CCNA VRF and Path Isolation Questions

58 questions · VRF and Path Isolation topic · All types, answers revealed

1
MCQ · hard

A network engineer runs the following command on Router R9:

    R9# show policy-map interface GigabitEthernet0/0.900
     GigabitEthernet0/0.900
      Service-policy input: QOS_POLICY_VRF_G
        Class-map: CLASS_VOICE (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: ip dscp ef (46)
          police:
              cir 1000000 bps, bc 31250 bytes, be 31250 bytes
            conformed 0 packets, 0 bytes; actions:
              transmit
            exceeded 0 packets, 0 bytes; actions:
              drop
            violated 0 packets, 0 bytes; actions:
              drop
        Class-map: CLASS_DATA (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: ip dscp af31 (26)
          police:
              cir 2000000 bps, bc 62500 bytes, be 62500 bytes
            conformed 0 packets, 0 bytes; actions:
              transmit
            exceeded 0 packets, 0 bytes; actions:
              drop
            violated 0 packets, 0 bytes; actions:
              drop
        Class-map: class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any

Based on this output, what can be concluded?

A. No QoS policy is applied to this interface
B. The policy only polices voice traffic
C. A QoS policy is applied inbound on GigabitEthernet0/0.900, policing voice and data traffic
D. The policy is applied outbound
Answer: C

The policy is applied in the input direction, with classes for voice (DSCP EF) and data (DSCP AF31), each with police actions.

Why this answer

The output shows the 'Service-policy input: QOS_POLICY_VRF_G' line, confirming that a QoS policy is applied inbound on GigabitEthernet0/0.900. The policy contains two user-defined class maps: CLASS_VOICE (matching DSCP EF) with a police rate of 1 Mbps and CLASS_DATA (matching DSCP AF31) with a police rate of 2 Mbps, both with conform/transmit and exceed/violate drop actions. This demonstrates that both voice and data traffic are being policed, making option C correct.

Exam trap

Cisco often tests the ability to read the 'Service-policy input' or 'output' direction in the command output, as candidates may overlook the direction keyword and incorrectly assume the policy is applied outbound or not applied at all.

How to eliminate wrong answers

Option A is wrong because the 'Service-policy input: QOS_POLICY_VRF_G' line explicitly shows a QoS policy is applied inbound on the subinterface. Option B is wrong because the policy includes both CLASS_VOICE and CLASS_DATA class maps, each with policing actions, so it polices both voice and data traffic, not just voice. Option D is wrong because the command output specifies 'Service-policy input', indicating the policy is applied inbound, not outbound.

2
MCQ · medium

A network engineer configures VRF-lite on a router with the following snippet:

    vrf definition GREEN
     rd 200:1
    !
    interface GigabitEthernet0/3
     vrf forwarding GREEN
     ip address 172.16.1.1 255.255.255.0
    !
    router ospf 10 vrf GREEN
     network 172.16.1.0 0.0.0.255 area 0

What is missing from this configuration to enable proper OSPF routing within VRF GREEN?

A. The configuration is complete and OSPF will operate correctly within VRF GREEN.
B. The 'network' command should specify the interface instead of the subnet.
C. The 'vrf definition GREEN' must include a 'route-target' command.
D. The OSPF process must be configured under the global VRF context, not using 'vrf GREEN'.
Answer: A

Correct. OSPF will run in VRF GREEN with the given commands; router-id can be auto-selected.

Why this answer

Option A is correct because the configuration is complete for VRF-lite OSPF routing. In VRF-lite, the 'vrf definition GREEN' with an RD, the interface assignment via 'vrf forwarding GREEN', and the OSPF process with 'vrf GREEN' and the network statement are all that is required. OSPF will operate correctly within VRF GREEN using the specified network in area 0.

Exam trap

Cisco often tests the misconception that VRF-lite requires 'route-target' commands, which are actually only necessary for MPLS VPNs, not for simple VRF-lite configurations.

How to eliminate wrong answers

Option B is wrong because the 'network' command in OSPF can specify a subnet with a wildcard mask, which is the standard method; it does not need to specify the interface directly. Option C is wrong because 'route-target' commands are required for MPLS VPN, not for VRF-lite, which does not use MPLS and needs only the RD to distinguish routes. Option D is wrong because the OSPF process can be configured under the global VRF context using the 'vrf GREEN' keyword after the process ID, which is the correct syntax for associating an OSPF process with a VRF.

3
Drag & Drop · medium

Drag and drop the VRF-aware NAT configuration steps into the correct order, from first to last.

Why this order

The correct order first defines the VRF, then configures the NAT inside and outside interfaces under the VRF, defines the NAT pool or ACL for translation, applies the NAT rule referencing the VRF, and finally verifies the translation with show ip nat translations vrf.

4
Matching · hard

Drag and drop each VRF-Lite or MPLS VPN characteristic on the left to its matching description on the right.

Matches

Uses trunk ports and subinterfaces to separate traffic without MPLS

Employs MPLS labels and MP-BGP to isolate paths across multiple routers

Why these pairings

VRF-Lite uses only local VRFs without MPLS or MP-BGP, requiring trunk links; MPLS VPN uses MPLS labels and MP-BGP for scalable path isolation; VRF-Lite is simpler but limited to a single router or switch; MPLS VPN scales across an entire provider network; VRF-Lite does not support overlapping address spaces between sites without NAT.

5
Drag & Drop · medium

Drag and drop the MPLS L3VPN packet forwarding steps into the correct order, from first to last.

Why this order

The correct order begins with the ingress PE receiving an IP packet from the CE, looking up the VRF and imposing the inner VPN label and outer MPLS label, then forwarding the MPLS packet across the core. The P router swaps the outer label, and the egress PE pops the outer label, looks up the inner VPN label, and forwards the IP packet to the destination CE.

6
Multi-Select · hard

Which two statements about VRF route leaking are true? (Choose two.)

Select 2 answers
A. Route leaking between VRFs can be achieved by configuring static routes with the 'global' keyword.
B. BGP can be used to leak routes between VRFs by using import and export route-targets.
C. Route leaking merges the routing tables of two VRFs into one.
D. VRF-lite automatically supports route leaking without any additional configuration.
E. Route leaking requires MPLS to be enabled.
Answers: A, B

Correct because 'ip route vrf A X.X.X.X Y.Y.Y.Y global' leaks a route to the global table.

Why this answer

Correct: Route leaking can be done using static routes or BGP with import/export maps. Incorrect: Route leaking does not merge routing tables; VRF-lite does not inherently support it; it does not require MPLS; it is not automatic.

7
Drag & Drop · medium

Drag and drop the steps of MPLS Layer 3 VPN VRF configuration on a PE router into the correct order, from first to last.

Why this order

First, you enable MPLS globally on the PE router. Then, you create the VRF and assign an RD. Next, you configure the route-target import and export policies.

After that, you apply the VRF to the customer-facing interface. Finally, you redistribute routes between the VRF and the MPLS backbone using BGP.

8
Matching · medium

Drag and drop each route-target action on the left to its matching behavior on the right.

Matches

Controls which routes from MP-BGP are placed into the VRF

Attached to VRF routes when they are advertised via MP-BGP

Applies a route-map to filter or modify routes being imported

Applies a route-map to modify RTs or attributes before export

Required for two VRFs to exchange routes in MPLS VPN

Why these pairings

Import RT determines which routes are accepted into a VRF; Export RT is attached to routes sent from a VRF; Both import and export can be configured per VRF; Import map can filter routes based on extended communities; Export map can modify RTs before advertisement.

9
Multi-Select · medium

Which three statements about VRF path isolation in a service provider network are true? (Choose three.)

Select 3 answers
A. VRFs allow multiple customers to share the same physical infrastructure while keeping their traffic isolated.
B. In MPLS VPN, VRFs are combined with route targets to control route distribution between PE routers.
C. VRF-aware features such as NAT, QoS, and ACLs can be applied per VRF to enforce path isolation policies.
D. VRF can be used to replace VLANs for Layer 2 isolation.
E. In VRF-lite, path isolation is achieved using MPLS labels.
Answers: A, B, C

Correct because each VRF maintains separate forwarding tables, providing Layer 3 isolation.

Why this answer

Correct: VRFs isolate customer traffic; MPLS VPN uses VRFs with route targets; VRF-aware features like NAT and QoS can be applied per VRF. Incorrect: VRFs do not replace VLANs; VRF-lite does not use labels.

10
Drag & Drop · medium

Drag and drop the steps of VRF selection using policy-based routing into the correct order, from first to last.

Why this order

The correct order starts with creating a route map with a match clause, then setting the VRF using the set vrf command, applying the route map to the incoming interface with ip policy route-map, the router matching the traffic, and finally forwarding the packet to the specified VRF.

