Correct. Type 3 LSAs are used for inter-area route advertisement.
Why this answer
Type 3 LSAs (Summary LSAs) are generated by Area Border Routers (ABRs) to advertise networks from one area to another. They are used to propagate inter-area routes.
2152 questions total · 29pages · All types, answers revealed
Correct. Type 3 LSAs are used for inter-area route advertisement.
Why this answer
Type 3 LSAs (Summary LSAs) are generated by Area Border Routers (ABRs) to advertise networks from one area to another. They are used to propagate inter-area routes.
Which TWO statements about the 'ip access-group' command and its interaction with ACLs are correct? (Choose TWO.)
Correct. Outbound ACLs process packets after routing, before the packet exits the interface.
Why this answer
Options B and C are correct. Option B is correct because an outbound ACL processes packets after the routing decision, just before the packet leaves the interface. Option C is correct because the ACL referenced in the 'ip access-group' command must already exist in the configuration; otherwise the command is rejected.
Option A is incorrect because an inbound ACL processes packets before the routing decision. Option D is incorrect because the 'ip access-group' command requires a Layer 3 interface; it cannot be applied to a Layer 2 switchport. Option E is incorrect because, while it is a true statement, the question specifically asks for two statements, and options B and C are the most fundamental regarding the command's interaction with ACLs.
Exam trap
Cisco often tests the misconception that an outbound ACL processes packets before routing, when in fact it processes after the routing decision, while an inbound ACL processes before routing.
A network engineer is troubleshooting a route redistribution issue between RIP and OSPF. Router R1 runs both RIP and OSPF, and redistributes RIP routes into OSPF. The engineer notices that RIP routes are not appearing in the OSPF database on neighboring routers. The show ip ospf database external command on a neighbor shows no external routes from R1. The redistribute rip command is configured under OSPF on R1. What is the most likely cause?
Correct: Without subnets, only classful networks are redistributed, causing missing routes.
Why this answer
When redistributing into OSPF, the subnets keyword is required to redistribute classless subnets. Without it, only classful networks are advertised, which may cause many routes to be missing.
What is the default metric for an IPv6 static route redistributed into OSPFv3?
OSPFv3 uses a default metric of 20 for redistributed routes.
Why this answer
When an IPv6 static route is redistributed into OSPFv3, OSPFv3 assigns a default metric of 20 to external routes (type E1 or E2). This is consistent with OSPFv2 behavior, where redistributed routes (including static routes) receive a default metric of 20 unless explicitly overridden with the `metric` keyword under the `redistribute` command. Option C is correct because the default metric for redistributed static routes in OSPFv3 is 20.
How to eliminate wrong answers
Option A is wrong because a metric of 0 is not the default for redistributed static routes in OSPFv3; a metric of 0 would imply a directly connected route or a special case, but OSPFv3 does not assign 0 to redistributed routes. Option B is wrong because a metric of 1 is the default for OSPFv3 intra-area routes (e.g., for loopback interfaces or directly connected networks), not for redistributed external routes. Option D is wrong because a metric of 10 is the default for redistributed routes in EIGRP, not OSPFv3; OSPFv3 uses 20 as the default for external routes.
What is the default CoPP policy on a Cisco IOS-XE router if no service-policy is applied to the control-plane?
Correct. CoPP is not enabled by default.
Why this answer
C is correct because Cisco IOS-XE routers do not apply any default CoPP policy to the control-plane. Without an explicit 'service-policy' configuration under the 'control-plane' configuration mode, all control-plane traffic (including routing protocols, management traffic, and keepalives) is processed by the route processor without any rate-limiting or filtering. CoPP is an optional feature that must be manually configured to protect the control plane from excessive traffic.
Exam trap
Cisco often tests the misconception that CoPP has a built-in default policy or that management traffic is automatically rate-limited, when in fact no CoPP policy is applied unless explicitly configured under the control-plane with a service-policy.
How to eliminate wrong answers
Option A is wrong because there is no default rate-limit of 64000 bps; CoPP policies are not applied by default, and any such value would require explicit configuration. Option B is wrong because management traffic is not automatically rate-limited to 32000 bps; without a CoPP policy, all traffic, including SSH and Telnet, is processed normally. Option D is wrong because no default policy drops traffic at 128000 bps; CoPP policies must be explicitly defined and applied to enforce any drop or rate-limit behavior.
A network engineer configures iBGP within a VRF-Lite environment. The VRF has an IGP (OSPF) running, and BGP is used to exchange customer routes. The engineer notices that BGP routes are not being installed in the VRF routing table, even though they are present in the BGP table. The 'bgp redistribute-internal' command is not configured. Which is the most likely explanation?
iBGP requires the next-hop to be reachable. If the next-hop (e.g., a loopback) is not in the IGP, the route is not installed.
Why this answer
In iBGP, the next-hop for a route learned from an iBGP peer must be reachable via an IGP or static route. If the next-hop is not reachable, the route is not installed in the routing table. Additionally, if the IGP does not carry the next-hop route (e.g., because it is a loopback not advertised), the route remains hidden.
This is a common edge case where synchronization is not the issue, but next-hop reachability is.
A network using IPv6 over IPv4 Teredo tunnels is experiencing intermittent connectivity. Router R1 has the following relevant configuration: interface Tunnel0 ipv6 address 2001:0:4136:E378:8000:63BF:3C57:DD0B/128 tunnel source 192.0.2.1 tunnel mode ipv6ip teredo. Router R2 shows: R2# show ipv6 route 2001:0:4136:E378::/64 % Route not found. What is the root cause?
Without a Teredo server, the router cannot obtain a valid Teredo address or prefix.
Why this answer
The Teredo tunnel on R1 requires a Teredo server to facilitate the initial configuration and to help the client discover its public IPv4 address and the Teredo relay. Without the 'tunnel teredo server-ip' command specifying the Teredo server's IPv4 address, R1 cannot complete the Teredo setup, leading to an incomplete or non-functional tunnel. This results in the IPv6 prefix 2001:0:4136:E378::/64 not being installed in R2's routing table, as the tunnel interface never becomes fully operational.
Exam trap
Cisco often tests the distinction between Teredo server and relay roles, leading candidates to incorrectly focus on relay reachability or mode syntax when the missing server configuration is the actual root cause.
How to eliminate wrong answers
Option B is wrong because 'ipv6ip teredo relay' is not a valid tunnel mode; the correct mode for a Teredo client is 'tunnel mode ipv6ip teredo', and a Teredo relay uses a different configuration (often with 'tunnel mode ipv6ip' and a relay address). Option C is wrong because the reachability of the Teredo relay is not the primary issue; the problem is that the Teredo server address is missing, which prevents the client from even learning the relay's address. Option D is wrong because Teredo is fully supported on Cisco IOS, as demonstrated by the 'tunnel mode ipv6ip teredo' command being accepted in the configuration.
Which THREE symptoms indicate that route summarization may be causing routing issues in a network? (Choose THREE.)
Summarization can cause routers to choose a less specific route, leading to suboptimal paths.
Why this answer
Route summarization can cause suboptimal routing because the summary route may point to a less specific path. It can also cause black holes if the summary route is advertised but the specific subnets are not reachable. Additionally, summarization can hide more specific routes, leading to routing loops if the summary route is less specific and points to a router that does not have the specific subnet.
High CPU usage is not a direct symptom of summarization issues, and duplicate IP addresses are unrelated.
Which BGP message type is sent when a fatal error is detected, causing the BGP session to close?
Correct. NOTIFICATION messages indicate errors and close the session.
Why this answer
NOTIFICATION messages are sent to report errors and terminate the BGP session.
A network engineer is troubleshooting an IPv6 routing issue where a router is not learning routes from an OSPFv3 neighbor. The engineer checks the interface and finds an inbound IPv6 ACL that permits only OSPFv3 packets with a specific area ID in the packet. The ACL is using the 'ospfv3' keyword to match packets. The engineer also notices that the OSPFv3 neighbor is in a different area. What is the most likely cause of the route learning failure?
Correct because the ACL permits only packets with a specific area ID, and the neighbor is in a different area, so its packets are dropped.
Why this answer
The ACL uses the 'ospfv3' keyword to match OSPFv3 packets and permits only those with a specific area ID. Since the neighbor is in a different area, its OSPFv3 packets contain a different area ID in the OSPFv3 header, causing the ACL to deny them. This prevents the router from receiving Hello packets and establishing adjacency, so routes are not learned.
Exam trap
Cisco often tests the nuance that the 'ospfv3' ACL keyword can match not only the protocol but also the area ID field, and candidates mistakenly assume the ACL only matches the protocol type (OSPFv3) without considering the area ID filter.
How to eliminate wrong answers
Option B is wrong because an incorrect router ID would affect OSPFv3 operation (e.g., adjacency formation or LSA origination), but the scenario explicitly states the ACL is filtering based on area ID, not router ID. Option C is wrong because if the interface were not enabled for OSPFv3, the router would not even attempt to send or receive OSPFv3 packets, yet the ACL is actively filtering inbound packets, implying OSPFv3 is enabled. Option D is wrong because the engineer checked the interface and found an inbound ACL; applying it outbound would not affect incoming packets, and the issue is with receiving routes, not sending them.
