Cisco CCNP ENARSI 300-410 (300-410) — Questions 17261800

2152 questions total · 29pages · All types, answers revealed

Page 23

Page 24 of 29

Page 25
1726
MCQhard

Router R10 is configured with SNMP and EEM. An EEM applet is configured to send an SNMP trap when a specific syslog message is generated. The applet uses the 'action snmp-trap' command. However, the NMS receives no trap. The syslog message is generated and logged. The router's show snmp statistics shows TrapsSent: 0. What is the root cause?

A.The EEM applet is configured to send a trap, but the 'snmp-server host' command is missing, so the router has no destination for the trap.
B.The syslog message is not matching the EEM trigger pattern correctly.
C.The EEM applet is not registered due to a syntax error.
D.The SNMP community string is not configured with RW privileges.
AnswerA

Without 'snmp-server host', the router does not know where to send the trap. The EEM action will fail silently.

Why this answer

Option A is correct because the EEM applet uses the 'action snmp-trap' command to generate a trap, but without the 'snmp-server host' command, the router has no configured destination to send the trap to. The 'show snmp statistics' output showing TrapsSent: 0 confirms that the trap was generated internally but never transmitted, which is the classic symptom of a missing trap destination. The syslog message being logged and the applet triggering correctly rules out pattern-matching or registration issues.

Exam trap

Cisco often tests the misconception that 'action snmp-trap' alone is sufficient to send a trap, when in fact the 'snmp-server host' command is mandatory to define the trap receiver.

How to eliminate wrong answers

Option B is wrong because the syslog message is generated and logged, indicating the EEM trigger pattern matched correctly; if it didn't match, the applet would not execute at all. Option C is wrong because if the applet had a syntax error, it would not register, and the syslog message would not trigger any action; the fact that the syslog is logged and the applet is expected to run shows registration succeeded. Option D is wrong because SNMP traps are sent using the community string configured under 'snmp-server host', which requires read-only (RO) or read-write (RW) privileges only for SNMP writes to the router, not for trap generation; traps are sent with the community string specified in the 'snmp-server host' command, and RW is irrelevant here.

1728
Drag & Dropmedium

Drag and drop the steps to verify and validate the Administrative Distance operational state into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Start by showing the IP routing table to see which routes are installed, then display the specific route with its AD, next check the routing protocol database for the prefix, then verify the protocol-specific AD configuration, and finally compare the AD with other protocols to ensure correct preference.

1729
MCQmedium

A network engineer runs the following command on Router R1: R1# show bgp ipv4 unicast summary BGP router identifier 192.168.0.1, local AS number 65001 BGP table version is 10, main routing table version 10 Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 192.168.1.2 4 65002 1002 1000 10 0 0 00:15:30 5 192.168.2.2 4 65003 1005 1003 10 0 0 00:14:20 3 10.10.10.2 4 65004 0 0 0 0 0 00:00:05 Idle Based on this output, what is the problem with neighbor 10.10.10.2?

A.The neighbor is administratively shut down.
B.The BGP session is not established; possible misconfiguration or reachability issue.
C.The neighbor is in the process of establishing the session.
D.The neighbor has sent all its prefixes and is waiting for updates.
AnswerB

Idle state with no messages indicates the session is down.

Why this answer

The output shows that neighbor 10.10.10.2 is in the Idle state with zero messages sent or received, indicating the BGP session has never been established. This typically results from a misconfiguration (e.g., wrong neighbor IP, incorrect AS number, missing update-source) or a Layer 3 reachability issue preventing the TCP connection on port 179.

Exam trap

Cisco often tests the distinction between Idle (no session attempt) and Active (session attempt in progress), tricking candidates into thinking Idle means 'waiting' rather than 'not started'.

How to eliminate wrong answers

Option A is wrong because an administratively shut down BGP neighbor would show the state as 'Idle (admin)' or similar, not just 'Idle'. Option C is wrong because a session in the process of establishing would show a state like 'Active' or 'Connect', not 'Idle'. Option D is wrong because the neighbor has sent zero prefixes (PfxRcd is blank) and is in Idle, meaning no prefixes have been exchanged; waiting for updates would occur in the Established state.

1730
MCQmedium

A network engineer is troubleshooting a BGP route filtering issue. Router R1 is advertising a prefix 10.1.1.0/24 to its eBGP neighbor R2, but R2 is not receiving it. The engineer checks R1's BGP configuration and sees a route-map named FILTER-OUT applied outbound to the neighbor. The route-map references an ACL that permits 10.1.1.0/24, but the prefix is still not being sent. What is the most likely cause?

A.The route-map is missing a 'permit' statement; the default action is deny.
B.The ACL is using the wrong wildcard mask; it should be 0.0.0.255 instead of 0.0.0.0.
C.The neighbor is configured with 'soft-reconfiguration inbound' which blocks outbound updates.
D.The route-map is applied inbound instead of outbound on R1.
AnswerA

Correct because route-maps without an explicit permit will implicitly deny all prefixes.

Why this answer

The route-map must have an explicit permit statement; if the route-map is missing the permit clause, or if the sequence number is incorrect, the implicit deny at the end of the route-map will filter all routes. The ACL permitting the prefix is necessary but not sufficient if the route-map itself does not have a permit action.

1731
MCQhard

An engineer configures iBGP between two routers in the same AS. The BGP table shows the prefix, but it is not installed in the routing table. The IGP does not carry the prefix. Which is the most likely explanation?

A.The BGP synchronization rule is enabled, and the prefix is not in the IGP, so BGP does not install the route.
B.The next-hop is unreachable because of a missing static route.
C.The BGP route is filtered by an inbound route-map.
D.The maximum-paths limit is exceeded.
AnswerA

Synchronization requires that the prefix be reachable via IGP before BGP installs it; if not, the route remains in the BGP table but not the routing table.

Why this answer

Option A is correct because when BGP synchronization is enabled (default in older IOS versions), BGP will not install a route learned via iBGP into the routing table unless the same prefix is also present in the IGP. Since the IGP does not carry the prefix, BGP considers the route unsynchronized and does not install it, even though it appears in the BGP table.

Exam trap

Cisco often tests the BGP synchronization rule as a legacy behavior that candidates overlook, assuming that a prefix in the BGP table always implies installation in the routing table, but synchronization can block installation even when the next-hop is reachable.

How to eliminate wrong answers

Option B is wrong because an unreachable next-hop due to a missing static route would cause the BGP route to be marked as invalid or not installed, but the question states the BGP table shows the prefix, implying the next-hop is reachable via the IGP or a connected route. Option C is wrong because an inbound route-map filtering the route would prevent the prefix from appearing in the BGP table entirely, not just from being installed in the routing table. Option D is wrong because exceeding the maximum-paths limit affects load balancing among multiple equal-cost paths, not the installation of a single prefix; a single route would still be installed.

1732
MCQmedium

Which statement correctly describes the default behavior of Dead Peer Detection (DPD) in Cisco IOS for IPsec site-to-site VPN?

A.DPD is enabled by default with a 10-second interval
B.DPD is enabled by default with a 30-second interval
C.DPD is disabled by default
D.DPD is enabled only for IKEv2 by default
AnswerC

Cisco IOS requires explicit configuration to enable DPD.

Why this answer

Dead Peer Detection (DPD) is disabled by default in Cisco IOS for IPsec site-to-site VPNs. This means that without explicit configuration using the 'crypto isakmp keepalive' command, the router will not send DPD messages to verify the liveness of the remote peer. DPD must be manually enabled to detect peer failures and trigger failover or tunnel teardown.

Exam trap

Cisco often tests the misconception that DPD is enabled by default or that it has a fixed interval, when in fact it must be manually configured and the default state is disabled.

How to eliminate wrong answers

Option A is wrong because DPD is not enabled by default with a 10-second interval; DPD is disabled by default, and if enabled, the interval is configurable but not a fixed 10 seconds. Option B is wrong because DPD is not enabled by default with a 30-second interval; again, DPD is disabled by default, and the interval is not preset to 30 seconds. Option D is wrong because DPD is not enabled only for IKEv2 by default; DPD is disabled by default for both IKEv1 and IKEv2, and it must be explicitly configured for either version.

1733
MCQmedium

A network engineer runs the following command to troubleshoot a BGP Troubleshooting issue: R1# debug ip bgp updates BGP(0): 10.1.1.2 UPDATE rcvd w/ attr: nexthop 10.1.1.2, origin i, localpref 100, metric 0 BGP(0): 10.1.1.2 rcvd 192.168.1.0/24 BGP(0): 10.1.1.2 rcvd UPDATE w/ attr: nexthop 10.1.1.2, origin i, localpref 100, metric 0 BGP(0): 10.1.1.2 rcvd 192.168.2.0/24 BGP(0): 10.1.1.2 rcvd UPDATE w/ attr: nexthop 10.1.1.2, origin i, localpref 100, metric 0 -- unreachable BGP(0): 10.1.1.2 rcvd 192.168.3.0/24 What does this output indicate?

A.The neighbor 10.1.1.2 is advertising three new prefixes: 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24.
B.The neighbor 10.1.1.2 is withdrawing the prefix 192.168.3.0/24 while advertising 192.168.1.0/24 and 192.168.2.0/24.
C.The neighbor 10.1.1.2 is flapping all three prefixes due to a BGP session reset.
D.The neighbor 10.1.1.2 is sending a malformed update for 192.168.3.0/24, causing it to be marked as unreachable.
AnswerB

The 'unreachable' keyword in the debug output indicates a route withdrawal for 192.168.3.0/24.

Why this answer

The debug ip bgp updates output shows received BGP updates from neighbor 10.1.1.2. The third update includes 'unreachable', indicating that the neighbor is withdrawing the route 192.168.3.0/24. The other prefixes are being advertised normally.

1734
MCQhard

A network engineer is troubleshooting a router that is not executing an EEM applet that is supposed to run when a specific interface goes down. The applet is configured with event syslog pattern 'LINK-3-UPDOWN' and matches the interface with a regex. The engineer checks the syslog and sees the message 'LINK-3-UPDOWN: GigabitEthernet0/1, changed state to down' but the applet does not run. What is the most likely cause?

A.The EEM applet is disabled.
B.The syslog message is not being sent to the EEM server due to logging level restrictions.
C.The regex pattern in the applet does not match the syslog message.
D.The interface is not being monitored because it is a subinterface.
AnswerC

Correct because a mismatch in the regex pattern is a common cause for an applet not triggering.

Why this answer

The EEM applet may have a regex that does not match the actual syslog message format. The engineer should verify the regex pattern using 'show event manager policy' or test the pattern.

1735
Drag & Dropmedium

Drag and drop the steps to apply and verify an extended IPv4 ACL on a router interface into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

The correct order is: first, create the ACL with permit/deny statements; second, verify the ACL syntax with show access-list; third, apply it inbound on the interface; fourth, verify the interface configuration with show ip interface; fifth, test connectivity with ping or traceroute.

1736
MCQmedium

Which OSPF LSA type is used to describe a default route injected into a regular area by an Area Border Router (ABR)?

A.Type 1 (Router LSA)
B.Type 2 (Network LSA)
C.Type 3 (Summary LSA)
D.Type 5 (AS-External LSA)
AnswerC

Correct: ABRs use Type 3 LSAs to advertise inter-area routes, including default routes.

Why this answer

Option C is correct because an ABR uses a Type 3 Summary LSA to advertise a default route (0.0.0.0/0) into a regular area. This LSA type is generated by the ABR to summarize inter-area routes, and when the ABR is configured with the 'area X default-cost' command or the 'default-information originate' command, it injects a default route as a Type 3 LSA into the specified area.

Exam trap

Cisco often tests the distinction between Type 3 and Type 5 LSAs for default route injection, and the trap here is that candidates mistakenly think a default route must always be a Type 5 LSA (external) because of the 'default-information originate' command, but when injected by an ABR into a regular area, it is actually a Type 3 LSA.

How to eliminate wrong answers

Option A is wrong because Type 1 Router LSAs describe the originating router's directly attached links and are flooded only within a single area; they cannot carry a default route injected by an ABR into another area. Option B is wrong because Type 2 Network LSAs are generated by the Designated Router on a multi-access segment to describe the segment's attached routers, not to inject default routes. Option D is wrong because Type 5 AS-External LSAs are used to advertise external routes redistributed into OSPF from another routing protocol, and they are flooded throughout the entire OSPF domain (except stub areas), not specifically by an ABR to inject a default route into a regular area.

