ENCOR 350-401 (350-401) — Questions 1576–1650

2015 questions total · 27 pages · All types, answers revealed

Page 22 of 27

1576
Drag & Drop · medium

Drag and drop the steps of troubleshooting a failed RSPAN session into the correct order, from first to last.

Why this order

The correct order starts with verifying the RSPAN VLAN exists and is active on all switches, then checking that trunk links carry the RSPAN VLAN, then confirming the source SPAN session is correctly configured, then inspecting the destination SPAN session, and finally using debug or monitor commands to isolate the issue.

1577
MCQ · medium

Which BGP attribute is preferred when it has the lowest value?

A. Weight
B. Local Preference
C. MED (Multi-Exit Discriminator)
D. AS Path Length
Answer: C

Correct. A lower MED is preferred.

Why this answer

The Multi-Exit Discriminator (MED) is a BGP attribute used to influence inbound traffic from neighboring ASes. A lower MED value is preferred when multiple paths are received from the same neighboring AS, making it the correct answer for an attribute preferred with the lowest value.

Exam trap

Cisco often tests the misconception that all BGP attributes follow a 'higher is better' rule, but MED is a key exception where lower is better, and candidates may confuse it with Local Preference or Weight which are higher-is-better.

How to eliminate wrong answers

Option A is wrong because Weight is a Cisco-proprietary attribute that is preferred when it has the highest value, not the lowest. Option B is wrong because Local Preference is used to influence outbound traffic from an AS and is preferred with the highest value. Option D is wrong because AS Path Length is preferred when it is the shortest (lowest number of AS hops), but the question asks for an attribute preferred with the lowest value, and MED is the only one among the options that explicitly uses a lower-is-better metric for its specific purpose.

1578
MCQ · hard

An architect is designing a QoS policy for a Cisco SD-Access fabric. The policy must prioritize voice traffic from wireless clients connected to fabric-enabled access points over other traffic types. The design should use the fabric's built-in capabilities to simplify deployment. Which approach should the architect take?

A. Use Cisco TrustSec to assign an SGT to voice traffic based on ISE authentication, then apply a QoS policy on the fabric edge node that matches the SGT and provides priority queuing.
B. Configure QoS policies on the wireless LAN controller (WLC) only, marking voice traffic with DSCP EF, and rely on the fabric to preserve the marking.
C. Implement a centralized QoS policy on the fabric border node that matches the source IP addresses of voice devices.
D. Use VXLAN network identifiers (VNIs) to classify voice traffic and apply QoS on the control plane node.
Answer: A

This uses the fabric's native policy capabilities (TrustSec) to classify voice traffic by SGT, enabling consistent QoS without complex ACLs.

Why this answer

Option A is correct because Cisco SD-Access uses TrustSec to propagate Security Group Tags (SGTs) from ISE to the fabric edge nodes. By matching the SGT assigned to voice traffic (e.g., via ISE profiling and authentication), the fabric edge node can apply a QoS policy that places that traffic into a priority queue. This leverages the fabric's built-in SGT-based policy enforcement, simplifying deployment without requiring per-device ACLs or complex marking configurations.

Exam trap

Cisco often tests the misconception that QoS marking alone (e.g., DSCP EF) is sufficient in SD-Access, when in fact the fabric requires explicit policy enforcement at the edge node, and SGT-based classification is the recommended method for scalable, identity-aware QoS.

How to eliminate wrong answers

Option B is wrong because relying solely on the WLC to mark voice traffic with DSCP EF does not guarantee that the fabric will preserve the marking end-to-end; the fabric edge node must still apply a local QoS policy to honor the DSCP value, and the WLC-only approach ignores the fabric's ability to use SGTs for simplified, scalable policy. Option C is wrong because matching source IP addresses on the fabric border node is not scalable for voice traffic from many wireless clients, and the border node is not the optimal location for per-flow QoS classification in SD-Access; classification should occur at the fabric edge where traffic enters the fabric. Option D is wrong because VXLAN network identifiers (VNIs) are used for Layer 2 and Layer 3 segmentation, not for QoS classification; applying QoS on the control plane node is incorrect as the control plane handles overlay routing and database functions, not data-plane packet forwarding or queuing.

1579
Multi-Select · medium

Which three statements about syslog message severity levels are correct? (Choose three.)

Select 3 answers
A. Severity level 0 (emergencies) indicates the system is unusable.
B. Severity level 3 (errors) includes error conditions that still allow the system to function.
C. Severity level 5 (notifications) is used for normal but significant conditions, such as interface up/down.
D. Severity level 6 (informational) is used for debugging messages that are only useful during troubleshooting.
E. The default logging console severity level on Cisco IOS is 3 (errors).
Answers: A, B, C

Correct because level 0 is the highest severity and indicates a system-wide failure or emergency.

Why this answer

Syslog severity levels range from 0 (emergency) to 7 (debugging). The logging console default is usually level 7 (debugging) but can be changed. Level 3 (errors) includes error conditions that still allow the system to function.

Level 5 (notifications) is for normal but significant conditions. Level 6 (informational) is for informational messages. Level 0 is the highest severity (most critical).

1580
MCQ · easy

Which BGP attribute is preferred when it has the lowest value?

A. MED (Multi-Exit Discriminator)
B. Local Preference
C. Weight
D. AS Path
Answer: A

Correct. Lower MED is preferred when comparing routes from the same neighboring AS.

Why this answer

The MED (Multi-Exit Discriminator) attribute is used to influence inbound traffic to an AS, and the path with the lowest MED is preferred.

1581
Drag & Drop · medium

Drag and drop the steps of EIGRP route summarization configuration into the correct order, from first to last.

Why this order

EIGRP route summarization first requires enabling EIGRP, configuring the network statement, then entering interface configuration mode, applying the summary-address command, and finally verifying the summary route in the routing table.

1582
Matching · medium

Drag and drop each MQC component on the left to its matching role on the right.

Matches

Defines traffic classification using match statements

Defines QoS actions (e.g., bandwidth, priority) for each class

Applies a policy-map to an interface (input or output)

Why these pairings

class-map defines traffic classification criteria, policy-map defines the QoS actions to apply, service-policy applies the policy-map to an interface, class-map uses match statements, and policy-map uses class statements.

1583
MCQ · medium

A network engineer runs the following command on Switch SW2:

```
SW2# show spanning-tree vlan 20

VLAN0020
  Spanning tree enabled protocol ieee
  Root ID    Priority    24596
             Address     aabb.cc00.0200
             Cost        4
             Port        1 (GigabitEthernet0/1)
             Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

  Bridge ID  Priority    32778 (priority 32768 sys-id-ext 20)
             Address     aabb.cc00.0300
             Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
             Aging Time 300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ------------------------------
Gi0/1               Root FWD 4         128.1    P2p
Gi0/2               Desg FWD 4         128.2    P2p
Gi0/3               Altn BLK 4         128.3    P2p
```

Based on this output, what can be concluded?

A. SW2 is the root bridge for VLAN 20.
B. GigabitEthernet0/3 is in the Blocking state to prevent a loop.
C. The root port cost is 8.
D. SW2's bridge priority is 32768.
Answer: B

Correct. Gi0/3 is shown as Altn BLK (Alternate, Blocking), which prevents a loop.

Why this answer

SW2 is not the root bridge (its bridge priority 32778 is higher than root priority 24596). Gi0/1 is the root port (cost 4 to root), Gi0/2 is a designated port, and Gi0/3 is an alternate port in blocking state. The root bridge is at MAC aabb.cc00.0200.

1584
MCQ · medium

Which statement correctly describes the difference between RADIUS and TACACS+?

A. RADIUS encrypts the entire packet; TACACS+ encrypts only the password.
B. RADIUS encrypts only the password; TACACS+ encrypts the entire packet body.
C. Both protocols encrypt the entire packet.
D. Neither protocol encrypts any part of the packet.
Answer: B

Correct. RADIUS encrypts only the password attribute, while TACACS+ encrypts the entire payload.

Why this answer

RADIUS encrypts only the password in the access-request packet, while TACACS+ encrypts the entire packet body (excluding the header). This is a key security difference.

1585
MCQ · easy

A network engineer is configuring a Cisco router for AAA using a RADIUS server. The engineer wants to ensure that if the RADIUS server is unreachable, the router falls back to local authentication for console access. The engineer configures 'aaa authentication login default group radius local' and 'aaa authentication login CONSOLE local'. The console line is configured with 'login authentication CONSOLE'. However, when the RADIUS server is down, the engineer cannot log in via the console. What is the problem?

A. The router has no local usernames configured, so the 'local' method has no users to authenticate against.
B. The 'aaa authentication login CONSOLE local' command should be 'aaa authentication login CONSOLE group radius local' to include RADIUS as a fallback.
C. The console line should use the default authentication list instead of a named list.
D. The 'aaa new-model' command is missing, so AAA is not enabled.
Answer: A

Correct because 'local' authentication uses the local username database; if no usernames are configured, authentication fails.

Why this answer

The console line is configured to use the 'CONSOLE' method list, whose only method is 'local', so console logins do not depend on the RADIUS server. This part of the configuration is correct. The 'local' method authenticates against usernames defined with the 'username' command.

Because the engineer cannot log in, local authentication is failing. The most likely cause is that no local usernames are configured on the router.

1586
MCQ · easy

What is the default IGMP version on a Cisco IOS interface when IP multicast routing is enabled?

