Cisco CCNP ENARSI 300-410 (300-410) — Questions 13511425

2152 questions total · 29pages · All types, answers revealed

Page 18

Page 19 of 29

Page 20
1351
Drag & Dropmedium

Drag and drop the steps for verifying and validating MPLS operations operational state into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Start by confirming MPLS is enabled on interfaces (show mpls ip interface), then verify LDP peer state (show mpls ldp neighbor), review label bindings (show mpls ldp bindings), display the MPLS forwarding table (show mpls forwarding-table), and finally validate the LSP path (traceroute mpls ipv4).

1352
MCQhard

An OSPF network has multiple areas and uses Flexible NetFlow to monitor inter-area traffic. After applying a flow monitor to the ABR's interface, OSPF neighbor relationships fail to form. Router R1 (ABR) shows: show ip ospf neighbor | include (FULL|DOWN) Neighbor 10.0.0.2, interface GigabitEthernet0/0, state DOWN. show flow monitor FLOW-MONITOR statistics | include (Packets|Errors) Packets exported: 1000, Errors: 0. What is the root cause?

A.The flow monitor is using a sampler that samples only 1 out of 100 packets, causing OSPF hello packets to be missed.
B.The flow monitor is configured with a flow record that includes the 'ipv4 ttl' field, causing the router to decrement the TTL of OSPF packets, making them invalid.
C.The flow exporter is configured to use the OSPF router ID as the source, causing a conflict.
D.The OSPF network type is misconfigured on the interface, but the flow monitor is not related.
AnswerA

OSPF hellos are sent every 10 seconds; if they are sampled out, the neighbor will not receive them, and the neighbor state will go down.

Why this answer

The root cause is that the flow monitor is using a sampler with a high sampling rate (e.g., 1 out of 100 packets). OSPF Hello packets are sent periodically (default every 10 seconds) and are critical for neighbor discovery and maintenance. If the sampler drops 99 out of 100 packets, most OSPF Hellos are not processed, causing the neighbor to fail to form or stay up.

The show output shows zero errors in flow monitoring, indicating no packet drops due to hardware or software issues, but the sampler itself selectively captures packets, effectively dropping OSPF Hellos. Flexible NetFlow does not modify or drop packets; it only copies them for analysis. Therefore, only a sampler can cause this behavior.

1353
Multi-Selecthard

Which TWO statements about DHCPv6 stateless autoconfiguration (SLAAC) are true? (Choose TWO.)

Select 2 answers
A.SLAAC requires the 'A' flag to be set in Router Advertisements.
B.When using SLAAC, DHCPv6 can still be used to provide DNS server information.
C.The 'M' flag in Router Advertisements must be set for SLAAC to operate.
D.The command 'ipv6 nd other-config-flag' sets the 'M' flag in Router Advertisements.
E.SLAAC can only be used on Ethernet interfaces.
AnswersA, B

Correct. The 'A' (autonomous) flag in the RA prefix information option indicates that hosts can use SLAAC to generate addresses from that prefix.

Why this answer

SLAAC (Stateless Address Autoconfiguration) requires the 'A' (Autonomous) flag to be set in Router Advertisements (RAs). This flag tells hosts to generate their own IPv6 address using the prefix in the RA and an interface identifier (e.g., EUI-64 or privacy extension). Without the 'A' flag, hosts will not perform address autoconfiguration via SLAAC.

Exam trap

Cisco often tests the confusion between the 'M' (Managed) flag and the 'O' (Other Configuration) flag, as well as the misconception that SLAAC requires DHCPv6 or is restricted to specific interface types, leading candidates to incorrectly select options C or E.

1354
MCQeasy

Which EIGRP packet type is used to acknowledge receipt of a reliable packet?

A.Hello
B.Update
C.Reply
D.Ack
AnswerD

Correct. The Ack packet is an empty packet used to confirm receipt of reliable packets.

Why this answer

D is correct because the EIGRP Ack (Acknowledgement) packet is a special packet used exclusively to confirm the reliable delivery of EIGRP packets such as Update, Query, and Reply. Ack packets are sent as unicast to the source router and contain no data, serving only as a delivery confirmation. This mechanism ensures that EIGRP's Reliable Transport Protocol (RTP) can guarantee ordered and guaranteed delivery of critical routing information.

Exam trap

Cisco often tests the distinction between packet types that are sent reliably versus unreliably, and the trap here is that candidates confuse the Reply packet (which is a response to a Query) with an acknowledgment, when in fact Reply packets are data-carrying reliable packets that themselves require an Ack.

How to eliminate wrong answers

Option A is wrong because Hello packets are used for neighbor discovery and maintenance, not for acknowledging reliable packets; they are sent unreliably (multicast) and do not confirm receipt of any specific packet. Option B is wrong because Update packets carry routing information and are themselves sent reliably, requiring an Ack in response; they do not serve as acknowledgments. Option C is wrong because Reply packets are sent in response to Query packets during route computation and are also sent reliably, requiring their own acknowledgment; they do not function as generic acknowledgments.

1355
MCQhard

A network engineer configures an inbound IPv4 ACL on a router's interface to filter BGP updates from an eBGP neighbor. The ACL permits only specific prefixes. After applying the ACL, the BGP session remains established, but the router does not install any routes from that neighbor. What is the most likely explanation?

A.The ACL is blocking TCP port 179 packets, but keepalives are permitted due to a separate permit statement.
B.The ACL is applied outbound instead of inbound, filtering the router's own updates.
C.The BGP neighbor has a distribute-list that is filtering routes.
D.The ACL is using the wrong protocol number; BGP uses UDP port 179.
AnswerA

If the ACL permits keepalives (e.g., by allowing established connections) but denies the initial update packets, the session stays up but updates are filtered.

Why this answer

The ACL is applied inbound on the router's interface and permits only traffic destined to specific network prefixes. BGP update packets from the eBGP neighbor are TCP packets destined to the router's interface IP address, which does not match any of the permitted prefixes, so they are denied. However, a separate explicit permit statement allows TCP port 179 packets (or keepalives specifically), which maintains the BGP session.

The session remains established because keepalives are permitted, but the actual routing updates (NLRI) are dropped, preventing route installation.

Exam trap

Cisco often tests the distinction between filtering the BGP session (TCP port 179) and filtering the routing updates (NLRI) within the session; the trap here is that candidates assume an ACL that permits specific prefixes will automatically allow the BGP session to function, but the ACL must also permit the TCP transport for BGP to exchange updates.

How to eliminate wrong answers

Option B is wrong because if the ACL were applied outbound instead of inbound, it would filter the router's own outgoing updates, not the incoming updates from the neighbor; the router would still receive and process the neighbor's updates, so routes would be installed. Option C is wrong because a distribute-list on the neighbor would filter routes before they are sent to the router, but the question states the ACL is applied on the router's interface; the neighbor's distribute-list would not cause the router to fail to install routes after receiving them. Option D is wrong because BGP uses TCP port 179, not UDP; an ACL filtering by protocol number would need to match TCP (protocol 6), not UDP (protocol 17).

1356
MCQhard

An engineer configures IPsec between two PE routers in an MPLS L3VPN using a site-to-site VPN. The engineer configures a transform-set with ESP encryption (AES-256) and ESP authentication (SHA-256). The engineer also configures an ACL to define interesting traffic. The VPN tunnel comes up, but no traffic is encrypted. The engineer verifies that the ACL is correct and that the crypto map is applied to the interface. What is the most likely explanation?

A.The ACL for interesting traffic is not mirrored on the remote router; it only permits traffic in one direction.
B.The transform-set uses AES-256, which is not supported on the remote router.
C.The 'crypto map' is applied to the wrong interface, such as the loopback instead of the physical interface.
D.The 'ipsec-over-tcp' command is missing, causing the IPsec packets to be dropped.
AnswerA

Correct. IPsec requires the ACL to be mirrored on both sides; otherwise, the traffic is not considered interesting for encryption.

Why this answer

A common edge case with IPsec is that the ACL for interesting traffic must be mirrored on both sides. If the ACL on one side permits traffic from source to destination, the other side must permit traffic from destination to source. If the ACLs are not mirrored, the tunnel may come up (due to IKE) but no traffic will be encrypted because the router does not consider the traffic as interesting.

Another edge case is that the crypto map is applied to the wrong interface or that the ACL is using the wrong protocol (e.g., TCP instead of IP). However, the most likely explanation here is that the ACL is not correctly matching the traffic in both directions.

1357
MCQmedium

A network engineer runs the following command on Router R1: R1# show policy-map control-plane Control Plane Service-policy input: CoPP-IN Class-map: CoPP-EIGRP (match-all) 200 packets, 12000 bytes 5 minute offered rate 1000 bps, drop rate 0000 bps Match: access-group 150 police: cir 16000 bps, bc 3000 bytes, be 3000 bytes conformed 200 packets, 12000 bytes; actions: transmit exceeded 0 packets, 0 bytes; actions: drop violated 0 packets, 0 bytes; actions: drop R1# show ip eigrp neighbors EIGRP-IPv4 neighbors for process 100 H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 0 10.1.1.2 Gi0/0 13 00:10:00 1 200 0 5 Based on this output, which statement is correct?

A.EIGRP packets are being dropped, causing neighbor flapping.
B.EIGRP traffic is being rate-limited but no packets are dropped.
C.The police rate is set to 8000 bps.
D.The EIGRP neighbor is not established.
AnswerB

All packets are conforming and transmitted.

Why this answer

The output shows that the CoPP policy 'CoPP-IN' matches EIGRP packets (via access-group 150) and applies a police rate of 16,000 bps. The 'conformed' counter shows 200 packets transmitted, while 'exceeded' and 'violated' counters are zero, indicating no packets have been dropped. The 'show ip eigrp neighbors' output confirms the neighbor is established with an uptime of 10 minutes, so EIGRP traffic is being rate-limited but not dropped, making option B correct.

Exam trap

Cisco often tests the misconception that a police rate being applied automatically means packets are being dropped, but the key is to check the actual packet counters (conformed/exceeded/violated) to determine if drops have occurred.

How to eliminate wrong answers

Option A is wrong because the 'exceeded' and 'violated' counters are zero, meaning no EIGRP packets have been dropped, and the neighbor uptime of 10 minutes with no flapping indicates stable adjacency. Option C is wrong because the police rate is explicitly set to 16,000 bps (cir 16000 bps), not 8,000 bps. Option D is wrong because the 'show ip eigrp neighbors' output clearly shows an established neighbor (10.1.1.2, interface Gi0/0, uptime 00:10:00).

1358
MCQmedium

Examine this CoPP configuration: ip access-list extended COPP-ACL permit tcp any any eq 22 permit tcp any any eq 23 permit icmp any any echo ! class-map match-all COPP-CLASS match access-group name COPP-ACL ! policy-map COPP-POLICY class COPP-CLASS police 10000 1500 1500 conform-action transmit exceed-action drop violate-action drop class class-default police 64000 conform-action transmit exceed-action drop ! control-plane service-policy input COPP-POLICY What is the effect of the police command in class COPP-CLASS?

A.Traffic is limited to 10000 bps with a burst of 1500 bytes; excess traffic is dropped.
B.Traffic is limited to 10000 bps with a burst of 3000 bytes; excess traffic is dropped.
C.The police command is invalid because it uses three parameters after the rate.
D.Traffic is limited to 10000 bps, but the burst values are ignored because they are not configured in bytes.
AnswerA

Correct. The police command specifies conform rate 10000 bps, normal burst 1500, excess burst 1500. Exceed and violate actions are both drop.

Why this answer

Option A is correct because the police command in class COPP-CLASS uses a committed information rate (CIR) of 10000 bps, a normal burst (Bc) of 1500 bytes, and an excess burst (Be) of 1500 bytes. The conform-action transmit, exceed-action drop, and violate-action drop ensure that any traffic exceeding the rate and burst limits is dropped, effectively limiting the matched traffic (SSH, Telnet, ICMP echo) to 10000 bps with a burst of 1500 bytes.

Exam trap

Cisco often tests the distinction between the normal burst (Bc) and excess burst (Be) parameters, where candidates mistakenly sum them or assume the second parameter is a time interval, leading to incorrect burst size calculations.