1737
Drag & Dropmedium

Drag and drop the steps to verify and validate the operational state of an IPv6 tunneling technique into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Validation follows a systematic approach: start with checking the tunnel interface status and counters, then verify IPv6 connectivity across the tunnel using ping, examine routing protocol adjacency over the tunnel, validate end-to-end IPv6 reachability to remote networks, and finally confirm traffic flow with traceroute or debug commands.

1738
MCQhard

What is the default value of the 'reachable time' in IPv6 Neighbor Discovery (ND) on Cisco IOS-XE?

A.0 milliseconds (unspecified)
B.30,000 milliseconds
C.60,000 milliseconds
D.10,000 milliseconds
AnswerA

Correct. The default reachable time in the 'ipv6 nd reachable-time' command is 0, meaning no override is sent in RAs.

Why this answer

In IPv6 Neighbor Discovery (ND) on Cisco IOS-XE, the default value for the 'reachable time' is 0 milliseconds (unspecified). This means the router does not advertise a specific reachable time in its Router Advertisements (RAs), leaving the receiving hosts to use their own default value (typically 30,000 milliseconds as per RFC 4861). The 'reachable time' is the duration a node considers a neighbor reachable after confirming reachability via Neighbor Solicitation (NS) or Neighbor Advertisement (NA) messages.

Exam trap

Cisco often tests the distinction between the default value advertised by the router (0, meaning unspecified) and the default value used by hosts (30,000 ms), causing candidates to mistakenly select the host default as the router's advertised value.

How to eliminate wrong answers

Option B is wrong because 30,000 milliseconds is the default reachable time used by hosts (RFC 4861) when the router advertises an unspecified value, not the default value advertised by Cisco IOS-XE routers. Option C is wrong because 60,000 milliseconds is not a standard default for reachable time; it might be confused with the default 'retrans timer' (which is 0 unspecified, but hosts use 1000 ms). Option D is wrong because 10,000 milliseconds is a common user-configured value but is not the default; Cisco IOS-XE defaults to 0 (unspecified) to allow host-side defaults.

1739
MCQhard

A VRF route leaking configuration causes unexpected reachability. Router R1 has VRF RED and VRF BLUE. Configuration: 'ip vrf RED rd 100:1 route-target export 100:1 route-target import 100:2' and 'ip vrf BLUE rd 100:2 route-target export 100:2 route-target import 100:1'. Router R2 is a route reflector with 'address-family ipv4 vrf RED' and 'address-family ipv4 vrf BLUE'. A host in VRF RED can ping a host in VRF BLUE, but not vice versa. What is the root cause?

A.The route reflector lacks 'address-family ipv4 vrf' configuration for both VRFs, causing incomplete route propagation.
B.The VRF BLUE has a static route pointing to a next-hop that is not reachable from VRF RED, causing asymmetric reachability.
C.The route-target import/export values are reversed; they should be identical for both VRFs.
D.MPLS LDP is not enabled on the interfaces between routers, preventing label switching.
AnswerB

If VRF BLUE imports routes from RED but uses a static route for the return path that is not leaked, return traffic fails.

Why this answer

The correct answer is B. For a host in VRF RED to ping a host in VRF BLUE, the route from RED to BLUE must work, and the return route from BLUE to RED must also work. In this scenario, VRF BLUE has a static route pointing to a next-hop that is not reachable from VRF RED.

When the BLUE host tries to respond to the ping, it uses that static route to reach the RED host's subnet. Since the next-hop is unreachable (e.g., missing interface, wrong IP, or not present in the global or VRF routing table), the return traffic fails. This causes asymmetric reachability: RED can reach BLUE (via some other path, possibly the route-leaking mechanism), but BLUE cannot reach RED.

The route reflector configuration is not the issue because the route-target import/export values are correctly matched for bidirectional leaking. Therefore, the static route misconfiguration is the root cause.

1740
Drag & Dropmedium

Drag and drop the steps to configure Flexible NetFlow with a custom flow record into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

The correct order follows Cisco IOS-XE configuration logic: first define the flow record with match fields, then define the flow exporter with destination and source, then define the flow monitor binding record and exporter, then apply the monitor to an interface in the ingress direction, and finally verify with 'show flow monitor'.

1741
Drag & Dropmedium

Drag and drop the steps to verify and validate the SNMP operational state into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Begin by checking the SNMP agent status with show snmp. Then, view the SNMP community strings and access permissions. Next, examine SNMP trap and inform configurations.

After that, use show snmp mib to verify MIB object accessibility. Finally, perform a test poll from the NMS to confirm end-to-end functionality.

1742
MCQmedium

An engineer is troubleshooting a router that is not sending syslog messages to the syslog server at 192.168.1.10. The configuration includes 'logging host 192.168.1.10' and 'logging trap informational'. The engineer can ping the syslog server from the router. 'show logging' shows that the logging buffer is filling with messages. What is the most likely cause?

A.The syslog server is not listening on UDP port 514.
B.The 'logging source-interface' command is missing, causing syslog messages to use an incorrect source IP.
C.The 'logging on' command is not configured.
D.The syslog server's IP address is incorrect in the configuration.
AnswerB

Without 'logging source-interface', the router uses the IP of the egress interface, which may not be reachable from the syslog server or may be filtered.

Why this answer

The router can ping the syslog server and the logging buffer is filling, which confirms network reachability and that the router is generating syslog messages. However, without the 'logging source-interface' command, syslog packets use the IP address of the egress interface, which may not be reachable from the server (e.g., due to ACLs or routing asymmetry). This causes the server to drop the packets, even though the router can reach the server.

The 'logging host' and 'logging trap informational' commands are correctly configured, so the issue lies in the source IP selection.

Exam trap

Cisco often tests the misconception that a successful ping implies full bidirectional communication, but syslog uses UDP and the server may drop packets if the source IP is unexpected or not reachable in the return path.

How to eliminate wrong answers

Option A is wrong because the syslog server not listening on UDP port 514 would cause a different symptom: the router would still send messages, but the server would not receive them; however, the router can ping the server, and the buffer fills, indicating the server is reachable and the router is generating logs. Option C is wrong because 'logging on' is enabled by default; if it were disabled, the logging buffer would not fill with messages. Option D is wrong because the IP address is correct (the router can ping 192.168.1.10), and the configuration explicitly includes 'logging host 192.168.1.10'.

1743
MCQhard

An engineer configures SPAN on a Cisco switch to monitor traffic from a VLAN, but the VLAN includes a voice VLAN. The mirrored traffic shows only data traffic, not voice. What is the most likely explanation?

A.The SPAN source is configured for the data VLAN only, not the voice VLAN.
B.Voice traffic uses a different CoS value, which SPAN ignores.
C.The voice VLAN is configured as a native VLAN, which SPAN does not capture.
D.The switch has a security ACL that blocks voice traffic from being mirrored.
AnswerA

SPAN VLAN-based monitoring captures only the specified VLAN; the voice VLAN must be added separately.

Why this answer

Voice VLANs are often configured as separate VLANs (e.g., VLAN 100 for voice, VLAN 10 for data). If the SPAN source is a single VLAN, it only captures traffic on that VLAN. To capture both, the SPAN session must include both VLANs or use a port-based source that includes both.

1744
MCQhard

A network engineer is troubleshooting a situation where R1 has two routes to 10.0.0.0/8: one via OSPF (AD 110) and one via RIP (AD 120). The engineer wants R1 to prefer the RIP route. After configuring the distance 80 0.0.0.0 255.255.255.255 under the RIP process, the RIP route is still not preferred. What is the most likely reason?

A.The OSPF route has an AD of 110, but the RIP route's AD was set to 80, so RIP should be preferred. The issue is that the distance command was applied to the wrong prefix.
B.The OSPF process has the distance ospf external 70 command configured, lowering the AD of OSPF external routes to 70.
C.The RIP route is not in the routing table because it is suppressed by a distribute-list.
D.The distance command under RIP only affects internal RIP routes, not redistributed routes.
AnswerB

Correct. The 'distance ospf external 70' command under OSPF reduces the AD of OSPF external routes to 70, which is lower than the RIP AD of 80, causing OSPF to still be preferred.

Why this answer

The engineer configured the 'distance 80 0.0.0.0 255.255.255.255' command under the RIP process to set the administrative distance for RIP routes to 80, expecting RIP to be preferred over OSPF (AD 110). However, OSPF allows per‑route type AD modifications using the 'distance ospf external' command. If OSPF external routes (which include the 10.0.0.0/8 route if it is external) have their AD lowered to 70, OSPF becomes more preferred despite the RIP distance change.

This overrides the intended effect, making option B correct.

Exam trap

The trap is that engineers often assume that setting the AD under the routing protocol being adjusted (RIP) will always take effect, but they overlook that another protocol (OSPF) can also have its AD lowered for specific route types, such as external routes. The 'distance ospf' command allows OSPF to dynamically adjust AD per route type, which can override the intended preference.

1745
MCQmedium

A network engineer runs the following command to troubleshoot BFD with OSPF: R1# show ip ospf interface gigabitethernet 0/0 GigabitEthernet0/0 is up, line protocol is up Internet Address 10.1.1.1/24, Area 0 Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1 Transmit Delay is 1 sec, State DR, Priority 1 Designated Router (ID) 1.1.1.1, Interface address 10.1.1.1 Backup Designated router (ID) 2.2.2.2, Interface address 10.1.1.2 Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 oob-resync timeout 40 Hello due in 00:00:03 Supports Link-local Signaling (LLS) Cisco NSF helper support enabled IETF NSF helper support enabled Index 1/1/1, flood queue length 0 Next 0x0(0)/0x0(0)/0x0(0) Last flood scan length is 1, maximum is 25 Last flood scan time is 0 msec, maximum is 0 msec Neighbor Count is 1, Adjacent neighbor count is 1 Adjacent with neighbor 2.2.2.2 (Backup Designated Router) Suppress hello for 0 neighbor(s) BFD enabled, BFD interval 100 msec, BFD multiplier 3 What does this output indicate?

A.OSPF is using BFD with a 100 ms interval and multiplier 3, enabling sub-second failure detection.
B.BFD is disabled on this OSPF interface.
C.BFD interval is set to 10 seconds, matching OSPF hello.
D.BFD session is down, causing OSPF to use dead timer.
AnswerA

BFD is enabled with the specified parameters, allowing OSPF to detect failures quickly.

Why this answer

The output shows that BFD is enabled on the OSPF interface with an interval of 100 ms and multiplier of 3. This provides fast failure detection for OSPF adjacency.

1746
MCQmedium

A network engineer is troubleshooting an IPv6 routing issue on a router that is receiving OSPFv3 routes from multiple neighbors. The engineer notices that some routes are missing from the routing table. The engineer checks the interface configuration and finds an inbound IPv6 ACL applied to the interface that permits only specific prefixes. The engineer also notices that the missing routes are from a neighbor that is sending routes with a prefix length of /48, while the ACL permits only /64 prefixes. What is the most likely cause of the missing routes?

A.The ACL is filtering the OSPFv3 routes based on prefix length, and the /48 routes are not permitted.
B.The OSPFv3 neighbor relationship is down due to a mismatched area ID.
C.The router has a route-map that is denying the /48 routes before they are installed.
D.The IPv6 ACL is applied outbound, blocking the routes from being sent.
AnswerA

Correct because the ACL permits only /64 prefixes, so /48 routes are dropped, preventing them from being installed in the routing table.

Why this answer

The inbound IPv6 ACL on the interface is filtering OSPFv3 routes based on prefix length. Since the ACL permits only /64 prefixes, any routes with a /48 prefix length are denied and not installed in the routing table. This is the most likely cause of the missing routes.

Exam trap

The trap here is that candidates may overlook that an inbound ACL on an interface can filter OSPFv3 route updates based on prefix length, assuming ACLs only filter data-plane traffic, not routing protocol updates.

How to eliminate wrong answers

Option B is wrong because a mismatched area ID would prevent the OSPFv3 neighbor relationship from forming entirely, not cause selective route filtering; the engineer already confirmed the router is receiving routes from multiple neighbors, so the neighbor relationship is up. Option C is wrong because the engineer specifically identified an ACL as the filtering mechanism, and there is no mention of a route-map; a route-map would be a separate configuration applied under the OSPFv3 process or redistribution, not on the interface. Option D is wrong because the engineer explicitly states the ACL is applied inbound, not outbound; an outbound ACL would affect routes being sent, not received.

