ENCOR 350-401 (350-401) — Questions 1951–2015

2015 questions total · 27 pages · All types, answers revealed

Page 27 of 27

1951
Drag & Drop · medium

Drag and drop the steps of Cisco DHCP snooping binding table population into the correct order, from first to last.

Why this order

DHCP snooping builds the binding table by first enabling snooping globally, then on specific VLANs, and designating trusted ports. The switch intercepts DHCP messages, extracts client info from ACK packets, and populates the binding table with the lease information.

1952
Matching · medium

Drag and drop each VTP mode on the left to its matching capability on the right.

Matches

Can create, modify, and delete VLANs; advertises VTP updates

Cannot create VLANs; synchronizes from VTP servers

Forwards VTP advertisements but does not process them

Disables VTP; does not forward advertisements

Why these pairings

VTP server advertises and accepts changes; client accepts but cannot create; transparent forwards but does not participate; off disables VTP completely.

1953
MCQ · medium

A network engineer runs the following command on Router R7:

```
R7# show crypto ikev2 sa detail
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, Child count:1
Tunnel-id Local           Remote          Status Role
1         10.1.1.1/4500   10.2.2.2/4500   READY  INITIATOR
      Encr: AES-CBC 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/3600 sec
Child SA: Local selector 10.1.1.0/0 - 10.1.1.255/65535
          Remote selector 10.2.2.0/0 - 10.2.2.255/65535
          ESP spi in/out: 0x12345678/0x87654321
```

Based on this output, what can be concluded?

A. The IKEv2 SA is in a failed state because it is READY.
B. The tunnel is using pre-shared keys for authentication.
C. The tunnel is using RSA signatures for authentication.
D. The IKEv2 SA has expired because the life time is 86400 seconds.
Answer: B

The output shows 'Auth sign: PSK' and 'Auth verify: PSK', confirming PSK authentication.

Why this answer

The IKEv2 SA is UP-ACTIVE with status READY. The encryption is AES-CBC 256, hash SHA256, DH Group 14, and authentication is PSK. The tunnel is working correctly.

1954
MCQ · medium

A network engineer is troubleshooting a model-driven telemetry deployment on a Cisco IOS-XE router. The telemetry subscription is configured to stream interface statistics using gRPC dial-out to a collector at 10.1.1.100:50051. The engineer verifies that the collector is listening on the port and the router can reach it. However, the collector shows no data received. The engineer checks the router's telemetry logs and sees 'Connection refused' errors. What is the most likely cause?

A. The collector's firewall is blocking the connection from the router
B. The gRPC server on the collector is not running or is listening on a different port
C. The telemetry subscription is missing the 'encoding' configuration
D. The router's source-interface is not configured, causing the router to use an unreachable IP
Answer: B

'Connection refused' occurs when the TCP SYN reaches the host but no application is listening on the specified port.

Why this answer

The correct answer is that the collector is not configured to accept gRPC connections, or the gRPC server on the collector is not running. The 'Connection refused' error indicates that the TCP connection is being rejected, typically because the collector's gRPC server is not listening on that port. The other options are incorrect because the router can reach the collector, so firewall is not blocking; the subscription is configured correctly; and the encoding is not the cause of connection refusal.

1955
MCQ · easy

What is the default OSPF hello interval on a broadcast multi-access network (e.g., Ethernet)?

A. 10 seconds
B. 30 seconds
C. 40 seconds
D. 20 seconds
Answer: A

This is the default hello interval for broadcast and point-to-point OSPF networks.

Why this answer

OSPF uses different hello intervals depending on the network type. On broadcast and point-to-point networks, the default hello interval is 10 seconds.

1956
Multi-Select · hard

Which three statements about MPLS Layer 3 VPNs are true? (Choose three.)

Select 3 answers
A. MP-BGP is used to exchange VPNv4 routes between PE routers.
B. Each customer site requires a separate VRF on the PE router.
C. The P router maintains a full routing table for all VPN customers.
D. A single MPLS label is used for both transport and VPN identification.
E. The PE router performs the routing between the CE device and the MPLS core.
Answers: A, B, E

Correct because MP-BGP carries VPNv4 prefixes with route distinguishers and route targets.

Why this answer

MPLS L3VPNs use MP-BGP to exchange VPNv4 routes, require a VRF per customer, and use two labels (IGP label for transport, VPN label for VRF lookup). The PE router performs the routing between CE and the MPLS core.

1957
Drag & Drop · medium

Drag and drop the steps of SNMP trap generation and forwarding into the correct order, from first to last.

Why this order

The SNMP agent monitors the device for a defined event, then builds a trap message including the OID and value, encapsulates it in a UDP packet, looks up the trap destination in the SNMP configuration, and finally forwards the packet to the NMS.

1958
MCQ · medium

A network engineer runs the following command on Router R1:

```
R1# show bgp summary
BGP router identifier 10.0.0.1, local AS number 65001
BGP table version is 14, main routing table version 14
4 network entries using 1152 bytes of memory
4 path entries using 320 bytes of memory
2/1 BGP path/bestpath attribute entries using 560 bytes of memory
0 BGP route reflector client to client reflections
2 BGP community entries using 80 bytes of memory

Neighbor   V    AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down  State/PfxRcd
10.0.1.2   4 65002    2345    2346     14   0    0 00:12:34            3
10.0.1.3   4 65003    1234    1235     14   0    0 00:08:21            2
10.0.1.4   4 65004     567     568     14   0    0 00:05:45            0
```

Based on this output, what can be concluded?

A. Neighbor 10.0.1.4 is in the 'Active' state because it received 0 prefixes.
B. Neighbor 10.0.1.4 has sent 0 prefixes to R1.
C. Neighbor 10.0.1.4 is not advertising any prefixes to R1.
D. The BGP session with 10.0.1.4 is down.
Answer: C

The 0 in the PfxRcd column means R1 has received no prefixes from 10.0.1.4. This is likely because 10.0.1.4 has no routes to advertise or is filtering outbound.

Why this answer

The 'State/PfxRcd' column shows the number of prefixes received from each neighbor. Neighbor 10.0.1.4 has a value of 0, meaning it has not advertised any prefixes to R1. The session is established (Up/Down shows 00:05:45), so the neighbor is reachable and the BGP session is up, but it is not sending any prefixes.

Exam trap

The trap here is that candidates may misinterpret the '0' in the 'State/PfxRcd' column as a session failure or that R1 is not sending prefixes, when it actually indicates the neighbor is not advertising any prefixes to R1.

How to eliminate wrong answers

Option A is wrong because the neighbor is in the 'Established' state (indicated by the Up/Down timer), not 'Active'; the 'Active' state would show a different status in the State/PfxRcd column. Option B is wrong because the 'MsgSent' column (568) indicates messages sent to the neighbor, but the 'State/PfxRcd' column shows prefixes received from the neighbor, not sent by R1. Option D is wrong because the Up/Down timer of 00:05:45 confirms the BGP session is up and established, not down.

1959
MCQ · easy

A network engineer is designing an OSPF network with multiple areas. The engineer wants to ensure that routers in area 2 can reach networks in area 0, but they should not learn any external routes from other ASs. Which OSPF area type should be configured for area 2?

A. Stub area
B. Not-so-stubby area (NSSA)
C. Totally stubby area
D. Standard area
Answer: A

Correct because a stub area blocks type 5 LSAs, preventing external routes from being learned, and uses a default route for external destinations.

Why this answer

A stub area blocks Type 5 LSAs (external routes from other ASs) while allowing Type 3 summary LSAs from area 0. This ensures routers in area 2 can reach networks in area 0 via inter-area routes but do not learn external routes, meeting the requirement exactly.

Exam trap

Cisco often tests the distinction between stub and totally stubby areas: candidates confuse 'blocking external routes' with 'blocking all routes except the default,' forgetting that a stub area still allows inter-area summary LSAs (Type 3) from area 0.

