ENCOR 350-401 (350-401) — Questions 301-375

2015 questions total · 27 pages · All types, answers revealed

Page 5 of 27
301 · Drag & Drop · medium

Drag and drop the steps of a NETCONF get-config operation into the correct order, from first to last.


Why this order

The NETCONF get-config operation begins with establishing a secure SSH session, then the client sends a hello message to exchange capabilities. After the server responds with its hello, the client sends the get-config request. The server retrieves the configuration and sends the reply.

302 · MCQ · medium

A network engineer is troubleshooting an STP issue in a switched network. The network has two distribution switches connected via a trunk, and each distribution switch connects to the same access switch. The engineer notices that the root bridge is not the intended distribution switch. Upon checking, the engineer sees that the access switch has a higher priority than the distribution switches. The engineer needs to ensure that the intended distribution switch becomes the root bridge without causing a temporary loop. What should the engineer do?

A. Configure the 'spanning-tree vlan vlan-id root primary' command on the intended distribution switch.
B. Set the priority of the access switch to 0 using the 'spanning-tree vlan vlan-id priority 0' command.
C. Increase the priority of the distribution switch to 61440 using the 'spanning-tree vlan vlan-id priority 61440' command.
D. Disable STP on the distribution switch and manually configure it as the root bridge.

Answer: A

Correct because this command sets the switch priority to 24576 (or lower if needed) to ensure it becomes the root bridge without manual configuration.

Why this answer

Option A is correct because the 'spanning-tree vlan vlan-id root primary' command dynamically sets the switch's bridge priority to 24576 (or 4096 if the current root has a priority lower than 24576) and ensures the switch becomes the root bridge without manual priority miscalculation. This command also adjusts the priority of neighboring switches if needed, preventing temporary loops by avoiding the need to disable or reset STP. It is the safest and most efficient method to force a specific switch to become the root bridge in a live network.

Exam trap

Cisco often tests the misconception that increasing a switch's priority (making it numerically higher) helps it become root, when in fact the root bridge is elected based on the lowest bridge priority value.

How to eliminate wrong answers

Option B is wrong because setting the access switch's priority to 0 would make it the root bridge, which is the opposite of the intended goal (the distribution switch should be root). Option C is wrong because increasing the distribution switch's priority to 61440 (a high value) would make it less likely to become the root bridge, not more; the root bridge is elected with the lowest priority value. Option D is wrong because disabling STP on the distribution switch would break loop prevention entirely, potentially causing a Layer 2 loop and network outage, and manually configuring it as root without STP is not a valid or safe method.

303 · Multi-Select · medium

Which two statements about policing and shaping are true? (Choose two.)

A. Policing can be configured on both ingress and egress interfaces, whereas shaping is typically applied only on egress interfaces.
B. Shaping drops packets that exceed the configured rate, while policing buffers them to meet the rate.
C. Both policing and shaping use a token bucket algorithm to measure traffic rates.
D. Shaping is more suitable than policing for traffic that must be dropped immediately, such as scavenger-class traffic.
E. Policing always introduces additional latency due to queuing, while shaping does not.

Answers: A, C

Correct. Policing is bidirectional; shaping is unidirectional (outbound) because it requires buffering.

Why this answer

Policing drops or re-marks packets that exceed a configured rate, while shaping buffers excess packets and delays them to smooth traffic. Policing can be applied inbound or outbound, but shaping is typically outbound only. Shaping uses a buffer, which can introduce jitter.

304 · MCQ · easy

A network engineer is troubleshooting an EIGRP issue where two routers, R1 and R2, are directly connected. R1 shows an EIGRP adjacency with R2, but R2 does not show an adjacency with R1. The engineer checks the interface configurations and finds that R1 has 'ip authentication mode eigrp 1 md5' and 'ip authentication key-chain eigrp 1 MYKEY' configured, while R2 has no authentication configured. What is the most likely cause?

A. R1 has authentication configured, but R2 does not, so R1 will reject R2's hello packets, and no adjacency forms.
B. R2 will automatically learn the authentication key from R1 and form an adjacency.
C. R1 will form an adjacency with R2 because authentication is optional.
D. The adjacency will form but only for routes that are not authenticated.

Answer: A

Correct. EIGRP authentication requires both sides to have matching authentication. Since R2 does not have authentication, R1 will discard R2's hello packets, preventing adjacency.

Why this answer

EIGRP authentication is configured per interface and must match on both sides for an adjacency to form. R1 has MD5 authentication enabled, so it will include the authentication data in its hello packets and will reject any hello packets received from R2 that lack the correct authentication. Since R2 has no authentication configured, its hello packets are sent without authentication data, causing R1 to discard them.

Consequently, R1 sees R2 as a neighbor (because it receives R2's unauthenticated hellos and may still attempt to form adjacency depending on implementation), but R2 never receives a valid hello from R1 (because R1's hellos are authenticated and R2 does not process the authentication field), so R2 does not establish an adjacency with R1.

Exam trap

Cisco often tests the misconception that authentication is optional or that a router can learn keys dynamically; the trap here is assuming that an adjacency can form unidirectionally when authentication is mismatched, when in fact EIGRP requires matching authentication parameters for bidirectional neighbor discovery.

How to eliminate wrong answers

Option B is wrong because EIGRP does not support automatic key learning; authentication keys must be manually configured on both routers. Option C is wrong because when authentication is enabled on one side, it is not optional—the receiving router will drop unauthenticated or mismatched hello packets, preventing adjacency formation. Option D is wrong because EIGRP authentication applies to all EIGRP packets (including hellos and updates); there is no mechanism to form an adjacency for only a subset of routes.

305 · Matching · medium

Drag and drop each AAA method list on the left to its correct fallback order on the right.


local case (no server defined): local

RADIUS then local

TACACS+ then local

local (no fallback)

none (no authentication required)

Why these pairings

Method lists define the order of authentication sources. The default login method uses local as fallback; a common RADIUS-first list uses local; a TACACS+-first list uses local; a local-only list uses no fallback; and a none list allows access without authentication.

306 · Drag & Drop · medium

Drag and drop the steps of LDP session establishment between LSRs into the correct order, from first to last.


Why this order

LDP session establishment starts with discovering neighbors via Hello messages over UDP, then opening a TCP connection. The LSRs exchange initialization parameters over TCP, followed by Keepalive messages to confirm the session. Finally, label mappings are exchanged for FECs.

307 · Multi-Select · medium

Which two statements about the Cisco Enterprise Campus Architecture are true? (Choose two.)

A. The distribution layer provides policy-based connectivity and controls traffic flow between access and core layers.
B. The access layer is responsible for routing between VLANs and providing high-speed switching for the campus backbone.
C. The core layer should be designed for high-speed transport and minimal latency, avoiding CPU-intensive features like ACLs.
D. A two-tier hierarchical design (collapsed core) is recommended for large campus networks with thousands of users.
E. The core layer should enforce security policies and perform packet inspection to protect the campus network.

Answers: A, C

Correct because the distribution layer is the policy enforcement boundary, implementing routing, QoS, and security policies.

Why this answer

The Cisco Enterprise Campus Architecture uses a hierarchical model to improve scalability, performance, and manageability. The access layer provides user and device connectivity, often with VLANs and PoE. The distribution layer aggregates access switches and provides policy enforcement, while the core layer provides high-speed transport.

The collapsed core design merges core and distribution for smaller networks. Option A is correct because the distribution layer is indeed the policy enforcement point. Option C is correct because the core layer should be optimized for high-speed switching without complex policies.

Option B is incorrect because the access layer typically does not perform routing between VLANs (that is a distribution layer function). Option D is incorrect because a two-tier design (collapsed core) is actually recommended for smaller campuses, not larger ones. Option E is incorrect because the core layer should not be used for security filtering, which is a distribution layer role.

308 · MCQ · medium

An engineer configures syslog on a Cisco router with 'logging host 10.1.1.1' and 'logging trap warnings'. The engineer wants to receive only messages with severity warning (4) and higher (0-4). However, the syslog server receives messages with severity debug (7). What is the most likely cause?

A. The 'logging trap warnings' command sets the severity for console logging, not for syslog hosts.
B. The syslog server is configured to accept all messages regardless of severity.
C. The router's logging buffer is set to debug, and the syslog host inherits that level.
D. The 'logging trap' command must be followed by a number, not a word.

Answer: C

Correct because if 'logging buffered debugging' is configured, the syslog host may receive all messages due to the buffer setting overriding the trap level.

Why this answer

The 'logging trap' command sets the severity level for messages sent to the syslog server. 'warnings' corresponds to level 4, which should filter out levels 5-7. If debug messages are still received, the most likely cause is that the command is not applied correctly or there is a misconfiguration: either the engineer did not apply the 'logging trap' command to the specific host, or the host command overrides it.

