Cisco CCNP ENARSI 300-410 (300-410) — Questions 76150

2152 questions total · 29pages · All types, answers revealed

Page 1

Page 2 of 29

Page 3
76
MCQmedium

What is the problem with this NAT configuration? interface GigabitEthernet0/0 ip address 192.168.1.1 255.255.255.0 ip nat inside ! interface GigabitEthernet0/1 ip address 203.0.113.1 255.255.255.0 ! ip nat inside source list 1 interface GigabitEthernet0/1 overload access-list 1 permit 192.168.1.0 0.0.0.255

A.The ACL is too permissive; it should only permit specific hosts.
B.The interface GigabitEthernet0/1 is missing the 'ip nat outside' command.
C.The 'overload' keyword is unnecessary for this configuration.
D.The inside interface should be GigabitEthernet0/1.
AnswerB

Without 'ip nat outside', the router does not know which interface is the outside for NAT.

Why this answer

The configuration is missing the 'ip nat outside' command on interface GigabitEthernet0/1. For NAT to function, Cisco IOS requires that the inside interface be marked with 'ip nat inside' and the outside interface with 'ip nat outside'. Without this, the router does not know which interface is the external (outside) interface, and the NAT translation will not be applied to outgoing packets.

Exam trap

The trap here is that candidates often assume that simply configuring the NAT statement and ACL is enough, overlooking the mandatory interface-level 'ip nat outside' command, which Cisco explicitly tests in the 300-410 exam to ensure understanding of NAT operation fundamentals.

How to eliminate wrong answers

Option A is wrong because the ACL is correctly configured to permit the entire 192.168.1.0/24 subnet, which is the intended inside network for dynamic NAT overload (PAT); being more restrictive is not required and would break connectivity for valid hosts. Option C is wrong because the 'overload' keyword is necessary for Port Address Translation (PAT), which allows multiple inside hosts to share the single public IP address of GigabitEthernet0/1; without it, only one inside host could be translated at a time. Option D is wrong because the inside interface is correctly identified as GigabitEthernet0/1 (the LAN side), and the outside interface should be GigabitEthernet0/1 (the WAN side), not the other way around.

77
MCQeasy

An engineer applies a CoPP policy to a router to protect the control plane from a DDoS attack. The policy includes a class-map matching UDP traffic to port 123 (NTP) and polices it to 1000 bps. After the policy is applied, the engineer notices that the router's clock is not synchronizing with its NTP server. The NTP server is reachable via ping. What is the most likely cause?

A.The CoPP policy is dropping NTP packets because the police rate is too low.
B.The NTP server is not responding because of the DDoS attack.
C.The CoPP class-map is not matching NTP packets because it uses the wrong port number.
D.The router's NTP configuration has a wrong server IP address.
AnswerA

NTP packets are small, but if the police rate is too low, they can be dropped, causing synchronization failure.

Why this answer

The CoPP policy is policing NTP traffic (UDP port 123) to only 1000 bps. NTP synchronization requires a steady exchange of packets, and a 1000 bps rate is extremely low—likely insufficient to allow the NTP packets through, causing them to be dropped. Since the NTP server is reachable via ping (ICMP is not affected by this CoPP policy), the issue is clearly that the police rate is too restrictive for NTP traffic.

Exam trap

Cisco often tests the misconception that a CoPP policy will only drop malicious traffic, but the trap here is that an overly restrictive police rate can inadvertently drop legitimate control-plane traffic like NTP, even when the class-map and port numbers are correctly configured.

How to eliminate wrong answers

Option B is wrong because the NTP server is reachable via ping, indicating it is responding and not under a DDoS attack that would prevent replies. Option C is wrong because the class-map explicitly matches UDP port 123, which is the correct port for NTP; if it were wrong, NTP would not be affected at all. Option D is wrong because if the server IP address were incorrect, the router would not be able to ping it successfully, but the NTP server is reachable via ping.

78
MCQeasy

A network engineer runs the following command to verify DHCPv4 server bindings on router R1: R1# show ip dhcp binding Output: Bindings from all pools not associated with VRF: IP address Client-ID/ Lease expiration Type Hardware address/ User name 192.168.1.10 0050.7966.6800 Mar 01 2025 12:00 PM Automatic 192.168.1.11 0063.6973.636f.2d30 Mar 01 2025 01:00 PM Automatic 192.168.1.12 0100.1a.2b.3c.4d.5e Mar 01 2025 02:00 PM Automatic What does this output indicate?

A.The DHCP server has three static bindings configured.
B.The DHCP server has dynamically assigned three IP addresses to clients.
C.The DHCP server is out of IP addresses because all bindings are in use.
D.The DHCP server is using relay agents because the client IDs are long hexadecimal strings.
AnswerB

Each entry shows an IP address, client identifier, lease expiration, and type 'Automatic', confirming dynamic assignments.

Why this answer

Option B is correct because the output shows three DHCP bindings with a 'Type' of 'Automatic', which indicates that the IP addresses were dynamically assigned by the DHCP server based on the pool configuration. The 'Client-ID' field contains the MAC address or client identifier provided by the client during the DORA process, confirming dynamic allocation rather than static mapping.

Exam trap

Cisco often tests the distinction between 'Automatic' (dynamic) and 'Static' (manual) bindings in the DHCP binding table, leading candidates to mistakenly think all bindings are static when they see client IDs that look like MAC addresses.

How to eliminate wrong answers

Option A is wrong because static bindings would appear with a 'Type' of 'Static', not 'Automatic', and would typically be configured using the 'ip dhcp pool' command with a 'hardware-address' statement. Option C is wrong because the output only shows three bindings; there is no indication that the pool is exhausted, as the pool may have additional available addresses. Option D is wrong because the client IDs shown are standard MAC addresses or DHCP client identifiers (e.g., the long hex string '0063.6973.636f.2d30' is a Cisco client ID, not an indication of relay agent usage); relay agents are identified by the 'giaddr' field in the DHCP packet, not by the client ID format.

79
MCQhard

An engineer configures an IPv6 manual tunnel between two routers. The tunnel comes up and pings succeed, but OSPFv3 over the tunnel fails to form an adjacency, stuck in EXSTART state. MTU is set to 1500 on all physical interfaces. What is the most likely cause?

A.The tunnel interface MTU must be explicitly set to 1500 to match the physical interface.
B.The tunnel mode is incorrectly set to ipv6ip instead of gre; GRE adds additional overhead.
C.OSPFv3 uses the tunnel MTU (1480) for its packet size, but the physical interface MTU is 1500, causing the adjacency to stall.
D.The tunnel source interface has a different OSPF area than the tunnel interface, preventing adjacency.
AnswerC

OSPFv3 uses the interface MTU for database description packets. The tunnel MTU is 1460, but the physical path can only handle 1500 bytes including the outer header, leading to a mismatch.

Why this answer

In an IPv6 manual tunnel (IPv6-in-IPv4), the tunnel interface MTU is reduced due to encapsulation overhead, typically to 1460 bytes. OSPFv3 uses the tunnel MTU to determine the size of Database Description (DBD) packets during the EXSTART state. When the physical interface MTU is 1500, the tunnel MTU of 1460 causes OSPFv3 DBD packets to be fragmented or dropped, preventing the adjacency from progressing beyond EXSTART.

Adjusting the tunnel MTU to match the physical interface or using the ipv6 mtu-ignore command can resolve this.

Exam trap

Cisco often tests the subtlety that OSPFv3 adjacency stalls in EXSTART due to MTU mismatch, where candidates mistakenly think the issue is with tunnel mode or OSPF area configuration rather than the default tunnel MTU reduction from encapsulation overhead.

How to eliminate wrong answers

Option A is wrong because setting the tunnel MTU to 1500 would exceed the physical interface's ability to encapsulate the IPv4 header, causing fragmentation or packet loss; the tunnel MTU must be reduced to account for encapsulation overhead. Option B is wrong because 'ipv6ip' is the correct tunnel mode for an IPv6 manual tunnel (RFC 4213), and GRE is not required; GRE would add additional overhead (4 bytes) and is not the default for manual tunnels. Option D is wrong because OSPFv3 adjacency formation does not require the tunnel source interface and tunnel interface to be in the same OSPF area; the tunnel interface is a separate OSPF interface, and area mismatch between interfaces does not cause EXSTART state issues.

80
MCQhard

An engineer configures iBGP between two routers in the same AS. The routes learned via iBGP are not being installed in the routing table, even though the next-hop is reachable. The IGP is OSPF and the routes are present in the BGP table. Which is the most likely explanation?

A.The next-hop-self command is missing on the iBGP neighbor configuration.
B.The BGP synchronization rule is enabled, and the IGP does not have a route for the same prefix.
C.The administrative distance of iBGP (200) is higher than OSPF (110), so OSPF routes are preferred.
D.The BGP table indicates the route is valid but the best path selection fails due to missing MED.
AnswerB

With synchronization enabled, iBGP routes are not installed unless the IGP also knows about the prefix.

Why this answer

BGP synchronization rule (disabled by default in modern IOS) requires that for a route learned via iBGP to be considered valid, the same prefix must be present in the IGP routing table. If synchronization is enabled and the IGP does not carry the prefix, the route is not installed.

81
MCQhard

A network engineer configures a 6to4 tunnel between two sites. The tunnel works for traffic from Site A to Site B, but return traffic from Site B to Site A fails. Both sites have IPv4 connectivity. What is the most likely explanation?

A.Site B's IPv4 address is private and not reachable from Site A; 6to4 requires public IPv4 addresses on both ends.
B.The tunnel mode on Site B is configured as GRE IPv6 instead of 6to4.
C.The IPv6 MTU on the tunnel is set too high, causing fragmentation of return packets.
D.Site A has a firewall blocking incoming IPv4 protocol 41 packets.
AnswerA

6to4 requires globally routable IPv4 addresses on both tunnel endpoints. If Site B uses a private address behind NAT, the return traffic cannot be encapsulated correctly.

Why this answer

6to4 tunnels require both endpoints to have globally routable public IPv4 addresses because the tunnel encapsulation uses the IPv4 address to derive the IPv6 prefix (2002::/16). If Site B has a private IPv4 address (e.g., 10.x.x.x or 192.168.x.x), Site A cannot route return traffic to it, as private addresses are not reachable over the public Internet. This explains why traffic from Site A to Site B works (Site A's public address is reachable), but return traffic fails.

Exam trap

Cisco often tests the misconception that 6to4 tunnels can work with private IPv4 addresses if NAT is involved, but 6to4 does not support NAT traversal because the IPv4 address is embedded in the IPv6 prefix, making it incompatible with address translation.

How to eliminate wrong answers

Option B is wrong because GRE IPv6 tunnel mode (tunnel mode gre ipv6) encapsulates IPv6 packets in GRE over IPv4, which is a different mechanism than 6to4; it does not use the 2002::/16 prefix or require public IPv4 addresses, so it would not cause the described asymmetric failure. Option C is wrong because an MTU mismatch causing fragmentation would typically result in packet drops or ICMP fragmentation-needed messages in both directions, not a unidirectional failure; 6to4 tunnels have a default MTU of 1280 bytes, and while fragmentation can occur, it would not selectively block return traffic. Option D is wrong because if Site A's firewall were blocking incoming IPv4 protocol 41 (the 6to4 encapsulation protocol), then traffic from Site B to Site A would fail, but the question states that traffic from Site A to Site B works, which also uses protocol 41 in the opposite direction; a firewall blocking inbound protocol 41 would affect return traffic, but this scenario is less likely than the fundamental addressing issue described in option A.

82
MCQmedium

A network engineer runs the following command on Router R1: R1# show ipv6 interface gigabitethernet 0/0 | include uRPF IPv6 uRPF: strict mode (allow default route) Based on this output, what is the uRPF configuration on this interface?

A.uRPF is disabled
B.uRPF is enabled in strict mode with allow-default
C.uRPF is enabled in loose mode
D.uRPF is enabled but only for multicast
AnswerB

The output confirms strict mode uRPF with the allow-default option.

Why this answer

The command output explicitly shows 'IPv6 uRPF: strict mode (allow default route)', which confirms that uRPF is enabled in strict mode with the allow-default option. This configuration validates that the source address of incoming packets must have a matching route in the FIB pointing back to the same interface, and the allow-default keyword permits the use of a default route as a valid reverse path, which is necessary in scenarios where a default route is the only route to the source.

