ENCOR 350-401 (350-401) — Questions 676-750

2015 questions total · 27 pages · All types, answers revealed

Page 10 of 27
676
Matching · medium

Drag and drop each protocol on the left to its matching characteristic on the right.

Concepts
Matches

Uses UDP transport

Encrypts entire packet payload

Why these pairings

RADIUS uses UDP and encrypts only the password; TACACS+ uses TCP and encrypts the entire packet. RADIUS combines authentication and authorization; TACACS+ separates them. RADIUS is commonly used for network access; TACACS+ for device administration.

677
MCQ · medium

Which BGP attribute is preferred when it has the lowest value?

A. WEIGHT
B. LOCAL_PREF
C. MED
D. ORIGIN
Answer: C

MED is the attribute where a lower value is preferred.

Why this answer

BGP uses multiple attributes to determine the best path. The WEIGHT attribute is Cisco-specific and is preferred when it has the highest value, not lowest. The LOCAL_PREF attribute is preferred with the highest value.

The MED (Multi-Exit Discriminator) attribute is preferred with the lowest value. The ORIGIN attribute prefers IGP over EGP and incomplete.

678
MCQ · medium

A network engineer is troubleshooting a problem where Cisco DNA Center is not receiving syslog messages from a critical core switch. The switch is configured to send syslog to the DNA Center's IP address. The engineer checks the DNA Center syslog collector and finds that it is enabled. What should the engineer check next?

A. Verify that the syslog port (UDP 514) is not blocked by a firewall or ACL.
B. Check if the syslog messages are in the correct format.
C. Ensure that the switch is in the Inventory and managed by DNA Center.
D. Restart the syslog collector service on DNA Center.
Answer: A

Correct because syslog uses UDP 514, and if the port is blocked, messages will not reach DNA Center.

Why this answer

Cisco DNA Center's syslog collector listens on specific ports (default UDP 514). If the switch is configured to send syslog but DNA Center is not receiving it, a common issue is that the syslog port is blocked by a firewall or ACL between the switch and DNA Center. The engineer should verify network connectivity and port accessibility.

679
MCQ · medium

Examine the following configuration on a Cisco 9800 WLC:

wireless profile policy test-policy
 no security wpa
 no security wpa2
 security wpa3
 security wpa3 akm sae
 security ft over-the-ds

What is the effect of the 'security ft over-the-ds' command?

A. It enables 802.11r fast roaming using over-the-air messaging.
B. It enables 802.11r fast roaming using the distribution system for key exchange.
C. It disables fast roaming for this policy.
D. It configures the AP to use a different radio band.
Answer: B

Over-the-DS uses the wired network for key distribution.

Why this answer

The 'ft over-the-ds' command enables Fast Transition (802.11r) using the over-the-DS (Distribution System) method, which is used for seamless roaming.

680
MCQ · hard

A network engineer is configuring NetFlow on a Cisco Nexus 7000 switch to monitor traffic between two data centers. The engineer wants to ensure that flow records are exported even if the export destination is temporarily unreachable. Which feature should the engineer enable?

A. Increase the NetFlow export buffer size and configure the export retry interval.
B. Change the export protocol to TCP to ensure reliable delivery.
C. Enable SNMP traps to notify the collector of flow data.
D. Configure IP SLA to monitor the collector and buffer flows locally.
Answer: A

Correct because increasing the buffer allows storing more records during outages, and retry intervals ensure re-transmission attempts.

Why this answer

NetFlow export uses UDP, which is unreliable. Option A is correct because NetFlow export buffer and retry mechanisms (like 'ip flow-export buffer-size' and 'ip flow-export retry') can store and retransmit records. Option B is incorrect because TCP is not supported for NetFlow export.

Option C is incorrect because SNMP traps are not for flow data. Option D is incorrect because IP SLA does not buffer NetFlow records.

681
Matching · easy

Drag and drop each protocol number on the left to its matching protocol on the right.

Concepts
Matches

ICMP

TCP

UDP

OSPF

IGMP

Why these pairings

Protocol 1 is ICMP, 6 is TCP, 17 is UDP, 89 is OSPF, 2 is IGMP.

682
Matching · hard

Drag and drop each OMP attribute on the left to its matching behavior on the right.

Concepts
Matches

Identifies the site from which the route was originated

Indicates the vSmart that injected the route into OMP

Numeric value used to influence route selection (higher is preferred)

32-bit value used for route filtering and policy matching

Transport location (system-ip, color, encapsulation) for reachability

Why these pairings

OMP attributes control route preference, TLOC mapping, and path selection. Site ID identifies the origin site; Originator identifies the vSmart that originated the route; Preference influences route selection; Tag is used for policy matching; TLOC carries the transport location endpoint.

683
Drag & Drop · medium

Drag and drop the NBAR2 application recognition and classification steps into the correct order, from first to last.

Why this order

NBAR2 configuration begins by enabling the protocol discovery, then creating a class map to match the application, a policy map to mark traffic, applying it to the interface, and verifying the classification. NBAR2 uses deep packet inspection to identify applications.

684
MCQ · easy

A network engineer is configuring a new Cisco Catalyst switch to connect to an existing network. The uplink to the distribution switch is configured as a trunk. The engineer wants to ensure that the trunk uses 802.1Q encapsulation and that the native VLAN is set to VLAN 100. The distribution switch is a Cisco Catalyst 3850. Which configuration should the engineer apply on the uplink interface?

A. switchport mode trunk; switchport trunk native vlan 100
B. switchport trunk encapsulation dot1q; switchport mode trunk; switchport trunk native vlan 100
C. switchport mode dynamic desirable; switchport trunk native vlan 100
D. switchport mode trunk; switchport trunk allowed vlan 100
Answer: A

Correct because it sets the trunk and changes the native VLAN to 100.

Why this answer

Option A is correct because on modern Cisco Catalyst switches that run LAN Base or IP Base software, the default trunk encapsulation is 802.1Q, so the 'switchport trunk encapsulation dot1q' command is not required. The 'switchport mode trunk' forces the interface into trunking mode, and 'switchport trunk native vlan 100' sets the native VLAN to 100, which matches the requirement.

Exam trap

Cisco often tests the fact that on modern switches (like the 3850), the 'switchport trunk encapsulation dot1q' command is not available because 802.1Q is the only supported encapsulation, leading candidates to incorrectly include it.

How to eliminate wrong answers

Option B is wrong because on a Catalyst 3850 (which runs IOS XE), the 'switchport trunk encapsulation dot1q' command is not supported; the switch only supports 802.1Q encapsulation and does not accept this command, making it invalid. Option C is wrong because 'switchport mode dynamic desirable' uses DTP to negotiate trunking, which does not guarantee the interface will become a trunk and does not set the native VLAN to 100. Option D is wrong because 'switchport trunk allowed vlan 100' restricts the trunk to only VLAN 100, rather than setting the native VLAN to 100, which is a different function.

685
Drag & Drop · medium

Drag and drop the steps of IPFIX template negotiation and export into the correct order, from first to last.

Why this order

The exporter first sends a template set to the collector, the collector acknowledges, then the exporter sends data records using that template, and templates may be withdrawn or resent periodically.

686
Drag & Drop · medium

Drag and drop the Hierarchical QoS (H-QoS) parent/child policy steps into the correct order, from first to last.

Why this order

H-QoS uses a child policy for per-class actions and a parent policy to shape aggregate traffic. The order ensures child policy is defined first, then parent references it, and finally applied to the interface.

687
Multi-Select · medium

Which two statements about classification and marking in QoS are true? (Choose two.)

Select 3 answers
A. Classification can be based on IP precedence, DSCP, or CoS values.
B. Marking is performed using the 'set' command in a policy-map class configuration.
C. Layer 2 CoS marking uses the first 6 bits of the 802.1Q tag.
D. DSCP uses the first 3 bits of the ToS byte and is not compatible with IP precedence.
E. The 'match ip dscp' command can be used in a class map to match packets based on DSCP values.
Answers: A, B, E

Correct because classification matches existing markings like IP precedence, DSCP, or CoS.

Why this answer

Classification identifies traffic, and marking sets the QoS value. MQC uses class maps and policy maps. Layer 2 marking uses CoS bits, while IP precedence uses the first 3 bits of the ToS byte.

DSCP uses 6 bits and is backward-compatible with IP precedence.

