Cisco CCNP ENARSI 300-410 (300-410) — Questions 301375

2152 questions total · 29pages · All types, answers revealed

Page 4

Page 5 of 29

Page 6
301
Multi-Selecthard

Which TWO statements about BFD authentication are true? (Choose TWO.)

Select 2 answers
A.BFD authentication supports both MD5 and SHA-1 hashing algorithms.
B.BFD authentication can be configured in either strict or loose mode.
C.BFD authentication is only supported for single-hop BFD sessions.
D.The BFD authentication key is configured directly under the BFD interface configuration.
E.BFD authentication uses a pre-shared key that must be identical on both sides.
AnswersA, B

Correct. BFD authentication supports MD5 and SHA-1, and on newer platforms SHA-256 as well.

Why this answer

BFD authentication can use MD5, SHA-1, or SHA-256 (depending on platform). The authentication mode can be strict (mandatory) or loose (optional). Key chains are used to manage authentication keys, and the key chain must be configured before applying it to BFD.

BFD authentication is supported for both single-hop and multihop sessions.

302
MCQhard

A network engineer is troubleshooting NAT for a VoIP phone that uses SIP. The phone is at 192.168.2.10, and the router performs PAT to the outside interface 198.51.100.1. The phone can register with the SIP server, but calls fail after 30 seconds. The engineer notices that the SIP signaling includes the phone's private IP in the SDP body. What is the most likely cause?

A.The PAT port range is exhausted.
B.The router's SIP ALG is disabled, so the private IP in the SDP is not translated.
C.The phone's default gateway is misconfigured.
D.The outside interface has a firewall blocking UDP ports.
AnswerB

Correct because without SIP ALG, the router does not inspect and translate the IP addresses inside the SIP messages, causing media to be sent to the private IP.

Why this answer

The SIP signaling includes the phone's private IP in the SDP body, which is used for media negotiation. When the router's SIP Application Layer Gateway (ALG) is disabled, it does not inspect and translate the private IP addresses embedded in the SDP payload. As a result, the SIP server sends media (RTP) to the private IP 192.168.2.10, which is unreachable from outside, causing the call to fail after the initial registration and signaling succeed.

Exam trap

Cisco often tests the distinction between control plane (SIP signaling) and data plane (RTP media) failures, and the trap here is that candidates assume registration success means NAT is working correctly, overlooking the need for ALG to translate embedded IPs in the SDP body.

How to eliminate wrong answers

Option A is wrong because PAT port exhaustion would cause all new outbound translations to fail, not specifically cause calls to fail after 30 seconds while registration succeeds. Option C is wrong because a misconfigured default gateway would prevent the phone from reaching the SIP server at all, not allow registration and then fail calls after 30 seconds. Option D is wrong because a firewall blocking UDP ports would likely prevent registration or call setup entirely, not allow the call to proceed for 30 seconds before failing.

303
MCQmedium

A network engineer is troubleshooting an IPv6 over IPv4 tunnel using Teredo on a Windows host. The host can access some IPv6 resources on the internet but cannot reach a specific internal IPv6 server. The engineer suspects the Teredo relay is misconfigured. What is the most likely issue?

A.The Teredo relay is not in the same IPv4 network as the host, or the relay does not have a route to the internal IPv6 server.
B.The host's firewall is blocking Teredo traffic on UDP port 3544.
C.The internal server is not configured with an IPv6 address.
D.The Teredo client on the host is using an incorrect server.
AnswerA

Correct because the Teredo relay must be able to forward packets to the destination IPv6 network. If the relay lacks a route, traffic will be dropped.

Why this answer

Teredo relays are responsible for forwarding traffic between the Teredo IPv6 tunnel and the native IPv6 network. If the relay is not on the same IPv4 subnet as the host or lacks a route to the internal IPv6 server, the host can reach public IPv6 resources (via other relays) but fails to reach the internal server. This matches the symptom of partial connectivity.

Exam trap

Cisco often tests the distinction between Teredo relay and Teredo server roles, and the trap here is that candidates confuse a misconfigured relay (which affects specific destinations) with a misconfigured server (which breaks all Teredo connectivity).

How to eliminate wrong answers

Option B is wrong because a firewall blocking UDP 3544 would prevent all Teredo communication, not just access to a specific internal server. Option C is wrong because if the internal server lacked an IPv6 address, the host would not be able to reach it via any IPv6 method, but the question states the host can access some IPv6 resources, implying the server has an IPv6 address. Option D is wrong because an incorrect Teredo server would prevent the client from obtaining a valid Teredo address or establishing the tunnel, breaking all IPv6 connectivity, not just access to one internal server.

304
MCQhard

What is the maximum number of source ports that can be monitored in a single SPAN session on a typical Cisco Catalyst switch?

A.16
B.32
C.64
D.128
AnswerC

Up to 64 source ports can be included in a single SPAN session, though hardware-dependent.

Why this answer

A single SPAN session can monitor up to 64 source ports (or source VLANs, but not both in the same session). This is a hardware limitation on most Catalyst switches.

305
MCQmedium

Which control plane protocol packets are classified as 'critical' in the default CoPP policy?

A.ICMP echo requests and SSH
B.OSPF hello packets and BGP keepalives
C.Telnet and HTTP
D.NTP and SNMP
AnswerB

Routing protocol hello and keepalive packets are considered critical for network stability and are assigned to the critical class in CoPP.

Why this answer

In the default Control Plane Policing (CoPP) policy on Cisco IOS/IOS-XE devices, control plane protocol packets are classified into three categories: critical, normal, and medium. OSPF hello packets and BGP keepalives are classified as 'critical' because they are essential for maintaining neighbor adjacencies and routing protocol convergence; dropping these packets can cause immediate network instability. The default CoPP policy uses class maps to match these protocols and applies a higher priority (e.g., police rate) to ensure they are processed before less critical traffic.

Exam trap

Cisco often tests the misconception that all management plane protocols (like SSH, Telnet, SNMP) are critical, but the default CoPP policy specifically reserves 'critical' for routing protocol packets that maintain control plane stability, such as OSPF hellos and BGP keepalives.

How to eliminate wrong answers

Option A is wrong because ICMP echo requests and SSH are not classified as 'critical' in the default CoPP policy; ICMP echo requests are typically classified as 'normal' (or sometimes 'medium') and SSH as 'normal' or 'medium' depending on the platform, as they are not essential for control plane stability. Option C is wrong because Telnet and HTTP are management plane protocols, not control plane protocols, and are classified as 'normal' or 'medium' in the default CoPP policy; they are not critical for routing protocol operation. Option D is wrong because NTP and SNMP are classified as 'normal' or 'medium' in the default CoPP policy; while they are important for network time synchronization and monitoring, they are not considered critical for immediate control plane functionality like routing protocol keepalives.

306
Multi-Selecthard

Which TWO configuration changes are required to enforce role-based access control (RBAC) using Cisco IOS privilege levels and AAA? (Choose TWO.)

Select 2 answers
A.Use the 'privilege exec level 15 show running-config' command to restrict the show running-config command to privilege level 15.
B.Use the 'enable secret level 15 password' command to set a password for privilege level 15 access.
C.Use the 'username admin privilege 15 secret cisco' command to create a user with privilege level 15.
D.Use the 'aaa authorization exec default local' command to enable privilege level authorization using the local database.
E.Use the 'line vty 0 4 privilege level 15' command to set all VTY lines to privilege level 15 by default.
AnswersA, C

This command sets the show running-config command to privilege level 15, so only users with privilege level 15 can execute it.

Why this answer

Option A is correct because the 'privilege exec level 15 show running-config' command restricts the 'show running-config' command to users with privilege level 15, which is a key step in enforcing RBAC by controlling which commands are available at lower privilege levels. Option C is correct because creating a user with 'username admin privilege 15 secret cisco' assigns that user to privilege level 15, allowing them to execute commands restricted to that level. Together, these two configurations ensure that only authorized users at level 15 can run sensitive commands, while lower-privilege users are blocked.

Exam trap

Cisco often tests the distinction between controlling command access (via 'privilege' commands) and controlling user authentication or session access (via 'username' or 'line' commands), and the trap here is that candidates confuse setting a default privilege level on VTY lines (Option E) with enforcing RBAC, when in fact it bypasses role-based restrictions by granting all users the same high privilege.

307
Multi-Selecthard

Which TWO statements about RSPAN configuration and operation are correct? (Choose TWO.)

Select 2 answers
A.The RSPAN VLAN must be configured as a standard VLAN and allowed on all trunk links between the source and destination switches.
B.The source session on the source switch must specify 'remote vlan <vlan-id>' to identify the RSPAN VLAN.
C.The RSPAN VLAN can be used for normal data traffic as long as it is not the native VLAN.
D.The destination session on the remote switch uses 'monitor session <session> source remote vlan <vlan-id>' and 'destination interface <interface>'.
E.Intermediate switches that only pass the RSPAN VLAN must have a monitor session configured to forward the traffic.
AnswersB, D

This option is correct. On the source switch, the monitor session configuration includes 'destination remote vlan <vlan-id>' to specify the RSPAN VLAN.

Why this answer

RSPAN uses a dedicated VLAN to carry mirrored traffic between switches. The source switch must specify the RSPAN VLAN in the destination portion of the monitor session using the 'remote vlan' keyword. The destination switch creates a session that sources from the remote VLAN and forwards to a local interface.

The RSPAN VLAN must exist on all switches in the path but does not need to be allowed on every trunk link—only on trunks that carry the RSPAN traffic. Option A is incorrect because it states 'allowed on all trunk links,' which is overly broad; the VLAN only needs to be permitted on the specific trunks that are part of the RSPAN path. Option B is correct as the source session indeed uses 'remote vlan' to identify the RSPAN VLAN.

Option D correctly describes the destination session syntax. Options C and E are false.

308
Drag & Dropmedium

Drag and drop the steps to verify and validate the EIGRP operational state into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Begin by checking the overall EIGRP process status, then verify the neighbor table for adjacency, examine the topology table for feasible successors, review the routing table for installed routes, and finally use debug commands to validate ongoing operations if needed.

309
Multi-Selecthard

An engineer is troubleshooting a VRF-Lite setup where two VRFs (BLUE and RED) are configured on a router. Hosts in VRF BLUE cannot ping the default gateway of VRF RED. Which TWO statements correctly explain why this is expected behavior? (Choose TWO.)

Select 2 answers
A.Each VRF maintains its own separate routing table, so VRF BLUE has no route to the subnet of VRF RED.
B.The ARP cache in VRF BLUE does not contain the MAC address of the VRF RED gateway.
C.By default, a router does not forward packets between different VRFs unless inter-VRF routing is explicitly configured.
D.The default gateway in VRF RED is not reachable from VRF BLUE because the gateway interface is in a different VRF.
E.The ping fails because VRF BLUE does not have a default route pointing to the VRF RED gateway.
AnswersA, C

Correct. VRFs have isolated routing tables; without inter-VRF routing, there is no path.

