Cisco CCNP ENARSI 300-410 (300-410) — Questions 19512025

2152 questions total · 29pages · All types, answers revealed

Page 26

Page 27 of 29

Page 28
1951
MCQhard

A network engineer configures an IPv6 over IPv4 GRE tunnel with IPsec protection using a transform set that includes ESP encryption and authentication. The tunnel comes up, but OSPFv3 over the tunnel fails to form adjacency. The engineer notices that the tunnel interface has an MTU of 1400. What is the most likely explanation?

A.The IPsec transform set includes both ESP encryption and authentication, which adds 50+ bytes of overhead; the tunnel MTU of 1400 is too high for the actual path MTU after encapsulation.
B.OSPFv3 requires the tunnel interface to be configured with 'ipv6 ospf network point-to-point' to work over GRE.
C.The IPsec configuration is missing the 'crypto map' applied to the tunnel interface.
D.The GRE tunnel mode should be 'tunnel mode gre ipv6' instead of the default.
AnswerA

With ESP encryption and authentication, the total overhead can be 50-60 bytes. The tunnel MTU of 1400 does not account for this, causing OSPFv3 packets to be fragmented or dropped.

Why this answer

The correct answer is A. When IPsec ESP encryption and authentication are applied to a GRE tunnel, the combined overhead (typically 50–60 bytes for ESP headers, trailers, and authentication data) reduces the effective payload MTU. With a tunnel interface MTU of 1400, the actual packet size after adding GRE (20 bytes) and IPsec overhead can exceed the path MTU, causing fragmentation or drops.

OSPFv3 uses large hello packets (often 1500 bytes), and if the encapsulated packet exceeds the path MTU, adjacency cannot form.

Exam trap

Cisco often tests the concept that IPsec overhead must be accounted for when setting tunnel MTU, and candidates mistakenly assume that a tunnel MTU of 1400 is always safe for IPv6 over GRE with IPsec, ignoring the cumulative encapsulation overhead.

How to eliminate wrong answers

Option B is wrong because OSPFv3 over GRE does not require the 'ipv6 ospf network point-to-point' command; GRE tunnels are inherently point-to-point, and OSPFv3 automatically detects the network type as point-to-point over a GRE tunnel. Option C is wrong because the question states that the tunnel comes up, and IPsec protection is configured via a transform set; the crypto map is likely applied to the physical interface or tunnel interface, and the tunnel being up indicates IPsec is functioning. Option D is wrong because 'tunnel mode gre ipv6' is used for IPv6 transport over IPv6, not for IPv6 over IPv4 GRE; the default 'tunnel mode gre ip' is correct for encapsulating IPv6 in IPv4.

1952
MCQeasy

What is the default dead interval on a Cisco IOS-XE router for OSPF on a broadcast network type?

A.10 seconds
B.30 seconds
C.40 seconds
D.120 seconds
AnswerC

Correct. The dead interval is 4 × hello interval (4 × 10 = 40 seconds) by default on broadcast and point-to-point networks.

Why this answer

On a broadcast network type, OSPF uses a default dead interval of 40 seconds, which is four times the default hello interval of 10 seconds. This relationship is defined in RFC 2328, ensuring that a neighbor is declared down only after missing four consecutive hello packets.

Exam trap

Cisco often tests the default OSPF timers for different network types, and the trap here is confusing the default dead interval for broadcast (40 seconds) with the default hello interval (10 seconds) or with the dead interval for other network types like NBMA (30 seconds).

How to eliminate wrong answers

Option A is wrong because 10 seconds is the default hello interval on broadcast networks, not the dead interval. Option B is wrong because 30 seconds is the default dead interval for OSPF on non-broadcast multi-access (NBMA) networks, not broadcast. Option D is wrong because 120 seconds is the default dead interval for OSPF virtual links or point-to-multipoint networks, not for broadcast network types.

1953
Drag & Dropmedium

Drag and drop the steps to verify and validate the operational state of an IPsec site-to-site VPN into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Begin by checking the IKE Phase 1 SA to ensure the control plane is established, then verify the IPsec Phase 2 SA for data-plane encryption. Confirm the tunnel interface is up/up, examine the crypto map to ensure it is active, and finally test traffic flow with a ping or extended ping.

1954
MCQhard

An MPLS network with IPv6 over MPLS (6PE) is experiencing loss of IPv6 routes from a remote provider edge (PE) router. Router PE1 has the following relevant configuration: interface GigabitEthernet0/0 ipv6 address 2001:DB8:1::1/64 mpls ip interface Loopback0 ip address 192.0.2.1 255.255.255.255 router ospf 1 router-id 192.0.2.1 redistribute bgp 65000 subnets. Router PE2 shows: PE2# show bgp ipv6 unicast 2001:DB8:2::/64 % Network not in table. PE2# show mpls forwarding-table 192.0.2.1 Label: 16, Interface: GigabitEthernet0/1. What is the root cause?

A.PE1 is missing the network 2001:DB8:2::/64 command under router bgp for IPv6 unicast address family.
B.The MPLS label distribution between PE1 and PE2 is failing due to LDP mismatch.
C.OSPF is not redistributing the IPv6 prefix correctly.
D.The IPv6 address family is not enabled under router bgp on PE1.
AnswerA

Without this, the IPv6 prefix is not injected into BGP, so PE2 never learns it.

Why this answer

The correct answer is A because the output shows that PE2 has an MPLS label (16) for PE1's loopback (192.0.2.1) and can forward labeled traffic, but the IPv6 route 2001:DB8:2::/64 is missing from the BGP table. This indicates that PE1 is not advertising the IPv6 prefix into BGP. The missing `network 2001:DB8:2::/64` command under the IPv6 unicast address family on PE1 prevents the prefix from being injected into BGP, even though the interface is configured with the IPv6 address and OSPF redistribution is in place.

Exam trap

Cisco often tests the distinction between interface configuration and BGP advertisement, where candidates assume that having an IPv6 address on an interface automatically makes it reachable via BGP in a 6PE design.

How to eliminate wrong answers

Option B is wrong because the `show mpls forwarding-table` output shows a valid label (16) for PE1's loopback, proving that LDP is functioning correctly and there is no mismatch. Option C is wrong because OSPF redistribution of BGP routes is not required for 6PE; 6PE relies on BGP to carry IPv6 prefixes over the MPLS core, and OSPF is only used for IPv4 IGP reachability of the loopbacks. Option D is wrong because the IPv6 address family is implicitly enabled when the `network` command is used under `router bgp` for IPv6 unicast; the issue is the missing network statement, not the absence of the address family itself.

1955
MCQmedium

A network engineer runs the following command to troubleshoot an RSPAN issue: R1# show monitor session 2 detail Session 2 --------- Type : Remote Source Session Source Ports : Both : Gi0/0 Destination RSPAN VLAN : 100 What does this output indicate?

A.The session is correctly configured as an RSPAN source session.
B.The session is misconfigured because the destination must be a port, not a VLAN.
C.The session is misconfigured because the source port must be a VLAN.
D.The session is misconfigured because the RSPAN VLAN must be configured as a remote-span VLAN.
AnswerA

The output confirms an RSPAN source session with a specified RSPAN VLAN.

Why this answer

The output shows an RSPAN source session with source port Gi0/0 and destination RSPAN VLAN 100. This is the source side of an RSPAN configuration.

1956
MCQmedium

A network engineer runs the following command on Router R1: R1# show policy-map control-plane Control Plane Service-policy input: CoPP class-map: MANAGEMENT (match-all) 5 packets, 500 bytes 5 minute offered rate 0 bps police: cir 8000 bps, bc 1500 bytes conformed 5 packets, 500 bytes; actions: transmit exceeded 0 packets, 0 bytes; actions: drop conformed 0 bps, exceed 0 bps class-map: ATTACK (match-all) 100 packets, 10000 bytes 5 minute offered rate 0 bps police: cir 8000 bps, bc 1500 bytes conformed 0 packets, 0 bytes; actions: transmit exceeded 100 packets, 10000 bytes; actions: drop conformed 0 bps, exceed 0 bps Based on this output, what is happening to traffic matching class ATTACK?

A.All traffic in class ATTACK is being transmitted.
B.All traffic in class ATTACK is being dropped.
C.Traffic in class ATTACK is being rate-limited but not dropped.
D.Traffic in class ATTACK is being marked down.
AnswerB

Exceeded 100 packets, all dropped.

Why this answer

The output shows that for class ATTACK, 100 packets were exceeded and dropped. This means the traffic rate exceeded the committed information rate (CIR) of 8000 bps, and all packets were dropped as per the exceed action.

1957
MCQhard

A network engineer is troubleshooting PBR on a Cisco router where traffic from subnet 10.10.10.0/24 should be forwarded to next-hop 192.168.100.2. The route map 'PBR-10' is configured with 'match ip address 130' and 'set ip next-hop 192.168.100.2'. The engineer applies the route map to interface GigabitEthernet0/0. The engineer notices that PBR is not working, and the router is dropping packets instead of forwarding them. The engineer checks the ACL 130 and confirms it matches 10.10.10.0/24. What is the most likely cause?

A.The route map has a deny statement that matches the traffic, causing packets to be dropped.
B.The next-hop 192.168.100.2 is unreachable, and PBR drops packets when the next-hop is down.
C.The 'ip policy route-map' command is applied to the wrong interface, and the router is dropping packets due to ACL filtering.
D.The ACL 130 is missing the 'permit' keyword, causing all traffic to be denied.
AnswerA

Correct because a deny statement in the route map will cause the router to drop the packet if no other permit statement matches.

Why this answer

If PBR is dropping packets, it could be because the next-hop is unreachable and the route map has a 'set ip next-hop' command that fails, causing the router to drop the packet if no fallback is configured. However, by default, if the next-hop is unreachable, the router should use the routing table. But if the route map has a 'set ip next-hop' with 'verify-availability' and the next-hop is down, the router may drop the packet.

Another possibility is that the route map has a 'deny' statement that drops traffic. The most likely cause is that the route map has a 'deny' statement that matches the traffic, causing it to be dropped.

1958
MCQhard

A DMVPN network uses IPv6 with EIGRP as the routing protocol. Spoke routers R2 and R3 are behind NAT and use mGRE tunnels. The hub R1 has an IPv6 ACL applied inbound on the tunnel interface that permits only EIGRP and denies all other IPv6 traffic. Spoke-to-spoke traffic fails even though direct tunnels are established. R2 shows 'ping 2001:db8:3::1 source loopback0' fails, but 'ping 2001:db8:1::1' (hub) succeeds. What is the root cause?

A.R1's inbound ACL on the tunnel interface permits only EIGRP, dropping all other traffic including spoke-to-spoke data packets.
B.NAT traversal is broken for spoke-to-spoke traffic due to IPsec encryption issues.
C.EIGRP is not advertising spoke loopbacks to other spokes, causing no route.
D.The mGRE tunnel on R2 does not have a destination for R3, preventing direct communication.
AnswerA

Spoke-to-spoke traffic is forwarded through the hub if the routing table points to the hub. The ACL on the hub's tunnel interface filters this traffic.

Why this answer

The hub router R1 has an inbound IPv6 ACL on its tunnel interface that permits only EIGRP traffic and denies all other IPv6 traffic. When spoke R2 attempts to send data (e.g., ping) directly to spoke R3, the packets are routed through the hub because the spokes do not have a direct route to each other's loopback addresses. Even though a direct mGRE tunnel exists between spokes, the data packets must first reach the hub, which drops them due to the ACL, causing spoke-to-spoke communication failure.

Exam trap

Cisco often tests the misconception that a direct tunnel between spokes automatically allows direct traffic, but in reality, the hub's ACL or routing policy can still block spoke-to-spoke data if the packets are forwarded through the hub.

