ENCOR 350-401 (350-401) — Questions 1876–1950

2015 questions total · 27 pages · All types, answers revealed

Page 26 of 27
1876
MCQ · medium

An architect is designing an SD-Access fabric for a campus network that requires segmentation of guest, employee, and IoT traffic. The design must use Cisco TrustSec for policy enforcement. Which component is responsible for assigning the Security Group Tag (SGT) to endpoints upon authentication?

A. Cisco ISE
B. Fabric edge node
C. Fabric control plane node
D. Cisco DNA Center
Answer: A

ISE authenticates endpoints and assigns SGTs, which are then used for policy enforcement in the fabric.

Why this answer

Cisco ISE is the policy decision point in a TrustSec-enabled SD-Access fabric. When an endpoint authenticates via 802.1X, MAB, or web authentication, ISE evaluates the authentication result and the applicable authorization policy, then dynamically assigns a Security Group Tag (SGT) to the endpoint. This SGT is passed to the network access device (e.g., fabric edge node) via RADIUS attributes in the Access-Accept message, enabling consistent policy enforcement throughout the fabric.

Exam trap

Cisco often tests the distinction between the policy decision point (ISE) and the policy enforcement point (fabric edge node), so the trap here is that candidates mistakenly think the fabric edge node assigns the SGT because it applies the tag to packets, but the assignment occurs during authentication by ISE.

How to eliminate wrong answers

Option B is wrong because the fabric edge node is the enforcement point that applies the SGT to traffic based on the tag received from ISE, but it does not assign the SGT itself. Option C is wrong because the fabric control plane node (e.g., LISP map-server) manages endpoint-to-location mappings and handles EID-to-RLOC resolution, not SGT assignment. Option D is wrong because Cisco DNA Center is the management and orchestration platform for the SD-Access fabric; it provisions policies and configurations but does not dynamically assign SGTs during authentication.

1877
Matching · medium

Drag and drop each Netmiko device type on the left to its matching operating system on the right.


Concepts
Matches

Cisco IOS (classic)

Cisco NX-OS

Cisco IOS-XR

Cisco IOS-XE

Arista EOS

Why these pairings

cisco_ios is for classic IOS; cisco_nxos is for NX-OS; cisco_xr is for IOS-XR; cisco_xe is for IOS-XE.

1878
MCQ · medium

Router R1 has the following OSPF configuration:

```
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip ospf 1 area 0
 ip ospf network point-to-point
!
router ospf 1
 router-id 1.1.1.1
 network 10.0.0.0 0.255.255.255 area 0
```

What is the effect of the 'ip ospf network point-to-point' command on this interface?

A. It disables OSPF on the interface.
B. It changes the OSPF network type to point-to-point, eliminating DR/BDR election and reducing hello timer to 10 seconds.
C. It enables OSPF authentication on the interface.
D. It sets the OSPF cost to 1.
Answer: B

Point-to-point network type removes DR/BDR election and uses 10-second hello and 40-second dead timers.

Why this answer

The 'ip ospf network point-to-point' command changes the OSPF network type on the interface from the default (broadcast for Ethernet) to point-to-point. This eliminates the need for a Designated Router (DR) and Backup Designated Router (BDR) election, as point-to-point links have only two neighbors. Additionally, the OSPF hello timer on a point-to-point network defaults to 10 seconds (versus 30 seconds for non-broadcast), and the dead timer is 40 seconds.

Exam trap

Cisco often tests the misconception that 'ip ospf network point-to-point' disables OSPF or changes timers to 30 seconds, when in fact it eliminates DR/BDR and sets hello to 10 seconds.

How to eliminate wrong answers

Option A is wrong because the command does not disable OSPF; it modifies the network type while OSPF remains active. Option C is wrong because OSPF authentication is configured separately using 'ip ospf authentication' or 'ip ospf authentication-key' commands, not by changing the network type. Option D is wrong because the OSPF cost is not set to 1 by this command; cost is derived from interface bandwidth (default 100 Mbps / bandwidth) or manually set with 'ip ospf cost'.

1879
MCQ · medium

Examine the following configuration on a Cisco IOS-XE switch:

```
interface GigabitEthernet1/0/6
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 3
 dot1x max-req 3
 dot1x timeout supp-timeout 10
```

What is the total time the switch will wait for a supplicant to respond before failing authentication?

A. 30 seconds
B. 9 seconds
C. 10 seconds
D. 13 seconds
Answer: B

The switch sends 3 identity requests every 3 seconds, totaling 9 seconds before giving up.

Why this answer

The switch sends up to 'max-req' (3) EAP-Request/Identity packets, each with a 'tx-period' of 3 seconds. The total time is max-req * tx-period = 3 * 3 = 9 seconds. The 'supp-timeout' is for EAP packets after identity, but the initial identity timeout is governed by tx-period.

1880
Drag & Drop · medium

Drag and drop the steps of network documentation and change management workflow into the correct order, from first to last.


Why this order

Change management begins with a request and impact assessment, followed by approval. After implementation, verification ensures success, and finally the documentation is updated to reflect the change.

1881
Drag & Drop · medium

Drag and drop the steps of Cisco IBNS 2.0 policy configuration into the correct order, from first to last.


Why this order

IBNS 2.0 uses a modular policy framework. First, define the authentication template to specify the method (e.g., dot1x, MAB). Second, create the policy map that references the template and defines the behavior.

Third, apply the policy map to the interface. Fourth, enable authentication on the interface. Finally, verify the configuration using show commands.

1882
MCQ · medium

```
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 ip ospf network point-to-multipoint
 ip ospf hello-interval 30
!
router ospf 1
 network 10.0.0.0 0.0.0.3 area 0
```

What is the effect of this configuration?

A. OSPF will use a 30-second hello interval and form adjacencies with all neighbors without DR/BDR election.
B. OSPF will use a 10-second hello interval and elect a DR/BDR.
C. OSPF will use a 30-second hello interval and elect a DR/BDR.
D. OSPF will use a 10-second hello interval and form adjacencies with all neighbors without DR/BDR.
Answer: A

Correct. Point-to-multipoint does not use DR/BDR and uses a 30-second hello interval by default.

Why this answer

The OSPF network type is set to point-to-multipoint, which is used for non-broadcast multi-access networks (like Frame Relay) but can also be used on Ethernet. The default hello interval for point-to-multipoint is 30 seconds, and here it is also explicitly set to 30 seconds, matching the default. This network type does not elect DR/BDR and forms adjacencies with all neighbors.

1883
MCQ · easy

A network engineer runs the following command on Router R1:

```
R1# show bgp ipv4 unicast neighbors 10.0.1.2 advertised-routes
   Network          Next Hop        Metric LocPrf Weight Path
*> 172.16.0.0/16    10.0.1.1             0    100      0 i
*> 172.16.1.0/24    10.0.1.1             0    100      0 i

Total number of prefixes 2
```

Based on this output, what can be concluded?

A. R1 is receiving 2 prefixes from neighbor 10.0.1.2.
B. R1 is advertising 2 prefixes to neighbor 10.0.1.2.
C. Neighbor 10.0.1.2 is advertising these routes to R1.
D. The routes are being advertised with a next hop of 10.0.1.2.
Answer: B

The command explicitly shows routes that R1 advertises to the neighbor. The total is 2 prefixes.

Why this answer

The command 'show bgp ipv4 unicast neighbors 10.0.1.2 advertised-routes' specifically displays the routes that Router R1 is sending to the BGP neighbor at 10.0.1.2. The output shows two prefixes (172.16.0.0/16 and 172.16.1.0/24) with a next hop of 10.0.1.1 (R1's own interface), confirming these are routes R1 is advertising. Therefore, option B is correct.

Exam trap

Cisco often tests the distinction between 'advertised-routes' and 'received-routes' keywords, trapping candidates who confuse which device is the sender versus receiver in the BGP neighbor relationship.

How to eliminate wrong answers

Option A is wrong because the command shows advertised routes, not received routes; to see received routes, one would use 'show bgp ipv4 unicast neighbors 10.0.1.2 received-routes'. Option C is wrong because the output indicates R1 is the advertiser, not the neighbor; the neighbor 10.0.1.2 is the recipient of these routes. Option D is wrong because the next hop in the output is 10.0.1.1 (R1's own address), not 10.0.1.2, which would be the case if R1 were receiving routes from the neighbor.