1747
MCQmedium

A network engineer is troubleshooting a PBR (Policy-Based Routing) issue on router R5. The engineer configured a route-map to set the next-hop for traffic from a specific source subnet. The route-map is applied to the incoming interface, but traffic from the source subnet is still being forwarded using the regular routing table. The engineer verifies that the ACL matches the traffic correctly. What is the most likely cause?

A.The route-map is missing a 'set ip next-hop' command, or the next-hop is not reachable.
B.The route-map is applied outbound instead of inbound on the interface.
C.The ACL is using a standard ACL, which cannot match source subnet correctly.
D.The route-map has a 'set default interface' command that overrides the next-hop.
AnswerA

Correct because without a valid 'set' command, PBR does not alter forwarding.

Why this answer

PBR route-maps must have at least one 'match' and one 'set' statement. If the route-map has a 'match ip address' but no 'set ip next-hop' (or the next-hop is unreachable), PBR will not apply and traffic will use the routing table. Also, the route-map must be applied to the correct interface and direction.

1748
MCQhard

A network engineer runs the following command on Router R1: R1# show bfd neighbors detail IPv4 Sessions NeighborAddr LD/RD Int State Holdown(mult) Intf 10.1.1.2 1/3 Gi0/0 Up 3000(3) Gi0/0 Session state is UP and not using echo function. OurAddr: 10.1.1.1 Handle: 1 Local Diag: 0, Demand mode: 0, Poll bit: 0 MinTxInt: 1000000, MinRxInt: 1000000, Multiplier: 3 Received MinRxInt: 500000, Received Multiplier: 3 Holddown (hits): 1500(0) Rx Count: 200, Tx Count: 200 Based on this output, what is the holddown timer value in milliseconds and why?

A.The holddown timer is 1500 ms, which is the received MinRxInt (500 ms) multiplied by the multiplier (3).
B.The holddown timer is 3000 ms, but the output shows 1500 ms because the holddown timer displayed is half of the actual holddown time.
C.The holddown timer is 1500 ms, which is the local MinRxInt (1000 ms) multiplied by the multiplier (3) divided by 2.
D.The holddown timer is 3000 ms, and the output is correct as is.
AnswerB

Cisco IOS divides the holddown timer by 2 for display; the actual holddown is 3000 ms.

Why this answer

The holddown timer is calculated as the maximum of the local MinRxInt and the received MinRxInt, multiplied by the multiplier. Local MinRxInt is 1000000 microseconds, received MinRxInt is 500000 microseconds. The maximum is 1000000 microseconds.

Multiplied by 3 gives 3000000 microseconds = 3000 ms. However, the output shows 1500 ms. This is because the holddown timer displayed is actually half of the calculated value due to a Cisco implementation detail where the holddown timer is divided by 2 for display purposes.

The actual holddown time is 3000 ms.

1749
MCQhard

An engineer is troubleshooting a DHCPv6 stateful (DHCPv6) deployment. The router is configured as a DHCPv6 server with a pool for prefix 2001:db8:2::/64. Clients on the LAN are configured to use DHCPv6, but they are not receiving IPv6 addresses. The router interface has 'ipv6 address 2001:db8:2::1/64' and 'ipv6 dhcp server DHCP_POOL'. The engineer sees that the clients are sending SOLICIT messages, but the router sends no REPLY. What is the issue?

A.The interface is missing the 'ipv6 nd managed-config-flag' command.
B.The DHCPv6 pool is missing the 'address prefix 2001:db8:2::/64' command.
C.The router needs the 'ipv6 dhcp relay' command on the interface.
D.The 'ipv6 unicast-routing' command is missing globally.
AnswerB

Correct because without an address prefix in the pool, the DHCPv6 server has no addresses to assign and will not send a REPLY to SOLICIT messages.

Why this answer

For stateful DHCPv6, the router must also send Router Advertisements with the 'M' (Managed) flag set to indicate that clients should use DHCPv6. Without the 'ipv6 nd managed-config-flag' command, clients may not request addresses via DHCPv6, or the server may not respond appropriately. However, the symptom says clients are sending SOLICIT messages, so they are attempting DHCPv6.

The router is not replying, which could be due to a misconfigured pool or the server not being enabled. The most likely cause is that the DHCPv6 pool does not have an 'address prefix' statement, so the server has no addresses to assign.

1750
MCQmedium

An engineer is troubleshooting why syslog messages from a router are not being received by the syslog server at 192.168.1.10. The router configuration includes 'logging host 192.168.1.10' and 'logging trap 6'. The engineer runs 'debug ip packet' and sees packets destined for 192.168.1.10 being sent but no response. What should the engineer check first?

A.Verify that the syslog server is running and listening on UDP port 514.
B.Change the logging trap level to 7 (debugging) to ensure all messages are sent.
C.Add the 'logging source-interface' command to use a loopback interface.
D.Configure 'logging on' if it is not already enabled.
AnswerA

Correct because if the server is not listening or a firewall drops the packets, the messages will never be received despite the router sending them.

Why this answer

The debug output confirms packets are leaving the router for 192.168.1.10, but no response is received. Syslog uses UDP port 514 by default, and the server must be actively listening on that port to receive and process the messages. Since the router is sending correctly, the most likely issue is that the syslog server is not running or its UDP 514 listener is blocked or unavailable.

Exam trap

Cisco often tests the misconception that increasing the logging severity level (trap level) will force messages through, but the real issue is always a missing or unreachable syslog server or a blocked UDP port 514.

How to eliminate wrong answers

Option B is wrong because logging trap level 7 (debugging) would send more messages, but the problem is that no messages are being received at all—changing the severity level does not fix a missing or unreachable server. Option C is wrong because the 'logging source-interface' command only affects the source IP of syslog packets, not the ability to reach the server; the debug shows packets are already being sent, so source interface is not the issue. Option D is wrong because 'logging on' is enabled by default and is required for syslog output, but the fact that packets are being sent indicates logging is already active; disabling it would stop all logging, not fix the reception failure.

1751
MCQeasy

A network engineer runs the following command to verify DHCPv4 server conflict detection on router R1: R1# show ip dhcp conflict Output: IP address Detection method Detection time VRF 192.168.1.50 Ping Mar 01 2025 10:00 AM default 192.168.1.75 Gratuitous ARP Mar 01 2025 11:00 AM default What does this output indicate?

A.The DHCP server has detected two IP address conflicts on the network.
B.The DHCP server has successfully assigned IP addresses 192.168.1.50 and 192.168.1.75.
C.The DHCP server uses only ping to detect conflicts.
D.The DHCP server has cleared all conflicts from the database.
AnswerA

Two IP addresses are listed with detection methods and times, indicating conflicts.

Why this answer

The 'show ip dhcp conflict' command displays IP addresses that the DHCP server has detected as conflicting with another device on the network. The output shows two entries, each with a detection method (Ping or Gratuitous ARP), indicating that the DHCP server identified conflicts for 192.168.1.50 and 192.168.1.75. This confirms that two IP address conflicts have been detected and logged in the DHCP conflict database.

Exam trap

Cisco often tests the distinction between 'show ip dhcp conflict' (which logs detected conflicts) and 'show ip dhcp binding' (which shows successfully leased addresses), leading candidates to mistakenly think conflict output indicates successful assignments.

How to eliminate wrong answers

Option B is wrong because the output shows conflicts, not successful assignments; successful assignments are tracked via 'show ip dhcp binding', not 'show ip dhcp conflict'. Option C is wrong because the output explicitly shows two detection methods: Ping and Gratuitous ARP, proving the server uses both, not only ping. Option D is wrong because the output lists two unresolved conflicts, indicating the database has not been cleared; a cleared database would show no entries.

1752
MCQhard

A network engineer runs the following command on Router R1: R1# show ip eigrp topology EIGRP-IPv4 Topology Table for AS(100)/ID(192.168.1.1) Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply, r - reply Status, s - sia Status P 10.10.10.0/24, 1 successors, FD is 28160 via 10.1.1.2 (28160/28160), GigabitEthernet0/0 P 10.20.20.0/24, 1 successors, FD is 28160 via 10.2.2.2 (28160/28160), GigabitEthernet0/1 P 10.30.30.0/24, 1 successors, FD is 28160 via 10.3.3.2 (28160/28160), GigabitEthernet0/2 A 10.40.40.0/24, 0 successors, FD is Infinity via 10.4.4.2 (Infinity/Infinity), GigabitEthernet0/3 Based on this output, what is the problem?

A.The route to 10.40.40.0/24 is stuck-in-active and may cause a network instability.
B.The route to 10.40.40.0/24 is passive and stable.
C.The route to 10.30.30.0/24 has a feasible successor.
D.All routes are in a stable passive state.
AnswerA

A route in Active state with no successor indicates that the router is querying neighbors and has not received a reply, which can lead to SIA.

Why this answer

The route to 10.40.40.0/24 is in the Active (A) state with 0 successors and an FD of Infinity, meaning the router has lost its only feasible successor and is actively querying neighbors for a new path. This is a stuck-in-active (SIA) condition because the neighbor 10.4.4.2 is not replying, causing the route to remain active indefinitely and potentially destabilizing the EIGRP domain.

Exam trap

Cisco often tests the distinction between the 'P' (Passive) and 'A' (Active) codes in the 'show ip eigrp topology' output, where candidates may overlook the 'A' code and assume all routes are stable, missing the SIA condition indicated by 0 successors and Infinity FD.

How to eliminate wrong answers

Option B is wrong because the route to 10.40.40.0/24 is marked with 'A' (Active), not 'P' (Passive), indicating it is not stable. Option C is wrong because the route to 10.30.30.0/24 is Passive with only one successor and no feasible successor listed (the via line shows only one path). Option D is wrong because not all routes are passive; the 10.40.40.0/24 route is Active, indicating instability.

1753
MCQhard

An engineer configures mutual redistribution between OSPF and EIGRP. After a few minutes, the network becomes unstable with routing loops. The engineer checks the routing tables and notices that the same prefix is being learned from both protocols with different administrative distances. Which is the most likely explanation?

A.Routes are redistributed back and forth between OSPF and EIGRP without any filtering or tagging
B.The seed metric for OSPF redistribution into EIGRP is not configured
C.The administrative distance of OSPF is lower than EIGRP, causing OSPF routes to be preferred
D.The redistribute command is missing the subnets keyword under OSPF
AnswerA

Correct. Mutual redistribution without tagging or filtering causes a feedback loop, leading to routing loops.

Why this answer

Mutual redistribution without proper route tagging can cause routing loops because each protocol redistributes routes back into the other, creating a feedback loop. The administrative distance of the redistributed routes may cause one protocol to prefer the redistributed route over the original, leading to instability. Using route tags and filtering can prevent this, but without them, loops are common.

1754
MCQmedium

In MPLS, what is the default behavior of a Cisco IOS-XE router regarding the 'auto-summary' command for BGP routes?

A.Auto-summary is disabled by default for BGP.
B.Auto-summary is enabled by default for BGP.
C.Auto-summary is enabled by default only for directly connected routes.
D.Auto-summary is disabled by default for BGP but enabled for OSPF.
AnswerA

Cisco IOS-XE disables auto-summary by default for BGP since version 12.2(8)T.

Why this answer

By default, auto-summary is disabled in Cisco IOS-XE for BGP, meaning that BGP will not automatically summarize subnets to their classful boundaries.

1755
MCQmedium

Examine this partial configuration on router R5: flow record RECORD-3 match ipv4 source address match ipv4 destination address match ipv4 protocol collect routing source as collect routing destination as ! flow monitor MONITOR-5 record RECORD-3 cache timeout active 60 ! interface GigabitEthernet0/5 ip flow monitor MONITOR-5 input ! What is missing or incorrect in this configuration?

A.The flow record is missing 'match ipv4 source prefix-length' and 'match ipv4 destination prefix-length' to collect AS numbers.
B.The router must have BGP configured and the flow record must include 'match ipv4 bgp source-as' and 'match ipv4 bgp destination-as' to collect AS numbers.
C.The flow monitor is missing the 'cache timeout inactive' command to properly age out flows.
D.The configuration is correct; AS numbers will be collected automatically from the routing table.
AnswerB

To collect BGP AS numbers, the flow record must match BGP AS attributes using 'match ipv4 bgp source-as' and 'match ipv4 bgp destination-as'. The 'collect routing source as' command alone is insufficient without the corresponding match.