How to eliminate wrong answers

Option B is wrong because NAT traversal issues typically affect IPsec tunnel establishment or keepalives, not the filtering of data packets after the tunnel is up; the problem here is ACL-based dropping, not encryption or NAT. Option C is wrong because EIGRP can advertise spoke loopbacks to other spokes via the hub, but the ACL on the hub's tunnel interface blocks the data traffic, not the routing updates; the routes may exist but packets are dropped. Option D is wrong because mGRE tunnels dynamically learn peer destinations (NHRP), so R2 does not need a static destination for R3; the direct tunnel is established, but data packets are still forwarded through the hub due to routing or ACL filtering.

1959
MCQhard

What is the default OSPF metric for a route redistributed from another routing protocol into OSPF?

A.0
B.1
C.20
D.10
AnswerC

Correct. The default OSPF metric for redistributed routes (except BGP) is 20.

Why this answer

When a route is redistributed from another routing protocol into OSPF, the default metric is 20 for routes that are not BGP. This is defined in RFC 2328 and is the seed metric used when no explicit metric is configured with the redistribute command. The value 20 applies to most external routes (Type 2 by default), while BGP redistributed routes default to 1.

Exam trap

Cisco often tests the distinction between the default OSPF metric for redistributed routes (20) and the default metric for BGP redistributed routes (1), causing candidates to mistakenly choose 1 for all protocols.

How to eliminate wrong answers

Option A is wrong because 0 is not a valid default OSPF metric for redistributed routes; a metric of 0 would imply the route is directly connected, which is not the case for redistributed routes. Option B is wrong because 1 is the default metric for routes redistributed from BGP into OSPF, not for routes from other protocols like EIGRP or RIP. Option D is wrong because 10 is the default cost for a Gigabit Ethernet interface in OSPF, not the default metric for redistributed routes.

1960
Multi-Selecthard

Which TWO statements about using a route-map with the "set metric" command to influence route selection in EIGRP are true? (Choose TWO.)

Select 2 answers
A.The set metric command in a route-map can set the EIGRP composite metric components such as bandwidth and delay.
B.A route-map applied to a redistribute command under EIGRP can modify the metric of redistributed routes.
C.The route-map must be applied to the EIGRP process using the "route-map" command under router eigrp to affect all updates.
D.The set metric command can also change the administrative distance of the route.
E.The route-map can only be used to set the metric to a single value, not multiple components.
AnswersA, B

Correct. EIGRP metric components can be set using set metric bandwidth delay reliability load mtu.

Why this answer

In EIGRP, the metric is composite (bandwidth, delay, etc.). The set metric command can modify these values. A route-map can be applied to redistribute routes into EIGRP or to filter outbound updates.

The set metric command can set multiple components. However, the route-map must be applied to the redistribution or neighbor statement to affect EIGRP. The set metric command does not affect the administrative distance.

1961
Multi-Selecthard

Which TWO statements about AAA authentication on Cisco IOS-XE are true? (Choose TWO.)

Select 2 answers
A.If no AAA authentication method list is explicitly configured, the default method list uses the local user database.
B.The 'aaa authentication login default local' command creates a default method list that uses the local user database for login authentication.
C.When a named method list is applied to a line with 'login authentication LISTNAME', the default method list is ignored for that line.
D.The 'aaa authentication login default group radius local' command will first try RADIUS, and if RADIUS fails (not just rejects), it will fall back to local.
E.The 'aaa authentication login default method' command creates a method list with no authentication methods, which denies all login attempts.
AnswersB, C

This command defines the default method list for login authentication, using the local database as the first (and only) method.

Why this answer

Option B is correct because the 'aaa authentication login default local' command explicitly configures the default method list to use the local user database for login authentication. This is the standard way to define a fallback or primary local authentication method for all lines that do not have a named method list applied.

Exam trap

Cisco often tests the distinction between a method list 'failure' (which allows fallback) and a 'reject' (which denies access immediately), and the fact that an unconfigured AAA defaults to line password authentication, not local database.

1962
MCQmedium

A network engineer is troubleshooting a route redistribution issue between two EIGRP processes. Router R1 runs EIGRP AS 100 and EIGRP AS 200, and redistributes routes between them. The engineer notices that routes from EIGRP AS 100 are not appearing in the EIGRP topology table of AS 200 on R1. The redistribute eigrp 100 command is configured under EIGRP AS 200. What is the most likely cause?

A.The redistribute eigrp 100 command under EIGRP AS 200 is missing the metric specification.
B.EIGRP AS 100 has a higher administrative distance than EIGRP AS 200.
C.The redistribute eigrp 100 command under EIGRP AS 200 is missing the subnets keyword.
D.EIGRP AS 200 has a route map that is filtering all routes.
AnswerA

Correct: Without a metric, EIGRP does not accept redistributed routes.

Why this answer

When redistributing between EIGRP processes, the redistribute command must include the metric values (bandwidth, delay, reliability, load, MTU) or a default-metric must be configured. Without a metric, the redistributed routes are not accepted.

1963
MCQhard

Which EIGRP loop prevention mechanism prevents a router from installing a route that was originally learned from itself?

A.Split horizon
B.Route poisoning
C.Feasibility condition
D.Hold-down timer
AnswerA

Correct. Split horizon prohibits a router from sending an update about a route out the same interface it was learned on, thus preventing the router from learning a route it originally advertised.

Why this answer

Split horizon prevents a router from advertising a route back out the interface from which it was learned, thereby preventing the router from receiving and installing a route that originated from itself. This is the primary loop prevention mechanism that stops self-originated routes from being accepted. The feasibility condition in EIGRP ensures loop-free paths by requiring that the reported distance from a neighbor be less than the feasible distance, but it does not specifically prevent self-originated route acceptance.

Exam trap

Candidates often confuse the feasibility condition with split horizon. While both prevent loops, split horizon specifically stops a router from installing a route it originated.

1964
MCQmedium

What is the default administrative distance for routes redistributed into EIGRP from another protocol?

A.90
B.110
C.170
D.200
AnswerC

Cisco IOS assigns a default administrative distance of 170 to all routes redistributed into EIGRP, matching the distance of external EIGRP routes.

Why this answer

By default, EIGRP assigns an administrative distance of 170 to routes learned via redistribution, distinguishing them from internal EIGRP routes (AD 90) and external EIGRP routes (AD 170).

1965
Multi-Selecthard

An engineer configures PBR on a Cisco router using the following commands: 'route-map PBR permit 10', 'match ip address 100', 'set ip next-hop 10.1.1.1', and applies it inbound on interface GigabitEthernet0/1. Which TWO statements about this configuration are true? (Choose TWO.)

Select 2 answers
A.The command 'ip policy route-map PBR' must be applied under interface GigabitEthernet0/1 in global configuration mode.
B.If the next hop 10.1.1.1 becomes unreachable, packets that match ACL 100 will be dropped by default.
C.Packets that do not match ACL 100 will be forwarded using the normal routing table.
D.The command 'debug ip policy' can be used to verify which packets are being policy-routed and to which next hop.
E.The route map must also include a 'match interface' statement to specify the incoming interface.
AnswersC, D

Correct. Only packets matching the route-map (via ACL 100) are policy-routed; others are forwarded normally.

Why this answer

PBR is applied inbound on an interface. The route map matches packets using ACL 100. If the next hop is unreachable, the packet is forwarded using the routing table (if a default route exists) or dropped.

PBR can be verified using 'show route-map' and 'debug ip policy'. The route map must be applied to the interface using 'ip policy route-map PBR'.

1966
MCQhard

What is the default SNMP community string on a Cisco IOS device that has not been configured with any SNMP commands?

A.public
B.private
C.cisco
D.No default community string exists; SNMP is disabled.
AnswerD

Cisco IOS does not preconfigure any community; the device must have an snmp-server community command to enable SNMP.

Why this answer

By default, Cisco IOS devices have no SNMP community strings configured because SNMP is disabled until explicitly enabled with the 'snmp-server community' command. Without any SNMP configuration, the device does not respond to SNMP requests, making option D correct. This aligns with Cisco's security best practices to avoid exposing management access unintentionally.

Exam trap

Cisco often tests the misconception that 'public' is a default community string on IOS devices, when in fact SNMP is completely disabled by default and no community string exists until configured.

How to eliminate wrong answers

Option A is wrong because 'public' is a commonly used community string in many third-party devices but is not the default on Cisco IOS; Cisco does not pre-configure any community string. Option B is wrong because 'private' is similarly a common read-write community string in some contexts but is not a default on Cisco IOS. Option C is wrong because 'cisco' is not a default community string; Cisco IOS does not ship with any pre-set community strings, and SNMP must be explicitly configured.

1967
MCQhard

A network engineer configures BGP synchronization on an iBGP router. The IGP (OSPF) does not carry the BGP routes. Unexpectedly, the router does not advertise these iBGP routes to eBGP neighbors. What is the most likely explanation?

A.The router has 'bgp synchronization' enabled, and the iBGP route is not in the OSPF routing table, so it is not considered valid for advertisement.
B.The router has 'bgp bestpath as-path multipath-relax' configured, which suppresses eBGP advertisements for iBGP routes.
C.The iBGP session is not using 'next-hop-self', so the next hop is unreachable.
D.The router has 'bgp suppress-duplicates' enabled, which drops identical routes.
AnswerA

With synchronization enabled, the router checks the IGP for the prefix. If missing, the route is not advertised to eBGP.

Why this answer

BGP synchronization requires that an iBGP route must be present in the IGP before it can be advertised to eBGP neighbors. If the IGP does not carry the route, the router will not advertise it, even if it is in the BGP table.

1968
Multi-Selecthard

Which TWO configuration changes will prevent a specific route from being redistributed from OSPF into EIGRP using a route-map? (Choose TWO.)

Select 2 answers
A.Configure a route-map with a deny clause that matches the route, and apply it to the redistribution command.
B.Apply a distribute-list out under the EIGRP process that denies the route.
C.Use a route-map with a permit clause and no match statement, then apply it to the redistribution.
D.Create a prefix-list that denies the route, then use match ip address prefix-list in a route-map permit clause.
E.Add a match ip address prefix-list command that references a prefix-list with a deny entry, inside a route-map deny clause.
AnswersA, E

Correct. A deny clause in the route-map will prevent the route from being redistributed.

Why this answer

To block redistribution, you can either match the route with a deny clause in the route-map, or use a prefix-list that denies the route and reference it in a match clause. A distribute-list under EIGRP is not used for redistribution filtering. A route-map with a permit clause and no match will permit all routes.

A match ip address prefix-list with a permit entry will permit the route.

1969
MCQhard

An engineer applies a Control Plane Policing (CoPP) policy to a router. After applying, the router becomes unreachable via SSH and SNMP, even though the policy allows management traffic. Which is the most likely explanation?

A.The CoPP policy was applied to the wrong interface; it must be applied to the management interface.
B.The class-map for management traffic does not include all required protocols, and the class-default action is drop.
C.The CoPP policy uses rate-limit in bps instead of pps, causing all traffic to be policed.
D.The CoPP policy was applied before the class-maps were fully configured.
AnswerB

If class-default is not configured with a permit action, the implicit deny drops unmatched traffic, including management traffic not explicitly matched.

Why this answer

CoPP policies have an implicit deny at the end of the class-map. If the class-map for management traffic does not explicitly match all management protocols (e.g., SSH, SNMP, NTP), or if the policy does not have a class-default action to permit, the traffic is dropped.

1970
MCQhard

Router R1 is running EIGRP in VRF-A with two neighbors: R2 and R3. R2 is a directly connected router, R3 is reachable via R2. The network is experiencing EIGRP stuck-in-active (SIA) routes for prefixes learned from R3. R1 configuration: router eigrp 100, address-family ipv4 vrf VRF-A, network 10.0.0.0. R2 is configured similarly. The link between R1 and R2 is a serial link with low bandwidth. What is the root cause?