Why this answer

VRF-Lite provides complete isolation between VRFs at Layer 3. By default, no traffic can flow between VRFs unless explicit inter-VRF routing is configured (e.g., using a router with two interfaces in different VRFs or using route leaking). Option A is correct because VRFs maintain separate routing tables.

Option C is correct because by default, a router does not forward packets between VRFs. Option B is incorrect because ARP is per-interface, but the issue is routing, not ARP. Option D is incorrect because the default gateway is reachable within its own VRF.

Option E is incorrect because the ping fails due to routing, not because of a missing default route in the source VRF.

310
MCQhard

An engineer configures OSPF with authentication on a point-to-point link. The adjacency forms, but routes are not being exchanged. Which is the most likely explanation?

A.One router has authentication configured on the interface, and the other has it configured at the area level, causing a mismatch.
B.The authentication key is different on both routers.
C.The OSPF network type is point-to-multipoint.
D.The OSPF process is configured with passive-interface default.
AnswerC

Correct. Network type mismatch (e.g., point-to-point vs. point-to-multipoint) can allow adjacency to form but disrupt LSA exchange, leading to missing routes.

Why this answer

OSPF network type mismatch, such as one router configured as point-to-point and the other as point-to-multipoint, can allow the adjacency to form (since Hello packets are still exchanged) but prevent the exchange of routes because the OSPF operation differs (e.g., point-to-multipoint uses a different LSA flooding mechanism and may rely on DR/BDR election, while point-to-point does not). This explains why the adjacency comes up but routes are not learned.

311
MCQhard

A network engineer is troubleshooting an OSPFv2 adjacency issue between two routers across a Frame Relay network. R1 and R2 are connected via a point-to-point subinterface. The engineer configures 'ip ospf network point-to-point' on both subinterfaces. However, the adjacency does not form. 'show ip ospf interface' on R1 shows the interface is up and OSPF is enabled, but no neighbors are seen. What is the most likely cause?

A.The OSPF network type is set to broadcast, causing a DR/BDR election that fails on a point-to-point subinterface.
B.The subinterface is not configured with an IP address.
C.The Frame Relay map is missing or the DLCI is not assigned to the subinterface.
D.The OSPF hello and dead timers are mismatched between R1 and R2.
AnswerC

Without a proper DLCI mapping, the router cannot send Layer 2 frames to the neighbor, preventing OSPF hello packets from being exchanged.

Why this answer

On Frame Relay point-to-point subinterfaces, the OSPF network type should be point-to-point, but the adjacency may still fail if the Layer 2 mapping is incorrect. The subinterface must be mapped to the correct DLCI. If the 'frame-relay interface-dlci' command is missing or misconfigured, the router cannot send packets to the neighbor, even though OSPF is enabled.

The engineer should verify the DLCI mapping.

312
MCQhard

In a DMVPN Phase 2 network with EIGRP, R1 (hub) and R2 (spoke) are configured with EIGRP stub leaking. R2 is a stub router with 'eigrp stub connected summary'. R3 (another spoke) is not a stub. R2's loopback 10.0.0.1/32 is not reachable from R3, even though R2 advertises it via EIGRP. What is the root cause?

A.R2 is configured with 'eigrp stub receive-only', which prevents it from advertising any routes, including connected ones.
B.R3 has a distribute-list filtering the prefix 10.0.0.1/32 from EIGRP updates.
C.R2's loopback is not in the same EIGRP autonomous system as the tunnel.
D.NHRP is not configured on R2, preventing route advertisement.
AnswerD

Correct. Without NHRP on R2, R3 cannot resolve R2's tunnel IP to a physical address, so the route to 10.0.0.1/32 remains unreachable despite being advertised.

Why this answer

In DMVPN Phase 2, EIGRP stub leaking allows the hub to advertise spoke routes to other spokes, but the next-hop remains the spoke's tunnel IP. For R3 to install the route to 10.0.0.1/32, it must have an NHRP mapping to reach R2's tunnel IP. Without NHRP configured on R2, R3 cannot resolve the next-hop, making the route unreachable.

The EIGRP stub configuration is correct, but NHRP is missing.

Exam trap

Candidates often overlook the necessity of NHRP in DMVPN Phase 2 when focusing on EIGRP stub configuration. Even with proper stub leaking, a spoke without NHRP will prevent other spokes from routing to its networks.

313
MCQmedium

A network engineer is troubleshooting a Cisco router that is not responding to SNMP polls from a management station. The router has 'snmp-server community public RO' configured. The management station can ping the router. What is the most likely cause?

A.The SNMP community string is not associated with an ACL that permits the management station.
B.The SNMP version is not configured.
C.The router's SNMP agent is disabled.
D.The management station is using the wrong SNMP port.
AnswerA

If the SNMP community string is configured without an ACL, the router accepts SNMP requests from any source. Therefore, the most likely cause is that an ACL is applied to the community string that explicitly denies the management station, or the community string is missing an ACL that would permit it. The default behavior without an ACL is to allow, not deny.

Why this answer

The 'snmp-server community public RO' command configures an SNMP community string but does not restrict access by default. If no access control list (ACL) is associated with the community string, the router will respond to SNMP polls from any source. However, if an ACL is implicitly or explicitly applied that does not permit the management station's IP address, the router will silently drop the SNMP requests.

Since the management station can ping the router, Layer 3 connectivity is confirmed, isolating the issue to SNMP-specific access control.

Exam trap

Cisco often tests the nuance that an SNMP community string can have an implicit ACL (e.g., from a previous configuration or a default deny) that blocks management stations, leading candidates to overlook access control as the root cause when basic connectivity exists.

How to eliminate wrong answers

Option B is wrong because SNMP version configuration is not required for basic SNMPv2c operation; the default SNMP version is v2c when a community string is configured, and the router will respond to v2c polls without an explicit version command. Option C is wrong because the 'snmp-server community' command implicitly enables the SNMP agent on the router; the agent is not disabled unless explicitly turned off with 'no snmp-server'. Option D is wrong because SNMP polls use UDP port 161 by default, and the management station can ping the router, indicating no IP connectivity issue; if the management station were using the wrong port, the router would still receive the packet but the SNMP agent would not process it, yet the question states the router is 'not responding'—a port mismatch would typically result in an ICMP port unreachable, not a silent failure.

314
MCQhard

A network engineer is troubleshooting a router that fails to apply a specific configuration change after a reload. The engineer has an EEM applet that runs at boot time to apply a set of commands. After a reload, the engineer checks the configuration and finds that the commands were not applied. The applet is configured with event syslog pattern 'SYS-5-RESTART' and action cli command 'configure terminal'. What is the most likely cause of the failure?

A.The EEM applet is not enabled globally.
B.The syslog pattern 'SYS-5-RESTART' is misspelled.
C.The EEM applet runs before the router is fully booted, so the CLI commands fail.
D.The EEM applet requires a 'event manager directory user' command to be configured.
AnswerC

Correct because the syslog message may be generated early in the boot process, and the router may not be ready to accept configuration commands at that point.

Why this answer

The EEM applet uses the wrong event trigger. The 'SYS-5-RESTART' syslog message may not be generated or may be generated too early before the router is fully ready for configuration commands. The engineer should use 'event none' with a manual trigger or use 'event timer' to delay execution.

315
MCQhard

A DMVPN Phase 2 network is configured with VRF-Lite. Spokes can communicate with the hub, but spoke-to-spoke traffic is not working. The engineer verifies that NHRP registrations are successful and that the spoke routers have the correct NHRP mappings for other spokes. Which is the most likely explanation?

A.The hub router has 'next-hop-self' configured under BGP, causing spokes to send traffic to the hub instead of directly to the destination spoke.
B.The NHRP authentication is mismatched between spokes, preventing the establishment of spoke-to-spoke tunnels.
C.The spoke routers have a lower MTU on the physical interface, causing fragmentation issues for the GRE/IPsec packets.
D.The DMVPN phase is actually Phase 3, which requires additional configuration for spoke-to-spoke traffic.
AnswerA

In Phase 2, spokes need to know the next-hop is the remote spoke's tunnel IP. 'next-hop-self' on the hub overrides this, forcing traffic through the hub.

Why this answer

In DMVPN Phase 2, spoke-to-spoke tunnels are created dynamically using NHRP. However, for spoke-to-spoke traffic to work, the spoke routers must have a route to the destination subnet via the tunnel interface. Additionally, the next-hop for the spoke-to-spoke route must be the spoke router's tunnel IP, not the hub.

If the hub is configured with 'next-hop-self' under BGP or if the IGP is not propagating the correct next-hop, spoke-to-spoke traffic may be forwarded through the hub instead of directly.

316
MCQmedium

A network engineer runs the following command to troubleshoot a Device Access Control issue: R1# show mpls ldp bindings 10.10.10.0 24 lib entry: 10.10.10.0/24, rev 2 local binding: label: 101 remote binding: lsr: 10.1.1.2:0, label: 102 remote binding: lsr: 10.1.2.2:0, label: 103 What does this output indicate?

A.The router has a local label of 101 for the prefix and has learned two remote labels from two different neighbors.
B.The router has only a local label of 101; the remote bindings are not used because they are from the same LSR.
C.The label 102 is the local label for the prefix 10.10.10.0/24.
D.The router has no label for the prefix because the lib entry is incomplete.
AnswerA

The output clearly shows one local binding and two remote bindings from different LSRs.

Why this answer

The output of 'show mpls ldp bindings 10.10.10.0 24' displays the Label Information Base (LIB) entry for prefix 10.10.10.0/24. The 'local binding: label: 101' indicates that this router has assigned label 101 to the prefix. The two 'remote binding' lines show that two different LDP neighbors (LSR IDs 10.1.1.2 and 10.1.2.2) have advertised labels 102 and 103 respectively for the same prefix.

This is the normal operation of LDP, where a router learns multiple remote labels for the same FEC from different peers.

Exam trap

Cisco often tests the distinction between local and remote bindings in the LIB, and the trap here is that candidates may confuse the 'local binding' with a remote label or assume that multiple remote bindings from different LSRs are not used, when in fact they are all valid entries for potential forwarding paths.

How to eliminate wrong answers

Option B is wrong because the remote bindings are indeed used; they are from two different LSRs (10.1.1.2 and 10.1.2.2), not the same LSR, and each provides a viable label-switched path. Option C is wrong because label 102 is a remote binding learned from LSR 10.1.1.2, not a local binding; the local label is 101. Option D is wrong because the LIB entry is complete, showing both a local binding and two remote bindings, which is a fully populated entry for the prefix.

