ENCOR 350-401 (350-401) — Questions 1426–1500

2015 questions total · 27 pages · All types, answers revealed

Page 20 of 27

1426
MCQ · hard

An engineer creates an Ansible playbook to configure model-driven telemetry on a Cisco IOS-XE device:

```yaml
---
- name: Configure MDT subscription
  hosts: ios_xe
  gather_facts: no
  tasks:
    - name: Configure telemetry receiver
      cisco.ios.ios_config:
        lines:
          - telemetry ietf subscription 101
          - receiver ip address 10.10.10.10 port 57500 protocol grpc-tcp
          - encoding encode-kvgpb
          - filter xpath /interfaces/interface/state/counters
          - update-policy periodic 5000
```

What is the problem with this playbook?

A. The playbook is missing the 'source-address' command under the receiver.
B. The 'encoding encode-kvgpb' should be 'encoding encode-json'.
C. The 'update-policy periodic 5000' should be 'update-policy periodic 5000 milliseconds'.
D. The 'filter xpath' path is invalid for IOS-XE.
Answer: A

The receiver must include a source-address to specify the IP address from which telemetry data is sent.

Why this answer

The telemetry subscription configuration is missing the 'source-address' command under the receiver. Without specifying a source IP, the device may not send telemetry data if the management interface is not the correct source. Additionally, the 'update-policy periodic 5000' command belongs under the subscription, not under the receiver.

However, the most critical issue is that the 'telemetry ietf subscription' configuration requires a 'source-address' to specify the source IP for the telemetry stream.

1427
Multi-Select · hard

Which three statements about Ansible playbooks are true? (Choose three.)

Select 3 answers
A. A playbook must contain at least one play, and each play must specify a 'hosts' key.
B. Playbooks are written in YAML format and can include variables, conditionals, and loops.
C. The 'tasks' section of a play can include both module calls and role inclusions.
D. A playbook can only contain a single play.
E. Playbooks must be executed with the 'ansible' command, not 'ansible-playbook'.
Answers: A, B, C

Correct because a playbook is composed of one or more plays, and each play requires the 'hosts' directive to define the target group.

Why this answer

Playbooks are YAML files containing plays, each mapped to a host group. They support variables, conditionals, and loops. The 'hosts' key defines target groups, and 'tasks' lists modules to execute.

Playbooks can include other playbooks or roles.

1428
MCQ · medium

A network engineer runs the following command on a Cisco WLC:

```
WLC# show ap inventory all
AP Inventory Information
-----------------------
AP Name: AP-1
Base MAC: aabb.cc00.0100
Model: AIR-CAP3702I-A-K9
Software: 8.5.151.0

AP Name: AP-2
Base MAC: aabb.cc00.0200
Model: AIR-AP2802I-B-K9
Software: 8.5.151.0

AP Name: AP-3
Base MAC: aabb.cc00.0300
Model: AIR-AP3802I-A-K9
Software: 8.5.151.0
```

Based on this output, what can be concluded?

A. All APs are running the same software version and are compatible with the WLC.
B. AP-1 is a lightweight AP and AP-2 and AP-3 are autonomous APs.
C. AP-3 has a hardware failure because its model is different.
D. The WLC is running a software version that only supports AP-2 and AP-3.
Answer: A

The output shows all APs have the same software version 8.5.151.0, indicating compatibility.

Why this answer

The show ap inventory all command displays the model and software version of each AP. The output shows three APs with different models but the same software version. The key point is that the CAP3702I is a legacy AP that requires a specific software version, while the 2800 and 3800 series are newer.

The output indicates all APs are running the same software, which is compatible with the WLC version.

1429
MCQ · hard

A network engineer is configuring a DMVPN Phase 3 network. The hub router is a Cisco 4500X and the spokes are Cisco 4321s. The engineer wants to enable spoke-to-spoke direct communication. After configuration, the spokes can communicate via the hub, but not directly. The engineer checks the NHRP cache on a spoke and sees that it has a mapping for the other spoke's tunnel IP to the hub's physical IP. What is the most likely cause?

A. The NHRP network ID is mismatched between the spokes.
B. The routing protocol is not redistributing spoke routes.
C. The hub is not configured with NHRP redirect.
D. The spokes are using GRE instead of mGRE.
Answer: C

Correct because NHRP redirect is required for Phase 3 spoke-to-spoke shortcuts.

Why this answer

In DMVPN Phase 3, spokes must use NHRP redirect and shortcut routes to enable direct spoke-to-spoke communication. If the hub is not configured with the NHRP redirect feature, the spokes will not receive the redirect messages, and traffic will continue to go through the hub. Option C is correct because the hub must have NHRP redirect enabled.

Option A is incorrect because the spokes are registered. Option B is incorrect because the routing protocol is working. Option D is incorrect because the tunnel mode is correct.

1430
MCQ · medium

A network engineer issues the following command on Router R3:

```
R3# show ip bgp summary
BGP router identifier 10.0.0.3, local AS number 65003
BGP table version is 12345, main routing table version 12345

Neighbor        V    AS MsgRcvd MsgSent  TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.1.1     4 65001   12345   12345   12345    0    0 1w2d     150
192.168.1.2     4 65002   12345   12345   12345    0    0 2w0d     200
```

Based on this output, what can be concluded?

A. Both BGP neighbors are in the 'Idle' state.
B. Router R3 has received a total of 350 prefixes from its BGP neighbors.
C. The BGP session with 192.168.1.1 is down.
D. Router R3 is in AS 65001.
Answer: B

150 + 200 = 350 prefixes received.

Why this answer

The BGP summary shows two neighbors, both in established state with prefixes received. The number of prefixes received (150 and 200) indicates the BGP table size.

1431
MCQ · medium

A network engineer is troubleshooting a connectivity issue between two switches, SW1 and SW2, connected via a trunk link. SW1 is a Cisco Catalyst 3850 running IOS-XE, and SW2 is a Cisco Catalyst 2960 running IOS. The trunk is configured as a dynamic desirable mode on SW1 and dynamic auto on SW2. The engineer notices that the trunk is not forming. What is the most likely cause?

A. The native VLAN is different on SW1 and SW2.
B. SW2 does not support DTP.
C. The trunk encapsulation is set to ISL on SW1.
D. VLAN 1 is not allowed on the trunk.
Answer: A

Correct because a native VLAN mismatch can cause DTP frames to be dropped, preventing trunk negotiation.

Why this answer

Option A is correct because when DTP modes are dynamic desirable (SW1) and dynamic auto (SW2), the trunk should form successfully if both switches support DTP and the encapsulation matches. However, if the native VLAN is mismatched, the trunk will not form because Cisco switches use DTP frames to negotiate trunking, and a native VLAN mismatch causes DTP to fail, preventing the trunk from coming up. This is a common issue that overrides the DTP negotiation.

Exam trap

Cisco often tests the misconception that DTP modes alone guarantee trunk formation, but the trap here is that a native VLAN mismatch silently breaks DTP negotiation, overriding the dynamic desirable/auto combination.

How to eliminate wrong answers

Option B is wrong because the Cisco Catalyst 2960 running IOS does support DTP; it is a common access-layer switch that supports dynamic auto and dynamic desirable modes. Option C is wrong because the Cisco Catalyst 3850 running IOS-XE only supports 802.1Q encapsulation and cannot be configured with ISL; if ISL were set, the switch would reject it or default to 802.1Q, but this would not prevent trunk formation with a 2960 that also supports 802.1Q. Option D is wrong because VLAN 1 is allowed on the trunk by default, and even if it were removed, the trunk would still form (though traffic for VLAN 1 would be blocked); the issue here is trunk negotiation failure, not traffic filtering.

1432
Matching · medium

Drag and drop each DHCP option on the left to its matching purpose on the right.

Carries vendor-specific suboptions for device provisioning

Identifies the vendor class of the DHCP client

Adds relay agent information (e.g., circuit ID, remote ID)

Provides TFTP server IP address for IP phones

Supplies a single TFTP server hostname or IP address

Why these pairings

Option 43 provides vendor-specific info (e.g., for APs). Option 60 identifies the vendor class. Option 82 is the relay agent information option.

Option 150 gives TFTP server address for phones. Option 66 provides a single TFTP server hostname.

1433
Drag & Drop · medium

Drag and drop the steps of DNA Center assurance issue detection and root cause analysis into the correct order, from first to last.

Why this order

Assurance starts with collecting telemetry, detecting an anomaly, raising an issue, correlating data for root cause, and then recommending a remediation action.

1434
MCQ · medium

A network team uses Ansible Tower to manage configuration backups of 500 Cisco IOS routers. They have a playbook that uses the ios_config module with the 'backup: yes' option. Recently, backups started failing for a subset of routers, with errors like 'backup destination path does not exist'. The playbook uses a variable 'backup_dir' set in the Tower job template. What is the most likely cause of these failures?