What is the maximum hop count for a route in RIP?
Correct. The maximum valid hop count is 15; 16 indicates unreachable.
Why this answer
Exam trap
Cisco often tests the distinction between the maximum hop count (15) and the unreachable metric (16), tricking candidates who think 16 is a valid route metric rather than a poison value.
How to eliminate wrong answers
Option B is wrong because a hop count of 16 in RIP is not a valid route metric; it is used to signify an unreachable route (infinite metric) and triggers route poisoning. Option C is wrong because 255 is the maximum TTL value in IP packets, not the RIP hop count limit; RIP uses a 4-bit metric field, which can only represent values 0–15. Option D is wrong because 32 is the maximum prefix length for IPv4 subnets, not a RIP hop count; RIP metrics are limited to 15 hops.
A network engineer runs the following command to verify DHCPv4 pool configuration on router R1: R1# show ip dhcp pool DHCP_POOL Output: Pool DHCP_POOL : Utilization mark (high/low) : 100 / 0 Subnet size (first/next) : 0 / 0 Total addresses : 254 Leased addresses : 100 Pending event : none 1 subnet is currently in the pool : Current index IP address range Leased addresses 192.168.1.1 192.168.1.1 - 192.168.1.254 100 What does this output indicate?
Total addresses is 254, leased addresses is 100, so 154 are available.
Why this answer
Option A is correct because the output shows 'Total addresses: 254' and 'Leased addresses: 100', meaning the pool contains 254 total addresses (the /24 subnet) and 100 are currently leased, leaving 154 available. The 'Utilization mark (high/low): 100 / 0' indicates the thresholds for alerts, not actual usage, and the pool is not exhausted.
Exam trap
Cisco often tests the distinction between the 'Utilization mark' (a configurable threshold for alerts) and actual pool utilization, causing candidates to misinterpret the 100% high mark as meaning the pool is full.
How to eliminate wrong answers
Option B is wrong because the pool is not exhausted; only 100 of 254 addresses are leased, so 154 are still available. Option C is wrong because the output does not show any database agent configuration; the 'Pending event: none' line refers to pending DHCP events, not database agent status. Option D is wrong because the utilization mark of 100% is the high watermark threshold for alerts, not the actual utilization percentage; the actual utilization is 100/254 ≈ 39.4%.
A network engineer is troubleshooting a VRF-Lite deployment where a router is configured with VRF_ORANGE. The engineer attempts to configure a static route in VRF_ORANGE using the command 'ip route vrf VRF_ORANGE 192.168.10.0 255.255.255.0 10.1.1.1', but the route does not appear in the routing table. The 'show ip route vrf VRF_ORANGE' does not show the static route. What is the most likely cause?
The static route will only be installed if the next-hop is reachable via a connected or dynamic route in the same VRF.
Why this answer
Static routes in VRF-Lite require that the next-hop IP address is reachable within the same VRF. If the next-hop is not in the VRF's routing table, the static route will not be installed.
Examine the following EIGRP configuration on Router R3: interface GigabitEthernet0/1 ip bandwidth-percent eigrp 100 50 What is the effect of this command?
The ip bandwidth-percent eigrp command restricts the percentage of bandwidth EIGRP can use for its protocol traffic.
Why this answer
The `ip bandwidth-percent eigrp` command controls the percentage of the interface bandwidth that EIGRP can use for its control traffic (hello packets, updates, queries, and replies). By setting it to 50%, EIGRP will limit its control traffic to 50% of the configured interface bandwidth, preventing it from overwhelming the link. This does not affect data traffic or metric calculation.
How to eliminate wrong answers
Option A is wrong because the command only limits EIGRP control traffic, not data traffic; data traffic is unaffected and can use the full interface bandwidth. Option C is wrong because EIGRP metric calculation uses the interface bandwidth value directly (e.g., `bandwidth` command), not the percentage set by `ip bandwidth-percent eigrp`; this command does not alter the metric. Option D is wrong because neighbor adjacency formation is based on hello and hold timers, not on current bandwidth usage; the command does not conditionally prevent adjacency formation based on bandwidth utilization.
Which TWO commands can be used to verify the operational state of BFD sessions on a Cisco IOS-XE router? (Choose TWO.)
This command shows BFD neighbor details, including session state.
Why this answer
The 'show bfd neighbors' command displays BFD session details such as neighbor address, interface, state, and timers. The 'show bfd session' command provides similar information, including the local discriminator and session state. The other commands are either unrelated or do not show BFD session state.
A network engineer runs the following command to troubleshoot an Administrative Distance issue: R1# debug eigrp packets EIGRP Packets debugging is on (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY) *Mar 1 00:01:23.456: EIGRP: received UPDATE on GigabitEthernet0/0 nbr 10.1.1.2 *Mar 1 00:01:23.456: AS 100, Flags 0x0, Seq 1/0 idbQ 0/0 iidbQ un/rely 0/0 *Mar 1 00:01:23.456: Int: 192.168.5.0/24, metric 30720/28160 *Mar 1 00:01:23.456: EIGRP: Enqueueing UPDATE on GigabitEthernet0/0 nbr 10.1.1.2 iidbQ un/rely 0/1 peerQ un/rely 0/0 serno 1-1 What does this output indicate?
The debug shows 'received UPDATE' and the metric.
Why this answer
The debug output shows EIGRP packet exchanges. It does not directly show administrative distance, but it indicates that an update is being sent and received for a specific network.
Which THREE symptoms indicate a DHCP IPv4 starvation attack or address pool exhaustion? (Choose THREE.)
Pool exhaustion prevents new leases for real clients.
Why this answer
Option A is correct because a DHCP starvation attack exhausts the available IP addresses in the pool, preventing legitimate clients from obtaining a lease. When the address pool is fully depleted, the DHCP server cannot respond to new DISCOVER messages, causing clients to fail to acquire an IP address.
Exam trap
Cisco often tests the distinction between DHCP starvation symptoms and unrelated network issues like DAD failures or client CPU load, expecting candidates to recognize that only server-side indicators (pool exhaustion, spoofed MACs, client failure) are valid.
An engineer is troubleshooting a router that is configured as an NTP client. The router's clock is not synchronizing with the NTP server at 192.168.1.1. 'show ntp status' shows 'clock is unsynchronized', and 'show ntp associations' shows the server as '.INIT.' with no reachability. The engineer can ping the NTP server. What is the most likely cause?
Ping works, but NTP uses UDP 123; the server may be configured to deny service to this client, or the server's NTP service is not running.
Why this answer
The '.INIT.' state in 'show ntp associations' indicates that the client has sent NTP packets to the server but has not received any valid NTP responses. Since the engineer can ping the server, Layer 3 connectivity is fine, ruling out network issues. The most likely cause is that the NTP server is not configured to respond to requests from this client, either due to an access control list (ACL) on the server, a 'restrict' statement denying the client, or the server not being configured as an NTP server at all.
How to eliminate wrong answers
Option B is wrong because a missing 'ntp source' command would cause NTP packets to use the IP of the egress interface, which might still be reachable; it would not result in a complete lack of response ('.INIT.') unless the server specifically filters based on source IP, but that is a server-side issue, not a client-side misconfiguration. Option C is wrong because NTP uses a stratum-based hierarchy and timestamps; a client clock set too far in the future would still allow the client to receive NTP packets and update its clock (though it might take longer to synchronize), but it would not prevent the server from responding. Option D is wrong because if 'ntp authenticate' were enabled without the proper key, the client would still receive NTP packets from the server, but they would be discarded; 'show ntp associations' would show the server as '.AUTH.' or similar, not '.INIT.'.
A network engineer runs the following command on Router R1: R1# show ip route ospf Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP a - application route + - replicated route, % - next hop override Gateway of last resort is not set O 10.2.2.0/24 [110/20] via 192.168.12.2, 00:12:34, GigabitEthernet0/0 O IA 10.3.3.0/24 [110/30] via 192.168.13.3, 00:10:21, GigabitEthernet0/1 Based on this output, what can be determined?
The route to 10.3.3.0/24 is marked with 'O IA', which indicates it is an inter-area OSPF route, learned from a different area than the router's own.
Why this answer
The routing table shows two OSPF routes: one intra-area (O) and one inter-area (O IA). Both routes have the same administrative distance of 110 (as shown in the bracket). The inter-area route (10.3.3.0/24) is learned from a different area, indicated by the 'IA' code.
Option D is correct because both routes share AD 110. Option A is incorrect because the route to 10.2.2.0/24 is intra-area (O), not external. Option C is incorrect because there is no default route (Gateway of last resort is not set).
Which authentication method is supported by default for GRE tunnels in Cisco IOS-XE?