'logging host' uses the global trap level unless a level is specified per host, so the global 'logging trap warnings' should apply. If debug messages are received, the router may be sending messages from the local logging buffer, which is set to debug.

The correct answer is that the 'logging console' or 'logging monitor' level is set to debug, but the question is about the syslog server. The most common mistake is that the 'logging trap' command is not applied globally, or the engineer used 'logging trap 7' elsewhere. The engineer must also configure 'logging host 10.1.1.1' with the trap level explicitly.

309 · MCQ · medium

Examine the following configuration snippet:

    interface GigabitEthernet0/1
     ip address 192.168.1.1 255.255.255.0
     ip ospf hello-interval 20
     ip ospf dead-interval 80

What is the effect of this configuration?

A. The OSPF hello interval is changed to 20 seconds, and the dead interval is changed to 80 seconds, maintaining the default 4:1 ratio.
B. The OSPF hello interval is changed to 20 seconds, but the dead interval remains at the default of 40 seconds.
C. The OSPF hello interval is changed to 20 seconds, and the dead interval is automatically set to 60 seconds.
D. This configuration will cause OSPF adjacency failure because the dead interval must be exactly 4 times the hello interval.

Answer: A

Correct. The hello interval is set to 20, and dead interval to 80, which is 4 times the hello interval, as required by OSPF.

Why this answer

Option A is correct because the configuration explicitly sets the OSPF hello interval to 20 seconds and the dead interval to 80 seconds, which maintains the default 4:1 ratio (dead = hello × 4). OSPF allows manual configuration of these timers, and as long as both sides of the adjacency match, the ratio can be any value; the 4:1 default is not enforced by the protocol.

Exam trap

Cisco often tests the misconception that the dead interval must always be exactly 4 times the hello interval, but the actual requirement is that the timers must match between neighbors, not that a specific ratio must be maintained.

How to eliminate wrong answers

Option B is wrong because the 'ip ospf dead-interval 80' command explicitly overrides the default dead interval (40 seconds for a 10-second hello), so it does not remain at 40. Option C is wrong because OSPF does not automatically set the dead interval to 60 seconds when the hello interval is changed; the dead interval must be explicitly configured or it stays at the default (which would be 80 seconds if the hello were 20, but here it is explicitly set to 80). Option D is wrong because OSPF does not require the dead interval to be exactly 4 times the hello interval; the only requirement is that the timers match on both OSPF neighbors for adjacency to form, and any ratio is acceptable as long as it is consistent.

310 · Matching · medium

Drag and drop each ISE policy result on the left to its matching enforcement action on the right.


Downloadable ACL applied to the port after authentication

Assigns the endpoint to a specific VLAN ID

Tags the endpoint with a security group tag for TrustSec

Sets the maximum time before re-authentication is required

Forces HTTP traffic to a captive portal or compliance page

Why these pairings

DACL filters traffic, VLAN assignment places the endpoint, and SGT tagging applies a security group tag.

311 · Multi-Select · medium

Which two statements about NAT configuration on Cisco IOS-XE are true? (Choose two.)

A. NAT overload (PAT) allows multiple internal hosts to share a single public IP address by using unique source port numbers.
B. The ip nat inside source list 1 pool POOL overload command enables dynamic NAT without port translation.
C. A static NAT entry is created using the ip nat inside source static 192.168.1.10 203.0.113.10 command.
D. The ip nat outside command is applied to the internal interface to mark it as the source of NAT translations.
E. Dynamic NAT without overload translates multiple inside addresses to a single outside address using port numbers.

Answers: A, C

Correct because PAT uses port multiplexing to distinguish sessions from different internal hosts sharing one global IP.

Why this answer

NAT overload (PAT) translates multiple inside local addresses to a single inside global address using port numbers. The ip nat inside source list command with the overload keyword enables this. The ip nat inside source static command creates a one-to-one mapping, not many-to-one.

Dynamic NAT without overload uses a pool of global addresses one-to-one. The ip nat outside command is applied to the external interface, not inside. NAT can translate source addresses for traffic leaving the inside network.

312 · Matching · medium

Drag and drop each DNA Center API category on the left to its matching endpoint group on the right.


Endpoints for inventory, topology, and health summaries

Endpoints for site, building, and floor creation and management

Endpoints for network device discovery and reachability testing

Endpoints for software image management, device reboot, and configuration archive

Endpoints for creating and applying access and QoS policies

Why these pairings

DNA Center API categories map to endpoint groups: Know Your Network includes inventory and topology; Site Management handles building and floor details; Connectivity covers network device discovery; Operational Tasks includes software image management and device reboot.

313 · Drag & Drop · medium

Drag and drop the steps of OMP route advertisement between vSmart and vEdge into the correct order, from first to last.


Why this order

OMP route advertisement begins with the vEdge learning a route locally, then originating an OMP route and sending it to vSmart, which processes and installs it in the route table, then advertises it to other vEdge routers, and finally the receiving vEdge installs the OMP route into its forwarding table.

314 · MCQ · medium

An enterprise is designing a QoS architecture for its WAN edge routers connecting to multiple service providers. The design must support traffic shaping to avoid packet drops due to provider policers, while also prioritizing real-time traffic. Which approach should the architect use to shape traffic to the contracted CIR while still allowing bursts?

A. Apply a shape average policy on the egress interface of the WAN edge router, setting the CIR and burst parameters to match the provider contract.
B. Use a policer on the ingress interface to drop traffic exceeding the CIR.
C. Configure a shaper on the provider's device instead of the customer router.
D. Set the interface bandwidth to the CIR and rely on FIFO queuing.

Answer: A

Shape average enforces the CIR with bursting, preventing tail drops at the provider's policer.

Why this answer

Option A is correct because 'shape average' on the egress interface allows the router to buffer excess traffic and transmit it at the contracted CIR, while the burst parameters (Bc and Be) enable short-term bursts above CIR to accommodate real-time traffic spikes without drops. This prevents the provider's policer from discarding packets, as the shaper ensures the outbound traffic rate stays within the agreed contract limits.

Exam trap

Cisco often tests the distinction between shaping and policing—the trap here is that candidates may choose policing (Option B) because it seems simpler, but they overlook that shaping buffers bursts to avoid drops, which is essential when the provider enforces a policer downstream.

How to eliminate wrong answers

Option B is wrong because policing on the ingress interface drops or marks traffic exceeding the CIR, which does not prevent packet loss from the provider's egress policer and fails to buffer bursts; it also does not shape traffic to match the contract. Option C is wrong because the provider's device is typically not under the customer's administrative control, and shaping on the provider side would not allow the customer to prioritize their own real-time traffic or manage bursts locally. Option D is wrong because setting interface bandwidth to CIR does not perform shaping—it only influences routing metrics and QoS calculations, and FIFO queuing provides no prioritization for real-time traffic, leading to jitter and potential drops.

315 · MCQ · medium

A network engineer is automating the deployment of VLANs across multiple switches using Ansible. The playbook runs successfully on most switches, but one switch fails with an error indicating that the VLAN configuration command is not recognized. What is the most likely cause?

A. Ansible lacks the appropriate module for VLAN configuration
B. The inventory file has a syntax error for that specific host
C. The switch runs a different IOS version with different VLAN CLI syntax
D. SSH connectivity to the switch is blocked by an ACL

Answer: C

VLAN configuration syntax can vary between IOS versions; the playbook may use commands not supported on that version.

Why this answer

The most likely cause is that the switch runs a different IOS version with different VLAN CLI syntax. Ansible executes commands via SSH, and if the switch expects a different command format (e.g., 'vlan 10' vs. 'vlan database' on older CatOS), the playbook will fail with a command-not-recognized error. This is a common issue when automating across heterogeneous network devices.

Exam trap

The trap here is that candidates may assume a module or connectivity issue, but Cisco tests the understanding that different IOS versions or platforms (e.g., IOS vs. CatOS) have distinct VLAN CLI syntax, which Ansible modules must handle via conditional logic or version-specific variables.

How to eliminate wrong answers

Option A is wrong because Ansible has dedicated modules like 'ios_vlan' for VLAN configuration on Cisco IOS devices, so lacking a module is not the issue. Option B is wrong because an inventory file syntax error would typically cause a connection failure or host-not-found error, not a command-not-recognized error during execution. Option D is wrong because if SSH connectivity were blocked by an ACL, the playbook would fail at the connection stage with a timeout or authentication error, not after successfully sending a command.

316 · Multi-Select · medium

Which two statements about Cisco DNA Center software image management (SWIM) are true? (Choose two.)

A. Cisco DNA Center allows administrators to define a golden image for each device family and automatically enforce compliance.
B. Cisco DNA Center can upgrade device images remotely without requiring physical access to the devices.
C. Cisco DNA Center SWIM requires all devices to have a TFTP server configured locally to receive new images.
D. Cisco DNA Center SWIM does not provide any compliance reporting or audit trails for image versions.
E. Cisco DNA Center SWIM only supports Cisco Catalyst 9000 series switches and cannot manage older platforms.

