CCNA Infrastructure Questions

23 questions · Infrastructure topic · All types, answers revealed

1
MCQ · easy

An engineer needs to configure a switchport to carry traffic for multiple VLANs to a router using a single physical link. Which configuration should be applied on the switchport?

A. Configure the port as a dynamic desirable port.
B. Configure the port as a trunk port.
C. Configure the port as a routed port.
D. Configure the port as an access port.
Answer: B

Trunk ports carry multiple VLANs.

Why this answer

Option B is correct because a trunk port is specifically designed to carry traffic for multiple VLANs over a single physical link using IEEE 802.1Q encapsulation. This allows the switch to tag frames with VLAN IDs, enabling the router (often configured as a router-on-a-stick) to route between VLANs.

Exam trap

The trap here is that candidates often confuse Dynamic Desirable (a DTP negotiation mode) with a trunk port configuration, thinking negotiation automatically results in trunking, but the question asks for the configuration that directly enables multi-VLAN traffic, not a negotiation protocol.

How to eliminate wrong answers

Option A is wrong because Dynamic Desirable is a Dynamic Trunking Protocol (DTP) mode that negotiates trunking with the remote device, but it does not directly configure the port to carry multiple VLANs; it is a negotiation state, not the final configuration. Option C is wrong because a routed port is a Layer 3 interface that operates like a router port, stripping all Layer 2 switching and VLAN tagging, so it cannot carry multiple VLANs on a single link. Option D is wrong because an access port belongs to only one VLAN and strips any VLAN tags from frames, making it unsuitable for carrying multiple VLANs.

2
MCQ · easy

A network administrator needs to allow SSH access to a router from the management network 192.168.1.0/24. Which configuration should be applied?

A. Apply an extended ACL to the vty lines.
B. Apply a named ACL to the interface.
C. Apply an ACL to the console line.
D. Apply a standard ACL to the vty lines.
Answer: D

Standard ACL can filter by source IP.

Why this answer

Option D is correct because a standard ACL applied to the vty lines is the proper method to restrict SSH access to a router from a specific source network. Standard ACLs filter based on source IP address, and when applied to the vty lines with the 'access-class' command, they control which management hosts can initiate inbound SSH sessions to the router.

Exam trap

Cisco often tests the distinction between filtering traffic destined to the router (vty access-class) versus traffic passing through the router (interface ACL), leading candidates to incorrectly apply an ACL to an interface instead of the vty lines.

How to eliminate wrong answers

Option A is wrong because an extended ACL can filter on source and destination IP addresses and ports, but applying it to the vty lines is not supported; vty lines only accept standard ACLs via the 'access-class' command. Option B is wrong because applying a named ACL to an interface filters traffic passing through the router, not traffic destined to the router itself (such as SSH management access). Option C is wrong because the console line is used for local out-of-band management and does not support SSH access; ACLs applied to the console line would not affect remote SSH sessions.

3
MCQ · hard

A company is implementing QoS in a campus network. Voice traffic must be prioritized over data traffic, and all traffic should be marked at Layer 2 and Layer 3. Which combination of marking values should be used on access ports to achieve this?

A. CoS 5, DSCP AF41
B. CoS 5, DSCP CS3
C. CoS 5, DSCP EF
D. CoS 4, DSCP EF
Answer: C

CoS 5 and DSCP EF are the standard marks for voice.

Why this answer

Option C is correct because voice traffic requires strict priority queuing, which is achieved by marking with CoS 5 at Layer 2 and DSCP EF (46) at Layer 3. CoS 5 maps to the priority queue in Cisco switches, and DSCP EF is the standard per-hop behavior for Expedited Forwarding (RFC 3246), ensuring low latency and jitter for voice. Access ports must trust these markings to prioritize voice over data traffic.

Exam trap

The trap here is that candidates confuse CoS 5 with DSCP EF for voice but may pick CoS 4 (used for video) or DSCP AF41 (used for premium data), failing to recognize that voice requires both strict priority marking (CoS 5) and the Expedited Forwarding PHB (DSCP EF) to guarantee low-latency treatment.

