ENCOR 350-401 (350-401) — Questions 601–675

2015 questions total · 27 pages · All types, answers revealed

Page 9 of 27
601
MCQ · medium

Given the following Ansible playbook snippet:

    ---
    - name: Configure OSPF
      hosts: routers
      gather_facts: no
      tasks:
        - name: OSPF config
          ios_config:
            lines:
              - router ospf 1
              - network 10.0.0.0 0.255.255.255 area 0
            parents: router ospf 1

What is wrong with this playbook?

A. The 'parents' parameter should not be used with 'router ospf 1' in lines; it causes a configuration error.
B. The network statement uses a wildcard mask instead of subnet mask, which is incorrect.
C. The OSPF process ID must be 1, but it can be any number.
D. There is no error; the playbook works correctly.
Answer: A

Correct. The 'parents' parameter already enters the OSPF router configuration mode, so the 'router ospf 1' entry inside 'lines' is redundant and causes an error.

Why this answer

The playbook attempts to enter OSPF router configuration mode by using 'parents: router ospf 1', but the 'lines' also include 'router ospf 1' which would try to enter the mode again from within the mode, causing an error. The correct approach is to either use 'parents' or include the router command in 'lines', but not both.

602
MCQ · medium

Given the following configuration:

    aaa new-model
    aaa authentication login default group radius local
    aaa authorization exec default group radius local
    aaa accounting exec default start-stop group radius
    radius-server host 192.168.1.100 key Cisco123
    radius-server host 192.168.1.101 key Cisco123

Which statement is true about this configuration?

A. If the first RADIUS server (192.168.1.100) is unreachable, the second server (192.168.1.101) is tried before falling back to local.
B. The RADIUS servers are used for authentication only, not for authorization or accounting.
C. Local authentication is always attempted first, then RADIUS.
D. The RADIUS key is optional; if omitted, the router uses an empty key.
Answer: A

Correct. RADIUS servers are tried in the order configured; if all RADIUS servers fail, the fallback method (local) is used.

Why this answer

The configuration uses RADIUS as the primary method for authentication, authorization, and accounting, with local as fallback. The RADIUS servers are defined with a shared secret key. The 'aaa new-model' enables AAA globally.

603
Multi-Select · easy

Which TWO are benefits of using a spine-leaf architecture in a data center? (Choose two.)

Select 2 answers
A. Predictable latency between any two devices
B. Increased number of single points of failure
C. Increased broadcast domain size
D. Reduced need for VLANs
E. Higher bandwidth utilization through multiple equal-cost paths
Answers: A, E

Traffic always traverses one spine hop, resulting in consistent latency.

Why this answer

A is correct because spine-leaf architecture ensures that every leaf switch is connected to every spine switch, creating a full-mesh topology. This design guarantees that traffic between any two leaf switches traverses at most one spine hop, resulting in predictable, consistent latency regardless of which devices are communicating.

Exam trap

Cisco often tests the misconception that spine-leaf eliminates VLANs or reduces broadcast domains, but the architecture actually uses Layer 3 routing to contain broadcast domains while still requiring VLANs for Layer 2 segmentation at the leaf level.

604
MCQ · medium

A network engineer runs the following command on a Cisco WLC:

    WLC# show ap rf-profile summary
    RF-Profile Name: default-rf-profile
    Description: Default RF Profile
    Band: 5 GHz
    Channel Width: 20/40/80 MHz
    Data Rates: 6,9,12,18,24,36,48,54 Mbps
    Power Level: 1 (max)

    RF-Profile Name: high-density
    Description: High Density RF Profile
    Band: 5 GHz
    Channel Width: 20 MHz
    Data Rates: 12,18,24,36,48,54 Mbps
    Power Level: 3

Based on this output, what can be concluded?

A. The high-density profile is designed to support more clients by using narrower channels and lower power.
B. The default profile uses only 20 MHz channels.
C. The high-density profile disables all data rates below 12 Mbps.
D. The default profile is used for 2.4 GHz band.
Answer: A

Narrower channels (20 MHz) and lower power reduce co-channel interference, which is beneficial in high-density environments.

Why this answer

The output shows two RF profiles. The default profile uses wider channel widths (up to 80 MHz) and higher power, while the high-density profile uses only 20 MHz channels and lower power to reduce interference and support more clients.

605
Drag & Drop · medium

Drag and drop the steps of the WPA3 client authentication process into the correct order, from first to last.

Why this order

WPA3 uses Simultaneous Authentication of Equals (SAE) handshake. The client first sends an SAE commit to the AP, the AP responds with its own SAE commit, then both compute a shared key. Next, the client sends an SAE confirm message, and finally the AP sends its SAE confirm to complete authentication.

606
Drag & Drop · medium

Drag and drop the steps of the WPA3 client authentication process into the correct order, from first to last.

Why this order

WPA3 uses the SAE (Simultaneous Authentication of Equals) handshake. First, the AP announces WPA3 capability in beacons. The client then initiates the SAE commit exchange, followed by the SAE confirm exchange.

After SAE completes, the 4-Way Handshake occurs, and finally the group key is installed.

607
Drag & Drop · medium

Drag and drop the steps to configure a static route on a Cisco IOS router into the correct order.

Why this order

Static routes require global config mode and must specify the destination network, subnet mask, and next-hop address or exit interface.

608
Multi-Select · hard

Which THREE are common causes of high CPU utilization on a Cisco Catalyst switch? (Choose three.)

Select 3 answers
A. Broadcast storms
B. Excessive hardware switching of packets
C. Low memory conditions
D. Frequent STP topology changes
E. ACL logging with 'log' keyword
Answers: A, D, E

Option A is correct because broadcast storms flood the CPU with interrupts.

Why this answer

A broadcast storm occurs when excessive broadcast traffic overwhelms the switch CPU, as each broadcast frame must be processed by the CPU to determine forwarding decisions. This consumes CPU cycles, especially when the storm exceeds the switch's hardware forwarding capacity, leading to high CPU utilization.

Exam trap

Cisco often tests the distinction between control plane (CPU-processed) and data plane (ASIC-switched) traffic; the trap here is assuming hardware switching tasks consume CPU cycles, when in fact they are offloaded to dedicated hardware.

609
Drag & Drop · medium

Drag and drop the steps of MST region configuration and operation into the correct order, from first to last.

Why this order

MST configuration begins with entering MST mode and defining the region name, revision number, and VLAN-to-instance mapping. After configuration, the switch computes an MD5 digest of the MST configuration to identify region membership. Switches in the same region then run IST (Internal Spanning Tree) and CIST (Common and Internal Spanning Tree) to elect a root bridge for the region.

Finally, per-instance spanning trees are calculated within the region.

610
MCQ · medium

An engineer is troubleshooting a syslog issue on a Cisco switch. The switch is configured with 'logging host 10.1.1.1' and 'logging trap informational'. The syslog server at 10.1.1.1 receives messages from other devices but not from this switch. The engineer can ping 10.1.1.1 from the switch. What is the most likely cause?

A. The syslog server is configured to accept messages only from a specific source IP address.
B. The switch's logging process is disabled by default and must be enabled with 'logging on'.
C. The 'logging trap informational' command is incorrect; it should be 'logging trap 6'.
D. The switch uses UDP port 514, but the server listens on TCP port 514.
Answer: B

Correct because 'logging on' is required to start the syslog logging process; without it, no messages are sent even if hosts are configured.

Why this answer

The switch can reach the server, but syslog messages are not being sent. The most common cause is that the logging process is not enabled globally, or the source interface is not set, causing the server to drop messages due to source IP mismatch. However, the correct answer is that the logging facility is not configured, which is required for some syslog implementations.

611
Drag & Drop · medium

Drag and drop the steps of Control Plane Policing (CoPP) rate-limit evaluation into the correct order, from first to last.

Why this order

CoPP first classifies traffic using an access list, then matches it to a class map, then applies a policy map with a police action (rate-limit), activates the policy on the control plane, and finally the hardware performs policing.

612
Drag & Drop · medium

Drag and drop the sFlow agent sampling and forwarding steps into the correct order, from first to last.

