ENCOR 350-401 (350-401): Questions 376-450

2015 questions total · 27 pages · All types, answers revealed

Page 6 of 27

376
MCQ · hard

An engineer is troubleshooting QoS on a Cisco ASR 1002 router. The router is configured with a policy map that includes a class for voice with a priority command. During congestion, the engineer notices that voice traffic is being dropped even though the priority queue is not congested. The router logs show 'QoS: priority queue overflow'. What is the most likely cause?

A. The priority queue has a default policer that drops traffic exceeding a certain rate
B. The interface bandwidth is set too low, causing the priority queue to be under-provisioned
C. The class map is not matching the voice traffic correctly
D. The router is using WRED on the priority queue
Answer: A

Correct because on ASR routers, the priority command includes an implicit policer to prevent starvation of other queues; exceeding this policer causes drops.

Why this answer

The correct answer is that the priority queue has a default policer that limits the amount of traffic that can be sent as priority. When the voice traffic exceeds this policer, it is dropped, even if the queue is not full.

377
Multi-Select · medium

Which three statements about DHCP snooping are true? (Choose three.)

Select 3 answers
A. DHCP snooping is configured on Layer 2 switches to filter DHCP messages on untrusted ports.
B. The DHCP snooping binding table includes the client MAC address, IP address, lease time, VLAN, and port number.
C. Ports connected to DHCP servers should be configured as trusted ports.
D. The DHCP snooping binding database is stored in NVRAM by default.
E. DHCP snooping validates DHCPv6 messages by default when enabled globally.
Answers: A, B, C

Correct because DHCP snooping is a Layer 2 security feature implemented on switches.

Why this answer

DHCP snooping is a security feature that filters untrusted DHCP messages and builds a binding database. It is configured on switches, not routers. The DHCP snooping binding table contains the client MAC address, IP address, lease time, VLAN, and port.

Trusted ports are typically uplinks to DHCP servers, while untrusted ports face clients. Option D is incorrect because the DHCP snooping database is stored in the switch's flash memory, not NVRAM. Option E is incorrect because DHCP snooping does not validate DHCPv6 messages by default; it is for DHCPv4 only unless DHCPv6 snooping is separately configured.

378
Matching · medium

Drag and drop each CoS value on the left to its matching traffic type on the right.

Matches

Best effort data

Voice signaling

Video conferencing

Voice bearer

Internetwork control

Why these pairings

CoS 0 is typically best effort, CoS 3 is voice signaling, CoS 4 is video conferencing, CoS 5 is voice bearer, CoS 6 is internetwork control (e.g., routing protocols).

379
Matching · hard

Drag and drop each service chaining element on the left to its matching position in a typical chain on the right.

Matches

First element in the service chain

Inspects and filters traffic after ingress

Distributes traffic among servers after firewall

Compresses and optimizes traffic before egress

Last element before the destination network

Why these pairings

In a typical service chain, traffic flows from the ingress router through firewall, load balancer, WAN optimizer, and finally to the egress router.

380
Matching · medium

Drag and drop each DSCP PHB on the left to its matching queue treatment on the right.

Matches

Strict priority queue, low latency

Assured forwarding with drop precedence

Class selector, maps to IP precedence

Best-effort, no bandwidth guarantee

Default PHB, identical to BE

Why these pairings

EF is for low-latency traffic (strict priority). AF uses four classes with drop probabilities. CS is backward-compatible with IP precedence.

BE is best-effort with no guarantees. DF is the default PHB (same as BE).

381
Matching · medium

Match each network automation tool to its purpose.

Matches

Agentless automation using YAML playbooks

Agent-based configuration management using Puppet DSL

Agent-based using Ruby recipes

Agent-based with remote execution

Standard for network configuration and state data

Why these pairings

Automation tools simplify network device management.

382
Matching · medium

Drag and drop each QoS model on the left to its matching characteristic on the right.

Matches

Uses RSVP to reserve resources per flow

Classifies traffic with DSCP markings

No QoS guarantees

Why these pairings

IntServ uses RSVP for per-flow signaling, DiffServ uses DSCP markings for per-hop behavior, Best Effort provides no guarantees, IntServ is not scalable for large networks, DiffServ offers classification and policing at the edge.

383
Multi-Select · medium

Which three statements about RADIUS server configuration and operation are true? (Choose three.)

Select 3 answers
A. The default UDP port for RADIUS authentication is 1812.
B. The shared secret configured on the Cisco device must match the shared secret on the RADIUS server.
C. The 'radius-server host' command can include an optional 'key' parameter to specify the shared secret.
D. RADIUS uses TCP to ensure reliable delivery of authentication packets.
E. If no port is specified, RADIUS uses port 1645 for authentication by default.
Answers: A, B, C

Correct because IANA assigned port 1812 for RADIUS authentication.

Why this answer

RADIUS servers are configured with IP address, shared secret, and UDP ports. The default authentication port is 1812 and accounting port is 1813. The shared secret must match on both client and server.

The 'radius-server host' command can specify the key. RADIUS uses MD5 for password encryption, but the shared secret is sent in cleartext within the packet.

384
Multi-Select · easy

Which three statements about HTTP response status codes in REST APIs are true? (Choose three.)

Select 3 answers
A. 200 OK is used to indicate a successful GET request.
B. 201 Created is returned when a resource is successfully created via POST.
C. 404 Not Found indicates a server-side error.
D. 400 Bad Request is a client error indicating malformed request syntax.
E. 500 Internal Server Error is a client error.
Answers: A, B, D

Correct because 200 OK is the standard success response for GET.

Why this answer

The correct answers are A, B, and D. A is correct because 200 OK is the standard success response for GET. B is correct because 201 Created is used for successful resource creation via POST.

D is correct because 400 Bad Request indicates a client error such as malformed syntax. C is incorrect because 404 Not Found indicates the resource does not exist, not a server error. E is incorrect because 500 Internal Server Error is a server-side error, not a client error.

385
MCQ · hard

A network engineer runs the following command on Router R7:

    R7# show ip ospf virtual-links
    Virtual Link OSPF_VL0 to router 2.2.2.2 is up
      Run as demand circuit
      DoNotAge LSA allowed.
      Transit area 1, via interface GigabitEthernet0/1, Cost of using 10
      Transmit Delay is 1 sec, State POINT_TO_POINT,
      Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
        Hello due in 00:00:07
        Adjacency State FULL

Based on this output, what can be concluded?

A. The virtual link is used to connect area 0 to a non-backbone area.
B. Router 2.2.2.2 is the other endpoint of the virtual link.
C. The virtual link is down.
D. The virtual link uses area 0 as the transit area.
Answer: B

The virtual link is to router 2.2.2.2, so that is the remote endpoint.

Why this answer

The output shows that the virtual link OSPF_VL0 to router 2.2.2.2 is up and the adjacency state is FULL. This confirms that router 2.2.2.2 is the remote endpoint of the virtual link, as the command displays the router ID of the neighbor at the other end of the virtual link.

Exam trap

Cisco often tests the misconception that the router ID shown in the virtual link output is the local router's ID, when in fact it is the remote endpoint's router ID, as confirmed by the 'to router' syntax in the command output.

How to eliminate wrong answers

Option A is wrong because the virtual link is used to connect a non-backbone area to area 0, not to connect area 0 to a non-backbone area; the virtual link extends area 0 into a transit area. Option C is wrong because the output explicitly states 'Virtual Link ... is up' and 'Adjacency State FULL', indicating the link is operational. Option D is wrong because the transit area is area 1, not area 0; the output shows 'Transit area 1'.

386
Matching · hard

Drag and drop each EtherChannel load-balance method on the left to its matching hashing input on the right.

Matches

Source and destination IP addresses

Source and destination MAC addresses

Source and destination Layer 4 ports

Source IP address only

Destination IP address only

Why these pairings

src-dst-ip uses source and destination IP, src-dst-mac uses MAC addresses, src-dst-port uses TCP/UDP ports.

387
Multi-Select · medium

Which two statements about the QoS trust boundary on a Cisco switch are true? (Choose two.)

Select 2 answers
A. By default, a Cisco switch port in access mode trusts the CoS value received from the attached device.
B. On a trunk port, the switch can be configured to trust the CoS value by default.
C. The trust boundary can be extended to the endpoint by configuring the interface with the 'mls qos trust' command.
D. When a Cisco IP Phone is connected, the switch automatically trusts the CoS values from the phone but not from the PC behind the phone.
E. The 'trust device cisco-phone' command enables the switch to trust all CoS values from both the phone and the attached PC.
Answers: B, C

Correct. On trunk ports, the default trust state is to trust the CoS value, as the switch expects the other switch or router to have set the marking appropriately.

Why this answer

The trust boundary defines which device in the network is trusted to mark QoS values. By default, Cisco switches trust the CoS value on trunk ports but do not trust the DSCP value on access ports. The trust boundary can be extended to the endpoint by configuring the switch port as trusted, and the Cisco IP Phone can override the marking from the attached PC.