How to eliminate wrong answers

Option B is wrong because the burst size is 1500 bytes, not 3000 bytes; the two burst parameters (Bc and Be) are both set to 1500 bytes, and they are not summed. Option C is wrong because the police command with three parameters after the rate (Bc, Be, and actions) is valid in Cisco IOS; the syntax police rate bps [burst-normal] [burst-excess] conform-action action exceed-action action violate-action action is correct. Option D is wrong because the burst values are explicitly configured in bytes (1500 and 1500) and are not ignored; Cisco police command burst parameters are always in bytes by default.

1359
MCQmedium

What is the default action for a CoPP policy-map class that does not have an explicit 'police' command?

A.Drop all packets in that class
B.Transmit all packets in that class
C.Log all packets in that class
D.Apply the default aggregate policer
AnswerB

The default action for a class without a police statement is to permit and transmit all matching traffic.

Why this answer

In Control Plane Policing (CoPP), if a class within a policy-map does not contain an explicit 'police' command, the default action is to transmit all packets matching that class. This is because CoPP operates on a permit-by-default model; only classes with a configured policer will have traffic rate-limited or dropped. The absence of a police action means no restriction is applied, so packets are allowed through to the control plane.

Exam trap

Cisco often tests the misconception that CoPP classes without a police command will drop traffic by default, similar to how an ACL ends with an implicit deny; the trap here is that CoPP uses a permit-by-default model for classes without explicit policing.

How to eliminate wrong answers

Option A is wrong because CoPP does not drop packets by default; dropping only occurs when a policer is configured and the traffic exceeds the specified rate. Option C is wrong because logging is not a default action in CoPP; logging must be explicitly configured using the 'log' keyword within a police action or via separate ACL logging. Option D is wrong because there is no default aggregate policer in CoPP; aggregate policers must be explicitly defined and referenced in the policy-map.

1360
MCQmedium

A network engineer is troubleshooting a connectivity issue between two branches connected via a WAN link. Router R1 (10.1.0.0/16) is summarizing its directly connected subnets (10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24) as a single 10.1.0.0/16 route to Router R2 via EIGRP. Users at R2 report that they cannot reach the 10.1.4.0/24 subnet, which was recently added to R1. What is the most likely cause of the problem?

A.The summary route 10.1.0.0/16 was configured manually, and the new subnet 10.1.4.0/24 is not within the summary range because the mask is too specific.
B.The new subnet 10.1.4.0/24 was not advertised because the summary address command suppresses more specific routes, but the summary itself is not being generated due to a missing network statement under the EIGRP process.
C.The WAN link is down, causing R2 to lose the summary route.
D.The engineer forgot to configure the summary address on the interface facing R2 for the new subnet.
AnswerB

Correct. In EIGRP, a manually configured summary address suppresses the advertisement of more specific routes and generates the summary only if the component routes exist. If the new subnet is not in the EIGRP network, the summary may not be generated or the specific route is missing.

Why this answer

The summary route 10.1.0.0/16 includes the new subnet 10.1.4.0/24, but the issue indicates that the summary is not being updated or is too broad, causing a mismatch. The most likely cause is that the summary address was configured manually and does not automatically include new subnets unless the summary range is adjusted.

1361
MCQhard

A large enterprise network is experiencing intermittent loss of reachability to a loopback interface on Router R2 from Router R1. R1 has the following relevant configuration: router eigrp 100, network 10.0.0.0 0.255.255.255, summary-address 10.0.0.0 255.255.252.0 5. R2 shows: 'show ip eigrp topology all-links' includes 10.0.0.0/22 as a summary route via Null0, but the specific /32 loopback 10.0.1.1 is not in the topology table. What is the root cause?

A.The summary-address command uses an administrative distance of 5, which is lower than the default EIGRP internal distance of 90, causing the summary to override the specific /32 route.
B.The network statement on R1 does not include the loopback interface of R2, preventing the route from being advertised.
C.The summary-address command is misconfigured; the mask should be 255.255.255.252 instead of 255.255.252.0.
D.R2 is not configured with EIGRP, so it cannot receive the route from R1.
AnswerA

The summary route with distance 5 is installed in the routing table, and EIGRP does not install the more specific route because the summary is already present with a better distance.

Why this answer

The summary-address command with an administrative distance of 5 creates a summary route (10.0.0.0/22) in the EIGRP topology table that is more preferred than the specific /32 route (10.0.1.1) learned via EIGRP with a default distance of 90. This causes the summary to be installed in the routing table, and the specific /32 route is suppressed because the summary is considered a better path, leading to intermittent loss of reachability to the loopback.

Exam trap

Cisco often tests the interaction between summary-address and administrative distance, where candidates mistakenly think the summary only affects routing table size or advertisement, but the trap is that a lower AD on the summary can suppress more specific routes and cause reachability problems.

How to eliminate wrong answers

Option B is wrong because the network statement 10.0.0.0 0.255.255.255 on R1 includes all interfaces with IPs in the 10.x.x.x range, so it does include the loopback interface of R2; the issue is not about inclusion but about the summary overriding the specific route. Option C is wrong because the mask 255.255.252.0 is correct for summarizing the 10.0.0.0/22 range, and changing it to 255.255.255.252 would create a /30 summary, which is not relevant to the problem. Option D is wrong because R2 shows EIGRP topology entries (the summary route via Null0), indicating that R2 is indeed configured with EIGRP and receiving routes from R1.

1362
MCQmedium

A network engineer runs the following command to verify MPLS L3VPN operation: R1# show ip route vrf CUSTOMER-A summary Output: Route Source Networks Subnets Overhead Memory (bytes) connected 2 0 48 288 static 1 0 24 144 ospf 100 5 2 168 1008 bgp 65000 10 3 312 1872 External: 10, Internal: 0, Local: 0 Total 18 5 552 3312 What does this output indicate?

A.The VRF has 23 total routes
B.The VRF has 10 BGP routes
C.The VRF is using OSPF as the only IGP
D.The VRF has no external BGP routes
AnswerA

18 networks + 5 subnets = 23 total routes.

Why this answer

The show ip route vrf summary command provides a summary of routes in the VRF. It shows the number of networks and subnets from each routing source, along with overhead and memory usage. For BGP, it also breaks down external vs internal routes.

This output indicates the VRF has 18 networks and 5 subnets total, with BGP as the primary source.

1363
MCQhard

A network engineer is troubleshooting PBR on a Cisco router where traffic from subnet 172.16.0.0/16 should be forwarded to next-hop 10.10.10.2. The route map 'PBR-172' is configured with 'match ip address 140' and 'set ip next-hop 10.10.10.2'. The engineer applies the route map to interface GigabitEthernet0/0. The engineer notices that PBR works for traffic from 172.16.1.0/24 but not for traffic from 172.16.2.0/24. The engineer checks the ACL 140 and confirms it includes the entire 172.16.0.0/16 subnet. What is the most likely cause?

A.The route map has a sequence that matches 172.16.1.0/24 with a permit, and a later sequence that denies 172.16.2.0/24.
B.The ACL 140 has a deny statement for 172.16.2.0/24 before the permit statement.
C.The next-hop 10.10.10.2 is not reachable from the 172.16.2.0/24 subnet.
D.The 'ip policy route-map' command is applied to a subinterface that only receives traffic from 172.16.1.0/24.
AnswerA

Correct. The route map can have multiple sequences; if a later sequence denies 172.16.2.0/24, traffic from that subnet will not be policy-routed, even though ACL 140 permits it.

Why this answer

The most likely cause is that the route map PBR-172 has multiple sequence statements. The first sequence matches 172.16.1.0/24 with a permit action, and a later sequence denies 172.16.2.0/24. Even though ACL 140 includes the entire 172.16.0.0/16, the route map sequences are processed in order.

The more specific match for 172.16.1.0/24 permits PBR, while the subsequent sequence explicitly denies 172.16.2.0/24, causing it to bypass PBR. Option B is incorrect because the engineer confirmed ACL 140 permits the entire subnet; a deny statement would contradict that. Options C and D are less likely given the scenario.

1364
MCQmedium

Given the following configuration: ``` interface GigabitEthernet0/2 ip access-group FILTER_SSH in ! ip access-list extended FILTER_SSH permit tcp any host 192.168.1.10 eq 22 permit udp any host 192.168.1.10 eq 22 ``` What is the issue with this ACL?

A.The ACL permits UDP port 22, which is not used by SSH; this could allow unwanted UDP traffic.
B.The ACL is missing a deny statement at the end to block other traffic.
C.The ACL should use the 'established' keyword to allow return traffic.
D.The ACL should be applied outbound instead of inbound.
AnswerA

Correct. SSH uses TCP, so the UDP permit is unnecessary and potentially risky.

Why this answer

The ACL permits both TCP and UDP traffic to destination port 22. SSH uses only TCP port 22; UDP port 22 is not used by SSH. The second permit statement allows any UDP traffic to port 22, which could be unwanted (e.g., UDP-based attacks or non-SSH services).

This is the issue.

Exam trap

Cisco often tests the misconception that SSH uses both TCP and UDP, or that permitting UDP port 22 is harmless, when in fact only TCP port 22 is valid for SSH.

How to eliminate wrong answers

Option B is wrong because an ACL implicitly denies all traffic at the end; a deny statement is not required unless you need explicit logging or a specific deny action. Option C is wrong because the 'established' keyword is used for TCP stateful filtering to allow return traffic, but this ACL is filtering inbound traffic to a specific host; return traffic would be handled by outbound ACLs or stateful inspection, and the issue here is the UDP permit. Option D is wrong because applying the ACL outbound would filter traffic leaving the interface, but the intent is to filter inbound SSH traffic to the host; inbound application is correct for this purpose.

1365
Multi-Selectmedium

Which TWO commands are used to troubleshoot Control Plane Policing (CoPP) and identify which traffic is being dropped? (Choose TWO.)

Select 2 answers
A.show policy-map control-plane
B.debug policy-map control-plane
C.show control-plane host open-ports
D.show ip cache flow
E.show access-lists
AnswersA, C

This command displays packet counters for each class in the CoPP policy, including dropped (violate) packets.

Why this answer

The 'show policy-map control-plane' command displays the applied policy map on the control plane, including class maps, match criteria, and per-class statistics such as the number of packets matched and dropped. This allows you to verify which traffic is being classified and confirm that CoPP is dropping the intended packets. It is the primary verification command for CoPP.

Exam trap

Cisco often tests the distinction between commands that show CoPP configuration versus those that show actual drop statistics; the trap here is that candidates might think 'show access-lists' is sufficient because ACLs are used in class maps, but it does not show the policy-map actions or control-plane-specific drop counters.

1366
MCQmedium

A network engineer is troubleshooting connectivity from a host inside a corporate network to a public web server. The host has IP 10.1.1.10/24, and the router's outside interface is 203.0.113.1/24. The engineer configured a dynamic NAT pool (203.0.113.10-203.0.113.20) and an access list permitting 10.1.1.0/24. However, traffic from the host fails. A 'show ip nat translations' reveals no translations. What is the most likely cause?

A.The NAT pool is exhausted.
B.The 'ip nat inside' and 'ip nat outside' commands are misapplied on the interfaces.
C.The access list used in the NAT configuration does not match the source IP of the host.
D.The host's default gateway is not the router's inside interface.
AnswerC

Correct because dynamic NAT requires the ACL to match the source; if the ACL is misconfigured (e.g., denies the subnet), no translations are created.

Why this answer

While the ACL appears to permit the source IP range (10.1.1.0/24), the most likely cause is that the ACL is not correctly applied to the NAT process. The `ip nat inside source list` command must reference the specific ACL number or name. If misreferenced or omitted, NAT will not see any traffic to translate, hence no translations appear in the table.

Other options are less likely because the pool has available addresses (A), interface commands might be correct but not the cause (B), and default gateway issues would not prevent translations but cause routing failures (D).

Exam trap

A common trap in Cisco NAT questions is that candidates see 'no translations' and immediately blame interface configuration or pool exhaustion, without verifying that the access list used in the NAT command actually matches the source traffic. Even when the ACL appears to permit the correct subnet, a small typo or incorrect wildcard mask can cause the match to fail.

How to eliminate wrong answers

Option A is wrong because if the NAT pool were exhausted, 'show ip nat translations' would show existing translations for other hosts, and the host's traffic would either be dropped or fall back to PAT, not result in zero translations. Option B is wrong because misapplied 'ip nat inside' and 'ip nat outside' commands would typically cause translations to appear but traffic to fail (e.g., return traffic not translated), not result in no translations at all. Option D is wrong because even if the host's default gateway is not the router's inside interface, the host would be unable to send traffic to the router at all, but the question states the host is inside the corporate network and the router is the gateway; the absence of translations points to a NAT configuration issue, not a routing issue.