Why this order

sFlow begins with the agent sampling packets at a configured rate, then extracts header and counter information, encapsulates the sample into an sFlow datagram, sends the datagram to the collector via UDP, and finally the collector analyzes the samples for monitoring.

613
Matching · medium

Drag and drop each flow record field on the left to its matching category (key or non-key) on the right.

Matches

Key field

Key field

Key field

Non-key field

Non-key field

Why these pairings

Key fields define the flow identity (e.g., IP addresses, ports, protocol). Non-key fields provide additional information about the flow (e.g., packet counts, timestamps, TCP flags).

614
MCQ · medium

Router R6 has the following OSPF configuration:

    router ospf 1
     router-id 6.6.6.6
     network 192.168.0.0 0.0.255.255 area 0
     passive-interface default
     no passive-interface GigabitEthernet0/0
    !
    interface GigabitEthernet0/0
     ip address 192.168.1.6 255.255.255.0
     ip ospf 1 area 0

What is the effect of the 'passive-interface default' command?

A. All OSPF interfaces become passive, including GigabitEthernet0/0.
B. Only GigabitEthernet0/0 is active; all other OSPF interfaces are passive.
C. OSPF adjacencies are formed on all interfaces.
D. The 'passive-interface default' command is ignored because the 'network' command is used.
Answer: B

The default passive setting applies to all interfaces except those explicitly set to 'no passive-interface'.

Why this answer

The 'passive-interface default' command sets all OSPF interfaces to passive by default, meaning they will not send or receive OSPF hello packets and thus cannot form adjacencies. The subsequent 'no passive-interface GigabitEthernet0/0' overrides this for that specific interface, making it the only active OSPF interface. This matches option B.

Exam trap

Cisco often tests the interaction between 'passive-interface default' and 'no passive-interface' to see if candidates understand that the default command applies to all interfaces and must be explicitly overridden per interface, rather than assuming the 'network' command alone controls adjacency formation.

How to eliminate wrong answers

Option A is wrong because the 'no passive-interface GigabitEthernet0/0' command explicitly overrides the default passive setting for that interface, so not all interfaces become passive. Option C is wrong because OSPF adjacencies are only formed on interfaces that are not passive; with 'passive-interface default', only GigabitEthernet0/0 is active, so adjacencies form only on that interface. Option D is wrong because the 'passive-interface default' command is not ignored; it works in conjunction with the 'network' command, which defines which interfaces participate in OSPF, but the passive setting controls whether hellos are sent and adjacencies are formed on those interfaces.

615
Multi-Select · medium

Which two statements about Cisco DNA Center automation workflows are true? (Choose two.)

Select 2 answers
A. Cisco DNA Center supports Plug and Play (PnP) for zero-touch device onboarding.
B. Cisco DNA Center uses template-based provisioning to apply consistent configurations across devices.
C. Cisco DNA Center only supports GUI-based configuration; CLI access is not available.
D. Cisco DNA Center automates configuration of all network devices, including third-party switches.
E. Cisco DNA Center uses SNMP to push configuration changes to devices.
Answers: A, B

Correct because PnP is a built-in feature of DNA Center that automates the initial deployment of new devices without manual intervention.

Why this answer

Cisco DNA Center uses intent-based APIs and templates to automate network provisioning. The correct answers highlight key automation capabilities: PnP for zero-touch deployment and template-based provisioning for consistent configuration. The incorrect options misrepresent the GUI-only nature (CLI is also available via templates), the role of Assurance (monitoring, not configuration), the scope of SD-Access (fabric, not all devices), and the integration method (REST APIs, not SNMP).

616
Multi-Select · medium

Which three statements about NAT traversal and translation are true? (Choose three.)

Select 3 answers
A. IPsec NAT traversal uses UDP encapsulation on port 4500 to allow ESP traffic to pass through a NAT device.
B. The ip nat outside source command translates the source IP address of packets arriving on the outside interface.
C. NAT can translate both source and destination IP addresses in the same packet for different translation rules.
D. NAT automatically translates IP addresses embedded in application-layer payloads such as FTP or SIP.
E. The ip nat inside destination command translates the destination MAC address of packets entering the inside interface.
Answers: A, B, C

Correct because NAT-T encapsulates ESP in UDP port 4500 to avoid issues with NAT modifying the IP header.

Why this answer

NAT traversal for IPsec uses UDP encapsulation (4500) to allow ESP through NAT devices. NAT can translate both source and destination addresses simultaneously in different scenarios. The ip nat outside source command translates source addresses of packets entering the outside interface.

NAT can cause issues with applications that embed IP addresses in payload (e.g., FTP, SIP). NAT does not translate MAC addresses, only IP and port information. The ip nat inside destination command translates destination addresses of packets entering the inside interface.

617
MCQ · medium

Consider the following configuration:

    router bgp 65000
     bgp router-id 192.168.0.1
     neighbor 10.0.0.2 remote-as 65001
     neighbor 10.0.0.2 ebgp-multihop 2
     neighbor 10.0.0.2 update-source Loopback0
    !
    interface Loopback0
     ip address 192.168.0.1 255.255.255.255

What is missing for this BGP session to establish?

A. A route to reach 10.0.0.2 is missing; the neighbor must be reachable via the routing table.
B. The ebgp-multihop value should be 1 for a directly connected neighbor.
C. The remote-as must be the same as the local AS for EBGP.
D. The router-id must be the same as the update-source interface IP.
Answer: A

BGP requires TCP connectivity; without a route to the neighbor's IP, the session cannot form.

Why this answer

Option A is correct because for an eBGP session to establish, the neighbor IP address (10.0.0.2) must be reachable via the routing table. The configuration uses `ebgp-multihop 2` and an update-source of Loopback0, but there is no route (static or dynamic) to reach 10.0.0.2, so the TCP connection cannot be initiated. Without reachability, BGP will remain in the Idle state.

Exam trap

Cisco often tests the misconception that ebgp-multihop alone ensures connectivity, but the trap here is that candidates forget BGP requires IP reachability in the routing table for the neighbor address, not just a configured multihop value.

How to eliminate wrong answers

Option B is wrong because ebgp-multihop 2 is correctly used when the neighbor is not directly connected (e.g., using loopback interfaces); setting it to 1 would assume a directly connected interface, which is not the case here. Option C is wrong because for eBGP, the remote-as must be different from the local AS (65000 vs 65001), so stating it must be the same is incorrect. Option D is wrong because the router-id does not need to match the update-source interface IP; the router-id is used for BGP identifier purposes and can be any unique IP, while the update-source specifies which interface's IP to use for the TCP connection.

618
Drag & Drop · medium

Drag and drop the steps of the Netmiko multi-threaded device polling workflow into the correct order, from first to last.

Why this order

The workflow begins by importing required modules (threading and Netmiko), defining a function for device connection and command execution, creating a list of devices, then using threading.Thread to spawn threads for each device, and finally joining threads to wait for completion.

619
Drag & Drop · medium

Drag and drop the Ansible Tower (AWX) job template execution steps into the correct order, from first to last.

Why this order

In Ansible Tower/AWX, a job template execution starts with creating the template, launching it, which triggers inventory and credential resolution, then the playbook runs, and finally the job output is displayed for review.

620
Drag & Drop · medium

Drag and drop the steps of syslog message generation and storage into the correct order, from first to last.

Why this order

A process or kernel generates a syslog message with a facility and severity, the syslogd daemon compares the severity to the configured logging level, then writes the message to the local buffer, optionally forwards it to a remote syslog server, and finally the message is stored or displayed.

621
Drag & Drop · medium

Drag and drop the steps of MPLS L2VPN (AToM) pseudowire setup into the correct order, from first to last.

Why this order

AToM pseudowire setup starts with configuring the attachment circuit on both PE routers. Then a pseudowire class is defined, specifying encapsulation and control word. The VC label is signaled via LDP, and the pseudowire is bound to the attachment circuit.

Finally, the pseudowire becomes operational and forwards L2 frames.

622
Drag & Drop · hard

Drag and drop the steps of DMVPN phase 2 spoke-to-spoke tunnel establishment into the correct order, from first to last.