688
MCQ · easy

An engineer is using Ansible to automate the configuration of NTP on a group of Cisco IOS-XE switches. The playbook uses the ios_ntp module. The engineer wants to ensure that the NTP configuration is applied only to switches that are in the 'core' group, not the 'access' group. The inventory file defines these groups. Which Ansible feature should the engineer use to restrict the playbook to the 'core' group?

A. Use the 'when' clause to check if the switch is in the 'core' group using the 'group_names' variable.
B. Set the 'hosts' field in the play to 'core' instead of 'all'.
C. Use the 'limit' option when running the ansible-playbook command to specify the 'core' group.
D. Define a variable in the 'core' group and use 'vars_prompt' to ask the engineer which group to run on.
Answer: B

By setting 'hosts: core', the play will only run on switches that are members of the 'core' group.

Why this answer

Ansible playbooks can target specific groups by specifying the group name in the 'hosts' field of the play. This is the simplest and most direct way to restrict execution to a particular inventory group.

689
MCQ · medium

A data center architect is designing a virtualized environment for a latency-sensitive application. The application requires dedicated CPU cores and memory to avoid performance degradation. Which hypervisor feature should be configured to meet this requirement?

A. Enable CPU pinning and memory reservation for the VM.
B. Use a shared storage solution to reduce I/O latency.
C. Configure the VM with a large vNUMA node to spread memory access.
D. Enable memory overcommitment to maximize utilization.
Answer: A

This guarantees dedicated resources and avoids contention with other VMs.

Why this answer

Option A is correct because CPU pinning binds a VM's virtual CPUs to specific physical cores, ensuring dedicated processing resources and preventing CPU contention from other VMs. Memory reservation guarantees that the specified amount of physical memory is always available to the VM, eliminating the risk of memory swapping or ballooning that would introduce latency. Together, these features provide the deterministic performance required for latency-sensitive applications in a virtualized environment.

Exam trap

Cisco often tests the distinction between resource allocation features that guarantee performance (CPU pinning and memory reservation) versus features that optimize utilization or storage I/O, leading candidates to mistakenly select shared storage or memory overcommitment when the question explicitly demands dedicated resources.

How to eliminate wrong answers

Option B is wrong because shared storage solutions (e.g., NFS, iSCSI, Fibre Channel) address I/O latency for storage access, not CPU or memory contention; the question specifically requires dedicated CPU cores and memory, not storage performance. Option C is wrong because configuring a VM with a large vNUMA node spreads memory access across multiple NUMA nodes, which can increase remote memory access latency and degrade performance for latency-sensitive applications; the goal is to keep memory access local, not spread it. Option D is wrong because memory overcommitment allows the hypervisor to allocate more virtual memory to VMs than physical memory exists, relying on swapping or ballooning to reclaim memory, which introduces unpredictable latency and violates the requirement for dedicated memory.

690
MCQ · medium

Given the configuration:

flow monitor FM-1
 exporter EXPORTER-1
 record netflow ipv4 original-input
 cache timeout active 60
 cache timeout inactive 15
!

What is the effect of the 'cache timeout active 60' command?

A. Flows that are active for more than 60 seconds are exported immediately and then removed from the cache.
B. Flows that are inactive for 60 seconds are exported and removed from the cache.
C. The cache will hold a maximum of 60 active flows at any time.
D. Flow records are sent to the exporter every 60 seconds.
Answer: A

When the active timeout expires, the flow is exported and a new cache entry is created for the continuation.

Why this answer

The 'cache timeout active' command sets the maximum lifetime (in seconds) for an active flow in the cache. After 60 seconds, the flow is exported even if it is still ongoing. This prevents long-lived flows from being delayed indefinitely.

691
MCQ · medium

An organization uses Cisco DNA Center to automate network provisioning. A network engineer deploys a new access switch but finds that the switch does not receive the intended configuration template. The switch appears in DNA Center inventory with status 'Managed'. What is the most likely cause?

A. The switch has not been discovered by DNA Center
B. The switch is not in Plug and Play mode
C. The switch does not have a valid DNA license
D. The switch is not assigned to a site
Answer: D

Site assignment is required for template application.

Why this answer

In Cisco DNA Center, configuration templates are applied based on site assignment. A switch that appears as 'Managed' in inventory has been discovered and is under DNA Center's control, but if it is not assigned to a specific site, DNA Center cannot determine which template to push. Site assignment is a prerequisite for template-based provisioning; without it, the intended configuration will not be deployed.

Exam trap

Cisco often tests the distinction between 'Managed' and 'Provisioned' states, trapping candidates who assume that a device being managed automatically means it has received its configuration.

How to eliminate wrong answers

Option A is wrong because the switch appears in inventory with status 'Managed', which means it has already been discovered by DNA Center. Option B is wrong because Plug and Play (PnP) is a separate provisioning method; DNA Center can apply templates to switches that are not in PnP mode as long as they are managed and site-assigned. Option C is wrong because a valid DNA license is required for advanced features but not for basic template application; the switch being 'Managed' indicates it has the necessary licensing to be under DNA Center control.

692
Drag & Drop · medium

Drag and drop the steps for the DHCP DORA process in the correct order.

Why this order

DHCP uses Discover, Offer, Request, Acknowledge (DORA) for dynamic address assignment.

693
Drag & Drop · medium

Drag and drop the steps of the TACACS+ command authorization flow into the correct order, from first to last.

Why this order

TACACS+ separates authentication, authorization, and accounting. For command authorization, the user authenticates first, then the device sends the command to the TACACS+ server, which checks its authorization policy and responds with permit or deny. The device then executes or blocks the command accordingly.

694
MCQ · medium

Consider this AAA configuration:

aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa accounting exec default start-stop group tacacs+
tacacs-server host 10.0.0.1 key SecretKey
line con 0
 login authentication default
line vty 0 4
 login authentication default

What is the effect of this configuration?

A. All login attempts use local authentication; exec accounting is sent to TACACS+.
B. All login attempts use TACACS+ authentication; exec accounting is local.
C. Console login uses TACACS+; VTY login uses local; accounting is sent to TACACS+.
D. Authentication and authorization are both performed by TACACS+; accounting is local.
Answer: A

Correct. Authentication is local, authorization is local, accounting is sent to TACACS+.

Why this answer

The configuration uses local authentication for all lines, local authorization for exec commands, and sends exec accounting start-stop records to TACACS+. The TACACS+ server is defined but only used for accounting.

695
Matching · medium

Drag and drop each RESTCONF method on the left to its matching NETCONF equivalent on the right.

Concepts
Matches

Retrieve data (equivalent to get or get-config)

Create a new data resource (equivalent to edit-config with create)

Replace an existing resource (equivalent to edit-config with replace)

Partially update a resource (equivalent to edit-config with merge)

Remove a resource (equivalent to edit-config with delete)

Why these pairings

RESTCONF GET retrieves data (like NETCONF get/get-config), POST creates a resource (like edit-config with operation create), PUT replaces a resource (like edit-config with operation replace), PATCH partially updates (like edit-config with operation merge), and DELETE removes a resource (like edit-config with operation delete).

696
MCQ · medium

An engineer is using a Python script to retrieve interface statistics from a Cisco IOS-XE device via the REST API. The script sends a GET request to 'https://device/restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet1/statistics' and receives a 404 Not Found response. The interface exists and is operational. What is the most likely issue?

A. The interface name must be URL-encoded because it contains a slash.
B. The URI is incorrect; statistics are under 'interfaces-state' not 'interfaces'.
C. The device requires authentication; the script must include a valid token.
D. The REST API is not enabled on the device; the engineer must enable it first.
Answer: B

Correct because operational state data like statistics is in the 'interfaces-state' container, while 'interfaces' contains configuration data.

Why this answer

The 404 error indicates the resource was not found. In RESTCONF, interface names that contain special characters such as a slash must be URL-encoded, but 'GigabitEthernet1' contains none, so no encoding is needed here. The issue is that the URI path must match the YANG module structure exactly.

The statistics data is often under a separate container like 'interfaces-state' in the ietf-interfaces model, not directly under 'interface'. The correct URI for operational statistics is typically 'ietf-interfaces:interfaces-state/interface=GigabitEthernet1/statistics'.

697
MCQ · medium

A network engineer is configuring CoPP on a Cisco router to protect the control plane from excessive traffic. The router experiences high CPU utilization due to SSH and SNMP traffic. The engineer creates a class-map to match SSH (TCP/22) and SNMP (UDP/161) and applies a policy-map that polices this traffic to 1 Mbps. After applying the policy, legitimate SSH sessions from the management station start dropping intermittently. What is the most likely cause?