Answers: A, B

Correct because SWIM enables setting a desired image version (golden image) and then checking devices against it, flagging non-compliant ones.

Why this answer

SWIM in DNA Center automates image upgrades and compliance. The correct answers describe golden image definition and remote upgrade capabilities. The wrong answers incorrectly claim mandatory TFTP usage, lack of compliance reporting, and that SWIM only works with specific hardware models.

317 · MCQ · hard

A network engineer runs the following command on Router R4:

    R4# show ip pim rp mapping
    PIM Group-to-RP Mappings
    This system is an RP (Auto-RP)
    This system is an RP (BSR)

    Group(s) 224.0.0.0/4
      RP 10.0.0.2 (?), v2v1
        Info source: 10.0.0.2 (?), elected via Auto-RP, expires in 00:01:30
      RP 10.0.0.3 (?), v2v1
        Info source: 10.0.0.3 (?), elected via BSR, expires in 00:02:00

Based on this output, what can be concluded?

A. Only Auto-RP is being used for RP mapping.
B. Only BSR is being used for RP mapping.
C. Both Auto-RP and BSR are configured, causing multiple RP mappings.
D. The router is not an RP.

Answer: C

The output shows two different RPs for the same group range, learned from different protocols.

Why this answer

The output shows that this router is configured as an RP for both Auto-RP and BSR. There are two RPs for the same group range: one learned via Auto-RP (10.0.0.2) and one via BSR (10.0.0.3). The router itself is also an RP.

This indicates that both Auto-RP and BSR are configured, which can cause conflicts. The correct answer is that both Auto-RP and BSR are active, leading to multiple RP mappings.

318 · MCQ · medium

Examine the following configuration:

    policy-map MARKING
     class VOICE
      set dscp ef
     class VIDEO
      set dscp af41
     class class-default
      set dscp default
    interface GigabitEthernet0/0
     service-policy input MARKING

Which statement is true?

A. Incoming packets matching the VOICE class will have their DSCP set to EF (46), VIDEO to AF41 (34), and all others to default (0).
B. The policy-map will only mark packets if the interface is congested.
C. The configuration is invalid because 'set dscp' cannot be used in a 'service-policy input' direction.
D. The policy-map will remark the DSCP of outgoing packets on GigabitEthernet0/0.

Answer: A

Correct. The 'set dscp' command modifies the DSCP field of matching packets.

Why this answer

This policy-map sets DSCP values for incoming traffic based on the class. VOICE traffic is marked as EF (46), VIDEO as AF41 (34), and all other traffic as default (0).

319 · MCQ · easy

Which BGP attribute is preferred when it has the lowest value?

A. MED (Multi-Exit Discriminator)
B. Local Preference
C. Weight
D. AS Path

Answer: A

The MED attribute is used to indicate the preferred path into an AS; lower MED is better.

Why this answer

The Multi-Exit Discriminator (MED) is a BGP path attribute used to influence inbound traffic to an AS from multiple entry points. A lower MED value is preferred over a higher one, making it the correct answer among the options where the lowest value is preferred.

Exam trap

Cisco often tests the distinction between attributes where higher is preferred (Local Preference, Weight) versus lower is preferred (MED, AS Path length), and the trap here is that candidates might confuse MED with Local Preference or Weight, both of which use higher values as better.

How to eliminate wrong answers

Option B (Local Preference) is wrong because Local Preference is used to influence outbound traffic from an AS, and a higher value is preferred, not lower. Option C (Weight) is wrong because Weight is a Cisco-proprietary attribute that is preferred when it has a higher value, not lower. Option D (AS Path) is wrong because a shorter AS Path length is preferred, meaning a lower count is better, but the question asks for an attribute where the lowest value is preferred, and AS Path is not typically described as a 'value' in the same sense as MED; moreover, AS Path length is a count, not a metric like MED, and the question's phrasing aligns more directly with MED's explicit numeric comparison.

320 · Matching · medium

Drag and drop each SD-Access layer on the left to its matching technology on the right.


IS-IS routing protocol for physical network connectivity

VXLAN encapsulation and LISP for host mobility and location

Cisco TrustSec (CTS) for SGT-based access control

Cisco DNA Center for automation and assurance

LISP control plane and VXLAN data plane for fabric forwarding

Why these pairings

The underlay uses IS-IS for physical connectivity, the overlay uses VXLAN and LISP for encapsulation and location mapping, and the policy layer uses CTS for SGT-based segmentation.

321 · MCQ · easy

Refer to the exhibit. A network administrator notices that some DHCP packets are being dropped due to 'MAC Address Mismatch'. What is the most likely cause of this drop?

A. The DHCP server is sending packets with an incorrect server identifier option.
B. The DHCP client is using a different MAC address in the DHCP packet than the source MAC in the Ethernet frame.
C. The DHCP client is sending a request with an incorrect transaction ID.
D. The DHCP offer packet is arriving on an untrusted port.

Answer: B

MAC address mismatch occurs when the chaddr field does not match the source MAC.

Why this answer

The DHCP snooping feature on a switch compares the source MAC address in the Ethernet frame with the chaddr (client hardware address) field inside the DHCP packet. When a DHCP client sends a packet with a different MAC in the frame than in the chaddr field, the switch considers it a 'MAC Address Mismatch' and drops the packet. This security mechanism prevents a rogue client from spoofing another device's MAC address to obtain a lease.

Exam trap

Cisco often tests the distinction between Layer 2 MAC checks (frame vs. chaddr) and Layer 3 or application-layer checks (server identifier, transaction ID), leading candidates to confuse DHCP snooping drops with client-side validation failures.

How to eliminate wrong answers

Option A is wrong because the DHCP server identifier option (option 54) is used by clients to identify which server to respond to, and an incorrect server identifier would cause a client to ignore the offer, not a switch to drop the packet due to MAC mismatch. Option B is correct as described. Option C is wrong because an incorrect transaction ID (XID) would cause the DHCP client to ignore the server's reply, but the switch does not check the XID for MAC mismatch drops; the XID mismatch is a client-side validation issue.

Option D is wrong because an untrusted port is a DHCP snooping concept where the switch drops DHCP server messages (OFFER, ACK, etc.) received on that port, not client messages, and the 'MAC Address Mismatch' check applies to client messages on untrusted ports as well, but the specific cause described is the mismatch between frame MAC and chaddr.

322 · Matching · medium

Drag and drop each OSPF area type on the left to its matching characteristic on the right.


Must connect all other areas; area 0

Blocks Type 5 LSAs; allows Type 3 summary LSAs

Blocks Type 5 and Type 3 LSAs; uses default route only

Allows Type 7 LSAs for external routes; blocks Type 5 LSAs

Blocks Type 5 and Type 3; allows Type 7 for external routes

Why these pairings

Backbone area (0) connects all other areas; Stub area blocks Type 5 LSAs but allows Type 3; Totally stubby area blocks both Type 5 and Type 3 (default route only); NSSA allows Type 7 LSAs for external routes but blocks Type 5; NSSA totally stubby blocks Type 5 and Type 3 but allows Type 7.

323 · Matching · medium

Drag and drop each CAPWAP message type on the left to its matching function on the right.


Manages AP configuration, keepalive, and state

Encapsulates user data frames between AP and WLC

Sent by AP to find WLCs

Sent by AP to join a WLC

Sent by WLC to push new settings to AP

Why these pairings

CAPWAP Control messages manage the AP (e.g., keepalive, configuration); CAPWAP Data messages carry user traffic between AP and WLC.

324 · Multi-Select · easy

Which two statements about PortFast are true? (Choose two.)

A. PortFast allows a port to transition directly from blocking to forwarding state.
B. PortFast should be enabled on ports that connect to end-user devices.
C. PortFast disables BPDU processing on the port.
D. PortFast is automatically enabled on all trunk ports.
E. PortFast changes the root bridge election process.

Answers: A, B

Correct because PortFast bypasses the listening and learning states, enabling immediate forwarding.

Why this answer

PortFast is a Cisco enhancement that allows a port to transition immediately from blocking to forwarding, bypassing the listening and learning states. It is intended for ports connected to end hosts, not to other switches. When PortFast is enabled, the port still participates in STP BPDU processing, but the BPDU guard feature can be used to protect against accidental loops.

PortFast does not affect the root bridge election or the designated port selection process.

325
Drag & Drop · medium

Drag and drop the steps of DSCP-to-CoS mapping at LAN boundary into the correct order, from first to last.


Why this order

First, trust the DSCP on the ingress interface. Then, map DSCP to CoS using a table-map. Apply the table-map in a policy-map.

Finally, apply the policy-map to the interface.

326
Drag & Drop · medium

Drag and drop the steps of the CAPWAP discovery and join process between a lightweight AP and a WLC into the correct order, from first to last.