A.The low-bandwidth serial link between R1 and R2 causes EIGRP query packets to be delayed, exceeding the active timer and resulting in SIA.
B.The VRF configuration on R2 is missing the network statement for the link to R3.
C.EIGRP is not supported in VRF-Lite.
D.The active timer should be increased to prevent SIA.
AnswerA

Correct: Slow link can delay query/reply packets, leading to SIA.

Why this answer

EIGRP SIA occurs when a query is sent to a neighbor and the reply is not received within the active timer (default 3 minutes). In a VRF-Lite scenario, if the query scope is not limited, the query may propagate to R3 via R2, but if the serial link has low bandwidth or high delay, the query may time out. However, the most common cause in VRF-Lite is that the query is sent to all neighbors, and if one neighbor (R2) does not reply due to a slow link, SIA occurs.

The issue is that the query scope includes R2, but the link is slow, causing the active timer to expire.

1971
Multi-Selectmedium

Which THREE symptoms indicate a BFD session failure? (Choose THREE.)

Select 3 answers
A.The BFD neighbor state shows 'Down'
B.The OSPF neighbor state changes from Full to Down
C.BFD timer expiry messages appear in logs
D.The interface MTU is set to 1500
E.The BFD discriminator value is zero
AnswersA, B, C

A 'Down' state directly indicates session failure.

Why this answer

A BFD session failure typically results in the neighbor state being 'Down', the routing protocol (like OSPF or EIGRP) neighbor going down due to BFD's fast detection, and BFD timers expiring. The other options are not direct symptoms of a BFD session failure.

1972
MCQmedium

A network engineer runs the following command to troubleshoot a BGP Troubleshooting issue: R1# show bgp ipv4 unicast summary BGP router identifier 1.1.1.1, local AS number 65000 BGP table version is 15, main routing table version 15 2 network entries using 288 bytes of memory 2 path entries using 160 bytes of memory 2/2 BGP path/bestpath attribute entries using 296 bytes of memory 1 BGP AS-PATH entries using 24 bytes of memory 0 BGP route-map cache entries using 0 bytes of memory 0 BGP filter-list cache entries using 0 bytes of memory Bitfield cache entries: current 1 (at peak 1) using 32 bytes of memory BGP using 800 total bytes of memory BGP activity 6/0 prefixes, 6/0 paths, scan interval 60 secs Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 10.1.1.2 4 65001 15 15 15 0 0 00:12:34 2 10.2.2.2 4 65002 10 12 15 0 0 00:08:21 0 What does this output indicate?

A.Both neighbors are fully operational and exchanging routes.
B.Neighbor 10.1.1.2 is not sending any routes.
C.Neighbor 10.2.2.2 is not sending any routes, possibly due to filtering or no routes to advertise.
D.The BGP session with 10.2.2.2 is down.
AnswerC

The PfxRcd column shows 0 for 10.2.2.2, meaning no prefixes are received from that neighbor.

Why this answer

The show bgp summary output shows BGP neighbor states and prefix counts. Neighbor 10.1.1.2 is up and has sent 2 prefixes. Neighbor 10.2.2.2 is up but has sent 0 prefixes, indicating a possible issue with route advertisement or filtering.

1973
Drag & Dropmedium

Drag and drop the steps to configure SNMPv3 with auth-priv and verify traps into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

First, define the SNMPv3 group with security model and privacy settings. Next, create the user with authentication and privacy passwords. Then, enable SNMP traps globally.

After that, specify the trap receiver host with the correct security parameters. Finally, verify the configuration using show snmp user and show snmp host.

1974
MCQhard

An engineer configures Control Plane Policing (CoPP) on a router. After configuration, OSPF neighbors are flapping. Which is the most likely explanation?

A.The class-default is configured with a police action that drops OSPF packets exceeding the rate.
B.The CoPP policy is applied to the wrong direction (input vs output).
C.The access-list used to classify OSPF packets is missing the 'permit' statement for OSPF protocol.
D.The CoPP policy uses 'drop' action for OSPF class.
AnswerA

If OSPF packets are not explicitly classified and permitted, they fall into class-default. The police action in class-default will drop packets that exceed the configured rate, causing OSPF hello packets to be dropped and neighbors to flap.

Why this answer

CoPP applies a policy-map to the control plane. If the default class-default is used without an explicit permit for OSPF packets, the implicit deny at the end of the policy-map will drop OSPF packets. The default class-default action is 'drop' if not explicitly configured, but even if a 'police' action is configured, the default behavior is to drop packets that exceed the rate.

1975
MCQhard

A network administrator configures 'ipv6 nd raguard' on a switch port connected to a router. The router is sending Router Advertisements with a non-zero Router Lifetime. The switch logs indicate that RAs are being dropped, and the port goes into err-disable state. The engineer checks the RA Guard policy and sees that the default policy is applied. What is the most likely reason for the drops?

A.The RA has a hop-limit less than 255, which RA Guard treats as invalid and drops.
B.The RA Guard policy is configured to block all RAs regardless of source.
C.The router is using a multicast MAC address that is not allowed by RA Guard.
D.The switch port is in access mode, and RA Guard only works on trunk ports.
AnswerA

RA Guard expects hop-limit of 255 for locally generated RAs.

Why this answer

The default RA Guard policy on Cisco switches blocks Router Advertisements (RAs) that do not have a hop limit of 255. This is because legitimate routers always send RAs with a hop limit of 255, as specified in RFC 4861. When the router sends an RA with a hop limit less than 255, RA Guard treats it as invalid and drops it, which can also trigger err-disable state on the port.

Exam trap

Cisco often tests the specific hop-limit validation in the default RA Guard policy, where candidates mistakenly think the issue is with port mode or MAC addressing rather than the hop-limit field.

How to eliminate wrong answers

Option B is wrong because the default RA Guard policy does not block all RAs; it uses a device-role-based approach that validates specific fields like hop limit and source address. Option C is wrong because RA Guard does not filter based on multicast MAC addresses; it validates the IPv6 source address and hop limit, not the MAC layer. Option D is wrong because RA Guard works on both access and trunk ports; the port mode does not affect RA Guard functionality.

1976
MCQmedium

In IPv6 FHS, which protocol is used to secure Neighbor Discovery messages with cryptographic authentication?

A.IPsec
B.SEND
C.SSL/TLS
D.MACsec
AnswerB

Correct. SEND (Secure Neighbor Discovery) uses CGAs and RSA signatures to authenticate ND messages.

Why this answer

B is correct because SEND (Secure Neighbor Discovery, RFC 3971) uses Cryptographically Generated Addresses (CGAs) and RSA signatures to authenticate Neighbor Discovery (ND) messages, protecting against threats like Neighbor Advertisement spoofing and Duplicate Address Detection (DAD) attacks. Unlike IPsec, SEND does not require a pre-established security infrastructure or key management, making it practical for securing ND in IPv6 first-hop segments.

Exam trap

Cisco often tests the misconception that IPsec is the universal security solution for IPv6, but the trap here is that SEND is the specific protocol designed to authenticate Neighbor Discovery messages, while IPsec is used for general IPv6 traffic protection and requires a different trust model.

How to eliminate wrong answers

Option A is wrong because IPsec can encrypt and authenticate IPv6 traffic but requires a pre-shared key or PKI infrastructure and is not designed specifically for securing Neighbor Discovery messages; SEND is the dedicated protocol for ND message authentication. Option C is wrong because SSL/TLS operates at the transport layer (TCP) and is used for securing application-layer communications (e.g., HTTPS), not for authenticating link-layer Neighbor Discovery messages in IPv6. Option D is wrong because MACsec (IEEE 802.1AE) provides hop-by-hop encryption and authentication at Layer 2 (Ethernet) but does not authenticate IPv6 ND messages; it secures the physical link, not the ND protocol itself.

1977
MCQmedium

Given the following partial configuration on router R1: ``` interface GigabitEthernet0/0 ip vrf forwarding CUSTOMER_A ip address 192.168.1.1 255.255.255.0 ``` What is the effect of this configuration?

A.The interface is placed into VRF CUSTOMER_A, and the IP address is assigned correctly.
B.The interface is placed into VRF CUSTOMER_A, but the IP address is ignored because it must be configured before the VRF command.
C.The VRF name is misspelled; it should be 'vrf forwarding CUSTOMER_A' under the interface.
D.The configuration will fail because VRF CUSTOMER_A must be created globally first.
AnswerA

This is correct. The VRF association is applied before the IP address, so the IP address is associated with the VRF.

Why this answer

The 'ip vrf forwarding' command associates the interface with a VRF. It removes the IP address if one was previously configured, requiring it to be re-applied. This ensures traffic on this interface is forwarded using the VRF's routing table.

1978
MCQhard

What is the default MTU size for ERSPAN encapsulated packets on Cisco IOS-XE?

A.1500 bytes
B.1492 bytes
C.The ERSPAN packet inherits the interface MTU, with no separate default.
D.The default ERSPAN MTU is 1518 bytes.
AnswerC

ERSPAN does not have a configurable MTU; it uses the interface MTU, and the encapsulation adds 8 bytes (Type II) overhead.

Why this answer

ERSPAN adds a GRE header (4 bytes) and an ERSPAN header (4 bytes for Type II) to the original packet. The default system MTU is 1500 bytes, but the ERSPAN packet may exceed this; however, the default MTU for the ERSPAN session itself is not explicitly set—it inherits the interface MTU. There is no separate default ERSPAN MTU; the question tests understanding that ERSPAN adds 8 bytes overhead.

1979
MCQmedium

Examine the following configuration: ``` interface GigabitEthernet0/3 ip access-group WEB_ONLY out ! ip access-list extended WEB_ONLY permit tcp any any eq 80 permit tcp any any eq 443 ``` What is the effect of this ACL when applied outbound on GigabitEthernet0/3?

A.It permits all web traffic entering the interface.
B.It permits only HTTP and HTTPS traffic to leave the interface; all other traffic is denied.
C.It permits all TCP traffic to any destination.
D.It has no effect because the ACL is missing a deny statement.
AnswerB

Correct. The ACL permits web traffic and implicitly denies everything else.

Why this answer

The ACL named WEB_ONLY explicitly permits TCP traffic destined for ports 80 (HTTP) and 443 (HTTPS). When applied outbound on GigabitEthernet0/3, it filters traffic leaving the interface. Since every ACL has an implicit deny any at the end, only HTTP and HTTPS traffic is permitted outbound; all other traffic is denied.

Exam trap

Cisco often tests the implicit deny any concept and the distinction between inbound and outbound ACL application, causing candidates to overlook that an ACL without an explicit deny still denies all non-permitted traffic.

How to eliminate wrong answers

Option A is wrong because the ACL is applied outbound, not inbound, so it filters traffic leaving the interface, not entering. Option C is wrong because the ACL only permits TCP traffic to ports 80 and 443, not all TCP traffic to any destination. Option D is wrong because an explicit deny statement is not required; every ACL has an implicit deny any at the end, so the ACL does have an effect by denying all other traffic.

1980
MCQmedium

What is the default behavior of EIGRP auto-summary in IOS-XE 15.x and later?

A.Auto-summary is enabled by default
B.Auto-summary is disabled by default
C.Auto-summary is enabled only for connected routes
D.Auto-summary is disabled only for point-to-point links
AnswerB

Correct. IOS-XE 15.x and later disable auto-summary by default to avoid suboptimal routing.

Why this answer

In IOS-XE 15.x and later, EIGRP auto-summary is disabled by default. This change was introduced to align with modern network designs that require classless routing and to prevent unintended route summarization at classful boundaries, which can cause routing loops or suboptimal path selection in discontiguous networks.

Exam trap

Cisco often tests the misconception that auto-summary remains enabled by default in newer IOS versions, as it was in older releases, leading candidates to incorrectly select Option A.