A. IGMPv1
B. IGMPv2
C. IGMPv3
D. IGMPv2 is default only if PIM is enabled; otherwise, no IGMP.
Answer: B

Correct. IGMPv2 is the default on Cisco IOS interfaces.

Why this answer

The default IGMP version on Cisco IOS interfaces is version 2, which is widely supported and provides basic membership reporting and querying.

1587
MCQ · easy

A network engineer is troubleshooting a connectivity issue in a switched network. The network uses Rapid PVST+ with multiple VLANs. The engineer notices that a host connected to an access port on SW1 cannot communicate with the default gateway, which is on a distribution switch. The access port is configured with PortFast and BPDU Guard. The engineer checks the switch logs and sees that the port went into errdisable state. What is the most likely cause of the errdisable state?

A. Another switch was connected to the access port, causing BPDU Guard to disable the port.
B. A broadcast storm occurred due to a loop in the network.
C. The host connected to the port caused a duplex mismatch.
D. The cable connecting the host is faulty, causing link flaps.
Answer: A

Correct because BPDU Guard disables a PortFast-enabled port if a BPDU is received, which happens when another switch is connected.

Why this answer

The access port is configured with PortFast and BPDU Guard. PortFast immediately transitions the port to forwarding, but BPDU Guard monitors for incoming BPDUs. When another switch is connected to this access port, it sends BPDUs, triggering BPDU Guard to error-disable the port to prevent a potential bridging loop.

This matches the log entry showing the port went into errdisable state.

Exam trap

Cisco often tests the distinction between BPDU Guard (which reacts to BPDUs) and other errdisable causes like loop guard, UDLD, or link-flap; the trap here is assuming that any errdisable on an access port must be due to a physical issue (duplex, cable) rather than a deliberate STP protection mechanism.

How to eliminate wrong answers

Option B is wrong because a broadcast storm due to a loop would typically cause high CPU utilization and potential port flapping, but it would not directly trigger BPDU Guard to error-disable a port; BPDU Guard specifically reacts to BPDU reception, not broadcast storms. Option C is wrong because a duplex mismatch causes CRC errors, late collisions, and performance degradation, but it does not cause BPDU Guard to disable the port; duplex mismatch is detected by interface counters, not by BPDU Guard. Option D is wrong because a faulty cable causing link flaps would result in the port repeatedly going up/down, which could trigger errdisable due to link-flap protection (if configured), but not BPDU Guard; the logs specifically mention errdisable from BPDU Guard, not from link flaps.

1588
Drag & Drop · medium

Drag and drop the steps of RSPAN session configuration and traffic flow into the correct order, from first to last.

Why this order

The correct order starts with creating a dedicated VLAN for RSPAN traffic, then configuring the source switch to monitor traffic and forward it to that VLAN, followed by configuring the intermediate switches to transport the RSPAN VLAN, then configuring the destination switch to receive and analyze the traffic, and finally verifying end-to-end packet flow.

1589
MCQ · medium

```
spanning-tree mode rapid-pvst
```

What is the effect of this global configuration command?

A. The switch will use Rapid PVST+ for all VLANs, providing faster convergence than classic STP.
B. The switch will use MSTP for all VLANs.
C. The switch will use classic STP for all VLANs.
D. The switch will disable STP on all ports.
Answer: A

Rapid PVST+ is the Cisco implementation of RSTP per VLAN.

Why this answer

This enables Rapid PVST+ mode, which runs RSTP per VLAN for faster convergence.

1590
Drag & Drop · medium

Drag and drop the steps of LDP session establishment between LSRs into the correct order, from first to last.

Why this order

LDP session establishment starts with Hello discovery via UDP, then TCP connection setup, LDP initialization with parameters, label exchange via KeepAlive and Label Mapping, and finally session up with full label exchange.

1591
MCQ · hard

A network engineer runs the following command on Router R3:

```
R3# show ip nat statistics
Total active translations: 5 (0 static, 5 dynamic; 5 extended)
Outside interfaces:
  GigabitEthernet0/0
Inside interfaces:
  GigabitEthernet0/1
Hits: 1234 Misses: 5
CEF Translated packets: 1200, CEF Punted packets: 34
Expired translations: 10
Dynamic mappings:
-- Inside Source
[Id] ip nat pool POOL1 203.0.113.1 203.0.113.10 netmask 255.255.255.240 refcount 5
```

Based on this output, what can be concluded?

A. The NAT pool has exhausted all available addresses.
B. The NAT translations are all static.
C. The router is performing Port Address Translation (PAT).
D. The inside interface is GigabitEthernet0/0.
Answer: C

The translations are 'extended', which indicates PAT is being used.

Why this answer

The statistics show 5 active dynamic translations, all extended (PAT). The pool POOL1 has 10 addresses, but only 5 are currently used. The misses indicate packets that triggered new translations.

1592
MCQ · hard

A network engineer is configuring model-driven telemetry on a Cisco IOS-XE router to stream CPU and memory statistics to a collector. The engineer wants to use the YANG model 'Cisco-IOS-XE-process-cpu-oper' and 'Cisco-IOS-XE-memory-oper'. After configuring the telemetry subscription, the engineer notices that no data is being received at the collector. The collector is reachable and the gRPC dial-out is configured correctly. What is the most likely cause of the issue?

A. The YANG models specified are not supported on IOS-XE
B. The telemetry subscription is missing the 'source-interface' configuration
C. The collector is blocking UDP traffic from the router
D. The engineer must enable 'ip http secure-server' for telemetry to work
Answer: B

Without a source-interface, the router may use an unreachable IP address, causing the collector to drop the connection or not receive data.

Why this answer

The YANG models are operational data models and are correct for this subscription. The most likely cause is that the engineer did not include the 'source-interface' configuration under the telemetry subscription, which is required for dial-out telemetry to ensure the router uses the correct IP address. The other options are incorrect: the collector is reachable, so a firewall is not the issue; the YANG models are correct; and gRPC is supported.

1593
Matching · medium

Drag and drop each flow record field on the left to its matching category (key or non-key) on the right.

Matches

Key field

Key field

Key field

Non-key field

Non-key field

Why these pairings

Key fields define a unique flow (e.g., source IP, destination IP, protocol). Non-key fields provide additional data (e.g., byte count, packet count, timestamps).

1594
Multi-Select · hard

Which three statements about model-driven telemetry are true? (Choose three.)

Select 3 answers
A. Model-driven telemetry uses a pull model where the collector requests data from network devices.
B. Telemetry subscriptions can be configured to report data on a periodic interval or when a value changes.
C. gRPC and gNMI are common transport protocols used for model-driven telemetry.
D. Model-driven telemetry requires the use of SNMP for data encoding.
E. YANG data models define the structure and semantics of telemetry data.
Answers: B, C, E

Subscriptions support both periodic (cadence-based) and on-change reporting.

Why this answer

Model-driven telemetry (MDT) uses YANG data models and supports both periodic and on-change subscriptions. It uses a push model, reducing polling overhead. gRPC and gNMI are common transport protocols. Telemetry data can be encoded in JSON or GPB.

1595
Drag & Drop · medium

Drag and drop the steps of DNA Center SWIM (Software Image Management) upgrade flow into the correct order, from first to last.

Why this order

The correct order begins with importing the image into the image repository, then distributing the image to the device, then activating the image (setting it as the boot image), then rebooting the device, and finally verifying the new version. This ensures a controlled upgrade process.

1596
Drag & Drop · medium

Drag and drop the steps of AAA accounting for command logging setup into the correct order, from first to last.

Why this order

To log commands via AAA accounting, you first enable AAA globally, then configure the accounting method list for exec or commands, apply it to the desired lines, and finally verify that commands are being sent to the accounting server.

1597
MCQ · hard

A network engineer is troubleshooting an issue where Cisco DNA Center is not sending configuration changes to a group of switches. The engineer checks the Provisioning dashboard and sees that the devices are in 'Pending' state. The engineer has already created the intent (network profile) and assigned it to the site. What is the most likely cause?

A. The engineer has not executed the Provision workflow to deploy the configuration.
B. The devices are not reachable from DNA Center.
C. The DNA Center appliance is out of disk space.
D. The network profile contains an invalid configuration.
Answer: A

Correct because 'Pending' means the configuration is ready but not yet deployed; the engineer must run the Provision workflow.

Why this answer

In Cisco DNA Center, provisioning is a multi-step process. After creating intent, the engineer must explicitly run the Provision workflow to push the configuration. The 'Pending' state indicates that the intent has been defined but not yet deployed.

The engineer must start the provisioning job to push the configuration to the devices.

1598
MCQ · medium

```
interface GigabitEthernet0/1
 spanning-tree portfast
 spanning-tree bpduguard enable
end
```

What is the effect of this configuration?

A. The port will immediately transition to forwarding state and will be error-disabled if a BPDU is received.
B. The port will go through normal STP states and will be error-disabled if a BPDU is received.
C. The port will immediately transition to forwarding and ignore any BPDUs received.
D. The port will remain in blocking state until a BPDU is received.
Answer: A

PortFast causes immediate forwarding; BPDU Guard error-disables the port upon BPDU reception.

Why this answer

PortFast and BPDU Guard are enabled on the interface, which immediately transitions the port to forwarding and disables it if a BPDU is received.