Exam trap

Cisco often tests the distinction between strict and loose uRPF modes, and the trap here is that candidates may overlook the 'allow default route' phrase and incorrectly assume that strict mode always drops packets matching a default route, or they may confuse strict mode with loose mode when the output explicitly states 'strict'.

How to eliminate wrong answers

Option A is wrong because the output clearly shows 'IPv6 uRPF: strict mode', indicating uRPF is enabled, not disabled. Option C is wrong because the output specifies 'strict mode', not 'loose mode'; loose mode only requires a matching route in the FIB regardless of the incoming interface. Option D is wrong because uRPF is applied to all IPv6 unicast traffic, not only multicast; multicast uRPF is a separate feature and is not indicated in the output.

83
MCQmedium

A network engineer runs the following command to verify IPv6 uRPF on an interface: R1# show ipv6 interface GigabitEthernet0/0 | include verify|suppress IPv6 verify source: strict IPv6 verify source suppress: disabled What does this output indicate?

A.Strict uRPF is enabled, and no suppression is configured, so all incoming packets are subject to strict verification.
B.Loose uRPF is enabled with suppression.
C.uRPF is disabled on this interface.
D.Suppression is enabled, so uRPF checks are bypassed.
AnswerA

Correct. Strict uRPF is active and no exceptions are configured.

Why this answer

The output shows 'IPv6 verify source: strict' and 'IPv6 verify source suppress: disabled'. This confirms that strict unicast Reverse Path Forwarding (uRPF) is enabled on the interface, meaning every incoming packet's source address is checked against the routing table to ensure the best return route uses the same incoming interface. Because suppression is disabled, no packets bypass this verification, so all incoming packets are subject to strict uRPF checks.

Exam trap

Cisco often tests the distinction between 'strict' and 'loose' uRPF modes, and the trap here is that candidates may confuse the 'suppress' keyword with disabling uRPF entirely, when in fact it only controls whether certain packets are exempt from the check.

How to eliminate wrong answers

Option B is wrong because the output explicitly states 'strict', not 'loose', and suppression is disabled, not enabled. Option C is wrong because the output clearly shows 'IPv6 verify source: strict', which means uRPF is enabled, not disabled. Option D is wrong because suppression is disabled, so uRPF checks are enforced, not bypassed.

84
MCQmedium

A network engineer configures the following on a router: ``` router eigrp 100 distance 150 10.0.0.0 0.255.255.255 ``` What is the intended effect?

A.It sets the administrative distance for all EIGRP routes to 150.
B.It sets the administrative distance to 150 for routes learned from any neighbor whose source IP matches the wildcard mask 0.255.255.255.
C.It sets the administrative distance to 150 for all routes in the routing table with destination 10.0.0.0/8.
D.It sets the administrative distance to 150 for EIGRP external routes only.
AnswerB

The ACL is applied to the source IP of the route.

Why this answer

The `distance` command with an access-list qualifier sets AD for routes matching the ACL. Here, routes from the 10.0.0.0/8 range will have AD 150.

85
MCQmedium

What is the default EIGRP hold time multiplier relative to the hello interval?

A.Hold time equals hello interval
B.Hold time is twice the hello interval
C.Hold time is three times the hello interval
D.Hold time is four times the hello interval
AnswerC

Correct. Default hold time = 3 * hello interval (e.g., 15 seconds for 5-second hello).

Why this answer

By default, EIGRP sets the hold time to three times the hello interval. This ensures that a few missed hellos do not immediately cause neighbor loss.

86
Multi-Selecthard

Which THREE commands can be used to verify the operational state of a BFD session? (Choose THREE.)

Select 3 answers
A.show bfd neighbors
B.show bfd interface details
C.show bfd session
D.show ip ospf bfd
E.show bfd peer
AnswersA, B, C

Correct. This command lists all BFD neighbors and their current session state (Up, Down, etc.).

Why this answer

The show bfd neighbors command displays all BFD neighbors and their session states. show bfd interface details shows BFD configuration and state per interface. show bfd session displays detailed session information including timers and statistics. show ip ospf bfd is not a valid command; the correct command is show ip ospf [interface] to see BFD status. show bfd peer is a valid command on some platforms but is less common; show bfd neighbors is preferred.

87
MCQmedium

A network engineer runs the following command to troubleshoot SNMP access lists: R1# show snmp access Access-list: 10 Community: public View: v1default Access-list: 20 Community: private View: v1default What does this output indicate?

A.SNMP access is controlled by ACLs: ACL 10 for 'public' and ACL 20 for 'private'.
B.No ACLs are applied to SNMP, so all access is allowed.
C.The router uses SNMPv3 exclusively.
D.The 'public' community has read-write access.
AnswerA

The output shows the mapping between ACLs and communities.

Why this answer

The 'show snmp access' output displays the configured SNMP access control entries, which map community strings to access control lists (ACLs). In this case, ACL 10 is associated with the 'public' community and ACL 20 with the 'private' community, meaning SNMP access is restricted based on these ACLs. This is the standard method for controlling SNMPv1/v2c access, as the router uses the ACL to permit or deny SNMP requests from specific source IP addresses.

Exam trap

Cisco often tests the distinction between what 'show snmp access' reveals (ACL-to-community mapping) versus what it does not reveal (read-write permissions), leading candidates to incorrectly assume that the 'public' community has read-write access or that no ACLs are applied.

How to eliminate wrong answers

Option B is wrong because the output explicitly shows ACLs 10 and 20 are applied to the 'public' and 'private' communities, respectively, so access is not allowed without ACL filtering. Option C is wrong because SNMPv3 does not use community strings or ACL-based access control in the same way; it uses user-based security models (USM) with authentication and encryption, and the output shows community strings, indicating SNMPv1/v2c. Option D is wrong because the output does not indicate read-write access for 'public'; the 'View: v1default' suggests a default view, but the actual access level (read-only or read-write) is determined by the SNMP community configuration, which is not shown in this output.

88
MCQhard

A network engineer configures an IPv6 over IPv4 GRE tunnel with IPsec using a crypto map. The tunnel works for unicast traffic, but OSPFv3 over the tunnel fails to form adjacency. The engineer checks the crypto map and sees that it only matches traffic with a specific access-list. What is the most likely explanation?

A.The crypto map access-list must include IPv6 protocol 89 (OSPF) to encrypt OSPFv3 packets; otherwise, they are sent in the clear and may be dropped.
B.OSPFv3 cannot be encrypted with IPsec; it requires a separate encryption mechanism.
C.The GRE tunnel interface must be configured with 'tunnel protection ipsec' instead of a crypto map.
D.The crypto map is applied to the physical interface instead of the tunnel interface.
AnswerA

OSPFv3 uses IPv6 protocol 89. If the access-list does not match this protocol, OSPFv3 packets are not protected and may be discarded by the remote IPsec policy.

Why this answer

OSPFv3 uses IPv6 protocol number 89 for its packets. When a crypto map is applied with an access-list that only matches specific traffic (e.g., unicast data), OSPFv3 packets (protocol 89) are not matched and are sent unencrypted. If the IPsec peer is configured to drop unencrypted traffic or if the GRE tunnel requires all traffic to be encrypted, OSPFv3 adjacency fails.

Adding protocol 89 to the access-list ensures OSPFv3 packets are encrypted and processed correctly.

Exam trap

Cisco often tests the misconception that OSPFv3 cannot be encrypted with IPsec or that the crypto map must be applied to the tunnel interface, when the real issue is that the access-list used by the crypto map must explicitly include the OSPFv3 protocol (89) to encrypt routing updates.

How to eliminate wrong answers

Option B is wrong because OSPFv3 can be encrypted with IPsec; in fact, IPsec is commonly used to protect OSPFv3 routing updates over tunnels. Option C is wrong because 'tunnel protection ipsec' is a valid alternative to a crypto map, but using a crypto map is also correct; the issue is the access-list not matching OSPFv3, not the method of applying IPsec. Option D is wrong because the crypto map is correctly applied to the physical interface (the tunnel source/destination) to protect GRE-encapsulated traffic; applying it to the tunnel interface would not encrypt the outer IP headers.

89
MCQhard

An engineer configures DMVPN Phase 2 on a hub-and-spoke network for an MPLS L3VPN customer. The spokes are configured with a single tunnel interface and use NHRP to register with the hub. The engineer notices that spoke-to-spoke traffic is not being established, even though the spokes have each other's NHRP mappings. The engineer verifies that the tunnel interfaces are up and that the hub can reach all spokes. What is the most likely explanation?

A.The spokes have a default route pointing to the hub, which prevents them from using the direct spoke-to-spoke tunnel.
B.The 'ip nhrp authentication' string is mismatched between the spokes.
C.The tunnel mode is set to 'gre multipoint' on the spokes, which is not supported in Phase 2.
D.The 'ip nhrp map multicast' command is missing on the spokes, preventing multicast traffic.
AnswerA

Correct. In Phase 2, spokes must have a route that allows them to use the tunnel for direct communication; a default route to the hub will force traffic through the hub.

Why this answer

In DMVPN Phase 2, spoke-to-spoke tunnels are established dynamically using NHRP redirect and shortcut. However, a common edge case is that the spokes must have a route that points to the destination network via the tunnel interface. If the spokes have a default route or a summary route that points to the hub (Phase 1 behavior), they will not use the direct spoke-to-spoke tunnel.

In Phase 2, the hub must send an NHRP redirect to the source spoke, and the source spoke must then send an NHRP resolution request to the destination spoke. If the spokes have a static route that forces traffic through the hub, the NHRP redirect will not work. Additionally, the 'ip nhrp redirect' command must be configured on the hub, and 'ip nhrp shortcut' on the spokes.

90
MCQmedium

What is the default administrative distance for a route learned via the Enhanced Interior Gateway Routing Protocol (EIGRP) summary route?

A.90
B.170
C.5
D.1
AnswerC

Cisco IOS assigns an AD of 5 to EIGRP summary routes to ensure they are preferred over other routes.

Why this answer

EIGRP summary routes have a default administrative distance of 5, which is lower than the standard EIGRP internal distance of 90 and EIGRP external distance of 170.

91
MCQhard

A router is configured with uRPF (Unicast Reverse Path Forwarding) in strict mode on an interface that belongs to a VRF. The network uses asymmetric routing for load balancing. The engineer notices that legitimate traffic from a customer is being dropped. Which is the most likely explanation?

A.The uRPF strict mode requires that the source IP address be reachable via the same interface, but asymmetric routing causes the return path to use a different interface.
B.The uRPF loose mode is configured instead of strict mode, which only checks that a route exists for the source IP, not the interface.
C.The VRF has a default route that points to the incoming interface, causing uRPF to always succeed.
D.The 'ip verify unicast source reachable-via any' command is used, which is the loose mode, not strict.
AnswerA

Strict uRPF fails if the best route to the source is not via the incoming interface. Asymmetric routing violates this assumption.

Why this answer

Strict uRPF checks that the source IP address of incoming packets has a route in the routing table that points back to the same interface. In asymmetric routing, the return path may be different (e.g., out another interface), so the source IP may not have a route back to the incoming interface. This causes legitimate traffic to be dropped.

The edge case is that uRPF strict mode does not account for asymmetric routing, while loose mode does.

92
MCQhard

A network engineer enables IPv6 First Hop Security with 'ipv6 dhcp guard' on a switch port connected to a legitimate DHCPv6 server. Clients on other ports receive DHCPv6 replies, but the server's port is being err-disabled repeatedly. The engineer checks the logs and sees DHCPv6 server advertisements being dropped. What is the most likely cause?

A.The port is not configured as 'trusted' for DHCPv6 Guard, causing all server advertisements to be dropped.
B.The DHCPv6 server is sending messages with an invalid DUID.
C.DHCPv6 Guard only works with stateful DHCPv6, not stateless.
D.The switch is running an older IOS version that does not support DHCPv6 Guard.
AnswerA

DHCPv6 Guard requires explicit trust for server ports.

Why this answer

When 'ipv6 dhcp guard' is enabled on a switch port, all DHCPv6 server advertisements (REPLY and ADVERTISE messages) are dropped by default unless the port is explicitly configured as 'trusted'. Since the server's port is untrusted, the switch drops the legitimate server's advertisements, causing the port to be err-disabled due to repeated violations. Configuring 'ipv6 dhcp guard trust' on the server-facing port resolves this issue.