Why this order

In DMVPN phase 2, each spoke first registers with the hub via mGRE and NHRP. When a spoke wants to reach another spoke, it sends an NHRP Resolution Request to the hub. The hub forwards the request to the destination spoke, which replies with its real (non-NBMA) address.

The source spoke then initiates a direct mGRE tunnel to the destination spoke, and finally the spokes exchange routing information over the direct tunnel.

623
MCQ · medium

A network engineer is designing an EIGRP network with multiple routers. The network has a core layer where all routers are fully meshed. The engineer wants to ensure that if a link fails, EIGRP converges quickly without relying on route redistribution or static routes. The engineer configures EIGRP with default timers. However, during a failure simulation, convergence takes over 15 seconds. What is the most likely reason?

A. EIGRP is using passive interfaces on the core routers, preventing rapid updates.
B. The failed link was the only feasible successor for the affected routes, causing EIGRP to go into active state and query neighbors.
C. EIGRP hold timers are set to 180 seconds by default, causing slow detection.
D. The engineer configured 'eigrp stub' on the core routers, which prevents query propagation.
Answer: B

Correct. When the only feasible successor fails, EIGRP transitions to active state and sends queries to all neighbors. The time to receive all replies can exceed 15 seconds, especially in large networks.

Why this answer

When the only feasible successor (FS) for a route fails, EIGRP cannot perform a local recomputation and must transition the route to the active state. It then sends query packets to all neighbors to find an alternative path, which introduces significant delay due to the need to wait for replies from every neighbor in a fully meshed core. With default timers, this query/reply process can easily exceed 15 seconds, especially if any neighbor is slow to respond.

Exam trap

Cisco often tests the misconception that EIGRP convergence is always fast due to its DUAL algorithm, but the trap here is that without a feasible successor, the active query process can cause significant delays, especially in a fully meshed network.

How to eliminate wrong answers

Option A is wrong because passive interfaces suppress the sending of EIGRP hellos and updates, which would prevent neighbor formation entirely, not just slow convergence; the scenario implies neighbors are established. Option C is wrong because the default EIGRP hold timer is 15 seconds (not 180 seconds), and even if it were longer, the failure detection delay alone would not account for a 15-second convergence time when the primary issue is query propagation. Option D is wrong because configuring 'eigrp stub' on core routers would actually speed convergence by preventing query propagation, not slow it; stubs do not propagate queries, so they reduce the active-state delay.

624
Matching · hard

Drag and drop each Ansible variable precedence level on the left to its matching scope on the right.

Matches

Highest precedence, passed via --extra-vars on command line

Lowest precedence, defined in defaults/main.yml of a role

Variables specific to a single host, defined in host_vars/

Variables applied to all hosts in a group, defined in group_vars/

Variables defined in the vars: section of a play

Why these pairings

Extra-vars override all others, role defaults have lowest precedence, host vars apply per host, group vars apply per group, and play vars apply to the entire play.

625
MCQ · medium

A network engineer runs the following command on Switch SW1:

    SW1# show etherchannel summary
    Flags:  D - down        P - bundled in port-channel
            I - stand-alone s - suspended
            H - Hot-standby (LACP only)
            R - Layer3      S - Layer2
            U - in use      N - not in use, no aggregation
            f - failed to allocate aggregator
            M - not in use, minimum links not met
            u - unsuitable for bundling
            w - waiting to be aggregated
            d - default port

    Number of channel-groups in use: 1
    Number of aggregators:           1

    Group  Port-channel  Protocol    Ports
    ------+-------------+-----------+--------------------------------------------
    1      Po1(SU)         LACP      Gi0/1(P)    Gi0/2(P)    Gi0/3(D)

Based on this output, what can be concluded?

A. The EtherChannel is using PAgP.
B. Port Gi0/3 is bundled in the channel.
C. The port-channel is a Layer 3 interface.
D. The EtherChannel has two active member links.
Answer: D

Gi0/1 and Gi0/2 are marked P (bundled), so two links are active.

Why this answer

The output shows that Gi0/1 and Gi0/2 have a flag of 'P' (bundled in port-channel), while Gi0/3 has a flag of 'D' (down). Therefore, only two ports are actively bundled, making option D correct. The 'SU' flags on Po1 indicate the port-channel is Layer 2 (S) and in use (U), not Layer 3.

Exam trap

Cisco often tests the interpretation of the 'show etherchannel summary' flags, where candidates mistakenly assume a port listed in the output is active, ignoring the specific flag character (e.g., 'D' vs 'P').

How to eliminate wrong answers

Option A is wrong because the protocol column explicitly shows 'LACP', not PAgP. Option B is wrong because Gi0/3 has a flag of 'D' (down), not 'P' (bundled), meaning it is not part of the active bundle. Option C is wrong because the 'S' in 'Po1(SU)' indicates Layer 2, not Layer 3 (which would be 'R').

626
MCQ · easy

A REST API call is made to Cisco DNA Center to get the list of network devices:

    GET /dna/intent/api/v1/network-device
    Headers:
      X-Auth-Token: <token>

The response is:

    {
      "response": [
        {
          "id": "123456",
          "managementIpAddress": "10.10.10.1",
          "platformId": "C9300-24P",
          "role": "ACCESS"
        }
      ],
      "version": "1.0"
    }

What does this response indicate?

A. The response contains a single device with management IP 10.10.10.1 and role ACCESS.
B. The response indicates an error because the 'version' field is missing a value.
C. The response contains multiple devices, but only one is shown due to pagination.
D. The response requires authentication because the token is missing.
Answer: A

The JSON array has one element with the given fields.

Why this answer

The response shows a list of devices; each device has an id, management IP, platform ID, and role. The correct answer correctly interprets the JSON structure.

627
Drag & Drop · medium

Drag and drop the steps of a NETCONF/YANG-based device monitoring subscription into the correct order, from first to last.

Why this order

First establish a NETCONF session, then subscribe to the YANG data, then receive periodic updates, and finally unsubscribe.

628
MCQ · hard

A company is deploying a new wireless network in a large warehouse. The network engineer must choose between using a centralized WLC architecture (with CAPWAP tunnels) or a converged access (SD-Access) wireless architecture. The warehouse has high-density client areas and requires low latency for real-time applications like voice and video. Which architecture should the engineer choose and why?

A. Centralized WLC architecture, because it provides better RF management and security.
B. Converged access (SD-Access) wireless, because it allows local switching of traffic at the access layer, reducing latency.
C. Centralized WLC architecture, because it requires fewer access points to cover the warehouse.
D. Converged access (SD-Access) wireless, because it requires fewer WLCs to manage the network.
Answer: B

Correct because SD-Access wireless enables local switching, which minimizes latency for real-time traffic by avoiding backhaul to a central WLC.

Why this answer

The correct answer is converged access (SD-Access) because it enables local switching of traffic at the access layer, reducing latency and improving performance for real-time applications. Centralized CAPWAP tunnels would force all traffic back to the WLC, increasing latency. The other options are incorrect because centralized architecture does not inherently provide better RF management, and SD-Access does not require more APs or more WLCs.

629
MCQ · medium

Consider the following configuration on a Cisco IOS-XE switch:

    interface GigabitEthernet1/0/1
     switchport mode access
     authentication port-control auto
     dot1x pae authenticator
     dot1x timeout tx-period 5
     spanning-tree portfast

What is the effect of this configuration?

A. The port will immediately transition to forwarding state and then wait for authentication.
B. The switch will act as an 802.1X authenticator and the port will be unauthorized until a successful authentication.
C. The port will be placed in a VLAN assigned by the RADIUS server after authentication.
D. The switch will act as a supplicant and respond to EAP requests from an upstream authenticator.
Answer: B

The 'dot1x pae authenticator' sets the switch as authenticator, and 'authentication port-control auto' means the port is unauthorized until authentication succeeds.

Why this answer

This configuration enables 802.1X authentication on the interface with the authenticator role, sets the transmit period to 5 seconds, and enables PortFast to avoid STP delays. The 'authentication port-control auto' command puts the port in unauthorized state until authentication succeeds.