1599
Multi-Select · hard

Which three statements about LDP (Label Distribution Protocol) are true? (Choose three.)

Select 3 answers
A. LDP uses UDP to send Hello messages for neighbor discovery.
B. LDP establishes TCP sessions between LSRs to exchange label bindings.
C. LDP assigns labels to all prefixes in the routing table by default.
D. LDP supports traffic engineering by reserving bandwidth along LSPs.
E. LDP uses OSPF to distribute label bindings across the network.
Answers: A, B, C

Correct because LDP Hellos are sent as UDP packets to the multicast address 224.0.0.2 on port 646.

Why this answer

LDP uses Hello messages (UDP on port 646) for neighbor discovery and TCP (port 646) for session establishment and label exchange. LDP assigns labels to all prefixes in the routing table by default. LDP does not support traffic engineering; RSVP-TE is used for that.

LDP does not use OSPF for label distribution; it has its own discovery and session mechanisms.

1600
MCQ · hard

A network engineer runs the following command on Router R1:

```
R1# show ip eigrp topology 10.1.1.0/24
EIGRP-IPv4 Topology Entry for AS(100)/ID(192.168.1.1) for 10.1.1.0/24
  State: Passive, Reply status: 0, Originating router: 192.168.1.1
  Routing Descriptor Blocks:
  0.0.0.0 (Null0), from 0.0.0.0, Send flag: 0x0
      Composite metric: (128256/0), Route is Internal
      Vector metric:
        Minimum bandwidth: 1000000 Kbit
        Total delay: 100 microseconds
        Reliability: 255/255
        Load: 1/255
        Minimum MTU: 1500
        Hop count: 0
  192.168.1.2 (GigabitEthernet0/0), from 192.168.1.2, Send flag: 0x0
      Composite metric: (1310720/128256), Route is Internal
      Vector metric:
        Minimum bandwidth: 1000000 Kbit
        Total delay: 1100 microseconds
        Reliability: 255/255
        Load: 1/255
        Minimum MTU: 1500
        Hop count: 1
```

Based on this output, what can be concluded?

A. The route 10.1.1.0/24 is learned from neighbor 192.168.1.2 and is the successor.
B. The router has a feasible successor for this route.
C. The route is directly connected on Router R1.
D. The router is in Active state for this route.
Answer: C

The Null0 entry with metric 128256/0 indicates a connected route.

Why this answer

The presence of a Null0 route in the EIGRP topology table with a composite metric of (128256/0) and a hop count of 0 indicates that Router R1 has a directly connected interface on the 10.1.1.0/24 network. EIGRP automatically installs a summary or connected route to Null0 to prevent routing loops, and the metric (128256/0) with hop count 0 confirms it is locally originated, not learned from a neighbor.

Exam trap

Cisco often tests the misconception that a Null0 route in the EIGRP topology table indicates a summary or redistributed route, when in fact it confirms a directly connected network; candidates mistakenly assume the neighbor route must be the successor because it has a next-hop IP address.

How to eliminate wrong answers

Option A is wrong because the route learned from neighbor 192.168.1.2 has a composite metric of (1310720/128256), which is higher than the Null0 route's metric (128256/0); the successor is the best path, which is the directly connected Null0 route, not the neighbor route. Option B is wrong because a feasible successor requires a reported distance (RD) less than the feasible distance (FD) of the successor; here the only neighbor route has an RD of 128256, which is equal to the FD of the Null0 route (128256), so it does not meet the feasibility condition (RD < FD). Option D is wrong because the output shows 'State: Passive', meaning the router is not performing Diffusing Update Algorithm (DUAL) computations for this route; an Active state would indicate the router is actively querying neighbors for a lost route.

1601
Multi-Select · medium

Which two statements about using Python for configuration management and templating in network automation are true? (Choose two.)

Select 2 answers
A. Jinja2 templates allow the use of variables and control structures like loops and conditionals to generate network device configurations.
B. A Python script can load a Jinja2 template, render it with device-specific data, and push the resulting configuration to a network device.
C. Jinja2 can be used to execute CLI commands on network devices directly from within the template.
D. Jinja2 is a Python library used for parsing YAML files.
E. Python cannot be used to generate configuration files because it lacks templating capabilities.
Answers: A, B

Correct because Jinja2 is a powerful templating engine that supports variables, for loops, if statements, and filters, making it ideal for generating dynamic configurations.

Why this answer

The correct answers focus on Jinja2 templating and its integration with Python. The incorrect options either misstate Jinja2's capabilities (it does not execute commands), misidentify the library for YAML parsing (PyYAML, not Jinja2), or incorrectly claim that Python cannot be used for configuration generation (it can, via templates).

1602
Matching · medium

Drag and drop each BGP community on the left to its standard behavior on the right.

Matches

Do not advertise to any eBGP peer outside the AS

Do not advertise to any peer (eBGP or iBGP)

Do not advertise outside the local confederation

Do not advertise to any eBGP peer

Graceful shutdown of the route

Why these pairings

NO_EXPORT prevents advertisement outside the AS; NO_ADVERTISE prevents advertisement to any peer; LOCAL_AS prevents advertisement outside the local confederation; NO_PEER prevents advertisement to any eBGP peer; GSHUT signals graceful shutdown.

1603
MCQ · medium

Given the following configuration on a Cisco IOS-XE device:

```
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip ospf cost 10
!
interface GigabitEthernet0/1
 ip address 10.2.2.1 255.255.255.0
!
```

Which statement is true about OSPF operation?

A. Both interfaces will have an OSPF cost of 10.
B. GigabitEthernet0/0 will have an OSPF cost of 10, and GigabitEthernet0/1 will have a default cost based on its bandwidth.
C. Both interfaces will have the same OSPF cost because they are in the same area.
D. OSPF will not run on either interface because the network command uses a wildcard mask of 0.255.255.255.
Answer: B

Correct. The explicit cost applies only to the interface it is configured on. The other interface uses the default cost.

Why this answer

The 'ip ospf cost' command overrides the default cost calculation based on bandwidth. The network command matches both interfaces because they fall under 10.0.0.0/8.

1604
MCQ · medium

A network engineer writes the following Python script to collect telemetry data from a Cisco IOS-XE device using NETCONF:

```python
from ncclient import manager

m = manager.connect(
    host='192.168.1.1',
    port=830,
    username='admin',
    password='cisco',
    hostkey_verify=False
)

filter = '''
<filter xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <interfaces xmlns="http://openconfig.net/yang/interfaces">
    <interface>
      <name>GigabitEthernet1</name>
    </interface>
  </interfaces>
</filter>
'''

reply = m.get(filter=('subtree', filter))
print(reply.xml)
m.close_session()
```

What is the issue with this code?

A. The filter is passed as a string instead of a tuple with filter type.
B. The hostkey_verify=False is insecure and should be set to True.
C. The interface name should be 'GigabitEthernet0/0' to match Cisco naming.
D. The filter XML uses the wrong namespace for interfaces.
Answer: A

ncclient requires filter=('subtree', filter_xml) to specify the filter type.

Why this answer

The filter is passed as a string but the ncclient library expects a tuple with the filter type and the filter content. The correct syntax is filter=('subtree', filter_string). The code passes a single string, which will cause a TypeError.

1605
MCQ · medium

A network engineer runs the following command on a Cisco WLC:

```
WLC# show ap rf-profile summary
RF-Profile Name: default-rf-profile
Description: Default RF Profile
Band: 2.4 GHz
Channel Width: 20 MHz
Data Rates: 1,2,5.5,11,6,9,12,18,24,36,48,54 Mbps
Power Level: 1 (max)

RF-Profile Name: low-power
Description: Low Power Profile
Band: 2.4 GHz
Channel Width: 20 MHz
Data Rates: 1,2,5.5,11,6,9,12,18,24,36,48,54 Mbps
Power Level: 5
```

Based on this output, what can be concluded?

A. The low-power profile reduces the transmit power of the AP.
B. The default profile uses 40 MHz channels.
C. The low-power profile disables all data rates below 12 Mbps.
D. The low-power profile is for 5 GHz band.
Answer: A

Power level 5 is lower than level 1, so the AP transmits at lower power.

Why this answer

Both profiles use 2.4 GHz and 20 MHz channels. The low-power profile uses a higher power level number (5) which typically means lower power (since power level is inversely related to power output on Cisco APs). The default profile uses power level 1 (max power).

1606
MCQ · medium

An enterprise is migrating its data center to a leaf-spine architecture to support high east-west traffic between servers. The design must provide non-blocking forwarding and allow for easy scaling by adding more spines. Which characteristic is essential for the spine switches in this design?

A. Spine switches must run Spanning Tree Protocol (STP) to prevent loops
B. Spine switches must support high port density and high forwarding capacity, and act as Layer 3 routers
C. Spine switches must be connected to each other to provide redundancy
D. Spine switches must perform NAT to translate between VLANs
Answer: B

Spine switches are the backbone, forwarding traffic between leaf switches using Layer 3 routing and ECMP for load balancing.

Why this answer

In a leaf-spine architecture designed for non-blocking forwarding and high east-west traffic, spine switches must act as Layer 3 routers with high port density and forwarding capacity. This allows them to perform Equal-Cost Multi-Path (ECMP) routing, which distributes traffic across all available uplinks without blocking, ensuring that any leaf can reach any other leaf with predictable latency and full bandwidth utilization.