1884
Drag & Drop · medium

Drag and drop the steps of EIGRP redistribution from OSPF with metric seeding into the correct order, from first to last.


Why this order

First, the EIGRP routing process must be entered. Then, the redistribute command is used with the OSPF process and a metric. Optionally, route-map filtering can be applied.

Finally, verification ensures routes appear in the EIGRP topology table.

1885
Drag & Drop · medium

Drag and drop the steps of IPv6 ACL configuration and application into the correct order, from first to last.


Why this order

The correct order is: create the ACL with deny/permit entries, apply it inbound on an interface, then verify with show commands. This follows standard Cisco IOS ACL configuration workflow.

1886
MCQ · medium

Which QoS mechanism is used to prevent head-of-line blocking by ensuring that a single queue does not consume all available buffer space?

A. Policing
B. Shaping
C. Weighted Random Early Detection (WRED)
D. Priority Queuing
Answer: C

Correct. WRED drops packets randomly based on queue depth to avoid congestion and head-of-line blocking.

Why this answer

Congestion avoidance mechanisms like Weighted Random Early Detection (WRED) proactively drop packets before queues become full, preventing tail drops and head-of-line blocking.

1887
MCQ · easy

What is the default SNMP trap port number?

A. UDP 161
B. UDP 162
C. TCP 161
D. TCP 162
Answer: B

UDP 162 is the standard port for SNMP traps and informs.

Why this answer

The default UDP port for SNMP traps is 162, as defined by IANA.

1888
MCQ · medium

A network engineer runs the following command on Router R5:

```
R5# show ip interface brief | include VRF
Interface                IP-Address   OK? Method Status Protocol
GigabitEthernet0/0.100   10.0.0.1     YES NVRAM  up     up
GigabitEthernet0/0.200   10.0.1.1     YES NVRAM  up     up
GigabitEthernet0/0.300   10.0.2.1     YES NVRAM  up     up
Loopback100              10.100.0.1   YES NVRAM  up     up

R5# show vrf brief
Name         Default RD   Protocols   Interfaces
CUSTOMER-A   65000:1      ipv4        Gi0/0.100
CUSTOMER-B   65000:2      ipv4        Gi0/0.200
CUSTOMER-C   65000:3      ipv4        Gi0/0.300
```

Based on this output, what can be concluded?

A. All interfaces belong to the same VRF
B. VRF CUSTOMER-A uses RD 65000:1 and is associated with GigabitEthernet0/0.100
C. Loopback100 is in VRF CUSTOMER-C
D. There is no VRF configured on Router R5
Answer: B

The output shows CUSTOMER-A with RD 65000:1 and interface Gi0/0.100.

Why this answer

Option B is correct because the 'show vrf brief' output explicitly lists CUSTOMER-A with Route Distinguisher (RD) 65000:1 and its associated interface GigabitEthernet0/0.100. This confirms the VRF configuration and the interface-to-VRF mapping, which is fundamental for MPLS L3VPN path isolation.

Exam trap

Cisco often tests the misconception that the 'show ip interface brief | include VRF' command displays VRF membership, when in fact it only filters lines containing the string 'VRF' (which may not appear in the output), leading candidates to incorrectly conclude no VRFs exist or that all interfaces share a single VRF.

How to eliminate wrong answers

Option A is wrong because the 'show vrf brief' output shows three separate VRFs (CUSTOMER-A, CUSTOMER-B, CUSTOMER-C), each with its own RD and distinct subinterfaces, so not all interfaces belong to the same VRF. Option C is wrong because Loopback100 is not listed under any VRF in the 'show vrf brief' output; it remains in the global routing table, not in CUSTOMER-C. Option D is wrong because the 'show vrf brief' output clearly shows three VRFs configured, so VRFs are present on Router R5.

1889
Matching · medium

Drag and drop each hypervisor type on the left to its matching characteristic on the right.


Concepts
Matches

Runs directly on physical hardware without a host OS

Runs on top of an existing operating system

Example of a Type 1 hypervisor

Example of a Type 2 hypervisor

Type 1 hypervisor (Linux kernel-based)

Why these pairings

Type 1 hypervisors run directly on hardware (bare-metal), while Type 2 run on a host OS.

1890
MCQ · medium

A large enterprise is redesigning its campus network to support 5000 users across three buildings. The design must provide high availability and fast convergence in case of a link failure. The network engineer is considering using Spanning Tree Protocol (STP) in the access layer. What is the primary design concern with using STP in this scenario?

A. STP will cause slow convergence and inefficient use of redundant links.
B. STP requires all switches to be in the same VLAN to function correctly.
C. STP cannot be used with 5000 users due to MAC address table limitations.
D. STP will cause broadcast storms in a three-building design.
Answer: A

Correct because STP blocks redundant links and convergence can take 30-50 seconds, which is not suitable for high-availability designs.

Why this answer

STP (802.1D) converges slowly, typically taking 30-50 seconds (listening + learning states) after a topology change. In a large campus network with 5000 users, this delay causes unacceptable downtime. Additionally, STP blocks redundant links to prevent loops, wasting bandwidth that could be used for load balancing.

Modern alternatives like Rapid PVST+ (802.1w) or MST (802.1s) offer sub-second convergence, making classic STP a poor choice for high-availability designs.

Exam trap

Cisco often tests the misconception that STP is a suitable high-availability solution, when in fact its slow convergence and blocked link inefficiency make it a poor choice for modern campus networks; candidates may overlook the need for RSTP or MST in the design.

How to eliminate wrong answers

Option B is wrong because STP does not require all switches to be in the same VLAN; it operates per VLAN (PVST/PVST+) or per instance (MST), and switches in different VLANs can still participate in STP. Option C is wrong because STP does not impose MAC address table limitations based on user count; MAC table size is a hardware limitation of the switch ASIC, not a protocol constraint, and 5000 users is well within typical switch capacities. Option D is wrong because STP is designed to prevent broadcast storms by blocking redundant paths; broadcast storms are caused by loops, which STP actively eliminates, not creates.

1891
MCQ · hard

A network engineer runs the following command on Router R4:

```
R4# show mpls ldp neighbor vrf CUSTOMER-C
    Peer LDP Ident: 10.0.0.5:0; Local LDP Ident 10.0.0.4:0
        TCP connection: 10.0.0.5.646 - 10.0.0.4.646
        State: Oper; Msgs sent/rcvd: 500/500; Downstream
        Up time: 02:30:00
        LDP discovery sources:
          GigabitEthernet0/0.300, Src IP addr: 10.0.1.2
          hello sent/rcvd: 1000/1000
        Addresses bound to peer LDP Ident:
          10.0.1.2        10.0.2.2
```

Based on this output, what can be concluded?

A. LDP is not configured for VRF CUSTOMER-C
B. The LDP session is operational with peer 10.0.0.5
C. The LDP session is using TCP port 179
D. The peer is discovered via OSPF
Answer: B

State is 'Oper' (operational), indicating the session is up.

Why this answer

The output shows 'State: Oper' and 'Up time: 02:30:00', which confirms the LDP session is fully operational. The peer LDP Ident is 10.0.0.5:0 and the local LDP Ident is 10.0.0.4:0, with a TCP connection established on port 646. This directly indicates that the LDP session with peer 10.0.0.5 is up and running.

Exam trap

Cisco often tests the distinction between LDP (TCP port 646) and BGP (TCP port 179), and candidates may confuse the 'Oper' state with a BGP session or assume LDP uses port 179 by default.

How to eliminate wrong answers

Option A is wrong because the command 'show mpls ldp neighbor vrf CUSTOMER-C' successfully returned detailed neighbor information, proving LDP is configured for that VRF. Option C is wrong because LDP uses TCP port 646, not port 179 (which is used by BGP). Option D is wrong because the output does not mention OSPF or any IGP; LDP discovery sources show a directly connected interface (GigabitEthernet0/0.300) and the peer's IP addresses, but the underlying IGP is not specified.

1892
Multi-Select · medium

Which two statements about Type 1 and Type 2 hypervisors are true? (Choose two.)