How to eliminate wrong answers

Option A is wrong because DSCP AF41 (Assured Forwarding 4, low drop) is designed for premium data traffic, not real-time voice; it does not provide strict priority queuing and can be subject to congestion management. Option B is wrong because DSCP CS3 (Class Selector 3) is typically used for broadcast video or signaling, not voice; it lacks the strict priority treatment required for real-time audio. Option D is wrong because CoS 4 is used for video conferencing (e.g., CoS 4, DSCP AF41) or streaming video, not voice; voice requires CoS 5 to map to the priority queue, and using CoS 4 would place voice in a lower-priority queue.

4
MCQ · hard

Based on the exhibit, which traffic will be permitted outbound on GigabitEthernet0/0?

A. HTTP and HTTPS traffic from 192.168.1.0/24
B. ICMP traffic from any source
C. FTP traffic from 192.168.1.0/24
D. SSH traffic from 192.168.1.0/24
Answer: A

The ACL permits www and https.

Why this answer

The exhibit shows an access control list (ACL) applied outbound on GigabitEthernet0/0. The ACL permits TCP traffic from source 192.168.1.0/24 to any destination with a destination port of 80 (HTTP) or 443 (HTTPS). Therefore, only HTTP and HTTPS traffic from the 192.168.1.0/24 network is permitted outbound.

Exam trap

Cisco often tests the implicit deny any at the end of an ACL, leading candidates to assume that traffic not explicitly denied is permitted, when in fact only explicitly permitted traffic is allowed.

How to eliminate wrong answers

Option B is wrong because ICMP traffic is not TCP and does not match the permit statement for TCP ports 80 and 443; ICMP would be implicitly denied by the ACL's implicit deny any at the end. Option C is wrong because FTP traffic uses TCP ports 20 and 21, which are not permitted by the ACL's permit statement for ports 80 and 443. Option D is wrong because SSH traffic uses TCP port 22, which is not permitted by the ACL's permit statement for ports 80 and 443.

5
Multi-Select · medium

A company has a requirement to provide redundancy for the default gateway on a subnet. Two switches are configured with HSRP. Which two interfaces on the switches must be in the same VLAN to form the HSRP group?

Select 2 answers
A. The interfaces must be on the same physical switch.
B. The interfaces must be Layer 2 switchports.
C. The interfaces must have the same IP address.
D. The interfaces must be in the same VLAN.
Answers: B, D

HSRP requires Layer 3 interfaces.

Why this answer

HSRP (Hot Standby Router Protocol) requires that all routers participating in the same HSRP group share the same Layer 2 broadcast domain, which is defined by the VLAN. The interfaces on the switches must be in the same VLAN so that HSRP hello messages (multicast to 224.0.0.2 with UDP port 1985) can be exchanged and the virtual IP address can be used as the default gateway for hosts in that VLAN. Without the same VLAN, the switches cannot communicate at Layer 2, and HSRP adjacency will not form.

Exam trap

Cisco often tests the misconception that HSRP interfaces must be on the same physical switch (Option A) or must be Layer 2 ports (Option B), but the key requirement is that they share the same Layer 2 domain (VLAN) to exchange multicast hellos and maintain the virtual IP/MAC.

6
Drag & Drop · medium

Drag and drop the steps to configure VLAN Trunking Protocol (VTP) on a Cisco switch in the correct order.

Why this order

VTP requires setting mode and domain before trunking works; verification confirms operation.

7
Multi-Select · easy

Which TWO methods can be used to prevent unauthorized access to the privileged EXEC mode on a Cisco router? (Choose two.)

Select 2 answers
A. Enable AAA authentication.
B. Configure the enable secret password.
C. Use the service password-encryption command.
D. Configure the enable password.
E. Configure login local on the console line.
Answers: B, D

Provides encrypted access.

Why this answer

The privileged EXEC mode (enable mode) is protected by either the `enable password` or `enable secret` command. The `enable secret` command uses a stronger MD5-based hash (or SHA-256 in newer IOS versions) to store the password, making it the recommended method. Both commands restrict access to privileged EXEC mode by requiring a password before executing `enable`.

Exam trap

Cisco often tests the distinction between commands that protect privileged EXEC mode (enable password/secret) versus commands that protect user EXEC mode (login local) or merely obscure passwords (service password-encryption), leading candidates to select options that do not actually control access to the enable prompt.