Why this order

The CAPWAP process starts with the AP obtaining an IP address (via DHCP), then discovering the WLC (via DHCP option 43 or DNS). The AP sends a Discovery Request, the WLC replies with a Discovery Response, and finally the AP sends a Join Request to establish the control tunnel.

327
Matching · medium

Drag and drop each data encoding format on the left to its typical use case on the right.


Human-readable, commonly used in REST APIs

Verbose, supports schemas and namespaces

Human-friendly, often used for configuration files

Compact binary format for efficient serialization

Why these pairings

Correct pairings: JSON is human-readable and widely used in REST APIs; XML is verbose with schema support; YAML is human-friendly for configuration files; Protobuf is a compact binary format for high-performance RPC.

328
Drag & Drop · medium

Drag and drop the steps of SNMPv3 authentication and privacy negotiation into the correct order, from first to last.


Why this order

SNMPv3 first discovers the engine ID, then negotiates authentication, then privacy, and finally processes the request.

329
MCQ · hard

A network engineer is configuring QoS on a Cisco switch to ensure that video traffic (DSCP AF41) is not dropped during congestion. The engineer creates a policy-map that sets the queue-limit for the AF41 class. However, the switch is still dropping video packets. What is the most likely cause?

A. The queue-limit is set too low, causing tail drops.
B. The switch uses a single queue for all traffic unless multiple queues are configured.
C. The video traffic is not being marked with DSCP AF41.
D. The policy-map must be applied to the output direction.
Answer: B

Correct because by default, switches may use a single queue; the engineer must configure multiple queues and assign the class to a specific queue.

Why this answer

By default, Cisco switches use a single queue for all traffic. Creating a policy-map that sets a queue-limit for the AF41 class does not automatically create a separate queue for that class; the switch must have multiple egress queues configured (e.g., via the 'priority-queue out' command or by mapping DSCP values to specific queues). Without multiple queues, all traffic shares the same queue, and setting a queue-limit on a class within a single-queue system does not prevent drops during congestion.

Exam trap

Cisco often tests the misconception that creating a class-map and policy-map with a queue-limit automatically creates a separate queue for that traffic, when in fact the switch must have multiple queues explicitly configured to isolate traffic classes.

How to eliminate wrong answers

Option A is wrong because setting the queue-limit too low could cause tail drops, but the question states the engineer created a queue-limit for the AF41 class, and the core issue is that the switch is not using separate queues for different traffic classes. Option C is wrong because the problem is not about marking; the engineer is configuring QoS for video traffic marked as DSCP AF41, and the drops occur even if the marking is correct, due to the lack of multiple queues. Option D is wrong because the policy-map must be applied in the output direction for egress queuing, but the engineer likely applied it correctly; the real issue is that the switch does not have multiple queues configured to isolate the AF41 traffic.

330
Matching · medium

Drag and drop each EIGRP metric component on the left to its matching variable on the right.


Bandwidth

Load

Delay

Reliability

MTU

Why these pairings

K1 is bandwidth, K2 is load, K3 is delay, K4 is reliability, K5 is MTU.

331
MCQ · hard

A network engineer runs the following command on Router R8:

R8# show ip dhcp server statistics
Memory usage:        12345
Address pools:       2
Database agents:     0
Automatic bindings:  10
Manual bindings:     2
Expired bindings:    1
Malformed messages:  0

Message          Received
BOOTREQUEST      0
DHCPDISCOVER     100
DHCPREQUEST      95
DHCPDECLINE      1
DHCPRELEASE      2
DHCPINFORM       0

Based on this output, what can be concluded?

A. The DHCP server has received more DHCPDISCOVER messages than DHCPREQUEST messages, indicating some clients did not proceed to request.
B. The DHCP server has 12 active leases.
C. The DHCP server rejected 5 DHCPDISCOVER messages.
D. The DHCP server has 2 manual bindings that are static reservations.
Answer: A

100 DISCOVER vs 95 REQUEST shows 5 clients did not send REQUEST.

Why this answer

The statistics show 100 DISCOVERs and 95 REQUESTs, indicating some clients did not complete the process. There is 1 DECLINE, meaning a client detected an address conflict. The server has 10 automatic and 2 manual bindings.

332
Multi-Select · hard

Which three statements about MPLS VPN (Layer 3 VPN) are true? (Choose three.)

A. PE routers maintain separate VRF instances for each customer.
B. Route distinguishers (RDs) are used to make overlapping customer prefixes unique.
C. Route targets (RTs) control the import and export of routes between VRFs.
D. P routers must maintain customer VPN routing information.
E. MPLS VPNs use a single label to forward packets across the service provider core.
Answers: A, B, C

Correct because VRFs isolate customer routing tables on the PE.

Why this answer

In MPLS Layer 3 VPNs, the PE routers maintain separate VRF instances for each customer. Route distinguishers (RDs) make overlapping customer prefixes unique, while route targets (RTs) control the import/export of routes between VRFs. The P (provider) routers do not need to know about customer routes; they only switch based on MPLS labels.

Option D is incorrect because P routers do not maintain customer routes. Option E is incorrect because MPLS VPNs use two labels: the inner label identifies the egress PE, and the outer label is used for transport through the core.

333
Drag & Drop · hard

Drag and drop the steps of configuring NETCONF YANG-based telemetry with on-change subscription into the correct order, from first to last.


Why this order

First, enable NETCONF on the device. Then, define a sensor group that includes the YANG paths to monitor for changes. Next, create a subscription that specifies the sensor group, a receiver, and the on-change update policy.

After that, apply the subscription to activate it. Finally, the device sends updates only when the monitored data changes.

334
Matching · medium

Drag and drop each DTP mode on the left to its matching trunking behavior on the right.


Actively sends DTP frames to form trunk

Passively waits for DTP frames to form trunk

Forces the port to become a trunk regardless of neighbor

Forces the port to be an access port, no trunking

Disables DTP, trunking only if manually configured

Why these pairings

Dynamic desirable actively negotiates trunking; dynamic auto waits for a neighbor to initiate; trunk forces trunking; access forces access mode; non-negotiate disables DTP.

335
Matching · medium

Drag and drop each trunk encapsulation on the left to its matching standard on the right.


Cisco proprietary, encapsulates entire frame with 30-byte header

IEEE standard, inserts 4-byte tag into frame

Untagged frames on trunk port

Why these pairings

ISL is Cisco proprietary with 30-byte header; 802.1Q is IEEE standard with 4-byte tag; only 802.1Q supports native VLAN; ISL encapsulates entire frame.

336
Multi-Select · easy

Which two statements about VLAN configuration and verification on a Cisco IOS switch are true? (Choose two.)

A. VLAN 1 and VLANs 1002-1005 cannot be deleted.
B. The 'show vlan brief' command only displays VLANs that have been created on the switch.
C. The 'switchport access vlan 10' command automatically creates VLAN 10 if it does not exist.
D. The 'no switchport' command on a switch port places it into the default VLAN.
E. Extended VLANs (1006-4094) are stored in the vlan.dat file by default.
Answers: A, B

Correct because these are default VLANs that are automatically created and cannot be removed.

Why this answer

Correct: A is true because VLANs 1 and 1002-1005 are reserved (default) and cannot be deleted. B is true because 'show vlan brief' displays only VLANs that exist in the VLAN database, not all possible VLANs. C is incorrect because the 'switchport access vlan' command assigns a port to a VLAN, but the VLAN must already exist or be created first; the command does not automatically create the VLAN.

D is incorrect because 'no switchport' converts the interface to a Layer 3 routed port, which does not participate in VLANs. E is incorrect because the extended VLAN range (1006-4094) is not saved in vlan.dat by default; those VLANs are stored in the running configuration.

337
MCQ · medium

A network engineer runs the following command on switch SW9:

SW9# show cts role-based policy
Role-based policy:
Source Group   Dest Group   Action
10             20           PERMIT
10             30           DENY
20             30           PERMIT

Based on this output, what can be concluded?

A. Traffic from SGT 10 to SGT 20 is denied.
B. Traffic from SGT 20 to SGT 30 is permitted.
C. Traffic from SGT 30 to SGT 10 is denied.
D. The policy is configured on an ISE server.
Answer: B

The action for source 20 to dest 30 is PERMIT.

Why this answer

The output shows the role-based policy table. It lists the source and destination SGTs and the action (PERMIT or DENY). This is the policy that the switch enforces for traffic between SGTs.

338
MCQ · easy

A company uses VRF-lite to separate management traffic (VRF MGMT) from user traffic (VRF USER) on a Cisco Catalyst 3850 stack. The management network is 10.0.0.0/24, and the user network is 192.168.1.0/24. The engineer wants to allow SSH access from the user network to the management network for device administration. The switch has an SVI for each VRF. What is the simplest way to achieve this while maintaining VRF isolation?

