Cisco CCNP ENARSI 300-410 (300-410) — Questions 14261500

2152 questions total · 29pages · All types, answers revealed

Page 19

Page 20 of 29

Page 21
1427
MCQeasy

A network engineer runs the following command on Router R1: R1# show bfd neighbors detail IPv4 Sessions NeighborAddr LD/RD Int State Holdown(mult) Intf 10.1.1.2 1/3 Gi0/0 Up 3000(3) Gi0/0 Session state is UP and not using echo function. OurAddr: 10.1.1.1 Handle: 1 Local Diag: 0, Demand mode: 0, Poll bit: 0 MinTxInt: 1000000, MinRxInt: 1000000, Multiplier: 3 Received MinRxInt: 1000000, Received Multiplier: 3 Holddown (hits): 3000(0) Rx Count: 100, Tx Count: 100 Based on this output, what is the BFD session's local discriminator?

A.The local discriminator is 1.
B.The local discriminator is 3.
C.The local discriminator is 10.1.1.1.
D.The local discriminator is 10.1.1.2.
AnswerA

The LD (Local Discriminator) is 1 as shown in the output.

Why this answer

The local discriminator is the LD value shown in the output. In this case, it is 1.

1428
MCQmedium

A network engineer runs the following command to troubleshoot a BGP Troubleshooting issue: R1# show bgp neighbors 10.1.1.2 advertised-routes BGP table version is 14, local router ID is 1.1.1.1 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path *> 10.0.0.0/24 0.0.0.0 0 32768 i *> 192.168.1.0/24 0.0.0.0 0 32768 i Total number of prefixes 2 What does this output indicate?

A.R1 is receiving two routes from neighbor 10.1.1.2.
B.R1 is advertising two routes to neighbor 10.1.1.2, both originated locally.
C.R1 is advertising two routes, but one is suppressed due to dampening.
D.R1 is advertising two routes, but the neighbor is not receiving them due to filtering.
AnswerB

The next hop 0.0.0.0 indicates local origin, and the output shows two prefixes.

Why this answer

The show bgp neighbors advertised-routes command shows routes that R1 is advertising to neighbor 10.1.1.2. The output lists two prefixes: 10.0.0.0/24 and 192.168.1.0/24. The next hop of 0.0.0.0 indicates these are locally originated routes (e.g., via network statement or redistribution).

1429
MCQhard

A network engineer is troubleshooting a redistribution issue between OSPF and EIGRP. Router R1 redistributes OSPF into EIGRP, and Router R2 redistributes EIGRP into OSPF. After configuration, some routes are missing, and routing loops occur. R1 has: router eigrp 100 redistribute ospf 1 metric 10000 100 255 1 1500 route-map OSPF-to-EIGRP. R2 has: router ospf 1 redistribute eigrp 100 subnets route-map EIGRP-to-OSPF. Show ip route on R1 shows an OSPF route 172.16.1.0/24 learned via R2, but also an EIGRP route for the same prefix with a better administrative distance. What is the root cause?

A.The route-map OSPF-to-EIGRP on R1 should include a match clause to filter out routes learned from R2 via OSPF, preventing feedback.
B.The redistribute command on R2 should have a metric-type 1 to avoid suboptimal routing.
C.The administrative distance of OSPF should be changed to 85 on R1 to prefer OSPF over EIGRP.
D.The EIGRP metric on R1 should be set to a higher value to make the redistributed route less preferred.
AnswerA

Adding a match route-map that tags routes from R2 and denies them, or using a tag-based filter, stops the redistribution loop.

Why this answer

The correct answer is A because the route-map OSPF-to-EIGRP on R1 is not filtering out the OSPF route 172.16.1.0/24 that was originally redistributed from EIGRP into OSPF by R2. This creates a routing feedback loop: R1 learns the prefix via OSPF (from R2) and then redistributes it back into EIGRP, causing R2 to see an EIGRP route with a better administrative distance (90 vs. 110) and prefer it, leading to missing routes and loops. The route-map should include a match clause to deny routes that were originally EIGRP (e.g., via a tag or prefix-list) to prevent mutual redistribution.

Exam trap

Cisco often tests the concept of mutual redistribution and route feedback loops, where candidates mistakenly focus on metric or administrative distance adjustments instead of recognizing that a route-map filter is required to break the redistribution cycle.

How to eliminate wrong answers

Option B is wrong because changing the metric-type to 1 on R2's redistribute command would affect the OSPF metric type (E1 vs. E2) but does not address the root cause of route feedback and administrative distance preference. Option C is wrong because modifying OSPF's administrative distance to 85 on R1 would make OSPF routes preferred over EIGRP (AD 90), but this only masks the symptom; the feedback loop would still exist, and routes could still be missing or cause instability.

Option D is wrong because increasing the EIGRP metric on R1's redistribute command would make the redistributed route less preferred within EIGRP, but the problem is that R1 is redistributing a route it learned via OSPF back into EIGRP, and the metric adjustment does not prevent the feedback loop.

1430
MCQhard

A network engineer is troubleshooting why the NMS cannot poll SNMP data from router R5. The router has 'snmp-server community cisco RO' configured. The NMS is on subnet 192.168.1.0/24, and the router has an ACL applied to the VTY lines that permits only 10.0.0.0/8. The NMS can ping the router. What is the most likely cause?

A.The engineer applied an ACL to the SNMP community that denies the NMS subnet, but the VTY ACL is unrelated.
B.The VTY ACL is blocking SNMP packets because SNMP uses TCP port 161.
C.The router needs the 'snmp-server ifindex persist' command to enable polling.
D.The NMS is using SNMPv3, but the router only has SNMPv2c configured.
AnswerA

Correct because the community string's ACL must permit the NMS; the VTY ACL does not affect SNMP.

Why this answer

The NMS can ping the router, confirming IP connectivity, but it cannot poll SNMP data. The VTY ACL only controls Telnet/SSH access to the router's VTY lines, not SNMP traffic, which uses UDP port 161. The most likely cause is that an ACL has been applied directly to the SNMP community string (via the `snmp-server community cisco RO <acl-number>` command) that denies the NMS subnet 192.168.1.0/24, blocking SNMP polling while leaving ping and VTY access unaffected.

Exam trap

Cisco often tests the misconception that VTY ACLs control all management plane traffic, including SNMP, when in fact VTY ACLs only apply to Telnet/SSH sessions, and SNMP is controlled by ACLs applied directly to the community string or via SNMP views.

How to eliminate wrong answers

Option B is wrong because SNMP uses UDP port 161 for polling (not TCP), and VTY ACLs only filter inbound Telnet/SSH sessions, not SNMP traffic. Option C is wrong because the `snmp-server ifindex persist` command is used to maintain interface index persistence across reboots for MIB stability, not to enable or disable SNMP polling. Option D is wrong because if the NMS were using SNMPv3 and the router only had SNMPv2c configured, the NMS would typically receive a 'noResponse' or authentication error, but the question states the router has `snmp-server community cisco RO` configured, which is an SNMPv2c community string; the NMS could still fall back to SNMPv2c, and this scenario does not explain why polling fails while ping succeeds.

1431
MCQmedium

Examine the following EIGRP configuration on Router R6: interface GigabitEthernet0/2 ip hello-interval eigrp 100 15 ip hold-time eigrp 100 45 What is the effect of these commands?

A.EIGRP will send hello packets every 15 seconds and wait 45 seconds before declaring a neighbor down.
B.EIGRP will send hello packets every 45 seconds and wait 15 seconds.
C.EIGRP will use the default hello interval of 5 seconds and hold time of 15 seconds.
D.EIGRP will not form neighbor adjacencies because the hold time is not a multiple of the hello interval.
AnswerA

The hello interval is set to 15 seconds, and hold time to 45 seconds.

Why this answer

The commands set a non-default hello interval of 15 seconds and a hold time of 45 seconds for EIGRP AS 100 on GigabitEthernet0/2. EIGRP uses the hello interval to determine how often it sends hello packets, and the hold time is the duration the router waits without receiving a hello before declaring the neighbor down. Option A correctly describes this behavior.

Exam trap

The trap here is that candidates often assume the hold time must be a multiple of the hello interval (e.g., 3x), but Cisco does not enforce this mathematically—only that the hold time is greater than the hello interval to avoid premature neighbor loss.

How to eliminate wrong answers

Option B is wrong because it reverses the values: the hello interval is 15 seconds, not 45, and the hold time is 45 seconds, not 15. Option C is wrong because the commands explicitly override the default hello interval (5 seconds on high-speed interfaces) and hold time (15 seconds) with the configured values. Option D is wrong because EIGRP does not require the hold time to be a multiple of the hello interval; the hold time must simply be greater than the hello interval to prevent flapping, and 45 is greater than 15, so adjacency can form.

1432
Drag & Dropmedium

Drag and drop the steps to troubleshoot IP SLA adjacency or connectivity failures into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Start by verifying the IP SLA operation state to see if it is active or failed, then check reachability to the target using extended ping with the same source, inspect the IP SLA configuration for errors, review access lists or routing that may block probes, and finally adjust parameters like threshold or timeout as needed.

1433
MCQhard

A network engineer configures EEM to monitor routing table changes on R1. R1 has: event manager applet ROUTE-MONITOR event syslog pattern "%ROUTING-5-ROUTECHANGE" action 1.0 cli command "enable" action 2.0 cli command "show ip route" action 3.0 syslog msg "Routing table changed". After a route update, the engineer notices that the applet runs but the show ip route output does not reflect the change. Router R2 shows: the route is present in the routing table. What is the root cause?

A.The syslog message is generated before the routing table is updated, so the show command shows the old table.
B.The syslog pattern is incorrect; it should be %ROUTING-5-ROUTECHANGED.
C.The routing protocol is not fully converged due to a hold-down timer.
D.The 'show ip route' command is not executed in privileged mode.
AnswerA

The applet executes before the routing table change is committed; a delay is needed.

Why this answer

The syslog message %ROUTING-5-ROUTECHANGE is generated before the routing table is fully updated. The EEM applet runs immediately, capturing the routing table before the change is applied. The correct fix is to add a delay using 'action wait' to allow the routing table to converge.

1434
MCQmedium

An engineer is troubleshooting an EIGRP issue where a router is not learning any routes from a neighbor, but the neighbor adjacency is up. The engineer checks the EIGRP topology table on the local router and sees that the neighbor is listed, but no routes from that neighbor are present. The engineer also verifies that the neighbor has routes to advertise. What is the most likely cause?

A.The neighbor is configured as an EIGRP stub router.
B.The local router has a distribute-list out applied to the neighbor.
C.The EIGRP metric weights are different on the two routers.
D.The local router has a route-map applied to the EIGRP process that is filtering all routes.
AnswerA

Correct because a stub router only advertises connected and summary routes by default, so if the neighbor has other routes, they will not be advertised.

Why this answer

When an EIGRP neighbor adjacency is up but no routes are received from the neighbor, the most likely cause is that the neighbor is configured as an EIGRP stub router. A stub router advertises only a default route or its directly connected and summary routes, depending on the stub setting, and does not advertise all learned routes. Since the engineer confirmed the neighbor has routes to advertise, the stub configuration on the neighbor would prevent those routes from being sent, even though the adjacency remains established.

Exam trap

Cisco often tests the distinction between conditions that prevent adjacency formation (like mismatched K values or AS numbers) versus conditions that allow adjacency but suppress route advertisement (like stub configuration), leading candidates to incorrectly select metric weight mismatches when the adjacency is already up.

How to eliminate wrong answers

Option B is wrong because a distribute-list out applied to the neighbor would filter routes on the local router before sending them, not affect routes received from the neighbor; the issue is about not learning routes, not about sending them. Option C is wrong because mismatched EIGRP metric weights (K values) prevent the neighbor adjacency from forming entirely, but the adjacency is up, so this cannot be the cause. Option D is wrong because a route-map applied to the EIGRP process on the local router would filter routes after they are received, but the topology table shows no routes from the neighbor at all, indicating the routes are not being advertised by the neighbor, not that they are being filtered inbound.