Exam trap

Cisco often tests the misconception that STP is needed in all redundant switch designs, but in a Layer 3 leaf-spine architecture, STP is not used because routing protocols inherently prevent loops and allow all links to be active.

How to eliminate wrong answers

Option A is wrong because Spanning Tree Protocol (STP) is a Layer 2 loop-prevention mechanism that actively blocks redundant links, which would defeat the purpose of a non-blocking leaf-spine design where all links must be active and forwarding. Option C is wrong because spine switches are never directly connected to each other in a valid leaf-spine topology; doing so would create a Layer 3 routing loop or a Layer 2 loop, and redundancy is achieved by having multiple spine switches, not by interconnecting them. Option D is wrong because NAT is used for translating between private and public IP addresses, not for inter-VLAN routing; in a leaf-spine design, inter-VLAN routing is performed by the spine switches using Layer 3 forwarding (e.g., OSPF or BGP), not NAT.

1607
MCQeasy

An engineer is configuring a new VLAN 100 on a switch. Which command must be used to create the VLAN?

A.vlan 100
B.switchport access vlan 100
C.vlan database
D.interface vlan 100
AnswerA

This creates VLAN 100.

Why this answer

The correct command to create a new VLAN on a Cisco IOS switch is 'vlan 100' entered in global configuration mode. This command creates VLAN 100 and enters VLAN configuration mode, allowing you to assign a name or other parameters. The other options either apply an existing VLAN to an interface, use a deprecated method, or create a switched virtual interface (SVI) for Layer 3 routing, none of which actually create the VLAN itself.

Exam trap

Cisco often tests the distinction between creating a VLAN and applying it to an interface, so candidates mistakenly choose 'switchport access vlan 100' thinking it both creates and assigns the VLAN, when in fact it only assigns an existing VLAN.

How to eliminate wrong answers

Option B is wrong because 'switchport access vlan 100' assigns an interface to VLAN 100, but it does not create the VLAN; if VLAN 100 does not exist, the command may fail or the interface will be in an inactive state. Option C is wrong because 'vlan database' is a legacy, deprecated command from older Catalyst OS (CatOS) and is not used in modern IOS-based switches; it does not create VLANs in the running configuration. Option D is wrong because 'interface vlan 100' creates a Layer 3 switched virtual interface (SVI) for routing, but it does not create the VLAN itself; the VLAN must already exist or be created separately before the SVI can be used.

1608
MCQmedium

A network administrator issues the following command on a Cisco switch:

```
Switch# show aaa servers
RADIUS: id 1, priority 1, host 192.168.1.10, auth-port 1812, acct-port 1813
State: current UP, duration 3600s, previous duration 0s
Dead: total 0, retransmit 0
RADIUS: id 2, priority 2, host 192.168.1.20, auth-port 1812, acct-port 1813
State: current UP, duration 100s, previous duration 300s
Dead: total 3, retransmit 2
```

Based on this output, what can be concluded?

A.Both RADIUS servers are currently unreachable.
B.Server 192.168.1.20 has a history of failures.
C.Server 192.168.1.10 is the backup server.
D.TACACS+ is also configured on these servers.
AnswerB

The dead total of 3 and retransmit count of 2 indicate previous failures.

Why this answer

The output shows two RADIUS servers. Server 192.168.1.10 has been up for 3600 seconds with no dead events. Server 192.168.1.20 has been up for only 100 seconds, has experienced 3 dead events and 2 retransmissions, indicating it has been unreliable.

The 'previous duration' of 300s for server 2 suggests it was previously up for 300s before going dead.

1609
Drag & Dropmedium

Drag and drop the WLC high availability SSO failover steps into the correct order, from first to last.

Why this order

In HA SSO, the active WLC fails, the standby detects the failure via RP link, takes over the active role, reinitializes interfaces, and then clients reassociate to the new active WLC.

1610
Multi-Selectmedium

Which two statements about virtual machine migration (vMotion/VMware) or live migration (Hyper-V) are true? (Choose two.)

Select 2 answers
A.During live migration, the virtual machine must be powered off to transfer memory contents.
B.Live migration copies the memory state of the VM from the source host to the destination host while the VM continues to run.
C.Live migration requires that both source and destination hosts use the same shared storage for the VM's virtual disks.
D.Both source and destination hosts must have compatible CPU feature sets to ensure the VM does not encounter instruction errors after migration.
E.After a live migration, the virtual machine's IP address changes to match the new network segment.
AnswersB, D

Correct because the hypervisor iteratively copies memory pages to the destination with minimal downtime.

Why this answer

Live migration moves a running VM between hosts with minimal downtime. Option B is correct because live migration typically copies memory pages iteratively while the VM runs. Option D is correct because both the source and destination hosts must have compatible CPU features (e.g., same CPU family or Enhanced vMotion Compatibility).

Option A is incorrect because the VM must remain powered on during live migration. Option C is incorrect because shared storage is often used but not mandatory; storage vMotion can migrate without shared storage. Option E is incorrect because the VM retains its IP address and network state after migration.

1611
Drag & Dropmedium

Drag and drop the steps of the NAT overload (PAT) packet translation process into the correct order, from first to last.

Why this order

The PAT process begins with a host sending a packet with a private source IP and port. The router creates a NAT entry mapping the private address and port to the outside global address and a unique port. It then translates the source IP and port in the packet.

When the reply arrives, the router looks up the NAT table to find the original mapping. Finally, it translates the destination back to the private IP and port and forwards the packet to the host.

1612
MCQhard

A network engineer uses the following Python code to subscribe to telemetry data from a Cisco IOS-XE device via NETCONF using the YANG module 'Cisco-IOS-XE-mdt-oper':

```python
from ncclient import manager

m = manager.connect(
    host='192.168.1.1',
    port=830,
    username='admin',
    password='cisco',
    hostkey_verify=False
)

# Create a telemetry subscription
subscription = '''
<config>
  <mdt-config-data xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-mdt-cfg">
    <mdt-subscription>
      <subscription-id>400</subscription-id>
      <base>
        <stream>yang-push</stream>
        <encoding>encode-kvgpb</encoding>
        <period>5000</period>
        <xpath>/interfaces/interface/state/counters</xpath>
      </base>
      <mdt-receivers>
        <address>10.1.1.100</address>
        <port>50051</port>
        <protocol>grpc-tcp</protocol>
      </mdt-receivers>
    </mdt-subscription>
  </mdt-config-data>
</config>
'''

reply = m.edit_config(target='running', config=subscription)
print(reply.xml)
m.close_session()
```

What is the issue with this code?

A.The code uses target='running' which may not be writable; it should use target='candidate' and then commit.
B.The XML namespace is incorrect; it should be 'http://cisco.com/ns/yang/Cisco-IOS-XE-mdt-oper'.
C.The xpath is invalid; it should be '/interfaces/interface/state/counters'.
D.The subscription-id should be a string, not an integer.
AnswerA

IOS-XE NETCONF typically requires candidate configuration and commit.

Why this answer

The NETCONF edit-config operation with target='running' is used to directly modify the running configuration. However, on many Cisco IOS-XE devices, the running configuration is not directly writable via NETCONF; you must use target='candidate' and then commit. Additionally, the XML namespace for mdt-config-data may be incorrect; the correct namespace is 'http://cisco.com/ns/yang/Cisco-IOS-XE-mdt-cfg' but the module name is 'Cisco-IOS-XE-mdt-cfg'.

However, the primary issue is that the code uses target='running' instead of target='candidate' and a separate commit operation.

1613
MCQhard

An enterprise network is experiencing high CPU utilization on the distribution layer switches. The design uses VLANs with SVIs for inter-VLAN routing, and HSRP for first-hop redundancy. The engineer notices that the standby switch is also experiencing high CPU. What is the most likely cause?

A.The standby switch is processing HSRP hellos for all VLANs, causing CPU spikes.
B.The standby switch is forwarding all broadcast traffic due to a misconfigured STP root.
C.The standby switch is performing routing for all VLANs because the active switch failed.
D.The standby switch is processing VTP updates from the distribution layer.
AnswerA

Correct because HSRP hellos are sent every 3 seconds per group; with many VLANs (e.g., 500), the CPU must process all hellos, leading to high utilization.

Why this answer

In an HSRP setup, both the active and standby routers process incoming Hello messages for every VLAN on which HSRP is configured. Even though the standby switch does not forward inter-VLAN traffic, it must still receive and process periodic HSRP hellos (default every 3 seconds) to maintain its role and detect active failures. With a large number of VLANs, the cumulative CPU overhead from processing these hellos can cause high utilization on both switches.

Exam trap

Cisco often tests the misconception that the standby switch is idle or only processes traffic during failover, when in reality it must continuously process HSRP hellos for every configured group, which can become a significant CPU burden in large VLAN deployments.

How to eliminate wrong answers

Option B is wrong because broadcast traffic is forwarded based on the VLAN's STP topology, not the HSRP role; a misconfigured STP root could cause suboptimal forwarding but would not specifically cause high CPU on the standby switch. Option C is wrong because if the active switch had failed, the standby would transition to active and begin routing, but the question states both switches are experiencing high CPU simultaneously, not that a failover occurred. Option D is wrong because VTP updates are processed by all switches in the same VTP domain regardless of HSRP state, and VTP processing is typically minimal unless large topology changes occur; it would not selectively cause high CPU on the standby.