GRE tunnels have no authentication by default; a key must be configured manually.
Why this answer
GRE tunnels in Cisco IOS-XE do not include any built-in authentication mechanism by default. The GRE protocol (RFC 2784) defines a simple encapsulation method without authentication or encryption; any security features must be added externally, such as using IPsec to protect the tunnel traffic. Therefore, the correct answer is that no authentication is enabled by default.
Exam trap
Cisco often tests the misconception that the GRE key field provides authentication, but it is only an optional identifier and does not offer any security; candidates may incorrectly assume that a key or password is required or that GRE has built-in authentication.
How to eliminate wrong answers
Option A is wrong because MD5 authentication is not a default feature of GRE tunnels; while Cisco supports a GRE key option (which is not authentication) and IPsec can provide MD5-based HMAC, the base GRE tunnel itself has no authentication. Option B is wrong because SHA-256 authentication is not supported natively by GRE; it would require IPsec or another security protocol to be applied to the tunnel. Option D is wrong because plain-text password authentication is not a feature of GRE; GRE does not support any form of password or authentication in its standard implementation.
R1 and R2 are iBGP peers in AS 65001. R1 has: neighbor 10.1.1.2 next-hop-self. R2 advertises a prefix 10.0.0.0/8 with next-hop 10.1.1.2. R1 receives the prefix and changes the next-hop to 10.1.1.1 (its own IP) due to next-hop-self. R1 then advertises this prefix to its eBGP peer R3 in AS 65002. R3 receives the prefix with next-hop 10.1.1.1. R3 has a static route to 10.1.1.0/24 via its interface to R1. However, R3 cannot reach 10.0.0.0/8 because R1 does not have a route to 10.0.0.0/8 in its routing table. What is the root cause?
R1 must have the prefix in its routing table to forward traffic; otherwise, it will drop packets.
Why this answer
R1 uses next-hop-self to change the next-hop to its own IP, but R1 must have a valid route to the prefix in its routing table to forward traffic. If R1 does not install the BGP route (e.g., because it is not the best path due to a higher metric or because the next-hop is unreachable), then R1 will not have a route to 10.0.0.0/8 in its routing table, and packets sent to R1 for that prefix will be dropped. The root cause is that R1 does not have the prefix installed in its routing table, possibly because it learned it from R2 but the next-hop (10.1.1.2) is not reachable in R1's routing table, or because R1 has a higher administrative distance route that overrides.
What is the default authentication type for NHRP in a DMVPN configuration?
Correct. NHRP has no authentication by default.
Why this answer
By default, NHRP does not use any authentication. Authentication can be configured using the 'ip nhrp authentication' command, but it is disabled by default.
A network engineer is troubleshooting IPv6 routing issues between two routers connected via a serial link. Router R1 and Router R2 are running OSPFv3. The OSPFv3 adjacency is not forming. Router R1 has the following relevant configuration: interface Serial0/0 ipv6 address 2001:DB8:1::1/64 ipv6 ospf 1 area 0 ! Router R2 shows: debug ipv6 ospf hello output indicates that R2 is receiving Hello packets from R1, but the neighbor state remains INIT. What is the root cause?
A network type mismatch can cause Hello packets to be ignored or not processed correctly, leading to INIT state.
Why this answer
On a point-to-point serial link, OSPFv3 defaults to the point-to-point network type. If one side is configured as point-to-multipoint (or another non-broadcast type), the routers will not form a full adjacency because the Hello protocol and neighbor discovery mechanisms differ. The debug output shows R2 receives Hellos from R1 but stays in INIT, which indicates that R2 does not see its own Router ID in the Hello packet's neighbor list — a classic symptom of network type mismatch on a serial interface.
Exam trap
Cisco often tests the misconception that OSPFv3 requires matching global IPv6 subnets or process IDs, when in fact the adjacency is built using link-local addresses and the process ID is locally significant.
How to eliminate wrong answers
Option A is wrong because OSPFv3 process IDs are locally significant and do not need to match between routers; adjacency can form with different process IDs. Option C is wrong because OSPFv3 uses link-local addresses for neighbor discovery and does not require global unicast addresses to be in the same subnet; the interface's global address is irrelevant for adjacency formation. Option D is wrong because OSPFv3 Hello intervals can be modified on serial links and are not inherently unsupported; a mismatch would cause the neighbor state to remain DOWN or EXSTART, not INIT with received Hellos.
Consider the following partial configuration on router R1: ``` interface GigabitEthernet0/1 ip access-group MY_ACL in ! ip access-list extended MY_ACL permit tcp 10.1.1.0 0.0.0.255 any eq 80 permit icmp any any echo deny ip any any ``` What is the effect of this ACL when applied inbound on GigabitEthernet0/1?
Correct. The ACL permits the specified traffic and denies all other IP traffic.
Why this answer
The ACL is applied inbound on GigabitEthernet0/1. The first permit statement allows TCP traffic from source network 10.1.1.0/24 to any destination on port 80 (HTTP). The second permit statement allows ICMP Echo requests (type 8) from any source.
The final deny statement blocks all other IP traffic. Therefore, only HTTP requests from 10.1.1.0/24 and ICMP Echo requests from any source are permitted; all other IP traffic is denied.
How to eliminate wrong answers
Option B is wrong because it states 'all ICMP traffic' is permitted, but the ACL only permits ICMP Echo requests (type 8), not other ICMP types like Echo replies (type 0) or destination unreachable. Option C is wrong because it reverses the source and destination for HTTP traffic; the ACL permits HTTP from 10.1.1.0/24 to any, not from any to 10.1.1.0/24. Option D is wrong because it specifies ICMP Echo replies, but the ACL permits ICMP Echo requests (the 'echo' keyword in Cisco ACLs matches Echo requests, not replies).
Given the following configuration snippet on Router R5: router eigrp 400 network 10.1.1.0 0.0.0.255 What is wrong with this configuration?
The network command with a wildcard mask is valid for EIGRP.
Why this answer
Option C is correct because the configuration uses a valid EIGRP AS number (400) and a correct wildcard mask (0.0.0.255) to match the 10.1.1.0/24 subnet. In EIGRP, the network command uses a wildcard mask to specify the exact interfaces to advertise, and 0.0.0.255 is the proper inverse of the subnet mask 255.255.255.0.
Exam trap
Cisco often tests the distinction between wildcard masks and subnet masks, leading candidates to incorrectly assume that a subnet mask (like 255.255.255.0) should be used in the EIGRP network command instead of the correct wildcard mask.
How to eliminate wrong answers
Option A is wrong because the wildcard mask 0.0.0.255 is correct; using 255.255.255.0 would be a subnet mask, not a wildcard mask, and would not match the intended network. Option B is wrong because EIGRP allows specifying a subnet with a wildcard mask, and using the classful network 10.0.0.0 would enable EIGRP on all interfaces in the 10.0.0.0/8 range, which is not required and could cause unnecessary neighbor relationships. Option D is wrong because EIGRP AS numbers can range from 1 to 65535, and 400 falls within that valid range.
What is the default hash algorithm for IKEv1 phase 1 in Cisco IOS when not explicitly configured?
MD5 is the default hash algorithm for IKEv1.
Why this answer
In Cisco IOS, when IKEv1 phase 1 parameters are not explicitly configured, the default hash algorithm is MD5. This is because the default IKE proposal in Cisco IOS includes MD5 as the hash algorithm, along with DES encryption and Diffie-Hellman group 1. MD5 was chosen historically for its lower computational overhead, though it is now considered cryptographically weak.
Exam trap
Cisco often tests the misconception that IKEv1 has no default hash or that SHA-1 is the default, when in fact MD5 is the default for IKEv1 phase 1 in Cisco IOS.
How to eliminate wrong answers
Option A is wrong because SHA-1 is not the default hash algorithm for IKEv1 phase 1 in Cisco IOS; it must be explicitly configured if desired. Option C is wrong because SHA-256 is a stronger hash that is only available in newer IKE proposals and is never the default for IKEv1 phase 1. Option D is wrong because Cisco IOS does have a default hash algorithm (MD5) for IKEv1 phase 1; the hash does not have to be explicitly configured.
What is the default administrative distance for a route installed by Policy-Based Routing (PBR) using the 'set ip next-hop' command?
PBR does not alter the administrative distance; the route retains the AD of the original routing protocol.
Why this answer
PBR does not change the administrative distance of the route; the route is installed with the AD of the routing protocol that learned it. The 'set ip next-hop' command does not modify AD.
Which TWO statements about IPv4 extended access control lists are true? (Choose TWO.)
Extended ACLs can specify both source and destination addresses in the permit/deny statement.
Why this answer
Option A is correct because IPv4 extended ACLs can filter traffic based on both source and destination IP addresses, as well as protocol type, port numbers, and other parameters. This is defined in the access-list command syntax (e.g., access-list 100 permit tcp 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255 eq 80), which allows granular control beyond standard ACLs that only filter on source IP.