Why this answer

This question tests knowledge of BGP AS number collection requirements in Flexible NetFlow.

1756
MCQmedium

A network engineer runs the following command to troubleshoot a VRF-Lite issue: R1# show ip route vrf CUSTOMER_A summary Output: IP routing table name: CUSTOMER_A (0x00000001) IP routing table maximum-paths: 32 Route Source Networks Subnets Replicates Overhead Memory (bytes) connected 2 0 0 0 576 static 1 0 0 0 288 eigrp 100 3 0 0 0 864 Internal 3 0 0 0 864 External 0 0 0 0 0 ospf 200 0 0 0 0 0 Intra-area 0 0 0 0 0 Inter-area 0 0 0 0 0 External-1 0 0 0 0 0 External-2 0 0 0 0 0 NSSA-1 0 0 0 0 0 NSSA-2 0 0 0 0 0 bgp 65000 0 0 0 0 0 Internal 0 0 0 0 0 External 0 0 0 0 0 Total 6 0 0 0 1728 What does this output indicate?

A.The VRF CUSTOMER_A has 6 routes, with EIGRP 100 providing 3 internal routes.
B.The VRF CUSTOMER_A has 6 routes, all redistributed from BGP 65000.
C.The VRF CUSTOMER_A has 6 routes, with OSPF 200 providing 3 external routes.
D.The VRF CUSTOMER_A has 6 routes, all from connected and static only.
AnswerA

Correct. The summary shows 6 total routes, with EIGRP 100 contributing 3 internal routes.

Why this answer

The 'show ip route vrf summary' command displays the routing table summary for a specific VRF. It shows the number of routes from each routing protocol source. In this output, the VRF CUSTOMER_A has 6 total routes: 2 connected, 1 static, and 3 from EIGRP 100.

OSPF and BGP have 0 routes, indicating they are not contributing to the VRF's routing table.

1757
Multi-Selectmedium

Which TWO statements about route redistribution between EIGRP and OSPF are true? (Choose TWO.)

Select 2 answers
A.When redistributing EIGRP into OSPF, the OSPF metric must be explicitly configured if the default metric of 20 is not desired.
B.When redistributing OSPF into EIGRP, the default EIGRP metric is 1.
C.When redistributing OSPF into EIGRP, the default EIGRP metric is 100.
D.When redistributing OSPF into EIGRP, a seed metric must be configured for EIGRP to advertise the redistributed routes.
E.Route-maps cannot be used to filter routes during redistribution between EIGRP and OSPF.
AnswersA, D

Correct: OSPF uses a default metric of 20 for redistributed routes, so explicit configuration is needed to change it.

Why this answer

When redistributing between EIGRP and OSPF, the seed metric must be explicitly set for the receiving protocol. EIGRP uses a composite metric (bandwidth, delay, reliability, load, MTU) and OSPF uses a metric of type 1 or type 2. By default, OSPF assigns a metric of 20 to redistributed routes unless specified otherwise.

Option A is correct because OSPF requires a seed metric for redistributed routes. Option D is correct because EIGRP redistributed routes default to an infinite metric (effectively not advertised) unless a seed metric is provided. Option B is incorrect because OSPF default metric is 20, not 1.

Option C is incorrect because the default metric for EIGRP is not 100. Option E is incorrect because route-maps can be used to filter redistributed routes.

1758
MCQhard

A network engineer configures an EEM applet to monitor EIGRP stuck-in-active (SIA) events using the event syslog pattern 'EIGRP-3-SIA'. The applet is designed to clear the EIGRP neighbor. The EIGRP network has a unidirectional link that causes a route to go active, but the EEM applet does not trigger. Which is the most likely explanation?

A.The EIGRP SIA syslog message is only generated when the SIA timer expires, but a unidirectional link may prevent the query from being sent, so the timer never starts.
B.The EEM applet must use 'event eigrp' instead of 'event syslog' to catch EIGRP events.
C.The EIGRP process must be restarted for the EEM applet to take effect.
D.The unidirectional link causes a routing loop that suppresses syslog generation.
AnswerA

Correct. If the unidirectional link prevents query transmission, the SIA timer is not triggered, and no syslog is generated.

Why this answer

EIGRP SIA events generate syslog messages only when the SIA timer expires (default 3 minutes). If the unidirectional link causes the route to go active but the query propagation is blocked or the neighbor is not reachable, the SIA timer may not start because the router does not receive a reply from the neighbor. In some cases, the route may remain active indefinitely without generating an SIA syslog if the query is not sent due to the unidirectional link.

The EEM applet requires the specific 'EIGRP-3-SIA' syslog pattern, which is only generated when the SIA timer actually expires.

1759
Multi-Selectmedium

Which TWO statements about the 'match ip address' command within a route-map are true? (Choose TWO.)

Select 2 answers
A.It can reference a standard access-list, extended access-list, or prefix-list.
B.It matches the source IP address of the route.
C.It can only be used in a route-map sequence with a 'permit' clause.
D.If multiple access-lists are listed in the same match command, they are evaluated with a logical OR.
E.The command 'match ip address prefix-list' is not valid.
AnswersA, D

The command accepts access-list numbers/names and prefix-list names.

Why this answer

The 'match ip address' command can reference either a standard or extended access-list, or a prefix-list. It matches the destination network of the route. It cannot match source address (that would be 'match ip next-hop' or 'match ip route-source').

The command can be used in both permit and deny sequences. A single route-map sequence can have multiple match commands, but they are logically ANDed only if under the same match statement type.

1760
MCQhard

An engineer configures a DMVPN Phase 2 network. Spoke-to-spoke tunnels are established, but traffic between spokes is not being forwarded directly; it is still going through the hub. The engineer verifies that NHRP is working and spoke-to-spoke registrations are successful. What is the most likely explanation?

A.The hub is not sending NHRP redirect messages to the spokes.
B.The spoke routers have 'ip nhrp shortcut' disabled.
C.The hub is configured with 'no ip split-horizon' on the tunnel interface.
D.The spoke routers have mismatched IPsec transform sets.
AnswerA

In DMVPN Phase 2, the hub must send NHRP redirect messages to inform spokes of the existence of a direct path. Without these redirects, spokes do not know to send traffic directly to each other.

Why this answer

In DMVPN Phase 2, spoke-to-spoke traffic requires that the spoke routers have a route to the destination prefix via the tunnel interface with the next-hop being the remote spoke's tunnel IP. If the hub is not configured to send an NHRP redirect or if the spoke does not have a route for the remote subnet via the tunnel, traffic will continue to go through the hub. The edge case is that the hub may be using a different next-hop in its routing table, or the spoke's routing table does not have a more specific route for the remote spoke's subnet via the tunnel.

1761
MCQmedium

A network engineer runs the following command to troubleshoot a Route Redistribution issue: R1# show ip ospf database external And sees the following output: OSPF Router with ID (1.1.1.1) (Process ID 1) Type-5 AS External Link States LS age: 360 Options: (No TOS-capability, DC) LS Type: AS External Link Link State ID: 192.168.10.0 (External Network Number ) Advertising Router: 2.2.2.2 LS Seq Number: 80000001 Checksum: 0x1234 Length: 36 Network Mask: /24 Metric Type: 2 (Larger than any link state path) TOS: 0 Metric: 20 Forward Address: 0.0.0.0 External Route Tag: 100 What does this output indicate?

A.The route 192.168.10.0/24 is an OSPF internal route.
B.The route is redistributed into OSPF with a metric of 20 and a route tag of 100.
C.The forward address is 0.0.0.0, meaning the route is not reachable.
D.The route is a default route redistributed into OSPF.
AnswerD

Correct. The Type 5 LSA with forward address 0.0.0.0 and metric type 2 is characteristic of a default route redistributed into OSPF, as default routes often have a forward address of 0.0.0.0 and a route tag for identification.

Why this answer

The output shows a Type 5 LSA with a forward address of 0.0.0.0 and metric type 2. In OSPF, a forward address of 0.0.0.0 in a Type 5 LSA indicates that the advertising router is the next hop, and this is commonly observed for default routes redistributed into OSPF. Additionally, the external route tag of 100 is often used to mark default routes for filtering.

Therefore, the route is a default route redistributed into OSPF.

1762
MCQmedium

A network engineer is troubleshooting a VRF-Lite configuration where a router is using RIP as the routing protocol in VRF_BLUE. The engineer notices that RIP routes are not being learned from a neighbor router. The 'show ip rip database vrf VRF_BLUE' shows no entries. The 'show ip vrf interfaces VRF_BLUE' shows the correct interface. What is the most likely cause?

A.The 'network' command is configured under the global RIP process, not under the VRF address-family.
B.The 'version 2' command is missing under the VRF address-family.
C.The 'no auto-summary' command is missing.
D.The 'timers basic' command is set to a very low value.
AnswerA

For RIP to operate in a VRF, the network command must be under the VRF address-family.

Why this answer

RIP in VRF-Lite requires that the RIP process be associated with the VRF and that the network command is issued under the VRF context. Missing the 'address-family ipv4 vrf VRF_BLUE' configuration is a common oversight.

1763
MCQhard

An engineer configures Control Plane Policing (CoPP) on a router. After applying the policy, OSPF neighbors go down. The engineer checks the policy and sees that OSPF packets are not explicitly matched. Which is the most likely explanation?

A.The class-default is set to 'drop', and OSPF packets fall into class-default because they are not matched by any other class.
B.The CoPP policy uses 'police' in bps, but OSPF packets are small and exceed the rate limit.
C.The CoPP policy is applied to the input direction, but OSPF packets are processed in the output direction.
D.The CoPP policy uses 'police' in pps, but OSPF hello packets are sent every 10 seconds, so they are not rate-limited.
AnswerA

CoPP processes packets in order. If OSPF is not matched by a higher class, it goes to class-default. If class-default drops, OSPF packets are dropped, causing neighbor loss.

Why this answer

When Control Plane Policing (CoPP) is configured, traffic is classified into classes based on match criteria. If OSPF packets are not explicitly matched by any configured class, they fall into the default class (class-default). If the policy-map sets class-default to 'drop', all unmatched traffic, including OSPF hello packets (which use IP protocol 89), will be dropped.

This causes OSPF neighbors to go down because the router stops receiving or sending OSPF control packets.

Exam trap

Cisco often tests the concept that class-default in CoPP can be set to 'drop', and candidates may overlook that OSPF or other routing protocols are not explicitly matched, leading to neighbor loss.

How to eliminate wrong answers

Option B is wrong because CoPP policies use 'police' in bps or pps, but the issue here is not rate-limiting; it is that OSPF packets are not matched and are dropped by class-default. Option C is wrong because CoPP is applied to the control plane, which processes both inbound and outbound control traffic; OSPF packets are sent and received via the control plane, and the input direction is the correct direction for incoming OSPF packets. Option D is wrong because even if OSPF hello packets are sent every 10 seconds, they would still be subject to rate-limiting if matched; the problem is that they are not matched at all and fall into class-default.

1764
MCQmedium

In DMVPN Phase 3 using OSPF, what is the default network type on a multipoint GRE tunnel interface?

A.broadcast
B.point-to-multipoint
C.NBMA
D.point-to-point
AnswerC

Correct. The default OSPF network type for mGRE is NBMA.

Why this answer

By default, a multipoint GRE tunnel interface is treated as an OSPF NBMA network type. This requires manual neighbor configuration unless the interface is set to broadcast or point-to-multipoint.

1765
MCQmedium

A network engineer runs the following command to troubleshoot a Route Redistribution issue: R1# debug eigrp packets And sees the following output: *Mar 1 00:15:22.123: EIGRP: Received UPDATE on Serial0/0/0 nbr 10.1.1.2 *Mar 1 00:15:22.124: AS 100, Flags 0x1, Seq 45/0 idbQ 0/0 iidbQ un/rely 0/0 *Mar 1 00:15:22.125: Ext: 192.168.10.0/255.255.255.0, metric 156160, tag 0 *Mar 1 00:15:22.126: EIGRP: Enqueueing UPDATE on Serial0/0/0 nbr 10.1.1.2 iidbQ un/rely 0/1 peerQ un/rely 0/0 serno 12-12 *Mar 1 00:15:22.127: EIGRP: Sending UPDATE on Serial0/0/0 nbr 10.1.1.2, retry 0, R=1 *Mar 1 00:15:22.128: Ext: 10.2.2.0/255.255.255.0, metric 128256, tag 0 What does this output indicate?

