ENCOR 350-401 (350-401) — Questions 226–300

2015 questions total · 27 pages · All types, answers revealed

Page 4 of 27

226
MCQ · hard

A network engineer is configuring NAT on a Cisco router to allow internal hosts to access the internet. The engineer uses the command 'ip nat inside source static tcp 192.168.1.10 80 203.0.113.1 80'. After testing, external users can access the internal web server using the public IP. However, internal hosts cannot access the web server using the public IP. What is the most likely cause?

A. The router does not have NAT hairpinning enabled, so internal traffic to the public IP is not translated.
B. The static NAT entry is missing the extendable keyword.
C. The internal hosts have a route to the public IP via the router's outside interface.
D. The access list used for NAT is blocking internal traffic.
Answer: A

Correct because by default, Cisco routers do not perform NAT for traffic that enters and leaves the same interface (inside-to-inside). This requires the ip nat enable route-map or similar configuration.

Why this answer

This is a classic NAT hairpinning issue. When an internal host tries to reach the public IP of the server, the router may not support or be configured for NAT reflection (hairpinning), so the packet is not translated correctly.

227
MCQ · hard

A network engineer is troubleshooting a NAT issue where an internal host cannot establish an SSH session to a remote server on the internet. The engineer checks the NAT translations on the border router and sees that the translation for the host's source IP is present. However, the SSH session times out. The engineer also notices that the remote server's IP is not in the NAT translation table. What is the most likely cause?

A. The router is performing NAT only for the source IP, but the return traffic is taking a different path that does not go through the NAT router.
B. The SSH server is blocking connections from the public IP address.
C. The NAT overload is causing port conflicts for SSH.
D. The access list used for NAT is denying the SSH traffic.
Answer: A

Correct because if the return traffic does not pass through the same NAT router, the router will not create an inbound translation entry, and the packet will not be translated back to the private IP.

Why this answer

For a successful NAT session, both the outbound and inbound translations must be present. If only the outbound translation exists, the return traffic is not being translated back correctly, possibly due to asymmetric routing or a missing route.

228
Matching · medium

Drag and drop each CPU feature on the left to its matching virtualization purpose on the right.

Matches

Enables hardware-assisted virtualization for Intel CPUs

Reduces memory overhead for nested page tables

Allows direct assignment of PCIe devices to VMs

Enables hardware-assisted virtualization for AMD CPUs

Improves TLB management across VM context switches

Why these pairings

VT-x enables hardware-assisted virtualization for Intel CPUs, EPT reduces memory overhead for nested page tables, SR-IOV allows direct device assignment to VMs, AMD-V is AMD's equivalent of VT-x, and VPID improves TLB management across VM switches.

229
MCQ · hard

A network engineer is troubleshooting multicast connectivity in a large enterprise. The network uses PIM sparse mode with Auto-RP. The engineer notices that some routers are not receiving the RP mapping for a particular group. The engineer checks the Auto-RP mapping agent and sees that it is sending RP announcements, but the routers that are missing the mapping are not in the same PIM domain. What is the most likely reason?

A. The routers missing the mapping do not have 'ip pim autorp listener' configured.
B. The mapping agent is not configured as a candidate RP.
C. The TTL of the RP announcements is set too low.
D. The routers missing the mapping have PIM dense mode enabled.
Answer: A

Correct because Auto-RP uses reserved multicast groups; without this command, routers may not process the RP announcements.

Why this answer

Auto-RP uses multicast groups 224.0.1.39 and 224.0.1.40. Routers must be configured to listen to these groups using the 'ip pim autorp listener' command, especially if they are not in the same PIM domain or if PIM is not enabled on all interfaces.

230
MCQ · hard

A network engineer runs the following command on switch SW4:

    SW4# show cts environment-data
    CTS Environment Data:
    Device ID: SW4.cisco.com
    Device Name: SW4
    CTS Capabilities: SGT, SXP, CTSD, CTSA
    SGT: 100
    SXP Node: Enabled
    SXP Connection: 10.1.1.1:64999

Based on this output, what can be concluded?

A. The switch is using 802.1X for authentication.
B. The switch has an SXP connection to a peer at 10.1.1.1.
C. The switch's SGT is 10.
D. The switch is not capable of SGT assignment.
Answer: B

The output shows SXP Node enabled and an SXP connection to 10.1.1.1:64999.

Why this answer

The output shows the switch's CTS environment data, including its own SGT (100) and that SXP (SGT Exchange Protocol) is enabled with a connection to 10.1.1.1 on port 64999. This indicates the switch is participating in SXP to propagate SGT mappings.

231
Multi-Select · hard

Which three statements about Cisco SD-Access design are true? (Choose three.)

Select 3 answers
A. VXLAN is used as the data plane encapsulation in SD-Access to create overlay tunnels.
B. The fabric border node is the access layer switch that connects end devices to the network.
C. LISP provides the control plane for SD-Access by managing endpoint identifiers and routing locators.
D. The border node provides connectivity between the SD-Access fabric and traditional networks or the WAN.
E. SD-Access requires a three-tier hierarchical design with core, distribution, and access layers.
Answers: A, C, D

Correct because VXLAN encapsulates Layer 2 frames in UDP packets, enabling overlay networks across the underlay.

Why this answer

Cisco SD-Access is a policy-based, intent-driven network architecture that uses VXLAN for overlay tunneling and LISP for control plane. It separates the network into fabric and non-fabric domains. The fabric uses a border node to connect to external networks.

Option A is correct because VXLAN provides the data plane encapsulation. Option C is correct because LISP is the control plane that maps endpoints to their locations. Option D is correct because the border node connects the fabric to outside networks (e.g., WAN, Internet).

Option B is incorrect because the fabric edge is the access layer switch that connects endpoints, not the border. Option E is incorrect because SD-Access typically uses a two-tier spine-leaf design, not a three-tier core-distribution-access.

232
MCQ · medium

A campus network architect is redesigning the LAN to support high availability and east-west traffic growth. The current design uses a traditional three-tier hierarchy with a collapsed core. The architect must choose a new design that provides predictable latency, simple scalability, and efficient use of uplinks. Which design should the architect select?

A. Collapsed core design with redundant core switches and distribution layers.
B. Leaf-spine design with all leaf switches connected to all spine switches.
C. Mesh design where every switch connects to every other switch.
D. Traditional three-tier design with access, distribution, and core layers.
Answer: B

Leaf-spine provides non-blocking, low-latency paths between any two leaf switches, and scales horizontally by adding more spines.

Why this answer

The leaf-spine design (option B) provides predictable latency because every leaf switch is exactly one hop away from any other leaf switch via the spine, regardless of traffic path. This design also scales simply by adding more leaf or spine switches without reconfiguring existing connections, and it uses uplinks efficiently through equal-cost multipath (ECMP) load balancing, making it ideal for east-west traffic growth in a modern data center or campus LAN.

Exam trap

Cisco often tests the misconception that a collapsed core design is sufficient for high availability and east-west traffic, but the trap here is that candidates overlook the predictable latency and linear scalability benefits of leaf-spine, which are explicitly required by the question's criteria.

How to eliminate wrong answers

Option A is wrong because a collapsed core design with redundant core switches and distribution layers still introduces variable hop counts and potential bottlenecks for east-west traffic, as traffic between distribution switches must traverse the core, increasing latency and reducing predictability. Option C is wrong because a full mesh design does not scale efficiently; the number of connections grows quadratically (n*(n-1)/2), leading to excessive cabling and port usage, and it lacks the structured, predictable latency of leaf-spine. Option D is wrong because the traditional three-tier design (access, distribution, core) introduces multiple hops and oversubscription at the distribution layer, which increases latency and complicates scaling for east-west traffic patterns.

233
MCQ · hard

A network engineer is configuring a Cisco SD-WAN fabric with vManage, vSmart, and vBond controllers. The engineer wants to ensure that all branch routers automatically discover the vSmart and vBond controllers without manual configuration on each branch. The engineer has configured the vBond with a public IP address and enabled NAT traversal. However, branch routers are failing to establish control connections. The engineer verifies that the branch routers have the correct organization name and that the vBond is reachable from the branches. What is the most likely missing configuration?

A. The vManage IP address is not configured on the branch routers.
B. The vSmart IP address is not configured on the branch routers.
C. The vBond IP address is not configured on the branch routers.
D. The DTLS port 12346 is not open on the branch routers' firewall.
Answer: C

Correct because the branch routers need the vBond IP to initiate the initial contact and receive the list of controllers.

Why this answer

In Cisco SD-WAN, branch routers use a two-phase discovery process: they first connect to the vBond controller to authenticate and receive the list of vSmart and vManage controllers. Since the engineer has already configured the vBond with a public IP and enabled NAT traversal, and the branch routers have the correct organization name and can reach the vBond, the missing piece is that the vBond IP address must be explicitly configured on each branch router (via the 'system vbond' CLI command or the equivalent in the device template). Without this, the branch routers have no initial target to contact for the bootstrap discovery process, so they cannot automatically learn the vSmart and vManage addresses.

Exam trap

Cisco often tests the misconception that branch routers need the vSmart or vManage IP configured directly, when in fact the vBond is the single mandatory bootstrap address for automatic discovery.