Exam trap
Cisco often tests the misconception that extended ACLs can only be numbered, but they support named ACLs as well, and that wildcard masks apply only to one address field, whereas they apply to both source and destination.
A network engineer runs the following command to verify NAT on a VRF: R1# show ip nat translations vrf CUSTOMER Pro Inside global Inside local Outside local Outside global --- 10.2.2.2 10.1.1.1 192.168.1.1 192.168.1.1 What is the purpose of the 'vrf CUSTOMER' parameter?
VRF-aware NAT is used to translate addresses for different customers.
Why this answer
The 'vrf CUSTOMER' parameter filters the output of 'show ip nat translations' to display only the NAT entries associated with the specified VRF (CUSTOMER). This allows per-customer NAT visibility in MPLS VPN or multi-VRF environments, where each VRF maintains its own separate NAT translation table. Without this parameter, the command would show all NAT translations across all VRFs, which is not the intended behavior.
Exam trap
Cisco often tests the distinction between filtering output and enabling a feature; the trap here is that candidates may think the 'vrf' parameter enables NAT on the VRF or creates a VRF, when in fact it only filters the display of existing translations.
How to eliminate wrong answers
Option B is wrong because 'show ip nat translations vrf CUSTOMER' does not show all translations across all VRFs; it specifically filters to show only translations for the VRF named CUSTOMER. Option C is wrong because the 'vrf' parameter in this command is used for filtering output, not for enabling NAT on a VRF interface; NAT is enabled on an interface using the 'ip nat inside' or 'ip nat outside' commands under the interface configuration, optionally within a VRF. Option D is wrong because the 'vrf' parameter does not create a new VRF; VRFs are created using the 'vrf definition' or 'ip vrf' command in global configuration mode.
Drag and drop the steps to troubleshoot SPAN, RSPAN, and ERSPAN adjacency or connectivity failures into the correct order, from first to last.
Drag steps to the numbered slots on the right, or tap a step then tap a slot.
Why this order
Begin by checking the SPAN/RSPAN/ERSPAN session status with show commands. Then, verify that the source and destination VLANs or interfaces are up. Next, confirm that any intermediate switches support the required encapsulation.
After that, test IP connectivity for ERSPAN destinations using ping. Finally, review ACLs or filters that might block mirrored traffic.
Examine the partial BFD configuration on a router: interface GigabitEthernet0/0 bfd interval 100 min_rx 100 multiplier 3 ! interface GigabitEthernet0/1 bfd interval 200 min_rx 200 multiplier 3 ! router ospf 1 bfd all-interfaces ! The router has OSPF neighbors on both interfaces. Which statement is true?
Correct. Detection time = multiplier * interval. For Gi0/0: 3*100=300 ms; for Gi0/1: 3*200=600 ms.
Why this answer
BFD timers are configured per interface. Each BFD session independently uses the timers configured on its respective interface. The multiplier is applied per session.
Which TWO commands can be used to verify OSPFv3 interface parameters and troubleshoot adjacency issues? (Choose TWO.)
Correct. This command displays OSPFv3 interface parameters such as area, cost, hello interval, dead interval, and neighbor state.
Why this answer
The 'show ipv6 ospf interface' command displays OSPFv3 interface parameters, and 'debug ipv6 ospf hello' can be used to troubleshoot hello packet issues. The other commands are either invalid or for OSPFv2 only.
A network engineer runs the following command to verify OSPF interface details: R1# show ip ospf interface gigabitethernet0/0 detail GigabitEthernet0/0 is up, line protocol is up Internet Address 10.1.1.1/24, Area 0 Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 10 Transmit Delay is 1 sec, State BDR, Priority 1 Designated Router (ID) 2.2.2.2, Interface address 10.1.1.2 Backup Designated router (ID) 1.1.1.1, Interface address 10.1.1.1 Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 oob-resync timeout 40 Hello due in 00:00:03 Supports Link-local Signaling (LLS) Cisco NSF helper support enabled IETF NSF helper support enabled Can be protected by per-prefix Loop-Free Fast Reroute Can be used for per-prefix Loop-Free Fast Reroute repair paths Index 1/1, flood queue length 0 Next 0(0)/0(0) Last flood scan length is 1, maximum is 25 Last flood scan time is 0 msec, maximum is 4 msec Neighbor Count is 1, Adjacent neighbor count is 1 Adjacent with neighbor 2.2.2.2 (Designated Router) Suppress hello for 0 neighbor(s) What does this output indicate?
The output shows 'Adjacent with neighbor 2.2.2.2 (Designated Router)' indicating a full adjacency.
Why this answer
The output shows detailed OSPF interface parameters, including state, timers, and neighbor information.
A DMVPN phase 3 network with IPv6 over IPv4 tunnels is experiencing spoke-to-spoke tunnel failures. Hub router R1 has the following relevant configuration: interface Tunnel0 ipv6 address 2001:DB8:1::1/64 tunnel source GigabitEthernet0/0 tunnel mode gre multipoint ip nhrp network-id 1 ip nhrp map multicast dynamic ipv6 nhrp map multicast dynamic. Spoke router R2 shows: R2# show dmvpn detail Legend: Attrb -> S: Static, D: Dynamic, I: Incomplete NHRP domain: 1 Interface: Tunnel0, IPv4 NHRP Details Type:Spoke, Total NBMA Peers: 1 # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb 1 192.0.2.2 2001:DB8:1::2 UP 00:10:00 D. What is the root cause?
This command enables NHRP redirect messages, which are essential for phase 3 spoke-to-spoke shortcut establishment.
Why this answer
In DMVPN Phase 3, spoke-to-spoke tunnels rely on the hub to send NHRP Redirect messages to trigger shortcut creation. The hub's configuration is missing the `ip nhrp redirect` command under Tunnel0, which prevents it from informing the spoke that a better path exists directly to another spoke. Without this redirect, the spoke never initiates an NHRP Resolution Request to build a direct tunnel, causing spoke-to-spoke communication to fail.
Exam trap
Cisco often tests the distinction between Phase 2 (where `ip nhrp map multicast dynamic` alone enables spoke-to-spoke tunnels) and Phase 3 (which additionally requires `ip nhrp redirect` on the hub and `ip nhrp shortcut` on spokes), causing candidates to overlook the missing redirect command.
How to eliminate wrong answers
Option B is wrong because the spoke's missing `ip nhrp shortcut` command would prevent it from installing the NHRP shortcut route, but the root cause is the hub not sending the redirect; the spoke cannot act on a redirect it never receives. Option C is wrong because DMVPN Phase 3 spokes can use either `gre multipoint` or point-to-point GRE tunnels; the spoke's tunnel mode is not the issue here. Option D is wrong because IPv6 NHRP is fully supported on DMVPN Phase 3, as evidenced by the IPv6 NHRP configuration and the hub's `ipv6 nhrp map multicast dynamic` command.
An engineer configures a DMVPN Phase 2 network. Spoke routers are configured with a route map that sets the next-hop to the tunnel interface for routes learned from the hub. This is intended to allow spoke-to-spoke direct communication. However, spoke-to-spoke traffic still goes through the hub. Which is the most likely explanation?
The hub must set the next-hop to the remote spoke's tunnel IP; the spoke cannot change the next-hop for routes received from the hub.
Why this answer
In DMVPN Phase 2, spoke-to-spoke direct communication requires that the spoke routers have a route with the next-hop set to the tunnel interface of the remote spoke. However, if the route map is applied inbound on the spoke from the hub, it sets the next-hop to the hub's tunnel interface, not the remote spoke. The correct approach is to use a route map on the hub that sets the next-hop to the spoke's tunnel IP when advertising routes, or to use the 'next-hop-self' command incorrectly.
The edge case is that the route map is applied on the spoke, not the hub.
A network engineer runs the following command to troubleshoot a Policy-Based Routing (PBR) issue: R1# debug ip policy Policy routing debugging is on R1# *Mar 1 00:10:45.456: IP: s=172.16.1.5 (FastEthernet0/0), d=8.8.8.8, len 64, policy match *Mar 1 00:10:45.456: IP: s=172.16.1.5 (FastEthernet0/0), d=8.8.8.8, len 64, policy routed *Mar 1 00:10:45.456: IP: FastEthernet0/0 to Serial0/0 10.1.1.2 What does this output indicate?
The output shows 'policy routed' and the egress interface and next-hop.
Why this answer
The debug shows a packet from 172.16.1.5 to 8.8.8.8 that matched the policy and was routed out of Serial0/0 to next-hop 10.1.1.2. This indicates successful PBR operation.
A network engineer runs the following command to troubleshoot an IP SLA issue: R1# show ip sla configuration 10 IP SLAs, Infrastructure Engine-II. Entry number: 10 Owner: Tag: Type of operation to perform: icmp-echo Target address: 192.168.1.1 Type Of Service parameter: 0x0 Request size (ARR data portion): 28 Operation timeout (milliseconds): 5000 Frequency (seconds): 60 Next Scheduled Start Time: Start Time already occurred Group Scheduled : FALSE Life (seconds): Forever Entry Ageout (seconds): never Recurring (Starting Everyday): FALSE Status of entry (SNMP RowStatus): Active Threshold (milliseconds): 5000 Distribution Statistics: Number of history intervals kept: 0 Number of history buckets kept: 15 History Statistics: Number of history Lives kept: 0 What does this output indicate?