A.EIGRP is redistributing routes from another protocol into EIGRP, as indicated by the tag 0.
B.R1 is learning 192.168.10.0/24 via EIGRP and advertising 10.2.2.0/24 back to the same neighbor, which could indicate a routing loop.
C.R1 is receiving an EIGRP update and sending an update in response, which is normal EIGRP behavior.
D.The metric of 156160 indicates that the route 192.168.10.0/24 is redistributed from OSPF.
AnswerC

The output shows standard EIGRP update exchange. No redistribution issue is visible.

Why this answer

The debug eigrp packets output shows EIGRP update packets being exchanged. R1 receives an update for 192.168.10.0/24 from neighbor 10.1.1.2 and then sends an update for 10.2.2.0/24. This indicates normal EIGRP operation; no redistribution issue is apparent from this output.

1766
MCQmedium

Examine this configuration: interface GigabitEthernet0/4 ipv6 address 2001:db8:2::1/64 ipv6 verify unicast source reachable-via any What is the effect of the 'ipv6 verify unicast source reachable-via any' command?

A.The router performs strict uRPF: the source address must be reachable via the same interface the packet arrived on.
B.The router performs loose uRPF: the source address must be reachable via any route in the FIB.
C.The router drops all packets with source addresses not in the same subnet as the interface.
D.The command is invalid because 'ipv6 verify unicast' requires a route-map.
AnswerB

Loose mode only requires a route to the source, not necessarily via the receiving interface.

Why this answer

The command 'ipv6 verify unicast source reachable-via any' enables loose unicast Reverse Path Forwarding (uRPF) for IPv6. In loose mode, the router checks that the source address of an incoming packet is reachable via any route in the Forwarding Information Base (FIB), not necessarily through the receiving interface. This is the correct behavior described in option B.

Exam trap

Cisco often tests the distinction between 'any' (loose) and 'rx' (strict) keywords in uRPF configuration, and candidates commonly confuse 'reachable-via any' with strict uRPF or assume it requires a route-map.

How to eliminate wrong answers

Option A is wrong because it describes strict uRPF, which requires the source address to be reachable via the exact interface the packet arrived on, but the command uses 'any' (loose mode), not 'rx' (strict mode). Option C is wrong because uRPF does not drop packets based on subnet matching; it checks reachability in the FIB, and loose mode allows any valid route regardless of subnet. Option D is wrong because the command is valid without a route-map; the 'ipv6 verify unicast' command can use 'reachable-via any' or 'reachable-via rx' directly, and a route-map is optional for advanced filtering.

1767
MCQmedium

Given this partial configuration on router R6: router bgp 65000 neighbor 192.168.1.1 remote-as 65001 address-family ipv4 network 172.16.0.0 mask 255.255.0.0 aggregate-address 172.16.0.0 255.255.0.0 What is missing if the administrator wants to ensure that only the aggregate route is advertised to neighbor 192.168.1.1?

A.The 'summary-only' keyword is missing from the aggregate-address command.
B.The 'network' command should be removed.
C.The 'synchronization' command must be enabled.
D.The 'neighbor 192.168.1.1 route-map' command is needed.
AnswerA

Correct. Without summary-only, more specific routes are still advertised.

Why this answer

The aggregate-address command without the summary-only keyword will advertise both the aggregate and the more specific routes. To suppress the specifics, the summary-only keyword is required.

1768
MCQmedium

A network engineer runs the following command on Router R1: R1# show ip eigrp neighbors EIGRP-IPv4 Neighbors for AS(100) H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 0 10.1.1.2 Gi0/0 13 00:12:34 12 200 0 45 1 10.2.2.2 Gi0/1 12 00:10:20 15 200 0 32 2 10.3.3.2 Gi0/2 14 00:08:15 18 200 0 28 3 10.4.4.2 Gi0/3 13 00:06:10 20 200 0 22 Based on this output, which statement is correct?

A.All four EIGRP neighbors are in the established state and exchanging routes.
B.Neighbor 10.4.4.2 has a high SRTT of 20 ms, indicating a slow link.
C.The Q Cnt of 0 means that there are 0 packets queued for retransmission, but this could indicate a problem.
D.The neighbor on Gi0/3 has the lowest uptime, so it may be flapping.
AnswerA

All neighbors show a hold time, uptime, SRTT, RTO, and Q Cnt of 0, indicating a stable adjacency.

Why this answer

Option A is correct because all four neighbors show a Q Cnt of 0, which indicates no packets are queued for retransmission, and the Hold timers are within the default 15-second range, confirming that hello packets are being received regularly. The SRTT values are low (12-20 ms), and the RTO is consistent at 200 ms, which together with the established neighbor states (indicated by the 'H' column showing adjacency indices) confirms that all neighbors have successfully formed an adjacency and are exchanging routes in the EIGRP AS 100.

Exam trap

Cisco often tests the misconception that a low uptime automatically indicates flapping, but in reality, uptime only shows how long the adjacency has been established, and without evidence of repeated resets or high sequence number gaps, it is not diagnostic of instability.

How to eliminate wrong answers

Option B is wrong because an SRTT of 20 ms is not considered high; SRTT values under 100 ms are typical for healthy links, and this value alone does not indicate a slow link—SRTT reflects round-trip time for reliable packets, not link speed. Option C is wrong because a Q Cnt of 0 is normal and indicates that no packets are waiting for acknowledgment or retransmission, which is a healthy state; it does not suggest a problem. Option D is wrong because the neighbor on Gi0/3 has an uptime of 00:06:10, which is the lowest among the four, but this does not necessarily indicate flapping—it could simply mean the neighbor was recently added or the interface was reset; flapping would show repeated resets in the uptime or frequent adjacency changes, which are not evident here.

1769
Multi-Selecthard

Which TWO statements correctly describe the behavior of SNMPv3 when using the 'noAuthNoPriv' security level? (Choose TWO.)

Select 2 answers
A.The username and password are sent in clear text.
B.The SNMP engine ID is still used for message processing and identification.
C.The 'snmp-server user' command must include the 'auth' and 'priv' keywords set to 'md5' and 'des' respectively.
D.The security level is configured per user, not per group.
E.The engine ID can be manually configured or automatically generated based on the router's MAC address.
AnswersB, E

The engine ID is always used in SNMPv3 for message processing, regardless of the security level.

Why this answer

Option B is correct because SNMPv3 always uses the engine ID for message processing and identification, regardless of the security level. Even with 'noAuthNoPriv', the engine ID is included in the SNMP message to uniquely identify the SNMP engine, enabling proper message handling and context for the security model.

Exam trap

Cisco often tests the misconception that 'noAuthNoPriv' sends a password in clear text, when in fact no authentication is performed at all, so no password is transmitted.

1770
MCQmedium

A network engineer runs the following command on Router R1: R1# show ip access-lists Extended IP access list 140 10 deny tcp any host 10.1.1.1 eq 23 (15 matches) 20 permit tcp any host 10.1.1.1 eq 22 (20 matches) 30 permit ip any any (5 matches) Based on this output, what is the problem?

A.SSH to 10.1.1.1 is being denied.
B.Telnet to 10.1.1.1 is being denied, which may be intentional.
C.All traffic is permitted because of line 30.
D.The ACL is not applied to any interface.
AnswerB

Line 10 denies Telnet with 15 matches, so Telnet traffic is blocked.

Why this answer

Option B is correct because the ACL explicitly denies TCP traffic to host 10.1.1.1 on port 23 (Telnet) with line 10, and the match count of 15 confirms that Telnet attempts are being blocked. While this may be intentional to enforce secure management via SSH (permitted on port 22), the question asks for the problem, and the output shows Telnet is being denied. The ACL does not block SSH (line 20 permits it), so the issue is specifically that Telnet access is denied.

Exam trap

Cisco often tests the misconception that a 'permit ip any any' at the end of an ACL overrides earlier deny statements, but candidates must remember that ACLs are processed sequentially and the first match wins.

How to eliminate wrong answers

Option A is wrong because SSH to 10.1.1.1 is permitted by line 20 (permit tcp any host 10.1.1.1 eq 22) with 20 matches, so SSH is not being denied. Option C is wrong because line 30 (permit ip any any) only applies to traffic that has not matched earlier lines; since Telnet to 10.1.1.1 matches line 10 (deny), it is blocked regardless of line 30. Option D is wrong because the output shows match counts (15, 20, 5), which indicate the ACL is applied to an interface and processing traffic; an unapplied ACL would show zero matches.

1771
MCQhard

In an MPLS network, Router R1 is a provider edge (PE) router that redistributes BGP routes into OSPF. The network experiences intermittent loss of reachability to a specific prefix 10.10.10.0/24. R1 configuration includes: 'router ospf 1 redistribute bgp 65000 subnets metric-type 1' and 'router bgp 65000 neighbor 10.0.0.2 route-map SET-METRIC in' with a route-map that sets metric 100. R2, a P router, shows 'show ip route 10.10.10.0' output: 'O E1 10.10.10.0/24 [110/20] via 10.0.0.1, 00:00:15' but traffic fails. What is the root cause?

A.The route-map SET-METRIC is not applied to the correct neighbor direction; it should be outbound.
B.The OSPF redistribute command lacks the 'metric' keyword to use the BGP metric; default metric 20 is used, causing inconsistency.
C.The OSPF network type mismatch on the link between R1 and R2 causes adjacency issues.
D.The BGP neighbor 10.0.0.2 is not reachable due to ACL blocking.
AnswerB

Without 'metric' in redistribute, OSPF uses default metric 20, ignoring the BGP metric set by route-map, leading to incorrect cost and potential routing loops.

Why this answer

The route-map applied to BGP inbound sets metric 100, but redistribution into OSPF uses the BGP metric as the OSPF cost. However, OSPF external route cost is calculated as metric-type 1 cost plus internal cost to the ASBR. The OSPF cost of 20 indicates the BGP metric is not being used correctly; instead, the default metric of 20 is applied because the 'metric' keyword is missing in the redistribute command, causing suboptimal path and potential blackholing due to metric mismatch.

1772
MCQmedium

A network engineer is troubleshooting a route redistribution issue between EIGRP and OSPF. Routers R1 (EIGRP) and R2 (OSPF) are redistributing routes. The engineer notices that some EIGRP routes are appearing in the OSPF database on R2, but traffic to those destinations is not being forwarded correctly. The show ip route command on R2 shows the redistributed routes with a next-hop of 0.0.0.0. What is the most likely cause?

A.The redistribute eigrp command under OSPF is missing the subnets keyword.
B.The OSPF process on R2 has a route map that is changing the next-hop.
C.EIGRP has a lower administrative distance than OSPF.
D.The EIGRP routes are not in the routing table on R2.
AnswerA

Correct: Without subnets, the next-hop may be set to 0.0.0.0 for classless routes.

Why this answer

When redistributing into OSPF, if the redistributed routes are not directly connected to the redistributing router, the next-hop may be set to 0.0.0.0 (self) if the subnets keyword is missing or if the route is not in the routing table. However, a common cause is that the redistribute command is missing the subnets keyword, causing classful behavior.

1773
MCQhard

An engineer configures an ISATAP tunnel on a router. The tunnel comes up and the router can ping the ISATAP server, but IPv6 hosts on the ISATAP network cannot reach IPv6 hosts on the native IPv6 network. The ISATAP router is configured with a static route to the native network. What is the most likely cause?

A.The ISATAP interface is not enabled for IPv6 routing; 'ipv6 unicast-routing' is missing globally.
B.The ISATAP interface does not send router advertisements by default; the 'ipv6 nd ra-interval' command must be configured.
C.The static route on the ISATAP router points to the wrong next-hop IPv6 address.
D.The ISATAP tunnel source interface is not reachable from the ISATAP server.
AnswerC

Correct. The static route points to the wrong next-hop IPv6 address, so packets from ISATAP hosts are forwarded incorrectly, preventing reachability to the native IPv6 network.

Why this answer

The ISATAP router has a static route to the native IPv6 network, but the hosts cannot reach it. Since the tunnel is up and the router can ping the ISATAP server, the tunnel itself is functional. The most likely issue is that the static route has an incorrect next-hop address, causing packets from the ISATAP hosts to be misdirected or dropped.