A. The routers have insufficient storage space to save the backup locally.
B. The 'backup_dir' variable is not defined for those specific routers in their host_vars or group_vars, causing the playbook to use an undefined path.
C. The ios_config module requires the 'backup_options' sub-option to specify the directory, and the playbook is using the deprecated 'backup' parameter.
D. The routers are not reachable via SSH during the backup window.
Answer: B

If the variable is overridden or missing for certain hosts, the backup path may be invalid, leading to the error.

Why this answer

The backup option in ios_config saves the backup file to a local directory on the Ansible control node. If the directory specified by 'backup_dir' does not exist on the control node, the module will fail. Since the error is specific to a subset of routers, it is likely that the variable is not being resolved correctly for those routers, possibly due to host_vars or group_vars overriding the job template variable.

1435
MCQ · hard

An Ansible playbook uses the cisco.nxos.nxos_config module to configure a Nexus switch:

```yaml
---
- hosts: nxos_switches
  gather_facts: no
  connection: network_cli
  tasks:
    - name: Configure VLAN
      cisco.nxos.nxos_config:
        lines:
          - vlan 100
          - name Test_VLAN
        parents: vlan 100
```

What will be the result of this playbook?

A. The playbook will successfully create VLAN 100 and set its name to Test_VLAN.
B. The playbook will fail because the 'parents' parameter cannot be the same as the lines.
C. The playbook will fail because 'cisco.nxos.nxos_config' does not support VLAN configuration.
D. The playbook will work but only if the Nexus switch runs NX-OS 7.0 or later.
Answer: B

Using 'parents: vlan 100' when the lines also start with 'vlan 100' creates a conflict; the module may not apply the configuration correctly.

Why this answer

The playbook attempts to configure VLAN 100 with a name. However, the 'parents' parameter is incorrectly set to 'vlan 100', which is the same as the lines being configured. This can cause idempotency issues or errors because the module may try to enter the same configuration mode again.

The correct answer identifies this logical error.

1436
MCQ · medium

Given this configuration:

```
interface GigabitEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 ip pim sparse-mode
!
interface GigabitEthernet0/1
 ip address 172.16.2.1 255.255.255.0
 ip pim sparse-mode
!
ip pim rp-address 172.16.1.1
```

What is the effect of this configuration?

A. The router uses 172.16.1.1 as the RP for all multicast groups, and PIM sparse-mode is enabled on both interfaces.
B. The router will automatically elect an RP using BSR because no RP is configured.
C. PIM dense-mode is used because sparse-mode is not fully configured.
D. The configuration is invalid because the RP address must be a loopback interface.
Answer: A

The 'ip pim rp-address' command statically assigns the RP, and sparse-mode is enabled on the interfaces.

Why this answer

The configuration statically assigns 172.16.1.1 as the RP for all multicast groups using the 'ip pim rp-address' command, and both interfaces are explicitly configured with 'ip pim sparse-mode'. This ensures that PIM sparse-mode is operational on the interfaces and that the router uses the specified RP for group-to-RP mapping, making option A correct.

Exam trap

Cisco often tests the misconception that the RP must be a loopback interface for stability, but the command accepts any reachable IP address, including a physical interface, as long as it is configured with 'ip pim sparse-mode' or 'ip pim sparse-dense-mode'.

How to eliminate wrong answers

Option B is wrong because an RP is explicitly configured with 'ip pim rp-address 172.16.1.1', so the router will not use BSR for automatic RP election. Option C is wrong because PIM sparse-mode is fully configured on both interfaces and an RP is defined; PIM dense-mode is not used. Option D is wrong because the RP address does not need to be a loopback interface; it can be any IP address reachable by the router, including a physical interface address like 172.16.1.1.

1437
Drag & Drop · medium

Drag and drop the steps of Cisco TrustSec inline tagging across fabric into the correct order, from first to last.

Why this order

Inline tagging embeds SGT in the Ethernet frame header; the ingress switch classifies the endpoint, adds the SGT tag, forwards the frame across the fabric, and the egress switch enforces policy based on the tag.

1438
Matching · medium

Drag and drop each DHCP message on the left to its correct order in the DORA process on the right.

Client broadcasts to find DHCP servers

Server offers an IP address to the client

Client requests the offered IP address

Server acknowledges and assigns the IP address

Server denies the client's request

Why these pairings

The DORA process is Discover, Offer, Request, Acknowledge.

1439
Matching · medium

Drag and drop each IP SLA reaction on the left to its action on the right.

Generates a log message

Sends an SNMP trap

Starts another IP SLA operation or event

Enables reaction to threshold violations

Specifies the type of reaction action

Why these pairings

Syslog generates a log message; SNMP trap sends an SNMP trap; trigger starts another IP SLA operation or event.

1440
MCQ · medium

Examine the following configuration snippet:

```
interface GigabitEthernet0/1
 ip flow monitor FLOW-MONITOR input
 ip flow monitor FLOW-MONITOR output
!
flow monitor FLOW-MONITOR
 exporter EXPORTER-1
 record netflow ipv4 original-input
!
flow exporter EXPORTER-1
 destination 192.168.1.100
 transport udp 2055
!
```

What is the effect of this configuration?

A. NetFlow v9 records are sent to the collector at 192.168.1.100 on UDP port 2055.
B. NetFlow v5 records are sent to the collector at 192.168.1.100 on UDP port 2055.
C. IPFIX records are sent to the collector at 192.168.1.100 on UDP port 2055.
D. The configuration is missing the 'ip flow-export source' command to specify the source interface.
Answer: A

The flow monitor uses the exporter to send NetFlow v9 records (default) to the specified collector.

Why this answer

This configuration enables NetFlow on an interface using a flow monitor that references a flow exporter. The record type 'netflow ipv4 original-input' is valid for collecting IPv4 flow data. The exporter sends UDP packets to the collector at 192.168.1.100 on port 2055.

1441
MCQ · medium

Examine the following SD-WAN policy configuration on a Cisco vSmart controller:

```
policy
 control-policy CONTROL_POLICY
  sequence 10
   match route
    prefix-list PL_10
   action accept
    set community 100:10
 !
 prefix-list PL_10
  sequence 10
   match ip-address 10.0.0.0/24
 !
```

What is the effect of this control policy?

A. The policy matches routes with prefix 10.0.0.0/24 and sets the community value 100:10 on those routes before advertising them via OMP.
B. The policy matches routes with prefix 10.0.0.0/24 and sets the community 100:10 on the local router's routing table.
C. The policy denies all routes except 10.0.0.0/24 and sets community 100:10.
D. The policy is invalid because prefix-list names cannot contain underscores.
Answer: A

This correctly describes the effect: the control policy matches the prefix and sets the community on accepted routes.

Why this answer

This control policy matches OMP routes that have the prefix 10.0.0.0/24 (as defined by the prefix-list PL_10) and, upon a match, sets the community value 100:10 on those routes. The action 'accept' means the route is permitted and the 'set community' modifies the route's attributes before it is advertised via OMP to other vSmart or vEdge devices. This is a standard SD-WAN control policy operation for manipulating route attributes within the overlay.

Exam trap

Cisco often tests the distinction between OMP route manipulation and local RIB changes, leading candidates to incorrectly assume that 'set community' modifies the local routing table instead of the OMP advertisement.

How to eliminate wrong answers

Option B is wrong because the 'set community' action in a control policy on the vSmart applies to the OMP route advertisement, not to the local router's routing table (RIB); the local RIB is unaffected by control policies. Option C is wrong because the policy does not contain a 'deny' action or a default action to deny all other routes; it only defines a match and accept for 10.0.0.0/24, meaning routes not matching the prefix-list are implicitly denied (since there is no default action), but the policy does not explicitly deny all routes and does not set community on non-matching routes. Option D is wrong because prefix-list names can contain underscores; the configuration is syntactically valid in Cisco SD-WAN.

1442
Drag & Drop · medium

Drag and drop the steps of DHCP failover configuration between primary and standby into the correct order, from first to last.

Why this order

DHCP failover requires both servers to be configured with the same scope and failover parameters. First, configure the primary server with the failover peer name and IP address of the standby. Then, configure the standby server with the same peer name and the primary's IP.

Enable the failover on the primary, which starts the negotiation. The standby then enters partner-down state until it synchronizes. Finally, both servers become active and share lease information.

1443
Drag & Drop · medium

Drag and drop the steps of the QoS shaping and policing configuration sequence into the correct order, from first to last.

Why this order

Shaping and policing require first defining traffic classes, then configuring the shaping/policing actions in a policy map, applying the policy to an interface, and finally adjusting parameters based on monitoring. This order ensures proper traffic control.

1444
Multi-Select · easy

Which two statements about BGP neighbor states are true? (Choose two.)