388
MCQ · easy

A company is deploying a wireless network in an office with high client density. Which Cisco architecture is best suited to handle client roaming without requiring a central controller for every roaming event?

A. Mesh networking
B. Autonomous APs
C. Centralized switching with a WLC
D. FlexConnect
Answer: D

FlexConnect allows local data switching and fast roaming with minimal controller interaction.

Why this answer

FlexConnect (option D) is the correct architecture because it allows client data traffic to be switched locally at the remote site, while the control plane remains centralized. This design eliminates the need for a central controller to process every roaming event, as clients can roam between FlexConnect APs using local switching and 802.11r (Fast Roaming) without requiring a WLC in the data path.

Exam trap

Cisco often tests the misconception that centralized switching (WLC) is always required for seamless roaming, but FlexConnect decouples the data plane from the control plane to allow local roaming without a central controller in the data path.

How to eliminate wrong answers

Option A is wrong because mesh networking is designed for extending coverage in areas without wired backhaul, not for handling high-density client roaming with local switching; it still relies on a central controller for roaming decisions. Option B is wrong because autonomous APs operate independently without any central coordination, making seamless roaming inefficient and requiring manual configuration for each AP, which is unsuitable for high-density environments. Option C is wrong because centralized switching with a WLC forces all client traffic through the controller, creating a bottleneck and requiring the WLC to process every roaming event, which increases latency and reduces scalability in high-density deployments.

389
Drag & Drop · medium

Drag and drop the steps of MPLS LDP label distribution and FIB population into the correct order, from first to last.

Why this order

First, IP routing must be operational so that the IGP converges. Then LDP is enabled on interfaces and forms neighbor relationships. LDP then assigns local labels to FECs and advertises them to neighbors.

The remote label is received and installed in the LIB. Finally, the LFIB is populated with the best label bindings for forwarding.

390
MCQ · medium

An architect is designing a virtualized service chain for a campus network using NFV. The chain must include a firewall, WAN optimizer, and IPS. The architect needs to minimize latency by placing VNFs on the same hypervisor host. Which design consideration is most important?

A. Ensure all VNFs are pinned to the same NUMA node on the hypervisor host.
B. Use a Type 2 hypervisor to reduce overhead.
C. Place each VNF on a separate physical host to avoid resource contention.
D. Enable DPDK on the virtual switch to accelerate packet processing.
Answer: A

This minimizes memory access latency and improves performance for the service chain.

Why this answer

Option A is correct because pinning all VNFs to the same NUMA node on the hypervisor host minimizes inter-NUMA memory access latency, which is critical for achieving low-latency packet processing in an NFV service chain. When VNFs are placed on different NUMA nodes, memory accesses must traverse the QPI/UPI interconnect, adding significant latency. By co-locating the firewall, WAN optimizer, and IPS on the same NUMA node, the architect ensures that all packet processing stays within the same memory domain, reducing latency to the minimum possible on that host.

Exam trap

Cisco often tests the misconception that DPDK or a Type 2 hypervisor is the primary solution for low-latency NFV, when in fact NUMA awareness is the foundational requirement that must be addressed first.

How to eliminate wrong answers

Option B is wrong because Type 2 hypervisors (hosted on an OS) introduce additional overhead from the host OS scheduler and drivers, which increases latency compared to Type 1 (bare-metal) hypervisors; the question requires minimizing latency, so a Type 2 hypervisor is counterproductive. Option C is wrong because placing each VNF on a separate physical host forces packets to traverse the network between hosts, adding switching and link latency that is far higher than any intra-host contention; this directly contradicts the goal of minimizing latency. Option D is wrong because enabling DPDK on the virtual switch accelerates packet processing by bypassing the kernel, but it does not address the fundamental latency penalty of cross-NUMA memory access; DPDK is a performance optimization, not a substitute for proper NUMA placement.

391
MCQ · easy

An engineer is configuring a virtual machine on a Microsoft Hyper-V host. The VM runs a legacy application that requires a static MAC address. The engineer sets the MAC address in the VM settings. After the VM starts, the application cannot communicate on the network. The engineer verifies that the MAC address is not duplicated on the network. What is the most likely cause?

A. The static MAC address is not within the allowed range for Hyper-V virtual machines.
B. The VM is configured to use a dynamic MAC address, overriding the static setting.
C. The VM's network adapter is set to use the legacy network adapter type.
D. The VM is a generation 2 VM, which does not support static MAC addresses.
Answer: A

Correct because Hyper-V enforces a specific MAC address range for static assignments to avoid conflicts.

Why this answer

Hyper-V enforces a specific range for static MAC addresses assigned to virtual machines. The default allowed range is 00-15-5D-XX-XX-XX, derived from the Microsoft Organizationally Unique Identifier (OUI). If the engineer configured a MAC address outside this range (e.g., starting with a different OUI), Hyper-V will not allow the VM to use it, effectively breaking network communication even though the address is not duplicated on the network.

Exam trap

Cisco often tests the misconception that any static MAC address can be assigned to a Hyper-V VM, when in reality the address must fall within the Microsoft OUI range (00-15-5D-XX-XX-XX) to be accepted by the hypervisor.

How to eliminate wrong answers

Option B is wrong because if the engineer explicitly sets a static MAC address in the VM settings, Hyper-V does not override it with a dynamic address; the static setting takes precedence. Option C is wrong because the legacy network adapter type (used for PXE boot or older OS compatibility) does support static MAC addresses and would not prevent communication solely due to its type. Option D is wrong because Generation 2 VMs fully support static MAC addresses; the misconception that they do not is incorrect, as static MAC assignment is a standard feature across both Generation 1 and Generation 2 VMs.

392
Multi-Select · hard

Which three statements about NAT64 and NPTv6 are true? (Choose three.)

Select 3 answers
A. NAT64 translates IPv6 packets to IPv4 packets and vice versa, allowing IPv6-only clients to access IPv4 servers.
B. NPTv6 (Network Prefix Translation) translates the IPv6 prefix of a packet while preserving the host portion of the address.
C. NAT64 requires a DNS64 server to synthesize AAAA records from A records for IPv6 clients.
D. NPTv6 provides port address translation similar to PAT in IPv4 NAT.
E. Both NAT64 and NPTv6 require stateful inspection of all traffic flows.
Answers: A, B, C

Correct because NAT64 performs protocol translation between IPv6 and IPv4, enabling communication between IPv6-only and IPv4-only hosts.

Why this answer

This question tests understanding of IPv6 transition mechanisms, specifically NAT64 and NPTv6, including their differences and use cases.

393
MCQ · medium

A network administrator is troubleshooting a BGP routing issue where routes from an eBGP neighbor are not being installed in the routing table. The 'show ip bgp' output shows the routes are received but not valid. What is the most likely cause?

A. The AS-path contains the local AS number.
B. The next-hop IP address is not reachable.
C. BGP synchronization is enabled.
D. The maximum-prefix limit has been exceeded.
Answer: B

Option B is correct because if the next-hop is not reachable, the route is not installed.

Why this answer

For a BGP route to be considered valid and installed in the routing table, the next-hop IP address must be reachable via an IGP or a static route. If the next hop is not reachable, the route will appear in the 'show ip bgp' output but will be marked as not valid (often with an 'r' for received but not valid). This is the most common cause when routes are received from an eBGP neighbor but not installed.

Exam trap

Cisco often tests the distinction between routes being received in the BGP table versus being installed in the routing table, and the trap here is that candidates confuse synchronization (a deprecated feature) with the next-hop reachability requirement, which is the immediate cause of the 'not valid' status.

How to eliminate wrong answers

Option A is wrong because if the AS-path contains the local AS number, BGP would reject the route due to loop prevention (the route would be marked as invalid or not received at all), but the question states routes are received. Option C is wrong because BGP synchronization is disabled by default in modern IOS versions and, even if enabled, it would affect the route's validity only if the prefix is not present in the IGP, but the next-hop reachability check is more fundamental. Option D is wrong because exceeding the maximum-prefix limit would cause the BGP session to be torn down or the neighbor to be shut down, not simply mark routes as not valid while keeping them in the BGP table.

394
MCQ · hard

A service provider uses MPLS L3VPN with multiple VRFs on a Cisco ASR 1000 PE router. One customer VRF (RED) has overlapping IP addresses with another VRF (BLUE). The engineer configures route-target import/export as 100:1 for RED and 200:2 for BLUE. Both VRFs have a static default route pointing to the CE. The PE receives VPNv4 routes from the route reflector for both VRFs. However, traffic from RED to its CE is working, but traffic from BLUE to its CE is intermittently failing. What is the most likely cause?

