Cisco CCNP ENARSI 300-410 (300-410) — Questions 676750

2152 questions total · 29pages · All types, answers revealed

Page 9

Page 10 of 29

Page 11
676
MCQmedium

Which OSPF LSA type is used to advertise prefixes from other areas into the backbone area?

A.Type 1 (Router LSA)
B.Type 2 (Network LSA)
C.Type 3 (Summary LSA)
D.Type 5 (External LSA)
AnswerC

Correct. Type 3 LSAs are used for inter-area route advertisement.

Why this answer

Type 3 LSAs (Summary LSAs) are generated by Area Border Routers (ABRs) to advertise networks from one area to another. They are used to propagate inter-area routes.

677
Multi-Selecthard

Which TWO statements about the 'ip access-group' command and its interaction with ACLs are correct? (Choose TWO.)

Select 2 answers
A.An inbound ACL processes packets after the routing decision is made.
B.An outbound ACL processes packets before they leave the interface, after the routing decision.
C.The ACL referenced in the 'ip access-group' command must already exist in the configuration.
D.The 'ip access-group' command can be applied to a Layer 2 switchport to filter IPv4 traffic.
E.The 'ip access-group' command can be applied to a VLAN interface (SVI) to filter traffic routed into or out of that VLAN.
AnswersB, C

Correct. Outbound ACLs process packets after routing, before the packet exits the interface.

Why this answer

Options B and C are correct. Option B is correct because an outbound ACL processes packets after the routing decision, just before the packet leaves the interface. Option C is correct because the ACL referenced in the 'ip access-group' command must already exist in the configuration; otherwise the command is rejected.

Option A is incorrect because an inbound ACL processes packets before the routing decision. Option D is incorrect because the 'ip access-group' command requires a Layer 3 interface; it cannot be applied to a Layer 2 switchport. Option E is incorrect because, while it is a true statement, the question specifically asks for two statements, and options B and C are the most fundamental regarding the command's interaction with ACLs.

Exam trap

Cisco often tests the misconception that an outbound ACL processes packets before routing, when in fact it processes after the routing decision, while an inbound ACL processes before routing.

678
MCQmedium

A network engineer is troubleshooting a route redistribution issue between RIP and OSPF. Router R1 runs both RIP and OSPF, and redistributes RIP routes into OSPF. The engineer notices that RIP routes are not appearing in the OSPF database on neighboring routers. The show ip ospf database external command on a neighbor shows no external routes from R1. The redistribute rip command is configured under OSPF on R1. What is the most likely cause?

A.The redistribute rip command under OSPF is missing the subnets keyword.
B.RIP has a higher administrative distance than OSPF.
C.The OSPF process on R1 has a distribute-list blocking these routes.
D.The RIP process on R1 is not running.
AnswerA

Correct: Without subnets, only classful networks are redistributed, causing missing routes.

Why this answer

When redistributing into OSPF, the subnets keyword is required to redistribute classless subnets. Without it, only classful networks are advertised, which may cause many routes to be missing.

679
MCQhard

What is the default metric for an IPv6 static route redistributed into OSPFv3?

A.0
B.1
C.20
D.10
AnswerC

OSPFv3 uses a default metric of 20 for redistributed routes.

Why this answer

When an IPv6 static route is redistributed into OSPFv3, OSPFv3 assigns a default metric of 20 to external routes (type E1 or E2). This is consistent with OSPFv2 behavior, where redistributed routes (including static routes) receive a default metric of 20 unless explicitly overridden with the `metric` keyword under the `redistribute` command. Option C is correct because the default metric for redistributed static routes in OSPFv3 is 20.

Exam trap

The trap here is that candidates often confuse the default metric for OSPFv3 redistributed routes (20) with the default metric for OSPFv3 intra-area routes (1) or with the default metric used by other routing protocols like EIGRP (10), leading them to select the wrong option.

How to eliminate wrong answers

Option A is wrong because a metric of 0 is not the default for redistributed static routes in OSPFv3; a metric of 0 would imply a directly connected route or a special case, but OSPFv3 does not assign 0 to redistributed routes. Option B is wrong because a metric of 1 is the default for OSPFv3 intra-area routes (e.g., for loopback interfaces or directly connected networks), not for redistributed external routes. Option D is wrong because a metric of 10 is the default for redistributed routes in EIGRP, not OSPFv3; OSPFv3 uses 20 as the default for external routes.

680
MCQeasy

What is the default CoPP policy on a Cisco IOS-XE router if no service-policy is applied to the control-plane?

A.All control-plane traffic is rate-limited to 64000 bps.
B.Only management traffic (SSH, Telnet) is rate-limited to 32000 bps.
C.No CoPP policy is applied; all control-plane traffic is processed without rate-limiting.
D.A default policy is applied that drops all traffic exceeding 128000 bps.
AnswerC

Correct. CoPP is not enabled by default.

Why this answer

C is correct because Cisco IOS-XE routers do not apply any default CoPP policy to the control-plane. Without an explicit 'service-policy' configuration under the 'control-plane' configuration mode, all control-plane traffic (including routing protocols, management traffic, and keepalives) is processed by the route processor without any rate-limiting or filtering. CoPP is an optional feature that must be manually configured to protect the control plane from excessive traffic.

Exam trap

Cisco often tests the misconception that CoPP has a built-in default policy or that management traffic is automatically rate-limited, when in fact no CoPP policy is applied unless explicitly configured under the control-plane with a service-policy.

How to eliminate wrong answers

Option A is wrong because there is no default rate-limit of 64000 bps; CoPP policies are not applied by default, and any such value would require explicit configuration. Option B is wrong because management traffic is not automatically rate-limited to 32000 bps; without a CoPP policy, all traffic, including SSH and Telnet, is processed normally. Option D is wrong because no default policy drops traffic at 128000 bps; CoPP policies must be explicitly defined and applied to enforce any drop or rate-limit behavior.

681
MCQhard

A network engineer configures iBGP within a VRF-Lite environment. The VRF has an IGP (OSPF) running, and BGP is used to exchange customer routes. The engineer notices that BGP routes are not being installed in the VRF routing table, even though they are present in the BGP table. The 'bgp redistribute-internal' command is not configured. Which is the most likely explanation?

A.The BGP synchronization rule is enabled, and the IGP does not have a route for the prefix, so BGP does not advertise the route.
B.The next-hop of the iBGP route is not reachable via any route in the VRF routing table, so the route is not installed.
C.The 'maximum-paths' command is set to 1, and there is already a route with a lower administrative distance.
D.The BGP table shows the route as 'rR' (rIBGP and RIB-failure), indicating a RIB failure due to a higher metric.
AnswerB

iBGP requires the next-hop to be reachable. If the next-hop (e.g., a loopback) is not in the IGP, the route is not installed.

Why this answer

In iBGP, the next-hop for a route learned from an iBGP peer must be reachable via an IGP or static route. If the next-hop is not reachable, the route is not installed in the routing table. Additionally, if the IGP does not carry the next-hop route (e.g., because it is a loopback not advertised), the route remains hidden.

This is a common edge case where synchronization is not the issue, but next-hop reachability is.

682
MCQhard

A network using IPv6 over IPv4 Teredo tunnels is experiencing intermittent connectivity. Router R1 has the following relevant configuration: interface Tunnel0 ipv6 address 2001:0:4136:E378:8000:63BF:3C57:DD0B/128 tunnel source 192.0.2.1 tunnel mode ipv6ip teredo. Router R2 shows: R2# show ipv6 route 2001:0:4136:E378::/64 % Route not found. What is the root cause?

A.The Teredo server IPv4 address is not configured on R1.
B.The tunnel mode should be ipv6ip teredo relay instead of teredo.
C.The IPv4 address of the Teredo relay is not reachable.
D.Teredo is not supported on Cisco IOS.
AnswerA

Without a Teredo server, the router cannot obtain a valid Teredo address or prefix.

Why this answer

The Teredo tunnel on R1 requires a Teredo server to facilitate the initial configuration and to help the client discover its public IPv4 address and the Teredo relay. Without the 'tunnel teredo server-ip' command specifying the Teredo server's IPv4 address, R1 cannot complete the Teredo setup, leading to an incomplete or non-functional tunnel. This results in the IPv6 prefix 2001:0:4136:E378::/64 not being installed in R2's routing table, as the tunnel interface never becomes fully operational.

Exam trap

Cisco often tests the distinction between Teredo server and relay roles, leading candidates to incorrectly focus on relay reachability or mode syntax when the missing server configuration is the actual root cause.

How to eliminate wrong answers

Option B is wrong because 'ipv6ip teredo relay' is not a valid tunnel mode; the correct mode for a Teredo client is 'tunnel mode ipv6ip teredo', and a Teredo relay uses a different configuration (often with 'tunnel mode ipv6ip' and a relay address). Option C is wrong because the reachability of the Teredo relay is not the primary issue; the problem is that the Teredo server address is missing, which prevents the client from even learning the relay's address. Option D is wrong because Teredo is fully supported on Cisco IOS, as demonstrated by the 'tunnel mode ipv6ip teredo' command being accepted in the configuration.

683
Multi-Selecthard

Which THREE symptoms indicate that route summarization may be causing routing issues in a network? (Choose THREE.)

Select 3 answers
A.Suboptimal routing paths are observed for certain destinations.
B.Traffic to some subnets is dropped (black hole) even though the summary route exists.
C.Routing loops occur due to less specific summary routes pointing to routers that lack the specific subnet.
D.High CPU utilization on routers due to frequent SPF calculations.
E.Duplicate IP addresses are detected in the network.
AnswersA, B, C

Summarization can cause routers to choose a less specific route, leading to suboptimal paths.

Why this answer

Route summarization can cause suboptimal routing because the summary route may point to a less specific path. It can also cause black holes if the summary route is advertised but the specific subnets are not reachable. Additionally, summarization can hide more specific routes, leading to routing loops if the summary route is less specific and points to a router that does not have the specific subnet.

High CPU usage is not a direct symptom of summarization issues, and duplicate IP addresses are unrelated.

684
MCQeasy

Which BGP message type is sent when a fatal error is detected, causing the BGP session to close?

A.OPEN
B.UPDATE
C.NOTIFICATION
D.KEEPALIVE
AnswerC

Correct. NOTIFICATION messages indicate errors and close the session.

Why this answer

NOTIFICATION messages are sent to report errors and terminate the BGP session.

685
MCQeasy

A network engineer is troubleshooting an IPv6 routing issue where a router is not learning routes from an OSPFv3 neighbor. The engineer checks the interface and finds an inbound IPv6 ACL that permits only OSPFv3 packets with a specific area ID in the packet. The ACL is using the 'ospfv3' keyword to match packets. The engineer also notices that the OSPFv3 neighbor is in a different area. What is the most likely cause of the route learning failure?

A.The ACL is dropping OSPFv3 packets from the neighbor because they contain a different area ID than what the ACL permits.
B.The OSPFv3 process is not configured with the correct router ID.
C.The interface is not enabled for OSPFv3.
D.The ACL is applied outbound, blocking the OSPFv3 packets from being sent.
AnswerA

Correct because the ACL permits only packets with a specific area ID, and the neighbor is in a different area, so its packets are dropped.

Why this answer

The ACL uses the 'ospfv3' keyword to match OSPFv3 packets and permits only those with a specific area ID. Since the neighbor is in a different area, its OSPFv3 packets contain a different area ID in the OSPFv3 header, causing the ACL to deny them. This prevents the router from receiving Hello packets and establishing adjacency, so routes are not learned.

Exam trap

Cisco often tests the nuance that the 'ospfv3' ACL keyword can match not only the protocol but also the area ID field, and candidates mistakenly assume the ACL only matches the protocol type (OSPFv3) without considering the area ID filter.