1614
Matchingmedium

Drag and drop each Cisco security feature on the left to its matching OSI layer on the right.

Concepts
Matches

Layer 2

Layer 3

Layer 4

Layer 7

Layer 2

Why these pairings

Port security operates at Layer 2, ACLs at Layer 3, firewall at Layer 4, IPS at Layer 7, and 802.1X at Layer 2.

1615
Multi-Selecteasy

Which two statements about VRF-lite configuration are true? (Choose two.)

Select 2 answers
A.In VRF-lite, each VRF maintains its own independent routing table.
B.Interfaces are assigned to a VRF using the 'ip vrf forwarding' command under interface configuration.
C.VRF-lite requires MPLS enabled on all interfaces.
D.VRF-lite can only use static routes for inter-VRF communication.
E.A router can have at most two VRFs configured.
AnswersA, B

Correct because the core concept of VRF-lite is per-VRF routing tables for path isolation.

Why this answer

VRF-lite provides path isolation on a single router without MPLS. The correct answers describe that VRF-lite uses separate routing tables and that interfaces are assigned to VRFs. The incorrect options wrongly claim that VRF-lite requires MPLS or that it supports only static routing.

1616
Matchingmedium

Drag and drop each YANG statement on the left to its matching function on the right.

Concepts
Matches

Groups related nodes into a subtree

Defines a single scalar value node

Defines a sequence of entries with keys

Defines an array of scalar values

Defines a derived type from an existing base type

Why these pairings

In YANG, container groups related nodes, leaf holds a single scalar value, list defines a sequence of entries, leaf-list is an array of scalar values, and typedef defines a derived type.

1617
MCQhard

A network engineer is configuring a GETVPN solution for a large enterprise with many remote sites. The engineer wants to ensure that all traffic between sites is encrypted using a common group key. The key server (KS) is a Cisco ASR 1000. After configuration, the group members (GMs) can register with the KS, but traffic between GMs is not encrypted. The engineer checks the KS configuration and sees that the crypto gdoi group has been defined with a transform set and a security association. What is the most likely missing configuration?

A.The KS is missing an access list to define the traffic to encrypt.
B.The group name on the GMs does not match the KS.
C.The KS is not configured with an IPsec profile.
D.The GMs are in different IP subnets than the KS.
AnswerA

Correct because the traffic selector is required for GETVPN policy.

Why this answer

In GETVPN, the KS must define a traffic selector (access list) that specifies which traffic to encrypt. Without a proper access list, the KS will not send the policy to the GMs, and traffic will pass in the clear. Option A is correct because the access list is missing.

Option B is incorrect because the group name is not the issue. Option C is incorrect because the KS does not need an IPsec profile. Option D is incorrect because GMs can be in different subnets.

1618
Multi-Selecthard

Which three statements about encoding formats in model-driven telemetry are true? (Choose three.)

Select 3 answers
A.Google Protocol Buffers (GPB) provide a compact, binary encoding that reduces bandwidth usage.
B.JSON encoding is human-readable and supported by both gRPC and RESTCONF telemetry.
C.XML encoding is verbose but is the default for NETCONF-based telemetry subscriptions.
D.YANG defines the encoding format for telemetry data.
E.CBOR is a binary encoding format used exclusively in Cisco IOS-XE telemetry.
AnswersA, B, C

Correct because GPB is efficient and commonly used in high-performance telemetry.

Why this answer

GPB is compact and efficient, often used with gRPC. JSON is human-readable and widely supported. XML is verbose but used in NETCONF.

YANG does not define encoding; it defines data models. CBOR is not commonly used in Cisco telemetry.

1619
MCQmedium

A network engineer runs the following command on Router R5:

```
R5# show ip ospf border-routers
OSPF Process 1 internal Routing Table
Codes: i - Intra-area route, I - Inter-area route
i 1.1.1.1 [110/10] via 192.168.1.1, GigabitEthernet0/0, ABR, Area 0, SPF 5
i 2.2.2.2 [110/20] via 192.168.1.2, GigabitEthernet0/0, ASBR, Area 0, SPF 5
```

Based on this output, what can be concluded?

A.Router 1.1.1.1 connects area 0 to another OSPF area.
B.Router 2.2.2.2 is an Area Border Router.
C.Router 1.1.1.1 is redistributing external routes into OSPF.
D.The route to 2.2.2.2 is an inter-area route.
AnswerA

ABR indicates it connects multiple areas.

Why this answer

The output shows an entry for 1.1.1.1 with the label 'ABR' (Area Border Router) and a route type of 'i' (intra-area). An ABR connects two or more OSPF areas, so Router 1.1.1.1 must be connecting Area 0 to another OSPF area. The metric [110/10] and next-hop 192.168.1.1 confirm it is reachable within Area 0.

Exam trap

Cisco often tests the distinction between ABR and ASBR roles in the 'show ip ospf border-routers' output, where candidates mistakenly assume any border router is an ABR or confuse the 'i' and 'I' route codes.

How to eliminate wrong answers

Option B is wrong because the output explicitly labels 2.2.2.2 as 'ASBR' (Autonomous System Boundary Router), not ABR; an ASBR redistributes external routes into OSPF, it does not connect areas. Option C is wrong because 1.1.1.1 is labeled 'ABR', not 'ASBR'; only an ASBR redistributes external routes into OSPF. Option D is wrong because the route to 2.2.2.2 is marked with 'i' (intra-area), not 'I' (inter-area); inter-area routes are denoted by a capital 'I' in the OSPF routing table.

1620
Drag & Dropmedium

Drag and drop the WLC high availability SSO failover steps into the correct order, from first to last.

Why this order

In WLC SSO HA, the active WLC fails, triggering the standby to take over. The standby detects the failure via loss of heartbeat and link state. It then assumes the active role, reinitializing interfaces and applying the synchronized configuration.

The standby (now active) sends gratuitous ARP to update the network. Finally, client sessions and CAPWAP tunnels are re-established with the new active WLC.

1621
Multi-Selectmedium

Which two statements about OSPF network types are true? (Choose two.)

Select 2 answers
A.The point-to-point network type does not require a DR/BDR election.
B.The broadcast network type uses a DR/BDR to reduce the number of adjacencies.
C.The NBMA network type automatically discovers neighbors via hello packets.
D.The point-to-multipoint network type requires a DR/BDR election.
E.The loopback interface defaults to the point-to-point network type.
AnswersA, B

Correct because in point-to-point networks, there are only two routers, so no DR/BDR is needed.

Why this answer

Option A is correct because the point-to-point network type does not require a DR/BDR election. Option B is correct because the broadcast network type uses a DR/BDR to reduce adjacencies and LSAs. Option C is incorrect because NBMA networks require manual neighbor configuration.

Option D is incorrect because the point-to-multipoint network type does not require a DR/BDR. Option E is incorrect because the loopback interface defaults to the loopback network type, not point-to-point.

1622
Drag & Dropmedium

Drag and drop the steps of IGMPv3 membership report processing into the correct order, from first to last.

Why this order

IGMPv3 allows hosts to specify source filtering. The host sends a Membership Report with group and source list. The switch/router receives the report and updates its multicast forwarding table.

It adds the group and includes the requested sources. It then forwards multicast traffic from those sources to the host's port. The router periodically sends General Queries to maintain membership.

1623
MCQhard

A network engineer runs the following command on Switch SW3:

```
SW3# show monitor session 3
Session 3
---------
Type : Remote Destination Session
Source RSPAN VLAN : 100
Destination Ports : Gi1/0/15
Encapsulation : Native
Ingress : Disabled
```

Based on this output, what can be concluded?

A.This switch receives mirrored traffic from the RSPAN VLAN and sends it to Gi1/0/15.
B.This is a local SPAN session with source VLAN 100.
C.The RSPAN VLAN 100 is used to send traffic to a remote switch.
D.Ingress traffic on Gi1/0/15 is forwarded to the RSPAN VLAN.
AnswerA

The type 'Remote Destination Session' and source RSPAN VLAN indicate this.

Why this answer

The session type is Remote Destination Session, which is the destination switch in an RSPAN setup. The source is an RSPAN VLAN (100), and the destination port Gi1/0/15 is used to monitor traffic from that VLAN. The destination port has Native encapsulation and ingress disabled, meaning it only sends out the mirrored traffic from the RSPAN VLAN.

1624
Matchingmedium

Drag and drop each SNMP operation on the left to its matching direction on the right.

Concepts
Matches

Manager requests a specific variable from agent

Manager requests the next variable in a MIB tree

Manager requests a large block of data efficiently

Manager modifies a variable on the agent

Agent sends unsolicited notification to manager

Why these pairings

GET, GETNEXT, GETBULK, and SET are initiated by the manager; TRAP and INFORM are initiated by the agent.

1625
Multi-Selecthard

Which three statements about MPLS forwarding are true? (Choose three.)

Select 3 answers
A.MPLS forwarding uses the Label Forwarding Information Base (LFIB) to make forwarding decisions.
B.The LFIB is populated by label distribution protocols such as LDP.
C.The LIB stores all labels learned from LDP neighbors, but the LFIB is used for actual forwarding.
D.MPLS forwarding uses the Forwarding Information Base (FIB) for label lookups.
E.MPLS forwarding uses the Routing Information Base (RIB) to determine the next hop.
AnswersA, B, C

Correct because the LFIB is the table used for MPLS label switching.