A. Configure a static route in VRF USER pointing to the VRF MGMT's SVI IP address, and enable route leaking between the VRFs.
B. Place both SVIs in the same VRF and use access-lists to restrict traffic.
C. Use a firewall between the VRFs to filter traffic.
D. Configure the switch to use the global routing table for SSH traffic only.
Answer: A

Correct because route leaking allows inter-VRF communication while keeping the VRFs separate. The static route tells USER how to reach MGMT.

Why this answer

Option A is correct because VRF-lite inherently isolates routing tables, so to allow SSH from VRF USER to VRF MGMT while maintaining isolation, you must leak routes between the VRFs. A static route in VRF USER pointing to the VRF MGMT SVI IP address, combined with route leaking (e.g., using `route-map` and `import/export` commands), enables the necessary reachability without merging the VRFs. This is the simplest method as it avoids additional hardware or complex configurations.

Exam trap

Cisco often tests the misconception that VRFs are completely isolated and cannot communicate without breaking isolation, but route leaking is the correct method to allow selective inter-VRF traffic while maintaining VRF separation.

How to eliminate wrong answers

Option B is wrong because placing both SVIs in the same VRF breaks VRF isolation entirely, defeating the purpose of separating management and user traffic. Option C is wrong because introducing a firewall is unnecessary and adds complexity; VRF-lite with route leaking can achieve the goal natively on the switch without external devices. Option D is wrong because configuring the switch to use the global routing table for SSH traffic only is not a standard or supported feature in VRF-lite; SSH traffic still follows the VRF routing table unless explicit route leaking is configured.

339
Drag & Drop · medium

Drag and drop the steps to configure port security on a Cisco switch in the correct order.


Why this order

Port security limits unauthorized MAC addresses; violation mode defines action on violation.

340
MCQ · hard

An engineer is configuring a new Cisco 9800 WLC in a branch office. The WLC will manage 50 APs and must provide guest access with a captive portal. The engineer configures a guest SSID with open authentication and a redirect ACL for the captive portal. However, after the configuration, clients can associate to the guest SSID but cannot reach the captive portal page. What is the most likely cause?

A. The guest SSID is configured with open authentication, which does not support captive portal.
B. The redirect ACL is missing entries for DNS and HTTP traffic to the captive portal server.
C. The WLC does not have a dedicated guest interface configured.
D. The captive portal requires a RADIUS server to be configured on the WLC.
Answer: B

Correct because the redirect ACL must permit DNS and HTTP traffic to the portal server so that the client's initial HTTP request is redirected to the captive portal.

Why this answer

The correct answer is that the redirect ACL is not properly configured to allow DNS and HTTP traffic to the captive portal server. Without proper ACL entries, the client's HTTP request is not redirected to the portal. The other options are incorrect because open authentication does not require a pre-shared key, the WLC does not need a specific interface for guest traffic (it can use a service port or management interface), and captive portal does not require RADIUS authentication by default.

341
MCQ · hard

A network engineer runs the following command on Router R6:

R6# show ip bgp vpnv4 all summary
BGP router identifier 10.0.0.6, local AS number 65000
BGP table version is 10, main routing table version 10
10 network entries using 1440 bytes of memory
10 path entries using 800 bytes of memory
4/3 BGP path/bestpath attribute entries using 576 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 2) using 32 bytes of memory
BGP using 2896 total bytes of memory
BGP activity 20/10 prefixes, 20/10 paths, scan interval 60 secs

Neighbor   V   AS     MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
10.0.0.7   4   65001     1000     1000      10    0     0  00:20:00             5
10.0.0.8   4   65002      500      500      10    0     0  00:10:00             3

Based on this output, what can be concluded?

A. Both BGP sessions are in the Idle state.
B. The router is receiving VPNv4 prefixes from both neighbors.
C. The BGP table has no entries because the table version is 10.
D. The neighbor 10.0.0.8 is not configured for VPNv4.
Answer: B

The State/PfxRcd shows 5 and 3 prefixes received, confirming VPNv4 route exchange.

Why this answer

The BGP summary shows two VPNv4 neighbors: 10.0.0.7 (AS 65001) and 10.0.0.8 (AS 65002). The State/PfxRcd column shows 5 and 3 prefixes received respectively, meaning both peers are exchanging VPN routes. The local AS is 65000, making these EBGP sessions.

342
Matching · medium

Drag and drop each HTTP method on the left to its matching REST operation on the right.


Retrieve a resource (read data)

Create a new resource

Update or replace an existing resource

Remove a resource

Partially modify an existing resource

Why these pairings

GET retrieves a resource, POST creates a new resource, PUT updates/replaces a resource, DELETE removes a resource, and PATCH partially modifies a resource.

343
MCQ · hard

A network engineer runs the following command on Router R1:

R1# show policy-map control-plane
Control Plane

  Service-policy input: CoPP-POLICY

    Class-map: ICMP-CLASS (match-all)
      10 packets, 1000 bytes
      5 minute offered rate 0 bps
      Match: access-group name ICMP-ACL
      police:
          cir 8000 bps, bc 1500 bytes, be 1500 bytes
        conformed 10 packets, 1000 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop

    Class-map: SSH-CLASS (match-all)
      5 packets, 500 bytes
      5 minute offered rate 0 bps
      Match: access-group name SSH-ACL
      police:
          cir 16000 bps, bc 3000 bytes, be 3000 bytes
        conformed 5 packets, 500 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop

    Class-map: class-default (match-any)
      20 packets, 2000 bytes
      5 minute offered rate 0 bps
      Match: any
      police:
          cir 64000 bps, bc 8000 bytes, be 8000 bytes
        conformed 20 packets, 2000 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop

Based on this output, what can be concluded?

A. ICMP traffic to the control plane is rate-limited to 8 kbps, and all packets so far have been within the conform rate.
B. SSH traffic to the control plane is being dropped because it exceeds the CIR.
C. The control-plane policy is applied in the output direction.
D. All traffic to the control plane is rate-limited to 64 kbps.
Answer: A

The police command shows a CIR of 8000 bps for ICMP, and the conformed count equals the total packets, meaning no packets exceeded the rate.

Why this answer

The output shows a CoPP policy applied to the control plane. The ICMP class has a CIR of 8 kbps, and all 10 ICMP packets conformed. The SSH class has a higher CIR of 16 kbps.

The class-default has a CIR of 64 kbps. The correct answer is that ICMP traffic to the control plane is rate-limited to 8 kbps, and all packets so far have been within the conform rate.

344
Drag & Drop · medium

Drag and drop the steps of NETCONF edit-config with candidate datastore flow into the correct order, from first to last.


Why this order

The correct order begins with opening a NETCONF session, locking the candidate datastore, sending the edit-config operation, committing the candidate to running, and finally unlocking the candidate datastore.

345
Multi-Select · hard

Which three statements about policing and shaping are true? (Choose three.)

A. Policing can be applied in both the inbound and outbound directions on an interface.
B. Shaping buffers excess packets and may introduce additional delay.
C. Policing uses a token bucket algorithm to measure traffic rates.
D. Shaping can be applied inbound to limit traffic entering an interface.
E. Policing always drops packets that exceed the configured rate and never re-marks them.
Answers: A, B, C

Correct because policing is supported on both input and output directions in Cisco IOS.

Why this answer

Policing drops or re-marks traffic exceeding a rate and does not buffer, while shaping buffers and smooths traffic to a lower rate. Both use token bucket algorithms. Shaping introduces delay but reduces drops, whereas policing can cause TCP retransmissions due to drops.

Policing can be applied inbound or outbound, shaping typically outbound.

346
Drag & Drop · medium

Drag and drop the steps of NFV MANO (VNFM/NFVO/VIM) interaction flow into the correct order, from first to last.


Why this order

The MANO interaction flow starts with the NFVO receiving a service request from OSS/BSS. The NFVO then requests the VNFM to instantiate a VNF. The VNFM requests the VIM to allocate resources.

The VIM allocates resources and returns resource information to the VNFM. Finally, the VNFM instantiates the VNF and reports status to the NFVO.

347
Multi-Select · medium

Which three statements about REST API authentication and security are true? (Choose three.)

A. Token-based authentication typically uses the HTTP Authorization header to pass the token.
B. HTTPS is recommended for REST APIs to ensure data encryption in transit.
C. API keys provide the same level of security as OAuth 2.0 tokens.
D. Basic authentication over HTTP is secure because the credentials are base64-encoded.
E. OAuth 2.0 is an authorization framework that can be used for REST API access.
Answers: A, B, E

Correct because tokens are commonly sent in the Authorization header using the Bearer scheme.

Why this answer

REST APIs often use token-based authentication (e.g., JSON Web Tokens) where the client includes a token in the HTTP Authorization header. HTTPS (TLS) is essential to encrypt the communication and protect credentials. API keys are a common method for identifying clients but are less secure than token-based methods if used alone.