How to eliminate wrong answers

Option B is wrong because an incorrect router ID would affect OSPFv3 operation (e.g., adjacency formation or LSA origination), but the scenario explicitly states the ACL is filtering based on area ID, not router ID. Option C is wrong because if the interface were not enabled for OSPFv3, the router would not even attempt to send or receive OSPFv3 packets, yet the ACL is actively filtering inbound packets, implying OSPFv3 is enabled. Option D is wrong because the engineer checked the interface and found an inbound ACL; applying it outbound would not affect incoming packets, and the issue is with receiving routes, not sending them.

686
MCQeasy

What is the maximum hop count for a route in RIP?

A.15
B.16
C.255
D.32
AnswerA

Correct. The maximum valid hop count is 15; 16 indicates unreachable.

Why this answer

RIP (Routing Information Protocol) uses a maximum hop count of 15 to prevent routing loops. A route with a hop count of 16 is considered unreachable (infinite metric). This limit is defined in RFC 1058 for RIPv1 and RFC 2453 for RIPv2, ensuring that the network diameter remains small and loop-free.

Exam trap

Cisco often tests the distinction between the maximum hop count (15) and the unreachable metric (16), tricking candidates who think 16 is a valid route metric rather than a poison value.

How to eliminate wrong answers

Option B is wrong because a hop count of 16 in RIP is not a valid route metric; it is used to signify an unreachable route (infinite metric) and triggers route poisoning. Option C is wrong because 255 is the maximum TTL value in IP packets, not the RIP hop count limit; RIP uses a 4-bit metric field, which can only represent values 0–15. Option D is wrong because 32 is the maximum prefix length for IPv4 subnets, not a RIP hop count; RIP metrics are limited to 15 hops.

687
MCQeasy

A network engineer runs the following command to verify DHCPv4 pool configuration on router R1: R1# show ip dhcp pool DHCP_POOL Output: Pool DHCP_POOL : Utilization mark (high/low) : 100 / 0 Subnet size (first/next) : 0 / 0 Total addresses : 254 Leased addresses : 100 Pending event : none 1 subnet is currently in the pool : Current index IP address range Leased addresses 192.168.1.1 192.168.1.1 - 192.168.1.254 100 What does this output indicate?

A.The DHCP pool has 254 addresses available, and 100 are currently leased.
B.The DHCP pool is exhausted because 100 addresses are leased.
C.The DHCP server is using a database agent to store leases.
D.The DHCP pool has a utilization mark of 100%, meaning it is full.
AnswerA

Total addresses is 254, leased addresses is 100, so 154 are available.

Why this answer

Option A is correct because the output shows 'Total addresses: 254' and 'Leased addresses: 100', meaning the pool contains 254 total addresses (the /24 subnet) and 100 are currently leased, leaving 154 available. The 'Utilization mark (high/low): 100 / 0' indicates the thresholds for alerts, not actual usage, and the pool is not exhausted.

Exam trap

Cisco often tests the distinction between the 'Utilization mark' (a configurable threshold for alerts) and actual pool utilization, causing candidates to misinterpret the 100% high mark as meaning the pool is full.

How to eliminate wrong answers

Option B is wrong because the pool is not exhausted; only 100 of 254 addresses are leased, so 154 are still available. Option C is wrong because the output does not show any database agent configuration; the 'Pending event: none' line refers to pending DHCP events, not database agent status. Option D is wrong because the utilization mark of 100% is the high watermark threshold for alerts, not the actual utilization percentage; the actual utilization is 100/254 ≈ 39.4%.

688
MCQeasy

A network engineer is troubleshooting a VRF-Lite deployment where a router is configured with VRF_ORANGE. The engineer attempts to configure a static route in VRF_ORANGE using the command 'ip route vrf VRF_ORANGE 192.168.10.0 255.255.255.0 10.1.1.1', but the route does not appear in the routing table. The 'show ip route vrf VRF_ORANGE' does not show the static route. What is the most likely cause?

A.The next-hop IP address 10.1.1.1 is not reachable in VRF_ORANGE.
B.The 'ip classless' command is disabled.
C.The static route is missing the 'permanent' keyword.
D.The router has 'no ip routing' configured.
AnswerA

The static route will only be installed if the next-hop is reachable via a connected or dynamic route in the same VRF.

Why this answer

Static routes in VRF-Lite require that the next-hop IP address is reachable within the same VRF. If the next-hop is not in the VRF's routing table, the static route will not be installed.

689
MCQmedium

Examine the following EIGRP configuration on Router R3: interface GigabitEthernet0/1 ip bandwidth-percent eigrp 100 50 What is the effect of this command?

A.EIGRP will use only 50% of the interface bandwidth for data traffic.
B.EIGRP will limit its control traffic to 50% of the interface bandwidth.
C.EIGRP will adjust the metric calculation to use 50% of the bandwidth.
D.EIGRP will form neighbor adjacencies only when bandwidth usage is below 50%.
AnswerB

The ip bandwidth-percent eigrp command restricts the percentage of bandwidth EIGRP can use for its protocol traffic.

Why this answer

The `ip bandwidth-percent eigrp` command controls the percentage of the interface bandwidth that EIGRP can use for its control traffic (hello packets, updates, queries, and replies). By setting it to 50%, EIGRP will limit its control traffic to 50% of the configured interface bandwidth, preventing it from overwhelming the link. This does not affect data traffic or metric calculation.

Exam trap

The trap here is confusing the `ip bandwidth-percent eigrp` command (which limits EIGRP control traffic) with the `bandwidth` command (which sets the metric value and is used for QoS calculations), leading candidates to incorrectly think it adjusts metrics or data traffic limits.

How to eliminate wrong answers

Option A is wrong because the command only limits EIGRP control traffic, not data traffic; data traffic is unaffected and can use the full interface bandwidth. Option C is wrong because EIGRP metric calculation uses the interface bandwidth value directly (e.g., `bandwidth` command), not the percentage set by `ip bandwidth-percent eigrp`; this command does not alter the metric. Option D is wrong because neighbor adjacency formation is based on hello and hold timers, not on current bandwidth usage; the command does not conditionally prevent adjacency formation based on bandwidth utilization.

690
Multi-Selectmedium

Which TWO commands can be used to verify the operational state of BFD sessions on a Cisco IOS-XE router? (Choose TWO.)

Select 2 answers
A.show bfd neighbors
B.show bfd session
C.show ip route
D.show bfd statistics
E.show running-config | include bfd
AnswersA, B

This command shows BFD neighbor details, including session state.

Why this answer

The 'show bfd neighbors' command displays BFD session details such as neighbor address, interface, state, and timers. The 'show bfd session' command provides similar information, including the local discriminator and session state. The other commands are either unrelated or do not show BFD session state.

691
MCQmedium

A network engineer runs the following command to troubleshoot an Administrative Distance issue: R1# debug eigrp packets EIGRP Packets debugging is on (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY) *Mar 1 00:01:23.456: EIGRP: received UPDATE on GigabitEthernet0/0 nbr 10.1.1.2 *Mar 1 00:01:23.456: AS 100, Flags 0x0, Seq 1/0 idbQ 0/0 iidbQ un/rely 0/0 *Mar 1 00:01:23.456: Int: 192.168.5.0/24, metric 30720/28160 *Mar 1 00:01:23.456: EIGRP: Enqueueing UPDATE on GigabitEthernet0/0 nbr 10.1.1.2 iidbQ un/rely 0/1 peerQ un/rely 0/0 serno 1-1 What does this output indicate?

A.The router is receiving an EIGRP update for network 192.168.5.0/24 with a composite metric of 30720/28160.
B.The administrative distance for this route is 90 because it is internal.
C.The router is sending a query for network 192.168.5.0/24.
D.The EIGRP neighbor relationship is down.
AnswerA

The debug shows 'received UPDATE' and the metric.

Why this answer

The debug output shows EIGRP packet exchanges. It does not directly show administrative distance, but it indicates that an update is being sent and received for a specific network.

692
Multi-Selectmedium

Which THREE symptoms indicate a DHCP IPv4 starvation attack or address pool exhaustion? (Choose THREE.)

Select 3 answers
A.Legitimate clients fail to obtain an IP address via DHCP.
B.The DHCP pool shows 100% utilization with many unknown MAC addresses.
C.The DHCP server's binding table contains a large number of leases from spoofed MAC addresses.
D.Client devices experience high CPU utilization due to DHCP processing.
E.Duplicate IP address detection (DAD) failures are reported on all clients.
AnswersA, B, C

Pool exhaustion prevents new leases for real clients.

Why this answer

Option A is correct because a DHCP starvation attack exhausts the available IP addresses in the pool, preventing legitimate clients from obtaining a lease. When the address pool is fully depleted, the DHCP server cannot respond to new DISCOVER messages, causing clients to fail to acquire an IP address.

Exam trap

Cisco often tests the distinction between DHCP starvation symptoms and unrelated network issues like DAD failures or client CPU load, expecting candidates to recognize that only server-side indicators (pool exhaustion, spoofed MACs, client failure) are valid.

693
MCQhard

An engineer is troubleshooting a router that is configured as an NTP client. The router's clock is not synchronizing with the NTP server at 192.168.1.1. 'show ntp status' shows 'clock is unsynchronized', and 'show ntp associations' shows the server as '.INIT.' with no reachability. The engineer can ping the NTP server. What is the most likely cause?

A.The NTP server is not configured to respond to NTP requests from this client.
B.The router's 'ntp source' command is missing, causing NTP packets to use an incorrect source IP.
C.The router's clock is set too far in the future, causing NTP to reject the server's time.
D.The router has 'ntp authenticate' enabled without the proper key.
AnswerA

Ping works, but NTP uses UDP 123; the server may be configured to deny service to this client, or the server's NTP service is not running.

Why this answer

The '.INIT.' state in 'show ntp associations' indicates that the client has sent NTP packets to the server but has not received any valid NTP responses. Since the engineer can ping the server, Layer 3 connectivity is fine, ruling out network issues. The most likely cause is that the NTP server is not configured to respond to requests from this client, either due to an access control list (ACL) on the server, a 'restrict' statement denying the client, or the server not being configured as an NTP server at all.

Exam trap

Cisco often tests the distinction between client-side and server-side issues; the trap here is that candidates assume a reachable ping means NTP should work, but NTP uses a different protocol (UDP 123) and can be filtered or restricted independently of ICMP.

How to eliminate wrong answers

Option B is wrong because a missing 'ntp source' command would cause NTP packets to use the IP of the egress interface, which might still be reachable; it would not result in a complete lack of response ('.INIT.') unless the server specifically filters based on source IP, but that is a server-side issue, not a client-side misconfiguration. Option C is wrong because NTP uses a stratum-based hierarchy and timestamps; a client clock set too far in the future would still allow the client to receive NTP packets and update its clock (though it might take longer to synchronize), but it would not prevent the server from responding. Option D is wrong because if 'ntp authenticate' were enabled without the proper key, the client would still receive NTP packets from the server, but they would be discarded; 'show ntp associations' would show the server as '.AUTH.' or similar, not '.INIT.'.

694
MCQeasy

A network engineer runs the following command on Router R1: R1# show ip route ospf Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP a - application route + - replicated route, % - next hop override Gateway of last resort is not set O 10.2.2.0/24 [110/20] via 192.168.12.2, 00:12:34, GigabitEthernet0/0 O IA 10.3.3.0/24 [110/30] via 192.168.13.3, 00:10:21, GigabitEthernet0/1 Based on this output, what can be determined?

A.The route to 10.2.2.0/24 is an external OSPF route.
B.The route to 10.3.3.0/24 is learned from a different area.
C.Router R1 has a default route configured.
D.Both routes have the same administrative distance.
AnswerB, D

The route to 10.3.3.0/24 is marked with 'O IA', which indicates it is an inter-area OSPF route, learned from a different area than the router's own.