How to eliminate wrong answers

Option A is wrong because the vManage IP address is not required on branch routers for initial control connection establishment; vManage is used for management and monitoring, and its address is learned from vBond during the discovery phase. Option B is wrong because the vSmart IP address is also not statically configured on branch routers; it is dynamically provided by vBond after the branch router successfully authenticates with vBond. Option D is wrong because DTLS port 12346 is the default port used by vBond for control connections, and the engineer has already enabled NAT traversal and verified reachability; if the port were blocked, the branch routers would not be able to reach vBond at all, but the scenario states vBond is reachable, so the firewall is not the issue.

234
Drag & Drop · medium

Drag and drop the steps of multicast RP discovery using BSR into the correct order, from first to last.

Why this order

BSR election occurs first, then the BSR collects RP announcements, creates an RP-set, and floods it to all routers; each router then uses the hash function to select the RP for a group.

235
Drag & Drop · medium

Drag and drop the steps of WRED configuration for TCP congestion avoidance into the correct order, from first to last.

Why this order

First, enable WRED under an interface or policy-map. Then set the minimum and maximum thresholds for each IP precedence or DSCP value. Configure the mark probability denominator.

Apply the policy-map to the interface. Finally, verify WRED operation using show queueing or show policy-map interface.

236
MCQ · medium

Examine the following configuration snippet:

    interface GigabitEthernet1/0/2
     switchport mode access
     authentication port-control auto
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10

Which statement about this configuration is true?

A. MAB will be attempted first, and if it fails, 802.1X will be used.
B. 802.1X will be attempted first; if the client does not respond, MAB will be used as a fallback.
C. The port will be placed in a guest VLAN if both 802.1X and MAB fail.
D. The switch will act as a supplicant for MAB and an authenticator for 802.1X.
Answer: B

The switch tries 802.1X first; if no EAPOL is received, it falls back to MAB.

Why this answer

This configuration enables both 802.1X and MAB (MAC Authentication Bypass) on the interface. MAB is used as a fallback if the connected device does not support 802.1X. The switch acts as an authenticator.

237
MCQ · easy

An enterprise is deploying QoS across a network that includes both Cisco and non-Cisco devices. The engineer wants to use a marking scheme that is end-to-end and not stripped at Layer 3 boundaries. Which marking field should the engineer use?

A. CoS
B. IP Precedence
C. DSCP
D. MPLS EXP
Answer: C

Correct because DSCP is a Layer 3 field that is preserved across routers and is supported by most vendors.

Why this answer

DSCP (Differentiated Services Code Point) is the correct choice because it is defined in RFC 2474 as a Layer 3 marking field in the IP header. Unlike CoS (Layer 2) or MPLS EXP (which is stripped at MPLS boundaries), DSCP markings are preserved across Layer 3 boundaries (routers) and can be used end-to-end across both Cisco and non-Cisco devices, as long as the intermediate devices trust the DSCP value.

Exam trap

Cisco often tests the distinction between Layer 2 (CoS) and Layer 3 (DSCP) marking, and the trap here is that candidates confuse 'end-to-end' with 'within a single domain,' leading them to choose CoS or MPLS EXP, which are not preserved across Layer 3 boundaries.

How to eliminate wrong answers

Option A is wrong because CoS (Class of Service) is a Layer 2 marking field in the 802.1Q/p header, which is stripped when a frame passes through a Layer 3 boundary (router) and is not preserved across IP networks. Option B is wrong because IP Precedence is a 3-bit field in the IP header that provides only 8 classes, but it is often re-marked or ignored in modern networks; DSCP (6 bits) is the preferred Layer 3 marking for end-to-end QoS and is backward-compatible with IP Precedence. Option D is wrong because MPLS EXP (Experimental bits) is a Layer 2.5 marking field used within an MPLS domain; it is stripped when the MPLS label is removed at the egress LER, so it is not end-to-end across Layer 3 boundaries.

238
Drag & Drop · medium

Drag and drop the steps of BFD session establishment for path liveliness into the correct order, from first to last.

Why this order

BFD session establishment starts with the vEdge sending a BFD hello packet, the remote vEdge responds with a BFD echo, then both agree on the BFD timer values, the session moves to the Up state, and finally the session is used for path liveliness detection.

239
MCQ · medium

A network engineer is configuring QoS on a Cisco router to prioritize business-critical applications. The engineer creates a class-map that matches traffic based on the destination IP address and port. However, the class-map does not match the expected traffic. What is the most likely reason?

A. The class-map uses 'match-all' but the engineer intended to use 'match-any'.
B. The access-list used for matching is not applied to the correct interface.
C. The router does not support matching on both IP and port in the same class-map.
D. The class-map must be applied to the interface before it can match traffic.
Answer: A

Correct because if the class-map uses 'match-all', all match conditions must be true; if the traffic matches only one condition, it will not be classified.

Why this answer

Option A is correct because when a class-map uses 'match-all', all match conditions must be true for a packet to be classified. If the engineer intended to match traffic based on either the destination IP address OR the port, using 'match-any' would allow the class-map to match if any single condition is met. The mismatch occurs because the class-map is too restrictive, requiring both conditions to be satisfied simultaneously.

Exam trap

Cisco often tests the subtle difference between 'match-all' (default) and 'match-any' in class-maps, trapping candidates who assume that multiple match conditions automatically use OR logic.

How to eliminate wrong answers

Option B is wrong because the access-list used for matching is referenced inside the class-map, not applied directly to the interface; the class-map itself is applied to the interface via a policy-map, so the access-list does not need separate interface application. Option C is wrong because Cisco routers fully support matching on both IP and port in the same class-map using nested match statements or an extended access-list; there is no inherent limitation. Option D is wrong because a class-map does not need to be applied to an interface to match traffic; it is the policy-map that references the class-map and is applied to the interface, and the class-map itself can be tested independently.

240
MCQ · medium

A network engineer runs the following command on Router R3:

    R3# show interfaces GigabitEthernet0/0
    GigabitEthernet0/0 is up, line protocol is up
      Hardware is ISR4331-2x1GE, address is aabb.cc00.0300 (bia aabb.cc00.0300)
      Internet address is 10.0.0.3/24
      MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full-duplex, 1000Mb/s, media type is RJ45
      output flow-control is unsupported, input flow-control is unsupported
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:00, output 00:00:00, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 1000 bits/sec, 2 packets/sec
      5 minute output rate 2000 bits/sec, 3 packets/sec
         12345 packets input, 1234567 bytes, 0 no buffer
         Received 123 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 0 multicast, 0 pause input
         12345 packets output, 2345678 bytes, 0 underruns
         0 output errors, 0 collisions, 1 interface resets
         0 unknown protocol drops
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 pause output
         0 output buffer failures, 0 output buffers swapped out

Based on this output, what can be concluded?

A. The interface has experienced a hardware failure.
B. The interface has had one reset since the last counter clear.
C. The interface is experiencing high input errors.
D. The interface is operating at half-duplex.
Answer: B

The output shows '1 interface resets', which is a counter that increments each time the interface is reset.

Why this answer

The output shows the interface is up/up. The key clue is '1 interface resets' in the output counters. Interface resets can occur due to hardware issues, cable problems, or when the interface is administratively reset.

The presence of 1 reset indicates a past event, but the interface is currently operational. The question tests understanding of interface counters.

241
MCQ · medium

A router has the following configuration snippet:

    vrf definition RED
     rd 100:1
    !
    interface Loopback0
     ip vrf forwarding RED
     ip address 10.0.0.1 255.255.255.255
    !
    router eigrp 100
     address-family ipv4 unicast vrf RED autonomous-system 100
      network 10.0.0.1 0.0.0.0

What is the issue with this EIGRP configuration for VRF RED?

A. The EIGRP address-family is not activated because 'no shutdown' is missing under the address-family configuration.
B. The 'network' command should use a wildcard mask of 0.0.0.255 instead of 0.0.0.0.
C. The VRF must be defined under 'router eigrp' globally before using address-family.
D. The loopback interface cannot be placed in a VRF because it is a virtual interface.
Answer: A

Correct. EIGRP address-families require 'no shutdown' to start.

Why this answer

The EIGRP address-family configuration for VRF RED is missing the 'no shutdown' command under the address-family mode. In Cisco IOS, EIGRP address-families are administratively shut down by default; without 'no shutdown', the EIGRP process for that VRF will not form adjacencies or advertise routes, even though the network command is correctly configured.

Exam trap

Cisco often tests the default administrative shutdown of EIGRP address-families, knowing that many candidates assume the process starts automatically once the network command is configured, leading them to overlook the required 'no shutdown' command.

How to eliminate wrong answers

Option B is wrong because the 'network 10.0.0.1 0.0.0.0' command uses a host-specific wildcard mask, which is perfectly valid for advertising a single /32 interface; a wildcard mask of 0.0.0.255 would be incorrect as it would attempt to match a broader subnet. Option C is wrong because VRF definitions are not required under 'router eigrp' globally; the VRF is referenced directly in the address-family configuration via the 'vrf RED' keyword, which is the correct method. Option D is wrong because loopback interfaces can absolutely be placed in a VRF; there is no restriction against virtual interfaces being assigned to a VRF, and this is a common practice for management or iBGP peering.