1435
MCQhard

DMVPN phase 2 network: spoke-to-spoke tunnels fail. Router Spoke1 has: tunnel source GigabitEthernet0/0, tunnel mode gre multipoint, ip nhrp network-id 1, ip nhrp nhs 10.0.0.1. Router Spoke2 shows: show dmvpn includes Spoke1 in NHRP cache but no spoke-to-spoke tunnel. What is the root cause?

A.Spoke1 and Spoke2 have different NHRP network IDs.
B.The hub is not configured with ip nhrp redirect, preventing shortcut initiation.
C.Spoke1 has a firewall blocking GRE traffic.
D.The tunnel mode should be point-to-point for spoke-to-spoke.
AnswerB

Without redirect, spokes do not learn each other's real IPs for direct tunnels.

Why this answer

In a DMVPN Phase 2 network, spoke-to-spoke tunnels require the hub to send NHRP redirect messages to inform spokes of the shortcut path. Without the 'ip nhrp redirect' command on the hub, spokes will not attempt to build direct tunnels, even if they have each other's NHRP cache entries. This is the root cause because Spoke1 and Spoke2 can see each other in the NHRP cache but lack the trigger to initiate the spoke-to-spoke GRE tunnel.

Exam trap

Cisco often tests the distinction between NHRP cache entries (which indicate registration and mapping) and the actual tunnel establishment, which requires additional mechanisms like NHRP redirect in Phase 2 or NHRP shortcut switching in Phase 3.

How to eliminate wrong answers

Option A is wrong because different NHRP network IDs would prevent the spokes from registering with the hub and appearing in each other's NHRP cache, but the scenario states Spoke1 is in the NHRP cache of Spoke2, so the network IDs must match. Option C is wrong because a firewall blocking GRE traffic would prevent any tunnel establishment, including the hub-to-spoke tunnels, but the scenario indicates that spoke-to-hub tunnels are working (since NHRP registration succeeded). Option D is wrong because DMVPN Phase 2 requires multipoint GRE (mGRE) on spokes to support multiple tunnel endpoints; point-to-point tunnels would only allow a single destination and break the DMVPN architecture.

1436
MCQhard

An engineer configures Control Plane Policing (CoPP) on a router to protect the control plane. After applying the policy, OSPF adjacencies go down. The policy includes a class that matches OSPF traffic with a police rate of 1000 pps. Which is the most likely explanation?

A.The OSPF traffic is matched by class-default, which has a low police rate or is set to drop, causing hello packets to be dropped.
B.The police rate of 1000 pps is too low for OSPF hello packets.
C.CoPP only applies to management traffic, not routing protocols.
D.The OSPF process is not configured to use the control plane policy.
AnswerA

If OSPF is not explicitly matched in a higher class, it falls to class-default, which may have a restrictive policy.

Why this answer

Option A is correct because when CoPP is applied, any traffic not explicitly matched by a user-defined class falls into class-default. If class-default has a low police rate or is configured to drop packets, OSPF hello packets (which are critical for adjacency maintenance) will be dropped, causing OSPF adjacencies to go down. The OSPF traffic is likely not being matched by the intended class due to incorrect classification or ordering, leaving it to be processed by class-default.

Exam trap

Cisco often tests the misconception that CoPP only affects management traffic, but the trap here is that class-default can inadvertently drop critical routing protocol packets if not properly configured, leading to adjacency loss.

How to eliminate wrong answers

Option B is wrong because a police rate of 1000 pps is generally more than sufficient for OSPF hello packets, which are small and sent every 10 seconds (default) or 30 seconds on broadcast networks; the issue is not the rate but the misclassification. Option C is wrong because CoPP is explicitly designed to protect the control plane by policing all traffic destined to the router, including routing protocol traffic like OSPF, not just management traffic (e.g., SSH, SNMP). Option D is wrong because CoPP is applied globally via the 'control-plane' configuration and does not require per-protocol configuration; OSPF automatically uses the control plane for packet processing.

1437
MCQhard

A large enterprise network is experiencing intermittent BGP session resets between R1 and R2. R1 has the following relevant configuration: event manager applet BGP-MONITOR event syslog pattern "%BGP-3-NOTIFICATION" action 1.0 cli command "enable" action 2.0 cli command "clear ip bgp *" action 3.0 syslog msg "BGP session cleared by EEM". Router R2 shows: BGP neighbor 10.1.1.1 has been up for 0:00:05, state Established. What is the root cause?

A.The EEM applet is triggered by the BGP notification and clears all BGP sessions, causing a reset loop.
B.The BGP keepalive timer is set too low on R1.
C.The syslog pattern is incorrect and matches unrelated messages.
D.There is an MTU mismatch between R1 and R2.
AnswerA

The applet clears all BGP sessions upon any BGP notification, which exacerbates the issue.

Why this answer

The EEM applet triggers on any BGP notification syslog and then executes a clear ip bgp * command, which resets all BGP sessions. This creates a loop: a BGP notification causes a clear, which causes more notifications, leading to persistent flapping. The correct fix is to make the applet more specific or avoid clearing all sessions.

1438
MCQhard

An engineer configures mutual redistribution between OSPF and EIGRP on a router. Both protocols have routes for the same prefix. The engineer also applies an inbound ACL on the OSPF interface to deny certain routes from being learned via OSPF. After the ACL is applied, the router still has the prefix in the routing table, but it is learned via EIGRP instead of OSPF. What is the most likely explanation?

A.The ACL blocks OSPF updates, so the router learns the prefix via EIGRP with a lower AD.
B.The ACL is applied outbound, so it filters OSPF routes being sent to the neighbor.
C.The router has a static route for the prefix with AD 1.
D.The OSPF process has a distribute-list that is filtering the route.
AnswerA

The ACL prevents OSPF from learning the route, but redistribution allows EIGRP to carry it, and EIGRP's lower AD makes it the best path.

Why this answer

Option A is correct because the inbound ACL on the OSPF interface blocks the OSPF-learned route from being installed in the routing table. Since mutual redistribution is configured, the same prefix is also learned via EIGRP. EIGRP has a default administrative distance (AD) of 90 for internal routes, which is lower than OSPF's AD of 110.

Therefore, the router selects the EIGRP route as the best path, and the prefix remains in the routing table but now points to the EIGRP next hop.

Exam trap

Cisco often tests the distinction between filtering routing updates via an interface ACL (which blocks the entire OSPF packet, preventing route learning) versus using a distribute-list (which filters specific routes within the routing process), leading candidates to confuse the two mechanisms.

How to eliminate wrong answers

Option B is wrong because the question explicitly states the ACL is applied inbound on the OSPF interface, not outbound; an outbound ACL would filter routes being sent to a neighbor, not affect routes received by the local router. Option C is wrong because a static route with AD 1 would always be preferred over both OSPF (AD 110) and EIGRP (AD 90), but the scenario describes the prefix being learned via EIGRP, not a static route; there is no mention of a static route being configured. Option D is wrong because a distribute-list under the OSPF process could filter the route, but the question states the ACL is applied directly on the OSPF interface, not as a distribute-list; a distribute-list is a separate filtering mechanism that operates on routing updates within the OSPF process, not on the interface itself.

1439
MCQmedium

A network engineer runs the following command on Router R1: R1# show ip ospf database external 10.1.1.0 OSPF Router with ID (1.1.1.1) (Process ID 1) Type-5 AS External Link States (Area 0) LS age: 120 Options: (No TOS-capability, DC) LS Type: AS External Link Link State ID: 10.1.1.0 (External Network Number) Advertising Router: 2.2.2.2 LS Seq Number: 80000001 Checksum: 0x1234 Length: 36 Network Mask: /24 Metric Type: 2 (Larger than any link state path) TOS: 0 Metric: 20 Forward Address: 0.0.0.0 External Route Tag: 100 Based on this output, which statement is correct?

A.The route 10.1.1.0/24 is redistributed into OSPF from another protocol with a route-map setting the tag to 100.
B.The route 10.1.1.0/24 is an OSPF inter-area route from area 0.
C.The metric of 20 indicates the route is redistributed with a default metric of 20, which is correct for Type 1 external routes.
D.The forward address of 0.0.0.0 indicates that the next hop is the advertising router 2.2.2.2.
AnswerA

The External Route Tag of 100 is a common indicator that a route-map was used during redistribution to set the tag.

Why this answer

The output shows an OSPF Type-5 external LSA for 10.1.1.0/24 with Metric Type 2 and Metric 20. The default metric for redistributed routes in OSPF is 20 for Type 2. The External Route Tag of 100 indicates a redistribution tag, often used for filtering or route-maps.

1440
Multi-Selecthard

Which THREE commands are used to troubleshoot and verify device access control when using TACACS+ authentication on a Cisco IOS router? (Choose THREE.)

Select 3 answers
A.debug tacacs
B.show tacacs
C.test aaa group tacacs+ <username> <password>
D.debug radius authentication
E.show aaa method-list
AnswersA, B, C

This command provides detailed debugging of TACACS+ authentication and authorization packets.

Why this answer

Option A is correct because the 'debug tacacs' command enables real-time logging of TACACS+ authentication, authorization, and accounting transactions, allowing you to observe the exact packets exchanged between the router and the TACACS+ server, including authentication failures or successes. Option B is correct because 'show tacacs' displays the current TACACS+ server statistics, including the number of successful and failed authentication attempts, server status, and the number of pending requests, which is essential for verifying connectivity and performance. Option C is correct because 'test aaa group tacacs+ <username> <password>' directly tests the TACACS+ authentication process by sending a simulated authentication request to the configured TACACS+ server group, confirming whether the server is reachable and the credentials are valid.

Exam trap

Cisco often tests the distinction between TACACS+ and RADIUS troubleshooting commands, so the trap here is that candidates may confuse 'debug radius authentication' (Option D) as applicable to TACACS+ or assume that 'show aaa method-list' (Option E) is a valid command for verifying TACACS+ server status, when in fact it does not exist and the correct command is 'show aaa method-lists'.

1441
MCQeasy

A network engineer runs the following command to troubleshoot an IPv4 Access Control Lists issue: R1# show ip interface GigabitEthernet0/1 | include access list Outgoing access list is 140 Inbound access list is not set Then the engineer runs: R1# show ip access-lists 140 Extended IP access list 140 10 deny icmp any any 20 permit ip any any What does this output indicate?

A.ACL 140 is applied outbound on GigabitEthernet0/1, denying ICMP and permitting all other traffic.
B.ACL 140 is applied inbound on GigabitEthernet0/1, blocking ICMP.
C.ACL 140 is not applied to any interface.
D.ACL 140 is applied both inbound and outbound.
AnswerA

The output shows the ACL and its entries.

Why this answer

The output of 'show ip interface GigabitEthernet0/1 | include access list' shows 'Outgoing access list is 140', confirming ACL 140 is applied outbound on that interface. The ACL contains two entries: 'deny icmp any any' (sequence 10) and 'permit ip any any' (sequence 20). Access control lists are processed top-down, so for any outgoing traffic, the first matching entry determines the action.

ICMP traffic matches the deny icmp entry first and is therefore blocked. All other IP traffic does not match the first entry but matches the permit ip any any and is permitted. Thus, ACL 140 denies ICMP and permits all other IP traffic outbound.

Exam trap

Cisco often tests the misconception that 'permit ip any any' overrides all previous deny statements, but in reality, ACLs are processed top-down and the first matching entry determines the action, so the deny icmp entry still blocks ICMP despite the later permit all.

How to eliminate wrong answers

Option B is wrong because the 'show ip interface' output explicitly states 'Inbound access list is not set', so ACL 140 is not applied inbound. Option C is wrong because the output shows 'Outgoing access list is 140', confirming the ACL is applied outbound on the interface. Option D is wrong because the output shows only an outbound ACL; there is no inbound ACL applied, so it is not applied both inbound and outbound.