Select 2 answers
A. In the Idle state, BGP is waiting for a start event before initiating a TCP connection.
B. In the Active state, BGP is actively trying to establish a TCP connection with the neighbor.
C. In the Established state, BGP has sent an OPEN message but has not yet received an OPEN message from the peer.
D. In the OpenSent state, BGP is waiting for the TCP connection to complete.
E. In the Connect state, BGP is actively trying to establish a TCP connection.
Answers: A, B

Correct: Idle is the initial state; BGP does not initiate a TCP connection until a start event (e.g., neighbor configuration) occurs.

Why this answer

The BGP neighbor state machine includes Idle, Connect, Active, OpenSent, OpenConfirm, and Established. In the Idle state, BGP does not initiate any connection and may be waiting for a start event. In the Active state, BGP is actively trying to establish a TCP connection.

In the Established state, BGP has successfully formed a peering session and is exchanging routing updates. The OpenSent state is when BGP has sent an OPEN message and is waiting for an OPEN message from the peer. The Connect state is when BGP is waiting for the TCP connection to complete.

1445
Multi-Select · medium

Which two statements about VRF configuration in Cisco IOS-XE are true? (Choose two.)

Select 2 answers
A. A VRF instance maintains its own routing table, CEF table, and forwarding table.
B. VRF can be used with OSPF by configuring the OSPF process under the VRF context.
C. VRF requires MPLS to be enabled on the router.
D. A VRF is automatically associated with all VLANs on a switch.
E. VRF is a Layer 2 isolation mechanism.
Answers: A, B

Correct because each VRF has independent forwarding and routing tables.

Why this answer

Correct: VRF instances use separate routing tables and can be used with OSPF. Incorrect: VRFs do not require MPLS; VLANs are not automatically associated; VRF-lite does not support MPLS; VRF is not a Layer 2 concept.

1446
Multi-Select · medium

Which two statements about IGMP snooping are true? (Choose two.)

Select 2 answers
A. IGMP snooping reduces unnecessary multicast flooding on a Layer 2 switch.
B. IGMP snooping uses the IGMP querier election process to select the switch with the highest IP address as the querier.
C. IGMP snooping can be configured to replace IGMP on the router interface.
D. IGMP snooping listens to IGMP membership reports and leave messages to build a forwarding table.
E. IGMP snooping modifies the IP header of multicast packets to include group membership information.
Answers: A, D

Correct because IGMP snooping allows the switch to forward multicast frames only to ports that have joined the group, reducing flooding.

Why this answer

IGMP snooping operates on Layer 2 switches to constrain multicast traffic to only those ports that have interested receivers. It listens to IGMP messages between hosts and routers to build a forwarding table. It does not replace IGMP; it is complementary.

The querier is elected based on the lowest IP address, not the highest. IGMP snooping does not modify IP multicast headers.

1447
Matching · medium

Drag and drop each LDP message type on the left to its matching function on the right.

Discovers LDP neighbors on a link

Establishes an LDP session between peers

Maintains the LDP session and detects failures

Advertises interface addresses to LDP peers

Distributes label bindings for FECs

Why these pairings

Hello discovers neighbors, Initialization sets up the session, Keepalive maintains it, Address advertises interface addresses, and Label Mapping distributes label bindings.

1448
MCQ · hard

An engineer is troubleshooting a BGP routing issue. The router is not receiving routes from an eBGP neighbor. The neighbor is reachable via ping. The BGP session is established and in the Established state. What is the most likely cause?

A. The AS number is incorrect.
B. The BGP session is using an incorrect interface.
C. The network is not advertised under BGP.
D. The next-hop IP address is not reachable.
Answer: D

eBGP routes require reachable next-hop to be installed.

Why this answer

The BGP session is established, which confirms that the TCP connection and BGP open messages have been successfully exchanged. However, routes are not being received. The most common cause in this scenario is that the next-hop IP address for the advertised routes is not reachable via the router's routing table. eBGP by default sets the next-hop to the IP address of the neighbor's interface, and if that address is not reachable (e.g., missing route, incorrect static route, or interface down), the router will not install the routes into the BGP table or the routing table.

Exam trap

Cisco often tests the distinction between a BGP session being Established (Layer 4 connectivity) and the actual route installation (Layer 3 reachability), leading candidates to overlook the next-hop reachability requirement.

How to eliminate wrong answers

Option A is wrong because an incorrect AS number would prevent the BGP session from reaching the Established state; the session would remain in the Active or Idle state due to AS mismatch. Option B is wrong because using an incorrect interface would affect the TCP connection or reachability, but the session is already Established, indicating the interface is functional for BGP peering. Option C is wrong because the question states the router is not receiving routes from the eBGP neighbor; the network not being advertised under BGP on the local router would affect sending routes, not receiving them, and the neighbor's advertisement is independent of the local router's network statements.

1449
MCQ · easy

What is the default OSPF hello interval on an Ethernet link?

A. 10 seconds
B. 30 seconds
C. 40 seconds
D. 5 seconds
Answer: A

Correct. Default hello interval for Ethernet is 10 seconds.

Why this answer

The default OSPF hello interval on an Ethernet link is 10 seconds, as defined in RFC 2328. OSPF uses this interval to maintain neighbor adjacency and detect link failures; on broadcast multi-access networks like Ethernet, the default is 10 seconds, while on non-broadcast multi-access (NBMA) networks it is 30 seconds.

Exam trap

Cisco often tests the distinction between OSPF network types, where candidates confuse the default hello interval for Ethernet (10 seconds) with that of NBMA (30 seconds) or point-to-point (10 seconds on Cisco, but 5 seconds on some other vendors).

How to eliminate wrong answers

Option B (30 seconds) is wrong because 30 seconds is the default OSPF hello interval on NBMA networks (e.g., Frame Relay), not on Ethernet. Option C (40 seconds) is wrong because 40 seconds is not a standard OSPF hello interval; it may be confused with the dead interval multiplier (default 4× hello) but not the hello itself. Option D (5 seconds) is wrong because 5 seconds is the default OSPF hello interval on point-to-point links in some implementations (e.g., Cisco) but not on Ethernet; Ethernet defaults to 10 seconds.

1450
MCQ · medium

Consider this configuration:

```
interface Port-channel1
 switchport mode trunk
 switchport trunk native vlan 999
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 999
 channel-group 1 mode active
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 999
 channel-group 1 mode active
```

What is the effect of the 'switchport trunk native vlan 999' command on the EtherChannel?

A. The EtherChannel will drop all untagged frames because the native VLAN is not in the allowed list.
B. The EtherChannel will use VLAN 999 as the native VLAN, and any untagged frames will be associated with VLAN 999.
C. The EtherChannel will not form because the native VLAN must be the same across all interfaces, which it is.
D. The EtherChannel will form but the native VLAN will be ignored on the port-channel.
Answer: B

Correct. The native VLAN is set to 999, so untagged frames are placed in that VLAN.

Why this answer

The native VLAN is used for untagged traffic on a trunk. Setting it to 999 (an unused VLAN) helps prevent VLAN hopping attacks and ensures that any untagged frames are dropped. The configuration is consistent across all member interfaces and the port-channel, so the channel will form.

1451
MCQ · easy

A network engineer is automating the collection of syslog messages from a Cisco ASA firewall using a Python script that connects via SSH and runs 'show log'. The script uses the paramiko library. The script works for a few minutes, but then the SSH connection drops with an error 'Server connection dropped'. The engineer suspects that the ASA is closing the connection due to inactivity. What is the best way to keep the connection alive?

A. Increase the buffer size in the paramiko SSH client.
B. Run a dummy command like 'show clock' every 30 seconds to keep the session active.
C. Set the 'keepalive' parameter in the paramiko Transport object to send keepalive packets every 30 seconds.
D. Use the netmiko library instead, which automatically handles keepalives.
Answer: C

Correct because keepalive packets prevent the firewall from closing the idle connection.

Why this answer

The correct answer is to enable keepalive packets in the SSH transport. Option A is incorrect because increasing the buffer size does not prevent disconnection. Option B is incorrect because running a command repeatedly may not be efficient and could interfere with the log collection.

Option D is incorrect because using a different library does not automatically solve the keepalive issue.

1452
MCQ · medium

A network engineer is troubleshooting an issue where SSH access to a Cisco router from a specific management subnet (10.10.10.0/24) is intermittently failing. The router has a CoPP policy applied to the control plane. The engineer checks the CoPP statistics and sees that packets from the management subnet are being dropped by the control-plane service-policy. Which configuration change should the engineer make to allow SSH from the management subnet while still protecting the control plane?

A. Modify the CoPP ACL to include a permit statement for TCP port 22 from 10.10.10.0/24 before the deny statement.
B. Remove the deny statement from the CoPP ACL to allow all traffic.
C. Increase the police rate for the CoPP class that matches SSH traffic.
D. Remove the CoPP policy from the control plane and rely on interface ACLs.
Answer: A

Correct because this allows SSH traffic from the management subnet to be classified and permitted by the CoPP policy, preventing drops.