1367
MCQhard

Router R1 is configured as an ERSPAN source to monitor traffic on interface Serial0/0/0. The destination is a collector at 172.16.1.100. R1's configuration: monitor session 1 type erspan-source source interface Serial0/0/0 both destination erspan-id 1 ip address 172.16.1.100 origin ip address 10.0.0.1. The collector is reachable via a default route. The network also uses CoPP (Control Plane Policing) with a policy that polices all incoming traffic to the control plane. The collector receives no packets. What is the most likely issue?

A.The ERSPAN destination IP is not in the routing table, so packets are dropped.
B.CoPP is policing the locally generated ERSPAN packets, causing them to be dropped.
C.The ERSPAN session is not configured with 'no shutdown'.
D.The source interface Serial0/0/0 is down, so no traffic is mirrored.
AnswerB

ERSPAN packets are locally generated and may be subject to CoPP if the policy applies to control plane input.

Why this answer

ERSPAN mirrored packets are process-switched by the router's control plane, meaning the route processor handles encapsulation and forwarding. In Cisco IOS, Control Plane Policing (CoPP) applied to the control plane input can affect locally generated traffic if the traffic matches a CoPP class. The CoPP policy in this scenario polices all incoming traffic to the control plane, and even though ERSPAN packets are generated locally (not incoming), the act of generating them involves the control plane, and the policy may classify them as control plane traffic.

This can cause the ERSPAN packets to be dropped. This is a known pitfall where CoPP inadvertently impacts ERSPAN traffic.

1368
MCQmedium

A router is configured to send syslog messages to two servers: 10.1.1.100 and 10.1.1.200. The engineer notices that only server 10.1.1.100 is receiving messages. The configuration shows 'logging host 10.1.1.100' and 'logging host 10.1.1.200'. Both servers are reachable via ping. What is the most likely cause?

A.The syslog service on 10.1.1.200 is not running or is blocked by a firewall.
B.The router can only send to one syslog server at a time.
C.The 'logging host 10.1.1.200' command is missing the 'transport udp' keyword.
D.The second server is configured with a different severity level using 'logging trap' under the host.
AnswerA

Correct because if the server is not listening or traffic is blocked, messages will not be received even though the router sends them.

Why this answer

Cisco IOS allows multiple logging hosts, but each must be configured with a separate 'logging host' command. If the second server is not receiving messages, it may be because the 'logging trap' level for that specific host is set to a higher severity (e.g., 'logging host 10.1.1.200 trap errors') that filters out most messages, or the server is not listening. However, a common mistake is that the second host is configured with a different port or protocol that is not supported.

But the most typical cause is that the second server's syslog service is not running or is firewalled.

1369
MCQmedium

Examine the following partial configuration on a Cisco IOS-XE router: interface GigabitEthernet0/1 ip address 192.168.1.1 255.255.255.0 ip access-group MY_ACL in ! access-list 100 permit tcp any host 192.168.1.1 eq 22 access-list 100 deny ip any any ! line vty 0 4 transport input ssh login local ! username admin privilege 15 secret cisco What is the effect of this configuration?

A.Only SSH connections to the router are permitted; all other IP traffic is denied inbound on this interface.
B.The ACL permits SSH and HTTP traffic to the router; all other traffic is denied.
C.The ACL is applied outbound, so it filters traffic leaving the interface; SSH is permitted outbound.
D.The ACL has no effect because it is missing a 'permit ip any any' statement.
AnswerA

The ACL permits TCP port 22 (SSH) and denies all other IP traffic, applied inbound. This restricts management access to SSH only.

Why this answer

The ACL 100 is applied inbound on GigabitEthernet0/1 via the 'ip access-group MY_ACL in' command. It explicitly permits TCP traffic to host 192.168.1.1 on port 22 (SSH) and then denies all other IP traffic. Since the router's own IP address is 192.168.1.1, this allows only SSH management access from any source, while blocking all other inbound traffic to the router or through the interface.

Exam trap

Cisco often tests the distinction between inbound and outbound ACL application, and candidates may mistakenly think the 'in' keyword means 'into the router' for management traffic only, or they may overlook that the ACL is applied to the interface and filters all IP traffic, not just management plane traffic.

How to eliminate wrong answers

Option B is wrong because the ACL only permits TCP port 22 (SSH); it does not include any permit statement for HTTP (port 80 or 443), so HTTP traffic is denied. Option C is wrong because the ACL is applied with the 'in' keyword, making it an inbound ACL that filters traffic entering the interface, not outbound traffic. Option D is wrong because an ACL does not require a 'permit ip any any' statement to have effect; the implicit deny at the end of the ACL already denies all traffic not explicitly permitted, and the explicit 'deny ip any any' is redundant but does not negate the ACL's functionality.

1370
MCQhard

An engineer configures ERSPAN on Router R1 to monitor traffic from VLAN 30 to a collector at 192.168.1.100. The router has multiple VRFs: VRF A and VRF B. The source interface Gi0/0/0 is in VRF A. The collector is in VRF B. R1's configuration: monitor session 1 type erspan-source source interface Gi0/0/0 both destination erspan-id 2 ip address 192.168.1.100 origin ip address 10.0.0.1. The collector is reachable via a route in VRF B. The router has a route-leaking configuration between VRFs. The collector receives no traffic. What is the root cause?

A.The ERSPAN session must be configured with the 'vrf' keyword under the destination to use VRF B.
B.The source interface is in VRF A, but the ERSPAN source IP must be in the same VRF as the destination.
C.The route-leaking configuration is incorrect, preventing reachability between VRFs.
D.The ERSPAN session ID 2 conflicts with a VRF ID.
AnswerA

Without the VRF keyword, ERSPAN uses the global routing table, which lacks a route to the collector in VRF B.

Why this answer

ERSPAN uses the global routing table by default to route the encapsulated packets to the destination IP. If the source interface is in a VRF, the mirrored traffic is still sent using the global routing table unless the ERSPAN session is configured with a VRF. The destination IP 192.168.1.100 is in VRF B, but the global routing table may not have a route to it.

The route-leaking between VRFs does not affect the ERSPAN process because the encapsulated packet is sourced from the global routing table. The fix is to configure the ERSPAN session with the 'vrf' keyword under the destination to specify the VRF. Alternatively, the source IP must be in the same VRF as the destination.

The correct root cause is that the ERSPAN session does not specify the VRF, so it uses the global table, which has no route to the collector.

1371
Drag & Dropmedium

Drag and drop the steps to establish an eBGP session between two IOS routers into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

The correct order starts with configuring the BGP router ID, then the local AS and neighbor remote AS, followed by specifying the neighbor update source, enabling the neighbor, and finally verifying the session.

1372
MCQhard

An engineer configures IP SLA to track a route to a server in a VRF. Router R1 has: ip sla 6 icmp-echo 10.10.10.10 source-ip 192.168.1.1 frequency 10 ip sla schedule 6 life forever start-time now track 6 ip sla 6 reachability ip route vrf BLUE 0.0.0.0 0.0.0.0 192.168.1.2 track 6 But the route is never installed in the VRF routing table. Show output: show ip route vrf BLUE | include 0.0.0.0 % No default route found What is the root cause?

A.The IP SLA is not configured with the vrf BLUE option, so the probe is sent in the global table and cannot reach the server in the VRF.
B.The source IP 192.168.1.1 is not in the VRF BLUE routing table.
C.The track 6 is not supported for VRF routes.
D.The IP SLA schedule must be configured with the vrf keyword.
AnswerA

The IP SLA must be configured with 'vrf BLUE' to send probes within the VRF; otherwise, the track will not work correctly.

Why this answer

The IP SLA probe is not VRF-aware. By default, IP SLA operates in the global routing table. To track a route in a VRF, the IP SLA must be configured with the vrf keyword.

The correct answer is that the IP SLA is not associated with the VRF, so the probe fails or is sent in the wrong context.

1373
Multi-Selectmedium

Which TWO commands can be used to verify the effect of a route-map applied to a BGP neighbor? (Choose TWO.)

Select 2 answers
A.show ip bgp neighbors x.x.x.x advertised-routes
B.show ip bgp neighbors x.x.x.x routes
C.show route-map
D.show ip bgp
E.show ip bgp neighbors x.x.x.x
AnswersA, B

This command shows the routes that are actually advertised to the neighbor after any outbound route-map filtering.

Why this answer

The commands 'show ip bgp neighbors x.x.x.x advertised-routes' and 'show ip bgp neighbors x.x.x.x routes' directly show the routes being sent or received after route-map filtering. 'show route-map' only displays the route-map definition, not its effect on a specific neighbor. 'show ip bgp' displays the BGP table without neighbor-specific filtering context. 'show ip bgp neighbors' alone does not show the filtered routes.

1374
MCQmedium

Examine this partial configuration: ``` interface GigabitEthernet0/0 ip vrf forwarding CUSTOMER_F ip address 10.10.10.1 255.255.255.0 ! interface GigabitEthernet0/1 ip vrf forwarding CUSTOMER_G ip address 10.10.20.1 255.255.255.0 ``` What is required to enable communication between VRF CUSTOMER_F and VRF CUSTOMER_G?

A.No additional configuration is needed; VRFs can communicate by default.
B.Configure a route-map and import/export route-targets between the VRFs.
C.Add static routes with the 'vrf' keyword to point to the other VRF's next hop.
D.Use the 'ip route vrf' command to create a global route that points to the VRF interface.
AnswerC

This is correct. Static routes can be used to leak routes between VRFs.

Why this answer

By default, VRFs are isolated. To enable communication between them, route leaking must be configured, typically using static routes with the 'vrf' keyword or using route-replicate commands.

1375
MCQmedium

Consider the following configuration on a router running BGP and OSPF: ``` router bgp 65000 distance bgp 20 200 200 ``` What is the effect of this command?

A.It sets the administrative distance for eBGP routes to 20, iBGP routes to 200, and local BGP routes to 200.
B.It sets the administrative distance for all BGP routes to 20.
C.It sets the administrative distance for eBGP routes to 200 and iBGP routes to 20.
D.It sets the administrative distance for BGP routes to 20 for routes learned from AS 65000.
AnswerA

Syntax: `distance bgp <external> <internal> <local>`.

Why this answer

The `distance bgp` command sets AD for BGP routes: external (eBGP) to 20, internal (iBGP) to 200, and local to 200.

1376
Multi-Selectmedium

Which TWO commands would a network engineer use to verify the operation of Policy-Based Routing (PBR) on a Cisco IOS router? (Choose TWO.)

Select 2 answers
A.show route-map
B.show ip policy
C.show ip route
D.debug ip policy
E.show access-lists
AnswersA, B

Displays all configured route-maps, including match and set conditions used for PBR.

Why this answer

The 'show route-map' command displays the configured route-map statements and their match/set conditions. The 'show ip policy' command lists interfaces with PBR applied and the associated route-map. 'show ip route' does not show PBR policy details. 'debug ip policy' is a debug command, not a verification show command. 'show access-lists' only shows ACLs, not PBR-specific information.

1377
MCQhard

A network engineer configures CoPP on a router to limit PIM-SM control plane traffic. The policy includes a class-map matching PIM packets and polices them to 10000 bps. After the policy is applied, the engineer notices that multicast traffic is not being forwarded correctly, and PIM neighbors are not forming. The router is a PIM-SM rendezvous point (RP). What is the most likely issue?

A.The CoPP policy is dropping PIM register messages because the police rate is too low for the burst of register traffic.
B.The CoPP class-map is not matching PIM packets because it uses the wrong protocol number.
C.The PIM hello interval is set too high, causing the router to miss hello packets from neighbors.
D.The CoPP policy is applied to the wrong control plane, such as the IPv6 control plane.
AnswerA

PIM register messages can be large and bursty, and a police rate of 10000 bps may not be sufficient, causing drops and preventing RP functionality.

Why this answer

When a router is configured as a PIM-SM rendezvous point (RP), it receives PIM register messages from first-hop routers. These messages are encapsulated unicast packets that can arrive in bursts, especially when multiple sources register simultaneously. If the CoPP police rate is set too low (10000 bps), the router may drop these register messages, preventing the RP from learning about new multicast sources and causing PIM neighbors to fail to form.

Exam trap

Cisco often tests the misconception that CoPP only affects routing protocol hellos or keepalives, when in fact it can drop critical control messages like PIM register messages that are essential for RP operation in PIM-SM.