317
MCQhard

An engineer is troubleshooting an EIGRP convergence issue. After a link failure, the network takes an unusually long time to converge. The engineer notices that the EIGRP hello and hold timers are set to the default values. The network has many routers in a hub-and-spoke topology. What is the most likely cause of the slow convergence?

A.The hub router has too many EIGRP neighbors, causing CPU overload and dropped hello packets.
B.The EIGRP stub feature is not enabled on the spoke routers.
C.The EIGRP variance command is configured, causing unequal-cost load balancing.
D.The EIGRP router ID is not configured, so it defaults to the highest loopback IP.
AnswerA

Correct because a high number of neighbors can overwhelm the hub, leading to missed hello packets and adjacency resets, which prolongs convergence.

Why this answer

In a hub-and-spoke EIGRP topology, the hub router maintains a large number of neighbor adjacencies. When a link failure occurs, the hub must process many queries and replies, which can overwhelm its CPU. If the CPU is overloaded, hello packets may be dropped, causing neighbor hold timers to expire and triggering unnecessary route recomputations.

This leads to the observed slow convergence, even though hello and hold timers are at default values.

Exam trap

Cisco often tests the misconception that slow convergence is always due to timer mismatches or stub configuration, but the trap here is that default timers are fine and the real issue is hub CPU overload from excessive neighbor processing, which causes hello packet drops.

How to eliminate wrong answers

Option B is wrong because the EIGRP stub feature on spoke routers reduces query propagation and improves convergence, but its absence does not directly cause slow convergence due to CPU overload on the hub; it would instead cause the hub to send queries to all spokes, increasing convergence time but not necessarily dropping hellos. Option C is wrong because the variance command enables unequal-cost load balancing, which does not inherently slow convergence after a link failure; it affects routing table selection, not neighbor maintenance or hello processing. Option D is wrong because the EIGRP router ID defaults to the highest loopback IP if not configured, but this does not impact convergence speed; it is used for route identification and neighbor establishment, not for hello timer processing or CPU load.

318
Multi-Selectmedium

Which TWO commands would a network engineer use to verify the status of local authentication and authorization for device access control on a Cisco IOS router? (Choose TWO.)

Select 2 answers
A.show aaa local user lockout
B.show running-config | include aaa authentication login
C.show aaa servers
D.debug aaa authentication
E.show ip local policy
AnswersA, B

This command shows users locked out due to failed authentication attempts, which is part of verifying local AAA behavior.

Why this answer

Option A is correct because 'show aaa local user lockout' displays whether local users have been locked out due to failed authentication attempts, which is directly relevant to verifying local authentication and authorization status. Option B is correct because 'show running-config | include aaa authentication login' shows the configured AAA authentication method lists for login, allowing verification of local authentication policies.

Exam trap

Cisco often tests the distinction between commands that verify configuration (show commands) versus those that monitor live events (debug commands), and between local AAA status versus external server status, leading candidates to mistakenly select 'show aaa servers' or 'debug aaa authentication'.

319
MCQmedium

In Flexible NetFlow, which of the following is true regarding the 'match' and 'collect' commands in a flow record?

A.The 'match' command defines fields that are used to identify unique flows, while 'collect' defines additional fields to include in the exported record.
B.Both 'match' and 'collect' define key fields; the difference is that 'match' fields are required and 'collect' fields are optional.
C.The 'match' command is used for input flows, and 'collect' is used for output flows.
D.The 'collect' command is used to aggregate flows, while 'match' is used to filter them.
AnswerA

Match fields are used to create flow keys (e.g., source/destination IP, protocol), while collect fields are non-key fields that are included in the exported data.

Why this answer

This question tests understanding of the difference between match and collect in flow record definition.

320
MCQeasy

Which BFD session state indicates that the session is fully established and operational?

A.Down
B.Init
C.Up
D.AdminDown
AnswerC

Up is the state where the BFD session is fully established and both routers agree on parameters.

Why this answer

The Up state indicates that the BFD session is fully established, and both routers are exchanging control packets successfully.

321
MCQhard

An EIGRP network is experiencing stuck-in-active (SIA) routes after a link failure. Router R1 has the following relevant configuration: router eigrp 100 network 10.0.0.0 0.255.255.255 Router R2 shows: show ip eigrp topology 10.1.1.0/24 IP-EIGRP topology entry for 10.1.1.0/24 State: Active, 00:01:30, Reply status 10.2.2.2, 10.3.3.3 What is the root cause?

A.Query scope is too wide; configure stub routing or summarization to limit queries.
B.The K-values are mismatched; check metric weights.
C.The network command includes too many interfaces; use passive-interface.
D.The hold time is too short; increase to 180 seconds.
AnswerA

EIGRP queries propagate to all neighbors; if a router has no alternate path, it queries further, causing SIA. Stub routing or summarization reduces query domain.

Why this answer

The route is stuck-in-active because queries are sent to all neighbors and one or more are not replying. This can be due to query scope issue where routers in the query path have no route and keep querying further, causing timeout. The correct fix is to use summary routes or distribute-lists to limit query scope.

322
MCQhard

A network engineer configures mutual redistribution between EIGRP and OSPF on a DMVPN hub router. The EIGRP domain includes the DMVPN tunnel network, and OSPF includes a corporate backbone. Unexpectedly, after a few minutes, the routing table on the hub shows oscillating routes between EIGRP and OSPF for the same prefix, causing intermittent connectivity. Which is the most likely explanation?

A.The mutual redistribution creates a routing loop because the redistributed routes are re-injected into the original protocol without proper filtering, causing the hub to prefer the redistributed route with a lower AD.
B.The DMVPN tunnel interface is not included in the OSPF process, causing the redistributed routes to have an incorrect next-hop that points to the tunnel interface.
C.The EIGRP and OSPF processes are using different metric styles, causing the redistributed routes to have infinite metrics and be ignored.
D.The hub router's routing table is overloaded due to the DMVPN tunnel being a multipoint interface, causing route flapping.
AnswerA

Without route tagging, a route redistributed from EIGRP into OSPF (AD 110) and then back into EIGRP (AD 170) may be preferred over the original EIGRP internal route (AD 90) if the AD is misconfigured, but typically the original internal route has lower AD. However, if the route is external in EIGRP, the AD is 170, so the OSPF route (110) is preferred, causing a loop.

Why this answer

Mutual redistribution without route tagging or filtering can cause routing loops. When a route is redistributed from EIGRP into OSPF, it is then redistributed back into EIGRP with a different administrative distance (AD). Since OSPF has AD 110 and EIGRP has AD 90 (internal) or 170 (external), the redistributed route may be preferred over the original, causing a feedback loop.

The corner case is that the default AD values cause the redistributed route to be installed, and then the router advertises it back, leading to instability. The fix is to use route tags or distribute-lists to prevent re-redistribution.

323
MCQhard

An engineer configures a site-to-site IPsec VPN between two routers using OSPF as the routing protocol. The OSPF neighbor becomes stuck in EXSTART state. The engineer verifies that the IPsec tunnel is up and that both routers can ping each other's tunnel interfaces. What is the most likely cause of the OSPF adjacency issue?

A.The OSPF network type on the tunnel interface is set to non-broadcast, preventing DBD exchange.
B.The IPsec transform set uses ESP with authentication, adding 22 bytes of overhead, reducing the tunnel MTU to 1478 bytes, causing OSPF DBD packets larger than 1478 bytes to be dropped.
C.The OSPF hello and dead intervals are mismatched between the two routers.
D.The IPsec tunnel is using transport mode instead of tunnel mode, corrupting OSPF packets.
AnswerB

IPsec encapsulation adds overhead (e.g., 22 bytes for ESP-AES + SHA), reducing the effective MTU. OSPF DBD packets default to 1500 bytes on Ethernet, but if the tunnel MTU is lower, they are fragmented or dropped, leading to EXSTART state.

Why this answer

When OSPF neighbors are stuck in EXSTART state, it indicates a problem with Database Description (DBD) packet exchange. With an IPsec tunnel MTU of 1478 bytes (1500 minus 22 bytes for ESP authentication overhead), OSPF DBD packets that exceed this size are fragmented or dropped. Since IPsec does not support fragmentation of encrypted packets, the DBD exchange fails, preventing OSPF from progressing past EXSTART.

Exam trap

Cisco often tests the distinction between OSPF states—candidates confuse EXSTART (DBD exchange failure) with other states like INIT (hello mismatch) or 2-WAY (neighbor discovery), and overlook the impact of IPsec overhead on MTU and packet fragmentation.

How to eliminate wrong answers

Option A is wrong because the non-broadcast network type does not prevent DBD exchange; it only requires manual neighbor configuration and uses unicast for OSPF packets, but DBD exchange can still occur. Option C is wrong because mismatched hello/dead intervals cause OSPF to get stuck in INIT or 2-WAY state, not EXSTART; EXSTART is specifically about DBD negotiation. Option D is wrong because transport mode is used for host-to-host VPNs and does not inherently corrupt OSPF packets; tunnel mode is typical for site-to-site VPNs, but mode choice does not cause EXSTART issues.

324
Multi-Selecthard

Which TWO statements about BFD echo mode are true? (Choose TWO.)

Select 2 answers
A.Echo packets are generated by the sending router and forwarded back by the remote router.
B.Echo mode reduces the processing load on the remote router's control plane.
C.Echo mode requires a separate BFD session for each direction.
D.Echo mode increases the number of BFD control packets sent between routers.
E.Echo mode is enabled by default on all interfaces.
AnswersA, B

The sending router creates echo packets that the remote router loops back.

Why this answer

In BFD echo mode, the sending router generates echo packets that are looped back by the remote router, allowing detection of failures without involving the remote router's control plane. This reduces CPU load on the remote router. The other statements are false because echo mode does not require a separate session for each direction, and it does not increase the number of BFD control packets.

325
MCQhard

A service provider network uses OSPF with route summarization on Area Border Routers (ABRs). Router R1 (ABR) has the configuration: router ospf 1 area 1 range 10.1.0.0 255.255.240.0 area 1 range 10.1.16.0 255.255.240.0 Router R2 (internal to area 1) shows: R2# show ip route ospf 10.1.0.0/20 is subnetted, 1 subnets O IA 10.1.0.0/20 [110/2] via 10.2.1.1, 00:00:15, Serial0/0/0 10.1.16.0/20 is subnetted, 1 subnets O IA 10.1.16.0/20 [110/2] via 10.2.1.1, 00:00:10, Serial0/0/0 10.1.32.0/20 [110/3] via 10.2.1.2, 00:00:05, Serial0/0/1 R2 is missing a route to 10.1.48.0/20. What is the root cause?