Why this answer

The routing table shows two OSPF routes: one intra-area (O) and one inter-area (O IA). Both routes have the same administrative distance of 110 (as shown in the bracket). The inter-area route (10.3.3.0/24) is learned from a different area, indicated by the 'IA' code.

Option D is correct because both routes share AD 110. Option A is incorrect because the route to 10.2.2.0/24 is intra-area (O), not external. Option C is incorrect because there is no default route (Gateway of last resort is not set).

695
MCQmedium

Which authentication method is supported by default for GRE tunnels in Cisco IOS-XE?

A.MD5 authentication
B.SHA-256 authentication
C.No authentication by default
D.Plain-text password authentication
AnswerC

GRE tunnels have no authentication by default; a key must be configured manually.

Why this answer

GRE tunnels in Cisco IOS-XE do not include any built-in authentication mechanism by default. The GRE protocol (RFC 2784) defines a simple encapsulation method without authentication or encryption; any security features must be added externally, such as using IPsec to protect the tunnel traffic. Therefore, the correct answer is that no authentication is enabled by default.

Exam trap

Cisco often tests the misconception that the GRE key field provides authentication, but it is only an optional identifier and does not offer any security; candidates may incorrectly assume that a key or password is required or that GRE has built-in authentication.

How to eliminate wrong answers

Option A is wrong because MD5 authentication is not a default feature of GRE tunnels; while Cisco supports a GRE key option (which is not authentication) and IPsec can provide MD5-based HMAC, the base GRE tunnel itself has no authentication. Option B is wrong because SHA-256 authentication is not supported natively by GRE; it would require IPsec or another security protocol to be applied to the tunnel. Option D is wrong because plain-text password authentication is not a feature of GRE; GRE does not support any form of password or authentication in its standard implementation.

696
MCQhard

R1 and R2 are iBGP peers in AS 65001. R1 has: neighbor 10.1.1.2 next-hop-self. R2 advertises a prefix 10.0.0.0/8 with next-hop 10.1.1.2. R1 receives the prefix and changes the next-hop to 10.1.1.1 (its own IP) due to next-hop-self. R1 then advertises this prefix to its eBGP peer R3 in AS 65002. R3 receives the prefix with next-hop 10.1.1.1. R3 has a static route to 10.1.1.0/24 via its interface to R1. However, R3 cannot reach 10.0.0.0/8 because R1 does not have a route to 10.0.0.0/8 in its routing table. What is the root cause?

A.R1 does not have a route to 10.0.0.0/8 in its routing table because the BGP route is not installed due to next-hop unreachable or administrative distance conflict.
B.R3 should use next-hop-self to R1.
C.The next-hop-self command on R1 is misconfigured; it should be on R2.
D.R1's BGP table shows the prefix with next-hop 10.1.1.1, but that is the next-hop after next-hop-self; the issue is that R1 did not originate the route.
AnswerA

R1 must have the prefix in its routing table to forward traffic; otherwise, it will drop packets.

Why this answer

R1 uses next-hop-self to change the next-hop to its own IP, but R1 must have a valid route to the prefix in its routing table to forward traffic. If R1 does not install the BGP route (e.g., because it is not the best path due to a higher metric or because the next-hop is unreachable), then R1 will not have a route to 10.0.0.0/8 in its routing table, and packets sent to R1 for that prefix will be dropped. The root cause is that R1 does not have the prefix installed in its routing table, possibly because it learned it from R2 but the next-hop (10.1.1.2) is not reachable in R1's routing table, or because R1 has a higher administrative distance route that overrides.

697
MCQeasy

What is the default authentication type for NHRP in a DMVPN configuration?

A.Plaintext password
B.MD5 hash
C.No authentication
D.IPsec
AnswerC

Correct. NHRP has no authentication by default.

Why this answer

By default, NHRP does not use any authentication. Authentication can be configured using the 'ip nhrp authentication' command, but it is disabled by default.

698
MCQhard

A network engineer is troubleshooting IPv6 routing issues between two routers connected via a serial link. Router R1 and Router R2 are running OSPFv3. The OSPFv3 adjacency is not forming. Router R1 has the following relevant configuration: interface Serial0/0 ipv6 address 2001:DB8:1::1/64 ipv6 ospf 1 area 0 ! Router R2 shows: debug ipv6 ospf hello output indicates that R2 is receiving Hello packets from R1, but the neighbor state remains INIT. What is the root cause?

A.The OSPFv3 process ID does not match between R1 and R2.
B.The serial interface has a mismatched network type, such as point-to-multipoint, which prevents adjacency formation on a point-to-point link.
C.The IPv6 address on the serial interface is not in the same subnet as R2's address.
D.The OSPFv3 hello interval is set to a non-default value that is not supported on serial links.
AnswerB

A network type mismatch can cause Hello packets to be ignored or not processed correctly, leading to INIT state.

Why this answer

On a point-to-point serial link, OSPFv3 defaults to the point-to-point network type. If one side is configured as point-to-multipoint (or another non-broadcast type), the routers will not form a full adjacency because the Hello protocol and neighbor discovery mechanisms differ. The debug output shows R2 receives Hellos from R1 but stays in INIT, which indicates that R2 does not see its own Router ID in the Hello packet's neighbor list — a classic symptom of network type mismatch on a serial interface.

Exam trap

Cisco often tests the misconception that OSPFv3 requires matching global IPv6 subnets or process IDs, when in fact the adjacency is built using link-local addresses and the process ID is locally significant.

How to eliminate wrong answers

Option A is wrong because OSPFv3 process IDs are locally significant and do not need to match between routers; adjacency can form with different process IDs. Option C is wrong because OSPFv3 uses link-local addresses for neighbor discovery and does not require global unicast addresses to be in the same subnet; the interface's global address is irrelevant for adjacency formation. Option D is wrong because OSPFv3 Hello intervals can be modified on serial links and are not inherently unsupported; a mismatch would cause the neighbor state to remain DOWN or EXSTART, not INIT with received Hellos.

699
MCQmedium

Consider the following partial configuration on router R1: ``` interface GigabitEthernet0/1 ip access-group MY_ACL in ! ip access-list extended MY_ACL permit tcp 10.1.1.0 0.0.0.255 any eq 80 permit icmp any any echo deny ip any any ``` What is the effect of this ACL when applied inbound on GigabitEthernet0/1?

A.It permits HTTP requests from 10.1.1.0/24 and ICMP Echo requests from any source; all other IP traffic is denied.
B.It permits HTTP requests from 10.1.1.0/24 and all ICMP traffic; all other IP traffic is denied.
C.It permits HTTP requests from any source to 10.1.1.0/24 and ICMP Echo requests; all other traffic is denied.
D.It permits HTTP requests from 10.1.1.0/24 and ICMP Echo replies; all other IP traffic is denied.
AnswerA

Correct. The ACL permits the specified traffic and denies all other IP traffic.

Why this answer

The ACL is applied inbound on GigabitEthernet0/1. The first permit statement allows TCP traffic from source network 10.1.1.0/24 to any destination on port 80 (HTTP). The second permit statement allows ICMP Echo requests (type 8) from any source.

The final deny statement blocks all other IP traffic. Therefore, only HTTP requests from 10.1.1.0/24 and ICMP Echo requests from any source are permitted; all other IP traffic is denied.

Exam trap

Cisco often tests the distinction between ICMP Echo request and Echo reply, and the trap here is that the 'echo' keyword in an ACL permits only Echo requests, not all ICMP traffic or Echo replies.

How to eliminate wrong answers

Option B is wrong because it states 'all ICMP traffic' is permitted, but the ACL only permits ICMP Echo requests (type 8), not other ICMP types like Echo replies (type 0) or destination unreachable. Option C is wrong because it reverses the source and destination for HTTP traffic; the ACL permits HTTP from 10.1.1.0/24 to any, not from any to 10.1.1.0/24. Option D is wrong because it specifies ICMP Echo replies, but the ACL permits ICMP Echo requests (the 'echo' keyword in Cisco ACLs matches Echo requests, not replies).

700
MCQmedium

Given the following configuration snippet on Router R5: router eigrp 400 network 10.1.1.0 0.0.0.255 What is wrong with this configuration?

A.The wildcard mask should be 255.255.255.0.
B.The network address should be the classful network 10.0.0.0.
C.The configuration is correct as shown.
D.The AS number 400 is invalid; EIGRP AS numbers must be between 1 and 65535.
AnswerC

The network command with a wildcard mask is valid for EIGRP.

Why this answer

Option C is correct because the configuration uses a valid EIGRP AS number (400) and a correct wildcard mask (0.0.0.255) to match the 10.1.1.0/24 subnet. In EIGRP, the network command uses a wildcard mask to specify the exact interfaces to advertise, and 0.0.0.255 is the proper inverse of the subnet mask 255.255.255.0.

Exam trap

Cisco often tests the distinction between wildcard masks and subnet masks, leading candidates to incorrectly assume that a subnet mask (like 255.255.255.0) should be used in the EIGRP network command instead of the correct wildcard mask.

How to eliminate wrong answers

Option A is wrong because the wildcard mask 0.0.0.255 is correct; using 255.255.255.0 would be a subnet mask, not a wildcard mask, and would not match the intended network. Option B is wrong because EIGRP allows specifying a subnet with a wildcard mask, and using the classful network 10.0.0.0 would enable EIGRP on all interfaces in the 10.0.0.0/8 range, which is not required and could cause unnecessary neighbor relationships. Option D is wrong because EIGRP AS numbers can range from 1 to 65535, and 400 falls within that valid range.

701
MCQmedium

What is the default hash algorithm for IKEv1 phase 1 in Cisco IOS when not explicitly configured?

A.SHA-1
B.MD5
C.SHA-256
D.No default; hash must be configured
AnswerB

MD5 is the default hash algorithm for IKEv1.

Why this answer

In Cisco IOS, when IKEv1 phase 1 parameters are not explicitly configured, the default hash algorithm is MD5. This is because the default IKE proposal in Cisco IOS includes MD5 as the hash algorithm, along with DES encryption and Diffie-Hellman group 1. MD5 was chosen historically for its lower computational overhead, though it is now considered cryptographically weak.

Exam trap

Cisco often tests the misconception that IKEv1 has no default hash or that SHA-1 is the default, when in fact MD5 is the default for IKEv1 phase 1 in Cisco IOS.

How to eliminate wrong answers

Option A is wrong because SHA-1 is not the default hash algorithm for IKEv1 phase 1 in Cisco IOS; it must be explicitly configured if desired. Option C is wrong because SHA-256 is a stronger hash that is only available in newer IKE proposals and is never the default for IKEv1 phase 1. Option D is wrong because Cisco IOS does have a default hash algorithm (MD5) for IKEv1 phase 1; the hash does not have to be explicitly configured.

702
MCQmedium

What is the default administrative distance for a route installed by Policy-Based Routing (PBR) using the 'set ip next-hop' command?

A.0
B.1
C.The administrative distance of the routing protocol that learned the route.
D.120
AnswerC

PBR does not alter the administrative distance; the route retains the AD of the original routing protocol.

Why this answer

PBR does not change the administrative distance of the route; the route is installed with the AD of the routing protocol that learned it. The 'set ip next-hop' command does not modify AD.

703
Multi-Selectmedium

Which TWO statements about IPv4 extended access control lists are true? (Choose TWO.)

Select 2 answers
A.They can filter based on source and destination IP addresses.
B.They are typically placed as close to the source as possible.
C.They use a wildcard mask only for the destination address.
D.They can be named using numbers only.
E.They automatically log all matched packets.
AnswersA, B

Extended ACLs can specify both source and destination addresses in the permit/deny statement.

Why this answer

Option A is correct because IPv4 extended ACLs can filter traffic based on both source and destination IP addresses, as well as protocol type, port numbers, and other parameters. This is defined in the access-list command syntax (e.g., access-list 100 permit tcp 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255 eq 80), which allows granular control beyond standard ACLs that only filter on source IP.