11
Drag & Drop · medium

Drag and drop the steps of VRF-aware NAT configuration for path isolation into the correct order, from first to last.

Why this order

First, you create the VRF and assign an RD. Then, you configure the NAT inside and outside interfaces under the VRF. Next, you define the NAT pool and access list for translation.

After that, you apply the NAT rules with 'ip nat inside source' referencing the VRF. Finally, you verify NAT translations using 'show ip nat translations vrf'.

12
MCQ · medium

A router has the following configuration snippet:

    vrf definition RED
     rd 100:1
    !
    interface Loopback0
     ip vrf forwarding RED
     ip address 10.0.0.1 255.255.255.255
    !
    router eigrp 100
     address-family ipv4 unicast vrf RED autonomous-system 100
      network 10.0.0.1 0.0.0.0

What is the issue with this EIGRP configuration for VRF RED?

A. The EIGRP address-family is not activated because 'no shutdown' is missing under the address-family configuration.
B. The 'network' command should use a wildcard mask of 0.0.0.255 instead of 0.0.0.0.
C. The VRF must be defined under 'router eigrp' globally before using address-family.
D. The loopback interface cannot be placed in a VRF because it is a virtual interface.
Answer: A

Correct. EIGRP address-families require 'no shutdown' to start.

Why this answer

The EIGRP address-family configuration for VRF RED is missing the 'no shutdown' command under the address-family mode. In Cisco IOS, EIGRP address-families are administratively shut down by default; without 'no shutdown', the EIGRP process for that VRF will not form adjacencies or advertise routes, even though the network command is correctly configured.

Exam trap

Cisco often tests the default administrative shutdown of EIGRP address-families, knowing that many candidates assume the process starts automatically once the network command is configured, leading them to overlook the required 'no shutdown' command.

How to eliminate wrong answers

Option B is wrong because the 'network 10.0.0.1 0.0.0.0' command uses a host-specific wildcard mask, which is perfectly valid for advertising a single /32 interface; a wildcard mask of 0.0.0.255 would be incorrect as it would attempt to match a broader subnet. Option C is wrong because VRF definitions are not required under 'router eigrp' globally; the VRF is referenced directly in the address-family configuration via the 'vrf RED' keyword, which is the correct method. Option D is wrong because loopback interfaces can absolutely be placed in a VRF; there is no restriction against virtual interfaces being assigned to a VRF, and this is a common practice for management or iBGP peering.

13
MCQ · hard

A network engineer runs the following command on Router R6:

    R6# show ip route vrf CUSTOMER-D
    VRF CUSTOMER-D:
          10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C        10.0.0.0/30 is directly connected, GigabitEthernet0/0.400
    L        10.0.0.1/32 is directly connected, GigabitEthernet0/0.400
          192.168.0.0/16 is variably subnetted, 1 subnets, 1 mask
    B        192.168.1.0/24 [200/0] via 10.0.0.2, 00:10:00
    R6# show ip bgp vpnv4 vrf CUSTOMER-D
    BGP table version is 5, local router ID is 10.0.0.6
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
                  x best-external, a additional-path, c RIB-compressed,
    Origin codes: i - IGP, e - EGP, ? - incomplete
         Network          Next Hop            Metric LocPrf Weight Path
     *>  192.168.1.0/24   10.0.0.2                 0    100      0 i

Based on this output, what can be concluded?

A. The route 192.168.1.0/24 is learned via OSPF
B. The route 192.168.1.0/24 is installed in the VRF routing table from BGP
C. The next-hop 10.0.0.2 is not reachable
D. VRF CUSTOMER-D has no directly connected networks
Answer: B

The VRF route shows B, and the BGP table shows the same prefix with next-hop 10.0.0.2.

Why this answer

The show ip bgp vpnv4 vrf CUSTOMER-D output displays a BGP route for 192.168.1.0/24 with the '>' (best) marker, and the show ip route vrf CUSTOMER-D output shows this route with a 'B' code (BGP). This confirms the route is learned via BGP and installed in the VRF routing table. The administrative distance of 200 in the routing table entry further confirms it is a BGP route (eBGP default AD is 20, but iBGP is 200; the [200/0] indicates iBGP).

Exam trap

Cisco often tests the distinction between the routing table (show ip route) and the BGP table (show ip bgp), where a route can be present in BGP but not installed in the routing table if the next-hop is unreachable, but here the route is installed, confirming reachability.

How to eliminate wrong answers

Option A is wrong because the route is marked with 'B' in the routing table, which indicates BGP, not OSPF (which would show 'O'). Option C is wrong because the route is marked as 'best' (>) in BGP and installed in the routing table, which requires the next-hop 10.0.0.2 to be reachable via the directly connected subnet 10.0.0.0/30. Option D is wrong because the VRF has directly connected networks (10.0.0.0/30 and 10.0.0.1/32) as shown by the 'C' and 'L' entries in the routing table.

14
MCQ · medium

A network engineer runs the following command on Router R3:

    R3# show bgp vpnv4 unicast all summary
    BGP router identifier 10.0.0.3, local AS number 65000
    BGP table version is 10, main routing table version 10
    10 network entries using 1440 bytes of memory
    10 path entries using 1360 bytes of memory
    6/5 BGP path/bestpath attribute entries using 840 bytes of memory
    4 BGP AS-PATH entries using 112 bytes of memory
    0 BGP route-map cache entries using 0 bytes of memory
    0 BGP filter-list cache entries using 0 bytes of memory
    BGP using 3752 total bytes of memory
    BGP activity 20/10 prefixes, 20/10 paths, scan interval 60 secs
    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    192.168.1.1     4 65000    1000    1000       10    0    0 01:23:45        5
    192.168.2.2     4 65000     800     800       10    0    0 00:45:12        3

Based on this output, what can be concluded?

A. Both neighbors are eBGP peers
B. Both neighbors are iBGP peers exchanging VPNv4 prefixes
C. The neighbor 192.168.1.1 is not receiving any prefixes
D. The BGP table has 20 prefixes
Answer: B

The local AS is 65000 and both neighbors have the same AS, indicating iBGP. PfxRcd shows prefixes received.

Why this answer

The command `show bgp vpnv4 unicast all summary` displays BGP VPNv4 unicast summary information for all VRFs. Both neighbors (192.168.1.1 and 192.168.2.2) are in the same AS 65000, and the output shows they are exchanging VPNv4 prefixes (State/PfxRcd shows 5 and 3 prefixes received). This confirms they are iBGP peers within the same AS, specifically for VPNv4 address family, which is used in MPLS Layer 3 VPN environments to carry customer VPN routes.

Exam trap

Cisco often tests the distinction between eBGP and iBGP by using the same AS number in the output, and candidates may overlook that the `vpnv4 unicast all` address family is specifically for MPLS VPN iBGP peering, not for standard IPv4 unicast.

How to eliminate wrong answers

Option A is wrong because both neighbors have the same AS number (65000) as the local router, which indicates iBGP peering, not eBGP (which requires different AS numbers). Option C is wrong because the State/PfxRcd column shows 5 prefixes received from 192.168.1.1, meaning it is actively receiving prefixes. Option D is wrong because the output clearly states '10 network entries' and '20/10 prefixes' (activity counters), not 20 prefixes in the current BGP table.

15
MCQ · easy

A company uses VRF-lite to separate management traffic (VRF MGMT) from user traffic (VRF USER) on a Cisco Catalyst 3850 stack. The management network is 10.0.0.0/24, and the user network is 192.168.1.0/24. The engineer wants to allow SSH access from the user network to the management network for device administration. The switch has an SVI for each VRF. What is the simplest way to achieve this while maintaining VRF isolation?

A. Configure a static route in VRF USER pointing to the VRF MGMT's SVI IP address, and enable route leaking between the VRFs.
B. Place both SVIs in the same VRF and use access-lists to restrict traffic.
C. Use a firewall between the VRFs to filter traffic.
D. Configure the switch to use the global routing table for SSH traffic only.
Answer: A

Correct because route leaking allows inter-VRF communication while keeping the VRFs separate. The static route tells USER how to reach MGMT.

Why this answer

Option A is correct because VRF-lite inherently isolates routing tables, so to allow SSH from VRF USER to VRF MGMT while maintaining isolation, you must leak routes between the VRFs. A static route in VRF USER pointing to the VRF MGMT SVI IP address, combined with route leaking (e.g., using `route-map` and `import/export` commands), enables the necessary reachability without merging the VRFs. This is the simplest method as it avoids additional hardware or complex configurations.

Exam trap

Cisco often tests the misconception that VRFs are completely isolated and cannot communicate without breaking isolation, but route leaking is the correct method to allow selective inter-VRF traffic while maintaining VRF separation.