A. The BLUE VRF's interface is not configured with the ip vrf forwarding BLUE command, so the interface is in the global routing table.
B. The route-target import for BLUE is 200:2, but the route reflector exports routes with a different route-target.
C. The PE router has too many VRFs, causing memory exhaustion.
D. The BLUE VRF is missing the rd command.
Answer: A

Correct because if the interface is not associated with the VRF, traffic from that interface uses the global table, causing intermittent failures when the global table has conflicting routes.

Why this answer

The correct answer is A because if the BLUE VRF's interface is missing the 'ip vrf forwarding BLUE' command, the interface remains in the global routing table. This means traffic from the BLUE VRF will be forwarded using the global routing table instead of the VRF's routing table, causing intermittent failures when the global table does not have a route to the CE or when the CE's IP overlaps with another VRF's subnet. The static default route configured in the BLUE VRF would not be used, leading to connectivity issues.

Exam trap

The trap here is that candidates often focus on route-target or RD mismatches as the cause of VRF connectivity issues, but Cisco tests the fundamental requirement that each VRF interface must be explicitly bound to the VRF using 'ip vrf forwarding', otherwise the VRF's routing table is not used for that interface.

How to eliminate wrong answers

Option B is wrong because the question states that the PE receives VPNv4 routes from the route reflector for both VRFs, implying the route-target export/import is correctly matched; if the route reflector exported with a different RT, the BLUE VRF would not import any routes at all, not just intermittent failure. Option C is wrong because memory exhaustion would affect all VRFs and all traffic, not specifically and intermittently only the BLUE VRF's traffic to its CE. Option D is wrong because the 'rd' command is required for the VRF to exist and for VPNv4 route exchange, but the question states the PE receives VPNv4 routes for both VRFs, so the RD must be configured; missing RD would prevent any VPNv4 routes from being received or installed.

395
MCQ · hard

An engineer is configuring a FlexVPN hub-and-spoke topology using IKEv2. The hub router is configured with a dynamic crypto map and a local pool for assigning IP addresses to spokes. The spokes are configured with a static crypto map and a tunnel interface with an IP address from the pool. The tunnel comes up, but the spoke cannot ping the hub's tunnel interface. The hub can ping the spoke's tunnel interface. What is the most likely cause?

A. The spoke is configured with a static IP address on the tunnel interface that is not in the hub's IP pool.
B. The hub is missing the 'tunnel protection ipsec' command on the tunnel interface.
C. The spoke's crypto map is not using the correct pre-shared key.
D. The hub's IKEv2 profile is not configured with 'authentication remote rsa-sig'.
Answer: A

Correct. In FlexVPN, the hub assigns IP addresses from a pool. If the spoke statically configures an IP address, the hub may not have a route back to that address, causing asymmetric routing or unreachability.

Why this answer

In FlexVPN, the hub assigns an IP address to the spoke from a pool. The spoke's tunnel interface should receive this IP address dynamically. If the spoke is configured with a static IP address that is not in the hub's pool, the hub will not route traffic back to the spoke correctly, or the spoke may have a mismatched subnet.

The hub can ping the spoke because the spoke's tunnel IP is reachable, but the spoke cannot ping the hub because the spoke's routing table may not have a route to the hub's tunnel IP, or the hub's reverse route injection is not working.

396
Multi-Select · medium

Which three statements about trunking and VLAN pruning are true? (Choose three.)

Select 3 answers
A. VTP pruning dynamically removes VLANs from a trunk if the VLAN is not present on the remote switch.
B. Manual pruning can be achieved using the 'switchport trunk allowed vlan' command.
C. VTP pruning requires VTP to be enabled on the switches in the management domain.
D. VTP pruning is only supported in VTP version 3.
E. The 'switchport trunk native vlan' command is used to prune VLANs from a trunk.
Answers: A, B, C

Correct because VTP pruning advertises VLAN membership and prunes unnecessary VLANs from trunk links.

Why this answer

Correct: A is true because VTP pruning reduces unnecessary broadcast traffic on trunk links by dynamically removing VLANs that are not needed on a switch. B is true because pruning can be manually configured on a trunk using the 'switchport trunk allowed vlan' command to restrict which VLANs traverse the link. C is true because VTP pruning requires VTP to be configured and operating in the domain; it is not available without VTP.

D is incorrect because VTP pruning works with VTP versions 1 and 2, not just version 3. E is incorrect because the 'switchport trunk native vlan' command sets the native VLAN, not pruning; pruning is controlled by allowed VLAN lists or VTP pruning.

397
Drag & Drop · medium

Drag and drop the steps of DMVPN Phase 1 spoke-to-hub tunnel setup into the correct order, from first to last.

Why this order

In DMVPN Phase 1, the spoke first establishes an mGRE tunnel to the hub using a multipoint interface. The hub then registers the spoke's NHRP mapping. After registration, the spoke can dynamically learn routes from the hub via the tunnel.

Finally, the spoke sends traffic through the hub, which routes it to the destination.

398
Drag & Drop · hard

Drag and drop the steps of the cisco.ios.ios_config module's idempotent apply flow into the correct order, from first to last.

Why this order

The ios_config module first connects to the device, retrieves the running config, compares it with the desired config, applies only the necessary changes, and then saves the config if specified, ensuring idempotency.

399
MCQ · easy

A network engineer is troubleshooting an OSPF adjacency issue between two routers connected via a serial link. The adjacency is stuck in the INIT state. The engineer has verified that the IP addresses are in the same subnet and that the link is up. What is the most likely cause?

A. The OSPF router IDs are the same.
B. The OSPF hello interval is mismatched between the two routers.
C. The OSPF process ID is different.
D. The OSPF network type is point-to-point on one router and point-to-multipoint on the other.
Answer: B

Correct because if the hello intervals are different, the routers will not agree on the hello timer, causing the adjacency to remain in INIT.

Why this answer

The INIT state in OSPF indicates that a router has received a Hello packet from its neighbor but the neighbor has not yet seen its own Router ID in the received Hello. A mismatched Hello interval causes the routers to send Hellos at different rates, so one router may not receive a Hello within the expected Dead interval, preventing the neighbor from seeing its Router ID in the received Hello and thus stalling the adjacency in INIT.

Exam trap

Cisco often tests the distinction between INIT and other OSPF states, and the trap here is that candidates confuse a network type mismatch (which causes EXSTART issues) with a Hello interval mismatch (which causes INIT), or incorrectly assume that the OSPF process ID must match.

How to eliminate wrong answers

Option A is wrong because identical OSPF router IDs would cause a conflict that typically results in the adjacency being stuck in EXSTART/EXCHANGE or a neighbor state of DOWN, not INIT. Option C is wrong because the OSPF process ID is locally significant and does not need to match between routers for adjacency formation. Option D is wrong because a network type mismatch (e.g., point-to-point vs. point-to-multipoint) usually causes the adjacency to get stuck in the EXSTART state due to DR/BDR election issues, not in INIT.

400
MCQ · medium

Router R5 has the following OSPF configuration:

    router ospf 1
     router-id 5.5.5.5
     network 10.0.0.0 0.255.255.255 area 0
     area 0 authentication message-digest
    !
    interface GigabitEthernet0/0
     ip address 10.1.1.5 255.255.255.0
     ip ospf message-digest-key 1 md5 cisco123

What is missing from this OSPF authentication configuration?

A. The configuration is complete and correct.
B. The interface needs the 'ip ospf authentication message-digest' command.
C. The 'area 0 authentication' command should be 'area 0 authentication md5'.
D. The 'network' command should include the area authentication keyword.
Answer: B

This command activates MD5 authentication on the interface, required for the area authentication to take effect.

Why this answer

Option B is correct because OSPF authentication configuration requires two components: an area-level authentication type (configured via `area 0 authentication message-digest`) and an interface-level authentication mode (configured via `ip ospf authentication message-digest`). The interface command tells the OSPF process to actually use the key defined with `ip ospf message-digest-key`. Without it, the interface defaults to no authentication, even though the area is configured for authentication.

Exam trap

The trap here is that candidates assume configuring the area authentication and the key is sufficient, overlooking the mandatory interface-level `ip ospf authentication message-digest` command that activates authentication on the specific interface.

How to eliminate wrong answers

Option A is wrong because the configuration is incomplete; the interface lacks the `ip ospf authentication message-digest` command, so OSPF packets on GigabitEthernet0/0 will not be authenticated. Option C is wrong because `area 0 authentication md5` is not a valid Cisco IOS command; the correct syntax is `area 0 authentication message-digest`. Option D is wrong because the `network` command does not support an area authentication keyword; area authentication is configured separately under the OSPF process or on the interface.

401
MCQ · easy

Which BGP attribute is preferred with the lowest value?

A. MED
B. Local Preference
C. Weight
D. Origin
Answer: A

Correct. Lower MED is preferred in BGP path selection.

Why this answer

MED (Multi-Exit Discriminator) is a BGP attribute that is preferred with the lowest value. It is used to influence inbound traffic to an AS when multiple entry points exist, and a lower MED value is more preferred over a higher one.