How to eliminate wrong answers

Option B (NSSA) is wrong because it allows Type 7 LSAs to carry external routes into the area, which would still introduce external routes from other ASs, violating the requirement. Option C (totally stubby area) is wrong because it blocks both Type 5 and Type 3 LSAs, preventing routers in area 2 from learning inter-area routes to networks in area 0. Option D (standard area) is wrong because it permits all LSA types, including Type 5 external LSAs, so routers would learn external routes from other ASs.

1960
MCQ · medium

A network engineer checks AAA accounting on a router:

```
R1# show aaa accounting
Accounting method list 'default':
  Type: exec
  Start-stop: group radius
Accounting records:
  Total started: 10
  Total stopped: 8
  Total failed: 2
Last record: user 'admin', start time 00:01:00 UTC Mar 1 2023
```

Based on this output, what can be concluded?

A. All accounting records were successfully sent.
B. Accounting is configured for EXEC sessions using RADIUS.
C. Accounting is performed using TACACS+.
D. No users have logged in since accounting was enabled.
Answer: B

The output shows 'start-stop group radius' for exec type.

Why this answer

The output shows accounting statistics for EXEC sessions. Out of 10 started sessions, 8 were stopped, and 2 failed (likely due to server unreachability or errors). The last record is for user admin.

This indicates some accounting records were not successfully sent to the RADIUS server.

1961
Matching · medium

Match each EIGRP term to its definition.

Matches

Best metric to a destination

Metric advertised by neighbor

Backup route without loops

Primary route with lowest metric

Ensures loop-free backup routes

Why these pairings

EIGRP uses these terms for loop-free path selection.

1962
Drag & Drop · medium

Drag and drop the steps of 802.1X port authentication with MAB fallback into the correct order, from first to last.

Why this order

The switch first attempts 802.1X by sending an EAP-Request/Identity. If no response is received, it initiates MAB by sending a RADIUS Access-Request with the MAC address. The RADIUS server checks the MAC against its database and responds with Access-Accept or Access-Reject.

The switch then opens or blocks the port accordingly.

1963
Drag & Drop · medium

Drag and drop the steps of DHCP failover configuration between primary and standby into the correct order, from first to last.

Why this order

DHCP failover uses a primary-standby relationship. Configure the primary server first with a failover peer, then the standby with the same peer name and IP, and finally enable the pool on both. The servers negotiate roles and start lease synchronization.

1964
MCQ · medium

```
router bgp 65000
 bgp router-id 10.0.0.1
 neighbor 10.0.0.2 remote-as 65001
 neighbor 10.0.0.2 ebgp-multihop 2
 neighbor 10.0.0.2 update-source Loopback0
!
```

What is the purpose of the ebgp-multihop 2 command?

A. It allows the eBGP session to be established with a neighbor that is not directly connected, with a maximum of 2 hops.
B. It sets the maximum number of prefixes that can be received from the neighbor to 2.
C. It limits the number of paths BGP can install for load balancing to 2.
D. It enables BGP multipath for eBGP with a hop count of 2.
Answer: A

Correct. ebgp-multihop increases the TTL to allow multi-hop eBGP.

Why this answer

The ebgp-multihop 2 command allows an eBGP session to be established between peers that are not directly connected at Layer 3. By setting the TTL to 2, it permits the BGP packets to traverse one intermediate router (hop) to reach the neighbor, which is necessary when using loopback interfaces for eBGP peering.

Exam trap

Cisco often tests the distinction between ebgp-multihop (which adjusts TTL for non-directly connected peering) and BGP multipath (which enables load balancing), causing candidates to confuse the two features.

How to eliminate wrong answers

Option B is wrong because the command to set the maximum number of prefixes received from a neighbor is 'neighbor maximum-prefix', not ebgp-multihop. Option C is wrong because BGP multipath for load balancing is configured with 'maximum-paths' (or 'maximum-paths ibgp'/'maximum-paths ebgp'), not with ebgp-multihop. Option D is wrong because ebgp-multihop does not enable BGP multipath; it only adjusts the TTL to allow non-directly connected eBGP peering, while multipath is a separate feature for load balancing across multiple equal-cost paths.

1965
MCQ · easy

A network engineer is configuring OSPF on a router that has multiple interfaces in the same area. The engineer wants to ensure that the router does not become the designated router (DR) on any of these interfaces. What should the engineer do?

A. Set the OSPF priority to 0 on all interfaces.
B. Configure the OSPF network type as point-to-point on all interfaces.
C. Use the 'ip ospf dr-priority' command to set a high priority on other routers.
D. Configure the router as an ABR.
Answer: A

Correct because a priority of 0 means the router will not be elected as DR or BDR.

Why this answer

Setting the OSPF priority to 0 on all interfaces prevents the router from participating in the DR/BDR election process. A router with priority 0 will never become the DR or BDR on any segment, regardless of its Router ID or other factors. This is the only method that guarantees the router will not be elected as DR on any interface.

Exam trap

The trap here is that candidates often confuse DR/BDR election prevention with network type changes, thinking that point-to-point is the only way to avoid DR election, but the priority 0 method is the direct and correct answer for preventing a specific router from becoming DR without altering the network type.

How to eliminate wrong answers

Option B is wrong because configuring the OSPF network type as point-to-point eliminates the need for a DR/BDR election entirely, but it does not prevent the router from becoming the DR on interfaces that are not point-to-point; it changes the election behavior on those specific interfaces, but the question asks for a solution that works on all interfaces without altering the network type. Option C is wrong because setting a high priority on other routers does not guarantee that this router will not become the DR; if those other routers are not present or have lower Router IDs, this router could still be elected. Option D is wrong because configuring the router as an ABR (Area Border Router) has no effect on DR/BDR election; ABR status is about routing between areas, not about interface election roles.

1966
Matching · medium

Drag and drop each OSPF LSA type on the left to its matching description on the right.

Matches

Describes the router's own directly connected links and neighbors

Generated by the Designated Router to describe all routers attached to a multi-access segment

Advertises networks from one area into another area (inter-area routes)

Advertises the location of an Autonomous System Boundary Router (ASBR)

Advertises routes redistributed from another routing domain (external routes)

Why these pairings

LSA Type 1 (Router LSA) describes a router's own links; Type 2 (Network LSA) is generated by the DR; Type 3 (Summary LSA) advertises inter-area routes; Type 4 (ASBR Summary LSA) advertises the location of an ASBR; Type 5 (AS External LSA) advertises external routes.

1967
Drag & Drop · medium

Drag and drop the BGP graceful restart negotiation steps into the correct order, from first to last.

Why this order

First, both peers advertise the graceful restart capability in the OPEN message. Then they exchange the restart time and stale-path timer via capabilities. Next, the helper router marks routes as stale upon session failure.

After that, the restarting router re-establishes the session. Finally, the helper removes stale routes if not refreshed.

1968
Matching · medium

Drag and drop each VRF component on the left to its matching function on the right.

Matches

Makes an IPv4 prefix globally unique across the MPLS VPN network

Controls which routes are imported into or exported from a VRF

Stores routing information for the VRF instance

Contains the IP routing table and forwarding table for the VRF

Used for MPLS label switching to forward traffic within the VPN

Why these pairings

The Route Distinguisher (RD) makes a customer prefix globally unique; the Route Target (RT) controls import/export of routes between VRFs; the RIB stores routing information for the VRF; the VRF table holds the IP routing table for the VRF; the VRF label is used for MPLS forwarding.

1969
Drag & Drop · medium

Drag and drop the steps of STP root bridge election and port state transitions into the correct order, from first to last.

Why this order

STP first elects a root bridge based on lowest bridge ID. Then each non-root bridge selects one root port (lowest path cost to root). Next, each segment elects a designated port (lowest root path cost, then lowest bridge ID).

All other ports become alternate (blocking). Finally, ports transition through blocking, listening, learning, and forwarding states.

1970
Matching · medium

Drag and drop each IKEv2 exchange on the left to its matching phase on the right.