Basic authentication sends credentials in base64 encoding, which is not encrypted and should only be used over HTTPS. OAuth 2.0 is a framework that provides token-based authorization, often used for delegated access.

348
Multi-Select · medium

Which two statements about queuing and congestion management are true? (Choose two.)

A. CBWFQ allows you to define multiple classes and assign each a guaranteed minimum bandwidth.
B. LLQ combines a strict priority queue with CBWFQ classes to support real-time traffic.
C. Weighted Fair Queuing (WFQ) is the default queuing mechanism on all Cisco router interfaces.
D. Tail drop is the only drop policy available for CBWFQ queues.
E. FIFO queuing provides per-class bandwidth guarantees.
Answers: A, B

Correct because CBWFQ allocates bandwidth to each class based on the 'bandwidth' command.

Why this answer

CBWFQ provides guaranteed bandwidth to classes, while LLQ adds a strict priority queue for delay-sensitive traffic. WFQ is the default on low-speed interfaces. FIFO is used on high-speed interfaces by default.

Tail drop is the default drop policy for FIFO and CBWFQ queues.

349
MCQ · easy

A company is deploying a virtualized network function (VNF) for a Cisco CSR1000v router on a VMware vSphere hypervisor. The architect must choose the hypervisor type to ensure the best performance for the VNF. Which hypervisor type is VMware vSphere classified as, and why is it suitable for VNF deployment?

A. Type 2 hypervisor; it runs on top of an operating system, providing flexibility for VNF management.
B. Type 1 hypervisor; it runs directly on the hardware, offering near-native performance for VNFs.
C. Type 1 hypervisor; it requires a host OS for management, adding overhead.
D. Type 2 hypervisor; it is embedded in the hardware firmware.
Answer: B

Type 1 hypervisors like vSphere provide direct access to hardware resources, minimizing latency and maximizing throughput for VNFs.

Why this answer

VMware vSphere is a Type 1 (bare-metal) hypervisor because it installs directly onto the physical server hardware without requiring a host operating system. This architecture eliminates OS overhead, allowing the Cisco CSR1000v VNF to achieve near-native performance for packet processing and routing functions, which is critical for meeting throughput and latency requirements in SD-WAN deployments.

Exam trap

Cisco often tests the distinction between Type 1 and Type 2 hypervisors by pairing the correct classification with a misleading justification (e.g., 'requires a host OS' for Type 1), so candidates must remember that Type 1 hypervisors run directly on hardware and do not rely on a general-purpose OS for core operations.

How to eliminate wrong answers

Option A is wrong because VMware vSphere is not a Type 2 hypervisor; Type 2 hypervisors (e.g., VMware Workstation) run on top of a host OS, which adds latency and resource contention unsuitable for production VNFs. Option C is wrong because Type 1 hypervisors like vSphere do not require a host OS for management—they include a built-in management partition (e.g., VMkernel) that handles resource scheduling and I/O directly, minimizing overhead. Option D is wrong because Type 2 hypervisors are not embedded in hardware firmware; that describes a hypervisor integrated into the system firmware (e.g., some embedded hypervisors), and vSphere is a software-installed Type 1 hypervisor, not firmware-based.

350
Multi-Select · medium

Which two statements about BGP path attributes are true? (Choose two.)

A. AS_PATH is a well-known mandatory attribute.
B. LOCAL_PREF is a well-known discretionary attribute.
C. MED is an optional transitive attribute.
D. ORIGIN is a well-known discretionary attribute used for loop prevention.
E. NEXT_HOP is an optional non-transitive attribute.
Answers: A, B

Correct: AS_PATH is well-known mandatory; it is always included in BGP updates and is used for loop prevention and path selection.

Why this answer

The AS_PATH attribute is well-known mandatory and is used for loop prevention and path selection. The LOCAL_PREF attribute is well-known discretionary and is used to influence outbound traffic from an AS. The MED attribute is optional non-transitive and is used to influence inbound traffic.

The ORIGIN attribute is well-known mandatory, not discretionary, and it is not used for loop prevention. The NEXT_HOP attribute is also well-known mandatory, not optional non-transitive.

351
MCQ · easy

What is the maximum hop count for EIGRP?

A. 15
B. 100
C. 255
D. Unlimited
Answer: B

The default maximum hop count for EIGRP is 100.

Why this answer

EIGRP uses a metric based on bandwidth and delay, but it also has a hop count limit. The default maximum hop count is 100, but it can be configured up to 255.

352
MCQ · easy

A network engineer is implementing QoS on a WAN link to prioritize voice traffic. Which queuing mechanism provides the lowest latency for real-time traffic?

A. Low Latency Queuing (LLQ)
B. Weighted Random Early Detection (WRED)
C. Class-Based Weighted Fair Queuing (CBWFQ)
D. First-In, First-Out (FIFO)
Answer: A

Option A is correct because LLQ provides a strict priority queue for real-time traffic.

Why this answer

LLQ is correct because it combines strict priority queuing with CBWFQ, ensuring that voice traffic (marked with EF or CS5) is dequeued before any other traffic class. This strict priority mechanism guarantees the lowest possible latency for real-time traffic, as packets in the priority queue are always transmitted first, regardless of congestion on the WAN link.

Exam trap

The trap here is that candidates often confuse CBWFQ with LLQ, assuming that CBWFQ's bandwidth allocation provides low latency, but CBWFQ lacks a strict priority queue and cannot guarantee the sub-10ms jitter required for real-time voice traffic.

How to eliminate wrong answers

Option B is wrong because WRED is a congestion avoidance mechanism that drops packets probabilistically before the queue is full, but it does not provide any latency guarantee or priority treatment for real-time traffic. Option C is wrong because CBWFQ provides bandwidth guarantees for different traffic classes but does not include a strict priority queue; all classes share the link based on weights, which can introduce jitter and delay for voice. Option D is wrong because FIFO is a simple first-come-first-served queuing mechanism with no differentiation or priority, leading to unpredictable latency and packet loss for real-time traffic during congestion.

353
MCQ · medium

A network engineer runs the following command on Switch SW8:

SW8# show monitor session 8
Session 8
---------
Type                   : Remote Source Session
Source VLANs           :
    Both               : 30
Destination Ports      : Gi1/0/30
    Encapsulation      : Replicate

Based on this output, what can be concluded?

A. All traffic on VLAN 30 is mirrored and sent to a remote VLAN via Gi1/0/30.
B. This is a local SPAN session that monitors VLAN 30.
C. Only received traffic on VLAN 30 is captured.
D. The destination port Gi1/0/30 is used to receive mirrored traffic.
Answer: A

The type 'Remote Source Session' and Replicate encapsulation indicate RSPAN.

Why this answer

This is an RSPAN source session with source VLAN 30 capturing both directions. The destination port Gi1/0/30 uses Replicate encapsulation to send mirrored traffic to a remote VLAN. This is typical for an RSPAN source switch.

354
MCQ · hard

A network engineer issues the following command on Router R6:

R6# show ip nat translations
Pro  Inside global         Inside local         Outside local         Outside global
---  192.168.1.100         10.0.0.10            ---                   ---
---  192.168.1.101         10.0.0.11            ---                   ---
udp  192.168.1.100:1234    10.0.0.10:1234       203.0.113.5:53        203.0.113.5:53
tcp  192.168.1.101:80      10.0.0.11:80         198.51.100.2:443      198.51.100.2:443

Based on this output, what is true about the NAT translations?

A. All translations are static NAT entries.
B. The translation for 10.0.0.10 to 192.168.1.100 is a dynamic NAT without PAT.
C. The router is performing only PAT (overload).
D. The outside global address is the same for all translations.
Answer: B

The first two entries have no protocol or port, indicating a simple one-to-one dynamic NAT. The later entries show PAT with ports.

Why this answer

The output shows dynamic NAT translations with inside local and inside global addresses. The presence of protocol-specific translations (udp, tcp) indicates PAT (NAT overload) is in use for some traffic.

355
Drag & Drop · medium

Drag and drop the steps of BGP confederations setup between sub-ASes into the correct order, from first to last.


Why this order

First, you assign the confederation identifier (main AS). Then you define the member sub-AS numbers. Next, you configure eBGP peering between sub-ASes using the sub-AS numbers.

After that, you ensure iBGP is configured within each sub-AS. Finally, you verify confederation peers with show ip bgp neighbors.

356
Multi-Select · hard

Which three statements about PAgP (Port Aggregation Protocol) are true? (Choose three.)