A. The police rate of 1 Mbps is too low for the combined SSH and SNMP traffic from the management station.
B. The CoPP policy is applied to the wrong interface, affecting transit traffic instead of control plane traffic.
C. The class-map should match on DSCP values instead of port numbers to be effective.
D. The policy-map should use the 'drop' action instead of 'police' to protect the control plane.
Answer: A

Correct because the police rate is insufficient, causing drops of legitimate control plane traffic.

Why this answer

CoPP polices traffic destined to the control plane. If the police rate is too low, even legitimate traffic can be dropped. The engineer set a 1 Mbps limit for both SSH and SNMP combined.

If the management station generates bursts above this rate, packets are dropped. Option A is correct because the aggregate police rate may be insufficient. Option B is incorrect because CoPP does not affect transit traffic.

Option C is incorrect because the policy is applied to the control plane, not an interface. Option D is incorrect because the class-map matches both protocols, but the issue is the police rate.

698
MCQ · medium

Which statement about RSPAN is true?

A. RSPAN uses a dedicated VLAN to transport mirrored traffic from source to destination switches.
B. RSPAN can only monitor traffic within the same switch.
C. RSPAN requires the use of ERSPAN encapsulation.
D. RSPAN destination ports must be in trunk mode.
Answer: A

The RSPAN VLAN is used to carry mirrored traffic across the network.

Why this answer

RSPAN uses a dedicated VLAN to transport mirrored traffic across multiple switches, allowing remote monitoring.

699
Matching · medium

Drag and drop each CoS value on the left to its matching traffic type on the right.

Concepts
Matches

Voice payload

Video conferencing

Call signaling

Critical data

Best-effort data

Why these pairings

CoS values are used in 802.1Q frames: CoS 5 for voice, CoS 4 for video, CoS 3 for call signaling, CoS 2 for critical data, CoS 0 for best-effort data.

700
MCQ · hard

A network engineer runs the following command on switch SW6:

SW6# show cts role-based counters
Role-based counters:
Source Group  Dest Group  Packets Sent  Bytes Sent  Packets Denied  Bytes Denied
10            20          1500          120000      0               0
10            30          0             0           500             40000

Based on this output, what can be concluded?

A. Traffic from SGT 10 to SGT 20 is being denied.
B. Traffic from SGT 10 to SGT 30 is being permitted.
C. Traffic from SGT 10 to SGT 20 is being permitted, and traffic from SGT 10 to SGT 30 is being denied.
D. No traffic has been sent between any SGTs.
Answer: C

The counters confirm permit for 10->20 and deny for 10->30.

Why this answer

The output shows packet and byte counters for role-based policies. For source 10 to dest 20, 1500 packets were sent and none denied, indicating a permit policy. For source 10 to dest 30, 0 packets sent and 500 denied, indicating a deny policy.

This matches the permissions seen in a previous question.

701
MCQ · hard

An engineer configures VXLAN EVPN on a Nexus 9000 switch. The configuration is shown. The switch does not advertise any EVPN routes for VNI 10100. Which configuration change is required to fix this issue?

A. Configure "evpn" and "vni 10100 l2" under the BGP address-family l2vpn evpn.
B. Remove the mcast-group from the NVE member, because EVPN uses BGP for control plane.
C. Change the source-interface to a physical interface.
D. Add an IP address to the VLAN 100 interface in the default VRF.
Answer: A

The VNI must be activated under evpn for route advertisement.

Why this answer

Option A is correct because for VXLAN EVPN on a Nexus 9000, the BGP address-family l2vpn evpn must explicitly contain the 'evpn' keyword and the 'vni 10100 l2' command to advertise Layer 2 VNI routes. Without this configuration, BGP does not know to inject the VNI's MAC/VTEP information into the EVPN route table, so no EVPN routes are advertised for VNI 10100.

Exam trap

Cisco often tests the distinction between the NVE interface configuration (which enables VXLAN encapsulation) and the BGP EVPN address-family configuration (which enables route advertisement), leading candidates to mistakenly focus on NVE or interface settings instead of the missing BGP VNI injection.

How to eliminate wrong answers

Option B is wrong because removing the mcast-group from the NVE member would break BUM traffic replication in multicast mode, but the issue is about EVPN route advertisement, not data-plane flooding; EVPN uses BGP for control plane, but the mcast-group is still needed for multicast-based BUM traffic. Option C is wrong because changing the source-interface to a physical interface is not required; a loopback interface is the recommended source for NVE to ensure stability and is not the cause of missing EVPN routes. Option D is wrong because adding an IP address to VLAN 100 interface in the default VRF is unrelated to EVPN route advertisement; VLAN 100 is the Layer 2 VLAN associated with VNI 10100, but its SVI IP is only needed for Layer 3 VNI or gateway functionality, not for advertising EVPN routes.

702
Multi-Select · hard

Which two statements about the interaction between ACLs and CoPP are true? (Choose two.)

Select 2 answers
A. ACLs are used in CoPP class-maps to match specific control-plane traffic types.
B. CoPP can rate-limit ICMP packets destined to the router by using an ACL to match ICMP in the class-map.
C. ACLs applied to interfaces take precedence over CoPP policies for control-plane traffic.
D. CoPP can only use extended ACLs, not standard ACLs, for classification.
E. CoPP policies are applied globally and affect all traffic entering the router, including transit traffic.
Answers: A, B

Correct because CoPP uses class-maps that reference ACLs to identify traffic such as SSH, SNMP, or routing protocol packets.

Why this answer

ACLs are used within CoPP to classify control-plane traffic. CoPP can protect against DoS attacks, and ACLs provide the classification. The incorrect options misstate the order of processing or the scope of CoPP.

703
Matching · medium

Drag and drop each DSCP value on the left to its matching Per-Hop Behavior (PHB) on the right.

Concepts
Matches

Expedited Forwarding

Assured Forwarding class 4, low drop probability

Class Selector 3

Assured Forwarding class 2, medium drop probability

Best-effort

Why these pairings

DSCP values map to specific PHBs: EF is for expedited forwarding, AF41 is Assured Forwarding class 4 low drop, CS3 is class selector 3, AF21 is Assured Forwarding class 2 medium drop, and BE (0) is best-effort.

704
MCQ · medium

A network engineer is configuring NetFlow on a Cisco ISR 4451 router to analyze traffic patterns. The engineer wants to export flow data to a collector every 60 seconds. After applying the configuration, the engineer notices that the export packets are not reaching the collector. The collector is reachable via ICMP. What is the most likely cause?

A. The 'ip flow-export destination' command is missing or specifies an incorrect UDP port number.
B. The router is using TCP for NetFlow export, but the collector only supports UDP.
C. The flow monitor is not applied to any interface, so no flows are being collected.
D. The 'ip flow-export timeout rate' is set too high, causing export packets to be delayed.
Answer: A

Correct because the export destination must include the correct IP and UDP port; if missing or wrong, export packets won't reach the collector.

Why this answer

NetFlow export uses UDP as the transport protocol, and the collector must be listening on the correct UDP port. Option A is correct because the export destination must specify the correct UDP port. Option B is incorrect because NetFlow does not require TCP.

Option C is incorrect because the flow monitor is needed for Flexible NetFlow, but traditional NetFlow uses 'ip flow-export'. Option D is incorrect because the timeout setting affects when flows are exported, not the reachability of export packets.

705
MCQ · easy

A network engineer is designing a QoS policy for a Cisco router that connects to an MPLS VPN. The service provider expects all traffic to be marked with IP Precedence values. The engineer wants to ensure that voice traffic (DSCP EF) is mapped to IP Precedence 5. What configuration is required on the router to perform this mapping?

A. Configure a policy-map that sets the IP precedence to 5 using 'set ip precedence 5'.
B. Configure a policy-map that sets the DSCP to EF, and the router will automatically set IP precedence to 5.
C. Use the 'qos map dscp-ip-precedence' command to create a mapping table.
D. The router will automatically map DSCP EF to IP precedence 5 without any configuration.
Answer: A

Correct because setting IP precedence directly achieves the required marking without needing to map from DSCP.

Why this answer

Option A is correct because the 'set ip precedence 5' command in a policy-map explicitly marks the IP Precedence field to 5, which corresponds to the same value as DSCP EF (46) in the IP header. This ensures that voice traffic is marked with IP Precedence 5 as required by the service provider, regardless of any existing DSCP markings.