Exam trap

Cisco often tests the confusion between attributes that use 'lowest is best' (like MED and IGP metric) versus 'highest is best' (like Local Preference and Weight), so candidates mistakenly apply the 'highest is best' rule to MED.

How to eliminate wrong answers

Option B (Local Preference) is wrong because Local Preference is preferred with the highest value, not the lowest, and is used to influence outbound traffic from an AS. Option C (Weight) is wrong because Weight is a Cisco-proprietary attribute that is preferred with the highest value, and it is local to the router. Option D (Origin) is wrong because Origin is preferred in the order IGP < EGP < incomplete, not based on a numeric value.

402
MCQmedium

A network engineer is troubleshooting an EIGRP issue in a large enterprise network. Two routers, R1 and R2, are connected via a T1 link. R1 is learning a route to 10.0.0.0/8 from R2 with a metric of 28160, but the same route is also learned from another neighbor with a metric of 26880. The engineer notices that the route from R2 is not being installed in the routing table. What is the most likely cause?

A.The route from R2 is a feasible successor, so it is not installed in the routing table.
B.EIGRP is using unequal-cost load balancing, so the higher metric route is not used.
C.The route with metric 28160 is not installed because EIGRP selects the route with the lowest metric.
D.The route from R2 is a summary route, so it is not installed in the routing table.
AnswerC

Correct. EIGRP installs only the route with the best (lowest) metric in the routing table. Since 26880 is lower than 28160, the route from R2 is not installed.

Why this answer

C is correct because EIGRP installs only the route with the best (lowest) metric into the routing table. The route from R2 has a metric of 28160, while the other neighbor advertises the same route with a metric of 26880. Since 26880 is lower, R1 selects that route as the successor and does not install the higher-metric route from R2.

Exam trap

Cisco often tests the misconception that all learned EIGRP routes are installed in the routing table, but in reality only the successor (lowest metric) is installed unless unequal-cost load balancing is explicitly configured.

How to eliminate wrong answers

Option A is wrong because a feasible successor is a backup route that is kept in the topology table but not installed in the routing table unless the successor fails; however, the question states that the route from R2 is not installed, but it is not necessarily a feasible successor—it could simply be a non-successor route that does not meet the feasibility condition. Option B is wrong because unequal-cost load balancing (variance) is optional and, even if enabled, would only load-balance across routes that meet the variance multiplier; the route with metric 28160 would still not be installed if it is not selected as a successor or feasible successor under the variance condition. Option D is wrong because there is no indication that the route from R2 is a summary route; summary routes are typically installed with a lower administrative distance or as a local route, and the metric difference alone does not imply summarization.

403
MCQeasy

An enterprise uses VMware vSphere to host multiple virtual machines (VMs). The network team wants to implement a virtual firewall on the hypervisor to inspect traffic between VMs on the same ESXi host. Which technology should be used?

A.Use VXLAN to encapsulate traffic and send it to a firewall.
B.Deploy a virtual firewall on a vSphere Distributed Switch with a private VLAN.
C.Use a vSphere Standard Switch and configure port mirroring.
D.Deploy a physical firewall and route all VM traffic through it.
AnswerB

Private VLAN can redirect traffic to the virtual firewall.

Why this answer

Option B is correct because deploying a virtual firewall on a vSphere Distributed Switch (VDS) with a private VLAN (PVLAN) allows the firewall to inspect east-west traffic between VMs on the same ESXi host without sending traffic off the host. The VDS supports PVLANs to isolate VM traffic and redirect it to the virtual firewall for inspection, enabling granular security within the hypervisor.

Exam trap

Cisco often tests the distinction between monitoring tools (port mirroring) and inline security appliances (virtual firewalls), leading candidates to mistakenly choose port mirroring for traffic inspection instead of a solution that can actually enforce policies.

How to eliminate wrong answers

Option A is wrong because VXLAN is an overlay encapsulation protocol used for network virtualization and extending Layer 2 segments across Layer 3 boundaries, not for directing intra-host VM traffic to a firewall; it adds unnecessary overhead and complexity for local inspection. Option C is wrong because port mirroring on a vSphere Standard Switch copies traffic to a monitoring port but does not allow inline inspection or filtering; it is used for monitoring, not for enforcing firewall policies. Option D is wrong because deploying a physical firewall requires all VM traffic to be routed off the host, which defeats the purpose of hypervisor-level inspection and introduces latency and bandwidth constraints for east-west traffic.

404
Multi-Selectmedium

Which two statements about EIGRP route summarization are true? (Choose two.)

Select 2 answers
A.Manual summarization can be configured on a per-interface basis using the ip summary-address eigrp command.
B.Automatic summarization is enabled by default in EIGRP for IPv4.
C.A manually configured summary route in EIGRP has an administrative distance of 5.
D.Manual summarization causes the router to advertise all specific routes in addition to the summary.
E.EIGRP for IPv6 does not support manual summarization.
AnswersA, C

Correct because the command 'ip summary-address eigrp <as> <prefix> <mask>' is used to configure manual summarization on an interface.

Why this answer

EIGRP supports manual summarization on any interface, which creates a summary route with an administrative distance of 5 by default. Automatic summarization at classful boundaries is disabled by default in modern IOS versions. Manual summarization can be configured per interface and suppresses more specific routes from being advertised out that interface.

The summary route is installed in the routing table as a local route.

405
Drag & Dropmedium

Drag and drop the traffic shaping vs policing configuration steps into the correct order, from first to last.

Why this order

First, identify the traffic to be shaped or policed using a class-map. Then configure the policy-map with either shape or police command. Apply the service-policy in the appropriate direction.

For shaping, the router buffers excess traffic; for policing, it drops or re-marks. Finally, verify using show policy-map interface.

406
Multi-Selecteasy

Which THREE benefits does network automation provide over manual configuration?

Select 3 answers
A.Increased security by eliminating the need for SSH access
B.Lower initial investment compared to manual processes
C.Reduced risk of configuration errors
D.Consistent configuration across all devices
E.Faster deployment of configuration changes
AnswersC, D, E

Automation eliminates manual mistakes.

Why this answer

Option C is correct because network automation eliminates human error during repetitive configuration tasks. By using tools like Ansible, Python scripts, or NETCONF/YANG models, configurations are applied consistently without typos or missed commands, which are common in manual CLI entry. This directly reduces the risk of syntax errors, missing parameters, or inconsistent settings that can lead to network outages.

Exam trap

Cisco often tests the misconception that automation eliminates all manual access methods like SSH, but in reality, automation relies on SSH or similar transports for device communication, and the trap is assuming automation reduces security risks by removing SSH entirely.

407
Drag & Dropmedium

Drag and drop the steps of Dynamic Trunking Protocol (DTP) negotiation into the correct order, from first to last.

Why this order

DTP negotiation begins with the interface defaulting to dynamic desirable or auto mode. If a switchport is set to trunk, DTP sends frames to negotiate. The neighbor responds if in a compatible mode.

Once agreed, the link becomes trunking. Finally, both ends forward traffic for multiple VLANs.

408
Matchingmedium

Drag and drop each BGP attribute on the left to its matching attribute type on the right.

Matches

Well-known mandatory

Well-known discretionary

Optional transitive

Optional non-transitive

Well-known mandatory

Why these pairings

AS_PATH is well-known mandatory; LOCAL_PREF is well-known discretionary; COMMUNITY is optional transitive; MULTI_EXIT_DISC is optional non-transitive; ORIGIN is well-known mandatory.

409
MCQhard

A network engineer is troubleshooting an MPLS L2VPN (VPWS) where two customer sites are connected via a pseudowire. The engineer has configured the xconnect on both PE routers, but the customer reports that the link is down. The 'show mpls l2transport vc' command on PE1 shows the VC state as 'down'. What is the most likely cause?

A.LDP is not enabled on the core interfaces between the PEs.
B.The VC ID is different on the two PEs.
C.The VC type is not set to Ethernet.
D.The encapsulation is set to VLAN instead of Ethernet.
AnswerA

Correct because LDP is required to exchange labels for the pseudowire.

Why this answer

In MPLS L2VPN, the VC state depends on the MPLS label path. If LDP is not exchanging labels for the pseudowire, the VC will remain down. Option A is correct.

Option B is wrong because the VC ID must match; Option C is wrong because the VC type must match; Option D is wrong because the encapsulation must match.

410
Drag & Dropmedium

Drag and drop the steps of configuring an IP SLA ICMP echo operation into the correct order, from first to last.

Why this order

First, enter global config mode. Then create the IP SLA operation with type icmp-echo, set the target address and optional parameters like frequency, schedule the operation, and finally verify reachability using show commands.

411
Drag & Dropmedium

Drag and drop the steps of Flexible NetFlow flow record and exporter setup into the correct order, from first to last.

Why this order

The correct order begins with defining the flow record, then the flow exporter, then the flow monitor, then applying it to an interface, and finally verifying with show commands.