Select 2 answers
A. A Type 1 hypervisor runs directly on the physical hardware without a host operating system.
B. A Type 2 hypervisor runs directly on the physical hardware without a host operating system.
C. VMware ESXi is an example of a Type 2 hypervisor.
D. VMware Workstation is an example of a Type 2 hypervisor.
E. Type 1 hypervisors are typically used for desktop virtualization in enterprise environments.
Answers: A, D

Correct because Type 1 hypervisors (bare-metal) install directly on the server hardware.

Why this answer

Type 1 hypervisors run directly on hardware and are used in data centers. Type 2 hypervisors run on a host OS and are common in labs. VMware ESXi is a Type 1 hypervisor.

VMware Workstation is Type 2.

1893
Multi-Select · medium

Which three statements about SPAN and RSPAN limitations are true? (Choose three.)

Select 3 answers
A. SPAN can cause increased CPU utilization on the switch if many packets are mirrored.
B. SPAN can monitor control plane traffic such as routing protocol updates by default.
C. RSPAN requires that the RSPAN VLAN be pruned from all trunks to avoid loops.
D. A SPAN destination port cannot be used for normal network traffic.
E. RSPAN can be used to monitor traffic on a Layer 3 routed interface.
Answers: A, C, D

Correct because mirroring high-bandwidth traffic can stress the switch CPU.

Why this answer

SPAN and RSPAN can impact switch performance due to increased CPU/memory usage. SPAN cannot monitor control plane traffic (e.g., routing updates) unless specifically configured. RSPAN requires a dedicated VLAN that must be pruned appropriately.

A SPAN destination port stops normal switching. RSPAN does not support Layer 3 routed interfaces as sources directly.

1894
MCQ · medium

A network engineer executes the following command on Router R8:

```
R8# show ip sla monitor summary
IP SLAs Monitor Summary
Codes: * active, ^ inactive, ~ pending

ID   Type         Destination    Stats     Return Code   Last
*1   icmp-echo    192.168.8.10   Success   OK            1
^2   udp-jitter   192.168.8.20   Success   OK            2
*3   icmp-echo    192.168.8.30   Success   OK            3
```

Based on this output, which IP SLA operations are currently active?

A. Only ID 1
B. Only ID 2
C. IDs 1 and 3
D. All three operations
Answer: C

Both IDs 1 and 3 show asterisks.

Why this answer

The asterisk (*) indicates active operations. IDs 1 and 3 have asterisks, while ID 2 has a caret (^) indicating inactive.

1895
Multi-Select · medium

Which two statements about the Cisco SD-Access fabric roles are true? (Choose two.)

Select 2 answers
A. The fabric edge node is responsible for connecting end devices and enforcing SGT-based policies.
B. The fabric border node is responsible for connecting the SD-Access fabric to external Layer 3 networks.
C. The control plane node is responsible for encapsulating and forwarding user traffic across the fabric.
D. The intermediate node is responsible for policy enforcement and traffic segmentation within the fabric.
E. The wireless controller in SD-Access acts as a dedicated fabric border node for wireless traffic.
Answers: A, B

Correct because the fabric edge is the access-layer switch that applies security group tags (SGTs) and forwards traffic within the fabric.

Why this answer

In SD-Access, the fabric edge node is the switch that connects to end devices and enforces policy, while the fabric border node connects the fabric to external networks (e.g., WAN, data center). The control plane node hosts the LISP map server/map resolver, not the edge. The intermediate node is a simple transit switch that does not perform encapsulation or policy enforcement.

The wireless controller in SD-Access is integrated as a fabric WLC, not a separate fabric role.

1896
MCQ · medium

A network engineer runs the following command on Router R1:

```
R1# show mpls ldp neighbor
    Peer LDP Ident: 10.1.1.2:0; Local LDP Ident 10.1.1.1:0
        TCP connection: 10.1.1.2.646 - 10.1.1.1.179
        State: Oper; Msgs sent/rcvd: 120/115; Downstream
        Up time: 02:30:15
        LDP discovery sources:
          GigabitEthernet0/0, Src IP addr: 192.168.1.2
        Addresses bound to peer LDP Ident:
          10.1.1.2        192.168.1.2     10.2.2.2
```

Based on this output, what can be concluded?

A. The LDP session is using TCP port 646 for LDP and port 179 for BGP, and the session is operational.
B. The LDP session is down because the state is 'Oper' but the TCP connection shows port 179.
C. The LDP neighbor is using label distribution mode 'Upstream' based on the output.
D. The LDP session has been up for 2 hours and 30 minutes, and the peer has sent 115 messages.
Answer: A

State: Oper confirms the session is up, and TCP ports 646 (LDP) and 179 (BGP) are correctly identified.

Why this answer

The output shows an established LDP session (State: Oper) between LSRs 10.1.1.1 and 10.1.1.2, with TCP port 646 (LDP) and port 179 (BGP) shown. The 'Downstream' label distribution mode is indicated. The peer's addresses include loopback and interface IPs.

1897
Matching · hard

Drag and drop each BGP community on the left to its standard behavior on the right.


Concepts
Matches

Do not advertise to eBGP peers (except within confederation)

Do not advertise to any peer

Do not advertise to external peers (confederation boundary)

Do not advertise to any BGP peer

Advertise to all BGP peers (default behavior)

Why these pairings

NO_EXPORT prevents advertisement outside confederation; NO_ADVERTISE prevents any advertisement; LOCAL_AS prevents advertisement to external peers; NO_PEER prevents advertisement to any peer; INTERNET advertises to all BGP peers.

1898
MCQ · hard

A network engineer runs the following command on Router R9:

```
R9# show ip interface tunnel 0
Tunnel0 is up, line protocol is up
  Internet address is 10.0.0.9/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1400 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is not set
  Proxy ARP is disabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP Null turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled
```

Based on this output, what can be concluded?

A. The tunnel is down because the line protocol is up.
B. The MTU of 1400 bytes suggests this is a GRE or IPsec tunnel.
C. The tunnel is using IP compression because TCP/IP header compression is disabled.
D. The tunnel has a helper address configured for DHCP.
Answer: B

A reduced MTU is typical for tunnels that add encapsulation headers, such as GRE (24 bytes) or IPsec (up to 100 bytes).

Why this answer

The tunnel interface is up/up with an MTU of 1400 bytes. The MTU is reduced from the default 1500, which is typical for GRE/IPsec tunnels to accommodate encapsulation overhead. This indicates the tunnel is likely a GRE or IPsec tunnel.

1899
Matching · medium

Drag and drop each SNMP operation on the left to its matching direction on the right.


Concepts
Matches

Manager to agent

Manager to agent

Manager to agent

Manager to agent

Agent to manager

Why these pairings

GET, GETNEXT, GETBULK, and SET are manager-to-agent requests; TRAP and INFORM are agent-to-manager notifications.

1900
Matching · medium

Drag and drop each VRF-Lite vs MPLS VPN characteristic on the left to its matching description on the right.


Concepts
Matches

Uses only VRFs without MPLS labels for path isolation

Uses MPLS labels to isolate traffic across the provider core

Why these pairings

VRF-Lite uses only VRFs without MPLS labels; MPLS VPN uses labels for isolation; VRF-Lite is limited to a single router; MPLS VPN scales across the core; VRF-Lite does not require MP-BGP; MPLS VPN uses MP-BGP for VPNv4 route exchange.

1901
MCQ · medium

A service provider is deploying NFV to offer managed SD-WAN services to enterprise customers. The architect must place virtual network functions (VNFs) such as vEdge routers and firewalls in the provider's data center. Which VNF placement model allows the provider to chain these functions efficiently and scale per customer?

A. Place all VNFs for a customer on a single hypervisor host and use internal virtual switches to chain them.
B. Use a centralized service chain with a service graph that defines the order of VNFs, and deploy VNFs on separate hosts for redundancy.
C. Deploy each VNF as a separate virtual machine on a dedicated physical server to maximize performance.
D. Use a single VNF that combines routing and firewall functions to avoid chaining complexity.
Answer: B

This model uses a service graph to define the chain, and VNFs can be placed on separate hosts for high availability, allowing per-customer customization and scaling.

Why this answer

Option B is correct because a centralized service chain with a service graph allows the provider to define the ordered sequence of VNFs (e.g., vEdge router then firewall) and deploy them on separate hosts for redundancy. This model aligns with NFV MANO (Management and Orchestration) principles, enabling efficient scaling per customer by instantiating VNFs as needed while maintaining the service chain across hypervisors.