A.The ABR R1 has a missing 'area 1 range 10.1.48.0 255.255.240.0' command.
B.R2 has a routing table limit that prevents installation of the route.
C.R1's OSPF process has a distribute-list blocking the route.
D.The missing route is a result of OSPF route filtering at the area boundary.
AnswerA

The summary range for 10.1.48.0/20 is not configured, so that route is not advertised into area 0.

Why this answer

The ABR R1 configured two summary ranges for area 1, but the missing route 10.1.48.0/20 is not covered by either summary. OSPF summarization on the ABR creates Type 3 LSAs for the configured ranges, but any routes not falling within those ranges are not advertised as summaries and are also not advertised as individual routes (unless the 'no discard-route' option is used). This causes the missing route.

The correct fix is to add an additional summary range covering 10.1.48.0/20 or use a broader summary.

326
MCQhard

A network engineer is troubleshooting an OSPF network where an ABR (R1) is configured with the 'area 1 range 10.0.0.0 255.255.0.0' command to summarize routes from area 1 into area 0. After the configuration, routers in area 0 lose connectivity to the 10.0.1.0/24 subnet, although the summary route 10.0.0.0/16 is present in their routing tables. What is the most likely cause?

A.The summary route 10.0.0.0/16 is being advertised with a metric of 0, causing routers to prefer a default route instead.
B.The ABR is not generating the summary route because the component routes are not all in the same area.
C.The 10.0.1.0/24 subnet is not included in the summary range because the range command uses a network mask that does not match the subnet's network address.
D.The summary route is installed, but the next-hop IP address for the summary route is not reachable from routers in area 0, causing traffic to be dropped.
AnswerD

Correct. In OSPF, the summary route's next hop is set to the ABR's interface IP. If that interface is down or the path is not reachable, traffic to the summary may fail, and since specific routes are suppressed, connectivity to the subnet is lost.

Why this answer

The issue is that the summary route may be installed, but the more specific routes are suppressed. If the summary route points to a next hop that is not reachable or has a higher metric, traffic may be black-holed.

327
Multi-Selecthard

Which TWO statements about verifying SPAN, RSPAN, and ERSPAN sessions are correct? (Choose TWO.)

Select 2 answers
A.The command 'show monitor session all' displays a summary of all configured SPAN, RSPAN, and ERSPAN sessions.
B.The command 'show monitor session <session> detail' displays the operational status and any errors for that session.
C.The command 'show monitor session <session> type erspan-source' is used to verify ERSPAN source sessions.
D.The command 'show spanning-tree vlan <rspan-vlan>' can confirm that the RSPAN VLAN is correctly configured and forwarding.
E.The command 'show monitor session <session> statistics' provides packet counts for mirrored traffic.
AnswersA, B

Correct. 'show monitor session all' lists all sessions with their status, source, and destination.

Why this answer

A and B are correct. 'show monitor session all' displays a summary of all SPAN, RSPAN, and ERSPAN sessions. 'show monitor session <session> detail' shows operational status and errors for any session type. Option C is incorrect because the standard verification command for ERSPAN sessions is the same 'show monitor session <session> detail' command; the 'type erspan-source' parameter is unnecessary and not universally supported. Options D and E are incorrect because 'show spanning-tree vlan' is unrelated to SPAN verification, and 'show monitor session <session> statistics' is not a valid command (though similar statistics may be available via other commands).

328
MCQeasy

A network engineer runs the following command to troubleshoot a VRF route issue: R1# show ip route vrf CUSTOMER summary IP routing table name is CUSTOMER (0x1) IP routing table maximum-paths is 32 Route Source Networks Subnets Overhead Memory (bytes) connected 2 0 0 320 static 1 0 0 160 eigrp 100 3 0 0 480 Internal 3 Total 6 0 0 960 What does this output indicate?

A.The VRF CUSTOMER routing table has 6 routes, including static and EIGRP routes.
B.The VRF CUSTOMER routing table is empty.
C.The VRF CUSTOMER has only connected routes.
D.The VRF CUSTOMER routing table has an error due to overlapping subnets.
AnswerA

The summary shows connected, static, and EIGRP routes totaling 6.

Why this answer

The output shows the VRF CUSTOMER routing table summary, listing 2 connected routes, 1 static route, and 3 EIGRP routes, totaling 6 routes. This confirms that the VRF contains routes from multiple sources, including static and EIGRP, making option A correct.

Exam trap

Cisco often tests the ability to interpret the 'summary' keyword output, where candidates may mistakenly think the table is empty or only contains connected routes if they overlook the route source breakdown.

How to eliminate wrong answers

Option B is wrong because the output clearly shows 6 routes, not an empty table. Option C is wrong because the table includes static and EIGRP routes in addition to connected routes. Option D is wrong because there is no indication of overlapping subnets or errors; the summary simply lists route counts without any error messages.

329
Drag & Dropmedium

Drag and drop the steps to establish a BFD session with OSPF into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

The correct order starts with enabling BFD globally, then configuring BFD on the interface, enabling OSPF BFD support, verifying the BFD session, and finally verifying OSPF neighbor state reflects BFD integration.

330
MCQmedium

A network engineer runs the following command on Router R1: R1# show ip policy Interface Route-map GigabitEthernet0/1 PBR-MAP R1# show route-map PBR-MAP route-map PBR-MAP, permit, sequence 10 Match clauses: ip address (access-lists): 101 Set clauses: ip next-hop verify-availability 10.1.1.2 10 track 1 Policy routing matches: 150 packets, 12000 bytes R1# show track 1 Track 1 IP SLA 1 reachability Reachability is Down 1 change, last change 00:05:20 Latest operation return code: timeout Tracked by: ROUTE-MAP 0 Based on this output, what is the most likely outcome?

A.Packets matching ACL 101 are forwarded to 10.1.1.2 regardless.
B.Packets matching ACL 101 are dropped.
C.Packets matching ACL 101 are routed normally via the routing table.
D.The route map is removed from the interface due to the track failure.
AnswerC

When the tracked object is down, PBR skips the set clause and the packet is forwarded using the destination-based routing table.

Why this answer

The route map uses 'ip next-hop verify-availability' with tracking. Track 1 is down because IP SLA 1 reports unreachability. Therefore, the set clause will not be applied, and packets matching ACL 101 will not be forwarded to 10.1.1.2; they will be routed normally via the routing table.

331
MCQmedium

A network engineer runs the following command to verify BFD with EIGRP: R1# show ip eigrp 100 topology 10.2.2.0/24 EIGRP-IPv4 Topology Entry for AS(100)/ID(10.2.2.0/24) State: Passive, Query origin flag: 1, 1 Successor(s), FD is 131072 Descriptor Blocks: 10.1.1.2 (GigabitEthernet0/0), from 10.1.1.2, Send flag: 0x0 Composite metric: (131072/130816), Route is Internal Vector metric: Minimum bandwidth is 100000 Kbit Total delay is 100 microseconds Reliability is 255/255 Load is 1/255 Minimum MTU is 1500 Hop count is 1 Originating router is 2.2.2.2 BFD enabled, BFD state: UP What does this output indicate?

A.EIGRP is using BFD with state UP, providing sub-second convergence.
B.EIGRP has no BFD session for this neighbor.
C.BFD is down, so EIGRP relies on its own hello/dead timers.
D.EIGRP is using BFD in passive mode only.
AnswerA

BFD is enabled and UP, allowing EIGRP to detect failures faster than EIGRP hello/dead timers.

Why this answer

The output shows that BFD is enabled for the EIGRP neighbor and the BFD state is UP, indicating fast failure detection is active for this route.

332
MCQmedium

A network engineer runs the following command on Router R9: R9# show logging | include %DMVPN-5-ADJCHG *Mar 1 00:01:05.123: %DMVPN-5-ADJCHG: NHRP: Peer 10.0.0.1 on Tunnel0 is UP *Mar 1 00:02:10.456: %DMVPN-5-ADJCHG: NHRP: Peer 10.0.0.1 on Tunnel0 is DOWN *Mar 1 00:03:15.789: %DMVPN-5-ADJCHG: NHRP: Peer 10.0.0.1 on Tunnel0 is UP *Mar 1 00:04:20.012: %DMVPN-5-ADJCHG: NHRP: Peer 10.0.0.1 on Tunnel0 is DOWN Based on this output, what is the most likely problem?

A.The DMVPN tunnel is flapping due to an unstable IPsec SA.
B.The NHRP hold time is set too high.
C.The router has a mismatched DMVPN phase configuration.
D.The tunnel interface is administratively down.
AnswerA

DMVPN uses IPsec for encryption; if the IPsec SA is not established or is flapping, the NHRP peer will go up and down.

Why this answer

The output shows NHRP peer flapping on Tunnel0, indicating that the DMVPN tunnel is unstable. This is often due to a flaking physical interface, IPsec SA expiration, or routing issues. The peer 10.0.0.1 is going up and down repeatedly.

333
MCQmedium

Consider the following partial configuration on router R6: router bgp 65001 bgp router-id 6.6.6.6 neighbor 10.0.0.2 remote-as 65002 neighbor 10.0.0.2 route-map SET-MED out ! route-map SET-MED permit 10 set metric 50 What is the effect of this configuration?

A.Only routes that match a specific prefix will have MED set to 50; other routes will not be advertised.
B.The route-map will set the MED to 50 for all routes advertised to neighbor 10.0.0.2, and all routes will be advertised.
C.The configuration is invalid because the route-map must have a match clause.
D.The MED will only be set if the neighbor is also configured with a route-map for inbound updates.
AnswerB

The route-map has no match, so it matches all routes. The set metric command applies to all matched routes, setting MED to 50.

Why this answer

Option B is correct because the route-map SET-MED is applied as an outbound route-map on the BGP neighbor 10.0.0.2. Since the route-map has a permit statement with no match clause, it implicitly matches all routes. The set metric 50 command then sets the MED (Multi-Exit Discriminator) to 50 for all routes advertised to that neighbor.

All routes are still advertised because the route-map does not contain any deny statements or match conditions that would filter them.

Exam trap

The trap here is that candidates often assume a route-map must have a match clause to be valid, but Cisco permits a route-map with only a set clause, which then applies to all routes matched by the permit statement.

How to eliminate wrong answers

Option A is wrong because the route-map has no match clause, so it matches all routes, not just a specific prefix; also, all routes are advertised, not withheld. Option C is wrong because a route-map does not require a match clause; a permit statement without match conditions matches everything, making the configuration valid. Option D is wrong because the MED is set by the outbound route-map on R6, and no inbound route-map on the neighbor is required for the MED to be set; the neighbor's inbound policy is irrelevant to the outbound set action.