How to eliminate wrong answers

Option A is wrong because auto-summary was enabled by default in older IOS versions (pre-15.x), but Cisco changed the default to disabled starting with IOS-XE 15.x and IOS 15.0(1)M. Option C is wrong because auto-summary, when enabled, applies to all EIGRP-learned routes, not just connected routes; connected routes are automatically advertised without summarization unless explicitly configured. Option D is wrong because auto-summary behavior is not interface-type specific; it is a global EIGRP process setting that applies to all routes regardless of link type (point-to-point or multipoint).

1981
Multi-Selecthard

Which THREE commands would a network engineer use to troubleshoot an MPLS L3VPN issue where a CE router cannot reach a remote CE? (Choose THREE.)

Select 3 answers
A.show ip route vrf CUSTOMER_A
B.show ip bgp vpnv4 vrf CUSTOMER_A
C.show mpls forwarding-table vrf CUSTOMER_A
D.ping vrf CUSTOMER_A <remote-ce-ip>
E.show mpls ldp neighbor
AnswersA, B, C

Checks if the remote CE prefix is in the VRF routing table.

Why this answer

Troubleshooting end-to-end connectivity involves checking the VRF routing table, the BGP VPNv4 table, and the MPLS forwarding table. 'show ip route vrf <vrf>' verifies that the remote prefix is present. 'show ip bgp vpnv4 vrf <vrf>' confirms BGP has the route. 'show mpls forwarding-table vrf <vrf>' checks for label entries. 'ping vrf' tests connectivity from the PE. 'show mpls ldp neighbor' checks LDP status, which is important for the underlay but not directly for VPN route presence.

1982
MCQmedium

A network engineer runs the following command on Router R1: R1# show ip policy Interface Route-map GigabitEthernet0/0 PBR-VOICE R1# show route-map PBR-VOICE route-map PBR-VOICE, permit, sequence 10 Match clauses: ip address (access-lists): 130 Set clauses: ip next-hop 192.168.10.1 Policy routing matches: 0 packets, 0 bytes R1# show access-lists 130 Extended IP access list 130 10 permit udp any any range 16384 32767 R1# show interfaces GigabitEthernet0/0 GigabitEthernet0/0 is up, line protocol is up Internet address is 10.1.1.1/24 R1# show ip route 192.168.10.1 % Network not in routing table Based on this output, what is the most likely problem?

A.The access list 130 is not matching any traffic.
B.The next-hop 192.168.10.1 is not reachable.
C.The interface GigabitEthernet0/0 is down.
D.The route map is missing a permit statement.
AnswerB

The show ip route output indicates the network is not in the routing table, so the next-hop is unreachable, causing PBR to fail to apply the set clause.

Why this answer

The next-hop 192.168.10.1 is not in the routing table. For PBR to forward packets to a next-hop, that next-hop must be reachable (in the routing table). If it is not, packets that match the route map are forwarded using the normal routing table instead.

The zero matches could be because no traffic matching ACL 130 has arrived, or because the next-hop is missing, but the missing route is a clear issue.

1983
MCQmedium

Consider the following BGP configuration on router R5: router bgp 65005 bgp router-id 5.5.5.5 neighbor 10.5.5.6 remote-as 65006 neighbor 10.5.5.6 route-map SET-LP in ! route-map SET-LP permit 10 set local-preference 150 ! What is the result of this configuration?

A.All routes from 10.5.5.6 have their local preference set to 150, making them more preferred.
B.Only routes that match a prefix-list are affected; otherwise, default local preference is used.
C.Local preference is set to 150 for routes sent to 10.5.5.6.
D.The route-map is ignored because local-preference can only be set outbound.
AnswerA

The route-map matches all routes (no match condition) and sets local-preference to 150.

Why this answer

The route-map SET-LP is applied inbound. It sets the local preference to 150 for all routes received from 10.5.5.6. This makes those routes more preferred within the local AS compared to routes with default local preference (100).

1984
Multi-Selecthard

An engineer is redistributing OSPF routes into EIGRP. Which TWO commands can be used to verify that the redistribution is working correctly? (Choose TWO.)

Select 2 answers
A.show ip route eigrp
B.show ip eigrp topology
C.show ip ospf database
D.show ip protocols
E.show ip route ospf
AnswersA, B

Correct. This command displays EIGRP routes in the routing table. If OSPF routes are successfully redistributed into EIGRP, they will appear as EIGRP routes (usually marked with 'D EX' for external).

Why this answer

To verify redistribution, you can check the routing table of the receiving protocol (EIGRP) to see if the redistributed routes appear. Additionally, 'show ip eigrp topology' shows the EIGRP topology table, which includes redistributed routes. 'show ip ospf database' is for OSPF LSDB and does not show redistributed routes into EIGRP. 'show ip protocols' shows redistribution configuration but not active routes. 'show ip route eigrp' shows only EIGRP routes, but if redistribution is working, those routes should appear there.

1985
Multi-Selectmedium

Which THREE symptoms indicate that Policy-Based Routing (PBR) is not working as expected? (Choose THREE.)

Select 3 answers
A.Traffic that should be policy-routed follows the routing table instead.
B.High CPU usage on the router when processing PBR traffic.
C.The 'show ip policy' command shows the route-map applied to the interface.
D.Packets are dropped when the 'set interface' specifies a down interface.
E.The routing table is updated with new routes from PBR.
AnswersA, B, D

This indicates PBR is not matching the traffic or not applied correctly.

Why this answer

If traffic that should be policy-routed follows the routing table instead, PBR may not be applied or the route-map may not match. High CPU usage can occur if PBR is process-switched and ACLs are large. If the 'set interface' specifies a down interface, packets are dropped.

The 'show ip policy' command shows PBR application, not a symptom of failure. PBR does not affect routing table updates. A mismatch in ACLs can cause unintended forwarding.

1986
Multi-Selecthard

Which TWO statements about PBR and the 'set ip next-hop recursive' command are true? (Choose TWO.)

Select 2 answers
A.The 'set ip next-hop recursive' command can specify a next-hop address that is not directly connected, and the router will perform a recursive lookup to determine the outgoing interface.
B.The 'set ip next-hop recursive' command is the default behavior for 'set ip next-hop' when the next hop is not directly connected.
C.Using 'set ip next-hop recursive' can cause the router to perform additional routing table lookups, potentially increasing CPU utilization.
D.The 'set ip next-hop recursive' command is only supported on Cisco IOS-XE platforms, not on classic IOS.
E.When using 'set ip next-hop recursive', the router will drop the packet if the recursive lookup fails to find a route to the next hop.
AnswersA, C

Correct. This command is designed for non-directly connected next hops; the router uses the routing table to resolve the next hop recursively.

Why this answer

The 'set ip next-hop recursive' command allows PBR to use a next-hop address that is not directly connected; the router performs recursive lookup to find the outgoing interface. This is different from 'set ip next-hop' which requires a directly connected next hop. The recursive option is useful when the next hop is multiple hops away.

However, it can impact performance due to the recursive lookup.

1987
MCQhard

A network engineer runs the following command to debug Flexible NetFlow cache events: R1# debug flow monitor FLOW-MONITOR-1 Flow Monitor FLOW-MONITOR-1 debugging is on R1# *Mar 1 00:10:15.123: FLOW MONITOR: Cache entry created for flow 10.0.0.1:1234 -> 192.168.1.100:80 (TCP) *Mar 1 00:10:15.124: FLOW MONITOR: Cache entry updated for flow 10.0.0.1:1234 -> 192.168.1.100:80 (TCP) - bytes: 1460, packets: 1 *Mar 1 00:10:15.125: FLOW MONITOR: Cache entry updated for flow 10.0.0.1:1234 -> 192.168.1.100:80 (TCP) - bytes: 2920, packets: 2 *Mar 1 00:10:45.123: FLOW MONITOR: Cache entry aged for flow 10.0.0.1:1234 -> 192.168.1.100:80 (TCP) - reason: inactive timeout What does this output indicate?

A.The flow was aged due to active timeout after 1800 seconds.
B.The flow was created, updated twice, and then aged due to inactive timeout, indicating a normal flow lifecycle.
C.The flow was dropped because the cache was full.
D.The flow is still active in the cache.
AnswerB

The debug shows creation, two updates as packets arrive, and eventual aging due to inactivity, which is expected.

Why this answer

The debug output shows the lifecycle of a flow in the Flexible NetFlow cache. A flow is created, then updated as packets are received, and eventually aged out due to inactive timeout after 30 seconds of inactivity (the default is 15 seconds, but this may be configured differently). This is normal behavior for a TCP connection that has ended.

1988
MCQmedium

Which BGP attribute is used as the first tie-breaker in the route selection process when comparing routes from different peers?

A.Local preference
B.Weight
C.AS path length
D.MED
AnswerB

Correct. Weight is the first attribute checked; it is Cisco proprietary.

Why this answer

The BGP best-path selection algorithm first prefers the path with the highest weight (Cisco proprietary), then highest local preference, then locally originated routes.

1989
MCQhard

An engineer configures a Cisco router with 'ip http server' and 'ip http authentication local' for web-based management. The engineer creates a local username 'admin' with privilege level 15. However, when accessing the router via HTTP, the engineer is prompted for credentials but access is denied. What is the most likely cause?

A.The HTTP server is not configured with an access-class that permits the client.
B.The username 'admin' does not have a password.
C.The HTTP server is using a different port.
D.The 'ip http secure-server' is required for HTTP access.
AnswerA

An access-class can restrict which source IPs can access the HTTP server. If an access-class is configured without including the client's IP, access is denied even with valid credentials. By default, if no access-class is applied, all sources are permitted.

Why this answer

The 'ip http authentication local' command requires the HTTP server to authenticate users against the local username database. However, even with valid credentials, the router's HTTP server may deny access if an access-class is applied to the HTTP server that does not permit the client's IP address. The access-class restricts which source IP addresses can connect to the HTTP server, and if the client is not in the permitted list, authentication will fail with a denial even if the username and password are correct.

Exam trap

Cisco often tests the nuance that an access-class on the HTTP server can block access even with correct local credentials, leading candidates to incorrectly blame password issues or missing secure-server commands.

How to eliminate wrong answers

Option B is wrong because the username 'admin' with privilege level 15 can be created without a password only if the 'username admin privilege 15' command is used without the 'secret' or 'password' keyword; however, the question states the engineer created the username, and the most common practice is to assign a password or secret, so the lack of a password is not the most likely cause given the symptom of being prompted for credentials. Option C is wrong because the default HTTP port is 80, and unless explicitly changed with 'ip http port', the router will listen on port 80; a different port would not cause a denial after credentials are entered—it would cause a connection failure or no prompt. Option D is wrong because 'ip http secure-server' is required only for HTTPS (SSL/TLS) access, not for plain HTTP; the question explicitly uses 'ip http server', which enables unencrypted HTTP, and authentication works without secure-server.

1990
MCQmedium

A network engineer is troubleshooting an IPv6 over IPv4 tunnel that is used to connect two remote sites. The tunnel is configured with a tunnel source that is a loopback interface. The tunnel is up, but the engineer cannot ping the remote tunnel endpoint IPv6 address. The engineer checks the routing table and sees a route to the remote loopback's IPv4 address via a default route. What is the most likely cause?

A.The remote router does not have a route to the loopback network used as the tunnel source; it only has a default route that may not cover that prefix.
B.The tunnel destination is configured with the loopback address of the remote router, but the remote router's tunnel source is a different interface.
C.The tunnel interface is missing the 'tunnel mode ipv6ip' command.
D.The IPv6 address on the tunnel interface is not in the same subnet as the remote tunnel IPv6 address.
AnswerA

Correct because the tunnel source loopback address must be reachable from the remote router. If the default route does not include that specific prefix (e.g., due to routing policy or subnet mismatch), the tunnel cannot encapsulate packets.