1442
MCQmedium

A network engineer runs the following command to troubleshoot an ERSPAN issue: R1# show monitor session 3 detail Session 3 --------- Type : ERSPAN Source Session Source Ports : Both : Gi0/0 Destination IP : 10.1.1.1 ERSPAN ID : 100 What does this output indicate?

A.The session is correctly configured as an ERSPAN source session.
B.The session is misconfigured because the destination must be a VLAN, not an IP.
C.The session is misconfigured because the source port must be a VLAN.
D.The session is misconfigured because the ERSPAN ID must match on both source and destination.
AnswerA

The output confirms an ERSPAN source session with a destination IP and ERSPAN ID.

Why this answer

The output shows an ERSPAN source session with source port Gi0/0, destination IP 10.1.1.1, and ERSPAN ID 100. This is the source side of an ERSPAN configuration.

1443
MCQmedium

Examine the following EEM applet configuration: !--- event manager applet BACKUP_CONFIG event timer watchdog time 86400 action 1.0 cli command "enable" action 2.0 cli command "copy running-config tftp://192.168.1.100/backup.cfg" !--- What is the effect of this configuration?

A.The applet will copy the running configuration to the TFTP server every 24 hours.
B.The applet will copy the startup configuration instead of the running configuration.
C.The applet will fail because the TFTP server IP address is not reachable.
D.The applet will only trigger once because the watchdog timer is a one-shot timer.
AnswerA

Correct. The watchdog timer triggers the applet every 86400 seconds, and the CLI command copies the running config to the TFTP server.

Why this answer

The applet uses a watchdog timer event that triggers every 86400 seconds (24 hours). When triggered, it copies the running configuration to a TFTP server. This is a valid configuration for periodic backup.

1444
MCQhard

In Flexible NetFlow, what is the default 'collect counter bytes' setting for a flow record?

A.Byte counters are collected by default.
B.Byte counters are never collected in Flexible NetFlow.
C.Byte counters are collected only if the flow monitor includes the 'collect counter bytes' command.
D.Byte counters are collected by default only for IPv6 flows.
AnswerC

Correct. Byte counters require explicit configuration.

Why this answer

By default, byte counters are not collected unless explicitly configured with 'collect counter bytes' in the flow record.

1445
Multi-Selecthard

Which TWO statements about the 'show policy-map control-plane' command output are true? (Choose TWO.)

Select 2 answers
A.The output displays the number of packets that matched each class in the CoPP policy.
B.The output includes the number of packets dropped by each class due to policing.
C.The output shows the routing table entries that are affected by the CoPP policy.
D.The output displays the CoPP policy applied to each physical interface.
E.The output includes the ARP cache entries that are protected by CoPP.
AnswersA, B

Correct. The command shows per-class packet and byte counters for matched traffic.

Why this answer

Option A is correct because the 'show policy-map control-plane' command output displays per-class packet statistics, including the number of packets that matched each class in the Control Plane Policing (CoPP) policy. This allows administrators to verify which traffic types are being classified and how much traffic is hitting the control plane.

Exam trap

Cisco often tests the distinction between CoPP (control plane-wide policy) and per-interface QoS policies, leading candidates to incorrectly assume that 'show policy-map control-plane' shows interface-level details.

1446
MCQmedium

Router R6 has the following DHCPv6 configuration: ipv6 dhcp pool DHCP6_POOL3 address prefix 2001:db8:3::/64 lifetime 3600 600 dns-server 2001:db8::1 ! interface GigabitEthernet0/2 ipv6 address 2001:db8:3::1/64 ipv6 dhcp server DHCP6_POOL3 ipv6 nd managed-config-flag no shutdown What is the effect of the lifetime parameters 3600 and 600?

A.The preferred lifetime is 3600 seconds and the valid lifetime is 600 seconds, which is invalid because the valid lifetime must be greater than or equal to the preferred lifetime.
B.The preferred lifetime is 600 seconds and the valid lifetime is 3600 seconds, which is a typical configuration.
C.The lifetimes are applied to the DNS server address, not the address prefix.
D.The configuration is valid and will work as expected.
AnswerA

Per RFC 4862, the valid lifetime must be greater than or equal to the preferred lifetime. A shorter valid lifetime is not allowed and will cause a configuration error.

Why this answer

Option A is correct because in the `ipv6 dhcp pool` configuration, the `lifetime` command specifies the preferred lifetime first (3600 seconds) and the valid lifetime second (600 seconds). According to RFC 4862, the valid lifetime must be greater than or equal to the preferred lifetime; otherwise, the configuration is invalid and will be rejected by the router. This mismatch causes the DHCPv6 pool to fail to apply the prefix.

Exam trap

The trap here is that Cisco tests whether candidates know the correct order of the preferred and valid lifetime parameters in the `lifetime` command, as many mistakenly assume the valid lifetime comes first or that the router will accept an invalid lifetime relationship.

How to eliminate wrong answers

Option B is wrong because it reverses the order of the lifetimes: the preferred lifetime is 3600 seconds (first value) and the valid lifetime is 600 seconds (second value), not the other way around. Option C is wrong because the `lifetime` command applies exclusively to the address prefix defined in the pool, not to the DNS server address; DNS server lifetimes are not configurable in this context. Option D is wrong because the configuration is invalid due to the valid lifetime being shorter than the preferred lifetime, so the router will not accept it and the DHCPv6 pool will not function as expected.

1447
MCQeasy

An engineer is troubleshooting an EIGRP issue where a router is not learning a specific route from a neighbor, but other routes from the same neighbor are being learned. The engineer checks the EIGRP topology table and sees that the route is not present. The engineer also checks the neighbor's routing table and confirms that the route exists. What is the most likely cause?

A.A distribute-list in is applied on the local router that filters the specific route.
B.The neighbor is configured as a stub router.
C.The route is a summary route that is being suppressed by the 'summary-address' command.
D.The EIGRP metric for the route is too high, so it is not considered feasible.
AnswerA

Correct because a distribute-list can filter specific routes based on prefix or other criteria.

Why this answer

A distribute-list in applied on the local router can filter specific incoming routes from an EIGRP neighbor while allowing others. Since the neighbor has the route in its routing table and other routes from the same neighbor are learned, the most likely cause is an inbound filter that explicitly denies that particular prefix.

Exam trap

Cisco often tests the distinction between inbound and outbound filtering, and candidates may mistakenly think a stub router or metric issue causes selective route absence, but only a distribute-list in can filter a single route from an otherwise fully functional neighbor relationship.

How to eliminate wrong answers

Option B is wrong because a stub router advertises only a default route or connected/summary routes, but the neighbor still has the specific route in its routing table, so stub configuration would not cause selective filtering of one route. Option C is wrong because a summary route suppressed by the 'summary-address' command would affect the advertisement from the local router, not the learning of a specific route from a neighbor. Option D is wrong because EIGRP metric values do not prevent a route from being learned; if the route is not feasible due to metric, it would appear in the topology table as an active or stuck-in-active state, not be completely absent.

1448
MCQhard

An engineer enables 'ipv6 destination guard' on a switch to prevent IPv6 address spoofing. After configuration, a legitimate host on a port is unable to receive traffic from the network, although it can send traffic. The host has a global unicast address. The switch logs show that destination guard is dropping packets destined to that host. What is the most likely cause?

A.The host uses IPv6 privacy extensions and changes its address frequently, but the binding table only has the original address.
B.Destination Guard blocks all global unicast addresses by default.
C.The switch port is not configured as 'trusted' for destination guard.
D.The host is using a link-local address, which destination guard does not support.
AnswerA

Destination Guard relies on static bindings; privacy addresses are not learned.

Why this answer

Option A is correct because IPv6 destination guard relies on the IPv6 neighbor discovery (ND) binding table to validate destination addresses. If the host uses IPv6 privacy extensions (RFC 4941), it generates temporary addresses that change frequently. The binding table only contains the original address learned from the initial ND exchange, so packets destined to the new temporary address are dropped as spoofed, even though the traffic is legitimate.

Exam trap

Cisco often tests the interaction between IPv6 first-hop security features and privacy extensions, where candidates mistakenly think the issue is a trust configuration or address type rather than the dynamic nature of temporary addresses in the binding table.

How to eliminate wrong answers

Option B is wrong because destination guard does not block all global unicast addresses by default; it only blocks addresses that are not in the binding table. Option C is wrong because the 'trusted' port configuration is used for IPv6 source guard or RA guard, not for destination guard; destination guard uses the binding table regardless of trust state. Option D is wrong because destination guard fully supports link-local addresses; the issue described involves a global unicast address, and the host can send traffic, which indicates link-local communication is working.

1449
MCQmedium

A network engineer runs the following command on Router R1: R1# show ip bgp neighbors 192.168.1.2 BGP neighbor is 192.168.1.2, remote AS 65001, external link BGP version 4, remote router ID 10.2.2.2 BGP state = Established, up for 00:15:00 Last read 00:00:05, hold time is 180, keepalive interval is 60 seconds Neighbor sessions: 1 active, is multisession capable Neighbor capabilities: Route refresh: advertised and received(new) Four-octets ASN: advertised and received Address family IPv4 Unicast: advertised and received Enhanced Refresh: advertised Message statistics: InQ depth is 0 OutQ depth is 0 Sent Rcvd Opens: 1 1 Notifications: 0 0 Updates: 10 5 Keepalives: 15 15 Route Refresh: 0 0 Total: 26 21 Default minimum time between advertisement runs is 30 seconds For address family: IPv4 Unicast Session: 192.168.1.2 BGP table version 14, neighbor version 14/0 Output queue size : 0 Index 1, Advertise bit 0 1 update-group member Incoming update prefix filter list: FILTER_IN Outgoing update prefix filter list: FILTER_OUT Sent Rcvd Prefixes: 2 2 Updates: 10 5 Based on this output, what is the effect of the prefix lists?

A.The prefix lists FILTER_IN and FILTER_OUT are allowing only 2 prefixes in each direction.
B.The prefix lists are blocking all prefixes.
C.The prefix lists are not applied because the session is established.
D.The prefix lists are misconfigured and causing route flapping.
AnswerA

The counters show 2 prefixes sent and received, matching the filter lists.

Why this answer

The output shows that incoming and outgoing prefix filters (FILTER_IN and FILTER_OUT) are applied. The prefixes sent and received are both 2, indicating that the filters are allowing exactly 2 prefixes in each direction. The correct answer is that the prefix lists are filtering routes to only 2 prefixes.

1450
MCQhard

What is the default behavior of BGP synchronization in Cisco IOS-XE?

A.Enabled by default
B.Disabled by default
C.Enabled only for iBGP
D.Disabled only for eBGP
AnswerB

Correct. BGP synchronization is off by default.

Why this answer

BGP synchronization is disabled by default in IOS-XE; routes can be advertised without being in the IGP.

1451
MCQmedium

A network engineer runs the following command to troubleshoot a SPAN issue: R1# debug monitor session 1 *Mar 1 00:00:01.123: MONITOR: Session 1: Packet captured on Gi0/0, forwarded to Gi0/1 *Mar 1 00:00:02.456: MONITOR: Session 1: Packet captured on Gi0/0, forwarded to Gi0/1 What does this output indicate?

A.The SPAN session is correctly forwarding packets from Gi0/0 to Gi0/1.
B.The SPAN session is misconfigured because packets should not be forwarded.
C.The SPAN session is misconfigured because the debug output shows errors.
D.The SPAN session is misconfigured because the destination port is not specified.
AnswerA

The debug output confirms successful packet forwarding.

Why this answer

The debug output shows that packets captured on source port Gi0/0 are being forwarded to destination port Gi0/1 for session 1. This indicates that the SPAN session is operational.

1452
Drag & Dropmedium

Drag and drop the steps to configure a GRE tunnel for IPv6 over IPv4 into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

The correct order follows the standard GRE tunnel configuration workflow for IPv6 over IPv4: first create the tunnel interface with 'interface tunnel0', then assign an IPv6 address to the tunnel, set the tunnel source, set the tunnel destination. Note that option E is incorrect because the correct command for IPv6 over IPv4 is 'tunnel mode gre ip', not 'tunnel mode gre ipv6'. Therefore, the correct steps are A, B, C, D only.