Exam trap

Cisco often tests the default untrusted behavior of DHCPv6 Guard, where candidates mistakenly assume that enabling the feature on a port automatically allows server traffic, rather than requiring an explicit 'trust' keyword.

How to eliminate wrong answers

Option B is wrong because an invalid DUID would cause the DHCPv6 server to reject client messages or fail to form a binding, but it would not cause the switch to drop advertisements or err-disable the port; DHCPv6 Guard operates independently of DUID validity. Option C is wrong because DHCPv6 Guard works with both stateful and stateless DHCPv6; it filters all DHCPv6 server messages (REPLY and ADVERTISE) regardless of the DHCPv6 mode. Option D is wrong because the question states that the feature is enabled and logs show advertisements being dropped, which confirms the switch supports DHCPv6 Guard; an older IOS version would simply not have the command available or would not enforce the feature.

93
MCQeasy

A network engineer runs the following command to troubleshoot a BGP prefix issue: R1# show bgp ipv4 unicast 192.168.10.0/24 BGP routing table entry for 192.168.10.0/24, version 5 Paths: (1 available, best #1, table default) Advertised to update-groups: 1 Refresh Epoch 1 Local 10.1.1.2 from 10.1.1.2 (2.2.2.2) Origin IGP, metric 0, localpref 100, valid, external, best rx pathid: 0, tx pathid: 0x0 What does this output indicate?

A.The prefix is learned via eBGP and is the best path.
B.The prefix is learned via iBGP and is not the best path.
C.The prefix is suppressed and not advertised to peers.
D.The prefix is invalid due to missing next-hop reachability.
AnswerA

The output shows 'valid, external, best', confirming it is the best eBGP route.

Why this answer

The output shows the prefix 192.168.10.0/24 is learned from neighbor 10.1.1.2 with the path type 'external', indicating eBGP. The line 'valid, external, best' confirms it is the best path, making option A correct.

Exam trap

Cisco often tests the distinction between eBGP and iBGP by using the 'external' or 'internal' keyword in the show output, and the trap here is that candidates may misread 'external' as 'iBGP' or overlook the 'best' flag, assuming the prefix is not the best path.

How to eliminate wrong answers

Option B is wrong because the output explicitly states 'external', not iBGP, and 'best' indicates it is the best path, not non-best. Option C is wrong because there is no indication of suppression (e.g., no 'suppressed' flag or 'advertise-to-all' missing), and the prefix is advertised to update-group 1. Option D is wrong because the prefix is marked 'valid' and 'best', meaning the next-hop is reachable; if the next-hop were missing, the prefix would be marked 'invalid' or 'not synchronized'.

94
MCQhard

An engineer configures MPLS forwarding on a router. The MPLS LDP neighbors are established, but some prefixes are not being assigned labels. The engineer checks the 'show mpls ldp bindings' and sees that the prefixes are missing. What is the most likely explanation?

A.The prefix is learned via BGP, and LDP does not assign labels to BGP routes by default.
B.The 'mpls ldp advertise-labels' command is configured to deny the prefix.
C.The 'mpls ldp label' command is missing on the interface.
D.The 'tag-switching' is not enabled globally.
AnswerA

LDP by default only assigns labels to IGP routes (OSPF, EIGRP, IS-IS). BGP routes are not labeled unless 'mpls ldp autoconfig bgp' or 'label-distribution' is configured for BGP.

Why this answer

MPLS LDP assigns labels to prefixes that are in the routing table and are IGP routes. If a prefix is learned via BGP, LDP will not assign a label to it by default unless the 'mpls ldp autoconfig' or 'label-distribution' is configured for BGP. Additionally, if the prefix is a connected route or a static route, LDP may not assign a label unless explicitly configured.

The edge case is that the prefix is a BGP route, and LDP does not label BGP routes by default.

95
MCQmedium

A network engineer runs the following command to troubleshoot an EEM issue: R1# show event manager policy active No. Class Type Version Time Created Name 1 applet system 1.0 Mar 1 00:00:12 2025 TRACK-INTERFACE Event Type: syslog (pattern OSPF-5-ADJCHG) Action: cli command 'show ip route' What does this output indicate?

A.The EEM applet 'TRACK-INTERFACE' is active and will execute 'show ip route' when a syslog message matching 'OSPF-5-ADJCHG' is generated.
B.The EEM applet 'TRACK-INTERFACE' is currently executing and has run 'show ip route'.
C.The EEM applet 'TRACK-INTERFACE' has been triggered and the output of 'show ip route' is displayed.
D.The EEM applet 'TRACK-INTERFACE' is inactive and needs to be enabled.
AnswerA

Correct. The output shows the applet is active, triggered by syslog pattern OSPF-5-ADJCHG, and will execute the CLI command 'show ip route'.

Why this answer

The output shows active EEM policies that are currently enabled and waiting for their trigger events. It displays the applet name, class, type, version, creation time, the event that triggers it, and the actions it will execute. This helps verify that an applet is active and what it does.

96
Multi-Selecthard

Which TWO configuration changes are required to enable IPsec site-to-site VPN with IKEv2 and pre-shared keys on a Cisco IOS router? (Choose TWO.)

Select 2 answers
A.Configure an IKEv2 keyring with the pre-shared key and peer IP address.
B.Apply the 'crypto isakmp key' command globally for the peer.
C.Create an IKEv2 profile that references the keyring.
D.Define a transform set under the IKEv2 policy.
E.Use the 'crypto map' command to reference the IKEv2 profile.
AnswersA, C

Correct. The keyring defines the pre-shared key and associates it with the peer.

Why this answer

A is correct because IKEv2 uses a keyring to store pre-shared keys (PSKs) and associate them with specific peer IP addresses, replacing the legacy 'crypto isakmp key' command used in IKEv1. The keyring is then referenced by an IKEv2 profile, which binds the authentication method and other parameters to the VPN session.

Exam trap

Cisco often tests the distinction between IKEv1 and IKEv2 commands, and the trap here is that candidates familiar with IKEv1 mistakenly select the 'crypto isakmp key' or 'crypto map' options, not realizing IKEv2 requires a keyring and IPsec profile instead.

97
MCQhard

R1 and R2 are running EIGRP with IPsec site-to-site VPN over a WAN link. The tunnel interface is used for the VPN. R1's EIGRP configuration includes a distribute-list out that filters prefix 192.168.1.0/24. R2's show ip eigrp topology shows the prefix as active but never transitions to passive. R2's show ip route does not have 192.168.1.0/24. What is the root cause?

A.R1's distribute-list out under EIGRP is filtering the prefix 192.168.1.0/24 from being advertised to R2.
B.EIGRP split-horizon is enabled on the tunnel interface.
C.The IPsec tunnel is dropping EIGRP multicast packets.
D.R2 has a passive interface configured for the tunnel.
AnswerA

The distribute-list out on R1 prevents the prefix from being sent to R2, so R2 never receives the route and the prefix stays in active state.

Why this answer

The distribute-list out command on R1 filters the prefix 192.168.1.0/24 from being included in EIGRP updates sent to R2. Since R2 never receives the route, it remains in an active state (query state) because it is still waiting for a reply from R1, and it never transitions to passive. This directly explains why the prefix is missing from R2's routing table.

Exam trap

Cisco often tests the distinction between a route being filtered out (distribute-list) versus a neighbor relationship failing (passive interface or multicast drop), leading candidates to incorrectly attribute the active state to connectivity issues rather than a route advertisement filter.

How to eliminate wrong answers

Option B is wrong because EIGRP split-horizon is disabled by default on tunnel interfaces (since they are point-to-point), and even if enabled, it would prevent routes learned from the tunnel from being advertised back out the same interface, not block a locally connected prefix from being advertised. Option C is wrong because if the IPsec tunnel were dropping EIGRP multicast packets (224.0.0.10), R2 would not see any EIGRP neighbors or updates, but the topology table shows the prefix as active, indicating neighbor adjacency is up and queries are being exchanged. Option D is wrong because a passive interface on R2 would prevent EIGRP from sending or receiving hellos on the tunnel, breaking the neighbor relationship entirely, yet the active topology entry proves the neighbor adjacency exists.

98
MCQmedium

Consider the following DMVPN configuration on a hub router: interface Tunnel0 ip address 10.0.0.1 255.255.255.0 ip nhrp network-id 100 ip nhrp authentication cisco123 ip nhrp map multicast dynamic tunnel source GigabitEthernet0/0 tunnel mode gre multipoint ! router eigrp 100 network 10.0.0.0 0.0.0.255 ! What is a potential issue with this configuration?

A.EIGRP split-horizon is enabled by default on the tunnel interface, preventing spokes from learning routes from other spokes.
B.The NHRP authentication is missing on the spokes.
C.The tunnel mode should be 'gre ip' instead of 'gre multipoint'.
D.The EIGRP network statement is too broad.
AnswerA

Split-horizon prevents the hub from advertising routes learned from one spoke to another spoke, which is a common issue in DMVPN.

Why this answer

EIGRP over DMVPN requires split-horizon to be disabled on the hub's tunnel interface to allow spokes to learn routes from other spokes.

99
MCQmedium

Given the following partial configuration on a Cisco IOS-XE router: logging host 10.1.1.1 transport tcp port 514 logging source-interface GigabitEthernet0/1 logging on What is missing or incorrect in this configuration?

A.The configuration is correct; no changes are needed.
B.The 'logging on' command is redundant because logging is enabled by default.
C.The syslog server must support TCP syslog, which is not defined in RFC 3164.
D.The port number should be 5140 for TCP syslog.
AnswerC

RFC 3164 defines syslog over UDP. TCP syslog is defined in RFC 6587 but is not universally supported. This configuration may fail if the server does not accept TCP.

Why this answer

By default, syslog uses UDP port 514. When using TCP transport, the syslog server must be configured to accept TCP connections, and this is not a common configuration. The configuration itself is syntactically correct, but the question tests knowledge that TCP transport for syslog is non-standard and may not work with typical syslog servers.

100
MCQhard

An engineer configures Control Plane Policing (CoPP) on a router running OSPF. After applying the policy, OSPF neighbors intermittently drop and recover. The CoPP policy includes a class-map matching OSPF traffic with a police rate of 64000 bps. The router has multiple OSPF neighbors and the link utilization is normal. Which is the most likely explanation?

A.The CoPP policy uses the default class class-default, which drops OSPF packets.
B.The police rate is in bits per second, but OSPF hello packets are small; the packet-per-second rate is exceeded, causing drops.
C.OSPF uses UDP, and CoPP only filters TCP traffic.
D.The CoPP policy is applied to the wrong interface; it should be applied to the management interface.
AnswerB

OSPF hello packets are small, so bps rate limiting can be misleading; pps is more appropriate for protocol packets.

Why this answer

OSPF hello packets are small (typically 44–64 bytes), so a police rate of 64000 bps translates to a very low packet-per-second (pps) allowance. When multiple OSPF neighbors send hellos and other OSPF packets, the pps limit is easily exceeded, causing CoPP to drop packets and disrupt neighbor adjacencies. This is the most likely cause of intermittent OSPF neighbor drops despite normal link utilization.

Exam trap

Cisco often tests the misconception that a bps-based police rate is sufficient for small-packet protocols like OSPF, leading candidates to overlook the packet-per-second (pps) limitation that causes drops.

How to eliminate wrong answers

Option A is wrong because the default class class-default only matches traffic not explicitly classified; if OSPF traffic is matched by a specific class-map, it is not subject to class-default actions. Option C is wrong because OSPF uses IP protocol 89, not UDP or TCP, and CoPP can filter any IP traffic, not just TCP. Option D is wrong because CoPP is applied globally to the control plane using the 'service-policy input' command under 'control-plane', not to a specific interface; applying it to the management interface would not affect OSPF control-plane traffic.

101
MCQhard

A router is configured with PBR using a route-map that sets the next-hop to 10.0.0.2 for traffic from subnet 192.168.1.0/24. The route-map is applied inbound on interface GigabitEthernet0/0. The engineer also configures 'ip policy route-map' on the same interface. However, the engineer notices that PBR is not working for traffic that is fragmented. What is the most likely reason?

A.PBR only matches the first fragment; subsequent fragments are forwarded based on the routing table because they lack Layer 4 headers.
B.The route-map is missing a 'match fragment' command.
C.Fragmented packets are always dropped by PBR.
D.The ACL in the route-map is using a 'deny' statement for fragmented packets.
AnswerA

Fragments after the first do not have Layer 4 info, so ACLs with port matching fail; PBR may not apply.