242
MCQ · medium

    interface GigabitEthernet0/0
     ip address 192.168.1.1 255.255.255.0
     ip ospf network non-broadcast
     ip ospf priority 1
    !
    router ospf 1
     network 192.168.1.0 0.0.0.255 area 0
     neighbor 192.168.1.2

What is the effect of this configuration?

A. OSPF will form an adjacency with 192.168.1.2 and elect a DR/BDR based on priority.
B. OSPF will form an adjacency with 192.168.1.2 without DR/BDR election.
C. OSPF will automatically discover neighbors via multicast and form adjacencies.
D. OSPF will use a 30-second hello interval and suppress DR/BDR election.
Answer: A

Correct. Non-broadcast network type requires manual neighbor configuration and uses DR/BDR election.

Why this answer

The OSPF network type is set to non-broadcast, which requires manual neighbor configuration. The 'neighbor' command is used to specify the neighbor IP. The priority is set to 1, which allows the router to participate in DR/BDR election.

This is typical for Frame Relay or other NBMA networks.

243
Drag & Drop · medium

Drag and drop the steps of EIGRP redistribution from OSPF with metric seeding into the correct order, from first to last.

Why this order

When redistributing OSPF into EIGRP, you must define a default metric or use a route map. First, configure the EIGRP process, then enter address-family, issue the redistribute command, set the metric, and finally verify the redistributed routes.

244
MCQ · hard

An enterprise network uses 802.1X for wired access. The authentication server is a Cisco ISE. Recently, some Windows 10 clients fail to authenticate, while others succeed. The engineer checks the switch configuration and finds 'authentication port-control auto' and 'dot1x pae authenticator' are configured. The failing clients show 'EAP failure' in the logs. The engineer suspects a mismatch in EAP method. Which EAP method is most likely causing the issue if the ISE is configured to require EAP-TLS but the Windows clients are configured for PEAP-MSCHAPv2?

A. EAP-TLS requires a client certificate, which the Windows clients do not have.
B. EAP-FAST requires a PAC file that the Windows clients do not have.
C. LEAP uses a shared secret that is not configured on the clients.
D. EAP-MD5 does not support mutual authentication, causing the failure.
Answer: A

Correct because EAP-TLS requires client certificates, and PEAP-MSCHAPv2 does not provide them.

Why this answer

EAP-TLS requires a client certificate, while PEAP-MSCHAPv2 uses a username/password inside a TLS tunnel. If ISE is configured to only accept EAP-TLS, clients attempting PEAP will receive an EAP failure. Option A is correct because EAP-TLS is certificate-based and different from PEAP.

Option B is incorrect because EAP-FAST uses a PAC, not certificates. Option C is incorrect because LEAP is deprecated and uses MS-CHAPv2, but it is not the same as PEAP. Option D is incorrect because EAP-MD5 is a simple challenge-response and not typically used in enterprise 802.1X.

245
MCQ · hard

A large enterprise uses Cisco SD-WAN with multiple transport clouds (MPLS and Internet). The network team wants to ensure that voice traffic between two branch offices always uses the MPLS link, even if the Internet link has lower latency. The engineer creates a centralized data policy on the vSmart to match voice traffic based on DSCP EF and sets the preferred color to 'mpls'. After applying the policy, the engineer tests and finds that voice traffic is still using the Internet link. The vEdge routers show that the policy is received and active. What is the most likely reason for this failure?

A. The vEdge routers have not rebooted after the policy was applied.
B. The data policy was applied on the vEdge instead of the vSmart.
C. The DSCP EF marking is not supported in SD-WAN data policies.
D. The policy does not include a match condition for the correct VPN or site list.
Answer: D

Correct because the policy must be associated with the specific VPN and site list to apply to the traffic.

Why this answer

Option D is correct because a centralized data policy on the vSmart must include match conditions for both the traffic (e.g., DSCP EF) and the scope of the policy (e.g., VPN list or site list). Without a site list or VPN list match, the policy may not apply to the specific branch-to-branch traffic, causing the vEdge to fall back to the default routing behavior (e.g., using the Internet link if it has lower latency). The vSmart distributes the policy to vEdges, but the vEdge only enforces it for matched traffic within the specified sites or VPNs.

Exam trap

Cisco often tests the misconception that a centralized data policy with only traffic match conditions (like DSCP) will automatically apply to all traffic, when in reality the policy must also include a site list or VPN list to define the scope of enforcement.

How to eliminate wrong answers

Option A is wrong because vEdge routers do not require a reboot for data policies to take effect; they are applied dynamically via the vSmart. Option B is wrong because the engineer explicitly created a centralized data policy on the vSmart, and applying it on the vEdge would be a localized policy, which is not the described scenario. Option C is wrong because DSCP EF (46) is fully supported in Cisco SD-WAN data policies for matching voice traffic; the issue is not a lack of support but missing scope conditions.

246
Matching · medium

Drag and drop each MPLS VPN type on the left to its matching layer on the right.

Matches

Layer 3 IP-based VPN using MP-BGP

Layer 2 VPN transporting Ethernet or Frame Relay

Multipoint Layer 2 VPN emulating a LAN

Point-to-point Layer 2 VPN

Multicast VPN over MPLS

Why these pairings

L3VPN operates at Layer 3 (IP), L2VPN at Layer 2 (Ethernet/Frame Relay), VPLS is a specific L2VPN, VPWS is point-to-point L2VPN, and MVPN is multicast L3VPN.

247
Drag & Drop · medium

Drag and drop the steps of YANG data model traversal for interface stats into the correct order, from first to last.

Why this order

YANG traversal starts with identifying the YANG module for interfaces, then navigating to the interfaces container, selecting the specific interface list entry, accessing the statistics container, and finally reading the desired leaf values like in-octets.

248
Drag & Drop · medium

Drag and drop the MSTP region and instance configuration steps into the correct order, from first to last.

Why this order

MSTP configuration begins with entering MST configuration mode, then assigning the region name, revision number, and mapping VLANs to instances. After exiting configuration mode, the MST region is active. Finally, the spanning-tree mode must be set to mst globally to enable MSTP.

249
MCQ · easy

A network engineer is configuring model-driven telemetry on a Cisco IOS-XE router to stream OSPF neighbor state changes. The engineer uses the YANG model 'Cisco-IOS-XE-ospf-oper' and creates an on-change subscription. After testing, the engineer notices that the telemetry data is being sent, but the collector is receiving duplicate updates for the same OSPF neighbor state change. What is the most likely cause of these duplicate updates?

A. The subscription is configured with both on-change and periodic updates
B. The YANG path includes multiple leafs that change together, each triggering a separate update
C. The collector is sending acknowledgments that cause the router to resend data
D. The engineer used JSON encoding which causes larger payloads and fragmentation
Answer: B

On-change subscriptions send an update for each leaf that changes, so multiple leaf changes from a single event cause duplicate updates.

Why this answer

The correct answer is that the YANG path includes multiple leafs that change simultaneously, causing multiple updates for the same event. For example, when an OSPF neighbor goes from FULL to DOWN, multiple leafs (state, last-up-time, etc.) change, and each change triggers an on-change update. The other options are incorrect because the sample-interval is not used in on-change subscriptions; the collector is not causing duplicates; and the encoding does not cause duplicates.

250
Drag & Drop · medium

Drag and drop the steps of Multicast RP discovery using BSR into the correct order, from first to last.

Why this order

In BSR, candidate RPs announce themselves to the BSR. The BSR collects these announcements and distributes a list of RPs via Bootstrap messages. Routers then use a hash function to select the RP for each group.

The RP must be reachable for the process to work.

251
Multi-Select · medium

Which two statements about VLAN trunking using IEEE 802.1Q are true? (Choose two.)

Select 2 answers
A.The 802.1Q tag includes a 12-bit VLAN ID field.
B.The native VLAN is not tagged on an 802.1Q trunk.
C.The native VLAN must always be VLAN 1.
D.The 802.1Q tag uses a TPID value of 0x88A8.
E.802.1Q supports a maximum of 4096 VLANs.
AnswersA, B

Correct because the 802.1Q header contains a 12-bit VLAN ID (VID) allowing up to 4094 VLANs.

Why this answer

Correct: A is true because 802.1Q inserts a 4-byte tag after the source MAC address, which includes a 12-bit VLAN ID (0-4095). B is true because the native VLAN is not tagged; frames on the native VLAN are sent untagged to maintain backward compatibility with devices that do not understand trunking. C is incorrect because the native VLAN can be any VLAN, not just VLAN 1; it defaults to VLAN 1 but can be changed.

D is incorrect because the 802.1Q tag uses a TPID of 0x8100, not 0x88A8 (which is used for Q-in-Q). E is incorrect because 802.1Q supports up to 4094 usable VLANs (1-1001 and 1006-4094), not 4096.

252
Multi-Selecteasy

Which THREE of the following are components of a Cisco ACI fabric? (Choose three.)

Select 3 answers
A.Firewall
B.Spine switch
C.Router
D.APIC controller
E.Leaf switch
AnswersB, D, E

Spine switches form the fabric backbone.