Exam trap

Cisco often tests the misconception that placing all VNFs on a single host (Option A) is simpler and efficient, but the trap is that this violates NFV's high-availability and multi-tenant scaling requirements, which are core to service provider SD-WAN offerings.

How to eliminate wrong answers

Option A is wrong because placing all VNFs for a customer on a single hypervisor host creates a single point of failure and limits scalability; internal virtual switches do not provide the orchestrated service chaining required for multi-tenant NFV deployments. Option C is wrong because dedicating a physical server per VNF defeats the purpose of NFV (virtualization and resource pooling), leading to high cost and poor scalability. Option D is wrong because combining routing and firewall into a single VNF violates the modular VNF design principle and prevents independent scaling or updating of individual functions, which is essential for multi-tenant SD-WAN services.

1902
Drag & Drop · medium

Drag and drop the steps of configuring AAA on a Cisco IOS device into the correct order, from first to last.


Why this order

AAA configuration requires first enabling AAA globally, then defining the authentication method list, applying it to login, and optionally specifying a fallback method like local. Finally, verify with debug commands.

1903
Drag & Drop · medium

Drag and drop the steps of OSPF summarization configuration at an ABR into the correct order, from first to last.


Why this order

Summarization on an ABR uses the area range command to aggregate prefixes. The order is: identify prefixes, configure range, verify, and optionally suppress more specific routes.

1904
MCQ · hard

A network engineer runs the following command on Switch SW3:

```
SW3# show spanning-tree vlan 30

VLAN0030
  Spanning tree enabled protocol ieee
  Root ID    Priority    24606
             Address     aabb.cc00.0400
             Cost        12
             Port        2 (GigabitEthernet0/2)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32798  (priority 32768 sys-id-ext 30)
             Address     aabb.cc00.0500
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ------------------------------
Gi0/1               Desg FWD 4         128.1    P2p
Gi0/2               Root FWD 12        128.2    P2p
Gi0/3               Desg FWD 4         128.3    P2p
```

Based on this output, what is the root path cost from SW3 to the root bridge for VLAN 30?

A. 4
B. 12
C. 16
D. 20
Answer: B

Correct. The root path cost is 12, as shown in the Root ID section.

Why this answer

The root path cost is the cost of the path from this switch to the root bridge. It is shown in the Root ID section as 'Cost 12'. This is the cumulative cost via the root port (Gi0/2, which has a cost of 12).

1905
Multi-Select · hard

Which THREE of the following are characteristics of Cisco TrustSec (CTS) security architecture?

Select 3 answers
A. It uses IPsec to encrypt traffic between network devices.
B. It uses VLANs to segment traffic based on security roles.
C. It uses Security Group Tags (SGTs) to classify traffic.
D. It provides data confidentiality using IEEE 802.1AE (MACsec) encryption.
E. It uses Security Group Access Control Lists (SGACLs) to enforce policies.
Answers: C, D, E

SGTs are used for classification.

Why this answer

C is correct because Cisco TrustSec uses Security Group Tags (SGTs) to classify traffic based on user, device, or role, rather than IP addresses. SGTs are 16-bit values (0–65535) assigned dynamically via authentication (e.g., 802.1X) or static mapping, enabling scalable policy enforcement.

Exam trap

Cisco often tests the misconception that TrustSec uses VLANs or IPsec for segmentation and encryption, when in fact it uses SGTs for classification and MACsec for Layer 2 encryption.

1906
MCQ · medium

Review the following Python script that uses the Cisco IOS-XE RESTCONF API to modify an interface:

```python
import requests
from requests.auth import HTTPBasicAuth

# '/' inside the list key must be percent-encoded (%2F) in a RESTCONF URL (RFC 8040)
url = 'https://192.168.1.1/restconf/data/Cisco-IOS-XE-native:native/interface/GigabitEthernet=1%2F0%2F1'
headers = {
    'Accept': 'application/yang-data+json',
    'Content-Type': 'application/yang-data+json'
}
auth = HTTPBasicAuth('admin', 'cisco')
payload = {
    'Cisco-IOS-XE-native:GigabitEthernet': {
        'name': '1/0/1',
        'description': 'Configured via RESTCONF'
    }
}

# verify=False disables TLS certificate validation for this request
response = requests.put(url, headers=headers, auth=auth, json=payload, verify=False)
print(response.status_code)
```

What is the expected result if the script runs successfully?

A.It will create a new interface named GigabitEthernet1/0/1.
B.It will set the description of GigabitEthernet1/0/1 to 'Configured via RESTCONF'.
C.It will delete the interface configuration.
D.It will return an error because the payload is missing required fields.
AnswerB

The PUT request updates the interface configuration with the provided description.

Why this answer

A PUT request to the interface URL with a payload that includes a description will update the interface description.

1907
Matchingmedium

Drag and drop each multicast address range on the left to its matching use on the right.

Matches

Reserved for link-local multicast (e.g., routing protocols)

Used for Source-Specific Multicast (SSM)

Administratively scoped (private) multicast

All hosts on this subnet (link-local all-hosts group)

All routers on this subnet (link-local all-routers group)

Why these pairings

224.0.0.0/24 is reserved for link-local multicast; 232.0.0.0/8 is for Source-Specific Multicast; 239.0.0.0/8 is for administratively scoped (private) multicast.

1908
Matchingmedium

Drag and drop each Python data structure on the left to its matching network config use on the right.

Matches

Store interface configuration as key-value pairs

Maintain ordered list of VLANs to apply

Define immutable routing table entry

Collect unique OSPF router IDs

Represent immutable set of allowed protocols

Why these pairings

dict maps parameter to value; list stores ordered items; tuple is immutable; set holds unique elements.

1909
MCQmedium

A network engineer is configuring EtherChannel between two Cisco Catalyst switches. The ports are configured as access ports in VLAN 10. After configuring the port-channel interface and adding the physical ports, the engineer notices that the EtherChannel does not come up. The show etherchannel summary command shows the port-channel in a down state. What is the most likely cause?

A.The physical ports are configured as access ports in VLAN 10, but the port-channel interface is not configured with the same VLAN.
B.The physical ports have different duplex settings.
C.The switch is using PAgP and the neighbor is using LACP.
D.The physical ports are in different VLANs.
AnswerA

Correct because the port-channel interface must have the same access VLAN as the physical ports, or the channel will not form.

Why this answer

The correct answer is that the physical ports must be configured identically, including the allowed VLAN list. For access ports, the VLAN must match. The wrong answers involve issues that would not prevent the channel from forming if the VLANs match.

1910
Drag & Dropmedium

Drag and drop the steps of MPLS L2VPN (AToM) pseudowire setup into the correct order, from first to last.

Why this order

AToM pseudowire setup begins with configuring attachment circuit and VC ID, then LDP targeted session for pseudowire signaling, label mapping exchange, pseudowire status notification, and finally pseudowire operational with traffic flow.

1911
Matchingmedium

Drag and drop each MPLS label field on the left to its matching bit size on the right.

Matches

20 bits

3 bits

1 bit

8 bits

32 bits

Why these pairings

The MPLS label has 4 fields: Label (20 bits), TC (3 bits), S (1 bit), and TTL (8 bits).

1912
MCQmedium

A network engineer runs the following command on Router R7:

```
R7# show mpls ldp capabilities
LDP Capabilities:
Dynamic Capability: advertised
Typed Wildcard FEC: advertised
MTU Signaling: advertised
P2MP: not advertised
MPLS OAM: advertised
LDP Graceful Restart: advertised
Helper mode: enabled
Restart mode: enabled
Reconnect time: 120 sec
Recovery time: 180 sec
```

Based on this output, which capability is NOT supported by this router?

A.LDP Graceful Restart
B.MTU Signaling
C.P2MP (Point-to-Multipoint)
D.Dynamic Capability
AnswerC

It is listed as 'not advertised'.

Why this answer

The output lists capabilities that are advertised. P2MP (Point-to-Multipoint) is explicitly listed as 'not advertised', meaning it is not supported.

1913
Drag & Dropmedium

Drag and drop the steps of uRPF (Unicast Reverse Path Forwarding) verification into the correct order, from first to last.