How to eliminate wrong answers

Option B is wrong because PIM packets are identified by IP protocol number 103, not by a TCP/UDP port, and a correctly configured class-map using 'match protocol pim' or an ACL matching protocol 103 will match them. Option C is wrong because the PIM hello interval (default 30 seconds) affects neighbor keepalives but does not cause the router to miss hellos; CoPP dropping hellos would cause neighbor loss, but the issue is specifically register messages. Option D is wrong because CoPP is applied to the control plane of the router, not a specific IPv4 or IPv6 sub-plane; the 'service-policy input' command under 'control-plane' applies to all control plane traffic regardless of address family.

1378
MCQhard

An engineer configures uRPF strict mode on an interface. After configuration, legitimate traffic from a directly connected network is dropped. The network is connected via a single link, and there is no asymmetric routing. Which is the most likely explanation?

A.The router has a default route pointing to a different interface, causing the source IP to fail the reachability check.
B.The directly connected network is not in the routing table because the interface is down.
C.The uRPF command is missing the 'allow-default' option, which is required for directly connected networks.
D.The router has a static route for the source network with a different next-hop, causing the interface check to fail.
AnswerA

uRPF strict mode requires that the best route to the source IP points back out the same interface. If a default route points elsewhere, the check fails, and packets are dropped.

Why this answer

In strict uRPF mode, the router checks that the source IP address of an incoming packet is reachable via the same interface on which the packet arrived. If the router has a default route pointing out a different interface, the source IP of a directly connected network may not have a specific route back through the receiving interface, causing the reachability check to fail and legitimate traffic to be dropped.

Exam trap

Cisco often tests the misconception that uRPF strict mode only checks for a route existence, when in fact it also requires the incoming interface to match the route's outgoing interface, and a default route can interfere with this check.

How to eliminate wrong answers

Option B is wrong because if the interface were down, the directly connected network would not appear in the routing table, but the question states the network is directly connected via a single link, implying the interface is operational. Option C is wrong because the 'allow-default' option is used in loose mode uRPF to permit the use of a default route for the reachability check; strict mode does not support this option, and directly connected networks do not require it. Option D is wrong because a static route with a different next-hop would cause an interface check failure only if the next-hop points out a different interface than the one receiving the traffic, but the question specifies no asymmetric routing and a single link, making this scenario unlikely.

1379
Multi-Selecthard

Which TWO statements correctly describe the behavior of BGP conditional route injection? (Choose TWO.)

Select 2 answers
A.The injected route is automatically redistributed into connected and static routes.
B.The condition for injection is defined by an exist-map, which must match a less specific prefix in the BGP table.
C.The inject-map specifies the more specific prefix to be injected along with optional attributes.
D.The 'show ip bgp neighbors' command displays the number of injected prefixes per neighbor.
E.The injected prefix must be learned from the neighbor specified in the inject-map.
AnswersB, C

Correct. The exist-map specifies the condition prefix that must be present for injection to occur.

Why this answer

BGP conditional route injection allows a router to inject a more specific prefix into BGP when a condition (the existence of a less specific prefix) is met. The injected route is sourced from a route-map that defines the inject-map, and the condition is checked via an exist-map. The injected route is not automatically redistributed into other protocols unless explicitly configured.

The 'show ip bgp neighbors' command does not display injection statistics; instead, 'show ip bgp injected-paths' is used. The injected prefix must be in the BGP table of the injecting router, but not necessarily learned from the neighbor specified in the inject-map.

1380
MCQmedium

A network engineer runs the following command to debug MPLS LDP label advertisements: R1# debug mpls ldp labels Output: *Mar 1 00:01:23.456: LDP: Sent label mapping for 192.168.1.0/24, label 101 *Mar 1 00:01:23.789: LDP: Received label mapping for 192.168.2.0/24, label 201 *Mar 1 00:01:24.012: LDP: Sent label mapping for 10.0.0.0/8, label 102 *Mar 1 00:01:24.345: LDP: Received label mapping for 10.0.0.0/8, label 202 What does this output indicate?

A.LDP label bindings are being exchanged between R1 and its LDP neighbor
B.R1 is only receiving label mappings, not sending any
C.The LDP session is down
D.R1 is using implicit null label for 10.0.0.0/8
AnswerA

The output shows both sent and received label mappings, indicating successful exchange.

Why this answer

The debug output shows label mappings being exchanged between LDP peers. R1 is sending its own label bindings (e.g., label 101 for 192.168.1.0/24) and receiving label bindings from its neighbor (e.g., label 201 for 192.168.2.0/24).

1381
MCQmedium

A network engineer runs the following command on Router R1: R1# show ip eigrp traffic EIGRP-IPv4 Traffic Statistics for AS(100) Hellos sent/received: 5000/4995 Updates sent/received: 150/148 Queries sent/received: 10/8 Replies sent/received: 8/10 Acks sent/received: 300/298 Input queue high water mark: 10 Input queue drops: 0 SIA-Queries sent/received: 0/0 SIA-Replies sent/received: 0/0 Hello process ID: 123 PDM process ID: 124 Socket queue: 0/2000/10/0 (current/max/highest/drops) Input queue: 0/2000/10/0 (current/max/highest/drops) Based on this output, which statement is correct?

A.The EIGRP process is operating normally with no signs of issues.
B.There is a problem because more queries were sent than replies received.
C.The input queue drops of 0 indicate that the router is not processing EIGRP packets.
D.The SIA-Queries count of 0 indicates that the network has experienced stuck-in-active events.
AnswerA

No input drops, no SIA events, and balanced packet counts indicate a healthy EIGRP process.

Why this answer

The output shows normal EIGRP operation: Hellos are exchanged nearly equally (5000 sent vs 4995 received), Updates, Queries, Replies, and Acks are balanced, and both input queue drops and SIA counters are zero. This indicates stable neighbor relationships and no packet loss or stuck-in-active events, confirming the EIGRP process is functioning without issues.

Exam trap

Cisco often tests the misconception that an imbalance in query/reply counts automatically indicates a problem, when in fact small differences are normal and only significant, persistent mismatches with other symptoms (like SIA events) indicate trouble.

How to eliminate wrong answers

Option B is wrong because a slightly higher number of queries sent (10) than replies received (8) is normal in EIGRP; replies may be in transit or aggregated, and the difference is negligible without other signs of trouble. Option C is wrong because input queue drops of 0 indicate that the router is successfully processing all incoming EIGRP packets, not that it is failing to process them. Option D is wrong because SIA-Queries and SIA-Replies counts of 0 indicate that no stuck-in-active events have occurred, which is a healthy condition, not evidence of SIA events.

1382
Multi-Selecthard

Which THREE symptoms indicate that an Embedded Event Manager (EEM) applet configured to send a syslog message upon interface down has failed to execute? (Choose THREE.)

Select 3 answers
A.No custom syslog message appears on the console or in the log buffer when the interface goes down.
B.The 'show event manager history events' output does not include an entry for the interface down event.
C.The 'show event manager policy active' output shows the applet with a non-zero 'fail count' field.
D.The interface goes down and the router generates a default syslog message like '%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down'.
E.The 'show event manager environment' output shows the variable '_event_type' as 'none'.
AnswersA, B, C

The applet is designed to generate a syslog; its absence suggests the applet did not execute.

Why this answer

If the applet fails, no custom syslog is generated, the 'show event manager history events' will not show the trigger, and the 'show event manager policy active' may show the policy but with a non-zero failure count. The other options either describe normal behavior or unrelated issues.

1383
MCQmedium

What is the default CoPP behavior for traffic that does not match any class in the policy-map?

A.Dropped
B.Transmitted
C.Logged and dropped
D.Routed to the management plane
AnswerB

The default action for traffic not matching any class is to transmit it, unless a 'class class-default' is configured with a police action.

Why this answer

By default, Control Plane Policing (CoPP) uses a class-default in the policy-map that implicitly permits (transmits) all traffic not explicitly matched by a user-defined class. This default behavior ensures that only traffic matching a class with a 'drop' action is policed, preventing unintentional denial of service from misconfigured policies.

Exam trap

Cisco often tests the misconception that CoPP drops all unmatched traffic by default, similar to how ACLs have an implicit deny at the end, but CoPP's class-default actually permits traffic unless explicitly configured to drop.

How to eliminate wrong answers

Option A is wrong because CoPP does not drop unmatched traffic by default; it transmits it via the implicit class-default. Option C is wrong because logging and dropping is not a default action; logging requires explicit configuration (e.g., 'log' keyword under police) and is not applied to unmatched traffic. Option D is wrong because unmatched traffic is not routed to the management plane; it is forwarded to the control plane for normal processing (e.g., routing protocol packets) or punted to the CPU based on existing forwarding logic, not redirected to a separate plane.

1384
MCQhard

What is the default rate-limit interval for the 'logging rate-limit' command in Cisco IOS-XE?

A.100 milliseconds
B.1 second
C.5 seconds
D.No default; it must be specified
AnswerB

The default interval for logging rate-limit is 1 second.

Why this answer

The default rate-limit interval is 1 second, meaning the specified number of messages per second is allowed.

1385
MCQmedium

A network engineer runs the following command to troubleshoot BFD with static routes: R1# show ip route 10.8.8.0/24 Routing entry for 10.8.8.0/24 Known via "static", distance 1, metric 0 Routing Descriptor Blocks: * 10.9.9.2, via GigabitEthernet0/3 Route metric is 0, traffic share count is 1 BFD enabled, BFD state: UP What does this output indicate?

A.Static route is installed with BFD tracking, and BFD session is UP.
B.Static route is not using BFD.
C.BFD state is DOWN, so the static route is removed.
D.Static route is using BFD only for IPv6.
AnswerA

BFD is enabled and UP, so the static route is active and monitored.

Why this answer

The output shows that BFD is enabled for the static route and the BFD state is UP, meaning the next hop is reachable and BFD is providing fast failure detection.

1386
MCQmedium

A network engineer runs the following command to verify MPLS L3VPN operation: R1# show bgp ipv4 unicast 10.1.1.0/24 Output: BGP routing table entry for 10.1.1.0/24, version 10 Paths: (1 available, best #1, table default) Advertised to update-groups: 1 Refresh Epoch 1 Local 0.0.0.0 from 0.0.0.0 (10.0.0.1) Origin incomplete, metric 0, localpref 100, weight 32768, valid, sourced, best What does this output indicate?

A.The route is locally originated and is the best path
B.The route is learned from a BGP peer
C.The route has an MPLS label
D.The route is in a VRF
AnswerA

The output shows 'sourced' and 'best', indicating local origin and best path.

Why this answer

This shows the BGP IPv4 unicast table entry for prefix 10.1.1.0/24. The path is local, with next hop 0.0.0.0, and it is valid and best. This is a standard IPv4 route, not VPNv4, so it does not have extended communities or MPLS labels.

1387
MCQhard

A network engineer runs the following command to troubleshoot an MPLS LDP issue: R1# debug mpls ldp transport LDP: Transport connection to 2.2.2.2:0 via TCP (passive) LDP: Connection from 2.2.2.2:0 to 1.1.1.1:646 LDP: Transport connection to 2.2.2.2:0 via TCP (active) LDP: Connection from 1.1.1.1:646 to 2.2.2.2:0 LDP: Hold timer expired for peer 2.2.2.2:0 LDP: Closing transport connection to 2.2.2.2:0 What does this output indicate?

A.LDP session is established and stable.
B.LDP session is flapping due to hold timer expiration.
C.LDP session is down because of authentication failure.
D.LDP session is down because of a transport address mismatch.
AnswerB

The hold timer expires, causing the session to close, which suggests flapping.

Why this answer

The output shows the LDP hold timer expiring for peer 2.2.2.2, followed by the transport connection being closed. This indicates the LDP session is repeatedly going up and down (flapping) because the hold timer expires before the session can stabilize, often due to network congestion, high CPU, or mismatched hello/hold timers. Option B correctly identifies this flapping behavior caused by hold timer expiration.

Exam trap

Cisco often tests the distinction between session flapping due to hold timer expiration versus session failure due to authentication or address mismatch, and the trap here is that candidates may see 'transport connection' messages and incorrectly assume the session is up, missing the critical 'Hold timer expired' line.