Why this answer

The correct answer adds an ACL entry to permit SSH from the management subnet before the deny statement, ensuring that SSH traffic is matched by the CoPP policy and not dropped. Option B is incorrect because removing the deny statement would leave the control plane unprotected. Option C is incorrect because increasing the police rate might not resolve the issue if the traffic is being dropped by an ACL deny.

Option D is incorrect because removing the CoPP policy entirely removes all protection.

1453
MCQ · hard

A service provider wants to deploy a virtualized firewall as a VNF in a service chain. The VNF must be inserted transparently into the traffic path without requiring changes to the existing IP addressing. Which service chaining method should the architect choose?

A. Use static routing to point traffic to the VNF.
B. Implement policy-based routing (PBR) to redirect traffic to the VNF.
C. Deploy the VNF in inline mode with proxy ARP.
D. Use VRF-lite to separate traffic and route through the VNF.
Answer: B

PBR allows traffic to be redirected based on policies without changing IP addressing.

Why this answer

Policy-based routing (PBR) allows the architect to redirect traffic to the VNF based on match criteria such as source/destination IP or protocol, without altering the existing IP addressing scheme. This enables transparent insertion of the VNF into the service chain, as PBR overrides the routing table for selected traffic and forwards it to the virtualized firewall, while the original IP headers remain unchanged.

Exam trap

Cisco often tests the misconception that inline mode with proxy ARP is the simplest transparent insertion method, but candidates overlook that proxy ARP modifies Layer 2 behavior and can break transparency, whereas PBR operates at Layer 3 without altering IP addressing.

How to eliminate wrong answers

Option A is wrong because static routing requires modifying the routing table to point traffic to the VNF, which changes the next-hop behavior and may disrupt existing IP addressing or routing policies. Option C is wrong because deploying the VNF in inline mode with proxy ARP would require the VNF to respond to ARP requests on behalf of other devices, altering the Layer 2 topology and potentially causing IP address conflicts or transparency issues. Option D is wrong because VRF-lite separates traffic into different routing tables, but it does not inherently redirect traffic through the VNF without additional routing changes, and it adds complexity without achieving transparent insertion.

1454
Drag & Drop · medium

Drag and drop the steps of LACP active/passive mode negotiation into the correct order, from first to last.

Why this order

LACP negotiation starts with active ports sending LACPDUs, passive ports listening, then exchanging system/port priorities, selecting aggregator, and finally forming the bundle.

1455
Matching · medium

Drag and drop each DNA Center ISE integration component on the left to its matching role on the right.

Matches

Shares context and session data between DNA Center and ISE

Enforces security group tags (SGTs) for micro-segmentation

Provides authentication, authorization, and accounting for network access

Manages guest user portal, sponsor workflows, and captive portal

Identifies endpoint device type and attributes for policy enforcement

Why these pairings

ISE integration: pxGrid shares context; TrustSec enforces SGTs; RADIUS provides AAA; Guest services manage guest access; Profiling identifies endpoint types.

1456
Matching · medium

Drag and drop each Ansible task return value on the left to its matching meaning on the right.

Matches

The task made a modification to the managed node

The task executed successfully with no changes

The task encountered an error and did not complete

The task was not executed because a condition was not met

The managed node could not be contacted via the connection

Why these pairings

changed means the task modified the system; ok means the task ran without changes; failed means the task encountered an error; skipped means the task was not executed due to a condition; unreachable means the host could not be contacted.

1457
Drag & Drop · medium

Drag and drop the steps of OMP route advertisement between vSmart and vEdge into the correct order, from first to last.

Why this order

OMP route advertisement begins with the vEdge learning a local route, then advertising it via OMP to vSmart, vSmart processes the route and may apply policies, then vSmart advertises the route to other vEdges, and finally the receiving vEdge installs the route into its forwarding table.

1458
MCQ · medium

What is the maximum hop count for EIGRP?

A. 255
B. 100
C. 15
D. 16
Answer: A

Correct. EIGRP supports up to 255 hops.

Why this answer

EIGRP uses a metric based on bandwidth and delay, but it also has a hop count limit. The maximum hop count for EIGRP is 255, though the default is 100.

1459
MCQ · hard

A network engineer runs the following command on Router R1:

```
R1# show ip pim neighbor
PIM Neighbor Table
Neighbor Address  Interface           Uptime    Expires   Mode
10.0.0.2          GigabitEthernet0/0  00:10:00  00:01:30  Dense
10.0.0.3          GigabitEthernet0/1  00:20:00  00:01:20  Sparse
```

Based on this output, what can be concluded?

A. All PIM neighbors are operating in sparse mode
B. The router is configured with mixed PIM modes on different interfaces
C. The router is using PIM version 2 exclusively
D. The neighbor 10.0.0.3 is not a valid PIM neighbor
Answer: B

One neighbor is Dense and the other is Sparse, indicating the router has interfaces in different PIM modes.

Why this answer

The output shows PIM neighbors. One neighbor (10.0.0.2) is in Dense mode, and the other (10.0.0.3) is in Sparse mode. This indicates that the router has interfaces operating in different PIM modes.

The correct answer is that the router is configured with mixed PIM modes on different interfaces.

1460
MCQ · hard

A network administrator is troubleshooting an issue where OSPF routes are not being learned from a neighbor. The administrator checks the OSPF configuration and sees that both routers are in the same area. The neighbor state is stuck in EXSTART. What is the most likely cause?

A. The router ID is the same on both routers.
B. The area ID is different.
C. The hello timer is set to 30 seconds on one router.
D. The interface MTU does not match.
Answer: D

MTU mismatch causes EXSTART state.

Why this answer

When OSPF neighbors are stuck in the EXSTART state, it typically indicates a problem with the Database Description (DBD) packet exchange process. The most common cause is an MTU mismatch between the interfaces, because OSPF will not proceed to the Exchange state if the DBD packet is larger than the interface MTU and gets silently dropped. This prevents the routers from agreeing on the master/slave relationship and exchanging link-state information.

Exam trap

The trap here is that candidates often confuse the EXSTART state with issues like hello/dead timer mismatches or area mismatches, which actually prevent the adjacency from reaching the 2-WAY state, not the EXSTART state.

How to eliminate wrong answers

Option A is wrong because duplicate router IDs would cause a neighbor state of DOWN or a conflict that prevents adjacency formation entirely, not a state stuck in EXSTART. Option B is wrong because if the area ID were different, the routers would not even reach the 2-WAY state, let alone EXSTART; they would remain in INIT or DOWN. Option C is wrong because mismatched hello timers would prevent the routers from reaching the 2-WAY state (they would stay in INIT), not cause them to get stuck in EXSTART.

1461
MCQ · easy

A network administrator is troubleshooting a performance issue in a large enterprise campus network. The network consists of Cisco Catalyst 9300 switches acting as access switches and Cisco Catalyst 9500 switches as distribution. Users on VLAN 10 report intermittent slow file transfers to a server on VLAN 20. The administrator has verified that there are no errors on the links, CPU utilization is normal, and STP topology is stable. The administrator suspects a possible QoS issue. Upon checking the QoS configuration on the access switch, the administrator finds that the default QoS configuration is in place, which trusts the CoS value at the port level. The connected devices are IP phones and PCs; the IP phones mark voice traffic with CoS 5. The server on VLAN 20 is connected to a distribution switch. Which action should the administrator take to most likely resolve the issue?

A. Apply a policy map that polices voice traffic to 128 kbps to free bandwidth for data.
B. Disable QoS entirely on all switches to eliminate any potential QoS-related drops.
C. Configure auto QoS for VoIP on the access ports to ensure proper classification and queuing.
D. Configure trust DSCP on the access ports to prioritize all traffic based on DSCP values.
Answer: C

Correct.

Why this answer

Option C is correct because Auto QoS for VoIP automatically configures the necessary class maps, policy maps, and trust settings to properly classify and queue voice traffic (CoS 5) while ensuring data traffic is not starved. The default QoS configuration trusts CoS at the port level, but without proper queuing and scheduling, voice and data may compete for buffers, causing intermittent slow file transfers. Auto QoS sets up strict priority queuing for voice and allocates bandwidth for data, resolving the performance issue without manual misconfiguration.

Exam trap

Cisco often tests the misconception that simply trusting CoS or DSCP values is sufficient to prioritize traffic, when in fact trust alone does not configure the egress queuing and scheduling policies needed to prevent congestion and ensure bandwidth allocation.

How to eliminate wrong answers

Option A is wrong because policing voice traffic to 128 kbps would drop voice packets that exceed this rate, degrading voice quality, and does not address the root cause of data traffic being starved due to improper queuing. Option B is wrong because disabling QoS entirely removes all prioritization, which can cause both voice and data to be treated equally, potentially worsening the performance issue for file transfers during congestion. Option D is wrong because configuring trust DSCP on access ports would trust DSCP markings from PCs and IP phones, but the default QoS configuration already trusts CoS; changing to DSCP trust may not align with the existing CoS markings from IP phones and could lead to misclassification, while still lacking proper queuing policies.

