ENCOR 350-401 (350-401) — Questions 826–900

2015 questions total · 27 pages · All types, answers revealed

Page 12 of 27
826
MCQ · easy

A network engineer is configuring a Cisco router to act as a DHCP server for a branch office. The engineer creates a DHCP pool for the 192.168.1.0/24 subnet and configures the default-router (192.168.1.1), dns-server, and domain-name options. Clients obtain IP addresses from the pool but cannot ping their default gateway. The router's LAN interface is up. What is the most likely cause?

A.The router's interface is not configured with an IP address in the 192.168.1.0/24 subnet.
B.The DHCP pool is missing the lease command.
C.The router's interface is administratively down.
D.The ip dhcp excluded-address command is blocking the default gateway IP.
Answer: A

Correct because the gateway address handed out by the pool must be an address the router actually owns on the clients' segment; if the interface is addressed in some other subnet, clients are handed a default gateway they cannot reach.

Why this answer

The DHCP server tells clients where the gateway is, but nothing checks that the address exists on the router. Option B is wrong because the lease command only sets lease duration. Option C is ruled out by the stem (the interface is up), and a down interface would also stop the router from leasing addresses on that segment. Option D is wrong because ip dhcp excluded-address only keeps the server from assigning the gateway's address to a client, which is desirable, and does not block ICMP to it.

827
Drag & Drop · medium

Drag and drop the steps of Rapid PVST+ convergence process into the correct order, from first to last.


Why this order

Rapid PVST+ first elects the root bridge and determines port roles. It then uses synchronization handshakes between bridges to quickly transition ports to forwarding without relying on timers. Edge ports (connected to hosts) immediately transition to forwarding.

Finally, topology change (TC) BPDUs propagate so that switches flush the MAC address entries learned on the affected ports and relearn them over the new topology.

828
Drag & Drop · hard

Drag and drop the steps of OSPF redistribution from EIGRP with metric conversion into the correct order, from first to last.


Why this order

Redistribution requires entering the OSPF process, redistributing EIGRP with the subnets keyword and a seed metric (on the redistribute line or with default-metric, since OSPF cannot derive a cost from the EIGRP composite metric), optionally filtering or tagging routes with a route-map, and then verifying with show ip route ospf and show ip ospf database external. The order ensures the routes are injected as Type 5 LSAs with a usable metric rather than silently dropped.

829
Multi-Select · medium

Which three statements about RRM (Radio Resource Management) in a Cisco wireless LAN are true? (Choose three.)

A.RRM automatically selects the best channel for each AP based on interference measurements.
B.RRM requires a dedicated hardware controller to perform RF calculations.
C.RRM can adjust the transmit power of APs to optimize coverage and reduce co-channel interference.
D.RRM elects an RF group leader that gathers RF measurements from the APs in the RF group and computes channel and power assignments for them.
E.RRM automatically enables client load balancing across APs in the same coverage area.
Answers: A, C, D

Correct because RRM's Dynamic Channel Assignment (DCA) algorithm uses real-time RF data to assign channels with minimal interference.

Why this answer

RRM dynamically adjusts channel (DCA) and transmit power (TPC) from the neighbor and interference measurements the APs report, and an elected RF group leader (a controller, not an AP) runs the algorithms for the whole RF group on a schedule or when triggered. It does not require a dedicated hardware controller (it runs on the WLC, physical or virtual) and it does not enable client load balancing (aggressive load balancing is a separate feature).

830
MCQ · hard

A network engineer runs the following command on Router R6:

```
R6# show policy-map interface GigabitEthernet0/1
GigabitEthernet0/1

  Service-policy output: QOS_POLICY

    Class-map: VOICE (match-any)
      500 packets, 50000 bytes
      5 minute offered rate 50000 bps, drop rate 0 bps
      Match: ip dscp ef (46)
      Queueing
      strict priority
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 500/50000
      police cir 1000000 bc 15625 be 15625
        conformed 500 packets, 50000 bytes; actions: transmit
        exceeded 0 packets, 0 bytes; actions: drop
        violated 0 packets, 0 bytes; actions: drop

    Class-map: DATA (match-any)
      1000 packets, 100000 bytes
      5 minute offered rate 100000 bps, drop rate 0 bps
      Match: ip dscp af31 (26)
      Queueing
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 1000/100000
      bandwidth remaining percent 50

    Class-map: class-default (match-any)
      2000 packets, 200000 bytes
      5 minute offered rate 200000 bps, drop rate 0 bps
      Match: any
      Queueing
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 2000/200000
      bandwidth remaining percent 50
```

Based on this output, what can be concluded?

A.Voice traffic is being dropped because it exceeds the police rate.
B.Data traffic is being guaranteed 50% of the remaining bandwidth.
C.All traffic is being shaped to a CIR of 1 Mbps.
D.The policy-map is applied to input traffic.
Answer: B

The DATA class has 'bandwidth remaining percent 50', meaning it gets 50% of the bandwidth left after priority queuing.

Why this answer

The VOICE class uses strict priority queuing and is policing at 1 Mbps. The offered rate for voice is 50 kbps, well below the police rate, so all voice packets are conforming and transmitted. The DATA and class-default classes share remaining bandwidth equally (50% each).

The total offered rate is 350 kbps, and since the interface bandwidth is likely higher, no drops occur.
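As an added illustration (not part of the original question or its answer key), here is a small Python parser for the `show policy-map interface` output above, reflowed one field per line the way IOS prints it. The counters it extracts are exactly the ones the answer turns on: policer conform/exceed/violate counts against the CIR, queue drops, and `bandwidth remaining percent`. The class names, rates and counters are the question's own; the function and variable names are mine.

```python
import re

# The question's R6 output, reflowed one field per line as IOS prints it (constructed reflow).
SHOW_POLICY_MAP = """\
GigabitEthernet0/1

  Service-policy output: QOS_POLICY

    Class-map: VOICE (match-any)
      500 packets, 50000 bytes
      5 minute offered rate 50000 bps, drop rate 0 bps
      Match: ip dscp ef (46)
      Queueing
      strict priority
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 500/50000
      police cir 1000000 bc 15625 be 15625
        conformed 500 packets, 50000 bytes; actions: transmit
        exceeded 0 packets, 0 bytes; actions: drop
        violated 0 packets, 0 bytes; actions: drop

    Class-map: DATA (match-any)
      1000 packets, 100000 bytes
      5 minute offered rate 100000 bps, drop rate 0 bps
      Match: ip dscp af31 (26)
      Queueing
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 1000/100000
      bandwidth remaining percent 50

    Class-map: class-default (match-any)
      2000 packets, 200000 bytes
      5 minute offered rate 200000 bps, drop rate 0 bps
      Match: any
      Queueing
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 2000/200000
      bandwidth remaining percent 50
"""

def parse_policy_map(text):
    """Return {class_name: counters}; only the fields an operator reads first."""
    classes, cur = {}, None
    for raw in text.splitlines():
        s = raw.strip()
        if m := re.match(r"Class-map: (\S+)", s):
            cur = classes.setdefault(m.group(1), {"priority": False, "police": None, "total_drops": 0})
        elif cur is None:
            continue
        elif m := re.match(r"(\d+) packets, (\d+) bytes$", s):
            cur["packets"], cur["bytes"] = int(m.group(1)), int(m.group(2))
        elif m := re.search(r"offered rate (\d+) bps, drop rate (\d+) bps", s):
            cur["offered_bps"], cur["drop_bps"] = int(m.group(1)), int(m.group(2))
        elif s.startswith("strict priority"):
            cur["priority"] = True
        elif m := re.match(r"police cir (\d+) bc (\d+) be (\d+)", s):
            cur["police"] = {"cir": int(m.group(1)), "bc": int(m.group(2)), "be": int(m.group(3))}
        elif m := re.match(r"(conformed|exceeded|violated) (\d+) packets", s):
            cur["police"][m.group(1)] = int(m.group(2))
        elif m := re.match(r"bandwidth remaining percent (\d+)", s):
            cur["bw_remaining_pct"] = int(m.group(1))
        elif m := re.match(r"\(queue depth/total drops/no-buffer drops\) \d+/(\d+)/\d+", s):
            cur["total_drops"] = int(m.group(1))
    return classes

def findings(classes):
    """The conclusions the answer key draws, derived from counters rather than eyeballed."""
    notes = []
    for name, c in classes.items():
        p = c["police"]
        if p:
            dropped = p.get("exceeded", 0) + p.get("violated", 0)
            if dropped:
                notes.append(f"{name}: policer dropping {dropped} packets above CIR {p['cir']} bps")
            elif c.get("offered_bps", 0) < p["cir"]:
                notes.append(f"{name}: offered {c['offered_bps']} bps under CIR {p['cir']} bps, all conforming")
        if c["total_drops"]:
            notes.append(f"{name}: {c['total_drops']} queue drops")
        if "bw_remaining_pct" in c:
            notes.append(f"{name}: guaranteed {c['bw_remaining_pct']}% of bandwidth left after priority traffic")
    notes.append(f"aggregate offered rate {sum(c.get('offered_bps', 0) for c in classes.values())} bps")
    return notes

if __name__ == "__main__":
    print("\n".join(findings(parse_policy_map(SHOW_POLICY_MAP))))
```

Run against a live device by feeding it the output of the same command from Netmiko or a saved capture; a non-zero exceeded or violated count on the VOICE class is what would make option A true, and it is exactly the field to alarm on when a priority queue starts starving.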

831
Drag & Drop · medium

Drag and drop the steps of Ansible inventory grouping and variable inheritance into the correct order, from first to last.


Why this order

In Ansible, inventory grouping starts with defining hosts and groups (including child groups), then attaching variables at each level. Precedence runs from least to most specific: variables on the all group are overridden by parent groups, those by child groups, and those by host-specific variables (host_vars), which is where connection details such as ansible_host normally live. Groups at the same depth are applied alphabetically unless ansible_group_priority changes the order.
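Added example (not from the original page): a Python resolver that applies Ansible's group-variable precedence to a small constructed inventory, so the merge order described above can be watched rather than memorised. Group, host and variable names are hypothetical. The tie-break for groups at the same depth follows Ansible's documented rule: alphabetical order unless ansible_group_priority is set, with higher priority applied last and therefore winning.

```python
# Constructed inventory (hypothetical names), the dict form of a YAML inventory:
# group -> hosts / children / vars. `all` is the root that every group descends from.
INVENTORY = {
    "all":        {"children": ["network", "datacenter"],
                   "vars": {"ntp_server": "10.0.0.1", "ansible_user": "netops"}},
    "network":    {"children": ["switches", "routers"],
                   "vars": {"ansible_network_os": "ios", "snmp_community": "public"}},
    "switches":   {"hosts": ["sw1", "sw2"], "vars": {"snmp_community": "ro-switches"}},
    "routers":    {"hosts": ["rtr1"], "vars": {}},
    "datacenter": {"hosts": ["sw2"], "vars": {"ntp_server": "10.9.9.9"}},
}
HOST_VARS = {"sw2": {"ansible_host": "192.0.2.20", "snmp_community": "sw2-only"}}

def group_depth(inv, name):
    """Distance from `all`; deeper (child) groups are applied later and therefore win."""
    parents = [g for g, d in inv.items() if name in d.get("children", [])]
    return 0 if not parents else 1 + max(group_depth(inv, p) for p in parents)

def groups_of(inv, host):
    """Every group the host belongs to, directly or through a parent chain, plus `all`."""
    found = {g for g, d in inv.items() if host in d.get("hosts", [])}
    todo = list(found)
    while todo:
        child = todo.pop()
        for parent, d in inv.items():
            if child in d.get("children", []) and parent not in found:
                found.add(parent)
                todo.append(parent)
    found.add("all")
    return found

def resolve_vars(inv, host_vars, host):
    """Merge in Ansible's order: all -> parent groups -> child groups -> host_vars.
    Same-depth groups are applied alphabetically unless ansible_group_priority is set
    (higher priority is applied last, so it wins). Returns (variables, order_applied)."""
    order = sorted(groups_of(inv, host),
                   key=lambda g: (group_depth(inv, g),
                                  inv[g].get("vars", {}).get("ansible_group_priority", 1), g))
    merged = {}
    for g in order:
        merged.update(inv[g].get("vars", {}))
    merged.update(host_vars.get(host, {}))
    return merged, order + (["host_vars"] if host in host_vars else [])

if __name__ == "__main__":
    for h in ("sw1", "sw2", "rtr1"):
        print(h, *resolve_vars(INVENTORY, HOST_VARS, h))
```

sw2 is the instructive case: it sits in both switches (depth 2) and datacenter (depth 1), so datacenter's ntp_server beats the all-level default, but the switches community string is itself overridden by the host-level one. The same layering is why a credential accidentally placed in group_vars/all.yml is the hardest one to notice being inherited.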

832
MCQ · medium

A Python script using Netmiko to configure telemetry on a Cisco IOS-XE device:

```python
from netmiko import ConnectHandler

# Connection parameters; 'cisco_ios' is the Netmiko device_type for both IOS and IOS-XE.
device = {
    'device_type': 'cisco_ios',
    'host': '192.168.1.1',
    'username': 'admin',
    'password': 'cisco',
}

connection = ConnectHandler(**device)

# Model-driven telemetry: a gRPC dial-out subscription that pushes interface
# counters to the collector every 10000 centiseconds (100 s).
config_commands = [
    'telemetry ietf subscription 200',
    'encoding encode-kvgpb',
    'filter xpath /interfaces/interface/state/counters',
    'stream yang-push',
    'update-policy periodic 10000',
    'source-address 10.1.1.1',
    'receiver ip address 10.1.1.100 50051 protocol grpc-tcp',
]
output = connection.send_config_set(config_commands)
print(output)
connection.disconnect()
```

What is the expected outcome of this script?

A.The script will configure the telemetry subscription and print the configuration output.
B.The script will fail because 'telemetry ietf subscription' is not a valid command.
C.The script will fail because 'send_config_set' requires a list of strings.
D.The script will fail because the device_type should be 'cisco_xe'.
Answer: A

The script uses correct Netmiko syntax and valid IOS-XE commands.

Why this answer

The script connects to the device, enters configuration mode, applies the telemetry subscription commands, and prints the output. The commands are syntactically correct for IOS-XE, so the configuration should be applied successfully.

833
Multi-Select · medium

Which two statements about Cisco DNA Center automation workflows are true? (Choose two.)

A.Cisco DNA Center supports Plug and Play (PnP) for zero-touch deployment of new switches and routers.
B.Cisco DNA Center can push configuration templates to devices using CLI commands or REST API calls.
C.Cisco DNA Center requires an external APIC-EM controller to manage device discovery and inventory.
D.Cisco DNA Center automation is limited to GUI-based workflows and does not support any programmatic interfaces.
E.Cisco DNA Center uses Cisco ISE as the primary source for device discovery and network topology mapping.
Answers: A, B

Correct because PnP is a built-in feature of DNA Center that automates the initial provisioning of network devices without manual intervention.

Why this answer

Cisco DNA Center uses intent-based networking to automate network changes. The correct answers highlight key automation capabilities: PnP for zero-touch provisioning and the ability to push configuration templates via CLI or REST API. The wrong answers misstate the role of APIC-EM (a predecessor), the GUI-only limitation, and the integration with ISE for policy rather than device discovery.

834
MCQ · medium

A network engineer runs the following command on Router R1:

```
R1# show mpls ldp neighbor
    Peer LDP Ident: 10.0.0.2:0; Local LDP Ident 10.0.0.1:0
        TCP connection: 10.0.0.2.646 - 10.0.0.1.49231
        State: Oper; Msgs sent/rcvd: 100/95; Downstream
        Up time: 01:23:45
        LDP discovery sources:
          GigabitEthernet0/0, Src IP addr: 192.168.1.2
        Addresses bound to peer LDP Ident:
          10.0.0.2        192.168.1.2
```

Based on this output, what can be concluded?

A.The LDP session is not yet established.
B.The LDP session is using TCP port 646.
C.The LDP neighbor is using a different router ID than 10.0.0.2.
D.The LDP session has been up for 23 hours and 45 minutes.
Answer: B

The TCP connection shows port 646, which is the well-known port for LDP.

Why this answer

The output shows an LDP neighbor with peer LDP identifier 10.0.0.2:0. The state is Operational, meaning the LDP session is established. The discovery source is GigabitEthernet0/0 with source IP 192.168.1.2.

The peer's addresses include the LDP router ID and the interface IP. The peer side of the TCP connection is port 646, the well-known LDP port; the local side uses an ephemeral port. Up time 01:23:45 is hh:mm:ss, so 1 hour, 23 minutes and 45 seconds, not 23 hours (D).

835
Multi-Select · medium

Which two statements about SPAN and RSPAN are true? (Choose two.)

A.SPAN mirrors traffic only on the local switch.
B.RSPAN uses a dedicated VLAN to transport mirrored traffic across multiple switches.
C.SPAN can be used to mirror traffic between switches without additional configuration.
D.RSPAN source and destination ports must reside on the same switch.
E.RSPAN requires a separate management VLAN to function.
Answers: A, B

Correct because SPAN is local to the switch where the source ports reside.

Why this answer

SPAN mirrors traffic locally on the same switch; RSPAN uses a dedicated RSPAN VLAN to carry mirrored traffic across switches to a destination port elsewhere. Both SPAN and RSPAN can monitor ingress (rx), egress (tx), or both on their source ports.

SPAN cannot span switches without RSPAN or ERSPAN (C). RSPAN exists precisely so that the source and destination can be on different switches (D), and it needs a dedicated VLAN declared remote-span on every switch in the path, not a separate management VLAN (E). Treat that VLAN as sensitive: anyone able to attach to it sees the mirrored traffic, so prune it from trunks that do not need to carry it.

836
MCQ · medium

Consider this configuration:

```
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
```

Which statement is true about this configuration?

A.The native VLAN 10 cannot be used as a routed interface because it is the native VLAN.
B.The trunk will only allow VLANs 10, 20, and 30, and VLAN 10 is the native VLAN.
C.The SVI for VLAN 10 will not come up because the native VLAN must be untagged.
D.The configuration is invalid because the native VLAN must be the same as the management VLAN.
Answer: B

The 'allowed vlan' command restricts the trunk to VLANs 10, 20, and 30, and 'native vlan 10' sets VLAN 10 as the native VLAN.

Why this answer

Option B is correct because the configuration explicitly permits VLANs 10, 20, and 30 on the trunk using the 'switchport trunk allowed vlan' command, and VLAN 10 is set as the native VLAN with the 'switchport trunk native vlan 10' command. The native VLAN carries untagged traffic on the trunk, but it is still a valid VLAN that can be included in the allowed list and can have an SVI for routing. The SVI for VLAN 10 will come up as long as the VLAN exists and there is at least one active switchport in that VLAN, which is satisfied by the trunk port. Validity aside, making a routed, in-use VLAN the native VLAN is poor practice: untagged frames arriving on the trunk land in VLAN 10, which is what double-tagging VLAN-hopping attacks exploit. Production designs use a dedicated, unused native VLAN (or tag it with 'vlan dot1q tag native') and keep SVIs off it.

Exam trap

Cisco often tests the misconception that the native VLAN cannot be used for routing or that it must be excluded from the allowed VLAN list, but in reality, the native VLAN is simply the VLAN that carries untagged frames and can be included in the allowed list and have an SVI.

How to eliminate wrong answers

Option A is wrong because the native VLAN can absolutely be used as a routed interface; the SVI for VLAN 10 will function normally, and there is no restriction that prevents a native VLAN from having an IP address. Option C is wrong because the native VLAN being untagged on the trunk does not prevent the SVI from coming up; the SVI is a Layer 3 interface that is independent of whether the VLAN traffic is tagged or untagged on the physical port. Option D is wrong because there is no requirement that the native VLAN must match the management VLAN; the management VLAN is typically used for out-of-band management traffic and can be any VLAN, while the native VLAN is a trunk-specific concept for untagged frames.

837
Multi-Select · easy

Which TWO methods can be used to prevent unauthorized access to the privileged EXEC mode on a Cisco router? (Choose two.)

A.Enable AAA authentication.
B.Configure the enable secret password.
C.Use the service password-encryption command.
D.Configure the enable password.
E.Configure login local on the console line.
Answers: B, D

Both commands put a password on the transition into privileged EXEC; enable secret is the one to actually deploy.

Why this answer

The privileged EXEC mode (enable mode) is protected by either the `enable password` or `enable secret` command. `enable secret` stores a one-way hash (Type 5 MD5-crypt; Type 8 PBKDF2-SHA-256 or Type 9 scrypt on current IOS and IOS-XE) and is the recommended method. `enable password` stores the string in cleartext (Type 0) or, with service password-encryption, as reversible Type 7, which anyone with the configuration can recover. Both commands still restrict access to privileged EXEC by requiring a password at `enable`, which is what the question asks; when both are configured, the secret is the one that is checked.

Exam trap

Cisco often tests the distinction between commands that protect privileged EXEC mode (enable password/secret) versus commands that protect user EXEC mode (login local) or merely obscure passwords (service password-encryption), leading candidates to select options that do not actually control access to the enable prompt.
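Added example (not part of the question bank): the reason `service password-encryption` only obscures passwords is that Type 7 is a fixed-key XOR with a two-digit starting offset. The Python below implements it in both directions and adds a small config auditor that labels each stored credential as cleartext, reversible Type 7, or a one-way hash. The key string is the well-known Type 7 constant; the sample configuration is constructed, and the Type 5 string in it is a sample hash, not one taken from a real device.

```python
import re

# The fixed key every IOS image uses for Type 7 ("service password-encryption").
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def type7_decrypt(encoded):
    """Two decimal digits give the key offset; each following hex byte is XORed with the key."""
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(data)).decode()

def type7_encrypt(plaintext, offset=8):
    """The inverse, to make the point: there is no secret involved, only the key string above."""
    data = plaintext.encode()
    body = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return f"{offset:02d}{body.hex().upper()}"

HASH_TYPES = {"5": "Type 5 MD5-crypt hash", "8": "Type 8 PBKDF2-SHA-256 hash", "9": "Type 9 scrypt hash"}

def audit_config(config):
    """Classify each stored credential: cleartext, reversible Type 7, or a one-way hash."""
    findings = []
    for line in config.splitlines():
        s = line.strip()
        if m := re.search(r"(?:^|\s)password 7 (\S+)", s):
            findings.append((s, "Type 7, recoverable: " + type7_decrypt(m.group(1))))
        elif m := re.match(r"enable secret (\d) ", s):
            findings.append((s, HASH_TYPES.get(m.group(1), "hash")))
        elif re.search(r"(?:^|\s)password (?:0 )?\S+$", s):
            findings.append((s, "cleartext (Type 0)"))
    return findings

# Constructed running-config excerpt. 0822455D0A16 and 00071A150754 both encode "cisco";
# the Type 5 string is a sample hash, not taken from a real device.
SAMPLE_CONFIG = """\
enable password 7 0822455D0A16
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username admin password 7 00071A150754
line con 0
 password letmein
 login
line vty 0 4
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for line, verdict in audit_config(SAMPLE_CONFIG):
        print(f"{verdict:40} <- {line}")
```

The auditor is the useful part operationally: run it over configuration backups and anything it reports as Type 7 or cleartext should be migrated to `enable secret` / `username ... secret`, because the backup itself is now a credential store.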

838
MCQ · easy

An engineer is deploying a virtual router (vRouter) on a Cisco NFVIS host. The vRouter needs to advertise routes to a physical router connected to the host's management port. The engineer configures the vRouter with an IP address on the same subnet as the management port. However, the physical router does not receive any routing updates. What should the engineer do to enable route exchange?

A.Configure a static route on the vRouter pointing to the physical router.
B.Enable OSPF on the vRouter's management interface.
C.Change the management port to a trunk port to carry routing updates.
D.Connect the vRouter to a data plane interface (e.g., a bridge connected to a physical data port) instead of the management port.
Answer: D

Correct because routing protocols should run over data plane interfaces, not the management port.

Why this answer

Option D is correct because in Cisco NFVIS, the management port is isolated from the data plane and is intended only for out-of-band management traffic. Routing protocols like OSPF or BGP cannot exchange routes over the management interface because it lacks the necessary data-plane forwarding capabilities. To advertise routes to a physical router, the vRouter must be connected to a data plane interface, such as a bridge mapped to a physical data port, which supports routing protocol adjacency and packet forwarding.

Exam trap

Cisco often tests the misconception that the management port can be used for data-plane functions like routing protocol exchange, when in fact NFVIS strictly isolates management traffic to a separate bridge that does not support Layer 3 routing adjacencies.

How to eliminate wrong answers

Option A is wrong because configuring a static route on the vRouter pointing to the physical router would only install a route in the vRouter's routing table; it does not cause the vRouter to advertise routes to the physical router, so no route exchange occurs. Option B is wrong because enabling OSPF on the vRouter's management interface is ineffective; the management port in NFVIS is a control-plane-only interface that does not support routing protocol adjacency or data-plane forwarding, so OSPF neighbors will not form. Option C is wrong because changing the management port to a trunk port does not enable routing protocol exchange; the management port is still isolated from the data plane and cannot carry routing updates regardless of trunking configuration.

839
MCQ · medium

A network administrator is deploying QoS in a converged network. Which approach correctly implements trust boundaries and marking?

A.Set trust boundary at the access layer switch and re-mark packets based on source.
B.Configure marking only at the core layer to simplify policy.
C.Trust only the distribution layer switches to mark traffic.
D.Trust the DSCP values set by IP phones and workstations.
Answer: A

The access layer is the ideal trust boundary to enforce QoS policies.

Why this answer

Option A is correct because in a converged network, trust boundaries should be established at the access layer to ensure that marking decisions are made as close to the source as possible. By setting the trust boundary at the access layer switch and re-marking packets based on source (e.g., trusting only IP phones while re-marking workstation traffic), the network can enforce policy before traffic enters the core, preventing unauthorized or misconfigured endpoints from influencing QoS markings. This aligns with Cisco's best practice of trusting only known devices and re-marking all other traffic to a default or lower priority.

Exam trap

Cisco often tests the misconception that trust boundaries should be placed at the distribution or core layer for simplicity, but the trap is that marking must happen at the access layer to prevent untrusted endpoints from injecting high-priority traffic into the network.

How to eliminate wrong answers

Option B is wrong because configuring marking only at the core layer violates the principle of trust boundaries; marking should occur at the access layer to prevent congestion and ensure policy is applied early, and relying solely on core marking can lead to oversubscription and loss of differentiation. Option C is wrong because trusting only the distribution layer to mark traffic introduces unnecessary latency and complexity, and it fails to protect the network from untrusted endpoints at the access edge, which is the correct location for trust boundaries. Option D is wrong because while IP phones can be trusted to set correct DSCP values (e.g., EF for voice), workstations should never be trusted to mark their own traffic, as they may be compromised or misconfigured; the trust boundary must differentiate between trusted and untrusted sources.

840
MCQ · hard

A security engineer is configuring CoPP (Control Plane Policing) on a Cisco router to protect the control plane from DoS attacks. The policy must rate-limit SSH traffic to 1 Mbps with a burst of 2000 bytes, and drop all other traffic destined to the control plane that exceeds a default rate. Which class-map and policy-map configuration is correct?

A.
```
class-map match-all SSH
 match protocol ssh
policy-map COPP
 class SSH
  police 1000000 2000 conform-action transmit exceed-action drop
```
B.
```
class-map match-all SSH
 match access-group name SSH_ACL
policy-map COPP
 class SSH
  police 1000000 2000 conform-action transmit exceed-action drop
 class class-default
  police 8000 conform-action transmit exceed-action drop
```
C.
```
class-map match-all SSH
 match protocol ssh
policy-map COPP
 class SSH
  police 1000000 2000 conform-action transmit exceed-action drop
 class class-default
  police 8000 conform-action transmit exceed-action drop
```
D.
```
class-map match-all SSH
 match protocol ssh
policy-map COPP
 class SSH
  police 2000 1000000 conform-action transmit exceed-action drop
```
Answer: B

Correct: classifies SSH with an access list (the classification method control-plane service policies support), polices it at 1 Mbps with a 2000-byte burst, and polices class-default so that all other control-plane traffic above the default rate is dropped.

Why this answer

Option B is correct because a control-plane service policy classifies traffic with access lists plus a small set of fixed criteria (DSCP, IP precedence, match protocol arp); NBAR-based 'match protocol ssh' is not a supported match criterion in a CoPP class-map. SSH_ACL would permit TCP/22 from the management stations to the router's own addresses. The SSH class is policed at 1,000,000 bps with a 2000-byte normal burst, and class-default is policed at 8000 bps with exceed-action drop, so anything not explicitly classified is rate-limited rather than reaching the CPU unchecked.

Exam trap

Two traps: forgetting that without a class-default policer all unmatched control-plane traffic is admitted unpoliced, and reaching for 'match protocol ssh' because it looks more direct than an ACL. CoPP is a place where the ACL is the right tool, and it should be tight (the management stations' source networks, not any). Also watch the order of the police parameters: rate first, then burst.

How to eliminate wrong answers

Option A is wrong because it has no class-default policer, so all non-SSH control-plane traffic is admitted unpoliced, failing the second requirement; it also relies on the unsupported NBAR match. Option C has the right policers but the wrong classifier: 'match protocol ssh' is not accepted in a control-plane class-map, so the SSH class would not classify as intended. Option D swaps the police parameters: the syntax is police <rate-bps> <burst-bytes>, so 'police 2000 1000000' means 2000 bps with a 1,000,000-byte burst, nowhere near the 1 Mbps requirement, and it also lacks a class-default policer.

841
Multi-Select · hard

Which two statements about multicast RPF check are true? (Choose two.)

A.The RPF check uses the unicast routing table (or a dedicated multicast routing table) to determine the best path back to the multicast source.
B.If the RPF check fails, the multicast packet is dropped to prevent routing loops.
C.The RPF check is performed only on the first packet of a multicast stream; subsequent packets are forwarded without verification.
D.The RPF check compares the multicast group address against the routing table.
E.The RPF check is only relevant for PIM-SM and not for PIM-DM.
Answers: A, B

Correct because the RPF check compares the source IP address of the multicast packet against the routing table (RIB or MRIB) to find the outgoing interface toward the source; the packet is accepted only if it arrives on that interface.

Why this answer

RPF check is a fundamental loop prevention mechanism in multicast. It verifies that the incoming interface of a multicast packet is the same interface the router would use to reach the source. If the check fails, the packet is dropped.

RPF is performed on every multicast packet, not only the first (C). It keys on the source address, never the group address (D). It can be steered with a static mroute (ip mroute) when the unicast path toward the source differs from the path multicast should take, and it applies to PIM-DM as well as PIM-SM (E).
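Added example (not part of the original question): a Python model of the RPF decision on a hypothetical router, with a constructed unicast RIB and a handful of constructed packets. It follows the IOS lookup rule of longest prefix match across static mroutes and the unicast table, with the static mroute (administrative distance 0) winning a tie, and it drops rather than forwards on failure. Interface names, prefixes and next hops are invented for the illustration.

```python
import ipaddress

# Constructed unicast RIB for a hypothetical router: prefix -> (next hop, outgoing interface).
UNICAST_RIB = {
    "10.1.0.0/16": ("192.168.12.2", "Gi0/1"),
    "10.1.5.0/24": ("192.168.13.3", "Gi0/2"),   # more specific path toward one source subnet
    "0.0.0.0/0":   ("192.168.14.4", "Gi0/3"),
}

def rpf_interface(source, unicast_rib, static_mroutes=None):
    """Interface the router would use to reach *source*: longest prefix match across
    static mroutes (ip mroute) and the unicast RIB; on equal length the static mroute wins."""
    src = ipaddress.ip_address(source)
    best = None  # (prefixlen, preference, interface); preference 1 = static mroute, 0 = unicast
    for pref, table in ((1, static_mroutes or {}), (0, unicast_rib)):
        for prefix, (_next_hop, iface) in table.items():
            net = ipaddress.ip_network(prefix)
            if src in net and (best is None or (net.prefixlen, pref) > best[:2]):
                best = (net.prefixlen, pref, iface)
    return best[2] if best else None

def rpf_check(pkt, unicast_rib, static_mroutes=None):
    """RPF keys on the SOURCE address, never the group; the packet passes only if it
    arrived on the interface the router would use to send toward that source."""
    expected = rpf_interface(pkt["src"], unicast_rib, static_mroutes)
    return {"expected_iif": expected, "accept": expected == pkt["iif"]}

def forward_stream(packets, unicast_rib, static_mroutes=None):
    """Every packet is checked; failures are dropped (loop prevention), never forwarded."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if rpf_check(pkt, unicast_rib, static_mroutes)["accept"] else dropped).append(pkt)
    return accepted, dropped

# Constructed packets: the same source and group seen on different incoming interfaces.
PACKETS = [
    {"src": "10.1.5.7",   "group": "239.2.2.2", "iif": "Gi0/2"},  # /24 route points here: accept
    {"src": "10.1.5.7",   "group": "239.2.2.2", "iif": "Gi0/1"},  # wrong interface: drop
    {"src": "10.1.7.7",   "group": "239.2.2.2", "iif": "Gi0/1"},  # /16 route: accept
    {"src": "172.16.0.9", "group": "239.5.5.5", "iif": "Gi0/3"},  # default route: accept
]

if __name__ == "__main__":
    acc, drp = forward_stream(PACKETS, UNICAST_RIB)
    print("accepted:", [(p["src"], p["iif"]) for p in acc])
    print("dropped: ", [(p["src"], p["iif"]) for p in drp])
    # A static mroute for 10.1.5.0/24 via Gi0/1 flips the second packet to accepted.
    print(rpf_check(PACKETS[1], UNICAST_RIB, {"10.1.5.0/24": ("192.168.12.2", "Gi0/1")}))
```

The second packet is the interesting one: identical source and group, wrong arrival interface, so it is dropped even though a receiver exists, which is the loop-prevention behaviour option B describes. Adding a static mroute for the source subnet changes the expected interface and therefore the verdict, which is how an asymmetric unicast path is reconciled with the multicast topology.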

842
MCQ · easy

A network engineer is using the Cisco Meraki REST API to update the SSID settings for a wireless network. The engineer sends a PUT request to 'https://api.meraki.com/api/v1/networks/{networkId}/wireless/ssids/{ssidNumber}' with a JSON payload containing the new settings. The API returns a 429 Too Many Requests error. What should the engineer do to resolve this issue?

A.Implement exponential backoff and retry the request after a delay.
B.Change the HTTP method to POST because PUT is not supported for this endpoint.
C.Add an 'X-Cisco-Meraki-API-Key' header with a higher rate limit key.
D.Use a different API endpoint, such as 'https://api.meraki.com/api/v1/organizations/{orgId}/ssids'.
Answer: A

Correct because rate limiting requires the client to slow down and retry after a delay.

Why this answer

A 429 means the client exceeded the API's rate limit: the Meraki Dashboard API enforces a per-organization request rate and returns a Retry-After header with the 429. The engineer should slow down: honor Retry-After when present, otherwise retry with exponential backoff and jitter, and reduce concurrency or batch the changes. None of the other options change how fast requests are being sent, and the API key header in option C is the normal authentication header, not a rate-limit control.
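Added example (not from the original page): a Python retry wrapper for the PUT described above that honors Retry-After and otherwise backs off exponentially with jitter, exercised against a constructed stand-in for the Dashboard API so it runs offline. The network ID, SSID number and payload are hypothetical; the transport is injected so the same function works with the requests library against the real endpoint.

```python
import random
import time

MERAKI_BASE = "https://api.meraki.com/api/v1"

def put_with_backoff(send, url, payload, max_attempts=6, base_delay=1.0, cap=30.0,
                     sleep=time.sleep, rand=random.random):
    """Issue the request via send(url, payload) -> (status, headers, body) and retry on 429.
    Uses Retry-After when the server supplies it; otherwise waits base_delay * 2**n with
    jitter, capped. Returns (status, attempts, delays_waited, body); raises when attempts run out."""
    delays = []
    for attempt in range(1, max_attempts + 1):
        status, headers, body = send(url, payload)
        if status != 429:
            return status, attempt, delays, body
        retry_after = headers.get("Retry-After")
        if retry_after is not None:
            delay = float(retry_after)                      # the server said exactly how long to wait
        else:
            delay = min(cap, base_delay * 2 ** (attempt - 1)) * (0.5 + 0.5 * rand())
        delays.append(delay)
        sleep(delay)
    raise RuntimeError(f"still rate limited after {max_attempts} attempts: {url}")

def make_fake_meraki(n_throttled):
    """Constructed stand-in for the Dashboard API (no network): the first n_throttled calls
    return 429 (the first of them with Retry-After), then 200 echoing the payload."""
    calls = {"n": 0}
    def send(url, payload):
        calls["n"] += 1
        if calls["n"] <= n_throttled:
            headers = {"Retry-After": "2"} if calls["n"] == 1 else {}
            return 429, headers, {"errors": ["Too Many Requests"]}
        return 200, {"Content-Type": "application/json"}, dict(payload, number=1)
    return send

def update_ssid(send, network_id, ssid_number, settings, **kw):
    """The PUT from the question, routed through the retry wrapper."""
    url = f"{MERAKI_BASE}/networks/{network_id}/wireless/ssids/{ssid_number}"
    return put_with_backoff(send, url, settings, **kw)

# A real transport using the requests library would look like this (API_KEY from a secret store):
#   def send(url, payload):
#       r = requests.put(url, headers={"X-Cisco-Meraki-API-Key": API_KEY}, json=payload, timeout=30)
#       return r.status_code, r.headers, (r.json() if r.content else None)

if __name__ == "__main__":
    status, attempts, delays, body = update_ssid(make_fake_meraki(2), "N_123", 1,
                                                 {"name": "Corp-WiFi", "enabled": True},
                                                 sleep=lambda s: None)
    print(status, attempts, delays, body)
```

Keeping the transport injectable is what makes the 429 path testable without hammering a live organization; the same shape also lets you cap total wait time, which matters when a script changes many SSIDs in a loop and the limit is shared by everything using the organization's API keys.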

843
MCQ · medium

An architect is planning a Cisco SD-Access fabric deployment. The design must support host mobility across multiple fabric edge nodes while ensuring consistent policy enforcement. Which fabric component is responsible for tracking endpoint locations and mapping them to the fabric?

A.Fabric control plane node
B.Fabric border node
C.Fabric edge node
D.Fabric wireless controller
Answer: A

The control plane node uses LISP to track and map endpoints to their location in the fabric.

Why this answer

In Cisco SD-Access, the fabric control plane node (based on LISP) is responsible for maintaining the endpoint database (EID-to-RLOC mappings). When a host moves between fabric edge nodes, the control plane node updates the mapping, ensuring consistent policy enforcement by providing the correct location information to all edge nodes.

Exam trap

Cisco often tests the misconception that the fabric edge node tracks endpoint locations because it directly connects to hosts, but the control plane node is the centralized mapping database in LISP-based SD-Access.

How to eliminate wrong answers

Option B is wrong because the fabric border node connects the SD-Access fabric to external networks (e.g., WAN, data center) and handles north-south traffic, but it does not track endpoint locations or maintain the EID-to-RLOC database. Option C is wrong because the fabric edge node is the access layer that connects endpoints to the fabric and enforces policies locally, but it relies on the control plane node to learn and update endpoint location mappings; it does not serve as the central mapping database. Option D is wrong because the fabric wireless controller (e.g., Cisco Catalyst 9800) manages wireless access points and client roaming within the fabric, but it does not maintain the LISP-based EID-to-RLOC mappings; that is the role of the control plane node.

844
MCQ · medium

A network engineer runs the following command on switch SW2:

```
SW2# show cts role-based sgt-map
Active IPv4-SGT Mapping Table:
IP Address        SGT
192.168.1.10      10
192.168.1.20      20
192.168.1.30      30
Total number of entries: 3
```

Based on this output, what can be concluded?

A.The switch is using 802.1X to assign SGTs to endpoints.
B.The switch has a static mapping of IP addresses to SGTs.
C.The switch maintains a mapping table that associates IP addresses with SGTs for TrustSec policy enforcement.
D.The switch is using MAB to assign SGTs to endpoints.
Answer: C

This is exactly what the show cts role-based sgt-map command displays.

Why this answer

The command lists the IP-to-SGT bindings the switch uses when it classifies traffic for role-based (SGACL) enforcement in a TrustSec environment. Nothing in this output says how a binding was learned (802.1X, MAB, static CLI, SXP, or a locally learned IP/SGT), so options A, B and D read more into it than it shows.

845
Multi-Select · medium

Which two statements about AAA accounting are true? (Choose two.)

A.RADIUS accounting uses UDP as the transport protocol.
B.TACACS+ accounting uses UDP as the transport protocol.
C.The wait-start accounting method delays service until the accounting start packet is acknowledged by the server.
D.AAA accounting is only supported for EXEC sessions, not for network access.
E.TACACS+ encrypts only the password portion of the accounting packet.
Answers: A, C

Correct because RADIUS uses UDP for both authentication and accounting.

Why this answer

AAA accounting tracks user activities and resource usage. RADIUS accounting uses UDP (legacy port 1646 or standard port 1813), while TACACS+ uses TCP port 49 for everything. Accounting can be start-stop, stop-only, or wait-start.

The wait-start method delays service until the accounting start is acknowledged, which can impact user experience. TACACS+ encrypts the entire packet, including accounting data.

846
MCQ · easy

Which type of NAT translates multiple inside addresses to a single outside address using different port numbers?

A.Static NAT
B.Dynamic NAT
C.Port Address Translation (PAT)
D.Policy NAT
Answer: C

Correct. PAT uses port numbers to multiplex multiple inside addresses to a single outside address.

Why this answer

PAT (Port Address Translation) allows many inside hosts to share one outside IP by differentiating sessions via port numbers.

847
Drag & Drop · medium

Drag and drop the steps of SSL VPN (AnyConnect) session establishment into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

The AnyConnect client first establishes a TLS session to the ASA headend. The ASA then authenticates the user via AAA. After authentication, the ASA pushes the client profile and assigns an IP address from a pool.

The client installs the virtual adapter with the assigned IP and, where permitted, negotiates a DTLS channel alongside the TLS tunnel for the data path. Finally, the client sends encrypted traffic through the tunnel.

848
MCQ · medium

A network engineer executes the following command on Router R3:

```
R3# show ip igmp groups 239.2.2.2
IGMP Connected Group Membership
Group Address    Interface            Uptime    Expires   Last Reporter
239.2.2.2        GigabitEthernet0/0   1d04h     00:02:10  192.168.1.100
```

Based on this output, what can be concluded?

A.The multicast group is being sourced from 192.168.1.100.
B.A host at 192.168.1.100 has joined group 239.2.2.2.
C.The router is the RP for this group.
D.The group is using IGMP version 3.
Answer: B

The last reporter indicates the host that sent the most recent IGMP membership report for this group.

Why this answer

The 'show ip igmp groups' output shows group 239.2.2.2 present on GigabitEthernet0/0 for 1 day 4 hours, with about 2 minutes left on the expiry timer and 192.168.1.100 as the last reporter. Last Reporter is the most recent host to send a membership report for the group, so at least one receiver on that subnet has joined. It says nothing about who is sourcing the stream (A), the RP is not shown here (C), and neither is the IGMP version (D); 'show ip igmp interface' reports that.

849
Matching · medium

Drag and drop each OSPF packet type on the left to its matching function on the right.

Matches

Discovers and maintains OSPF neighbor adjacencies

Contains a summary of the link-state database for initial synchronization

Requests specific link-state advertisements from a neighbor

Carries one or more full LSAs during flooding or in response to an LSR

Acknowledges receipt of an LSU to ensure reliable flooding

Why these pairings

Hello packets discover and maintain neighbor relationships. DBD (Database Description) packets contain a summary of the LSDB for synchronization. LSR (Link-State Request) packets request specific LSAs.

LSU (Link-State Update) packets carry full LSAs in response to LSRs or during flooding. LSAck (Link-State Acknowledgment) packets confirm receipt of LSUs.

850
Matching · medium

Drag and drop each CoPP class on the left to its matching traffic type on the right.

Matches

Carries OSPF, EIGRP, BGP control plane packets

Carries SSH, SNMP, NTP, and Syslog traffic

Carries packets requiring CPU intervention (e.g., TTL expiry)

Catch-all for traffic not matching other classes

Reserved for high-priority control plane traffic

Why these pairings

CoPP classes map to traffic categories: routing protocols (OSPF, EIGRP, BGP) in the critical class; management protocols (SSH, SNMP, NTP, syslog) in the management class; packets punted to the CPU such as TTL-expiry and other exceptions in an exception class; and class-default as the catch-all. The high-priority class carries the control-plane traffic whose loss would break the network, so it is policed most generously, while the catch-all should be policed most tightly.

851
Matching · medium

Drag and drop each STP protection feature on the left to its matching purpose on the right.

Matches

Immediately transitions a port to forwarding state

Err-disables a port if a BPDU is received

Prevents a port from becoming the root port

Prevents a port from transitioning to forwarding when BPDUs stop

Why these pairings

PortFast moves a port to forwarding immediately; BPDU Guard err-disables a port upon BPDU reception; Root Guard prevents a port from becoming root; Loop Guard prevents alternate/backup ports from transitioning to forwarding.

852
MCQ · medium

A company is implementing QoS on its campus network. The network engineer configures a policy-map that sets the CoS value for voice traffic to 5 on a switch interface. However, when the traffic reaches the router, the CoS marking is lost. What is the most likely reason?

A. The router does not trust the CoS marking and re-marks it to 0.
B. CoS is a Layer 2 marking and is not carried across a Layer 3 hop; the router must map CoS to DSCP.
C. The switch must be configured to set DSCP instead of CoS.
D. The router must have 'mls qos trust cos' configured on the interface.
Answer: B

Correct because CoS is part of the 802.1Q header, which is stripped when the packet is routed; the router needs to map CoS to DSCP to preserve the priority.

Why this answer

CoS (Class of Service) is a Layer 2 marking field in the 802.1Q VLAN tag, which is stripped when a frame passes through a Layer 3 device (router). Since the router operates at Layer 3, it does not preserve the CoS value; instead, the router must map the CoS to a DSCP (Differentiated Services Code Point) value at Layer 3 to maintain QoS across the routed hop. Option B correctly identifies this fundamental Layer 2 vs. Layer 3 boundary issue.

Exam trap

The trap here is that candidates assume CoS is preserved across routers because they see 'trust cos' on switches, but Cisco tests the understanding that CoS is a Layer 2-only marking that disappears at a Layer 3 boundary, requiring DSCP for inter-VLAN or routed QoS.

How to eliminate wrong answers

Option A is wrong because the router does not automatically 'trust' or 're-mark' CoS to 0; CoS is simply not present in the IP packet after the Layer 2 header is removed, so no re-marking occurs. Option C is wrong because setting DSCP instead of CoS on the switch would not solve the problem—the issue is that CoS is lost at the Layer 3 boundary, and DSCP must be used on the router, but the switch can set both CoS and DSCP; the root cause is the Layer 2/3 demarcation. Option D is wrong because 'mls qos trust cos' is a Catalyst switch command (not a router command) that tells the switch to trust the CoS value on ingress; it does not apply to routers and would not preserve CoS across a Layer 3 hop.

853
Multi-Select (hard)

Which three statements about MPLS Layer 3 VPNs are true? (Choose three.)

Select 3 answers
A. Customer edge (CE) routers exchange routing information with provider edge (PE) routers using static routing, RIP, OSPF, EIGRP, or BGP.
B. VRF (Virtual Routing and Forwarding) instances are used on PE routers to maintain separate routing tables for each VPN customer.
C. MP-BGP (Multiprotocol BGP) is used between PE routers to exchange VPNv4 routes, which include an RD and RT.
D. The MPLS core routers (P routers) maintain full VPN routing tables to forward traffic based on customer IP prefixes.
E. Route targets (RT) are used to uniquely identify each customer VPN across the provider network.
Answers: A, B, C

Correct because PE-CE routing can use any of these protocols, as supported by the provider's configuration.

Why this answer

MPLS L3VPNs use VRFs for isolation, MP-BGP for route exchange, and MPLS labels for forwarding, with the provider core unaware of customer routes.

854
Matching (medium)

Drag and drop each SD-WAN plane on the left to its matching function on the right.


Concepts
Matches

OMP route exchange and BGP/OSPF peering

IPsec tunnel encapsulation and packet forwarding

CLI, REST API, and web-based administration

vBond-based device authentication and onboarding

Telemetry collection and application visibility

Why these pairings

The control plane handles OMP and routing protocols; the data plane forwards traffic using IPsec tunnels; the management plane provides CLI/GUI and APIs; the orchestration plane handles zero-touch provisioning and authentication.

855
Drag & Drop (medium)

Drag and drop the steps of vSphere VM snapshot creation and revert into the correct order, from first to last.


Why this order

The correct order ensures that the snapshot is taken and then, if needed, the VM is powered off before reverting to the snapshot, and finally powered back on.

856
MCQ (medium)

```
spanning-tree vlan 10 priority 4096
```

What is the effect of this global configuration command?

A. The switch will have a bridge priority of 4096 for VLAN 10, increasing its chance to become root bridge.
B. The switch will have a bridge priority of 4096 for all VLANs.
C. The switch will become the root bridge for VLAN 10 immediately.
D. The switch will have a bridge priority of 4096 for VLAN 10 and all other VLANs will use 32768.
Answer: A

Lower priority value is preferred; 4096 is lower than default 32768.

Why this answer

This sets the bridge priority for VLAN 10 to 4096, making the switch more likely to become the root bridge for that VLAN.

857
MCQ (medium)

A network engineer is configuring model-driven telemetry on a Cisco IOS-XE router to stream BGP route updates to a collector using gRPC dial-out. The engineer wants to ensure that the telemetry data is encrypted in transit. Which additional configuration is required to secure the gRPC telemetry stream?

A. Configure IPsec between the router and the collector
B. Enable TLS on the gRPC connection by configuring a trustpoint and using the 'transport grpc tls' command
C. Use SSH tunneling for the gRPC connection
D. Configure DTLS on the telemetry receiver
Answer: B

TLS provides encryption for gRPC telemetry, and IOS-XE supports it with proper trustpoint configuration.

Why this answer

The correct answer is to configure TLS on the gRPC connection. gRPC supports TLS for encryption, and on IOS-XE, this requires configuring a trustpoint and enabling TLS under the telemetry receiver. The other options are incorrect because IPsec is not directly integrated with gRPC telemetry; SSH is used for NETCONF, not gRPC; and DTLS is used for UDP-based telemetry, not gRPC.

858
Multi-Select (hard)

Which three statements about VRF-lite are true? (Choose three.)

Select 3 answers
A. VRF-lite allows multiple routing instances on a single router using static or dynamic routing protocols.
B. VRF-lite does not require MPLS to operate.
C. VRF-lite provides path isolation by maintaining separate forwarding tables.
D. VRF-lite supports MPLS VPN inter-AS option B.
E. VRF-lite requires BGP as the routing protocol between VRFs.
Answers: A, B, C

Correct because VRF-lite supports RIP, EIGRP, OSPF, and static routes per VRF.

Why this answer

Correct: VRF-lite uses static or dynamic routing; it does not require MPLS; it provides path isolation. Incorrect: VRF-lite does not support MPLS VPN inter-AS; it does not require BGP; it does not use label switching.

859
MCQ (hard)

A network engineer runs the following command on Router R1:

```
R1# show mpls ldp neighbor
    Peer LDP Ident: 10.0.0.2:0, Local LDP Ident: 10.0.0.1:0
        TCP connection: 10.0.0.2.646 - 10.0.0.1.179
        State: Oper; Msgs sent/rcvd: 100/95; Downstream
        Up time: 00:10:00
        LDP discovery sources:
          GigabitEthernet0/0, Src IP: 10.0.0.2
        Addresses bound to peer LDP Ident:
          10.0.0.2        192.168.2.2
    Peer LDP Ident: 10.0.0.3:0, Local LDP Ident: 10.0.0.1:0
        TCP connection: 10.0.0.3.646 - 10.0.0.1.179
        State: Oper; Msgs sent/rcvd: 200/190; Downstream
        Up time: 00:20:00
        LDP discovery sources:
          GigabitEthernet0/1, Src IP: 10.0.0.3
        Addresses bound to peer LDP Ident:
          10.0.0.3        192.168.3.3
```

Based on this output, what can be concluded?

A. The router has two LDP peers that are both operational
B. The router is using LDP in downstream-on-demand mode
C. The LDP session with 10.0.0.2 is down
D. The router has only one LDP neighbor
Answer: A

Both peers show 'State: Oper', indicating they are operational.

Why this answer

The output shows LDP neighbors. Both neighbors are in Oper (operational) state. The local LDP identifier is 10.0.0.1:0.

The peers are discovered via different interfaces (GigabitEthernet0/0 and GigabitEthernet0/1). The correct answer is that the router has two LDP peers that are both operational.

860
MCQ (hard)

A network engineer is deploying 802.1X with Cisco ISE for a wired network. The engineer wants to use CoA (Change of Authorization) to dynamically change the VLAN of a user after authentication. The engineer configures the switch with 'aaa server radius dynamic-author' and the ISE with CoA settings. When the engineer tests CoA from ISE, the switch logs show 'CoA request received' but the VLAN does not change. What is the most likely cause?

A. The ISE is not configured with the correct shared secret for CoA.
B. The switch is missing the 'authentication command bounce-port' or 'authentication command disable-port' configuration.
C. The switch is not configured with 'dot1x pae authenticator' on the interface.
D. The switchport is configured as 'switchport mode trunk', which does not support VLAN changes via CoA.
Answer: B

Correct because these commands enable the switch to apply CoA actions like VLAN change.

Why this answer

CoA requires the switch to accept and process the request. The switch must have the 'authentication command bounce-port' or 'authentication command disable-port' configured to apply changes. Option B is correct because without this, the switch may acknowledge but not act.

Option A is incorrect because the switch received the request. Option C is incorrect because the RADIUS server is reachable. Option D is incorrect because the switchport mode does not prevent CoA.

861
Multi-Select (hard)

Which three statements about the classification and marking tools in Cisco IOS are true? (Choose three.)

Select 3 answers
A. The trust boundary can be configured using the 'mls qos trust' command on a switch port to trust the CoS or DSCP value received from an attached device.
B. NBAR (Network-Based Application Recognition) can classify traffic based on application signatures, including HTTP URLs and SSL certificate fields.
C. Layer 2 CoS marking uses a 3-bit field in the 802.1Q tag, providing 8 possible values, while DSCP uses 6 bits for 64 values.
D. The 'set dscp' command in a policy map can be used to mark packets with a DSCP value, but only on egress interfaces.
E. MPLS EXP bits are a 3-bit field used for QoS in MPLS networks and are always directly mapped from the IP DSCP value without any configuration.
Answers: A, B, C

Correct. The trust boundary is set with 'mls qos trust' to honor incoming markings.

Why this answer

Classification identifies traffic based on various fields, while marking sets the QoS value. Trust boundaries determine where marking is honored. NBAR can perform deep packet inspection for classification.

CoS is a Layer 2 marking in 802.1Q frames, while DSCP is Layer 3. MPLS uses EXP bits.

862
Multi-Select (hard)

Which three statements about Cisco Wireless LAN Controller (WLC) mobility groups are true? (Choose three.)

Select 3 answers
A. Controllers in the same mobility group must be in the same IP subnet.
B. A mobility group can contain up to 24 controllers.
C. Mobility groups enable seamless client roaming between controllers without re-authentication.
D. Mobility tunnels between controllers must be symmetric and use the same source and destination IP addresses.
E. All controllers in a mobility group must be the same hardware model.
Answers: B, C, D

Correct because Cisco WLCs support a maximum of 24 controllers in a single mobility group.

Why this answer

Mobility groups allow seamless client roaming across controllers, support up to 24 controllers per group, require symmetric mobility tunnels, and use a backup controller list for redundancy. They do not require all controllers to be in the same subnet or same hardware model.

863
Matching (medium)

Drag and drop each EtherChannel load-balance method on the left to its matching hashing input on the right.


Concepts
Matches

Source MAC address

Destination MAC address

Source and destination IP addresses

Source and destination Layer 4 ports

Source and destination MAC addresses

Why these pairings

Each load-balance method hashes a different combination of source/destination MAC address, IP address, or Layer 4 port to select the member link for a given flow.

864
MCQ (easy)

A network team must design a QoS policy for a WAN link that carries voice, video, and data. The policy must ensure that voice traffic is never dropped, even during congestion. Which queuing mechanism should be used for the voice class?

A. Class-based weighted fair queuing (CBWFQ).
B. Low-latency queuing (LLQ).
C. Weighted random early detection (WRED).
D. First-in, first-out (FIFO) queuing.
Answer: B

LLQ combines strict priority with CBWFQ, ensuring voice is never dropped.

Why this answer

Low-latency queuing (LLQ) is the correct choice because it combines strict priority queuing with CBWFQ, allowing voice traffic to be placed in a strict priority queue that is serviced first before any other queues. This ensures that voice packets are never dropped due to congestion, as long as the configured policer rate is not exceeded, meeting the requirement that voice traffic is never dropped.

Exam trap

Cisco often tests the misconception that CBWFQ alone can provide low latency for voice, but the trap is that CBWFQ lacks a strict priority queue, so only LLQ guarantees zero drops for real-time traffic during congestion.

How to eliminate wrong answers

Option A is wrong because CBWFQ provides guaranteed bandwidth for each class but does not include a strict priority queue, so voice traffic could still experience delay or drop during congestion if the queue is full. Option C is wrong because WRED is a congestion avoidance mechanism that proactively drops packets before a queue is full, which would cause voice drops and is unsuitable for real-time traffic that requires zero drops. Option D is wrong because FIFO queuing treats all traffic equally with no priority, so during congestion voice packets would be dropped along with other traffic, violating the requirement.

865
MCQ (medium)

Given the following configuration:

```
router eigrp TEST
 network 10.0.0.0 0.255.255.255
 network 192.168.1.0
!
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip summary-address eigrp TEST 10.0.0.0 255.0.0.0 5
```

What is the effect of the ip summary-address command?

A. It creates a summary route 10.0.0.0/8 with a metric of 5, advertised out GigabitEthernet0/0.
B. It creates a summary route 10.0.0.0/8 with a metric of 5, but only for the EIGRP process named TEST.
C. It creates a summary route 10.0.0.0/8 with a hop count of 5.
D. The command is invalid because the summary address must match the network statement exactly.
Answer: A

The summary address is 10.0.0.0/8, and the value 5 is the administrative distance for the summary route.

Why this answer

The `ip summary-address eigrp TEST 10.0.0.0 255.0.0.0 5` command creates a summary route of 10.0.0.0/8 with an administrative distance of 5, which is advertised out of GigabitEthernet0/0. The EIGRP process name TEST matches the router eigrp configuration, and the summary is generated regardless of the network statements, as long as the router has a more specific route within the summarized range.

Exam trap

Cisco often tests the misconception that the number after the summary address is a metric or hop count, when in fact it is the administrative distance for the summary route.

How to eliminate wrong answers

Option B is wrong because the summary route is advertised out of the specific interface (GigabitEthernet0/0), not for the entire EIGRP process; the process name only identifies which EIGRP instance the summary belongs to. Option C is wrong because the number 5 in the command sets the administrative distance for the summary route, not a hop count or metric; EIGRP uses metric (composite) values, not hop counts. Option D is wrong because the summary address does not need to match a network statement exactly; the `ip summary-address` command can summarize any range that includes subnets learned via EIGRP, even if the network statement is broader or different.

866
MCQ (medium)

Examine the following RSPAN configuration on a Cisco Catalyst switch:

```
vlan 100
 name RSPAN_VLAN
 remote-span
!
monitor session 1 source vlan 10 both
monitor session 1 destination remote vlan 100
```

Which statement about this configuration is true?

A. The RSPAN VLAN 100 must be created on all switches in the network that participate in RSPAN.
B. The destination remote vlan 100 command is incorrect; it should be 'destination remote vlan 100 encapsulation replicate'.
C. This configuration copies traffic from VLAN 10 to the local switch only.
D. The RSPAN VLAN 100 must be tagged on all trunk ports between switches.
Answer: A

For RSPAN to work, the RSPAN VLAN must exist on all switches that forward the mirrored traffic.

Why this answer

This configures an RSPAN session where traffic from VLAN 10 is sent to the RSPAN VLAN 100, which is then transported across the network to other switches.

867
Drag & Drop (medium)

Drag and drop the steps of native VLAN mismatch detection and correction into the correct order, from first to last.


Why this order

First, configure the trunk interface with a specific native VLAN. Then, set the neighbor's trunk to a different native VLAN. The mismatch causes CDP to log an error.

The switch then disables the trunk port. Finally, the administrator corrects the native VLAN to match.

868
MCQ (medium)

Review the following DHCP relay configuration:

```
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 172.16.1.100
```

What is the effect of the 'ip helper-address' command?

A. It forwards DHCP requests from VLAN 10 to the DHCP server at 172.16.1.100.
B. It configures the router as a DHCP server for VLAN 10.
C. It translates the source IP of DHCP requests to 192.168.10.1.
D. It blocks DHCP traffic from VLAN 10.
Answer: A

Correct. The helper address relays DHCP broadcasts to the server.

Why this answer

The command forwards DHCP broadcasts (and other UDP broadcasts by default) to the specified server.

869
Drag & Drop (medium)

Drag and drop the steps of Flexible NetFlow flow record and exporter setup into the correct order, from first to last.


Why this order

Flexible NetFlow setup begins with defining the flow record to specify what to match and collect, then defining the flow exporter to set destination and transport, followed by creating the flow monitor that binds record and exporter, then applying the monitor to an interface, and finally verifying with show commands.

870
MCQ (medium)

Given the following configuration snippet on a Cisco IOS-XE switch:

```
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
monitor session 1 source interface GigabitEthernet1/0/1 both
monitor session 1 destination interface GigabitEthernet1/0/2
```

What is the effect of this configuration?

A. All traffic entering and leaving GigabitEthernet1/0/1 is copied to GigabitEthernet1/0/2.
B. Only traffic entering GigabitEthernet1/0/1 is copied to GigabitEthernet1/0/2.
C. Traffic on GigabitEthernet1/0/2 is replicated to GigabitEthernet1/0/1.
D. The configuration is invalid because the destination port must be in trunk mode.
Answer: A

The 'both' keyword copies both ingress and egress traffic from the source interface to the destination.

Why this answer

The configuration creates a local SPAN session that copies traffic from GigabitEthernet1/0/1 (both ingress and egress) to GigabitEthernet1/0/2, which is a standard SPAN destination port.

871
Drag & Drop (hard)

Drag and drop the steps of OSPF route redistribution into a different autonomous system into the correct order, from first to last.


Why this order

Redistribution requires first configuring the routing process that will receive the routes, then defining the source protocol and metric, optionally setting route tags for loop prevention, applying a route map for filtering, and finally verifying the redistributed routes appear in the OSPF database.

872
Matching (medium)

Drag and drop each IPsec mode on the left to its matching header usage on the right.


Concepts
Matches

New IP header + ESP header + encrypted original packet

Original IP header + ESP trailer + encrypted payload

New IP header + AH header + original packet

Original IP header + AH header + payload

Encrypts entire original IP packet

Why these pairings

Tunnel mode encrypts original IP header and adds new IP header; transport mode only encrypts payload and leaves original IP header intact.

873
MCQ (medium)

Examine this configuration:

```
policy-map QOS_POLICY
 class VOICE
  priority percent 10
 class VIDEO
  bandwidth percent 30
 class class-default
  fair-queue
!
interface GigabitEthernet0/0
 service-policy output QOS_POLICY
```

What is the effect of this policy-map?

A. Voice traffic gets strict priority up to 10% of interface bandwidth, video gets at least 30%, and all other traffic is fair-queued.
B. Voice and video both get priority queuing, with voice at 10% and video at 30%.
C. The policy-map is invalid because you cannot use both priority and bandwidth in the same policy-map.
D. The policy-map will only shape traffic, not prioritize it.
Answer: A

This is the correct interpretation of the policy-map.

Why this answer

Option A is correct because the policy-map uses the 'priority percent 10' command under class VOICE, which provides strict priority queuing for voice traffic, guaranteeing it is serviced first up to 10% of the interface bandwidth. The 'bandwidth percent 30' command under class VIDEO allocates a minimum bandwidth guarantee of 30% for video traffic, while the 'fair-queue' command under class-default ensures all other traffic shares the remaining bandwidth fairly using Cisco's Class-Based Weighted Fair Queuing (CBWFQ). This configuration is valid and commonly used in enterprise QoS designs to prioritize real-time traffic while still providing bandwidth guarantees for other critical traffic.

Exam trap

Cisco often tests the misconception that 'priority' and 'bandwidth' cannot coexist in the same policy-map, or that 'bandwidth' implies priority queuing, when in fact they serve different roles (strict priority vs. guaranteed minimum bandwidth) and are commonly used together in enterprise QoS designs.

How to eliminate wrong answers

Option B is wrong because it incorrectly states that both voice and video get priority queuing; in this configuration, only the VOICE class uses the 'priority' command, while the VIDEO class uses 'bandwidth', which provides a minimum bandwidth guarantee, not strict priority. Option C is wrong because it claims the policy-map is invalid; Cisco IOS allows the use of both 'priority' and 'bandwidth' commands in the same policy-map, as long as the priority class is configured first and the total bandwidth allocations do not exceed 100%. Option D is wrong because the policy-map does not include any 'shape' command; it applies queuing and scheduling policies (priority, bandwidth, and fair-queue) on output, not traffic shaping.

874
Multi-Select (medium)

Which TWO statements about Cisco DNA Center's Assurance capabilities are correct?

Select 2 answers
A. It uses streaming telemetry to collect data for real-time analytics.
B. It supports only wired networks and not wireless.
C. It is a fully cloud-based solution with no on-premises components.
D. It only displays network device health scores and does not provide path tracing.
E. It can proactively detect potential issues based on historical trends.
Answers: A, E

Correct.

Why this answer

Option A is correct because Cisco DNA Center uses model-driven telemetry (e.g., gRPC, NETCONF/YANG, or UDP-based push) to stream real-time data from network devices, enabling sub-second analytics and faster troubleshooting compared to traditional polling methods like SNMP.

Exam trap

The trap here is that candidates often assume DNA Center is purely cloud-based or only supports wired networks, but Cisco deliberately tests the hybrid deployment model and the unified wired/wireless assurance scope.

875
MCQ (medium)

Examine the following IPsec configuration snippet:

```
crypto ikev2 proposal IKEV2_PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKEV2_POL
 proposal IKEV2_PROP
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC_PROF
 set transform-set TSET
 set ikev2-profile IKEV2_POL
```

Which statement about this configuration is true?

A. The transform set uses ESP with AES-256 encryption and SHA-256 HMAC for authentication.
B. The IKEv2 proposal uses AES-256, SHA-256, and DH group 14, but the IPsec profile will not apply because the ikev2-profile command is missing the 'set' keyword.
C. The transform set is configured in transport mode, which is incorrect for site-to-site VPN.
D. The IPsec profile is incomplete because it does not include a PFS (Perfect Forward Secrecy) setting.
Answer: A

The transform set command 'esp-aes 256 esp-sha256-hmac' specifies ESP with AES-256 encryption and SHA-256 HMAC for integrity/authentication.

Why this answer

The configuration defines an IKEv2 proposal with AES-256 encryption, SHA-256 integrity, and Diffie-Hellman group 14. The IPsec transform set uses AES-256 and SHA-256. The IPsec profile references both the transform set and the IKEv2 profile.

However, the IKEv2 policy is not directly used in the profile; the profile uses the IKEv2 profile, not the policy. The correct statement is that the transform set uses ESP with AES-256 encryption and SHA-256 HMAC.

876
MCQ (medium)

A network engineer runs the following command on Router R4:

```
R4# show policy-map interface GigabitEthernet0/1
 GigabitEthernet0/1

  Service-policy input: SHAPE_POLICY

    Class-map: class-default (match-any)
      1000 packets, 100000 bytes
      5 minute offered rate 100000 bps, drop rate 0 bps
      Match: any
      Queueing
      shape (average) cir 500000, bc 5000, be 5000
      target shape rate 500000
```

Based on this output, what can be concluded?

A. Traffic is being shaped to an average rate of 500 kbps.
B. Traffic is being policed to 500 kbps.
C. The policy is applied to output traffic.
D. The offered rate exceeds the shaping rate, causing drops.
Answer: A

The shape command specifies cir 500000, which is 500 kbps.

Why this answer

The policy-map is applied to the input direction. Shaping is typically used on output to smooth traffic, but it can be applied to input as well, though it is less common. The shape command is shaping all traffic to an average CIR of 500 kbps.

The offered rate is 100 kbps, which is below the shaping rate, so no drops occur.

877
Matching (medium)

Drag and drop each security protocol on the left to its matching provided security service on the right.


Concepts
Matches

Confidentiality and data integrity

Data integrity and authentication without encryption

Data integrity only

Confidentiality and data integrity with authentication

Sequence number verification

Why these pairings

ESP provides confidentiality, data integrity, and optional anti-replay; AH provides data integrity and authentication but no encryption; ESP with null encryption provides integrity only; combined ESP+AH provides both confidentiality and integrity; anti-replay is a service provided by both ESP and AH.

878
MCQ (hard)

A network engineer configures model-driven telemetry on a Cisco IOS-XE device using gRPC dial-out. The subscription configuration snippet is:

```
telemetry ietf subscription 100
 encoding encode-kvgpb
 filter xpath /interfaces/interface/statistics
 stream yang-push
 update-policy periodic 500
 receiver ip address 10.1.1.1 50001 protocol grpc-tcp
```

What is the primary issue with this configuration?

A. The 'encoding' should be 'encode-json' or 'encode-gpb' instead of 'encode-kvgpb' for gRPC.
B. The 'stream' should be 'yang-notif' instead of 'yang-push'.
C. The 'update-policy periodic' value must be between 100 and 1000 milliseconds.
D. The 'receiver' command should specify 'protocol grpc' instead of 'grpc-tcp'.
Answer: A

KVGPB is not a standard encoding for gRPC; JSON or GPB are used.

Why this answer

Taking the other lines first: the 'receiver' syntax ('receiver ip address <ip> <port> protocol <protocol>') is correct, and 'grpc-tcp' is a valid protocol keyword for gRPC dial-out. 'stream yang-push' is valid, and 'update-policy periodic 500' is an accepted periodic interval, so options B, C, and D describe no defect.

That leaves the 'encoding' line. The answer key holds that 'encode-kvgpb' is not the encoding to use for gRPC dial-out and that 'encode-json' or 'encode-gpb' (Google Protocol Buffers) should be configured instead, which makes option A the selected answer.

Note that IOS-XE does accept 'encode-kvgpb' (key-value GPB) as an encoding keyword, so this item is ambiguous; the answer key nevertheless selects option A.

879
Multi-Select (hard)

Which three statements about hypervisor security and isolation are true? (Choose three.)

Select 3 answers
A. A VM escape attack occurs when an attacker breaks out of a virtual machine to access the hypervisor or other VMs.
B. Virtual machines are inherently isolated from each other and do not require any additional security measures.
C. The hypervisor must enforce memory and device isolation to prevent one VM from accessing another VM's data.
D. Regularly patching the hypervisor and reducing its attack surface are important security practices.
E. Virtual machines have direct access to physical hardware resources such as CPU and memory.
Answers: A, C, D

Correct because VM escape is a known security risk that compromises isolation.

Why this answer

Hypervisor security is critical to prevent VM escape and ensure isolation. Option A is correct because VM escape is a serious vulnerability where code in a VM breaks out to the hypervisor. Option C is correct because the hypervisor should enforce strict isolation between VMs to prevent data leakage.

Option D is correct because keeping the hypervisor patched and minimizing its attack surface are key security practices. Option B is incorrect because VMs are not inherently isolated from each other; isolation depends on hypervisor design. Option E is incorrect because VMs do not have direct access to physical hardware; the hypervisor mediates access.

880
Drag & Drop (medium)

Drag and drop the steps of YANG module import and augmentation resolution into the correct order, from first to last.


Why this order

The correct order follows YANG module processing: first the module is imported, then its base schema is parsed, next augmentations are resolved, then conflicts are detected, and finally the complete schema tree is built.

881
Multi-Select (hard)

Which three statements about Control Plane Policing (CoPP) are true? (Choose three.)

Select 3 answers
A. CoPP uses Modular QoS CLI (MQC) to define traffic classes and policies.
B. CoPP is used to police traffic in the data plane to protect against DoS attacks.
C. CoPP can rate-limit or drop certain types of control plane traffic to prevent CPU overload.
D. CoPP classifies traffic into categories such as critical, normal, and management.
E. CoPP is applied directly to physical interfaces using the 'service-policy' command.
Answers: A, C, D

Correct because CoPP is configured using MQC with class maps, policy maps, and the 'service-policy' command applied to the control plane.

Why this answer

CoPP protects the control plane by applying QoS policies to traffic destined to the route processor. Option A is correct because CoPP uses MQC (Modular QoS CLI) to define class maps and policy maps. Option C is correct because CoPP can rate-limit or drop traffic to prevent CPU overload.

Option D is correct because CoPP classifies traffic into categories such as critical, normal, and management. Option B is incorrect because CoPP does not apply to the data plane; it applies to the control plane. Option E is incorrect because CoPP is applied to the control plane, not to interfaces directly; interface-level policing is done by other mechanisms.

882
MCQmedium

A network engineer runs the following command on Router R2:

R2# show crypto ipsec sa peer 10.2.2.2

interface: Tunnel0
    Crypto map tag: CMAP, local addr 10.1.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 10.2.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
    #pkts decaps: 1200, #pkts decrypt: 1200, #pkts verify: 1200
    #pkts compressed: 0, #pkts decompress: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

Based on this output, what can be concluded?

A.The IPsec tunnel is functioning correctly with no issues.
B.There is a routing problem causing packets to be dropped in one direction.
C.The tunnel is using compression, as shown by the compress counters.
D.The remote peer is not responding to IKE requests.
AnswerB

The difference between encaps and decaps counts indicates that some packets sent are not being received, likely due to routing or firewall issues.

Why this answer

The packet counters show 1500 packets encapsulated (sent) but only 1200 decapsulated (received). This asymmetry indicates possible packet loss or a routing issue in one direction.
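Reading the encaps/decaps counters by eye works for one SA, but the same check is easy to automate. The following is an added example, not code from the question bank: it parses the counter lines of the show crypto ipsec sa output quoted above (reproduced as a constructed sample) and classifies the SA. The function names and the 5 percent tolerance are assumptions chosen for this example.

```python
import re

# Constructed sample: the counter lines from the question's
# 'show crypto ipsec sa' output, used as offline test input.
SAMPLE_OUTPUT = """\
interface: Tunnel0
    Crypto map tag: CMAP, local addr 10.1.1.2
   current_peer 10.2.2.2 port 500
    #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
    #pkts decaps: 1200, #pkts decrypt: 1200, #pkts verify: 1200
    #pkts compressed: 0, #pkts decompress: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #send errors 0, #recv errors 0
"""

# Matches '#pkts encaps: 1500' as well as '#send errors 0' (no colon).
COUNTER_RE = re.compile(r"#((?:pkts )?[A-Za-z. ]+?):?\s+(\d+)")


def parse_ipsec_counters(text: str) -> dict:
    """Map counter names ('encaps', 'decaps', 'send errors', ...) to ints."""
    counters = {}
    for name, value in COUNTER_RE.findall(text):
        name = name.strip()
        if name.startswith("pkts "):
            name = name[len("pkts "):]
        counters[name] = int(value)
    return counters


def diagnose_sa(counters: dict, tolerance: float = 0.05) -> str:
    """Classify one SA from its counters.

    Returns 'errors' if send/recv errors are non-zero, 'idle' if nothing
    has been sent or received, 'one-way' if only one direction carries
    traffic, 'asymmetric' if encaps and decaps differ by more than the
    tolerance, otherwise 'healthy'.
    """
    encaps = counters.get("encaps", 0)
    decaps = counters.get("decaps", 0)
    if counters.get("send errors", 0) or counters.get("recv errors", 0):
        return "errors"
    if encaps == 0 and decaps == 0:
        return "idle"
    if encaps == 0 or decaps == 0:
        return "one-way"
    ratio = abs(encaps - decaps) / max(encaps, decaps)
    return "asymmetric" if ratio > tolerance else "healthy"


if __name__ == "__main__":
    counters = parse_ipsec_counters(SAMPLE_OUTPUT)
    print(counters)
    print("verdict:", diagnose_sa(counters))  # asymmetric (1500 vs 1200)
```

One caveat when using this in practice: a persistent encaps/decaps gap on one router can also reflect naturally asymmetric application traffic, so compare against the peer's counters (its decaps should track this side's encaps) before concluding that packets are being dropped in transit.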

883
MCQmedium

A Python script uses NAPALM to retrieve the ARP table from a Cisco IOS-XE device:

from napalm import get_network_driver

driver = get_network_driver('ios')
device = driver('192.168.1.1', 'admin', 'cisco')
device.open()
arp_table = device.get_arp_table()
print(arp_table)
device.close()

What is the issue with this script?

A.The script will fail because the driver name 'ios' is incorrect; it should be 'iosxe' for IOS-XE devices.
B.The script will work correctly because 'ios' is the correct driver for all Cisco IOS devices.
C.The script will fail because the 'get_arp_table()' method requires an argument.
D.The script will work but only if the device is running IOS-XE 16.12 or later.
AnswerA

NAPALM uses 'iosxe' for IOS-XE; 'ios' is for classic IOS.

Why this answer

The script selects the NAPALM 'ios' driver, whereas the driver for IOS-XE is 'iosxe'. Using 'ios' may work for some devices but is deprecated. The correct answer identifies the driver name mismatch.

884
MCQmedium

Given the following SNMP configuration on a Cisco IOS-XE router:

snmp-server community public RO
snmp-server community private RW
snmp-server location Building-A
snmp-server contact admin@example.com
snmp-server enable traps snmp linkdown linkup
snmp-server host 192.168.1.100 version 2c public

What is the effect of this configuration?

A.The router will send SNMP traps to 192.168.1.100 using community string 'public' for linkdown and linkup events.
B.The router will send SNMP traps to 192.168.1.100 using community string 'private' for all SNMP traps.
C.The router will only accept SNMP read requests using community 'public' and write requests using community 'private'.
D.The router will send SNMPv3 traps to 192.168.1.100 using authentication.
AnswerA

The 'snmp-server enable traps snmp linkdown linkup' enables those traps, and the 'snmp-server host' command sends them to 192.168.1.100 with community 'public'.

Why this answer

The configuration enables SNMPv2c with read-only (RO) and read-write (RW) community strings, sets location and contact information, enables linkdown and linkup traps, and sends traps to the NMS at 192.168.1.100 using community 'public'.

885
MCQmedium

Consider the following configuration snippet on a Cisco IOS-XE device:

telemetry ietf subscription 100
 encoding encode-kvgpb
 filter xpath /interfaces/interface/state/counters
 stream yang-push
 update-policy periodic 500
 receiver ip address 10.1.1.1 50000 protocol grpc

What is the effect of this configuration?

A.It streams interface counter data every 500 milliseconds to the collector at 10.1.1.1:50000 using gRPC.
B.It streams interface counter data every 500 seconds to the collector at 10.1.1.1:50000 using gRPC.
C.It streams the entire YANG model for interfaces to the collector, not just counters.
D.It uses the NETCONF protocol to send data to the collector.
AnswerA

The update-policy periodic 500 sets the interval to 500 ms, and the receiver uses gRPC on port 50000.

Why this answer

This configuration creates an IETF telemetry subscription that periodically pushes interface counter data to a gRPC collector.

886
MCQmedium

An architect is planning a virtualized infrastructure for a branch office that will host a Cisco ISRv router and a local DHCP server. The architect wants to minimize management overhead and ensure the VMs can be easily backed up. Which hypervisor deployment model is most appropriate?

A.Deploy a Type 1 hypervisor on the branch server and manage VMs via a centralized vCenter or similar tool.
B.Use a Type 2 hypervisor on a desktop PC at the branch.
C.Run the ISRv and DHCP server as containers on the same host.
D.Install the ISRv directly on physical hardware without virtualization.
AnswerA

This provides robust management, backup, and performance for production VMs.

Why this answer

A Type 1 hypervisor (bare-metal) runs directly on the server hardware, providing near-native performance for the Cisco ISRv router and DHCP server. Centralized management via vCenter or similar tools reduces administrative overhead and enables efficient VM backup and recovery, meeting the architect's requirements for minimal management overhead and easy backup.

Exam trap

Cisco often tests the distinction between Type 1 and Type 2 hypervisors in the context of network functions like ISRv, where the trap is that candidates may choose a Type 2 hypervisor for simplicity, overlooking the performance and management overhead penalties for production branch office deployments.

How to eliminate wrong answers

Option B is wrong because a Type 2 hypervisor runs on top of an existing operating system (e.g., VMware Workstation on Windows), which adds overhead, reduces performance for network functions like ISRv, and complicates backup and centralized management. Option C is wrong because containers share the host OS kernel and do not provide the full virtualization isolation required for a Cisco ISRv router, which expects a dedicated virtual machine environment; containers also complicate backup compared to VM snapshots. Option D is wrong because installing ISRv directly on physical hardware eliminates virtualization benefits, making backup more difficult (physical server backup vs. VM snapshots) and increasing management overhead for the branch office.

887
MCQmedium

A network engineer configures SNMPv2c on a Cisco router to monitor CPU and memory utilization. The NMS is reachable and configured with the same community string 'public'. However, the NMS receives no traps from the router. The engineer verifies that the router's SNMP configuration includes 'snmp-server enable traps' and 'snmp-server host 192.168.1.100 version 2c public'. What is the most likely cause of the missing traps?

A.The router's SNMP agent is disabled.
B.The community string 'public' is not defined on the router.
C.The router lacks specific trap configuration for CPU and memory utilization.
D.The NMS is using SNMPv3, which is incompatible with SNMPv2c traps.
AnswerC

Correct because 'snmp-server enable traps' alone does not enable all traps; specific traps like 'snmp-server enable traps cpu threshold' and 'snmp-server enable traps memory' are needed.

Why this answer

The trap destination is configured, so the router knows where to send traps, but it is not generating CPU and memory traps because the trap-specific configuration is missing. Filtering between the router and the NMS would also stop traps, but the most common oversight is not enabling the specific trap types: 'snmp-server enable traps' without any trap type only enables generic traps, and CPU and memory traps require explicit configuration.

888
MCQmedium

Examine this IP SLA configuration on Router R1:

ip sla 4
 icmp-echo 10.4.4.4
 frequency 10
ip sla schedule 4 life forever start-time now
ip sla reaction-configuration 4 react timeout threshold-type immediate action-type triggerOnly

Which of the following is missing from this configuration to make it useful for tracking?

A.A 'track' object that references the IP SLA operation is missing.
B.The 'frequency' command is missing; it should be set to 60 seconds.
C.The 'ip sla responder' must be configured on the target router.
D.The 'life' parameter should be set to a specific number of repetitions.
AnswerA

The 'track' command (e.g., 'track 1 ip sla 4') is needed to link the IP SLA reaction to a tracking object that can be used by routing protocols or other features.

Why this answer

IP SLA reaction configurations need to be associated with a tracking object to be useful for actions like route manipulation. Without 'track', the trigger has no effect.

889
MCQmedium

A network engineer is troubleshooting intermittent connectivity issues between two switches connected via a trunk link. The engineer notices that the port counters show a high number of CRC errors and runts on one side. Which action should the engineer take first?

A.Check the cable and connectors for damage or loose connections.
B.Increase the MTU size on the interface.
C.Configure the interface with a different duplex setting.
D.Disable Dynamic Trunking Protocol (DTP) on the interface.
AnswerA

CRC errors and runts often indicate physical layer issues like faulty cabling.

Why this answer

CRC errors and runts on a trunk link typically indicate a Layer 1 physical-layer issue, such as faulty cabling, damaged connectors, or poor termination. The first and most logical step is to inspect and test the physical cable and connectors, as this is the most common root cause and the easiest to verify before making configuration changes.

Exam trap

Cisco often tests the principle that Layer 1 issues must be resolved first before considering Layer 2 or Layer 3 changes, and the trap here is that candidates jump to configuration changes (like duplex or DTP) instead of verifying the physical medium.

How to eliminate wrong answers

Option B is wrong because increasing the MTU size would not resolve CRC errors or runts; it could actually exacerbate the problem by allowing larger frames that are more susceptible to corruption on a faulty physical link. Option C is wrong because duplex mismatch usually causes alignment errors, late collisions, or FCS errors, not specifically CRC errors and runts; moreover, modern switches with auto-negotiation rarely have duplex issues unless manually misconfigured. Option D is wrong because disabling DTP addresses trunk negotiation and VLAN tagging issues, not physical-layer errors like CRC and runts.

890
MCQmedium

router bgp 65000
 bgp router-id 10.0.0.1
 neighbor 10.0.0.2 remote-as 65001
 neighbor 10.0.0.2 route-map SET_MED out
!
route-map SET_MED permit 10
 set metric 50
!

What is the effect of this configuration on routes advertised to 10.0.0.2?

A.All routes sent to 10.0.0.2 will have the MED value set to 50.
B.Routes received from 10.0.0.2 will have their MED set to 50.
C.The local preference of routes sent to 10.0.0.2 is set to 50.
D.The configuration is invalid because MED cannot be set on outbound updates.
AnswerA

Correct. The route-map sets MED on outbound updates.

Why this answer

Option A is correct because the route-map SET_MED is applied to outbound updates to neighbor 10.0.0.2, and the 'set metric 50' command sets the Multi-Exit Discriminator (MED) attribute to 50 for all routes advertised to that neighbor. The MED is a metric used to influence inbound traffic from the AS of the neighbor, and it is propagated to the neighbor's BGP table.

Exam trap

Cisco often tests the distinction between outbound and inbound route-map application, and the trap here is confusing the 'set metric' command (which sets MED) with 'set local-preference' or assuming that MED cannot be set on outbound updates.

How to eliminate wrong answers

Option B is wrong because the route-map is applied to outbound updates ('out'), not inbound updates, so it does not affect routes received from 10.0.0.2. Option C is wrong because the 'set metric' command sets the MED, not the local preference; local preference is set using 'set local-preference' and is used for outbound traffic within the local AS. Option D is wrong because the configuration is valid; MED can be set on outbound updates using a route-map with the 'set metric' command, and this is a common practice for influencing path selection in neighboring ASes.

891
MCQmedium

router bgp 65000
 bgp router-id 10.0.0.1
 neighbor 10.0.0.2 remote-as 65001
 neighbor 10.0.0.2 route-map SET_ORIGIN in
!
route-map SET_ORIGIN permit 10
 set origin incomplete
!

What is the effect of this configuration?

A.Routes received from 10.0.0.2 will have their origin set to incomplete, making them less preferred compared to IGP origin.
B.Routes sent to 10.0.0.2 will have their origin set to incomplete.
C.The router will not advertise any routes with origin incomplete to other peers.
D.The configuration is invalid because origin cannot be changed with a route-map.
AnswerA

Correct. Incomplete origin is the least preferred.

Why this answer

The route-map SET_ORIGIN is applied as an inbound filter to neighbor 10.0.0.2. When a route is received, the 'set origin incomplete' command changes the origin attribute to incomplete (value 2). In BGP path selection, origin incomplete is the least preferred origin type, making these routes less preferred than routes with IGP (value 0) or EGP (value 1) origin.

Exam trap

Cisco often tests the directionality of route-maps (in vs out) and the fact that origin can be modified with a route-map, leading candidates to mistakenly think the route-map applies to outbound updates or that origin is immutable.

How to eliminate wrong answers

Option B is wrong because the route-map is applied 'in' (inbound), not 'out' (outbound), so it affects received routes, not sent routes. Option C is wrong because the configuration does not filter or suppress routes; it only modifies the origin attribute of received routes, and routes with origin incomplete can still be advertised to other peers. Option D is wrong because the origin attribute can be changed using a route-map with the 'set origin' command; this is a valid BGP configuration.

892
Drag & Dropmedium

Drag and drop the steps of Streaming telemetry sensor path subscription flow into the correct order, from first to last.

Why this order

First a sensor path is defined, then a subscription is created with its destination, the device pushes data periodically, the collector receives and processes the data, and finally the subscription can be updated or deleted.

893
MCQmedium

Examine the following telemetry configuration on a Cisco IOS-XE device:

telemetry ietf subscription 200
 encoding encode-kvgpb
 filter xpath /interfaces/interface[name='GigabitEthernet0/0/0']/state
 stream yang-push
 update-policy on-change
 receiver ip address 192.168.1.100 50001 protocol grpc

Which statement is true about this configuration?

A.Data is pushed only when a change occurs in the state of GigabitEthernet0/0/0.
B.Data is pushed every 200 seconds to the collector.
C.The subscription uses JSON encoding.
D.The filter selects all interfaces, not just GigabitEthernet0/0/0.
AnswerA

The update-policy on-change triggers updates only on state changes for that interface.

Why this answer

This subscription uses on-change update policy, so data is pushed only when a change occurs in the specified subtree.

894
MCQmedium

Examine this SNMP configuration snippet from a Cisco IOS-XE router:

snmp-server community MyComm RO 10
access-list 10 permit 192.168.1.0 0.0.0.255

What is the effect of this configuration?

A.SNMP read requests from any host in the 192.168.1.0/24 network using community 'MyComm' will be accepted.
B.SNMP read and write requests from 192.168.1.0/24 using community 'MyComm' will be accepted.
C.Only SNMP requests from the 192.168.1.0/24 network are allowed, regardless of community string.
D.The access-list 10 is incomplete; it needs a deny statement to block other traffic.
AnswerA

The access-list 10 permits the 192.168.1.0/24 network, and the community is tied to that ACL, so only those hosts can use 'MyComm' for read access.

Why this answer

The community string 'MyComm' is configured with read-only access and is restricted by access-list 10, which permits only the 192.168.1.0/24 network.

895
MCQeasy

What is the default tx-period timer value in Cisco IOS 802.1X configuration?

A.3 seconds
B.10 seconds
C.30 seconds
D.60 seconds
AnswerC

The default tx-period is 30 seconds.

Why this answer

The tx-period timer defines the number of seconds the switch waits for a response to an EAP-Request/Identity packet before retransmitting. The default value is 30 seconds.

896
Multi-Selectmedium

Which three statements about path isolation using VRF are true? (Choose three.)

Select 3 answers
A.VRFs allow overlapping IP addresses between different virtual networks on the same router.
B.VRF-lite can provide path isolation without the use of MPLS.
C.VRF-based path isolation ensures encryption of all data between VRFs.
D.A VRF can be used to separate customer traffic in a service provider network.
E.VRF-lite requires a full mesh of trunk links between all routers in the network.
AnswersA, B, D

Correct because each VRF has its own routing table, so overlapping addresses are isolated.

Why this answer

Path isolation with VRF ensures that traffic from different tenants or departments does not interfere. The correct answers highlight that VRFs provide separate forwarding tables, that overlapping IP addresses are possible, and that VRF-lite can be used without MPLS. The incorrect options claim that VRFs guarantee end-to-end encryption (they do not) or that VRF-lite requires a full mesh of trunks (it does not).

897
MCQmedium

A network engineer is using Netmiko to connect to a Cisco IOS-XE device that is managed by Cisco DNA Center. The script is:

from netmiko import ConnectHandler

device = {
    'device_type': 'cisco_ios',
    'host': '10.10.10.1',
    'username': 'admin',
    'password': 'cisco123',
    'secret': 'enable123'
}
connection = ConnectHandler(**device)
connection.enable()
output = connection.send_command('show ip interface brief')
print(output)
connection.disconnect()

What is a potential security concern with this script in the context of DNA Center?

A.The script does not handle authentication failures gracefully.
B.The enable secret is hardcoded in plain text, which is a security risk.
C.The device_type should be 'cisco_xe' for IOS-XE.
D.The script should use SSH keys instead of passwords.
AnswerB

Correct. Hardcoding credentials is insecure. They should be stored in a secure manner.

Why this answer

The script stores the enable secret in plain text. In a production environment, credentials should be stored securely, such as using environment variables or a vault. DNA Center itself stores credentials encrypted, but this script exposes them.
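Two things a practitioner would want alongside this answer: a way to catch hardcoded credentials before a script like the one above is committed, and the pattern for building the Netmiko device dictionary from the environment instead. The block below is an added example, not code from the question bank or from Netmiko. It scans Python source with the ast module for sensitive keys assigned string literals (the page's script is embedded as a constructed sample), and it builds the connection parameters from NET_USERNAME, NET_PASSWORD and NET_ENABLE_SECRET, variable names that are assumptions for this example. Netmiko itself is not imported, so the block runs offline.

```python
import ast
import os

# Constructed copy of the question's Netmiko script. It is only scanned
# as text here; nothing in it is executed.
SAMPLE_SCRIPT = """
from netmiko import ConnectHandler
device = {
    'device_type': 'cisco_ios',
    'host': '10.10.10.1',
    'username': 'admin',
    'password': 'cisco123',
    'secret': 'enable123',
}
"""

# Dict keys and variable names treated as credentials (assumed list).
SENSITIVE_KEYS = {"password", "secret", "passwd", "token", "api_key"}


def find_hardcoded_secrets(source: str):
    """Return (name, line) pairs where a sensitive dict key or variable is
    assigned a string literal. Working on the AST means comments or strings
    that merely mention 'password' do not produce false positives."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Dict):
            # {'password': 'cisco123'} style; key is None for ** unpacking
            for key, value in zip(node.keys, node.values):
                if (isinstance(key, ast.Constant) and isinstance(key.value, str)
                        and key.value.lower() in SENSITIVE_KEYS
                        and isinstance(value, ast.Constant)
                        and isinstance(value.value, str)):
                    findings.append((key.value, value.lineno))
        elif isinstance(node, ast.Assign):
            # password = 'cisco123' style
            if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
                for target in node.targets:
                    if isinstance(target, ast.Name) and target.id.lower() in SENSITIVE_KEYS:
                        findings.append((target.id, node.lineno))
    return findings


def device_from_env(host: str, env=None, prefix: str = "NET_") -> dict:
    """Build the Netmiko connection dict from environment variables.

    'env' defaults to os.environ; a mapping can be passed for testing.
    Missing credentials raise instead of silently falling back to a default.
    """
    env = os.environ if env is None else env
    required = {
        "username": f"{prefix}USERNAME",
        "password": f"{prefix}PASSWORD",
        "secret": f"{prefix}ENABLE_SECRET",
    }
    missing = [var for var in required.values() if not env.get(var)]
    if missing:
        raise RuntimeError("missing credential variables: " + ", ".join(missing))
    return {
        "device_type": "cisco_ios",
        "host": host,
        **{field: env[var] for field, var in required.items()},
    }


if __name__ == "__main__":
    for name, line in find_hardcoded_secrets(SAMPLE_SCRIPT):
        print(f"hardcoded credential '{name}' on line {line}")
    # With the variables exported, this dict is what ConnectHandler(**device)
    # would receive, without any secret appearing in the source file.
    print(device_from_env("10.10.10.1"))
```

The scanner is deliberately narrow (literal assignments to a handful of key names), which is the right trade-off for a pre-commit hook: few false positives, and the cases it misses (secrets built by concatenation, secrets in config files) are better covered by a dedicated secret-scanning tool. The environment-variable loader is a minimal stand-in for what the answer calls a vault; the important property it keeps is that the script fails closed when a credential is absent.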

898
MCQhard

A company has a core network running OSPF in a single area (area 0). The network consists of four routers: R1, R2, R3, and R4. R1 is connected to R2 and R3. R2 is also connected to R4. R3 is also connected to R4. All links are GigabitEthernet with OSPF cost based on bandwidth (reference bandwidth 100 Gbps). The network engineer notices that traffic from R1 to a subnet behind R4 is taking a suboptimal path: R1 -> R2 -> R4, instead of R1 -> R3 -> R4 which has lower cost. Upon checking OSPF neighbor states, all adjacencies are full. The engineer verifies that the cost on the R1-R3 link is 10 and the cost on the R3-R4 link is 10, while the R1-R2 link cost is 20 and the R2-R4 link cost is 20. The total cost via R2 is 40, via R3 is 20. However, the routing table on R1 shows the next-hop as R2 for the subnet behind R4. What is the most likely cause?

A.OSPF is load balancing across both paths equally.
B.The OSPF network type on R1-R3 is broadcast, causing DR/BDR election issues.
C.The subnet behind R4 is an external route (type 5 LSA) and the cost to the ASBR via R2 is lower than via R3 due to a mismatched reference bandwidth or manual cost setting.
D.The R1-R3 link is flapping, causing OSPF to prefer the stable path via R2.
AnswerC

Option C is correct because external routes are evaluated based on cost to ASBR plus external cost; if the cost to ASBR via R2 is lower (e.g., due to different reference bandwidth), the path via R2 may be preferred.

Why this answer

Option C is correct because the subnet behind R4 is likely redistributed into OSPF as an external route (type 5 LSA). The cost to reach the ASBR (R4) via R2 is 40, while via R3 it is 20, but if the external route's advertised cost is lower via R2 (e.g., due to a mismatched reference bandwidth or manual cost setting on R4's redistribution), OSPF will prefer the path with the lower total cost (intra-area cost to ASBR + external cost). In this scenario, the external cost via R2 could be 0 or very low, making the total cost via R2 (40 + low) lower than via R3 (20 + high), overriding the intra-area cost advantage.

Exam trap

Cisco often tests the misconception that OSPF always uses the lowest intra-area cost, but external route types (E1 vs E2) and their metric handling can override intra-area path selection, causing candidates to overlook redistribution and metric-type behavior.

How to eliminate wrong answers

Option A is wrong because OSPF does not load balance across unequal-cost paths without explicit configuration (e.g., 'maximum-paths' with equal-cost paths), and the costs are clearly unequal (40 vs 20). Option B is wrong because the OSPF network type on a point-to-point GigabitEthernet link (default broadcast) does not cause suboptimal path selection; DR/BDR election affects LSA flooding but not the cost-based SPF calculation, and all adjacencies are full. Option D is wrong because if the R1-R3 link were flapping, OSPF would detect the adjacency down and remove the route, not prefer a stable path with higher cost; the routing table would show only the R2 path, not a suboptimal choice based on stability.

899
Multi-Selecthard

Which three statements about YANG data models are true? (Choose three.)

Select 3 answers
A.YANG is used to define data models for NETCONF and RESTCONF.
B.YANG models are written in XML syntax.
C.YANG supports hierarchical data structures using containers and lists.
D.YANG modules are compiled into MIB files for SNMP.
E.YANG includes built-in data types such as string, int32, and enumeration.
AnswersA, C, E

Correct because YANG is the standard data modeling language for NETCONF and RESTCONF.

Why this answer

The correct answers are A, C, and E. A is correct because YANG is used to model configuration and operational data in NETCONF and RESTCONF. C is correct because YANG uses a tree-like hierarchical structure with containers and lists.

E is correct because YANG supports data types such as string, int32, and enumeration. B is incorrect because YANG models are not written in XML; they use a custom syntax similar to SMIv2. D is incorrect because YANG modules are not compiled into MIB files; MIBs are for SNMP.

900
MCQmedium

A network engineer is using a Cisco Catalyst 3850 switch to monitor traffic from a server connected to port Gi1/0/1. The monitoring station is on port Gi1/0/24. The engineer configures 'monitor session 1 source interface Gi1/0/1 both' and 'monitor session 1 destination interface Gi1/0/24'. The monitoring station receives traffic, but the engineer notices that the switch CPU utilization is high. What is the most likely cause of the high CPU?

A.The SPAN session is capturing both directions, which doubles the number of packets and increases CPU usage.
B.The destination port is not configured with 'switchport nonegotiate' and is still participating in DTP, causing CPU overhead.
C.The destination port is still a member of a VLAN, and the switch is processing the copied frames as normal traffic, leading to high CPU.
D.The source interface is a trunk port, and SPAN is capturing all VLANs, causing high CPU.
AnswerC

Correct; when a destination port is not dedicated to SPAN, the switch may attempt to switch the copied frames, increasing CPU load.

Why this answer

A SPAN destination port should be dedicated to the monitoring session. If it is still treated as a regular member of a VLAN, the switch may process the copied frames as normal traffic in addition to mirroring them, which drives up CPU utilization. The monitoring station does receive traffic, so the session itself is working; the extra load comes from how the destination port is being used.

Capturing from many sources or very high packet rates can also raise CPU, but with a single source interface the most likely cause is that the destination port is not configured as a SPAN-destination-only port: it is still a member of a VLAN, so the switch processes the copied frames as normal traffic.