How to eliminate wrong answers

Option B is wrong because placing both SVIs in the same VRF breaks VRF isolation entirely, defeating the purpose of separating management and user traffic. Option C is wrong because introducing a firewall is unnecessary and adds complexity; VRF-lite with route leaking can achieve the goal natively on the switch without external devices. Option D is wrong because configuring the switch to use the global routing table for SSH traffic only is not a standard or supported feature in VRF-lite; SSH traffic still follows the VRF routing table unless explicit route leaking is configured.

16
MCQ · hard

A service provider uses MPLS L3VPN with multiple VRFs on a Cisco ASR 1000 PE router. One customer VRF (RED) has overlapping IP addresses with another VRF (BLUE). The engineer configures route-target import/export as 100:1 for RED and 200:2 for BLUE. Both VRFs have a static default route pointing to the CE. The PE receives VPNv4 routes from the route reflector for both VRFs. However, traffic from RED to its CE is working, but traffic from BLUE to its CE is intermittently failing. What is the most likely cause?

A. The BLUE VRF's interface is not configured with the ip vrf forwarding BLUE command, so the interface is in the global routing table.
B. The route-target import for BLUE is 200:2, but the route reflector exports routes with a different route-target.
C. The PE router has too many VRFs, causing memory exhaustion.
D. The BLUE VRF is missing the rd command.
Answer: A

Correct because if the interface is not associated with the VRF, traffic from that interface uses the global table, causing intermittent failures when the global table has conflicting routes.

Why this answer

The correct answer is A because if the BLUE VRF's interface is missing the 'ip vrf forwarding BLUE' command, the interface remains in the global routing table. This means traffic from the BLUE VRF will be forwarded using the global routing table instead of the VRF's routing table, causing intermittent failures when the global table does not have a route to the CE or when the CE's IP overlaps with another VRF's subnet. The static default route configured in the BLUE VRF would not be used, leading to connectivity issues.

Exam trap

The trap here is that candidates often focus on route-target or RD mismatches as the cause of VRF connectivity issues, but Cisco tests the fundamental requirement that each VRF interface must be explicitly bound to the VRF using 'ip vrf forwarding', otherwise the VRF's routing table is not used for that interface.

How to eliminate wrong answers

Option B is wrong because the question states that the PE receives VPNv4 routes from the route reflector for both VRFs, implying the route-target export/import is correctly matched; if the route reflector exported with a different RT, the BLUE VRF would not import any routes at all, not just intermittent failure. Option C is wrong because memory exhaustion would affect all VRFs and all traffic, not specifically and intermittently only the BLUE VRF's traffic to its CE. Option D is wrong because the 'rd' command is required for the VRF to exist and for VPNv4 route exchange, but the question states the PE receives VPNv4 routes for both VRFs, so the RD must be configured; missing RD would prevent any VPNv4 routes from being received or installed.

17
MCQ · medium

A network engineer is configuring MPLS L3VPN on a Cisco IOS-XE PE router. The engineer creates a VRF named CUSTOMER_A with route-target import and export 100:1. After configuring the VRF on the interface connected to the CE router, the CE router can ping the PE's VRF interface IP, but cannot reach any remote VPNv4 routes. The BGP session between PE and route reflector is up. What is the most likely cause?

A. The route-target import/export values are mismatched with the route reflector's configuration.
B. The VRF is not activated under BGP using the address-family ipv4 vrf CUSTOMER_A command.
C. The CE router is not configured with a default route pointing to the PE.
D. The PE router needs the mpls ip command on the interface facing the CE router.
Answer: B

Correct because without this command, the PE does not redistribute VRF routes into VPNv4 or import VPNv4 routes into the VRF.

Why this answer

The CE router can ping the PE's VRF interface IP, confirming Layer 2 and VRF interface configuration are correct. However, the CE cannot reach remote VPNv4 routes, which indicates that the PE is not advertising or installing those routes into the VRF. The most likely cause is that the VRF CUSTOMER_A has not been activated under BGP using the 'address-family ipv4 vrf CUSTOMER_A' command, which is required to exchange IPv4 routes between the PE and CE within the VRF context and to redistribute them into MP-BGP for VPNv4 propagation.

Exam trap

Cisco often tests the misconception that a working BGP session to the route reflector and correct route-target values alone are sufficient for VPNv4 route exchange, when in fact the VRF must be explicitly activated under BGP to enable route advertisement and import.

How to eliminate wrong answers

Option A is wrong because the route-target import/export values (100:1) are configured on the PE, and the route reflector does not need matching route-targets; it only reflects VPNv4 routes based on the RTs attached to the routes, and the PE's import RT must match the export RT of the remote PE, not the route reflector. Option C is wrong because the CE router not having a default route pointing to the PE would affect reachability to remote networks from the CE, but the symptom is that the CE cannot reach remote VPNv4 routes at all, which is a routing advertisement issue on the PE, not a missing default route on the CE. Option D is wrong because the 'mpls ip' command is required on the PE's core-facing interfaces to enable MPLS forwarding, not on the interface facing the CE, which is a Layer 3 VRF interface that does not require MPLS encapsulation.

18
MCQ · hard

An enterprise uses VRF-lite to isolate guest Wi-Fi traffic from corporate traffic on a Cisco Catalyst 9300 switch. The guest VRF (GUEST) is configured on VLAN 100, and the corporate VRF (CORP) on VLAN 200. Both VRFs use the same default gateway router connected via a trunk. The engineer notices that guest devices can reach the internet but cannot access the guest captive portal hosted on a server in VLAN 100. The server's IP is reachable from the switch itself. What is the issue?

A. The guest server is in a different VLAN than the guest wireless subnet, and inter-VLAN routing is not configured within the GUEST VRF.
B. The trunk between the switch and the router is not allowing VLAN 100.
C. The guest VRF is missing the route-target export command.
D. The captive portal server is configured with a default gateway that points to the corporate VRF.
Answer: A

Correct because if the guest wireless clients and the captive portal server are in different VLANs but both in the GUEST VRF, the switch must have an SVI for each VLAN in the GUEST VRF and routing must be enabled. Without proper VRF-aware routing, packets are dropped.

Why this answer

The issue is that the guest captive portal server resides in VLAN 100, but the guest wireless subnet is likely in a different VLAN or subnet within the GUEST VRF. Since VRF-lite provides separate routing tables, inter-VLAN routing within the same VRF must be explicitly configured (e.g., using SVIs with 'ip routing' and proper VRF forwarding). The switch can reach the server because it is directly connected, but guest devices cannot because their traffic is not routed between the wireless subnet and the server's VLAN within the GUEST VRF.

Exam trap

Cisco often tests the misconception that simply placing devices in the same VLAN guarantees connectivity, ignoring that VRF-lite requires explicit inter-VLAN routing configuration within each VRF, even if the VLANs are on the same switch.

How to eliminate wrong answers

Option B is wrong because the trunk must be allowing VLAN 100 for the guest devices to reach the internet through the router, which they can, so VLAN 100 is allowed. Option C is wrong because route-target export is used in MPLS VPNs for BGP route distribution, not required for VRF-lite which uses local routing and does not need route-target commands. Option D is wrong because the captive portal server's default gateway pointing to the corporate VRF would cause it to be unreachable from the guest VRF entirely, but the switch can reach it, indicating the server's gateway is correctly in the GUEST VRF.

19
MCQ · hard

An enterprise uses VRF-lite on a Cisco Catalyst 9300 to isolate a guest network (VRF GUEST) from the corporate network (VRF CORP). The guest network uses DHCP from a server in the corporate network. The engineer configures a DHCP relay on the guest SVI pointing to the corporate DHCP server. The DHCP server is in VRF CORP. The guest clients are not receiving IP addresses. What is the issue?

A. The DHCP relay agent is not configured to use the VRF GUEST; the ip helper-address command must be applied under the VRF interface, but the DHCP server is in a different VRF, requiring inter-VRF routing or the use of the ip dhcp relay information option.
B. The DHCP server is in a different VRF, and the switch does not have a route from the GUEST VRF to the CORP VRF for the DHCP server.
C. The DHCP server is not configured with a scope for the guest subnet.
D. The guest VRF is missing the ip dhcp relay command globally.
Answer: B

Correct because DHCP relay forwards the request based on the routing table of the source VRF. Without a route to the server in the GUEST VRF, the relay fails.

Why this answer

The DHCP server resides in VRF CORP, but the DHCP relay agent on the guest SVI forwards the discover packet within VRF GUEST. Without a route from VRF GUEST to the DHCP server's subnet in VRF CORP, the relayed packet cannot reach the server. Inter-VRF routing (e.g., a route leak or VRF-aware service) is required for the relay to forward the packet across VRFs.

Exam trap

Cisco often tests the misconception that configuring ip helper-address alone is sufficient for DHCP relay across VRFs, ignoring the need for inter-VRF reachability or route leaking.