A. PAgP uses the multicast MAC address 01-00-0c-cc-cc-cc for its protocol frames.
B. PAgP can negotiate an EtherChannel with a device that runs LACP in active mode.
C. The PAgP modes 'desirable' and 'auto' will form an EtherChannel only if the neighbor is set to 'desirable' or 'auto'.
D. PAgP supports up to 8 ports in a single EtherChannel, with no standby ports.
E. PAgP can detect and report mismatched parameters such as speed and duplex between member ports.
Answers: A, D, E

Correct because PAgP uses the Cisco proprietary multicast address 01-00-0c-cc-cc-cc.

Why this answer

PAgP is a Cisco proprietary protocol for EtherChannel negotiation. It uses modes 'auto', 'desirable', and 'on'. PAgP packets are sent using Cisco's proprietary multicast address 01-00-0c-cc-cc-cc.

PAgP supports up to 8 ports per channel and does not support standby ports. PAgP can detect misconfigurations.

357
MCQ · easy

Which BGP attribute is preferred with the lowest value?

A. MULTI_EXIT_DISC (MED)
B. LOCAL_PREF
C. AS_PATH
D. WEIGHT
Answer: A

Correct. MED is used to influence inbound traffic and lower values are preferred.

Why this answer

In BGP path selection, the LOCAL_PREF attribute is used to prefer paths within an AS. A higher LOCAL_PREF is preferred, but the question asks for the attribute preferred with the lowest value. The WEIGHT attribute is Cisco-specific and is preferred with the highest value.

The MULTI_EXIT_DISC (MED) attribute is preferred with the lowest value.

358
MCQ (medium)

Given the following configuration:

```
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip pim sparse-mode
 ip igmp version 3
```

What is the purpose of the 'ip igmp version 3' command?

A. It enables IGMP version 3, which allows hosts to join multicast groups from specific sources, supporting SSM.
B. It enables IGMP version 3, which increases the number of multicast groups supported to 1024.
C. It enables IGMP version 3, which is required for PIM dense-mode operation.
D. It enables IGMP version 3, which disables IGMP snooping on the interface.

Answer: A

Correct. IGMPv3 adds source filtering, enabling SSM operation.

Why this answer

The 'ip igmp version 3' command enables IGMPv3 on the interface, which supports Source-Specific Multicast (SSM) by allowing hosts to specify both the multicast group and the source address in their membership reports. This is essential for SSM operation with PIM sparse-mode, as IGMPv3 provides the source filtering capability that IGMPv2 lacks.

Exam trap

Cisco often tests the misconception that IGMPv3 is simply a 'newer version' with generic improvements, when in fact its key differentiator is source-specific filtering for SSM support.

How to eliminate wrong answers

Option B is wrong because IGMP version 3 does not define a limit of 1024 multicast groups; the number of supported groups depends on hardware resources and platform, not the IGMP version. Option C is wrong because IGMPv3 is not required for PIM dense-mode; PIM dense-mode can operate with IGMPv1 or IGMPv2, and IGMPv3 is specifically associated with PIM sparse-mode and SSM. Option D is wrong because 'ip igmp version 3' does not disable IGMP snooping; IGMP snooping is a Layer 2 feature controlled by separate commands (e.g., 'ip igmp snooping') and is independent of the IGMP version configured on the interface.

359
MCQ (medium)

Router R3 has the following OSPF configuration:

```
router ospf 1
 router-id 3.3.3.3
 network 10.0.0.0 0.255.255.255 area 0
 default-information originate always metric 20 metric-type 2
```

What is the effect of the 'default-information originate always' command?

A. It redistributes all connected routes into OSPF.
B. It injects a default route into OSPF only if a default route is present in the routing table.
C. It injects a default route into OSPF unconditionally, with metric 20 and type E2.
D. It sets the OSPF router ID to 3.3.3.3 and enables default route filtering.

Answer: C

The 'always' keyword makes the default route always injected, with specified metric and type.

Why this answer

The 'default-information originate always' command injects a default route (0.0.0.0/0) into the OSPF link-state database unconditionally, regardless of whether the router itself has a default route in its routing table. The 'always' keyword overrides the default behavior, which requires a pre-existing default route. The metric 20 and metric-type 2 (E2) are explicitly set in the command, making the injected route an external type 2 route with a seed metric of 20.

Exam trap

Cisco often tests the distinction between the default behavior (inject only if a default route exists) and the 'always' keyword (unconditional injection), leading candidates to mistakenly think 'always' is required for any default route injection or that it modifies the metric behavior.

How to eliminate wrong answers

Option A is wrong because 'default-information originate' injects a default route, not all connected routes; redistributing connected routes requires the 'redistribute connected' command under OSPF. Option B is wrong because the 'always' keyword makes the injection unconditional; without 'always', the command would require a default route in the routing table, but with 'always' it does not. Option D is wrong because the 'router-id 3.3.3.3' is a separate configuration line that sets the OSPF router ID, and the 'default-information originate' command does not enable any filtering; it injects a default route.

360
Multi-Select (hard)

Which three statements about the Multiple Spanning Tree Protocol (MSTP) are true? (Choose three.)

A. MSTP allows multiple VLANs to be mapped to a single spanning-tree instance.
B. MSTP uses an Internal Spanning Tree (IST) to interconnect MST regions.
C. MSTP is backward compatible with 802.1D and RSTP.
D. MSTP requires a separate spanning-tree instance for every VLAN.
E. MSTP uses a different BPDU format than RSTP.

Answers: A, B, C

Correct because MSTP reduces the number of STP instances by grouping VLANs, improving scalability.

Why this answer

MSTP (802.1s) allows mapping multiple VLANs to a single spanning-tree instance, reducing the number of STP instances needed. It uses an internal spanning tree (IST) to interconnect MST regions. MSTP is backward compatible with 802.1D and RSTP through the use of common spanning tree (CST) at the region boundary.

MSTP does not require a separate instance for every VLAN like PVST+; it groups VLANs into instances. MSTP uses the same BPDU format as RSTP with additional MST-specific information.

361
Drag & Drop (medium)

Drag and drop the steps of configuring a SPAN session on EtherChannel member ports into the correct order, from first to last.


Why this order

When using EtherChannel, the SPAN source must be the port-channel interface, not individual members, to capture all traffic.

362
MCQ (medium)

A network engineer writes a Python script using NAPALM to retrieve the ARP table from a Cisco IOS-XE device:

```python
from napalm import get_network_driver

driver = get_network_driver('ios')
connection = driver('10.1.1.1', 'admin', 'password')
connection.open()
arp_table = connection.get_arp_table()
for entry in arp_table:
    print(f"IP: {entry['ip']} - MAC: {entry['mac']}")
connection.close()
```

What is the issue with this code?

A. The driver should be 'iosxr' for IOS-XE devices.
B. The 'get_arp_table' method does not exist; the correct method is 'get_arp_table'.
C. The driver is misspelled; it should be 'ios' but the code uses 'eos' which is for Arista.
D. The 'optional_args' parameter is required to specify the port.

Answer: C

The driver 'eos' is for Arista EOS, not Cisco IOS. This will cause connection failure.

Why this answer

NAPALM uses the 'ios' driver for both Cisco IOS and IOS-XE devices, so 'iosxr' (Option A) is not the correct driver name. The 'optional_args' parameter is not required; NAPALM defaults to SSH transport, which is fine here (Option D). The 'get_arp_table' method does exist and returns a list of dictionaries with the keys 'interface', 'ip', 'mac' and 'age', so the 'ip' and 'mac' lookups in the loop are valid (Option B).

The defect the answer key targets is the driver name: 'eos' selects the Arista EOS driver, which cannot connect to a Cisco IOS-XE device. Note that the snippet as printed still passes 'ios', so the question text and its answer key are inconsistent on this point.

363
Matching (hard)

Drag and drop each SD-WAN policy type on the left to its matching application point on the right.

Matches

Applied on vSmart to influence OMP route and TLOC propagation

Applied on WAN edge routers to modify forwarding behavior (e.g., NAT, QoS)

Applied on WAN edge routers to steer traffic based on application and SLA

Applied on WAN edge routers to export NetFlow v9/IPFIX flow records

Applied on vSmart to control which VPNs are advertised to specific sites

Why these pairings

Control policies affect routing decisions; data policies affect forwarding; app-route policies affect per-tunnel path selection; cflowd policies enable traffic flow monitoring.

364
Matching (medium)

Drag and drop each syslog severity level on the left to its matching numeric value on the right.

Matches

0

1

2

3

4

Why these pairings

Syslog severity levels range from 0 (Emergency) to 7 (Debug).

365
MCQ (hard)

A network engineer runs the following command on Router R5:

```
R5# show ip route vrf CUSTOMER-A

Routing Table: CUSTOMER-A
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.1.1 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.1.1.0/24 is directly connected, GigabitEthernet0/0
B       10.2.2.0/24 [20/0] via 10.1.1.1, 00:10:20
```

Based on this output, what can be concluded?

A. The VRF has no routes and is not functional.
B. The route 10.2.2.0/24 is learned via OSPF.
C. The VRF has a default route pointing to 10.1.1.1.
D. The BGP route is sourced from an internal BGP peer.