Why this order

uRPF verification involves checking if it is enabled, verifying the routing table, testing with ping, checking counters, and interpreting results. The order follows a logical troubleshooting sequence.

1914
Matchingmedium

Drag and drop each First Hop Redundancy Protocol on the left to its matching function on the right.

Matches

Cisco-proprietary active/standby gateway redundancy with one virtual IP

Open standard with master/backup election and one virtual IP

Cisco-proprietary load-balancing across multiple gateways using AVF/AVG

Adds support for IPv6 and increased group numbers

Supports IPv4 and IPv6 with improved timers

Why these pairings

HSRP uses an active/standby model with one virtual MAC; VRRP uses an election process with a single virtual MAC; GLBP load-balances across multiple gateways.

1915
Matchingmedium

Drag and drop each service chaining element on the left to its matching position in the chain on the right.

Matches

Entry point that identifies and steers traffic into a service chain

Node that forwards traffic to the next service function in the chain

Individual VNF that processes traffic (e.g., firewall, load balancer)

Ordered list of service functions that traffic must traverse

Encapsulation header that carries chain context between SFFs

Why these pairings

Service chaining steers traffic through a sequence of VNFs; classifiers identify traffic; SFC encapsulation maintains chain context.

1916
Drag & Dropmedium

Drag and drop the steps of configuring a site-to-site IPsec VPN on Cisco IOS into the correct order, from first to last.

Why this order

The correct order for configuring a site-to-site IPsec VPN is: first define the IKE policy (Phase 1 parameters), then define the IPsec transform set (Phase 2 parameters), then create the crypto ACL to match interesting traffic, then configure the crypto map to bind all parameters, and finally apply the crypto map to the outgoing interface.

1917
Matchingmedium

Drag and drop each Python library on the left to its matching network use case on the right.

Matches

Simplifies SSH connections to network devices

Provides a unified API for configuration and state retrieval

Enables parallel task execution across inventory

Supports asynchronous network device communication

Offers raw SSH protocol implementation

Why these pairings

Netmiko simplifies SSH to network devices; NAPALM provides multi-vendor abstraction; Nornir is task-based and parallel; Scrapli is async-focused; Paramiko is low-level SSH.

1918
MCQmedium

Given the following partial configuration on a Cisco IOS-XE router:

```
ip pim rp-address 10.0.0.1 10
access-list 10 permit 224.0.0.0 0.255.255.255
!
interface GigabitEthernet0/0
 ip pim sparse-mode
!
```

What is the effect of this configuration?

A.The router will use 10.0.0.1 as the RP for all multicast groups from 224.0.0.0 to 224.255.255.255, and the interface will operate in sparse-mode.
B.The router will ignore the static RP because the ACL includes the reserved link-local range (224.0.0.0/24).
C.The interface must also be configured with 'ip pim dense-mode' for the RP to work.
D.The RP address 10.0.0.1 must be configured on a loopback interface on the same router.
AnswerA

Correct. The static RP is defined for the group range specified in ACL 10, and the interface is in sparse-mode.

Why this answer

This configures a static RP at 10.0.0.1 for multicast groups matching access-list 10, which permits all groups in the 224.0.0.0/8 range. The interface is in PIM sparse-mode. However, the RP address must be reachable via unicast routing.

The configuration is valid but note that 224.0.0.0/8 includes reserved link-local addresses (224.0.0.0/24) which are not typically used with PIM.

1919
Matchingmedium

Drag and drop each LISP message type on the left to its matching purpose on the right.

Matches

Queries the LISP mapping system for an EID-to-RLOC mapping

Returns the requested EID-to-RLOC mapping to the requesting ITR

Registers an EID-to-RLOC mapping with the map-server

Acknowledges successful registration of an EID-to-RLOC mapping

Requests the map-server to send a Map-Request on behalf of a requesting device

Why these pairings

Map-Request queries the location of an EID, Map-Reply provides the mapping, Map-Register registers EID-to-RLOC mappings, Map-Notify confirms registration, and Map-Solicit triggers a Map-Request from the map-server.

1920
Matchingmedium

Drag and drop each MPLS label field on the left to its matching bit size on the right.

Matches

20 bits

3 bits

1 bit

8 bits

32 bits

Why these pairings

The MPLS label is 20 bits, Traffic Class (TC) is 3 bits, Bottom of Stack (S) is 1 bit, and TTL is 8 bits, totaling 32 bits per label entry.

1921
Multi-Selectmedium

Which two statements about SNMPv3 security features are true? (Choose two.)

Select 2 answers
A.The authNoPriv security level provides authentication using MD5 or SHA, but no encryption.
B.The noAuthNoPriv security level provides both authentication and encryption.
C.The authPriv security level provides authentication using MD5 or SHA, and encryption using DES or AES.
D.SNMPv3 users are identified solely by the community string, similar to SNMPv2c.
E.The SNMP engine ID is optional and only used for debugging purposes.
AnswersA, C

Correct because authNoPriv uses a hash algorithm for authentication but does not encrypt the SNMP payload.

Why this answer

SNMPv3 provides both authentication and encryption. The authNoPriv level uses MD5 or SHA for authentication without encryption; noAuthNoPriv uses no security; authPriv provides both authentication and encryption. The engine ID is required for SNMPv3 user configuration and is used to generate the localized key.

1922
Drag & Dropmedium

Drag and drop the steps of CoPP class-map match criteria and rate-limit application into the correct order, from first to last.

Why this order

CoPP configuration requires defining match criteria in a class-map, then creating a policy-map with police commands, and finally applying the policy to the control plane. The order follows standard MQC (Modular QoS CLI) process.

1923
Multi-Selectmedium

Which two statements about policing and shaping in a QoS architecture are true? (Choose two.)

Select 2 answers
A.Policing can be configured on both ingress and egress interfaces, while shaping is only supported on egress interfaces.
B.Shaping uses a token bucket algorithm to meter traffic and drops packets that exceed the configured rate.
C.Policing introduces variable delay because it buffers excess traffic before forwarding.
D.Both policing and shaping can re-mark packets that conform to the configured rate.
E.The 'shape average' command configures shaping to use the average rate over time, while 'shape peak' allows bursts above the average.
AnswersA, E

Correct. Policing can be applied inbound or outbound on Cisco routers and switches, whereas shaping is typically applied only on outbound interfaces because it buffers packets.

Why this answer

Policing drops or re-marks traffic exceeding a rate, while shaping buffers excess traffic to smooth bursts. Policing is applied inbound or outbound, shaping is typically outbound. Policing does not introduce delay, shaping does.

Both can use token bucket algorithms.

1924
MCQmedium

An architect is designing an SD-Access fabric for a large campus network. The design must support wireless clients that roam across different access switches without requiring a centralized wireless LAN controller. Which fabric component and protocol combination should the architect use to enable this mobility?

A.Fabric edge switches with VXLAN and LISP; APs in local mode with a centralized WLC.
B.Fabric edge switches with VXLAN and LISP; APs in fabric mode (SD-Access enabled).
C.Fabric border nodes with VXLAN and LISP; APs in flexconnect mode with a local switch.
D.Fabric control plane nodes with VXLAN and LISP; APs in monitor mode.
AnswerB

Fabric mode APs connect directly to the fabric edge and use VXLAN encapsulation; LISP handles endpoint mobility across the fabric.

Why this answer

Option B is correct because SD-Access fabric uses fabric edge switches with VXLAN (data plane) and LISP (control plane) to create a distributed overlay that supports seamless wireless client roaming. APs in fabric mode (SD-Access enabled) integrate directly with the fabric, allowing the fabric edge to handle mobility without a centralized WLC, as the client's context is maintained across the VXLAN overlay.

Exam trap

Cisco often tests the misconception that SD-Access requires a centralized WLC for wireless roaming, but the trap here is that fabric mode APs offload mobility to the fabric edge switches using VXLAN/LISP, eliminating the need for a WLC controller.

How to eliminate wrong answers

Option A is wrong because APs in local mode with a centralized WLC require the WLC to anchor traffic and manage roaming, contradicting the design requirement of no centralized WLC. Option C is wrong because fabric border nodes are used for external connectivity (e.g., to WAN or Internet), not for wireless client mobility; FlexConnect mode with a local switch does not use VXLAN/LISP fabric integration and still relies on a WLC for control. Option D is wrong because fabric control plane nodes (e.g., LISP map-server/map-resolver) handle endpoint ID-to-location mapping, not wireless client mobility; APs in monitor mode are for passive scanning and do not forward client traffic.

