCQmedium

Given the following SPAN configuration on a Cisco IOS-XE switch:

```
monitor session 4 source interface GigabitEthernet1/0/6 tx
monitor session 4 destination interface GigabitEthernet1/0/7
```

What does this configuration do?

A.Only traffic transmitted from GigabitEthernet1/0/6 is copied to GigabitEthernet1/0/7.
B.Both ingress and egress traffic on GigabitEthernet1/0/6 is copied to GigabitEthernet1/0/7.
C.Traffic on GigabitEthernet1/0/7 is mirrored to GigabitEthernet1/0/6.
D.The configuration is invalid because the destination interface must be in the same VLAN as the source.
AnswerA

The 'tx' keyword specifies egress traffic only.

Why this answer

This SPAN session captures only egress traffic (tx) from GigabitEthernet1/0/6 and sends it to GigabitEthernet1/0/7.

63
MCQmedium

Consider the following configuration snippet:

```
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/2
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
ip nat inside source list 1 interface GigabitEthernet0/2 overload
access-list 1 permit 192.168.1.0 0.0.0.255
```

What is the effect of this configuration?

A.It translates all traffic from 192.168.1.0/24 to the IP address 203.0.113.1, using port address translation.
B.It performs static NAT for each host in 192.168.1.0/24 to a unique IP in the 203.0.113.0/24 network.
C.It translates only traffic from 192.168.1.1 to the outside interface IP.
D.The configuration is invalid because 'ip nat inside' and 'ip nat outside' are on the wrong interfaces.
AnswerA

Correct. The 'overload' keyword enables PAT, and the interface IP is used as the translated address.

Why this answer

The configuration enables dynamic NAT with overload (PAT) for the 192.168.1.0/24 network, translating source addresses to the IP of the outside interface.

64
Multi-Selecthard

Which three statements about the benefits and challenges of NFV are true? (Choose three.)

Select 3 answers
A.NFV reduces capital expenditure by allowing network functions to run on standard, off-the-shelf hardware.
B.NFV enables faster time-to-market for new services by decoupling software from hardware.
C.One challenge of NFV is the potential performance overhead introduced by the virtualization layer.
D.NFV reduces the overall security attack surface by consolidating multiple functions into a single physical device.
E.NFV eliminates the need for physical cabling in the data center.
AnswersA, B, C

Correct because NFV replaces proprietary appliances with software on commodity servers, lowering hardware costs.

Why this answer

NFV offers reduced hardware costs, faster service deployment, and operational agility. However, it introduces challenges such as performance overhead from virtualization and increased complexity in management. Option A is correct because NFV reduces CAPEX by using commodity hardware.

Option B is correct because NFV enables rapid deployment of new services. Option C is correct because virtualization can introduce latency and throughput overhead. Option D is incorrect because NFV typically increases, not decreases, the attack surface.

Option E is incorrect because NFV does not eliminate the need for physical cabling; it only virtualizes network functions.

65
MCQmedium

A network engineer is automating the deployment of VLAN configurations on a set of Cisco IOS-XE switches using Ansible. The playbook uses the ios_vlans module and runs successfully on the first switch, but fails on the second switch with an error indicating that the module is not found. Both switches are running the same IOS-XE version and have the same management access configured. What is the most likely cause of this issue?

A.The second switch does not have the ios_vlans module installed locally.
B.The cisco.ios collection is not installed on the Ansible control node.
C.The second switch has a different SSH key that is not accepted by the Ansible control node.
D.The playbook uses a fully qualified collection name (FQCN) incorrectly.
AnswerB

The ios_vlans module is part of the cisco.ios collection; without it, the playbook fails on any device.

Why this answer

The ios_vlans module is part of the cisco.ios collection, which must be installed on the Ansible control node, not on the managed devices. The error 'module not found' typically indicates the collection is missing or not properly referenced in the playbook. The switches themselves do not need to have the module installed.