412
MCQmedium

A company is using a dual-homed MPLS L3VPN connection with two different ISPs. The CE router is running eBGP with both PE routers. The engineer wants to ensure that inbound traffic from the Internet to the company's web servers uses both links, but outbound traffic from the company should prefer ISP A. The company advertises the same /24 prefix to both ISPs. What BGP configuration should the engineer apply on the CE router?

A.Set a lower MED for routes advertised to ISP A and a higher MED for routes advertised to ISP B.
B.Use AS path prepending on routes advertised to ISP B and set a higher local preference for routes learned from ISP A.
C.Advertise a more specific prefix (e.g., /25) to ISP A and a less specific prefix (/24) to ISP B.
D.Configure the CE router to use BGP multipath with both ISPs.
AnswerB

Correct. AS path prepending makes the path to ISP B longer, discouraging inbound traffic from using it. Setting a higher local preference for routes from ISP A makes outbound traffic prefer ISP A.

Why this answer

To influence inbound traffic, the engineer can use AS path prepending to make one path less preferred. For outbound traffic, local preference can be used to prefer one ISP. Since the company wants outbound traffic to prefer ISP A, they should set a higher local preference for routes learned from ISP A.

For inbound traffic, they can prepend AS path to ISP B to make that path less attractive.

413
MCQmedium

```
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 mpls ip
 mpls label protocol tdp
!
router ospf 1
 network 10.1.1.0 0.0.0.255 area 0
!
router ldp
 interface GigabitEthernet0/1
!
```

Which statement about this configuration is true?

A.The interface will use TDP for label distribution, ignoring the LDP configuration under router ldp.
B.The router will use LDP because the global configuration overrides the interface command.
C.Both TDP and LDP will be used simultaneously on the interface.
D.The configuration will fail because TDP is not supported on this platform.
AnswerA

Correct. The interface-level 'mpls label protocol tdp' overrides the global LDP configuration, so TDP is used on that interface.

Why this answer

The interface is configured with TDP (Cisco proprietary) while the router is configured for LDP (standard). This mismatch will prevent label exchange.

414
MCQhard

An enterprise is migrating from a traditional three-tier campus design to a software-defined access (SD-Access) fabric. The engineer needs to ensure that the existing wireless infrastructure integrates seamlessly. Which component of SD-Access is responsible for integrating wireless and wired policies?

A.Fabric Edge node
B.Fabric Control node
C.Fabric Border node
D.Wireless LAN Controller (WLC)
AnswerA

Correct because the Fabric Edge node is the entry point for both wired and wireless users into the fabric, enforcing policies and providing connectivity.

Why this answer

The Fabric Edge node is the correct answer because it is the SD-Access component that serves as the attachment point for both wired and wireless endpoints. In an SD-Access fabric, the Fabric Edge node terminates the VXLAN tunnels from the wireless LAN controller (WLC) and applies consistent policy (e.g., SGT-based ACLs) to traffic from both wired and wireless users, ensuring seamless integration of the existing wireless infrastructure.

Exam trap

Cisco often tests the misconception that the WLC is responsible for policy integration, but in SD-Access, the WLC is merely a wireless controller that tunnels client traffic to the Fabric Edge node, which is the actual policy enforcement point.

How to eliminate wrong answers

Option B (Fabric Control node) is wrong because it handles LISP control-plane functions such as endpoint registration and mapping, not the integration of wireless policies. Option C (Fabric Border node) is wrong because it connects the fabric to external networks (e.g., WAN, data center) and performs NAT or route advertisement, but does not directly integrate wireless policies. Option D (Wireless LAN Controller) is wrong because while the WLC manages APs and wireless sessions, it is not the component responsible for integrating wireless and wired policies within the fabric; that role belongs to the Fabric Edge node, which applies consistent policy enforcement across both domains.

415
MCQhard

A network engineer runs the following command on a Cisco WLC:

```
WLC# show ap stats ap-name AP-3
AP Statistics for AP-3
----------------------
Channel Utilization: 75%
Interference: 30%
Noise Floor: -80 dBm
Total Packets Received: 5000
Total Packets Sent: 4500
Total Errors: 1500
```

Based on this output, what can be concluded?

A.The AP is operating in a clean environment with low interference.
B.The high error rate suggests possible co-channel interference or signal issues.
C.The channel utilization is low, indicating spare capacity.
D.The noise floor is excellent at -80 dBm.
AnswerB

30% error rate is high and indicates problems, likely from interference or noise.

Why this answer

The output shows high channel utilization (75%), high interference (30%), and a relatively high noise floor (-80 dBm is noisy). The error rate is 1500 out of 5000 received, which is 30%, indicating a poor wireless environment.

416
MCQeasy

Refer to the exhibit. An administrator needs to ensure that traffic to 192.168.1.0/24 is forwarded via a different path than traffic to 192.168.2.0/24, even though both routes are learned via OSPF with the same metric. Which action should the administrator take?

A.Configure policy-based routing to match 192.168.1.0/24 and set the next hop to 10.0.0.1.
B.Add a static route for 192.168.1.0/24 with a lower administrative distance than OSPF.
C.Use the 'distance ospf' command to change the OSPF administrative distance for all routes.
D.Adjust the OSPF cost on the interface to 10.0.0.2.
AnswerB

A static route with AD 1 would override the OSPF route (AD 110) for that prefix.

Why this answer

Option B is correct because adding a static route for 192.168.1.0/24 with a lower administrative distance (e.g., 1) than OSPF (default 110) forces the router to prefer the static route over the OSPF-learned route, even though the OSPF metric is the same. This allows traffic to 192.168.1.0/24 to use a different next-hop (e.g., 10.0.0.1) while traffic to 192.168.2.0/24 continues using the OSPF-learned path via 10.0.0.2, achieving the desired path differentiation without altering OSPF metrics or using complex PBR.

Exam trap

Cisco often tests the misconception that policy-based routing (PBR) is the only way to force traffic to a different next-hop, when in fact a simple static route with a lower administrative distance can achieve the same result more efficiently and is a common technique for path selection without altering routing protocol metrics.

How to eliminate wrong answers

Option A is wrong because policy-based routing (PBR) matches traffic based on source/destination and sets the next hop, but it does not change the routing table; it overrides the forwarding decision for matched packets, which is unnecessary complexity when a simple static route can achieve the same result with less overhead. Option C is wrong because using the 'distance ospf' command changes the administrative distance for all OSPF routes globally, affecting both 192.168.1.0/24 and 192.168.2.0/24 equally, so it cannot differentiate the path for only one prefix. Option D is wrong because adjusting the OSPF cost on the interface to 10.0.0.2 would change the metric for all routes learned via that interface, potentially altering the path for both prefixes and not specifically isolating 192.168.1.0/24 to a different next-hop.

417
MCQeasy

What is the maximum hop count for EIGRP?

A.255
B.100
C.15
D.224
AnswerA

Correct. EIGRP has a maximum hop count of 255.

Why this answer

EIGRP uses a maximum hop count of 255 by default, though the default administrative distance is 90 for internal routes and 170 for external routes.

418
MCQhard

A network engineer runs the following command on Router R1:

```
R1# show policy-map control-plane
 Control Plane
  Service-policy input: CoPP-POLICY
    Class-map: MGMT-CLASS (match-all)
      100 packets, 5000 bytes
      5 minute offered rate 1000 bps
      Match: access-group name MGMT-ACL
      police:
        cir 32000 bps, bc 4000 bytes, be 4000 bytes
        conformed 80 packets, 4000 bytes; actions: transmit
        exceeded 15 packets, 750 bytes; actions: drop
        violated 5 packets, 250 bytes; actions: drop
    Class-map: class-default (match-any)
      200 packets, 10000 bytes
      5 minute offered rate 2000 bps
      Match: any
      police:
        cir 64000 bps, bc 8000 bytes, be 8000 bytes
        conformed 200 packets, 10000 bytes; actions: transmit
        exceeded 0 packets, 0 bytes; actions: drop
        violated 0 packets, 0 bytes; actions: drop
```

Based on this output, what can be concluded?

A.Management traffic to the control plane is being policed, and some packets are being dropped because they exceed the configured rate.
B.All management traffic is being transmitted without drops.
C.The policer is configured in the output direction.
D.The class-default is dropping packets.
AnswerA

The policer shows 80 conformed and 20 exceeded/violated packets, meaning 20 packets were dropped due to exceeding the CIR.

Why this answer

The MGMT class has a CIR of 32 kbps. Out of 100 packets, 80 conformed and were transmitted, while 20 exceeded or violated and were dropped. This indicates that the traffic rate exceeded the policer's CIR, causing drops.

The correct answer is that management traffic to the control plane is being policed, and some packets are being dropped because they exceed the configured rate.

419
Matchingmedium

Drag and drop each BGP message type on the left to its matching function on the right.