630
MCQ · medium

    interface GigabitEthernet0/0
     ip address 192.168.1.1 255.255.255.0
     ip ospf network broadcast
     ip ospf priority 0
    !
    router ospf 1
     network 192.168.1.0 0.0.0.255 area 0

What is the effect of setting the OSPF priority to 0 on this interface?

A. The router will never become the DR or BDR on this segment.
B. The router will have a higher chance of becoming the DR.
C. The router will only form adjacencies with other routers that have priority 0.
D. The router will use a longer hello interval.
Answer: A

Correct. A priority of 0 means the router is ineligible for DR/BDR election.

Why this answer

Setting the OSPF priority to 0 on a broadcast network prevents the router from becoming the Designated Router (DR) or Backup Designated Router (BDR). It will never participate in the DR/BDR election and will only form full adjacencies with the DR and BDR.

631
Matching · medium

Drag and drop each WAN technology on the left to its matching layer on the right.

Matches

Layer 2.5

Layer 2

Layer 3 and above

Layer 3

Layer 3

Why these pairings

MPLS operates at Layer 2.5 (shim header between Layer 2 and Layer 3). Metro Ethernet is a Layer 2 technology. SD-WAN abstracts the underlay and operates at Layer 3 and above.

DMVPN is a Layer 3 VPN overlay.

632
MCQ · easy

A network engineer is planning to use Cisco DNA Center to automate the deployment of a new branch office. The engineer has already discovered the devices and added them to Inventory. The engineer wants to use a template to configure the devices consistently. Which tool in DNA Center should the engineer use to create and apply the template?

A. Use the 'Template Editor' to create a CLI template and apply it during provisioning.
B. Use the 'Policy Editor' to create a policy-based configuration.
C. Use the 'Command Runner' to execute commands on multiple devices.
D. Use the 'Network Profiles' to define the configuration.
Answer: A

Correct because Template Editor is designed for creating and applying configuration templates in DNA Center.

Why this answer

Cisco DNA Center includes a feature called 'Template Editor' (or 'Network Templates') that allows engineers to create CLI templates for device configuration. These templates can be parameterized and applied to devices during provisioning, ensuring consistent configuration across the branch.

633
MCQ · medium

Examine the following configuration:

    interface Port-channel1
     switchport mode trunk
    !
    interface GigabitEthernet0/1
     switchport mode trunk
     channel-group 1 mode active
     spanning-tree portfast
    !
    interface GigabitEthernet0/2
     switchport mode trunk
     channel-group 1 mode active
     spanning-tree portfast

What is the effect of the 'spanning-tree portfast' command on the member interfaces of this EtherChannel?

A. The PortFast will be applied to the EtherChannel, causing it to immediately transition to forwarding.
B. The PortFast on the member interfaces will be ignored because they are part of an EtherChannel.
C. The PortFast will cause the EtherChannel to form faster.
D. The configuration will cause a spanning-tree loop because PortFast is used on trunk ports.
Answer: B

Correct. When interfaces are bundled into an EtherChannel, STP is handled at the port-channel level, and per-interface PortFast is overridden.

Why this answer

PortFast is used on access ports to move immediately to the forwarding state, bypassing the STP listening and learning states. On trunk ports, PortFast can cause loops if used incorrectly. Here the member interfaces are part of an EtherChannel, and PortFast is configured at the member-interface level.

The port-channel interface itself does not have PortFast. The PortFast on the member interfaces is ignored because the channel is a trunk and STP is controlled by the port-channel interface. The correct practice is to apply PortFast on the port-channel interface, not on the individual members.

634
Multi-Selectmedium

Which THREE of the following are valid considerations when planning a wireless network for high-density environments?

Select 3 answers
A.Use a channel reuse plan that minimizes co-channel interference.
B.Prefer the 5 GHz band over 2.4 GHz for client connectivity.
C.Lower AP transmit power to reduce cell size and increase capacity.
D.Increase AP transmit power to maximize coverage.
E.Enable 2.4 GHz band only to maximize range.
AnswersA, B, C

Proper channel planning is essential in high-density environments.

Why this answer

Option A is correct because a channel reuse plan that minimizes co-channel interference is essential in high-density environments to ensure that adjacent access points (APs) do not use the same or overlapping channels, which would degrade throughput. By carefully planning channel assignments (e.g., using non-overlapping channels in the 5 GHz band), you maximize spatial reuse and overall network capacity.

Exam trap

Cisco often tests the misconception that increasing AP transmit power always improves coverage and performance, when in fact, in high-density environments, lowering power and reducing cell size is the correct strategy to increase capacity and minimize interference.

635
MCQmedium

A network engineer runs the following command on Router R8:

    R8# show policy-map interface GigabitEthernet0/1
     GigabitEthernet0/1

      Service-policy output: QOS_POLICY

        Class-map: VOICE (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: ip dscp ef (46)
          Queueing
            strict priority
            queue limit 64 packets
            (queue depth/total drops/no-buffer drops) 0/0/0
            (pkts output/bytes output) 0/0
          police
            cir 1000000 bc 15625 be 15625
            conformed 0 packets, 0 bytes; actions: transmit
            exceeded 0 packets, 0 bytes; actions: drop
            violated 0 packets, 0 bytes; actions: drop

        Class-map: DATA (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: ip dscp af31 (26)
          Queueing
            (queue depth/total drops/no-buffer drops) 0/0/0
            (pkts output/bytes output) 0/0
            bandwidth remaining percent 50

        Class-map: class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
          Queueing
            (queue depth/total drops/no-buffer drops) 0/0/0
            (pkts output/bytes output) 0/0
            bandwidth remaining percent 50

Based on this output, what can be concluded?

A.Voice traffic is being prioritized but not policed.
B.The interface is not passing any traffic.
C.Data traffic is being dropped due to policing.
D.The policy-map is applied to input traffic.
AnswerB

All counters are zero, indicating no traffic has been forwarded.

Why this answer

All classes show zero packets, zero bytes, and zero rates. This indicates that no traffic has been processed through this interface. The policy-map is applied but no packets have been seen.

636
MCQmedium

A network engineer runs the following commands on Switch SW5:

    SW5# show running-config | section interface port-channel
    interface Port-channel1
     switchport mode trunk
     switchport trunk allowed vlan 1-100,200-300
    !
    interface Port-channel2
     switchport mode access
     switchport access vlan 10
    !
    SW5# show interfaces trunk

    Port        Mode         Encapsulation  Status        Native vlan
    Po1         on           802.1q         trunking      1

    Port        Vlans allowed on trunk
    Po1         1-100,200-300

    Port        Vlans allowed and active in management domain
    Po1         1-100,200-300

    Port        Vlans in spanning tree forwarding state and not pruned
    Po1         1-100,200-300

Based on this output, what can be concluded?

A.Port-channel2 is also trunking but not displayed due to a software bug.
B.Port-channel1 is trunking and allowed VLANs include VLANs 101-199.
C.Port-channel1 is operational as a trunk with the configured allowed VLANs.
D.The native VLAN on Po1 is VLAN 10.
AnswerC

The trunk output confirms the trunk is up and the allowed VLAN list matches.

Why this answer

The output shows that Port-channel1 is configured as a trunk with allowed VLANs 1-100 and 200-300. The 'show interfaces trunk' output confirms that Po1 is trunking and the allowed VLAN list matches. Port-channel2 is not shown in the trunk output, which is expected because it is an access port.

The correct answer is that Port-channel1 is operational as a trunk.

637
Multi-Selectmedium

Which two statements about DMVPN Phase 2 are true? (Choose two.)

Select 2 answers
A.Spokes can establish direct tunnels to each other without traversing the hub.
B.All traffic must pass through the hub router at all times.
C.NHRP is used to resolve the public IP addresses of spokes.
D.Phase 2 uses only point-to-point GRE tunnels on the hub.
E.Phase 2 does not support dynamic routing protocols between spokes.
AnswersA, C

Correct because Phase 2 enables spoke-to-spoke dynamic tunnels.