Matches

Phase 1 key agreement

Phase 2 authentication and policy

Rekey or additional SA

Error and status exchange

Phase 1 response with DH public value

Why these pairings

IKE_SA_INIT is phase 1 for key agreement; IKE_AUTH is phase 2 for authentication and policy; CREATE_CHILD_SA is used for rekeying or additional SAs.

1971
MCQ · medium

A company is implementing a WAN optimization solution using Cisco WAAS. The engineer configures WAAS devices at the data center and remote branch. The WAAS devices are configured to use inline mode. However, the engineer notices that optimized traffic is not being intercepted. The WAAS devices are directly connected to the WAN router and the LAN switch. What is the most likely cause?

A. The WAAS device is not configured with the correct WAN and LAN interfaces.
B. The WAN router is not configured with WCCP or PBR to redirect traffic to the WAAS device.
C. The WAAS device is not licensed for optimization.
D. The WAAS device is using a different subnet than the LAN and WAN.
Answer: B

Correct. Without WCCP or PBR, the WAN router will forward traffic directly, bypassing the WAAS device.

Why this answer

In inline mode, WAAS devices must be physically placed in the traffic path. The WAAS device must be configured with the correct WAN and LAN interfaces, and the WAN router must be configured to redirect traffic to the WAAS device using WCCP or Policy Based Routing (PBR). If the WAN router is not configured to redirect traffic, the WAAS device will not see the traffic.

1972
MCQ · easy

A network engineer needs to automate the backup of running configurations from multiple Cisco IOS XE devices to a central TFTP server. Which tool is best suited for this task in a Python-based automation framework?

A. RESTCONF
B. Ansible
C. Paramiko
D. Netmiko
Answer: C

Paramiko provides SSH connectivity to network devices.

Why this answer

Paramiko is a Python library that implements the SSHv2 protocol, allowing direct, low-level SSH connections to network devices. For backing up running configurations to a TFTP server, Paramiko can execute the `copy running-config tftp:` command on each device, providing the necessary interactive session handling. While Netmiko is built on Paramiko, it is a higher-level library that abstracts away some of the low-level control; for a simple, script-driven backup task, Paramiko offers the direct SSH access needed without additional overhead.

Exam trap

Cisco often tests the distinction between low-level SSH libraries (Paramiko) and higher-level abstractions (Netmiko), trapping candidates who assume Netmiko is always better because it is more popular, when the question emphasizes a simple, direct SSH task where Paramiko's lower-level control is actually more appropriate.

How to eliminate wrong answers

Option A is wrong because RESTCONF is a RESTful API for YANG-defined data models, used for programmatic configuration and state retrieval, but it does not provide a mechanism to execute CLI commands like `copy running-config tftp:`; it is designed for NETCONF/YANG-based automation, not for sending arbitrary IOS commands. Option B is wrong because Ansible is a configuration management and automation tool that can be used for network backups, but it is not a Python library; the question specifically asks for a tool in a Python-based automation framework, and Ansible is a separate tool that uses YAML playbooks, not a Python library for direct SSH scripting. Option D is wrong because Netmiko is a high-level Python library that simplifies SSH connections to network devices, but it is built on top of Paramiko and adds abstractions like multi-vendor support and simplified command execution; for a straightforward backup task, Paramiko is more fundamental and directly suited, and Netmiko's additional features are unnecessary overhead.

1973
Drag & Drop · medium

Drag and drop the steps of QoS pre-classify for encrypted VPN traffic into the correct order, from first to last.

Why this order

QoS pre-classify copies original IP precedence/DSCP before encryption, so the VPN tunnel interface can apply QoS policies based on original markings. The order ensures classification occurs before encryption and is preserved after encapsulation.

1974
Drag & Drop · medium

Drag and drop the 802.11r Fast BSS Transition (FT) roaming steps into the correct order, from first to last.

Why this order

802.11r FT roaming uses a fast handshake. The client sends an FT Authentication request to the new AP, which replies with an FT Authentication response. Then the client sends an FT Reassociation Request, the new AP confirms, and finally the client installs the PMK keys.

1975
Matching · medium

Drag and drop each DHCPv6 mode on the left to its matching address assignment method on the right.

Matches

Server assigns both IPv6 address and configuration parameters

Server provides only configuration parameters; address from SLAAC

Host generates its own IPv6 address using Router Advertisement prefix and EUI-64

Delegates an IPv6 prefix to a downstream router

Security feature that blocks unauthorized Router Advertisements

Why these pairings

Stateful DHCPv6 assigns both IPv6 address and other parameters. Stateless DHCPv6 provides only parameters (DNS, domain), while addresses come from SLAAC. SLAAC uses Router Advertisements for prefix and EUI-64.

DHCPv6-PD delegates prefixes. RA Guard prevents rogue RAs.

1976
MCQ · hard

A network engineer runs the following command on Router R6:

```
R6# show ip pim neighbor
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
      S - State Refresh Capable, G - GenID Capable, L - DR Load Balancing Capable
Neighbor Address  Interface           Uptime    Expires   Mode
10.0.0.2          GigabitEthernet0/0  02:15:30  00:01:25  DR (DR)
10.0.0.3          GigabitEthernet0/0  02:15:28  00:01:27  B S
```

Based on this output, what can be concluded?

A. Router R6 is the PIM Designated Router on this segment.
B. The neighbor 10.0.0.2 is the PIM Designated Router.
C. The neighbor 10.0.0.3 supports bidirectional PIM.
D. Both neighbors are capable of state refresh.
Answer: B

The mode column shows 'DR' for 10.0.0.2, indicating it is the DR.

Why this answer

The output shows PIM neighbors on interface GigabitEthernet0/0. The neighbor 10.0.0.2 has mode 'DR (DR)', indicating it is the Designated Router on this segment. The neighbor 10.0.0.3 has mode 'B S', meaning it is Bidir capable and State Refresh capable.

The key is that R6 itself is not the DR because the neighbor 10.0.0.2 is marked as DR.

1977
Matching · medium

Drag and drop each control plane protection feature on the left to its matching threat on the right.

Matches

CPU overload from excessive control plane traffic

IP spoofing attacks

Rogue DHCP server

ARP cache poisoning

IP spoofing on access ports

Why these pairings

CoPP protects against CPU overload; uRPF against IP spoofing; DHCP snooping against rogue DHCP server; DAI against ARP cache poisoning; IP Source Guard against IP spoofing on access ports.

1978
MCQ · hard

Refer to the exhibit. R1 has two equal-cost OSPF E2 routes to 10.1.1.0/24 via two different next hops. However, when tracing to 10.1.1.1, all traffic uses the path through 10.0.1.2. What is the most likely reason?

A. One route has a higher administrative distance.
B. A default route is overriding the specific route.
C. The route via 10.0.2.2 is an E1 route.
D. OSPF E2 routes do not factor interface cost, but the router uses the interface cost as a tie-breaker for equal-cost routes.
Answer: D

Correct: When E2 metrics are equal, some implementations prefer the path with lower interface cost.

Why this answer

OSPF E2 routes do not include the internal cost to the ASBR; the cost shown in the routing table is the external metric only. When two E2 routes have the same external metric, Cisco IOS uses the interface cost as a tie-breaker to select the best next hop. In this scenario, the interface to 10.0.1.2 has a lower cost than the interface to 10.0.2.2, so all traffic is forwarded via 10.0.1.2.

Exam trap

Cisco often tests the subtle tie-breaking behavior for OSPF E2 routes, where candidates mistakenly assume that equal-cost E2 routes will always be load-balanced, ignoring the interface cost tie-breaker that Cisco IOS applies.

How to eliminate wrong answers

Option A is wrong because administrative distance is a per-protocol preference and both routes are OSPF E2 routes, so they share the same AD (110 by default). Option B is wrong because a default route would only be used if no specific route to 10.1.1.0/24 existed; the router has two specific routes and will use them, not a default. Option C is wrong because if the route via 10.0.2.2 were an E1 route, it would include the internal cost to the ASBR, making its total metric higher than the E2 route, and it would not be considered equal-cost; the question states both are equal-cost E2 routes.