Why this answer

The tunnel is up, but the engineer cannot ping the remote tunnel endpoint IPv6 address because the remote router lacks a route back to the loopback network used as the tunnel source. The remote router only has a default route, which may not cover the specific prefix of the local loopback, causing return traffic to be dropped. For IPv6 over IPv4 tunnels, the tunnel source and destination must be reachable via unicast routing; a missing or insufficient route (like a default that doesn't match) breaks bidirectional communication.

Exam trap

Cisco often tests the misconception that a tunnel being up guarantees end-to-end reachability, but the real issue is asymmetric routing caused by missing return routes for the tunnel source IPv4 address.

How to eliminate wrong answers

Option B is wrong because the tunnel destination is correctly configured with the remote router's loopback address; the issue is not about mismatched tunnel sources, but about the remote router lacking a route back to the local loopback network. Option C is wrong because if the tunnel is up, the 'tunnel mode ipv6ip' command is already applied; without it, the tunnel would not come up at all. Option D is wrong because IPv6 addresses on tunnel interfaces do not need to be in the same subnet for ping to work; they only need to be routable, and the tunnel itself provides the logical link.

1991
MCQhard

A dual-stack network uses BGP for IPv6 between two ISPs. R1 (AS 100) receives a full BGP table from R2 (AS 200). R1 has an IPv6 ACL applied inbound on the interface to R2 that permits only BGP (TCP 179) and denies all other traffic. R1 also has uRPF configured in strict mode on the same interface. R1's BGP table has a route to 2001:db8:1::/48 with next-hop 2001:db8:2::2. R1's routing table shows the route, but traffic from R1 to 2001:db8:1::1 fails. R1 shows 'show ipv6 cef 2001:db8:1::/48' points to 2001:db8:2::2 via the interface to R2. What is the root cause?

A.The ACL on R1 blocks the return traffic from the destination, which is not BGP, causing the ping to fail.
B.uRPF strict mode drops the outgoing traffic because the source address is not reachable via the interface.
C.The next-hop 2001:db8:2::2 is not reachable due to a missing ND entry.
D.BGP next-hop resolution fails because the next-hop is not in the FIB.
AnswerA

The ACL permits only BGP. Return traffic (ICMPv6 echo reply) is blocked, so the ping fails.

Why this answer

The IPv6 ACL on R1 permits only BGP (TCP port 179) inbound from R2. When R1 sends a ping to 2001:db8:1::1, the return ICMPv6 echo-reply traffic from the destination (via R2) is not BGP and is therefore denied by the inbound ACL, causing the ping to fail. The BGP table and routing table are correct, but the ACL blocks the non-BGP return traffic.

Exam trap

Cisco often tests the directional nature of ACLs—candidates assume an inbound ACL only affects traffic initiated from the remote side, forgetting that return traffic for locally initiated sessions is also subject to the inbound ACL.

How to eliminate wrong answers

Option B is wrong because uRPF strict mode checks the source address of incoming packets against the FIB to ensure it is reachable via the receiving interface; it does not drop outgoing traffic. Option C is wrong because if the next-hop 2001:db8:2::2 were unreachable due to a missing ND entry, the route would not appear in the routing table or CEF, but the question states both tables show the route. Option D is wrong because BGP next-hop resolution has already succeeded—the route is in the FIB and CEF points to the correct next-hop and interface.

1992
MCQhard

A network engineer is troubleshooting a redistribution issue between OSPF and EIGRP. Router R3 is redistributing OSPF routes into EIGRP, but some OSPF external routes are not appearing in the EIGRP topology table. The engineer checks the redistribute command under EIGRP and sees a route-map named RM-OSPF that uses a prefix-list to match specific prefixes. The missing routes are permitted by the prefix-list. What is the most likely cause?

A.The route-map is missing a 'set metric' command; EIGRP requires a metric for redistributed routes.
B.The prefix-list is using the wrong sequence number and is being overridden by a later deny statement.
C.The OSPF routes are type-5 LSAs, which cannot be redistributed into EIGRP.
D.The route-map is applied to the OSPF process instead of the EIGRP process.
AnswerA

Correct because EIGRP will not accept redistributed routes without an explicit metric.

Why this answer

The route-map may have a 'set metric' command that is misconfigured, or the route-map may be missing the 'set metric' command entirely, causing EIGRP to reject the route because it requires a metric for redistributed routes. Alternatively, the route-map might have a 'match route-type' that excludes external type-2 routes.

1993
MCQhard

In a VRF-Lite environment, EIGRP is configured between two routers. The engineer notices that the EIGRP neighbor relationship is flapping intermittently. Debug output shows 'dually' messages and the route is occasionally marked as 'stuck-in-active' (SIA). The link is Ethernet with no errors. Which is the most likely explanation?

A.The EIGRP K-values are mismatched between the two routers, causing the neighbor to reset.
B.A unidirectional link issue is present, where EIGRP packets are successfully sent but not received, causing the query process to time out.
C.The EIGRP stub routing feature is enabled on one router, preventing query propagation and causing the active process to hang.
D.The 'eigrp log-neighbor-changes' command is causing excessive logging, which delays EIGRP processing.
AnswerB

Unidirectional link causes queries to be sent but replies not received, leading to SIA and neighbor flapping.

Why this answer

EIGRP uses the Reliable Transport Protocol (RTP) for updates, queries, and replies. If there is a unidirectional link issue (e.g., one direction has high latency or packet loss), the query process may not receive replies in time, causing the route to become SIA. This is a classic edge case where the link appears operational but is unidirectional for EIGRP packets.

1994
MCQmedium

According to RFC 2663, what is the term for the process of translating both the source and destination IP addresses in a packet?

A.Static NAT
B.Twice NAT
C.PAT
D.Double NAT
AnswerB

Twice NAT translates both source and destination addresses.

Why this answer

RFC 2663 defines 'Twice NAT' as the process of translating both the source and destination IP addresses within a single packet. This is necessary when the private and public address spaces overlap, requiring simultaneous translation of both the source and destination fields to ensure proper routing and reachability.

Exam trap

The trap here is confusing 'Twice NAT' with 'Double NAT' — Cisco often tests this distinction, where Double NAT implies two separate NAT devices in series, while Twice NAT is a single device performing bidirectional translation as defined in RFC 2663.

How to eliminate wrong answers

Option A is wrong because Static NAT only translates the source IP address (or destination IP address in reverse) on a one-to-one basis, not both addresses in the same packet. Option C is wrong because PAT (Port Address Translation) translates only the source IP address and port, leaving the destination IP address unchanged. Option D is wrong because Double NAT refers to two separate NAT devices performing translations sequentially (e.g., ISP and customer CPE), not a single device translating both source and destination addresses in one packet.

1995
MCQhard

An engineer configures a Cisco router with 'aaa authentication login default local' and 'aaa authorization exec default local'. The engineer then attempts to log in via the console and is prompted for a username and password. The username 'admin' with password 'cisco' is configured locally. The login fails. What is the most likely cause?

A.The console line is not configured with 'login authentication default'.
B.The username 'admin' is not in the local database.
C.The password 'cisco' is incorrect.
D.The 'aaa new-model' command is missing.
AnswerA

Correct because the default AAA login method list must be applied to the console line using the 'login authentication' command.

Why this answer

Option A is correct because, by default, the console line does not inherit the AAA authentication methods defined under 'aaa authentication login default local'. The 'login authentication default' command must be explicitly applied to the console line under line configuration to use the global AAA authentication method. Without it, the console line falls back to its default behavior, which does not use AAA, causing the login to fail despite the local user being configured.

Exam trap

Cisco often tests the distinction between defining a default AAA method list and applying it to a specific line, trapping candidates who assume that 'aaa authentication login default local' automatically applies to the console without the 'login authentication default' command.

How to eliminate wrong answers

Option B is wrong because the username 'admin' is explicitly stated as configured locally, so it is in the local database. Option C is wrong because the password 'cisco' is also stated as configured correctly, and the failure is not due to a password mismatch but due to the AAA method not being applied to the console line. Option D is wrong because the presence of 'aaa authentication login default local' and 'aaa authorization exec default local' implies that 'aaa new-model' has already been enabled; without it, these AAA commands would be rejected by the router.

1996
Multi-Selecthard

An engineer is troubleshooting an EIGRP network where some routers are not learning all routes, and suspects a route filtering issue. Which TWO statements about EIGRP route filtering are true? (Choose TWO.)

Select 2 answers
A.A distribute-list configured under the EIGRP process using an ACL will filter routes based on the source IP address of the EIGRP update, not the route prefix.
B.A prefix-list applied in a distribute-list under EIGRP can filter routes based on both the prefix and the prefix length, using ge and le operators.
C.An outbound distribute-list on an EIGRP router will prevent the router from installing filtered routes in its own routing table.
D.If a distribute-list is applied both at the EIGRP process level and on a specific interface, the process-level distribute-list takes precedence for that interface.
E.The 'distance' command configured under EIGRP can be used to filter routes by setting the administrative distance to 255, which prevents the route from being installed.
AnswersA, B

When using an ACL in a distribute-list under EIGRP, the ACL matches the source IP address of the router sending the update, not the route prefix itself. This is a common misconception.

Why this answer

A is correct because a distribute-list using an ACL matches the source IP of the EIGRP update, not the route prefix. B is correct because a prefix-list can use ge and le operators to match both prefix and prefix length. C is false because an outbound distribute-list filters routes before sending to neighbors, not local installation.

D is false because an interface-specific distribute-list takes precedence over a process-level one. E is false because the distance command sets administrative distance; while a value of 255 prevents route installation, it is not considered a route filtering method in the context of EIGRP distribute-lists. Thus, only A and B are true.

1997
Drag & Dropmedium

Drag and drop the steps to configure uRPF in strict mode on an edge router into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

The correct order begins with entering global configuration mode, then configuring the interface, enabling IPv6 on the interface, applying uRPF strict mode, and finally verifying the configuration with a show command.

1998
MCQmedium

Examine this CoPP configuration: ip access-list extended PROTECT-ACL permit tcp any any eq 22 permit tcp any any eq 23 permit tcp any any eq 179 ! class-map match-all PROTECT-CLASS match access-group name PROTECT-ACL ! policy-map PROTECT-POLICY class PROTECT-CLASS police 16000 conform-action transmit exceed-action drop class class-default police 64000 conform-action transmit exceed-action drop ! control-plane service-policy input PROTECT-POLICY What will happen to SSH traffic that exceeds 16000 bps?

A.SSH traffic exceeding 16000 bps is dropped.
B.SSH traffic exceeding 16000 bps is still accepted because SSH is critical.
C.SSH traffic is not affected because the ACL uses 'permit' and the class-map uses 'match-all'.
D.SSH traffic exceeding 16000 bps is sent with a lower priority.
AnswerA

Correct. The exceed-action is drop, so any SSH traffic above the conform rate is dropped.

Why this answer

The CoPP policy applies a police rate of 16000 bps to the PROTECT-CLASS class, which matches SSH traffic via the ACL. When SSH traffic exceeds this rate, the exceed-action is configured to drop, so any SSH packets beyond 16000 bps are discarded. This is standard CoPP behavior: the policer enforces the rate limit regardless of the protocol's importance.

Exam trap

Cisco often tests the misconception that CoPP can prioritize or remark traffic instead of simply dropping it, leading candidates to choose 'lower priority' or 'still accepted' options, but the exceed-action explicitly defines the fate of excess traffic.

How to eliminate wrong answers

Option B is wrong because CoPP does not prioritize traffic based on criticality; the policer enforces the configured rate limit, and exceeding traffic is dropped per the exceed-action. Option C is wrong because the ACL's 'permit' entries and the class-map's 'match-all' logic correctly classify SSH traffic into the PROTECT-CLASS, so the policer applies to it; there is no bypass due to ACL or class-map syntax. Option D is wrong because CoPP policers only support conform-action and exceed-action (transmit or drop), not lowering priority; there is no 'lower priority' action in a CoPP policer.