Exam trap

Cisco often tests the misconception that extended ACLs can only be numbered, but they support named ACLs as well, and that wildcard masks apply only to one address field, whereas they apply to both source and destination.

704
MCQmedium

A network engineer runs the following command to verify NAT on a VRF: R1# show ip nat translations vrf CUSTOMER Pro Inside global Inside local Outside local Outside global --- 10.2.2.2 10.1.1.1 192.168.1.1 192.168.1.1 What is the purpose of the 'vrf CUSTOMER' parameter?

A.It filters translations for a specific VRF, allowing per-customer NAT.
B.It shows all translations across all VRFs.
C.It enables NAT on the VRF interface.
D.It creates a new VRF for NAT.
AnswerA

VRF-aware NAT is used to translate addresses for different customers.

Why this answer

The 'vrf CUSTOMER' parameter filters the output of 'show ip nat translations' to display only the NAT entries associated with the specified VRF (CUSTOMER). This allows per-customer NAT visibility in MPLS VPN or multi-VRF environments, where each VRF maintains its own separate NAT translation table. Without this parameter, the command would show all NAT translations across all VRFs, which is not the intended behavior.

Exam trap

Cisco often tests the distinction between filtering output and enabling a feature; the trap here is that candidates may think the 'vrf' parameter enables NAT on the VRF or creates a VRF, when in fact it only filters the display of existing translations.

How to eliminate wrong answers

Option B is wrong because 'show ip nat translations vrf CUSTOMER' does not show all translations across all VRFs; it specifically filters to show only translations for the VRF named CUSTOMER. Option C is wrong because the 'vrf' parameter in this command is used for filtering output, not for enabling NAT on a VRF interface; NAT is enabled on an interface using the 'ip nat inside' or 'ip nat outside' commands under the interface configuration, optionally within a VRF. Option D is wrong because the 'vrf' parameter does not create a new VRF; VRFs are created using the 'vrf definition' or 'ip vrf' command in global configuration mode.

705
Drag & Drophard

Drag and drop the steps to troubleshoot SPAN, RSPAN, and ERSPAN adjacency or connectivity failures into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Begin by checking the SPAN/RSPAN/ERSPAN session status with show commands. Then, verify that the source and destination VLANs or interfaces are up. Next, confirm that any intermediate switches support the required encapsulation.

After that, test IP connectivity for ERSPAN destinations using ping. Finally, review ACLs or filters that might block mirrored traffic.

706
MCQmedium

Examine the partial BFD configuration on a router: interface GigabitEthernet0/0 bfd interval 100 min_rx 100 multiplier 3 ! interface GigabitEthernet0/1 bfd interval 200 min_rx 200 multiplier 3 ! router ospf 1 bfd all-interfaces ! The router has OSPF neighbors on both interfaces. Which statement is true?

A.Both BFD sessions will use the same timer values because OSPF is configured with 'bfd all-interfaces'.
B.The BFD session on GigabitEthernet0/0 will detect failures in 300 ms, and on GigabitEthernet0/1 in 600 ms.
C.The BFD session on GigabitEthernet0/1 will not form because the interval is too high.
D.The router will use the minimum interval across all interfaces for consistency.
AnswerB

Correct. Detection time = multiplier * interval. For Gi0/0: 3*100=300 ms; for Gi0/1: 3*200=600 ms.

Why this answer

BFD timers are configured per interface. Each BFD session independently uses the timers configured on its respective interface. The multiplier is applied per session.

707
Multi-Selecthard

Which TWO commands can be used to verify OSPFv3 interface parameters and troubleshoot adjacency issues? (Choose TWO.)

Select 2 answers
A.show ipv6 ospf interface
B.debug ipv6 ospf hello
C.show ip ospf interface
D.debug ip ospf adj
E.show ipv6 ospf database
AnswersA, B

Correct. This command displays OSPFv3 interface parameters such as area, cost, hello interval, dead interval, and neighbor state.

Why this answer

The 'show ipv6 ospf interface' command displays OSPFv3 interface parameters, and 'debug ipv6 ospf hello' can be used to troubleshoot hello packet issues. The other commands are either invalid or for OSPFv2 only.

708
MCQmedium

A network engineer runs the following command to verify OSPF interface details: R1# show ip ospf interface gigabitethernet0/0 detail GigabitEthernet0/0 is up, line protocol is up Internet Address 10.1.1.1/24, Area 0 Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 10 Transmit Delay is 1 sec, State BDR, Priority 1 Designated Router (ID) 2.2.2.2, Interface address 10.1.1.2 Backup Designated router (ID) 1.1.1.1, Interface address 10.1.1.1 Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 oob-resync timeout 40 Hello due in 00:00:03 Supports Link-local Signaling (LLS) Cisco NSF helper support enabled IETF NSF helper support enabled Can be protected by per-prefix Loop-Free Fast Reroute Can be used for per-prefix Loop-Free Fast Reroute repair paths Index 1/1, flood queue length 0 Next 0(0)/0(0) Last flood scan length is 1, maximum is 25 Last flood scan time is 0 msec, maximum is 4 msec Neighbor Count is 1, Adjacent neighbor count is 1 Adjacent with neighbor 2.2.2.2 (Designated Router) Suppress hello for 0 neighbor(s) What does this output indicate?

A.The router is the DR on this segment.
B.The router has a full adjacency with the DR (2.2.2.2).
C.The interface is in a passive state with no neighbors.
D.The Hello timer is set to 40 seconds.
AnswerB

The output shows 'Adjacent with neighbor 2.2.2.2 (Designated Router)' indicating a full adjacency.

Why this answer

The output shows detailed OSPF interface parameters, including state, timers, and neighbor information.

709
MCQhard

A DMVPN phase 3 network with IPv6 over IPv4 tunnels is experiencing spoke-to-spoke tunnel failures. Hub router R1 has the following relevant configuration: interface Tunnel0 ipv6 address 2001:DB8:1::1/64 tunnel source GigabitEthernet0/0 tunnel mode gre multipoint ip nhrp network-id 1 ip nhrp map multicast dynamic ipv6 nhrp map multicast dynamic. Spoke router R2 shows: R2# show dmvpn detail Legend: Attrb -> S: Static, D: Dynamic, I: Incomplete NHRP domain: 1 Interface: Tunnel0, IPv4 NHRP Details Type:Spoke, Total NBMA Peers: 1 # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb 1 192.0.2.2 2001:DB8:1::2 UP 00:10:00 D. What is the root cause?

A.The hub is missing the ip nhrp redirect command under Tunnel0.
B.The spoke is missing the ip nhrp shortcut command under Tunnel0.
C.The tunnel mode should be gre multipoint on the spokes.
D.IPv6 NHRP is not supported on DMVPN phase 3.
AnswerA

This command enables NHRP redirect messages, which are essential for phase 3 spoke-to-spoke shortcut establishment.

Why this answer

In DMVPN Phase 3, spoke-to-spoke tunnels rely on the hub to send NHRP Redirect messages to trigger shortcut creation. The hub's configuration is missing the `ip nhrp redirect` command under Tunnel0, which prevents it from informing the spoke that a better path exists directly to another spoke. Without this redirect, the spoke never initiates an NHRP Resolution Request to build a direct tunnel, causing spoke-to-spoke communication to fail.

Exam trap

Cisco often tests the distinction between Phase 2 (where `ip nhrp map multicast dynamic` alone enables spoke-to-spoke tunnels) and Phase 3 (which additionally requires `ip nhrp redirect` on the hub and `ip nhrp shortcut` on spokes), causing candidates to overlook the missing redirect command.

How to eliminate wrong answers

Option B is wrong because the spoke's missing `ip nhrp shortcut` command would prevent it from installing the NHRP shortcut route, but the root cause is the hub not sending the redirect; the spoke cannot act on a redirect it never receives. Option C is wrong because DMVPN Phase 3 spokes can use either `gre multipoint` or point-to-point GRE tunnels; the spoke's tunnel mode is not the issue here. Option D is wrong because IPv6 NHRP is fully supported on DMVPN Phase 3, as evidenced by the IPv6 NHRP configuration and the hub's `ipv6 nhrp map multicast dynamic` command.

710
MCQhard

An engineer configures a DMVPN Phase 2 network. Spoke routers are configured with a route map that sets the next-hop to the tunnel interface for routes learned from the hub. This is intended to allow spoke-to-spoke direct communication. However, spoke-to-spoke traffic still goes through the hub. Which is the most likely explanation?

A.The route map is applied on the spoke router inbound from the hub, but it should be applied on the hub router outbound to the spokes.
B.The route map uses a prefix-list that does not match the spoke's subnet.
C.The spoke routers have NHRP authentication mismatch, preventing direct communication.
D.The tunnel mode is mGRE on the spokes, which does not support spoke-to-spoke.
AnswerA

The hub must set the next-hop to the remote spoke's tunnel IP; the spoke cannot change the next-hop for routes received from the hub.

Why this answer

In DMVPN Phase 2, spoke-to-spoke direct communication requires that the spoke routers have a route with the next-hop set to the tunnel interface of the remote spoke. However, if the route map is applied inbound on the spoke from the hub, it sets the next-hop to the hub's tunnel interface, not the remote spoke. The correct approach is to use a route map on the hub that sets the next-hop to the spoke's tunnel IP when advertising routes, or to use the 'next-hop-self' command incorrectly.

The edge case is that the route map is applied on the spoke, not the hub.

711
MCQmedium

A network engineer runs the following command to troubleshoot a Policy-Based Routing (PBR) issue: R1# debug ip policy Policy routing debugging is on R1# *Mar 1 00:10:45.456: IP: s=172.16.1.5 (FastEthernet0/0), d=8.8.8.8, len 64, policy match *Mar 1 00:10:45.456: IP: s=172.16.1.5 (FastEthernet0/0), d=8.8.8.8, len 64, policy routed *Mar 1 00:10:45.456: IP: FastEthernet0/0 to Serial0/0 10.1.1.2 What does this output indicate?

A.The packet was successfully policy-routed to 10.1.1.2 via Serial0/0.
B.The packet was dropped due to no matching route.
C.The next-hop 10.1.1.2 is unreachable.
D.The route-map is misconfigured with wrong ACL.
AnswerA

The output shows 'policy routed' and the egress interface and next-hop.

Why this answer

The debug shows a packet from 172.16.1.5 to 8.8.8.8 that matched the policy and was routed out of Serial0/0 to next-hop 10.1.1.2. This indicates successful PBR operation.

712
MCQmedium

A network engineer runs the following command to troubleshoot an IP SLA issue: R1# show ip sla configuration 10 IP SLAs, Infrastructure Engine-II. Entry number: 10 Owner: Tag: Type of operation to perform: icmp-echo Target address: 192.168.1.1 Type Of Service parameter: 0x0 Request size (ARR data portion): 28 Operation timeout (milliseconds): 5000 Frequency (seconds): 60 Next Scheduled Start Time: Start Time already occurred Group Scheduled : FALSE Life (seconds): Forever Entry Ageout (seconds): never Recurring (Starting Everyday): FALSE Status of entry (SNMP RowStatus): Active Threshold (milliseconds): 5000 Distribution Statistics: Number of history intervals kept: 0 Number of history buckets kept: 15 History Statistics: Number of history Lives kept: 0 What does this output indicate?

A.The IP SLA operation is configured as an HTTP GET request to 192.168.1.1.
B.The IP SLA operation is configured as an ICMP echo probe to 192.168.1.1 with a 60-second frequency.
C.The IP SLA operation has a timeout of 60 seconds and a frequency of 5 seconds.
D.The IP SLA operation is in a 'Pending' state and not yet active.
AnswerB

The configuration shows 'icmp-echo' type, target 192.168.1.1, and frequency 60 seconds.