How to eliminate wrong answers

Option A is wrong because the hold timer expiration and connection closure indicate the session is not established or stable; a stable session would show 'LDP: Session up' or similar. Option C is wrong because authentication failure would produce debug messages like 'LDP: MD5 authentication failed' or 'LDP: Bad TLV', not hold timer expiration. Option D is wrong because a transport address mismatch would cause the connection to never establish or show 'LDP: Transport address mismatch' in debugs, not a hold timer expiration after a successful TCP connection.

1388
MCQhard

A network engineer notices that IPv6 hosts on a segment are not receiving Router Advertisements, even though Router R1 has IPv6 unicast-routing enabled and an IPv6 address on the interface. Router R1 has the following relevant configuration: interface GigabitEthernet0/0 ipv6 address 2001:DB8:1::1/64 ipv6 nd suppress-ra ! Router R2, connected to the same segment, shows: no IPv6 neighbors in the neighbor cache for R1's link-local address. What is the root cause?

A.The interface is in a down state due to a Layer 1 issue, preventing RA generation.
B.The 'ipv6 nd suppress-ra' command is configured, which prevents Router Advertisements from being sent.
C.Router R2 has IPv6 routing disabled, so it cannot process RAs from R1.
D.The IPv6 address on R1 is not in the same subnet as the hosts, causing RA filtering.
AnswerB

This command suppresses all RAs, so hosts cannot autoconfigure or learn the default router.

Why this answer

The 'ipv6 nd suppress-ra' command explicitly disables the sending of Router Advertisements (RAs) on the interface. Even though IPv6 unicast-routing is enabled and an IPv6 address is configured, R1 will not transmit RAs, which prevents IPv6 hosts from autoconfiguring their addresses and default routes via SLAAC or DHCPv6. This is the direct root cause of the hosts not receiving RAs.

Exam trap

Cisco often tests the 'ipv6 nd suppress-ra' command as a direct countermeasure to RA generation, and the trap here is that candidates assume IPv6 unicast-routing alone is sufficient for RA generation, overlooking the explicit suppression command.

How to eliminate wrong answers

Option A is wrong because the interface is not in a down state; if it were, the IPv6 address would not be active and the neighbor cache issue would be different, but the problem explicitly states R1 has an IPv6 address on the interface. Option C is wrong because Router R2's ability to process RAs is irrelevant; the issue is that R1 is not sending RAs at all, not that R2 cannot receive them. Option D is wrong because RA filtering based on subnet mismatch is not a standard behavior; RAs are sent to the all-nodes multicast address (FF02::1) regardless of the configured subnet, and the hosts are on the same segment as R1's interface.

1389
MCQmedium

A network engineer runs the following command on Router R1: R1# show bfd neighbors detail IPv4 Sessions NeighborAddr LD/RD Int State Holdown(mult) Intf 10.1.1.2 1/3 Gi0/0 Up 1500(3) Gi0/0 Session state is UP and not using echo function. OurAddr: 10.1.1.1 Handle: 1 Local Diag: 0, Demand mode: 0, Poll bit: 0 MinTxInt: 1000000, MinRxInt: 1000000, Multiplier: 3 Received MinRxInt: 1000000, Received Multiplier: 3 Holddown (hits): 1500(0) Rx Count: 120, Tx Count: 150 Based on this output, which statement is correct?

A.The BFD session is down because the holddown timer is incorrect.
B.The BFD session is up and the holddown timer is 1500 ms, which is correct based on the configured multiplier and MinRxInt.
C.The BFD session is using echo mode, which is why the holddown timer is 1500 ms.
D.The BFD session is up but the multiplier is set to 1, causing the holddown timer to be 1500 ms.
AnswerB

The holddown timer is calculated as MinRxInt * Multiplier = 1000000 microseconds * 3 = 3000000 microseconds = 3000 ms, but the output shows 1500 ms. This is a known behavior where the holddown timer displayed is half of the actual holddown time due to a software implementation detail. The session is up.

Why this answer

The output shows BFD session details. The Holddown value of 1500 ms is calculated as MinRxInt * Multiplier (1000 ms * 3 = 3000 ms), but the output shows 1500 ms. This discrepancy indicates a misconfiguration or a bug, but the key point is that the session is UP and the holddown timer is 1500 ms, which is half of the expected value.

However, the correct interpretation is that the BFD session is established and operating, and the holddown timer is 1500 ms as shown.

1390
MCQmedium

An engineer is troubleshooting why the NMS is not receiving SNMP traps from router R2. The configuration includes 'snmp-server enable traps', 'snmp-server host 10.1.1.100 version 2c public', and an extended ACL 100 that permits UDP port 162 from 10.1.1.100. The NMS can ping R2. What is the most likely cause?

A.The ACL is applied inbound on the interface, but it should be applied outbound to allow trap packets to leave the router.
B.The 'snmp-server host' command is missing the 'trap' keyword, causing the router to send informs instead.
C.The community string 'public' is case-sensitive; the NMS is using 'Public' with a capital P.
D.The router needs the 'snmp-server trap-source' command to specify the source interface for traps.
AnswerA

Correct because traps are sent from the router; the ACL must permit outbound UDP port 162 to the NMS, not inbound.

Why this answer

The most likely cause is that the ACL is applied inbound on the interface, but it should be applied outbound to allow trap packets to leave the router. SNMP traps are UDP packets sourced from the router (typically from a random high port) and destined to the NMS at UDP port 162. An inbound ACL filters traffic entering the interface, not leaving it, so it would not affect outgoing trap packets.

Applying the ACL outbound would permit the trap traffic to exit the router and reach the NMS.

Exam trap

Cisco often tests the distinction between inbound and outbound ACL application, and candidates mistakenly think an inbound ACL can filter locally generated traffic like SNMP traps, when in fact only outbound ACLs affect traffic leaving the router.

How to eliminate wrong answers

Option B is wrong because the 'snmp-server host' command without the 'trap' keyword defaults to sending traps, not informs; the 'inform' keyword is required to send SNMP informs. Option C is wrong because while community strings are case-sensitive, the NMS using 'Public' would cause authentication failure, but the question states the NMS can ping R2, implying basic reachability; however, the ACL misapplication is a more direct and common cause of trap loss. Option D is wrong because the 'snmp-server trap-source' command is optional and only needed when the source IP of traps must be a specific interface (e.g., for reachability or security); its absence does not prevent traps from being sent, as the router uses the outgoing interface IP by default.

1391
MCQeasy

Given the configuration: logging buffered 8192 warnings logging console alerts logging monitor critical Which of the following is true?

A.The logging buffer stores messages of severity 0 through 4.
B.The console displays messages of severity 0 through 3.
C.The monitor receives messages of severity 0 through 4.
D.The buffer can store up to 8192 syslog messages.
AnswerA

Level 'warnings' (4) includes severities 0-4.

Why this answer

The buffer is set to 8192 bytes with level warnings (0-4). Console is alerts (0-2). Monitor is critical (0-3).

Note that the buffer size is in bytes, not messages.

1392
MCQmedium

What is the default maximum number of NAT translations that can be created in Cisco IOS?

A.512 translations
B.1024 translations
C.Unlimited, limited only by available memory
D.4096 translations
AnswerC

Correct. Cisco IOS allows NAT translations up to the memory capacity of the device.

Why this answer

Cisco IOS does not impose a fixed upper limit on the number of NAT translations; instead, translations are dynamically allocated from router memory. The only constraint is the available DRAM and the size of the NAT translation table, making option C correct.

Exam trap

Cisco often tests the misconception that NAT has a hard-coded default limit (like 512 or 1024) to trick candidates who memorize arbitrary numbers instead of understanding that NAT is memory-bound.

How to eliminate wrong answers

Option A is wrong because 512 is not a default limit; it is a common misconception based on older platforms or arbitrary thresholds. Option B is wrong because 1024 is not a default maximum; it may appear in some documentation as a recommended limit but is not enforced by IOS. Option D is wrong because 4096 is not a default maximum; it is a value sometimes associated with hardware-specific limits or licensing, not a global IOS default.

1393
Multi-Selectmedium

Which TWO configuration steps are required to troubleshoot and fix a BGP route that is not being advertised to an EBGP neighbor due to the next-hop-self issue? (Choose TWO.)

Select 2 answers
A.Configure a network statement under BGP to advertise the prefix.
B.Apply the neighbor next-hop-self command under the BGP router configuration for the EBGP neighbor.
C.Increase the EBGP multihop TTL using the neighbor ebgp-multihop command.
D.Ensure the next-hop IP is reachable via an IGP or static route on the advertising router.
E.Use the neighbor update-source command to change the source IP of BGP updates.
AnswersB, D

This forces the router to use its own IP as the next hop for routes advertised to the neighbor.

Why this answer

The next-hop-self command on the EBGP neighbor or the IBGP peer (if the route is from IBGP) ensures the next hop is set to the local router's address. Alternatively, if the next hop is reachable via an IGP, no change is needed. Option A is incorrect because network statements do not affect next-hop.

Option C is incorrect because EBGP multihop is for TTL issues. Option E is incorrect because the update-source command sets the source IP, not the next hop.

1394
MCQhard

A network engineer runs the following command on Router R1: R1# show ip bgp neighbors 10.1.1.2 advertised-routes BGP table version is 10, local router ID is 10.1.1.1 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path *> 10.10.10.0/24 0.0.0.0 0 32768 i *> 10.20.20.0/24 0.0.0.0 0 32768 i R1# show route-map route-map BLOCK_RFC1918, permit, sequence 10 Match clauses: ip address prefix-list RFC1918 Set clauses: Policy routing matches: 0 packets, 0 bytes route-map BLOCK_RFC1918, deny, sequence 20 Match clauses: Set clauses: Policy routing matches: 0 packets, 0 bytes R1# show ip prefix-list RFC1918 ip prefix-list RFC1918: 3 entries seq 5 deny 10.0.0.0/8 le 32 seq 10 deny 172.16.0.0/12 le 32 seq 15 deny 192.168.0.0/16 le 32 seq 20 permit 0.0.0.0/0 le 32 Based on this output, what is the most likely issue?

A.The route-map BLOCK_RFC1918 is not applied to the BGP neighbor, so RFC 1918 routes are being advertised.
B.The prefix-list RFC1918 is misconfigured and permits all routes.
C.The route-map is applied but the match clause is incorrect.
D.The BGP session is not established.
AnswerA

The prefix-list denies RFC 1918, but the route-map is not applied to the neighbor, so routes are advertised.

Why this answer

The route-map BLOCK_RFC1918 is applied to filter routes, but the advertised routes include 10.10.10.0/24 and 10.20.20.0/24, which are RFC 1918 addresses. The prefix-list RFC1918 should deny these, but the route-map is not being applied to the BGP neighbor, so routes are not filtered. The correct answer is that the route-map is not applied to the BGP neighbor.

1395
MCQmedium

A network engineer is troubleshooting PAT (overload) on a Cisco router. The inside network uses 192.168.1.0/24, and the outside interface has IP 198.51.100.1. The engineer configured 'ip nat inside source list 1 interface GigabitEthernet0/0 overload'. Traffic from inside hosts works initially, but after a few minutes, new connections fail. 'Show ip nat translations' shows many entries with the same outside global IP but different ports. 'Show ip nat statistics' indicates that the number of translations is near 500. What is the most likely cause?

A.The NAT pool is not configured with overload.
B.The outside interface is flapping, causing translations to be cleared.
C.The router has run out of available port numbers for PAT.
D.The access list is denying some inside hosts.
AnswerC

Correct because PAT uses a limited port range (usually 1024-65535), and with many sessions, ports can be exhausted, preventing new translations.

Why this answer

The router is using PAT (Port Address Translation) with overload, which maps multiple inside local IP addresses to a single outside global IP (198.51.100.1) by using unique source port numbers. With approximately 500 active translations and the router nearing the default limit of around 500 PAT entries (or the available port range of 1024–65535 being exhausted), new connections fail because no unique port numbers are available to assign. This is the classic symptom of PAT port exhaustion.

Exam trap

Cisco often tests the distinction between NAT pool exhaustion (running out of IP addresses) and PAT port exhaustion (running out of port numbers), and candidates may mistakenly think the problem is with the access list or interface stability when the real issue is the finite number of available PAT ports.

How to eliminate wrong answers

Option A is wrong because the command 'ip nat inside source list 1 interface GigabitEthernet0/0 overload' already configures overload (PAT) on the interface, so a separate NAT pool is not required and the pool is not the issue. Option B is wrong because an interface flapping would clear all translations abruptly, not cause gradual exhaustion with many entries still visible in 'show ip nat translations'. Option D is wrong because the access list (list 1) is used to define which inside hosts are eligible for NAT; if it were denying some hosts, those hosts would never get translations, but the problem is that existing translations are working and new connections from all hosts are failing after port exhaustion.