How to eliminate wrong answers

Option A is wrong because the ip helper-address command is correctly applied under the guest SVI (which is in VRF GUEST), and the issue is not about the relay information option (option 82) but about the lack of a route between VRFs. Option C is wrong because the DHCP server may have a scope for the guest subnet, but the packet never reaches the server due to the routing issue, so the scope configuration is irrelevant. Option D is wrong because there is no global ip dhcp relay command in Cisco IOS; DHCP relay is enabled per interface with ip helper-address, and the VRF is inherited from the SVI.

20
Multi-Select · medium

Which two statements about VRF-aware services are true? (Choose two.)

Select 2 answers
A. VRF-lite allows multiple routing instances on a single router using separate routing tables.
B. VRF-aware services such as DHCP and NAT can be configured independently per VRF.
C. VRF instances are only supported on routers running MPLS VPN.
D. Route leaking between VRFs is not supported in Cisco IOS.
E. All VRFs on a router must share the same global routing table.
Answers: A, B

Correct because VRF-lite creates separate virtual routing and forwarding tables on a single device, enabling path isolation without MPLS.

Why this answer

VRF-aware services can operate within a VRF context, allowing per-VRF routing and forwarding decisions. The correct answers highlight that VRF-lite uses static or dynamic routing within each VRF and that route leaking between VRFs is possible. The incorrect options misstate the scope of VRF-aware services (e.g., they are not limited to MPLS VPNs only) or incorrectly claim that VRF instances cannot share a common routing table.

21
Drag & Drop · medium

Drag and drop the steps of MP-BGP VPNv4 route advertisement between PE routers into the correct order, from first to last.

Why this order

The correct order starts with the PE learning the customer route via IGP or static, then redistributing it into MP-BGP as a VPNv4 route with a route distinguisher, advertising it to the other PE via MP-BGP update, the receiving PE importing the route based on matching route targets, and finally installing the route into the appropriate VRF.

22
Matching · medium

Drag and drop each VRF component on the left to its matching function on the right.

Concepts
Matches

Uniquely identifies a VRF to allow overlapping IPv4 prefixes

Determines which routes are imported into or exported from a VRF

Stores all routes learned within a specific VRF

Holds routes for the default or global routing table

Used by hardware to make forwarding decisions based on the RIB

Why these pairings

Route Distinguisher (RD) makes IPv4 prefixes unique across VRFs; Route Target (RT) controls import/export of routes; the VRF RIB stores routes learned within that VRF; the global RIB holds routes for the global routing table; the FIB is used for forwarding decisions.

23
Drag & Drop · medium

Drag and drop the steps of VRF selection using policy-based routing into the correct order, from first to last.

Why this order

The correct order begins with creating an extended access-list to match traffic, defining a route-map with a match clause and set vrf command, applying the route-map to the incoming interface, the router evaluating the policy on received packets, and finally forwarding the matched traffic into the specified VRF.

24
MCQ · hard

A network engineer runs the following command on Router R8:

R8# show ip pim neighbor vrf CUSTOMER-F
Neighbor   Interface               Uptime/Expires      Ver  DR
10.0.3.2   GigabitEthernet0/0.700  02:00:00/00:01:30   v2   1/ DR
10.0.4.2   GigabitEthernet0/0.800  01:30:00/00:01:45   v2   0/ NDR (BDR)

Based on this output, what can be concluded?

A. PIM is not configured for VRF CUSTOMER-F
B. The DR is 10.0.4.2
C. PIM is enabled in VRF CUSTOMER-F with a DR and BDR
D. Both neighbors are using PIM version 1
Answer: C

Both neighbors are present with DR and BDR roles.

Why this answer

The output shows two PIM neighbors (10.0.3.2 and 10.0.4.2) with their respective interfaces, uptimes, and DR/BDR roles. The presence of a DR (Designated Router) and BDR (Backup Designated Router) indicates that PIM is enabled and operating in VRF CUSTOMER-F, with the DR being 10.0.3.2 (as shown by '1/ DR') and the BDR being 10.0.4.2 (as shown by '0/ NDR (BDR)'). Therefore, option C is correct.

Exam trap

Cisco often tests the misinterpretation of the DR/BDR column, where candidates mistakenly assume the neighbor with 'BDR' is the DR, or that PIM is not running when neighbors are present.

How to eliminate wrong answers

Option A is wrong because the output clearly shows PIM neighbors with DR/BDR roles, confirming that PIM is configured and active in VRF CUSTOMER-F. Option B is wrong because the DR is 10.0.3.2 (indicated by '1/ DR'), not 10.0.4.2, which is the BDR (Backup Designated Router). Option D is wrong because both neighbors are using PIM version 2 (as shown by 'v2' in the Ver column), not version 1.

25
MCQ · easy

A service provider is migrating a customer from a global routing table to a VRF on a Cisco ASR 1000. The customer has a BGP session with the provider for internet access. After moving the customer's interface to VRF CUSTOMER_D, the BGP session goes down. The engineer verifies that the VRF is configured with the correct route-target and that the BGP neighbor is configured under address-family ipv4 vrf CUSTOMER_D. What else is missing?

A. The IP address on the interface was removed when the VRF was applied, and it was not reconfigured.
B. The BGP neighbor is not configured with the password command.
C. The route-target import/export values are incorrect for the customer.
D. The engineer forgot to configure the VRF under the BGP router-id.
Answer: A

Correct because the ip vrf forwarding command clears the IP address on the interface, requiring it to be re-entered.

Why this answer

When a VRF is applied to an interface on a Cisco ASR 1000, the interface's IP address is removed because the VRF changes the routing context. The engineer must reconfigure the IP address under the VRF interface. Without the IP address, the BGP session cannot establish a TCP connection, causing it to go down.

Exam trap

Cisco often tests the fact that applying a VRF to an interface removes the IP address, leading candidates to overlook the need to reconfigure it, and instead focus on BGP or VRF configuration errors.

How to eliminate wrong answers

Option B is wrong because BGP password configuration is optional and not required for session establishment; the session fails due to missing IP address, not authentication. Option C is wrong because the engineer verified correct route-target import/export values, so this is not the issue. Option D is wrong because BGP router-id is a global or VRF-level parameter that does not need to be explicitly configured under the VRF; it defaults to the highest loopback or interface IP, and the session failure is unrelated to router-id.

26
Drag & Drop · medium

Drag and drop the steps of VRF-Lite inter-VRF route leaking configuration into the correct order, from first to last.

Why this order

First, you create the VRF definitions. Then, you assign interfaces to the VRFs. Next, you configure the route targets for import and export.

After that, you enable route leaking between VRFs using the 'route-replicate' command. Finally, you verify the routing tables to confirm the leaked routes are present.

27
Multi-Select · hard

Which three statements about VRF-lite are true? (Choose three.)

Select 3 answers
A. VRF-lite allows multiple routing instances on a single router using static or dynamic routing protocols.
B. VRF-lite does not require MPLS to operate.
C. VRF-lite provides path isolation by maintaining separate forwarding tables.
D. VRF-lite supports MPLS VPN inter-AS option B.
E. VRF-lite requires BGP as the routing protocol between VRFs.
Answers: A, B, C

Correct because VRF-lite supports RIP, EIGRP, OSPF, and static routes per VRF.

Why this answer

Correct: VRF-lite uses static or dynamic routing; it does not require MPLS; it provides path isolation. Incorrect: VRF-lite does not support MPLS VPN inter-AS; it does not require BGP; it does not use label switching.

28
Multi-Select · medium

Which three statements about path isolation using VRF are true? (Choose three.)

Select 3 answers
A. VRFs allow overlapping IP addresses between different virtual networks on the same router.
B. VRF-lite can provide path isolation without the use of MPLS.
C. VRF-based path isolation ensures encryption of all data between VRFs.
D. A VRF can be used to separate customer traffic in a service provider network.
E. VRF-lite requires a full mesh of trunk links between all routers in the network.
Answers: A, B, D

Correct because each VRF has its own routing table, so overlapping addresses are isolated.

Why this answer

Path isolation with VRF ensures that traffic from different tenants or departments does not interfere. The correct answers highlight that VRFs provide separate forwarding tables, that overlapping IP addresses are possible, and that VRF-lite can be used without MPLS. The incorrect options claim that VRFs guarantee end-to-end encryption (they do not) or that VRF-lite requires a full mesh of trunks (it does not).

29
MCQ · medium

A network engineer is configuring MPLS L3VPN on a Cisco IOS-XE router. The VRF CUSTOMER_C has route-target import 300:1 and export 300:1. The PE receives VPNv4 routes from the route reflector, but the CE router connected to the PE cannot ping any remote site IP addresses. The PE can ping the remote site IP addresses from the VRF. What is the most likely cause?