Why this answer

This output shows the configuration of IP SLA operation 10. It is an ICMP echo probe to 192.168.1.1, with a 60-second frequency and 5-second timeout. The status is 'Active', meaning it is enabled.

713
MCQmedium

What is the default behavior of EEM when a policy encounters a runtime error?

A.EEM automatically retries the policy up to three times.
B.EEM logs the error and continues with the next policy.
C.EEM reloads the device to clear the error.
D.EEM ignores the error and proceeds with the next action in the same policy.
AnswerB

The error is logged, and if multiple policies are queued, execution continues with the next.

Why this answer

By default, EEM logs the error via syslog and stops executing the policy; it does not retry.

714
MCQmedium

When using 'set ip next-hop verify-availability', what mechanism does the router use to determine if the next-hop is reachable?

A.It sends an ICMP echo request to the next-hop every 10 seconds.
B.It checks the ARP table for the next-hop MAC address.
C.It uses a tracked object that can be based on IP SLA, interface state, or other criteria.
D.It performs a recursive routing table lookup to see if the next-hop is reachable.
AnswerC

The track object defines the condition; if the track is up, the next-hop is considered reachable.

Why this answer

The 'verify-availability' option uses a tracked object (configured with the 'track' command) which can be based on IP SLA, interface line-protocol, or other criteria. It does not use ARP or ICMP by default.

715
MCQhard

An engineer configures IPsec between two routers. The tunnel does not come up. 'show crypto isakmp sa' shows MM_NO_STATE. Which is the most likely explanation?

A.The IKE mode is mismatched: the initiator is using aggressive mode, but the responder expects main mode.
B.The pre-shared key is mismatched.
C.The transform-set is mismatched.
D.The access-list for interesting traffic is misconfigured.
AnswerA

Aggressive mode and main mode are incompatible. If one side uses aggressive mode and the other uses main mode, the IKE exchange will fail, resulting in MM_NO_STATE.

Why this answer

MM_NO_STATE indicates that IKE Phase 1 has not started. In aggressive mode, the initiator sends all IKE parameters in the first packet, and if the responder does not have a matching policy, the exchange fails. However, a common edge case is that the responder is configured for main mode while the initiator is configured for aggressive mode, causing the exchange to fail before any state is established.

716
MCQhard

An engineer configures OSPF on two directly connected routers with MTU 1500 on one interface and MTU 1400 on the other. The OSPF adjacency forms but remains in EXSTART state. Which is the most likely explanation?

A.The router with the larger MTU sends DBD packets that exceed the smaller MTU, causing the receiver to drop them and remain in EXSTART.
B.The router with the smaller MTU cannot send hello packets due to fragmentation, so the adjacency never forms.
C.OSPF uses TCP, and the MTU mismatch causes TCP segmentation issues, leading to EXSTART.
D.The MTU mismatch causes a routing loop, preventing the exchange of LSAs.
AnswerA

OSPF DBD packets include the MTU of the sending interface. If the receiving interface has a smaller MTU, it will ignore the DBD packet, preventing the adjacency from progressing.

Why this answer

OSPF uses the MTU of the interface to determine the maximum size of Database Description (DBD) packets. If the MTU mismatch is such that the DBD packet from the larger MTU side is fragmented or dropped by the smaller MTU interface, the adjacency will stall in EXSTART. OSPF does not negotiate MTU; it simply compares the MTU value in the DBD packet.

If the receiving interface has a smaller MTU, it will reject the DBD packet, causing the neighbor to stay in EXSTART.

717
MCQmedium

A network engineer is troubleshooting an OSPF adjacency that fails to come up. Both routers are directly connected via a serial link. BFD is enabled on the interface. The engineer sees that the BFD session is down. The OSPF configuration shows 'ip ospf bfd' under the interface. The serial interface is up/up. What should the engineer check first?

A.Verify that the 'bfd' command is configured under the OSPF process.
B.Check if the serial interface is configured with 'encapsulation ppp'.
C.Ensure that the 'ip ospf bfd' command is also configured on the neighbor router.
D.Verify that the serial interface clock rate is set correctly.
AnswerA

For OSPF BFD to work, the 'bfd' command must be enabled under the OSPF routing process (router ospf X, then 'bfd all-interfaces' or per-neighbor). Without it, the BFD session will not be initiated.

Why this answer

BFD on serial interfaces often requires the 'bfd interval' command to be explicitly configured, as the default may be disabled. Also, serial interfaces may need the 'bfd' command under the routing protocol as well.

718
MCQmedium

An engineer is troubleshooting a BGP route selection issue. Router R1 receives two paths for prefix 10.0.0.0/8: one from eBGP peer R2 (AS 65002) with weight 0, local preference 100, and AS path 65002; and another from eBGP peer R3 (AS 65003) with weight 0, local preference 200, and AS path 65003 65004. R1's BGP table shows the path from R3 as the best route. The engineer wants the path from R2 to be preferred. What should the engineer do?

A.Configure a route-map on R1 to set local preference 150 for routes from R2.
B.Configure a route-map on R1 to set local preference 250 for routes from R2.
C.Configure a route-map on R1 to prepend two additional AS numbers to the AS path from R3.
D.Configure a route-map on R1 to set weight 100 for routes from R2.
AnswerB, D

Setting local preference 250 is higher than 200, so after weight comparison (both 0), R2 becomes the best path. Correct.

Why this answer

BGP path selection compares weight first. Option D sets weight 100 for routes from R2 (default weight 0), making the R2 path preferred over R3's path (weight 0). Option B sets local preference 250, which is higher than R3's 200, so after weight tie (both 0) it wins.

Option A sets local preference 150, which is lower than 200, so R3 still wins. Option C prepends AS numbers, which lengthens the AS path, making R3 path less preferred in AS path length comparison, but since local preference is compared first, this change is irrelevant because R2's local preference is lower than R3's. Thus only B and D achieve the goal.

719
MCQhard

EIGRP network is experiencing stuck-in-active (SIA) routes. Router R1 shows: show ip eigrp topology active includes 10.0.0.0/24. Router R2 has: interface GigabitEthernet0/0, ip summary-address eigrp 100 10.0.0.0 255.255.255.0. What is the root cause?

A.The summary address on R2 is causing a query for the specific route to be suppressed.
B.R1 has a stuck interface causing the SIA.
C.EIGRP is misconfigured with wrong autonomous system number.
D.The route 10.0.0.0/24 is flapping, causing continuous queries.
AnswerA

Summary addresses can cause queries to be aggregated, leading to SIA if replies are not received.

Why this answer

The correct answer is A because the summary address configured on R2 (ip summary-address eigrp 100 10.0.0.0 255.255.255.0) causes R2 to advertise a single summary route (10.0.0.0/24) to R1. When R1 loses its route to 10.0.0.0/24 and sends a query for the specific prefix, R2 does not reply because the summary address suppresses the query for the more specific route, leaving R1 stuck-in-active (SIA) waiting for a reply that never comes.

Exam trap

Cisco often tests the subtle interaction between EIGRP summary addresses and query suppression, where candidates mistakenly think SIA is caused by flapping or interface issues, rather than understanding that a summary address on a downstream router can prevent query replies for more specific prefixes.

How to eliminate wrong answers

Option B is wrong because a stuck interface would cause neighbor loss or interface errors, not a query suppression scenario; SIA is caused by unacknowledged queries, not interface state. Option C is wrong because if the autonomous system numbers were mismatched, the EIGRP neighbors would not form at all, and the show ip eigrp topology active command would not show the route. Option D is wrong because route flapping triggers continuous updates and queries, but the root cause here is the summary address suppressing the query reply, not instability of the route itself.

720
Drag & Dropmedium

Drag and drop the steps to configure IPv6 RA Guard on a switch into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

First, globally enable IPv6 snooping. Then define an RA Guard policy with the trusted or untrusted role. Apply the policy to the desired interface.

Verify the configuration with show commands. Finally, test the RA Guard operation by sending RAs from unauthorized ports.

721
MCQhard

A network engineer configures an IPv6 over IPv4 GRE tunnel with IPsec protection. The tunnel works for IPv6 traffic, but when the engineer tries to run EIGRP for IPv6 over the tunnel, the neighbor relationship forms but routes are not exchanged. The engineer checks the EIGRP configuration and sees that the tunnel interface is included in the EIGRP process. What is the most likely explanation?

A.EIGRP for IPv6 requires the 'no shutdown' command under the address-family; without it, the process is administratively down.
B.The tunnel interface is not configured with 'ipv6 eigrp' under the interface.
C.The IPsec transform set does not allow multicast traffic, which EIGRP uses for hellos.
D.The GRE tunnel does not support EIGRP for IPv6; only OSPFv3 is supported.
AnswerA

Unlike EIGRP for IPv4, EIGRP for IPv6 has a shutdown state by default. The 'no shutdown' command is required to activate the address-family.

Why this answer

Option A is correct because EIGRP for IPv6 requires the 'no shutdown' command under the address-family configuration to activate the routing process. Without it, the EIGRP process remains administratively down, which prevents route exchange even though the neighbor relationship forms (since EIGRP hellos are sent but routes are not advertised or processed). This is a common misconfiguration when transitioning from EIGRP for IPv4, which does not require an explicit 'no shutdown'.

Exam trap

Cisco often tests the 'no shutdown' requirement for EIGRP for IPv6, tricking candidates who assume the process is automatically enabled once configured, similar to EIGRP for IPv4.

How to eliminate wrong answers

Option B is wrong because the scenario states the tunnel interface is included in the EIGRP process, which implies the 'ipv6 eigrp' command under the interface is configured; the issue is the process itself being administratively down. Option C is wrong because IPsec transform sets do not inherently block multicast traffic; GRE tunnels encapsulate IPv6 multicast (including EIGRP hellos) as IPv4 unicast, and IPsec protects the GRE payload without filtering multicast. Option D is wrong because GRE tunnels fully support EIGRP for IPv6; there is no protocol restriction—EIGRP for IPv6 operates over any IPv6-capable interface, including GRE tunnels.

722
MCQmedium

Which statement accurately describes the default behavior of auto-summary in EIGRP on Cisco IOS-XE?

A.Auto-summary is enabled by default, causing EIGRP to summarize at classful boundaries.
B.Auto-summary is disabled by default, and EIGRP advertises subnets without automatic summarization.
C.Auto-summary is enabled by default but only for external routes.
D.Auto-summary is disabled by default unless the network is configured with a classful mask.
AnswerB

Correct. IOS-XE defaults to no auto-summary, preserving subnet information.

Why this answer

In Cisco IOS-XE, EIGRP auto-summary is disabled by default. This means that EIGRP advertises subnets without automatically summarizing them at classful boundaries, allowing for more granular route advertisement and preventing routing issues in discontiguous networks.

Exam trap

Cisco often tests the misconception that auto-summary is still enabled by default in EIGRP on modern IOS-XE, when in fact it was changed to disabled by default starting from IOS 15.0(1)M and later.

How to eliminate wrong answers

Option A is wrong because auto-summary is not enabled by default on Cisco IOS-XE; it was enabled by default in older IOS versions but is now disabled. Option C is wrong because auto-summary, when enabled, applies to all routes, not just external routes; there is no such distinction in the default behavior. Option D is wrong because auto-summary is disabled by default regardless of whether the network is configured with a classful mask; the classful mask configuration does not re-enable auto-summary.

723
MCQhard

A VRF-aware network uses route leaking between VRF A and VRF B. After configuring Flexible NetFlow to monitor traffic in VRF A, some routes that were previously leaked to VRF B disappear. Router R1 has: ip route vrf A 10.0.0.0 255.0.0.0 Null0. route-map LEAK permit 10 match ip address prefix-list GLOBAL. The prefix-list GLOBAL permits 10.0.0.0/8. The flow monitor is applied to the VRF A interface. What is the root cause?