Why this answer

MPLS forwarding is based on a label lookup in the LFIB (Label Forwarding Information Base). The LFIB is populated by label distribution protocols such as LDP or RSVP-TE. The FIB (Forwarding Information Base) is used for IP forwarding, not MPLS.

The LIB (Label Information Base) stores all labels learned from neighbors, but the LFIB is used for actual forwarding decisions. Option D is incorrect because the FIB is not used for MPLS forwarding. Option E is incorrect because the RIB (Routing Information Base) is used for IP routing, not MPLS label switching.

1626
MCQmedium

Examine the following configuration on a Cisco IOS-XE switch:

```
interface GigabitEthernet0/5
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
```

What is the effect of the 'switchport nonegotiate' command?

A.The interface will not send DTP frames, but will still respond to incoming DTP frames.
B.The interface will not send or process DTP frames, and remains a trunk.
C.The interface will revert to an access port.
D.The interface will negotiate trunking using ISL instead of DTP.
AnswerB

Correct. DTP is completely disabled, and the static trunk configuration remains.

Why this answer

The 'switchport nonegotiate' command disables Dynamic Trunking Protocol (DTP) on the interface. When configured on a trunk port, the interface will neither send nor process any DTP frames, ensuring the port remains in trunk mode regardless of the neighbor's DTP configuration. This is commonly used when connecting to non-Cisco devices that do not support DTP, or to prevent unwanted trunk negotiation.

Exam trap

Cisco often tests the misconception that 'switchport nonegotiate' only stops sending DTP frames but still allows the interface to respond to them, when in fact it disables all DTP processing, both sending and receiving.

How to eliminate wrong answers

Option A is wrong because 'switchport nonegotiate' prevents the interface from both sending and processing DTP frames; it does not allow the interface to respond to incoming DTP frames. Option C is wrong because the interface does not revert to an access port; it remains a trunk as explicitly configured with 'switchport mode trunk'. Option D is wrong because DTP is used to negotiate either ISL or 802.1Q trunking, but 'switchport nonegotiate' disables DTP entirely, not switches to ISL negotiation.

1627
MCQhard

An engineer is troubleshooting an EIGRP issue where a router is not learning a specific route from a neighbor. The engineer runs 'show ip eigrp topology all-links' and sees the route in the topology table with a feasible distance of 100 and a reported distance of 120. The neighbor's advertised distance is 80. The router's own computed distance to the network is 150. The route is not in the routing table. What is the most likely cause?

A.The route is a feasible successor, but the successor route is not present.
B.The route is not installed because the reported distance (80) from the neighbor is less than the feasible distance (100), but the router's computed distance (150) is higher.
C.The route is not installed because the feasible distance (100) is not the best metric; the router has another route with a lower metric.
D.The route is not installed because EIGRP is configured for stub routing, which prevents learning routes.
AnswerC

Correct. The feasible distance is 100, but if there is another route with a lower metric (e.g., 90), that route would be the successor and installed. The route with FD 100 would not be installed. The scenario implies the route is not the best.

Why this answer

Option C is correct because EIGRP installs the route with the best feasible distance (FD) into the routing table. The router's computed distance of 150 is lower than the feasible distance of 100, meaning the router has a better path (FD 100) already in the topology table. Since the route is not in the routing table, the router must have another route with a lower metric (FD 100) that is already installed, and the route with FD 150 is not selected as the successor.

Exam trap

Cisco often tests the distinction between the feasible distance (FD) and the computed distance (also called the metric) — candidates confuse the reported distance (RD) with the router's own computed distance, thinking that a lower RD automatically means the route is installed, but EIGRP installs only the route with the lowest FD, not the lowest RD.

How to eliminate wrong answers

Option A is wrong because a feasible successor is a backup route that meets the feasibility condition (reported distance < feasible distance), but the route is not installed as a feasible successor if the successor route is present; the issue is that the route is not in the routing table, not that the successor is missing. Option B is wrong because the reported distance (80) from the neighbor is less than the feasible distance (100), which actually satisfies the feasibility condition, but the router's computed distance (150) being higher than the FD (100) means this route is not the best path; the route is not installed because the router has a better path (FD 100), not because of the reported distance comparison. Option D is wrong because stub routing prevents the router from learning routes from neighbors, but the router is learning the route (it appears in the topology table), so stub routing is not the cause; the issue is about route selection, not route learning.

1628
Drag & Dropmedium

Drag and drop the steps of configuring LLQ (Low Latency Queuing) on a Cisco router into the correct order, from first to last.

Why this order

LLQ requires first classifying traffic, then assigning it to a priority queue in a policy map, applying bandwidth/queue-limit, attaching the policy to an interface, and finally verifying queue statistics.

1629
Drag & Dropmedium

Drag and drop the steps of VLAN mapping on trunk interfaces into the correct order, from first to last.

Why this order

VLAN mapping requires first enabling the feature globally, then configuring the trunk interface, mapping the VLANs, and finally verifying the translation. The order ensures proper translation between customer and service provider VLANs.

1630
Multi-Selecthard

Which three statements about OSPF area types are correct? (Choose three.)

Select 3 answers
A.A stub area blocks Type 5 AS External LSAs but allows Type 3 Summary LSAs and a default route.
B.A totally stubby area blocks both Type 5 and Type 3 LSAs, injecting only a default route into the area.
C.A not-so-stubby-area (NSSA) allows Type 5 LSAs to be imported from external networks.
D.A standard area can contain Type 1, 2, 3, 4, and 5 LSAs.
E.A totally NSSA blocks Type 3 LSAs but allows Type 5 LSAs from external sources.
AnswersA, B, D

Correct because stub areas are designed to reduce the LSDB by preventing Type 5 LSAs, while still receiving inter-area routes via Type 3 and a default route.

Why this answer

OSPF area types control the propagation of LSAs. A standard area can carry all LSA types. A stub area blocks Type 5 LSAs but allows Type 3.

A totally stubby area blocks both Type 5 and Type 3 (except a default route). A not-so-stubby-area (NSSA) blocks Type 5 but allows Type 7 for external routes. A totally NSSA further blocks Type 3.

1631
Drag & Dropmedium

Drag and drop the steps to configure an extended access control list (ACL) on a Cisco router in the correct order.

Why this order

Extended ACLs filter based on source/destination IP, protocol, and port; must be applied to an interface.

1632
MCQmedium

A network engineer is configuring 802.1X on a Cisco switch for a voice VLAN deployment. The switchport is connected to an IP phone, which then connects to a PC. The engineer configures the interface with 'authentication port-control auto', 'dot1x pae authenticator', and 'switchport voice vlan 10'. The PC authenticates successfully, but the IP phone does not get an IP address from the voice VLAN. The engineer verifies that the phone is configured for 802.1X and the RADIUS server is correct. What is the most likely cause?

A.The IP phone does not support 802.1X and is not configured for MAB.
B.The switchport is missing 'switchport mode access' command.
C.The RADIUS server is not sending the voice VLAN ID in the Access-Accept.
D.The PC is using the voice VLAN instead of the data VLAN.
AnswerA

Correct because the phone must authenticate to be placed in the voice VLAN; if it fails, it may not get the voice VLAN.

Why this answer

In a voice VLAN deployment, the switch must be configured to authenticate the phone separately from the PC. The phone typically uses 802.1X or MAB. If the phone does not authenticate, it may be placed in the data VLAN or denied.

Option C is correct because the phone must authenticate to be placed in the voice VLAN. Option A is incorrect because the phone can use MAB. Option B is incorrect because the voice VLAN is configured.

Option D is incorrect because the PC's authentication does not affect the phone's VLAN.

1633
Matchingmedium

Drag and drop each TACACS+ packet type on the left to its correct function on the right.

Concepts
Matches

Initiates an authentication session from the client to the server

Sent by the server to the client, carrying prompts or authentication results

Sent by the client to the server with the user's response to a prompt

Used for authorization requests and responses

Used for accounting start, stop, and interim records

Why these pairings

TACACS+ uses START to initiate authentication, REPLY to respond with prompts or success/failure, CONTINUE to send user responses, and also has special types for authorization and accounting.

1634
MCQ · medium

A network engineer is deploying Cisco DNA Center in a large campus network with 5000+ devices. After initial setup, the engineer notices that the Assurance module is not receiving telemetry data from many access switches. The switches are running IOS-XE 16.12 and are reachable via SNMP. What is the most likely cause of this issue?

A. The switches are not configured with NETCONF/YANG or telemetry streaming.
B. The DNA Center appliance is not licensed for the Assurance module.
C. The switches are not running the correct IOS-XE version for DNA Center compatibility.
D. The SNMP community string is incorrect on the switches.
Answer: A

Correct because Assurance requires telemetry streaming (e.g., model-driven telemetry) from devices; SNMP alone is insufficient.

Why this answer

Cisco DNA Center Assurance relies on telemetry data collected via NETCONF/YANG or gRPC, not just SNMP. If the switches are not configured for telemetry, Assurance will not receive the necessary data. SNMP is used for inventory and basic monitoring, but not for the rich telemetry required by Assurance.

1635
MCQ · medium

    interface GigabitEthernet0/1
     ip address 10.1.1.1 255.255.255.0
     mpls ip
     mpls label protocol ldp
    !
    router ospf 1
     network 10.1.1.0 0.0.0.255 area 0
    !
    router ldp
     interface GigabitEthernet0/1
    !