The configuration shows 'icmp-echo' type, target 192.168.1.1, and frequency 60 seconds.
Why this answer
This output shows the configuration of IP SLA operation 10. It is an ICMP echo probe to 192.168.1.1, with a 60-second frequency and 5-second timeout. The status is 'Active', meaning it is enabled.
What is the default behavior of EEM when a policy encounters a runtime error?
The error is logged, and if multiple policies are queued, execution continues with the next.
Why this answer
By default, EEM logs the error via syslog and stops executing the policy; it does not retry.
When using 'set ip next-hop verify-availability', what mechanism does the router use to determine if the next-hop is reachable?
The track object defines the condition; if the track is up, the next-hop is considered reachable.
An engineer configures IPsec between two routers. The tunnel does not come up. 'show crypto isakmp sa' shows MM_NO_STATE. Which is the most likely explanation?
Aggressive mode and main mode are incompatible. If one side uses aggressive mode and the other uses main mode, the IKE exchange will fail, resulting in MM_NO_STATE.
Why this answer
MM_NO_STATE indicates that IKE Phase 1 has not started. In aggressive mode, the initiator sends all IKE parameters in the first packet, and if the responder does not have a matching policy, the exchange fails. However, a common edge case is that the responder is configured for main mode while the initiator is configured for aggressive mode, causing the exchange to fail before any state is established.
OSPF DBD packets include the MTU of the sending interface. If the receiving interface has a smaller MTU, it will ignore the DBD packet, preventing the adjacency from progressing.
Why this answer
OSPF uses the MTU of the interface to determine the maximum size of Database Description (DBD) packets. If the MTU mismatch is such that the DBD packet from the larger MTU side is fragmented or dropped by the smaller MTU interface, the adjacency will stall in EXSTART. OSPF does not negotiate MTU; it simply compares the MTU value in the DBD packet.
If the receiving interface has a smaller MTU, it will reject the DBD packet, causing the neighbor to stay in EXSTART.
A network engineer is troubleshooting an OSPF adjacency that fails to come up. Both routers are directly connected via a serial link. BFD is enabled on the interface. The engineer sees that the BFD session is down. The OSPF configuration shows 'ip ospf bfd' under the interface. The serial interface is up/up. What should the engineer check first?
For OSPF BFD to work, the 'bfd' command must be enabled under the OSPF routing process (router ospf X, then 'bfd all-interfaces' or per-neighbor). Without it, the BFD session will not be initiated.
Why this answer
BFD on serial interfaces often requires the 'bfd interval' command to be explicitly configured, as the default may be disabled. Also, serial interfaces may need the 'bfd' command under the routing protocol as well.
An engineer is troubleshooting a BGP route selection issue. Router R1 receives two paths for prefix 10.0.0.0/8: one from eBGP peer R2 (AS 65002) with weight 0, local preference 100, and AS path 65002; and another from eBGP peer R3 (AS 65003) with weight 0, local preference 200, and AS path 65003 65004. R1's BGP table shows the path from R3 as the best route. The engineer wants the path from R2 to be preferred. What should the engineer do?
Setting local preference 250 is higher than 200, so after weight comparison (both 0), R2 becomes the best path. Correct.
Why this answer
BGP path selection compares weight first. Option D sets weight 100 for routes from R2 (default weight 0), making the R2 path preferred over R3's path (weight 0). Option B sets local preference 250, which is higher than R3's 200, so after weight tie (both 0) it wins.
Option A sets local preference 150, which is lower than 200, so R3 still wins. Option C prepends AS numbers, which lengthens the AS path, making R3 path less preferred in AS path length comparison, but since local preference is compared first, this change is irrelevant because R2's local preference is lower than R3's. Thus only B and D achieve the goal.
EIGRP network is experiencing stuck-in-active (SIA) routes. Router R1 shows: show ip eigrp topology active includes 10.0.0.0/24. Router R2 has: interface GigabitEthernet0/0, ip summary-address eigrp 100 10.0.0.0 255.255.255.0. What is the root cause?
Summary addresses can cause queries to be aggregated, leading to SIA if replies are not received.
Why this answer
The correct answer is A because the summary address configured on R2 (ip summary-address eigrp 100 10.0.0.0 255.255.255.0) causes R2 to advertise a single summary route (10.0.0.0/24) to R1. When R1 loses its route to 10.0.0.0/24 and sends a query for the specific prefix, R2 does not reply because the summary address suppresses the query for the more specific route, leaving R1 stuck-in-active (SIA) waiting for a reply that never comes.
Exam trap
Cisco often tests the subtle interaction between EIGRP summary addresses and query suppression, where candidates mistakenly think SIA is caused by flapping or interface issues, rather than understanding that a summary address on a downstream router can prevent query replies for more specific prefixes.
How to eliminate wrong answers
Option B is wrong because a stuck interface would cause neighbor loss or interface errors, not a query suppression scenario; SIA is caused by unacknowledged queries, not interface state. Option C is wrong because if the autonomous system numbers were mismatched, the EIGRP neighbors would not form at all, and the show ip eigrp topology active command would not show the route. Option D is wrong because route flapping triggers continuous updates and queries, but the root cause here is the summary address suppressing the query reply, not instability of the route itself.
Drag and drop the steps to configure IPv6 RA Guard on a switch into the correct order, from first to last.
Drag steps to the numbered slots on the right, or tap a step then tap a slot.
Why this order
First, globally enable IPv6 snooping. Then define an RA Guard policy with the trusted or untrusted role. Apply the policy to the desired interface.
Verify the configuration with show commands. Finally, test the RA Guard operation by sending RAs from unauthorized ports.
A network engineer configures an IPv6 over IPv4 GRE tunnel with IPsec protection. The tunnel works for IPv6 traffic, but when the engineer tries to run EIGRP for IPv6 over the tunnel, the neighbor relationship forms but routes are not exchanged. The engineer checks the EIGRP configuration and sees that the tunnel interface is included in the EIGRP process. What is the most likely explanation?
Unlike EIGRP for IPv4, EIGRP for IPv6 has a shutdown state by default. The 'no shutdown' command is required to activate the address-family.
Why this answer
Option A is correct because EIGRP for IPv6 requires the 'no shutdown' command under the address-family configuration to activate the routing process. Without it, the EIGRP process remains administratively down, which prevents route exchange even though the neighbor relationship forms (since EIGRP hellos are sent but routes are not advertised or processed). This is a common misconfiguration when transitioning from EIGRP for IPv4, which does not require an explicit 'no shutdown'.
Exam trap
Cisco often tests the 'no shutdown' requirement for EIGRP for IPv6, tricking candidates who assume the process is automatically enabled once configured, similar to EIGRP for IPv4.
How to eliminate wrong answers
Option B is wrong because the scenario states the tunnel interface is included in the EIGRP process, which implies the 'ipv6 eigrp' command under the interface is configured; the issue is the process itself being administratively down. Option C is wrong because IPsec transform sets do not inherently block multicast traffic; GRE tunnels encapsulate IPv6 multicast (including EIGRP hellos) as IPv4 unicast, and IPsec protects the GRE payload without filtering multicast. Option D is wrong because GRE tunnels fully support EIGRP for IPv6; there is no protocol restriction—EIGRP for IPv6 operates over any IPv6-capable interface, including GRE tunnels.
Which statement accurately describes the default behavior of auto-summary in EIGRP on Cisco IOS-XE?
Correct. IOS-XE defaults to no auto-summary, preserving subnet information.
Why this answer
In Cisco IOS-XE, EIGRP auto-summary is disabled by default. This means that EIGRP advertises subnets without automatically summarizing them at classful boundaries, allowing for more granular route advertisement and preventing routing issues in discontiguous networks.
Exam trap
Cisco often tests the misconception that auto-summary is still enabled by default in EIGRP on modern IOS-XE, when in fact it was changed to disabled by default starting from IOS 15.0(1)M and later.
How to eliminate wrong answers
Option A is wrong because auto-summary is not enabled by default on Cisco IOS-XE; it was enabled by default in older IOS versions but is now disabled. Option C is wrong because auto-summary, when enabled, applies to all routes, not just external routes; there is no such distinction in the default behavior. Option D is wrong because auto-summary is disabled by default regardless of whether the network is configured with a classful mask; the classful mask configuration does not re-enable auto-summary.
A VRF-aware network uses route leaking between VRF A and VRF B. After configuring Flexible NetFlow to monitor traffic in VRF A, some routes that were previously leaked to VRF B disappear. Router R1 has: ip route vrf A 10.0.0.0 255.0.0.0 Null0. route-map LEAK permit 10 match ip address prefix-list GLOBAL. The prefix-list GLOBAL permits 10.0.0.0/8. The flow monitor is applied to the VRF A interface. What is the root cause?