1999
Multi-Selecthard

Which TWO statements correctly describe the behavior of VRF-Lite when using OSPF as the IGP? (Choose TWO.)

Select 2 answers
A.The OSPF process must be configured with the 'vrf <name>' keyword to associate it with a specific VRF.
B.OSPF in VRF-Lite requires an MP-BGP session to exchange routes between VRFs.
C.By default, OSPF automatically redistributes all connected routes in the VRF into OSPF.
D.The 'network' command under the OSPF process can be used to enable OSPF on interfaces belonging to the VRF.
E.OSPF in VRF-Lite uses different LSA types compared to global OSPF.
AnswersA, D

Correct. The command 'router ospf <pid> vrf <name>' creates a VRF-aware OSPF instance.

Why this answer

In VRF-Lite, OSPF can be configured per VRF, and the OSPF process uses the VRF's routing table. The 'router ospf <process-id> vrf <name>' command creates a VRF-aware OSPF process. By default, OSPF uses the VRF's route table, not the global table.

The 'network' statement under the OSPF process is still used to enable OSPF on interfaces, but the interface must be in the same VRF. Option A is correct because the OSPF process is VRF-specific. Option D is correct because the 'network' command is still valid.

Option B is incorrect because OSPF does not require BGP; it can run directly. Option C is incorrect because OSPF does not automatically redistribute connected routes; a redistribution command is needed. Option E is incorrect because OSPF LSA types are the same in VRF-Lite.

2000
MCQhard

An engineer is troubleshooting why SNMPv3 informs are not being received by the NMS from router R6. The configuration includes 'snmp-server group ADMIN v3 priv', 'snmp-server user admin ADMIN v3 auth sha cisco123 priv aes 128 cisco456', and 'snmp-server host 10.1.1.100 informs version 3 priv admin'. The NMS can receive SNMPv3 traps from other routers. What is the most likely cause?

A.The NMS is not configured to respond to SNMP informs, so the router does not receive acknowledgment.
B.The 'snmp-server host' command should use 'traps' instead of 'informs' for SNMPv3.
C.The router needs the 'snmp-server enable informs' command globally.
D.The SNMPv3 user must have the 'auth' privilege instead of 'priv' to send informs.
AnswerA

Correct because informs require an acknowledgment; if the NMS does not support it, informs fail.

Why this answer

SNMPv3 informs require the NMS to send an acknowledgment back to the router. If the NMS is not configured to respond to informs, the router never receives the acknowledgment and will not send the inform. The configuration shown is correct for sending informs, so the issue is likely on the NMS side, especially since the NMS can receive traps from other routers.

Exam trap

Cisco often tests the distinction between traps (unconfirmed) and informs (confirmed), leading candidates to incorrectly assume that a missing global command or wrong privilege level is the cause, rather than the NMS's inability to acknowledge the inform.

How to eliminate wrong answers

Option B is wrong because SNMPv3 supports both traps and informs; the 'informs' keyword is valid and does not need to be replaced with 'traps'. Option C is wrong because the 'snmp-server enable informs' command is not a valid global command in Cisco IOS; informs are enabled per host using the 'informs' keyword in the 'snmp-server host' command. Option D is wrong because the 'priv' privilege level is required for sending informs with privacy (encryption), and 'auth' would only provide authentication without encryption, which is not the issue here.

2001
MCQeasy

What is the default administrative distance for IPv6 static routes in Cisco IOS-XE?

A.0
B.1
C.5
D.20
AnswerB

IPv6 static routes have a default AD of 1.

Why this answer

The default administrative distance for IPv6 static routes in Cisco IOS-XE is 1. This is because Cisco assigns a default administrative distance of 1 to all static routes, including IPv6 static routes configured with the 'ipv6 route' command. This value ensures that static routes are preferred over most dynamic routing protocols like OSPF (110) or EIGRP (90/170) but are less preferred than directly connected interfaces (0).

Exam trap

The trap here is that candidates often confuse the administrative distance of IPv6 static routes with that of IPv4 static routes (both are 1) or mistakenly think IPv6 static routes have a different default distance due to IPv6-specific routing protocols, leading them to select 20 (eBGP) or 0 (connected) instead.

How to eliminate wrong answers

Option A is wrong because an administrative distance of 0 is reserved for directly connected routes, not static routes; a static route with distance 0 would be treated as a connected route, which is not the default behavior. Option C is wrong because 5 is not a standard administrative distance for any Cisco routing protocol or static route; it is an arbitrary value that might be confused with the distance for a floating static route if misconfigured. Option D is wrong because 20 is the default administrative distance for external BGP (eBGP) routes, not for static routes; candidates often confuse this with the distance for static routes due to BGP's common use in IPv6.

2002
MCQeasy

What is the default administrative distance for internal EIGRP routes?

A.90
B.110
C.120
D.170
AnswerA

Internal EIGRP routes have a default AD of 90.

Why this answer

The default administrative distance for internal Enhanced Interior Gateway Routing Protocol (EIGRP) routes is 90. This value is used by Cisco routers to select the best path when multiple routing protocols provide route information for the same destination network, with a lower administrative distance being preferred over a higher one.

Exam trap

Cisco often tests the distinction between internal and external EIGRP administrative distances, so the trap here is that candidates may confuse the default AD of 170 for external EIGRP routes with the AD of 90 for internal EIGRP routes.

How to eliminate wrong answers

Option B is wrong because 110 is the default administrative distance for Open Shortest Path First (OSPF) routes, not for EIGRP. Option C is wrong because 120 is the default administrative distance for Routing Information Protocol (RIP) routes. Option D is wrong because 170 is the default administrative distance for external EIGRP routes (routes redistributed into EIGRP from another protocol), not for internal EIGRP routes.

2003
MCQmedium

A network engineer runs the following command on Router R1: R1# show dmvpn Interface: Tunnel0, IPv4 NHRP Details Type:Hub, NHRP Peers:2, # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb ----- ----------------- --------------- ----- -------- ----- 1 10.0.0.2 10.1.1.2 UP 00:10:00 D 2 10.0.0.3 10.1.1.3 UP 00:05:00 D Based on this output, what is the role of Router R1 in the DMVPN network?

A.Router R1 is the hub router with two active spoke connections.
B.Router R1 is a spoke router with two hub connections.
C.Router R1 is a spoke router with two other spoke connections.
D.Router R1 is not participating in DMVPN because the tunnel is down.
AnswerA

The 'Type:Hub' and two UP peers indicate it is a hub.

Why this answer

The output shows that Router R1 has a Tunnel0 interface configured as a DMVPN hub (Type:Hub) with two NHRP peers (10.1.1.2 and 10.1.1.3) in the UP state. The 'D' attribute in the Attrb column indicates these peers are directly connected spokes, confirming R1 is the hub router with two active spoke connections.

Exam trap

Cisco often tests the distinction between the 'Type:Hub' and 'Type:Spoke' fields in the show dmvpn output, and candidates may misinterpret the 'D' attribute as meaning the router is a spoke or that the tunnel is down, when it actually indicates a dynamic peer relationship on the hub.

How to eliminate wrong answers

Option B is wrong because the output explicitly shows Type:Hub, not a spoke, and a spoke router would have a single hub connection, not two hub connections. Option C is wrong because a spoke router does not have two other spoke connections in a typical DMVPN phase 2/3; spokes only connect to the hub, and the output shows the hub role. Option D is wrong because the tunnel state is UP (as indicated by the 'UP' status for both peers), meaning R1 is actively participating in DMVPN.

2004
MCQmedium

A network engineer runs the following command on Router R1: R1# show event manager policy registered No. Type Time Created Name 1 applet 00:01:23 UTC Mar 1 2025 BGP_Session_Reset R1# show event manager history events Event History: No. Time Type Name 1 00:02:00 UTC Mar 1 syslog BGP_Session_Reset 2 00:02:05 UTC Mar 1 syslog BGP_Session_Reset 3 00:02:10 UTC Mar 1 syslog BGP_Session_Reset Based on this output, which statement is correct?

A.The BGP session reset event has occurred three times.
B.The EEM policy is not triggering any events.
C.The BGP session is stable.
D.The EEM policy is disabled.
AnswerA

The event history shows three entries for BGP_Session_Reset, each at different times.

Why this answer

The output shows one registered EEM applet policy named BGP_Session_Reset, and three triggered syslog events for that policy. The correct answer is that the BGP session reset event has occurred multiple times, indicating a persistent issue.

2005
MCQeasy

A network engineer runs the following command on Router R4: R4# show ip route 10.10.10.0 Routing entry for 10.10.10.0/24 Known via "connected", distance 0, metric 0 (connected) Redistributing via eigrp 100 Last update from 10.10.10.1 on GigabitEthernet0/0, 00:00:00 ago Routing Descriptor Blocks: * 10.10.10.1, via GigabitEthernet0/0 Route metric is 0, traffic share count is 1 Based on this output, which statement is true?

A.The route is a static route with distance 0.
B.The route is a connected route, as indicated by distance 0.
C.The route is redistributed from EIGRP into connected.
D.The administrative distance of 0 indicates a floating static route.
AnswerB

Connected routes have an administrative distance of 0, confirming this is a directly connected network.

Why this answer

The route is directly connected, as indicated by 'known via connected' and distance 0. The administrative distance of 0 is the default for connected routes.

2006
MCQhard

A network engineer is troubleshooting a DHCPv4 issue where a router configured as a DHCP server is not assigning addresses from a pool to clients on a specific VLAN. The pool is configured with 'network 10.1.1.0 255.255.255.0' and 'default-router 10.1.1.1'. The router's interface Gi0/0.10 (subinterface) has encapsulation dot1Q 10 and IP 10.1.1.1/24. Clients send DISCOVER messages, but the router does not respond. The engineer notices that the router has multiple DHCP pools configured. What is the most likely cause?

A.The DHCP pool is configured under a VRF, but the interface is not in that VRF.
B.The subinterface is missing the 'ip helper-address' command.
C.The 'ip dhcp server' command is missing globally.
D.The encapsulation dot1Q 10 is misconfigured, causing the router to not receive broadcasts.
AnswerA

Correct because if the pool is defined with 'vrf <name>', it will only respond to DHCP requests on interfaces belonging to that VRF; the subinterface is not in any VRF, so the pool is ignored.

Why this answer

The router has multiple DHCP pools configured, and the pool for VLAN 10 is likely bound to a VRF. When a DHCP pool is configured under a VRF, the router only responds to DHCP DISCOVER messages received on interfaces that belong to that same VRF. Since the subinterface Gi0/0.10 is not in the VRF, the router ignores the client broadcasts, even though the IP address and subnet match the pool.

Exam trap

Cisco often tests the VRF-aware DHCP concept by presenting a scenario where a DHCP server has multiple pools and clients are not getting addresses, leading candidates to incorrectly suspect missing helper addresses or global DHCP commands, when the real issue is a VRF mismatch between the pool and the interface.

How to eliminate wrong answers

Option B is wrong because the 'ip helper-address' command is used to forward DHCP broadcasts to a remote DHCP server, not to enable a local DHCP server to respond; the router is acting as the DHCP server itself, so this command is unnecessary. Option C is wrong because the global 'ip dhcp server' command does not exist in Cisco IOS; DHCP server functionality is enabled by default when a pool is configured, and the correct global command is 'service dhcp' (which is enabled by default). Option D is wrong because the encapsulation dot1Q 10 is correctly configured for the subinterface to receive VLAN 10 traffic; if it were misconfigured, the router would not receive any frames from that VLAN, but the question states clients send DISCOVER messages, implying the router receives them.