What is the effect of this configuration?

A. MPLS forwarding is enabled on GigabitEthernet0/1, and LDP will distribute labels for all routes in the routing table.
B. Only OSPF routes are labeled; static routes are excluded from LDP label distribution.
C. The 'mpls label protocol ldp' command is redundant because LDP is the default.
D. The configuration will fail because 'router ldp' requires an LDP router-id to be set.
Answer: A

Correct. 'mpls ip' enables MPLS forwarding, and LDP with the interface configuration will distribute labels for all routes, including OSPF-learned ones.

Why this answer

The configuration enables MPLS forwarding and LDP on the interface, with OSPF providing IGP reachability. LDP will distribute labels for prefixes learned via OSPF.

1636
Multi-Select · hard

Which three statements about SNMP trap and inform operations are true? (Choose three.)

Select 3 answers
A. Traps are unacknowledged notifications sent from the SNMP agent to the manager.
B. Informs are acknowledged notifications that require a response from the manager.
C. Informs use UDP port 162, the same as traps.
D. Traps are more reliable than informs because they are sent with a higher priority.
E. Informs consume less memory and processing than traps because they do not require state tracking.
Answers: A, B, C

Correct: Traps are unacknowledged; the manager does not send a response.

Why this answer

SNMP traps are unacknowledged messages sent from agent to manager. Informs are acknowledged (confirmed) notifications. Informs require a response from the manager and can be retransmitted if no response is received.

Traps are sent via UDP port 162 by default. Informs also use UDP port 162. Informs consume more memory and processing because they maintain state for acknowledgment.

Traps are less reliable because they are not acknowledged.

1637
MCQ · medium

Based on the exhibit, what is the role of R1 on this OSPF network?

A. Backup Designated Router
B. DROther
C. Regular router
D. Designated Router
Answer: A

R1 is in state BDR.

Why this answer

R1 has a priority of 0, which by OSPF specification (RFC 2328) prevents it from ever becoming the Designated Router (DR) or Backup Designated Router (BDR). However, the exhibit shows R1 is the BDR, which is impossible with priority 0. The correct answer is A because the question likely contains an error or the exhibit shows R1 as BDR despite priority 0, making it the intended correct answer based on the provided exhibit.

Exam trap

Cisco often tests the OSPF priority 0 rule, where candidates mistakenly think a router with priority 0 can still be a BDR, but the exhibit may show an inconsistent scenario to test attention to detail.

How to eliminate wrong answers

Option B (DROther) is wrong because DROther routers have a priority greater than 0 but are not elected as DR or BDR; R1 is shown as BDR, so it cannot be DROther. Option C (Regular router) is wrong because 'regular router' is not an OSPF role; OSPF roles are DR, BDR, or DROther. Option D (Designated Router) is wrong because R1 is explicitly labeled as BDR in the exhibit, not DR.

1638
MCQ · medium

A network engineer runs the following command on Router R7:

    R7# show ip ospf neighbor vrf CUSTOMER-E
    Neighbor ID     Pri   State       Dead Time   Address     Interface
    10.0.0.8        1     FULL/DR     00:00:35    10.0.1.2    GigabitEthernet0/0.500
    10.0.0.9        1     FULL/BDR    00:00:31    10.0.2.2    GigabitEthernet0/0.600

Based on this output, what can be concluded?

A. OSPF is not configured for VRF CUSTOMER-E
B. There is only one OSPF neighbor in VRF CUSTOMER-E
C. OSPF is operating within VRF CUSTOMER-E with two neighbors
D. The DR is 10.0.0.9
Answer: C

Two neighbors are in FULL state, indicating OSPF adjacency.

Why this answer

The command `show ip ospf neighbor vrf CUSTOMER-E` explicitly queries OSPF neighbors within the VRF named CUSTOMER-E. The output shows two neighbors (10.0.0.8 and 10.0.0.9) with states FULL/DR and FULL/BDR, confirming that OSPF is actively operating inside that VRF. Therefore, option C is correct because it accurately states that OSPF is operating within VRF CUSTOMER-E with two neighbors.

Exam trap

Cisco often tests the misconception that the DR is always the neighbor with the highest IP address or the first listed, but the DR is explicitly indicated by the state field (FULL/DR), not by the Neighbor ID or IP address.

How to eliminate wrong answers

Option A is wrong because the command successfully returned neighbor details, which would not happen if OSPF were not configured for VRF CUSTOMER-E; a missing OSPF configuration under the VRF would produce an empty output or an error. Option B is wrong because the output clearly lists two neighbors (10.0.0.8 and 10.0.0.9), not one. Option D is wrong because the DR (Designated Router) is identified by the neighbor with state FULL/DR, which is 10.0.0.8, not 10.0.0.9 (the BDR).

1639
MCQ · hard

A network team uses Ansible to automate VLAN configuration on Cisco IOS devices. The playbook fails with the error 'Failed to connect to the host via ssh: Permission denied (publickey)'. The control node runs Ubuntu, and the network devices are configured with SSH key authentication. Which solution should the engineer implement?

A. Set ansible_ssh_private_key_file in the inventory but omit the passphrase
B. Set ansible_user to the correct username in the inventory
C. Run ssh-add on the control node to add the private key to the SSH agent
D. Enable keyboard-interactive authentication on the IOS devices
Answer: C

The SSH agent must have the key loaded for authentication.

Why this answer

The error 'Permission denied (publickey)' indicates that the SSH key is not being presented to the IOS device. Running ssh-add on the control node loads the private key into the SSH agent, which Ansible uses by default when connecting via SSH. This resolves the authentication failure without requiring a passphrase or changing the inventory.

Exam trap

Cisco often tests the misconception that setting inventory variables like ansible_ssh_private_key_file or ansible_user alone fixes SSH key issues, when the real problem is that the key is not loaded into the SSH agent on the control node.

How to eliminate wrong answers

Option A is wrong because setting ansible_ssh_private_key_file without a passphrase does not help if the key is not loaded into the agent or if the key file is encrypted; Ansible will still fail to authenticate if the key is not accessible. Option B is wrong because setting ansible_user to the correct username addresses only the username, not the missing private key authentication; the error is about key-based authentication, not user identity. Option D is wrong because enabling keyboard-interactive authentication on IOS devices would allow password-based methods, but the issue is that the private key is not being presented; keyboard-interactive does not solve the missing key problem and may introduce security risks.

1640
MCQ · medium

An enterprise is deploying Cisco SD-WAN and must ensure that data plane traffic between branch sites is encrypted and authenticated. The design must also allow the use of application-aware routing to steer traffic based on real-time performance metrics. Which component is responsible for establishing and managing the IPsec tunnels between branch routers?

A. vSmart controllers
B. vEdge/cEdge routers
C. vManage
D. vBond
Answer: B

vEdge/cEdge routers are the data plane devices that establish and terminate IPsec tunnels between branches, encrypting traffic and applying application-aware routing.

Why this answer

The vEdge/cEdge routers are the correct answer because they are the SD-WAN edge devices that terminate IPsec tunnels for data plane traffic. In Cisco SD-WAN, the data plane is fully distributed: each vEdge or cEdge router establishes and manages its own IPsec tunnels (using DTLS/TLS for control and IPsec for data) directly with other branch routers. This allows the routers to apply application-aware routing by monitoring real-time performance metrics (e.g., loss, latency, jitter) and steering traffic across the encrypted tunnels accordingly.

Exam trap

Cisco often tests the misconception that vSmart controllers handle all tunnel management, but in SD-WAN, vSmart only distributes policies and OMP routes, while the actual IPsec tunnel establishment and data plane forwarding is a function of the vEdge/cEdge routers.

How to eliminate wrong answers

Option A is wrong because vSmart controllers are responsible for the control plane—they distribute routing policies, OMP routes, and TLOCs to vEdge/cEdge routers, but they do not establish or manage IPsec data plane tunnels. Option C is wrong because vManage is the management and orchestration plane; it provides a GUI for configuration, monitoring, and troubleshooting but does not participate in IPsec tunnel establishment. Option D is wrong because vBond is the orchestrator that handles initial authentication, NAT traversal, and vSmart/vManage discovery; it does not terminate or manage IPsec data plane tunnels.

1641
MCQ · medium

A network engineer issues the following command on Router R9:

    R9# show ip sla configuration 7
    IP SLAs Infrastructure Engine-II
    Entry number: 7
    Owner:
    Tag:
    Type of operation to perform: icmp-echo
    Target address: 192.168.9.10
    Source address: 192.168.9.1
    Type Of Service parameter: 0x0
    Request size (ARR data portion): 28
    Operation timeout (milliseconds): 5000
    Frequency (seconds): 30
    Next Scheduled Start Time: Start Time already passed
    Group Scheduled : FALSE
    Life (seconds): 3600
    Entry Ageout (seconds): never
    Recurring (Starting Everyday, Starting Time: 00:00:01)
    Status of entry (SNMP RowStatus): Active
    Threshold (milliseconds): 5000
    Distribution Statistics:
       Number of statistic hours kept: 2
       Number of statistic distribution buckets kept: 1
       Statistic distribution interval (milliseconds): 20
    Enhanced History:

Based on this output, how long will this IP SLA operation run?