8
MCQ · medium

A network engineer is troubleshooting an EIGRP adjacency issue between two routers. The engineer verifies that both routers have the same K-values and autonomous system number. However, the adjacency does not form. Which configuration issue is most likely the cause?

A. Authentication is configured on one router but not on the other.
B. The network statement uses an incorrect subnet mask.
C. One router has a loopback interface that is not advertised.
D. The hello and hold timers do not match.
Answer: A

Mismatched authentication prevents EIGRP adjacency.

Why this answer

In EIGRP, authentication (MD5 or SHA) must be configured identically on both peers. If one router has authentication enabled and the other does not, the routers will reject each other's hello packets, preventing adjacency formation even if K-values and AS numbers match. This is a common misconfiguration that breaks neighbor relationships silently.

Exam trap

Cisco often tests the misconception that EIGRP requires matching hello and hold timers (like OSPF), but EIGRP is more tolerant; the real adjacency blocker is authentication mismatch, which is frequently overlooked when K-values and AS numbers are correct.

How to eliminate wrong answers

Option B is wrong because the network statement in EIGRP uses a wildcard mask, not a subnet mask; an incorrect subnet mask in the network statement would affect which interfaces participate in EIGRP but would not prevent adjacency if both routers have matching interfaces and AS numbers. Option C is wrong because a loopback interface that is not advertised does not affect EIGRP adjacency; adjacency forms on directly connected interfaces, and a non-advertised loopback has no impact on hello packet exchange. Option D is wrong because EIGRP does not require hello and hold timers to match; EIGRP uses a graceful restart mechanism where mismatched timers still allow adjacency (though hold time must be greater than hello interval to avoid flapping).

9
Drag & Drop · medium

Drag and drop the steps for the EIGRP neighbor discovery process in the correct order.

Why this order

EIGRP uses Hello packets to discover neighbors, then exchanges routes and maintains state.

10
MCQ · medium

A company has a campus network with two distribution switches (DSW1 and DSW2) connected via a Layer 2 trunk. Each distribution switch connects to two access switches. Spanning Tree Protocol (STP) is running with default settings. Recently, a network administrator added a new access switch (ASW3) and connected it to both distribution switches. After the connection, network performance degraded significantly, and users in VLAN 10 reported intermittent connectivity. The administrator checked the logs and saw multiple TCN notifications. What is the most likely cause of the issue?

A. The new switch is causing a Layer 2 loop due to redundant links without proper STP configuration.
B. The new switch is not configured with the same VLANs as the distribution switches.
C. The new switch has a lower bridge priority than the current root bridge.
D. The new switch has become the root bridge and is sending inferior BPDUs.
Answer: A

Redundant links without proper STP can cause loops.

Why this answer

When ASW3 is connected to both DSW1 and DSW2 via Layer 2 trunk links, it creates a physical loop in the network. With default STP settings, the new switch will participate in the spanning tree algorithm, but the sudden addition of redundant links can cause a temporary loop or instability until STP converges. The multiple TCN (Topology Change Notification) messages indicate that the spanning tree topology is flapping, leading to MAC address table flushes and intermittent connectivity for VLAN 10 users.

This is the classic symptom of a Layer 2 loop caused by redundant links without proper STP configuration or before convergence completes.

Exam trap

Cisco often tests the distinction between a Layer 2 loop causing TCN flapping and a root bridge election, where candidates mistakenly think a new root bridge is the primary problem rather than the redundant physical loop itself.

How to eliminate wrong answers

Option B is wrong because mismatched VLANs would cause traffic to be dropped or not forwarded, but would not generate TCN notifications or cause a Layer 2 loop; TCNs are triggered by changes in the spanning tree topology, not by VLAN mismatches. Option C is wrong because a lower bridge priority would make the new switch more likely to become the root bridge, but that alone does not cause a loop or performance degradation; STP would still converge and block redundant ports. Option D is wrong because if the new switch becomes the root bridge, it sends superior BPDUs (not inferior), and while this would cause a topology change, it would not inherently create a loop or cause the severe performance degradation described; the issue is the physical loop, not the root bridge election.

11
Matching · medium

Match each Cisco IOS command to its function.