2007
MCQmedium

A network engineer runs the following command to troubleshoot a Network Logging and Syslog issue: R1# show logging Output: Syslog logging: enabled Console logging: level debugging, 10 messages logged Monitor logging: level informational, 5 messages logged Buffer logging: level warnings, 23 messages logged Trap logging: level errors, 7 messages logged What does this output indicate?

A.The router has logging enabled with messages being sent to console, monitor, buffer, and a syslog server (trap).
B.The router is experiencing syslog server authentication failures.
C.The router has no active logging configurations.
D.The router is only logging at debugging level.
AnswerA

Correct. The output shows entries for console, monitor, buffer, and trap logging, indicating multiple destinations and severity levels.

Why this answer

The output from 'show logging' indicates that syslog logging is enabled and messages are being logged to multiple destinations at various severity levels: console (debugging), monitor (informational), buffer (warnings), and trap (errors). This shows that the router is actively logging messages to different output locations based on severity thresholds.

Exam trap

A candidate might mistakenly think that 'trap logging' refers to SNMP traps, but in the context of Cisco logging, 'trap logging' refers to syslog messages sent to a remote server.

2008
MCQhard

A network engineer configures OSPF on two routers connected via Ethernet. The adjacency forms but remains stuck in EXSTART state. Both routers have identical OSPF configuration except for MTU. Which is the most likely explanation?

A.The OSPF network type is point-to-point on one side and broadcast on the other.
B.The MTU on the interfaces is mismatched, causing DBD packet rejection.
C.The OSPF router ID is identical on both routers.
D.The 'ip ospf authentication' is configured only on one side.
AnswerB

MTU mismatch is a classic cause of EXSTART state.

Why this answer

OSPF uses the interface MTU in Database Description (DBD) packets. If MTU values differ, the neighbor will reject DBD packets larger than its own MTU, causing the adjacency to stall in EXSTART. The fix is to use 'ip ospf mtu-ignore' or match MTU.

2009
MCQhard

A network engineer runs the following command to troubleshoot a Policy-Based Routing (PBR) issue: R1# debug ip policy Policy routing debugging is on R1# *Mar 1 00:15:30.789: IP: s=10.0.0.1 (FastEthernet0/0), d=20.0.0.1, len 100, policy match *Mar 1 00:15:30.789: IP: s=10.0.0.1 (FastEthernet0/0), d=20.0.0.1, len 100, policy rejected *Mar 1 00:15:30.789: IP: s=10.0.0.2 (FastEthernet0/0), d=20.0.0.2, len 100, policy match *Mar 1 00:15:30.789: IP: s=10.0.0.2 (FastEthernet0/0), d=20.0.0.2, len 100, policy routed *Mar 1 00:15:30.789: IP: FastEthernet0/0 to GigabitEthernet0/1 192.168.1.1 What does this output indicate?

A.The route-map has multiple sequences or ACL entries; one source is permitted, the other is denied or fails next-hop check.
B.Both packets should have been rejected due to a misconfiguration.
C.The next-hop 192.168.1.1 is unreachable for the first packet.
D.The ACL is blocking all traffic from 10.0.0.1.
AnswerA

The different treatment indicates different match conditions or set clause outcomes.

Why this answer

The debug shows two packets: the first from 10.0.0.1 was rejected, while the second from 10.0.0.2 was successfully routed to 192.168.1.1. This suggests that the route-map may have multiple sequences or the ACL differentiates between the sources.

2010
MCQmedium

A network engineer runs the following command on Router R1: R1# show ipv6 tunnel brief Tunnel2: IPv6/IP, intf id 0/0/2, 6to4, mtu 1280 Source: 192.168.1.1 (GigabitEthernet0/0) Destination: 192.168.2.1 Tunnel transport: IPv4 Based on this output, which statement is correct?

A.This is a correctly configured 6to4 tunnel.
B.This tunnel is actually a manually configured IPv6/IP tunnel, not a 6to4 tunnel.
C.The tunnel is an ISATAP tunnel.
D.The tunnel is in an up/up state and passing traffic.
AnswerB

The presence of a specific destination address indicates a manual tunnel; 6to4 tunnels have no configured destination.

Why this answer

The output shows a manually configured IPv6/IP tunnel because it specifies both a source and destination IPv4 address. In a true 6to4 tunnel, the destination is automatically derived from the 6to4 prefix (2002::/16) and the destination IPv4 address, not statically configured. The presence of a static destination address indicates this is a manually configured tunnel, not a 6to4 tunnel.

Exam trap

Cisco often tests the distinction between automatic 6to4 tunnels (where the destination is derived from the IPv6 address) and manually configured tunnels (where both source and destination are explicitly set), leading candidates to assume any tunnel with '6to4' in the output is correctly configured.

How to eliminate wrong answers

Option A is wrong because a correctly configured 6to4 tunnel does not have a statically configured destination IPv4 address; the destination is derived automatically from the 6to4 prefix. Option C is wrong because an ISATAP tunnel uses a different interface identifier format (::0:5EFE:IPv4-address) and typically does not show a static destination address in this manner. Option D is wrong because the output does not show interface status or traffic statistics; 'show ipv6 tunnel brief' only displays configuration parameters, not operational state.

2011
MCQeasy

What is the maximum number of VRFs that can be configured on a Cisco IOS router?

A.256
B.1024
C.Platform-dependent, typically limited by available memory.
D.Unlimited
AnswerC

This is correct. The number of VRFs is constrained by hardware resources.

Why this answer

The maximum number of VRFs is platform-dependent. There is no fixed IOS-wide limit; it varies based on hardware and software resources.

2012
MCQhard

An engineer is troubleshooting an MPLS L3VPN where CE1 (10.1.1.0/24) cannot reach CE2 (10.2.2.0/24). The PE routers have MP-BGP peering and the VRF is configured with route-target import 100:100. On PE1, the show ip bgp vpnv4 vrf CUSTOMER command shows the route for 10.2.2.0/24 with a next-hop of 192.168.1.2, but the show ip route vrf CUSTOMER command does not have this route. The show ip bgp vpnv4 all 10.2.2.0/24 command on PE1 shows the route is received but not best. What is the most likely cause?

A.The route-target import on PE1 is missing.
B.The BGP next-hop (PE2 loopback) is not reachable in the global routing table.
C.The VRF on PE1 has a different route-target export.
D.The MP-BGP session is using an incorrect address family.
AnswerB

Correct: BGP requires the next-hop to be reachable for the route to be considered best and installed.

Why this answer

The route is received but not marked as best, so it is not installed in the routing table. Common reasons include the route being suppressed due to a higher AD from another source or the next-hop being unreachable. In this scenario, the most likely cause is that the BGP next-hop is not reachable in the global routing table.

2013
MCQeasy

Which statement correctly describes the default behavior of EIGRP auto-summary on Cisco IOS-XE?

A.Auto-summary is enabled by default, summarizing classful boundaries.
B.Auto-summary is disabled by default, so subnets are advertised without summarization.
C.Auto-summary is enabled only for EIGRP named mode configurations.
D.Auto-summary is disabled by default, but only for IPv6 EIGRP.
AnswerB

Correct: In IOS-XE, auto-summary is off by default, preventing unwanted classful summarization.

Why this answer

In Cisco IOS-XE, EIGRP auto-summary is disabled by default. This means that EIGRP advertises subnets without summarizing them to their classful boundaries, preserving the original prefix lengths. This behavior changed from older IOS versions where auto-summary was enabled by default, which could cause routing issues in discontiguous networks.

Exam trap

Cisco often tests the change in default behavior between older IOS and IOS-XE, where candidates may incorrectly assume auto-summary is still enabled by default based on legacy knowledge.

How to eliminate wrong answers

Option A is wrong because auto-summary is not enabled by default on Cisco IOS-XE; it was enabled by default in older IOS versions but is now disabled. Option C is wrong because auto-summary behavior is consistent across both classic and named mode EIGRP configurations; named mode does not enable auto-summary by default. Option D is wrong because auto-summary is disabled by default for both IPv4 and IPv6 EIGRP, not only for IPv6; additionally, auto-summary does not apply to IPv6 EIGRP as it is classless by design.

2014
Multi-Selectmedium

Which TWO commands can be used to verify the NHRP shortcut route creation in a DMVPN Phase 3 network? (Choose TWO.)

Select 2 answers
A.show ip nhrp
B.show ip route
C.show dmvpn
D.show crypto ipsec sa
E.show ip eigrp topology
AnswersA, B

This command shows NHRP cache entries, including shortcut routes with the 'shortcut' flag.

Why this answer

In DMVPN Phase 3, shortcut routes are created by NHRP. The 'show ip nhrp' command displays the NHRP cache, which includes shortcut entries. The 'show ip route' command shows the routing table, where shortcut routes appear as NHRP-learned routes.

The other commands do not show shortcut route information.

2015
MCQhard

A network engineer notices that after redistributing EIGRP into OSPF, a routing loop occurs between two routers. Router R1 config: router ospf 1 redistribute eigrp 100 subnets ! router eigrp 100 redistribute ospf 1 metric 10000 100 255 1 1500 R1# show ip route 192.168.1.0 Routing entry for 192.168.1.0/24 Known via "eigrp 100", distance 90, metric 128256 Redistributing via eigrp 100 Last update from 10.1.1.2 on GigabitEthernet0/0 R2# show ip route 192.168.1.0 Routing entry for 192.168.1.0/24 Known via "ospf 1", distance 110, metric 20 Redistributing via ospf 1 Last update from 10.1.1.1 on GigabitEthernet0/0 What is the root cause?

A.The redistribute commands are missing route-map filters, causing mutual redistribution and a loop.
B.The EIGRP metric is too low, causing OSPF to prefer the redistributed route.
C.The OSPF administrative distance is higher than EIGRP, causing suboptimal path selection.
D.The subnets keyword under OSPF redistribution is causing classful behavior.
AnswerA

Without filtering, routes learned from one protocol are redistributed back, creating a loop.

Why this answer

Mutual redistribution between EIGRP and OSPF without route filtering causes a routing loop. R1 learns the route via EIGRP and redistributes into OSPF; R2 learns via OSPF and redistributes back into EIGRP, creating a loop. The fix is to use route-maps to filter redistributed routes or set administrative distance to prefer one source.

2016
MCQmedium

A network engineer runs the following command on Router R1: R1# show ipv6 traffic | include tunnel 0 tunnel packets received 0 tunnel packets sent 0 tunnel packets dropped Based on this output, what can be concluded?

A.The tunnel is passing traffic normally.
B.The tunnel is not carrying any IPv6 traffic.
C.The tunnel is dropping all packets.
D.The tunnel is using IPsec encryption.
AnswerB

All counters are zero, meaning no traffic.

Why this answer

The 'show ipv6 traffic | include tunnel' command filters the output to show only lines containing 'tunnel'. The counters for packets received, sent, and dropped are all zero, which indicates that no IPv6 packets have been encapsulated or decapsulated by any tunnel interface. This means the tunnel is not carrying any IPv6 traffic, making option B correct.

Exam trap

Cisco often tests the misinterpretation of zero counters as 'no issues' (option A) or as 'dropping all packets' (option C), when in fact zero counters simply indicate no activity on the tunnel.

How to eliminate wrong answers

Option A is wrong because zero packets received and sent indicates no traffic is passing, not normal operation. Option C is wrong because zero packets dropped means no packets have been discarded; dropping all packets would show non-zero drop counters. Option D is wrong because the output provides no information about IPsec encryption; IPsec status is verified with commands like 'show crypto ipsec sa' or 'show crypto map', not from IPv6 traffic counters.

2017
Drag & Drophard

Drag and drop the steps to troubleshoot SNMP adjacency or connectivity failures into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Start by checking basic IP connectivity using ping to the SNMP manager. Next, verify that the SNMP agent is enabled and listening on the correct port. Then, review ACLs and firewall rules that might block SNMP traffic.