Matches

Establishes a BGP session and negotiates capabilities

Advertises new routes or withdraws previously advertised routes

Reports an error condition and closes the BGP session

Periodically sent to keep the BGP session alive

Requests that a peer readvertise its routes

Why these pairings

OPEN establishes a BGP session; UPDATE advertises or withdraws routes; NOTIFICATION indicates an error; KEEPALIVE maintains the session; ROUTE-REFRESH requests readvertisement of routes.

420
MCQmedium

Given the following configuration on a Cisco IOS switch:

```
interface GigabitEthernet0/6
 switchport mode dynamic desirable
```

What is the effect of this configuration?

A.The interface will actively try to form a trunk and will succeed if the other side is set to trunk, desirable, or auto.
B.The interface will only become a trunk if the other side is set to trunk.
C.The interface will always remain an access port.
D.The interface will not send DTP frames.
AnswerA

Correct. Dynamic desirable sends DTP frames and can form a trunk with several modes.

Why this answer

The `switchport mode dynamic desirable` command configures the interface to actively send Dynamic Trunking Protocol (DTP) frames to negotiate trunking. If the neighboring interface is set to trunk, dynamic desirable, or dynamic auto, the negotiation will succeed and the link will become a trunk. This is because dynamic desirable actively initiates the negotiation, unlike dynamic auto which only responds.

Exam trap

Cisco often tests the distinction between dynamic desirable and dynamic auto, where the trap is that candidates forget dynamic desirable actively sends DTP frames and can form a trunk with dynamic auto, while dynamic auto only responds and will not form a trunk with another auto interface.

How to eliminate wrong answers

Option B is wrong because the interface will not only become a trunk if the other side is set to trunk; it will also succeed if the other side is set to dynamic desirable or dynamic auto, as DTP negotiation allows these combinations. Option C is wrong because the interface will not always remain an access port; it will actively negotiate to become a trunk if the neighbor supports it. Option D is wrong because the interface will send DTP frames; dynamic desirable is an active DTP mode that transmits DTP frames to initiate trunk negotiation.

421
Drag & Dropmedium

Drag and drop the steps of Cisco SD-WAN control plane establishment sequence into the correct order, from first to last.

Why this order

The control plane setup begins with vBond orchestrating initial authentication and directing devices to vManage and vSmart. Then each device establishes a DTLS/TLS connection to vManage for management. Next, devices establish DTLS/TLS connections to vSmart for control.

After that, OMP peering is set up between edges and vSmart. Finally, BFD sessions are established between edge devices for data plane liveness detection.

422
Matchingmedium

Drag and drop each VM storage type on the left to its matching characteristic on the right.

Matches

Allocates storage only as data is written

Allocates all required storage at creation

Provides direct LUN access to a VM

VMware virtual disk file format

Microsoft virtual hard disk format

Why these pairings

Thin provisioning allocates space on demand. Thick provisioning allocates all space at creation. RDM (Raw Device Mapping) provides direct access to a LUN.

VMDK is the virtual disk file format. VHDX is Microsoft’s virtual hard disk format.

423
Matchingmedium

Drag and drop each DNA Center Intent API on the left to its matching use on the right.

Matches

Retrieves network device details, serial numbers, and software versions

Provides physical and logical network topology maps

Lists network problems, severity, and suggested remediation

Tracks configuration changes, syslog messages, and SNMP traps

Manages site hierarchy and location-based network settings

Why these pairings

Intent APIs: inventory retrieves device details; topology provides network maps; issues reports network problems; events tracks changes and alerts.

424
Matchingmedium

Drag and drop each IP SLA schedule parameter on the left to its function on the right.

Matches

Defines when the operation begins

Interval between probes

Total duration of the operation

Time after which inactive operation is removed

Repeats the schedule daily

Why these pairings

start-time defines when the operation begins; frequency sets the interval between probes; life sets the total duration; ageout removes the operation after inactivity; recurring repeats the schedule daily.

425
Drag & Dropmedium

Drag and drop the VNF scaling up and scaling out steps into the correct order, from first to last.

Why this order

Scaling up (vertical) or scaling out (horizontal) begins with the VNFM monitoring performance metrics and detecting a threshold breach. The VNFM then notifies the NFVO of the scaling requirement. The NFVO authorizes the scaling action.

The VNFM then coordinates with the VIM to allocate additional resources (scale up) or instantiate new VNF instances (scale out). Finally, the VNFM updates the VNF configuration to use the new resources or instances.

426
MCQmedium

A network engineer runs the following command on Router R1:

```
R1# show ip nat translations
Pro  Inside global      Inside local       Outside local    Outside global
---  203.0.113.10       192.168.1.10       ---              ---
---  203.0.113.11       192.168.1.11       ---              ---
tcp  203.0.113.10:1024  192.168.1.10:1024  198.51.100.5:80  198.51.100.5:80
```

Based on this output, what can be concluded?

A.The router is performing static NAT for two internal hosts.
B.The router is performing dynamic NAT for all translations.
C.The router is performing Port Address Translation (PAT) for all translations.
D.The router is translating outside global addresses to inside local addresses.
AnswerA

The first two entries show a one-to-one mapping between inside local and inside global addresses without any protocol or outside address, which is characteristic of static NAT.

Why this answer

The output shows NAT translations. The first two lines are static NAT entries (no protocol, no outside address). The third line is a dynamic translation for a TCP session.

The inside local addresses are private (192.168.1.x), and inside global addresses are public (203.0.113.x). The outside addresses are public. This is typical for PAT or dynamic NAT.

427
MCQeasy

What is the maximum hop count for EIGRP?

A.255
B.15
C.128
D.Unlimited
AnswerA

EIGRP uses a 1-byte hop count field, allowing a maximum of 255 hops.

Why this answer

EIGRP uses a maximum hop count of 255 to prevent routing loops, which is a hard limit enforced by the protocol. This value is configurable via the 'metric maximum-hops' command under the EIGRP process, but the absolute maximum is 255. Unlike distance-vector protocols like RIP, EIGRP is an advanced distance-vector protocol that uses the Diffusing Update Algorithm (DUAL) for loop avoidance, but the hop count serves as a final safety mechanism.

Exam trap

Cisco often tests the distinction between the default hop count (100) and the maximum hop count (255), leading candidates to mistakenly select 128 or 15 due to confusion with other protocols or default values.

How to eliminate wrong answers

Option B is wrong because 15 is the maximum hop count for RIP (Routing Information Protocol), not EIGRP; this is a common confusion between distance-vector protocols. Option C is wrong because 128 is not the maximum hop count for EIGRP; the default is 100, but it can be increased up to 255. Option D is wrong because EIGRP does have a finite maximum hop count of 255; it is not unlimited, as the protocol must have a loop-prevention boundary.

428
Matchingmedium

Drag and drop each MPLS label operation on the left to its matching action on the right.

Matches

Adds a new label to the top of the label stack

Removes the top label from the label stack

Replaces the top label with a new label value

Removes the label before the final hop

Adds one or more labels to an unlabeled packet

Why these pairings

Push adds a new label to the stack, pop removes the top label, and swap replaces the top label with a new one.

429
Drag & Dropmedium

Drag and drop the steps of DMVPN Phase 1 spoke-to-hub tunnel setup into the correct order, from first to last.

Why this order

In DMVPN Phase 1, the spoke first establishes an mGRE tunnel to the hub using NHRP registration, then the hub learns the spoke's NBMA address, and finally the spoke can route traffic through the hub. The correct order is: configure mGRE tunnel interface on spoke, configure NHRP with hub as NHS, spoke registers its NBMA address via NHRP, hub adds spoke to its NHRP database, and spoke sends traffic through hub.

430
MCQmedium

A network engineer is troubleshooting a DHCP issue on a Cisco router configured as a DHCP server for a VLAN. Clients in the VLAN are able to obtain IP addresses from the DHCP server, but they are not receiving the correct DNS server address. The engineer checks the DHCP pool configuration and sees the dns-server command is configured with the correct IP address. What is the most likely cause of the problem?

A.The DHCP pool is not associated with the correct VLAN interface using the network command.
B.The DNS server is unreachable from the DHCP server.
C.The ip dhcp excluded-address command is blocking the DNS server IP.
D.The DHCP client is configured with a static DNS server address.
AnswerA

Correct because if the network command in the DHCP pool does not match the subnet of the VLAN, the DHCP server may assign addresses but not apply the pool-specific options like DNS.

Why this answer

The DHCP server configuration appears correct, but the clients are not receiving the DNS server address. This often happens when the DHCP server is not the default gateway and DHCP relay is involved, or when the DHCP pool is not bound to the correct interface.

431
MCQeasy

A network engineer is deploying streaming telemetry from a Cisco ASR 1000 router to a collector using gRPC. The engineer notices that the telemetry data is not being received by the collector. The router shows that the gRPC server is running and the collector is reachable. What is the most likely cause?