Exam trap

Cisco often tests the misconception that DSCP and IP Precedence are automatically synchronized or that a single command like 'set dscp ef' will implicitly set the IP Precedence field, when in fact they are independent markings that require separate configuration.

How to eliminate wrong answers

Option B is wrong because setting DSCP to EF does not automatically set IP Precedence to 5; the router treats DSCP and IP Precedence as separate fields, and explicit configuration is needed to map between them. Option C is wrong because the 'qos map dscp-ip-precedence' command does not exist; it is not a valid Cisco IOS command, and such mappings are typically done via policy-map actions. Option D is wrong because the router does not automatically map DSCP EF to IP Precedence 5; without explicit configuration, the IP Precedence field remains unchanged or is set based on default behavior, which may not meet the service provider's requirement.

706
Matching · medium

Drag and drop each sFlow component on the left to its matching function on the right.

Concepts
Matches

Samples packets and exports flow data

Receives and processes sFlow datagrams

Encapsulation of sampled packet headers and counters

Why these pairings

The sFlow agent samples packets and sends datagrams. The collector receives and analyzes datagrams. The datagram is the packet sent from agent to collector.

707
Matching · medium

Drag and drop each NetFlow version on the left to its matching feature description on the right.

Concepts
Matches

Fixed 7-tuple flow keys, IPv4 only

Template-based, supports IPv6 and MPLS

IETF standard, extensible fields, NetFlow v10

Why these pairings

NetFlow v5 uses fixed 7-tuple keys and is IPv4-only. NetFlow v9 is template-based and supports IPv6 and MPLS. IPFIX (NetFlow v10) is the IETF standard based on v9 with extensible fields.

708
MCQ · medium

Which BGP attribute is preferred when it has the lowest value?

A. Weight
B. Local Preference
C. MED (Multi-Exit Discriminator)
D. Origin
Answer: C

Lower MED is preferred when paths are from the same AS.

Why this answer

In BGP path selection, a lower weight is preferred over a higher weight.

709
Matching · medium

Drag and drop each sFlow component on the left to its matching function on the right.

Concepts
Matches

Samples packets and exports datagrams

Receives and processes sFlow datagrams

Contains sampled packet headers and counters

Why these pairings

sFlow agent: embedded in the network device, samples packets and sends datagrams. sFlow collector: receives and analyzes datagrams. sFlow datagram: the packet sent from agent to collector containing sampled data.

710
Drag & Drop · medium

Drag and drop the steps of VRF selection using policy-based routing into the correct order, from first to last.

Why this order

The correct order begins with creating an extended access-list to match traffic, defining a route-map with a match clause and set vrf command, applying the route-map to the incoming interface, the router evaluating the policy on received packets, and finally forwarding the matched traffic into the specified VRF.

711
MCQ · easy

Which of the following is a valid transport protocol for model-driven telemetry receivers on Cisco IOS-XE?

A. HTTP
B. gRPC
C. FTP
D. SNMP
Answer: B

gRPC is a commonly used transport for model-driven telemetry.

Why this answer

gRPC is a supported transport protocol for telemetry receivers, along with gNMI and others.

712
MCQ · medium

A network engineer is troubleshooting a Layer 2 loop that occurred in a network using Rapid PVST+. The network has three switches: SW1 (root), SW2, and SW3. The engineer examines the topology and finds that SW2 and SW3 are connected via a link that is not supposed to be there. The engineer suspects that an unauthorized switch was connected to the network, causing the loop. The engineer wants to prevent such loops in the future by configuring a feature that will disable any port that receives a BPDU from an unauthorized switch. Which feature should the engineer configure on the access ports?

A. Enable BPDU Guard on all access ports.
B. Enable Loop Guard on all access ports.
C. Enable Root Guard on all access ports.
D. Enable UDLD on all access ports.
Answer: A

Correct because BPDU Guard disables a port if a BPDU is received, preventing unauthorized switches from causing loops.

Why this answer

BPDU Guard is the correct feature because it immediately error-disables a port when a BPDU is received, preventing loops from unauthorized switches. Since the engineer wants to protect access ports from receiving BPDUs (which should never occur on a properly configured access port), BPDU Guard directly addresses the scenario of an unauthorized switch being connected and sending BPDUs.

Exam trap

Cisco often tests the distinction between BPDU Guard and Root Guard, where candidates mistakenly choose Root Guard because they think it protects against unauthorized switches, but Root Guard only prevents a port from becoming root, not from receiving BPDUs and causing loops.

How to eliminate wrong answers

Option B is wrong because Loop Guard prevents alternate or root ports from becoming designated in the absence of BPDUs, but it does not disable a port upon receiving an unexpected BPDU; it only prevents loops caused by unidirectional link failures. Option C is wrong because Root Guard prevents a port from becoming a root port by placing it into a root-inconsistent state if a superior BPDU is received, but it does not disable the port; it still allows BPDU reception and does not block all BPDUs from unauthorized switches. Option D is wrong because UDLD detects and disables ports experiencing unidirectional links, but it does not react to BPDU reception; it uses its own keepalive mechanism and is unrelated to preventing loops from unauthorized switches sending BPDUs.

713
MCQ · medium

An engineer is troubleshooting a problem where a host in VLAN 20 cannot communicate with a host in VLAN 30, even though both are connected to the same access switch. The access switch is configured with VLANs 20 and 30, and the uplink to the distribution switch is a trunk that allows both VLANs. The distribution switch has SVIs for both VLANs and IP routing is enabled. The engineer verifies that the trunk is up and both VLANs are allowed. What is the most likely cause of the communication failure?

A. The hosts are not configured with the correct default gateway pointing to the SVI on the distribution switch.
B. The trunk is not allowing VLAN 20 or VLAN 30.
C. Spanning Tree Protocol is blocking the SVI interfaces.
D. The native VLAN mismatch on the trunk is causing the issue.
Answer: A

Correct because hosts need a default gateway to route traffic to other VLANs; if misconfigured, inter-VLAN communication fails.

Why this answer

Hosts in different VLANs must communicate through a Layer 3 device. The correct default gateway for each host should be the IP address of the SVI on the distribution switch for its respective VLAN. If the hosts are configured with an incorrect or no default gateway, traffic cannot be routed between VLAN 20 and VLAN 30, even though the trunk and SVIs are properly configured.

Exam trap

Cisco often tests the misconception that a properly configured trunk and SVIs alone guarantee inter-VLAN communication, when in fact the hosts must have the correct default gateway configured to reach the SVI.

How to eliminate wrong answers

Option B is wrong because the engineer already verified that the trunk is up and both VLANs are allowed, so a trunk misconfiguration is not the cause. Option C is wrong because Spanning Tree Protocol (STP) operates on Layer 2 interfaces and does not block SVI interfaces; SVIs are virtual Layer 3 interfaces and are not subject to STP blocking. Option D is wrong because a native VLAN mismatch on a trunk would cause issues for untagged traffic (typically management or CDP), but it would not prevent routed communication between hosts in different VLANs if the trunk is up and both VLANs are allowed.

714
Multi-Select · medium

Which two statements about NFV MANO (Management and Orchestration) are true? (Choose two.)

Select 2 answers
A. The VNF Manager (VNFM) is responsible for the lifecycle management of VNF instances, including instantiation and scaling.
B. The NFV Orchestrator (NFVO) coordinates the allocation of resources across multiple VNFs and the NFVI.
C. The Virtualized Infrastructure Manager (VIM) manages the lifecycle of VNFs and their connectivity.
D. The VIM is responsible for service chaining and policy enforcement within the NFV environment.
E. The VNFM is responsible for managing the physical hardware resources in the NFVI.
Answers: A, B

Correct because the VNFM performs operations like instantiation, scaling, updating, and termination of VNFs.

Why this answer

NFV MANO consists of three main components: NFV Orchestrator (NFVO), VNF Manager (VNFM), and Virtualized Infrastructure Manager (VIM). The NFVO coordinates network services across multiple VNFs, the VNFM manages individual VNF instances, and the VIM controls the NFVI resources. Option A is correct because the VNFM handles VNF lifecycle (instantiation, scaling, termination).

Option B is correct because the NFVO coordinates resources across VNFs and the infrastructure. Option C is incorrect because the VIM manages the NFVI, not VNFs. Option D is incorrect because the VIM does not handle service chaining; that is the role of the NFVO.

Option E is incorrect because the VNFM does not manage physical hardware.