334
MCQhard

A network engineer is troubleshooting an MPLS L3VPN where CE1 (10.1.1.0/24) cannot reach CE2 (10.2.2.0/24). The PE routers are using OSPF with the CEs and MP-BGP between them. On PE1, the show ip bgp vpnv4 vrf CUSTOMER command shows the route for 10.2.2.0/24 with a next-hop of 192.168.1.2, and the show ip route vrf CUSTOMER command shows the route as well. However, traffic from CE1 to CE2 fails. The show ip cef vrf CUSTOMER 10.2.2.0 command on PE1 shows the next-hop as 192.168.1.2 but the output interface is 'no route'. What is the most likely cause?

A.The OSPF process on PE1 is not redistributing connected routes.
B.The PE2 loopback is not advertised into the IGP (OSPF/IS-IS) of the service provider core.
C.The VRF route-target import is misconfigured.
D.MPLS is not enabled on the core-facing interfaces.
AnswerB

Correct: The BGP next-hop must be reachable via IGP for CEF to resolve the output interface.

Why this answer

CEF has a next-hop but no output interface because the recursive routing table lookup for the BGP next-hop (192.168.1.2) fails. The IGP (OSPF or IS-IS) does not have a route to the PE2 loopback, so CEF cannot resolve the adjacency.

335
MCQhard

A network engineer configures VRF-Lite with OSPF as the routing protocol. Two routers in the same VRF are directly connected, but the OSPF neighbor state remains stuck in EXSTART/EXCHANGE. The engineer verifies that the MTU on both interfaces is 1500. Which is the most likely explanation?

A.The OSPF network type is set to point-to-multipoint on one side and broadcast on the other, causing a mismatch in DBD packet size.
B.The 'ip mtu' command is configured on one interface with a value lower than 1500, causing the DBD packet to be larger than the receiving interface's IP MTU.
C.The VRF forwarding table is missing the OSPF route for the neighbor's router ID, preventing the exchange of DBD packets.
D.The OSPF dead interval is set to 40 seconds on one router and 120 seconds on the other, causing a mismatch in hello parameters.
AnswerB

OSPF uses the IP MTU for DBD packets. If one interface has a lower IP MTU (e.g., 1400), the DBD packet from the other side (1500) is dropped, causing the stuck state.

Why this answer

OSPF uses the IP MTU of the outgoing interface to set the size of Database Description (DBD) packets. If the receiving interface has a smaller IP MTU, the DBD packet is silently dropped, causing the neighbor to stay in EXSTART/EXCHANGE. Even if the physical MTU is 1500, the IP MTU can be lowered via 'ip mtu' command, and OSPF will use that lower value.

The MTU mismatch is not necessarily the physical MTU but the IP MTU, which is a common edge case.

336
MCQhard

Router R1 is configured with ip nat inside source list 100 interface GigabitEthernet0/1 overload. Internal host 192.168.1.10 can ping external host 203.0.113.50, but cannot establish a TCP connection to port 443. Router R1 shows: debug ip nat: NAT: s=192.168.1.10->203.0.113.1, d=203.0.113.50 [0]. The external host shows no received packets. What is the root cause?

A.An ACL on the outside interface is blocking TCP port 443; configure an ACL to permit it.
B.The NAT translation is failing for TCP due to port exhaustion.
C.The internal host has a firewall blocking outbound TCP.
D.The external host is not responding to TCP SYN packets.
AnswerA

ICMP is permitted, but TCP 443 is likely denied by an implicit or explicit ACL.

Why this answer

The correct answer is A because the debug output shows a successful NAT translation (s=192.168.1.10->203.0.113.1, d=203.0.113.50), yet the external host receives no packets. This indicates that the translated packets are being dropped after leaving R1, most likely by an ACL applied to the outside interface (GigabitEthernet0/1) that blocks TCP port 443. Since ICMP (ping) succeeds but TCP/443 fails, the ACL is filtering only TCP traffic on that port, not all traffic.

Exam trap

Cisco often tests the distinction between NAT translation success and packet forwarding success; candidates mistakenly assume that a successful NAT debug entry means the packet reached the destination, but the trap is that an ACL on the outside interface can drop the packet after translation, causing asymmetric behavior between ICMP and TCP.

How to eliminate wrong answers

Option B is wrong because port exhaustion would cause NAT to fail or show 'NAT: translation failed' in debug, but the debug shows a successful translation with a specific source port [0], indicating a fresh translation is created. Option C is wrong because the internal host can successfully ping the external host, proving outbound traffic is not blocked by a local firewall; a host firewall blocking TCP/443 would also block the TCP SYN from leaving the host, but the NAT translation occurs, meaning the packet reached R1. Option D is wrong because the external host shows no received packets, meaning the issue is before the packet reaches the external host; if the external host were not responding, R1 would still forward the SYN, and the external host would show received packets (even if it drops them).

337
Multi-Selectmedium

Which TWO statements about route targets (RT) in MPLS L3VPN are true? (Choose TWO.)

Select 2 answers
A.The export RT is added to VPNv4 routes when they are advertised from a PE to a P router.
B.The import RT is used to filter incoming VPNv4 routes into a VRF on the receiving PE.
C.Route targets are 64-bit values typically formatted as an IP address and a 16-bit number.
D.Route targets are used by LDP to distribute VPN labels between PEs.
E.The route target must match the route distinguisher for the VRF to function.
AnswersB, C

Import RT determines which routes are installed into the VRF routing table.

Why this answer

Route targets control the import and export of VPNv4 routes between VRFs. The export RT is attached to routes when they are advertised from a VRF to MP-BGP. The import RT determines which routes are imported into a VRF.

RTs are not used for label distribution (LDP handles that) and do not affect the IGP. They are not directly involved in the VRF route distinguisher (RD) process, though RD and RT are often configured together.

338
MCQmedium

Consider the following BGP configuration on router R2: router bgp 65002 bgp router-id 2.2.2.2 neighbor 10.2.2.1 remote-as 65001 neighbor 10.2.2.1 route-map FILTER in ! route-map FILTER deny 10 match ip address prefix-list BLOCKED ! route-map FILTER permit 20 ! ip prefix-list BLOCKED permit 10.0.0.0/8 le 32 Which statement is true about routes received from 10.2.2.1?

A.All routes are accepted because the deny statement is misconfigured.
B.Routes with prefix 10.0.0.0/8 or more specific are denied; all others are permitted.
C.Only routes exactly matching 10.0.0.0/8 are denied; other 10.x.x.x routes are permitted.
D.The route-map is applied outbound, so it affects routes sent to 10.2.2.1.
AnswerB

Prefix-list BLOCKED matches 10.0.0.0/8 and any more specific prefix (le 32), so those are denied. Sequence 20 permits the rest.

Why this answer

The route-map FILTER is applied inbound. Sequence 10 denies any route matching prefix-list BLOCKED (10.0.0.0/8 and more specific). Sequence 20 permits all other routes.

Routes with 10.x.x.x are denied.

339
MCQmedium

Which SNMP version introduced the use of a User-based Security Model (USM) and View-based Access Control Model (VACM)?

A.SNMPv1
B.SNMPv2c
C.SNMPv3
D.SNMPv2u
AnswerC

SNMPv3 introduced USM and VACM for security and access control.

Why this answer

SNMPv3 introduced the User-based Security Model (USM) for authentication and encryption, and the View-based Access Control Model (VACM) for granular access control. These models provide message integrity, authentication, and encryption, addressing the security deficiencies of earlier SNMP versions.

Exam trap

Cisco often tests the distinction between SNMPv2u (which introduced user-based security but not VACM) and SNMPv3 (which combined USM and VACM), leading candidates to mistakenly select SNMPv2u as the version that introduced both models.

How to eliminate wrong answers

Option A is wrong because SNMPv1 uses community strings for authentication with no security model like USM or VACM. Option B is wrong because SNMPv2c also relies on community strings and lacks USM and VACM, despite being an enhanced version of SNMPv2. Option D is wrong because SNMPv2u was an experimental version that introduced user-based security but did not include VACM; it was a precursor to SNMPv3's USM and VACM.

340
Drag & Dropmedium

Drag and drop the steps to verify and validate BGP operational state into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Start by checking the BGP summary for session state; then examine the BGP table for received prefixes; next verify prefix advertisement with show ip bgp neighbors; then check route propagation with show ip route bgp; finally validate path selection with show ip bgp bestpath.

341
MCQmedium

A network engineer is troubleshooting an IPv6 neighbor discovery issue on a switch running IOS-XE. Hosts on VLAN 100 are intermittently losing connectivity to the default gateway. The switch is configured with IPv6 First Hop Security features including RA Guard and DHCPv6 Guard. The engineer notices that the switch is dropping valid Router Advertisements from the legitimate router. What is the most likely cause of this issue?

A.The RA Guard policy is configured with 'device-role router' on the port connected to the legitimate router, but the router's MAC address is not in the allowed list.
B.DHCPv6 Guard is blocking DHCPv6 Advertise messages from the router, preventing hosts from obtaining IPv6 addresses.
C.IPv6 Source Guard is dropping packets from the router because the router's IPv6 address is not in the binding table.
D.The switch has IPv6 unicast-routing enabled, causing it to send its own RAs and override the legitimate router.
AnswerA

Correct because RA Guard requires explicit authorization of routers; if the legitimate router's MAC is not allowed, its RAs are dropped.

Why this answer

The RA Guard policy with 'device-role router' on the port connected to the legitimate router expects the router's MAC address to be in an allowed list. If the MAC address is not explicitly permitted, the switch drops all Router Advertisements from that port, including valid ones. This causes hosts on VLAN 100 to lose connectivity to the default gateway because they never receive the necessary RA to learn the gateway's IPv6 address and on-link prefix.

Exam trap

Cisco often tests the nuance that RA Guard with 'device-role router' does not automatically trust all routers; it requires explicit MAC address matching, and candidates may mistakenly think that setting the device role to 'router' alone is sufficient to permit RAs.

How to eliminate wrong answers

Option B is wrong because DHCPv6 Guard blocks DHCPv6 Reply and Advertise messages from unauthorized DHCPv6 servers, but the issue is about Router Advertisements (RA), not DHCPv6 messages; RA Guard is the feature that filters RAs. Option C is wrong because IPv6 Source Guard drops packets based on source IPv6 address and MAC address mismatches in the binding table, but it does not filter Router Advertisements; RA Guard is specifically designed to filter RAs. Option D is wrong because enabling IPv6 unicast-routing on the switch does not cause it to send its own RAs unless an IPv6 address is configured on the VLAN interface and the 'ipv6 nd ra-interval' command is active; even if it did, the switch would not override the legitimate router's RAs unless it had a higher priority, and the issue is that valid RAs are being dropped, not that conflicting RAs are being sent.