Why this answer

DMVPN Phase 2 allows spoke-to-spoke tunnels after initial hub registration, uses mGRE on spokes, and supports dynamic routing between spokes. NHRP is used for resolution.

638
Multi-Selecthard

Which three statements about IP SLA threshold monitoring and reaction configuration are true? (Choose three.)

Select 3 answers
A.The 'threshold' command sets the rising threshold that triggers a reaction when exceeded.
B.The 'reaction' configuration can specify an action such as 'connection-loss' to trigger when the probe fails to receive a response.
C.The IP SLA reaction can be used to update a tracking object, which can then influence policy-based routing or static route removal.
D.The 'reaction' command supports a 'timeout' type that triggers when the probe response time exceeds a configured value.
E.The 'reaction' command can only monitor round-trip time and cannot be used for jitter or packet loss.
AnswersA, B, C

Correct because the 'threshold' command defines the upper boundary; when the measured value exceeds it, the reaction is triggered.

Why this answer

IP SLA allows configuring rising and falling thresholds to trigger events. The reaction can be tied to a tracking object, which can then influence routing decisions. The 'connection-loss' type triggers when all probes fail.

The 'timeout' reaction is not a valid type; the correct keyword is 'timeout' within the threshold configuration. The 'react' command can also monitor jitter values.

639
Drag & Dropmedium

Drag and drop the steps to configure VLAN Trunking Protocol (VTP) on a Cisco switch in the correct order.


Why this order

VTP requires setting mode and domain before trunking works; verification confirms operation.

640
MCQmedium

A network engineer runs the following command on Router R1:

    R1# show ip ospf neighbor

    Neighbor ID     Pri   State           Dead Time   Address         Interface
    10.0.0.2          1   FULL/DR         00:00:32    192.168.1.2     GigabitEthernet0/0
    10.0.0.3          1   2WAY/DROTHER    00:00:35    192.168.1.3     GigabitEthernet0/0

Based on this output, what can be concluded?

A.R1 is the Backup Designated Router (BDR) on this segment.
B.R1 has a full OSPF adjacency with the neighbor 10.0.0.3.
C.R1 is a DROTHER on this segment.
D.The OSPF network type is point-to-point.
AnswerC

Since the DR is 10.0.0.2 and the BDR is not listed, and R1 has a full adjacency only with the DR, R1 must be a DROTHER.

Why this answer

The output shows R1 has a neighbor with state 2WAY/DROTHER (10.0.0.3), which indicates that R1 is also a DROTHER on this broadcast multiaccess segment. The FULL/DR neighbor (10.0.0.2) is the Designated Router, and since R1 is not the BDR (no FULL/BDR state), it must be a DROTHER.

Exam trap

Cisco often tests the misconception that 2WAY state means a full adjacency, but in OSPF, 2WAY is a normal neighbor state on broadcast networks between DROTHERs, not a full adjacency (which requires FULL state).

How to eliminate wrong answers

Option A is wrong because R1 is not the BDR; the BDR would appear with state FULL/BDR, but the only FULL neighbor is the DR (10.0.0.2). Option B is wrong because the neighbor 10.0.0.3 is in the 2WAY state, not FULL, meaning they have an established neighbor relationship but not a full adjacency (they exchange Hellos but not LSAs directly). Option D is wrong because the presence of DR/BDR states (FULL/DR, 2WAY/DROTHER) indicates a broadcast multiaccess network type, not point-to-point.

641
MCQhard

A network engineer is deploying a virtual WAN edge device using Cisco SD-WAN on an NFVIS platform. After powering on the VM, the device fails to boot and the NFVIS console shows 'ERROR: No bootable device found'. The engineer verified that the ISO image is correctly uploaded. What is the most likely cause?

A.The VM's virtual disk size is too small for the WAN edge image.
B.The VM's CPU type is set to 'host-passthrough' instead of 'qemu64'.
C.The boot order in the VM configuration does not have the CD-ROM (ISO) as the first device.
D.The ISO image is corrupted and NFVIS cannot read it.
AnswerC

Correct because the VM attempts to boot from the hard disk first, which is empty, leading to the error.

Why this answer

Option C is correct because the error 'No bootable device found' indicates that the VM attempted to boot from a device that does not contain a bootable operating system. In NFVIS, when deploying a virtual WAN edge device from an ISO, the VM's boot order must be configured to prioritize the CD-ROM (ISO) device. If the boot order defaults to the virtual hard disk (which is empty before installation), the VM will fail to find a bootable medium and produce this exact error.

Exam trap

Cisco often tests the distinction between image upload errors (corruption, size) and boot process errors (boot order), leading candidates to incorrectly suspect the ISO or disk configuration when the real issue is a missing boot device priority.

How to eliminate wrong answers

Option A is wrong because the virtual disk size does not prevent the VM from booting from the ISO; the disk is only used after the OS is installed. Option B is wrong because the CPU type 'host-passthrough' is actually recommended for Cisco SD-WAN VMs on NFVIS to expose the full CPU feature set; 'qemu64' would be a less compatible choice. Option D is wrong because if the ISO were corrupted, NFVIS would typically report a checksum or mount error, not a 'No bootable device found' message, which specifically points to boot order misconfiguration.

642
MCQhard

A network engineer issues the following command on a router:

    R1# show tacacs
    TACACS+ Server: 10.1.1.10/49
      Socket opens: 5
      Socket closes: 3
      Socket aborts: 0
      Total packets sent: 10
      Total packets received: 9
      Retransmissions: 1
      Timeouts: 1
      Current idle time: 30 seconds

Based on this output, what can be concluded?

A.The TACACS+ server is unreachable.
B.There have been no authentication attempts.
C.The TACACS+ server experienced a single timeout.
D.All packets were successfully acknowledged.
AnswerC

The timeout count is 1, indicating one packet timed out.

Why this answer

The output shows TACACS+ server statistics. Out of 10 packets sent, 9 were received, indicating 1 packet was lost or timed out. There was 1 retransmission and 1 timeout, which suggests occasional network issues but not a complete failure.

The current idle time of 30 seconds means no recent activity.

643
MCQmedium

An organization uses Ansible to manage network device configurations. They have a playbook that uses the ios_command module to execute 'show ip route' on multiple routers and then uses the 'debug' module to print the output. Recently, the playbook started failing with 'Timeout (12s) waiting for privilege escalation prompt'. The routers are reachable and SSH credentials are correct. What is the most likely cause?

A.The routers are configured with a different enable secret that does not match the one in the Ansible vault.
B.The 'ansible_connection' is set to 'network_cli' but the 'ansible_become_method' is not set to 'enable'.
C.The SSH key exchange is taking longer than the default 12-second timeout.
D.The ios_command module requires a different privilege level to execute 'show ip route'.
AnswerB

For network_cli connections, the become method must be 'enable'; otherwise, Ansible waits indefinitely for the privilege prompt.

Why this answer

The error 'Timeout waiting for privilege escalation prompt' indicates that Ansible is trying to enter enable mode (or similar) but is not receiving the expected prompt (usually '#'). This often happens when the 'ansible_become' method is not set correctly for network devices. For Cisco IOS, the become method should be 'enable', and the become password must be provided.

If the become method is missing or set to 'sudo', the privilege escalation will fail.

644
Drag & Dropmedium

Drag and drop the steps of Metro Ethernet E-Line service provisioning into the correct order, from first to last.


Why this order

E-Line provisioning starts with defining the service attributes and customer endpoints. The provider then configures the UNI on each customer edge device. Next, the EVC is created across the provider network to connect the two UNIs.

Finally, the service is tested and activated for the customer.

645
MCQmedium

A network engineer runs the following command on Router R6:

    R6# show mpls ldp neighbor 10.6.6.7 detail
        Peer LDP Ident: 10.6.6.7:0; Local LDP Ident 10.6.6.6:0
            TCP connection: 10.6.6.7.646 - 10.6.6.6.179
            State: Oper; Msgs sent/rcvd: 200/195; Downstream
            Up time: 1d04h
            LDP discovery sources:
              Targeted Hello 10.6.6.6 -> 10.6.6.7, active, passive
            Addresses bound to peer LDP Ident:
              10.6.6.7        192.168.6.7
            Hold time: 15 seconds; keepalive interval: 5 seconds
            Peer hold time: 15 seconds; keepalive interval: 5 seconds

Based on this output, what type of LDP session is this?