Why this answer

PBR processes only the first fragment of a fragmented packet; subsequent fragments do not contain Layer 4 information (e.g., TCP/UDP ports) and may not match the ACL if it includes Layer 4 criteria. Additionally, PBR may not be applied to non-initial fragments by default, causing them to be forwarded normally.

102
MCQmedium

Examine the following partial configuration on Router R1: ``` interface Tunnel0 ipv6 address 2001:DB8:1::1/64 tunnel source GigabitEthernet0/0 tunnel destination 2001:DB8:2::2 tunnel mode ipv6ip ``` What is the effect of this configuration?

A.The tunnel will successfully encapsulate IPv6 packets in IPv4 and forward them.
B.The tunnel will not come up because the tunnel destination is an IPv6 address instead of an IPv4 address.
C.The tunnel will use IPv6 as the transport protocol, encapsulating IPv4 packets.
D.The configuration is correct for a 6to4 tunnel.
AnswerB

In ipv6ip mode, both tunnel source and destination must be IPv4 addresses.

Why this answer

The tunnel mode ipv6ip requires an IPv4 address as the tunnel destination because it encapsulates IPv6 packets inside IPv4 packets for transport over an IPv4 network. In this configuration, the tunnel destination is set to an IPv6 address (2001:DB8:2::2), which is invalid for this tunnel mode, preventing the tunnel interface from coming up.

Exam trap

Cisco often tests the distinction between tunnel transport and passenger protocols, trapping candidates who confuse the tunnel destination address family with the tunnel mode requirements.

How to eliminate wrong answers

Option A is wrong because the tunnel will not successfully encapsulate and forward packets due to the invalid IPv6 destination address; the tunnel interface will remain down. Option C is wrong because tunnel mode ipv6ip uses IPv4 as the transport protocol to carry IPv6 packets, not IPv6 as the transport. Option D is wrong because a 6to4 tunnel uses a special IPv4-embedded IPv6 address format (2002::/16) and does not use the tunnel mode ipv6ip command; this configuration lacks the required 6to4 parameters.

103
MCQmedium

A network engineer is troubleshooting a route redistribution issue between EIGRP and OSPF. Routers R1 (EIGRP) and R2 (OSPF) are redistributing routes. The engineer notices that some EIGRP external routes (redistributed into EIGRP from another protocol) are not appearing in the OSPF database on R2. The show ip ospf database external command on R2 does not list these prefixes. What is the most likely cause?

A.The redistribute eigrp command under OSPF is missing the subnets keyword.
B.The redistribute eigrp command under OSPF is missing the match external keyword.
C.EIGRP has a higher administrative distance than OSPF, causing route suppression.
D.The OSPF process on R2 has a distribute-list blocking these routes.
AnswerA

Correct. The missing 'subnets' keyword prevents subnetted routes (including external routes) from being redistributed into OSPF.

Why this answer

When redistributing routes into OSPF, the 'subnets' keyword is required to include subnetted routes. Without it, OSPF only redistributes classful network routes, which can cause external EIGRP routes (which are often subnetted) to be missing from the OSPF database. The 'match external' keyword is not a valid option for the 'redistribute eigrp' command under OSPF.

104
MCQhard

What is the default behavior of EEM when multiple policies are registered for the same event?

A.All policies run simultaneously in parallel.
B.Only the first registered policy runs.
C.Policies run in order of priority (lower number = higher priority), then alphabetically by name.
D.Policies run in reverse order of registration.
AnswerC

Priority is the primary sort; ties are broken by policy name.

Why this answer

EEM policies are executed in order of their priority; if priorities are equal, the policy with the lowest name (alphanumeric) runs first.

105
MCQmedium

A network engineer runs the following debug command to troubleshoot a DHCPv4 issue on router R1: R1# debug ip dhcp server events Output: DHCPD: DHCPDISCOVER received from 0050.7966.6800 on interface GigabitEthernet0/0 DHCPD: Sending DHCPOFFER to 0050.7966.6800 via GigabitEthernet0/0 DHCPD: DHCPREQUEST received from 0050.7966.6800 DHCPD: No binding found for client 0050.7966.6800 DHCPD: Adding binding for client 0050.7966.6800 DHCPD: Sending DHCPACK to 0050.7966.6800 via GigabitEthernet0/0 DHCPD: DHCPINFORM received from 0050.7966.6800 DHCPD: Sending DHCPACK to 0050.7966.6800 via GigabitEthernet0/0 What does this output indicate?

A.The DHCP server failed to create a binding for the client.
B.The DHCP server successfully assigned an IP address to the client, and the client sent a DHCPINFORM to request additional parameters.
C.The DHCP client is using a relay agent because the DISCOVER was received on a different interface.
D.The DHCP server rejected the DHCPREQUEST because no binding was found.
AnswerB

The sequence shows a successful DORA process (DISCOVER, OFFER, REQUEST, ACK) followed by an INFORM, which is used to get additional options like DNS servers.

Why this answer

The debug output shows the DHCP server receiving a DHCPDISCOVER, sending a DHCPOFFER, receiving a DHCPREQUEST, creating a new binding, and sending a DHCPACK. The subsequent DHCPINFORM from the client is a standard request for additional configuration parameters (like DNS or domain name) after the client already has an IP address. The server responds with a DHCPACK, confirming successful assignment and parameter delivery.

Exam trap

Cisco often tests the distinction between DHCPINFORM and DHCPREQUEST, where candidates mistakenly think DHCPINFORM indicates a failure or that the client is requesting a new IP address, rather than understanding it is a normal request for additional parameters after the client already has an IP.

How to eliminate wrong answers

Option A is wrong because the output explicitly shows 'Adding binding for client 0050.7966.6800', indicating the binding was successfully created, not failed. Option C is wrong because the DHCPDISCOVER was received on interface GigabitEthernet0/0, and the server sends the DHCPOFFER via the same interface; there is no mention of a relay agent or a different interface. Option D is wrong because although the server initially logs 'No binding found for client', it immediately adds a binding and sends a DHCPACK, meaning the DHCPREQUEST was accepted and processed successfully.

106
MCQhard

Which statement correctly describes the default authentication behavior for EEM policy files stored in flash?

A.EEM requires all policy files to be signed with a digital certificate.
B.EEM uses MD5 hash verification by default.
C.EEM does not perform any authentication or integrity check on policy files by default.
D.EEM uses the device's AAA configuration to authenticate policy execution.
AnswerC

By default, EEM trusts the file system and executes policies without authentication.

Why this answer

EEM does not enforce any authentication by default; policy files are executed as-is without integrity checks.

107
MCQhard

A network engineer runs the following command on Router R7: R7# show logging | include %SYS-2-MALLOCFAIL *Mar 1 00:05:10.123: %SYS-2-MALLOCFAIL: Memory allocation failed for size 1024, from process 0x12345678, pool Processor *Mar 1 00:06:20.456: %SYS-2-MALLOCFAIL: Memory allocation failed for size 2048, from process 0x12345678, pool Processor *Mar 1 00:07:30.789: %SYS-2-MALLOCFAIL: Memory allocation failed for size 512, from process 0x12345678, pool Processor Based on this output, what is the most likely problem?

A.The router has a memory leak or is running out of memory in the Processor pool.
B.The router is experiencing high CPU utilization due to routing protocol updates.
C.The router's logging buffer is full and cannot store new messages.
D.The router has a hardware failure in the memory module.
AnswerA

Multiple MALLOCFAIL messages indicate that the router cannot allocate memory, which is a sign of memory exhaustion or a leak.

Why this answer

The output shows memory allocation failures in the Processor pool. This indicates that the router is running low on memory, which can cause various issues including process crashes, inability to allocate buffers, and overall instability. The process ID 0x12345678 is likely a specific process that is consuming memory or failing to allocate.

108
Multi-Selecthard

Which THREE statements about MPLS label operations (push, swap, pop) are true? (Choose THREE.)

Select 3 answers
A.The ingress LSR performs a label push operation.
B.The transit LSR performs a label swap operation.
C.The egress LSR always performs a label pop operation.
D.The penultimate hop router (PHP) performs a label pop operation.
E.Label operations are determined by the IP routing table.
AnswersA, B, D

The ingress LSR adds a label to an unlabeled IP packet to begin MPLS forwarding.

Why this answer

In MPLS, the ingress LSR pushes a label, transit LSRs swap labels, and the penultimate hop router (PHP) pops the label. The egress LSR does not perform label operations if PHP is used. Label operations are based on the label forwarding table, not the routing table directly.

109
MCQhard

A network engineer runs the following command on Router R1: R1# show ip sla statistics 3 Round Trip Time (RTT) for Index 3 Latest RTT: 150 ms Latest RTT (milliseconds): 150 Latest RTT (microseconds): 150000 Number of successes: 80 Number of failures: 20 Operation time to live: Forever Output: OK R1# show track 1 Track 1 IP SLA 3 reachability Reachability is Up 2 changes, last change 00:00:10 Latest operation return code: OK Latest RTT (milliseconds): 150 Tracked by: ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 1 Based on this output, which statement is correct?

A.The static route is removed because the IP SLA operation has failures.
B.The IP SLA operation is considered reachable, and the tracked static route is active.
C.The IP SLA operation has a 20% failure rate, so the track should be down.
D.The IP SLA operation is using a wrong source address.
AnswerB

The track shows 'Up', meaning the IP SLA is reachable, and the static route is installed.

Why this answer

The track shows 'Reachability is Up' based on IP SLA 3. The IP SLA statistics show successes and failures, but the latest return code is OK, so the track is up. This means the static route is active.

The failures (20) indicate some probes failed, but the track still considers it reachable because the threshold for reachability is likely based on a percentage or consecutive failures.

110
Drag & Dropmedium

Drag and drop the steps to verify and validate Route Maps and Route Filtering operational state into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

First, display the route-map configuration and statistics with show route-map. Second, check which route-map is applied to interfaces or routing protocols using show ip policy. Third, verify the filtered prefixes in the BGP table with show ip bgp.

Fourth, confirm the impact on routing table entries with show ip route. Finally, test connectivity end-to-end using ping or traceroute.

111
MCQmedium

Given the following partial DMVPN configuration on a hub router: interface Tunnel0 ip address 10.0.0.1 255.255.255.0 ip nhrp network-id 100 ip nhrp authentication cisco123 tunnel source GigabitEthernet0/0 tunnel mode gre multipoint ip nhrp map multicast dynamic ip nhrp redirect ! What is the purpose of the 'ip nhrp redirect' command?

A.It enables the hub to send redirect messages to spokes, telling them to use a direct tunnel to another spoke.
B.It causes the hub to redirect all traffic through the hub itself.
C.It enables the hub to dynamically map multicast addresses.
D.It disables NHRP on the tunnel interface.
AnswerA

This is the correct function of NHRP redirect in Phase 3 DMVPN.

Why this answer

In DMVPN Phase 3, the hub uses NHRP redirect to inform spokes about better paths to other spokes, enabling spoke-to-spoke direct tunnels.

112
MCQhard

An engineer configures OSPF between two PE routers in an MPLS L3VPN backbone. Both routers are directly connected via a GigabitEthernet link. The OSPF adjacency forms and then repeatedly flaps between FULL and EXSTART. The engineer verifies that both routers have matching OSPF network types (broadcast), matching area IDs, and no authentication mismatch. What is the most likely cause of the flapping?

A.The MTU on one of the interfaces is lower than the other, causing DBD packet fragmentation.
B.The OSPF hello interval is mismatched between the two routers.
C.The OSPF dead interval is too short, causing the neighbor to be declared dead prematurely.
D.The OSPF router ID is duplicated on the segment.
AnswerA

Correct. A lower MTU on one side causes DBD packets to be dropped, preventing the adjacency from leaving EXSTART.

Why this answer

In OSPF, if the MTU of the interface on one side is smaller than the size of a Database Description (DBD) packet, the neighbor will be stuck in EXSTART or the adjacency will flap. This is because OSPF uses the interface MTU to determine the maximum size of DBD packets, and if a router receives a DBD packet larger than its interface MTU, it drops it and the neighbor relationship cannot progress. This is a common edge case when one interface has a reduced MTU (e.g., due to MPLS overhead or misconfiguration) while the other uses the default 1500 bytes.