342
Multi-Selecthard

Which THREE commands can be used to troubleshoot NAT issues on a Cisco IOS router? (Choose THREE.)

Select 3 answers
A.show ip nat translations
B.debug ip nat
C.clear ip nat translation
D.show ip nat verbose
E.show ip interface brief
AnswersA, B, C

Displays active translations, which helps verify if mappings are created correctly.

Why this answer

A is correct because 'show ip nat translations' displays the current NAT translation table, showing inside local, inside global, outside local, and outside global addresses. This command is essential for verifying whether translations are being created correctly and for identifying translation mismatches or exhaustion.

Exam trap

Cisco often tests the distinction between valid troubleshooting commands and commands that sound plausible but are either nonexistent or irrelevant to the specific technology, such as 'show ip nat verbose' or 'show ip interface brief'.

343
MCQhard

An engineer is troubleshooting a BGP peering problem between two routers, R1 (AS 65001) and R2 (AS 65002), connected via a firewall. The BGP session is flapping every few seconds. The engineer notices that the TCP connection is established, but BGP OPEN messages are not exchanged. The firewall logs show that TCP port 179 is allowed, but packets with the BGP marker (0xFFFFFFFF) are being dropped. What is the most likely cause?

A.The firewall is dropping BGP packets because the BGP marker (0xFFFFFFFF) is being flagged as a potential attack or malformed packet.
B.The BGP session is flapping because the keepalive timer is set too low on both routers.
C.The BGP session is flapping because the routers have mismatched BGP AS numbers.
D.The BGP session is flapping because the firewall is performing TCP sequence number randomization, breaking the BGP session.
AnswerA

Correct because some security devices inspect BGP messages and may drop packets with the all-ones marker, especially if they are not configured to allow BGP properly.

Why this answer

BGP uses a 16-byte marker (all 0xFF) in its messages. Some firewalls or intrusion prevention systems may misinterpret this as a malformed packet and drop it, preventing BGP from establishing.

344
Multi-Selecthard

Which TWO statements about the 'show ip bgp vpnv4 vrf <vrf-name>' command output are correct? (Choose TWO.)

Select 2 answers
A.The output displays only routes that are locally originated by the PE router.
B.The output includes the Route Distinguisher (RD) for each prefix.
C.The output shows the MPLS label assigned to each route.
D.The output is equivalent to 'show ip route vrf <vrf-name>'.
E.The output provides the CEF forwarding information for each prefix.
AnswersB, C

Correct. The RD is displayed as part of the prefix (e.g., '100:1:10.1.1.0/24').

Why this answer

The command 'show ip bgp vpnv4 vrf <vrf-name>' displays the BGP table for the specified VRF, including VPNv4 routes that have been imported. It shows the RD, the next-hop, and the route label. It does not show the full VRF routing table (which is seen with 'show ip route vrf'), nor does it show the CEF forwarding table.

The output includes both locally originated and remote routes that have been accepted. The label information is present in the output.

345
MCQmedium

A network engineer runs the following command on Router R1: R1# show ip dhcp snooping binding MacAddress IpAddress Lease(sec) Type VLAN Interface AA:BB:CC:01:02:03 192.168.1.10 86400 dhcp-snooping 10 GigabitEthernet0/1 AA:BB:CC:01:02:04 192.168.1.11 86400 dhcp-snooping 10 GigabitEthernet0/1 AA:BB:CC:01:02:05 192.168.1.12 86400 dhcp-snooping 10 GigabitEthernet0/2 Based on this output, which statement is correct?

A.DHCP snooping is enabled and has recorded bindings for three clients.
B.DHCP snooping has detected a rogue DHCP server on GigabitEthernet0/1.
C.DHCP snooping is not functioning because the bindings are not trusted.
D.DHCP snooping has a conflict because two clients are on the same interface.
AnswerA

The table shows valid bindings.

Why this answer

Option A is correct because the output shows three DHCP snooping bindings with MAC addresses, IP addresses, lease times, and associated VLANs and interfaces, which indicates that DHCP snooping is enabled and has successfully recorded these bindings for clients. The 'dhcp-snooping' type confirms these are dynamically learned from DHCP messages, and the presence of multiple clients on the same interface (GigabitEthernet0/1) is valid as long as they are on the same VLAN.

Exam trap

Cisco often tests the misconception that multiple DHCP clients on the same interface indicate a conflict or misconfiguration, but DHCP snooping bindings can legitimately show multiple entries per interface as long as they are in the same VLAN and have unique MAC/IP pairs.

How to eliminate wrong answers

Option B is wrong because the output shows only DHCP snooping bindings, not any information about a rogue DHCP server; a rogue server would be detected via DHCP snooping's 'trusted' and 'untrusted' port configuration, which is not displayed here. Option C is wrong because the bindings are present and valid, indicating DHCP snooping is functioning correctly; the 'trusted' status applies to ports, not bindings, and untrusted ports can still have valid bindings. Option D is wrong because having two clients on the same interface (GigabitEthernet0/1) is not a conflict; DHCP snooping allows multiple bindings per interface as long as they are in the same VLAN and have unique MAC/IP pairs.

346
MCQmedium

A network engineer is troubleshooting a BGP peering issue between two directly connected routers, R1 and R2. R1 is configured with 'neighbor 10.1.1.2 remote-as 65002' and 'neighbor 10.1.1.2 update-source Loopback0', while R2 uses 'neighbor 10.1.1.1 remote-as 65001' and 'neighbor 10.1.1.1 update-source Loopback0'. The loopback interfaces are not advertised into any IGP, and there is no static route for the loopback addresses. The BGP session remains in Idle state. What is the most likely cause?

A.The BGP session is stuck in Idle because the neighbor statements reference loopback interfaces that are not reachable.
B.The BGP session is stuck in Idle because the remote-as values are mismatched.
C.The BGP session is stuck in Idle because the update-source command is not allowed on directly connected interfaces.
D.The BGP session is stuck in Idle because the neighbor statements must use the directly connected interface IP addresses.
AnswerA

Correct because BGP uses the update-source address for peering; without reachability, TCP cannot establish.

Why this answer

BGP requires reachability to the neighbor's update-source address. Since the loopback addresses are not reachable via any routing protocol or static route, the TCP connection fails, keeping the session in Idle state.

347
MCQmedium

A network engineer runs the following command to troubleshoot a Device Access Control issue: R1# show ip ospf database router 10.1.1.2 OSPF Router with ID (10.1.1.1) (Process ID 1) Router Link States (Area 0) LS age: 150 Options: (No TOS-capability, DC) LS Type: Router Links Link State ID: 10.1.1.2 Advertising Router: 10.1.1.2 LS Seq Number: 80000002 Checksum: 0x1234 Length: 48 Number of Links: 2 Link connected to: a Transit Network (Link ID) Designated Router address: 10.1.1.2 (Link Data) Router Interface address: 10.1.1.2 Number of TOS metrics: 0 TOS 0 Metrics: 10 Link connected to: a Stub Network (Link ID) Network/subnet number: 192.168.1.0 (Link Data) Network Mask: 255.255.255.0 Number of TOS metrics: 0 TOS 0 Metrics: 10 What does this output indicate?

A.The router 10.1.1.2 is advertising two links: one to a transit network and one to a stub network, both with cost 10.
B.The router 10.1.1.2 is the DR for the transit network 10.1.1.0/24.
C.The router 10.1.1.2 is advertising a single link to a point-to-point network.
D.The router 10.1.1.2 has a misconfigured network type because it shows both transit and stub links.
AnswerA

The LSA shows exactly that: a transit link (to a DR) and a stub link (192.168.1.0/24), both with metric 10.

Why this answer

The output shows two links in the Router LSA from router 10.1.1.2: a transit network link (to a DR) and a stub network link (to a subnet). Both links have a metric of 10, confirming that router 10.1.1.2 is advertising exactly two links with equal cost. This matches option A exactly.

Exam trap

Cisco often tests the ability to interpret the 'Link connected to' fields in a Router LSA, where candidates may mistakenly think a transit link implies a point-to-point connection or that a stub link indicates a misconfiguration, rather than recognizing both are normal for a DR on a multi-access network.

How to eliminate wrong answers

Option B is wrong because the transit network link shows the Designated Router address as 10.1.1.2, which indicates that 10.1.1.2 is the DR for that segment, but the question asks what the output indicates overall, and the output shows two links, not just the DR role. Option C is wrong because the output clearly lists two links (transit and stub), not a single point-to-point link. Option D is wrong because having both a transit link and a stub link in a Router LSA is normal for a multi-access network where the router is the DR; it is not a misconfiguration.

348
MCQmedium

Consider this configuration on Router R2: ``` interface Tunnel0 ipv6 address 2001:DB8:3::1/64 tunnel source GigabitEthernet0/0 tunnel mode gre ipv6 tunnel destination 2001:DB8:4::2 ``` Which statement is true?

A.This tunnel can only carry IPv6 traffic.
B.The tunnel source and destination must be IPv4 addresses.
C.This tunnel will encapsulate packets using GRE over an IPv6 transport.
D.The tunnel mode should be 'ipv6ip' for IPv6 transport.
AnswerC

GRE over IPv6 is correctly configured, allowing multiprotocol payload.

Why this answer

The configuration shows a tunnel with `tunnel mode gre ipv6`, which explicitly sets the tunnel to use GRE encapsulation over an IPv6 transport. The tunnel source and destination are IPv6 addresses, and GRE can carry multiple protocols (including IPv4, IPv6, and others) over the IPv6 transport. Therefore, option C is correct because the tunnel encapsulates packets using GRE over an IPv6 transport.

Exam trap

Cisco often tests the distinction between 'tunnel mode gre ipv6' (GRE over IPv6 transport) and 'tunnel mode ipv6ip' (IPv6 over IPv4 transport), and candidates mistakenly assume that any tunnel with IPv6 addresses must use ipv6ip mode.

How to eliminate wrong answers

Option A is wrong because GRE tunnels can carry multiple protocol types (IPv4, IPv6, MPLS, etc.), not just IPv6 traffic. Option B is wrong because the tunnel source and destination are explicitly configured as IPv6 addresses (2001:DB8:3::1 and 2001:DB8:4::2), not IPv4 addresses. Option D is wrong because 'tunnel mode ipv6ip' is used for IPv6-over-IPv4 tunnels (6in4), not for GRE over IPv6; the correct mode for GRE over IPv6 is 'tunnel mode gre ipv6'.