66
MCQmedium

A network engineer is troubleshooting a site-to-site IPsec VPN tunnel between two Cisco routers. The tunnel is established and IKEv2 Phase 1 is up, but no traffic passes. The engineer checks the crypto map and sees that the ACL is configured to permit traffic between the two LAN subnets. However, 'show crypto ipsec sa' shows that the number of packets encapsulated and decapsulated is zero. What is the most likely cause?

A.The crypto map is not applied to the correct interface.
B.The IPsec transform set uses ESP with SHA-1, but the remote router expects AES-GCM.
C.The ACL on the crypto map is missing the 'permit ip' statement for the return traffic.
D.The tunnel interface is down due to a routing issue.
AnswerB

Correct. A mismatch in the transform set (e.g., encryption or authentication algorithms) will prevent Phase 2 from establishing, even though Phase 1 (which uses a different proposal) may succeed.

Why this answer

When IKEv2 Phase 1 is up but Phase 2 (IPsec SA) is not established, the most common cause is a mismatch in the proxy identities (the interesting traffic ACL) or a mismatch in the IPsec transform set parameters. Since the ACL is configured correctly, the issue is likely a mismatch in the transform set or the IKEv2 proposal.

67
MCQmedium

A network engineer is deploying IP multicast in an OSPF-based enterprise network. The network uses PIM sparse mode with a static RP. The engineer notices that multicast traffic from a source to a group is not reaching receivers in a remote subnet, even though the RP is reachable and the receivers have sent IGMP joins. The engineer checks the multicast routing table on the last-hop router and sees that the (S,G) entry is present, but the outgoing interface list (OIL) is empty. What is the most likely reason for the empty OIL?

A.The RP is not configured on the last-hop router.
B.The multicast source is not registered with the RP.
C.PIM dense mode is enabled on the last-hop router.
D.The TTL of the multicast packets is too low.
AnswerA

Correct because without the RP configured, the router cannot send a PIM join to the RP, so the OIL remains empty.

Why this answer

In PIM sparse mode, the last-hop router must send a PIM join toward the RP to join the shared tree. If the RP is reachable but the join is not being sent because the router does not know the RP or the group-to-RP mapping, the OIL remains empty.

68
Matchingmedium

Drag and drop each OSPF packet type on the left to its matching function on the right.

Concepts
Matches

Discovers neighbors and maintains adjacency state

Contains a list of LSA headers for database synchronization

Requests specific LSAs from a neighbor

Sends one or more complete LSAs to a neighbor

Confirms receipt of LSU packets

Why these pairings

Hello packets discover and maintain neighbor relationships; DBD packets contain a summary of the LSDB; LSR packets request specific LSAs; LSU packets send full LSAs in response to LSRs; LSAck packets acknowledge receipt of LSUs.

69
Drag & Dropmedium

Drag and drop the steps of stateless DHCPv6 address assignment into the correct order, from first to last.

Why this order

Stateless DHCPv6 uses SLAAC for the address and DHCPv6 for additional parameters. The host first sends an RS to discover routers. The router replies with an RA containing the prefix and flags indicating stateless DHCPv6.

The host generates its own IPv6 address using SLAAC. It then sends an Information-Request to the DHCPv6 server. The server replies with options like DNS and domain name.

70
Drag & Dropmedium

Drag and drop the steps of the BGP route aggregation and suppress-map process into the correct order, from first to last.

Why this order

First, you define the prefix-list to match specific routes. Then you create the route-map with the suppress clause. Next, you configure the aggregate-address command referencing the route-map.

After that, you verify the aggregated route in the BGP table. Finally, you check that more specific routes are suppressed.

71
MCQhard

An engineer is writing a Python script to use the Cisco DNA Center API to assign a device to a site. The code snippet is:

```python
import requests

url = "https://dna-center.local/dna/intent/api/v1/network-device/assign"
headers = {
    "X-Auth-Token": "token",
    "Content-Type": "application/json"
}
payload = {
    "deviceId": "device-uuid",
    "siteId": "site-uuid"
}
response = requests.post(url, headers=headers, json=payload, verify=False)
print(response.status_code)
```

What is a potential issue with this code?