1462
MCQ · medium

Consider the following SPAN configuration on a Cisco IOS-XE switch:

```
monitor session 2 source interface GigabitEthernet1/0/3 rx
monitor session 2 destination interface GigabitEthernet1/0/4
```

What is the effect of this configuration?

A. Only traffic received on GigabitEthernet1/0/3 is copied to GigabitEthernet1/0/4.
B. Both ingress and egress traffic on GigabitEthernet1/0/3 is copied to GigabitEthernet1/0/4.
C. Traffic on GigabitEthernet1/0/4 is mirrored to GigabitEthernet1/0/3.
D. The configuration is invalid because the destination interface must be in trunk mode.
Answer: A

The 'rx' keyword specifies ingress traffic only.

Why this answer

This SPAN session captures only ingress traffic (rx) from GigabitEthernet1/0/3 and sends it to GigabitEthernet1/0/4.

1463
MCQ · medium

An enterprise is redesigning its WAN QoS architecture to support real-time voice, video, and critical data applications over a limited bandwidth link. The architect must ensure that voice traffic receives strict priority queuing and that video traffic is guaranteed a minimum bandwidth, while allowing best-effort traffic to use remaining capacity. Which queuing strategy should be deployed on the WAN edge routers?

A. FIFO (First In, First Out) with tail drop
B. CBWFQ (Class-Based Weighted Fair Queuing) without a priority queue
C. LLQ (Low Latency Queuing) with a strict priority queue for voice and CBWFQ for video and data
D. WRED (Weighted Random Early Detection) with DSCP-based drop probabilities
Answer: C

LLQ combines a strict priority queue (for voice) with CBWFQ classes (for video and data), meeting both latency and bandwidth requirements.

Why this answer

LLQ combines a strict priority queue for delay-sensitive voice traffic with CBWFQ for other classes, guaranteeing minimum bandwidth for video while allowing best-effort traffic to share remaining capacity. This satisfies the requirement for strict priority queuing for voice and bandwidth guarantees for video, which CBWFQ alone cannot provide because it lacks a priority queue.

Exam trap

Cisco often tests the distinction between CBWFQ and LLQ, trapping candidates who think CBWFQ alone can provide strict priority queuing, when in fact only LLQ adds the 'priority' keyword to create a low-latency queue.

How to eliminate wrong answers

Option A is wrong because FIFO with tail drop provides no differentiation between traffic types, causing voice and video to suffer delay and drops alongside best-effort data. Option B is wrong because CBWFQ without a priority queue cannot offer strict priority queuing for voice, which is essential for low-latency real-time traffic. Option D is wrong because WRED is a congestion avoidance mechanism that manages drop probabilities based on DSCP, not a queuing strategy, and it cannot guarantee minimum bandwidth or strict priority for voice.

1464
MCQ · medium

In a Cisco QoS policy, what is the difference between 'bandwidth' and 'bandwidth remaining' commands?

A. There is no difference; both commands allocate bandwidth based on the total interface bandwidth.
B. 'bandwidth' allocates from the total bandwidth, while 'bandwidth remaining' allocates from the bandwidth left after priority queues.
C. 'bandwidth' is used for output policies, while 'bandwidth remaining' is used for input policies.
D. 'bandwidth' guarantees a minimum rate, while 'bandwidth remaining' sets a maximum rate.
Answer: B

Correct. 'bandwidth remaining' is used for fair sharing of leftover bandwidth.

Why this answer

The 'bandwidth' command allocates a percentage of the total interface bandwidth, while 'bandwidth remaining' allocates a percentage of the bandwidth left after priority queues and other guaranteed allocations have been served.

1465
Drag & Drop · medium

Drag and drop the steps of PAgP EtherChannel negotiation into the correct order, from first to last.

Why this order

PAgP negotiation starts with ports in auto mode sending PAgP packets, then detecting partner in desirable mode, exchanging capabilities, agreeing on parameters, and finally forming the bundle.

1466
MCQ · hard

A network engineer is configuring IPv6 First Hop Security on a Cisco switch to mitigate rogue RA attacks. The engineer enables RA guard on the switch and applies a policy that allows only the default gateway to send RAs. After configuration, hosts are unable to obtain IPv6 addresses via SLAAC. The engineer checks the switch and sees that RA guard is dropping all RAs. What is the most likely cause?

A. The RA guard policy does not include the IPv6 address or MAC address of the legitimate default gateway.
B. The switch has DHCPv6 snooping enabled, which conflicts with RA guard.
C. SLAAC requires the host to send a router solicitation first, which is being blocked by RA guard.
D. RA guard is configured in 'block' mode, which drops all RAs regardless of the policy.
Answer: A

Correct because RA guard drops RAs from devices not matching the policy, so the gateway's RAs are dropped.

Why this answer

RA guard uses a policy to determine which devices can send RAs. If the policy is configured to allow only a specific device (e.g., the default gateway), but the device's MAC address or IPv6 address is not correctly identified, all RAs are dropped. Option A is correct because the policy must include the gateway's address.

Option B is incorrect because RA guard does not require DHCPv6. Option C is incorrect because RA guard can work with SLAAC. Option D is incorrect because RA guard does not block all RAs by default; it uses the policy.

1467
MCQ · medium

An engineer is using the Cisco IOS-XE RESTCONF API to create a new loopback interface. The following JSON payload is sent in a POST request to '/restconf/data/ietf-interfaces:interfaces':

```json
{
  "ietf-interfaces:interface": [
    {
      "name": "Loopback100",
      "description": "Management Loopback",
      "type": "iana-if-type:softwareLoopback",
      "enabled": true,
      "ietf-ip:ipv4": {
        "address": [
          {
            "ip": "192.168.1.1",
            "netmask": "255.255.255.0"
          }
        ]
      }
    }
  ]
}
```

What is the correct HTTP method and URL for this operation?

A. POST /restconf/data/ietf-interfaces:interfaces
B. PUT /restconf/data/ietf-interfaces:interfaces
C. PATCH /restconf/data/ietf-interfaces:interfaces
D. POST /restconf/data/ietf-interfaces:interfaces/interface=Loopback100
Answer: A

POST is used to create a new resource under the interfaces collection.

Why this answer

To create a new resource, the POST method is used. The URL should point to the collection of interfaces. The payload includes the 'ietf-interfaces:interface' list.

The correct URL is '/restconf/data/ietf-interfaces:interfaces'.

1468
Drag & Drop · medium

Drag and drop the steps of IP SLA tracking with static route failover into the correct order, from first to last.

Why this order

First, the IP SLA operation is defined to monitor reachability. Then a track object is created that references the IP SLA operation. The track object is configured with a threshold for up/down state.

A static route is configured with the track object for failover. Finally, the static route is verified to use the track.

1469
Drag & Drop · medium

Drag and drop the steps of IP SLA tracking with static route failover into the correct order, from first to last.

Why this order

First, configure the IP SLA operation to monitor reachability. Then create a track object that references the IP SLA operation. Next, define a static route with the track option.

After that, configure the backup static route (with higher metric). Finally, verify failover by simulating a failure.

1470
Matching · medium

Drag and drop each DHCPv6 mode on the left to its matching address assignment method on the right.

Matches

DHCPv6 server assigns IPv6 addresses and other parameters

DHCPv6 server provides only options (e.g., DNS), addresses via SLAAC

Host generates its own IPv6 address using router advertisements

DHCPv6 prefix delegation for assigning subnets

Router Advertisement used in SLAAC to convey prefix and other info

Why these pairings

Stateful DHCPv6 assigns addresses from a server; stateless DHCPv6 provides other config info but uses SLAAC for addressing; SLAAC uses router advertisements for address autoconfiguration.

1471
Drag & Drop · medium

Drag and drop the steps of 4G/LTE WAN failover with IP SLA tracking into the correct order, from first to last.

Why this order

For 4G/LTE WAN failover using IP SLA, first an IP SLA probe is configured to monitor the primary WAN link, then the probe is associated with a tracking object, a backup static route with a higher metric is configured for the LTE interface, the primary route is removed when the tracking object goes down, and finally traffic is rerouted through the LTE interface. The correct order is: configure IP SLA probe to monitor primary WAN, associate probe with tracking object, configure backup static route with higher metric for LTE, remove primary route when tracking object goes down, reroute traffic through LTE interface.

1472
MCQ · hard

A network engineer issues the following command on Router R8:

```
R8# show policy-map interface gigabitethernet 0/1
 GigabitEthernet0/1
  Service-policy output: SHAPE-1M
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      queue limit 64 packets
      (queue depth 0) (congestion occurrences)
      shape (average) cir 1000000, bc 10000, be 10000
      target shape rate 1000000
```

Based on this output, what is true about the traffic shaping policy?