349
MCQhard

A network engineer configures IP SLA tracking for a static route on a Cisco router. The IP SLA operation is configured with a threshold of 100 ms and a timeout of 5000 ms. The tracked object is configured with a delay of 5 seconds for both up and down transitions. The engineer notices that when the remote host becomes unreachable, the static route is not removed from the routing table immediately. Which is the most likely explanation?

A.The IP SLA operation is still in the 'pending' state and has not yet timed out.
B.The tracked object delay of 5 seconds for down transition causes a 5-second wait before the route is removed.
C.The static route has a higher administrative distance than the IP SLA tracked route, so it remains preferred.
D.The IP SLA operation is configured with a frequency that is too low, causing a delay in detection.
AnswerB

The delay down command in the tracked object introduces a hold-down period before the object state changes, so the route remains for that duration.

Why this answer

The IP SLA tracking delay configuration introduces a delay before the tracked object changes state; this is designed to prevent route flapping but can cause the static route to remain in the routing table for the configured delay period after the IP SLA operation fails.

350
MCQhard

An engineer configures OSPF on two routers connected via a serial link. Both routers have 'ip ospf network point-to-point' configured, but the link is actually a Frame Relay multipoint subinterface. The OSPF neighbors remain stuck in EXSTART state. Which is the most likely explanation?

A.The MTU on the serial link is not consistent between the two routers, causing DBD packets to be dropped.
B.The OSPF hello timer is set too high, causing the neighbor to time out.
C.The area ID is different on the two routers.
D.The OSPF router ID is duplicated.
AnswerA

Correct. OSPF uses the interface MTU for DBD packets; mismatch prevents exchange.

Why this answer

When OSPF neighbors are stuck in EXSTART state, it typically indicates a problem with the Database Description (DBD) packet exchange. In this scenario, the 'ip ospf network point-to-point' command overrides the default Frame Relay multipoint behavior, but the actual link is a multipoint subinterface. This mismatch can cause MTU inconsistencies because the multipoint subinterface may have a different MTU than the point-to-point OSPF network type expects.

If the MTU is not consistent between the two routers, DBD packets larger than the smaller MTU will be silently dropped, preventing the neighbors from progressing beyond EXSTART.

Exam trap

Cisco often tests the distinction between neighbor states—specifically that EXSTART is reached only after hello and 2-WAY states are complete, so issues like mismatched area IDs or duplicate router IDs would prevent reaching EXSTART, while MTU mismatches specifically block DBD exchange at EXSTART.

How to eliminate wrong answers

Option B is wrong because a hello timer set too high would cause neighbors to fail to form adjacency or stay in DOWN/INIT state, not get stuck in EXSTART; EXSTART is reached only after hello exchange succeeds. Option C is wrong because mismatched area IDs would prevent the routers from even reaching the 2-WAY state, as OSPF requires matching area IDs for neighbor discovery; they would not reach EXSTART. Option D is wrong because a duplicate OSPF router ID would cause one router to reject the other's hello packets, resulting in a neighbor state of DOWN or INIT, not EXSTART; EXSTART requires successful hello and database description negotiation.

351
MCQhard

R1 and R2 are OSPF neighbors over a VLAN interface with BFD enabled. R1#show ip ospf interface vlan10 shows 'BFD is enabled' but R1#show bfd neighbors shows no sessions. R2#show bfd neighbors shows no sessions. R1 has 'bfd interval 100 min_rx 100 multiplier 3' under vlan10. R2 has same. The VLAN is up. What is the root cause?

A.BFD must be enabled on the physical interface as well as the VLAN interface.
B.The VLAN interface must have 'ip ospf bfd' disabled.
C.OSPF must be configured with 'bfd all-interfaces' globally.
D.The BFD timers must match exactly on both sides.
AnswerA

BFD sessions are established on the physical interface; without BFD on the physical, the VLAN interface BFD configuration is ineffective.

Why this answer

BFD on VLAN interfaces requires that the underlying physical interface also support BFD. If the physical interface (e.g., GigabitEthernet0/1) does not have BFD enabled, the VLAN interface cannot establish BFD sessions. BFD is not automatically inherited from VLAN to physical.

352
MCQmedium

A network engineer runs the following command to verify DHCPv6 pool configuration on router R1: R1# show ipv6 dhcp pool Output: Pool DHCPv6_POOL : Prefix number: 1 Prefix: 2001:DB8:1::/48 Preferred lifetime 604800, valid lifetime 2592000 Expires at Mar 01 2025 12:00 PM (2592000 seconds) DNS server: 2001:DB8::1 Domain name: example.com Active clients: 5 What does this output indicate?

A.The DHCPv6 pool has 5 active clients and provides prefix delegation, DNS, and domain name.
B.The DHCPv6 pool is used only for stateless address autoconfiguration (SLAAC).
C.The DHCPv6 pool has 5 clients with addresses from the prefix 2001:DB8:1::/48.
D.The DHCPv6 pool has a preferred lifetime of 2592000 seconds.
AnswerA

The output shows a prefix for delegation, DNS server, domain name, and 5 active clients.

Why this answer

The output shows a DHCPv6 pool configured with prefix delegation (2001:DB8:1::/48), DNS server, and domain name, along with 5 active clients. This confirms that the pool is used for stateful DHCPv6 (prefix delegation) and provides additional options, making option A correct.

Exam trap

Cisco often tests the distinction between DHCPv6 address assignment and prefix delegation, where candidates mistakenly interpret 'Active clients' as hosts with IPv6 addresses rather than routers that have received delegated prefixes.

How to eliminate wrong answers

Option B is wrong because the pool includes prefix delegation and DNS/domain options, which are not used in stateless address autoconfiguration (SLAAC); SLAAC relies on Router Advertisements and does not require a DHCPv6 pool. Option C is wrong because the 'Active clients: 5' indicates clients that have been delegated prefixes from the pool, not that they have addresses from the prefix 2001:DB8:1::/48; DHCPv6 prefix delegation assigns prefixes to requesting routers, not host addresses. Option D is wrong because the preferred lifetime shown is 604800 seconds (not 2592000 seconds), which is the valid lifetime; the output clearly lists 'Preferred lifetime 604800, valid lifetime 2592000'.

353
MCQhard

What is the default threshold value (in milliseconds) for an IP SLA operation?

A.1000 ms
B.5000 ms
C.10000 ms
D.No default threshold
AnswerB

Correct. The default threshold is 5000 ms, same as the default timeout.

Why this answer

The default threshold for an IP SLA operation is 5000 milliseconds (5 seconds). This is the value above which the operation is considered to have exceeded a tolerable delay, triggering reaction conditions.

354
Multi-Selecthard

Which THREE symptoms indicate that an administrative distance misconfiguration might be causing routing issues? (Choose THREE.)

Select 3 answers
A.The router prefers a route learned via a less reliable protocol over a more reliable one.
B.Routes are flapping in the routing table due to metric changes.
C.Traffic to a destination takes a suboptimal path.
D.The routing table shows two routes to the same network with different AD values.
E.Connectivity to a remote network is intermittent, depending on which protocol converges first.
AnswersA, C, E

This indicates that the AD for the less reliable protocol is set lower than for the more reliable one.

Why this answer

When AD is misconfigured, the router may prefer a less reliable route, causing suboptimal or intermittent connectivity. Common symptoms include incorrect route selection, flapping routes, and traffic taking unexpected paths. These are all signs that the AD values should be reviewed.

355
MCQeasy

What is the default transport protocol used by NetFlow exporters on Cisco IOS-XE?

A.TCP
B.UDP
C.SCTP
D.ICMP
AnswerB

Correct. NetFlow uses UDP by default.

Why this answer

The default transport protocol is UDP, typically on port 2055, though configurable.

356
MCQmedium

A network engineer runs the following command on Router R1: R1# show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 192.168.1.2 1 FULL/DR 00:00:35 10.1.1.2 GigabitEthernet0/0 192.168.2.2 1 2WAY/DROTHER 00:00:32 10.2.2.2 GigabitEthernet0/1 192.168.3.2 1 FULL/BDR 00:00:38 10.3.3.2 GigabitEthernet0/2 Based on this output, what is a potential issue?

A.The neighbor on Gi0/1 is not forming a full adjacency because it is in 2WAY state.
B.The neighbor on Gi0/0 is the DR, which is causing high CPU usage.
C.The neighbor on Gi0/2 is the BDR, which is a problem because it should be the DR.
D.All neighbors are in FULL state, indicating no issues.
AnswerD

Correct. All neighbor states are appropriate for their roles, so there is no issue.

Why this answer

The output shows normal OSPF neighbor states on a broadcast multi-access network. The neighbor on Gi0/1 is in the 2WAY/DROTHER state, which is expected for non-DR/BDR routers. The neighbors on Gi0/0 and Gi0/2 are in FULL state (DR and BDR respectively).

All states are valid, so there is no issue.

Exam trap

Candidates often incorrectly assume that any state other than FULL indicates a problem. However, in OSPF broadcast multi-access networks, the 2WAY state between DROTHER routers is normal and does not indicate an issue.

How to eliminate wrong answers

Option B is wrong because the neighbor on Gi0/0 being in FULL/DR state is normal and does not inherently cause high CPU usage; DR election is a standard OSPF process, and high CPU would depend on network size and LSA flooding, not simply the DR role. Option C is wrong because the neighbor on Gi0/2 being in FULL/BDR state is perfectly valid; the BDR is a backup to the DR, and there is no requirement that a specific router should be the DR—election is based on priority and Router ID. Option D is wrong because not all neighbors are in FULL state; the neighbor on Gi0/1 is in 2WAY state, which is not FULL, so stating 'all neighbors are in FULL state' is factually incorrect based on the output.

357
MCQhard

An engineer configures BGP between two routers in the same AS. The iBGP session is established, but routes learned from the eBGP neighbor are not advertised to the iBGP peer. The 'show ip bgp' output shows the routes as valid but not best. Which is the most likely explanation?

A.The 'synchronization' rule is enabled and the IGP does not carry the prefix.
B.The next-hop IP of the eBGP route is not reachable via IGP, making the route invalid.
C.The 'maximum-paths' command is set to 1, preventing load balancing.
D.The 'bgp bestpath med missing-as-worst' command causes the route to be considered worse.
AnswerB

iBGP requires next-hop reachability; without next-hop-self, the next-hop is the eBGP peer's IP.

Why this answer

For iBGP, the next-hop must be reachable via IGP. If the next-hop is not reachable (e.g., no IGP route for the eBGP peer's interface IP), the route is considered invalid and not installed. This is a common edge case where next-hop-self is not configured.

358
Multi-Selecthard

Which THREE statements about IPv4 access control list sequence numbers are true? (Choose THREE.)