A. The CE router does not have a default route pointing to the PE's VRF interface.
B. The VRF is missing the route-target export command.
C. The PE router is not running a routing protocol with the CE router.
D. The MPLS LDP is not enabled on the PE-CE link.
Answer: A

Correct because if the CE does not have a route to remote sites, it cannot send traffic. The PE can ping because it has the routes in the VRF.

Why this answer

The PE can ping remote site IP addresses from within the VRF, confirming that the VRF has the correct route-target import/export configuration and that VPNv4 routes are being received and installed in the VRF routing table. However, the CE router cannot ping remote sites, which indicates that the CE does not have a route pointing to the PE’s VRF interface as its next hop. Without a default route or a specific route pointing to the PE’s VRF-facing interface, the CE has no path to forward traffic to remote VPN destinations, even though the PE can reach them.

Exam trap

Cisco often tests the misconception that if the PE can reach remote sites from the VRF, the CE must also be able to reach them, but the trap is that the CE’s routing table is independent and requires explicit route injection or a default route pointing to the PE.

How to eliminate wrong answers

Option B is wrong because the VRF already has route-target export 300:1 configured, and the PE can ping remote sites from the VRF, proving that VPNv4 routes are being exported and imported correctly. Option C is wrong because the PE can ping remote sites from the VRF, which implies that a routing protocol (or static route) is running between the PE and CE to exchange routes; otherwise the PE would not have a route to the CE’s subnet. Option D is wrong because MPLS LDP is not required on the PE-CE link; LDP is used for label distribution in the MPLS core, not on the customer-facing link, which typically uses IP routing or static routes.

30
Matching · medium

Drag and drop each route-target action on the left to its matching behavior on the right.

Concepts
Matches

Adds routes with a matching Route Target into the VRF

Tags routes from the VRF with a Route Target for advertisement

Filters which routes are imported into the VRF based on a route map

Filters which routes are exported from the VRF based on a route map

Can be configured per VRF using route-target commands

Why these pairings

Import RT adds routes with matching RT into the VRF; export RT tags routes from the VRF; import map filters routes during import; export map filters routes during export; both import and export can be configured per VRF.

31
Matching · medium

Drag and drop each MPLS VPN role on the left to its matching description on the right.

Concepts
Matches

Customer edge router that connects to the provider network

Provider edge router that attaches labels and runs MP-BGP with other PEs

Provider core router that switches MPLS labels and does not hold customer routes

Router that connects two different MPLS VPN domains or autonomous systems

Route Reflector that reduces MP-BGP peering by reflecting VPN routes

Why these pairings

CE routers connect customer sites to the provider; PE routers label customer routes and exchange VPNv4 prefixes via MP-BGP; P routers perform label switching without storing customer routes; ASBR routers connect different MPLS domains; RRs propagate VPN routes within an AS.

32
MCQ · medium

Examine the following VRF configuration:

vrf definition BLUE
 rd 1:1
 route-target export 1:1
 route-target import 2:2
!
interface GigabitEthernet0/5
 vrf forwarding BLUE
 ip address 10.0.0.1 255.255.255.0

What is the effect of having different export and import route targets?

A. The VRF exports routes tagged with RT 1:1 and imports routes tagged with RT 2:2, enabling selective route exchange.
B. The configuration is invalid because export and import RTs must be identical.
C. The VRF will only import routes from other VRFs that also have RT 1:1.
D. This configuration disables route advertisement for VRF BLUE.
Answer: A

Correct. This is a common design for hub-and-spoke or inter-VRF routing.

Why this answer

Option A is correct because the VRF BLUE configuration uses different route targets for export (1:1) and import (2:2). This enables selective route exchange: routes learned in VRF BLUE are exported with RT 1:1, and only routes tagged with RT 2:2 are imported into VRF BLUE. This is a common design for hub-and-spoke or inter-VRF route leaking scenarios where import and export RTs are intentionally asymmetric.

Exam trap

Cisco often tests the misconception that export and import route targets must match, but in reality they can differ to control route propagation in complex MPLS VPN designs.

How to eliminate wrong answers

Option B is wrong because Cisco IOS allows different export and import route targets; they do not need to be identical. Option C is wrong because the VRF imports routes tagged with RT 2:2, not RT 1:1; routes from other VRFs with RT 1:1 would be exported, not imported. Option D is wrong because the configuration does not disable route advertisement; routes are still exported with RT 1:1 and imported with RT 2:2, enabling normal VRF operation.

33
MCQ · medium

An engineer is configuring MPLS L3VPN on a Cisco IOS-XR router. The VRF CUSTOMER_B is configured with route-target import 100:1 and export 100:1. The engineer notices that the VRF routes are not being advertised to the route reflector. The BGP session to the route reflector is established and the VPNv4 address family is activated. What is the missing configuration?

A. The VRF is not configured with a route distinguisher.
B. The engineer did not configure the address-family ipv4 unicast vrf CUSTOMER_B under BGP and redistribute the routes.
C. The route-target import/export values are incorrect.
D. The interface in the VRF is not configured with the ipv4 address.
Answer: B

Correct because without this, the VRF routes are not injected into BGP VPNv4.

Why this answer

Option B is correct because in MPLS L3VPN on Cisco IOS-XR, simply configuring the VRF and establishing the BGP VPNv4 session is insufficient. The engineer must explicitly configure the address-family ipv4 unicast vrf CUSTOMER_B under BGP and use the redistribute command (e.g., redistribute connected or redistribute static) to inject the VRF routes into BGP for advertisement to the route reflector. Without this, the VRF routes remain in the local routing table but are never converted into VPNv4 prefixes.

Exam trap

Cisco often tests the misconception that configuring the VRF and establishing the BGP VPNv4 session is enough, but the trap is that candidates overlook the mandatory redistribution step under the VRF-specific BGP address family, which is required to inject routes into the VPNv4 table.

How to eliminate wrong answers

Option A is wrong because a route distinguisher (RD) is required for VRF configuration to make routes unique across VPNs, but its absence would cause the VRF to fail to install routes or cause route duplication, not specifically prevent advertisement to the route reflector; the question states the VRF is configured with route-target import/export, implying an RD is likely present. Option C is wrong because the route-target import 100:1 and export 100:1 values are correctly matched, which is necessary for route distribution between PE routers; incorrect values would affect import/export filtering but not the initial advertisement from the PE to the route reflector. Option D is wrong because an interface in the VRF with an IPv4 address is required for the VRF to have local routes, but the issue is about route advertisement to the route reflector, not about the existence of routes; the VRF could have routes from other sources (e.g., static) without a directly connected interface.

34
Multi-Select · hard

Which three statements about VRF route targets are true? (Choose three.)

Select 3 answers
A. Route targets are used to control which routes are imported into a VRF.
B. Route targets are used to control which routes are exported from a VRF.
C. A VRF can have multiple import and export route targets configured.
D. Route targets and route distinguishers are the same BGP attribute.
E. Route targets are only used in MPLS VPN and not in VRF-lite.
Answers: A, B, C

Correct because the 'route-target import' command specifies which RTs cause a route to be installed in the VRF.

Why this answer

Route targets (RTs) are BGP extended communities used in MPLS VPN to control route import and export between VRFs. The correct answers describe the role of RTs in importing routes into a VRF, exporting routes from a VRF, and the fact that multiple RTs can be configured per VRF. The incorrect options confuse RTs with route distinguishers (RDs) or claim that RTs are not used in VRF-lite (they are used in VRF-lite with BGP as well).

35
Matching · medium

Drag and drop each MP-BGP address family on the left to its matching use case on the right.

Concepts
Matches

Carries MPLS Layer 3 VPN routes with route distinguisher and route target

Carries standard IPv4 unicast routes (non-VPN)

Carries standard IPv6 unicast routes

Carries MPLS Layer 3 VPN routes for IPv6 customer prefixes

Carries Layer 2 VPN information such as VPLS or EVPN

Why these pairings

The VPNv4 unicast address family carries MPLS VPN routes with RD and RT; IPv4 unicast carries standard IPv4 routes; IPv6 unicast carries IPv6 routes; VPNv6 unicast carries IPv6 MPLS VPN routes; L2VPN address family carries Layer 2 VPN information like VPLS.

36
MCQ · medium

A network engineer is troubleshooting a VRF-lite deployment on a Cisco Nexus 9000 switch. Two VRFs, PROD and DEV, are configured. The switch has an SVI for VLAN 10 in VRF PROD and VLAN 20 in VRF DEV. A firewall is connected to a Layer 3 port in VRF PROD for internet access. The engineer needs to allow the DEV VRF to reach the internet through the same firewall, but without using a separate physical interface. What should the engineer configure?