715
MCQ · hard

A network engineer runs the following command on Router R8:

    R8# show ip pim neighbor vrf CUSTOMER-F
    Neighbor   Interface               Uptime/Expires     Ver  DR
    10.0.3.2   GigabitEthernet0/0.700  02:00:00/00:01:30  v2   1/ DR
    10.0.4.2   GigabitEthernet0/0.800  01:30:00/00:01:45  v2   0/ NDR (BDR)

Based on this output, what can be concluded?

A. PIM is not configured for VRF CUSTOMER-F
B. The DR is 10.0.4.2
C. PIM is enabled in VRF CUSTOMER-F with a DR and BDR
D. Both neighbors are using PIM version 1
Answer: C

Both neighbors are present with DR and BDR roles.

Why this answer

The output shows two PIM neighbors (10.0.3.2 and 10.0.4.2) with their respective interfaces, uptimes, and DR/BDR roles. The presence of a DR (Designated Router) and BDR (Backup Designated Router) indicates that PIM is enabled and operating in VRF CUSTOMER-F, with the DR being 10.0.3.2 (as shown by '1/ DR') and the BDR being 10.0.4.2 (as shown by '0/ NDR (BDR)'). Therefore, option C is correct.

Exam trap

Cisco often tests the misinterpretation of the DR/BDR column, where candidates mistakenly assume the neighbor with 'BDR' is the DR, or that PIM is not running when neighbors are present.

How to eliminate wrong answers

Option A is wrong because the output clearly shows PIM neighbors with DR/BDR roles, confirming that PIM is configured and active in VRF CUSTOMER-F. Option B is wrong because the DR is 10.0.3.2 (indicated by '1/ DR'), not 10.0.4.2, which is the BDR (Backup Designated Router). Option D is wrong because both neighbors are using PIM version 2 (as shown by 'v2' in the Ver column), not version 1.

716
Drag & Drop · medium

Drag and drop the steps of Unicast Reverse Path Forwarding (uRPF) check process into the correct order, from first to last.

Why this order

uRPF first receives a packet on an interface, then looks up the source IP in the routing table, verifies that the incoming interface matches the best reverse path, and if it matches, forwards the packet; otherwise, it drops the packet.

717
Drag & Drop · medium

Drag and drop the steps of OSPF redistribution from EIGRP with metric conversion into the correct order, from first to last.

Why this order

First, identify the EIGRP routes to redistribute into OSPF. Then, configure the OSPF redistribution command under the OSPF process, specifying the EIGRP AS number. Since OSPF requires a metric for redistributed routes, set the OSPF metric type (E1 or E2) and seed metric.

Optionally, use a route map to filter or modify specific routes. Finally, verify that the redistributed routes appear in the OSPF database and routing table.

718
Multi-Select · medium

Which TWO statements are true about IP SLA? (Choose two.)

Select 2 answers
A. IP SLA is only supported on ASR routers.
B. IP SLA can be used with tracking objects to trigger route changes.
C. IP SLA can measure jitter between two devices.
D. IP SLA uses actual user traffic for measurements.
E. IP SLA can only measure round-trip time, not one-way delay.
Answers: B, C

Option D is correct because IP SLA can be tracked and used for conditional routing.

Why this answer

Option B is correct because IP SLA can be combined with tracking objects and the 'track' command to influence routing decisions. When an IP SLA probe fails or falls below a threshold, the tracked object changes state, which can trigger a route change (e.g., via a static route with a higher administrative distance or a PBR policy). This allows the network to react to network performance or reachability issues automatically.

Exam trap

Cisco often tests the misconception that IP SLA uses real user traffic (Option D) or that it is limited to RTT (Option E), when in fact it generates synthetic probes and can measure one-way delay with proper time synchronization.

719
Matching · medium

Drag and drop each RADIUS attribute name on the left to its matching attribute number on the right.

Concepts
Matches

1

4

6

8

22

Why these pairings

RADIUS attribute numbers are standardized: User-Name=1, NAS-IP-Address=4, Service-Type=6, Framed-IP-Address=8, and Framed-Route=22.

720
Drag & Drop · medium

Drag and drop the steps of SSL VPN (AnyConnect) session establishment into the correct order, from first to last.

Why this order

AnyConnect session establishment begins with the client establishing a TLS tunnel to the ASA headend. The ASA presents its digital certificate for authentication. The client then authenticates the user, and the ASA assigns an IP address from a pool.

Finally, the client installs the virtual adapter and the session is established.

721
Drag & Drop · medium

Drag and drop the steps of deploying a CoPP policy on a Cisco IOS-XE router into the correct order, from first to last.

Why this order

Deploying CoPP requires first defining ACLs to classify traffic, then creating class maps, then a policy map, then applying it to the control plane, and finally verifying the policy.

722
MCQ · medium

A network engineer runs the following command on Switch SW2:

    SW2# show monitor session 2
    Session 2
    ---------
    Type              : Remote Source Session
    Source Ports      :
        TX Only       : Gi1/0/5
        RX Only       : Gi1/0/6
    Destination Ports : Gi1/0/20
    Encapsulation     : Replicate

Based on this output, what can be concluded?

A. This is an RSPAN source session, sending mirrored traffic to a remote VLAN.
B. This is a local SPAN session with bidirectional capture.
C. The destination port Gi1/0/20 is used to receive mirrored traffic from another switch.
D. Both source ports capture all traffic in both directions.
Answer: A

The type 'Remote Source Session' and Replicate encapsulation indicate RSPAN.

Why this answer

The session type is Remote Source Session, indicating this is an RSPAN source switch. Source port Gi1/0/5 captures only transmitted traffic, and Gi1/0/6 captures only received traffic. The destination port uses Replicate encapsulation, which is typical for RSPAN to send traffic to a remote VLAN.

This is part of an RSPAN configuration.

723
MCQ · easy

A network engineer is using Cisco DNA Center to monitor network health. The Assurance dashboard shows that a particular access switch has a high CPU utilization issue. The engineer wants to investigate the root cause using DNA Center's built-in tools. Which feature should the engineer use to analyze the switch's CPU utilization over time?

A. Use the 'Trends' feature in Assurance to view CPU utilization over time.
B. Use the 'Command Runner' to execute 'show process cpu' on the switch.
C. Use the 'Path Trace' tool to analyze traffic paths.
D. Use the 'Software Image Management' to check for software bugs.
Answer: A

Correct because Trends provides historical data for performance metrics, including CPU utilization.

Why this answer

Cisco DNA Center's Assurance module provides historical and real-time data for network devices. The 'Trends' feature allows engineers to view metrics like CPU utilization over a selected time period, helping to identify patterns and root causes.

724
Multi-Select · medium

Which two statements about PIM sparse mode are true? (Choose two.)

Select 2 answers
A. PIM sparse mode uses an explicit join model to receive multicast traffic.
B. PIM sparse mode routers always use the shortest path tree (SPT) immediately after the first packet is received.
C. PIM sparse mode builds a shared tree rooted at the rendezvous point (RP).
D. PIM sparse mode uses a flood-and-prune mechanism to distribute multicast traffic.
E. PIM sparse mode requires the use of a bootstrap router (BSR) to operate.
Answers: A, C

Correct because in PIM sparse mode, receivers must explicitly join via PIM Join messages toward the RP.

Why this answer

PIM sparse mode uses an explicit join model where routers send PIM Join messages toward the RP to join a multicast group. It builds a shared tree (RP-tree) initially, and optionally switches to a source tree (SPT) when traffic exceeds a threshold. PIM dense mode uses flood-and-prune, not sparse mode.

PIM-BSR is one method for RP distribution, but not a requirement for sparse mode operation.

725
Matching · medium

Drag and drop each AAA function on the left to its correct description on the right.

Concepts
Matches

Verifies the identity of a user or device

Determines what resources or commands a user can access

Records user activity for auditing or billing purposes

Why these pairings

Authentication verifies identity, authorization determines allowed actions, and accounting tracks usage for auditing or billing.

726
MCQ · medium

Given the following SNMPv3 configuration on a Cisco IOS-XE router:

    snmp-server group ADMIN v3 priv write ADMINVIEW
    snmp-server user admin ADMIN v3 auth sha cisco123 priv aes 128 cisco456
    snmp-server view ADMINVIEW iso included

What is missing or incorrect in this configuration?

A. The SNMPv3 user 'admin' must also specify an engine ID for the router.
B. The view 'ADMINVIEW' includes the entire ISO tree, which might be too permissive for a restricted write view.
C. The privacy password 'cisco456' must be at least 8 characters long.
D. The group 'ADMIN' must be configured with a read view to allow SNMP get operations.
Answer: B

Using 'iso included' includes all OIDs under the ISO subtree, which is essentially the entire MIB. This could be a security concern if a restricted view was intended.