This is the root cause. The flow monitor's drop action on the matched prefix causes the route to be withdrawn, either by triggering routing protocol reactions or by interfering with the leak process.
Why this answer
The flow monitor is configured with a match ip address prefix-list statement referencing the same prefix-list used in the route-map LEAK. However, the flow monitor's action is set to drop packets matching that prefix. When the flow monitor is applied in the input direction on the VRF A interface, it evaluates packets before they are processed for routing.
If the flow monitor matches a packet with the 10.0.0.0/8 destination, it drops the packet. This can cause the router to withdraw the route because the router may interpret the sustained packet drops for that prefix as an indication that the next hop is unreachable, or because the flow monitor's drop action interferes with the route-leaking process. Although Flexible NetFlow typically does not affect routing, a misconfigured flow monitor with a drop action can inadvertently influence route availability, leading to the disappearance of leaked routes.
A network engineer configures SNMP traps on router R3 to monitor BGP events. R3 is an iBGP route reflector with multiple clients. The configuration includes: snmp-server enable traps bgp, snmp-server host 192.168.1.100 version 2c public. However, the NMS receives no BGP traps. R3's show snmp pending shows no pending traps. show snmp statistics shows TrapsSent: 0. The NMS can poll R3 successfully via SNMP. What is the root cause?
In some IOS versions, the SNMP agent needs explicit BGP notification enablement via 'bgp snmp trap' under the BGP router config. Without it, no BGP traps are generated.
Why this answer
Option A is correct because on many Cisco IOS versions, the command `snmp-server enable traps bgp` only enables the SNMP agent to send BGP traps, but the BGP process itself must be explicitly configured to generate those traps using the `bgp snmp trap` command under the BGP router configuration. Without this, the BGP process never sends trap notifications to the SNMP agent, resulting in zero traps sent despite the SNMP trap configuration being otherwise correct.
How to eliminate wrong answers
Option B is wrong because the NMS can successfully poll R3 via SNMP, indicating SNMP communication works; if the NMS were using SNMPv3 and the router only v2c, polling would also fail due to version mismatch, not just traps. Option C is wrong because an ACL blocking UDP 162 would prevent traps from reaching the NMS, but the router's `show snmp statistics` shows TrapsSent: 0, meaning the router never attempted to send any traps, so the issue is before the network layer. Option D is wrong because `show snmp pending` shows no pending traps, indicating the trap queue is empty, not full; a full queue would show pending traps that are queued but not yet sent.
A network engineer is troubleshooting PBR on a Cisco router where traffic from subnet 10.1.1.0/24 should be forwarded to next-hop 192.168.1.2. The route map 'PBR-10' is configured with 'match ip address 150' and 'set ip next-hop 192.168.1.2'. The engineer applies the route map to interface GigabitEthernet0/0. The engineer notices that PBR is not working, and the router is using the routing table to forward traffic. The engineer checks the ACL 150 and confirms it matches 10.1.1.0/24. The engineer also checks the interface configuration and sees 'ip policy route-map PBR-10' applied. What is the most likely cause?
Correct because if the ACL referenced in the route map does not exist, the route map will not match any traffic, and PBR will not be applied.
Why this answer
If PBR is not working and the router uses the routing table, it could be because the route map is not being processed due to a missing 'match' statement or the route map being empty. However, a common cause is that the route map has a 'match ip address' that references an ACL that does not exist or is misconfigured. The engineer should verify that the ACL 150 exists and is correctly configured.
Which THREE statements about route redistribution and administrative distance are true? (Choose THREE.)
Correct: EIGRP uses AD 170 for external routes, while internal routes use 90.
Why this answer
Administrative distance (AD) is crucial in redistribution because it determines which routes are preferred when multiple protocols learn the same prefix. Option A is correct: EIGRP has a default AD of 90 for internal routes and 170 for external (redistributed) routes. Option B is correct: OSPF external routes have a default AD of 110, same as internal OSPF routes, but can be changed.
Option C is correct: Changing AD can influence route selection and help prevent routing loops. Option D is incorrect: The distance command can be applied to both internal and external routes. Option E is incorrect: RIP has a default AD of 120, which is higher than OSPF's 110, so OSPF is preferred.
A network engineer is troubleshooting PBR on a Cisco router where traffic from subnet 192.168.20.0/24 should be forwarded to next-hop 10.20.20.2. The route map 'PBR-20' is configured with 'match ip address 120' and 'set ip next-hop 10.20.20.2'. The engineer applies the route map to interface GigabitEthernet0/0. The engineer notices that PBR works for traffic from 192.168.20.0/24, but traffic from other subnets is also being forwarded to 10.20.20.2. What is the most likely cause?
Correct because a permit statement without a match condition matches all traffic, causing PBR to apply to all packets.
Why this answer
The issue that traffic from other subnets is also being policy-routed indicates that the route map or ACL is matching more traffic than intended. Two common causes are: (A) The route map has a permit statement with no match condition, which matches all traffic. In PBR, a route-map entry with a permit clause but without a match clause will match everything. (C) The ACL 120 is configured with 'permit ip any any' at the end, which also matches all traffic.
Both scenarios result in all traffic being subject to the set next-hop command, regardless of source subnet. The engineer should verify that each route-map sequence has an appropriate match clause and that the ACL is specific to the intended subnet.
Router R1 and R2 are running EIGRP. R1 has a route to 172.16.0.0/16 with AD 90. R2 redistributes a static route for 172.16.0.0/16 into EIGRP with a route-map that sets the administrative distance to 85. R1 learns the redistributed route with AD 85 and installs it, overriding the original internal route. However, R1's 'show ip route 172.16.0.0' shows the route via R2 with AD 85, but pings to 172.16.1.1 fail. What is the most likely cause?
The summary route may point to a null interface or a next hop that does not have the specific route.
Why this answer
Setting AD to 85 makes the redistributed route preferred over the internal route (AD 90). However, the redistributed route might have a less specific prefix (e.g., 172.16.0.0/16) while the internal route might have a more specific prefix (e.g., 172.16.1.0/24) that is now hidden. The ping fails because the redistributed route is a summary that does not have a valid next hop for the specific subnet.
The correct answer is that the redistributed route is a summary that does not include the specific subnet, causing blackholing.
A network engineer runs the following command to verify BFD session details: R1# show bfd neighbors detail | include (NeighAddr|LD/RD|State|Int|MinTxInt|Multiplier) NeighAddr LD/RD RH/RS State Int 10.4.4.2 100/200 Up Up Gi0/1 MinTxInt: 500000, MinRxInt: 500000, Multiplier: 5 What does this output indicate?
Detection time is MinTxInt * Multiplier = 500 ms * 5 = 2500 ms (2.5 seconds).
Why this answer
The output shows a BFD session with a multiplier of 5 and intervals of 500 ms. The high multiplier may indicate a need for more tolerance, but the session is UP.
A network engineer configures BFD for EIGRP on a point-to-point link. The BFD session is up, but EIGRP neighbors are stuck in INIT state. The engineer checks that EIGRP hello packets are sent and received. Which of the following is the most likely explanation?
Correct. EIGRP requires matching K values to form an adjacency. BFD does not influence this check.
Why this answer
EIGRP requires that the K values match between neighbors. If the K values are mismatched, EIGRP will not form an adjacency even if BFD is operational. This is a common misconfiguration because BFD does not enforce K value matching; it only reports link failures.
A network engineer runs the following command on switch SW5: SW5# show monitor session 7 Session 7 --------- Type : Local Session Source Ports : Both : Gi0/11 Destination Ports : Gi0/12 Encapsulation : Replicate Ingress : Disabled Based on this output, which statement is correct?
The encapsulation type 'Replicate' indicates that the original VLAN tag is preserved.
Why this answer
This is a local SPAN session with source port Gi0/11 and destination port Gi0/12. The encapsulation is set to 'Replicate', which means the mirrored traffic retains its original VLAN tag. This is typical when the destination port is a trunk port and the analyzer expects tagged traffic.
A network engineer runs the following command on Router R1: R1# show ip ospf neighbor detail Neighbor 10.1.1.4, interface address 192.168.14.4 In the area 0 via interface GigabitEthernet0/2 Neighbor priority is 1, State is 2WAY, 2 state changes DR is 10.1.1.1, BDR is 10.1.1.4 Options is 0x12 (L L S R) Dead timer due in 00:00:38 Neighbor is up for 00:05:22 Index 1/1/1, retransmission queue length 0, number of retransmission 0 First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0) Last retransmission scan length is 0, time is 0 msec Last retransmission scan time is 0 msec Based on this output, what is the problem?
2WAY state indicates that the routers have seen each other's hello packets but have not exchanged LSAs. FULL is required for complete adjacency.