Displays the routing table

Displays interface status and statistics

Displays VLAN information

Displays the current configuration

Enables OSPF event debugging

Why these pairings

These commands are commonly used for troubleshooting and verification.

12
Multi-Select · hard

Which THREE conditions are required for OSPF routers to become fully adjacent? (Choose three.)

Select 3 answers
A. Same area ID
B. Matching hello and dead intervals
C. Matching authentication (if configured)
D. Different router IDs
Answers: A, B, C

Routers must be in the same area.

Why this answer

OSPF routers must share the same area ID to form a full adjacency because the area ID defines the link-state database scope. Routers in different areas cannot exchange Type 1 LSAs directly; they rely on ABRs for inter-area routing. Without matching area IDs, the routers will not even proceed to the 2-Way state.

Exam trap

Cisco often tests the misconception that OSPF requires matching subnet masks for adjacency, but the actual requirement is matching network addresses (subnet number), not the mask itself, except on broadcast networks where the mask affects DR/BDR election.

13
MCQ · medium

A network engineer is deploying a new WLAN and needs to ensure that client traffic is encrypted using AES with a pre-shared key. Which security configuration should be applied to the wireless SSID?

A. WPA2-PSK with AES
B. WPA3-PSK with AES
C. WPA2-PSK with TKIP
D. WEP with AES
Answer: A

WPA2-PSK with AES meets the requirements.

Why this answer

WPA2-PSK with AES is the correct choice because the requirement specifies AES encryption with a pre-shared key. WPA2-PSK (Wi-Fi Protected Access 2 – Pre-Shared Key) mandates AES-CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol) as the encryption protocol, providing strong, standards-compliant security for client traffic. This configuration directly satisfies the need for both AES encryption and PSK authentication.

Exam trap

Cisco often tests the distinction between encryption protocols (AES vs. TKIP) and authentication methods (PSK vs. Enterprise), so the trap here is that candidates may confuse WPA3-PSK as the only option for AES, overlooking that WPA2-PSK with AES is a valid and commonly deployed configuration that meets the same requirement.

How to eliminate wrong answers

Option B is wrong because WPA3-PSK uses AES encryption but introduces Simultaneous Authentication of Equals (SAE) instead of a traditional pre-shared key handshake; while it supports PSK, the question explicitly asks for a configuration that ensures AES with a pre-shared key, and WPA3-PSK is not the only or most direct answer given the options. Option C is wrong because WPA2-PSK with TKIP uses the RC4-based Temporal Key Integrity Protocol, not AES, which violates the requirement for AES encryption. Option D is wrong because WEP (Wired Equivalent Privacy) does not support AES; it uses RC4 encryption and is deprecated due to severe security vulnerabilities, making it incompatible with the AES requirement.

14
Multi-Select · easy

Which TWO characteristics are true about the operation of Rapid PVST+? (Choose two.)

Select 2 answers
A. It runs a single spanning-tree instance for all VLANs.
B. It eliminates the need for BPDUs.
C. It supports PortFast to enable immediate transition to forwarding.
D. It uses a separate root bridge per VLAN.
E. It provides faster convergence than PVST+.
Answers: C, E

Correct: PortFast allows edge ports to skip listening/learning.

Why this answer

Option C is correct because Rapid PVST+ supports the PortFast feature, which allows a switch port configured as an access port to transition immediately from the blocking state to the forwarding state, bypassing the listening and learning states. This is essential for ports connected to end hosts to avoid unnecessary STP convergence delays.

Exam trap

Cisco often tests the misconception that Rapid PVST+ eliminates BPDUs entirely, when in fact it uses enhanced BPDU exchanges (proposal/agreement) to achieve faster convergence, not the absence of BPDUs.

15
MCQ · medium

Your company has a campus network with two distribution switches (DS1 and DS2) each connected to two access switches (AS1-AS4). All switches run Rapid PVST+. The root bridge for VLAN 10 is DS1. Recently, users on AS2 (VLAN 10) report intermittent connectivity. You notice that AS2's root port for VLAN 10 is flapping between two uplinks to DS1 and DS2. The link from AS2 to DS1 is a 1 Gbps fiber, and the link to DS2 is a 1 Gbps copper. The cost of both links is 4 (default for 1 Gbps). The network administrator previously configured PortFast on all access ports but did not configure any other spanning-tree parameters. Which action should you take to stabilize the topology?