A.The flow monitor is configured with a match ip address prefix-list that references the same prefix-list as the route-map, but the flow monitor's action is to drop packets matching that prefix, causing the route to be withdrawn.
B.The route-map LEAK is also applied to the flow monitor as a filter, and the flow monitor's match statement is misconfigured to deny the route, preventing the route from being leaked.
C.The VRF A interface has a flow monitor applied that uses a flow record with the 'vrf' field, causing the router to ignore the route leaking configuration.
D.The route leaking configuration requires a next-hop that is not reachable due to the flow monitor consuming bandwidth.
AnswerA

This is the root cause. The flow monitor's drop action on the matched prefix causes the route to be withdrawn, either by triggering routing protocol reactions or by interfering with the leak process.

Why this answer

The flow monitor is configured with a match ip address prefix-list statement referencing the same prefix-list used in the route-map LEAK. However, the flow monitor's action is set to drop packets matching that prefix. When the flow monitor is applied in the input direction on the VRF A interface, it evaluates packets before they are processed for routing.

If the flow monitor matches a packet with the 10.0.0.0/8 destination, it drops the packet. This can cause the router to withdraw the route because the router may interpret the sustained packet drops for that prefix as an indication that the next hop is unreachable, or because the flow monitor's drop action interferes with the route-leaking process. Although Flexible NetFlow typically does not affect routing, a misconfigured flow monitor with a drop action can inadvertently influence route availability, leading to the disappearance of leaked routes.

724
MCQhard

A network engineer configures SNMP traps on router R3 to monitor BGP events. R3 is an iBGP route reflector with multiple clients. The configuration includes: snmp-server enable traps bgp, snmp-server host 192.168.1.100 version 2c public. However, the NMS receives no BGP traps. R3's show snmp pending shows no pending traps. show snmp statistics shows TrapsSent: 0. The NMS can poll R3 successfully via SNMP. What is the root cause?

A.The BGP process is not configured to send traps to the SNMP agent; the command 'snmp-server enable traps bgp' is insufficient on some IOS versions without also enabling 'bgp snmp trap' under the BGP router configuration.
B.The NMS is using SNMPv3 but the router is configured for v2c, causing trap rejection.
C.An ACL on the NMS is blocking UDP port 162 from the router.
D.The router's SNMP trap queue is full, causing traps to be dropped.
AnswerA

In some IOS versions, the SNMP agent needs explicit BGP notification enablement via 'bgp snmp trap' under the BGP router config. Without it, no BGP traps are generated.

Why this answer

Option A is correct because on many Cisco IOS versions, the command `snmp-server enable traps bgp` only enables the SNMP agent to send BGP traps, but the BGP process itself must be explicitly configured to generate those traps using the `bgp snmp trap` command under the BGP router configuration. Without this, the BGP process never sends trap notifications to the SNMP agent, resulting in zero traps sent despite the SNMP trap configuration being otherwise correct.

Exam trap

Cisco often tests the misconception that `snmp-server enable traps bgp` alone is sufficient, when in fact the BGP process requires the additional `bgp snmp trap` command to generate the trap events.

How to eliminate wrong answers

Option B is wrong because the NMS can successfully poll R3 via SNMP, indicating SNMP communication works; if the NMS were using SNMPv3 and the router only v2c, polling would also fail due to version mismatch, not just traps. Option C is wrong because an ACL blocking UDP 162 would prevent traps from reaching the NMS, but the router's `show snmp statistics` shows TrapsSent: 0, meaning the router never attempted to send any traps, so the issue is before the network layer. Option D is wrong because `show snmp pending` shows no pending traps, indicating the trap queue is empty, not full; a full queue would show pending traps that are queued but not yet sent.

725
MCQmedium

A network engineer is troubleshooting PBR on a Cisco router where traffic from subnet 10.1.1.0/24 should be forwarded to next-hop 192.168.1.2. The route map 'PBR-10' is configured with 'match ip address 150' and 'set ip next-hop 192.168.1.2'. The engineer applies the route map to interface GigabitEthernet0/0. The engineer notices that PBR is not working, and the router is using the routing table to forward traffic. The engineer checks the ACL 150 and confirms it matches 10.1.1.0/24. The engineer also checks the interface configuration and sees 'ip policy route-map PBR-10' applied. What is the most likely cause?

A.The ACL 150 does not exist or is misconfigured, causing the route map to not match any traffic.
B.The 'set ip next-hop' command is misspelled as 'set ip nexthop'.
C.The router is running an older IOS version that does not support PBR.
D.The 'ip policy route-map' command is applied to the outgoing interface instead of the incoming interface.
AnswerA

Correct because if the ACL referenced in the route map does not exist, the route map will not match any traffic, and PBR will not be applied.

Why this answer

If PBR is not working and the router uses the routing table, it could be because the route map is not being processed due to a missing 'match' statement or the route map being empty. However, a common cause is that the route map has a 'match ip address' that references an ACL that does not exist or is misconfigured. The engineer should verify that the ACL 150 exists and is correctly configured.

726
Multi-Selecthard

Which THREE statements about route redistribution and administrative distance are true? (Choose THREE.)

Select 3 answers
A.EIGRP external routes (redistributed) have a default administrative distance of 170.
B.OSPF external routes (type 1 and type 2) have a default administrative distance of 110.
C.Adjusting administrative distance can be used to influence route selection and prevent routing loops during redistribution.
D.The 'distance' command in OSPF can only be applied to external routes, not internal routes.
E.When redistributing RIP into OSPF, the redistributed routes will have a lower administrative distance than OSPF internal routes.
AnswersA, B, C

Correct: EIGRP uses AD 170 for external routes, while internal routes use 90.

Why this answer

Administrative distance (AD) is crucial in redistribution because it determines which routes are preferred when multiple protocols learn the same prefix. Option A is correct: EIGRP has a default AD of 90 for internal routes and 170 for external (redistributed) routes. Option B is correct: OSPF external routes have a default AD of 110, same as internal OSPF routes, but can be changed.

Option C is correct: Changing AD can influence route selection and help prevent routing loops. Option D is incorrect: The distance command can be applied to both internal and external routes. Option E is incorrect: RIP has a default AD of 120, which is higher than OSPF's 110, so OSPF is preferred.

727
MCQmedium

A network engineer is troubleshooting PBR on a Cisco router where traffic from subnet 192.168.20.0/24 should be forwarded to next-hop 10.20.20.2. The route map 'PBR-20' is configured with 'match ip address 120' and 'set ip next-hop 10.20.20.2'. The engineer applies the route map to interface GigabitEthernet0/0. The engineer notices that PBR works for traffic from 192.168.20.0/24, but traffic from other subnets is also being forwarded to 10.20.20.2. What is the most likely cause?

A.The route map has a permit statement with no match condition, causing all traffic to be policy-routed.
B.The 'set ip next-hop' command is applied globally under the routing process.
C.The ACL 120 is configured with 'permit ip any any' at the end.
D.The route map is applied to the wrong interface, but the interface is receiving traffic from all subnets.
AnswerA, C

Correct because a permit statement without a match condition matches all traffic, causing PBR to apply to all packets.

Why this answer

The issue that traffic from other subnets is also being policy-routed indicates that the route map or ACL is matching more traffic than intended. Two common causes are: (A) The route map has a permit statement with no match condition, which matches all traffic. In PBR, a route-map entry with a permit clause but without a match clause will match everything. (C) The ACL 120 is configured with 'permit ip any any' at the end, which also matches all traffic.

Both scenarios result in all traffic being subject to the set next-hop command, regardless of source subnet. The engineer should verify that each route-map sequence has an appropriate match clause and that the ACL is specific to the intended subnet.

728
MCQhard

Router R1 and R2 are running EIGRP. R1 has a route to 172.16.0.0/16 with AD 90. R2 redistributes a static route for 172.16.0.0/16 into EIGRP with a route-map that sets the administrative distance to 85. R1 learns the redistributed route with AD 85 and installs it, overriding the original internal route. However, R1's 'show ip route 172.16.0.0' shows the route via R2 with AD 85, but pings to 172.16.1.1 fail. What is the most likely cause?

A.The redistributed route is a summary route that does not contain the specific subnet 172.16.1.0/24, causing packets to be dropped.
B.The route-map set distance 85 is ignored because EIGRP internal routes always have AD 90.
C.R1's EIGRP process has a distribute-list blocking the redistributed route.
D.The redistributed route has a higher metric than the internal route, but AD overrides metric.
AnswerA

The summary route may point to a null interface or a next hop that does not have the specific route.

Why this answer

Setting AD to 85 makes the redistributed route preferred over the internal route (AD 90). However, the redistributed route might have a less specific prefix (e.g., 172.16.0.0/16) while the internal route might have a more specific prefix (e.g., 172.16.1.0/24) that is now hidden. The ping fails because the redistributed route is a summary that does not have a valid next hop for the specific subnet.

The correct answer is that the redistributed route is a summary that does not include the specific subnet, causing blackholing.

729
MCQhard

A network engineer runs the following command to verify BFD session details: R1# show bfd neighbors detail | include (NeighAddr|LD/RD|State|Int|MinTxInt|Multiplier) NeighAddr LD/RD RH/RS State Int 10.4.4.2 100/200 Up Up Gi0/1 MinTxInt: 500000, MinRxInt: 500000, Multiplier: 5 What does this output indicate?

A.BFD session is UP with a detection time of 2.5 seconds (500 ms * 5).
B.BFD session is DOWN due to high multiplier.
C.BFD is using echo mode for faster detection.
D.BFD multiplier is set to 3, not 5.
AnswerA

Detection time is MinTxInt * Multiplier = 500 ms * 5 = 2500 ms (2.5 seconds).

Why this answer

The output shows a BFD session with a multiplier of 5 and intervals of 500 ms. The high multiplier may indicate a need for more tolerance, but the session is UP.

730
MCQhard

A network engineer configures BFD for EIGRP on a point-to-point link. The BFD session is up, but EIGRP neighbors are stuck in INIT state. The engineer checks that EIGRP hello packets are sent and received. Which of the following is the most likely explanation?

A.The EIGRP K values are mismatched between the two routers, preventing the adjacency from forming.
B.The 'bfd all-interfaces' command is missing under the EIGRP process, so EIGRP ignores BFD state.
C.The interface is configured with 'ip authentication mode eigrp' and 'ip authentication key-chain eigrp' with mismatched keys.
D.The EIGRP autonomous system number is different on each router.
AnswerA

Correct. EIGRP requires matching K values to form an adjacency. BFD does not influence this check.

Why this answer

EIGRP requires that the K values match between neighbors. If the K values are mismatched, EIGRP will not form an adjacency even if BFD is operational. This is a common misconfiguration because BFD does not enforce K value matching; it only reports link failures.

731
MCQmedium

A network engineer runs the following command on switch SW5: SW5# show monitor session 7 Session 7 --------- Type : Local Session Source Ports : Both : Gi0/11 Destination Ports : Gi0/12 Encapsulation : Replicate Ingress : Disabled Based on this output, which statement is correct?

A.The SPAN session will replicate the original VLAN tag on the mirrored traffic sent to Gi0/12.
B.The SPAN session will strip the VLAN tag from the mirrored traffic.
C.The SPAN session is using RSPAN because the encapsulation is set to Replicate.
D.The SPAN session is misconfigured because encapsulation Replicate is not supported.
AnswerA

The encapsulation type 'Replicate' indicates that the original VLAN tag is preserved.

Why this answer

This is a local SPAN session with source port Gi0/11 and destination port Gi0/12. The encapsulation is set to 'Replicate', which means the mirrored traffic retains its original VLAN tag. This is typical when the destination port is a trunk port and the analyzer expects tagged traffic.