1453
MCQmedium

A network engineer is troubleshooting a router that is experiencing high CPU utilization. The engineer checks the process list and sees that the 'EEM Server' process is consuming a significant amount of CPU. The engineer reviews the EEM configuration and finds multiple applets that are triggered by syslog events. What should the engineer do first to reduce CPU utilization?

A.Disable all EEM applets.
B.Use the 'show event manager statistics' command to see which applets are triggered most often.
C.Increase the router's CPU priority for the EEM process.
D.Change the syslog trigger to use a less frequent pattern.
AnswerB

Correct because this command provides per-applet trigger counts, helping pinpoint the culprit.

Why this answer

High CPU from EEM is often due to excessive syslog triggers. The engineer should first identify which applets are being triggered most frequently and either optimize their conditions or reduce the number of applets.

1454
MCQeasy

What is the default OSPF network type for a tunnel interface configured with 'tunnel mode gre multipoint'?

A.Broadcast
B.Point-to-multipoint
C.Point-to-point
D.Non-broadcast
AnswerA

The default OSPF network type for multipoint GRE tunnels is broadcast.

Why this answer

By default, a multipoint GRE tunnel interface uses the broadcast network type, which requires DR/BDR elections.

1455
MCQeasy

A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue: R1# show crypto engine connections active Crypto Engine Connections ID Type Algorithm Encrypt Decrypt LastSeqNo 1 IPsec ESP-3DES+SHA 0 0 0 2 IPsec ESP-3DES+SHA 0 0 0 3 IPsec ESP-AES+SHA 0 0 0 What does this output indicate?

A.The IPsec VPN is actively encrypting and decrypting traffic.
B.The IPsec SAs are established but no traffic is flowing, possibly due to routing or ACL issues.
C.The crypto engine is overloaded and cannot process packets.
D.The IPsec SAs are using the wrong transform set.
AnswerB

Zero packets suggest the SAs are idle; the issue is likely with traffic matching the crypto ACL or routing.

Why this answer

The output shows three IPsec Security Associations (SAs) with zero encrypted and zero decrypted packets, and a LastSeqNo of 0. This indicates the SAs are established (the tunnels are up) but no traffic is being processed through them. The most common causes are routing issues preventing traffic from reaching the tunnel interface, or ACLs that do not match the interesting traffic for encryption.

Exam trap

Cisco often tests the misconception that a non-zero number of SAs in 'show crypto engine connections active' automatically means traffic is flowing, when in fact the Encrypt/Decrypt counters must be checked to confirm actual data processing.

How to eliminate wrong answers

Option A is wrong because the Encrypt and Decrypt counters are both 0, which means no traffic is being encrypted or decrypted; active encryption would show non-zero counts. Option C is wrong because the crypto engine is not overloaded; an overloaded engine would typically show high packet counts or errors, not all zeros. Option D is wrong because the output does not indicate a transform set mismatch; mismatched transform sets would prevent SA establishment entirely, but here the SAs are listed (ID 1, 2, 3), meaning Phase 2 negotiation succeeded.

1456
Multi-Selectmedium

Which TWO commands verify the operational status of a local SPAN session on a Cisco IOS-XE switch? (Choose TWO.)

Select 2 answers
A.show monitor session 1
B.show monitor
C.show spanning-tree
D.show interfaces
E.show vlan
AnswersA, B

Displays detailed information about a specific SPAN session, including source, destination, and operational status.

Why this answer

The 'show monitor session 1' command displays details of a specific SPAN session, including source and destination interfaces and operational state. The 'show monitor' command lists all configured SPAN sessions and their status. 'show spanning-tree' is unrelated, 'show interfaces' does not show SPAN status, and 'show vlan' is for VLAN information.

1457
MCQmedium

A network engineer runs the following command to troubleshoot a Policy-Based Routing (PBR) issue: R1# show route-map PBR-MAP route-map PBR-MAP, permit, sequence 10 Match clauses: ip address (access-lists): 101 Set clauses: ip next-hop 10.1.1.2 ip next-hop verify-availability Policy routing matches: 0 packets, 0 bytes What does this output indicate?

A.The route-map is correctly configured but no traffic has matched it yet.
B.The next-hop 10.1.1.2 is unreachable, causing PBR to fail.
C.The access-list 101 is misconfigured and blocking all traffic.
D.The verify-availability feature is preventing any matches.
AnswerA

The packet counter shows 0 matches, so no packets have triggered PBR.

Why this answer

The output shows that the route-map PBR-MAP has a match clause referencing access-list 101 and a set clause with next-hop 10.1.1.2 and next-hop verify-availability. The packet counter is 0, meaning no packets have been policy-routed yet.

1458
MCQeasy

What is the default OSPF reference bandwidth used in the cost calculation formula on Cisco IOS?

A.10 Mbps
B.100 Mbps
C.1000 Mbps
D.1 Gbps
AnswerB

Cisco IOS uses 100 Mbps as the reference bandwidth by default.

Why this answer

The default reference bandwidth is 100 Mbps, meaning the cost is calculated as 100,000,000 / interface bandwidth in bps.

1459
MCQhard

A network uses Control Plane Policing (CoPP) to protect the router. Router R1 has CoPP policy applied that rate-limits all traffic to 1 Mbps. R1 shows: 'show policy-map control-plane' indicates drops for EIGRP packets. R1's EIGRP neighbor R2 is flapping. What is the root cause?

A.The CoPP policy rate-limits EIGRP packets to 1 Mbps, but EIGRP hellos are small and frequent; the rate-limit may still drop them if the policer is not properly configured for burst.
B.R2 is sending too many EIGRP packets, exceeding the rate-limit.
C.R1 has an ACL that blocks EIGRP packets before they reach the control plane.
D.The CoPP policy is applied to the wrong interface.
AnswerA

Even small packets can be dropped if the policer uses a strict rate without adequate burst size.

Why this answer

EIGRP hello packets are small and sent frequently (every 5 seconds on most LAN interfaces by default). A CoPP policer that rate-limits all traffic to 1 Mbps without an adequate burst parameter will treat the burst of small hello packets as exceeding the committed burst (Bc), causing drops. These drops prevent EIGRP neighbor keepalives from reaching the control plane, leading to neighbor flapping.

The root cause is not the total bandwidth but the policer's inability to accommodate the packet-per-second (PPS) burst of small EIGRP hellos.

Exam trap

Cisco often tests the misconception that CoPP drops are caused by exceeding the bandwidth rate-limit, when in reality the trap is that small, frequent control-plane packets (like EIGRP hellos) are dropped due to an insufficient burst size, not the overall traffic rate.

How to eliminate wrong answers

Option B is wrong because EIGRP packets, especially hellos, are very small (typically 40-60 bytes) and the total bandwidth used by EIGRP is far below 1 Mbps; the issue is not the volume of traffic but the burst characteristic. Option C is wrong because the question states that drops are shown for EIGRP packets in the CoPP policy, not that packets are blocked by an ACL before reaching the control plane; an ACL would cause drops at the interface level, not within the CoPP policy-map counters. Option D is wrong because CoPP is applied globally to the control plane, not to a specific interface; the 'show policy-map control-plane' output confirms the policy is correctly applied to the control plane itself.

1460
MCQhard

A network engineer is troubleshooting a router that is generating excessive syslog messages, filling up the local logging buffer and causing performance issues. The engineer wants to reduce the volume of messages sent to the remote syslog server while still capturing critical alerts locally. The current configuration includes 'logging buffered 4096 debugging' and 'logging host 10.1.1.100'. What is the best approach?

A.Change 'logging buffered 4096 debugging' to 'logging buffered 4096 errors' to reduce local messages.
B.Configure 'logging trap errors' under the logging host configuration to limit remote messages to severity 3 and above.
C.Remove the 'logging buffered' command to stop all local logging.
D.Add 'logging rate-limit 10' to limit the number of messages per second.
AnswerB

Correct because 'logging trap errors' sets the remote syslog threshold to severity 3 (errors), reducing volume while keeping local debugging intact.

Why this answer

Option B is correct because the 'logging trap errors' command limits the severity of syslog messages sent to the remote syslog server (10.1.1.100) to level 3 (errors) and above, reducing the volume of remote messages while leaving the local 'logging buffered 4096 debugging' unchanged to capture critical alerts locally. This directly addresses the requirement to reduce remote syslog traffic without affecting local logging of critical alerts.

Exam trap

Cisco often tests the distinction between 'logging buffered' (local logging) and 'logging trap' (remote logging severity), and the trap here is that candidates may confuse which command controls local vs. remote syslog filtering, leading them to incorrectly modify the local buffer command (Option A) instead of the remote trap level.

How to eliminate wrong answers

Option A is wrong because changing 'logging buffered 4096 debugging' to 'logging buffered 4096 errors' would reduce local messages to severity 3 and above, which contradicts the requirement to capture critical alerts locally (the engineer wants to keep local logging for critical alerts, not reduce it). Option C is wrong because removing the 'logging buffered' command would stop all local logging entirely, which is not the goal—the engineer wants to keep capturing critical alerts locally. Option D is wrong because 'logging rate-limit 10' limits the rate of syslog messages per second globally (both local and remote), which could suppress critical alerts and does not specifically target remote syslog traffic reduction.

1461
MCQmedium

A network engineer runs the following command on Router R1: R1# show route-map TEST route-map TEST, permit, sequence 10 Match clauses: ip address (access-lists): 100 Set clauses: metric 50 Policy routing matches: 0 packets, 0 bytes route-map TEST, deny, sequence 20 Match clauses: ip address (access-lists): 101 Set clauses: Policy routing matches: 0 packets, 0 bytes Based on this output, which statement is correct?

A.The route-map is applied to an interface but no traffic has matched it yet.
B.The route-map is misconfigured because sequence 20 does not have a set clause.
C.The route-map will set the metric to 50 for all packets.
D.The route-map is applied globally and is affecting all routing decisions.
AnswerA

The 'Policy routing matches: 0 packets' indicates that the route-map is configured but has not yet been used to route any packets.

Why this answer

The output shows 'Policy routing matches: 0 packets, 0 bytes' for both sequences, which indicates the route-map has been applied to an interface (for policy-based routing) but no traffic has matched any of the match clauses yet. This is the only conclusion that can be drawn from the provided data.

Exam trap

Cisco often tests the distinction between route-maps used for policy-based routing (which show 'Policy routing matches' counters) versus those used for redistribution or routing protocol filtering (which do not show those counters), leading candidates to incorrectly assume a route-map is globally applied.

How to eliminate wrong answers

Option B is wrong because a set clause is not required in a deny sequence; the deny action itself is sufficient to reject matching traffic, and the set clause is irrelevant. Option C is wrong because the route-map only sets the metric to 50 for packets that match access-list 100 in sequence 10, not for all packets; packets matching sequence 20 (deny) or not matching any sequence will not have their metric set. Option D is wrong because the output shows 'Policy routing matches' which is specific to policy-based routing applied on an interface, not a global routing process; route-maps used globally (e.g., with redistribute or route-map in BGP) would not display 'Policy routing matches' counters.

1462
MCQmedium

A network engineer is troubleshooting an OSPF adjacency that is flapping between two routers. The adjacency forms and then drops repeatedly. Both routers are configured for BFD on the OSPF interface. The engineer checks the BFD session and sees it is up, but the OSPF neighbor state transitions from FULL to DOWN every few seconds. What is the most likely cause of this issue?

A.The BFD timers are set too low on one router.
B.The OSPF dead interval is mismatched between the two routers.
C.The interface is flapping due to a physical issue.
D.BFD is configured with the 'strict-mode' command, causing OSPF to ignore BFD state.
AnswerB

A mismatch in OSPF dead interval (or hello interval) causes the adjacency to reset even if BFD is healthy, because OSPF uses its own keepalive mechanism.