Why this answer

The spine switch is a core component of a Cisco ACI fabric, forming the spine-leaf topology. Spine switches provide high-speed, non-blocking connectivity between leaf switches and handle all east-west traffic, relying on IS-IS as the routing protocol for fabric discovery and forwarding.

Exam trap

Cisco often tests the distinction between native fabric components (spine, leaf, APIC) and external devices (firewall, router) that can be integrated but are not part of the fabric itself, leading candidates to mistakenly include them as fabric components.

253
MCQmedium

Examine the following SD-WAN configuration on a Cisco vEdge router:

```
vpn 0
 interface ge0/0
  ip address 10.0.0.1/24
  tunnel-interface
   encapsulation ipsec
   color public-internet
   allow-service all
  !
 interface ge0/1
  ip address 10.0.0.2/24
  tunnel-interface
   encapsulation ipsec
   color 3g
   allow-service all
  !
```

Which statement is correct?

A.Both interfaces are in VPN 0, which is the transport VPN, and they will establish tunnels with the vSmart controller.
B.The interfaces are in VPN 0, which is the service VPN, and they will be used for customer traffic.
C.The configuration is invalid because tunnel interfaces cannot have IP addresses in the same VPN.
D.The 'allow-service all' command is not supported on vEdge routers.
AnswerA

VPN 0 is the transport VPN in SD-WAN. Tunnel interfaces in VPN 0 are used to establish connections to the vSmart and vBond controllers.

Why this answer

VPN 0 is the transport VPN in Cisco SD-WAN, used exclusively for underlay network connectivity and control plane traffic. The two interfaces ge0/0 and ge0/1 are configured as tunnel interfaces with IPsec encapsulation and different colors (public-internet and 3g), which allows them to establish secure DTLS/TLS tunnels to the vSmart controller for orchestration and policy distribution. This is correct because transport VPN interfaces are designed to carry overlay control traffic, not customer data.

Exam trap

Cisco often tests the misconception that VPN 0 is a service VPN or that multiple tunnel interfaces in the same VPN are invalid, but the key is remembering that VPN 0 is strictly the transport underlay and supports multiple colored interfaces for control-plane connectivity.

How to eliminate wrong answers

Option B is wrong because VPN 0 is the transport VPN, not the service VPN; service VPNs are VPN 1-512 and are used for customer traffic. Option C is wrong because the configuration is valid; multiple tunnel interfaces can exist in the same transport VPN with different IP addresses and colors to provide path diversity and redundancy. Option D is wrong because 'allow-service all' is fully supported on vEdge routers to permit all control-plane services (e.g., OMP, BFD, SSH) over the tunnel interface.

254
Drag & Dropmedium

Drag and drop the steps to configure OSPF on a Cisco router in the correct order.

Why this order

OSPF configuration starts with enabling the OSPF process, then defining networks and areas.

255
MCQmedium

A network engineer runs the following command on Switch SW3:

```
SW3# show etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      N - not in use, no aggregation
        f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+---------------------------------------------
1      Po1(SU)       LACP        Gi0/1(P)  Gi0/2(P)  Gi0/3(D)
```

Based on this output, what can be concluded?

A.All three ports are actively participating in the EtherChannel.
B.The EtherChannel is using LACP protocol.
C.The EtherChannel is a Layer 3 port-channel.
D.Port Gi0/3 is in standby mode.
AnswerB

The Protocol column shows 'LACP'.

Why this answer

The output shows an EtherChannel group 1 using LACP. The Port-channel Po1 is in SU state (Layer2, in use). Two ports (Gi0/1 and Gi0/2) are bundled (P), while Gi0/3 is down (D).

The key is that Gi0/3 is down, so it is not part of the active bundle. The channel is still operational with two links.

256
MCQhard

A network engineer runs the following command on Router R6:

```
R6# show ip route vrf CUSTOMER-D
VRF CUSTOMER-D:
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/30 is directly connected, GigabitEthernet0/0.400
L        10.0.0.1/32 is directly connected, GigabitEthernet0/0.400
      192.168.0.0/16 is variably subnetted, 1 subnets, 1 mask
B        192.168.1.0/24 [200/0] via 10.0.0.2, 00:10:00

R6# show ip bgp vpnv4 vrf CUSTOMER-D
BGP table version is 5, local router ID is 10.0.0.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete

     Network          Next Hop            Metric LocPrf Weight Path
 *>  192.168.1.0/24   10.0.0.2                 0    100      0 i
```

Based on this output, what can be concluded?

A.The route 192.168.1.0/24 is learned via OSPF
B.The route 192.168.1.0/24 is installed in the VRF routing table from BGP
C.The next-hop 10.0.0.2 is not reachable
D.VRF CUSTOMER-D has no directly connected networks
AnswerB

The VRF route shows B, and the BGP table shows the same prefix with next-hop 10.0.0.2.

Why this answer

The show ip bgp vpnv4 vrf CUSTOMER-D output displays a BGP route for 192.168.1.0/24 with the '> ' (best) marker, and the show ip route vrf CUSTOMER-D output shows this route with a 'B' code (BGP). This confirms the route is learned via BGP and installed in the VRF routing table. The administrative distance of 200 in the routing table entry further confirms it is a BGP route (eBGP default AD is 20, but iBGP is 200; the [200/0] indicates iBGP).

Exam trap

Cisco often tests the distinction between the routing table (show ip route) and the BGP table (show ip bgp), where a route can be present in BGP but not installed in the routing table if the next-hop is unreachable, but here the route is installed, confirming reachability.

How to eliminate wrong answers

Option A is wrong because the route is marked with 'B' in the routing table, which indicates BGP, not OSPF (which would show 'O'). Option C is wrong because the route is marked as 'best' (>) in BGP and installed in the routing table, which requires the next-hop 10.0.0.2 to be reachable via the directly connected subnet 10.0.0.0/30. Option D is wrong because the VRF has directly connected networks (10.0.0.0/30 and 10.0.0.1/32) as shown by the 'C' and 'L' entries in the routing table.

257
MCQmedium

A network engineer runs the following command on Router R1:

```
R1# show ip eigrp interfaces detail
EIGRP-IPv4 Interfaces for AS(100)
Interface: GigabitEthernet0/0
  Mtu: 1500, Bandwidth: 1000000 Kbit, Delay: 100 microseconds
  Reliability: 255/255, Load: 1/255, Min MTU: 1500
  Hello interval: 5 sec, Hold time: 15 sec
  Next hello in: 3 secs
  Passive interface: No
  Split horizon: Enabled
  Authentication: None
  Neighbor count: 1
Interface: GigabitEthernet0/1
  Mtu: 1500, Bandwidth: 100000 Kbit, Delay: 1000 microseconds
  Reliability: 255/255, Load: 1/255, Min MTU: 1500
  Hello interval: 5 sec, Hold time: 15 sec
  Next hello in: 1 secs
  Passive interface: No
  Split horizon: Enabled
  Authentication: None
  Neighbor count: 1
```

Based on this output, what can be concluded?

A.Both interfaces have the same metric weight for bandwidth and delay.
B.GigabitEthernet0/1 will have a higher EIGRP metric than GigabitEthernet0/0 for the same prefix.
C.Interface Gi0/1 is configured as a passive interface.
D.EIGRP authentication is enabled on both interfaces.
AnswerB

EIGRP metric uses bandwidth and delay; lower bandwidth and higher delay increase the metric.

Why this answer

Option B is correct because EIGRP uses the composite metric formula: metric = (K1 * bandwidth + (K2 * bandwidth) / (256 - load) + K3 * delay) * (K5 / (reliability + K4)). With default K values (K1=K3=1, others=0), the metric simplifies to bandwidth + delay. Gi0/0 has bandwidth 1,000,000 Kbit and delay 100 microseconds, while Gi0/1 has bandwidth 100,000 Kbit and delay 1000 microseconds.

The lower bandwidth and higher delay on Gi0/1 result in a higher metric for the same prefix.

Exam trap

Cisco often tests the misconception that the 'show ip eigrp interfaces detail' command displays the K values or metric weights, when in fact it only shows per-interface parameters like bandwidth and delay, and the K values must be verified separately with 'show ip protocols'.

How to eliminate wrong answers

Option A is wrong because the metric weights (K values) are not shown in the output; the command only displays interface-specific parameters like bandwidth and delay, not the K values themselves. Option C is wrong because the output explicitly shows 'Passive interface: No' for Gi0/1, meaning it is not configured as a passive interface. Option D is wrong because the output shows 'Authentication: None' for both interfaces, indicating no EIGRP authentication is enabled.

258
Matchingmedium

Drag and drop each DNA Center Intent API on the left to its matching use on the right.

Matches

Retrieves detailed device information including serial numbers and software versions

Returns physical and logical network topology maps

Lists network issues with severity and suggested actions

Subscribes to and retrieves real-time network events and syslog messages

Manages site hierarchy and associated device assignments

Why these pairings

Intent APIs: inventory retrieves device details; topology maps network connections; issues identifies network problems; events provides real-time notifications.