732
MCQhard

A network engineer runs the following command on Router R1: R1# show ip ospf neighbor detail Neighbor 10.1.1.4, interface address 192.168.14.4 In the area 0 via interface GigabitEthernet0/2 Neighbor priority is 1, State is 2WAY, 2 state changes DR is 10.1.1.1, BDR is 10.1.1.4 Options is 0x12 (L L S R) Dead timer due in 00:00:38 Neighbor is up for 00:05:22 Index 1/1/1, retransmission queue length 0, number of retransmission 0 First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0) Last retransmission scan length is 0, time is 0 msec Last retransmission scan time is 0 msec Based on this output, what is the problem?

A.The neighbor is in 2WAY state, meaning the adjacency is not fully established.
B.Router R1 is the DR and the neighbor is the BDR, so the state is correct.
C.The dead timer is about to expire, causing the neighbor to go down.
D.The neighbor has a lower priority than R1, so it remains in 2WAY.
AnswerA

2WAY state indicates that the routers have seen each other's hello packets but have not exchanged LSAs. FULL is required for complete adjacency.

Why this answer

The neighbor state is 2WAY, not FULL. This indicates that the neighbor relationship has not progressed to full adjacency. On a broadcast network, routers in 2WAY state have exchanged hello packets but have not completed database exchange.

This could be due to mismatched MTU, authentication, or other issues, but the key observation is that the state is not FULL.

733
MCQmedium

According to RFC 3164, which facility code is used by default for Cisco IOS syslog messages?

A.Local0
B.Local7
C.User
D.Syslog
AnswerB

Cisco IOS defaults to facility local7 for syslog messages.

Why this answer

RFC 3164 defines facility codes. Cisco IOS uses local7 (facility 23) as the default for syslog messages, though this can be changed with the 'logging facility' command.

734
MCQmedium

A network engineer runs the following command to troubleshoot a BGP Troubleshooting issue: R1# debug ip bgp 10.1.1.2 updates BGP: 10.1.1.2 sending UPDATE with 2 prefixes, 0 withdrawn BGP: 10.1.1.2 sending UPDATE with 0 prefixes, 1 withdrawn What does this output indicate?

A.The neighbor 10.1.1.2 is receiving two new routes and one route withdrawal.
B.The neighbor 10.1.1.2 is sending two new routes and one route withdrawal.
C.The BGP session with 10.1.1.2 is flapping.
D.The neighbor 10.1.1.2 is not reachable.
AnswerA

The debug shows updates sent to the neighbor: two prefixes advertised and one withdrawn.

Why this answer

The debug ip bgp updates with neighbor IP shows updates sent to the neighbor. The first line indicates an update with two prefixes advertised. The second line indicates an update with one prefix withdrawn.

This is normal BGP operation.

735
MCQmedium

Given this partial configuration: ip nat pool MYPOOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0 ip nat inside source list 1 pool MYPOOL access-list 1 permit 192.168.1.0 0.0.0.255 What is the effect?

A.Inside hosts are translated to addresses in the pool using PAT.
B.Inside hosts are dynamically mapped to a pool address; if the pool is exhausted, new translations fail.
C.The router uses the pool address as the source for all outbound traffic, regardless of ACL.
D.This configuration requires the 'ip nat outside' interface command to function.
AnswerB

Without overload, each translation consumes one pool address; exhaustion blocks new flows.

Why this answer

The configuration uses a standard ACL to match inside hosts (192.168.1.0/24) and dynamically assigns them a unique address from the pool 203.0.113.10–203.0.113.20. Because no 'overload' keyword is present, PAT is not enabled; each translation consumes a pool address, and once all 11 addresses are used, new translations fail until an existing translation times out or is cleared.

Exam trap

Cisco often tests the distinction between dynamic NAT and PAT by omitting the 'overload' keyword, leading candidates to assume PAT is always used with a pool when in fact it must be explicitly configured.

How to eliminate wrong answers

Option A is wrong because PAT requires the 'overload' keyword on the 'ip nat inside source list 1 pool MYPOOL' command; without it, the router performs dynamic one-to-one NAT, not port address translation. Option C is wrong because the ACL restricts which inside hosts are eligible for translation; traffic from hosts not matching the ACL (or from outside interfaces) is not translated using the pool. Option D is wrong because while 'ip nat outside' is required on the egress interface for NAT to function, the statement says 'requires the ip nat outside interface command to function' as if it were the only missing piece, but the configuration is incomplete without both 'ip nat inside' and 'ip nat outside' on the respective interfaces; the question's phrasing implies a misunderstanding that only the outside command is needed.

736
MCQmedium

A network engineer runs the following command to verify DHCPv6 guard policy: R1# show ipv6 dhcp guard policy DHCP-POLICY Policy: DHCP-POLICY Status: Active Device role: dhcp-client Trusted ports: none Untrusted ports: Fa0/0 DHCPv6 guard: enabled DHCPv6 guard action: block DHCPv6 server validation: enabled DHCPv6 server list: 2001:db8::10 What does this output indicate?

A.The policy blocks DHCPv6 server messages on Fa0/0 except from server 2001:db8::10.
B.The policy allows all DHCPv6 messages on Fa0/0 without any filtering.
C.The policy only applies to DHCPv6 client messages and ignores server messages.
D.The policy is inactive and not applied to any interface.
AnswerA

The action is block, and server validation is enabled with a specific server list.

Why this answer

The output shows that DHCPv6 guard is enabled with an action of 'block' on untrusted port Fa0/0, and DHCPv6 server validation is enabled with a server list containing 2001:db8::10. This means the policy blocks DHCPv6 server messages (e.g., ADVERTISE, REPLY) received on Fa0/0, but allows them if they originate from the specified server address. Thus, only server messages from 2001:db8::10 are permitted, while all other DHCPv6 server messages are blocked.

Exam trap

Cisco often tests the distinction between the 'device role' (dhcp-client vs. dhcp-server) and the filtering direction; the trap here is assuming that 'dhcp-client' role means the policy filters client messages, when in fact it filters server messages on that port to protect clients from rogue servers.

How to eliminate wrong answers

Option B is wrong because the policy explicitly blocks DHCPv6 server messages on Fa0/0 (action: block) and does not allow all DHCPv6 messages without filtering. Option C is wrong because the policy applies to DHCPv6 server messages, not client messages; the device role is 'dhcp-client', meaning the port is treated as a client-facing port, and the guard filters incoming server messages. Option D is wrong because the policy status is 'Active' and it is applied to interface Fa0/0 as an untrusted port, so it is active and applied.

737
MCQeasy

What is the default BGP keepalive timer value in Cisco IOS-XE?

A.30 seconds
B.60 seconds
C.90 seconds
D.180 seconds
AnswerB

Correct. BGP keepalive defaults to 60 seconds.

Why this answer

The default BGP keepalive timer is 60 seconds, as defined in RFC 4271 and implemented in Cisco IOS-XE.

738
MCQmedium

A network engineer runs the following command on Router R1: R1# show ip ospf neighbor vrf BLUE Neighbor ID Pri State Dead Time Address Interface 10.0.0.2 1 FULL/DR 00:00:32 10.1.1.2 GigabitEthernet0/0 10.0.0.3 1 2WAY/DROTHER 00:00:35 10.1.2.2 GigabitEthernet0/1 Based on this output, which statement is correct?

A.Neighbor 10.0.0.3 is not forming a full adjacency because it is a DROTHER.
B.Neighbor 10.0.0.2 is the Backup Designated Router.
C.Both neighbors are in the FULL state.
D.The OSPF adjacencies are functioning normally.
AnswerD

The states are appropriate for the network type; FULL for DR and 2WAY for DROTHER.

Why this answer

The output shows two OSPF neighbors for VRF BLUE. Neighbor 10.0.0.2 is in FULL state and is the DR on GigabitEthernet0/0. Neighbor 10.0.0.3 is in 2WAY state and is a DROTHER on GigabitEthernet0/1.

The 2WAY state is normal for neighbors that are not DR/BDR on a multi-access network. No problem is evident.

739
Drag & Drophard

Drag and drop the steps to troubleshoot EEM adjacency or connectivity failures into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Start by verifying the EEM policy is registered and enabled, then check for any connectivity issues using ping or traceroute, review syslog or debug output for event triggers, examine the policy logic for errors, and finally test the policy manually to confirm resolution.

740
MCQmedium

A spoke router has the following DMVPN configuration: interface Tunnel0 ip address 10.0.0.2 255.255.255.0 ip nhrp network-id 100 ip nhrp nhs 10.0.0.1 tunnel source GigabitEthernet0/0 tunnel mode gre multipoint ip nhrp map 10.0.0.1 192.168.1.1 ! What is missing from this configuration?

A.The spoke is missing the 'ip nhrp map multicast dynamic' command to register with the hub.
B.The spoke is missing the 'ip nhrp authentication' command.
C.The spoke is missing the 'tunnel key' command.
D.The spoke is missing the 'ip nhrp holdtime' command.
AnswerC

The 'tunnel key' command is missing. In DMVPN, the hub often uses a tunnel key to identify the mGRE tunnel. Without matching tunnel key on the spoke, the tunnel might not come up properly. This is a common requirement in production environments.

Why this answer

The spoke configuration is missing the 'tunnel key' command, which is required in many DMVPN deployments when the hub is configured with a tunnel key. The tunnel key ensures that the mGRE interface on the spoke only accepts packets with the correct key, preventing misconfiguration. The existing commands 'ip nhrp nhs' and 'ip nhrp map' are sufficient for NHRP registration and unicast communication, but without a matching tunnel key, the spoke may not establish the tunnel correctly with the hub.

741
MCQhard

A large enterprise network uses OSPFv3 for IPv6 routing. Router R1 and R2 are connected via a multi-access Ethernet link. R1 is configured with 'ipv6 ospf network point-to-point' while R2 uses the default broadcast network type. R1 has an IPv6 ACL applied inbound on its interface that permits only OSPF (89) and denies all other traffic. R2 is unable to form a full OSPF adjacency with R1. R2 shows 'OSPFv3 adjacency state is EXSTART/EXCHANGE' and logs 'Bad LSReq'. What is the root cause?

A.R1's ACL blocks OSPFv3 multicast hello packets (FF02::5), preventing adjacency formation on the broadcast link.
B.R2's OSPFv3 process is configured with a different router-id, causing a DR election conflict.
C.The MTU mismatch between R1 and R2 causes OSPFv3 packet fragmentation, leading to LSReq errors.
D.R2 has a passive interface configured, preventing it from sending OSPFv3 hellos.
AnswerA

On a broadcast network, OSPFv3 sends hellos to FF02::5. R1's ACL permits only OSPF protocol, but the destination address is filtered because the ACL does not explicitly permit multicast. The network type mismatch exacerbates the issue as R1 expects unicast hellos.

Why this answer

R1's inbound IPv6 ACL permits only OSPF (protocol 89) but denies all other traffic. When R1's interface is configured as 'ipv6 ospf network point-to-point', it expects to send unicast OSPFv3 packets to the neighbor, not multicast. However, R2, using the default broadcast network type, sends OSPFv3 hellos to the multicast address FF02::5 (AllSPFRouters).

R1's ACL blocks these multicast hellos because they are not protocol 89 unicast packets, preventing adjacency formation. The 'Bad LSReq' error in EXSTART/EXCHANGE indicates that R1 never received R2's hellos, so it cannot build a proper link-state database.

Exam trap

Cisco often tests the interaction between OSPF network types and ACLs, where candidates assume that permitting OSPF protocol 89 is sufficient, forgetting that multicast packets (FF02::5) may be dropped if the ACL does not explicitly allow them or if the interface is configured for unicast-only communication.