1979
MCQ · medium

A network engineer runs the following command on Router R1:

```
R1# show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address     Interface
192.168.1.2       1   FULL/DR         00:00:38    10.0.0.2    GigabitEthernet0/0
192.168.1.3       1   2WAY/DROTHER    00:00:32    10.0.0.3    GigabitEthernet0/0
```

Based on this output, what can be concluded?

A. R1 is the Designated Router (DR) on this segment.
B. R1 is the Backup Designated Router (BDR) on this segment.
C. R1 is a DROTHER on this segment.
D. The OSPF network type is point-to-point.
Answer: B

R1 has a FULL adjacency with the DR (192.168.1.2) and a 2WAY adjacency with the DROTHER (192.168.1.3), which is characteristic of a BDR.

Why this answer

The output shows two OSPF neighbors on the same interface. The neighbor 192.168.1.2 is in FULL state and is the Designated Router (DR), while 192.168.1.3 is in 2WAY state and is a DROTHER. This indicates that R1 is the Backup Designated Router (BDR) because it has a FULL adjacency with the DR but only a 2WAY state with the DROTHER.

The Dead Time values are still counting down, indicating the neighbors are alive.

1980
MCQ · hard

A network engineer runs the following debug on a router:

```
R1# debug aaa authentication
*Mar 1 00:01:23.456: AAA/BIND(00000001): Bind iplist
*Mar 1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Pick method list 'default'
*Mar 1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Method=RADIUS
*Mar 1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): RADIUS server 10.1.1.10:1812, timeout 5, retransmit 2
*Mar 1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Sent username 'admin', password ****
*Mar 1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Received PASS response
*Mar 1 00:01:23.456: AAA/AUTHEN/LOGIN (00000001): Pass
```

Based on this output, what can be concluded?

A. Authentication failed due to incorrect password.
B. The router used TACACS+ for authentication.
C. The RADIUS server 10.1.1.10 authenticated the user successfully.
D. The user 'admin' was authenticated using local database.
Answer: C

The debug confirms a successful PASS response from the RADIUS server.

Why this answer

The debug output shows a successful AAA authentication using RADIUS. The router selected the default method list, used RADIUS as the first method, sent credentials to server 10.1.1.10, and received a PASS response. The 'Pass' message indicates authentication succeeded.

1981
MCQ · easy

An engineer is configuring SPAN on a Cisco Catalyst 9300 switch to monitor traffic from a port that is part of an EtherChannel (Port-channel 1). The monitoring station is on port Gi1/0/24. Which configuration should the engineer use to capture traffic from the EtherChannel?

A. Configure 'monitor session 1 source interface Port-channel 1 both' and 'monitor session 1 destination interface Gi1/0/24'.
B. Configure 'monitor session 1 source interface Gi1/0/1 both' (where Gi1/0/1 is a member of the EtherChannel) and 'monitor session 1 destination interface Gi1/0/24'.
C. Configure 'monitor session 1 source vlan 100' (the VLAN of the EtherChannel) and 'monitor session 1 destination interface Gi1/0/24'.
D. Configure an RSPAN VLAN and use 'monitor session 1 source interface Port-channel 1' and 'monitor session 1 destination remote vlan 999'.
Answer: A

Correct; SPAN can source from a port-channel interface, capturing all traffic on the EtherChannel.

Why this answer

SPAN can source from an EtherChannel interface. The correct answer is to use the port-channel interface as the source. Option B is incorrect because individual member ports cannot be used as SPAN sources if they are part of an EtherChannel; the SPAN session must reference the port-channel.

Option C is incorrect because VLAN-based SPAN would capture all traffic on that VLAN, not just the EtherChannel. Option D is incorrect because RSPAN is not needed.

1982
Multi-Select · medium

Which two statements about IP SLA with object tracking are true? (Choose two.)

Select 2 answers
A. A tracking object can monitor the state of an IP SLA operation and change state when the operation fails.
B. The 'track' command is used to create a tracking object that references an IP SLA operation by its operation number.
C. Object tracking can only be used with static routes, not with dynamic routing protocols like EIGRP or OSPF.
D. The tracking object automatically modifies the routing table when the IP SLA operation fails.
E. An IP SLA operation can be configured after the tracking object that references it.
Answers: A, B

Correct because the tracking object uses the IP SLA operation's success/failure to determine its own state (up/down).

Why this answer

Object tracking allows IP SLA operations to influence routing decisions. The 'track' command is used to create a tracking object that monitors the state of an IP SLA operation. When the IP SLA operation fails, the tracked object changes state, which can then be used to adjust routing, such as floating static routes.

The tracking object can be referenced by multiple routing protocols or static routes. The tracking object does not directly modify the routing table; it provides a state that other features use. The IP SLA operation must be configured before the tracking object can reference it.

1983
MCQ · hard

A network administrator runs the following debug on a router:

```
R1# debug aaa authorization
*Mar 1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Processing author request for user 'jdoe'
*Mar 1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Method=TACACS+
*Mar 1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): TACACS+ server 10.1.1.10:49, timeout 5
*Mar 1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Sent author request
*Mar 1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Received PASS response
*Mar 1 00:02:45.678: AAA/AUTHOR/EXEC(00000002): Pass
```

Based on this output, what can be concluded?

A. The user jdoe failed authorization.
B. Authorization was performed using RADIUS.
C. The TACACS+ server authorized the user successfully.
D. The user was authenticated but not authorized.
Answer: C

The debug confirms a PASS response from the TACACS+ server.

Why this answer

The debug shows a successful EXEC authorization using TACACS+. The router sent an authorization request for user jdoe to TACACS+ server 10.1.1.10 and received a PASS response. This indicates the user was authorized to access the EXEC shell.

1984
Matching · medium

Drag and drop each NAT type on the left to its matching description on the right.

Concepts
Matches

Maps a single inside local address to a single inside global address

Maps inside local addresses to a pool of inside global addresses

Maps multiple inside local addresses to a single inside global address using port numbers

Another term for NAT overload

Translates private IP addresses to public IP addresses

Why these pairings

Static NAT maps a private IP to a fixed public IP; dynamic NAT uses a pool of public IPs; overload (PAT) maps multiple private IPs to a single public IP using port numbers; PAT is synonymous with overload.

1985
MCQ · hard

A network engineer is designing a data center network using Cisco ACI. The design must support multiple tenants with isolated policies. The engineer needs to ensure that traffic between endpoints in different tenants is blocked by default. Which ACI construct provides this isolation?

A. Tenant
B. VRF
C. Bridge Domain
D. Contract
Answer: A

Correct because tenants in ACI provide administrative and policy isolation; endpoints in different tenants cannot communicate unless a contract is created between them.

Why this answer

In Cisco ACI, a Tenant is the top-level logical container that provides administrative and policy isolation. By default, endpoints in different tenants cannot communicate because each tenant has its own separate policy domain, and no contracts exist between them. This makes the Tenant the correct construct for ensuring traffic between different tenants is blocked by default.

Exam trap

Cisco often tests the misconception that VRFs or Bridge Domains provide cross-tenant isolation, but the trap here is that VRFs and BDs are scoped within a single tenant and do not inherently block traffic between different tenants—only the Tenant construct enforces default isolation.

How to eliminate wrong answers

Option B is wrong because a VRF (Virtual Routing and Forwarding) provides Layer 3 network segmentation within a tenant, but it does not enforce policy isolation between tenants; multiple VRFs can exist within the same tenant and inter-VRF traffic can be allowed via contracts. Option C is wrong because a Bridge Domain (BD) is a Layer 2 forwarding construct within a tenant that defines a subnet and associated VRF, but it does not provide cross-tenant isolation; BDs are scoped to a single tenant. Option D is wrong because a Contract defines the rules for allowed communication between endpoint groups (EPGs) within or across tenants, but it is not the default isolation mechanism; contracts are used to explicitly permit traffic, whereas isolation between tenants is inherent to the Tenant construct itself.