A.This is a link-local LDP session because the discovery source is an interface.
B.This is a targeted LDP session established between two non-directly connected routers.
C.This is a multicast LDP session because the hold time is 15 seconds.
D.This is a BGP session because the TCP connection shows port 179.
AnswerB

Targeted hellos are used for non-directly connected peers, and the output confirms targeted discovery.

Why this answer

The output shows 'Targeted Hello' in the discovery sources, indicating this is a targeted LDP session (not link-local). The session is operational and uses targeted hellos.

646
MCQeasy

What is the default quiet-period timer value in Cisco IOS 802.1X configuration?

A.30 seconds
B.60 seconds
C.120 seconds
D.10 seconds
AnswerB

The default quiet-period is 60 seconds.

Why this answer

The quiet-period timer defines the number of seconds the switch waits after a failed authentication attempt before re-initiating authentication. The default value is 60 seconds.

647
Drag & Dropmedium

Drag and drop the steps of EIGRP authentication using MD5 key-chain into the correct order, from first to last.


Why this order

EIGRP MD5 authentication requires first defining a key chain with keys, then applying the key chain to the EIGRP process, enabling authentication on the interface, and finally verifying the authentication status.

648
Matchingmedium

Drag and drop each streaming telemetry mode on the left to its matching trigger on the right.


Data is sent at a fixed interval

Data is sent only when a value changes

The device decides when to send data

On-change with additional suppression rules

Combination of periodic and on-change triggers

Why these pairings

Periodic sends at intervals, on-change sends on value change, target-defined leaves timing to the device, on-change-with-policy adds conditions, and periodic-and-on-change combines both.

649
MCQmedium

An engineer is configuring QoS on a Cisco ASR 1000 router to support three traffic classes: voice (EF), video (AF41), and data (default). The link is a 50 Mbps Ethernet circuit. The engineer wants to guarantee 10 Mbps for voice, 20 Mbps for video, and the remaining for data. The current policy uses bandwidth percent statements. During congestion, voice traffic is not receiving its guaranteed bandwidth. What is the most likely cause?

A.The interface bandwidth command is not set to 50000 kbps
B.The voice class should use priority instead of bandwidth
C.The video class should use bandwidth remaining percent
D.The policy map is applied in the input direction
AnswerA

Correct because bandwidth percent uses the interface bandwidth value; if it is set to a default (e.g., 1000000 for Ethernet), the percentages do not match the actual link speed.

Why this answer

The correct answer is that bandwidth percent is based on the interface bandwidth, which may not match the actual link speed if the interface bandwidth is not set correctly. The engineer should use bandwidth remaining percent or shape the traffic.

650
Matchingmedium

Drag and drop each VRF component on the left to its matching function on the right.


Uniquely identifies a VRF to allow overlapping IPv4 prefixes

Determines which routes are imported into or exported from a VRF

Stores all routes learned within a specific VRF

Holds routes for the default or global routing table

Used by hardware to make forwarding decisions based on the RIB

Why these pairings

Route Distinguisher (RD) makes IPv4 prefixes unique across VRFs; Route Target (RT) controls import/export of routes; the VRF RIB stores routes learned within that VRF; the global RIB holds routes for the global routing table; the FIB is used for forwarding decisions.

651
Multi-Selecthard

Which three statements about BGP route reflectors are true? (Choose three.)

Select 4 answers
A.Route reflectors reduce the number of required iBGP sessions in an AS.
B.A route reflector client must be fully meshed with all other clients.
C.The route reflector does not modify the AS_PATH or NEXT_HOP attributes when reflecting routes.
D.The ORIGINATOR_ID attribute is used to prevent routing loops in a route reflector environment.
E.Non-client peers of a route reflector must be fully meshed with each other.
AnswersA, C, D, E

Correct because route reflectors allow a hub-and-spoke topology, reducing sessions.

Why this answer

Route reflectors allow iBGP to scale by reducing the number of iBGP sessions. A route reflector client only needs to peer with the route reflector. The route reflector does not modify the AS_PATH or NEXT_HOP attributes.

The route reflector uses the ORIGINATOR_ID and CLUSTER_LIST attributes for loop prevention. A non-client peer must be fully meshed with other non-client peers.

652
Matchingmedium

Drag and drop each ERSPAN version on the left to its correct header format description on the right.


4-byte GRE header with 4-byte session ID

4-byte GRE header with 8-byte ERSPAN header

4-byte GRE header with 12-byte ERSPAN header

Indicates ERSPAN encapsulated packet

Optionally included in ERSPAN Type II/III

Why these pairings

ERSPAN Type I uses a 4-byte GRE header with 4-byte session ID; ERSPAN Type II uses a 4-byte GRE header with an 8-byte ERSPAN header; ERSPAN Type III uses a 4-byte GRE header with a 12-byte ERSPAN header.

653
MCQmedium

Consider the following configuration on a Cisco IOS-XE switch:

    interface GigabitEthernet0/3
     switchport trunk encapsulation dot1q
     switchport mode trunk
     switchport trunk native vlan 1

What is the effect of this configuration?

A.The interface will operate as an 802.1Q trunk, and untagged frames will be associated with VLAN 1.
B.The interface will operate as an ISL trunk.
C.The interface will drop all untagged frames.
D.The interface will only forward traffic for VLAN 1.
AnswerA

Correct. The native VLAN is 1, so untagged frames belong to VLAN 1.

Why this answer

The configuration sets the interface to 802.1Q trunking mode and explicitly defines VLAN 1 as the native VLAN. On an 802.1Q trunk, the native VLAN is the VLAN to which untagged frames are assigned when received on the trunk port. Since VLAN 1 is the default native VLAN and is explicitly configured here, untagged frames will be associated with VLAN 1, allowing them to traverse the trunk without an 802.1Q tag.

Exam trap

Cisco often tests the misconception that a trunk port drops untagged frames or that the native VLAN is only for management traffic, when in fact untagged frames are always associated with the native VLAN on an 802.1Q trunk.

How to eliminate wrong answers

Option B is wrong because the command 'switchport trunk encapsulation dot1q' explicitly sets the trunking protocol to 802.1Q, not ISL; ISL is a Cisco-proprietary encapsulation that is not supported on modern IOS-XE switches and would require 'switchport trunk encapsulation isl'. Option C is wrong because an 802.1Q trunk does not drop untagged frames; instead, it assigns them to the native VLAN (VLAN 1 by default or as configured). Option D is wrong because the interface is configured as a trunk, which forwards traffic for multiple VLANs (all allowed VLANs by default), not only VLAN 1; the native VLAN setting only affects how untagged frames are handled, not the scope of VLANs forwarded.

654
Drag & Dropmedium

Drag and drop the steps of CoPP policy evaluation order into the correct order, from first to last.


Why this order

CoPP evaluates packets against class maps in sequential order. The first match determines the action. The default class is processed last if no match occurs.

655
Drag & Dropmedium

Drag and drop the steps of GET VPN key server registration and rekey into the correct order, from first to last.


Why this order

In GET VPN, the group member first registers with the key server using ISAKMP. The key server authenticates the member and pushes the initial policy and key. After registration, the key server periodically sends rekey messages to update the group encryption key.

The group member acknowledges the rekey, and then both sides install the new key for ongoing encryption.

656
Drag & Dropmedium

Drag and drop the steps of Multicast RP discovery using Auto-RP into the correct order, from first to last.


Why this order

Auto-RP uses a mapping agent to discover RPs. Candidate RPs announce their services to a well-known group (224.0.1.39). The mapping agent collects these announcements and sends RP-to-group mappings to another group (224.0.1.40).

Routers then learn the RP for each group.

657
MCQeasy

A network team is planning to migrate from a Type 2 hypervisor to a Type 1 hypervisor for their production VMs. They need to understand the architectural impact. Which statement correctly describes a key difference between Type 1 and Type 2 hypervisors?