How to eliminate wrong answers

Option B is wrong because a router-id conflict would cause a different issue, such as duplicate router-id detection or adjacency flapping, not a 'Bad LSReq' error specifically tied to ACL filtering. Option C is wrong because an MTU mismatch typically causes OSPF to stall in EXSTART/EXCHANGE with 'Bad LSReq' or 'Seq# mismatch', but the root cause here is the ACL blocking multicast hellos, not fragmentation. Option D is wrong because a passive interface on R2 would prevent it from sending hellos entirely, leading to a DOWN state, not EXSTART/EXCHANGE with 'Bad LSReq'.

742
MCQeasy

What is the default lease duration for a DHCPv4 address pool on a Cisco IOS router?

A.1 day
B.7 days
C.30 minutes
D.Infinite
AnswerA

The default lease time is 1 day (24 hours) unless overridden with the lease command.

Why this answer

The default lease duration for a DHCPv4 address pool on a Cisco IOS router is 1 day (86400 seconds). This is defined by the Cisco IOS DHCP server implementation, which uses a 24-hour lease as the default when no lease duration is explicitly configured under the DHCP pool configuration.

Exam trap

Cisco often tests the default lease value as a memorization point, and the trap here is that candidates may confuse the Cisco default with the RFC 2131 suggested default of 1 day (which is the same) or assume a longer lease like 7 days is standard for enterprise networks.

How to eliminate wrong answers

Option B is wrong because 7 days is not the default; it is a commonly configured lease duration for networks with stable devices, but Cisco IOS defaults to 1 day. Option C is wrong because 30 minutes is a very short lease typically used for high-turnover environments like Wi-Fi hotspots, not the default. Option D is wrong because an infinite lease is not a default behavior; it would require explicit configuration using the 'lease infinite' command, and DHCP leases are designed to expire to allow address reclamation.

743
MCQhard

A BGP speaker R1 is advertising a prefix 10.10.0.0/16 to its eBGP neighbor R2. R2 is also receiving the same prefix from another eBGP neighbor R3 with a lower local preference. R1 configuration: router bgp 100, neighbor 192.168.1.2 remote-as 200, neighbor 192.168.1.2 route-map SET-LP in. Route-map SET-LP sets local-preference 150. R2 shows: 'show ip bgp 10.10.0.0/16' shows two paths: one from R1 with local pref 150, and one from R3 with local pref 100. The best path is via R3. Why is the path from R1 not selected?

A.The route-map is applied inbound on R1, but it should be applied outbound to affect the local preference on routes sent to R2.
B.The local-preference value of 150 is not high enough; it should be at least 200 to override the path from R3.
C.R2 has a route-map that sets local preference to 100 for all routes, overriding the value set by R1.
D.The prefix 10.10.0.0/16 is not in the BGP table of R1 because it is not originated or learned.
AnswerA

Inbound route-maps affect routes received from the neighbor; outbound affects routes sent. To set local preference on routes advertised to R2, the route-map must be applied outbound.

Why this answer

The route-map SET-LP is applied inbound on R1 (neighbor 192.168.1.2 route-map SET-LP in), which means it sets local preference on routes received from R2, not on routes sent to R2. Local preference is a BGP attribute that is propagated only to iBGP peers and is not exchanged between eBGP peers. To influence R2's best path selection, the route-map must be applied outbound on R1 (neighbor 192.168.1.2 route-map SET-LP out) so that the local-preference value is set on the update sent to R2.

Since R1 sets local preference inbound, R2 never receives the modified value, and R2's best path selection defaults to the path from R3 with local preference 100, which is the only local preference R2 sees from R1 (default 100).

Exam trap

Cisco often tests the distinction between inbound and outbound route-map application on eBGP peers, specifically that local preference set inbound affects the local router's decision but is not sent to the neighbor, leading candidates to mistakenly think the neighbor will see the modified value.

How to eliminate wrong answers

Option B is wrong because BGP best path selection does not require a specific numeric threshold; local preference is compared directly, and 150 is higher than 100, so if the value were correctly applied, the path from R1 would be preferred. Option C is wrong because there is no evidence or mention of a route-map on R2 that overrides local preference; the question states R2 sees two paths with local preferences 150 and 100, indicating no override. Option D is wrong because R1 is advertising the prefix 10.10.0.0/16 to R2, which implies the prefix is in R1's BGP table (either originated or learned from another source); otherwise, R1 could not send the update.

744
MCQmedium

A PE router has the following configuration: router bgp 65000 neighbor 10.0.0.1 remote-as 65000 neighbor 10.0.0.1 update-source Loopback0 ! address-family vpnv4 neighbor 10.0.0.1 activate neighbor 10.0.0.1 send-community extended exit-address-family What is wrong with this configuration?

A.The neighbor is missing the 'send-community extended' command under the VPNv4 address-family.
B.The neighbor must be configured under the IPv4 unicast address-family first.
C.The update-source should be the interface facing the peer, not Loopback0.
D.The neighbor remote-as should be different for VPNv4 sessions.
AnswerA

Incorrect. The configuration includes 'neighbor 10.0.0.1 send-community extended' under the VPNv4 address-family, so it is not missing.

Why this answer

The configuration is correct. The 'neighbor 10.0.0.1 send-community extended' command is present under the VPNv4 address-family, which is required for carrying VPN routing information. Options B, C, and D are incorrect: the neighbor does not need to be configured under IPv4 unicast first, using Loopback0 as update-source is standard for iBGP sessions between PEs, and the remote-as is correctly set to the same AS for iBGP.

745
MCQhard

In Cisco IOS, what is the default encryption algorithm for IKEv1 phase 1 if not specified in the ISAKMP policy?

A.AES 256
B.3DES
C.DES
D.AES 128
AnswerC

Cisco IOS defaults to DES if no encryption is specified.

Why this answer

In Cisco IOS, when an IKEv1 ISAKMP policy is configured without specifying an encryption algorithm, the default encryption algorithm is DES (Data Encryption Standard). This is because Cisco IOS defaults to DES for IKEv1 phase 1 if no encryption is explicitly defined in the ISAKMP policy, as per the default policy parameters. DES uses a 56-bit key and is considered weak by modern standards, but it remains the default for backward compatibility.

Exam trap

Cisco often tests the default encryption algorithm for IKEv1 phase 1, and the trap here is that candidates assume a stronger algorithm like AES or 3DES is the default, but Cisco IOS defaults to the weaker DES for backward compatibility.

How to eliminate wrong answers

Option A is wrong because AES 256 is not the default encryption algorithm for IKEv1 phase 1; it must be explicitly configured using the 'encryption aes 256' command under the ISAKMP policy. Option B is wrong because 3DES is not the default; it is a stronger alternative that must be specified with 'encryption 3des' in the ISAKMP policy. Option D is wrong because AES 128 is not the default; it requires explicit configuration via 'encryption aes 128' in the ISAKMP policy.

746
Drag & Dropmedium

Drag and drop the steps to verify and validate IP SLA operational state into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Begin by checking the overall IP SLA configuration to confirm the operation is defined, then review the latest statistics for RTT and success rate, examine the reaction configuration if tracking is used, verify the tracking object status, and finally confirm that tracked objects are influencing routing or policy.

747
Multi-Selecthard

Which TWO statements correctly describe the behavior of EIGRP route summarization when using the 'summary-address' command under an interface? (Choose TWO.)

Select 2 answers
A.A summary route is advertised with the metric equal to the best metric among the component routes.
B.The summary route is automatically assigned an administrative distance of 90 by default.
C.A local discard route (null0) is automatically installed for the summary prefix to prevent routing loops.
D.The 'summary-address' command also summarizes connected routes that fall within the summary range.
E.More specific routes are still advertised out the same interface even after the summary is configured.
AnswersA, C

Correct. EIGRP uses the best (lowest) metric from the component routes for the summary route advertisement.

Why this answer

EIGRP route summarization using the interface-level 'summary-address' command creates a local discard route to prevent routing loops, suppresses more specific routes from being advertised out that interface, and does not automatically summarize connected routes unless they are redistributed. The summary route is advertised with the metric of the best component route, and the administrative distance of the summary is set to 5 by default, not 90.

748
MCQhard

An engineer configures DHCPv4 on a router with multiple pools for different subnets. Clients in subnet A receive addresses correctly, but clients in subnet B receive addresses from subnet A's pool. The router has 'ip dhcp relay' configured. Which is the most likely explanation?

A.The DHCP server selects the pool based on the giaddr; if the relay agent does not set the giaddr correctly, the server may use the first matching pool.
B.The pools are configured in the wrong order; the server uses the first pool that matches the client's MAC address.
C.The router has 'ip dhcp smart-relay' enabled, which overrides pool selection.
D.The DHCP server is configured with 'network' statements that overlap.
AnswerA

Correct: The giaddr is critical for pool selection. If it is not set (e.g., due to missing 'ip helper-address' on the correct interface), the server may assign from a different pool.

Why this answer

Option A is correct because when a DHCP relay agent forwards a client's request to the server, it inserts its own IP address (the interface address on the client's subnet) into the giaddr (gateway IP address) field. The DHCP server uses this giaddr to select the appropriate pool. If the relay agent fails to set the giaddr correctly—for example, due to misconfiguration or the relay interface not being on the correct subnet—the server may receive a giaddr of 0.0.0.0 or an incorrect address, causing it to fall back to the first configured pool that matches, which in this case is subnet A's pool.

Exam trap

Cisco often tests the misconception that DHCP pool selection is based on pool order or client MAC address, when in fact it relies on the giaddr set by the relay agent.

How to eliminate wrong answers

Option B is wrong because DHCP pool selection is not based on the order of pools or the client's MAC address; the server selects a pool based on the giaddr or the subnet of the receiving interface, not MAC address. Option C is wrong because 'ip dhcp smart-relay' is a Cisco feature that allows the relay agent to insert a giaddr when the client's broadcast is received on an interface without an IP address; it does not override pool selection but rather enables relaying in scenarios where the giaddr would otherwise be missing. Option D is wrong because overlapping 'network' statements would cause an ambiguous pool selection error or lease assignment failure, not a consistent misassignment to a different subnet's pool.

749
Multi-Selectmedium

Which TWO commands would a network engineer use to verify SNMP agent configuration and connectivity on a Cisco IOS router? (Choose TWO.)

Select 2 answers
A.show snmp
B.show snmp host
C.show snmp group
D.show snmp user
E.debug snmp packets
AnswersA, B

Displays SNMP agent statistics, community strings, and trap status.

Why this answer

The `show snmp` command displays the overall SNMP agent configuration, including contact, location, community strings, and SNMP version. The `show snmp host` command lists the configured SNMP notification receivers (trap or inform destinations) and verifies that the router is correctly configured to send SNMP messages to the management station. Together, these two commands confirm both the agent's operational state and its connectivity to remote hosts.

Exam trap

Cisco often tests the distinction between verification commands (show) and troubleshooting commands (debug), and the trap here is that candidates mistakenly choose `debug snmp packets` as a verification tool when it is actually a high-overhead diagnostic command that should only be used after initial configuration checks fail.

750
Multi-Selecthard

Which TWO statements about BFD echo mode are true? (Choose TWO.)

Select 1 answer
A.In echo mode, the remote router generates and sends the echo packets back to the local router.
B.Echo mode reduces the processing load on the remote router because it does not need to process BFD control packets.
C.BFD echo mode can be used for both single-hop and multihop BFD sessions.
D.When echo mode is enabled, the BFD control packet interval must be set to a lower value than the echo interval.
E.Echo mode requires the bfd echo command under the BFD neighbor configuration.
AnswersB

Correct. Echo mode offloads control packet processing from the remote router, as it only reflects echo packets.

Why this answer

BFD echo mode reduces the processing load on the remote router because the remote router simply reflects echo packets back without processing BFD control packets, thus requiring fewer CPU resources. However, echo mode is only supported for single-hop BFD sessions, not for multihop sessions. Therefore, Option B is correct, and Option C is incorrect.

Page 9

Page 10 of 29

Page 11