1986
Matching · medium

Drag and drop each infrastructure hardening technique on the left to its matching configuration command on the right.

Concepts
Matches

shutdown

banner login

ip ssh version 2

access-class

security passwords min-length

Why these pairings

Disable unused ports with 'shutdown', set a login banner with 'banner login', enable SSH with 'ip ssh version 2', restrict VTY access with 'access-class', and set a minimum password length with 'security passwords min-length'.

1987
Drag & Drop · medium

Drag and drop the steps of Metro Ethernet E-Line service provisioning into the correct order, from first to last.

Why this order

Metro Ethernet E-Line provisioning begins with defining the service requirements, then the provider assigns VLAN IDs and configures the UNI ports, sets up the EVC between the two sites, applies QoS policies, and finally tests the circuit for connectivity. The correct order is: define service requirements and bandwidth, assign VLAN IDs and configure UNI ports, set up EVC between two sites, apply QoS policies, test circuit for connectivity.

1988
MCQ · hard

An engineer is configuring a site-to-site VPN between two Cisco routers using IPsec with IKEv2. The engineer wants to use a pre-shared key. The configuration on both routers includes: crypto ikev2 proposal default, encryption aes-cbc-256, integrity sha256, group 14. The engineer also configures crypto ikev2 keyring and crypto ikev2 profile. The tunnel does not establish. The engineer sees that the IKEv2 SA is not created. What is the most likely missing configuration?

A. The IKEv2 proposal is not configured correctly.
B. The IKEv2 profile is not attached to the crypto map or interface.
C. The IPsec transform set is missing.
D. The pre-shared key is not defined in the keyring.
Answer: B

Correct because the profile must be applied to activate the configuration.

Why this answer

In IKEv2, the crypto ikev2 profile must be applied to the interface or the crypto map. Without applying the profile, the router will not use the configured keyring and proposal. Option B is correct because the profile must be attached.

Option A is incorrect because the proposal is configured. Option C is incorrect because the transform set is for IPsec, not IKE. Option D is incorrect because the keyring is configured.

1989
MCQ · medium

A network engineer runs the following command on Router R1:

```
R1# show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.2          1   FULL/DR         00:00:38    192.168.1.2     GigabitEthernet0/0
10.0.0.3          1   2WAY/DROTHER    00:00:32    192.168.1.3     GigabitEthernet0/0
10.0.0.4          1   FULL/BDR        00:00:35    192.168.1.4     GigabitEthernet0/0
```

Based on this output, what can be concluded?

A. Router R1 is the DR on this segment.
B. Router R1 is the BDR on this segment.
C. Router R1 is a DROTHER on this segment.
D. Router R1 has no OSPF neighbors.
Answer: C

R1 has a FULL adjacency with DR and BDR, but only 2WAY with another DROTHER, indicating R1 is also a DROTHER.

Why this answer

The output shows OSPF neighbors on a multi-access network. The router with the highest priority becomes DR, and the next highest becomes BDR. Here, 10.0.0.2 is DR (FULL/DR), 10.0.0.4 is BDR (FULL/BDR), and 10.0.0.3 is a DROTHER (2WAY/DROTHER).

The router R1 itself is not shown, but its state is implied: since it has a FULL adjacency with DR and BDR, but only 2WAY with DROTHER, R1 is likely a DROTHER.

1990
MCQ · hard

A company is deploying an SD-Access fabric with a centralized policy model. The design must ensure that all traffic between virtual networks (VNs) is inspected by a firewall. Which fabric role should be used to enforce this inter-VN policy?

A. Fabric border node
B. Fabric edge node
C. Fabric control plane node
D. Fabric WAN router
Answer: A

Border nodes can apply policy-based routing to steer inter-VN traffic to a firewall.

Why this answer

In a centralized policy model for SD-Access, the fabric border node is the correct role to enforce inter-VN traffic policies because it is the only node that can route traffic between different virtual networks (VNs) while applying firewall inspection. The border node connects the fabric to external networks and, when configured with a firewall, can enforce policies such as IP-based ACLs or zone-based firewalls for traffic crossing VNs. This design ensures that all inter-VN traffic is funneled through the border node for inspection, aligning with the centralized policy model where policy enforcement occurs at the network edge.

Exam trap

Cisco often tests the misconception that fabric edge nodes enforce all policies, but the trap here is that inter-VN traffic requires a routing point (the border node) to apply firewall inspection, while edge nodes only enforce intra-VN policies like SGT-based access control.

How to eliminate wrong answers

Option B (Fabric edge node) is wrong because fabric edge nodes are responsible for attaching endpoints to the fabric and enforcing host-level policies (e.g., SGT-based policies) within a single VN, not for routing or inspecting traffic between VNs. Option C (Fabric control plane node) is wrong because the control plane node handles LISP mapping and registration (e.g., EID-to-RLOC mappings) and does not participate in data-plane forwarding or policy enforcement. Option D (Fabric WAN router) is wrong because a WAN router connects the fabric to external WAN networks (e.g., MPLS or Internet) and is not specifically designed for inter-VN policy enforcement within the fabric; inter-VN traffic is typically routed through the border node, not the WAN router.

1991
Multi-Select · easy

Which TWO of the following are benefits of implementing a spine-leaf architecture in a data center?

Select 2 answers
A. Provides predictable latency for east-west traffic.
B. Eliminates the need for spanning-tree protocol.
C. Reduces the amount of cabling required.
D. Simplifies scalability by adding leaf switches without redesign.
E. Eliminates the need for firewall appliances.
Answers: A, D

Any leaf-to-leaf path has an equal number of hops, ensuring consistent latency.

Why this answer

In a spine-leaf architecture, every leaf switch connects to every spine switch, creating a full mesh topology. This design ensures that any east-west traffic (server-to-server) traverses exactly one spine hop, providing consistent and predictable latency regardless of which leaf switches the source and destination are connected to.

Exam trap

Cisco often tests the misconception that spine-leaf reduces cabling or eliminates all protocols like STP and firewalls, when in fact it increases cabling and only removes Layer 2 loops while still requiring routing protocols and security appliances.

1992
Drag & Drop · medium

Drag and drop the steps of iBGP route reflection configuration into the correct order, from first to last.

Why this order

First, you enable the BGP process and define the local AS. Then you configure the router as a route reflector using the neighbor route-reflector-client command. Next, you specify the cluster ID if needed, then adjust the next-hop behavior with next-hop-self.

Finally, you verify the configuration with show ip bgp neighbors.

1993
Drag & Drop · medium

Drag and drop the steps of SD-Access fabric endpoint registration into the correct order, from first to last.

Why this order

The correct order begins with the endpoint sending an ARP or DHCP request, the edge node detecting the new endpoint, registering it with the control plane (LISP), the control plane updating the map server, and finally the edge node installing the necessary forwarding entries. This sequence ensures the endpoint is properly discovered and integrated into the fabric.

1994
MCQ · hard

A network engineer runs the following command on Router R1:

```
R1# show bgp ipv4 unicast 10.0.0.0/8
BGP routing table entry for 10.0.0.0/8, version 25
Paths: (2 available, best #2, table default)
  Advertised to update-groups:
     1
  Refresh Epoch 1
  65050 65100
    10.0.1.2 from 10.0.1.2 (10.0.0.2)
      Origin IGP, metric 0, localpref 100, weight 0, valid, external
      rx pathid: 0, tx pathid: 0x0
  65050
    10.0.1.3 from 10.0.1.3 (10.0.0.3)
      Origin IGP, metric 0, localpref 100, weight 0, valid, external, best
      rx pathid: 0, tx pathid: 0x0
```

Based on this output, what can be concluded?