Answer: C

The gateway of last resort is 10.1.1.1, meaning a default route exists via that next hop.

Why this answer

The VRF CUSTOMER-A has a BGP route (10.2.2.0/24) learned from 10.1.1.1 with administrative distance 20 (EBGP). The gateway of last resort is set to 10.1.1.1, indicating a default route via that next hop.

366
Multi-Select (hard)

Which three statements about Cisco DNA Center Assurance are true? (Choose three.)

A. Cisco DNA Center Assurance uses streaming telemetry from devices to monitor network health in real time.
B. Cisco DNA Center Assurance can automatically remediate issues by changing device configurations.
C. Cisco DNA Center Assurance provides a client health score based on RF metrics, application performance, and connectivity.
D. Cisco DNA Center Assurance relies solely on SNMP polling for data collection.
E. Cisco DNA Center Assurance can proactively detect anomalies and send alerts before users are impacted.

Answers: A, C, E

Correct because Assurance leverages model-driven telemetry (e.g., from Cisco IOS-XE) to collect real-time data for analysis.

Why this answer

DNA Center Assurance provides proactive monitoring and troubleshooting using telemetry and AI/ML. The correct answers highlight its use of streaming telemetry, client health scoring, and proactive issue detection. The incorrect options confuse Assurance with automation (configuration changes) or misstate data sources (SNMP polling is secondary to telemetry).

367
Matching (medium)

Drag and drop each SPAN source type on the left to the traffic it monitors on the right.

Matches

Monitors all traffic entering or leaving a single physical interface.

Monitors all traffic on all ports belonging to a specific VLAN.

Monitors all traffic on all member links of a port-channel interface.

Monitors traffic sent to or from the switch CPU (e.g., control plane).

Monitors all traffic on a contiguous set of VLANs.

Why these pairings

A source port monitors all traffic on that specific port; a source VLAN monitors all traffic on all ports in that VLAN; an EtherChannel source monitors all traffic on all member links of the EtherChannel.

368
Matching (medium)

Drag and drop each queuing mechanism on the left to its matching feature on the right.

Matches

No classification, single queue, packets served in order of arrival

Automatically classifies flows and provides fair queuing per flow

Allows creation of custom traffic classes with guaranteed bandwidth

Adds a strict priority queue within CBWFQ for delay-sensitive traffic

Multiple queues with strict priority servicing, lower queues starve if higher queues are non-empty

Why these pairings

FIFO is the simplest queuing with no classification; WFQ provides fair bandwidth distribution; CBWFQ allows user-defined classes; LLQ adds a strict priority queue; PQ always services the highest-priority queue first.

369
Multi-Select (medium)

Which two of the following are valid methods to mitigate VLAN hopping attacks? (Choose two.)

A. Configure switchport mode dynamic auto on all ports.
B. Disable Dynamic Trunking Protocol (DTP) on all access ports.
C. Set the native VLAN to VLAN 1 on all trunk ports.
D. Set the native VLAN to an unused VLAN ID on all trunk ports.
E. Use 802.1Q trunking instead of ISL.

Answers: B, D

Prevents trunk negotiation.

Why this answer

Option B is correct because disabling Dynamic Trunking Protocol (DTP) on all access ports prevents a switch port from automatically negotiating a trunk, which is the primary vector for VLAN hopping attacks. An attacker can spoof DTP messages to force a port into trunking mode, gaining access to multiple VLANs; disabling DTP eliminates this risk.

Exam trap

Cisco often tests the misconception that simply using 802.1Q trunking (Option E) or setting the native VLAN to VLAN 1 (Option C) provides security, when in fact the key mitigations are disabling DTP on access ports and using an unused native VLAN on trunk ports.

370
Matching (hard)

Drag and drop each BGP path selection criterion on the left to its order of preference (1 = highest priority) on the right.

Matches

1

2

3

4

5

Why these pairings

Weight (highest) is checked first, then LOCAL_PREF (highest), then locally originated routes, then AS_PATH (shortest), then ORIGIN (IGP < EGP < incomplete).

371
MCQ (medium)

A network engineer runs the following command on Router R4:

```
R4# show interfaces tunnel 0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 10.0.0.4/30
  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 192.168.1.4, destination 192.168.2.4
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
```

Based on this output, what is true about this tunnel?

A. The tunnel is using IPsec encryption.
B. The tunnel is a GRE tunnel that is up and operational.
C. The tunnel is using MPLS over GRE.
D. The tunnel is down because there are no packets.

Answer: B

The interface is up/up and protocol is GRE/IP.

Why this answer

The tunnel is up/up, uses GRE/IP encapsulation, and has a source and destination IP. The lack of traffic is indicated by zero packets input/output.

372
MCQ (easy)

Which QoS mechanism is used to prevent congestion by dropping packets before a queue becomes full?

A. Weighted Random Early Detection (WRED)
B. Priority Queuing (PQ)
C. Class-Based Weighted Fair Queuing (CBWFQ)
D. Tail Drop

Answer: A

WRED proactively drops packets to avoid tail drop and global synchronization.

Why this answer

Weighted Random Early Detection (WRED) is a congestion avoidance mechanism that proactively drops packets before a queue becomes full. By monitoring the average queue depth and dropping packets with a probability that increases as the queue depth grows, WRED signals TCP senders to reduce their transmission rate, thereby preventing tail drop and global synchronization. This differs from congestion management mechanisms like PQ or CBWFQ, which only act on packets after the queue is full.

Exam trap

Cisco often tests the distinction between congestion management (queuing/scheduling) and congestion avoidance (drop policy), so the trap here is that candidates confuse mechanisms like CBWFQ or PQ (which manage queues after they form) with WRED (which prevents queues from filling up in the first place).

How to eliminate wrong answers

Option B is wrong because Priority Queuing (PQ) is a congestion management mechanism that services queues in strict priority order, not a congestion avoidance mechanism; it does not drop packets before the queue is full. Option C is wrong because Class-Based Weighted Fair Queuing (CBWFQ) is a scheduling mechanism that allocates bandwidth to classes and queues packets, but it does not proactively drop packets to prevent congestion. Option D is wrong because Tail Drop is a passive congestion management mechanism that drops packets only when the queue is completely full, which can cause global TCP synchronization and does not prevent congestion by dropping packets early.

373
Matching (medium)

Drag and drop each protocol on the left to its matching characteristic on the right.

Matches

Uses UDP transport

Uses TCP transport

Why these pairings

RADIUS uses UDP, encrypts only the password, and combines authentication and authorization. TACACS+ uses TCP, encrypts the entire packet, and separates authentication, authorization, and accounting.

374
MCQ (medium)

A network engineer is troubleshooting voice quality issues on a Cisco Catalyst 9300 switch. The switch is configured with auto QoS for voice, which enabled trust on the access ports. However, voice packets are being marked with DSCP EF but are still experiencing jitter. The engineer checks the interface queue statistics and sees that the priority queue is not being used. What is the most likely reason?

A. Auto QoS does not create a priority queue; a manual policy is required.
B. The switch does not support DSCP-based queuing.
C. The voice VLAN is not configured on the access port.
D. The switch is using default CoS-to-queue mapping which maps EF to a non-priority queue.

Answer: A

Correct because auto QoS only sets trust and marks; the queuing policy must be applied separately to prioritize voice.

Why this answer

The correct answer is that auto QoS for voice enables trust but does not automatically create a priority queue on the switch; the engineer must also configure a service policy that includes a priority queue for EF traffic.

375
MCQ (easy)

A network administrator needs to allow SSH access to a router from the management network 192.168.1.0/24. Which configuration should be applied?

A. Apply an extended ACL to the vty lines.
B. Apply a named ACL to the interface.
C. Apply an ACL to the console line.
D. Apply a standard ACL to the vty lines.

Answer: D

Standard ACL can filter by source IP.

Why this answer

Option D is correct because a standard ACL applied to the vty lines is the proper method to restrict SSH access to a router from a specific source network. Standard ACLs filter based on source IP address, and when applied to the vty lines with the 'access-class' command, they control which management hosts can initiate inbound SSH sessions to the router.

Exam trap

Cisco often tests the distinction between filtering traffic destined to the router (vty access-class) versus traffic passing through the router (interface ACL), leading candidates to incorrectly apply an ACL to an interface instead of the vty lines.

How to eliminate wrong answers

Option A is wrong because an extended ACL can filter on source and destination IP addresses and ports, but applying it to the vty lines is not supported; vty lines only accept standard ACLs via the 'access-class' command. Option B is wrong because applying a named ACL to an interface filters traffic passing through the router, not traffic destined to the router itself (such as SSH management access). Option C is wrong because the console line is used for local out-of-band management and does not support SSH access; ACLs applied to the console line would not affect remote SSH sessions.