A.No telemetry subscription is configured on the router for the desired data paths.
B.The gRPC server is configured with the wrong port number.
C.The collector is not listening on the same IP address as configured on the router.
D.The telemetry data is encoded in GPB, but the collector expects JSON.
AnswerA

Correct because a subscription defines what data to stream and to which collector; without it, no data is sent.

Why this answer

For gRPC telemetry, the router must have a subscription configured to send data. Option A is correct because without a subscription, no data is streamed. Option B is incorrect because the server is running.

Option C is incorrect because the collector is reachable. Option D is incorrect because the encoding format does not prevent data from being sent if the server is up.

432
Drag & Dropmedium

Drag and drop the steps of SD-WAN zero-touch provisioning (ZTP) flow into the correct order, from first to last.

Why this order

ZTP starts with the device contacting the DHCP server for an IP address, then resolving the vManage hostname via DNS, establishing a DTLS connection to vManage, downloading the full configuration, and finally applying the configuration to become operational.

433
Drag & Dropmedium

Drag and drop the steps of EIGRP authentication using MD5 key-chain into the correct order, from first to last.

Why this order

First, a key chain must be created and a key defined with the MD5 key string. Then, the key chain is applied to the EIGRP interface under router configuration. Finally, authentication mode and key chain are enabled on the interface.

434
Drag & Dropmedium

Drag and drop the steps of IBNS 2.0 concurrent authentication policy map into the correct order, from first to last.

Why this order

IBNS 2.0 uses a policy map that first triggers 802.1X, then if that fails, concurrently tries MAB and web authentication, evaluates the first successful method, and finally applies the corresponding authorization result.

435
MCQmedium

A Python script using Netmiko is written to send a command to a Cisco router:

    from netmiko import ConnectHandler

    device = {
        'device_type': 'cisco_ios',
        'ip': '192.168.1.1',
        'username': 'admin',
        'password': 'cisco',
        'secret': 'enable'
    }

    connection = ConnectHandler(**device)
    connection.enable()
    output = connection.send_command('show ip interface brief')
    print(output)
    connection.disconnect()

What is the potential issue with this script?

A.The script will fail because 'device_type' should be 'cisco_ios_telnet' for telnet connections.
B.The script will work correctly without any issues.
C.The script will fail because 'secret' is misspelled; it should be 'enable_secret'.
D.The script lacks exception handling for authentication or connection failures, which can cause the script to crash.
AnswerD

Netmiko can raise exceptions like AuthenticationException or NetmikoTimeoutException; these should be caught.

Why this answer

The script does not handle authentication failures or connection timeouts. If the device is unreachable or credentials are wrong, the script will throw an unhandled exception and crash. The correct answer identifies the lack of exception handling.

436
MCQhard

A network engineer issues the following command on Router R2:

    R2# show ip ospf interface GigabitEthernet0/0
    GigabitEthernet0/0 is up, line protocol is up
      Internet Address 192.168.1.2/24, Area 0
      Process ID 1, Router ID 2.2.2.2, Network Type BROADCAST, Cost: 10
      Transmit Delay is 1 sec, State DR, Priority 1
      Designated Router (ID) 2.2.2.2, Interface address 192.168.1.2
      Backup Designated router (ID) 1.1.1.1, Interface address 192.168.1.1
      Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
        Hello due in 00:00:03
      Index 1/1/1, flood queue length 0
      Next 0x0(0)/0x0(0)/0x0(0)
      Last flood scan length is 1, maximum is 1
      Last flood scan time is 0 msec, maximum is 0 msec
      Neighbor Count is 2, Adjacent neighbor count is 2
        Adjacent with neighbor 1.1.1.1 (Backup Designated Router)
        Adjacent with neighbor 3.3.3.3

Based on this output, what can be concluded?

A.R2 has a full OSPF adjacency with all neighbors on this segment.
B.R2 is the Backup Designated Router on this segment.
C.The OSPF cost to reach the network 192.168.1.0/24 is 20.
D.R2 will send hello packets every 40 seconds.
AnswerA

The adjacent neighbor count is 2, equal to the neighbor count, meaning all neighbors are fully adjacent.

Why this answer

The output shows that R2 is the Designated Router (DR) on this broadcast segment, with two neighbors listed: 1.1.1.1 (BDR) and 3.3.3.3. The 'Adjacent neighbor count is 2' and both neighbors are listed as 'Adjacent with neighbor', confirming that R2 has formed full OSPF adjacencies with all neighbors on this segment. In OSPF broadcast networks, only the DR and BDR form full adjacencies with all routers, while non-DR/BDR routers only form full adjacencies with the DR and BDR.

Exam trap

Cisco often tests the distinction between 'neighbor count' and 'adjacent neighbor count' — candidates may incorrectly assume that all neighbors are fully adjacent, but in broadcast networks, only the DR and BDR have full adjacencies with all routers, while other routers only have full adjacency with the DR and BDR.

How to eliminate wrong answers

Option B is wrong because R2 is the Designated Router (State DR, Priority 1), not the Backup Designated Router; the BDR is 1.1.1.1. Option C is wrong because the cost shown (Cost: 10) is the OSPF cost of the GigabitEthernet0/0 interface on R2, not the cost to reach the network 192.168.1.0/24; the cost to reach that network would be the sum of outgoing interface costs along the path. Option D is wrong because the Hello timer is configured as 10 seconds (Hello 10), not 40 seconds; the Dead timer is 40 seconds.

437
MCQmedium

Given the following Ansible playbook snippet:

    ---
    - name: Configure interface
      hosts: routers
      gather_facts: no
      tasks:
        - name: Set IP address
          ios_config:
            lines:
              - ip address 192.168.1.1 255.255.255.0
              - no shutdown
            parents: interface GigabitEthernet0/1

What is the effect of this playbook?

A.It configures IP address 192.168.1.1/24 on interface GigabitEthernet0/1 and enables it.
B.It configures the IP address globally, not under the interface.
C.It only configures the IP address; no shutdown is ignored because it is not a valid command.
D.It fails because 'parents' cannot be used with 'lines' in ios_config.
AnswerA

Correct. The lines are applied under the specified interface, setting the IP and no shutdown.

Why this answer

The playbook uses the ios_config module to push configuration lines to a Cisco IOS device. The 'parents' parameter specifies the parent configuration mode (interface GigabitEthernet0/1), so the lines are applied under that interface. The lines configure an IP address and enable the interface.

438
Matchingmedium

Drag and drop each OSPF network type on the left to its matching DR election behavior on the right.

Elects a DR/BDR; uses multicast Hellos (224.0.0.5 and 224.0.0.6)

Elects a DR/BDR; requires manual neighbor configuration

No DR/BDR election; uses multicast Hellos (224.0.0.5)

No DR/BDR election; treats each neighbor as a point-to-point link

No DR/BDR election; requires manual neighbor configuration

Why these pairings

Broadcast network type (e.g., Ethernet) elects a DR/BDR. Non-broadcast (NBMA) also elects DR/BDR but requires manual neighbor configuration. Point-to-point does not elect a DR/BDR.

Point-to-multipoint does not elect a DR/BDR. Point-to-multipoint non-broadcast does not elect a DR/BDR and requires manual neighbor configuration.

439
Matchingmedium

Drag and drop each STP port role on the left to its matching definition on the right.

Best path to the root bridge

Best path for a given segment

Alternate path to the root bridge

Redundant path to the same segment

Why these pairings

Root port is the best path to the root bridge; Designated port is the best path for a segment; Alternate port provides an alternative path to the root; Backup port provides a redundant path to the same segment.

440
Matchingmedium

Drag and drop each SNMP version on the left to its matching security feature on the right.

Uses community strings for authentication only

Uses community strings with improved error handling

Provides encryption, authentication, and message integrity

Authenticates but does not encrypt payload

Authenticates and encrypts payload

Why these pairings

SNMPv1 and v2c use community strings for authentication, while SNMPv3 provides encryption, authentication, and message integrity.

441
MCQmedium

A network engineer is configuring EIGRP on a router that connects to multiple remote sites via Frame Relay. The engineer wants to ensure that EIGRP does not form adjacencies over the Frame Relay interfaces to reduce overhead, but still wants to advertise the connected networks. The engineer applies the 'passive-interface' command to the Frame Relay interfaces. However, the remote sites stop receiving the routes. What is the most likely reason?

A.The 'passive-interface' command also prevents EIGRP from sending routing updates on that interface.
B.The 'passive-interface' command only affects hello packets, not updates, but the remote sites are not configured correctly.
C.The engineer should use the 'neighbor' command under the EIGRP process to specify the remote routers.
D.The remote sites are using a different EIGRP autonomous system number.
AnswerA

Correct. The passive-interface command suppresses both hello packets and routing updates. Therefore, the remote sites do not receive the routes.

Why this answer

The 'passive-interface' command in EIGRP prevents both hello and routing updates from being sent on the specified interface. Since EIGRP relies on hello packets to form and maintain neighbor adjacencies, applying this command to the Frame Relay interfaces stops adjacency formation. Without an adjacency, no routes are exchanged, so the remote sites stop receiving the advertised networks.