113
MCQhard

A network engineer configures EEM to monitor interface state changes on R1. R1 has: event manager applet INT-MONITOR event syslog pattern "%LINEPROTO-5-UPDOWN" action 1.0 cli command "enable" action 2.0 cli command "show ip route" action 3.0 syslog msg "Interface state change detected". After a link flap on interface GigabitEthernet0/1, the engineer notices that the EEM applet runs multiple times, but the show ip route output is incomplete. Router R2 shows: routing table updates are delayed. What is the root cause?

A.The EEM applet executes before the routing protocol has converged, showing incomplete routing information.
B.The syslog pattern matches too many events, causing the applet to run excessively.
C.The 'show ip route' command requires privileged mode, but the applet is already in privileged mode.
D.The interface flap is causing routing protocol instability, not the EEM applet.
AnswerA

The applet runs immediately, but routing updates take time; adding a delay ensures accurate output.

Why this answer

The EEM applet runs immediately upon the syslog message, but the routing protocol may not have converged yet. The show ip route command may show stale or incomplete routes because the routing table update occurs asynchronously. The correct fix is to add a delay using 'action wait' before executing the show command.

114
MCQhard

An engineer configures OSPF on two routers connected via a point-to-point link. The routers are stuck in EXSTART state. 'show ip ospf neighbor' shows neighbor state EXSTART/EXCHANGE. Which is the most likely explanation?

A.The OSPF network type is mismatched (point-to-point vs broadcast).
B.The MTU on the interfaces is mismatched.
C.The OSPF router IDs are identical.
D.The hello/dead intervals are mismatched.
AnswerB

An MTU mismatch prevents DBD packets from being exchanged, causing the adjacency to remain in EXSTART.

Why this answer

In OSPF, the EXSTART state involves negotiating the master/slave relationship and the Database Description (DBD) packet size. If the MTU on the interfaces differs, the larger DBD packet from the router with the larger MTU will be dropped by the router with the smaller MTU, causing the adjacency to remain stuck in EXSTART. This is a common edge case that is often overlooked.

115
Multi-Selecthard

Which TWO actions will prevent an SNMPv2c NMS from receiving traps from a Cisco router? (Choose TWO.)

Select 2 answers
A.The NMS is configured with a community string that does not match the community string used in the 'snmp-server host' command on the router.
B.The router has an ACL applied to its VTY lines that denies UDP port 162.
C.The 'snmp-server enable traps' command is missing from the router configuration.
D.The NMS is listening on UDP port 161 instead of UDP port 162.
E.The 'snmp-server host' command specifies the IP address of a different NMS.
AnswersA, C

Correct. The NMS will discard traps from the router because the community strings do not match, preventing reception.

Why this answer

In SNMPv2c, a community string mismatch (Option A) prevents the NMS from authenticating and accepting traps. Additionally, the 'snmp-server enable traps' command (Option C) is required on the router to generate traps; without it, no traps are sent. Option D is incorrect because the NMS can be configured to listen on any port; if it listens on 161 it will receive SNMP queries but not traps, but this does not prevent trap reception if the NMS also listens on 162.

Option E is incorrect because if 'snmp-server host' points to a different NMS, the trap is still sent to that NMS, but the original NMS would not receive it—however, that is a destination misconfiguration, not a prevention mechanism; in this context, it is not considered a typical prevention action.

Exam trap

Cisco often tests the distinction between the 'snmp-server enable traps' command (which enables trap generation) and the 'snmp-server host' command (which specifies the destination), leading candidates to overlook that both are required for trap delivery.

116
MCQhard

A network engineer is troubleshooting PBR on a Cisco router where traffic from subnet 192.168.50.0/24 should be forwarded to next-hop 10.50.50.2. The route map 'PBR-50' is configured with 'match ip address 160' and 'set ip next-hop 10.50.50.2'. The engineer applies the route map to interface GigabitEthernet0/0. The engineer notices that PBR works for traffic from 192.168.50.0/24, but the router is also policy-routing traffic from other subnets that should not be affected. The engineer checks the ACL 160 and confirms it only matches 192.168.50.0/24. What is the most likely cause?

A.The route map has a sequence with no match condition, which matches all traffic.
B.The ACL 160 has a 'permit ip any any' statement at the end.
C.The 'ip policy route-map' command is applied to multiple interfaces, and traffic from other subnets is entering those interfaces.
D.The router is using CEF switching, and PBR is applied to all traffic regardless of ACL.
AnswerA

Correct: If the route map has a sequence without a match condition, it matches all traffic, causing PBR to apply to unintended subnets.

Why this answer

The route map 'PBR-50' has a 'match ip address 160' statement, but if there is a subsequent sequence in the route map with no match condition, that sequence will match all traffic and apply the set action. This is a common misconfiguration where an additional permit sequence without a match is present, causing policy routing for all traffic. The engineer should check the route map for any sequence without a match condition.

117
MCQmedium

A network engineer runs the following command to troubleshoot a Control Plane Policing (CoPP) issue: R1# debug ip ospf adj OSPF adjacency debugging is on R1# *Mar 1 00:05:23.123: OSPF: Rcv pkt from 10.1.1.2, FastEthernet0/0, area 0.0.0.0, packet type: 1 (Hello) *Mar 1 00:05:23.123: OSPF: 2 Way Communication to 10.1.1.2 on FastEthernet0/0, state 2WAY *Mar 1 00:05:23.124: OSPF: Send immediate hello to nbr 10.1.1.2, src address 10.1.1.1, on FastEthernet0/0 *Mar 1 00:05:23.124: OSPF: Rcv pkt from 10.1.1.2, FastEthernet0/0, area 0.0.0.0, packet type: 2 (DBD) *Mar 1 00:05:23.125: OSPF: Rcv DBD from 10.1.1.2, seq 0x1234, opts 0x2, flag 0x7, mtu 1500 state EXSTART *Mar 1 00:05:23.126: OSPF: Nbr 10.1.1.2 has state FULL What does this output indicate?

A.OSPF adjacency is failing due to CoPP dropping Hello packets.
B.OSPF adjacency is established successfully, indicating CoPP is not blocking OSPF traffic.
C.OSPF is experiencing packet loss due to MTU mismatch.
D.OSPF is stuck in EXSTART state due to CoPP.
AnswerB

The adjacency reached FULL state, meaning OSPF packets are being processed correctly.

Why this answer

The debug output shows the OSPF adjacency progressing through the expected states (2WAY, EXSTART) and reaching FULL after receiving a Database Description (DBD) packet. This confirms that OSPF Hello and DBD packets are being processed normally, which means Control Plane Policing (CoPP) is not dropping OSPF traffic. CoPP would typically drop packets at the control plane, preventing state transitions like 2WAY or FULL.

Exam trap

Cisco often tests the misconception that any debug output showing OSPF packet reception implies a problem, when in fact the sequence of states (2WAY to FULL) indicates successful adjacency formation, and candidates may incorrectly attribute normal behavior to CoPP failure.

How to eliminate wrong answers

Option A is wrong because the debug output shows successful reception of Hello packets and progression to 2WAY state, indicating CoPP is not dropping Hello packets. Option C is wrong because the adjacency reaches FULL with MTU 1500 in the DBD, and an MTU mismatch would cause the adjacency to stall in EXSTART/EXCHANGE state, not reach FULL. Option D is wrong because the adjacency transitions from EXSTART to FULL after receiving the DBD, proving it is not stuck in EXSTART due to CoPP or any other reason.

118
MCQhard

MPLS LDP neighbor mismatch is causing label distribution failures for summary routes. Router R1 and R2 are LDP peers. R1 has: mpls ip ! interface GigabitEthernet0/0 ip address 10.0.0.1 255.255.255.0 mpls ip ! router ospf 1 network 10.0.0.0 0.0.0.255 area 0 area 0 range 10.0.0.0 255.255.252.0 ! R2 shows: R2# show mpls ldp neighbor Peer LDP Ident: 10.0.0.2:0, Transport address: 10.0.0.2 TCP connection: 10.0.0.2.646 - 10.0.0.1.646 State: Oper, Msgs sent/rcvd: 10/10 R2# show mpls forwarding-table 10.0.0.0/22 Local tag outgoing tag prefix tag(s) next-hop 16 Untagged 10.0.0.0/22 0 10.0.0.1 But R2 cannot forward traffic for 10.0.1.0/24. What is the root cause?

A.The OSPF summary suppresses the /24 routes, so LDP does not assign labels to them, causing forwarding failures.
B.LDP is not enabled on the interface, so no labels are exchanged.
C.The OSPF area range command is not supported with MPLS.
D.R2 has a static route for 10.0.1.0/24 that overrides LDP.
AnswerA

LDP only labels routes present in the routing table; the /24 routes are missing.

Why this answer

The OSPF area range command creates a summary route 10.0.0.0/22 in the routing table, but LDP assigns labels only to routes that are in the routing table. The more specific /24 routes are suppressed by the summary, so LDP does not have labels for them. When R2 receives a packet for 10.0.1.0/24, it looks up the route, finds the summary, and forwards it to R1 with a label, but R1 may not have a label for the specific /24, causing a label mismatch or blackholing.

The fix is to not summarize or to use label binding for more specific prefixes.

119
MCQhard

An engineer configures route summarization in OSPF using the 'area range' command. After configuration, some routes are missing from the routing table of other routers. Which is the most likely explanation?

A.The 'area range' command is configured with the 'not-advertise' keyword, suppressing the summary.
B.The summary route is being filtered by a distribute-list on the receiving router.
C.The component routes are not present in the OSPF database.
D.The summary route is being advertised with a metric that is too high.
AnswerA

The 'not-advertise' keyword explicitly prevents the summary route from being advertised, which would cause the routes to be missing.

Why this answer

The 'area range' command in OSPF creates a summary route that is advertised as a Type 3 LSA. However, if the 'not-advertise' keyword is used, the summary route is suppressed. Additionally, if the summary route is more specific than the component routes, it may be rejected by the receiving router due to OSPF's route selection rules.

Another edge case is that the summary route may be created but the component routes are still advertised individually if the 'advertise' keyword is not explicitly used (default is advertise).

120
MCQhard

A network engineer is troubleshooting an OSPF network where routers R1, R2, and R3 are in area 0. R1 has a summary route 192.168.0.0/22 configured on its interface to R2, summarizing four /24 subnets (192.168.0.0/24 through 192.168.3.0/24). After the configuration, R3 loses connectivity to the 192.168.0.0/24 subnet, although other subnets are reachable. What is the most likely cause?

A.The summary route 192.168.0.0/22 is being advertised with a metric of 0, causing R3 to prefer a less specific route from another source.
B.The summary-address command was applied on R1 as an ABR, but R1 is not an ABR because it is in area 0 only; the command is ignored.
C.The 192.168.0.0/24 subnet is not included in the summary because the summary mask is /22, but the subnet mask of 192.168.0.0/24 is not contiguous with the others due to a configuration error.
D.The summary-address command on R1 is configured with the 'not-advertise' keyword, suppressing the summary but not the specific routes, causing a routing black hole for the 192.168.0.0/24 subnet.
AnswerB

Correct. The 'summary-address' command is only valid on ASBRs for external routes. On an internal router in area 0, the command is ignored. Internal summarization requires the 'area range' command on an ABR.

Why this answer

The most likely cause is that the 'summary-address' command was applied on R1, but R1 is in area 0 only and is not an Area Border Router (ABR). The 'summary-address' command is used on an Autonomous System Boundary Router (ASBR) to summarize external routes into OSPF, not for internal summarization. For internal routes, the 'area range' command must be used on an ABR.

Since R1 is not an ABR, the command is ignored, and the summarization does not occur. The loss of connectivity to 192.168.0.0/24 is likely due to a different configuration error or a transient issue, but option B correctly identifies the misapplication of the command.

Exam trap

Candidates often confuse the 'summary-address' command (used on ASBR for external routes) with the 'area range' command (used on ABR for internal routes). In this scenario, R1 is not an ABR, so any attempt to summarize internal routes is ignored.

121
MCQmedium

snmp-server enable traps\nsnmp-server host 192.168.1.100 traps version 2c public\nsnmp-server host 192.168.1.200 informs version 2c public What is the effect of this configuration?

A.Traps are sent to 192.168.1.100 and informs are sent to 192.168.1.200.
B.Both hosts receive traps.
C.Both hosts receive informs.
D.Only traps are enabled; informs require SNMPv3.
AnswerA

The first host is configured for traps, the second for informs, as specified by the 'traps' and 'informs' keywords.