A. Path #1 is the best path because it has a longer AS_PATH, indicating more specific routing.
B. Path #2 is the best path because it has a shorter AS_PATH.
C. Both paths are equally preferred, and BGP uses tie-breaking rules like router ID.
D. Path #2 is the best path because it is received from a higher IP address.
Answer: B

Path #2 has AS_PATH length 1 (65050) while path #1 has length 2 (65050 65100). Shorter AS_PATH is preferred.

Why this answer

BGP selects the best path based on a set of well-defined tie-breaking rules. After comparing weight, local preference, and origin, the next step is AS_PATH length. Path #2 has an AS_PATH of '65050' (one AS), while Path #1 has '65050 65100' (two ASes).

Since a shorter AS_PATH is preferred, Path #2 is chosen as the best path, making option B correct.

Exam trap

Cisco often tests the BGP best-path selection order, and the trap here is that candidates may assume that a longer AS_PATH indicates a more specific or preferred route, or that the path with the higher neighbor IP address is chosen, when in fact BGP strictly prefers the shortest AS_PATH at this stage of the decision process.

How to eliminate wrong answers

Option A is wrong because a longer AS_PATH is actually less preferred in BGP best-path selection, not more specific; AS_PATH length is a metric for path preference, not route specificity. Option C is wrong because the paths are not equally preferred; the output explicitly shows that Path #2 is the best due to a shorter AS_PATH, and BGP tie-breaking rules are applied sequentially, not arbitrarily. Option D is wrong because BGP does not compare neighbor IP addresses as a tie-breaker at this stage; the shorter AS_PATH is the decisive factor here, and router ID or IP address comparisons only come into play much later in the BGP decision process.

1995
MCQ · easy

A network administrator is configuring a new VLAN 100 on a switch and wants to ensure that the VLAN is created and active. Which command is required to create a VLAN in the VLAN database?

A. interface vlan 100
B. name VLAN100
C. vlan 100
D. switchport access vlan 100
Answer: C

This command creates VLAN 100 and enters VLAN configuration mode.

Why this answer

The 'vlan 100' command is executed in global configuration mode to create a VLAN in the VLAN database on a Cisco IOS switch. This command creates the VLAN and places the switch into VLAN configuration mode, where optional parameters like name can be set. The VLAN is active immediately upon creation, provided the switch is in VTP server or transparent mode.

Exam trap

Cisco often tests the distinction between creating a VLAN with 'vlan <id>' versus creating an SVI with 'interface vlan <id>', leading candidates to confuse Layer 2 VLAN creation with Layer 3 interface configuration.

How to eliminate wrong answers

Option A is wrong because 'interface vlan 100' creates a Layer 3 switched virtual interface (SVI) for routing, not the VLAN itself. Option B is wrong because 'name VLAN100' is a subcommand used within VLAN configuration mode to assign a name to an existing VLAN, not to create the VLAN. Option D is wrong because 'switchport access vlan 100' assigns an access port to VLAN 100, but the VLAN must already exist or be dynamically created via VTP; it does not create the VLAN in the database.

1996
Drag & Drop · medium

Drag and drop the steps of EIGRP variance-based unequal-cost load balancing into the correct order, from first to last.

Why this order

First, the EIGRP process must be configured. Then, the variance multiplier is set to allow feasible successors with higher metrics. Optionally, the maximum-paths command can increase the number of paths.

Finally, verification confirms multiple routes in the routing table.

1997
MCQ · easy

A network engineer runs the following command on a Cisco WLC:

```
WLC# show wlan summary

WLAN ID  SSID        Status    Security  Interface
1        Guest       Enabled   Open      guest-vlan
2        Corporate   Enabled   WPA2      corp-vlan
3        IoT         Disabled  WPA2      iot-vlan
4        Management  Enabled   WPA2      mgmt-vlan
```

Based on this output, what can be concluded?

A. All WLANs are currently active and serving clients.
B. WLAN 3 is not operational because it is disabled.
C. The Guest WLAN uses WPA2 security.
D. The Management WLAN is on the guest-vlan interface.
Answer: B

The Status column shows Disabled for WLAN 3.

Why this answer

The output shows WLANs and their status. WLAN 3 (IoT) is disabled, meaning it is not broadcasting or accepting clients. The other WLANs are enabled.

1998
MCQ · hard

A network engineer runs the following command on Router R1:

```
R1# show ip access-lists
Extended IP access list 150
    10 permit tcp 10.0.0.0 0.255.255.255 any eq 23 (2 matches)
    20 deny tcp any any eq 23 (8 matches)
    30 permit tcp 172.16.0.0 0.0.255.255 any eq 22 (4 matches)
    40 deny tcp any any eq 22 (1 match)
    50 permit ip any any (15 matches)
```

Based on this output, what can be concluded?

A. Telnet from 192.168.1.0/24 would be denied, and SSH from 10.0.0.0/8 would be denied.
B. Telnet from 10.0.0.0/8 is denied.
C. SSH from 172.16.0.0/16 is denied.
D. All traffic is permitted.
Answer: A

Telnet from 192.168.1.0/24 matches entry 20 (deny), and SSH from 10.0.0.0/8 does not match entry 30 (which permits only from 172.16.0.0/16), so it matches entry 40 (deny).

Why this answer

ACL 150 permits Telnet (port 23) from 10.0.0.0/8, denies Telnet from all other sources, permits SSH (port 22) from 172.16.0.0/16, denies SSH from all other sources, and permits all other IP traffic. The match counts show 2 Telnet packets from 10.x.x.x, 8 denied Telnet packets from other sources, 4 SSH packets from 172.16.x.x, 1 denied SSH packet from another source, and 15 other packets. The correct answer is that Telnet from 192.168.1.0/24 would be denied, and SSH from 10.0.0.0/8 would be denied because it does not match the SSH permit entry.

1999
MCQ · easy

In OSPF, which LSA type is used to describe routes to networks within the same area and is generated by the router that owns the network?

A. Type 1 (Router LSA)
B. Type 2 (Network LSA)
C. Type 3 (Summary LSA)
D. Type 5 (External LSA)
Answer: A

Type 1 LSAs advertise the router's links and are the most basic LSA type.

Why this answer

Type 1 (Router LSA) is correct because each OSPF router generates a Type 1 LSA to describe its directly connected links and networks within the same area. This LSA is flooded only within the originating area and is the fundamental building block for intra-area route calculation using the SPF algorithm.

Exam trap

Cisco often tests the distinction between the router that originates the LSA (Type 1) versus the DR that generates the LSA for the network segment (Type 2), causing candidates to confuse the 'owner' of the network with the DR's role.

How to eliminate wrong answers

Option B (Type 2 Network LSA) is wrong because it is generated by the Designated Router (DR) on a broadcast or NBMA network to describe the routers attached to that segment, not by the router that owns the network. Option C (Type 3 Summary LSA) is wrong because it is generated by an Area Border Router (ABR) to advertise routes from one area to another, not for intra-area networks. Option D (Type 5 External LSA) is wrong because it is generated by an Autonomous System Boundary Router (ASBR) to advertise routes redistributed from outside the OSPF domain, not for networks within the same area.

2000
MCQ · medium

Review the following IP SLA configuration on Router R1:

```
ip sla 3
 icmp-echo 10.3.3.3
 frequency 30
ip sla schedule 3 life forever start-time now
ip sla reaction-configuration 3 react rtt threshold-type xof 5 threshold-value 100 action-type triggerAndReset
```

What is the purpose of the 'threshold-type xof 5' parameter?

A. It triggers an event if 5 out of the last 10 RTT measurements exceed 100 ms.
B. It triggers an event if 5 consecutive RTT measurements exceed 100 ms.
C. It triggers an event if the RTT exceeds 100 ms for 5 seconds.
D. It triggers an event if the RTT exceeds 100 ms and then repeats 5 times.
Answer: B

'xof 5' means 5 consecutive measurements must exceed the threshold to trigger the event.

Why this answer

'threshold-type xof 5' means the trigger will occur if 5 consecutive RTT measurements exceed the threshold value of 100 ms. This helps avoid false triggers from transient spikes.

