ENCOR 350-401 (350-401) — Questions 1126–1200

2015 questions total · 27 pages · All types, answers revealed

Page 16 of 27
1126 (MCQ, medium)

An enterprise is deploying a KVM-based virtualization platform for network functions. The architect must choose a networking model that allows VNFs to communicate with minimal overhead and supports VLAN trunking. Which virtual networking component should be used?

A. Linux bridge with VLAN tagging enabled on the bridge interface.
B. macvtap in bridge mode, which bypasses the Linux bridge.
C. Open vSwitch with DPDK for maximum performance.
D. Host-only networking with NAT to isolate VNFs.

Answer: A

This provides VLAN trunking and low-overhead connectivity for VNFs.

Why this answer

A Linux bridge with VLAN tagging enabled on the bridge interface is the correct choice because it provides a standard Layer 2 forwarding path with native 802.1Q VLAN trunking support, allowing VNFs to communicate with minimal overhead. Unlike more complex solutions, the Linux bridge operates in kernel space with low latency and does not require additional userspace processing, making it ideal for KVM-based NFV deployments where performance and simplicity are key.

Exam trap

Cisco often tests the misconception that macvtap in bridge mode is a drop-in replacement for a Linux bridge, but it fails to support VLAN trunking because it does not expose a bridge interface for VLAN filtering on the host.

How to eliminate wrong answers

Option B is wrong because macvtap in bridge mode bypasses the Linux bridge entirely and does not support VLAN trunking natively; it creates a direct connection between the VM and the physical interface, preventing the use of 802.1Q tags on the host side. Option C is wrong because Open vSwitch with DPDK, while offering maximum performance through userspace packet processing, introduces significant complexity and overhead for a scenario that only requires basic bridging and VLAN trunking, and is not necessary for minimal overhead. Option D is wrong because host-only networking with NAT isolates VNFs from the external network and does not support VLAN trunking; it is designed for private communication between VMs and the host, not for production NFV deployments requiring VLAN segmentation.

1127 (Multi-Select, hard)

Which three statements about Cisco TrustSec (CTS) are true? (Choose three.)

A. Cisco TrustSec uses Security Group Tags (SGTs) to classify traffic based on user or device identity.
B. SGTs are typically assigned to IP addresses using a centralized SGT mapping database.
C. 802.1X can be used as the authentication mechanism to dynamically assign an SGT to a supplicant.
D. Cisco TrustSec eliminates the need for all traditional ACLs in the network.
E. SGTs can be carried in the Ethernet frame header using Cisco's inline tagging method.

Answers: A, C, E

Correct because SGTs are 16-bit values that represent the security group of the source, enabling identity-based policy enforcement.

Why this answer

Cisco TrustSec uses SGTs for role-based access control, can use 802.1X for initial authentication, and supports dynamic SGT assignment via RADIUS. SGTs are not IP-based but are 16-bit tags. CTS does not replace all ACLs but augments them with SGT-based policies.

1128 (Drag & Drop, medium)

Drag and drop the steps of VLAN mapping on trunk interfaces into the correct order, from first to last.


Why this order

First enter the trunk interface, configure encapsulation, then apply the VLAN mapping policy (translate or map), and finally verify the mapping.

1129 (Drag & Drop, medium)

Drag and drop the steps of Cisco NSO service provisioning workflow into the correct order, from first to last.


Why this order

The Cisco NSO workflow starts with the operator defining a service in YANG model. Then NSO maps the service to device configurations using a service template. Next, NSO pushes the configuration to network devices via NETCONF.

After that, NSO updates the service database with the operational state. Finally, NSO verifies the service by checking device state and alarms.

1130 (Matching, medium)

Drag and drop each authentication mode on the left to its matching behavior on the right.

Matches

Port allows traffic even before successful authentication

Port blocks all traffic until authentication succeeds

Port logs authentication results but does not enforce access

Only one device can authenticate per port

Allows one voice and one data device per port

Why these pairings

Open mode allows traffic before authentication, closed mode blocks all until authenticated, and monitor mode logs but does not block.

1131 (Multi-Select, hard)

Which two statements about SPAN and RSPAN configuration limits are true? (Choose two.)

A. A single port can be a SPAN source for multiple SPAN sessions simultaneously.
B. A SPAN destination port can be used in multiple SPAN sessions at the same time.
C. RSPAN source sessions and local SPAN sessions count toward the same session limit on a switch.
D. The maximum number of SPAN sessions on a switch is always 4.
E. A SPAN source VLAN can be used in both a local SPAN and an RSPAN session at the same time.

Answers: A, C

Correct because a source port can be monitored by multiple SPAN sessions.

Why this answer

Cisco switches have limits on the number of SPAN/RSPAN sessions, typically up to 2 local SPAN sessions and 1 RSPAN source session. A single port can be a source for multiple sessions, but a destination port can only be used in one session at a time. The source and destination ports must be on the same switch for local SPAN.

1132 (Drag & Drop, medium)

Drag and drop the steps of ACL reflexive access list (dynamic inspection) flow into the correct order, from first to last.


Why this order

Reflexive ACLs work by evaluating outbound traffic, creating a reflexive entry, then applying inbound ACL to permit return traffic. The order ensures proper dynamic inspection.

1133 (MCQ, easy)

A network engineer uses the Cisco DNA Center API to trigger a provisioning workflow for a new device. The API call returns the following JSON response:

```json
{
  "response": {
    "taskId": "task-12345",
    "url": "/api/v1/task/task-12345"
  },
  "version": "1.0"
}
```

The engineer then polls the task status using the URL. Which HTTP method should be used to retrieve the task status?

A. GET
B. POST
C. PUT
D. DELETE

Answer: A

Correct. A GET request retrieves the task status.

Why this answer

To retrieve the status of a task, a GET request should be sent to the provided URL. The task ID is used to query the task API endpoint.

1134 (Multi-Select, easy)

Which two statements about IPsec VPNs are true? (Choose two.)

A. IPsec tunnel mode encrypts the entire original IP packet and adds a new IP header.
B. IKEv2 is more secure and supports EAP authentication, unlike IKEv1.
C. IPsec always uses UDP port 500 for all its traffic.
D. AH provides encryption of the IP packet payload.
E. IPsec operates at Layer 2 of the OSI model.

Answers: A, B

Correct because in tunnel mode, the whole original packet is encapsulated and encrypted, with a new IP header for the tunnel endpoints.

Why this answer

IPsec can operate in transport mode (protecting payload only) or tunnel mode (protecting entire IP packet). IKEv2 is more secure and efficient than IKEv1. IPsec does not use UDP encapsulation by default; UDP encapsulation is used for NAT traversal.

AH provides authentication and integrity but not encryption. IPsec does not operate at Layer 2.

1135 (Drag & Drop, medium)

Drag and drop the steps of cisco.ios.ios_config module idempotent apply flow into the correct order, from first to last.


Why this order

The cisco.ios.ios_config module first connects to the device; then, it retrieves the running configuration; next, it compares the desired config lines with the running config; after that, it applies only the lines that are missing or different; finally, it saves the configuration if the save parameter is set.

1136 (Multi-Select, medium)

Which two statements about 802.1X port states and access control are true? (Choose two.)

A. Before authentication, the switch port is in the unauthorized state and only allows EAPOL frames.
B. After successful 802.1X authentication, the port transitions to the authorized state and all traffic is permitted.
C. In multi-auth mode, the port becomes authorized for all devices once the first device authenticates successfully.
D. The port remains in the unauthorized state until the client sends data traffic.
E. 802.1X can be configured on a Layer 3 interface to authenticate users before routing.

Answers: A, B

Correct because the unauthorized state blocks all traffic except EAPOL, which is necessary for the authentication process.

Why this answer

In 802.1X, the switch port starts in the unauthorized state, allowing only EAPOL traffic. After successful authentication, the port transitions to the authorized state, allowing normal traffic. Multi-auth mode allows multiple devices on the same port, each authenticated individually.

The port does not become fully authorized before the client sends traffic.

1137 (MCQ, medium)

A network engineer runs the following command on Router R1:

```
R1# show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.2          1   FULL/DR         00:00:34    192.168.1.2     GigabitEthernet0/0
10.0.0.3          1   2WAY/DROTHER    00:00:38    192.168.1.3     GigabitEthernet0/0
```

Based on this output, what can be concluded?

A. The local router is the Designated Router (DR)
B. The local router is the Backup Designated Router (BDR)
C. The local router is a DROTHER
D. The OSPF network type is point-to-point

Answer: B

Since the DR is 10.0.0.2 and the BDR is not shown, the local router must be the BDR because it has a FULL adjacency with the DR and a 2WAY adjacency with the DROTHER.

Why this answer

The output shows OSPF neighbors on a multi-access network. The neighbor with state FULL/DR is the Designated Router, and the neighbor with state 2WAY/DROTHER is a non-DR/BDR router that has formed a two-way adjacency but is not adjacent to the DR. The local router must be either the BDR or a DROTHER, as it is not listed as DR.

The correct answer is that the local router is the Backup Designated Router (BDR).

1138 (Matching, medium)

Drag and drop each AAA service on the left to its matching protocol on the right.

Matches

RADIUS

TACACS+

RADIUS

TACACS+

TACACS+

Why these pairings

Authentication typically uses RADIUS, authorization uses TACACS+, accounting can use either, but RADIUS is more common for accounting; TACACS+ encrypts the entire packet and separates AAA functions.

1139 (Drag & Drop, medium)

Drag and drop the steps of Embedded Packet Capture (EPC) on IOS-XE steps into the correct order, from first to last.


Why this order

EPC requires defining a capture buffer, then a capture point, associating them, starting the capture, and finally exporting or viewing.

1140 (Drag & Drop, medium)

Drag and drop the steps of Cisco Flex (FlexConnect) AP mode operation into the correct order, from first to last.


Why this order

A FlexConnect AP first discovers and joins the WLC, then downloads its configuration and policy. When a client associates, the AP locally switches traffic if configured. The AP sends client data to the WLC for authentication and then applies the downloaded policy locally.

1141 (MCQ, hard)

A service provider is using Cisco ASR 9000 routers and needs to collect NetFlow data from multiple customers' traffic. The engineer wants to ensure that flow records from different customers are not mixed and can be identified separately. The router supports Flexible NetFlow. What is the best approach?

A. Define a custom flow record that includes the 'match ipv4 vlan' or 'match ipv4 vrf' field to identify each customer's traffic, and apply a single flow monitor on the shared interface.
B. Configure a separate flow monitor for each customer interface and export to different collectors.
C. Use NetFlow v9 export with the 'match ipv4 source address' field only, and rely on the collector to separate by source IP.
D. Enable SNMP interface polling to track per-customer traffic statistics.

Answer: A

Correct because including the VRF or VLAN match field in the flow record allows the collector to distinguish flows per customer.

Why this answer

Flexible NetFlow allows customization of flow records. Option A is correct by using a flow record with a 'match ipv4 vlan' or 'match ipv4 vrf' field to tag flows per customer. Option B is incorrect because separate flow monitors for each interface would still mix flows if multiple customers share an interface.

Option C is incorrect because NetFlow v9 export format does not inherently separate customers. Option D is incorrect because SNMP is not suitable for per-customer flow identification.

1142 (Drag & Drop, medium)

Drag and drop the steps of implementing QoS trust boundaries on a Cisco switch into the correct order, from first to last.


Why this order

First, identify the trust boundary (e.g., access port). Then configure the trusted interface to trust CoS or DSCP. Next, set the default CoS for untrusted frames.

Finally, verify the configuration and adjust as needed.

1143 (Multi-Select, hard)

Which three statements about trunking and VLAN pruning are true? (Choose three.)

A. VTP pruning reduces unnecessary broadcast traffic by preventing a trunk from carrying traffic for VLANs that have no active ports in the VLAN on downstream switches.
B. VTP pruning is enabled globally using the 'vtp pruning' command in global configuration mode.
C. VTP pruning can be enabled on a VTP client switch.
D. Manual VLAN pruning using 'switchport trunk allowed vlan' overrides VTP pruning for that specific trunk interface.
E. VTP pruning can remove the native VLAN from a trunk link.

Answers: A, B, D

This is the primary benefit of VTP pruning; it dynamically prunes VLANs from trunk links.

Why this answer

VTP pruning reduces unnecessary broadcast traffic on trunk links by dynamically removing VLANs from trunk allowed lists when no downstream switch has ports in that VLAN. VTP pruning is enabled globally with the 'vtp pruning' command. It requires VTP to be in server or transparent mode; clients cannot enable pruning.

The 'switchport trunk allowed vlan' command can manually prune VLANs, and this overrides VTP pruning for that interface. VTP pruning does not affect the native VLAN, which is always allowed.

1144 (Drag & Drop, medium)

Drag and drop the steps of SVI configuration for inter-VLAN routing into the correct order, from first to last.


Why this order

SVI configuration requires first creating the VLAN, then the SVI interface, assigning an IP address, enabling the interface, and finally verifying routing. This order ensures the VLAN exists before the SVI is created and routing is enabled.

1145 (Drag & Drop, medium)

Drag and drop the steps of FlexVPN IKEv2 spoke registration to hub into the correct order, from first to last.


Why this order

FlexVPN IKEv2 spoke registration starts with the spoke initiating an IKEv2 SA to the hub, followed by authentication using certificates or pre-shared keys. The spoke then sends a configuration payload request, the hub assigns an IP address and pushes policies, and finally the spoke installs the IPsec SA and routes traffic through the hub.

1146 (Drag & Drop, medium)

Drag and drop the steps of the QoS trust boundary configuration process into the correct order, from first to last.


Why this order

The trust boundary process starts by enabling trust on the interface, then optionally setting a default CoS/DSCP for untrusted traffic, and finally applying a service policy to enforce policing or marking. Verification ensures the trust boundary is correctly applied.

1147 (MCQ, medium)

A network administrator checks the AAA configuration on a router:

```
R1# show running-config | include aaa
aaa new-model
aaa authentication login default group radius local
aaa authentication login console local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group radius
```

Based on this output, what can be concluded?

A. Console login uses RADIUS authentication.
B. EXEC authorization uses TACACS+ as the primary method.
C. Accounting is performed using TACACS+.
D. Local authentication is never used.

Answer: B

The command 'aaa authorization exec default group tacacs+ local' shows TACACS+ is tried first.

Why this answer

The configuration shows AAA is enabled. For login authentication, the default method list uses RADIUS first, then local. The console uses local authentication only.

For EXEC authorization, TACACS+ is used first, then local. Accounting is configured for EXEC sessions using RADIUS.

1148 (Drag & Drop, medium)

Drag and drop the steps of troubleshooting an IP SLA operation into the correct order, from first to last.


Why this order

Start by checking the IP SLA configuration for errors, then verify the operation is scheduled and active. Next, examine the statistics for failures, check reachability to the target, and finally review logs for any system-level issues.

1149 (MCQ, hard)

An enterprise is using OSPF in a multi-area design. Area 1 is a regular area, and Area 2 is a totally stubby area. Which LSA types are present in Area 2?

A. Type 1, Type 2, Type 3 (including default)
B. Type 1, Type 2, Type 3, Type 5
C. Type 1, Type 2, Type 4, Type 5
D. Type 1, Type 2, Type 3 (including default), Type 4

Answer: A

Totally stubby areas allow only Type 1, Type 2, and a default Type 3 LSA.

Why this answer

In a totally stubby area, the ABR blocks Type 4 and Type 5 LSAs and replaces all Type 3 inter-area routes with a single default route (Type 3 LSA with link-state ID 0.0.0.0). Therefore, only Type 1 (router), Type 2 (network), and the default Type 3 LSAs are present. This matches option A.

Exam trap

Cisco often tests the distinction between a standard stub area (which allows Type 3 summaries but blocks Type 4 and Type 5) and a totally stubby area (which additionally blocks all Type 3 summaries except the default), causing candidates to confuse the LSA types allowed in each.

How to eliminate wrong answers

Option B is wrong because Type 5 (AS-external) LSAs are blocked in a totally stubby area; they are only present in a standard stub area if not using the 'no-summary' keyword. Option C is wrong because Type 4 (ASBR-summary) LSAs are also blocked in a totally stubby area, and Type 5 LSAs are blocked as well. Option D is wrong because Type 4 LSAs are not present in a totally stubby area; the ABR does not advertise the ASBR location into the area.

1150 (Matching, medium)

Drag and drop each multicast address range on the left to its matching use on the right.

Matches

Link-local multicast (e.g., OSPF, EIGRP, PIM hello)

Source-Specific Multicast (SSM) range

Administratively scoped (private) multicast

Global unicast-based multicast (GLOP, SSM not included)

Entire IPv4 multicast address space

Why these pairings

224.0.0.0/24 is reserved for link-local multicast (e.g., routing protocols); 232.0.0.0/8 is for SSM; 239.0.0.0/8 is for administratively scoped (private) multicast; 224.0.1.0–238.255.255.255 is for global unicast-based multicast; 224.0.0.0/4 is the overall multicast range.

1151 (MCQ, hard)

A network engineer runs the following command on Switch SW9:

```
SW9# show monitor session 9
Session 9
---------
Type                   : Remote Destination Session
Source RSPAN VLAN      : 300
Destination Ports      : Gi1/0/40
    Encapsulation      : Native
          Ingress      : Disabled
```

Based on this output, what can be concluded?

A. This switch receives mirrored traffic from RSPAN VLAN 300 and sends it to Gi1/0/40.
B. This is a local SPAN session with source VLAN 300.
C. The RSPAN VLAN 300 is used to send traffic to a remote switch.
D. Ingress traffic on Gi1/0/40 is forwarded to the RSPAN VLAN.

Answer: A

The type 'Remote Destination Session' and source RSPAN VLAN confirm this.

Why this answer

This is an RSPAN destination session on SW9. The source is RSPAN VLAN 300, and the destination port Gi1/0/40 sends out the mirrored traffic. The destination port has Native encapsulation and ingress disabled, meaning it only forwards traffic from the RSPAN VLAN and does not forward incoming traffic.

1152 (MCQ, medium)

A network team is deploying a virtualized WAN optimization appliance. The appliance must be able to process traffic at line rate on a 10 Gbps link. The hypervisor host has multiple physical NICs. Which design choice will best ensure the VM can achieve the required throughput?

A. Assign the VM a virtual function (VF) using SR-IOV on the physical NIC.
B. Use a standard virtual switch with a single vCPU for the VM.
C. Enable jumbo frames on the virtual switch only.
D. Configure the VM with multiple vNICs and use NIC teaming.

Answer: A

SR-IOV provides near-native performance by giving the VM direct NIC access.

Why this answer

SR-IOV (Single Root I/O Virtualization) allows a physical NIC to present multiple virtual functions (VFs) directly to a VM, bypassing the hypervisor's virtual switch. This reduces CPU overhead and latency, enabling the VM to achieve near line-rate throughput on a 10 Gbps link by allowing direct hardware access for data plane traffic.

Exam trap

Cisco often tests the misconception that adding more vNICs or teaming can solve throughput issues, but the real bottleneck is the hypervisor's software switching overhead, which SR-IOV eliminates by providing direct hardware pass-through.

How to eliminate wrong answers

Option B is wrong because a standard virtual switch with a single vCPU introduces significant CPU overhead and context-switching latency, which cannot sustain 10 Gbps line-rate processing. Option C is wrong because enabling jumbo frames on the virtual switch only does not reduce the hypervisor's I/O bottleneck; jumbo frames must also be supported end-to-end on the physical NIC and VM to improve throughput, but they alone cannot guarantee line rate. Option D is wrong because multiple vNICs with NIC teaming in the VM adds complexity and still relies on the hypervisor's virtual switch for packet forwarding, which introduces software overhead that prevents achieving line-rate performance on a 10 Gbps link.

1153 (Drag & Drop, medium)

Drag and drop the steps of EtherChannel troubleshooting and verification steps into the correct order, from first to last.


Why this order

Troubleshooting begins with checking physical port status, then verifying EtherChannel bundle state, inspecting protocol details, checking load-balancing, and finally testing connectivity.

1154 (Drag & Drop, medium)

Drag and drop the steps of MPLS L3VPN packet forwarding steps into the correct order, from first to last.


Why this order

The order begins with the ingress PE receiving an IP packet from the CE, looking up the VRF to find the next hop and label, pushing the MPLS label stack, forwarding the labeled packet across the MPLS core, and finally the egress PE popping the label and forwarding the IP packet to the destination CE.

1155 (MCQ, hard)

An engineer configures IP SLA 10 to monitor the reachability of a next-hop router at 10.1.1.1 using ICMP echo. The IP SLA is used as a track object for a static route. The engineer notices that the IP SLA operation shows 'State: Active' and 'Latest RTT: 1 ms', but the track object shows 'Track 10: up' even though the next-hop router is actually unreachable from the source. The source router has a default route pointing to 10.1.1.1. What is the most likely cause?

A. The IP SLA operation is using the wrong source IP address; it should be sourced from the interface that connects to the next-hop router.
B. The IP SLA operation must be configured with a 'timeout' value lower than the RTT to force a failure.
C. The track object must be configured with a 'down' delay to prevent flapping.
D. The static route must be configured with a higher administrative distance to allow the IP SLA to remove it.

Answer: A

Correct. If the IP SLA probe is sourced from a different interface (e.g., loopback), it may take a different path and succeed even if the next-hop router is unreachable via the intended interface.

Why this answer

If the source router has a default route pointing to the same next-hop, the IP SLA probe packets may be sent out using that default route, which could lead to the probe being sent to a different path or looping. However, the more direct cause is that the IP SLA probe is sourced from an interface that is not the one that would be used to reach the next-hop, so the probe may succeed even if the next-hop is unreachable via the expected path.

1156 (Matching, medium)

Drag and drop each EIGRP timer on the left to its matching default value on the right.

Matches

5 seconds

15 seconds

3 minutes

5 seconds

0.5 seconds

Why these pairings

Hello timer default is 5 seconds on LAN; Hold timer default is 15 seconds (3x Hello); Active timer default is 3 minutes; Update timer default is 5 seconds; Retransmission timer default is 0.5 seconds.

1157 (MCQ, medium)

Given the following BGP configuration on a Cisco IOS-XE device:

```
router bgp 65001
 bgp router-id 1.1.1.1
 neighbor 10.0.0.2 remote-as 65002
 neighbor 10.0.0.2 update-source Loopback0
 neighbor 10.0.0.2 ebgp-multihop 2
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.252
```

What is the purpose of the 'ebgp-multihop 2' command?

A. It allows the BGP session to be established even if the neighbor is not directly connected, with a maximum of 2 hops.
B. It sets the BGP session to use two TCP connections for redundancy.
C. It enables BGP to use two different paths to reach the neighbor.
D. It is required because the neighbor is configured with a loopback interface as the update source.

Answer: A

Correct. EBGP multihop with value 2 allows the neighbor to be up to 2 hops away (TTL=2).

Why this answer

EBGP multihop allows the BGP session to be established between non-directly connected peers. The number specifies the maximum TTL for the BGP packets. Here, TTL=2 allows one intermediate hop.

1158 (Matching, medium)

Drag and drop each STP port state on the left to its matching function on the right.

Matches

Discards frames, does not learn MAC addresses

Discards frames, does not learn MAC addresses (receives BPDUs)

Discards frames, learns MAC addresses

Forwards frames, learns MAC addresses

Administratively down, discards frames

Why these pairings

Blocking discards frames and does not learn MACs; Listening discards frames and does not learn MACs but receives BPDUs; Learning discards frames but learns MACs; Forwarding forwards frames and learns MACs; Disabled is administratively down and discards frames.

1159 (MCQ, medium)

Examine this DHCP configuration:

```
service dhcp
ip dhcp pool POOL2
 network 10.20.20.0 255.255.255.0
 default-router 10.20.20.1
 lease infinite
```

What is the effect of the 'lease infinite' command?

A. Clients will receive an infinite lease and never need to renew.
B. The lease time is set to the default value of 1 day.
C. Clients will be unable to obtain an IP address because infinite is invalid.
D. The router will ignore the lease command and use the default.

Answer: A

Correct. Infinite lease means the IP address is valid indefinitely.

Why this answer

The lease infinite command sets the DHCP lease time to never expire.

1160 (Drag & Drop, medium)

Drag and drop the steps of SD-WAN traffic engineering app-aware routing steps into the correct order, from first to last.


Why this order

App-aware routing begins with classification of traffic by application, then measuring path performance via probes, comparing metrics against configured SLA thresholds, selecting the best path that meets the SLA, and finally forwarding the traffic over the chosen path.

1161 (MCQ, medium)

An engineer is troubleshooting intermittent connectivity issues between two data center switches. The link is a 10GE LACP port-channel. Which misconfiguration could cause packet loss?

A. MTU size is set to 1500 on one switch and 9000 on the other.
B. Auto-negotiation is disabled on both ends.
C. Spanning-tree BPDU guard is enabled on the port-channel.
D. One switch is configured with active LACP and the other with passive LACP.

Answer: D

Active/passive LACP is a valid combination, but if one side is passive and the other is also passive (or off), the channel fails. This question assumes the misconfiguration is passive/passive, leading to no LACP negotiation.

Why this answer

Option D is correct because LACP requires one side to be in active mode to initiate negotiation; if one side is active and the other is passive, the passive side will not initiate the LACP exchange, but it will respond to active-side messages. However, the question states that the link is an LACP port-channel, implying both sides should be configured to form the bundle. If one side is passive and the other is active, the port-channel can form, but intermittent packet loss can occur if the passive side fails to respond quickly enough to LACP PDUs during transient conditions, or if there is a mismatch in LACP system priority or port priority that causes the bundle to flap.

More critically, a passive/passive combination would never form the port-channel, but active/passive can form it, yet the passive side's reliance on the active side for initiation can lead to instability under certain failure scenarios, causing packet loss.

Exam trap

Cisco often tests the misconception that active/passive LACP will always form a stable port-channel, but the trap is that while it forms, the passive side's dependency on the active side for initiation can cause flapping under stress, leading to packet loss—unlike active/active which is more robust.

How to eliminate wrong answers

Option A is treated as wrong because an MTU mismatch does not affect the bundle itself: LACPDUs are small, the port-channel forms, and only frames larger than 1500 bytes sent from the 9000-byte side are dropped. That loss is deterministic by frame size rather than an LACP negotiation problem, which is why the item discounts it, although in practice an MTU mismatch is exactly what to check when pings succeed but large transfers stall. Option B is wrong because auto-negotiation is not used on 10GE fiber (10GBASE-SR/LR), where speed and duplex are fixed; disabling it on both ends is standard and causes no loss. Option C is wrong because BPDU guard err-disables the port as soon as a BPDU arrives, a hard down rather than intermittent loss; it belongs on access ports facing end hosts and should not be enabled on a switch-to-switch link at all.

1162
Drag & Dropmedium

Drag and drop the steps of a NETCONF/YANG-based device monitoring subscription into the correct order, from first to last.


Why this order

First establish the NETCONF session over SSH (port 830) and complete the hello/capability exchange, then send an establish-subscription RPC for the YANG-push stream with the XPath filter and either a period or an on-change trigger, receive the rpc-reply carrying the subscription-id, then receive push-update notifications on that same session, and finally remove the subscription with delete-subscription (or close the session) when monitoring is done.

1163
MCQhard

A network engineer needs to monitor traffic from a specific VLAN (VLAN 100) on a Cisco Catalyst 9300 switch and send the mirrored traffic to a monitoring station on a different switch across a routed network. The engineer decides to use ERSPAN. Which configuration is required on the source switch?

A.Configure 'monitor session 1 type erspan-source' and then 'source vlan 100' and 'destination ip 192.168.1.100'.
B.Configure 'monitor session 1 source vlan 100' and 'monitor session 1 destination interface Gi1/0/24'.
C.Configure 'monitor session 1 source vlan 100' and 'monitor session 1 destination remote vlan 999'.
D.Configure 'monitor session 1 source vlan 100' and 'monitor session 1 destination interface Gi1/0/24' and then 'monitor session 1 encapsulation replicate'.
AnswerA

Correct: an ERSPAN source session needs type erspan-source, the source VLAN (or interfaces), and in the destination submode the destination IP address together with an erspan-id and an origin ip address for the GRE encapsulation.

Why this answer

ERSPAN encapsulates mirrored traffic in GRE and sends it over IP. On the source switch, the engineer must configure an ERSPAN source session that specifies the source VLAN and the destination IP address of the monitoring station or the destination switch. The correct answer is to configure 'monitor session 1 type erspan-source' and then specify the source VLAN and the destination IP.

Option B is local SPAN: the copy goes to a local physical port and cannot cross a routed network. Option C is RSPAN, which carries the copy in a dedicated Layer 2 VLAN and likewise cannot be routed. Option D is local SPAN with encapsulation replicate, which preserves the 802.1Q tags on the destination port but is still a local session.

1164
Matchingmedium

Drag and drop each MPLS role on the left to its matching function on the right.

Matches

Forwards MPLS packets by performing label lookup and swapping

Pushes labels on ingress and pops labels on egress

Core router that swaps labels without pushing or popping

Edge router that connects customer sites and runs MPLS VPNs

Customer edge router that connects to the PE

Why these pairings

LSR forwards packets based on labels, LER pushes/pops labels at the edge, P is a core LSR that only swaps labels, PE provides VPN services at the edge, and CE is the customer device connecting to the MPLS network.

1165
MCQmedium

ip vrf RED
 rd 200:1
 route-target export 200:1
 route-target import 200:1
!
interface GigabitEthernet0/1
 ip vrf forwarding RED
 ip address 10.1.1.1 255.255.255.0
!
router bgp 65000
 neighbor 192.168.1.1 remote-as 65000
 neighbor 192.168.1.1 update-source Loopback0
 address-family vpnv4
  neighbor 192.168.1.1 activate
  neighbor 192.168.1.1 send-community extended
!

Which statement about this configuration is true?

A.The configuration is correct for MPLS L3VPN, but the VRF RED must also be configured under BGP with 'address-family ipv4 vrf RED'.
B.The 'send-community extended' command is unnecessary because it is enabled by default.
C.The interface GigabitEthernet0/1 requires 'mpls ip' to forward MPLS packets.
D.The VRF RED will automatically import routes from the VPNv4 address-family without additional configuration.
AnswerA

Correct. The VRF must also be activated under BGP with 'address-family ipv4 vrf RED' before its routes can be exported as VPNv4 prefixes or received VPNv4 routes are used by it.

Why this answer

The BGP configuration includes 'send-community extended' under the VPNv4 address-family, which is required for MPLS L3VPN route exchange because route targets are carried as extended communities (it is not on by default, so B is wrong). VRF RED is defined and bound to GigabitEthernet0/1, but router bgp 65000 has no 'address-family ipv4 vrf RED', so nothing in RED is redistributed or advertised into VPNv4 and the VRF never participates in BGP; the route-target import statement alone (D) does not create that per-VRF BGP context. 'mpls ip' (C) belongs on the core-facing interfaces toward the P routers, not on the customer-facing VRF interface.
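As an added example (not part of the question bank), the following Python script audits a PE configuration for exactly this omission: a VRF that is defined and bound to an interface but never activated under BGP, plus VPNv4 neighbors that are activated without send-community extended. The config text is the exhibit above re-indented the way IOS prints it, with the exit-address-family lines IOS adds; the parser assumes one-space IOS indentation and is a plain-text check, not a Cisco tool.

```python
"""Audit a Cisco IOS MPLS L3VPN PE configuration for VRFs that are defined
and bound to interfaces but never activated under BGP, and for VPNv4
neighbors missing 'send-community extended'.

Added example, not part of the original question. CONFIG is the question's
exhibit re-indented as IOS prints it (one space per nesting level)."""

import re
from collections import defaultdict

CONFIG = """\
ip vrf RED
 rd 200:1
 route-target export 200:1
 route-target import 200:1
!
interface GigabitEthernet0/1
 ip vrf forwarding RED
 ip address 10.1.1.1 255.255.255.0
!
router bgp 65000
 neighbor 192.168.1.1 remote-as 65000
 neighbor 192.168.1.1 update-source Loopback0
 address-family vpnv4
  neighbor 192.168.1.1 activate
  neighbor 192.168.1.1 send-community extended
 exit-address-family
!
"""


def parse_blocks(config):
    """Return [(header, [child lines])] for every top-level block.
    Child lines keep their indentation so nested sections stay visible."""
    blocks, header, children = [], None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            if header is not None:
                blocks.append((header, children))
            header, children = raw.strip(), []
        else:
            children.append(raw)
    if header is not None:
        blocks.append((header, children))
    return blocks


def defined_vrfs(blocks):
    names = set()
    for header, _ in blocks:
        m = re.match(r"(?:ip vrf|vrf definition) (\S+)$", header)
        if m:
            names.add(m.group(1))
    return names


def interface_vrfs(blocks):
    """Map VRF name -> interfaces bound to it with (ip) vrf forwarding."""
    bound = defaultdict(list)
    for header, children in blocks:
        if header.startswith("interface "):
            for line in children:
                m = re.match(r"\s*(?:ip )?vrf forwarding (\S+)", line)
                if m:
                    bound[m.group(1)].append(header.split(" ", 1)[1])
    return bound


def bgp_vrf_afs(blocks):
    """VRFs that have an 'address-family ipv4 vrf X' under router bgp."""
    afs = set()
    for header, children in blocks:
        if header.startswith("router bgp "):
            for line in children:
                m = re.match(r"\s*address-family ipv4 vrf (\S+)", line)
                if m:
                    afs.add(m.group(1))
    return afs


def vpnv4_missing_extcommunity(blocks):
    """Neighbors activated under vpnv4 without 'send-community extended'."""
    activated, extended = set(), set()
    for header, children in blocks:
        if not header.startswith("router bgp "):
            continue
        in_vpnv4 = False
        for line in children:
            text = line.strip()
            if text.startswith("address-family"):
                in_vpnv4 = text == "address-family vpnv4"
            elif text == "exit-address-family":
                in_vpnv4 = False
            elif in_vpnv4:
                m = re.match(r"neighbor (\S+) (activate|send-community extended)", text)
                if m:
                    (activated if m.group(2) == "activate" else extended).add(m.group(1))
    return sorted(activated - extended)


def audit(config):
    """Return human-readable findings; an empty list means the PE is consistent."""
    blocks = parse_blocks(config)
    bound, in_bgp = interface_vrfs(blocks), bgp_vrf_afs(blocks)
    findings = []
    for vrf in sorted(defined_vrfs(blocks)):
        if vrf not in in_bgp:
            ifaces = ", ".join(bound.get(vrf, [])) or "no interfaces"
            findings.append(f"VRF {vrf} ({ifaces}) has no 'address-family ipv4 vrf {vrf}' under BGP")
    for nbr in vpnv4_missing_extcommunity(blocks):
        findings.append(f"vpnv4 neighbor {nbr} lacks 'send-community extended'")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(finding)
```

Run against the exhibit it reports the single finding for VRF RED; add the missing address-family and it reports nothing, which is the state you want before bringing the PE into service.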

1166
MCQeasy

What is the default OSPF hello interval on a broadcast multi-access network (e.g., Ethernet)?

A.10 seconds
B.30 seconds
C.5 seconds
D.40 seconds
AnswerA

Correct. The default hello interval on broadcast networks is 10 seconds.

Why this answer

On a broadcast multi-access network like Ethernet, OSPF defaults to a hello interval of 10 seconds. This is defined in RFC 2328 and is used to quickly detect neighbor failures while keeping control traffic overhead manageable. The corresponding dead interval is 40 seconds (4 times the hello interval).

Exam trap

Cisco often tests the distinction between hello and dead intervals, and candidates confuse the 40-second dead interval with the hello interval, or incorrectly recall the NBMA hello interval of 30 seconds.

How to eliminate wrong answers

Option B is wrong because 30 seconds is the default hello interval for OSPF on non-broadcast multi-access (NBMA) networks, not broadcast multi-access. Option C is wrong because 5 seconds is not a standard OSPF hello interval; it is sometimes used in tuned configurations but is not the default. Option D is wrong because 40 seconds is the default dead interval on broadcast networks, not the hello interval.

1167
MCQmedium

An enterprise is migrating a legacy application from a physical server to a virtual machine on a KVM-based hypervisor. The application requires direct access to a PCIe network interface card for performance reasons. The engineer needs to provide the VM with dedicated hardware access while maintaining isolation from other VMs. Which technology should the engineer use?

A.Use PCI passthrough to assign the NIC directly to the VM.
B.Enable SR-IOV and assign a virtual function to the VM.
C.Configure a paravirtualized network driver (virtio).
D.Attach the VM to a Linux bridge using macvtap.
AnswerA

Correct because PCI passthrough gives the VM exclusive access to the physical NIC.

Why this answer

PCI passthrough (Option A) is correct because it assigns the entire physical PCIe NIC to the VM through VFIO, giving it exclusive hardware access with no hypervisor data-path overhead. Isolation rests on the IOMMU (Intel VT-d or AMD-Vi): it confines the device's DMA to the guest's memory, and VFIO refuses the assignment when the IOMMU is off, so enable it in firmware and on the kernel command line before relying on passthrough for separation between tenants.

Exam trap

Cisco often tests the distinction between PCI passthrough (dedicated, exclusive access) and SR-IOV (shared, but with virtual functions), and the trap here is that candidates may choose SR-IOV thinking it provides 'dedicated' access, when in fact it still involves the PF and is designed for sharing the physical NIC among multiple VMs.

How to eliminate wrong answers

Option B is wrong because SR-IOV gives the VM a virtual function while the physical function stays with the host; the VFs share the NIC's bandwidth, queues and firmware with other VMs, so it is near-native performance but not exclusive access (both passthrough and VF assignment rely on the IOMMU and VFIO for DMA isolation). Option C is wrong because virtio is a paravirtualized software device: the guest driver talks to the hypervisor, not to the PCIe hardware. Option D is wrong because macvtap binds the VM's tap device directly to the physical NIC in software (bridge, VEPA or private mode); frames still pass through the host kernel, so there is no direct hardware access.

1168
Drag & Dropmedium

Drag and drop the steps of creating and applying an Ansible role for network device configuration into the correct order, from first to last.


Why this order

First, define the role structure with defaults, vars, tasks, and handlers. Then, write the tasks in main.yml to configure interfaces. Next, set default variables in defaults/main.yml.

After that, create a playbook that references the role. Finally, execute the playbook against the target inventory.

1169
MCQeasy

A network engineer uses Cisco DNA Center API to retrieve the health of a device. The API call returns:

```json
{
  "response": [
    {
      "deviceId": "1234567890",
      "healthScore": 85,
      "overallHealth": "good",
      "memory": { "used": 4096, "total": 8192, "usage": 50 },
      "cpu": { "usage": 25 }
    }
  ]
}
```

What does the healthScore of 85 indicate?

A.The device is healthy with a score of 85 out of 100.
B.The device is critical and needs immediate attention.
C.The device has 85% memory usage.
D.The device has 85% CPU usage.
AnswerA

The exhibit itself labels the device 'good', and the score is reported on a 0 to 100 scale.

Why this answer

In Cisco DNA Center the health score is reported alongside an overallHealth label; here the label is 'good', so 85 means a healthy device with at most minor issues. The memory block shows 50 percent usage and the cpu block 25 percent, so C and D read the wrong fields. B is wrong because a critical device would carry a low score and a 'poor' label, not 'good'.

1170
Multi-Selectmedium

Which two statements about Rapid PVST+ are true? (Choose two.)

Select 2 answers
A.Rapid PVST+ uses a proposal/agreement handshake to achieve rapid convergence.
B.Rapid PVST+ runs a separate instance of STP for each VLAN.
C.Rapid PVST+ requires the UplinkFast feature to be enabled for fast uplink convergence.
D.In Rapid PVST+, the root bridge is elected based on the lowest MAC address only.
E.Rapid PVST+ supports only two port roles: designated and root.
AnswersA, B

Correct because the proposal/agreement mechanism allows ports to transition to forwarding quickly without relying on timers.

Why this answer

Rapid PVST+ is Cisco's per-VLAN implementation of IEEE 802.1w RSTP. It converges quickly through the proposal/agreement handshake on point-to-point links, and it runs a separate RSTP instance for each VLAN, which allows per-VLAN root placement and load sharing. UplinkFast and BackboneFast are 802.1D-era enhancements whose behaviour is built into RSTP, so they are not needed.

The root bridge is elected based on bridge priority, not MAC address alone. Port roles include alternate and backup, not just designated and root.

1171
Matchingmedium

Drag and drop each LDP message type on the left to its matching function on the right.

Matches

Discovers LDP neighbors on a link

Establishes and negotiates LDP session parameters

Maintains an established LDP session

Advertises label bindings for FECs

Reports errors or advisory information

Why these pairings

Discovery uses Hello messages, Session uses Initialization/Keepalive, Advertisement uses Label Mapping, and Notification signals errors.

1172
Matchingmedium

Drag and drop each NFV component on the left to its matching role on the right.

Matches

Software instance of a network function running on NFVI

Compute, storage, and networking resources that host VNFs

Framework for lifecycle management and orchestration of NFV resources

Abstraction layer that decouples VNF software from underlying hardware

Manages fault, configuration, accounting, performance, and security for a VNF

Why these pairings

VNFs are software implementations of network functions; NFVI provides the compute, storage and network resources that host them; the virtualization layer (hypervisor or container runtime) decouples the VNF software from the hardware; MANO (NFVO, VNFM and VIM) orchestrates and manages the lifecycle; and the EMS handles FCAPS (fault, configuration, accounting, performance, security) for an individual VNF.

1173
Drag & Dropmedium

Drag and drop the steps of DMVPN Phase 3 NHRP registration and spoke-to-spoke tunnel establishment into the correct order, from first to last.


Why this order

In DMVPN Phase 3 each spoke first sends an NHRP Registration to the hub, which stores the spoke's tunnel-to-NBMA address mapping. Spoke-to-spoke traffic initially follows the summary route through the hub; the hub forwards the packet and sends an NHRP Traffic Indication (redirect) back to the source spoke. The source spoke then sends an NHRP Resolution Request, which the hub forwards toward the destination spoke; the destination spoke answers with a Resolution Reply directly to the source spoke, the direct spoke-to-spoke IPsec tunnel comes up, and the shortcut route is installed so traffic bypasses the hub.

1174
MCQeasy

A network engineer runs the following command on Router R1:

R1# show ip access-lists 101
Extended IP access list 101
    10 permit tcp 192.168.1.0 0.0.0.255 any eq 80 (100 matches)
    20 deny tcp any any eq 23 (50 matches)
    30 permit ip any any (200 matches)

Based on this output, what can be concluded?

A.Telnet traffic from 192.168.1.0/24 is permitted.
B.Telnet traffic from any source is denied.
C.HTTP traffic from any source is permitted.
D.All traffic is permitted because of the last entry.
AnswerB

Entry 20 denies TCP port 23 (Telnet) from any source to any destination.

Why this answer

The ACL 101 has three entries. The first permits HTTP traffic from 192.168.1.0/24 to any destination. The second denies Telnet traffic from any source.

The third permits all other IP traffic, and the match counters show that every entry has been hit. Telnet to port 23 from any source is blocked by entry 20, and no earlier entry permits it (entry 10 matches port 80 only). Be aware that option C is literally true as well, because entry 30 permits any remaining HTTP traffic; the item keys on the explicit deny, which is the conclusion the exhibit supports most directly, and D is wrong precisely because entry 20 is evaluated before entry 30. Entries are processed top down and the first match wins, which is why order matters more than the counters.
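To make the first-match and wildcard-mask behaviour concrete, here is an added Python example (not from the question bank) that parses the exhibit above and evaluates constructed packets against it with IOS semantics, including the implicit deny at the end. The PORT_NAMES table and the test packets are assumptions for the demonstration.

```python
"""Evaluate packets against an IOS extended ACL parsed from 'show ip
access-lists' output, applying first-match order and the implicit deny.

Added example, not part of the original question. ACL_OUTPUT is the
question's exhibit; the packets fed to evaluate() are constructed."""

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

ACL_OUTPUT = """\
Extended IP access list 101
    10 permit tcp 192.168.1.0 0.0.0.255 any eq 80 (100 matches)
    20 deny tcp any any eq 23 (50 matches)
    30 permit ip any any (200 matches)
"""

# Service names IOS prints instead of port numbers (assumed subset).
PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22, "domain": 53, "ftp": 21}

ACE_RE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+"   # seq, action, protocol
    r"(any|host \S+|\S+ \S+)\s+"              # source: any | host A | A wildcard
    r"(any|host \S+|\S+ \S+)"                 # destination, same three forms
    r"(?:\s+eq\s+(\S+))?"                     # optional destination port
)


@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]


def parse_acl(text):
    """Return ACEs in the order IOS evaluates them (ascending sequence)."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            seq, action, proto, src, dst, port = m.groups()
            dport = None if port is None else int(PORT_NAMES.get(port, port))
            aces.append(Ace(int(seq), action, proto, src, dst, dport))
    return sorted(aces, key=lambda a: a.seq)


def addr_matches(spec, ip):
    """Apply an IOS wildcard mask: a 1 bit in the mask means 'do not care'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(spec.split()[1]) == ip
    base, wildcard = spec.split()
    base_i = int(ipaddress.ip_address(base))
    wild_i = int(ipaddress.ip_address(wildcard))
    return ((int(ip) ^ base_i) & ~wild_i & 0xFFFFFFFF) == 0


def evaluate(aces, proto, src, dst, dport=None):
    """Return (action, seq) of the first ACE that matches, or ('deny', None)
    for the implicit deny that ends every IOS ACL."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):      # 'ip' matches every protocol
            continue
        if not (addr_matches(ace.src, src_ip) and addr_matches(ace.dst, dst_ip)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.seq
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(ACL_OUTPUT)
    for pkt in [("tcp", "192.168.1.5", "10.0.0.1", 23),
                ("tcp", "192.168.1.5", "10.0.0.1", 80),
                ("tcp", "172.16.0.7", "10.0.0.1", 80),
                ("udp", "172.16.0.7", "10.0.0.1", 53)]:
        print(pkt, "->", evaluate(acl, *pkt))
```

The same evaluator shows why order matters: drop entry 30 and the UDP packet falls through to the implicit deny, while moving a permit for port 23 above sequence 20 would silently re-open Telnet for whatever source it covers.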

1175
Drag & Dropmedium

Drag and drop the steps of PHP (Penultimate Hop Popping) operation into the correct order, from first to last.


Why this order

PHP begins with the egress LSR advertising the implicit-null label (3) upstream for the FEC; the penultimate LSR, holding that binding, pops the top label instead of swapping it and forwards the packet without it; the egress LSR therefore receives a plain IP packet (or only the inner VPN label) and performs a single lookup, sparing it the label lookup it would otherwise do before the IP lookup.

1176
MCQmedium

A network engineer runs the following command on Router R9:

R9# show ip pim neighbor
PIM Neighbor Table
Neighbor Address  Interface             Uptime    Expires   Mode
192.168.1.10      GigabitEthernet0/0    1w2d      00:01:30  Dense
192.168.1.11      GigabitEthernet0/0    2w0d      00:01:25  Sparse
192.168.1.12      GigabitEthernet0/1    3d04h     00:01:28  Sparse

Based on this output, what can be concluded?

A.All PIM neighbors are operating in Sparse mode.
B.Router R9 has three PIM neighbors, one in Dense mode and two in Sparse mode.
C.The PIM neighbor 192.168.1.12 is on the same interface as the others.
D.All PIM neighbors are in the 'Expires' state.
AnswerB

The output lists three neighbors with modes: Dense, Sparse, Sparse.

Why this answer

The Mode column is reported per neighbor: 192.168.1.10 shows Dense while 192.168.1.11 and 192.168.1.12 show Sparse, so A is wrong and B is right. 192.168.1.12 is learned on GigabitEthernet0/1 while the other two are on GigabitEthernet0/0, which rules out C. Expires is the hold-time countdown refreshed by each PIM Hello (105 seconds by default with 30-second Hellos), not a state, so D misreads the column.

1177
Matchingmedium

Drag and drop each wireless roaming method on the left to its matching 802.11 standard on the right.

Matches

802.11r

802.11k

802.11k

802.11v

802.11v

Why these pairings

802.11r enables fast BSS transition (FT) with reduced reauthentication time; 802.11k provides neighbor report and channel information; 802.11v offers network-assisted power saving and BSS transition management.

1178
Drag & Dropmedium

Drag and drop the steps of YANG module import and augmentation resolution into the correct order, from first to last.


Why this order

The correct order begins with importing the base YANG module, then importing the augmentation module, resolving dependencies, applying augmentations to the base schema tree, and finally validating the combined schema.

1179
MCQmedium

A network engineer is deploying a Cisco SD-WAN solution for a global enterprise with multiple regional hubs. The engineer wants to ensure that traffic from branch offices to the internet is always forwarded directly from the branch, even if the branch has a primary MPLS link and a backup broadband link. The engineer configures the vSmart policy to direct internet-bound traffic to use the local exit at the branch. However, after deployment, the engineer notices that some internet traffic is still being sent to the regional hub before reaching the internet. What is the most likely cause of this behavior?

A.The engineer configured the data policy under VPN 0 instead of the service VPN (e.g., VPN 10).
B.The branch router does not have a default route in its routing table for the service VPN.
C.The engineer used a localized data policy instead of a centralized data policy.
D.The OMP route redistribution is not enabled on the branch router.
AnswerA

Correct because VPN 0 is for transport, and internet traffic from the service side must be matched in the service VPN policy to enforce local exit.

Why this answer

Option A is correct because in Cisco SD-WAN, data policies that control traffic forwarding (such as forcing local internet exit) must be applied to the service VPN (e.g., VPN 10) where the branch's LAN and internet-bound traffic resides. Configuring the policy under VPN 0 (the transport VPN) only affects overlay tunnel traffic and control-plane packets, not user traffic. Since the engineer applied the policy to VPN 0, it never matched the internet-bound flows in the service VPN, which therefore followed the default route toward the regional hub. Note that direct internet access at a branch also bypasses the hub's perimeter controls, so the branch must apply its own NAT and security policy (zone-based firewall, URL filtering or a cloud security service) to that local exit.

Exam trap

Cisco often tests the distinction between VPN 0 and service VPNs in SD-WAN policy application, trapping candidates who assume any data policy applied globally will affect all traffic, when in fact the VPN context determines which traffic the policy matches.

How to eliminate wrong answers

Option B is wrong because the branch router does have a default route in the service VPN (likely pointing to the hub via OMP), which is why traffic is being sent to the hub; the issue is that the data policy intended to override that route was misapplied. Option C is wrong because a localized data policy is applied per device and can still influence local forwarding; the core problem is the VPN context, not the policy type. Option D is wrong because OMP route redistribution is not required for internet-bound traffic to be forwarded locally; the branch can have a local default route via DHCP or static, and the data policy is what should redirect traffic to that local exit.

1180
Drag & Dropmedium

Drag and drop the steps of IPsec IKEv2 tunnel establishment into the correct order, from first to last.


Why this order

IKEv2 establishment starts with IKE_SA_INIT to negotiate cryptographic parameters and exchange Diffie-Hellman keys. Next, IKE_AUTH authenticates the peers and establishes the first CHILD_SA. Then, additional CHILD_SAs can be created via CREATE_CHILD_SA.

Finally, the IPsec SA is used to encrypt data traffic.

1181
MCQeasy

An engineer is configuring a site-to-site VPN between two Cisco routers using IPsec with IKEv1. The engineer configures a crypto map on the outside interface. The tunnel establishes, but only traffic from one direction is encrypted. For example, traffic from Router A to Router B is encrypted, but traffic from Router B to Router A is not. The engineer checks the crypto map on Router B and finds that it is not applied to the correct interface. What is the most likely issue?

A.The crypto map is not applied to the outside interface on Router B.
B.The access list on Router B is missing the permit statement for the traffic.
C.The transform set on Router B is different from Router A.
D.The peer address on Router B is configured incorrectly.
AnswerA

Correct because the crypto map must be applied on both sides.

Why this answer

For IPsec to work bidirectionally, the crypto map must be applied to the outside interface on both routers. If it is missing on one side, that router will not encrypt outgoing traffic. Option A is correct because the crypto map is not applied on Router B.

Option B is incorrect because the stem already identifies the missing crypto map, and a crypto ACL problem would show up as traffic not being classified as interesting rather than as a one-way tunnel. Option C is incorrect because a transform-set mismatch prevents Phase 2 from completing at all, so nothing would be encrypted in either direction. Option D is incorrect because a wrong peer address would stop IKE from establishing the tunnel at all, whereas here the tunnel is up and only one direction is protected.

1182
MCQmedium

Refer to the exhibit. A network engineer wants to use Ansible to change the IP address of Loopback100 from 10.1.100.1/24 to 10.1.200.1/24. The playbook uses the ios_config module. The playbook runs successfully, but the IP address remains unchanged. What is the most likely reason?

A.The loopback interface is administratively down
B.The playbook is sending the wrong CLI commands
C.The ios_config module is not configured to replace the existing configuration
D.The SNMP community strings are not configured correctly
AnswerC

With its default line matching, ios_config only adds lines absent from the running config and never removes the conflicting one; make the replacement explicit with replace: block or a before list.

Why this answer

The ios_config module compares the requested lines against the running configuration (match: line by default) and pushes only the lines it considers missing; it does not remove lines that conflict with them. A playbook that simply states the new 'ip address' line therefore reports success whether or not the old address line is gone, and the interface can keep its original address. To change an existing address deliberately, state the intent: use replace: block under the interface's parents so the whole interface stanza is re-sent when any line differs, or put the removal in a before list (before is pushed in global configuration mode, so repeat the interface line there), and run the play with --check first to see exactly which lines would be sent.

Exam trap

Cisco often tests the misconception that the ios_config module is idempotent by default for all configuration changes, when in reality it only ensures the specified lines are present, not that conflicting lines are removed.

How to eliminate wrong answers

Option A is wrong because the administrative state of the interface does not affect the ability to change its IP address; a shutdown interface can still have its configuration modified. Option B is wrong because the playbook runs successfully, indicating the CLI commands sent are syntactically correct and reach the device; the issue is not the commands themselves but how they are applied. Option D is wrong because SNMP community strings are irrelevant to Ansible's ios_config module, which uses SSH (or CLI over Telnet) for configuration changes, not SNMP.
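As an added example (not from the question bank), this playbook shows two ways to make the Loopback100 re-addressing explicit with cisco.ios.ios_config. The inventory group, connection settings and the 10.1.100.1 to 10.1.200.1 change are assumptions for the demonstration.

```yaml
# Added example, not part of the original question. Inventory group,
# credentials and the 10.1.100.1 -> 10.1.200.1 change are assumed.
- name: Change the Loopback100 address explicitly
  hosts: ios_routers
  gather_facts: false
  connection: ansible.netcommon.network_cli
  tasks:
    # Option 1: clear the old address first. 'before' is pushed in global
    # configuration mode ahead of the change, so the interface line is
    # repeated there; it is only sent when 'lines' actually differ.
    - name: Remove the old address, then set the new one
      cisco.ios.ios_config:
        parents: interface Loopback100
        before:
          - interface Loopback100
          - no ip address
        lines:
          - ip address 10.1.200.1 255.255.255.0

    # Option 2: treat the interface as a block and re-send all of it whenever
    # any line differs, so the address line is always applied as a unit.
    - name: Enforce the whole Loopback100 block
      cisco.ios.ios_config:
        parents: interface Loopback100
        lines:
          - description Loopback100 re-addressed by Ansible
          - ip address 10.1.200.1 255.255.255.0
        replace: block
        save_when: modified
```

Run the play with --check first: ios_config supports check mode and reports the lines it would push, which is the quickest way to confirm the removal of the old address is part of the change before anything touches the device.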

1183
Multi-Selecthard

Which three statements about YANG data models are true? (Choose three.)

Select 3 answers
A.YANG is used to model both configuration and operational state data.
B.YANG models can be augmented using the 'augment' statement.
C.YANG defines the transport protocol for data exchange.
D.The 'leaf' statement in YANG defines a list of key-value pairs.
E.YANG uses XML or JSON encoding for data instances.
AnswersA, B, E

Correct because YANG models can include both config true and config false nodes for configuration and state data.

Why this answer

YANG is a data modeling language used to model configuration and state data for network devices. It can define both configuration data (which is writable) and operational state data (which is read-only). YANG models can be augmented using the 'augment' statement to add nodes to an existing model without modifying it.

YANG does not define transport protocols; it is used with protocols like NETCONF and RESTCONF. The 'leaf' statement defines a single, scalar data node, not a list.

1184
MCQhard

A network engineer is deploying a new server farm with multiple servers connected to a Cisco Nexus 9000 switch. Each server is dual-homed to two separate access switches for redundancy. The servers are configured with NIC teaming in active-standby mode. The engineer wants to ensure that if the active link fails, traffic continues without interruption. The access switches are connected to each other via a trunk. Which technology should the engineer implement on the access switches to prevent loops and allow both uplinks to be active?

A.Configure a vPC domain between the two access switches and use a vPC on the server-facing ports.
B.Enable Spanning Tree Protocol (STP) to block one of the links to prevent loops.
C.Configure an EtherChannel between the server and each access switch individually.
D.Implement Virtual Switching System (VSS) on the access switches.
AnswerA

Correct because vPC lets both access switches present themselves as a single LACP partner to the server, so both server links can be active and loop-free.

Why this answer

A is correct because a vPC (Virtual Port Channel) allows the two access switches to appear as one logical device to the server: the server's NIC team is switched to LACP (802.3ad), the two switch ports join the same vPC, and the resulting port-channel is loop-free without STP blocking anything. If a link or an entire switch fails, the surviving member keeps forwarding with no STP reconvergence. The vPC peer link and peer-keepalive link between the access switches must be configured as well; the plain trunk mentioned in the stem becomes the peer link.

Exam trap

Cisco often tests the distinction between vPC (Nexus) and VSS (Catalyst), and candidates may mistakenly choose VSS for Nexus switches, not realizing it is platform-specific.

How to eliminate wrong answers

Option B is wrong because STP would block one of the redundant uplinks to prevent loops, which contradicts the requirement to keep both active, and failover would wait on STP convergence. Option C is wrong because the server would end up with two independent EtherChannels, one per switch; a standard NIC team cannot bundle links that terminate on two separate switches, so the server is back to active-standby and nothing is gained. Option D is wrong because VSS is a Catalyst feature; Nexus 9000 does not support it, and vPC is the Nexus equivalent.

1185
MCQmedium

An engineer is managing a Cisco NFVIS host running multiple virtual network functions (VNFs). The engineer needs to upgrade the NFVIS software to a new version that includes critical security patches. The upgrade process must minimize downtime. Which upgrade method should the engineer use?

A.Use the 'patch install' command to apply the upgrade without rebooting.
B.Use the 'software install add' command to stage the image, then 'activate' and 'commit' with a single reboot.
C.Perform a clean installation of the new NFVIS version and redeploy all VNFs.
D.Migrate all VNFs to another NFVIS host, then upgrade the original host.
AnswerB

Correct because this method stages the upgrade and applies it with one reboot, minimizing downtime.

Why this answer

Option B is correct because the 'software install add' command stages the new NFVIS image, followed by 'activate' and 'commit' with a single reboot, which minimizes downtime by performing the upgrade in a single reboot cycle. This method is the recommended approach for upgrading NFVIS while preserving existing VNF configurations and minimizing service disruption.

Exam trap

Cisco often tests the misconception that NFVIS upgrades can be applied without a reboot, but the correct method always requires a single reboot to activate the new software version.

How to eliminate wrong answers

Option A is wrong because NFVIS does not support a 'patch install' command that applies upgrades without a reboot; security patches typically require a system reboot to load the new kernel and services. Option C is wrong because a clean installation and redeployment of all VNFs would cause maximum downtime and is not the intended upgrade method for minimizing disruption. Option D is wrong because migrating all VNFs to another NFVIS host is a valid disaster recovery or maintenance technique but is not the standard upgrade method for a single host and introduces additional complexity and potential downtime.

1186
MCQmedium

A network engineer runs the following command on Router R9:

R9# show ip ospf interface brief
Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
Gi0/0        1     0               192.168.1.9/24     10    DR    2/2
Gi0/1        1     1               10.0.0.9/24        20    BDR   1/1
Lo0          1     0               9.9.9.9/32         1     LOOP  0/0

Based on this output, what can be concluded?

A.R9 is the Designated Router on the segment connected to Gi0/1.
B.R9 has two fully adjacent neighbors on Gi0/0.
C.The loopback interface Lo0 is advertised as a /24 network.
D.R9 is an Area Border Router.
AnswerB

The Nbrs F/C column shows 2/2, meaning 2 neighbors and 2 full adjacencies.

Why this answer

The output shows that on interface Gi0/0, R9 has a state of DR (Designated Router) and 2 fully adjacent neighbors (Nbrs F/C = 2/2). The '2/2' indicates 2 neighbors in a full state out of 2 total neighbors, meaning both neighbors have completed the OSPF adjacency process. Therefore, R9 has two fully adjacent neighbors on Gi0/0, making option B correct.

Exam trap

Cisco often tests the misinterpretation of the 'Nbrs F/C' field, where candidates confuse the total neighbor count with the number of fully adjacent neighbors, or assume that being in the DR state on one interface implies DR status on all interfaces.

How to eliminate wrong answers

Option A is wrong because on Gi0/1 R9 is in the BDR (Backup Designated Router) state, not DR; the DR on that segment is another router. Option C is wrong because Lo0 carries a /32 and OSPF advertises loopbacks as host routes by default (network type loopback), not as a /24. Option D is the one to handle with care: Gi0/0 and Lo0 are in area 0 and Gi0/1 is in area 1, so R9 does meet the definition of an ABR, and on a Cisco router that is enough for it to originate type 3 summary LSAs. The item keys on the Nbrs F/C column, which B reads directly from the exhibit, and that is the conclusion it expects; in a real network, confirm with show ip ospf, which states 'It is an area border router' explicitly.
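As an added example (not part of the question bank), the following Python script parses the exhibit above and applies the two checks an operator actually wants from this output: which interfaces have neighbors that are not FULL, taking into account that a DROTHER is only expected to be FULL with the DR and BDR, and whether the router's area membership makes it an ABR. The column layout, the DROTH state string and the extra test rows are assumptions based on the IOS output format.

```python
"""Parse 'show ip ospf interface brief' and report adjacency health and
area membership.

Added example, not part of the original question. OUTPUT is the question's
exhibit laid out as IOS prints it; the layout is assumed."""

import re

OUTPUT = """\
Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
Gi0/0        1     0               192.168.1.9/24     10    DR    2/2
Gi0/1        1     1               10.0.0.9/24        20    BDR   1/1
Lo0          1     0               9.9.9.9/32         1     LOOP  0/0
"""

# Nbrs F/C is printed as Full/Count: neighbors in FULL state / neighbors seen.
ROW_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+/\d+)\s+(\d+)\s+(\S+)\s+(\d+)/(\d+)\s*$"
)


def parse_interfaces(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header or blank line
        name, pid, area, addr, cost, state, full, count = m.groups()
        rows.append({"interface": name, "pid": int(pid), "area": area,
                     "address": addr, "cost": int(cost), "state": state,
                     "full": int(full), "neighbors": int(count)})
    return rows


def incomplete_adjacencies(rows):
    """Interfaces where fewer neighbors are FULL than expected. A DR or BDR
    (or a point-to-point link) should be FULL with every neighbor; a DROTHER
    is FULL only with the DR and BDR, so at most two are expected there."""
    bad = []
    for r in rows:
        expected = min(r["neighbors"], 2) if r["state"] == "DROTH" else r["neighbors"]
        if r["full"] < expected:
            bad.append(r["interface"])
    return bad


def areas(rows):
    return {r["area"] for r in rows}


def is_abr(rows):
    """Active interfaces in the backbone and in at least one other area."""
    seen = areas(rows)
    return ("0" in seen or "0.0.0.0" in seen) and len(seen) > 1


def summary(rows):
    return {
        "dr_on": [r["interface"] for r in rows if r["state"] == "DR"],
        "bdr_on": [r["interface"] for r in rows if r["state"] == "BDR"],
        "incomplete": incomplete_adjacencies(rows),
        "abr": is_abr(rows),
    }


if __name__ == "__main__":
    print(summary(parse_interfaces(OUTPUT)))
```

On the exhibit the summary reports no incomplete adjacencies and abr true; change the Gi0/0 row to 1/2 and the interface is flagged, while a DROTHER row reading 2/4 is correctly left alone.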

1187
MCQeasy

A network engineer executes the following command on Router R5:

R5# show ip sla monitor configuration 4
IP SLAs Monitor Configuration
Entry number: 4
Owner:
Tag:
Type of operation to perform: udp-jitter
Target address: 192.168.5.10
Target port: 16384
Source address: 192.168.5.1
Source port: 0
Type Of Service parameter: 0x0
Request size (ARR data portion): 32
Operation timeout (milliseconds): 5000
Frequency (seconds): 60
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday, Starting Time: 00:00:01)
Status of entry (SNMP RowStatus): Active
Threshold (milliseconds): 5000
Distribution Statistics:
Number of statistic hours kept: 2
Number of statistic distribution buckets kept: 1
Statistic distribution interval (milliseconds): 20
Enhanced History:

Based on this output, what type of IP SLA operation is configured?

A.ICMP echo
B.UDP jitter
C.TCP connect
D.HTTP get
AnswerB

The output explicitly states 'udp-jitter'.

Why this answer

The line 'Type of operation to perform: udp-jitter' clearly indicates the operation type is UDP jitter.

1188
MCQhard

A network engineer is configuring an EtherChannel between a Cisco switch and a router. The switch ports are configured as trunk ports with allowed VLANs 10, 20, and 30. The router is configured with subinterfaces for each VLAN. After configuring the EtherChannel, the engineer notices that the router can ping devices in VLAN 10 but not in VLAN 20 or 30. What is the most likely cause?

A.The native VLAN is configured as VLAN 1 on the switch but VLAN 10 on the router.
B.The allowed VLAN list on the switch does not include VLAN 20 and 30.
C.The router subinterfaces are configured with the wrong encapsulation.
D.The EtherChannel is configured with 'lacp system-priority' that is too high.
AnswerA

The keyed answer is the native VLAN mismatch; understand how it actually behaves before accepting it.

Why this answer

The keyed answer is A. Know what a native VLAN mismatch really does: untagged frames from the switch land in the router's VLAN 10 subinterface (if that subinterface is marked native) and untagged frames from the router land in VLAN 1 on the switch, so it affects only the untagged VLAN and leaks traffic between VLAN 1 and VLAN 10; tagged VLANs 20 and 30 are not touched by it. The symptom in the stem, one VLAN working and the others not, is in practice far more often caused by the allowed VLAN list or the subinterface encapsulation: on an EtherChannel the trunk settings on the port-channel interface override the member ports, so check 'show interfaces port-channel 1 trunk' rather than the physical ports (B is dismissed only because the stem states the members allow 10, 20 and 30). Option C would break all three VLANs, and D, the LACP system priority, only influences which side selects the active links in a bundle and has no effect on VLAN forwarding.

1189
MCQ (medium)

Given the following configuration on a Cisco switch:

```
monitor session 1 source interface GigabitEthernet1/0/1 - 3 both
monitor session 1 destination interface GigabitEthernet1/0/4
```

What is the effect of this configuration?

A.Traffic from GigabitEthernet1/0/1, 1/0/2, and 1/0/3 is copied to GigabitEthernet1/0/4.
B.Only traffic from GigabitEthernet1/0/1 is copied to GigabitEthernet1/0/4.
C.Traffic from GigabitEthernet1/0/4 is copied to GigabitEthernet1/0/1, 1/0/2, and 1/0/3.
D.The configuration is invalid because a SPAN session can only have one source interface.
Answer: A

The range syntax allows multiple source interfaces to be monitored to a single destination.

Why this answer

This configures a SPAN session that monitors multiple source interfaces (GigabitEthernet1/0/1 through 1/0/3) and sends their traffic to a single destination interface (GigabitEthernet1/0/4).

1190
MCQ (hard)

A network engineer is designing a model-driven telemetry solution for a large enterprise network with thousands of devices. The engineer wants to minimize the load on the network devices and the collector by sending data only when significant changes occur. The engineer decides to use on-change subscriptions. However, after deployment, the engineer notices that some subscriptions are sending updates too frequently, causing high CPU usage on the devices. What is the most likely reason for this excessive update frequency?

A.The engineer configured a sample-interval in addition to on-change, causing both periodic and on-change updates
B.The YANG paths include high-frequency changing leafs like interface counters or CPU load
C.The collector is overwhelmed and sending back-pressure signals causing retransmissions
D.The engineer used JSON encoding instead of GPB, causing larger payloads and more CPU usage
Answer: B

On-change subscriptions trigger updates for any change in the monitored data, so including frequently changing leafs causes excessive updates.

Why this answer

The correct answer is that the YANG paths used in the subscriptions include leafs that change frequently, such as counters or timestamps, which trigger on-change updates even for minor changes. The other options are incorrect because the sample-interval is not used in on-change subscriptions; the collector load is not the cause; and the encoding format does not affect update frequency.

1191
Drag & Drop (medium)

Drag and drop the steps of Dynamic ARP Inspection (DAI) packet validation into the correct order, from first to last.


Why this order

DAI validates ARP packets by first enabling it on VLANs, then using the DHCP snooping binding table as a source of truth. It checks the sender MAC and IP against the binding table and validates the packet format before forwarding or dropping.

1192
Matching (medium)

Drag and drop each SD-WAN policy type on the left to its matching application point on the right.

App-route policy: Applied to data traffic for SLA-based path selection

cflowd policy: Applied to enable NetFlow-like traffic monitoring

Data policy: Applied to modify forwarding, NAT, or QoS on data packets

Control policy: Applied to OMP routes and TLOCs for route manipulation

VPN membership policy: Applied to define which VPNs are provisioned on a device

Why these pairings

App-route policies are applied to data traffic to influence path selection; cflowd policies enable flow monitoring; data policies control forwarding and NAT; control policies affect routing and TLOC advertisements; VPN membership policies control which VPNs are active on a device.

1193
MCQ (easy)

What is the default OSPF hello interval on an Ethernet link?

A.10 seconds
B.30 seconds
C.40 seconds
D.5 seconds
Answer: A

The default hello interval for OSPF on Ethernet (broadcast) is 10 seconds.

Why this answer

The default OSPF hello interval on an Ethernet link is 10 seconds, as specified in RFC 2328. Ethernet is a broadcast multi-access network type, and OSPF uses a 10-second hello interval on such networks to maintain neighbor adjacencies and detect failures within the dead interval (default 40 seconds, or 4 times the hello interval).

Exam trap

Cisco often tests the confusion between the OSPF hello interval and dead interval, where candidates mistakenly select 40 seconds (the dead interval) instead of 10 seconds (the hello interval) on Ethernet links.

How to eliminate wrong answers

Option B (30 seconds) is wrong because 30 seconds is the default hello interval for OSPF on non-broadcast multi-access (NBMA) networks, such as Frame Relay, not on Ethernet. Option C (40 seconds) is wrong because 40 seconds is the default OSPF dead interval on Ethernet, not the hello interval; candidates often confuse the two. Option D (5 seconds) is wrong because 5 seconds is the default hello interval for OSPF on point-to-point and point-to-multipoint networks, not on Ethernet broadcast multi-access links.

1194
MCQ (hard)

A network engineer is planning to deploy model-driven telemetry in a brownfield network with a mix of Cisco IOS-XE and Nexus devices. The engineer wants to use a single collector that supports both gRPC and UDP-based telemetry. The engineer is concerned about the scalability of the solution, as the network has over 5000 devices. Which design consideration is most important to ensure the telemetry solution scales effectively?

A.Use only periodic subscriptions with long sample intervals to reduce data volume
B.Deploy a hierarchical collector architecture with load balancers to distribute telemetry streams across multiple collectors
C.Configure all devices to use the same YANG model to simplify the collector configuration
D.Use a single transport protocol (gRPC) for all devices to reduce complexity
Answer: B

This design allows horizontal scaling and prevents any single collector from being a bottleneck.

Why this answer

The correct answer is to use a hierarchical collector architecture with load balancers to distribute the telemetry streams. With 5000 devices, a single collector can become overwhelmed, so multiple collectors or a load-balanced cluster is essential. The other options are incorrect because using only periodic subscriptions does not address scalability; using a single YANG model is not practical; and using a single transport protocol is not feasible for a mixed environment.

1195
Matching (medium)

Drag and drop each 802.1X component on the left to its matching role on the right.

Supplicant: Client device requesting network access

Authenticator: Network device that enforces port-based access control

Authentication server: RADIUS server that validates credentials and returns authorization attributes

EAPOL: Protocol used between supplicant and authenticator to carry EAP frames

RADIUS: Protocol used between authenticator and authentication server for AAA

Why these pairings

The supplicant requests access, the authenticator (switch/AP) enforces port control, and the authentication server (RADIUS) validates credentials.

1196
Matching (medium)

Drag and drop each 802.1X component on the left to its matching role on the right.

Supplicant: Client device that initiates authentication

Authenticator: Network device that controls port access

Authentication Server: Server that validates credentials and grants access

EAPOL: Protocol used between Supplicant and Authenticator

RADIUS: Protocol used between Authenticator and Authentication Server

Why these pairings

Supplicant requests access, Authenticator enforces port state, Authentication Server validates credentials.

1197
Drag & Drop (medium)

Drag and drop the steps of TACACS+ command authorization flow into the correct order, from first to last.


Why this order

TACACS+ command authorization starts with the user entering a command, which is sent to the TACACS+ server. The server checks the command against the user's authorization profile and responds with permit or deny. The device executes or blocks the command accordingly, and finally logs the result.

1198
MCQ (easy)

What is the maximum hop count for EIGRP?

A.15
B.255
C.100
D.16
Answer: B

Correct. EIGRP supports up to 255 hops.

Why this answer

EIGRP uses a hop count metric as one of the components in its composite metric. The maximum hop count is 255, which is also the default administrative distance for EIGRP internal routes.

1199
Matching (medium)

Drag and drop each cisco.ios module on the left to its matching purpose on the right.

ios_config: Push configuration commands to Cisco IOS devices

ios_command: Execute show and exec commands on Cisco IOS devices

ios_facts: Collect device facts such as version, interfaces, and serial numbers

ios_vlans: Manage VLAN configuration (create, delete, modify)

ios_l3_interfaces: Configure Layer 3 interface properties like IP address

Why these pairings

ios_config pushes configuration commands, ios_command runs show commands, ios_facts gathers device facts, ios_vlans manages VLANs, and ios_l3_interfaces configures Layer 3 interfaces.

1200
MCQ (medium)

A network engineer writes the following Python script using Netmiko to configure a Cisco IOS-XE device:

```python
from netmiko import ConnectHandler

device = {
    'device_type': 'cisco_ios',
    'ip': '192.168.1.1',
    'username': 'admin',
    'password': 'cisco123',
}

connection = ConnectHandler(**device)
output = connection.send_command('show ip interface brief')
print(output)
connection.disconnect()
```

What is the primary issue with this script?

A.The script will fail because the device_type should be 'cisco_ios_xe' for IOS-XE devices.
B.The script will fail because the send_command method cannot be used for show commands; it requires send_command_timing.
C.The script will fail because the device is not in enable mode, and 'show ip interface brief' may not execute or return restricted output.
D.The script will fail because the password is not encrypted; Netmiko requires an encrypted password.
Answer: C

Without enable mode, the command may be rejected or return limited output. The script should call connection.enable() after connecting.

Why this answer

The script does not enter privileged EXEC mode (enable) before running 'show ip interface brief', which requires privilege level 15. Netmiko's send_command does not automatically enter enable mode unless the device_type expects it, and cisco_ios requires an explicit enable() call or use of the secret parameter.