Why this answer
The neighbor state is 2WAY, not FULL. This indicates that the neighbor relationship has not progressed to full adjacency. On a broadcast network, routers in 2WAY state have exchanged hello packets but have not completed database exchange.
This could be due to mismatched MTU, authentication, or other issues, but the key observation is that the state is not FULL.
According to RFC 3164, which facility code is used by default for Cisco IOS syslog messages?
Cisco IOS defaults to facility local7 for syslog messages.
Why this answer
RFC 3164 defines facility codes. Cisco IOS uses local7 (facility 23) as the default for syslog messages, though this can be changed with the 'logging facility' command.
A network engineer runs the following command to troubleshoot a BGP Troubleshooting issue: R1# debug ip bgp 10.1.1.2 updates BGP: 10.1.1.2 sending UPDATE with 2 prefixes, 0 withdrawn BGP: 10.1.1.2 sending UPDATE with 0 prefixes, 1 withdrawn What does this output indicate?
The debug shows updates sent to the neighbor: two prefixes advertised and one withdrawn.
Given this partial configuration: ip nat pool MYPOOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0 ip nat inside source list 1 pool MYPOOL access-list 1 permit 192.168.1.0 0.0.0.255 What is the effect?
Without overload, each translation consumes one pool address; exhaustion blocks new flows.
Why this answer
The configuration uses a standard ACL to match inside hosts (192.168.1.0/24) and dynamically assigns them a unique address from the pool 203.0.113.10–203.0.113.20. Because no 'overload' keyword is present, PAT is not enabled; each translation consumes a pool address, and once all 11 addresses are used, new translations fail until an existing translation times out or is cleared.
How to eliminate wrong answers
Option A is wrong because PAT requires the 'overload' keyword on the 'ip nat inside source list 1 pool MYPOOL' command; without it, the router performs dynamic one-to-one NAT, not port address translation. Option C is wrong because the ACL restricts which inside hosts are eligible for translation; traffic from hosts not matching the ACL (or from outside interfaces) is not translated using the pool. Option D is wrong because while 'ip nat outside' is required on the egress interface for NAT to function, the statement says 'requires the ip nat outside interface command to function' as if it were the only missing piece, but the configuration is incomplete without both 'ip nat inside' and 'ip nat outside' on the respective interfaces; the question's phrasing implies a misunderstanding that only the outside command is needed.
A network engineer runs the following command to verify DHCPv6 guard policy: R1# show ipv6 dhcp guard policy DHCP-POLICY Policy: DHCP-POLICY Status: Active Device role: dhcp-client Trusted ports: none Untrusted ports: Fa0/0 DHCPv6 guard: enabled DHCPv6 guard action: block DHCPv6 server validation: enabled DHCPv6 server list: 2001:db8::10 What does this output indicate?
The action is block, and server validation is enabled with a specific server list.
Why this answer
The output shows that DHCPv6 guard is enabled with an action of 'block' on untrusted port Fa0/0, and DHCPv6 server validation is enabled with a server list containing 2001:db8::10. This means the policy blocks DHCPv6 server messages (e.g., ADVERTISE, REPLY) received on Fa0/0, but allows them if they originate from the specified server address. Thus, only server messages from 2001:db8::10 are permitted, while all other DHCPv6 server messages are blocked.
Exam trap
Cisco often tests the distinction between the 'device role' (dhcp-client vs. dhcp-server) and the filtering direction; the trap here is assuming that 'dhcp-client' role means the policy filters client messages, when in fact it filters server messages on that port to protect clients from rogue servers.
How to eliminate wrong answers
Option B is wrong because the policy explicitly blocks DHCPv6 server messages on Fa0/0 (action: block) and does not allow all DHCPv6 messages without filtering. Option C is wrong because the policy applies to DHCPv6 server messages, not client messages; the device role is 'dhcp-client', meaning the port is treated as a client-facing port, and the guard filters incoming server messages. Option D is wrong because the policy status is 'Active' and it is applied to interface Fa0/0 as an untrusted port, so it is active and applied.
What is the default BGP keepalive timer value in Cisco IOS-XE?
Correct. BGP keepalive defaults to 60 seconds.
Why this answer
The default BGP keepalive timer is 60 seconds, as defined in RFC 4271 and implemented in Cisco IOS-XE.
A network engineer runs the following command on Router R1: R1# show ip ospf neighbor vrf BLUE Neighbor ID Pri State Dead Time Address Interface 10.0.0.2 1 FULL/DR 00:00:32 10.1.1.2 GigabitEthernet0/0 10.0.0.3 1 2WAY/DROTHER 00:00:35 10.1.2.2 GigabitEthernet0/1 Based on this output, which statement is correct?
The states are appropriate for the network type; FULL for DR and 2WAY for DROTHER.
Why this answer
The output shows two OSPF neighbors for VRF BLUE. Neighbor 10.0.0.2 is in FULL state and is the DR on GigabitEthernet0/0. Neighbor 10.0.0.3 is in 2WAY state and is a DROTHER on GigabitEthernet0/1.
The 2WAY state is normal for neighbors that are not DR/BDR on a multi-access network. No problem is evident.
Drag and drop the steps to troubleshoot EEM adjacency or connectivity failures into the correct order, from first to last.
Drag steps to the numbered slots on the right, or tap a step then tap a slot.
Why this order
Start by verifying the EEM policy is registered and enabled, then check for any connectivity issues using ping or traceroute, review syslog or debug output for event triggers, examine the policy logic for errors, and finally test the policy manually to confirm resolution.
A spoke router has the following DMVPN configuration: interface Tunnel0 ip address 10.0.0.2 255.255.255.0 ip nhrp network-id 100 ip nhrp nhs 10.0.0.1 tunnel source GigabitEthernet0/0 tunnel mode gre multipoint ip nhrp map 10.0.0.1 192.168.1.1 ! What is missing from this configuration?
The 'tunnel key' command is missing. In DMVPN, the hub often uses a tunnel key to identify the mGRE tunnel. Without matching tunnel key on the spoke, the tunnel might not come up properly. This is a common requirement in production environments.
Why this answer
The spoke configuration is missing the 'tunnel key' command, which is required in many DMVPN deployments when the hub is configured with a tunnel key. The tunnel key ensures that the mGRE interface on the spoke only accepts packets with the correct key, preventing misconfiguration. The existing commands 'ip nhrp nhs' and 'ip nhrp map' are sufficient for NHRP registration and unicast communication, but without a matching tunnel key, the spoke may not establish the tunnel correctly with the hub.
A large enterprise network uses OSPFv3 for IPv6 routing. Router R1 and R2 are connected via a multi-access Ethernet link. R1 is configured with 'ipv6 ospf network point-to-point' while R2 uses the default broadcast network type. R1 has an IPv6 ACL applied inbound on its interface that permits only OSPF (89) and denies all other traffic. R2 is unable to form a full OSPF adjacency with R1. R2 shows 'OSPFv3 adjacency state is EXSTART/EXCHANGE' and logs 'Bad LSReq'. What is the root cause?
On a broadcast network, OSPFv3 sends hellos to FF02::5. R1's ACL permits only OSPF protocol, but the destination address is filtered because the ACL does not explicitly permit multicast. The network type mismatch exacerbates the issue as R1 expects unicast hellos.
Why this answer
R1's inbound IPv6 ACL permits only OSPF (protocol 89) but denies all other traffic. When R1's interface is configured as 'ipv6 ospf network point-to-point', it expects to send unicast OSPFv3 packets to the neighbor, not multicast. However, R2, using the default broadcast network type, sends OSPFv3 hellos to the multicast address FF02::5 (AllSPFRouters).
R1's ACL blocks these multicast hellos because they are not protocol 89 unicast packets, preventing adjacency formation. The 'Bad LSReq' error in EXSTART/EXCHANGE indicates that R1 never received R2's hellos, so it cannot build a proper link-state database.
Exam trap
Cisco often tests the interaction between OSPF network types and ACLs, where candidates assume that permitting OSPF protocol 89 is sufficient, forgetting that multicast packets (FF02::5) may be dropped if the ACL does not explicitly allow them or if the interface is configured for unicast-only communication.
How to eliminate wrong answers
Option B is wrong because a router-id conflict would cause a different issue, such as duplicate router-id detection or adjacency flapping, not a 'Bad LSReq' error specifically tied to ACL filtering. Option C is wrong because an MTU mismatch typically causes OSPF to stall in EXSTART/EXCHANGE with 'Bad LSReq' or 'Seq# mismatch', but the root cause here is the ACL blocking multicast hellos, not fragmentation. Option D is wrong because a passive interface on R2 would prevent it from sending hellos entirely, leading to a DOWN state, not EXSTART/EXCHANGE with 'Bad LSReq'.
What is the default lease duration for a DHCPv4 address pool on a Cisco IOS router?
The default lease time is 1 day (24 hours) unless overridden with the lease command.