Exam trap

Cisco often tests the misconception that 'passive-interface' only affects routing updates but not hello packets, leading candidates to think adjacencies can still form and routes can be received.

How to eliminate wrong answers

Option A is correct because the 'passive-interface' command suppresses both hello and routing updates, breaking adjacency. Option B is wrong because the 'passive-interface' command does affect updates, not just hello packets; it suppresses all EIGRP traffic on the interface, including updates. Option C is wrong because the 'neighbor' command is used for EIGRP over non-broadcast multi-access (NBMA) networks like Frame Relay to define static neighbors, but it does not override the 'passive-interface' command; the interface would still be passive and no packets would be sent.

Option D is wrong because if the remote sites used a different autonomous system number, they would never form adjacencies regardless of the passive-interface command; the question states they were receiving routes before the change, so the AS numbers must match.

442
MCQmedium

Consider this AAA configuration:

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa accounting exec default stop-only group tacacs+
    tacacs-server host 10.0.0.1 key SecretKey
    tacacs-server host 10.0.0.2 key SecretKey

What is the effect of the accounting command?

A.Accounting records are sent to TACACS+ only when the exec session ends.
B.Accounting records are sent to TACACS+ at both session start and end.
C.Accounting records are sent to TACACS+ only at session start.
D.Accounting is disabled because the command uses 'stop-only' incorrectly.
AnswerA

Correct. 'stop-only' means only a stop record is sent at session termination.

Why this answer

The 'aaa accounting exec default stop-only group tacacs+' command sends accounting records only when an exec session ends (stop), not at the start. This reduces traffic but provides less detailed accounting.

443
Multi-Selecthard

Which TWO statements are true about RESTCONF and NETCONF in a Cisco IOS XE environment? (Choose two.)

Select 2 answers
A.RESTCONF uses HTTP methods (GET, POST, PUT, DELETE) and supports JSON and XML encoding.
B.RESTCONF supports the candidate datastore for editing configurations.
C.NETCONF uses HTTP as its transport protocol.
D.RESTCONF and NETCONF both support JSON and XML encoding.
E.NETCONF uses XML-encoded RPCs over a secure SSH session.
AnswersA, E

RESTCONF indeed uses HTTP methods and supports JSON and XML.

Why this answer

Option A is correct because RESTCONF is designed to use standard HTTP methods (GET, POST, PUT, DELETE, PATCH) for CRUD operations on YANG-defined data, and it supports both JSON and XML encoding formats. This aligns with its goal of providing a simpler, web-friendly interface compared to NETCONF.

Exam trap

Cisco often tests the misconception that both protocols support JSON and XML equally, or that NETCONF uses HTTP, leading candidates to select option D or C incorrectly.

444
Multi-Selecthard

Which three statements about RADIUS and TACACS+ are true? (Choose three.)

Select 3 answers
A.TACACS+ encrypts the entire packet body, whereas RADIUS only encrypts the password.
B.RADIUS uses TCP for reliable transport, while TACACS+ uses UDP.
C.RADIUS combines authentication and authorization in one packet, whereas TACACS+ separates them.
D.TACACS+ encrypts only the password in the packet, similar to RADIUS.
E.RADIUS uses UDP as its transport protocol, while TACACS+ uses TCP.
AnswersA, C, E

Correct because TACACS+ encrypts the entire payload, while RADIUS only encrypts the password attribute.

Why this answer

The correct answers contrast the two protocols. Option A is correct because TACACS+ encrypts the entire packet body, while RADIUS only encrypts the password. Option C is correct because RADIUS combines authentication and authorization, while TACACS+ separates them.

Option E is correct because RADIUS uses UDP (typically port 1812/1813), while TACACS+ uses TCP (port 49). Option B is wrong because RADIUS uses UDP, not TCP. Option D is wrong because TACACS+ encrypts the entire packet body, not just the password.

445
MCQhard

A company is implementing QoS in a campus network. Voice traffic must be prioritized over data traffic, and all traffic should be marked at Layer 2 and Layer 3. Which combination of marking values should be used on access ports to achieve this?

A.CoS 5, DSCP AF41
B.CoS 5, DSCP CS3
C.CoS 5, DSCP EF
D.CoS 4, DSCP EF
AnswerC

CoS 5 and DSCP EF are the standard marks for voice.

Why this answer

Option C is correct because voice traffic requires strict priority queuing, which is achieved by marking with CoS 5 at Layer 2 and DSCP EF (46) at Layer 3. CoS 5 maps to the priority queue in Cisco switches, and DSCP EF is the standard per-hop behavior for Expedited Forwarding (RFC 3246), ensuring low latency and jitter for voice. Access ports must trust these markings to prioritize voice over data traffic.

Exam trap

The trap here is that candidates confuse CoS 5 with DSCP EF for voice but may pick CoS 4 (used for video) or DSCP AF41 (used for premium data), failing to recognize that voice requires both strict priority marking (CoS 5) and the Expedited Forwarding PHB (DSCP EF) to guarantee low-latency treatment.

How to eliminate wrong answers

Option A is wrong because DSCP AF41 (Assured Forwarding 4, low drop) is designed for premium data traffic, not real-time voice; it does not provide strict priority queuing and can be subject to congestion management. Option B is wrong because DSCP CS3 (Class Selector 3) is typically used for broadcast video or signaling, not voice; it lacks the strict priority treatment required for real-time audio. Option D is wrong because CoS 4 is used for video conferencing (e.g., CoS 4, DSCP AF41) or streaming video, not voice; voice requires CoS 5 to map to the priority queue, and using CoS 4 would place voice in a lower-priority queue.

446
MCQeasy

What is the default trust state of a Cisco IOS switch port when no 'mls qos trust' command is configured?

A.The port trusts the CoS value of incoming packets.
B.The port trusts the DSCP value of incoming packets.
C.The port is untrusted and marks all incoming packets with CoS 0.
D.The port trusts both CoS and DSCP values.
AnswerC

Correct. By default, the port is untrusted and packets are marked with CoS 0.

Why this answer

By default, Cisco switches do not trust any QoS markings on incoming packets; they are set to the default CoS/DSCP value of 0 unless a trust policy is applied.

447
MCQmedium

Given the following configuration:

    ip access-list extended FILTER
     permit tcp any host 10.1.1.1 eq 22
     permit icmp any any echo-reply
    !
    interface GigabitEthernet0/4
     ip access-group FILTER in

What traffic is permitted?

A.Only SSH traffic to 10.1.1.1 is permitted.
B.SSH to 10.1.1.1 and ICMP Echo Reply are permitted.
C.All ICMP traffic is permitted.
D.Only traffic from host 10.1.1.1 is permitted.
AnswerB

Both permit statements are valid and allow the specified traffic.

Why this answer

The ACL permits TCP traffic to host 10.1.1.1 on port 22 (SSH) and ICMP Echo Reply messages from any source.

448
Drag & Dropmedium

Drag and drop the steps of STP root guard and loop guard activation into the correct order, from first to last.

Why this order

Root guard is configured on a port to prevent it from becoming a root port. Loop guard is used to prevent alternate ports from transitioning to forwarding when BPDUs are lost. Both are applied at the interface level.

Root guard is configured first, then loop guard. Verification confirms the port state and protection status.

449
MCQhard

A network engineer is configuring a DMVPN Phase 3 deployment with EIGRP as the routing protocol. The hub router has multiple spoke routers behind a single physical interface. The engineer notices that spoke-to-spoke traffic is being forwarded through the hub instead of directly. The spoke routers have the correct NHRP and mGRE configuration. What is the most likely cause of this issue?

A.The hub router is configured with 'no ip next-hop-self eigrp' under the tunnel interface.
B.The hub router is configured with 'ip next-hop-self eigrp' under the tunnel interface.
C.The spoke routers have 'ip nhrp shortcut' configured but the hub does not have 'ip nhrp redirect'.
D.The spoke routers are using static NHRP mappings to the hub only, without dynamic NHRP registration.
AnswerB

Correct. With next-hop-self enabled, the hub advertises routes with its own IP as the next hop, preventing spokes from learning the remote spoke's tunnel IP and thus no direct tunnel is built.

Why this answer

In DMVPN Phase 3, spoke-to-spoke tunnels require NHRP redirect and routing protocol next-hop-self behavior to be disabled on the hub so that spokes learn the remote spoke's next-hop IP and install a direct NHRP shortcut. If the hub still sets next-hop-self in EIGRP updates, spokes will see the hub as the next hop and forward traffic through it.

450
MCQeasy

What is the default STP hello timer value in seconds?

A.1 second
B.2 seconds
C.5 seconds
D.10 seconds
AnswerB

Default hello timer is 2 seconds.

Why this answer

The default hello timer in STP is 2 seconds, used to send BPDUs on the root bridge.