While ISATAP interfaces do not send Router Advertisements by default, the absence of RAs would prevent hosts from learning a default route, but the question states a static route is configured, implying the router should forward traffic; however, if the route is wrong, forwarding fails. Option B is incorrect because 'ipv6 nd ra-interval' only sets the interval for RAs, not enabling them; the proper command to enable RAs is 'ipv6 nd prefix' or 'ipv6 address autoconfig'.

Exam trap

Many candidates assume the issue is RA-related because ISATAP tunnels don't send RAs by default, but the static route misconfiguration is a more direct cause when a route is explicitly configured.

How to eliminate wrong answers

Option A is wrong because 'ipv6 unicast-routing' is a global command that enables IPv6 routing on the router, and since the tunnel is up and the router can ping the ISATAP server, IPv6 routing is already enabled. Option C is wrong because the static route pointing to the wrong next-hop would cause the router itself to be unable to reach the native network, but the problem states that the router can ping the ISATAP server (which is on the native side), so the static route is correct. Option D is wrong because the tunnel source interface is reachable from the ISATAP server, as evidenced by the router successfully pinging the ISATAP server.

1774
MCQhard

OSPF is configured on a multi-access link between R1 and R2. R1 has: interface GigabitEthernet0/0, ip ospf network point-to-point. R2 has default broadcast network type. R1 shows: show ip ospf neighbor includes R2 in FULL state, but R2 shows: show ip ospf neighbor includes R1 in INIT state. What is the root cause?

A.R1's OSPF process ID does not match R2's.
B.The network type mismatch causes R1 to use unicast hellos, while R2 expects multicast.
C.R1 has a higher router ID, preventing adjacency.
D.R2's interface is passive, blocking OSPF hellos.
AnswerB

Point-to-point uses unicast; broadcast uses multicast, leading to one-way communication.

Why this answer

When R1 is configured with 'ip ospf network point-to-point' on a multi-access link, it changes its OSPF behavior to use unicast hellos to the neighbor's IP address instead of the standard multicast address 224.0.0.5. R2, with the default broadcast network type, expects to receive OSPF hellos on the multicast address. Because R1 sends unicast hellos, R2 never receives them, so R2's neighbor state for R1 remains INIT.

R1, however, receives R2's multicast hellos and can form a full adjacency from its perspective, leading to the asymmetric state.

Exam trap

Cisco often tests the asymmetric neighbor state (FULL on one side, INIT on the other) as a signature symptom of OSPF network type mismatch, tempting candidates to blame mismatched process IDs or passive interfaces instead.

How to eliminate wrong answers

Option A is wrong because OSPF process IDs are locally significant and do not need to match between routers for adjacency formation. Option C is wrong because a higher router ID does not prevent adjacency; the router ID is used for DR/BDR election in broadcast networks, but with a point-to-point network type on R1, no DR/BDR election occurs, and a higher router ID would not block adjacency. Option D is wrong because a passive interface would suppress all OSPF hellos, causing both sides to show no neighbor or only INIT state, not the asymmetric FULL/INIT state described.

1775
MCQhard

A network uses route summarization to reduce routing table size. After enabling Flexible NetFlow, some routes that were previously summarized are now being advertised individually. Router R1 has: interface GigabitEthernet0/0 ip summary-address eigrp 100 10.0.0.0 255.0.0.0. The flow monitor is applied to the same interface. show ip route eigrp | include (10.0.0.0/8) shows the summary route, but also shows more specific routes like 10.1.0.0/16. What is the root cause?

A.The flow monitor is configured with a sampler that causes the router to process packets in software, and the software path learns more specific routes from routing updates that are not summarized.
B.The flow monitor is using a flow record that includes the 'ipv4 destination prefix' field, causing the router to install a route for each destination.
C.The summary route is not configured correctly; it should be a range of /8, but the more specific routes are from a different EIGRP process.
D.The flow exporter is sending the more specific routes to the collector, which then redistributes them back.
AnswerA

When a sampler is used, packets are punted to the CPU for sampling, and the CPU may process routing updates that contain more specific routes, which are then installed in the routing table, bypassing the summary.

Why this answer

Flexible NetFlow can cause the router to process packets differently, but it should not affect route summarization. However, if the flow monitor is configured with a flow record that includes the 'ipv4 source prefix' or 'ipv4 destination prefix' fields, it might cause the router to install more specific routes in the routing table due to the way the router handles flow cache entries. The correct answer is that the flow monitor is using a flow record that includes the 'ipv4 destination prefix' field, and the router is using that to create a route cache that overrides the summary route.

But this is not standard behavior. The more likely root cause is that the summary route is configured on the interface, but the flow monitor is applied in the input direction, and the router's CEF (Cisco Express Forwarding) is affected by the flow monitor, causing it to punt packets to the CPU, which then learns more specific routes via the routing protocol. Actually, the correct answer is that the flow monitor is configured with a sampler that causes the router to process packets in software, and the software path learns more specific routes from the routing updates that are not summarized.

1776
MCQmedium

Examine the following partial configuration on router R1: flow record RECORD-1 match ipv4 source address match ipv4 destination address match ipv4 protocol collect counter bytes collect counter packets ! flow monitor MONITOR-1 record RECORD-1 cache timeout active 60 ! interface GigabitEthernet0/1 ip flow monitor MONITOR-1 input ! Which statement about this configuration is true?

A.The flow monitor will export flow records every 60 seconds regardless of whether the flow is still active.
B.The flow monitor will only export flows that have been idle for 60 seconds.
C.The flow record is missing the 'collect transport tcp-flags' command to be valid.
D.The flow monitor will not export any data because no exporter has been configured.
AnswerD

Correct. The configuration lacks an exporter, which is required for NetFlow export to occur.

Why this answer

The configuration does not include an exporter. Without a flow exporter, the flow monitor cannot export any data, so no netflow export will occur, regardless of cache timeout settings.

Exam trap

The key point is that a flow exporter must be configured and referenced by the flow monitor via the 'exporter' command before any export can happen. Without it, the monitor will collect flows locally but never send them.

1777
Multi-Selectmedium

Which TWO statements about administrative distance are true? (Choose TWO.)

Select 2 answers
A.A lower administrative distance is preferred over a higher one.
B.Administrative distance is used to compare routes from different routing protocols.
C.The default administrative distance for OSPF is 90.
D.Administrative distance is used to compare routes within the same routing protocol.
E.The default administrative distance for EIGRP internal routes is 170.
AnswersA, B

The route with the lowest administrative distance is installed in the routing table.

Why this answer

Administrative distance is used to select the best route when multiple routing protocols provide routes to the same destination. A lower administrative distance is preferred. The default administrative distance for OSPF is 110, and for EIGRP it is 90 (internal) or 170 (external).

1778
MCQmedium

A network engineer is troubleshooting a route filtering issue using distribute-lists under OSPF. Router R8 has a distribute-list out applied to the OSPF process to filter routes being advertised to a specific neighbor. The distribute-list references an ACL that denies a specific prefix, but the prefix is still being advertised to the neighbor. What is the most likely cause?

A.The distribute-list is applied to the OSPF process, not to the specific neighbor; use 'neighbor distribute-list' instead.
B.The ACL is using the wrong wildcard mask; it should deny the exact prefix with 0.0.0.0 mask.
C.The distribute-list is applied inbound instead of outbound.
D.The OSPF process has 'default-information originate' that overrides the distribute-list.
AnswerA

Correct because per-neighbor filtering requires the distribute-list under the neighbor command.

Why this answer

Distribute-lists under OSPF can be applied in or out, but the 'out' direction filters routes being advertised out of the OSPF process to all neighbors. However, if the distribute-list is applied to the OSPF process (not to a specific interface), it filters routes from the routing table into OSPF, not to a specific neighbor. To filter per neighbor, a distribute-list must be applied to the neighbor under the OSPF process using 'neighbor x.x.x.x distribute-list'.

1779
MCQhard

Two routers R1 and R2 are connected via a FastEthernet link. OSPF is configured on both with network type broadcast. R1 shows: 'show ip ospf neighbor' lists R2 as FULL/DR. R2 shows: 'show ip ospf neighbor' lists R1 as FULL/BDR. However, pings between loopback interfaces on R1 and R2 fail intermittently. 'show ip route' on R1 shows the loopback of R2 as reachable via OSPF, but 'show ip ospf interface' on R1 shows the link as point-to-point. What is the root cause?

A.One router has 'ip ospf network point-to-point' configured, while the other uses the default broadcast, causing a mismatch in the network type.
B.The FastEthernet interface is operating at half-duplex, causing packet loss.
C.OSPF hello and dead timers are mismatched, preventing adjacency formation.
D.The MTU on the link is mismatched, causing OSPF packets to be dropped.
AnswerA

A network type mismatch prevents proper OSPF operation; broadcast expects DR/BDR election, while point-to-point does not, leading to inconsistent neighbor states and potential forwarding issues.

Why this answer

The root cause is a mismatch in OSPF network type between R1 and R2. R1's 'show ip ospf interface' shows the link as point-to-point, indicating that 'ip ospf network point-to-point' is configured on R1, while R2 uses the default broadcast type. This mismatch causes R1 to not send OSPF hello packets with the correct multicast address (224.0.0.5 for point-to-point vs. 224.0.0.6 for broadcast DR/BDR election), leading to intermittent connectivity and the observed neighbor states (FULL/DR and FULL/BDR) that appear correct but are actually unstable.

Exam trap

Cisco often tests the misconception that a FULL neighbor state guarantees correct OSPF operation, but here the mismatch in network type causes subtle forwarding issues even though the adjacency appears established.

How to eliminate wrong answers

Option B is wrong because half-duplex operation on a FastEthernet link can cause collisions and packet loss, but it would not cause the specific symptom of 'show ip ospf interface' showing point-to-point while the neighbor states show DR/BDR roles; half-duplex does not change the OSPF network type. Option C is wrong because mismatched hello and dead timers would prevent the OSPF adjacency from reaching FULL state entirely, but here both routers show FULL neighbor states, indicating timers are consistent. Option D is wrong because MTU mismatch typically causes OSPF packets to be dropped during database exchange (stuck in EXSTART/EXCHANGE state), not after FULL adjacency is established, and it would not cause the interface to be reported as point-to-point.

1780
MCQmedium

In DHCPv6, what is the purpose of the 'managed-config-flag' in Router Advertisement messages?

A.It indicates that hosts should use DHCPv6 to obtain their IPv6 address and other configuration parameters.
B.It indicates that hosts should use SLAAC for addressing and DHCPv6 for other configuration only.
C.It indicates that the router is a DHCPv6 server.
D.It indicates that hosts should use only stateless address autoconfiguration.
AnswerA

The M flag signals stateful DHCPv6, where hosts get both addresses and other info from a DHCPv6 server.

Why this answer

The 'managed-config-flag' (M flag) in Router Advertisement (RA) messages, as defined in RFC 3315 and RFC 4861, tells hosts to use stateful DHCPv6 for both IPv6 address assignment and other configuration parameters (e.g., DNS servers). When set to 1, hosts must use DHCPv6 to obtain their IPv6 address, overriding SLAAC for addressing. This flag is part of the RA's prefix information option and directly controls whether hosts perform stateful or stateless address configuration.

Exam trap

Cisco often tests the distinction between the M flag and the O flag, and the trap here is confusing the 'managed-config-flag' (for addressing + other config) with the 'other-config-flag' (for other config only), leading candidates to incorrectly select option B.

How to eliminate wrong answers

Option B is wrong because it describes the 'other-config-flag' (O flag), not the managed-config-flag; the O flag indicates hosts should use SLAAC for addressing and DHCPv6 for other configuration only. Option C is wrong because the managed-config-flag does not indicate that the router is a DHCPv6 server; it is a directive to hosts, and the router sending the RA may or may not be a DHCPv6 server itself. Option D is wrong because it describes the behavior when both the M and O flags are set to 0, meaning hosts should use only stateless address autoconfiguration (SLAAC) without DHCPv6.

1781
MCQhard

When using the 'access-group' command to apply an ACL to an interface, what is the default direction if none is specified?

A.Inbound
B.Outbound
C.The command defaults to inbound.
D.The command is rejected without a direction keyword.
AnswerD

The access-group command syntax requires either 'in' or 'out'.

Why this answer

The 'access-group' command in Cisco IOS requires a direction keyword (either 'in' or 'out') to specify whether the ACL filters inbound or outbound traffic. If no direction is provided, the command is rejected with an error message because the direction is a mandatory parameter. This behavior is consistent across all Cisco IOS versions and platforms.