259
MCQmedium

A network engineer runs the following command on Router R1:

```
R1# show ip eigrp topology
EIGRP-IPv4 Topology Table for AS(100)/ID(192.168.1.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 10.1.1.0/24, 1 successors, FD is 1310720
        via 192.168.1.2 (1310720/1310720), GigabitEthernet0/0
P 10.2.2.0/24, 1 successors, FD is 1310720
        via 192.168.1.2 (1310720/1310720), GigabitEthernet0/0
P 10.3.3.0/24, 1 successors, FD is 1310720
        via 192.168.1.2 (1310720/1310720), GigabitEthernet0/0
```

Based on this output, what can be concluded?

A.All routes have a feasible successor.
B.The routes are in Active state, meaning the router is querying for alternate paths.
C.Each route has exactly one successor and no feasible successor.
D.The router is using EIGRP stub routing.
AnswerC

The output shows one successor per route and the RD equals the FD, so no feasible successor.

Why this answer

The output shows each route with a code 'P' (Passive) and exactly one successor, with no feasible successor listed. In EIGRP, a feasible successor is only present if there is a backup route that satisfies the feasibility condition (reported distance < feasible distance). Since only one next-hop is shown per route and no additional entries exist, there is no feasible successor.

Option C correctly identifies this.

Exam trap

Cisco often tests the distinction between Passive and Active states in EIGRP topology table output, where candidates mistakenly think 'P' stands for 'Primary' or 'Path' instead of 'Passive', leading them to misinterpret the route state and miss the absence of feasible successors.

How to eliminate wrong answers

Option A is wrong because the output does not show any feasible successor; each route has only one successor and no backup path, so the statement 'All routes have a feasible successor' is false. Option B is wrong because the routes are in Passive state (code 'P'), not Active; Active state would indicate the router is actively querying neighbors for alternate paths, which is not the case here. Option D is wrong because the output does not indicate stub routing; EIGRP stub routing is configured with the 'eigrp stub' command and would not be evident from the topology table alone, and the routes are normal learned routes, not stub-specific behavior.

260
MCQmedium

In Cisco SD-WAN, what is the maximum number of TLOCs that can be associated with a single OMP route?

A.8
B.4
C.16
D.Unlimited
AnswerA

The maximum number of TLOCs per OMP route is 8, allowing for up to 8 paths for load balancing.

Why this answer

In Cisco SD-WAN, a single OMP route can have up to 8 TLOCs (Transport Locations) associated with it. This limit is enforced by the OMP protocol to balance path diversity and control-plane scalability, ensuring that the vSmart controller does not advertise an excessive number of next-hop paths for a single prefix.

Exam trap

Cisco often tests the 8-TLOC limit to catch candidates who confuse OMP's TLOC-per-route limit with the 16-path limit common in BGP or with the default 4-path limit in some IGP protocols.

How to eliminate wrong answers

Option B (4) is wrong because the maximum is 8, not 4; this misconception may arise from the default number of TLOCs per OMP route in some older configurations, but the hard limit is 8. Option C (16) is wrong because 16 is the maximum number of OMP paths per prefix in some other routing protocols (e.g., BGP), but Cisco SD-WAN OMP specifically caps TLOCs per route at 8. Option D (Unlimited) is wrong because OMP has a fixed limit of 8 TLOCs per route to prevent control-plane overload; unlimited TLOCs would allow unbounded route churn and memory consumption on vSmart and vEdge/cEdge devices.

261
MCQmedium

A network engineer writes the following Python script using the Requests library to retrieve interface information from a Cisco IOS-XE device via RESTCONF:

```python
import requests
import json

url = "https://10.1.1.1:443/restconf/data/ietf-interfaces:interfaces"
headers = {
    "Accept": "application/yang-data+json",
    "Content-Type": "application/yang-data+json"
}
auth = ("admin", "password")

response = requests.get(url, headers=headers, auth=auth, verify=False)
print(response.json())
```

What is the primary issue with this code?

A.The URL uses HTTPS but the device only supports HTTP, causing a connection error.
B.The 'Content-Type' header is misspelled as 'Contet-Type', which will cause the server to reject the request.
C.The 'verify=False' parameter is not valid for the requests library; it should be 'ssl_verify=False'.
D.The 'auth' tuple should be passed as a dictionary with 'username' and 'password' keys.
AnswerB

The header 'Contet-Type' is incorrect; it should be 'Content-Type'. This will cause the server to not recognize the media type.

Why this answer

The deliberate bug is a typo in the 'headers' dictionary: 'Contet-Type' instead of 'Content-Type'. The request will fail because of the incorrect header.

The other aspects of the script are not functional errors. The URL uses HTTPS on port 443, which is correct for RESTCONF, and the path '/restconf/data/ietf-interfaces:interfaces' includes the module name for the YANG model. The 'Accept' header is 'application/yang-data+json', which the code uses correctly. Setting 'verify=False' bypasses certificate verification; because the code does not suppress the InsecureRequestWarning, it produces warnings that can clutter the output, but not an error.

262
Matchingmedium

Drag and drop each PnP workflow step on the left to its matching action on the right.

Matches

Assigns the device to a site and triggers the provisioning process

Deploys day-0 configuration, templates, and software image

Applies the configuration and brings the device into operational state

Checks device connectivity and validates configuration compliance

Tracks device status, logs, and alerts during the PnP workflow

Why these pairings

PnP steps: Claim device assigns it to a site; Provision deploys configuration; Activate applies image; Verify checks connectivity; Monitor tracks status.

263
Drag & Dropmedium

Drag and drop the steps of configuring a standard ACL for traffic filtering on a Cisco IOS router into the correct order, from first to last.

Why this order

Standard ACLs are configured by first entering global config, defining the ACL with permit/deny statements, then applying it to an interface in the correct direction. Verification confirms the ACL is active.

264
Matchingmedium

Drag and drop each VM storage type on the left to its matching characteristic on the right.

Matches

Allocates storage on demand, grows as needed

Pre-allocates full storage at creation

Provides direct access to a physical LUN

VMware virtual disk file format

Hyper-V virtual disk file format

Why these pairings

Thin provisioning allocates space on demand, thick provisioning allocates full space at creation, RDM provides direct LUN access, VMDK is VMware's virtual disk format, and VHDX is Hyper-V's virtual disk format.

265
MCQeasy

What is the default port used by TACACS+ for communication?

A.49
B.1812
C.1645
D.389
AnswerA

Correct. TACACS+ uses TCP port 49.

Why this answer

TACACS+ uses TCP port 49 by default. This is a well-known port assigned to TACACS+.

266
Matchingmedium

Drag and drop each Ansible connection type on the left to its matching protocol on the right.

Matches

SSH-based connection for Cisco IOS/IOS-XE CLI

SSH-based connection for NETCONF protocol

HTTP/HTTPS-based connection for REST APIs

Runs modules on the control node, not on the target

Pure Python SSH implementation for legacy devices

Why these pairings

network_cli uses SSH for CLI-based devices; netconf uses SSH for NETCONF-based devices; httpapi uses HTTP/HTTPS for REST APIs like NX-API or IOS-XE RESTCONF.

267
Matchingmedium

Drag and drop each EAP method on the left to its matching authentication type on the right.

Matches

Mutual certificate-based authentication

Server-side certificate with MSCHAPv2 inner method

Protected Access Credential (PAC) for secure tunneling

Simple username and password hash (no mutual authentication)

Generic Token Card for one-time password or certificate

Why these pairings

EAP-TLS uses certificates, PEAP uses server certificate with inner MSCHAPv2, EAP-FAST uses a PAC, and EAP-MD5 uses simple password hash.

268
Matchingmedium

Drag and drop each multicast tree type on the left to its matching description on the right.

Matches

Tree rooted at the source, uses optimal path to each receiver

Shared tree rooted at the RP, used in PIM Sparse Mode

Shared tree that allows multicast traffic to flow in both directions

A tree rooted at the source of the multicast traffic

A tree rooted at the RP, shared by all sources for a given group

Why these pairings

SPT is the shortest path from source to receivers; RPT is a shared tree rooted at the RP; Bidirectional tree allows traffic to flow both ways; Source tree is a tree rooted at the source; Shared tree is a tree rooted at the RP.

269
Drag & Dropmedium

Drag and drop the steps to configure a site-to-site IPsec VPN on a Cisco router in the correct order.

Why this order

IPsec VPN setup requires IKE phase 1, then phase 2 (transform set and crypto map).

270
MCQhard

A network engineer is deploying Cisco DNA Center in a brownfield network. The engineer wants to use DNA Center to automate the configuration of QoS policies across all access switches. After discovering the devices and adding them to Inventory, the engineer creates a QoS policy and assigns it to a site. However, when attempting to provision, DNA Center reports that the devices are in 'Compliance Error' state. What is the most likely reason?

A.The devices have existing QoS configurations that conflict with the new policy.
B.The devices are not running a supported IOS-XE version for QoS automation.
C.The DNA Center appliance does not have enough storage to process the QoS policy.
D.The QoS policy was created with an invalid DSCP value.
AnswerA

Correct because DNA Center's compliance check compares the intended configuration with the actual device configuration. Conflicts cause compliance errors.

Why this answer

In brownfield deployments, devices may have existing configurations that conflict with the intended policies. DNA Center performs a compliance check before provisioning. If the current device configuration does not match the intended configuration (e.g., existing QoS settings), DNA Center reports a compliance error.