A. The policy is policing traffic to 1 Mbps.
B. The policy is shaping traffic to an average rate of 1 Mbps.
C. The policy is dropping all traffic because the queue is full.
D. The policy is applied in the input direction.
Answer: B

The command 'shape (average) cir 1000000' indicates shaping to 1 Mbps.

Why this answer

The output shows a shaping policy applied in the output direction with a CIR of 1 Mbps. The class-default is used, meaning all traffic is shaped.

1473
Drag & Drop · medium

Drag and drop the steps of ERSPAN (Encapsulated RSPAN) session configuration into the correct order, from first to last.

Why this order

ERSPAN configuration requires first defining the source and destination, then enabling the session. The order ensures the session references exist before activation.

1474
Multi-Select · medium

Which two statements about OSPF neighbor states are true? (Choose two.)

Select 2 answers
A. The 2-Way state indicates that the router has received a Hello packet from the neighbor with its own Router ID in the neighbor list.
B. In the ExStart state, routers exchange Database Description (DBD) packets to describe their LSDB contents.
C. The Full state means the routers have synchronized their link-state databases and are fully adjacent.
D. The Loading state occurs before the Exchange state in the neighbor state machine.
E. The Down state means the router has received a Hello packet from the neighbor but has not yet established two-way communication.
Answers: A, C

Correct because 2-Way state confirms bidirectional communication: each router sees its own Router ID in the other's Hello packet.

Why this answer

OSPF neighbor state machine progresses through several states. The 2-Way state indicates bidirectional communication has been established. The Full state means the routers have exchanged complete LSDB information.

The ExStart state is where the master/slave relationship is determined. The Loading state occurs after the Database Description (DBD) exchange.

1475
MCQ · medium

A network engineer is troubleshooting a security issue and needs to capture all traffic between two servers connected to different switches. The switches are connected via a trunk link. The monitoring station is connected to a third switch. The engineer decides to use RSPAN. Which of the following is a mandatory requirement for RSPAN to function correctly?

A. The RSPAN VLAN must be configured as the native VLAN on all trunk ports.
B. The RSPAN VLAN must be pruned from all trunk ports to prevent loops.
C. The RSPAN VLAN must be configured with the 'remote-span' command on all switches.
D. The RSPAN VLAN must be the same as the management VLAN for the switches.
Answer: C

Correct; the 'remote-span' command designates the VLAN as an RSPAN VLAN, which prevents normal data traffic from using it and allows mirrored traffic.

Why this answer

RSPAN requires a dedicated VLAN (RSPAN VLAN) that is used to transport the mirrored traffic from source switches to the destination switch. This VLAN must be configured with the 'remote-span' command on all switches that participate. The correct answer is that the RSPAN VLAN must be configured with the 'remote-span' command.

Option A is incorrect because the RSPAN VLAN does not need to be the native VLAN. Option B is incorrect because the RSPAN VLAN does not need to be pruned; in fact, it must be allowed on all trunks. Option D is incorrect because the RSPAN VLAN must be consistent across all switches, but it is not required to be the management VLAN.

1476
MCQ · hard

A network engineer is configuring a Cisco router to use TACACS+ for authentication and authorization of EXEC sessions. The engineer configures 'aaa new-model', 'aaa authentication login default group tacacs+ local', and 'aaa authorization exec default group tacacs+ local'. When a user tries to log in via SSH, the router prompts for username and password, but after entering correct credentials, the user is immediately disconnected. The TACACS+ server logs show that the authentication was successful. What is the most likely cause?

A. The TACACS+ server is not configured to authorize the user for EXEC access, so it sends a 'deny' response, causing the router to disconnect the user.
B. The 'aaa authorization exec' command should be 'aaa authorization commands 15' to allow the user to execute commands after login.
C. The router's SSH configuration is missing the 'ip ssh authentication-retries' command.
D. The 'local' fallback in the authorization command is overriding the TACACS+ response.
Answer: A

Correct because TACACS+ authorization for EXEC determines whether the user is allowed to start a shell; if the server denies, the router disconnects even though authentication succeeded.

Why this answer

The user is authenticated successfully, but the authorization for EXEC (shell) is failing. The 'aaa authorization exec default group tacacs+ local' command means the router will first try TACACS+ for EXEC authorization; if TACACS+ does not respond, it falls back to local. However, if TACACS+ responds with a deny for EXEC authorization, the user is denied access and disconnected.

The TACACS+ server may not have a shell profile for the user, or the authorization rule denies EXEC access.

1477
MCQ · medium

A network architect is designing a campus network for a large university with 10,000+ users. The design must provide high availability, minimize failure domains, and allow for easy scaling of the access layer. The core layer should be resilient and support fast convergence. Which hierarchical design model best meets these requirements?

A. Three-tier hierarchical design with access, distribution, and core layers, using redundant links and VRRP for gateway redundancy
B. Collapsed core design with core and distribution combined into one layer
C. Flat Layer 2 design with all switches in a single VLAN
D. Leaf-spine design with all switches acting as leafs and spines
Answer: A

This design separates failure domains, provides high availability via redundancy, and scales by adding distribution or access switches.

Why this answer

The three-tier hierarchical design (access, distribution, core) is the correct choice because it provides clear separation of failure domains, allows easy scaling by adding access switches, and supports high availability through redundant links and VRRP (or HSRP/GLBP) for first-hop gateway redundancy. The core layer can be designed with fast-converging protocols like ECMP and BFD to meet the resilience and convergence requirements for a large campus with 10,000+ users.

Exam trap

Cisco often tests the misconception that a collapsed core design is always more efficient for small-to-medium networks, but for a large campus with 10,000+ users, the three-tier model is required to minimize failure domains and allow independent scaling of the access layer.

How to eliminate wrong answers

Option B is wrong because a collapsed core design combines the core and distribution layers, which reduces the number of devices but creates a larger failure domain and limits scalability at the access layer, making it unsuitable for a large university campus. Option C is wrong because a flat Layer 2 design with all switches in a single VLAN creates a massive broadcast domain, leading to poor convergence, security risks, and no fault isolation, which violates the requirement to minimize failure domains. Option D is wrong because leaf-spine design is optimized for data center east-west traffic patterns and does not align with the north-south traffic flow typical of a campus network; it also does not provide the same level of gateway redundancy and access-layer scaling as a three-tier design.

1478
Matching · medium

Drag and drop each EIGRP metric component on the left to its matching K variable on the right.

Matches

K1

K2

K3

K4

K5

Why these pairings

K1 is bandwidth, K2 is load, K3 is delay, K4 is reliability, K5 is MTU.

1479
MCQ · medium

A network engineer runs the following command on Router R1:

```
R1# show ip nat translations
Pro  Inside global      Inside local     Outside local     Outside global
---  192.168.1.10:1024  10.0.0.10:1024   203.0.113.5:80    203.0.113.5:80
tcp  192.168.1.10:1025  10.0.0.10:1025   203.0.113.5:80    203.0.113.5:80
---  192.168.1.11:2048  10.0.0.11:2048   198.51.100.2:443  198.51.100.2:443
```

Based on this output, what can be concluded?

A. The router is performing static NAT
B. The router is performing dynamic NAT without overload
C. The router is performing NAT overload (PAT)
D. The router is performing destination NAT
Answer: C

Multiple inside local addresses (10.0.0.10 and 10.0.0.11) are using the same inside global address (192.168.1.10) with different port numbers, which is characteristic of PAT.

Why this answer

The output shows NAT translations. Inside global addresses are the public IPs seen on the outside, and inside local are the private IPs. The first entry has no protocol (---) indicating a static NAT or a translation that has timed out.

The second and third entries are TCP translations. The correct answer is that the router is performing NAT overload (PAT) because multiple inside local addresses are mapped to the same inside global address (192.168.1.10).

1480
MCQ · easy

What is the default frequency (in seconds) for an IP SLA ICMP echo operation if not explicitly configured?

A. 10 seconds
B. 30 seconds
C. 60 seconds
D. 120 seconds
Answer: C

The default frequency for IP SLA operations is 60 seconds.

Why this answer

The default frequency for IP SLA operations, including ICMP echo, is 60 seconds.

1481
Drag & Drop · medium

Drag and drop the steps of TrustSec SGT classification and enforcement into the correct order, from first to last.

Why this order

TrustSec first classifies traffic by assigning an SGT based on user/device identity, then the switch tags packets with the SGT. The packet is forwarded with the SGT intact, and the destination switch enforces policy by checking the SGT against an SGACL. Finally, the destination switch permits or denies traffic based on the SGACL.

1482
Matching · medium

Drag and drop each telemetry encoding on the left to its matching format on the right.

Matches

JSON encoding per IETF draft

Google Protocol Buffers binary encoding

Key-value pairs in GPB format

Extensible Markup Language encoding

Standard JSON encoding (non-IETF)

Why these pairings

JSON_IETF is a specific JSON profile, protobuf is binary, kvGPB is key-value GPB, XML is used in NETCONF, and JSON is generic.