Why this answer

The SNMPv3 user 'admin' is configured with authentication (SHA) and privacy (AES 128), and the group 'ADMIN' is set with write access to view 'ADMINVIEW'. However, the view 'ADMINVIEW' only includes the 'iso' subtree, which is too broad and may not be appropriate for a restricted view. Additionally, the configuration lacks an 'snmp-server host' command to send traps or informs, but that is not strictly required for SNMP access.

727
MCQ · medium

A network engineer runs the following command on Switch SW1:

    SW1# show spanning-tree vlan 10
    VLAN0010
      Spanning tree enabled protocol ieee
      Root ID    Priority    24586
                 Address     aabb.cc00.0100
                 This bridge is the root
                 Hello Time 2 sec  Max Age 20 sec  Forward Delay 15 sec
      Bridge ID  Priority    24586  (priority 24576 sys-id-ext 10)
                 Address     aabb.cc00.0100
                 Hello Time 2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time 300 sec
    Interface           Role Sts Cost      Prio.Nbr Type
    ------------------- ---- --- --------- -------- ------------------------------
    Gi0/1               Desg FWD 4         128.1    P2p
    Gi0/2               Desg FWD 4         128.2    P2p
    Gi0/3               Desg FWD 4         128.3    P2p

Based on this output, what can be concluded?

A. SW1 is the root bridge for VLAN 10, and all its interfaces are in the Designated role.
B. SW1 is not the root bridge; the root bridge has MAC address aabb.cc00.0100 but is a different switch.
C. SW1 has a port in the Blocking state, preventing loops.
D. The root bridge priority for VLAN 10 is 24576 without the system ID extension.
Answer: A

Correct. The output explicitly states 'This bridge is the root' and all interfaces are Desg FWD.

Why this answer

The output explicitly states 'This bridge is the root' and shows all three interfaces (Gi0/1, Gi0/2, Gi0/3) in the Designated (Desg) role with a Forwarding (FWD) state. In a stable STP topology, only the root bridge has all its active ports as Designated; non-root bridges will have at least one Root port. Therefore, SW1 is the root bridge for VLAN 10, and all its interfaces are in the Designated role.

Exam trap

Cisco often tests the distinction between the configured bridge priority (without the system ID extension) and the effective priority displayed in the 'show spanning-tree' output, leading candidates to mistakenly think the root priority is 24576 when it is actually 24586.

How to eliminate wrong answers

Option B is wrong because the output clearly states 'This bridge is the root' and the Bridge ID address matches the Root ID address (aabb.cc00.0100), confirming SW1 itself is the root bridge, not a different switch. Option C is wrong because all three interfaces show a state of FWD (Forwarding), and no Blocking state is listed; the output shows no blocked ports, so a loop is prevented by the root bridge having all Designated ports. Option D is wrong because the Bridge ID Priority is shown as 24586, which is the sum of the configured priority 24576 and the system ID extension 10 (VLAN 10); the effective root bridge priority is 24586, not 24576 without the extension.

728
MCQ · easy

A network engineer is configuring a new switch that will be used as an access layer switch. The switch connects to two distribution switches via trunk links. The engineer wants to ensure that the access switch does not become the root bridge for any VLAN. The engineer also wants to provide redundancy so that if one uplink fails, the other uplink takes over quickly. The engineer is using Rapid PVST+. What configuration should the engineer apply on the access switch?

A. Configure 'spanning-tree vlan vlan-list priority 61440' on the access switch.
B. Configure 'spanning-tree vlan vlan-list priority 0' on the access switch.
C. Enable UplinkFast on the access switch to provide fast failover.
D. Enable PortFast on the trunk ports to speed up convergence.
Answer: A

Correct because setting the priority to 61440 ensures the access switch will not become root, and Rapid PVST+ provides fast convergence automatically.

Why this answer

Option A is correct because setting the spanning-tree priority to 61440 (which is 0xF000 in hex) makes the switch a very unlikely root bridge candidate. In Rapid PVST+, the bridge priority is a 4-bit value (0-15) multiplied by 4096, so 61440 corresponds to priority 15 — the highest possible value. This ensures the access switch will never become the root bridge for any VLAN, while Rapid PVST+ provides fast failover (sub-second convergence) via its alternate/backup port mechanism without needing UplinkFast.

Exam trap

Cisco often tests the misconception that UplinkFast is needed with Rapid PVST+ for fast failover, but Rapid PVST+ already includes its own fast convergence (based on the 802.1w standard), making UplinkFast obsolete.

How to eliminate wrong answers

Option B is wrong because setting priority 0 makes the switch the most likely root bridge candidate, which directly contradicts the requirement to never become root. Option C is wrong because UplinkFast is a legacy Cisco proprietary feature for 802.1D STP; Rapid PVST+ already provides fast failover (typically 1-2 seconds) via its own convergence mechanism, making UplinkFast unnecessary and redundant. Option D is wrong because PortFast is designed for access ports connected to end hosts to bypass listening/learning states; applying it to trunk ports would disable STP on those links, risking loops and violating the requirement for redundancy with STP protection.

729
Drag & Drop · medium

Drag and drop the steps of TrustSec SGT assignment and propagation via SXP into the correct order, from first to last.

Why this order

SXP propagates SGTs from a classification device to enforcement devices; first the SGT is assigned (e.g., via IP-to-SGT mapping), then SXP sends the binding to an SXP speaker, which forwards it to a listener, who adds it to the local SGT mapping table, enabling enforcement.

730
Matching · medium

Drag and drop each gRPC method on the left to its matching subscription type on the right.

Concepts
Matches

Subscribe to telemetry data streams

Query server capabilities

Retrieve a single snapshot of data

Modify configuration data

Subscribe for a single update then close

Why these pairings

Subscribe is for streaming telemetry, Capabilities for discovery, Get for one-time retrieval, Set for configuration changes, and SubscribeOnce for one-shot subscription.

731
MCQ · medium

A network engineer is configuring QoS on a Cisco Catalyst 9300 switch to prioritize voice traffic. The switch has multiple access ports connected to IP phones and PCs. The engineer applies a policy-map that matches DSCP EF and sets the CoS to 5. However, after testing, the voice packets are not being marked correctly. What is the most likely cause?

A. The policy-map is not applied to the correct interface direction.
B. The switch does not support DSCP-to-CoS mapping.
C. The interface is missing the 'mls qos trust cos' or 'mls qos trust dscp' command.
D. The IP phone is not sending packets with DSCP EF.
Answer: C

Correct because by default, Cisco switches do not trust incoming QoS markings; the trust command must be configured to accept the marking from the IP phone.

Why this answer

On Cisco Catalyst switches like the 9300, QoS marking policies applied via a policy-map only re-mark packets if the interface port is configured to trust a specific marking. Without the 'mls qos trust dscp' command, the switch defaults to an untrusted state and may ignore or overwrite the DSCP-to-CoS mapping set by the policy-map. Option C is correct because the missing trust command prevents the policy-map from correctly applying the CoS 5 marking to voice packets.

Exam trap

Cisco often tests the trust boundary concept, where candidates assume a policy-map alone is sufficient to re-mark packets, but the missing 'mls qos trust' command is the hidden prerequisite that causes the marking to fail.

How to eliminate wrong answers

Option A is wrong because the policy-map direction (input vs. output) is not the core issue here; the problem is that the switch does not trust the incoming DSCP marking, so even if applied in the correct direction, the marking will not be honored. Option B is wrong because the Catalyst 9300 fully supports DSCP-to-CoS mapping via the 'mls qos map dscp-cos' command and the policy-map can perform this mapping when trust is enabled. Option D is wrong because the question states the engineer is matching DSCP EF, implying the IP phone is sending DSCP EF; the failure is in the switch's handling of that marking, not in the phone's transmission.

732
MCQ · medium

Given the following SD-WAN configuration on a Cisco IOS-XE router:

    router ospf 1
     redistribute bgp 65000 subnets
     network 192.168.1.0 0.0.0.255 area 0
    !
    interface GigabitEthernet0/0/0
     ip address 192.168.1.1 255.255.255.0
     ip ospf network point-to-point
    !

Which statement is true?