1396
MCQmedium

Which BGP attribute is used as the first tie-breaker when selecting the best path in a VRF-Lite environment?

A.Local preference
B.Weight
C.AS path length
D.MED
AnswerB

Weight is a Cisco-proprietary attribute and is checked first in the BGP best-path selection process.

Why this answer

BGP selects the path with the highest weight (Cisco proprietary) as the first tie-breaker, followed by local preference.

1397
MCQhard

An engineer configures IP SLA with an ICMP echo operation and uses it to track a static default route. The engineer also configures a backup static route with a higher administrative distance. The IP SLA operation is configured with a timeout of 2000 ms and a frequency of 5 seconds. The engineer notices that when the primary route is removed due to IP SLA failure, the backup route is installed, but when the IP SLA operation recovers, the primary route is not reinstalled. The show ip route shows the backup route still present. Which is the most likely explanation?

A.The IP SLA operation has a frequency that is too low, causing a delay in detection of recovery.
B.The track object has a 'delay up' configured, causing a delay before the primary route is reinstalled.
C.The backup static route has a lower administrative distance than the primary route.
D.The IP SLA operation is still in the 'pending' state and has not yet recovered.
AnswerB

The delay up command in the track object introduces a hold-down period before the object state changes to up, so the primary route is not reinstalled immediately.

Why this answer

When a tracked static route is removed, the backup route with higher AD is installed. When the IP SLA operation recovers, the track object goes up, and the primary route should be reinstalled. However, if the IP SLA operation recovers but the track object has a delay up configured, or if the primary route's AD is not lower than the backup route, the primary route may not be reinstalled.

In this scenario, the most likely edge case is that the track object has a 'delay up' configured, which delays the route installation.

1398
MCQhard

An EIGRP network is experiencing frequent stuck-in-active (SIA) events. Router R1 shows: 'show ip eigrp topology' includes routes in active state for several minutes. R1's configuration: router eigrp 100 timers active-time 3. R2, a neighbor, is reachable but has a large number of routes. What is the root cause?

A.The active-time timer is set too low (3 minutes), causing queries to time out before R2 can reply.
B.R2 has a stuck-in-active condition due to a routing loop.
C.R1 has a misconfigured distribute-list that blocks query replies from R2.
D.The network has a high latency link that delays query propagation.
AnswerA

The default active-time is 3 minutes. If R2 has many routes, it may take longer to process queries, leading to SIA.

Why this answer

The correct answer is A because the 'timers active-time 3' command sets the active-time timer to 3 minutes, which is the default value. In a network where R2 has a large number of routes, the query and reply process can take longer than 3 minutes, causing R1 to declare the route as stuck-in-active (SIA) and reset the neighbor relationship. This is a common misconfiguration where the active-time timer is not increased to accommodate slow query propagation or large route tables.

Exam trap

Cisco often tests the misconception that the default active-time timer is always sufficient, but the trap here is that candidates may overlook the need to increase the timer when the network has a large number of routes or high latency, leading to frequent SIA events.

How to eliminate wrong answers

Option B is wrong because a stuck-in-active condition on R2 would cause R2 to be unable to reply, but the scenario states R2 is reachable and the issue is with R1 timing out queries. Option C is wrong because a distribute-list blocking query replies would cause R1 to never receive replies, leading to routes staying in active state indefinitely, not timing out after 3 minutes. Option D is wrong because high latency links would delay query propagation, but the active-time timer of 3 minutes is the default and should be increased to accommodate such delays; the root cause is the timer being too low, not the latency itself.

1399
MCQeasy

Which statement about the Next Hop Resolution Protocol (NHRP) in DMVPN is correct regarding the purpose of NHRP Registration Request packets?

A.They are used to resolve the NBMA address of a destination tunnel IP address.
B.They are used to register the spoke's tunnel IP and NBMA address with the hub.
C.They are used to purge outdated NHRP cache entries on the hub.
D.They are used to establish an IPsec security association between spokes.
AnswerB

Correct. Registration Request packets register the spoke's mapping with the hub.

Why this answer

NHRP Registration Request packets are sent from spoke routers to the hub to register their tunnel IP address (NHS) and corresponding NBMA address. This allows the hub to build a mapping database for forwarding.

1400
MCQmedium

An engineer applies the following configuration to an interface: interface GigabitEthernet0/5 ipv6 dhcp guard attach-policy DHCP_GUARD ipv6 snooping database file nvram:ipv6-snoop.db Which statement is true?

A.The DHCP guard policy is applied to the interface, and the snooping database is stored in NVRAM.
B.The DHCP guard policy is applied only if the snooping database is present.
C.The interface will not forward any DHCP messages until the database is populated.
D.The snooping database is used to validate DHCP server messages.
AnswerA

Both commands are independent; the guard policy filters DHCP, and the database stores bindings.

Why this answer

Option A is correct because the 'ipv6 dhcp guard attach-policy DHCP_GUARD' command applies the DHCP Guard policy to the interface, and the 'ipv6 snooping database file nvram:ipv6-snoop.db' command configures the snooping database to be stored in NVRAM. These two commands operate independently; the DHCP Guard policy is enforced immediately upon attachment, regardless of the database's presence or population state.

Exam trap

Cisco often tests the independence of First Hop Security features; the trap here is assuming that the snooping database must be present or populated for DHCP Guard to function, when in fact DHCP Guard operates based on the policy configuration alone.

How to eliminate wrong answers

Option B is wrong because the DHCP Guard policy is applied immediately when attached to the interface; it does not depend on the snooping database being present. Option C is wrong because the interface will forward DHCP messages normally; DHCP Guard only drops messages that violate the policy (e.g., unauthorized DHCP server messages), and the database does not need to be populated for forwarding to occur. Option D is wrong because the snooping database is used to store IPv6 snooping entries (e.g., bindings learned from ND and DHCP), not to validate DHCP server messages; validation is performed by the DHCP Guard policy itself based on the configured policy rules.

1401
MCQmedium

A network engineer runs the following command on Router R1: R1# show ip policy Interface Route-map GigabitEthernet0/0 PBR-SET R1# show route-map PBR-SET route-map PBR-SET, permit, sequence 10 Match clauses: ip address (access-lists): 160 Set clauses: ip next-hop 192.168.1.2 ip tos 184 Policy routing matches: 300 packets, 24000 bytes R1# show access-lists 160 Extended IP access list 160 10 permit ip 10.0.0.0 0.255.255.255 any R1# show interfaces GigabitEthernet0/0 GigabitEthernet0/0 is up, line protocol is up Internet address is 10.0.0.1/24 Based on this output, a packet from source 10.0.0.5 to destination 8.8.8.8 arrives on GigabitEthernet0/0. What is the most likely behavior?

A.The packet is forwarded using the routing table because the next-hop is not specified correctly.
B.The packet is forwarded to 192.168.1.2 with the ToS field set to 184.
C.The packet is dropped because the ToS value is invalid.
D.The packet is forwarded to 192.168.1.2 but the ToS is not changed.
AnswerB

The route map matches the packet and sets both next-hop and ToS, so the packet is policy-routed with the new ToS value.

Why this answer

The packet matches ACL 160 (source 10.0.0.0/8). The route map sets both next-hop and ToS. The next-hop 192.168.1.2 must be reachable for PBR to apply.

Assuming it is reachable (not shown but implied by matches), the packet will be forwarded to 192.168.1.2 with ToS set to 184 (which is 0xB8, or IP precedence 5, DSCP 46).

1402
Multi-Selecthard

Which TWO configuration steps are required to implement Control Plane Policing (CoPP) on a Cisco IOS-XE router? (Choose TWO.)

Select 2 answers
A.Apply the policy map to a physical interface using the 'service-policy input' command.
B.Create a policy map that defines a police action for the classified traffic.
C.Create a class map to match the traffic that should be policed.
D.Configure a 'shape average' command in the policy map to limit traffic rate.
E.Apply the policy map to the control plane using the 'service-policy input' command under the interface configuration mode.
AnswersB, C

A policy map with a 'police' command is required to specify the rate and action for CoPP.

Why this answer

Option B is correct because a policy map is required to define the police action (e.g., 'police rate 10000 conform-action transmit exceed-action drop') that enforces rate limiting on the classified traffic. Without a policy map specifying the policing parameters, CoPP cannot apply any QoS action to the control plane traffic. Option C is correct because a class map is necessary to classify the specific traffic types (e.g., SSH, BGP, ICMP) that should be subjected to policing, using match statements based on access lists or protocol headers.

Exam trap

Cisco often tests the distinction between applying the policy map under 'control-plane' configuration mode versus under a physical interface, as candidates mistakenly use 'interface GigabitEthernet0/0' instead of 'control-plane' to attach the CoPP policy.

1403
MCQmedium

A network engineer configures a DMVPN spoke with the following: interface Tunnel0 ip address 10.0.0.3 255.255.255.0 ip nhrp network-id 100 ip nhrp nhs 10.0.0.1 tunnel source GigabitEthernet0/0 tunnel mode gre multipoint ip nhrp map 10.0.0.1 192.168.1.1 ip nhrp map multicast 192.168.1.1 ! What will happen when the spoke tries to send traffic to another spoke (10.0.0.4)?

A.The spoke will send traffic directly to 10.0.0.4 if it has a cached NHRP mapping, otherwise through the hub.
B.The spoke will always send traffic through the hub because of the static multicast map.
C.The spoke will send traffic directly to 10.0.0.4 without using the hub.
D.The spoke will drop the traffic because it does not have a route to 10.0.0.4.
AnswerA

Spokes can build direct tunnels if they have learned the mapping via NHRP; otherwise, traffic goes via the hub.

Why this answer

In DMVPN Phase 2/3, spokes initially send traffic through the hub. The hub then uses NHRP redirect (if configured) to tell the spoke to establish a direct tunnel. Without NHRP redirect on the hub, traffic always goes through the hub.

1404
MCQmedium

Consider this OSPFv3 configuration on router R2: ipv6 router ospf 10 router-id 2.2.2.2 area 0 authentication ipsec spi 256 md5 1234567890abcdef1234567890abcdef interface GigabitEthernet0/0 ipv6 address 2001:db8:1::1/64 ipv6 ospf 10 area 0 What is the effect of this configuration?

A.OSPFv3 will use IPsec MD5 authentication for all packets in area 0, including on GigabitEthernet0/0.
B.Authentication is applied only to the GigabitEthernet0/0 interface, not the entire area.
C.The configuration is invalid because OSPFv3 does not support IPsec authentication.
D.The router-id is missing, so OSPFv3 will not start.
AnswerA

Correct. The area authentication command applies to all interfaces in that area.

Why this answer

The area authentication command under OSPFv3 enables IPsec authentication for the entire area. The interface is enabled for OSPFv3 in area 0, so it will use the area authentication. However, OSPFv3 authentication uses IPsec AH or ESP; the configuration shown is valid.

1405
Drag & Dropmedium

Drag and drop the steps to verify and validate the operational state of IPv4 ACLs into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

First, display all ACLs with show access-list; second, check interface bindings with show ip interface; third, verify hits on each entry; fourth, confirm the ACL is active using show running-config; fifth, test traffic with extended ping or traffic generator.

1406
MCQmedium

Examine the following configuration snippet: ``` interface GigabitEthernet0/0 ip access-group BLOCK_TELNET out ! ip access-list extended BLOCK_TELNET deny tcp any any eq 23 permit ip any any ``` What is the effect of applying this ACL outbound on GigabitEthernet0/0?

A.It blocks Telnet traffic entering the interface from the network.
B.It blocks Telnet traffic leaving the interface, but permits all other IP traffic.
C.It permits Telnet traffic and blocks all other IP traffic.
D.It has no effect because the ACL is missing a sequence number.
AnswerB

Correct. The outbound ACL denies Telnet and permits all other IP traffic.

Why this answer

The ACL is applied outbound on GigabitEthernet0/0, meaning it filters traffic as it leaves the interface. The first rule denies TCP traffic destined for port 23 (Telnet), and the second rule permits all other IP traffic. Therefore, Telnet sessions initiated from inside the network and exiting this interface are blocked, while all other traffic is allowed.

Exam trap

Cisco often tests the distinction between inbound and outbound ACL application, and the trap here is that candidates mistakenly think an outbound ACL filters traffic entering the interface rather than leaving it.