A.Type 1 hypervisors run directly on the physical hardware, while Type 2 hypervisors run on top of a host operating system.
B.Type 1 hypervisors require a host OS for device drivers, while Type 2 hypervisors include their own drivers.
C.Type 2 hypervisors are always more secure than Type 1 because of the additional OS layer.
D.Type 1 hypervisors cannot support hardware passthrough, but Type 2 can.
AnswerA

This is the fundamental architectural difference.

Why this answer

Option A is correct because Type 1 hypervisors (bare-metal) run directly on the physical hardware without an underlying operating system, providing direct access to hardware resources and better performance. Type 2 hypervisors (hosted) run as an application on top of a host operating system, which introduces additional overhead and resource contention. This architectural difference is fundamental to understanding virtualization performance and isolation in production environments.

Exam trap

Cisco often tests the misconception that Type 2 hypervisors are more secure due to an additional OS layer, but the trap here is that the extra layer actually increases the attack surface and reduces security isolation compared to a Type 1 hypervisor.

How to eliminate wrong answers

Option B is wrong because Type 1 hypervisors include their own built-in device drivers and do not require a host OS for device drivers; Type 2 hypervisors rely on the host OS for driver support. Option C is wrong because Type 2 hypervisors are generally less secure than Type 1 due to the larger attack surface introduced by the host OS layer, not more secure. Option D is wrong because Type 1 hypervisors fully support hardware passthrough (e.g., PCIe passthrough via Intel VT-d or AMD IOMMU), while Type 2 hypervisors often have limited or more complex passthrough support due to the host OS abstraction.

658
Drag & Dropmedium

Drag and drop the steps of LLQ configuration for voice traffic into the correct order, from first to last.


Why this order

LLQ for voice requires first classifying voice traffic, then creating a policy map with a priority queue, applying it to the interface, and verifying the configuration. The priority queue ensures low latency for voice packets.

659
Drag & Dropmedium

Drag and drop the steps of telemetry path validation using YANG DevKit into the correct order, from first to last.


Why this order

Validation begins with loading the YANG model, then using the tool to check path syntax, verifying existence, and confirming with device capabilities.

660
Matchingmedium

Drag and drop each EAP method on the left to its matching authentication type on the right.


Certificate-based mutual authentication

Tunneled authentication with MSCHAPv2

Protected Access Credential (PAC) based

Simple password hash (no server certificate)

Generic Token Card (one-time password)

Why these pairings

EAP-TLS uses certificates, PEAP uses tunneled MSCHAPv2, EAP-FAST uses PAC, EAP-MD5 uses simple password hash.

661
Drag & Dropmedium

Drag and drop the EIGRP named mode configuration steps into the correct order, from first to last.


Why this order

EIGRP named mode uses an address-family configuration. First, create the named EIGRP instance, then enter address-family IPv4, configure the network, optionally adjust timers, and finally verify the configuration.

662
MCQmedium

A network engineer is troubleshooting an EtherChannel between two Cisco switches. The show etherchannel 1 port-channel command shows the port-channel is up, but traffic is not load-balanced evenly. The engineer notices that all traffic is using only one link. The physical ports are all configured identically. What is the most likely cause?

A.The load-balancing method is set to src-mac, and the traffic is from multiple MAC addresses.
B.The load-balancing method is set to src-dst-ip, and all traffic is between the same two IP addresses.
C.The physical ports have different speeds.
D.The port-channel is configured with 'lacp fast-switchover'.
AnswerB

Correct because src-dst-ip hashes on source and destination IP; if they are the same, all traffic goes to the same link.

Why this answer

The correct answer is that the load-balancing method is set to src-dst-ip, but the traffic is from a single source to a single destination IP. The wrong answers involve issues that would prevent the channel from being up or affect all links.

663
Matchingmedium

Drag and drop each queuing mechanism on the left to its matching feature on the right.


Single queue, no differentiation

Flow-based fair queuing on a per-flow basis

User-defined traffic classes with guaranteed bandwidth

Strict priority queue with rate limiting

Always serves highest-priority queue first

Why these pairings

FIFO uses a single queue with no prioritization. WFQ provides per-flow fairness. CBWFQ allows user-defined classes.

LLQ provides strict priority with policing. PQ always services the highest-priority queue first.

664
MCQhard

A network engineer runs the following command on Switch SW1:

    SW1# show interfaces trunk

    Port        Mode         Encapsulation  Status        Native vlan
    Gi0/1       on           802.1q         trunking      1
    Gi0/2       on           802.1q         trunking      1

    Port        Vlans allowed on trunk
    Gi0/1       1-1005
    Gi0/2       1-1005

    Port        Vlans allowed and active in management domain
    Gi0/1       1,10,20
    Gi0/2       1,10,20

    Port        Vlans in spanning tree forwarding state and not pruned
    Gi0/1       1,10,20
    Gi0/2       1,10,20

Based on this output, what can be concluded?

A.VLANs 2-9 are allowed but not active on the trunk.
B.The trunk is using ISL encapsulation.
C.VLAN 1 is pruned from the trunk.
D.Only VLANs 10 and 20 are forwarding traffic.
AnswerA

The 'allowed' list includes 1-1005, but only VLANs 1,10,20 are active; thus VLANs 2-9 are allowed but not active (not created in VLAN database).

Why this answer

The output shows that VLANs 1-1005 are allowed on the trunk, but only VLANs 1, 10, and 20 are listed as active in the management domain. This means VLANs 2-9 are configured on the trunk but are not active (i.e., not created or not present on the switch), so they do not forward traffic. Option A correctly identifies this condition.

Exam trap

Cisco often tests the difference between 'allowed on trunk' and 'active in management domain' to trick candidates into thinking all allowed VLANs are forwarding, when in fact only active VLANs forward traffic.

How to eliminate wrong answers

Option B is wrong because the encapsulation is explicitly shown as '802.1q', not ISL, which is a Cisco proprietary protocol that is now largely deprecated. Option C is wrong because VLAN 1 is listed in the 'Vlans in spanning tree forwarding state and not pruned' section, indicating it is forwarding and not pruned; pruning would remove it from that list. Option D is wrong because VLAN 1 is also in the forwarding state and not pruned, so traffic for VLAN 1 is also being forwarded, not just VLANs 10 and 20.

665
MCQ (medium)

Given the following configuration on a Cisco IOS router:

policy-map SHAPE
 class class-default
  shape average 1000000
interface Serial0/0/0
 service-policy output SHAPE

What is the effect of this configuration?

A. The router will limit the transmit rate on Serial0/0/0 to an average of 1 Mbps by queuing excess packets.
B. The router will drop any traffic exceeding 1 Mbps on Serial0/0/0.
C. The router will mark all traffic with a rate limit of 1 Mbps but not enforce it.
D. The configuration is invalid because 'shape average' requires a class-map with a match statement.
Answer: A

Correct. Shaping buffers traffic to conform to the specified rate.

Why this answer

The 'shape average' command limits the output rate on the interface to an average of 1 Mbps (1000000 bps) by buffering excess traffic.

666
MCQ (easy)

A network engineer is configuring uRPF (unicast Reverse Path Forwarding) on a Cisco router to prevent spoofed IP traffic. The engineer enables uRPF in strict mode on the ingress interface connected to the internal network. After enabling uRPF, legitimate traffic from internal hosts is being dropped. The engineer checks the routing table and sees that the routes for the internal subnets are present. What is the most likely cause?

A. The return route for the source IP points to a different interface than the one where the packet arrived.
B. uRPF is checking the destination IP address, which is not reachable.
C. The router does not have a default route, so uRPF drops all traffic.
D. uRPF cannot be used with static routes; it requires a dynamic routing protocol.
Answer: A

Correct because strict uRPF requires the source IP to have a route back out the same interface.

Why this answer

uRPF strict mode checks that the source IP address of a packet has a route back to the same interface. If the router has multiple equal-cost paths or if the return route points to a different interface, uRPF drops the packet. Option A is correct because the return path must match the ingress interface.