A. The OSPF network type is point-to-point, so the hello interval defaults to 10 seconds on this interface.
B. The OSPF network type is point-to-point, so the dead interval defaults to 120 seconds.
C. The redistribution of BGP into OSPF will cause OSPF to advertise all BGP routes, including those learned via SD-WAN overlay.
D. The configuration is incomplete because OSPF requires a router-id to be manually configured.
Answer: A

On a point-to-point network type, the default OSPF hello interval is 10 seconds (same as broadcast). This is correct.

Why this answer

Option A is correct because on a Cisco IOS-XE router, when the OSPF network type is set to point-to-point, the default hello interval is 10 seconds (not 30 seconds as on broadcast networks). The dead interval defaults to 40 seconds (four times the hello interval), not 120 seconds. This configuration is valid and does not require a manually configured router-id, as OSPF can dynamically select one.

The redistribution of BGP into OSPF only injects routes that are in the BGP table; it does not automatically include all SD-WAN overlay routes unless they are present in BGP.

Exam trap

Cisco often tests the default OSPF timer values for different network types, specifically tricking candidates into thinking point-to-point uses 30-second hello or 120-second dead intervals, which are actually defaults for NBMA networks.

How to eliminate wrong answers

Option B is wrong because the OSPF dead interval for a point-to-point network defaults to 40 seconds (4 × hello interval of 10 seconds), not 120 seconds. Option C is wrong because the 'redistribute bgp 65000 subnets' command only redistributes BGP routes that are in the BGP routing table; it does not automatically advertise all SD-WAN overlay routes unless they are learned via BGP and meet redistribution criteria (e.g., subnets keyword includes classless prefixes). Option D is wrong because OSPF does not require a manually configured router-id; if none is configured, OSPF automatically selects the highest IP address on a loopback interface or the highest IP address on any active physical interface.

733
Matching · medium

Drag and drop each SD-Access fabric role on the left to its matching function on the right.

Concepts
Matches

Connects the SD-Access fabric to external Layer 2 or Layer 3 networks

Attaches wired endpoints to the fabric and enforces access policies

Hosts the LISP map-server and map-resolver functions

Manages wireless endpoints and integrates with the fabric edge

Provides wireless connectivity and tunnels client traffic to the fabric edge

Why these pairings

The fabric border node connects the fabric to external networks, the fabric edge node connects endpoints to the fabric, and the fabric control node manages LISP mapping and VXLAN tunnels.

734
MCQ · medium

    interface GigabitEthernet0/3
     spanning-tree guard root
    end

What is the effect of this configuration?

A. The port will error-disable if it receives a BPDU that would cause the switch to become a non-root bridge.
B. The port will block all BPDUs received from other switches.
C. The port will become the root port for the VLAN.
D. The port will ignore BPDUs from switches with lower bridge ID.
Answer: A

Root Guard protects the root bridge position by disabling ports that receive superior BPDUs.

Why this answer

Root Guard is enabled on the port, which will error-disable the port if a superior BPDU (indicating a potential root bridge) is received.

735
MCQ · hard

A network engineer runs the following command on Switch SW5:

    SW5# show monitor session 5
    Session 5
    ---------
    Type              : Remote Source Session
    Source Ports      :
        Both          : Gi1/0/1-3
    Destination Ports : Gi1/0/24
    Encapsulation     : Replicate

Based on this output, what can be concluded?

A. Traffic from ports Gi1/0/1-3 is mirrored and sent to a remote VLAN via Gi1/0/24.
B. This is a local SPAN session that sends traffic to Gi1/0/24.
C. The destination port Gi1/0/24 is used to receive mirrored traffic from another switch.
D. Only egress traffic from Gi1/0/1-3 is captured.
Answer: A

The type 'Remote Source Session' and Replicate encapsulation indicate RSPAN source.

Why this answer

This is an RSPAN source session on SW5. Source ports Gi1/0/1-3 capture both directions. The destination port Gi1/0/24 uses Replicate encapsulation, which is typical for RSPAN to send mirrored traffic to a remote VLAN.

This switch is the source of the RSPAN session.

736
MCQ · medium

Consider the following telemetry configuration on a Cisco IOS-XE device:

    telemetry ietf subscription 600
     encoding encode-kvgpb
     filter xpath /interfaces/interface/state
     stream yang-push
     update-policy on-change
     receiver ip address 10.1.1.1 50000 protocol grpc

What is a potential issue with this configuration?

A. The on-change policy will not work without a periodic fallback.
B. The filter XPath is too broad and may cause excessive CPU usage on frequent changes.
C. The receiver IP address must be on the same subnet as the device.
D. The encoding should be encode-xml for on-change subscriptions.
Answer: B

A broad filter like /interfaces/interface/state can cause high CPU if many interfaces change state often.

Why this answer

On-change subscriptions can generate high CPU load if the monitored data changes frequently, which may impact device performance.

737
Multi-Select · hard

Which three statements about virtual networking and hypervisor switches are true? (Choose three.)

Select 3 answers
A. A standard virtual switch (vSwitch) operates at Layer 2 and can forward frames between virtual machines on the same host.
B. A distributed virtual switch (DVS) provides consistent network configuration across multiple ESXi hosts in a cluster.
C. Virtual switches support VLAN tagging using IEEE 802.1Q trunking between the hypervisor and physical switches.
D. Spanning Tree Protocol (STP) must always be enabled on virtual switches to prevent loops in the virtual network.
E. A virtual switch can only be configured with a single port group for all virtual machines.
Answers: A, B, C

Correct because a vSwitch is a Layer 2 switch that connects VMs within a host.

Why this answer

Virtual switches (vSwitch) forward frames between VMs and physical NICs. They support VLANs and port groups. A distributed switch spans multiple hosts.

Virtual switches do not require STP because loops are prevented by design.

738
Multi-Select · medium

Which two statements about the MQC (Modular QoS CLI) classification process are true? (Choose two.)

Select 2 answers
A. A class map can contain multiple match statements that are evaluated using a logical OR when the match-any keyword is configured.
B. In a policy map, class maps are evaluated in the order they are configured, and the first matching class map is applied to the packet.
C. The class-default class is used only when no other class map is defined in the policy map.
D. Match statements in a class map can reference ACLs, NBAR protocols, or CoS values, but not DSCP values.
E. A class map configured with match-all requires that all match statements be true for the packet to belong to that class.
Answers: A, B

Correct. The match-any keyword causes the class map to match a packet if it satisfies any one of the match statements.

Why this answer

The MQC uses class maps to define match criteria; a packet is matched against class maps in the order they appear in the policy map. The first match wins, and if no match occurs, the default class (class-default) is used. Only one match statement per class map is allowed unless the match-any keyword is used.

739
Drag & Drop · medium

Drag and drop the steps of MPLS Traffic Engineering (TE) tunnel setup (RSVP) into the correct order, from first to last.

Why this order

MPLS TE tunnel setup using RSVP begins with IGP extension (OSPF/IS-IS) to flood TE link attributes, then CSPF computes the path, RSVP Path message is sent, RSVP Resv message reserves resources, and finally the tunnel is signaled and installed in the forwarding table.

740
MCQ · medium

```
router bgp 65000
 bgp router-id 10.0.0.1
 neighbor 10.0.0.2 remote-as 65001
 neighbor 10.0.0.2 route-map SET_COMMUNITY in
!
route-map SET_COMMUNITY permit 10
 set community 100:200
!
```

What is the effect of this configuration?

A. Routes received from 10.0.0.2 are tagged with community 100:200, but the community is not sent to other BGP peers unless send-community is configured.
B. Routes received from 10.0.0.2 are tagged with community 100:200 and automatically sent to all neighbors.
C. The route-map is applied to outbound updates to 10.0.0.2, setting community on routes sent to that neighbor.
D. The configuration is invalid because the community must be a string, not a numeric value.
Answer: A

Correct. The route-map sets the community on inbound updates, but without send-community, the community is not propagated.

Why this answer

The route-map SET_COMMUNITY is applied to inbound updates from neighbor 10.0.0.2, so routes received from that neighbor are tagged with community 100:200. However, BGP does not propagate communities to other peers unless the neighbor is explicitly configured with the send-community command. Without send-community, the community attribute is stripped from outbound updates, so the community is not sent to other BGP peers.

Exam trap

Cisco often tests the distinction between inbound and outbound route-map application, and the fact that communities are not automatically sent to peers without explicit send-community configuration, leading candidates to assume the community is propagated by default.