A. Configure a static route in VRF DEV pointing to the firewall's IP address in VRF PROD, and use the route-map to leak the route.
B. Place the firewall interface in both VRFs using the ip vrf forwarding command on the same interface.
C. Create a VLAN trunk between the switch and firewall, and assign the same VLAN to both VRFs.
D. Use policy-based routing (PBR) in VRF DEV to forward traffic to the firewall's MAC address.
Answer: A

Correct because route leaking allows one VRF to use a next-hop in another VRF. A static route with the appropriate VRF and route-map can achieve this.

Why this answer

Option A is correct because VRF-lite does not support direct route leaking between VRFs without an external mechanism. By configuring a static route in VRF DEV pointing to the firewall's IP address (which resides in VRF PROD) and using a route-map to leak the route, the engineer enables inter-VRF routing. This allows DEV traffic to reach the firewall's interface in PROD without requiring a separate physical interface, as the route-map controls which prefixes are shared between VRFs.

Exam trap

Cisco often tests the misconception that a single interface can belong to multiple VRFs simultaneously, or that VLANs can be shared across VRFs, leading candidates to choose options that violate VRF isolation principles.

How to eliminate wrong answers

Option B is wrong because the 'ip vrf forwarding' command cannot be applied to the same interface for multiple VRFs; an interface can belong to only one VRF at a time. Option C is wrong because assigning the same VLAN to two different VRFs is not supported; VLANs are mapped to a single VRF, and trunking does not solve the isolation requirement. Option D is wrong because policy-based routing (PBR) can forward traffic based on policies but cannot directly route between VRFs; PBR operates within a single VRF and does not provide inter-VRF route leaking.

37
MCQ · easy

Which BGP attribute is preferred when it has the lowest value?

A. MED (Multi-Exit Discriminator)
B. Local Preference
C. Weight
D. AS Path
Answer: A

Correct. Lower MED is preferred.

Why this answer

The Multi-Exit Discriminator (MED) is a BGP attribute used to influence inbound traffic from a neighboring AS. A lower MED value is preferred because it indicates a more preferred path into the AS, making it the correct answer when the question asks for the attribute preferred with the lowest value.

Exam trap

Cisco often tests the confusion between attributes that prefer the lowest value (MED) versus those that prefer the highest value (Weight, Local Preference), and candidates mistakenly apply the 'lowest is best' rule to all attributes without remembering the specific behavior of each.

How to eliminate wrong answers

Option B is wrong because Local Preference is preferred when it has the highest value, not the lowest, as it influences outbound traffic from the local AS. Option C is wrong because Weight is a Cisco-proprietary attribute that is preferred when it has the highest value, not the lowest, and it is local to the router. Option D is wrong because AS Path is preferred when it is the shortest (lowest number of AS hops), but the question asks for the attribute preferred with the lowest value, and AS Path is not a numerical value in the same sense; it is a sequence of AS numbers, and the preference is based on length, not a single lowest value.

38
Drag & Drop · medium

Drag and drop the steps of VRF import/export route-target policy flow into the correct order, from first to last.

Why this order

The correct order begins with the PE receiving a VPNv4 route from MP-BGP, checking the route target against the VRF import list, matching the RT to accept the route, installing the route in the VRF routing table, and then redistributing the route to the CE.

39
Drag & Drop · medium

Drag and drop the MPLS L3VPN packet forwarding steps into the correct order, from first to last.

Why this order

The order begins with the ingress PE receiving an IP packet from the CE, looking up the VRF to find the next hop and label, pushing the MPLS label stack, forwarding the labeled packet across the MPLS core, and finally the egress PE popping the label and forwarding the IP packet to the destination CE.

40
MCQ · medium

Consider the following configuration on a Cisco IOS-XE router:

vrf definition RED
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
interface GigabitEthernet0/2
 vrf forwarding RED
 ip address 10.10.10.1 255.255.255.0

Which statement is true about this configuration?

A. The VRF RED is correctly configured for MPLS L3VPN, and the interface is placed in VRF RED.
B. The 'rd' command is optional for VRF operation and can be omitted.
C. The 'route-target export' and 'route-target import' must match the RD value exactly.
D. This configuration will cause the interface to use the global routing table for forwarding.
Answer: A

Correct. RD and RTs are set, and the interface uses VRF RED.

Why this answer

Option A is correct because the configuration defines a VRF named RED with an RD of 100:1 and matching route-target import/export values, which is the standard setup for an MPLS L3VPN. The 'vrf forwarding RED' command under the interface assigns that interface to the VRF, isolating its routing table from the global table. This allows the router to participate in a Layer 3 VPN by importing and exporting routes with the specified route-target.

Exam trap

Cisco often tests the misconception that the route-target must match the RD exactly, but in reality they serve different purposes and can be configured independently.

How to eliminate wrong answers

Option B is wrong because the 'rd' (route distinguisher) command is mandatory for VRF operation in MPLS L3VPN contexts; without it, the VRF cannot distinguish overlapping IP prefixes across different VPNs. Option C is wrong because the route-target import/export values do not have to match the RD value; they are independent identifiers used for VPN route distribution and can differ from the RD. Option D is wrong because the 'vrf forwarding RED' command under the interface causes the interface to use the VRF-specific routing table, not the global routing table.

41
Drag & Drop · medium

Drag and drop the VRF-aware NAT configuration steps into the correct order, from first to last.

Why this order

The correct order starts with defining the VRF, then configuring the inside and outside interfaces under the VRF, defining the NAT pool (if used), applying the access list for translation, and finally enabling NAT inside source with the VRF keyword.

42
Drag & Drop · medium

Drag and drop the steps of MP-BGP VPNv4 route advertisement between PE routers into the correct order, from first to last.

Why this order

The correct order starts with the local PE learning the customer route via IGP or static, then redistributing it into MP-BGP with a route distinguisher, advertising the VPNv4 route to the remote PE, which receives and installs it into the VRF, and finally the remote PE redistributes the route into the customer-facing IGP.

43
Multi-Select · medium

Which two statements about VRF configuration in Cisco IOS-XE are true? (Choose two.)

Select 2 answers
A. A VRF instance maintains its own routing table, CEF table, and forwarding table.
B. VRF can be used with OSPF by configuring the OSPF process under the VRF context.
C. VRF requires MPLS to be enabled on the router.
D. A VRF is automatically associated with all VLANs on a switch.
E. VRF is a Layer 2 isolation mechanism.
Answers: A, B

Correct because each VRF has independent forwarding and routing tables.

Why this answer

Correct: VRF instances use separate routing tables and can be used with OSPF. Incorrect: VRFs do not require MPLS; VLANs are not automatically associated; VRF-lite does not support MPLS; VRF is not a Layer 2 concept.

44
MCQ · easy

What is the default OSPF hello interval on an Ethernet link?

A. 10 seconds
B. 30 seconds
C. 40 seconds
D. 5 seconds
Answer: A

Correct. Default hello interval for Ethernet is 10 seconds.

Why this answer

The default OSPF hello interval on an Ethernet link is 10 seconds, as defined in RFC 2328. OSPF uses this interval to maintain neighbor adjacency and detect link failures; on broadcast multi-access networks like Ethernet, the default is 10 seconds, while on non-broadcast multi-access (NBMA) networks it is 30 seconds.

Exam trap

Cisco often tests the distinction between OSPF network types, where candidates confuse the default hello interval for Ethernet (10 seconds) with that of NBMA (30 seconds) or point-to-point (10 seconds on Cisco, but 5 seconds on some other vendors).

How to eliminate wrong answers

Option B (30 seconds) is wrong because 30 seconds is the default OSPF hello interval on NBMA networks (e.g., Frame Relay), not on Ethernet. Option C (40 seconds) is wrong because 40 seconds is not a standard OSPF hello interval; it may be confused with the dead interval multiplier (default 4× hello) but not the hello itself. Option D (5 seconds) is wrong because 5 seconds is the default OSPF hello interval on point-to-point links in some implementations (e.g., Cisco) but not on Ethernet; Ethernet defaults to 10 seconds.

45
MCQ · easy

What is the maximum hop count for EIGRP?

A. 255
B. 15
C. 100
D. 16
Answer: A

Correct. EIGRP supports up to 255 hops.

Why this answer

EIGRP uses a maximum hop count of 255, which is the default and hard limit for the protocol. This is because EIGRP is a distance-vector protocol that uses hop count as one of its metrics, but unlike RIP (which has a limit of 15), EIGRP's DUAL algorithm allows for much larger networks without the same loop-prevention constraints.

Exam trap

Cisco often tests the difference between EIGRP's maximum hop count (255) and RIP's maximum hop count (15/16), tempting candidates who confuse the two distance-vector protocols or who mistakenly think all routing protocols have a low hop limit.

How to eliminate wrong answers

Option B (15) is wrong because 15 is the maximum hop count for RIP, not EIGRP; this is a common confusion between distance-vector protocols. Option C (100) is wrong because 100 is not a standard hop count limit for any major routing protocol; it may be confused with the default administrative distance for OSPF or EIGRP summary routes. Option D (16) is wrong because 16 is the 'unreachable' metric in RIP (hop count 16 means infinite), not a valid maximum for EIGRP.