Why this answer

The configuration explicitly uses the 'traps' keyword for 192.168.1.100 and the 'informs' keyword for 192.168.1.200. In SNMP, the 'snmp-server host' command defines the destination and type of notification; 'traps' are unacknowledged UDP messages, while 'informs' are acknowledged (requiring a response from the receiver). Therefore, traps are sent to 192.168.1.100 and informs to 192.168.1.200, making option A correct.

Exam trap

Cisco often tests the misconception that informs are only available in SNMPv3, but SNMPv2c also supports informs, and the 'traps' vs 'informs' keywords in the 'snmp-server host' command directly determine the notification type per destination.

How to eliminate wrong answers

Option B is wrong because the configuration specifies different notification types for each host; 192.168.1.200 is set to receive informs, not traps, so both hosts do not receive traps. Option C is wrong because 192.168.1.100 is configured to receive traps, not informs, so both hosts do not receive informs. Option D is wrong because informs are fully supported with SNMPv2c (as used here with version 2c); the statement that informs require SNMPv3 is incorrect—SNMPv2c supports informs, though they require a reliable transport mechanism.

122
MCQmedium

Router R5 has this DHCP configuration: ip dhcp pool POOL3 network 172.16.0.0 255.255.255.0 default-router 172.16.0.1 option 150 ip 10.10.10.10 ! interface GigabitEthernet0/0 ip address 172.16.0.1 255.255.255.0 no shutdown What is the purpose of the option 150 command?

A.It provides the IP address of a TFTP server to DHCP clients, typically used by VoIP phones.
B.It sets the DNS server for the DHCP pool.
C.It defines a custom option that is ignored by standard DHCP clients.
D.It specifies the default gateway for the clients.
AnswerA

Option 150 is used to specify a TFTP server for VoIP phones or other devices that need to download configuration files.

Why this answer

Option 150 is a DHCP option that specifies the IP address of a TFTP server. Cisco IP phones use this option to locate the TFTP server from which they download their configuration and firmware files. The correct answer is A because this is the standard purpose of option 150 in a Cisco VoIP environment.

Exam trap

The trap here is that candidates often confuse option 150 with option 66 (TFTP server name) or assume it is a generic custom option, but Cisco specifically tests that option 150 provides the TFTP server IP address for VoIP phones.

How to eliminate wrong answers

Option B is wrong because the DNS server is set using the 'dns-server' command in the DHCP pool, not option 150. Option C is wrong because option 150 is a well-known DHCP option defined by Cisco for TFTP server address, not a custom or ignored option. Option D is wrong because the default gateway is set using the 'default-router' command, not option 150.

123
MCQhard

A router R1 is redistributing BGP routes into OSPF, but some prefixes are missing. Router R1 has the following relevant configuration: router bgp 65000 neighbor 10.1.1.2 remote-as 65001 address-family ipv4 unicast neighbor 10.1.1.2 activate network 172.16.0.0 mask 255.255.255.0 router ospf 1 redistribute bgp 65000 subnets metric 100 Router R2 shows: show ip ospf database external 172.16.0.0 OSPF Router with ID 10.1.1.1 Type-5 AS External Link States LS age: 600 Options: (No TOS-capability, DC) LS Type: AS External Link Link State ID: 172.16.0.0 Advertising Router: 10.1.1.1 LS Seq Number: 80000001 Checksum: 0x1234 Length: 36 Network Mask: /24 Metric Type: 2 (Larger than any valid route) TOS: 0 Metric: 16777215 Forward Address: 0.0.0.0 External Route Tag: 0 What is the root cause?

A.The BGP route 172.16.0.0/24 is not in the routing table; check BGP table and next-hop reachability.
B.The metric 100 is too low; increase to match OSPF cost.
C.The subnets keyword is missing; add it to redistribute classful routes.
D.The OSPF process ID is mismatched; use process 1 on both routers.
AnswerA

OSPF redistributes only routes from routing table; if BGP route is not installed, OSPF may inject a default or max-metric route.

Why this answer

The metric of 16777215 (max) indicates the route is unreachable. This happens when BGP route is not valid (e.g., missing next-hop reachability) or when route-map sets metric to max. The BGP route may not be installed in routing table due to missing network statement or next-hop issue.

The correct fix is to ensure BGP route is valid and reachable.

124
MCQhard

A network engineer configures IP SLA with a UDP echo operation to monitor a remote server. The IP SLA responder is configured on the remote router. The engineer notices that the operation shows 'Timeout' intermittently, but standard UDP connectivity tests from the router to the server succeed. The engineer checks the IP SLA responder configuration and finds that the control port is set to a non-default value. Which is the most likely explanation?

A.The IP SLA responder is not configured to respond to UDP echo requests from the initiator.
B.The IP SLA initiator must be configured with the 'control' keyword to match the non-default control port on the responder.
C.The UDP echo operation uses a different protocol than standard UDP, causing packet drops.
D.The IP SLA operation has a threshold that is too low, causing the operation to time out.
AnswerB

The control port mismatch causes the initiator to fail to establish the operation, leading to timeouts.

Why this answer

IP SLA UDP echo operations require the IP SLA responder to be configured with the correct control port. If the responder uses a non-default control port, the initiator must be configured to use that port using the 'control' keyword under the IP SLA operation. Without this, the initiator uses the default control port (1967), causing communication failures and intermittent timeouts.

126
MCQhard

What is the default BGP update timer interval in Cisco IOS-XE?

A.30 seconds for eBGP, 0 seconds for iBGP
B.60 seconds for both eBGP and iBGP
C.5 seconds for eBGP, 15 seconds for iBGP
D.0 seconds for eBGP, 30 seconds for iBGP
AnswerA

Correct. The MRAI timer defaults to 30 seconds for eBGP and 0 for iBGP.

Why this answer

BGP does not have a fixed update timer like RIP; updates are triggered by changes, but the default minimum route advertisement interval (MRAI) is 30 seconds for eBGP and 0 seconds for iBGP.

127
Drag & Dropmedium

Drag and drop the steps to troubleshoot Device Access Control adjacency or connectivity failures into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Start by verifying physical connectivity with ping to isolate Layer 1/2 issues. Then check the access control configuration on the interface to ensure it is not blocking traffic. Next, examine the adjacency table to confirm neighbor relationships.

After that, review logs for authentication or authorization errors. Finally, use debug commands to capture real-time access control events.

128
MCQeasy

A network engineer runs the following command to troubleshoot a Policy-Based Routing (PBR) issue: R1# show route-map PBR-MAP route-map PBR-MAP, permit, sequence 10 Match clauses: ip address (access-lists): 101 Set clauses: ip next-hop 10.1.1.2 Policy routing matches: 50 packets, 6000 bytes What does this output indicate?

A.PBR is successfully forwarding matching traffic to 10.1.1.2.
B.The next-hop 10.1.1.2 is not reachable.
C.The ACL 101 is misconfigured.
D.PBR is not applied to any interface.
AnswerA

The packet counter shows successful matches and forwarding.

Why this answer

The output shows that 50 packets have matched the route-map and have been policy-routed to next-hop 10.1.1.2. This indicates PBR is working.

129
MCQhard

A network engineer configures EEM to monitor OSPF neighbor state changes. R1 has: event manager applet OSPF-MON event syslog pattern "%OSPF-5-ADJCHG" action 1.0 cli command "enable" action 2.0 cli command "show ip ospf neighbor" action 3.0 syslog msg "OSPF neighbor change detected". After a link flap, the engineer notices that the EEM applet does not execute. Router R2 shows: OSPF neighbor state changes are logged, but no EEM actions occur. What is the root cause?

A.The EEM applet is not registered correctly; it needs to be enabled with 'event manager applet OSPF-MON trigger'
B.The syslog pattern matches, but the OSPF ADJCHG message is severity 5, which is below the default EEM syslog severity threshold of 4.
C.The 'action 1.0 cli command "enable"' fails because the applet is already in privileged mode.
D.The OSPF neighbor change is not generating a syslog message due to logging buffer size.
AnswerB

EEM syslog triggers require severity 0-4 by default; OSPF ADJCHG is severity 5.

Why this answer

The EEM applet uses the syslog pattern trigger, but the OSPF ADJCHG message is logged at severity 5 (notification). By default, EEM syslog triggers only match severity 0-4 (emergency through warning). The engineer must adjust the logging severity or use a different trigger (e.g., event syslog pattern with severity).

130
MCQhard

A network engineer configures IP SLA with an HTTP GET operation to monitor a web server. The operation shows 'Success' but the response time is extremely high. The engineer checks the web server and finds it is overloaded. The engineer wants to configure a threshold so that the IP SLA operation triggers a track object when the response time exceeds 500 ms. Which configuration change is required?

A.Configure the 'threshold' command under the IP SLA operation and use the 'track' command with 'threshold' keyword in the track object.
B.Configure the 'timeout' command to 500 ms; the track object will automatically react to timeouts.
C.Use the 'reaction' command under the IP SLA operation to trigger a trap; the track object cannot react to thresholds.
D.Configure the IP SLA operation with a lower frequency to get more samples; the track object will average the response time.
AnswerA

The track object must be configured to monitor the threshold state using the 'threshold' keyword; otherwise, it only tracks reachability.

Why this answer

IP SLA HTTP operations measure response time, but to trigger a track object based on threshold violation, the engineer must configure the 'threshold' command under the IP SLA operation and then configure the track object to react to the 'threshold' state, not just the 'up/down' state. By default, track objects only track up/down, not threshold violations.

131
MCQhard

A network engineer runs the following command on Router R1: R1# show ip policy Interface Route-map GigabitEthernet0/0 PBR-QOS R1# show route-map PBR-QOS route-map PBR-QOS, permit, sequence 10 Match clauses: ip address (access-lists): 120 Set clauses: ip next-hop 10.0.0.2 Policy routing matches: 500 packets, 45000 bytes R1# show access-lists 120 Extended IP access list 120 10 permit ip 192.168.1.0 0.0.0.255 any R1# debug ip policy Policy routing debugging is on *Mar 1 00:05:23.123: IP: s=192.168.1.100 (GigabitEthernet0/0), d=8.8.8.8, len 100, policy match *Mar 1 00:05:23.123: IP: s=192.168.1.100 (GigabitEthernet0/0), d=8.8.8.8, len 100, policy rejected Based on this output, what is the most likely problem?

A.The next-hop 10.0.0.2 is unreachable.
B.The access list 120 is misconfigured.
C.The route map is applied to the wrong interface.
D.The route map sequence number is incorrect.
AnswerA

The debug 'policy rejected' after a match typically means the set next-hop is not reachable, so the packet is not policy-routed.

Why this answer

The debug output shows 'policy match' followed by 'policy rejected'. This indicates that the packet matched the route map, but the set clause was not applied because the next-hop is unreachable or the route map's set condition fails (e.g., verify-availability if used, or next-hop not in routing table). The show route-map shows matches, but the packet is rejected and forwarded normally.

132
MCQhard

A network engineer configures DMVPN Phase 2 with NHRP. Spoke routers can communicate with the hub, but spoke-to-spoke traffic fails. The 'show dmvpn' on spokes shows the hub's NBMA address but not other spokes. Which is the most likely explanation?

A.The hub is configured with 'ip nhrp redirect' but spokes are missing 'ip nhrp shortcut'.
B.The tunnel interface mode is GRE IP, not mGRE.
C.The spokes have different IPsec transform sets configured.
D.The NHRP authentication string is missing on the hub.
AnswerA

Without 'ip nhrp shortcut' on spokes, they will not install dynamic NHRP entries.

Why this answer

In DMVPN Phase 2, spoke-to-spoke tunnels require NHRP redirect from the hub and NHRP shortcut on spokes. The hub is correctly configured with 'ip nhrp redirect', which sends redirect messages to spokes when traffic destined for another spoke passes through the hub. However, if spokes are missing 'ip nhrp shortcut', they will ignore the redirect messages and not install a direct NHRP shortcut path.

Consequently, spoke-to-spoke traffic continues to be forwarded via the hub, and the 'show dmvpn' output on spokes will not show other spokes' NBMA addresses because no shortcut sessions are established.

133
MCQhard

A network engineer is troubleshooting a PBR route-map that is supposed to set the next-hop for traffic from a specific source to a different next-hop. The route-map is applied to the incoming interface, and the ACL matches the traffic. However, the engineer notices that the traffic is still being forwarded using the routing table. The engineer checks the route-map and sees that the 'set ip next-hop' command points to an IP address that is not reachable. What is the most likely result?