2001
MCQ · hard

A network engineer is using the Cisco DNA Center REST API to retrieve the list of devices. The API call returns the following JSON response:

```json
{
  "response": [
    {
      "id": "device-123",
      "hostname": "Router1",
      "managementIpAddress": "10.10.20.1",
      "softwareVersion": "17.3.3",
      "platformId": "ISR4451-X/K9"
    },
    {
      "id": "device-456",
      "hostname": "Switch1",
      "managementIpAddress": "10.10.20.2",
      "softwareVersion": "16.12.5",
      "platformId": "C9300-24P"
    }
  ],
  "version": "1.0"
}
```

The engineer wants to filter the results to only show devices with software version 17.3.3. Which of the following API query parameters should be used?

A. /dna/intent/api/v1/network-device?softwareVersion=17.3.3
B. /dna/intent/api/v1/network-device?version=17.3.3
C. /dna/intent/api/v1/network-device?osVersion=17.3.3
D. /dna/intent/api/v1/network-device?filter=softwareVersion:17.3.3
Answer: A

The DNA Center API allows filtering by softwareVersion directly in the query string.

Why this answer

DNA Center API supports filtering using query parameters. The correct parameter to filter by software version is 'softwareVersion'.

2002
Multi-Select · hard

Which three statements about DMVPN phase 2 are true? (Choose three.)

Select 3 answers
A. Spokes can dynamically establish direct tunnels with each other after learning the destination spoke's public address via NHRP.
B. The hub router must be configured with a static crypto map for each spoke.
C. Data traffic between spokes is forwarded through the hub by default.
D. Routing protocols such as EIGRP or OSPF can be run over the DMVPN tunnel interfaces.
E. NHRP redirect and shortcut features are used to enable spoke-to-spoke communication.
Answers: A, D, E

Correct because in phase 2, NHRP allows spokes to resolve the public IP of other spokes and build direct mGRE tunnels.

Why this answer

DMVPN phase 2 allows spoke-to-spoke tunnels after initial hub registration, uses NHRP to resolve spoke addresses, and supports spoke-to-spoke direct communication without hub forwarding of data traffic. The hub still participates in routing updates. Phase 2 does not support spoke-to-spoke without NHRP resolution, and the spoke does not need a static crypto map for each peer.

2003
Matching · easy

Drag and drop each broadband type on the left to its matching technology on the right.

Concepts
Matches

Uses telephone line with ADSL or VDSL

Uses coaxial cable with DOCSIS

Uses optical fiber with GPON

Uses cellular radio with OFDMA

Uses geostationary satellite with high latency

Why these pairings

DSL uses telephone lines with frequencies above voice. Cable uses coaxial cable with DOCSIS. Fiber uses optical fiber with GPON or active Ethernet. 4G LTE uses cellular radio.

Satellite uses geostationary or LEO satellites.

2004
Multi-Select · medium

Which three statements about IGMP snooping are true? (Choose three.)

Select 3 answers
A. IGMP snooping reduces multicast flooding on a VLAN by forwarding traffic only to ports that have joined the group.
B. IGMP snooping builds a Layer 2 forwarding table that maps multicast MAC addresses to switch ports.
C. IGMP snooping forwards IGMP membership reports only toward the multicast router (querier).
D. IGMP snooping suppresses all IGMP general queries from the multicast router.
E. IGMP snooping requires PIM to be enabled on the switch.
Answers: A, B, C

Correct because IGMP snooping examines IGMP join messages and builds a forwarding table so multicast frames are sent only to interested receivers.

Why this answer

IGMP snooping optimizes multicast forwarding at Layer 2 by monitoring IGMP messages. It builds a snooping table, forwards reports only to the querier, and can be configured with static entries. It does not suppress queries or require PIM.

2005
MCQ · medium

A network engineer is configuring a Cisco router to provide internet access to a small office using a single public IP address assigned by the ISP. The engineer wants to allow internal hosts to initiate connections to the internet, but also needs to make a web server on the internal network reachable from the internet. The engineer configures a standard access list for NAT and an ip nat inside source list command. However, external users cannot reach the internal web server. What is the most likely cause?

A. The access list used for NAT does not permit the web server's IP address.
B. The engineer forgot to add the ip nat inside source static command for the web server.
C. The ip nat inside and ip nat outside commands are applied on the wrong interfaces.
D. The global configuration mode is missing the ip nat pool command.
Answer: B

Correct because a static NAT entry is required to map the public IP to the internal web server's private IP, allowing inbound connections.

Why this answer

The scenario requires both dynamic NAT (for outbound traffic) and static NAT (for inbound access to the web server). Using only a dynamic NAT configuration with an access list will not provide a permanent mapping for the web server.

2006
MCQ · medium

Given the following EIGRP configuration on a router:

```
router eigrp 200
 network 192.168.1.0 0.0.0.255
 network 10.0.0.0
```

Which statement about this configuration is true?

A. EIGRP will be enabled on any interface with an IP address in the 10.0.0.0/8 range, and only on interfaces with an IP address in the 192.168.1.0/24 range.
B. Both network statements are classful and will enable EIGRP on all interfaces with IP addresses in the 192.168.0.0/16 and 10.0.0.0/8 ranges.
C. EIGRP will only be enabled on interfaces with an IP address in the 192.168.1.0/24 range.
D. This configuration will cause an error because wildcard masks are not allowed in EIGRP network statements.
Answer: A

Correct. The first network statement uses a wildcard mask to specify the exact subnet, while the second is classful.

Why this answer

Option A is correct because the first network statement uses a wildcard mask (0.0.0.255) to enable EIGRP only on interfaces in the 192.168.1.0/24 subnet, while the second network statement (10.0.0.0) is classful and enables EIGRP on all interfaces in the 10.0.0.0/8 range. EIGRP network statements can include a wildcard mask to specify a subnet; without one, the router assumes the classful boundary.

Exam trap

Cisco often tests the distinction between classful and classless network statements in EIGRP, where candidates mistakenly assume that a network statement without a wildcard mask applies only to the exact subnet rather than the entire classful range.

How to eliminate wrong answers

Option B is wrong because the first network statement uses a wildcard mask (0.0.0.255), which restricts EIGRP to the 192.168.1.0/24 subnet, not the classful 192.168.0.0/16 range. Option C is wrong because the second network statement (10.0.0.0) is classful and enables EIGRP on all interfaces in the 10.0.0.0/8 range, not just the 192.168.1.0/24 subnet. Option D is wrong because EIGRP explicitly supports wildcard masks in network statements (e.g., network 192.168.1.0 0.0.0.255) to allow subnet-level granularity.

2007
MCQ · medium

A network engineer configures IP SLA 20 to monitor the response time of a DNS server at 10.1.1.1 using DNS query for 'example.com'. The operation is used to influence routing decisions. The engineer notices that the IP SLA operation shows 'State: Active' and 'Latest RTT: 50 ms', but the DNS server is actually down and not responding to any queries. What is the most likely reason?

A. The IP SLA DNS probe is using a cached DNS response from the router's DNS resolver, so it does not actually query the server.
B. The IP SLA DNS probe must be configured with a 'timeout' value lower than 50 ms to detect the failure.
C. The DNS server is responding to the probe but not to other queries because the probe uses a different port.
D. The IP SLA operation is configured with a 'frequency' that is too low, causing the probe to be sent before the server times out.
Answer: A

Correct. If the router has DNS caching enabled, the IP SLA DNS probe may receive a cached response, making it appear as if the server is reachable when it is not.

Why this answer

The DNS probe may be receiving a response from a cache (either on the router itself or an intermediate DNS cache) rather than the actual DNS server. This can cause the probe to succeed even if the server is down.

2008
Multi-Select · medium

Which THREE attributes are typically included in a YANG module for interface configuration? (Choose three.)

Select 3 answers
A. switchport mode
B. description
C. mtu
D. ip address
E. mac address
Answers: B, C, D

Description is a common attribute.