How to eliminate wrong answers

Option B is wrong because BGP does not automatically send communities to all neighbors; the send-community command is required under the neighbor configuration for the community attribute to be included in outbound updates. Option C is wrong because the route-map is applied with the 'in' keyword, meaning it affects inbound routes from 10.0.0.2, not outbound updates to that neighbor. Option D is wrong because the community value 100:200 is a valid numeric format (AS:value) and is perfectly acceptable in BGP configuration.

741
Drag & Drop · medium

Drag and drop the steps of Embedded Packet Capture (EPC) on IOS-XE into the correct order, from first to last.

Why this order

EPC requires defining a capture buffer, defining a capture point, associating them, starting the capture, and then stopping/exporting.

742
MCQ · hard

A network administrator is troubleshooting high CPU utilization on a Catalyst 9300 switch. The output of 'show processes cpu sorted' shows the 'IP Input' process consuming 45% CPU. Which tool should be used to identify the specific packets causing the issue?

A. Use extended ping from the switch to generate traffic.
B. Configure a SPAN session to capture all traffic to the CPU.
C. Check CDP neighbors to see if any devices are flooding.
D. Enable IP traffic export (NetFlow) on the switch.
Answer: D

Option C is correct because NetFlow can identify the flows that are being processed by the CPU.

Why this answer

The 'IP Input' process handles incoming IP packets that require CPU processing, such as routing protocol updates, management traffic, or packets destined to the switch itself. Enabling IP traffic export (NetFlow) on the switch allows the administrator to analyze traffic flows and identify the specific source/destination IP addresses, ports, and protocols consuming CPU cycles, without overwhelming the CPU further. NetFlow provides granular visibility into the types of packets being processed, making it the correct tool for this scenario.

Exam trap

The trap here is that candidates often confuse SPAN (traffic mirroring) with a diagnostic tool, but SPAN does not provide built-in traffic analysis and can worsen CPU load, whereas NetFlow is designed for flow-level analysis without adding significant overhead.

How to eliminate wrong answers

Option A is wrong because extended ping generates ICMP echo requests from the switch, which would add to the CPU load rather than help diagnose the existing high utilization, and it does not capture or analyze the packets already causing the issue. Option B is wrong because configuring a SPAN session to capture all traffic to the CPU would mirror the traffic to a monitoring port, but it does not provide a built-in analysis mechanism on the switch; it requires an external analyzer and could further increase CPU load due to the mirroring process. Option C is wrong because CDP neighbors only provide information about directly connected Cisco devices and their capabilities; checking CDP cannot identify the specific packets causing high CPU utilization, as CDP is a Layer 2 discovery protocol unrelated to IP packet processing.

743
Multi-Select · medium

Which two statements about MPLS label operations are true? (Choose two.)

Select 2 answers
A. The ingress LSR imposes a label onto the packet.
B. The egress LSR removes the label before forwarding the IP packet.
C. The egress LSR pushes a new label onto the packet.
D. Each LSR in the LSP performs label imposition.
E. Transit LSRs perform label imposition.
Answers: A, B

Correct because the ingress LSR pushes the initial label onto the packet.

Why this answer

In MPLS, the ingress LSR imposes (pushes) a label onto the packet. At each intermediate LSR, the label is swapped (the incoming label is replaced with an outgoing label). The egress LSR removes (pops) the label before forwarding the IP packet.

Penultimate Hop Popping (PHP) is a feature where the penultimate router pops the label, so the egress router receives only an IP packet. Option C is incorrect because the egress LSR always pops the label, not pushes. Option D is incorrect because label imposition occurs only at the ingress, not at every LSR.

Option E is incorrect because label swapping is the action at transit LSRs, not label imposition.

744
Drag & Drop · medium

Drag and drop the steps of MSTP region and instance configuration into the correct order, from first to last.

Why this order

MSTP configuration begins with entering MST configuration mode, assigning a region name and revision number, mapping VLANs to instances, and then activating the configuration. Finally, the MST instance priority is set to influence root bridge selection.

745
Drag & Drop · medium

Drag and drop the steps of DNA Center SWIM (Software Image Management) upgrade flow into the correct order, from first to last.

Why this order

SWIM upgrade begins with importing the image, then distributing it to the device, performing a pre-check, activating the image, and finally committing the upgrade.

746
Drag & Drop · medium

Drag and drop the steps of Jinja2 template rendering for device config generation into the correct order, from first to last.

Why this order

The process begins by loading the Jinja2 environment and template file, then defining a dictionary with configuration variables. Next, the template is rendered with those variables, the resulting configuration string is printed or saved, and finally it can be pushed to the device.

747
MCQ · medium

Examine the following configuration:

```
flow record REC-1
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 collect interface input
 collect interface output
 collect counter bytes
 collect counter packets
!
flow monitor MON-1
 record REC-1
 exporter EXPORTER-1
!
interface GigabitEthernet0/1
 ip flow monitor MON-1 input
!
```

What is the purpose of this configuration?

A. It collects NetFlow data for incoming traffic, including source/destination IP, protocol, and byte/packet counts.
B. It collects NetFlow data for both incoming and outgoing traffic on the interface.
C. It configures Flexible NetFlow with a user-defined record that includes TCP flags.
D. It sends flow data to the exporter using IPFIX format.
Answer: A

The match and collect statements define the fields to be recorded; the monitor applies to input traffic.

Why this answer

This configuration defines a custom flow record that captures key fields (source/destination IP, protocol) and collects interface and counter information. The flow monitor applies this record to incoming traffic on GigabitEthernet0/1.

748
MCQ · easy

An engineer is troubleshooting a site-to-site VPN between a Cisco ASA and a Cisco IOS router. The VPN is configured using IKEv1 with pre-shared keys. The tunnel establishes and traffic flows, but after a few hours, the tunnel drops and re-establishes. The engineer checks the logs and sees that the Phase 1 SA is being rekeyed. What is the most likely reason for the tunnel dropping?

A. The Dead Peer Detection (DPD) interval is too short.
B. The IKE Phase 1 lifetime is set too low.
C. The IPsec transform set is misconfigured.
D. The Phase 2 lifetime is longer than Phase 1.
Answer: B

Correct because a short lifetime causes frequent rekeys, which can lead to drops if not synchronized.

Why this answer

IKE Phase 1 SAs have a lifetime; when the lifetime expires, the SA is rekeyed. If the rekey fails or is delayed, the tunnel may drop temporarily. Option B is correct because the lifetime expiration is the most common cause.

Option A is incorrect because DPD is used to detect dead peers, not cause drops. Option C is incorrect because rekeying is normal. Option D is incorrect because the Phase 2 lifetime is separate.

749
MCQ · easy

An Ansible playbook uses the cisco.ios.ios_telemetry module to configure a telemetry subscription:

```yaml
---
- name: Configure telemetry subscription
  hosts: ios_xe
  gather_facts: no
  tasks:
    - name: Create telemetry subscription
      cisco.ios.ios_telemetry:
        state: present
        subscription_id: 300
        receiver:
          ip: 10.1.1.100
          port: 50051
          protocol: grpc-tcp
        source_ip: 10.1.1.1
        encoding: kvgpb
        filter:
          xpath: /interfaces/interface/state/counters
        update_policy:
          period: 10000
```

What is the purpose of the 'state: present' parameter?

A. It ensures the subscription is present in the running configuration.
B. It checks if the subscription is currently active.
C. It removes the subscription if it exists.
D. It displays the current subscription configuration.
Answer: A

state: present creates or updates the subscription to match the desired state.

Why this answer

The 'state: present' parameter ensures that the telemetry subscription is created if it does not exist, or updated if it does. It is a common Ansible module parameter that idempotently manages configuration.

750
MCQ · medium

Examine the following BGP configuration on a Cisco IOS-XE router:

```
router bgp 65000
 bgp default local-preference 150
 neighbor 10.1.1.1 remote-as 65001
 neighbor 10.1.1.1 password cisco123
 neighbor 10.1.1.1 route-map SET-MED out
!
route-map SET-MED permit 10
 set metric 50
```

What is the effect of the route-map on outbound updates to 10.1.1.1?

A. The MED value of routes advertised to 10.1.1.1 is set to 50.
B. The local preference of routes received from 10.1.1.1 is set to 150.
C. The route-map filters routes; only those with metric 50 are advertised.
D. The password is applied to the BGP session, but the route-map is ignored due to the password.
Answer: A

Correct. The route-map sets the MED attribute to 50.

Why this answer

The route-map SET-MED is applied outbound to neighbor 10.1.1.1. It sets the MED (multi-exit discriminator) to 50 for all routes advertised to that neighbor.