After that, examine SNMP community strings or security credentials for mismatches. Finally, enable debug snmp packets to capture and analyze packet exchanges.

2018
MCQmedium

A network engineer runs the following command on Router R1: R1# show ip eigrp interfaces EIGRP-IPv4 Interfaces for AS(100) Xmit Queue Mean Pacing Time Multicast Pending Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes Gi0/0 1 0/0 12 0/10 50 0 Gi0/1 1 0/0 15 0/10 50 0 Gi0/2 1 0/0 18 0/10 50 0 Gi0/3 1 0/0 20 0/10 50 0 Gi0/4 0 0/0 0 0/10 50 0 Based on this output, which statement is correct?

A.Interface Gi0/4 has no EIGRP neighbor, which may indicate a configuration issue or lack of connectivity.
B.All interfaces have at least one EIGRP neighbor.
C.The mean SRTT on Gi0/2 is 18 ms, which is too high and indicates a problem.
D.The pending routes count of 0 on all interfaces indicates a routing loop.
AnswerA

A peer count of 0 means no EIGRP adjacency exists on that interface.

Why this answer

The output shows that interface Gi0/4 has 0 peers, while all other interfaces have 1 peer. In EIGRP, a peer count of 0 indicates that no neighbor adjacency has been formed on that interface. This could be due to a configuration mismatch (e.g., different AS numbers, passive interface, or authentication) or a Layer 1/2 connectivity issue.

Therefore, option A is correct.

Exam trap

Cisco often tests the misinterpretation of SRTT values as indicators of problems, when in fact normal SRTT values vary by network and are not inherently problematic unless they are excessively high (e.g., >5000 ms) or accompanied by retransmissions.

How to eliminate wrong answers

Option B is wrong because Gi0/4 has 0 peers, so not all interfaces have at least one EIGRP neighbor. Option C is wrong because a mean SRTT of 18 ms on Gi0/2 is well within normal operational range (typically under 100 ms) and does not indicate a problem; SRTT values are used for metric calculation and retransmission timing, not as a direct indicator of faults. Option D is wrong because a pending routes count of 0 is normal and expected when the EIGRP topology table is fully converged; it does not indicate a routing loop—routing loops are detected via other mechanisms like feasible successor checks and hold-down timers.

2019
MCQmedium

A network engineer runs the following command to troubleshoot DMVPN with NHRP filtering: R1# show ip nhrp detail 10.1.1.2/8 via 10.1.1.2, Tunnel0 created 00:10:00, expire 01:50:00 Type: dynamic, Flags: authoritative unique registered NBMA address: 192.168.1.2 (no-socket) (no-socket) What does this output indicate?

A.The spoke at 10.1.1.2 has registered with the hub and is reachable via NBMA address 192.168.1.2.
B.The spoke is being filtered by an NHRP filter.
C.The NHRP entry is static and configured manually.
D.The spoke is not reachable because the NBMA address is incorrect.
AnswerA

The entry shows a dynamic registration with the NBMA address, indicating successful NHRP registration.

Why this answer

The output shows an NHRP cache entry for a remote spoke (10.1.1.2) with NBMA address 192.168.1.2. The entry is dynamic and registered, indicating that the spoke has successfully registered with the hub.

2020
MCQmedium

In an extended IPv4 ACL, what is the default action if only a source and destination are specified without a protocol?

A.The ACL matches all IP traffic.
B.The ACL matches only TCP traffic.
C.The command is rejected by the IOS parser.
D.The ACL matches only UDP traffic.
AnswerC

Extended ACL syntax requires a protocol field; omission causes a syntax error.

Why this answer

In an extended IPv4 ACL, the protocol keyword is mandatory. If you omit it, the IOS parser rejects the command because it cannot determine which protocol to filter. The correct syntax requires a protocol (e.g., ip, tcp, udp) after the permit or deny keyword; without it, the parser returns an error.

Exam trap

Cisco often tests the mandatory nature of the protocol field in extended ACLs, trapping candidates who assume a default protocol (like IP, TCP, or UDP) is applied when none is specified.

How to eliminate wrong answers

Option A is wrong because an extended ACL does not default to matching all IP traffic when only source and destination are specified; the protocol field is required, and omitting it causes a parser error, not an implicit 'permit ip any any'. Option B is wrong because there is no default protocol of TCP; the ACL command is invalid without a protocol keyword. Option D is wrong because there is no default protocol of UDP; the command is rejected, not interpreted as UDP traffic.

2021
MCQmedium

A network engineer runs the following command to troubleshoot OSPF over DMVPN: R1# debug ip ospf adj OSPF: 2 Way Communication to 10.0.0.2 on Tunnel0, state 2WAY OSPF: Send DBD to 10.0.0.2 on Tunnel0 seq 0x1234 opt 0x52 flag 0x7 OSPF: Rcv DBD from 10.0.0.2 on Tunnel0 seq 0x1235 opt 0x52 flag 0x2 OSPF: Exchange Done with 10.0.0.2 on Tunnel0 OSPF: Build router LSA for area 0, router ID 1.1.1.1 What does this output indicate?

A.OSPF adjacency with 10.0.0.2 is stuck in 2WAY state and not progressing.
B.OSPF adjacency with 10.0.0.2 is forming successfully and will reach FULL state.
C.OSPF is not enabled on Tunnel0.
D.There is an OSPF MTU mismatch causing the adjacency to fail.
AnswerB

Correct: The sequence shows normal adjacency formation steps.

Why this answer

The debug shows OSPF adjacency formation: 2-way state, database description exchange, and exchange done, indicating a full adjacency is being established.

2022
MCQmedium

A network engineer runs the following command to troubleshoot a Device Access Control issue: R1# show ip eigrp topology 10.10.10.0/24 all-links P 10.10.10.0/24, 1 successors, FD is 1310720 via 10.1.1.2 (1310720/1310720), GigabitEthernet0/0 via 10.1.2.2 (1310720/1310720), GigabitEthernet0/1 What does this output indicate?

A.There are two equal-cost paths to 10.10.10.0/24, and EIGRP will load balance across them.
B.Only the first path via 10.1.1.2 is installed because the second path has a higher FD.
C.The path via 10.1.2.2 is a feasible successor but is not used because it has a higher RD.
D.The router has no route to 10.10.10.0/24 because the FD is the same as the RD.
AnswerA

Both paths have the same FD and RD, making them equal-cost successors; EIGRP will install both and load balance.

Why this answer

The output shows two EIGRP routes to 10.10.10.0/24 with identical Feasible Distances (FD) of 1310720, indicating equal-cost paths. EIGRP installs up to four equal-cost routes by default and performs per-destination load balancing across them, so both paths are active and used.

Exam trap

Cisco often tests the distinction between equal-cost paths (same FD) and feasible successors (RD < FD), leading candidates to mistakenly label an equal-cost path as a feasible successor or assume only the first path is used.

How to eliminate wrong answers

Option B is wrong because both paths have the same FD (1310720), so the second path is not rejected due to a higher FD; it is an equal-cost path. Option C is wrong because a feasible successor must have a Reported Distance (RD) less than the current successor's FD; here both RDs equal the FD (1310720), so the second path is not a feasible successor—it is an equal-cost successor. Option D is wrong because the router does have a route to 10.10.10.0/24; the FD and RD being the same is normal for directly connected or redistributed routes and does not prevent route installation.

2023
Multi-Selecthard

Which TWO statements correctly describe the verification of route summarization using Cisco IOS commands? (Choose TWO.)

Select 2 answers
A.The 'show ip route' command displays the summary route with a next-hop of Null0 for EIGRP and OSPF summarization.
B.The 'show ip eigrp topology' command displays all configured summary addresses and their metrics.
C.The 'show ip protocols' command lists the configured summary-address ranges under each routing process.
D.The 'debug ip routing' command provides detailed information about summary route creation and suppression.
E.The 'show ip ospf database summary' command displays the Type 3 LSAs, including those generated by the 'area range' command.
AnswersC, E

Option C is correct. The 'show ip protocols' command lists configured summary-address ranges under each routing process, making it a direct verification method.

Why this answer

To verify route summarization, the 'show ip protocols' command displays configured summary-address ranges under each routing process. For OSPF, the 'show ip ospf database summary' command shows Type 3 LSAs generated by the 'area range' command, which is a direct verification of summarization. Option A is incorrect because the 'show ip route' command only displays a Null0 summary route for EIGRP summarization, not for OSPF.

Option B is incorrect because 'show ip eigrp topology' does not display summary addresses. Option D is incorrect because 'debug ip routing' does not provide summary-specific events.

Exam trap

Many candidates assume that 'show ip route' always shows a discard route for summarization, but this only applies to EIGRP. OSPF uses Type 3 LSAs for summarization verification, requiring the 'show ip ospf database summary' command.

2024
MCQhard

An engineer configures CoPP on a router with the following policy: class-map match-any PROTECT, match protocol ospf, police 1000 pps; class class-default, police 500 pps. After applying, OSPF neighbors form, but the router's CPU utilization remains high. Which is the most likely explanation?

A.The class-default police rate is too low, causing ARP packets to be dropped, but CPU is high due to the policing overhead.
B.OSPF traffic is being policed to 1000 pps, which is too high, causing CPU overload.
C.CoPP only works on hardware-switched platforms, not software.
D.The class-default should have a higher rate than the OSPF class.
AnswerA

Policing itself consumes CPU, and dropping packets may cause retries, increasing CPU.

Why this answer

The correct answer is A because the class-default police rate of 500 pps is too low to handle essential control-plane traffic like ARP, which falls into class-default. When ARP packets are dropped, the router must retry ARP resolution, generating additional CPU overhead from policing and retransmissions, keeping CPU utilization high. OSPF neighbors form because OSPF traffic is explicitly protected in the PROTECT class with a 1000 pps policer, but the underlying ARP starvation causes CPU strain.

Exam trap

Cisco often tests the misconception that CoPP only affects the protected class, but the trap here is that the class-default policer can starve essential control-plane traffic (like ARP) that is not explicitly matched, causing CPU issues even when OSPF appears healthy.

How to eliminate wrong answers

Option B is wrong because OSPF traffic being policed to 1000 pps is not too high; it is actually a reasonable rate that allows OSPF hellos and updates to pass, as evidenced by OSPF neighbors forming. Option C is wrong because CoPP (Control Plane Policing) works on both hardware-switched and software-switched platforms; it is applied to the control plane of the router, regardless of forwarding path. Option D is wrong because the class-default rate does not need to be higher than the OSPF class; the issue is that class-default is too low for essential traffic like ARP, not that it must exceed the PROTECT class rate.

2025
MCQhard

A network engineer runs the following command on Router R1: R1# show ip eigrp vrf RED neighbors EIGRP-IPv4 Neighbors for AS(100) VRF RED H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 0 192.168.1.2 Gi0/2 13 00:15:30 12 200 0 45 1 192.168.2.2 Gi0/3 12 00:14:20 15 200 0 32 Based on this output, what is the problem?

A.The EIGRP neighbors are not exchanging routes because the Seq numbers are low.
B.Both neighbors are in the Init state.
C.The EIGRP adjacency is functioning correctly.
D.The hold time of 13 seconds indicates a problem.
AnswerC

The neighbors are up with low SRTT and no Q count, indicating stable adjacencies.

Why this answer

The output shows two EIGRP neighbors for VRF RED in the established state (indicated by the absence of 'Init' and the presence of sequence numbers). The Hold times (13 and 12 seconds) are within normal expected ranges, SRTT and RTO values are low, and the Q Cnt (queue count) is 0, indicating no backpressure. The Seq numbers (45 and 32) show that routes are being exchanged.

Therefore, there is no problem; the EIGRP adjacency is functioning correctly.

Page 26

Page 27 of 29

Page 28