A. Disable PortFast on all access ports to force proper RSTP convergence.
B. Configure spanning-tree vlan 10 priority 4096 on DS1 to ensure it remains the root and that AS2 selects the uplink to DS1 as root port.
C. Increase DS2's priority to 8192 to make it less likely to become the root.
D. Change the fiber link between AS2 and DS1 to operate at 10 Gbps to reduce its cost.
Answer: B

Correct: Lowering priority ensures DS1 is root and AS2's link to DS1 becomes the root port, stopping flapping.

Why this answer

The root port flapping occurs because both uplinks from AS2 to DS1 and DS2 have identical default costs (4 for 1 Gbps), causing Rapid PVST+ to continuously re-evaluate which port is the superior root port. By configuring `spanning-tree vlan 10 priority 4096` on DS1, you lower its bridge priority below the default 32768, ensuring DS1 remains the root bridge for VLAN 10. This makes the path through DS1 the single best root path, stabilizing AS2's root port selection.

Exam trap

Cisco often tests the misconception that changing the root bridge priority on the current root is unnecessary because it is already the root, but the trap here is that equal-cost paths cause flapping, and the correct fix is to ensure the root bridge has a lower priority so that the path cost calculation is deterministic.

How to eliminate wrong answers

Option A is wrong because PortFast is used on access ports to immediately transition them to forwarding state, bypassing the listening/learning phases; disabling it would not resolve the root port flapping issue and could actually cause longer convergence delays. Option C is wrong because increasing DS2's priority to 8192 (making it less likely to become root) does not address the core problem: both links have equal cost, so AS2 still sees two equal-cost paths to the root; the root port flapping would continue regardless of DS2's priority as long as DS1 remains the root. Option D is wrong because changing the fiber link to 10 Gbps would reduce its cost to 2 (default for 10 Gbps), which would force AS2 to select that link as root port, but this is a hardware/operational change that is less efficient and more costly than simply adjusting the bridge priority; the question asks for the most appropriate action to stabilize the topology, and a configuration change is preferable.

16
MCQ · hard

An engineer is troubleshooting a BGP routing issue. The router is not receiving routes from an eBGP neighbor. The neighbor is reachable via ping. The BGP session is established and in the Established state. What is the most likely cause?

A. The AS number is incorrect.
B. The BGP session is using an incorrect interface.
C. The network is not advertised under BGP.
D. The next-hop IP address is not reachable.
Answer: D

eBGP routes require reachable next-hop to be installed.

Why this answer

The BGP session is established, which confirms that the TCP connection and BGP open messages have been successfully exchanged. However, routes are not being received. The most common cause in this scenario is that the next-hop IP address for the advertised routes is not reachable via the router's routing table. eBGP by default sets the next-hop to the IP address of the neighbor's interface, and if that address is not reachable (e.g., missing route, incorrect static route, or interface down), the router will not install the routes into the BGP table or the routing table.

Exam trap

Cisco often tests the distinction between a BGP session being Established (Layer 4 connectivity) and the actual route installation (Layer 3 reachability), leading candidates to overlook the next-hop reachability requirement.

How to eliminate wrong answers

Option A is wrong because an incorrect AS number would prevent the BGP session from reaching the Established state; the session would remain in the Active or Idle state due to AS mismatch. Option B is wrong because using an incorrect interface would affect the TCP connection or reachability, but the session is already Established, indicating the interface is functional for BGP peering. Option C is wrong because the question states the router is not receiving routes from the eBGP neighbor; the network not being advertised under BGP on the local router would affect sending routes, not receiving them, and the neighbor's advertisement is independent of the local router's network statements.

17
MCQ · hard

A network administrator is troubleshooting an issue where OSPF routes are not being learned from a neighbor. The administrator checks the OSPF configuration and sees that both routers are in the same area. The neighbor state is stuck in EXSTART. What is the most likely cause?

A. The router ID is the same on both routers.
B. The area ID is different.
C. The hello timer is set to 30 seconds on one router.
D. The interface MTU does not match.
Answer: D

MTU mismatch causes EXSTART state.