46
MCQ · medium

Review the following configuration:

vrf definition CUSTOMER_A
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100
!
interface GigabitEthernet0/4
 vrf forwarding CUSTOMER_A
 ip address 192.168.100.1 255.255.255.0
!
router bgp 65000
 address-family ipv4 vrf CUSTOMER_A
  redistribute connected

What is the purpose of the 'redistribute connected' command under the VRF address-family?

A. It advertises the directly connected network of GigabitEthernet0/4 into BGP for VRF CUSTOMER_A.
B. It redistributes all BGP routes into the VRF's routing table.
C. It enables BGP to exchange routes with other VRFs on the same router.
D. It is used to leak routes between VRF CUSTOMER_A and the global routing table.
Answer: A

Correct. This redistributes the connected subnet into BGP for the VRF.

Why this answer

The 'redistribute connected' command under the BGP address-family for VRF CUSTOMER_A injects the directly connected network on GigabitEthernet0/4 (192.168.100.0/24) into the BGP table for that VRF. This allows BGP to advertise that subnet to BGP peers within the VRF, enabling reachability to the VRF's local interface network.

Exam trap

Cisco often tests the misconception that 'redistribute connected' in a VRF context applies to all connected interfaces globally, when in fact it only applies to interfaces assigned to that specific VRF.

How to eliminate wrong answers

Option B is wrong because 'redistribute connected' injects directly connected routes into BGP, not the other way around; BGP routes are not redistributed into the VRF routing table by this command. Option C is wrong because BGP does not exchange routes between VRFs on the same router unless explicit route leaking (e.g., using import/export RTs or VRF-lite) is configured, and this command does not enable inter-VRF exchange. Option D is wrong because leaking routes between a VRF and the global routing table requires additional configuration (e.g., route-target import/export between VRF and global, or using 'network' commands with a route-map), not simply redistributing connected routes under the VRF address-family.

47
MCQ · hard

A network engineer runs the following command on Router R2:

R2# show vrf detail
VRF CUSTOMER-B (VRF Id = 1); default RD 65000:1; default VPNID <not set>
  Interfaces:
    GigabitEthernet0/0.200   GigabitEthernet0/1.200
Address family IPV4 unicast:
  Export VPN route-target communities:
    RT:65000:100
  Import VPN route-target communities:
    RT:65000:100
  No export route-map
  No import route-map
Address family IPV6 unicast:
  Export VPN route-target communities:
    RT:65000:100
  Import VPN route-target communities:
    RT:65000:100
Members: 10.0.0.0/24

Based on this output, what can be concluded?

A. The VRF is configured for IPv4 only
B. The VRF uses different route-targets for import and export
C. The VRF supports both IPv4 and IPv6 VPNs with matching route-targets
D. The VRF has no interfaces assigned
Answer: C

Both address families are present and use the same route-target for import and export.

Why this answer

The output shows both 'Address family IPV4 unicast' and 'Address family IPV6 unicast' sections, each with the same export and import route-target communities (RT:65000:100). This confirms the VRF CUSTOMER-B supports both IPv4 and IPv6 VPN address families with matching route-targets, enabling MPLS L3VPN services for both address families over the same VRF.

Exam trap

Cisco often tests the misconception that a VRF supports only one address family (IPv4) by default, but the 'show vrf detail' output clearly shows separate address family sections, and candidates may overlook the IPv6 unicast section if they focus only on the route-target values.

How to eliminate wrong answers

Option A is wrong because the VRF explicitly includes an 'Address family IPV6 unicast' section, proving it is not IPv4-only. Option B is wrong because both the export and import route-target communities are identical (RT:65000:100) for both address families, not different. Option D is wrong because the output lists two interfaces (GigabitEthernet0/0.200 and GigabitEthernet0/1.200) under 'Interfaces:', so the VRF has interfaces assigned.

48
Drag & Drop · medium

Drag and drop the steps of VRF import/export route-target policy flow into the correct order, from first to last.

Why this order

The correct order is: (1) the export RT is configured on the VRF; (2) the PE advertises the VPNv4 route with that RT; (3) the remote PE receives the route and compares the RT with its import RT list; (4) if the RT matches, the route is imported into the VRF; (5) the route is installed in the VRF routing table.

49
Multi-Select · easy

Which two statements about VRF-lite configuration are true? (Choose two.)

A. In VRF-lite, each VRF maintains its own independent routing table.
B. Interfaces are assigned to a VRF using the 'ip vrf forwarding' command under interface configuration.
C. VRF-lite requires MPLS enabled on all interfaces.
D. VRF-lite can only use static routes for inter-VRF communication.
E. A router can have at most two VRFs configured.
Answers: A, B

Correct because the core concept of VRF-lite is per-VRF routing tables for path isolation.

Why this answer

VRF-lite provides path isolation on a single router without MPLS. The correct answers describe that VRF-lite uses separate routing tables and that interfaces are assigned to VRFs. The incorrect options wrongly claim that VRF-lite requires MPLS or that it supports only static routing.

50
MCQ · medium

A network engineer runs the following command on Router R7:

R7# show ip ospf neighbor vrf CUSTOMER-E
Neighbor ID     Pri   State      Dead Time   Address     Interface
10.0.0.8        1     FULL/DR    00:00:35    10.0.1.2    GigabitEthernet0/0.500
10.0.0.9        1     FULL/BDR   00:00:31    10.0.2.2    GigabitEthernet0/0.600

Based on this output, what can be concluded?

A. OSPF is not configured for VRF CUSTOMER-E
B. There is only one OSPF neighbor in VRF CUSTOMER-E
C. OSPF is operating within VRF CUSTOMER-E with two neighbors
D. The DR is 10.0.0.9
Answer: C

Two neighbors are in FULL state, indicating OSPF adjacency.

Why this answer

The command `show ip ospf neighbor vrf CUSTOMER-E` explicitly queries OSPF neighbors within the VRF named CUSTOMER-E. The output shows two neighbors (10.0.0.8 and 10.0.0.9) with states FULL/DR and FULL/BDR, confirming that OSPF is actively operating inside that VRF. Therefore, option C is correct because it accurately states that OSPF is operating within VRF CUSTOMER-E with two neighbors.

Exam trap

Cisco often tests the misconception that the DR is always the neighbor with the highest IP address or the first listed, but the DR is explicitly indicated by the state field (FULL/DR), not by the Neighbor ID or IP address.

How to eliminate wrong answers

Option A is wrong because the command successfully returned neighbor details, which would not happen if OSPF were not configured for VRF CUSTOMER-E; a missing OSPF configuration under the VRF would produce an empty output or an error. Option B is wrong because the output clearly lists two neighbors (10.0.0.8 and 10.0.0.9), not one. Option D is wrong because the DR (Designated Router) is identified by the neighbor with state FULL/DR, which is 10.0.0.8, not 10.0.0.9 (the BDR).

51
MCQ · medium

Examine the following configuration snippet on a Cisco IOS-XE router:

interface GigabitEthernet0/1
 ip vrf forwarding BLUE
 ip address 192.168.1.1 255.255.255.0
 no shutdown

What is the effect of this configuration?

A. The interface is placed into VRF BLUE, and all traffic sent or received on this interface uses the routing table of VRF BLUE.
B. The interface remains in the global routing table but is allowed to communicate with VRF BLUE via route leaking.
C. The interface is placed into VRF BLUE, but the IP address is assigned from the global routing table.
D. The configuration is invalid because VRF BLUE must be created first using 'vrf definition BLUE'.
Answer: A

Correct. The interface is now in VRF BLUE and uses its separate routing table.

Why this answer

The 'ip vrf forwarding BLUE' command associates the interface with VRF BLUE, which creates a separate routing table instance. All traffic entering or exiting this interface is forwarded using the VRF BLUE routing table, not the global routing table. This isolates the interface's traffic from the global routing domain.

Exam trap

The trap here is that candidates assume the interface remains in the global routing table or that the VRF must be explicitly defined before use, but Cisco IOS-XE allows VRF creation via the interface command, and the interface is fully moved into the VRF's routing domain.

How to eliminate wrong answers

Option B is wrong because the interface is not in the global routing table; 'ip vrf forwarding' moves the interface entirely into the VRF, and route leaking is an explicit additional configuration (e.g., using 'route-map' and 'import/export' commands) not implied here. Option C is wrong because the IP address is assigned within the VRF context, not from the global routing table; the VRF must already exist or be created dynamically, and the address belongs to the VRF's address space. Option D is wrong because the configuration is valid; VRF BLUE can be created implicitly by the 'ip vrf forwarding' command on the interface, or it may have been created earlier via 'vrf definition BLUE' or 'ip vrf BLUE' (legacy), but the snippet alone does not show an error.