1925
Drag & Dropmedium

Drag and drop the steps of Cisco NSO service provisioning workflow into the correct order, from first to last.

Why this order

Cisco NSO service provisioning begins with the operator or OSS sending a service request to NSO via NETCONF/RESTCONF. NSO then processes the service model and creates a service instance. NSO uses device templates and YANG models to generate device configurations.

NSO pushes the configuration to the network devices using NETCONF. Finally, NSO verifies the service is operational and updates the service state.

1926
MCQmedium

Review the following OSPF configuration:

```
router ospf 1
 network 192.168.1.0 0.0.0.255 area 0
 network 10.0.0.0 0.255.255.255 area 1
 default-information originate always metric 20 metric-type 1
!
```

What is the effect of the 'default-information originate always metric 20 metric-type 1' command?

A.It injects a default route into OSPF only if a default route exists in the routing table, with metric 20 and type E1.
B.It injects a default route into OSPF unconditionally, with metric 20 and type E1.
C.It injects a default route into OSPF with metric 20 and type E2, but only if a default route exists.
D.It injects a default route into OSPF with metric 20 and type E1, but only for area 0.
AnswerB

Correct. 'always' forces advertisement even without a default route. Metric-type 1 means E1.

Why this answer

The 'default-information originate always' command injects a default route into the OSPF link-state database unconditionally, even if no default route exists in the routing table. The 'metric 20' sets the OSPF cost to 20, and 'metric-type 1' makes it an E1 (Type 1) external route, meaning the metric includes the internal cost to the ASBR plus the external cost.

Exam trap

Cisco often tests the distinction between 'default-information originate' (conditional) and 'default-information originate always' (unconditional), and the difference between metric-type 1 (E1) and metric-type 2 (E2), to see if candidates understand the exact behavior of each keyword.

How to eliminate wrong answers

Option A is wrong because the 'always' keyword causes the default route to be injected unconditionally, not only if a default route exists in the routing table. Option C is wrong because the command specifies 'metric-type 1', which results in an E1 route, not an E2 route; additionally, the 'always' keyword removes the condition of a pre-existing default route. Option D is wrong because the 'default-information originate' command applies to the entire OSPF process, not just area 0; the network statements define which interfaces participate in which areas, but the default route is advertised into all areas unless filtered.

1927
MCQeasy

What is the default value of the BGP 'weight' attribute for routes learned from a neighbor?

A.0
B.100
C.32768
D.1
AnswerA

Correct. Weight defaults to 0 for routes learned from BGP neighbors.

Why this answer

The BGP 'weight' attribute is a Cisco-proprietary attribute that is locally significant only to the router on which it is configured. By default, routes learned from a BGP neighbor have a weight of 0, while routes originated locally on the router (e.g., via network or aggregate-address commands) have a weight of 32768. Weight is the highest priority BGP attribute in the path selection process, so a route with a higher weight is preferred over one with a lower weight.

Exam trap

Cisco often tests the distinction between the default weight for locally originated routes (32768) versus routes learned from a neighbor (0), causing candidates to mistakenly choose 32768 when asked about learned routes.

How to eliminate wrong answers

Option B (100) is wrong because 100 is the default administrative distance for IBGP routes, not the default BGP weight. Option C (32768) is wrong because 32768 is the default weight for locally originated routes (e.g., routes injected via the network command), not for routes learned from a neighbor. Option D (1) is wrong because there is no BGP attribute or default value of 1 for weight; weight values range from 0 to 65535, and 0 is the default for learned routes.

1928
Multi-Selectmedium

Which two statements about SD-WAN architecture are true? (Choose two.)

Select 2 answers
A.The vSmart controller is responsible for distributing routing and policy information to the WAN edge routers.
B.vEdge routers establish IPsec tunnels directly with each other for data plane traffic.
C.The vBond orchestrator is responsible for forwarding data traffic between branch sites.
D.vEdge routers establish OMP sessions with each other to exchange control plane information.
E.Control plane communication between vSmart and vEdge is secured using IPsec.
AnswersA, B

Correct because vSmart acts as the control plane, using OMP to distribute routes and policies to vEdge/cEdge routers.

Why this answer

In Cisco SD-WAN, the vSmart controller is responsible for centralized control and policy distribution, while the vBond orchestrator handles authentication and NAT traversal. The vManage is the management plane. vEdge routers establish OMP sessions with vSmart, not with each other. Control plane traffic between vSmart and vEdge is secured with DTLS or TLS, not IPsec.

The vBond is not involved in forwarding data traffic.

1929
MCQeasy

What is the default syslog severity level for console logging on a Cisco IOS device?

A.debugging (level 7)
B.informational (level 6)
C.warnings (level 4)
D.errors (level 3)
AnswerA

By default, console logging is set to level 7 (debugging), so all syslog messages appear on the console.

Why this answer

The default console logging severity level is 'debugging' (level 7), meaning all messages are displayed on the console by default.

1930
Drag & Dropmedium

Drag and drop the steps of BGP policy application (route-map, prefix-list, AS-path ACL) into the correct order, from first to last.

Why this order

Policy application starts with defining match criteria (prefix-list or AS-path ACL), then creating a route-map with permit/deny and set actions, applying it to a neighbor, and finally verifying the policy effect.

1931
Multi-Selecthard

Which three statements about RPF check in IP multicast are true? (Choose three.)

Select 3 answers
A.The RPF check ensures that multicast packets are forwarded only if they arrive on the interface that the router would use to send unicast traffic back to the source.
B.If the RPF check fails, the multicast packet is dropped by the router.
C.The RPF check is performed only on the first packet of a multicast stream to determine the forwarding path.
D.The RPF check relies solely on the multicast routing table (MRIB) to determine the incoming interface.
E.A multicast packet can fail the RPF check even if the unicast route to the source exists, if the packet arrives on a different interface than the one used for unicast return traffic.
AnswersA, B, E

Correct because the RPF check uses the unicast routing table to determine the expected incoming interface for the source.

Why this answer

The RPF check is a fundamental multicast forwarding mechanism that verifies the source address of incoming multicast packets against the unicast routing table. A packet passes RPF if it arrives on the interface that the router would use to reach the source. If the RPF check fails, the packet is dropped to prevent loops.

RPF is performed on every multicast packet, not just the first one. The RPF check is independent of the multicast routing protocol; it uses the unicast routing table. RPF failure can occur even with a correct unicast route if the packet arrives on a different interface.

1932
Drag & Dropmedium

Drag and drop the steps of OpenAPI schema validation for DNA Center REST call into the correct order, from first to last.

Why this order

Validation begins with retrieving the OpenAPI spec, then parsing the endpoint, validating the request against the schema, checking the response, and finally handling any validation errors.

1933
Drag & Dropmedium

Drag and drop the steps of 4G/LTE WAN failover with IP SLA tracking into the correct order, from first to last.

Why this order

First, configure the primary WAN interface and the LTE backup interface. Then, create an IP SLA probe to monitor the primary link. Track the SLA with a tracking object.

Set a static route with a higher metric for the LTE interface, tied to the track. When the primary fails, the track goes down, and the LTE route becomes active.

1934
Matchingmedium

Drag and drop each DNA Center ISE integration component on the left to its matching role on the right.

Matches

Enables real-time context sharing between DNA Center and ISE

Defines and enforces security group access policies across the network

Provides authentication, authorization, and accounting for network access

Carries security group tag information in data packets for policy enforcement

Allows manual configuration of ISE policies and user identity stores

Why these pairings

ISE integration: pxGrid shares context data; TrustSec enforces segmentation; RADIUS provides authentication; SGT carries security group tags.

1935
MCQmedium

Examine the following EIGRP configuration snippet:

```
interface GigabitEthernet0/0
 ip bandwidth-percent eigrp 100 50
```

What is the effect of this command?

A.EIGRP will use up to 50% of the interface bandwidth for its control traffic.
B.EIGRP will only advertise routes that have a metric within 50% of the best path.
C.EIGRP will use 50% of the interface bandwidth for data traffic.
D.EIGRP will reduce its hello interval by 50%.
AnswerA

Correct. This command limits EIGRP's bandwidth usage to 50% of the interface's configured bandwidth.