The engineer must either update the device configuration to match the intent or modify the intent to accommodate the existing configuration.

271
Drag & Dropmedium

Drag and drop the steps of DSCP re-marking at enterprise WAN edge into the correct order, from first to last.

Why this order

At the enterprise WAN edge, traffic is first classified based on existing markings or other criteria. Then a policy-map is created to set the new DSCP value. The policy is applied outbound on the WAN interface.

The router re-marks packets as they exit. Finally, the new DSCP value is verified using show commands.

272
MCQeasy

An engineer is configuring multicast on a Cisco router. The router receives multicast traffic from a source on interface GigabitEthernet0/0 and needs to forward it to receivers on interface GigabitEthernet0/1. The engineer enables PIM sparse mode on both interfaces and configures a static RP. However, the router does not create a multicast routing entry for the (S,G) pair. What is the most likely missing configuration?

A.The global command 'ip multicast-routing' is not configured.
B.The interface GigabitEthernet0/0 is not configured with an IP address.
C.The RP address is not reachable from the router.
D.The router is not configured as a candidate RP.
AnswerA

Correct because this command is required to enable multicast routing on the router.

Why this answer

For multicast routing to work, the 'ip multicast-routing' command must be enabled globally. Without it, the router will not create multicast forwarding entries, even if PIM is enabled on interfaces.

273
Matchingmedium

Drag and drop each 802.11 standard on the left to its matching frequency band and maximum speed on the right.

Matches

2.4 GHz, 11 Mbps

5 GHz, 54 Mbps

2.4 GHz, 54 Mbps

2.4/5 GHz, 600 Mbps

5 GHz, 6.9 Gbps

Why these pairings

802.11b operates at 2.4 GHz with 11 Mbps; 802.11a at 5 GHz with 54 Mbps; 802.11g at 2.4 GHz with 54 Mbps; 802.11n can use both 2.4 and 5 GHz with 600 Mbps; 802.11ac operates only at 5 GHz with up to 6.9 Gbps.

274
Multi-Selectmedium

Which two statements about REST API HTTP methods are true? (Choose two.)

Select 2 answers
A.GET is a safe method that must not change server state.
B.POST is idempotent, meaning multiple identical requests have the same effect.
C.DELETE is non-idempotent and each request may have a different outcome.
D.PUT is idempotent and replaces the entire resource at the target URI.
E.PATCH is always idempotent because it uses a patch document.
AnswersA, D

Correct because GET is defined as safe and idempotent in REST.

Why this answer

The correct answers are A and D. A is correct because GET is defined as a safe method that does not modify server state. D is correct because PUT is idempotent — multiple identical requests produce the same result.

B is incorrect because POST is not idempotent; it often creates new resources. C is incorrect because DELETE is idempotent, not non-idempotent. E is incorrect because PATCH is typically non-idempotent unless applied carefully.

275
Matchingmedium

Drag and drop each BGP message type on the left to its matching function on the right.

Matches

Establishes BGP peering parameters

Advertises or withdraws prefixes

Reports error conditions

Maintains session liveness

Requests re-advertisement of routes

Why these pairings

OPEN establishes peering; UPDATE advertises/withdraws routes; NOTIFICATION signals errors; KEEPALIVE maintains session; ROUTE-REFRESH requests re-advertisement.

276
Multi-Selecthard

Which three statements about Cisco AP join process and discovery are true? (Choose three.)

Select 3 answers
A.An AP can discover a WLC using DHCP option 43, which provides the WLC management IP address.
B.An AP can discover a WLC by sending a DNS query for 'CISCO-CAPWAP-CONTROLLER.localdomain'.
C.An AP must have a valid certificate installed to establish a DTLS session with the WLC.
D.An AP can discover a WLC by sending an SNMP broadcast to the local subnet.
E.An AP can be manually configured with the primary WLC name via the AP CLI before joining.
AnswersA, B, C

Correct because DHCP option 43 is a standard method for APs to learn the WLC IP address during boot.

Why this answer

APs discover WLCs via DHCP option 43, DNS, or local subnet broadcast. They use CAPWAP for control and data. The AP must have a valid certificate for DTLS.

APs can be pre-configured with a primary WLC name. APs do not use SNMP to find WLCs.

277
MCQhard

A network engineer runs the following command on Switch SW7:

```
SW7# show monitor session 7
Session 7
---------
Type              : Local Session
Source Ports      :
    Both          : Gi1/0/1
Destination Ports : Gi1/0/20
    Encapsulation : Native
          Ingress : Enabled
```

Based on this output, what can be concluded?

A.The destination port Gi1/0/20 can forward incoming traffic in addition to sending mirrored traffic.
B.This is an RSPAN session with a remote VLAN.
C.Only egress traffic from Gi1/0/1 is mirrored.
D.The destination port is configured to block all incoming traffic.
AnswerA

Ingress enabled allows the port to forward received traffic.

Why this answer

This is a local SPAN session with ingress enabled on the destination port. Normally, ingress is disabled to prevent loops, but here it is enabled, meaning traffic arriving on Gi1/0/20 can be forwarded normally. This is unusual and may be used for specific monitoring purposes.

278
Multi-Selecteasy

Which two statements about IP SLA probe scheduling and operation states are true? (Choose two.)

Select 2 answers
A.The 'schedule' command with 'start-time now' causes the IP SLA operation to begin immediately.
B.An IP SLA operation in the 'active' state indicates that the probe is currently being sent and responses are being collected.
C.The 'life' parameter in the IP SLA configuration sets the frequency at which probes are sent.
D.An IP SLA operation remains in the 'pending' state until the 'start-time' is reached, even if the configuration is complete.
E.The 'schedule' command with 'life forever' causes the operation to stop after a single probe.
AnswersA, B

Correct because 'start-time now' starts the operation as soon as the command is entered.

Why this answer

IP SLA operations can be scheduled to start immediately or at a specific time, and they can run indefinitely or for a fixed duration. The 'life' parameter controls how long the operation runs. An operation in 'active' state is currently sending probes.

The 'pending' state means the operation is configured but not yet scheduled. The 'life forever' command makes the operation run until manually stopped.

279
Drag & Dropmedium

Drag and drop the steps of stateless DHCPv6 address assignment into the correct order, from first to last.

Why this order

Stateless DHCPv6 uses SLAAC for addressing and DHCPv6 for additional parameters. The host sends an RS, receives an RA with the O flag, then sends an Information-Request and receives a Reply with options like DNS.

280
MCQmedium

Consider the following configuration:

```
router eigrp 100
 network 10.0.0.0 0.255.255.255
 passive-interface default
 no passive-interface GigabitEthernet0/0
```

Which statement is true about this EIGRP configuration?

A.EIGRP will send and receive updates only on GigabitEthernet0/0.
B.EIGRP will send updates on all interfaces except GigabitEthernet0/0.
C.EIGRP will not send any updates because the network statement is incorrect.
D.EIGRP will form adjacencies on all interfaces that have an IP address in the 10.0.0.0/8 range.
AnswerA

All interfaces are passive by default, but Gi0/0 is explicitly enabled for EIGRP updates.

Why this answer

The `passive-interface default` command sets all interfaces to passive by default, preventing EIGRP from sending or receiving hello packets (and thus updates) on them. The `no passive-interface GigabitEthernet0/0` command then overrides this default for that specific interface, allowing EIGRP to send and receive updates only on GigabitEthernet0/0. The network statement 10.0.0.0 0.255.255.255 enables EIGRP on any interface matching the 10.0.0.0/8 range, but the passive-interface logic restricts actual adjacency formation.

Exam trap

Cisco often tests the interaction between `passive-interface default` and `no passive-interface` to see if candidates understand that the default passive setting overrides all interfaces except those explicitly enabled, rather than the reverse.

How to eliminate wrong answers

Option B is wrong because the configuration uses `passive-interface default` followed by `no passive-interface GigabitEthernet0/0`, which makes only GigabitEthernet0/0 active for EIGRP updates, not all interfaces except GigabitEthernet0/0. Option C is wrong because the network statement `10.0.0.0 0.255.255.255` is a valid wildcard mask that matches the 10.0.0.0/8 prefix, and EIGRP will enable on any interface with an IP in that range; the passive-interface logic does not invalidate the network statement. Option D is wrong because although the network statement enables EIGRP on all interfaces in the 10.0.0.0/8 range, the `passive-interface default` command suppresses hello packets and adjacency formation on all interfaces except GigabitEthernet0/0, so adjacencies will not form on other interfaces.

281
MCQhard

A network engineer runs the following command on Router R7:

```
R7# show ip sla monitor statistics 6
Round Trip Time (RTT) for Index 6
Latest RTT: NoConnection/Busy/Timeout
Latest Operation Start Time: 18:00:00.000 UTC Mon Mar 1 2021
Latest Operation Return Code: Timeout
Number of successes: 0
Number of failures: 15
Over thresholds: 0
```

Based on this output, what is the status of the IP SLA operation?

A.The operation is functioning normally with occasional timeouts.
B.The target is reachable but with high latency.
C.The target is unreachable, as all probes have timed out.
D.The operation has been configured but not started.
AnswerC

15 failures and timeout indicate unreachable target.