Why this answer

The BFD session is up, so BFD is not causing the flap. The issue is likely a mismatch in OSPF parameters that causes the adjacency to reset independently of BFD.

1463
MCQhard

An engineer configures Control Plane Policing (CoPP) on a PE router in an MPLS L3VPN to protect the control plane. The engineer creates a policy-map that matches BGP packets and applies a police rate of 100 pps. The engineer also configures a class-default with a police rate of 10 pps. After applying the policy to the control-plane, the engineer notices that BGP sessions are flapping and the router is dropping BGP packets. The engineer verifies that the ACL for BGP is correct. What is the most likely explanation?

A.The class-default policy is dropping BGP packets that are not matched by the BGP class due to an incomplete ACL.
B.The police rate for BGP is too low, causing BGP packets to be dropped even when matched.
C.The CoPP policy is applied to the wrong control-plane (e.g., 'control-plane host' instead of 'control-plane transit').
D.The 'service-policy' command is missing the 'input' keyword, causing the policy to be applied only to output traffic.
AnswerA

Correct. If the ACL does not match all BGP packets (e.g., only matching TCP port 179 from one direction), some BGP packets fall into class-default and are dropped.

Why this answer

Although the engineer verified the ACL syntax for BGP, the ACL may still be incomplete in practice (e.g., missing specific neighbor IPs, bidirectional matching, or related control plane packets). This causes some BGP packets to fall into the class-default, which has a very low police rate of 10 pps, leading to drops and BGP session flaps. The correct classification and policing of all BGP traffic is essential, and any oversight in ACL coverage can cause this issue.

1464
Multi-Selecthard

Which TWO statements correctly describe the behavior of automatic 6to4 tunneling? (Choose TWO.)

Select 2 answers
A.The 6to4 prefix is 2002::/16, where the next 32 bits are the IPv4 address of the tunnel source in hexadecimal.
B.A 6to4 relay router must have an IPv6 route to 2002::/16 pointing to the tunnel interface.
C.6to4 tunnels can use private IPv4 addresses as the tunnel source.
D.The 6to4 prefix is 2001::/16, and the IPv4 address is embedded in the interface ID.
E.The tunnel interface must be configured with tunnel mode ipv6ip.
AnswersA, B

Correct. The 6to4 prefix is 2002::/16, and the IPv4 address is embedded in hex in the next 32 bits.

Why this answer

Option A is correct because RFC 3056 defines the 6to4 prefix as 2002::/16, and the next 32 bits are the IPv4 address of the tunnel source converted to hexadecimal. This embeds the IPv4 address directly into the IPv6 prefix, allowing automatic tunnel creation without explicit peer configuration.

Exam trap

Cisco often tests the distinction between 6to4 (2002::/16) and Teredo (2001::/16), and candidates mistakenly think private IPv4 addresses are acceptable for 6to4 tunnel sources.

1465
MCQhard

A large enterprise network is experiencing intermittent IPv6 connectivity between two remote sites connected via an IPv6-in-IPv4 manual tunnel. Router R1 has the following relevant configuration: interface Tunnel0 ipv6 address 2001:DB8:1::1/64 tunnel source 192.0.2.1 tunnel destination 198.51.100.1 ipv6 route 2001:DB8:2::/64 Tunnel0. Router R2 shows: R2# show ipv6 route 2001:DB8:1::/64 % Route not found. The tunnel interface is up/up on both routers, and IPv4 reachability between tunnel endpoints is verified. What is the root cause?

A.The tunnel destination on R1 is incorrect and should be 198.51.100.2.
B.R2 is missing a static route for 2001:DB8:1::/64 pointing to its Tunnel0 interface.
C.The tunnel mode must be changed to ipv6ip for IPv6-in-IPv4 tunneling.
D.IPv6 unicast-routing is disabled on R2.
AnswerB

Without a return route, R2 cannot forward packets back to R1's IPv6 network.

Why this answer

The issue is that R2 has no route to the 2001:DB8:1::/64 network, which is the tunnel subnet on R1's side. Even though the tunnel is up/up and IPv4 reachability exists, R2 cannot return traffic to R1's tunnel endpoint address because it lacks a static route pointing to its own Tunnel0 interface. This is a common misconfiguration in point-to-point IPv6-in-IPv4 manual tunnels where both sides must have reciprocal static routes for the remote tunnel networks.

Exam trap

Cisco often tests the misconception that if the tunnel is up/up and IPv4 reachability is verified, IPv6 routing will automatically work, but they intentionally omit the reciprocal static route to trap candidates who overlook the need for explicit routing on both sides.

How to eliminate wrong answers

Option A is wrong because the tunnel destination on R1 is 198.51.100.1, which is the tunnel source address of R2; changing it to 198.51.100.2 would be incorrect as that is not the configured tunnel source on R2. Option B is correct and not wrong. Option C is wrong because the default tunnel mode for a manual IPv6-in-IPv4 tunnel is 'ipv6ip' (or 'tunnel mode ipv6ip'), and no mode change is needed; the configuration shown uses the correct default.

Option D is wrong because the 'ipv6 unicast-routing' command enables IPv6 routing globally, but the symptom here is a missing route, not a routing protocol or forwarding issue; R2 can still forward packets with static routes even if unicast-routing is disabled (though it is typically required for dynamic routing).

1466
MCQhard

What is the default SNMPv3 engine ID format on a Cisco IOS device?

A.A random 32-bit integer
B.The IP address of the management interface
C.The MAC address of the lowest-numbered interface
D.A manually configured string; no default exists
AnswerC

Cisco IOS uses the MAC address of the lowest-numbered interface (e.g., GigabitEthernet0/0) to form the engine ID.

Why this answer

The default SNMPv3 engine ID on a Cisco IOS device is derived from the MAC address of the lowest-numbered interface (e.g., GigabitEthernet0/0). This ensures a unique identifier for the SNMP engine, as required by RFC 3411, without requiring manual configuration. The engine ID is constructed by concatenating a 12-character hex string representing the MAC address with a fixed enterprise-specific prefix.

Exam trap

Cisco often tests the misconception that the default SNMPv3 engine ID is based on the management interface's IP address, but the actual default uses the MAC address of the lowest-numbered interface to ensure persistence and uniqueness.

How to eliminate wrong answers

Option A is wrong because the default SNMPv3 engine ID is not a random 32-bit integer; it is derived from a fixed MAC address to guarantee uniqueness within a network. Option B is wrong because the IP address of the management interface is not used; IP addresses can change or be duplicated, making them unsuitable for a persistent engine ID. Option D is wrong because a default engine ID does exist on Cisco IOS devices; it is automatically generated from the MAC address, so manual configuration is optional, not required.

1467
MCQeasy

A network engineer is troubleshooting a BGP route advertisement issue. Router R1 (AS 65001) is an eBGP peer of R2 (AS 65002). R1 is advertising the prefix 10.0.0.0/8 to R2. R2 has an iBGP session with R3 (AS 65002). R3's BGP table shows the prefix 10.0.0.0/8 with next-hop 10.1.1.1 (R1's interface). However, R3 does not install this route in its routing table. The output of 'show ip route 10.0.0.0' on R3 shows no route. The engineer checks the routing table on R3 and sees that the interface connected to 10.1.1.0/24 is down. What is the most likely cause?

A.The next-hop 10.1.1.1 is not reachable because the directly connected interface is down.
B.The route is not installed because BGP synchronization is enabled.
C.The route is not installed because the prefix is being filtered by an inbound route-map on R3.
D.The route is not installed because the administrative distance of the route is too high.
AnswerA

Correct because BGP requires the next-hop to be reachable; a down interface makes the next-hop unreachable.

Why this answer

For BGP to install a route, the next-hop must be reachable. If the interface to the next-hop is down, the route is considered unreachable and will not be installed.

1468
MCQhard

An engineer configures iBGP between two PE routers in an MPLS L3VPN. The PE routers are in the same AS and are directly connected. The engineer configures 'neighbor x.x.x.x next-hop-self' on the route reflector (RR) but notices that the RR is not sending the VPNv4 routes to the client PE with the next-hop set to itself. The client PE receives the routes but the next-hop remains the original PE. What is the most likely explanation?

A.The 'next-hop-self' command is not applied to the route-reflector client session; it must be applied to the client's neighbor statement on the RR, but it is ignored for reflected routes.
B.The 'next-hop-self' command is only applicable to eBGP sessions, not iBGP.
C.The 'next-hop-self' command requires the 'soft-reconfiguration inbound' to be configured to take effect.
D.The 'next-hop-self' command is overridden by the 'next-hop-unchanged' command on the route reflector.
AnswerA

Correct. 'next-hop-self' is not effective for routes reflected by a route reflector; the RR preserves the original next-hop.

Why this answer

In BGP, the 'next-hop-self' command is only effective for eBGP sessions or for iBGP sessions when the neighbor is not a route-reflector client. When a route reflector sends a route to a client, it does not change the next-hop attribute by default, even if 'next-hop-self' is configured. This is because the route reflector is expected to preserve the next-hop as learned from the original router.

To change the next-hop on a route reflector, the engineer must use 'neighbor x.x.x.x next-hop-self' on the RR for the client, but this command is ignored for routes that are reflected from another iBGP speaker. This is a known edge case that can cause reachability issues if the client cannot reach the original next-hop.

1469
MCQhard

An engineer configures a route map to filter OSPF routes using a distribute-list in OSPF process 1. The distribute-list references a prefix-list that permits only the 10.0.0.0/8 network. After applying the distribute-list in, the engineer notices that the OSPF neighbor state remains stuck in EXSTART/EXCHANGE. Which is the most likely explanation?

A.The distribute-list is applied incorrectly; it should be applied out instead of in.
B.The distribute-list filters LSAs during the exchange, causing the neighbor to be stuck.
C.There is an MTU mismatch between the OSPF neighbors, preventing the exchange of Database Description packets.
D.The prefix-list is misconfigured; it should permit 10.0.0.0/8 with a ge 24 operator.
AnswerC

MTU mismatch causes OSPF to get stuck in EXSTART/EXCHANGE because DBD packets are dropped.

Why this answer

OSPF distribute-list in only filters routes in the routing table, not LSAs. It does not affect the exchange of LSAs during adjacency formation. The adjacency stall is unrelated to the distribute-list; the issue is likely an MTU mismatch between the interfaces.

1470
MCQeasy

What is the maximum hop count for a route in RIPv2 by default?

A.15
B.16
C.255
D.32
AnswerA

15 is the maximum metric; 16 means infinity (unreachable).

Why this answer

RIP uses a maximum hop count of 15, with 16 considered unreachable, to prevent routing loops.

1471
MCQeasy

Which DHCPv6 option carries the DNS recursive name server information?

A.Option 6 (Domain Name Server)
B.Option 23 (DNS Recursive Name Server)
C.Option 24 (Domain Search List)
D.Option 21 (SIP Server Domain Name)
AnswerB

Option 23 is the DHCPv6 option for DNS servers.

Why this answer

Option B is correct because DHCPv6 Option 23 (DNS Recursive Name Server) is specifically defined in RFC 3646 to carry the IPv6 addresses of DNS recursive name servers to DHCPv6 clients. This is the standard mechanism for IPv6 hosts to learn DNS server addresses via DHCPv6, analogous to DHCPv4 Option 6 for IPv4.

Exam trap

Cisco often tests the distinction between DHCPv4 Option 6 and DHCPv6 Option 23, trapping candidates who assume the same option number applies to both protocols.

How to eliminate wrong answers

Option A is wrong because DHCPv6 Option 6 does not exist; Option 6 is a DHCPv4 option (Domain Name Server) that carries IPv4 DNS server addresses, not IPv6. Option C is wrong because DHCPv6 Option 24 (Domain Search List) carries the domain search list for DNS resolution, not the recursive name server addresses. Option D is wrong because DHCPv6 Option 21 (SIP Server Domain Name) is used to provide SIP server domain names, not DNS recursive name server information.