Why this answer

The `ip bandwidth-percent eigrp 100 50` command configures EIGRP to use up to 50% of the interface's configured bandwidth for its control traffic (hello, update, query, and reply packets). This limits the amount of bandwidth EIGRP can consume to prevent it from starving other traffic. The percentage is applied to the interface's `bandwidth` setting, not the actual physical link speed.

Exam trap

Cisco often tests the misconception that `ip bandwidth-percent eigrp` controls data traffic or route selection, when in fact it only limits EIGRP's own control plane bandwidth usage.

How to eliminate wrong answers

Option B is wrong because EIGRP does not have a mechanism to advertise only routes within a percentage of the best path; variance and offset-lists are used for unequal-cost load balancing, not route filtering based on metric percentage. Option C is wrong because this command specifically limits EIGRP control traffic, not data traffic; data traffic is unaffected by this command. Option D is wrong because the `ip bandwidth-percent eigrp` command does not influence the hello interval; hello intervals are configured separately with `ip hello-interval eigrp`.

1936
Multi-Selectmedium

Which two statements about NFV architecture and components are true? (Choose two.)

Select 2 answers
A.The NFV Infrastructure (NFVI) includes compute, storage, and networking resources that host VNFs.
B.Virtual Network Functions (VNFs) are software implementations of network functions that run on virtualized infrastructure.
C.Each VNF must be deployed on its own dedicated physical server to ensure performance isolation.
D.The Virtualized Infrastructure Manager (VIM) is responsible for managing the lifecycle of VNFs.
E.The NFV Orchestrator is primarily responsible for allocating virtual resources to VNFs.
AnswersA, B

Correct because the NFVI provides the virtualized resources (compute, storage, network) upon which VNFs are deployed.

Why this answer

NFV decouples network functions from dedicated hardware. The NFV Infrastructure includes compute, storage, and networking resources. VNFs run on top of the NFVI.

The NFV MANO framework orchestrates and manages these components. Option A is correct because NFVI provides the virtualized resources. Option B is correct because VNFs are software implementations of network functions.

Option C is incorrect because NFV does not require dedicated hardware per VNF; it relies on shared infrastructure. Option D is incorrect because VNFs are managed by the VNFM, not the VIM. Option E is incorrect because the NFV Orchestrator handles lifecycle management, not just resource allocation.

1937
Drag & Dropmedium

Drag and drop the steps of Rapid PVST+ topology change notification process into the correct order, from first to last.

Why this order

In Rapid PVST+, a topology change is triggered when a non-edge port transitions to forwarding. The switch then sets the proposal bit on its designated ports, sends a proposal message, and expects an agreement from the downstream switch. After receiving the agreement, the port moves to forwarding and the switch propagates the change by setting the TC flag in BPDUs sent on all designated ports.

This ensures rapid convergence.

1938
MCQeasy

What is the default OSPF hello interval on an Ethernet link in a Cisco router?

A.10 seconds
B.30 seconds
C.5 seconds
D.40 seconds
AnswerA

Correct. The default hello interval for Ethernet is 10 seconds.

Why this answer

By default, OSPF sends hello packets every 10 seconds on broadcast and point-to-point links (e.g., Ethernet).

1939
Drag & Drophard

Drag and drop the steps of gNMI Subscribe RPC using Python gRPC library into the correct order, from first to last.

Why this order

The correct order starts with importing the gNMI protobuf modules and gRPC, creating a secure channel with credentials, instantiating the gNMI stub, building a SubscribeRequest with paths and mode, and finally calling the Subscribe RPC and iterating over responses.

1940
MCQhard

A network engineer is configuring EIGRP on a router that connects to a service provider network. The engineer wants to advertise a default route to internal routers. The engineer configures 'ip default-network 0.0.0.0' and redistributes a static default route into EIGRP. However, internal routers are not receiving the default route. The engineer checks the EIGRP topology table and sees the default route with a metric of 1. What is the most likely reason?

A.The engineer used 'ip default-network' which is not supported in EIGRP; instead, 'default-information originate' should be used.
B.The static default route is not configured correctly; the engineer should use 'ip route 0.0.0.0 0.0.0.0 <next-hop>'.
C.The internal routers have a route to the default network with a better metric from another source.
D.The engineer needs to configure 'eigrp stub' on the router to allow default route advertisement.
AnswerA

Correct. EIGRP does not support the 'ip default-network' command. To advertise a default route, the engineer should use 'redistribute static' and optionally 'default-information originate' to inject the default route.

Why this answer

Option A is correct because EIGRP does not support the 'ip default-network' command to originate a default route; this command is used with IGRP. To advertise a default route in EIGRP, the engineer must use the 'default-information originate' command under the EIGRP process, which redistributes a static default route (0.0.0.0/0) into EIGRP. The presence of the default route in the topology table with a metric of 1 indicates it was redistributed, but without 'default-information originate', EIGRP will not advertise it to neighbors.

Exam trap

Cisco often tests the misconception that 'ip default-network' works with EIGRP, when in fact it is an IGRP-specific command, and candidates may confuse it with the correct 'default-information originate' command used in EIGRP and OSPF.

How to eliminate wrong answers

Option B is wrong because the static route syntax 'ip route 0.0.0.0 0.0.0.0 <next-hop>' is correct and commonly used; the issue is not with the static route configuration but with the EIGRP advertisement method. Option C is wrong because the topology table shows the default route with a metric of 1, and if internal routers had a better metric from another source, the route would still be present in the topology table but not selected as best; the problem is that the route is not being advertised at all. Option D is wrong because configuring 'eigrp stub' restricts the router from advertising routes learned from other EIGRP neighbors, but it does not prevent the advertisement of a locally originated default route via 'default-information originate'; the stub feature is used to limit route propagation, not to enable default route advertisement.

1941
MCQ · hard

A network engineer uses the Requests library to query a Cisco IOS-XE device via RESTCONF for interface statistics:

```python
import requests
from requests.auth import HTTPBasicAuth

url = 'https://192.168.1.1/restconf/data/Cisco-IOS-XE-interfaces-oper:interfaces/interface=GigabitEthernet1/statistics'
headers = {'Accept': 'application/yang-data+json'}
auth = HTTPBasicAuth('admin', 'cisco123')
response = requests.get(url, headers=headers, auth=auth, verify=False)
print(response.json())
```

What is the most likely issue with this code?

A. The URL is missing the '/data' segment; it should be '/restconf/data/...'
B. The interface name 'GigabitEthernet1/0/1' in the URL must be URL-encoded as 'GigabitEthernet1%2F0%2F1'.
C. The Accept header should be 'application/json' instead of 'application/yang-data+json'.
D. The HTTP method should be POST instead of GET.
Answer: B

The slash in the interface name must be percent-encoded to avoid being interpreted as a path separator.

Why this answer

The keyed answer concerns URL encoding. In a RESTCONF URL, an interface name that contains a slash (e.g., 'GigabitEthernet1/0/1') must be URL-encoded; otherwise each slash is interpreted as a path separator. The interface name shown in the code, 'GigabitEthernet1', contains no special characters and is fine as written.

The rest of the request is correct: the URL includes '/restconf/data/', the module name in the path is case-sensitive, and the Accept header 'application/yang-data+json' is correct. verify=False disables certificate verification, so the requests library may raise an InsecureRequestWarning, but that is a warning, not a failure. The code also does not handle HTTP errors or check the response status, and a request like this can still fail if RESTCONF is not enabled on the device or the credentials are wrong.

1942
Multi-Select · medium

Which two statements about IP Source Guard are true? (Choose two.)

Select 2 answers
A. IP Source Guard uses the DHCP snooping binding database to validate source IP addresses.
B. IP Source Guard filters traffic based on the source MAC address.
C. IP Source Guard is applied on Layer 3 interfaces of a switch.
D. IP Source Guard can be configured with a static IP source binding for hosts with static IP addresses.
E. IP Source Guard requires 802.1X authentication to function.
Answers: A, D

Correct because IPSG relies on the DHCP snooping binding database to determine which source IP addresses are allowed on a given port.

Why this answer

IP Source Guard (IPSG) filters IP traffic on a per-port basis using the DHCP snooping binding database. Option A is correct because IPSG uses the binding database to validate source IP addresses. Option D is correct because IPSG can be configured with a static IP source binding for hosts with static IP addresses.