A.PBR will fall back to the routing table and forward the packet normally.
B.The packet will be dropped because PBR cannot forward it.
C.The router will send an ICMP unreachable message to the source.
D.The route-map will be ignored and all traffic will be dropped.
AnswerA

Correct because PBR uses the routing table if the next-hop is unreachable.

Why this answer

If the next-hop in a PBR set command is not reachable (i.e., not in the routing table), PBR will fall back to the routing table for forwarding. PBR does not drop the packet; it uses the default routing decision.

134
MCQhard

R1 and R2 are connected via an IPsec VPN tunnel. They are running OSPF over the tunnel. R1's show ip ospf neighbor shows R2 as FULL, but R1's show ip ospf database shows the LSA from R2 but with a high age (e.g., 3600). R1's show ip route does not have routes from R2. What is the root cause?

A.The OSPF dead interval on R1's tunnel interface is too short, causing frequent neighbor resets and LSA aging.
B.The IPsec tunnel is dropping OSPF packets due to MTU issues.
C.OSPF network type is point-to-multipoint, causing LSA flooding issues.
D.R2 has a distribute-list out filtering OSPF routes.
AnswerA

A short dead interval causes the neighbor to be declared dead and re-established, but LSAs are not refreshed, leading to high age and eventual removal.

Why this answer

The correct answer is A. When the OSPF dead interval on R1's tunnel interface is too short, R1 may temporarily lose neighbor adjacency with R2, causing the LSA from R2 to be prematurely aged out (age reaches 3600, the MaxAge) and removed from the OSPF database. Even though the neighbor state shows FULL at the moment of inspection, the LSA has already been flushed due to a previous timeout, so routes are not installed in the routing table.

Exam trap

Cisco often tests the distinction between neighbor state (which can appear FULL momentarily after a flap) and LSA age (which reflects the last successful refresh), leading candidates to overlook that a short dead interval can cause LSA expiration without a permanent neighbor down state.

How to eliminate wrong answers

Option B is wrong because MTU issues would typically cause OSPF packets to be fragmented or dropped, leading to neighbor state changes (e.g., stuck in EXSTART/EXCHANGE) or packet loss, not a FULL neighbor state with a high-aged LSA. Option C is wrong because point-to-multipoint network type does not inherently cause LSA flooding issues that result in a high age of 3600; it uses additional LSAs (Type 2) but still maintains proper aging. Option D is wrong because a distribute-list out on R2 would filter routes from being advertised into OSPF, which would prevent the LSA from being generated in the first place, not cause an existing LSA to age to 3600 while the neighbor remains FULL.

135
MCQmedium

A network engineer runs the following command to troubleshoot an IPv4 Access Control Lists issue: R1# debug ip packet 150 IP packet debugging is on for access list 150 *Mar 1 00:25:45.678: IP: s=192.168.1.1 (GigabitEthernet0/0), d=10.1.1.1, len 100, proto UDP, flags 0x0, sport 12345, dport 53, access list 150: matched line 10 permit udp host 192.168.1.1 host 10.1.1.1 eq 53 *Mar 1 00:25:45.679: IP: s=192.168.1.1 (GigabitEthernet0/0), d=10.1.1.1, len 100, proto TCP, flags 0x2, sport 12346, dport 53, access list 150: matched line 20 permit tcp host 192.168.1.1 host 10.1.1.1 eq 53 What does this output indicate?

A.DNS traffic from 192.168.1.1 to 10.1.1.1 is being permitted by ACL 150.
B.DNS traffic from 192.168.1.1 to 10.1.1.1 is being denied by ACL 150.
C.ACL 150 is applied outbound on GigabitEthernet0/0.
D.ACL 150 has no line 10 or 20.
AnswerA

Both UDP and TCP DNS packets match permit lines.

Why this answer

The debug output shows that packets from source 192.168.1.1 to destination 10.1.1.1 with destination port 53 (DNS) are matching permit statements in ACL 150 (line 10 for UDP and line 20 for TCP). Since the ACL is permitting these packets, DNS traffic is allowed through the interface where the ACL is applied.

Exam trap

Cisco often tests the misconception that 'debug ip packet' output shows only denied packets, but it actually shows all packets that match the ACL, whether permitted or denied, and the 'permit' or 'deny' keyword in the matched line is what determines the action.

How to eliminate wrong answers

Option B is wrong because the debug output explicitly shows 'permit' for both UDP and TCP DNS packets, not 'deny'. Option C is wrong because the debug output does not indicate the direction (inbound or outbound) of the ACL application; it only shows that packets are being matched against ACL 150 on GigabitEthernet0/0, but the direction is not specified. Option D is wrong because the debug output clearly shows 'matched line 10' and 'matched line 20', confirming that lines 10 and 20 exist in ACL 150.

136
Multi-Selecthard

Which TWO configuration steps are required to enable SNMPv3 with authentication and encryption on a Cisco router? (Choose TWO.)

Select 2 answers
A.snmp-server group GROUP v3 priv
B.snmp-server user USER GROUP v3 auth sha PASSWORD priv aes 128 PASSWORD
C.snmp-server community PUBLIC ro
D.snmp-server host 10.1.1.1 version 3 priv USER
E.snmp-server enable traps
AnswersA, B

Creates an SNMPv3 group with the 'priv' keyword to enable encryption.

Why this answer

Option A is correct because the `snmp-server group GROUP v3 priv` command creates an SNMPv3 group that enforces the `priv` security level, which requires both authentication and encryption for all users in that group. This is the foundational step to enable SNMPv3 with auth and encryption, as the group defines the minimum security model (noAuthNoPriv, authNoPriv, or authPriv) that users must meet. Without this group configuration, users cannot be assigned the necessary privileges for encrypted communication.

Exam trap

Cisco often tests the distinction between the group-level security level and the user-level auth/priv parameters; the trap here is that candidates think only the user command is needed, forgetting that the group must first be configured with `priv` to allow the user to use encryption.

137
Drag & Dropmedium

Drag and drop the steps to verify and validate SPAN, RSPAN, and ERSPAN operational state into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

First, use show monitor session all to list all sessions. Then, inspect the specific session details with show monitor session <id>. Next, check the RSPAN VLAN status if using RSPAN.

After that, verify ERSPAN packet capture at the destination. Finally, confirm that the mirrored traffic matches expected patterns.

138
Multi-Selecthard

Which TWO statements about IPv6 First Hop Security (FHS) Source Guard are true? (Choose TWO.)

Select 2 answers
A.IPv6 Source Guard dynamically creates binding entries for all IPv6 addresses learned via ND.
B.IPv6 Source Guard uses the IPv6 binding table to permit or deny traffic based on source address.
C.IPv6 Source Guard filters traffic based on the destination IPv6 address in the packet.
D.IPv6 Source Guard can be enabled on a per-interface or per-VLAN basis.
E.IPv6 Source Guard only works with addresses learned via DHCPv6.
AnswersB, D

Correct. Source Guard checks the source IPv6 address and MAC against the binding table and drops unauthorized traffic.

Why this answer

IPv6 Source Guard uses the IPv6 binding table (populated by ND snooping and/or DHCPv6 snooping) to permit or deny traffic based on the source IPv6 address in the packet. This prevents spoofing attacks by ensuring that only traffic from legitimate, learned source addresses is forwarded, similar to IPv4 Source Guard.

Exam trap

Cisco often tests the misconception that IPv6 Source Guard creates its own bindings or only works with DHCPv6, when in fact it relies on the binding table built by ND snooping and DHCPv6 snooping, and it filters based on source address, not destination.

139
MCQmedium

When troubleshooting SNMPv3 authentication failures, which default HMAC algorithm is used if the user is configured with "auth md5"?

A.HMAC-SHA-96
B.HMAC-MD5-96
C.HMAC-SHA-256
D.No HMAC is used; MD5 is used directly.
AnswerB

RFC 3414 defines HMAC-MD5-96 as the authentication protocol for usmHMACMD5AuthProtocol.

Why this answer

When a user is configured with 'auth md5' in SNMPv3, the default HMAC algorithm used is HMAC-MD5-96. This is defined in RFC 3414, which specifies that the authentication protocol 'MD5' actually refers to HMAC-MD5-96, not raw MD5. The HMAC construction provides keyed hashing for message integrity and authentication, and the '-96' indicates that the output is truncated to 96 bits (12 bytes).

Exam trap

Cisco often tests the misconception that 'auth md5' uses raw MD5 directly, when in fact SNMPv3 always wraps the hash in an HMAC construction, and the '-96' suffix indicates the truncated output length.

How to eliminate wrong answers

Option A is wrong because HMAC-SHA-96 is used when the user is configured with 'auth sha', not 'auth md5'. Option C is wrong because HMAC-SHA-256 is a stronger hash used with 'auth sha-256' in newer SNMPv3 implementations, not with 'auth md5'. Option D is wrong because SNMPv3 always uses HMAC (keyed-hash) for authentication, never raw MD5 directly; the 'auth md5' configuration invokes HMAC-MD5-96 per RFC 3414.

140
MCQhard

A network using IPv6 over IPv4 ISATAP tunnels is experiencing connectivity issues. Router R1 has the following relevant configuration: interface Tunnel0 ipv6 address 2001:DB8:1::/64 eui-64 tunnel source 192.0.2.1 tunnel mode ipv6ip isatap. Router R2 shows: R2# show ipv6 interface Tunnel0 Tunnel0 is up, line protocol is up IPv6 is enabled, link-local address is FE80::5EFE:192.0.2.2 Global unicast address(es): 2001:DB8:1::5EFE:192.0.2.2. What is the root cause?

A.The IPv6 address on R1 should be configured without the eui-64 keyword to allow manual assignment.
B.The tunnel mode should be ipv6ip isatap on both ends, but R2's address shows correct ISATAP format, indicating R1's address is wrong.
C.The tunnel source on R1 should be the IPv4 address of R2.
D.ISATAP requires the use of a link-local address only.
AnswerB

R1's address uses EUI-64, which does not produce the ISATAP-specific interface identifier, causing address mismatch.

Why this answer

Option B is correct because ISATAP tunnels require both endpoints to use the same tunnel mode (ipv6ip isatap) and to form the IPv6 interface identifier from the IPv4 tunnel source using the format ::5EFE:w.x.y.z. R2's global address 2001:DB8:1::5EFE:192.0.2.2 correctly embeds its IPv4 address 192.0.2.2, but R1's configuration with the eui-64 keyword causes it to derive an interface identifier from its MAC address instead of the required ISATAP format. This mismatch prevents proper IPv6 neighbor discovery and connectivity over the tunnel.

Exam trap

Cisco often tests the distinction between standard EUI-64 address generation and ISATAP's fixed interface identifier format, trapping candidates who assume that eui-64 is always correct for IPv6 tunnel interfaces.

How to eliminate wrong answers

Option A is wrong because removing the eui-64 keyword and manually assigning an address would not fix the root cause; the issue is that R1 must use the ISATAP-specific interface identifier (::5EFE:IPv4) derived from its tunnel source, not a manually assigned or MAC-based identifier. Option C is wrong because the tunnel source on R1 should be its own IPv4 address (192.0.2.1) to identify the tunnel endpoint; pointing to R2's IPv4 address would break the tunnel encapsulation. Option D is wrong because ISATAP tunnels support both link-local and global unicast addresses; the link-local address is automatically derived, but global addresses are required for end-to-end connectivity and are correctly used in this scenario.

141
MCQhard

Router R1 and R2 are running OSPF and BGP. R1 is an ASBR redistributing BGP routes into OSPF. R2 is an ABR between area 0 and area 1. R2 has 'distance ospf external 150' configured. R3 in area 1 learns a BGP-redistributed route 10.0.0.0/8 via R2 with AD 150. R3 also learns the same prefix via a different path from R4 (another ABR) with AD 110 (default OSPF external). R3's 'show ip route 10.0.0.0' shows the route via R4. What is the root cause?

A.R2's 'distance ospf external 150' makes the external route less preferred than the default AD 110 from R4.
B.R4's route is an inter-area route (AD 110) while R2's route is external (AD 150), so inter-area is preferred.
C.R3 has a route-map that prefers routes from R4.
D.The route from R2 is not in the OSPF database due to a filter.
AnswerA

Higher AD means less trust; R3 chooses the lower AD route.