1472
MCQmedium

A network engineer runs the following command on Router R1: R1# show snmp host Host: 192.168.1.100 Port: 162 Timeout: 1.5 seconds Retries: 3 Version: 2c Community: PUBLIC Host: 192.168.1.200 Port: 162 Timeout: 3 seconds Retries: 5 Version: 3 User: admin Security level: authPriv Based on this output, which statement is correct?

A.SNMP traps sent to 192.168.1.200 will be encrypted.
B.Both hosts use the same SNMP version.
C.The host at 192.168.1.100 uses SNMPv3 with user 'admin'.
D.Traps to 192.168.1.200 will be sent with community string 'admin'.
AnswerA

The security level 'authPriv' requires both authentication and privacy (encryption).

Why this answer

Option A is correct because the SNMPv3 security level 'authPriv' for the host at 192.168.1.200 means authentication and privacy (encryption) are both enabled. SNMPv3 with authPriv uses the User-based Security Model (USM) to encrypt the entire SNMP packet payload, including the trap data, using protocols like AES or DES. This ensures that traps sent to 192.168.1.200 are encrypted.

Exam trap

Cisco often tests the distinction between SNMPv2c community strings and SNMPv3 users/security levels, leading candidates to mistakenly associate a community string or user with the wrong host or version.

How to eliminate wrong answers

Option B is wrong because the output shows Host 192.168.1.100 uses SNMP version 2c, while Host 192.168.1.200 uses SNMP version 3, so they do not use the same SNMP version. Option C is wrong because Host 192.168.1.100 is configured with SNMPv2c and community string 'PUBLIC', not SNMPv3 with user 'admin'; the user 'admin' is only associated with Host 192.168.1.200. Option D is wrong because SNMPv3 does not use community strings; traps to 192.168.1.200 are sent with the user 'admin' and security level authPriv, not a community string.

1473
MCQmedium

A network engineer configures NetFlow on a router using the legacy 'ip flow-export' commands. After applying 'ip route-cache flow' on an interface, 'show ip flow export' shows packets being sent, but the collector reports that all flows have a source IP of the router's management interface instead of the actual source IPs. What is the most likely cause?

A.The 'ip flow-export source' command is set to the management interface, which becomes the source IP of export packets.
B.The router is performing NAT on the flow data before exporting.
C.The flow record is configured to match the router's interface IP as the source.
D.The collector is misconfigured to display the export packet source instead of the flow source.
AnswerA

The export source IP is the source of the NetFlow packets, not the flow data. The collector should display flow source IPs separately.

Why this answer

In legacy NetFlow, the 'ip flow-export source' command sets the source IP of export packets, not the flow data. The symptom described is normal; the collector sees the source IP of the export packets, not the flow source IPs. However, if the collector is misconfigured to interpret the export source as flow source, that is a collector issue.

But more likely, the engineer is misreading the collector output. The question tests understanding that export source IP is not the flow source.

1474
Multi-Selecthard

Which TWO configuration steps are required to enable NETCONF over SSH on a Cisco IOS-XE device? (Choose TWO.)

Select 2 answers
A.Configure 'netconf-yang' under the 'router' configuration mode.
B.Issue the command 'netconf ssh' in global configuration mode.
C.Enable the 'netconf-yang' feature using the command 'netconf-yang' in global configuration mode.
D.Configure 'ip ssh version 2' to ensure SSH is available.
E.Issue the command 'netconf' in global configuration mode.
AnswersB, C

This command enables the NETCONF SSH subsystem.

Why this answer

Option B is correct because 'netconf ssh' is the command that enables the NETCONF-over-SSH subsystem on a Cisco IOS-XE device, binding the NETCONF protocol to the SSH transport. Option C is correct because 'netconf-yang' in global configuration mode enables the NETCONF YANG data model service, which is a prerequisite for NETCONF operations. Both steps are required: the feature must be enabled, and the SSH transport must be explicitly configured.

Exam trap

Cisco often tests the distinction between enabling the NETCONF YANG service ('netconf-yang') and binding it to SSH ('netconf ssh'), leading candidates to mistakenly think only one command is needed or that 'netconf' alone is sufficient.

1475
MCQeasy

What is the default behavior of an EEM applet when a 'set' action modifies a variable that is used in a subsequent 'if' condition?

A.The variable is evaluated at the start of the applet, so the 'if' condition uses the original value.
B.The variable is evaluated at the time the 'if' condition is executed, so it uses the updated value.
C.The 'set' action cannot modify a variable that is used in an 'if' condition.
D.The applet will fail if a variable is modified after being used in an 'if' condition.
AnswerB

Correct. EEM actions are executed sequentially, so the 'if' condition uses the current value of the variable.

Why this answer

EEM applets execute actions sequentially. If a 'set' action modifies a variable, that new value is used in any subsequent 'if' condition that references the same variable. Variables are not pre-evaluated; they are evaluated at the time the action is executed.

1476
MCQhard

A network engineer runs the following command on Router R1: R1# show ip nat translations Pro Inside global Inside local Outside local Outside global tcp 192.0.2.10:80 10.0.0.10:80 203.0.113.5:12345 203.0.113.5:12345 tcp 192.0.2.10:80 10.0.0.11:80 203.0.113.5:67890 203.0.113.5:67890 R1# show ip nat statistics Total active translations: 2 (0 static, 2 dynamic; 2 extended) Outside interfaces: GigabitEthernet0/1 Inside interfaces: GigabitEthernet0/0 Hits: 50 Misses: 0 CEF Translated packets: 50, CEF Punted packets: 0 Expired translations: 0 Dynamic mappings: -- Inside Source [Id] ip nat inside source list ACL1 interface GigabitEthernet0/1 overload refcount 2 Based on this output, what is the problem?

A.PAT is not assigning unique source ports; both translations use port 80, which will cause conflicts.
B.The NAT pool is misconfigured because it uses the interface address.
C.The inside and outside interfaces are swapped.
D.Static NAT is interfering with dynamic NAT.
AnswerA

In PAT, the router should change the source port to a unique value. Both translations showing the same inside global port 80 indicates a problem.

Why this answer

The output shows two dynamic NAT translations mapping different inside local hosts (10.0.0.10 and 10.0.0.11) to the same inside global IP address (192.0.2.10) and the same source port (80). PAT (Port Address Translation) should assign unique source ports to differentiate the sessions, but here both translations use port 80, which will cause conflicts when return traffic arrives because the router cannot determine which inside host should receive the packet. This indicates a misconfiguration or a bug where PAT is not performing port overload correctly.

Exam trap

Cisco often tests the misconception that PAT always works automatically without verifying unique port assignments, leading candidates to overlook the duplicate port issue in the translation output.

How to eliminate wrong answers

Option B is wrong because the NAT pool is not misconfigured; the configuration uses 'ip nat inside source list ACL1 interface GigabitEthernet0/1 overload', which correctly uses the interface address for PAT, and the output shows translations are active. Option C is wrong because the interfaces are correctly assigned: GigabitEthernet0/1 is the outside interface and GigabitEthernet0/0 is the inside interface, as shown in the statistics output. Option D is wrong because there are no static NAT entries (0 static translations), so static NAT cannot be interfering with dynamic NAT.

1477
MCQhard

R1 and R2 are iBGP peers. R1 has: neighbor 10.1.1.2 route-map RM_SET in. The route-map RM_SET sets community 100:100. R2 advertises a prefix 172.16.1.0/24 with community 200:200. R1 receives the prefix and the community is changed to 100:100. However, R1's BGP table shows the prefix with community 100:100, but R1 does not propagate this prefix to its other iBGP peer R3. R3 has no special configuration. What is the root cause?

A.iBGP split-horizon rule prevents R1 from advertising routes learned from an iBGP peer to another iBGP peer.
B.The community 100:100 is being filtered by R3's inbound policy.
C.The route-map RM_SET should have been applied outbound on R2 instead.
D.R1 must have a network statement for 172.16.1.0/24 to advertise it.
AnswerA

iBGP does not advertise routes learned from one iBGP neighbor to another iBGP neighbor unless route reflection or confederation is used.

Why this answer

By default, iBGP learned routes are not advertised to other iBGP peers to prevent loops, unless the router is a route reflector or confederation. R1 is not a route reflector, so it will not advertise the prefix learned from R2 to R3. The community manipulation is irrelevant to the propagation issue.

The root cause is that iBGP split-horizon prevents R1 from advertising the prefix to R3.

1478
MCQhard

A network engineer runs the following command to troubleshoot SNMPv3: R1# show snmp user User name: admin Engine ID: 800000090300001122334455 Storage-type: nonvolatile Authentication Protocol: SHA Privacy Protocol: AES128 Group: admin-group User name: monitor Engine ID: 800000090300001122334455 Storage-type: nonvolatile Authentication Protocol: MD5 Privacy Protocol: DES Group: monitor-group What does this output indicate?

A.Two SNMPv3 users are configured: 'admin' with SHA/AES128 and 'monitor' with MD5/DES.
B.SNMPv3 is not configured because no users are shown.
C.Both users use the same authentication and privacy protocols.
D.The users are in the same SNMP group.
AnswerA

The output shows the authentication and privacy protocols for each user.

Why this answer

The output from 'show snmp user' displays two SNMPv3 users: 'admin' with SHA authentication and AES128 privacy, and 'monitor' with MD5 authentication and DES privacy. This confirms that both users are configured with different security levels, making option A correct.

Exam trap

Cisco often tests the ability to read the 'show snmp user' output carefully, where candidates may overlook the different groups or security protocols and assume all users share the same settings.

How to eliminate wrong answers

Option B is wrong because the output clearly shows two SNMPv3 users, indicating SNMPv3 is configured. Option C is wrong because 'admin' uses SHA/AES128 while 'monitor' uses MD5/DES, which are different authentication and privacy protocols. Option D is wrong because the users belong to different groups: 'admin' is in 'admin-group' and 'monitor' is in 'monitor-group'.

1479
MCQmedium

A network engineer runs the following command on Router R1: R1# show crypto isakmp sa dst src state conn-id slot status 10.1.1.2 10.1.1.1 MM_NO_STATE 1 0 ACTIVE Based on this output, what is the problem?

A.The IPsec SA is established and working correctly.
B.The IKE phase 1 negotiation has failed; the pre-shared key may be mismatched.
C.The tunnel is up but no interesting traffic is triggering the IPsec SA.
D.The ISAKMP SA is in MM_ACTIVE state, meaning phase 1 is complete.
AnswerB

MM_NO_STATE indicates no ISAKMP SA has been formed, often due to pre-shared key mismatch or firewall blocking UDP 500.

Why this answer

The MM_NO_STATE indicates that the IKE phase 1 negotiation has not progressed past the initial state. This typically means the peer is not responding to the ISAKMP proposals, often due to mismatched pre-shared keys or access-list blocking UDP port 500.

1480
MCQhard

A network uses PBR to route traffic from a specific subnet (192.168.1.0/24) through a WAN link (next-hop 10.10.10.2). After a routing change, traffic from this subnet is being sent to the WAN link but is being dropped. Router R1 shows: 'show route-map' shows the route-map is applied, 'debug ip policy' shows traffic being forwarded to 10.10.10.2, but 'show ip route 10.10.10.2' shows a route via a different interface (GigabitEthernet0/1). What is the root cause?

A.The next-hop 10.10.10.2 is not directly connected to the interface where PBR is applied. PBR requires the next-hop to be directly connected. Use a directly connected next-hop or configure a static route to make it directly connected.
B.The route-map is missing a 'set ip next-hop verify-availability' command, causing PBR to use the next-hop even when it is not reachable.
C.The routing table on R1 has a better route to the destination via a different next-hop, overriding PBR.
D.The interface where PBR is applied is in a different VRF, causing the next-hop to be unreachable.
AnswerA

PBR's 'set ip next-hop' command requires the next-hop to be on a directly connected subnet. If it is reachable via a route, PBR will drop the packet. This is a common misconfiguration when the next-hop is on a remote subnet.