How to eliminate wrong answers

Option A is wrong because the ACL is applied outbound, not inbound; it blocks traffic leaving the interface, not entering. Option C is wrong because the ACL denies Telnet traffic (port 23) and permits all other IP traffic, not the reverse. Option D is wrong because sequence numbers are not required for named extended ACLs; the ACL is valid and functional as written.

1407
MCQmedium

Examine the following configuration: ``` interface GigabitEthernet0/1 ip vrf forwarding CUSTOMER_C ip address 10.1.1.1 255.255.255.0 no shutdown ``` What is missing from this configuration to ensure that routes from VRF CUSTOMER_C are properly isolated?

A.A route-target import/export statement under the VRF definition.
B.The command 'ip vrf forwarding CUSTOMER_C' must be preceded by 'no ip address' to avoid IP address removal.
C.Nothing is missing; this configuration provides proper VRF isolation.
D.A 'vrf definition CUSTOMER_C' must be used instead of 'ip vrf' on newer IOS versions.
AnswerC

This is correct. The interface is in a VRF, so all traffic uses the VRF-specific routing table, ensuring isolation.

Why this answer

The configuration is complete for basic VRF-Lite. VRF isolation is achieved by associating the interface with a VRF, which creates a separate routing table. No additional commands are required for isolation.

1408
MCQmedium

A network engineer runs the following command on Router R1: R1# show snmp trap SNMP Trap: enabled Trap receiver: 192.168.1.100 Community: PUBLIC Version: 2c UDP port: 162 Enable traps: snmp, interface, bgp Trap receiver: 192.168.1.200 Community: PRIVATE Version: 2c UDP port: 162 Enable traps: snmp, ospf Based on this output, which statement is correct?

A.BGP traps will be sent to 192.168.1.100 but not to 192.168.1.200.
B.Both receivers will receive OSPF traps.
C.The traps are sent using SNMPv3.
D.Interface traps are sent to 192.168.1.200.
AnswerA

The first receiver has 'bgp' in its enable traps list, while the second does not.

Why this answer

The output shows that traps are configured per receiver. The first receiver (192.168.1.100) has 'Enable traps: snmp, interface, bgp', while the second receiver (192.168.1.200) has 'Enable traps: snmp, ospf'. Since BGP is not listed for the second receiver, BGP traps will only be sent to 192.168.1.100, making option A correct.

Exam trap

Cisco often tests the misconception that all trap receivers receive the same set of traps, but in reality, trap enablement can be configured per receiver, and the 'show snmp trap' output clearly shows which traps are enabled for each host.

How to eliminate wrong answers

Option B is wrong because OSPF traps are only enabled for the second receiver (192.168.1.200), not for the first receiver (192.168.1.100), so both receivers will not receive OSPF traps. Option C is wrong because the output explicitly shows 'Version: 2c' for both receivers, indicating SNMPv2c is used, not SNMPv3. Option D is wrong because interface traps are enabled only for the first receiver (192.168.1.100), not for 192.168.1.200.

1409
MCQmedium

A network engineer runs the following command on Router R1: R1# show policy-map control-plane Control Plane Service-policy input: CoPP-IN Class-map: CoPP-ICMP (match-all) 100 packets, 6000 bytes 5 minute offered rate 500 bps, drop rate 500 bps Match: access-group 100 police: cir 8000 bps, bc 1500 bytes, be 1500 bytes conformed 50 packets, 3000 bytes; actions: transmit exceeded 25 packets, 1500 bytes; actions: drop violated 25 packets, 1500 bytes; actions: drop Based on this output, what is the most likely impact on the router?

A.All ICMP packets are being transmitted without drops.
B.ICMP traffic is being rate-limited, causing some ping requests to fail.
C.The police rate is set to 16000 bps.
D.The class-default is matching ICMP traffic.
AnswerB

Dropped ICMP packets can result in ping loss.

Why this answer

The output shows that ICMP traffic matching access-group 100 is being policed with a CIR of 8000 bps. Out of 100 packets, 50 were conformed (transmitted), 25 exceeded (dropped), and 25 violated (dropped). This results in a 50% packet loss, causing some ping requests to fail.

The drop rate equals the offered rate (500 bps) because the policer is dropping half the traffic. Therefore, option B is correct.

Exam trap

Candidates may misinterpret the 'conformed' counter as meaning all traffic is transmitted, but the exceeded and violated counters indicate actual drops. In this case, 50 packets were transmitted and 50 dropped, so the ICMP traffic is rate-limited, not completely blocked.

How to eliminate wrong answers

Option A is wrong because the drop rate is 500 bps, meaning packets are being dropped, not all transmitted. Option C is wrong because the police rate is explicitly set to 8000 bps (CIR), not 16000 bps. Option D is wrong because the class-map is CoPP-ICMP, not class-default; class-default would only match traffic not classified by other class-maps.

1410
MCQhard

An engineer configures OSPFv2 with a route-map to set the metric on redistributed routes. After redistribution, the metric is not being set as expected. Which is the most likely explanation?

A.The route-map does not have a match statement, so it applies to no routes.
B.The redistribution command uses the 'subnets' keyword, which overrides the route-map.
C.The route-map is applied to the wrong direction.
D.The OSPF process is configured with 'default-metric' command, which overrides the route-map.
AnswerA

Without a match statement, the route-map does not apply to any routes, and the default metric is used.

Why this answer

When redistributing routes into OSPF, the metric is set using the 'metric' keyword in the redistribution command or via a route-map. However, if the route-map does not explicitly match the routes, the default metric (20 for external type 2) is used. Additionally, if the route-map uses 'set metric' but the redistribution command also has a 'metric' keyword, the route-map overrides the redistribution command.

1411
MCQhard

An OSPF network has a multi-access link between routers R1 and R2. R1 is configured with 'ip ospf network point-to-point' on the interface, while R2 uses the default broadcast network type. R1 shows: 'show ip ospf neighbor' lists R2 as FULL/DR, but R2 shows: 'show ip ospf neighbor' lists R1 as FULL/DROTHER. Traffic from R1 to R2's loopback is fine, but from R2 to R1's loopback is intermittent. What is the root cause?

A.R1's point-to-point configuration disables DR/BDR election, but R2 still expects it, causing R1 to ignore R2's LSUs.
B.R2's DR election is incorrect because it has a higher router ID, but R1 should be the DR.
C.R1's interface has an MTU mismatch that causes OSPF packets to be dropped.
D.R2 has a firewall that blocks OSPF packets from R1.
AnswerA

With mismatched network types, R1 sends packets without a DR, but R2 expects them from the DR, leading to packet loss.

Why this answer

R1's 'ip ospf network point-to-point' command disables DR/BDR election on its interface, meaning R1 will not participate in the election and will not form a full adjacency with a DR or BDR. However, R2, using the default broadcast network type, expects a DR/BDR election and elects itself as DR (likely due to higher router ID). R1 sees R2 as FULL/DR because R1 still receives Hellos and forms a neighbor relationship, but R1 ignores LSUs from R2 because R1's point-to-point logic does not recognize the DR as a valid next hop for flooding, causing intermittent reachability to R1's loopback.

Exam trap

Cisco often tests the misconception that 'ip ospf network point-to-point' only affects hello/dead timers or neighbor state, when in reality it fundamentally changes the OSPF operational model on that link, including DR/BDR election and flooding behavior.

How to eliminate wrong answers

Option B is wrong because the DR election is not 'incorrect' based on router ID; R2 becomes DR because R1's point-to-point configuration effectively removes R1 from the election, so R2 wins by default. The issue is not about which router should be DR, but that R1's point-to-point mode breaks the expected DR/BDR flooding mechanism. Option C is wrong because an MTU mismatch would cause OSPF packets to be dropped entirely, preventing the neighbor relationship from reaching FULL state, but here both routers show FULL adjacency.

Option D is wrong because a firewall blocking OSPF packets would prevent neighbor formation altogether, not cause intermittent traffic while maintaining FULL neighbor state.

1412
Multi-Selecthard

Which TWO statements about the 'ip nat outside source' feature are true? (Choose TWO.)

Select 2 answers
A.It translates the source IP address of packets arriving on an interface configured as 'ip nat outside'.
B.It can be used to map an external public IP to an internal private IP so that inside routers can route to the private address.
C.It requires the 'overload' keyword to perform Port Address Translation.
D.It translates the destination IP address of packets leaving the inside network.
E.The translation is unidirectional; return traffic is not translated back.
AnswersA, B

Correct. The command translates the source address of outside-originated traffic.

Why this answer

Option A is correct because the 'ip nat outside source' command translates the source IP address of packets that arrive on an interface configured as 'ip nat outside'. This is used when an external host's source address needs to be translated to a different address, typically to allow inside routers to route return traffic to a private address that the external host is mapped to.

Exam trap

Cisco often tests the distinction between 'ip nat inside source' and 'ip nat outside source', and candidates mistakenly assume that 'outside source' translates destination addresses or that translations are unidirectional.

1413
MCQhard

An engineer configures CoPP with a class-map that matches all IP traffic and polices it to 10000 pps. The router also has uRPF strict mode enabled on the WAN interface. After applying CoPP, the router stops receiving routing updates from a neighbor, but pings to the neighbor succeed. Which is the most likely explanation?

A.CoPP drops routing updates, causing the routing table to lack the neighbor's source network, so uRPF drops the neighbor's packets.
B.uRPF is applied after CoPP, so CoPP drops the routing updates first.
C.The CoPP policy matches all IP traffic, including uRPF failure packets.
D.Pings succeed because they use a different protocol than routing updates.
AnswerA

uRPF strict mode requires a route back to the source; without it, packets are dropped, including routing updates.

Why this answer

CoPP is applied to control plane traffic, but it does not process packets before uRPF on the ingress interface. In this scenario, the class-map matching all IP traffic and policing to 10000 pps drops routing update packets (e.g., OSPF, EIGRP, BGP) when they exceed the policer rate. Without these updates, the router lacks a route to the neighbor's source network.

Therefore, when the neighbor sends packets to the router (e.g., pings from neighbor to router), uRPF strict mode on the WAN interface drops them because the reverse path check fails. Pings from the router to the neighbor succeed because they are outgoing and not subject to inbound uRPF. Thus, CoPP indirectly causes uRPF drops, leading to the observed behavior.

Exam trap

The key trap is that CoPP dropping routing updates causes loss of routing table entries, which then triggers uRPF to drop packets from that neighbor. Candidates may overlook the causal chain and incorrectly believe uRPF drops before CoPP, missing that CoPP indirectly causes uRPF failures.

How to eliminate wrong answers

Option B is wrong because uRPF is applied on the forwarding plane (ingress interface) before packets reach the control plane, so CoPP cannot drop packets that uRPF has already dropped; the order is uRPF first, then CoPP. Option C is wrong because CoPP matches all IP traffic, but uRPF failure packets are dropped by uRPF before they ever reach the control plane, so CoPP does not see them. Option D is wrong because pings (ICMP) and routing updates (e.g., OSPF, EIGRP) are both IP traffic subject to the same CoPP policer; the success of pings is due to their lower rate or different timing, not a protocol difference.

1414
MCQeasy

What is the default BGP hold timer value in an MPLS L3VPN deployment on Cisco IOS-XE?

A.60 seconds
B.90 seconds
C.120 seconds
D.180 seconds
AnswerD

Correct. The default hold timer is 180 seconds.

Why this answer

The default BGP hold timer is 180 seconds, meaning a peer is declared dead if no keepalive or update is received within that interval.

1415
MCQhard

A network engineer runs the following command on Router R1: R1# show event manager policy registered No. Type Time Created Name 1 applet 00:01:23 UTC Mar 1 2025 EIGRP_Neighbor_Down R1# show ip eigrp neighbors IP-EIGRP neighbors for process 100 H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 0 192.168.1.2 Gi0/0 13 00:02:00 40 200 0 5 Based on this output, what is the most likely problem?

A.The EIGRP neighbor is down.
B.The EEM policy has been triggered.
C.The EIGRP neighbor is up, and the EEM policy is ready to trigger if it goes down.
D.The EEM policy is misconfigured.
AnswerC

The neighbor is operational, so the down event has not occurred.

Why this answer

The EEM policy EIGRP_Neighbor_Down is registered, but the EIGRP neighbor is present with an uptime of 2 minutes. The correct answer is that the EEM policy has not been triggered because the neighbor is up; however, the policy is ready to act if the neighbor goes down.