Why this answer

Option B is correct because the 'description' leaf is a standard attribute in YANG models for interface configuration, providing a human-readable text string to document the interface's purpose. It is defined in the IETF interface model (RFC 8343) and is widely supported across Cisco IOS-XE and NX-OS YANG models.

Exam trap

Cisco often tests the distinction between configurable YANG leaves (like 'description', 'mtu', 'ip address') and operational state leaves (like 'mac address') or platform-specific extensions (like 'switchport mode') to see if candidates understand the standard IETF interface model versus proprietary additions.

2009
MCQ · medium

A network engineer runs the following command on Router R1:

```
R1# debug eigrp packets hello
EIGRP: Received HELLO on Gi0/0 nbr 192.168.1.2 AS 100, Flags 0x0, Seq 0/0 interfaceQ 0/0
EIGRP: Sending HELLO on Gi0/0 AS 100, Flags 0x0, Seq 0/0 interfaceQ 0/0
EIGRP: Received HELLO on Gi0/1 nbr 10.1.1.2 AS 100, Flags 0x0, Seq 0/0 interfaceQ 0/0
EIGRP: Sending HELLO on Gi0/1 AS 100, Flags 0x0, Seq 0/0 interfaceQ 0/0
```

Based on this output, what can be concluded?

A. EIGRP is using MD5 authentication between neighbors.
B. The hello packets are being exchanged normally without any issues.
C. There is a K-value mismatch between R1 and its neighbors.
D. The router is using EIGRP named mode.
Answer: B

The debug shows consistent sending and receiving of hellos with no errors.

Why this answer

The debug output shows EIGRP hello packets being sent and received on both interfaces without any errors, sequence mismatches, or authentication failures. The 'Flags 0x0' and 'Seq 0/0' indicate normal operation, and the neighbor IPs are present, confirming that the EIGRP adjacency is forming correctly. Therefore, the hello packets are being exchanged normally without any issues.

Exam trap

Cisco often tests the distinction between normal hello exchange and authentication or parameter mismatch by showing clean debug output with 'Flags 0x0' and 'Seq 0/0', leading candidates to incorrectly assume authentication is present or that a mismatch exists.

How to eliminate wrong answers

Option A is wrong because the debug output shows 'Flags 0x0' and no authentication-related fields (such as Auth type or key ID), and EIGRP MD5 authentication would include a non-zero authentication field in the packet. Option C is wrong because a K-value mismatch would prevent neighbor adjacency formation, but the debug shows successful hello exchange and neighbor IPs, indicating no mismatch. Option D is wrong because EIGRP named mode uses different debug output formats (e.g., 'EIGRP-IPv4' or 'EIGRP-IPv6' prefixes) and the classic 'debug eigrp packets' command is used here, which is typical for classic EIGRP configuration.

2010
Drag & Drop · medium

Drag and drop the Private VLAN (PVLAN) configuration steps into the correct order, from first to last.

Why this order

First create the primary VLAN, then the secondary VLANs (community or isolated), then associate them. Finally configure host and promiscuous ports.

2011
MCQ · medium

An enterprise is migrating from a traditional three-tier campus network to Cisco SD-Access. The network engineer has deployed a fabric with a single fabric edge node and a single control plane node. Users in VLAN 10 report that they cannot reach the default gateway, which is a virtual IP on the fabric edge. The fabric edge is configured with a VLAN 10 SVI and the anycast gateway feature is enabled. What is the most likely cause of the problem?

A. The fabric edge node is not configured with the VLAN 10 SVI or the anycast gateway feature is disabled.
B. The control plane node is not reachable from the fabric edge, causing the fabric edge to drop traffic.
C. The endpoints are not configured with the correct IP address for the default gateway.
D. The fabric edge node is in Layer 2 mode and cannot route traffic.
Answer: A

Correct. Without the SVI and anycast gateway enabled, the fabric edge cannot provide the default gateway for VLAN 10 users.

Why this answer

Option A is correct because the question states that the fabric edge is configured with a VLAN 10 SVI and anycast gateway is enabled, yet users cannot reach the default gateway. The most likely cause is a misconfiguration: either the SVI is missing or anycast gateway is disabled on the fabric edge. In Cisco SD-Access, the anycast gateway feature must be explicitly enabled under the SVI using the command 'ip virtual-reassembly in' and 'ip local-proxy-arp' along with the 'anycast-gateway' configuration; without it, the fabric edge cannot respond to ARP requests or route traffic for the virtual IP, breaking connectivity to the default gateway.

Exam trap

Cisco often tests the misconception that anycast gateway is automatically enabled when an SVI is created on a fabric edge, but in reality it requires explicit configuration, and candidates may overlook this step when troubleshooting connectivity to the default gateway.

How to eliminate wrong answers

Option B is wrong because if the control plane node were unreachable, the fabric edge would still forward traffic for known endpoints using its local cache; it would not drop all traffic to the default gateway, and LISP registration would fail but routing would continue for existing flows. Option C is wrong because the problem is that users cannot reach the default gateway, not that endpoints have incorrect IP configuration; the question implies endpoints are configured correctly but the gateway is unresponsive. Option D is wrong because a fabric edge node in SD-Access operates in Layer 3 mode for routed traffic (using SVI and anycast gateway), and Layer 2 mode would only be used for pure bridging; the fabric edge is designed to route traffic for the virtual IP, so being in Layer 2 mode would not cause the described symptom.

2012
Drag & Drop · hard

Drag and drop the steps of OSPF virtual link configuration across area 0 into the correct order, from first to last.

Why this order

Virtual links require area 0 transit area, and must be configured on both ABRs. The steps ensure proper connectivity: identify endpoints, configure on each router, and verify.

2013
Drag & Drop · medium

Drag and drop the steps of STP portfast and BPDU guard configuration into the correct order, from first to last.

Why this order

PortFast is enabled globally or per interface to bypass listening/learning. BPDU guard is then configured to disable the port if a BPDU is received. The configuration is applied to the interface, and the port transitions to forwarding immediately. Finally, errdisable recovery can be set.

2014
MCQ · medium

A junior engineer is tasked with writing a Python script that uses the Cisco IOS-XE RESTCONF API to retrieve the hostname of a router. The engineer uses the requests library and sends a GET request to the URL 'https://router/restconf/data/Cisco-IOS-XE-native:native/hostname'. The request returns a 404 Not Found error. The engineer has verified that the RESTCONF service is enabled and the credentials are correct. What is the most likely reason for the 404 error?

A. The hostname data node does not exist in the YANG model.
B. The engineer forgot to include the 'Accept: application/yang-data+json' header in the request.
C. The URL path should be '/restconf/data/Cisco-IOS-XE-native:hostname' instead of including 'native' in the path.
D. The engineer must use a different HTTP method like POST to retrieve the hostname.
Answer: C

Correct because the YANG module name is 'Cisco-IOS-XE-native', and the top-level node is 'hostname', so the path should be '/restconf/data/Cisco-IOS-XE-native:hostname'.

Why this answer

The correct answer is that the URL path is incorrect; the correct path should include the module namespace correctly. Option A is incorrect because the hostname is a valid data node. Option B is incorrect because the Content-Type header is not required for GET requests. Option D is incorrect because the error is not related to authentication.

2015
Matching · medium

Drag and drop each MP-BGP address family on the left to its matching use case on the right.

Carries IPv4 VPN routes with MPLS labels across the provider core

Carries IPv6 VPN routes with MPLS labels across the provider core

Carries global IPv4 unicast routes (non-VPN)

Carries global IPv6 unicast routes (non-VPN)

Carries Layer 2 VPN information such as pseudowires and VPLS

Why these pairings

VPNv4 address family carries IPv4 VPN routes; VPNv6 carries IPv6 VPN routes; IPv4 unicast carries global IPv4 routes; IPv6 unicast carries global IPv6 routes; L2VPN address family carries Layer 2 VPN information.