Option B is incorrect because IPSG does not filter MAC addresses; that is the role of port security. Option C is incorrect because IPSG is applied on Layer 2 switch ports, not on Layer 3 interfaces. Option E is incorrect because IPSG does not require 802.1X; it can work with DHCP snooping alone.

1943
Multi-Select · medium

Which two statements about YANG data models in model-driven telemetry are true? (Choose two.)

Select 2 answers
A. YANG models are used to define the data structures streamed in telemetry subscriptions.
B. OpenConfig YANG models are vendor-neutral and supported across multiple network operating systems.
C. Native YANG models are standardized by the IETF and used universally.
D. NETCONF is a YANG data model used for telemetry configuration.
E. RESTCONF provides a YANG-based data model for streaming telemetry.
Answers: A, B

Correct because YANG provides the schema for telemetry data, ensuring consistent encoding.

Why this answer

YANG models define the structure and constraints of telemetry data. Native models are vendor-specific, while OpenConfig models are standardized. IETF models are also standards-based but not vendor-specific.

NETCONF uses YANG but is not a data model. RESTCONF is a protocol, not a model.

1944
Matching · medium

Drag and drop each NFV component on the left to its matching role on the right.

Concepts
Matches

Virtualized network function software (e.g., virtual router)

Physical and virtual resources (compute, storage, networking)

Orchestration and lifecycle management framework

Manages NFVI resources (e.g., OpenStack)

Manages lifecycle of individual VNFs

Why these pairings

VNF is the virtualized network function software; NFVI is the infrastructure of compute, storage, and networking; MANO handles orchestration and lifecycle management.

1945
MCQ · medium

A service provider uses a Cisco ASR 1000 router to provide MPLS L3VPN services to multiple customers. Each customer has their own VRF. Recently, a new customer was added with VRF CUSTOMER_C. After configuration, the customer reports that they can reach some remote sites but not others. The network engineer checks the VRF configuration and finds that the route targets for CUSTOMER_C are correctly configured. The engineer also verifies that BGP sessions to the PE routers are up. The missing routes are from a site that uses a different PE router. Which action should the engineer take to resolve the issue?

A. Increase the MTU on the link between the PE routers.
B. Reconfigure LDP on the PE routers to establish a targeted session.
C. Check the MPLS label stack on the local PE to ensure labels are being swapped correctly.
D. Verify that the route target import/export values on the remote PE match those on the local PE for VRF CUSTOMER_C.
Answer: D

Correct: Mismatched route targets cause routes to not be imported into the VRF.

Why this answer

The issue is that the remote PE router does not have the correct route target import/export configuration for VRF CUSTOMER_C. In MPLS L3VPN, VRFs on different PEs must have matching route target values to import and export VPNv4 routes into the correct VRF. Even if the local PE is correctly configured, the remote PE must also import the routes from the local PE using the same route target.

Without this, the remote PE will not install the VPNv4 prefixes into its VRF, causing the customer to be unable to reach sites connected to that remote PE.

Exam trap

Cisco often tests the misconception that route target configuration is only needed on one PE, or that BGP session status alone guarantees route exchange, when in fact both import and export RTs must match across all PEs participating in the same VRF.

How to eliminate wrong answers

Option A is wrong because increasing the MTU on the link between PE routers would not affect route reachability; MTU issues typically cause packet fragmentation or drops, not missing routes in a VRF. Option B is wrong because LDP targeted sessions are used for MPLS label distribution between non-adjacent routers, but in this scenario the PE routers are already exchanging BGP VPNv4 routes and LDP is not the mechanism for VRF route import/export. Option C is wrong because checking the MPLS label stack on the local PE would verify label switching, but the problem is that the remote PE does not have the routes in its VRF, not that labels are being swapped incorrectly; label swapping issues would cause forwarding failures, not missing routes in the routing table.

1946
Multi-Select · hard

Which three statements about 802.1X port-based authentication are true? (Choose three.)

Select 3 answers
A. The supplicant communicates with the authenticator using EAP over LAN (EAPoL) frames.
B. The authenticator is typically a network switch or wireless access point.
C. The supplicant is the device that provides authentication services, such as a RADIUS server.
D. The authentication server is usually a RADIUS server that validates credentials.
E. 802.1X is only supported on wireless networks and cannot be used on wired switches.
Answers: A, B, D

Correct; EAPoL is the encapsulation used for 802.1X on wired LANs.

Why this answer

802.1X uses EAP over LAN (EAPoL) for communication between supplicant and authenticator, the authenticator is typically a switch, and the authentication server is usually a RADIUS server. Option A is correct because EAPoL is the protocol used. Option B is correct because the switch acts as the authenticator.

Option D is correct because the authentication server is typically RADIUS. Option C is incorrect because the supplicant is the client, not the switch. Option E is incorrect because 802.1X can be used with both wired and wireless networks.

1947
Multi-Select · medium

Which three statements about LACP (Link Aggregation Control Protocol) are true? (Choose three.)

Select 3 answers
A. LACP uses multicast destination address 01-80-c2-00-00-02 for its frames.
B. The LACP system priority is used to determine which switch is the controlling switch in the aggregation.
C. LACP port priority is used to select which ports become active when the number of ports exceeds the maximum allowed.
D. LACP can negotiate EtherChannels with devices that run PAgP.
E. The default LACP system priority on Cisco switches is 32768.
Answers: A, B, C

Correct because LACP uses the IEEE 802.3 Slow Protocols multicast address 01-80-c2-00-00-02.

Why this answer

LACP is an IEEE standard (802.3ad) that allows dynamic EtherChannel formation. It uses system priority and port priority to determine which side controls the aggregation. LACP supports up to 16 links per group (8 active, 8 standby).

It can operate in active or passive modes.

1948
Multi-Select · medium

Which THREE characteristics are true about Cisco StackWise virtual technology? (Choose three.)

Select 2 answers
A. It allows multiple physical switches to operate as a single logical switch.
B. Each member switch must have the same hardware model.
C. The stack can be managed using a single IP address.
D. It requires dedicated stacking cables for interconnectivity.
E. It supports up to 9 member switches in a stack.
Answers: A, C

StackWise virtual creates a single control plane across member switches.

Why this answer

Cisco StackWise Virtual allows multiple physical switches to be interconnected and operate as a single logical entity, simplifying management and improving redundancy. This is achieved by creating a virtual switch domain where control and data planes are unified, so the stack appears as one device to the network.

Exam trap

Cisco often tests the distinction between physical StackWise (cable-based, up to 9 switches, same model required) and StackWise Virtual (Ethernet-based, 2 switches, mixed models allowed), so candidates mistakenly apply the characteristics of physical stacking to StackWise Virtual.

1949
Matching · medium

Drag and drop each queuing mechanism on the left to its matching use case on the right.

Concepts
Matches

Strict priority for delay-sensitive traffic

Guaranteed bandwidth for defined classes

Strict priority queue with CBWFQ for voice/video

Fair queuing for all flows

Why these pairings

PQ provides strict priority for delay-sensitive traffic, CBWFQ guarantees bandwidth for defined classes, LLQ combines strict priority with CBWFQ for real-time traffic, WFQ provides fair queuing for all flows, CBWFQ is used for data traffic requiring bandwidth guarantees.

1950
Multi-Select · medium

Which two statements about OSPF network types are true? (Choose two.)

Select 2 answers
A. On a broadcast multiaccess network, OSPF elects a DR and BDR to reduce LSA flooding.
B. The OSPF point-to-point network type requires a DR/BDR election.
C. On a non-broadcast multiaccess (NBMA) network, OSPF can use the neighbor command to manually discover neighbors.
D. The OSPF point-to-multipoint network type always elects a DR.
E. The default OSPF network type for a loopback interface is point-to-point.
Answers: A, C

Correct because on broadcast networks (e.g., Ethernet), a Designated Router (DR) and Backup DR are elected to minimize the number of adjacencies and flooding.

Why this answer

OSPF network types control how adjacencies are formed and how LSAs are flooded. Broadcast and non-broadcast types require a DR/BDR election, while point-to-point and point-to-multipoint do not. The loopback interface defaults to loopback network type, not point-to-point.