1416
MCQhard

An engineer applies a Control Plane Policing (CoPP) policy to a router. After applying, OSPF adjacencies go down. The policy has a class that matches OSPF traffic with a police rate of 1000 pps. The 'show policy-map control-plane' shows no drops. Which is the most likely explanation?

A.The CoPP policy uses 'match protocol ospf' but the router runs OSPFv3, which is not matched by that statement.
B.The police rate is configured in bps instead of pps, causing OSPF hellos to be dropped.
C.The 'class class-default' is configured with a police rate that drops all traffic.
D.The CoPP policy is applied to the input direction, but OSPF packets are sent from the router.
AnswerA

OSPFv3 uses IPv6; 'match protocol ospf' matches OSPFv2 only.

Why this answer

CoPP policies have an implicit 'deny all' at the end. If the OSPF traffic is not matched by any class, it will be dropped by the implicit deny. However, the engineer may have configured a class that matches OSPF but the police rate is in bps, not pps, causing OSPF hellos to be dropped if they exceed the rate.

But the question states no drops, so the issue is likely that the OSPF class is not matching due to incorrect match criteria (e.g., match protocol ospf vs match access-group).

1417
MCQhard

A network engineer configures CoPP to protect the control plane, but after redistributing routes, some legitimate routing updates are dropped. Router R1 config: control-plane service-policy input COPP ! class-map match-all ROUTING match access-group name ROUTING ! policy-map COPP class ROUTING police 100000 15000 15000 conform-action transmit exceed-action drop ! access-list ROUTING permit tcp any any eq bgp access-list ROUTING permit udp any any eq 520 access-list ROUTING permit ospf any any R1# show policy-map control-plane input Class-map: ROUTING (match-all) 100 packets, 10000 bytes 5 minute offered rate 0 bps drop rate 0 bps Match: access-group name ROUTING police: cir 100000 bps, bc 15000 bytes, be 15000 bytes conformed 90 packets, 9000 bytes; actions: transmit exceeded 10 packets, 1000 bytes; actions: drop What is the root cause?

A.The CoPP police rate is too low for the volume of routing updates during redistribution, causing drops.
B.The access-list is missing EIGRP protocol, causing EIGRP packets to be dropped.
C.The class-map is match-all, which requires all conditions to match, but only one ACL is present.
D.The policy-map is applied to the input of the control-plane, but redistribution uses output.
AnswerA

Redistribution generates many routing updates; the police rate is insufficient, leading to drops.

Why this answer

The CoPP policy is policing routing protocol traffic at 100 kbps, which may be insufficient during redistribution bursts. The exceeded drops indicate that some packets are being dropped, likely due to the burst size being too small. The fix is to increase the police rate or burst size to accommodate the redistribution traffic.

1418
MCQhard

A DMVPN Phase 3 network with OSPF as the IGP experiences routing loops between hubs. R1 and R2 are both hubs with OSPF adjacencies to each other and to spokes. R1 has a route to 10.0.0.0/8 via a spoke, and redistributes it into OSPF. R2 learns this route and also has a direct connection to the same spoke, causing a loop. What is the root cause?

A.R1 is redistributing a route learned from a spoke into OSPF, and R2 learns this route and forwards traffic back to R1, creating a loop due to lack of route tagging and filtering.
B.OSPF network type is set to broadcast on both hubs, causing DR/BDR election issues.
C.NHRP redirect is enabled on both hubs, causing conflicting redirect messages.
D.R2 has a higher OSPF router ID, causing it to become DR and attract traffic.
AnswerA

Correct. Redistribution without route tagging (e.g., using a route-map with tag) can cause loops. The route should be tagged to prevent re-redistribution.

Why this answer

Redistribution of routes from one routing protocol into OSPF can cause routing loops if not properly filtered. In this case, R1 redistributes a route learned from a spoke into OSPF, and R2 learns it and may forward traffic back to R1, creating a loop. The issue is that OSPF does not have a mechanism to prevent loops from redistribution without proper route tagging and filtering.

1419
MCQhard

In BFD multihop sessions, what is the default value for the TTL (or hop limit) in outgoing BFD Control packets on Cisco IOS-XE?

A.1
B.64
C.128
D.255
AnswerD

The default TTL for BFD multihop sessions is 255, as per Cisco IOS-XE and RFC 5883.

Why this answer

For BFD multihop sessions, Cisco IOS-XE defaults to a TTL of 255, as per RFC 5883, to ensure the packet can traverse multiple hops.

1420
MCQmedium

A network engineer runs the following command to troubleshoot OSPFv3 adjacency: R1# debug ipv6 ospf adj *Mar 1 00:15:23.456: OSPFv3-1-IPv6 ADJ Gi0/0: Rcv pkt from 2001:DB8:1::2, src 2001:DB8:1::2, area 0 *Mar 1 00:15:23.457: OSPFv3-1-IPv6 ADJ Gi0/0: Nbr 2.2.2.2: Our address 2001:DB8:1::1, his address 2001:DB8:1::2 *Mar 1 00:15:23.458: OSPFv3-1-IPv6 ADJ Gi0/0: Nbr 2.2.2.2: Neighbor is not DR, state 2WAY *Mar 1 00:15:23.459: OSPFv3-1-IPv6 ADJ Gi0/0: Nbr 2.2.2.2: DR is 2001:DB8:1::2, BDR is 2001:DB8:1::1 *Mar 1 00:15:23.460: OSPFv3-1-IPv6 ADJ Gi0/0: Nbr 2.2.2.2: Build the Start DBD *Mar 1 00:15:23.462: OSPFv3-1-IPv6 ADJ Gi0/0: Nbr 2.2.2.2: Master/Slave negotiation done *Mar 1 00:15:23.464: OSPFv3-1-IPv6 ADJ Gi0/0: Nbr 2.2.2.2: Exchange done, loading started *Mar 1 00:15:23.466: OSPFv3-1-IPv6 ADJ Gi0/0: Nbr 2.2.2.2: Loading done *Mar 1 00:15:23.468: OSPFv3-1-IPv6 ADJ Gi0/0: Nbr 2.2.2.2: Full What does this output indicate?

A.The OSPFv3 adjacency failed due to area mismatch.
B.The OSPFv3 adjacency formed successfully between routers with router IDs 1.1.1.1 and 2.2.2.2.
C.The adjacency is stuck in Exstart state due to interface MTU mismatch.
D.The router is the DR on this segment.
AnswerB

The debug shows the neighbor with router ID 2.2.2.2 and the adjacency reaching Full.

Why this answer

The debug output shows the successful OSPFv3 adjacency formation between two routers on interface Gi0/0.

1421
MCQmedium

A network engineer runs the following command on Router R1: R1# show event manager policy registered No. Type Time Created Name 1 applet 00:01:23 UTC Mar 1 2025 OSPF_Neighbor_Down R1# show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 10.1.1.2 1 FULL/DR 00:00:36 192.168.1.2 GigabitEthernet0/0 Based on this output, what is the most likely conclusion?

A.The OSPF neighbor is down.
B.The EEM policy has been triggered.
C.The EEM policy is registered but not yet triggered because the OSPF neighbor is up.
D.The EEM policy is misconfigured.
AnswerC

The neighbor state FULL shows the neighbor is operational, so the down event has not occurred.

Why this answer

The EEM policy OSPF_Neighbor_Down is registered, but the OSPF neighbor is in FULL state. The correct answer is that the EEM policy has not been triggered because the OSPF neighbor is up.

1422
MCQmedium

A network engineer runs the following command on Router R1: R1# show dmvpn Legend: Attrb -> S: Static, D: Dynamic, I: Incomplete N: NATed, L: Local, X: No Socket #Ent -> Number of NHRP entries with same NBMA peer NHS Status: E => Expecting Replies, R => Responding, W => Waiting UpDn Time -> Up or Down Time for a Tunnel ========================================================================== Interface: Tunnel0, IPv4 NHRP Details Type:Hub, NHRP Peers:2, # Ent Peer NBMA Addr Peer Tunnel Addr State UpDn Tm Attrb ----- --------------- ---------------- ----- -------- ----- 1 10.1.1.2 172.16.0.2 UP 00:02:15 D 1 10.1.1.3 172.16.0.3 UP 00:01:45 D Based on this output, which statement is correct?

A.Router R1 is a spoke with two hub peers.
B.Router R1 is a hub with two dynamically registered spokes.
C.The NHRP peers are static and not dynamic.
D.One spoke is experiencing a registration failure.
AnswerB

Type:Hub and two dynamic (D) entries confirm this.

Why this answer

The show dmvpn command displays NHRP peers. The output shows two dynamic peers (D) with their NBMA and tunnel addresses. The hub has two spokes registered, both in UP state.

The correct answer identifies the role and peer count.

1423
MCQmedium

A network engineer is troubleshooting a site-to-site VPN that intermittently drops. The engineer configured IP SLA 10 to track reachability of the remote LAN gateway (10.1.2.1) using ICMP echo probes every 5 seconds. The IP SLA is used in a static route to influence failover. The engineer notices that the IP SLA state shows 'Active' but the tracked route is not installed. What is the most likely cause?

A.The IP SLA probe is sending packets to the wrong destination IP.
B.The track object is configured with 'ip sla 10 reachability' but the static route references the track object incorrectly.
C.The IP SLA probe frequency is too high, causing the router to ignore the results.
D.The remote gateway is not responding to ICMP echo requests due to firewall rules.
AnswerB

If the track object is not properly linked (e.g., 'track 1 ip sla 10 reachability' missing), or the static route uses a different track number, the route will not be installed even though the IP SLA is active.

Why this answer

The IP SLA is active, but the tracked object might not be configured correctly to react to the IP SLA state. The issue is that the track object is not linked to the IP SLA or the threshold is misconfigured.

1424
MCQmedium

A network engineer runs the following command to troubleshoot an MPLS L3VPN issue: R1# show bgp neighbors 10.0.0.2 advertised-routes Output: BGP table version is 10, local router ID is 10.0.0.1 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path *> 10.1.1.0/24 0.0.0.0 0 32768 i *> 10.2.2.0/24 0.0.0.0 0 32768 i Total number of prefixes 2 What does this output indicate?

A.R1 is advertising two local prefixes to BGP neighbor 10.0.0.2
B.R1 is receiving two prefixes from BGP neighbor 10.0.0.2
C.R1 has no BGP routes
D.R1 is using OSPF to learn these prefixes
AnswerA

The output shows two prefixes with next hop 0.0.0.0, indicating local origin, being advertised.

Why this answer

The show bgp neighbors advertised-routes command displays routes that the router is advertising to the specified neighbor. Here, R1 is advertising two prefixes (10.1.1.0/24 and 10.2.2.0/24) to neighbor 10.0.0.2. Both are locally originated (next hop 0.0.0.0) with origin IGP.

1425
MCQhard

Router R1 and R2 are running EIGRP as the IGP, and R1 is redistributing a connected subnet 10.1.1.0/24 into EIGRP. R2 also runs BGP with an external peer, and BGP is redistributing the same prefix 10.1.1.0/24 into EIGRP with a route-map that sets the administrative distance to 100. On R3, a downstream EIGRP router, 'show ip route 10.1.1.0' shows the route via R2. What is the most likely cause of suboptimal routing?

A.The route-map set distance 100 overrides the default AD, making the redistributed route preferred over the internal route (AD 90).
B.The internal EIGRP route is not present in R3's routing table due to a distribute-list inbound from R1, so the redistributed route with AD 100 is the only path.
C.The redistributed route has AD 170 by default, and the route-map is ignored because redistribution from BGP always uses AD 170.
D.R3 prefers routes with lower metric, not AD, and the redistributed route has a better metric.
AnswerB

If the internal route is filtered, the redistributed route becomes the best path, causing suboptimal routing.

Why this answer

EIGRP internal routes have AD 90, external routes AD 170. Redistribution from BGP into EIGRP creates external routes (AD 170) unless a route-map changes the distance. Setting AD to 100 makes the redistributed route preferred over the original internal route (AD 90) because 100 > 90, so the internal route should be preferred.

However, if the internal route is not present due to a filter, or if the distance is set lower than 90, the redistributed route is chosen. The correct answer is that the route-map set distance 100 is higher than 90, so the internal route (AD 90) is still preferred; the issue is that the internal route is being suppressed by a distribute-list on R3.

Page 18

Page 19 of 29

Page 20