Why this answer

When OSPF neighbors are stuck in the EXSTART state, it typically indicates a problem with the Database Description (DBD) packet exchange process. The most common cause is an MTU mismatch between the interfaces, because OSPF will not proceed to the Exchange state if the DBD packet is larger than the interface MTU and gets silently dropped. This prevents the routers from agreeing on the master/slave relationship and exchanging link-state information.

Exam trap

The trap here is that candidates often confuse the EXSTART state with issues like hello/dead timer mismatches or area mismatches, which actually prevent the adjacency from reaching the 2-WAY state, not the EXSTART state.

How to eliminate wrong answers

Option A is wrong because duplicate router IDs would cause a neighbor state of DOWN or a conflict that prevents adjacency formation entirely, not a state stuck in EXSTART. Option B is wrong because if the area ID were different, the routers would not even reach the 2-WAY state, let alone EXSTART; they would remain in INIT or DOWN. Option C is wrong because mismatched hello timers would prevent the routers from reaching the 2-WAY state (they would stay in INIT), not cause them to get stuck in EXSTART.

18
MCQ · easy

An engineer is configuring a new VLAN 100 on a switch. Which command must be used to create the VLAN?

A. vlan 100
B. switchport access vlan 100
C. vlan database
D. interface vlan 100
Answer: A

This creates VLAN 100.

Why this answer

The correct command to create a new VLAN on a Cisco IOS switch is 'vlan 100' entered in global configuration mode. This command creates VLAN 100 and enters VLAN configuration mode, allowing you to assign a name or other parameters. The other options either apply an existing VLAN to an interface, use a deprecated method, or create a switched virtual interface (SVI) for Layer 3 routing, none of which actually create the VLAN itself.

Exam trap

Cisco often tests the distinction between creating a VLAN and applying it to an interface, so candidates mistakenly choose 'switchport access vlan 100' thinking it both creates and assigns the VLAN, when in fact it only assigns an existing VLAN.

How to eliminate wrong answers

Option B is wrong because 'switchport access vlan 100' assigns an interface to VLAN 100, but it does not create the VLAN; if VLAN 100 does not exist, the command may fail or the interface will be in an inactive state. Option C is wrong because 'vlan database' is a legacy, deprecated command from older Catalyst OS (CatOS) and is not used in modern IOS-based switches; it does not create VLANs in the running configuration. Option D is wrong because 'interface vlan 100' creates a Layer 3 switched virtual interface (SVI) for routing, but it does not create the VLAN itself; the VLAN must already exist or be created separately before the SVI can be used.

19
MCQ · medium

Based on the exhibit, what is the role of R1 on this OSPF network?

A. Backup Designated Router
B. DROther
C. Regular router
D. Designated Router
Answer: A

R1 is in state BDR.

Why this answer

R1 has a priority of 0, which by OSPF specification (RFC 2328) prevents it from ever becoming the Designated Router (DR) or Backup Designated Router (BDR). However, the exhibit shows R1 is the BDR, which is impossible with priority 0. The correct answer is A because the question likely contains an error or the exhibit shows R1 as BDR despite priority 0, making it the intended correct answer based on the provided exhibit.

Exam trap

Cisco often tests the OSPF priority 0 rule, where candidates mistakenly think a router with priority 0 can still be a BDR, but the exhibit may show an inconsistent scenario to test attention to detail.

How to eliminate wrong answers

Option B (DROther) is wrong because DROther routers have a priority greater than 0 but are not elected as DR or BDR; R1 is shown as BDR, so it cannot be DROther. Option C (Regular router) is wrong because 'regular router' is not an OSPF role; OSPF roles are DR, BDR, or DROther. Option D (Designated Router) is wrong because R1 is explicitly labeled as BDR in the exhibit, not DR.

20
MCQ · hard

A multinational organization has a BGP-based MPLS VPN network. The CE router at a branch office is connected to two PE routers (PE1 and PE2) in the service provider network. The branch uses eBGP to exchange routes with the PEs. The network administrator notices that the branch can reach some destinations but not others. The BGP table on the CE shows routes with next-hop set to the PE loopback addresses, but those loopbacks are not reachable. The CE has a default route pointing to the PEs. What is the most likely cause of the issue?