Exam trap

The trap here is that Cisco often tests the misconception that ACLs default to inbound when no direction is specified, but the command is actually rejected without the mandatory keyword.

How to eliminate wrong answers

Option A is wrong because the command does not default to inbound; it requires an explicit direction keyword. Option B is wrong because the command does not default to outbound; the direction must be specified. Option C is wrong because the command does not default to inbound; it is rejected without a direction keyword.

1782
MCQmedium

A network engineer runs the following command to troubleshoot an IPv4 Access Control Lists issue: R1# debug ip packet 100 detail IP packet debugging is on for access list 100 *Mar 1 00:12:34.567: IP: s=10.1.1.1 (GigabitEthernet0/0), d=10.2.2.2, len 100, proto UDP, flags 0x0, sport 12345, dport 80, access list 100: matched line 10 permit udp host 10.1.1.1 host 10.2.2.2 eq 80 *Mar 1 00:12:35.123: IP: s=10.1.1.1 (GigabitEthernet0/0), d=10.2.2.2, len 100, proto TCP, flags 0x2, sport 12346, dport 443, access list 100: matched line 20 deny tcp host 10.1.1.1 host 10.2.2.2 eq 443 *Mar 1 00:12:35.124: IP: s=10.1.1.1 (GigabitEthernet0/0), d=10.2.2.2, len 100, proto TCP, flags 0x10, sport 12346, dport 443, access list 100: matched line 20 deny tcp host 10.1.1.1 host 10.2.2.2 eq 443 What does this output indicate?

A.The ACL is applied inbound on GigabitEthernet0/0 and is permitting UDP traffic to port 80 while denying TCP traffic to port 443.
B.The ACL is applied outbound on GigabitEthernet0/0 and is permitting all traffic.
C.The ACL is misconfigured because TCP traffic to port 443 should be permitted.
D.The ACL is not applied to any interface because debug ip packet shows only the ACL number.
AnswerA

The debug output shows that UDP traffic to port 80 matches line 10 (permit) and TCP traffic to port 443 matches line 20 (deny).

Why this answer

The debug output shows packets entering GigabitEthernet0/0 (source interface) and matching ACL 100. The first packet (UDP to port 80) matches line 10 (permit), while subsequent TCP packets to port 443 match line 20 (deny). Since the source interface is the inbound interface, the ACL is applied inbound.

This confirms Option A: the ACL permits UDP to port 80 and denies TCP to port 443.

Exam trap

Cisco often tests the ability to distinguish inbound vs. outbound ACL application by interpreting the source and destination IP addresses in debug output, where the trap is that candidates mistakenly assume the ACL is outbound because the destination IP is different, ignoring that the source interface reveals the direction.

How to eliminate wrong answers

Option B is wrong because the debug output explicitly shows packets being denied (matched line 20 deny), not permitted, and the source interface indicates inbound, not outbound, application. Option C is wrong because the ACL is not misconfigured; it is functioning as designed by denying TCP to port 443, and there is no requirement that TCP to port 443 must be permitted. Option D is wrong because the debug output includes the interface (GigabitEthernet0/0) in the source field, confirming the ACL is applied to that interface; the 'debug ip packet' command with an ACL number only filters packets matching that ACL, but the interface is still shown in the debug message.

1783
MCQhard

In DMVPN Phase 2, what is the default behavior of the 'ip nhrp redirect' command on the hub router?

A.It is enabled by default and causes the hub to send redirect messages to spokes.
B.It is disabled by default and must be configured for spoke-to-spoke direct communication.
C.It is disabled by default and is used in Phase 3 to enable NHRP redirects.
D.It is enabled by default and is used to disable NHRP shortcut switching.
AnswerC

Correct. The command is off by default and is a Phase 3 feature.

Why this answer

In DMVPN Phase 2, the 'ip nhrp redirect' command is not enabled by default on the hub. It is used in Phase 3 to enable NHRP redirects, which allow the hub to inform spokes that a better path exists directly to another spoke. In Phase 2, spoke-to-spoke tunnels are established based on NHRP resolution triggered by traffic, not by redirect messages.

1784
MCQmedium

A network engineer configures BGP on router R4: router bgp 65004 bgp router-id 4.4.4.4 neighbor 10.4.4.3 remote-as 65003 neighbor 10.4.4.3 password BGPsecret ! What is the effect of the password command?

A.It encrypts the BGP updates using the password as a key.
B.It enables MD5 authentication for the TCP session; the neighbor must also have the same password.
C.It sets a simple password that is sent in clear text with each BGP update.
D.It has no effect unless the neighbor is configured with the same password.
AnswerB

The password command enables TCP MD5 signature option, requiring both sides to match.

Why this answer

The password command enables MD5 authentication for the TCP connection between BGP peers. Both peers must have the same password; otherwise, the session will not establish.

1785
MCQmedium

A network engineer configures a SPAN session on a Cisco switch to monitor traffic on interface GigabitEthernet0/1 and sends it to interface GigabitEthernet0/2. The engineer notices that the destination port is up but does not forward any traffic. The engineer checks the configuration and sees that the destination port is configured as a trunk port. What is the most likely cause?

A.The destination port is configured as a trunk port instead of an access port.
B.The source interface is in a different VLAN than the destination interface.
C.The SPAN session is configured with the 'rx' direction only.
D.The destination port is not in the same VLAN as the source interface.
AnswerA

Correct because SPAN destination ports should be access ports; trunk ports are not supported for SPAN destinations on most platforms.

Why this answer

SPAN destination ports should be access ports, not trunk ports. If a trunk port is used as a destination, the switch may not forward the monitored traffic correctly because the port expects tagged traffic.

1786
Drag & Drophard

Drag and drop the steps to troubleshoot IPv6 over IPv4 tunnel adjacency or connectivity failures into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

The troubleshooting process follows a logical progression: first verify the tunnel interface is up/up, then check the IPv6 routing table for the destination prefix, inspect the tunnel source and destination IPs for correctness, verify IPv4 reachability to the tunnel destination, and finally examine ACLs or firewall rules that might block GRE protocol 47 traffic.

1787
MCQmedium

Router R1 has the following configuration: ``` interface GigabitEthernet0/1 ip address 10.1.1.1 255.255.255.0 ip policy route-map PBR-OUT ! route-map PBR-OUT permit 10 match ip address 100 set ip next-hop 192.168.1.1 ! access-list 100 permit ip host 10.1.1.100 any ``` What is the effect of this configuration?

A.Packets received on GigabitEthernet0/1 from source 10.1.1.100 are forwarded to next-hop 192.168.1.1.
B.Packets transmitted out of GigabitEthernet0/1 to destination 10.1.1.100 are forwarded to next-hop 192.168.1.1.
C.All packets from 10.1.1.100 are dropped because the route-map does not have a permit statement.
D.The configuration is invalid because the ACL must match destination, not source.
AnswerA

The route-map is applied inbound, so packets arriving on this interface from 10.1.1.100 are policy-routed to 192.168.1.1.

Why this answer

The route-map is applied as an inbound policy on the interface, but the name 'PBR-OUT' suggests outbound, which is misleading. However, the 'ip policy route-map' command applies to incoming packets on that interface. The ACL matches source 10.1.1.100 to any destination, and sets next-hop 192.168.1.1.

1788
MCQmedium

A network engineer is troubleshooting a VRF-Lite setup where a router is configured with VRF_GREEN. The engineer pings the gateway IP of a host in VRF_GREEN from the router, but the ping fails. The 'show ip route vrf VRF_GREEN' command shows the connected network for the host's subnet. The 'show ip interface brief' shows the interface is up/up. What is the most likely cause?

A.The host's default gateway is not set to the router's interface IP in VRF_GREEN.
B.The router's interface in VRF_GREEN has 'ip proxy-arp' disabled.
C.The host's IP address is not in the same subnet as the router's interface IP in VRF_GREEN.
D.The 'ip routing' command is disabled in VRF_GREEN.
AnswerC

If the host's IP is in a different subnet, the router will not have a connected route for that host, and ARP will fail.

Why this answer

If the interface is up and the route is present, the issue might be with ARP resolution or the host's configuration. However, in VRF-Lite, the router might not be able to ping the gateway if the gateway IP is not in the same subnet as the interface IP, or if the host has a firewall blocking ICMP.

1789
MCQmedium

A PE router has the following configuration: ip vrf CUSTOMER-D rd 300:1 route-target export 300:1 route-target import 300:1 ! interface GigabitEthernet0/4 ip vrf forwarding CUSTOMER-D ip address 10.3.3.1 255.255.255.252 ! router bgp 65000 neighbor 10.0.0.1 remote-as 65000 neighbor 10.0.0.1 update-source Loopback0 ! address-family vpnv4 neighbor 10.0.0.1 activate neighbor 10.0.0.1 send-community extended exit-address-family ! address-family ipv4 vrf CUSTOMER-D neighbor 10.3.3.2 remote-as 65002 neighbor 10.3.3.2 activate exit-address-family What is the effect of this configuration?

A.The PE will successfully exchange VPNv4 routes with the remote PE and redistribute routes from CE into VPNv4.
B.The eBGP session will fail because the neighbor is not activated under the global BGP process.
C.The VPNv4 session will fail because the neighbor is not configured as a route-reflector client.
D.The VRF will not import routes because the import and export RTs are the same.
AnswerA

All necessary components are present: VRF with RT, iBGP VPNv4 session with extended community, and eBGP to CE under VRF.

Why this answer

The configuration is correct. The VRF has RD and RTs, the interface is in the VRF, the iBGP VPNv4 session is configured with extended community, and the eBGP session to the CE is configured under the VRF address-family. The PE will exchange VPNv4 routes with the remote PE and redistribute CE routes.

1790
MCQhard

A network administrator configures 'ipv6 dhcp guard' on a switch and sets the policy to 'allow only' for a specific DHCPv6 server. However, clients are still receiving DHCPv6 replies from a rogue server on the same VLAN. The engineer verifies that the rogue server's port is not trusted. What is the most likely reason the rogue server's advertisements are not being blocked?

A.IPv6 snooping is not enabled globally, so DHCPv6 Guard cannot inspect DHCPv6 messages.
B.The rogue server is using a different UDP port for DHCPv6.
C.The 'allow only' policy only works for DHCPv6 requests, not replies.
D.The rogue server is on a trunk port, and DHCPv6 Guard does not apply to trunk ports.
AnswerA

DHCPv6 Guard depends on IPv6 snooping for packet inspection.

Why this answer

DHCPv6 Guard relies on IPv6 snooping (also known as DHCPv6 snooping) to inspect DHCPv6 messages and enforce policies. If IPv6 snooping is not enabled globally on the switch, DHCPv6 Guard has no binding database or inspection mechanism to identify and block rogue DHCPv6 replies, even if the policy is configured and the rogue port is untrusted. The 'ipv6 dhcp guard' command alone is insufficient without the underlying snooping framework.

Exam trap

Cisco often tests the prerequisite dependency between IPv6 snooping and DHCPv6 Guard, trapping candidates who assume that configuring the guard policy alone is sufficient to block rogue servers.

How to eliminate wrong answers

Option B is wrong because DHCPv6 uses fixed UDP ports 546 (client) and 547 (server); a rogue server cannot use a different UDP port for standard DHCPv6 communication, and DHCPv6 Guard inspects the standard ports. Option C is wrong because the 'allow only' policy applies to both DHCPv6 requests and replies; it restricts which server can send replies, not just requests. Option D is wrong because DHCPv6 Guard does apply to trunk ports; the feature operates on VLANs and inspects traffic regardless of port mode, so a trunk port is not automatically exempt.

1791
MCQhard

A DMVPN Phase 3 network with EIGRP as the routing protocol experiences intermittent connectivity between spokes. R1 (hub) has 'ip summary-address eigrp 100 10.0.0.0 255.255.0.0' configured on the tunnel interface. R2 (spoke) shows 'show ip eigrp topology all-links' listing 10.1.0.0/24 as reachable via R1, but traffic from R2 to 10.1.0.1 (another spoke) is forwarded to R1 instead of directly via the spoke-to-spoke tunnel. What is the root cause?