52
MCQ · medium

A network engineer runs the following command on Router R1:

R1# show ip route vrf CUSTOMER-A
VRF CUSTOMER-A:
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.0.1.1 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        10.0.0.0/30 is directly connected, GigabitEthernet0/0.100
L        10.0.0.1/32 is directly connected, GigabitEthernet0/0.100
B        10.0.2.0/24 [200/0] via 192.168.1.2, 00:12:34

Based on this output, what can be concluded?

A. VRF CUSTOMER-A has a BGP-learned route to 10.0.2.0/24
B. VRF CUSTOMER-A is not using BGP for routing
C. The default route is learned via BGP
D. GigabitEthernet0/0.100 is not associated with VRF CUSTOMER-A
Answer: A

The B entry shows a BGP route with next-hop 192.168.1.2, indicating BGP learned the prefix 10.0.2.0/24.

Why this answer

The output shows a BGP-learned route to 10.0.2.0/24 with the code 'B' and the administrative distance [200/0], indicating it is an external BGP route. The route is installed in the VRF CUSTOMER-A routing table, confirming that VRF CUSTOMER-A is using BGP and has learned this prefix via BGP from the next-hop 192.168.1.2.

Exam trap

Cisco often tests the distinction between the 'Gateway of last resort' and BGP-learned default routes; candidates may incorrectly assume the default route is BGP-learned because BGP is present in the table, but the output explicitly shows the gateway is 10.0.1.1, not a BGP next-hop.

How to eliminate wrong answers

Option B is wrong because the presence of a BGP-learned route (code 'B') in the VRF table proves that VRF CUSTOMER-A is using BGP for routing. Option C is wrong because the default route (Gateway of last resort) is set to 10.0.1.1, which is not a BGP-learned route; it is likely a static or connected default, and no BGP default route is shown in the table. Option D is wrong because the directly connected subnet 10.0.0.0/30 and local host route 10.0.0.1/32 are both on GigabitEthernet0/0.100, which is listed under VRF CUSTOMER-A, proving the interface is associated with the VRF.

53
Matching · medium

Drag and drop each MPLS VPN role on the left to its matching description on the right.

Matches

Connects directly to the provider edge and advertises customer routes

Attaches MPLS labels to customer packets and maintains VRFs

Core router that switches MPLS labels without holding VPN routes

Distributes VPNv4 routes within the MPLS VPN core

Connects different MPLS VPN domains

Why these pairings

The CE device connects directly to the PE and advertises customer routes; the PE device attaches labels and maintains VRFs; the P device is a core router that switches MPLS labels without holding VPN routes; the RR (Route Reflector) distributes VPNv4 routes within the MPLS VPN core; the ASBR connects different MPLS VPN domains.

54
MCQ · medium

A network engineer runs the following commands on Router R5:

R5# show ip interface brief | include VRF
Interface                IP-Address   OK? Method Status   Protocol
GigabitEthernet0/0.100   10.0.0.1     YES NVRAM  up       up
GigabitEthernet0/0.200   10.0.1.1     YES NVRAM  up       up
GigabitEthernet0/0.300   10.0.2.1     YES NVRAM  up       up
Loopback100              10.100.0.1   YES NVRAM  up       up

R5# show vrf brief
Name         Default RD   Protocols   Interfaces
CUSTOMER-A   65000:1      ipv4        Gi0/0.100
CUSTOMER-B   65000:2      ipv4        Gi0/0.200
CUSTOMER-C   65000:3      ipv4        Gi0/0.300

Based on this output, what can be concluded?

A. All interfaces belong to the same VRF
B. VRF CUSTOMER-A uses RD 65000:1 and is associated with GigabitEthernet0/0.100
C. Loopback100 is in VRF CUSTOMER-C
D. There is no VRF configured on Router R5
Answer: B

The output shows CUSTOMER-A with RD 65000:1 and interface Gi0/0.100.

Why this answer

Option B is correct because the 'show vrf brief' output explicitly lists CUSTOMER-A with Route Distinguisher (RD) 65000:1 and its associated interface GigabitEthernet0/0.100. This confirms the VRF configuration and the interface-to-VRF mapping, which is fundamental for MPLS L3VPN path isolation.

Exam trap

Cisco often tests the misconception that the 'show ip interface brief | include VRF' command displays VRF membership, when in fact it only filters lines containing the string 'VRF' (which may not appear in the output), leading candidates to incorrectly conclude no VRFs exist or that all interfaces share a single VRF.

How to eliminate wrong answers

Option A is wrong because the 'show vrf brief' output shows three separate VRFs (CUSTOMER-A, CUSTOMER-B, CUSTOMER-C), each with its own RD and distinct subinterfaces, so not all interfaces belong to the same VRF. Option C is wrong because Loopback100 is not listed under any VRF in the 'show vrf brief' output; it remains in the global routing table, not in CUSTOMER-C. Option D is wrong because the 'show vrf brief' output clearly shows three VRFs configured, so VRFs are present on Router R5.

55
MCQ · hard

A network engineer runs the following command on Router R4:

R4# show mpls ldp neighbor vrf CUSTOMER-C
Peer LDP Ident: 10.0.0.5:0; Local LDP Ident 10.0.0.4:0
    TCP connection: 10.0.0.5.646 - 10.0.0.4.646
    State: Oper; Msgs sent/rcvd: 500/500; Downstream
    Up time: 02:30:00
    LDP discovery sources:
      GigabitEthernet0/0.300, Src IP addr: 10.0.1.2
      hello sent/rcvd: 1000/1000
    Addresses bound to peer LDP Ident:
      10.0.1.2 10.0.2.2

Based on this output, what can be concluded?

A. LDP is not configured for VRF CUSTOMER-C
B. The LDP session is operational with peer 10.0.0.5
C. The LDP session is using TCP port 179
D. The peer is discovered via OSPF
Answer: B

State is 'Oper' (operational), indicating the session is up.

Why this answer

The output shows 'State: Oper' and 'Up time: 02:30:00', which confirms the LDP session is fully operational. The peer LDP Ident is 10.0.0.5:0 and the local LDP Ident is 10.0.0.4:0, with a TCP connection established on port 646. This directly indicates that the LDP session with peer 10.0.0.5 is up and running.

Exam trap

Cisco often tests the distinction between LDP (TCP port 646) and BGP (TCP port 179), and candidates may confuse the 'Oper' state with a BGP session or assume LDP uses port 179 by default.

How to eliminate wrong answers

Option A is wrong because the command 'show mpls ldp neighbor vrf CUSTOMER-C' successfully returned detailed neighbor information, proving LDP is configured for that VRF. Option C is wrong because LDP uses TCP port 646, not port 179 (which is used by BGP). Option D is wrong because the output does not mention OSPF or any IGP; LDP discovery sources show a directly connected interface (GigabitEthernet0/0.300) and the peer's IP addresses, but the underlying IGP is not specified.

56
Matching · medium

Drag and drop each VRF-Lite vs MPLS VPN characteristic on the left to its matching description on the right.

Matches

Uses only VRFs without MPLS labels for path isolation

Uses MPLS labels to isolate traffic across the provider core

Why these pairings

VRF-Lite uses only VRFs without MPLS labels; MPLS VPN uses labels for isolation; VRF-Lite is limited to a single router; MPLS VPN scales across the core; VRF-Lite does not require MP-BGP; MPLS VPN uses MP-BGP for VPNv4 route exchange.

57
Matching · medium

Drag and drop each VRF component on the left to its matching function on the right.

Matches

Makes an IPv4 prefix globally unique across the MPLS VPN network

Controls which routes are imported into or exported from a VRF

Stores routing information for the VRF instance

Contains the IP routing table and forwarding table for the VRF

Used for MPLS label switching to forward traffic within the VPN

Why these pairings

The Route Distinguisher (RD) makes a customer prefix globally unique; the Route Target (RT) controls import/export of routes between VRFs; the RIB stores routing information for the VRF; the VRF table holds the IP routing table for the VRF; the VRF label is used for MPLS forwarding.

58
Matching · medium

Drag and drop each MP-BGP address family on the left to its matching use case on the right.

Matches

Carries IPv4 VPN routes with MPLS labels across the provider core

Carries IPv6 VPN routes with MPLS labels across the provider core

Carries global IPv4 unicast routes (non-VPN)

Carries global IPv6 unicast routes (non-VPN)

Carries Layer 2 VPN information such as pseudowires and VPLS

Why these pairings

VPNv4 address family carries IPv4 VPN routes; VPNv6 carries IPv6 VPN routes; IPv4 unicast carries global IPv4 routes; IPv6 unicast carries global IPv6 routes; L2VPN address family carries Layer 2 VPN information.