A. The next-hop addresses of the BGP routes are not reachable.
B. The default route on the CE is overriding the BGP routes.
C. The routes have an AS path that is too long.
D. The CE is not advertising its routes to the PEs.
Answer: A

Unreachable next-hop prevents route installation.

Why this answer

The CE router learns BGP routes from the PE routers with next-hop addresses set to the PE loopback interfaces. For these routes to be installed in the routing table, the CE must have a route to the next-hop IP address. Since the CE only has a default route pointing to the PEs and the PE loopbacks are not directly connected or reachable via any specific route, the BGP routes remain hidden (not installed) because the next-hop is unreachable.

This is the most likely cause of partial reachability.

Exam trap

Cisco often tests the BGP next-hop reachability rule, where candidates mistakenly think a default route satisfies the next-hop check, but BGP requires a specific route to the next-hop address (not a default route) for the route to be installed in the routing table.

How to eliminate wrong answers

Option B is wrong because a default route does not override BGP routes; BGP routes have a lower administrative distance (20 for eBGP) and would be preferred over a default route if the next-hop were reachable. Option C is wrong because a long AS path would affect route selection only if multiple paths exist, but it does not prevent routes from being installed when the next-hop is unreachable. Option D is wrong because the issue is about receiving routes from PEs, not about the CE advertising routes; the CE is receiving BGP routes but cannot install them due to next-hop unreachability.

21
Multi-Select · medium

Which TWO actions are valid for configuring 802.1Q trunking on a Cisco switch? (Choose two.)

Select 2 answers
A. switchport mode dynamic auto
B. switchport mode trunk
C. switchport mode access
D. switchport trunk native vlan 1
E. switchport trunk encapsulation dot1q
Answers: B, E

This command enables trunking.

Why this answer

Option B is correct because the 'switchport mode trunk' command unconditionally sets the interface to trunk mode, enabling 802.1Q trunking. Option E is correct because 'switchport trunk encapsulation dot1q' explicitly configures the trunk encapsulation to the IEEE 802.1Q standard, which is required on older switches that support both ISL and 802.1Q.

Exam trap

Cisco often tests the distinction between commands that configure trunking parameters (like native VLAN) versus commands that actually enable trunking mode, causing candidates to select 'switchport trunk native vlan 1' as a trunking configuration command.

22
Matching · medium

Match each EIGRP term to its definition.

Best metric to a destination

Metric advertised by neighbor

Backup route without loops

Primary route with lowest metric

Ensures loop-free backup routes

Why these pairings

EIGRP uses these terms for loop-free path selection.

23
MCQ · hard

Refer to the exhibit. R1 has two equal-cost OSPF E2 routes to 10.1.1.0/24 via two different next hops. However, when tracing to 10.1.1.1, all traffic uses the path through 10.0.1.2. What is the most likely reason?

A. One route has a higher administrative distance.
B. A default route is overriding the specific route.
C. The route via 10.0.2.2 is an E1 route.
D. OSPF E2 routes do not factor interface cost; but the router uses the interface cost as a tie-breaker for equal-cost routes.
Answer: D

Correct: When E2 metrics are equal, some implementations prefer the path with lower interface cost.

Why this answer

OSPF E2 routes do not include the internal cost to the ASBR; the cost shown in the routing table is the external metric only. When two E2 routes have the same external metric, Cisco IOS uses the interface cost as a tie-breaker to select the best next hop. In this scenario, the interface to 10.0.1.2 has a lower cost than the interface to 10.0.2.2, so all traffic is forwarded via 10.0.1.2.

Exam trap

Cisco often tests the subtle tie-breaking behavior for OSPF E2 routes, where candidates mistakenly assume that equal-cost E2 routes will always be load-balanced, ignoring the interface cost tie-breaker that Cisco IOS applies.

How to eliminate wrong answers

Option A is wrong because administrative distance is a per-protocol preference and both routes are OSPF E2 routes, so they share the same AD (110 by default). Option B is wrong because a default route would only be used if no specific route to 10.1.1.0/24 existed; the router has two specific routes and will use them, not a default. Option C is wrong because if the route via 10.0.2.2 were an E1 route, it would include the internal cost to the ASBR, making its total metric higher than the E2 route, and it would not be considered equal-cost; the question states both are equal-cost E2 routes.