Why this answer

All 15 probes have failed with a timeout return code, indicating a persistent connectivity issue to the target. The target is likely unreachable.

282
Multi-Selectmedium

Which three statements about OSPF route summarization are true? (Choose three.)

Select 3 answers
A.Inter-area route summarization is configured on ABRs using the "area range" command.
B.External route summarization is configured on ASBRs using the "summary-address" command.
C.Route summarization reduces the size of the LSDB and improves network convergence.
D.Route summarization can be configured on any OSPF router to reduce Type 1 LSAs.
E.Summarization in OSPF can be applied to Type 1 and Type 2 LSAs to reduce flooding.
AnswersA, B, C

Correct because ABRs use the "area range" command to summarize routes between areas, reducing Type 3 LSAs.

Why this answer

Option A is correct because inter-area summarization is configured on ABRs to reduce the number of Type 3 LSAs. Option B is correct because external route summarization is configured on ASBRs to reduce Type 5 LSAs. Option C is correct because summarization helps reduce the routing table size and LSA flooding, improving network stability.

Option D is incorrect because summarization is not supported on internal routers; it is only performed on ABRs and ASBRs. Option E is incorrect because summarization does not affect Type 1 or Type 2 LSAs; it only affects Type 3 and Type 5 LSAs.

283
MCQmedium

A network engineer runs the following command on Router R3:

```
R3# show bgp vpnv4 unicast all summary
BGP router identifier 10.0.0.3, local AS number 65000
BGP table version is 10, main routing table version 10
10 network entries using 1440 bytes of memory
10 path entries using 1360 bytes of memory
6/5 BGP path/bestpath attribute entries using 840 bytes of memory
4 BGP AS-PATH entries using 112 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 3752 total bytes of memory
BGP activity 20/10 prefixes, 20/10 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.1.1     4 65000    1000    1000       10    0    0 01:23:45        5
192.168.2.2     4 65000     800     800       10    0    0 00:45:12        3
```

Based on this output, what can be concluded?

A.Both neighbors are eBGP peers
B.Both neighbors are iBGP peers exchanging VPNv4 prefixes
C.The neighbor 192.168.1.1 is not receiving any prefixes
D.The BGP table has 20 prefixes
AnswerB

The local AS is 65000 and both neighbors have the same AS, indicating iBGP. PfxRcd shows prefixes received.

Why this answer

The command `show bgp vpnv4 unicast all summary` displays BGP VPNv4 unicast summary information for all VRFs. Both neighbors (192.168.1.1 and 192.168.2.2) are in the same AS 65000, and the output shows they are exchanging VPNv4 prefixes (State/PfxRcd shows 5 and 3 prefixes received). This confirms they are iBGP peers within the same AS, specifically for VPNv4 address family, which is used in MPLS Layer 3 VPN environments to carry customer VPN routes.

Exam trap

Cisco often tests the distinction between eBGP and iBGP by using the same AS number in the output, and candidates may overlook that the `vpnv4 unicast all` address family is specifically for MPLS VPN iBGP peering, not for standard IPv4 unicast.

How to eliminate wrong answers

Option A is wrong because both neighbors have the same AS number (65000) as the local router, which indicates iBGP peering, not eBGP (which requires different AS numbers). Option C is wrong because the State/PfxRcd column shows 5 prefixes received from 192.168.1.1, meaning it is actively receiving prefixes. Option D is wrong because the output clearly states '10 network entries' and '20/10 prefixes' (activity counters), not 20 prefixes in the current BGP table.

284
MCQeasy

Which of the following is a valid AP mode on Cisco 9800 WLCs that allows the AP to function as a standalone access point without controller management?

A.Local mode
B.FlexConnect mode
C.Monitor mode
D.Sniffer mode
AnswerB

FlexConnect allows standalone operation with local switching.

Why this answer

Cisco APs can operate in various modes; 'FlexConnect' allows local switching and can operate independently if the WLC is unreachable.

285
Multi-Selecteasy

Which three statements about multicast group addresses and Layer 2 mapping are true? (Choose three.)

Select 3 answers
A.The multicast MAC address is derived by placing the lower 23 bits of the multicast IP address into the OUI 01-00-5E.
B.Multiple multicast IP addresses can map to the same multicast MAC address.
C.The multicast IP address 224.0.0.1 maps to the MAC address 01-00-5E-00-00-01.
D.The multicast IP address range 224.0.0.0/24 is reserved for global scope and can be routed across the internet.
E.The multicast MAC address 01-00-5E-00-00-05 corresponds to the IP address 224.0.0.5.
AnswersA, B, C

Correct because the standard mapping takes the last 23 bits of the IP multicast group address and copies them into the last 23 bits of the MAC address 01-00-5E-00-00-00 (with the high-order bit of the MAC set to 0).

Why this answer

Multicast IP addresses in the 224.0.0.0/4 range map to a Layer 2 MAC address range. The mapping is not unique, leading to possible overlap. Well-known addresses like 224.0.0.1 are used for local link communication and are not routable.

286
Multi-Selectmedium

Which two statements about BGP TTL security are true? (Choose two.)

Select 2 answers
A.BGP TTL security uses the Generalized TTL Security Mechanism (GTSM) to validate the TTL of incoming BGP packets.
B.The command 'neighbor <ip> ttl-security hops <hop-count>' is used to enable BGP TTL security on a per-neighbor basis.
C.The default TTL value for eBGP packets is 64.
D.BGP TTL security encrypts the BGP update messages to prevent eavesdropping.
E.BGP TTL security is only applicable to eBGP sessions, not iBGP.
AnswersA, B

Correct because GTSM checks that the TTL is within a valid range based on the configured hop count.

Why this answer

BGP TTL security (GTSM) protects against CPU-based attacks by ensuring incoming BGP packets have a TTL of 255 minus the expected hop count. The neighbor ttl-security hops command is used on Cisco IOS-XE to enable this feature, and it must be configured on both peers to be effective. Option C is incorrect because the default TTL for eBGP is 1, not 64.

Option D is incorrect because GTSM does not encrypt BGP updates. Option E is incorrect because GTSM is supported for both eBGP and iBGP.

287
Matchingmedium

Drag and drop each SD-WAN controller on the left to its matching function on the right.

Centralized management, monitoring, and configuration of the SD-WAN fabric

Control plane distribution of OMP routes, TLOCs, and policies

Orchestration of initial authentication and NAT traversal for WAN edge devices

WAN edge router that forwards data plane traffic and terminates overlay tunnels

Historical and real-time analytics for network visibility and troubleshooting

Why these pairings

vManage provides centralized management and monitoring; vSmart is the control plane controller that distributes routing and policy; vBond handles authentication and orchestration of the overlay network.

288
Drag & Dropmedium

Drag and drop the steps of Cisco TrustSec inline tagging across fabric into the correct order, from first to last.

Why this order

TrustSec inline tagging starts with the ingress switch classifying traffic and adding an SGT to the frame, then forwarding it across the fabric, the egress switch reading the SGT, matching it to an SGACL, and finally enforcing the permit/deny decision.

289
MCQmedium

Given this NAT configuration:

```
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip nat outside
!
ip nat inside source static 10.0.0.5 198.51.100.5
```

What is the purpose of this configuration?

A.It translates all traffic from 10.0.0.0/24 to 198.51.100.0/24 using PAT.
B.It creates a one-to-one mapping between 10.0.0.5 and 198.51.100.5, allowing inbound and outbound traffic.
C.It translates only outbound traffic from 10.0.0.5 to 198.51.100.5.
D.The configuration is incomplete; it needs an access-list.
AnswerB

Correct. Static NAT provides a fixed mapping for both directions.

Why this answer

This configures static NAT, mapping a single inside host to a specific outside address.

290
Multi-Selecthard

Which three statements about configuring model-driven telemetry on Cisco IOS-XE devices are true? (Choose three.)

Select 3 answers
A.The 'telemetry' command enters the telemetry configuration submode, where subscriptions and sensor groups are defined.
B.A sensor group can contain multiple sensor paths, each referencing a YANG data model path.
C.The 'update-policy' command is used to set the on-change trigger for a subscription.
D.A single subscription can only have one sensor group and one receiver.
E.The 'receiver' command specifies the destination IP address, port, and protocol (e.g., gRPC or TCP) for the telemetry stream.
AnswersA, B, E

Correct because 'telemetry' at global config mode enters the telemetry configuration context, where you can configure subscriptions, sensor groups, and receivers.

Why this answer

On IOS-XE, telemetry is configured under the 'telemetry' submode. A subscription defines the destination (e.g., IP, port, protocol) and the sensor paths (YANG paths). Multiple sensor groups can be associated with one subscription.

The 'update-policy' command sets the periodic interval. The 'receiver' command specifies the collector details. TLS is supported for secure dial-out connections.

291
Matchingmedium

Drag and drop each MPLS label operation on the left to its matching action on the right.

Adds a new label to the top of the label stack

Removes the top label from the label stack

Replaces the top label with a new label value

Pops the label at the penultimate hop before the egress LER

Copies the IP TTL value into the MPLS TTL field

Why these pairings

Push adds a new label to the stack, pop removes the top label, swap replaces the top label with a new one, PHP pops the label before the egress LER, and TTL propagation copies the IP TTL into the label TTL field.