Option B is incorrect because uRPF does not check the destination. Option C is incorrect because uRPF does not require a default route. Option D is incorrect because uRPF works with static routes.

667
Matching (medium)

Drag and drop each SNMP component on the left to its matching role on the right.


Matches

Network management station that polls agents

Software module running on managed device

Virtual database defining managed objects

Numeric identifier for a specific managed object

Password-like string used for authentication in v1/v2c

Why these pairings

The manager collects data, the agent runs on the device, MIB defines the data structure, and OID identifies specific variables.

668
Drag & Drop (medium)

Drag and drop the steps of connecting to a network device via Netmiko into the correct order, from first to last.

Correct order:

1. Import the Netmiko library.
2. Create a device dictionary with the connection parameters.
3. Establish the SSH connection using ConnectHandler.
4. Send a command (e.g., 'show ip interface brief').
5. Close the connection with disconnect().

Why this order

The correct order starts with importing the Netmiko library, then creating a device dictionary with connection parameters, establishing the SSH connection using ConnectHandler, sending a command (e.g., 'show ip interface brief'), and finally closing the connection with disconnect(). This sequence follows standard Netmiko workflow for device access.

669
MCQ (medium)

A network engineer runs the following command on Router R1:

R1# show access-lists 130
Extended IP access list 130
    10 permit icmp host 10.1.1.1 any echo (8 matches)
    20 permit icmp host 10.1.1.1 any echo-reply (5 matches)
    30 deny icmp any any (3 matches)
    40 permit ip any any (12 matches)

Based on this output, what can be concluded?

A. ICMP packets from sources other than 10.1.1.1 are denied.
B. All ICMP traffic is permitted.
C. The ACL permits all traffic from 10.1.1.1.
D. The ACL is applied inbound on an interface.
Answer: A

Entry 30 denies all ICMP not matching entries 10 or 20, so any ICMP from other sources is denied.

Why this answer

ACL 130 permits ICMP echo and echo-reply only from host 10.1.1.1, denies all other ICMP, and permits all other IP traffic. The match counts show 8 echo packets from 10.1.1.1, 5 echo-reply packets from 10.1.1.1, 3 denied ICMP packets from other sources, and 12 other packets permitted. The correct answer is that ICMP packets from sources other than 10.1.1.1 are denied.

670
Multi-Select (hard)

Which three statements about BGP route reflectors are true? (Choose three.)

Select 3 answers
A. Route reflectors allow iBGP speakers to advertise routes learned from other iBGP speakers without requiring a full mesh.
B. A route reflector client must be fully meshed with all other clients in the same cluster.
C. The route reflector can be a client of another route reflector.
D. The cluster ID is used to prevent routing loops in a route reflector environment.
E. The route reflector modifies the AS_PATH attribute to prevent loops.
Answers: A, C, D

Correct: This is the primary purpose of route reflectors; they relax the full mesh requirement.

Why this answer

Route reflectors are used to reduce the number of iBGP peers in an AS. They allow iBGP speakers to advertise routes learned from other iBGP speakers without requiring a full mesh. A route reflector client does not need to be fully meshed with other clients; it only peers with the route reflector.

The route reflector can be a client itself. The cluster ID is used to identify a route reflector cluster and to prevent loops. The route reflector does not modify the AS_PATH or NEXT_HOP attributes by default.

671
MCQ (easy)

An organization wants to implement 802.1X authentication on its wired network using Cisco ISE as the authentication server. The switches are configured with the necessary RADIUS settings. Which additional configuration is required on the switch interfaces to enable 802.1X?

A. dot1x pae authenticator
B. authentication port-control auto
C. authentication port-control force-authorized
D. authentication port-control force-unauthorized
Answer: B

Correct: this command enables 802.1X authentication on the interface.

Why this answer

Option B is correct because 'authentication port-control auto' is the required interface command to enable 802.1X authentication on a switch port. This command sets the port to initiate the authentication process, placing it in the unauthorized state until the client successfully authenticates via the RADIUS server (Cisco ISE). Without this command, the port will not enforce 802.1X.

Exam trap

Cisco often tests the distinction between the 'dot1x pae authenticator' command and the 'authentication port-control auto' command, leading candidates to mistakenly think the PAE command alone enables 802.1X, when in fact both are required for full functionality.

How to eliminate wrong answers

Option A is wrong because 'dot1x pae authenticator' is a subcommand that enables the Port Access Entity (PAE) role as authenticator, but it is not sufficient alone; the port must also be configured with 'authentication port-control auto' to actually enforce 802.1X. Option C is wrong because 'authentication port-control force-authorized' places the port in an always-authorized state, effectively disabling 802.1X authentication and allowing all traffic without verification. Option D is wrong because 'authentication port-control force-unauthorized' places the port in a permanently unauthorized state, blocking all traffic regardless of authentication attempts, which is not the goal for enabling 802.1X.

672
MCQ (medium)

Consider the following configuration:

flow monitor FM-1
 exporter EXPORTER-1
 record netflow ipv4 original-input
 cache entries 16000
!

Which statement about this configuration is correct?

A. The flow cache can hold up to 16,000 flow entries simultaneously.
B. The flow cache will export flows every 16,000 seconds.
C. The flow cache will store only 16,000 bytes of flow data.
D. The flow cache will automatically increase to 32,000 entries if needed.
Answer: A

The 'cache entries' command defines the size of the flow cache.

Why this answer

The 'cache entries' command sets the maximum number of flow entries that the cache can hold. When the cache is full, the router may need to age out flows prematurely or drop new flows.

673
Drag & Drop (medium)

Drag and drop the steps of the gRPC dial-out telemetry subscription flow into the correct order, from first to last.

Correct order:

1. Configure the telemetry receiver (destination) on the network device.
2. Define a sensor group that specifies which YANG data paths to collect.
3. Create a subscription that associates the sensor group with the receiver.
4. Enable the subscription to start streaming data.
5. The device streams telemetry data to the receiver.

Why this order

The correct order is: first, configure the telemetry receiver (destination) on the network device. Next, define a sensor group to specify which YANG data paths to collect. Then, create a subscription associating the sensor group with the receiver.

After that, enable the subscription to start streaming data. Finally, the device streams telemetry data to the receiver.

674
Matching (medium)

Drag and drop each RSPAN VLAN requirement on the left to its correct restriction on the right.


Matches

Must be dedicated solely to RSPAN traffic; no other traffic allowed.

The RSPAN VLAN cannot be the native VLAN of any trunk port.

The RSPAN VLAN must be allowed on all trunk links between source and destination switches.

The RSPAN VLAN must not have an SVI or any Layer 3 interface configured.

RSPAN VLANs are not propagated by VTP; they must be manually created on each switch.

Why these pairings

The RSPAN VLAN must be dedicated to RSPAN only, cannot be the native VLAN, must be allowed on all trunk links between source and destination switches, and must not have any Layer 3 interface configured.

675
Multi-Select (hard)

Which three statements about OSPF LSA types are correct? (Choose three.)

Select 3 answers
A. Type 1 LSAs (Router LSAs) are generated by every OSPF router and describe the router's interfaces and neighbors within an area.
B. Type 2 LSAs (Network LSAs) are generated by the DR on broadcast and NBMA networks to list all routers attached to the segment.
C. Type 3 LSAs (Summary LSAs) are generated by ASBRs to advertise external routes into the OSPF domain.
D. Type 4 LSAs (ASBR Summary LSAs) are generated by ABRs to advertise the location of an ASBR to routers in other areas.
E. Type 5 LSAs (AS External LSAs) are flooded only within the area where they originate.
Answers: A, B, D

Correct because Router LSAs are the fundamental LSA type, created by each router to advertise its directly connected links and state.

Why this answer

OSPF uses various LSA types to describe different routing information. Type 1 (Router LSA) is generated by every router. Type 2 (Network LSA) is generated by the DR.

Type 3 (Summary LSA) is generated by ABRs. Type 4 (ASBR Summary LSA) is also generated by ABRs. Type 5 (AS External LSA) originates from ASBRs and is flooded throughout the entire OSPF domain.