1483
MCQ · medium

A network engineer runs the following command on Router R8:

```
R8# show ip nhrp
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 00:10:00, expire 01:50:00
   Type: dynamic, Flags: unique registered
   NBMA address: 192.168.1.1
10.0.0.2/32 via 10.0.0.2
   Tunnel0 created 00:05:00, expire 01:55:00
   Type: dynamic, Flags: unique registered
   NBMA address: 192.168.1.2
```

Based on this output, what can be concluded?

A. The router has static NHRP mappings configured.
B. The router is a DMVPN hub with two registered spokes.
C. The NHRP entries are about to expire because the expire time is less than 2 hours.
D. The router is a spoke because it has only two entries.
Answer: B

Dynamic entries with 'unique registered' flags indicate spoke registrations on a hub.

Why this answer

The NHRP cache shows two dynamic entries for 10.0.0.1 and 10.0.0.2 with NBMA addresses 192.168.1.1 and 192.168.1.2. Both are registered and unique, indicating a DMVPN spoke registration.

1484
Matching · medium

Drag and drop each SGT value range on the left to its matching policy type on the right.

Matches

Reserved for system use (e.g., unknown SGT)

User-defined scalable groups

Default SGTs assigned by Cisco DNA Center

Static SGTs configured manually

Dynamic SGTs assigned by ISE

Why these pairings

SGTs 0-1 are reserved, 2-9999 are user-defined, 10000-19999 are default, 20000-29999 are static, and 30000-65535 are dynamic.

1485
Drag & Drop · medium

Drag and drop the steps of EIGRP variance-based unequal-cost load balancing into the correct order, from first to last.


Why this order

To enable unequal-cost load balancing, first ensure feasible successors exist, then set the variance multiplier, optionally adjust the metric offset, and finally verify the load sharing across multiple paths.

1486
Drag & Drop · medium

Drag and drop the steps of a REST API call to DNA Center using the Requests library into the correct order, from first to last.


Why this order

The correct order starts with importing the requests library, then obtaining an authentication token via POST to the login endpoint. Next, the token is used as a header in a GET request to retrieve network devices, the response is parsed as JSON, and finally the token is used for subsequent API calls.

1487
MCQ · medium

A network engineer uses the Requests library to send a RESTCONF PATCH request to modify the hostname of a Cisco IOS-XE device:

```python
import requests
from requests.auth import HTTPBasicAuth

url = 'https://192.168.1.1/restconf/data/Cisco-IOS-XE-native:native/hostname'
headers = {'Content-Type': 'application/yang-data+json'}
auth = HTTPBasicAuth('admin', 'cisco123')
payload = {
    'Cisco-IOS-XE-native:hostname': 'NewRouter'
}

# verify=False turns off TLS certificate verification for this request
response = requests.patch(url, json=payload, headers=headers, auth=auth, verify=False)
print(response.status_code)
```

What is the expected HTTP status code if the request is successful?

A. 200 OK
B. 201 Created
C. 204 No Content
D. 202 Accepted
Answer: C

RESTCONF PATCH returns 204 on success.

Why this answer

In RESTCONF, a successful PATCH request returns 204 No Content, as the resource is modified and no content is returned in the response body. Some implementations may return 200, but the standard is 204.

1488
MCQ · hard

A financial services company has deployed Cisco UCS servers with VMware vSphere 7.0 to host critical trading applications. The network uses Cisco Nexus 9000 switches in a VXLAN EVPN fabric with BGP as the underlay. The environment includes 50 ESXi hosts, each connected via two 40G interfaces to two different leaf switches in a VPC. The VMs are spread across multiple hosts and communicate over VXLAN. Recently, the operations team migrated a set of VMs from an old VLAN-based network to a new VXLAN segment (VNI 50000). After the migration, users report intermittent connectivity issues and packet loss. The engineering team captures traffic and notices that some VMs send ARP requests that are not being replied to, even though the target VM is active. Further analysis shows that the ARP requests are being flooded to all VTEPs, but the replies are not reaching the source. The team checks the underlay and finds no issues with BGP or routing. The NVE interfaces are up, and the VNI is configured. Which of the following is the most likely cause of the issue?

A. The ingress replication list is missing some VTEPs.
B. The symmetric routing configuration is missing on the leaf switches.
C. The VPC configuration between the leaf switches and ESXi hosts is incorrect.
D. The MAC address of the target VM is not being advertised in EVPN type-2 routes because the VM's MAC is learned on a different leaf switch than expected.
Answer: D

If the MAC is not advertised, the source VTEP will flood ARP requests but not receive replies due to unknown unicast flooding.

Why this answer

The issue is that the target VM's MAC address is not being advertised via EVPN Type-2 routes from the leaf switch where it resides. When the source VM sends an ARP request, the ingress VTEP floods it to all VTEPs in the VNI's ingress replication list, but the reply from the target VM must be unicast back. If the target's MAC is not in the EVPN control plane (e.g., because it was learned on a different leaf than expected due to asymmetric MAC learning or stale entries), the reply cannot be forwarded correctly, causing intermittent connectivity.

Exam trap

Cisco often tests the distinction between data-plane flooding (which works) and control-plane advertisement (which fails), leading candidates to incorrectly blame replication lists or VPC issues instead of identifying the missing EVPN Type-2 route.

How to eliminate wrong answers

Option A is wrong because if the ingress replication list were missing some VTEPs, the ARP requests would not reach those VTEPs at all, but the problem states the ARP requests are flooded to all VTEPs, so the list is complete. Option B is wrong because symmetric routing is a design choice for inter-VNI routing (e.g., between different VNIs), not for intra-VNI ARP handling within the same VNI; the issue is about MAC/IP advertisement, not routing asymmetry. Option C is wrong because the VPC configuration between leaf switches and ESXi hosts affects link-level redundancy and loop prevention, but the underlay is healthy and NVE interfaces are up, so VPC misconfiguration would cause connectivity issues unrelated to ARP reply forwarding.

1489
Matching · medium

Drag and drop each NAT terminology on the left to its matching definition on the right.

Matches

The IP address of the host as seen from inside the network

The translated IP address of the host as seen from outside the network

The IP address of the remote host as seen from inside the network

The IP address of the remote host as seen from outside the network

A range of public IP addresses used for dynamic translation

Why these pairings

Inside local is the private IP of the host; inside global is the public IP after translation; outside local is the private IP of the remote host; outside global is the public IP of the remote host.

1490
MCQ · hard

A network engineer runs the following commands on Router R9:

```
R9# show queueing interface GigabitEthernet0/1
Interface GigabitEthernet0/1 queueing strategy: class-based weighted fair
  Queueing on output: Class-based Weighted Fair Queueing
  Queueing on input: FIFO

R9# show policy-map interface GigabitEthernet0/1
 GigabitEthernet0/1

  Service-policy output: QOS_POLICY

    Class-map: VOICE (match-any)
      100 packets, 10000 bytes
      5 minute offered rate 10000 bps, drop rate 0 bps
      Match: ip dscp ef (46)
      Queueing
      strict priority
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 100/10000
      police cir 1000000 bc 15625 be 15625
        conformed 100 packets, 10000 bytes; actions: transmit
        exceeded 0 packets, 0 bytes; actions: drop
        violated 0 packets, 0 bytes; actions: drop

    Class-map: DATA (match-any)
      200 packets, 20000 bytes
      5 minute offered rate 20000 bps, drop rate 0 bps
      Match: ip dscp af31 (26)
      Queueing
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 200/20000
      bandwidth remaining percent 50

    Class-map: class-default (match-any)
      300 packets, 30000 bytes
      5 minute offered rate 30000 bps, drop rate 0 bps
      Match: any
      Queueing
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 300/30000
      bandwidth remaining percent 50
```

Based on this output, what can be concluded?

A. The interface uses WFQ for output queuing.
B. Voice traffic is being dropped because it exceeds the police rate.
C. Data traffic is guaranteed 50% of the remaining bandwidth after priority queuing.
D. The policy-map is applied to input traffic.
Answer: C

The DATA class has 'bandwidth remaining percent 50'.

Why this answer

The output queueing strategy is CBWFQ. The VOICE class uses strict priority and is policed at 1 Mbps. All voice packets conform (100 packets).

DATA and class-default share remaining bandwidth equally. The total offered rate is 60 kbps, well below any congestion, so no drops occur.

1491
MCQ · medium

Consider the following OSPF configuration on router R2:

```
interface GigabitEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 ip ospf 1 area 0
 ip ospf hello-interval 5
!
router ospf 1
 router-id 2.2.2.2
 network 192.168.1.0 0.0.0.255 area 0
```

Which statement is true about this configuration?