Why this answer

PBR requires that the next-hop specified in the 'set ip next-hop' command be directly connected to the router. If the next-hop is reachable via a route through another interface (as in this case where 10.10.10.2 is reachable via GigabitEthernet0/1), the router will attempt to forward the packet but will drop it because the next-hop is not on the same subnet as the outgoing interface. The debug output showing 'forwarding to 10.10.10.2' indicates that the route-map matched and the next-hop was set, but the actual packet is dropped.

To fix this, ensure the next-hop is directly connected or use a different next-hop.

1481
MCQmedium

Router R3 has the following DHCP configuration: ip dhcp pool POOL2 network 10.10.10.0 255.255.255.0 default-router 10.10.10.1 dns-server 10.10.10.2 lease 7 ! interface GigabitEthernet0/0 ip address 10.10.10.1 255.255.255.0 ip dhcp relay information option no shutdown What is the problem with this configuration?

A.The relay information option should not be configured on the server interface; it is intended for relay agents and may cause DHCP packets to be dropped or misprocessed.
B.The lease duration of 7 days is invalid; valid lease values are in hours or minutes only.
C.The default-router address is missing the subnet mask, which will cause clients to receive an incomplete configuration.
D.The DNS server address is on the same subnet as the clients, which is not allowed.
AnswerA

The ip dhcp relay information option is meant for interfaces acting as DHCP relay agents. On a server interface, it can cause the server to add Option 82 to its own packets, leading to confusion or packet rejection.

Why this answer

The 'ip dhcp relay information option' command is intended for DHCP relay agents to insert Option 82 (Relay Agent Information) into DHCP packets. When configured on a DHCP server interface, it causes the server to expect and process Option 82, but since the server itself is not a relay agent, this can lead to malformed packets, dropped requests, or misprocessing of DHCP messages. In this scenario, R3 is acting as the DHCP server on GigabitEthernet0/0, so the command should be removed to ensure normal DHCP operation.

Exam trap

Cisco often tests the misconception that 'ip dhcp relay information option' is a generic DHCP feature that can be applied anywhere, when in fact it is strictly for relay agents and causes problems if enabled on a DHCP server interface.

How to eliminate wrong answers

Option B is wrong because the lease duration of 7 days is valid; Cisco IOS DHCP supports lease values in days, hours, or minutes (e.g., 'lease 7' means 7 days). Option C is wrong because the 'default-router' command does not require a subnet mask; the mask is derived from the 'network' statement, and clients receive the default gateway IP without a mask. Option D is wrong because there is no restriction preventing the DNS server from being on the same subnet as the clients; in fact, it is common and fully supported.

1482
MCQmedium

A network engineer runs the following command to troubleshoot a Network Logging and Syslog issue: R1# show ip route summary Output: Route Source Networks Subnets Overhead Memory (bytes) connected 0 2 0 0 static 0 0 0 0 ospf 1 5 10 0 0 bgp 65001 3 5 0 0 Total 8 17 0 0 What does this output indicate?

A.The routing table contains 8 networks and 17 subnets, with OSPF contributing the most routes.
B.The router has a routing table with 25 total routes.
C.The router is using BGP as the primary routing protocol.
D.The router has no static routes configured.
AnswerA

The totals show 8 networks and 17 subnets; OSPF has 5 networks and 10 subnets.

Why this answer

The output shows the routing table summary, including the number of networks and subnets from each routing protocol. This helps in understanding the routing table size and protocol contributions.

1483
MCQhard

An engineer configures IPsec between two VRF-Lite routers using a site-to-site VPN. The tunnel is established, but no traffic is encrypted. The engineer verifies that the crypto map is applied to the correct interface and that the ACL for interesting traffic matches the VRF traffic. Which is the most likely explanation?

A.The crypto map is applied to the wrong interface; it should be applied to the VRF interface, not the physical interface.
B.The ACL for interesting traffic is not matching the VRF traffic because the ACL is evaluated in the global routing table, not the VRF.
C.The IPsec transform set has a mismatch in the encryption algorithm, causing the tunnel to fail to establish.
D.The 'crypto isakmp key' command is missing the VRF keyword, causing IKE to fail.
AnswerB

IPsec crypto maps are evaluated in the global routing table. VRF traffic must be redirected to the global table using PBR or the crypto map must be VRF-aware.

Why this answer

In VRF-Lite, traffic is forwarded based on the VRF routing table. However, IPsec crypto maps operate on the global routing table by default. If the traffic is in a VRF, the crypto map must be applied with the VRF keyword or the traffic must be redirected using a policy-based route (PBR) to the global table.

Without this, the crypto engine does not see the traffic as interesting, so it is not encrypted.

1484
Drag & Dropmedium

Drag and drop the steps to verify and validate OSPF operational state into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

The verification process starts by checking the OSPF neighbor state with show ip ospf neighbor. Next, examine the OSPF database using show ip ospf database to see LSAs. Then, verify the routing table for OSPF routes with show ip route ospf.

After that, check interface-specific OSPF details with show ip ospf interface. Finally, test end-to-end connectivity with extended ping to validate reachability.

1485
MCQmedium

A network engineer runs the following command to troubleshoot an IP SLA issue: R1# show ip sla history 10 Point by Point History Entry = 10 Life = 1 Time of Event = 12:34:56.789 UTC Mon Mar 1 2021 Start Time = 12:34:56.789 UTC Mon Mar 1 2021 Completion Time = 12:34:57.001 UTC Mon Mar 1 2021 Return Code = OK RTT = 12 ms Life = 2 Time of Event = 12:35:56.789 UTC Mon Mar 1 2021 Start Time = 12:35:56.789 UTC Mon Mar 1 2021 Completion Time = 12:35:57.001 UTC Mon Mar 1 2021 Return Code = OK RTT = 14 ms Life = 3 Time of Event = 12:36:56.789 UTC Mon Mar 1 2021 Start Time = 12:36:56.789 UTC Mon Mar 1 2021 Completion Time = 12:36:57.001 UTC Mon Mar 1 2021 Return Code = OK RTT = 11 ms What does this output indicate?

A.The IP SLA operation has experienced multiple timeouts.
B.The IP SLA operation shows a history of successful probes with low RTT values.
C.The IP SLA operation has failed because the RTT values are inconsistent.
D.The IP SLA operation is not configured because no history is shown.
AnswerB

Each entry shows 'Return Code = OK' and RTT between 11-14 ms.

Why this answer

This output shows historical data for IP SLA operation 10. Each entry shows a successful probe with RTT around 11-14 ms, indicating consistent performance over time.

1486
MCQmedium

A network engineer runs the following command on Router R1: R1# show bfd neighbors detail IPv4 Sessions NeighborAddr LD/RD Int State Holdown(mult) Intf 10.1.1.2 1/3 Gi0/0 Up 3000(3) Gi0/0 Session state is UP and not using echo function. OurAddr: 10.1.1.1 Handle: 1 Local Diag: 0, Demand mode: 0, Poll bit: 0 MinTxInt: 1000000, MinRxInt: 1000000, Multiplier: 3 Received MinRxInt: 1000000, Received Multiplier: 3 Holddown (hits): 3000(0) Rx Count: 100, Tx Count: 100 Based on this output, what is the BFD session's detection time?

A.The detection time is 3000 ms.
B.The detection time is 1000 ms.
C.The detection time is 1500 ms.
D.The detection time is 9000 ms.
AnswerA

It is the holddown timer shown in the output, which is 3000 ms.

Why this answer

The detection time is the holddown timer, which is the negotiated transmit interval multiplied by the multiplier. The negotiated transmit interval is 1000 ms (maximum of local MinTxInt and received MinRxInt), and the multiplier is 3, so the detection time is 3000 ms.

1487
MCQmedium

A network engineer runs the following command on Router R1: R1# show snmp group group name: readonly security model: v3 security level: authNoPriv context: <none> read view: iso write view: <none> notify view: <none> Group name: admin security model: v3 security level: authPriv context: <none> read view: iso write view: iso notify view: iso Based on this output, which statement is correct?

A.The 'readonly' group can read all MIB objects because its read view is 'iso'.
B.The 'admin' group requires only authentication, not encryption.
C.The 'readonly' group can send SNMP traps.
D.Both groups have the same security level.
AnswerA

The read view 'iso' typically includes the entire MIB tree, allowing read access to all objects.

Why this answer

Option A is correct because the 'readonly' group has a read view set to 'iso', which corresponds to the entire ISO OID tree (1.3.6.1). This means the group can read all MIB objects accessible under that subtree, effectively granting full read access to all standard SNMP MIBs.

Exam trap

Cisco often tests the distinction between security levels and view configurations, where candidates mistakenly assume 'authNoPriv' includes encryption or that a missing notify view still allows traps.

How to eliminate wrong answers

Option B is wrong because the 'admin' group has security level 'authPriv', which requires both authentication and encryption (privacy), not just authentication. Option C is wrong because the 'readonly' group has a notify view set to '<none>', meaning it cannot send SNMP traps or notifications; a notify view must be configured for trap generation. Option D is wrong because the 'readonly' group uses security level 'authNoPriv' (authentication only) while the 'admin' group uses 'authPriv' (authentication and encryption), so they have different security levels.

1488
MCQmedium

A network engineer runs the following command to troubleshoot a Route Redistribution issue: R1# debug ip bgp updates And sees the following output: *Mar 1 00:25:44.789: BGP(0): 10.1.1.2 UPDATE out about 192.168.10.0/24, NEXT_HOP 10.1.1.1, LOCAL_PREF 100, MED 0, origin i, path 65000 65001 *Mar 1 00:25:44.790: BGP(0): 10.1.1.2 UPDATE run, update sent *Mar 1 00:25:44.791: BGP(0): 10.1.1.2 UPDATE in about 10.2.2.0/24, NEXT_HOP 10.1.1.2, LOCAL_PREF 100, MED 0, origin i, path 65002 What does this output indicate?

A.BGP is redistributing routes from OSPF into BGP, as shown by the AS path.
B.R1 is advertising 192.168.10.0/24 to neighbor 10.1.1.2 and learning 10.2.2.0/24 from the same neighbor.
C.The route 192.168.10.0/24 is being filtered due to AS path length.
D.BGP is not receiving any routes because of a redistribution issue.
AnswerB

The output shows outbound update for 192.168.10.0/24 and inbound update for 10.2.2.0/24, indicating BGP peering is working.

Why this answer

The debug ip bgp updates output shows BGP updates being sent and received. R1 sends an update for 192.168.10.0/24 with AS path 65000 65001 and receives an update for 10.2.2.0/24 with AS path 65002. This indicates BGP is exchanging routes, but if redistribution is expected, the AS path may indicate the route origin.

1489
Multi-Selecthard

Which TWO statements about the behavior of administrative distance in Cisco IOS are correct? (Choose TWO.)

Select 2 answers
A.The default administrative distance for an EIGRP summary route is 5.
B.The default administrative distance for OSPF is 90.
C.The distance command applied under a routing protocol can modify the AD for all routes, including connected and static routes, learned via that protocol.
D.The show ip route command displays the administrative distance of each route in the routing table.
E.When two different routing protocols provide routes to the same destination, the route with the higher administrative distance is installed in the routing table.
AnswersA, D

Correct. EIGRP summary routes have a default AD of 5, which is lower than the AD of any dynamic routing protocol, ensuring they are preferred.

Why this answer

Administrative distance (AD) is a trustworthiness metric used to select the best route among multiple routing protocols. A lower AD is preferred. The default AD for EIGRP summary routes is 5, which is lower than the default AD for OSPF (110).

The distance command can be applied to a routing process to change the AD for all routes learned via that protocol, but it does not affect connected or static routes unless explicitly configured. The show ip route command displays the AD of each route, and the AD value is used to break ties when multiple protocols provide routes to the same destination.