Why this answer
The default lease duration for a DHCPv4 address pool on a Cisco IOS router is 1 day (86400 seconds). This is defined by the Cisco IOS DHCP server implementation, which uses a 24-hour lease as the default when no lease duration is explicitly configured under the DHCP pool configuration.
Exam trap
Cisco often tests the default lease value as a memorization point, and the trap here is that candidates may confuse the Cisco default with the RFC 2131 suggested default of 1 day (which is the same) or assume a longer lease like 7 days is standard for enterprise networks.
How to eliminate wrong answers
Option B is wrong because 7 days is not the default; it is a commonly configured lease duration for networks with stable devices, but Cisco IOS defaults to 1 day. Option C is wrong because 30 minutes is a very short lease typically used for high-turnover environments like Wi-Fi hotspots, not the default. Option D is wrong because an infinite lease is not a default behavior; it would require explicit configuration using the 'lease infinite' command, and DHCP leases are designed to expire to allow address reclamation.
A BGP speaker R1 is advertising a prefix 10.10.0.0/16 to its eBGP neighbor R2. R2 is also receiving the same prefix from another eBGP neighbor R3 with a lower local preference. R1 configuration: router bgp 100, neighbor 192.168.1.2 remote-as 200, neighbor 192.168.1.2 route-map SET-LP in. Route-map SET-LP sets local-preference 150. R2 shows: 'show ip bgp 10.10.0.0/16' shows two paths: one from R1 with local pref 150, and one from R3 with local pref 100. The best path is via R3. Why is the path from R1 not selected?
Inbound route-maps affect routes received from the neighbor; outbound affects routes sent. To set local preference on routes advertised to R2, the route-map must be applied outbound.
Why this answer
The route-map SET-LP is applied inbound on R1 (neighbor 192.168.1.2 route-map SET-LP in), which means it sets local preference on routes received from R2, not on routes sent to R2. Local preference is a BGP attribute that is propagated only to iBGP peers and is not exchanged between eBGP peers. To influence R2's best path selection, the route-map must be applied outbound on R1 (neighbor 192.168.1.2 route-map SET-LP out) so that the local-preference value is set on the update sent to R2.
Since R1 sets local preference inbound, R2 never receives the modified value, and R2's best path selection defaults to the path from R3 with local preference 100, which is the only local preference R2 sees from R1 (default 100).
Exam trap
Cisco often tests the distinction between inbound and outbound route-map application on eBGP peers, specifically that local preference set inbound affects the local router's decision but is not sent to the neighbor, leading candidates to mistakenly think the neighbor will see the modified value.
How to eliminate wrong answers
Option B is wrong because BGP best path selection does not require a specific numeric threshold; local preference is compared directly, and 150 is higher than 100, so if the value were correctly applied, the path from R1 would be preferred. Option C is wrong because there is no evidence or mention of a route-map on R2 that overrides local preference; the question states R2 sees two paths with local preferences 150 and 100, indicating no override. Option D is wrong because R1 is advertising the prefix 10.10.0.0/16 to R2, which implies the prefix is in R1's BGP table (either originated or learned from another source); otherwise, R1 could not send the update.
A PE router has the following configuration: router bgp 65000 neighbor 10.0.0.1 remote-as 65000 neighbor 10.0.0.1 update-source Loopback0 ! address-family vpnv4 neighbor 10.0.0.1 activate neighbor 10.0.0.1 send-community extended exit-address-family What is wrong with this configuration?
Incorrect. The configuration includes 'neighbor 10.0.0.1 send-community extended' under the VPNv4 address-family, so it is not missing.
Why this answer
The configuration is correct. The 'neighbor 10.0.0.1 send-community extended' command is present under the VPNv4 address-family, which is required for carrying VPN routing information. Options B, C, and D are incorrect: the neighbor does not need to be configured under IPv4 unicast first, using Loopback0 as update-source is standard for iBGP sessions between PEs, and the remote-as is correctly set to the same AS for iBGP.
In Cisco IOS, what is the default encryption algorithm for IKEv1 phase 1 if not specified in the ISAKMP policy?
Cisco IOS defaults to DES if no encryption is specified.
Why this answer
In Cisco IOS, when an IKEv1 ISAKMP policy is configured without specifying an encryption algorithm, the default encryption algorithm is DES (Data Encryption Standard). This is because Cisco IOS defaults to DES for IKEv1 phase 1 if no encryption is explicitly defined in the ISAKMP policy, as per the default policy parameters. DES uses a 56-bit key and is considered weak by modern standards, but it remains the default for backward compatibility.
Exam trap
Cisco often tests the default encryption algorithm for IKEv1 phase 1, and the trap here is that candidates assume a stronger algorithm like AES or 3DES is the default, but Cisco IOS defaults to the weaker DES for backward compatibility.
How to eliminate wrong answers
Option A is wrong because AES 256 is not the default encryption algorithm for IKEv1 phase 1; it must be explicitly configured using the 'encryption aes 256' command under the ISAKMP policy. Option B is wrong because 3DES is not the default; it is a stronger alternative that must be specified with 'encryption 3des' in the ISAKMP policy. Option D is wrong because AES 128 is not the default; it requires explicit configuration via 'encryption aes 128' in the ISAKMP policy.
Drag and drop the steps to verify and validate IP SLA operational state into the correct order, from first to last.
Drag steps to the numbered slots on the right, or tap a step then tap a slot.
Why this order
Begin by checking the overall IP SLA configuration to confirm the operation is defined, then review the latest statistics for RTT and success rate, examine the reaction configuration if tracking is used, verify the tracking object status, and finally confirm that tracked objects are influencing routing or policy.
Which TWO statements correctly describe the behavior of EIGRP route summarization when using the 'summary-address' command under an interface? (Choose TWO.)
Correct. EIGRP uses the best (lowest) metric from the component routes for the summary route advertisement.
Why this answer
EIGRP route summarization using the interface-level 'summary-address' command creates a local discard route to prevent routing loops, suppresses more specific routes from being advertised out that interface, and does not automatically summarize connected routes unless they are redistributed. The summary route is advertised with the metric of the best component route, and the administrative distance of the summary is set to 5 by default, not 90.
An engineer configures DHCPv4 on a router with multiple pools for different subnets. Clients in subnet A receive addresses correctly, but clients in subnet B receive addresses from subnet A's pool. The router has 'ip dhcp relay' configured. Which is the most likely explanation?
Correct: The giaddr is critical for pool selection. If it is not set (e.g., due to missing 'ip helper-address' on the correct interface), the server may assign from a different pool.
Why this answer
Option A is correct because when a DHCP relay agent forwards a client's request to the server, it inserts its own IP address (the interface address on the client's subnet) into the giaddr (gateway IP address) field. The DHCP server uses this giaddr to select the appropriate pool. If the relay agent fails to set the giaddr correctly—for example, due to misconfiguration or the relay interface not being on the correct subnet—the server may receive a giaddr of 0.0.0.0 or an incorrect address, causing it to fall back to the first configured pool that matches, which in this case is subnet A's pool.
Exam trap
Cisco often tests the misconception that DHCP pool selection is based on pool order or client MAC address, when in fact it relies on the giaddr set by the relay agent.
How to eliminate wrong answers
Option B is wrong because DHCP pool selection is not based on the order of pools or the client's MAC address; the server selects a pool based on the giaddr or the subnet of the receiving interface, not MAC address. Option C is wrong because 'ip dhcp smart-relay' is a Cisco feature that allows the relay agent to insert a giaddr when the client's broadcast is received on an interface without an IP address; it does not override pool selection but rather enables relaying in scenarios where the giaddr would otherwise be missing. Option D is wrong because overlapping 'network' statements would cause an ambiguous pool selection error or lease assignment failure, not a consistent misassignment to a different subnet's pool.
Which TWO commands would a network engineer use to verify SNMP agent configuration and connectivity on a Cisco IOS router? (Choose TWO.)
Displays SNMP agent statistics, community strings, and trap status.
Why this answer
The `show snmp` command displays the overall SNMP agent configuration, including contact, location, community strings, and SNMP version. The `show snmp host` command lists the configured SNMP notification receivers (trap or inform destinations) and verifies that the router is correctly configured to send SNMP messages to the management station. Together, these two commands confirm both the agent's operational state and its connectivity to remote hosts.
Exam trap
Cisco often tests the distinction between verification commands (show) and troubleshooting commands (debug), and the trap here is that candidates mistakenly choose `debug snmp packets` as a verification tool when it is actually a high-overhead diagnostic command that should only be used after initial configuration checks fail.
Which TWO statements about BFD echo mode are true? (Choose TWO.)
Correct. Echo mode offloads control packet processing from the remote router, as it only reflects echo packets.
Why this answer
BFD echo mode reduces the processing load on the remote router because the remote router simply reflects echo packets back without processing BFD control packets, thus requiring fewer CPU resources. However, echo mode is only supported for single-hop BFD sessions, not for multihop sessions. Therefore, Option B is correct, and Option C is incorrect.
Practice 300-410 by domain
Target a specific domain to shore up weak areas.