A.The HTTP method should be PUT instead of POST for assigning a device to a site.
B.The payload should include 'deviceId' and 'siteId' as a list.
C.The URL is missing the version number.
D.The code should use requests.put instead of requests.post.
AnswerA, D

Correct. The DNA Center API uses PUT for this operation.

Why this answer

The API endpoint for assigning a device to a site typically uses a PUT method, not POST. Using POST may result in a 405 Method Not Allowed error or unexpected behavior.

72
MCQeasy

An engineer is using the Cisco DNA Center GUI to create a new site hierarchy. They add a building under an existing area. After saving, they run a Python script to verify the site via API:

```python
import requests

url = "https://dna-center.local/dna/intent/api/v1/site"
headers = {"X-Auth-Token": "token"}
response = requests.get(url, headers=headers, verify=False)
sites = response.json()['response']
for site in sites:
    if site['name'] == 'Building-A':
        print(site['id'])
```

What is the output if the building was created successfully?

A.A UUID string such as '123e4567-e89b-12d3-a456-426614174000'
B.The script will print 'Building-A'
C.The script will print the entire site dictionary
D.The script will raise an error because the API returns paginated results
AnswerA

Correct. The API returns a UUID for each site, and the script prints it.

Why this answer

The script prints the site ID of the building if it exists. The output will be a string representing the UUID of the building.

73
Drag & Dropmedium

Drag and drop the steps of IP SLA scheduling with frequency and lifetime into the correct order, from first to last.

Why this order

First, create the IP SLA operation. Then configure the frequency (how often probes are sent). Next, set the lifetime (how long the operation runs).

After that, schedule the operation with a start time. Finally, verify the scheduling parameters are active.

74
MCQhard

A network engineer is configuring a new Cisco Nexus 9000 switch to connect to an existing Cisco Catalyst 3850 switch. The link between them should be a trunk carrying VLANs 10, 20, and 30. The engineer configures the Nexus switch with 'switchport mode trunk' and 'switchport trunk allowed vlan 10,20,30'. However, the trunk does not come up. The Catalyst switch is configured with 'switchport mode trunk' and 'switchport trunk allowed vlan 10,20,30'. What is the most likely cause?

A.The Nexus switch does not have the 'switchport trunk encapsulation dot1q' command configured.
B.The Catalyst switch is set to dynamic auto mode.
C.The allowed VLAN list on the Nexus switch is missing VLAN 1.
D.The native VLAN is set to 999 on the Nexus switch.
AnswerA

Correct because some Nexus switches require explicit encapsulation configuration for trunking to work with Catalyst switches.

Why this answer

The most likely cause is that the Nexus switch defaults to 802.1Q encapsulation, but the Cisco Catalyst 3850 switch requires the explicit 'switchport trunk encapsulation dot1q' command to be configured on the Nexus side. Without this command, the Nexus switch may not properly negotiate or establish the trunk, as the Catalyst switch expects a specific encapsulation type. This is a common issue when interconnecting different Cisco switch platforms that handle trunk encapsulation defaults differently.

Exam trap

Cisco often tests the misconception that Nexus switches do not require the 'switchport trunk encapsulation dot1q' command because they only support 802.1Q, but the command is still necessary for trunk formation with certain Catalyst switches.

How to eliminate wrong answers

Option B is wrong because 'dynamic auto' mode on the Catalyst switch would actually allow the trunk to form if the other side is set to 'trunk' (as the Nexus is), so this would not prevent the trunk from coming up. Option C is wrong because VLAN 1 is not required to be in the allowed VLAN list for a trunk to form; the trunk will still come up even if VLAN 1 is excluded. Option D is wrong because the native VLAN mismatch (e.g., set to 999 on the Nexus) would cause a native VLAN mismatch error but would not prevent the trunk from coming up; the trunk would still be operational, though with potential issues for untagged traffic.

75
Drag & Dropmedium

Drag and drop the steps of troubleshooting NetFlow export issues into the correct order, from first to last.

Why this order

Start by verifying NetFlow is enabled on the interface. Then check the exporter configuration and collector reachability. Next, inspect the flow cache for active records.

Finally, review export statistics for errors.