A. The OSPF dead interval is automatically set to 20 seconds.
B. The OSPF dead interval remains at the default of 40 seconds.
C. This configuration will cause OSPF to use MD5 authentication.
D. The OSPF network type changes to point-to-point.
Answer: A

By default, the dead interval is 4 times the hello interval, so with hello 5, dead becomes 20 seconds.

Why this answer

The correct answer is A because the OSPF dead interval is automatically set to four times the hello interval when the hello interval is manually configured. By default, OSPF uses a hello interval of 10 seconds and a dead interval of 40 seconds on broadcast networks. However, when you explicitly set the hello interval to 5 seconds using the 'ip ospf hello-interval 5' command, the router automatically adjusts the dead interval to 20 seconds (4 × 5 seconds) to maintain the standard ratio, unless the dead interval is also manually configured.

Exam trap

Cisco often tests the automatic relationship between the OSPF hello and dead intervals, and the trap here is that candidates assume the dead interval remains at the default value (40 seconds) even after changing the hello interval, rather than understanding it scales proportionally to 4× the new hello interval.

How to eliminate wrong answers

Option B is wrong because the OSPF dead interval does not remain at the default of 40 seconds; it is automatically recalculated to 20 seconds when the hello interval is changed to 5 seconds. Option C is wrong because the configuration shown does not include any authentication commands such as 'ip ospf authentication message-digest' or 'ip ospf message-digest-key', so MD5 authentication is not enabled. Option D is wrong because the network type remains as the default broadcast (multi-access) for GigabitEthernet interfaces; changing the network type to point-to-point requires the explicit command 'ip ospf network point-to-point'.

1492
Drag & Drop · medium

Drag and drop the steps of FlexVPN spoke-to-spoke dynamic tunnel creation into the correct order, from first to last.


Why this order

In FlexVPN, a spoke sends an IKEv2 authentication request to the hub. The hub authenticates the spoke and sends back the IKEv2 configuration payload with the remote spoke's address. The originating spoke then initiates a direct IKEv2 session to the remote spoke.

Both spokes complete IKEv2 authentication and IPsec SA setup. Finally, traffic flows directly between the spokes without going through the hub.

1493
Drag & Drop · medium

Drag and drop the steps of VNF scaling up and scaling out into the correct order, from first to last.


Why this order

Scaling begins with the VNFM monitoring performance metrics against thresholds. When a threshold is exceeded, the VNFM triggers a scaling action. For scale-up, additional resources are allocated to the existing VNF instance.

For scale-out, a new VNF instance is instantiated. Finally, load balancing is updated to distribute traffic across all instances.

1494
Matching · medium

Drag and drop each DNA Center API category on the left to its matching endpoint group on the right.

Matches

Endpoints for network discovery, inventory, and topology

Endpoints for site creation, building floors, and maps

Endpoints for device configuration, templates, and software images

Endpoints for command runner, tasks, and events

Endpoints for group-based access control and application policy

Why these pairings

DNA Center API categories: Know Your Network includes discovery and inventory; Site Management handles sites and maps; Connectivity manages network devices; Operational Tasks covers tasks and events.

1495
MCQ · easy

What is the maximum hop count for EIGRP?

A. 255
B. 15
C. 100
D. 16
Answer: A

Correct. EIGRP supports up to 255 hops.

Why this answer

EIGRP uses a maximum hop count of 255, which is the default and hard limit for the protocol. This is because EIGRP is a distance-vector protocol that uses hop count as one of its metrics, but unlike RIP (which has a limit of 15), EIGRP's DUAL algorithm allows for much larger networks without the same loop-prevention constraints.

Exam trap

Cisco often tests the difference between EIGRP's maximum hop count (255) and RIP's maximum hop count (15/16), tempting candidates who confuse the two distance-vector protocols or who mistakenly think all routing protocols have a low hop limit.

How to eliminate wrong answers

Option B (15) is wrong because 15 is the maximum hop count for RIP, not EIGRP; this is a common confusion between distance-vector protocols. Option C (100) is wrong because 100 is not a standard hop count limit for any major routing protocol; it may be confused with the default administrative distance for OSPF or EIGRP summary routes. Option D (16) is wrong because 16 is the 'unreachable' metric in RIP (hop count 16 means infinite), not a valid maximum for EIGRP.

1496
Multi-Select · medium

Which two statements about Ansible inventory files are true? (Choose two.)

Select 2 answers
A. Ansible can use a dynamic inventory script that queries an external source such as AWS EC2.
B. The default location for the Ansible inventory file is /etc/ansible/hosts.
C. Ansible inventory files can only be written in INI format.
D. Group variables in an inventory must be defined in separate files under the group_vars directory.
E. The inventory file can only contain hostnames, not IP addresses.
Answers: A, B

Correct because dynamic inventory scripts allow Ansible to retrieve host information from external sources like cloud providers.

Why this answer

Ansible inventory files can be static (INI/YAML) or dynamic (script or plugin). The default location is /etc/ansible/hosts. INI format uses [group] headers and YAML uses a structured hierarchy.

Dynamic inventories pull from external sources like cloud APIs.

1497
Matching · medium

Drag and drop each DMVPN phase on the left to its matching NHRP operation type on the right.

Matches

Spoke-to-hub only via NHRP registration

Spoke-to-spoke via NHRP redirect

Spoke-to-spoke via NHRP shortcut

Redirect from hub to trigger direct tunnel

Shortcut resolution by spoke

Why these pairings

Phase 1 uses spoke-to-hub only; Phase 2 allows spoke-to-spoke via NHRP redirect; Phase 3 uses NHRP shortcut to enable spoke-to-spoke directly.

1498
MCQ · medium

A network engineer is configuring BGP on a Cisco router that connects to two ISPs. The router has a default route pointing to each ISP. The engineer wants to load balance outbound traffic across both ISPs. The router receives a default route from both ISPs. Which BGP configuration approach will allow the router to install both default routes in the routing table and load balance traffic?

A. Configure the maximum-paths command under the BGP address family and use the bgp bestpath as-path multipath-relax command.
B. Configure the network command to advertise the default route from both ISPs.
C. Set the local preference to the same value on both default routes.
D. Use the redistribute command to redistribute the default routes into BGP.
Answer: A

Correct because maximum-paths allows multiple paths to be installed, and multipath-relax ignores AS_PATH length differences, enabling load balancing across different ASes.

Why this answer

Option A is correct because the `maximum-paths` command under the BGP address family enables the router to install multiple paths for the same prefix (in this case, the default route 0.0.0.0/0) into the routing table. The `bgp bestpath as-path multipath-relax` command is necessary because the two default routes from different ISPs will have different AS_PATH lengths; this command relaxes the requirement for equal AS_PATH length, allowing the router to consider them as multipath candidates. Together, they allow both default routes to be installed and used for load balancing outbound traffic.

Exam trap

Cisco often tests the nuance that simply having equal BGP path attributes (like local preference) does not enable multipath installation; candidates must remember that `maximum-paths` and `multipath-relax` are explicitly required to install and load balance multiple BGP routes, even for default routes.

How to eliminate wrong answers

Option B is wrong because the `network` command is used to inject a prefix into BGP from the IP routing table, not to install received routes; the router already receives the default routes from the ISPs, so advertising them again is irrelevant to load balancing. Option C is wrong because setting the same local preference on both default routes only ensures they have equal preference in the BGP best-path selection process, but without `maximum-paths` and `multipath-relax`, the router will still select only one best path and install a single default route. Option D is wrong because `redistribute` is used to import routes from another routing protocol into BGP, not to control how received BGP routes are installed; redistributing the default routes would create a new BGP route, but it does not enable multipath installation of the received routes.

1499
MCQ · medium

Given the following configuration on a Cisco IOS-XE router:

```
ip multicast-routing
!
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip pim sparse-mode
 ip igmp version 2
!
router ospf 1
 network 10.1.1.0 0.0.0.255 area 0
!
```

What is missing from this configuration to support Source-Specific Multicast (SSM) for group range 232.0.0.0/8?

A. The interface must be configured with 'ip igmp version 3' to support SSM.
B. The router must be configured with 'ip pim ssm' command to enable SSM.
C. An RP must be configured for the 232.0.0.0/8 range.
D. The interface must be configured with 'ip pim dense-mode' for SSM to work.
Answer: A

Correct. IGMPv3 is required for SSM to allow hosts to specify sources in their membership reports.

Why this answer

SSM requires IGMPv3 to allow hosts to specify sources. The configuration uses IGMPv2, which does not support source filtering. Additionally, PIM sparse-mode is used, but SSM typically uses PIM SSM (which is essentially PIM sparse-mode with the SSM range).

The missing piece is IGMPv3; the SSM range is automatically enabled for 232.0.0.0/8 when IGMPv3 is configured.

1500
Drag & Drop · medium

Drag and drop the Hierarchical QoS (H-QoS) parent/child policy steps into the correct order, from first to last.


Why this order

First, create the child policy for per-class queuing. Then, create the parent policy that shapes and references the child. Apply the parent policy to the interface.