292
MCQmedium

A network engineer executes the following command on Router R2:

```
R2# show mpls ldp neighbor
    Peer LDP Ident: 192.168.1.1:0; Local LDP Ident 192.168.1.2:0
        TCP connection: 192.168.1.1.646 - 192.168.1.2.54321
        State: Oper; Msgs sent/rcvd: 1234/1234; Downstream
        Up time: 2d04h
        LDP discovery sources:
          GigabitEthernet0/0, Src IP addr: 192.168.1.1
            holdtime: 15000 ms, hello interval: 5000 ms
        Addresses bound to peer LDP Ident:
          192.168.1.1     10.0.0.1
```

Based on this output, what is true about the LDP session?

A.The LDP session is down because the state is 'Oper'.
B.The LDP session is using UDP port 646 for the TCP connection.
C.The LDP session is operational and the holdtime is 15000 ms.
D.The LDP session is using the default hello interval of 5000 ms.
AnswerC

The state is 'Oper' and holdtime is explicitly shown as 15000 ms.

Why this answer

The output shows an LDP neighbor with state 'Oper' (operational) and a TCP connection using well-known port 646. The holdtime and hello interval are displayed.

293
Multi-Selecthard

Which two statements about EtherChannel configuration and verification are true? (Choose two.)

Select 2 answers
A.On IOS-XE, the 'channel-group 1 mode active' command creates the port-channel interface automatically if it does not exist.
B.The 'show etherchannel load-balance' command displays the current load-balancing method and the hash algorithm used.
C.In a Layer 3 EtherChannel, you must assign an IP address to the port-channel interface and also to each member interface.
D.The 'channel-group 1 mode desirable' command is valid on both IOS-XE and NX-OS platforms.
E.If physical ports in an EtherChannel have different speed or duplex settings, the EtherChannel will still form but with reduced bandwidth.
AnswersA, B

Correct because when the first physical port is added with a mode that enables LACP, the port-channel interface is dynamically created.

Why this answer

EtherChannel interfaces can be configured as Layer 2 (switchport) or Layer 3 (no switchport). The 'channel-group' command assigns a physical port to a port-channel. The 'show etherchannel summary' command displays the state and bundle information.

On NX-OS, the 'channel-group' command uses the 'force' option to override mismatched parameters.

294
MCQmedium

Refer to the exhibit. Which OSPF route type is the default route?

A.External type 2 (E2)
B.Inter-area (IA)
C.NSSA external type 2 (N2)
D.External type 1 (E1)
AnswerA

Correct because O*E2 indicates OSPF external type 2.

Why this answer

The exhibit shows a default route (0.0.0.0/0) being redistributed into OSPF from another routing protocol or static route. By default, OSPF redistributes routes as External Type 2 (E2), meaning the metric does not include the internal cost to the ASBR. The route is not an NSSA type because the area is not configured as a not-so-stubby area, and it is not an inter-area route because it originates outside the OSPF domain.

Exam trap

Cisco often tests the default OSPF metric type for redistributed routes (E2) and the fact that a default route can be an external route, not just an inter-area or NSSA type, leading candidates to confuse it with N2 or IA when the area type is not explicitly stated.

How to eliminate wrong answers

Option B is wrong because Inter-area (IA) routes are prefixes learned from another OSPF area, not redistributed external routes; a default route redistributed into OSPF is external, not inter-area. Option C is wrong because NSSA external type 2 (N2) routes only appear in not-so-stubby areas (NSSA) and are translated to type 5 LSAs by the ABR; the exhibit does not indicate an NSSA configuration. Option D is wrong because External type 1 (E1) routes include the internal cost to the ASBR in their metric, but OSPF defaults to E2 for redistributed routes unless explicitly configured with the 'metric-type 1' keyword.

295
MCQmedium

A RESTCONF request is sent to a Cisco IOS-XE device to retrieve interface statistics:

```
GET /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet1
Accept: application/yang-data+json
```

Response:

```
{
  "ietf-interfaces:interface": [
    {
      "name": "GigabitEthernet1",
      "type": "iana-if-type:ethernetCsmacd",
      "enabled": true,
      "ietf-ip:ipv4": {
        "address": [
          {
            "ip": "192.168.1.1",
            "netmask": "255.255.255.0"
          }
        ]
      }
    }
  ]
}
```

What does the response indicate about the interface?

A.The interface GigabitEthernet1 is enabled and has an IPv4 address of 192.168.1.1/24.
B.The interface is disabled because the 'enabled' field is missing.
C.The response indicates an error because the interface type is incorrect.
D.The response shows that the interface has no IP address configured.
AnswerA

The 'enabled' field is true, and the IPv4 address with netmask indicates /24.

Why this answer

The response shows the interface configuration, including its name, type, enabled status, and IPv4 address. The correct answer interprets the JSON structure accurately.

296
Drag & Dropmedium

Drag and drop the steps of SD-Access fabric border handoff configuration into the correct order, from first to last.

Why this order

The correct order starts with defining the external network, then creating the SVI for the handoff, configuring the routing protocol, applying the border handoff policy, and finally verifying the connectivity. This sequence ensures the border node can properly connect the fabric to external networks.

297
MCQhard

A network engineer runs the following command on Router R9:

```
R9# show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
udp  192.0.2.20:1234    10.0.0.20:1234     203.0.113.1:53     203.0.113.1:53
tcp  192.0.2.20:5678    10.0.0.20:5678     198.51.100.1:80    198.51.100.1:80
---  192.0.2.21         10.0.0.21          ---                ---
```

Based on this output, what can be concluded?

A.All translations are dynamic.
B.The router is using both static NAT and PAT simultaneously.
C.The router is configured with a single NAT pool.
D.The inside global address 192.0.2.20 is used for both static and dynamic translations.
AnswerB

Static NAT for 10.0.0.21 and PAT for 10.0.0.20 are both active.

Why this answer

The output shows a mix of dynamic PAT translations (with ports) and a static NAT entry (no protocol/port). The static entry maps 10.0.0.21 to 192.0.2.21, while PAT is used for 10.0.0.20.

298
MCQmedium

A network engineer is migrating a physical server running a critical database to a virtual machine on a VMware vSphere cluster. The database requires high I/O performance and low latency. The engineer decides to use VMFS datastores with multiple extents to improve performance. After migration, the database performance is worse than on the physical server. What is the most likely reason?

A.VMFS datastores with multiple extents can cause I/O to span multiple LUNs, increasing latency.
B.The VMFS datastore does not support files larger than 2 TB.
C.The virtual disk is configured as thin provisioned, causing write amplification.
D.The virtual disk is configured as thick eager zeroed, causing slow initial writes.
AnswerA

Correct because multiple extents can lead to I/O being split across LUNs, adding overhead.

Why this answer

VMFS datastores with multiple extents distribute data across multiple LUNs, which can cause I/O operations to span physical storage devices. This introduces additional latency due to the need for coordination across LUNs, negating the performance benefit expected from a single, contiguous LUN. For a database requiring high I/O and low latency, this spanning effect degrades performance compared to a physical server with direct-attached storage.

Exam trap

Cisco often tests the misconception that multiple extents improve performance by aggregating bandwidth, when in fact they increase latency due to I/O spanning and SCSI locking overhead.

How to eliminate wrong answers

Option B is wrong because VMFS datastores support files larger than 2 TB; VMFS-5 and later allow virtual disks up to 62 TB, so file size is not the issue. Option C is wrong because thin provisioning can cause write amplification due to on-demand allocation, but the question specifies the engineer used multiple extents, and thin provisioning is not mentioned as the chosen configuration; the primary performance issue here is the extent spanning. Option D is wrong because thick eager zeroed pre-allocates and zeros blocks during creation, which can slow initial writes but does not explain ongoing poor performance after migration; the problem is persistent latency from multi-extent I/O.

299
Drag & Dropmedium

Drag and drop the steps of Cisco ISE profiling and policy assignment flow into the correct order, from first to last.

Why this order

The flow starts with endpoint authentication via 802.1X/MAB, then ISE collects profiling data (e.g., DHCP, HTTP). ISE matches the endpoint to a profiling policy, assigns an identity group, and finally applies the appropriate authorization policy (e.g., SGT, VLAN).

300
MCQmedium

Consider the following DMVPN configuration on a hub router:

```
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
```

What is the effect of the command 'ip nhrp map multicast dynamic'?

A.It statically maps the hub's own NBMA address to the multicast group.
B.It enables the hub to dynamically add spoke NBMA addresses to the multicast NHRP map for forwarding multicast traffic to all spokes.
C.It configures the hub to send NHRP registration requests to the multicast address 224.0.0.1.
D.It disables multicast forwarding over the tunnel interface.
AnswerB

This is the correct function: the hub learns spoke addresses dynamically and uses them for multicast replication.

Why this answer

The 'ip nhrp map multicast dynamic' command allows the hub to dynamically learn the NBMA addresses of spoke routers when they register via NHRP, and then automatically add those addresses to the multicast list for forwarding multicast traffic (such as routing protocol hellos) to all spokes.