A.The summary route on the hub creates a less specific route that is preferred over the more specific /24 routes learned from other spokes, causing suboptimal routing.
B.EIGRP stub configuration on spokes prevents them from learning routes from other spokes.
C.NHRP redirect is disabled on the hub, preventing spoke-to-spoke tunnel establishment.
D.The spoke-to-spoke tunnel interface has a different MTU causing fragmentation.
AnswerA

Correct. EIGRP summary routes have administrative distance 5 by default, which is lower than the distance of learned routes (90/170). This causes spokes to prefer the summary route and forward traffic to the hub, even though more specific routes exist.

Why this answer

The hub's summary route 10.0.0.0/16 is advertised to spokes, causing them to prefer the summary route over the more specific /24 routes learned from other spokes via NHRP redirect. This prevents spoke-to-spoke direct tunnels from being established or used, as traffic is forwarded to the hub based on the summary route.

1792
MCQmedium

Which BGP attribute is used as the first tie-breaker when multiple paths are available for the same prefix, assuming default settings?

A.Local preference
B.AS-path length
C.Weight
D.MED (Multi-Exit Discriminator)
AnswerC

Correct: Weight is checked first in the BGP path selection process.

Why this answer

C is correct because, under default BGP settings, the Weight attribute is the first tie-breaker when multiple paths exist for the same prefix. Weight is a Cisco-proprietary attribute that is locally significant to the router and is evaluated before any other BGP path selection criteria, including Local Preference and AS-path length.

Exam trap

Cisco often tests the order of BGP path selection attributes, and the trap here is that candidates mistakenly remember Local Preference as the first tie-breaker because it is the first global attribute, but Weight (which is local to the router) actually takes precedence.

How to eliminate wrong answers

Option A is wrong because Local Preference is the second tie-breaker in the BGP best-path selection process, not the first; it is evaluated after Weight. Option B is wrong because AS-path length is the fourth tie-breaker, used only after Weight, Local Preference, and locally originated routes have been compared. Option D is wrong because MED (Multi-Exit Discriminator) is the fifth tie-breaker, considered only after Weight, Local Preference, locally originated routes, and AS-path length have been evaluated.

1793
MCQhard

An engineer configures an IPv6 ACL to filter OSPFv3 traffic on a router interface. The ACL includes a deny entry for OSPFv3 (protocol 89) followed by a permit ipv6 any any. However, OSPFv3 adjacencies still fail to form over that interface. Which is the most likely explanation?

A.The ACL is applied outbound, but OSPFv3 packets are generated locally and are not subject to outbound ACL filtering.
B.The ACL uses 'deny ospf' but OSPFv3 uses protocol 89, which is not matched by 'deny ospf' in IPv6 ACLs.
C.The ACL must include a permit entry for the link-local address of the neighbor, otherwise OSPFv3 packets are dropped.
D.The ACL is applied to the interface but the router has 'ipv6 ospf authentication' configured, which changes the packet format and bypasses ACL filtering.
AnswerA

Correct. Outbound ACLs do not filter locally generated packets, including OSPFv3 Hellos. The ACL must be applied inbound to filter incoming OSPFv3 packets.

Why this answer

Option A is correct because OSPFv3 packets are generated by the router's own control plane (the OSPF process) and are not subject to outbound ACL filtering on the interface. Outbound ACLs only filter packets that are being forwarded through the interface, not packets originated by the router itself. Since the ACL is applied outbound, the deny entry for protocol 89 never applies to locally generated OSPFv3 hello packets, so they are sent out, but the inbound side of the neighbor might still be blocked or the adjacency fails due to other reasons—but the core issue here is that outbound ACLs do not filter locally originated traffic.

Exam trap

Cisco often tests the distinction between locally generated traffic and transit traffic with respect to outbound ACLs, and the trap here is that candidates assume outbound ACLs filter all traffic leaving the interface, including control plane packets like OSPFv3 hellos.

How to eliminate wrong answers

Option B is wrong because 'deny ospf' in an IPv6 ACL does match OSPFv3 (protocol 89) — the IPv6 ACL syntax uses the protocol number or name, and 'ospf' is a recognized keyword that maps to protocol 89. Option C is wrong because IPv6 ACLs can filter based on source/destination addresses, but OSPFv3 uses link-local addresses for neighbor communication; however, the ACL does not need a specific permit entry for the neighbor's link-local address unless the ACL explicitly denies that address—the 'permit ipv6 any any' at the end would permit all traffic, including from link-local addresses. Option D is wrong because IPv6 OSPF authentication does not change the packet format in a way that bypasses ACL filtering; ACLs filter based on Layer 3 and Layer 4 headers, and authentication (such as IPsec or MD5) does not alter the protocol number or the IP header fields that ACLs inspect.

1794
MCQmedium

A network engineer runs the following command on Router R1: R1# show ip route 10.1.1.0 Routing entry for 10.1.1.0/24 Known via "eigrp 100", distance 170, metric 30720 Redistributing via eigrp 100 Last update from 192.168.1.2 on GigabitEthernet0/0, 00:00:05 ago Routing Descriptor Blocks: * 192.168.1.2, from 192.168.1.2, 00:00:05 ago, via GigabitEthernet0/0 Route metric is 30720, traffic share count is 1 Based on this output, which statement is correct?

A.The route 10.1.1.0/24 is an EIGRP internal route.
B.The route 10.1.1.0/24 is an EIGRP external route, likely redistributed.
C.The route 10.1.1.0/24 is learned via OSPF and redistributed into EIGRP.
D.The administrative distance of 170 is non-default and must have been manually configured.
AnswerB

The administrative distance of 170 is the default for EIGRP external routes, confirming redistribution.

Why this answer

The output shows an EIGRP route with an administrative distance of 170, which is the default distance for EIGRP external routes. This indicates the route was redistributed into EIGRP from another protocol or process. The metric of 30720 is the default for a redistributed connected route.

1795
MCQmedium

A network engineer runs the following command on Router R1: R1# show snmp community Community name: PUBLIC Community Index: PUBLIC Permission: read-only View: v1default Community name: PRIVATE Community Index: PRIVATE Permission: read-write View: v1default Community name: MONITOR Community Index: MONITOR Permission: read-only View: restricted Based on this output, which statement is correct?

A.The 'MONITOR' community may not have access to any MIB objects if the 'restricted' view is not configured.
B.The 'PUBLIC' community can be used to modify router configurations.
C.The 'PRIVATE' community uses a view named 'restricted'.
D.All three communities have the same access rights.
AnswerA

If the view 'restricted' is not defined, SNMP requests using the 'MONITOR' community will fail or return no data.

Why this answer

Option A is correct because the 'MONITOR' community is associated with a view named 'restricted'. If that view is not explicitly configured in the SNMP view table, it does not exist, and by default SNMPv2c (used here) grants no access to any MIB objects for a non-existent view. Therefore, the MONITOR community may have no access to any MIB objects until the 'restricted' view is defined with specific OID trees.

Exam trap

Cisco often tests the misconception that simply naming a view in the community configuration automatically creates it, when in fact the view must be explicitly defined with the 'snmp-server view' command to grant any MIB access.

How to eliminate wrong answers

Option B is wrong because the 'PUBLIC' community has 'read-only' permission, which cannot modify router configurations; only read-write communities like 'PRIVATE' can. Option C is wrong because the 'PRIVATE' community uses a view named 'v1default', not 'restricted'; the 'restricted' view is associated only with the 'MONITOR' community. Option D is wrong because the three communities have different access rights: PUBLIC is read-only, PRIVATE is read-write, and MONITOR is read-only but with a different view (restricted vs. v1default).

1796
Multi-Selectmedium

Which TWO statements about RSPAN are true? (Choose TWO.)

Select 2 answers
A.RSPAN uses a dedicated VLAN to carry monitored traffic between switches.
B.The RSPAN VLAN must be allowed on all trunk links between the source and destination switches.
C.RSPAN encapsulates traffic in GRE headers for transport across Layer 3 networks.
D.RSPAN requires a dedicated monitoring server at the source switch.
E.RSPAN can only be configured on a single switch.
AnswersA, B

The RSPAN VLAN is used to transport mirrored traffic across the network.

Why this answer

RSPAN uses a dedicated VLAN (the RSPAN VLAN) to transport monitored traffic across switches. This VLAN must be configured on all switches in the path and trunked. It does not use GRE encapsulation (that is ERSPAN).

It does not require a separate monitoring server at the source, and it is not limited to a single switch.

1797
MCQmedium

A network engineer is troubleshooting a router that is not responding to SNMP polls from the NMS at 10.1.1.100. The SNMP configuration includes 'snmp-server community public RO' and 'snmp-server community private RW'. The engineer can ping the router from the NMS. 'show snmp' shows SNMP is enabled. What is the most likely cause?

A.The NMS is using the wrong SNMP version.
B.An ACL is applied to the SNMP community that denies the NMS IP.
C.The router's SNMP agent is disabled due to high CPU.
D.The NMS is using the wrong community string.
AnswerB

The configuration may include 'snmp-server community public RO 10', where ACL 10 denies the NMS; this is a common misconfiguration.

Why this answer

The NMS can ping the router, confirming IP reachability, and 'show snmp' confirms SNMP is enabled. The most likely cause is an ACL applied to the SNMP community that denies the NMS IP address (10.1.1.100). Cisco IOS allows an access-list to be attached to an SNMP community string using the 'snmp-server community <string> [RO|RW] <acl-number>' command, which filters SNMP requests based on source IP.

Since the NMS can ping but not poll, the ACL is blocking SNMP traffic while permitting ICMP.

Exam trap

Cisco often tests the distinction between reachability (ping working) and SNMP-specific filtering (ACL on community), leading candidates to incorrectly blame community string mismatch or SNMP version when the real issue is an access-list silently dropping SNMP packets.

How to eliminate wrong answers

Option A is wrong because the SNMP version is not specified in the configuration; the 'snmp-server community' command defaults to SNMPv1/v2c, and if the NMS were using a different version (e.g., SNMPv3), the router would still respond to SNMPv1/v2c polls unless explicitly disabled, and the question does not indicate version mismatch. Option C is wrong because 'show snmp' shows SNMP is enabled; high CPU might cause delayed responses but does not disable the SNMP agent entirely, and the router still responds to pings, indicating it is not overwhelmed. Option D is wrong because the configuration includes both 'public' (RO) and 'private' (RW) community strings; if the NMS were using the wrong string, it would receive an authentication failure (noSuchName) error, but the question states the router is 'not responding' at all, which points to an ACL block rather than a community mismatch.

1798
Multi-Selecthard

Which TWO statements about SNMPv3 configuration on Cisco IOS XE are true? (Choose TWO.)

Select 2 answers
A.The 'snmp-server group' command creates a group and assigns a username to it.
B.The 'snmp-server user' command can specify an authentication and privacy password for a user.
C.The engine ID is automatically generated and cannot be manually configured.
D.The 'snmp-server host' command for SNMPv3 requires a username to be specified when sending traps or informs.
E.SNMPv3 supports only the authPriv security level.
AnswersB, D

Correct. The 'snmp-server user' command allows configuration of authentication (MD5/SHA) and privacy (DES/AES) passwords for SNMPv3 users.

Why this answer

Option B is correct because the 'snmp-server user' command in Cisco IOS XE allows you to configure both an authentication password (e.g., MD5 or SHA) and a privacy password (e.g., DES or AES) for an SNMPv3 user, enabling secure message exchange. This is essential for implementing the authPriv security level, which provides both authentication and encryption.

Exam trap

Cisco often tests the misconception that the engine ID is immutable and cannot be manually configured, leading candidates to incorrectly select option C as true.

1799
MCQhard

What is the default maximum recursion depth for EEM Tcl policies?

A.10
B.50
C.100
D.Unlimited
AnswerC

The default recursion limit for Tcl policies is 100.

Why this answer

EEM limits Tcl policy recursion to 100 levels by default to prevent infinite loops.

1800
Drag & Drophard

Drag and drop the steps to troubleshoot OSPF adjacency or connectivity failures into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Troubleshooting OSPF adjacency failures starts with verifying Layer 3 connectivity using ping. Next, check that OSPF is enabled on the correct interfaces with show ip ospf interface. Then, verify OSPF network type and area ID match on both sides.

After that, check for mismatched authentication settings. Finally, clear the OSPF process to reset adjacency attempts.

Page 23

Page 24 of 29

Page 25
Cisco CCNP ENARSI 300-410 300-410 Questions 1726–1800 | Page 24/29 | Courseiva