Why this answer

OSPF administrative distance can be set per route type. With 'distance ospf external 150', the external routes from R2 have AD 150, while routes from R4 have default AD 110. R3 prefers the route with lower AD (110 via R4).

This is expected behavior, but the question might imply that the route via R2 should be preferred due to some other reason. The correct answer is that the configuration on R2 increases the AD for external routes, making them less preferred.

142
MCQmedium

A network engineer runs the following command to troubleshoot a NAT issue: R1# debug ip nat detailed NAT: s=10.1.1.1->10.2.2.2, d=192.168.1.1 [45] NAT: s=10.1.1.1->10.2.2.2, d=192.168.1.1 [46] NAT: s=10.1.1.1->10.2.2.2, d=192.168.1.1 [47] NAT*: s=192.168.1.1, d=10.2.2.2->10.1.1.1 [48] NAT: s=10.1.1.1->10.2.2.2, d=192.168.1.1 [49] What does this output indicate?

A.NAT is working correctly; the asterisk indicates a packet that was translated and fast-switched.
B.NAT is failing; the asterisk indicates a packet that was dropped.
C.NAT is working but only for outbound traffic; return traffic is not being translated.
D.NAT is not configured; the output shows only routing information.
AnswerA

The asterisk shows fast-switching, and translations are occurring bidirectionally.

Why this answer

The output shows successful NAT translations: the source IP 10.1.1.1 is translated to 10.2.2.2 for outbound packets (lines without asterisk), and the return packet from 192.168.1.1 has its destination translated back to 10.1.1.1 (line with asterisk). The asterisk in 'NAT*' indicates that the packet was both translated and fast-switched (process-switched packets lack the asterisk), confirming correct operation.

Exam trap

Cisco often tests the misconception that the asterisk in NAT debug output indicates a problem or drop, when in fact it confirms fast-switched translation and successful bidirectional NAT operation.

How to eliminate wrong answers

Option B is wrong because the asterisk does not indicate a dropped packet; it indicates a fast-switched translation, and the output shows successful translation of both outbound and return traffic. Option C is wrong because the return traffic is clearly being translated (line [48] shows destination translation from 10.2.2.2 to 10.1.1.1), so NAT is working bidirectionally. Option D is wrong because the output explicitly shows NAT translations (s=10.1.1.1->10.2.2.2), not routing information; the 'debug ip nat detailed' command only displays NAT events.

143
MCQhard

A network engineer configures an EEM applet to monitor OSPF network type mismatches using the event syslog pattern 'OSPF-5-ADJCHG'. The applet is supposed to send a notification when an adjacency fails. Two routers are connected with an OSPF network type mismatch (one is broadcast, the other is point-to-point). The adjacency fails, but the EEM applet does not trigger. Which is the most likely explanation?

A.A network type mismatch prevents the routers from reaching the 2WAY state, so no OSPF-5-ADJCHG syslog is generated.
B.The EEM applet must use 'event ospf' to capture OSPF network type mismatches.
C.The network type mismatch generates a syslog with pattern 'OSPF-4-ERRRCV', but the EEM applet is looking for 'OSPF-5-ADJCHG'.
D.The OSPF process must be restarted for the EEM applet to detect the mismatch.
AnswerA

Correct. The adjacency fails early, and the syslog for state change is not generated because FULL was never reached.

Why this answer

When OSPF network types mismatch, the adjacency may fail during the database exchange process, but the syslog message generated is often 'OSPF-4-ERRRCV' or 'OSPF-5-ADJCHG' depending on the specific failure. However, if the mismatch is between broadcast and point-to-point, the routers may not even form a neighbor relationship because they interpret Hello packets differently. In some IOS versions, the syslog message is not generated at all because the routers never reach the 2WAY state.

The EEM applet relies on the 'OSPF-5-ADJCHG' pattern, which is only generated when there is a state change from FULL to DOWN or vice versa. If the adjacency never progresses beyond INIT, no ADJCHG message is produced.

144
MCQeasy

A network engineer is troubleshooting a connectivity issue between two sites. R1 learns the prefix 10.0.0.0/8 via RIP (AD 120) from R2, and also via a directly connected interface on R3. The engineer notices that R1 uses the RIP route instead of the connected route. What is the most likely cause?

A.The connected interface on R3 has a higher metric than the RIP route.
B.The RIP route has an AD of 120, but the connected route is for a different subnet mask.
C.The distance rip 0 command was applied under RIP, making RIP routes have AD 0.
D.The connected interface is administratively down.
AnswerB

If the connected route is for 10.0.0.0/16 and the RIP route is for 10.0.0.0/8, they are different prefixes; the router will use the most specific match, but if the connected route is not for the exact prefix, RIP may be the only route.

Why this answer

Connected routes have an AD of 0, which is always preferred over any dynamic routing protocol. If the connected route is not used, it likely does not exist for that exact prefix, or the interface is down. However, if the prefix is learned via RIP with AD 120, the connected route should take precedence.

The only way RIP is preferred is if the connected route is not present for that prefix.

146
MCQhard

An engineer configures uRPF loose mode on an interface that is part of an IPv6 network with multiple equal-cost paths to the same destination via different interfaces. The router receives traffic from a source that is reachable via one of the paths, but the traffic arrives on a different interface. The traffic is dropped. Which is the most likely explanation?

A.The source address is a link-local address (fe80::), which is not installed in the global routing table, causing uRPF loose mode to drop the packet.
B.The router has 'ipv6 uRPF strict' configured instead of loose, but the show command indicates loose.
C.The equal-cost paths cause the routing table to have multiple entries, and uRPF loose mode requires a single best path.
D.The interface has an IPv6 ACL that denies the traffic before uRPF is applied.
AnswerA

Correct. Link-local addresses are not in the routing table, so uRPF loose mode drops them.

Why this answer

In uRPF loose mode, the router checks that the source address of an incoming packet has a matching entry in the routing table, but it does not require that the packet arrives on the interface used to reach that source. However, link-local addresses (fe80::/10) are not installed in the global IPv6 routing table; they are only reachable on the local link. Therefore, when a packet with a link-local source address arrives, uRPF loose mode finds no matching route and drops the packet, regardless of the interface.

Exam trap

Cisco often tests the distinction between uRPF strict and loose modes, but the trap here is that candidates forget link-local addresses are not in the global routing table, leading them to incorrectly attribute the drop to a mode mismatch or routing table issue.

How to eliminate wrong answers

Option B is wrong because if 'ipv6 uRPF strict' were configured, the packet would be dropped due to the interface mismatch, but the question states the show command indicates loose mode, so the configuration is correct. Option C is wrong because uRPF loose mode does not require a single best path; it only checks for the existence of any route to the source, and multiple equal-cost paths are perfectly valid. Option D is wrong because an IPv6 ACL would be applied before uRPF, but the question states the traffic is dropped due to uRPF, not an ACL; if an ACL were the cause, the drop would be attributed to the ACL, not uRPF.

147
Drag & Drophard

Drag and drop the steps to troubleshoot IPv6 First Hop Security adjacency or connectivity failures into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Start by checking basic connectivity with ping. Then examine the neighbor cache for incomplete entries. Verify if IPv6 snooping is enabled and inspect the binding table.

Check RA Guard and DHCPv6 Guard policies that may drop packets. Finally, use debug ipv6 snooping to capture packet drops.

148
MCQhard

An engineer configures an IPsec VPN between two routers using a transform-set with ESP encryption (AES 256) and ESP authentication (SHA-256). The engineer also applies an IPv4 ACL to define interesting traffic that matches all IP traffic. After configuration, the VPN tunnel comes up, but only ICMP traffic is encrypted; other traffic like HTTP is sent in clear text. What is the most likely explanation?

A.The ACL for interesting traffic only permits ICMP, so only ICMP is encrypted.
B.The transform-set does not support HTTP traffic due to port filtering.
C.The IPsec SA is only established for ICMP; other traffic requires a separate SA.
D.The router has a NAT rule that bypasses IPsec for HTTP traffic.
AnswerA

IPsec uses the ACL to determine which traffic to protect; if only ICMP is permitted, other traffic is not encrypted.

Why this answer

The most likely explanation is that the ACL for interesting traffic only permits ICMP, so only ICMP is encrypted. In Cisco IOS, the crypto map uses the ACL to identify which traffic should be protected by IPsec. If the ACL only matches ICMP (e.g., 'permit icmp any any'), then only ICMP packets trigger IPsec encryption; all other traffic, such as HTTP, is forwarded in clear text because it does not match the ACL and is therefore not subject to IPsec processing.

Exam trap

Cisco often tests the misconception that the transform-set or the IPsec SA itself filters traffic by port or protocol, when in reality the ACL is the sole mechanism for defining interesting traffic in a crypto map.

How to eliminate wrong answers

Option B is wrong because transform-sets define encryption and authentication algorithms (e.g., ESP with AES 256 and SHA-256) and do not perform port filtering; they apply to all traffic matched by the ACL. Option C is wrong because IPsec SAs are established per traffic selector (as defined by the ACL), but if the ACL only matches ICMP, only one SA is created for ICMP; other traffic like HTTP would not trigger a separate SA because it is not matched by the ACL. Option D is wrong because while a NAT rule could bypass IPsec, the question states the tunnel comes up and ICMP is encrypted, indicating IPsec is functioning; the most direct and common cause is a restrictive ACL, not a NAT misconfiguration.

149
Multi-Selectmedium

Which TWO configuration steps are required to enable TACACS+ authentication for device access control on a Cisco IOS router, assuming the TACACS+ server is already reachable? (Choose TWO.)

Select 2 answers
A.Configure the TACACS+ server with the 'tacacs server' command and specify the server IP and key.
B.Create an AAA authentication login method list using 'aaa authentication login default group tacacs+' to use TACACS+ as the primary method.
C.Configure 'aaa authorization exec default group tacacs+' to authorize user commands after authentication.
D.Use 'radius-server host' to define the authentication server.
E.Enable 'aaa new-model' to activate AAA services.
AnswersA, B

This is required to define the TACACS+ server for the router to communicate with.

Why this answer

Option A is correct because the 'tacacs server' command is required to define the TACACS+ server's IP address and the shared secret key, which is necessary for the router to communicate securely with the server. Option B is correct because 'aaa authentication login default group tacacs+' creates an authentication method list that tells the router to use TACACS+ as the primary method for login authentication, which is essential for device access control.

Exam trap

Cisco often tests the distinction between authentication (verifying identity) and authorization (granting permissions), so candidates mistakenly select authorization commands like 'aaa authorization exec' when the question explicitly asks for authentication steps.

150
MCQmedium

A network engineer is troubleshooting a routing issue in an EIGRP network. Router R1 is not learning a specific route from its neighbor R2, even though R2 has the route in its routing table. The engineer checks the EIGRP topology table on R1 and does not see the route. The output of 'show ip eigrp neighbors' shows that R1 and R2 are adjacent. What should the engineer check next?

A.Check if a distribute-list in or out is applied under the EIGRP process on R1.
B.Check if the route is being summarized on R2.
C.Check if the EIGRP metric for the route is too high.
D.Check if the route is a connected route on R2.
AnswerA

Correct because a distribute-list can filter incoming or outgoing routes, preventing them from being added to the topology table.

Why this answer

The correct answer is A because if R1 and R2 are EIGRP neighbors but R1 does not have the route in its topology table, a distribute-list applied inbound on R1 or outbound on R2 could be filtering the route. Distribute-lists use access-lists or prefix-lists to permit or deny routes during the update process, preventing specific routes from being installed in the topology table even though the neighbor adjacency is established.

Exam trap

Cisco often tests the distinction between a route being absent from the topology table versus being present but not selected as the best path; candidates may incorrectly assume metric issues or summarization when the real cause is a distribute-list filtering the route before it enters the topology table.

How to eliminate wrong answers

Option B is wrong because route summarization on R2 would cause R1 to see a summary route (possibly with a null0 next-hop) rather than the specific route, but the specific route would still appear in R2's routing table and R1 would see the summary in its topology table; the question states the route is not seen at all in R1's topology table. Option C is wrong because EIGRP does not have a maximum metric threshold that would cause a route to be hidden; a high metric would still result in the route being present in the topology table, though it might not be selected as the best path. Option D is wrong because whether the route is connected on R2 is irrelevant; EIGRP can redistribute connected routes, and if the route is in R2's routing table, it should be advertised to neighbors unless filtering is applied.

Page 1

Page 2 of 29

Page 3