1490
MCQhard

A network engineer configures EEM to monitor memory usage on R1. R1 has: event manager applet MEM-MONITOR event snmp oid 1.3.6.1.4.1.9.9.48.1.1.1.6.1 get-type exact entry-op gt entry-val 90 poll-interval 10 action 1.0 cli command "enable" action 2.0 cli command "show processes memory" action 3.0 syslog msg "High memory usage detected". After a few days, the engineer notices that the applet never triggers, even though memory usage exceeds 90%. Router R2 shows: memory usage is at 95%, but no syslog from EEM. What is the root cause?

A.The SNMP OID is for free memory, and the condition checks if free memory is greater than 90%, which is not met when memory is low.
B.The poll-interval of 10 seconds is too short and causes the applet to be suppressed.
C.The SNMP community string is not configured, so the OID cannot be polled.
D.The applet requires 'event manager applet MEM-MONITOR trigger' to start.
AnswerA

The OID returns free memory; the applet triggers only when free memory >90%, which never happens when memory is high.

Why this answer

The SNMP OID used (1.3.6.1.4.1.9.9.48.1.1.1.6.1) is for the free memory, not used memory. The applet checks if free memory is greater than 90%, which is false when memory is low. The correct OID should be for used memory or the comparison operator should be 'lt' for free memory below 10%.

1491
Drag & Dropmedium

Drag and drop the steps to establish a DMVPN Phase 2 spoke-to-spoke tunnel into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

In DMVPN Phase 2, spoke-to-spoke tunnels are built dynamically. First, the spoke must have a valid NHRP registration to the hub. When traffic from one spoke to another triggers an NHRP resolution request, the hub forwards it to the target spoke, which replies.

The spoke then initiates a direct mGRE tunnel, and finally, the spoke-to-spoke IPsec session is established.

1492
MCQmedium

Which of the following statements about MPLS L3VPN label operations is true?

A.The ingress PE pushes two labels: the outer IGP label and the inner VPN label.
B.The egress PE uses the IGP label to determine the VRF.
C.The P routers swap the VPN label as they forward the packet.
D.The ingress PE pushes only one label (the VPN label) and uses the IP destination for forwarding.
AnswerA

The outer label is used to reach the egress PE, and the inner label identifies the VRF and the specific prefix.

Why this answer

In MPLS L3VPN, the PE router assigns a per-VRF label (VPN label) for each prefix in the VRF. When forwarding a packet from the CE, the ingress PE pushes an IGP label (for the egress PE) and the VPN label. The egress PE pops the IGP label and uses the VPN label to identify the VRF and forward to the correct CE.

1493
MCQeasy

In a VRF-Lite scenario with OSPF, what is the default network type on a physical Ethernet interface?

A.Point-to-point
B.Broadcast
C.Non-broadcast
D.Point-to-multipoint
AnswerB

Ethernet defaults to broadcast network type in OSPF.

Why this answer

By default, OSPF sets the network type to broadcast on Ethernet interfaces, which enables DR/BDR election.

1494
Multi-Selecthard

Which TWO statements about IP SLA reaction configuration and event monitoring are true? (Choose TWO.)

Select 2 answers
A.The 'reaction-configuration' command can be used to generate a syslog trap when an IP SLA operation times out.
B.The 'reaction-configuration' command with 'react connectionLoss' and 'action trigger' will cause the track object to change state immediately upon loss of connectivity.
C.The default action for a reaction configuration is 'trigger'.
D.The 'reaction-configuration' command supports the 'react rtt' option with 'action trigger' to immediately change the track state when RTT exceeds a threshold.
E.Multiple reaction configurations can be applied to the same IP SLA operation.
AnswersA, B

Correct. Using 'reaction-configuration' with 'react timeout' and 'action trapOnly' will generate a syslog trap on timeout.

Why this answer

Option A is correct because the 'reaction-configuration' command with 'react timeout' and 'action trapOnly' generates a syslog trap when the operation times out. Option B is correct because 'reaction-configuration' with 'react connectionLoss' and 'action trigger' immediately changes the state of a tracked object upon loss of connectivity. Option C is incorrect because the default action is 'trapOnly', not 'trigger'.

Option D is incorrect because 'react rtt' uses threshold-based monitoring and does not support 'action trigger' to directly change track state; instead, it triggers based on threshold violations. Option E is incorrect because only one reaction configuration can be applied per IP SLA operation; multiple configurations are not supported.

1495
MCQhard

A network engineer is troubleshooting a router that has been running for 200 days. The router experiences a sudden reboot, and after reload, the configuration is missing. 'show startup-config' returns 'startup-config is not present'. The engineer checks the boot variable: 'boot system flash:ios-image.bin'. What is the most likely cause of the configuration loss?

A.The router's NVRAM has a hardware failure and lost the configuration.
B.The engineer did not execute 'copy running-config startup-config' before the reboot.
C.The 'boot system' command points to a TFTP server that also contains a configuration file, overwriting the local startup-config.
D.The router's configuration register is set to 0x2142, ignoring startup-config.
AnswerB

The router had been running for 200 days without a save; after reload, the running-config is lost, and startup-config is empty because it was never saved.

Why this answer

The correct answer is B because the router's startup configuration is stored in NVRAM, and if the engineer never executed 'copy running-config startup-config' (or equivalent 'write memory'), the running configuration exists only in RAM. Upon reboot, the router loads the IOS image from flash as specified by the 'boot system flash:ios-image.bin' variable, but NVRAM contains no saved startup configuration, resulting in 'startup-config is not present'. This is a classic operational oversight where changes are made to the running configuration but not saved to NVRAM.

Exam trap

Cisco often tests the distinction between a missing startup configuration (due to failure to save) and a configuration that is present but ignored (due to the configuration register), so candidates must recognize that 'startup-config is not present' indicates an empty NVRAM, not a register override.

How to eliminate wrong answers

Option A is wrong because a hardware failure in NVRAM would typically cause a checksum error or corruption message, not a clean 'startup-config is not present' response; the router would also likely fail to boot or show other symptoms. Option C is wrong because the 'boot system' command only specifies the IOS image location; it does not point to a TFTP server for configuration files, and even if a TFTP configuration were used, it would not overwrite the local startup-config unless explicitly configured via 'boot network' or 'service config'. Option D is wrong because a configuration register of 0x2142 causes the router to ignore the startup configuration during boot, but the startup-config file itself remains intact in NVRAM; 'show startup-config' would still display the configuration, not return 'startup-config is not present'.

1496
MCQmedium

Which BGP path attribute is used as the tie-breaker after the local preference and AS-path length in the BGP best path selection algorithm?

A.MED (Multi-Exit Discriminator)
B.Origin type
C.Neighbor IP address
D.Router ID
AnswerB

Correct. Origin type is the third tie-breaker: IGP > EGP > incomplete.

Why this answer

After comparing local preference (highest wins) and AS-path length (shortest wins), the next tie-breaker is the origin type, where IGP is preferred over EGP, and EGP over incomplete.

1497
MCQmedium

Which BGP attribute is considered the highest priority (most preferred) in the BGP best path selection process?

A.Local preference
B.AS path length
C.Weight
D.MED
AnswerC

Weight is the first attribute checked in the BGP best path selection process (Cisco-specific).

Why this answer

C is correct because the Weight attribute is Cisco-proprietary and is evaluated first in the BGP best path selection process. It has the highest priority, with a higher weight being preferred, and it is local to the router only.

Exam trap

Cisco often tests the order of BGP path selection attributes, and the trap here is that candidates confuse Local Preference as the highest priority because it is the first well-known mandatory attribute, forgetting that the Cisco-proprietary Weight is evaluated first.

How to eliminate wrong answers

Option A is wrong because Local Preference is evaluated after Weight; it is the second step in the BGP best path selection and is used to influence outbound traffic from an AS. Option B is wrong because AS path length is evaluated after Local Preference (step 4) and is used to prefer shorter paths, not as the highest priority. Option D is wrong because MED (Multi-Exit Discriminator) is evaluated after AS path length (step 5) and is used to influence inbound traffic to an AS, not as the highest priority.

1498
MCQeasy

A network engineer runs the following command on Router R1: R1# show ip access-lists Extended IP access list 150 10 permit ip 10.0.0.0 0.255.255.255 any (500 matches) 20 deny ip any any (100 matches) Based on this output, which statement is correct?

A.Traffic from 10.0.0.0/8 is denied.
B.Traffic not from 10.0.0.0/8 is denied.
C.All traffic is permitted.
D.The ACL has no effect.
AnswerB

Line 20 denies all other traffic with 100 matches.

Why this answer

The ACL 150 has a permit entry for source 10.0.0.0/8 (wildcard 0.255.255.255) followed by a deny any any. Traffic matching the permit (from 10.0.0.0/8) is allowed, while all other traffic is denied by the implicit deny or the explicit deny entry. Thus, traffic not from the 10.0.0.0/8 network is denied, making option B correct.

Exam trap

Cisco often tests the misconception that an ACL with a permit entry followed by a deny entry permits all traffic, when in fact the deny explicitly blocks everything not matching the earlier permit.

How to eliminate wrong answers

Option A is wrong because the ACL permits traffic from 10.0.0.0/8 (500 matches), not denies it. Option C is wrong because the ACL includes an explicit deny ip any any (100 matches), which blocks all traffic not matching the permit, so not all traffic is permitted. Option D is wrong because the ACL is applied (matches are shown) and actively filters traffic, so it has an effect.

1499
Multi-Selectmedium

Which TWO commands can be used to verify the operation of IPv6 First Hop Security features such as RA Guard and DHCPv6 Guard on a Cisco IOS-XE switch? (Choose TWO.)

Select 2 answers
A.show ipv6 snooping
B.show ipv6 dhcp guard
C.show ipv6 nd raguard
D.show ipv6 dhcp binding
E.show ipv6 source guard
AnswersA, B

This command displays the operational status of IPv6 snooping features, including RA Guard and DHCPv6 Guard, and is a primary verification tool.

Why this answer

Option A is correct because the 'show ipv6 snooping' command is the primary verification tool for IPv6 First Hop Security (FHS) features, including RA Guard and DHCPv6 Guard. It displays the IPv6 snooping policy database, which tracks all discovered IPv6 neighbors and their binding states, directly reflecting the operational status of RA Guard and DHCPv6 Guard enforcement on the switch.

Exam trap

Cisco often tests the distinction between the generic 'show ipv6 snooping' command and the specific but non-existent 'show ipv6 nd raguard' command, leading candidates to incorrectly assume each FHS feature has its own dedicated show command.

1500
MCQmedium

Which TCP flag combination triggers the NAT translation timeout to change from the default to the 'ip nat translation tcp-timeout' value?

A.SYN
B.FIN or RST
C.ACK
D.URG
AnswerB

FIN and RST indicate connection termination, causing the NAT entry to expire quickly.

Why this answer

By default, NAT translations for TCP sessions use a timeout based on the TCP connection's state. When a TCP session ends with a FIN or RST flag, the NAT device immediately transitions the translation to a 'finish' or 'reset' state, which then uses the value configured under 'ip nat translation tcp-timeout' (default 60 seconds) instead of the longer default idle timeout (typically 86400 seconds). This allows the NAT table to reclaim resources quickly after a connection is explicitly terminated.

Exam trap

Cisco often tests the misconception that any TCP flag (like SYN or ACK) can trigger the shorter timeout, but only FIN or RST explicitly signal connection termination and thus change the NAT timeout to the configured tcp-timeout value.

How to eliminate wrong answers

Option A (SYN) is wrong because the SYN flag initiates a TCP connection and triggers the default idle timeout, not the shorter tcp-timeout value. Option C (ACK) is wrong because ACK is used for acknowledging data and maintaining an established connection; it does not signal termination, so the translation remains under the default idle timeout. Option D (URG) is wrong because the URG flag indicates urgent data within a segment and has no effect on NAT translation timers; it is unrelated to connection teardown.

Page 19

Page 20 of 29

Page 21