A. Forever
B. 30 seconds
C. 3600 seconds
D. 5000 milliseconds
Answer: C

The life is explicitly 3600 seconds.

Why this answer

The 'Life (seconds): 3600' indicates the operation will run for 3600 seconds (1 hour) before stopping.

1642
Drag & Drop · medium

Drag and drop the steps of IP addressing scheme design and subnetting into the correct order, from first to last.

Why this order

IP addressing design starts with gathering requirements, then choosing a private address space. Subnetting is applied to create subnets, which are assigned to specific network segments, and finally summarized to reduce routing table size.

1643
Drag & Drop · medium

Drag and drop the steps for configuring multiple SPAN source ports with a filter VLAN into the correct order, from first to last.

Why this order

The configuration must first specify the session, then define sources and filter VLAN, and finally activate the session.

1644
MCQ · medium

A network engineer runs the following command on switch SW1:

    SW1# show authentication sessions interface GigabitEthernet1/0/1
    Interface: GigabitEthernet1/0/1
    MAC Address: 0011.2233.4455
    IP Address: 192.168.1.100
    Status: Authz Success
    Domain: DATA
    Oper host mode: multi-auth
    Oper control dir: both
    Session timeout: N/A
    Common Session ID: 0A1B2C3D4E5F6G7H8I9J
    Acct Session ID: 0x0000000A
    Handle: 0x00000001
    Current Method List: mab
    Method: MAB
    State: Authz Success

Based on this output, what can be concluded?

A. The client authenticated using 802.1X with a username and password.
B. The client was authenticated based on its MAC address via MAB.
C. The port is in multi-domain mode, allowing one data and one voice device.
D. The session is for voice traffic because the domain is DATA.
Answer: B

The method is MAB and state is Authz Success, meaning MAC authentication succeeded.

Why this answer

The output shows the session status as 'Authz Success' and the method used is MAB (MAC Authentication Bypass). The host mode is multi-auth, meaning multiple devices can authenticate on the same port. The domain is DATA, indicating the session is for data traffic, not voice.

1645
Multi-Select · easy

Which TWO statements are true about Cisco DNA Center automation? (Choose two.)

Select 2 answers
A. DNA Center primarily uses SNMP to manage devices.
B. DNA Center only supports greenfield deployments.
C. DNA Center uses a declarative model for network configuration.
D. DNA Center provides a single dashboard for network management.
E. DNA Center uses an imperative model for network configuration.
Answers: C, D

DNA Center is declarative.

Why this answer

Option C is correct because Cisco DNA Center uses a declarative model for network configuration. In a declarative model, the administrator specifies the desired end-state of the network (e.g., 'VLAN 10 should exist on all access switches'), and DNA Center's automation engine determines the necessary steps to achieve that state, handling dependencies and ordering automatically. This contrasts with imperative models where each step must be explicitly scripted.

Exam trap

Cisco often tests the distinction between declarative and imperative models, and the trap here is that candidates mistakenly associate DNA Center's automation with imperative scripting (like Python or Ansible playbooks) rather than recognizing its intent-based, declarative nature.

1646
MCQ · medium

Examine the following configuration:

    policy-map QUEUE
     class GOLD
      bandwidth percent 25
      queue-limit 64 packets
     class SILVER
      bandwidth percent 25
      queue-limit 128 packets
     class class-default
      fair-queue
    interface GigabitEthernet0/2
     service-policy output QUEUE

Which statement about this configuration is true?

A. The GOLD class has a smaller queue limit than SILVER, which may cause more packet drops for GOLD traffic under congestion.
B. The SILVER class will always receive more bandwidth than GOLD because of its larger queue limit.
C. The configuration is invalid because 'queue-limit' cannot be used with 'bandwidth percent' in the same class.
D. The 'fair-queue' command in class-default will override the bandwidth allocation for GOLD and SILVER.
Answer: A

Correct. A smaller queue limit means fewer packets can be buffered, increasing the likelihood of drops when the queue is full.

Why this answer

The policy-map allocates 25% of bandwidth to both GOLD and SILVER classes, with queue limits of 64 and 128 packets respectively. The default class uses fair-queue. This configuration is valid and provides differentiated queuing.

1647
MCQ · hard

A network engineer runs the following command on Switch SW2:

    SW2# show spanning-tree vlan 10

    VLAN0010
      Spanning tree enabled protocol ieee
      Root ID    Priority    32778
                 Address     aabb.cc00.0100
                 Cost        19
                 Port        1 (GigabitEthernet0/1)
                 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

      Bridge ID  Priority    32778 (priority 32768 sys-id-ext 10)
                 Address     aabb.cc00.0200
                 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
                 Aging Time 300 sec

    Interface           Role Sts Cost      Prio.Nbr Type
    ------------------- ---- --- --------- -------- --------------------------------
    Gi0/1               Root FWD 19        128.1    P2p
    Gi0/2               Altn BLK 19        128.2    P2p
    Gi0/3               Desg FWD 19        128.3    P2p

Based on this output, what can be concluded?

A. SW2 is the root bridge for VLAN 10.
B. The root bridge for VLAN 10 has MAC address aabb.cc00.0100.
C. Port Gi0/2 is in forwarding state.
D. The STP priority for VLAN 10 is 32768.
Answer: B

The Root ID shows the root bridge's MAC address as aabb.cc00.0100.

Why this answer

The output shows STP details for VLAN 10. The Root ID is aabb.cc00.0100 (priority 32778 = 32768 + 10 for VLAN 10). The local switch (aabb.cc00.0200) has the same priority.

The root port is Gi0/1 (cost 19 to root). Gi0/2 is an alternate port (blocking). Gi0/3 is a designated port (forwarding).

The key conclusion is that the local switch is not the root because it has a root port. Also, the root bridge has the same priority, so the root is determined by lower MAC address (aabb.cc00.0100 < aabb.cc00.0200).

1648
Matching · medium

Drag and drop each hypervisor type on the left to its matching characteristic on the right.

Runs directly on physical hardware without a host OS

Runs on top of an existing operating system

Example of a Type 1 hypervisor

Example of a Type 2 hypervisor

Linux-based Type 1 hypervisor that is part of the kernel

Why these pairings

Type 1 hypervisors run directly on hardware and are common in data centers; Type 2 run on a host OS and are used for desktop virtualization.

1649
Multi-Select · medium

Which two statements about SNMPv3 security models are true? (Choose two.)

Select 2 answers
A. The authNoPriv security model provides authentication but no encryption.
B. The noAuthNoPriv security model uses both a username and a password for authentication.
C. The authPriv security model provides both authentication and encryption.
D. SNMPv3 requires the use of a separate engine ID for each SNMP manager and agent.
E. The authPriv model supports only AES-256 for encryption.
Answers: A, C

Correct: authNoPriv uses an authentication protocol (MD5 or SHA) but does not encrypt the payload.

Why this answer

SNMPv3 provides three security models: noAuthNoPriv (no authentication, no encryption), authNoPriv (authentication but no encryption), and authPriv (authentication and encryption). The authPriv model uses HMAC-MD5 or HMAC-SHA for authentication and CBC-DES or CFB128-AES for encryption. The engine ID is a unique identifier for each SNMP entity and is used to generate the localized key.

1650
MCQ · medium

A network architect is designing QoS for a converged network carrying voice, video, and data. The design must use the DiffServ model and ensure that voice traffic is marked with the highest priority and that video traffic is marked with a lower priority but still above data. Which DSCP markings should be assigned to voice and video traffic, respectively, to comply with the standard Per-Hop Behavior (PHB) definitions?

A. Voice: DSCP 46 (EF); Video: DSCP 34 (AF41)
B. Voice: DSCP 56 (CS7); Video: DSCP 48 (CS6)
C. Voice: DSCP 40 (AF41); Video: DSCP 46 (EF)
D. Voice: DSCP 26 (AF31); Video: DSCP 18 (AF21)
Answer: A

EF (DSCP 46) provides strict priority for voice; AF41 (DSCP 34) provides assured forwarding for video with lower priority than voice.

Why this answer

Option A is correct because the DiffServ model defines specific Per-Hop Behaviors (PHBs) for different traffic types. Voice traffic requires low latency, jitter, and loss, which is best served by the Expedited Forwarding (EF) PHB, assigned DSCP 46. Video traffic, while still delay-sensitive, can tolerate some loss and is typically marked with Assured Forwarding (AF41, DSCP 34), which provides a lower priority queue than EF but higher than best-effort data.

Exam trap

Cisco often tests the specific DSCP values for EF (46) and AF41 (34) and the fact that voice must use EF (not AF or CS) to ensure strict priority queuing, while video uses the highest AF class (AF41) to differentiate it from data without breaking the EF queue.

How to eliminate wrong answers

Option B is wrong because DSCP 56 (CS7) and DSCP 48 (CS6) are Class Selector codepoints used for network control traffic (e.g., routing protocols), not for voice or video; they would starve other traffic and violate the standard PHB definitions. Option C is wrong because it reverses the priority: DSCP 40 (AF41) is for video, not voice, and DSCP 46 (EF) is for voice, not video; this would incorrectly prioritize video over voice. Option D is wrong because DSCP 26 (AF31) and DSCP 18 (AF21) are Assured Forwarding classes with lower drop precedence, typically used for mission-critical data or streaming video, not for real-time voice; they do not provide the strict priority queuing required for voice traffic.