Select 3 answers
A.Sequence numbers allow insertion of new entries between existing ones.
B.Sequence numbers are automatically assigned in increments of 10 for numbered ACLs.
C.Named ACLs support sequence numbers.
D.The ip access-list resequence command can renumber ACL entries.
E.Resequencing an ACL changes the order of evaluation.
AnswersA, C, D

You can specify a sequence number to place an entry at a specific position in the ACL.

Why this answer

Sequence numbers in IPv4 ACLs allow administrators to insert new entries between existing ones without deleting and re-entering the entire ACL. This is because each entry is assigned a unique sequence number, and new entries can be added with a sequence number that falls between two existing numbers, enabling granular control over the order of evaluation.

Exam trap

Cisco often tests the misconception that resequencing an ACL changes the order of evaluation, but in reality, it only renumbers the entries while preserving their original sequence; the trap is confusing sequence number reassignment with rule reordering.

359
MCQhard

In an iBGP network, router R1 has: router bgp 65000 bgp bestpath as-path multipath-relax neighbor 10.1.1.2 route-map SET-MED in route-map SET-MED permit 10 set metric 50 neighbor 10.1.1.3 route-map SET-MED2 in route-map SET-MED2 permit 10 set metric 100 Router R2 shows: R2# show ip bgp 192.168.1.0/24 BGP routing table entry for 192.168.1.0/24, version 2 Paths: (2 available, best #2) Path #1: via 10.1.1.1, metric 50 Path #2: via 10.1.1.4, metric 100 R2# show ip route 192.168.1.0 Routing entry for 192.168.1.0/24 Known via "bgp 65000", distance 200, metric 100 Last update from 10.1.1.4 00:00:10 Serial0/0/1 R2 is choosing the path with higher metric. What is the root cause?

A.The path with lower MED is from a different AS, so MED is not compared.
B.The route-map on R1 is misconfigured; it should set metric on the neighbor statement.
C.R2 has a higher local preference for the path via 10.1.1.4.
D.The 'bgp bestpath as-path multipath-relax' command causes MED to be ignored.
AnswerA

MED is only compared between paths from the same AS. The path via 10.1.1.1 might have a different AS_PATH.

Why this answer

BGP best path selection compares MED only if paths come from the same AS. If the paths have different AS_PATH lengths, MED is ignored. The output shows two paths, but the path via 10.1.1.1 might have a different AS_PATH length.

The 'bgp bestpath as-path multipath-relax' allows multipath but does not affect MED comparison. The higher metric path is chosen due to a different tie-breaker (e.g., lower neighbor IP).

360
Multi-Selecthard

An engineer is troubleshooting an OSPF network where route summarization is configured on an ABR. Which TWO statements correctly describe the behavior of OSPF inter-area route summarization using the 'area range' command? (Choose TWO.)

Select 2 answers
A.The 'area range' command creates a single Type 3 LSA for the summary prefix and suppresses the advertisement of individual Type 3 LSAs for the component networks.
B.The cost of the summary LSA is set to the lowest cost among the component routes within the range.
C.The 'area range' command also summarizes external routes redistributed into OSPF from other protocols.
D.The summary route is advertised with a metric type of E1 or E2, depending on the original external metric type.
E.The 'area range' command can be configured only on ABRs and not on ASBRs.
AnswersA, E

Correct. The ABR generates one Type 3 LSA for the range and does not advertise the individual Type 3 LSAs for the more specific routes.

Why this answer

The 'area range' command on an ABR summarizes routes from one area into another. It creates a single Type 3 LSA for the summary prefix, suppresses the individual Type 3 LSAs for the component networks, and does not affect Type 1 or Type 2 LSAs within the area. The summary LSA is advertised with a cost equal to the highest cost among the component routes, not the lowest.

The command does not automatically summarize redistributed routes; that requires the 'summary-address' command under the OSPF process.

361
MCQhard

A network engineer is troubleshooting an EIGRP issue where a route is flapping in and out of the routing table. The engineer checks the logs and sees messages indicating that the route is being learned from two different neighbors, but the metric keeps changing. The route is a summary route. What is the most likely cause of the flapping?

A.The summary route is being advertised by multiple routers with different metrics.
B.The EIGRP stub feature is configured on one of the neighbors.
C.The passive-interface command is applied to the interface receiving the summary route.
D.The EIGRP router ID is the same on both neighbors.
AnswerA

Correct because if the summary route is originated by multiple routers, the metric may vary, causing the router to flap between the best paths.

Why this answer

When a summary route is learned from multiple EIGRP neighbors with different metrics, the router will alternate between the best paths as the metrics change, causing the route to flap in and out of the routing table. EIGRP uses the feasible successor logic, but if the metric from each neighbor varies (e.g., due to unequal link speeds or load), the route may be repeatedly inserted and withdrawn as the topology table updates.

Exam trap

The trap here is that candidates often assume flapping is caused by neighbor adjacency issues (like duplicate router IDs) or interface misconfigurations, rather than recognizing that metric instability between multiple sources of the same summary route is the root cause.

How to eliminate wrong answers

Option B is wrong because the EIGRP stub feature prevents the stub router from advertising routes learned from other neighbors, but it does not cause a summary route to flap due to metric changes; stubs simply limit query propagation and route advertisement. Option C is wrong because the passive-interface command suppresses the sending of EIGRP hellos and updates on an interface, which would prevent the route from being learned at all, not cause flapping. Option D is wrong because duplicate EIGRP router IDs would cause neighbor adjacency issues or routing loops, but they do not directly cause a summary route to flap due to metric changes; the router would reject the second neighbor or have inconsistent topology tables.

362
MCQhard

An engineer configures EIGRP stub with `eigrp stub connected static` on a remote router. The remote router has a directly connected network and a static route redistributed into EIGRP. Unexpectedly, the hub router does not receive the static route, although the connected route is learned. Which is the most likely explanation?

A.The stub router must also have `redistribute static` configured under the EIGRP process for the static route to be advertised.
B.The hub router has a route filter that blocks the static route due to administrative distance mismatch.
C.The stub router is configured with `eigrp stub connected static` but the static route is not directly connected, so it is ignored.
D.The stub router must use `eigrp stub receive-only` to advertise static routes.
AnswerA

The `eigrp stub static` keyword only permits advertisement of static routes that are already in the EIGRP topology; redistribution is required first.

Why this answer

The `eigrp stub connected static` command only advertises connected and static routes that are directly configured on the stub router, but it does not automatically redistribute the static route into EIGRP unless redistribution is explicitly configured. The stub command only controls which routes are advertised, not the redistribution process. Without `redistribute static` under the EIGRP process, the static route is not injected into EIGRP.

363
MCQhard

A network engineer runs the following command to troubleshoot a BGP Troubleshooting issue: R1# show ip bgp vpnv4 vrf CUSTOMER routes BGP table version is 10, local router ID is 1.1.1.1 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path Route Distinguisher: 100:1 (default for vrf CUSTOMER) *> 10.0.0.0/24 10.1.1.2 0 100 0 65001 i *> 192.168.1.0/24 10.1.1.2 0 100 0 65001 i Total number of prefixes 2 What does this output indicate?

A.The VRF CUSTOMER has two routes, both learned via BGP from AS 65001.
B.The VRF CUSTOMER is not receiving any routes because the RD is incorrect.
C.The VRF CUSTOMER has two routes, but they are not installed in the routing table.
D.The VRF CUSTOMER has two routes, but they are filtered by RT import policy.
AnswerA

The output shows two prefixes with path AS 65001, valid and best in the VRF.

Why this answer

The show ip bgp vpnv4 vrf CUSTOMER routes command displays BGP VPNv4 routes for a specific VRF. The output shows two routes with route distinguisher 100:1, received from AS 65001. These are the routes available in the VRF CUSTOMER.

364
MCQmedium

Given the following BGP configuration on router R1: router bgp 65001 bgp router-id 1.1.1.1 neighbor 10.1.1.2 remote-as 65002 neighbor 10.1.1.2 route-map SET-MED out ! route-map SET-MED permit 10 match ip address prefix-list LOOPBACKS set metric 100 ! route-map SET-MED permit 20 ! ip prefix-list LOOPBACKS permit 192.168.0.0/24 What is the effect of this configuration?

A.Only the 192.168.0.0/24 route is advertised to 10.1.1.2, with MED 100.
B.All routes are advertised to 10.1.1.2; the 192.168.0.0/24 route has MED 100, others have no MED.
C.All routes are advertised with MED 100 because the route-map is applied outbound.
D.Only the 192.168.0.0/24 route is advertised with no MED because the set metric is ignored.
AnswerB

Sequence 10 matches and sets MED 100 for 192.168.0.0/24; sequence 20 permits all other routes without modifying MED.

Why this answer

The route-map SET-MED has two sequences. Sequence 10 matches prefix-list LOOPBACKS (192.168.0.0/24) and sets MED to 100. Sequence 20 permits everything else without setting MED, so other routes are advertised with their original MED.

365
MCQmedium

Examine the following partial router configuration: logging buffered 16384 logging console warnings logging monitor notifications logging trap debugging logging source-interface Loopback0 logging 192.168.1.100 What is the effect of this configuration?

A.Syslog messages of severity 0 through 7 are sent to the server 192.168.1.100.
B.Only syslog messages of severity 0 through 4 are sent to the server 192.168.1.100.
C.The syslog server receives messages with the IP address of the outgoing interface as the source.
D.The logging buffer stores up to 16384 syslog messages.
AnswerA

The 'logging trap debugging' command sets the syslog trap level to debugging, which includes all severities (0-7).

Why this answer

This configuration sets up logging with different severity levels for different destinations. The 'logging trap debugging' sends all messages (severity 0-7) to the syslog server at 192.168.1.100, while console gets only warnings (severity 4) and monitor gets notifications (severity 5). The buffer is set to 16384 bytes.

366
MCQmedium

A network engineer runs the following command to debug NetFlow export: R1# debug ip flow export IP Flow export debugging is on R1# *Mar 1 00:05:23.123: FLOW: export v9 flow 1 with 30 packets *Mar 1 00:05:23.124: FLOW: export v9 flow 2 with 15 packets *Mar 1 00:05:23.125: FLOW: export v9 flow 3 with 22 packets *Mar 1 00:05:23.126: FLOW: export v9 flow 4 with 8 packets *Mar 1 00:05:23.127: FLOW: export v9 flow 5 with 12 packets What does this output indicate?

A.NetFlow export is failing because the flows are too small.
B.NetFlow version 9 export is functioning correctly, exporting multiple flows with their packet counts.
C.Only one flow is being exported at a time.
D.The export is using NetFlow version 5.
AnswerB

The debug messages confirm that NetFlow v9 export is operational and exporting flows with their respective packet counts.

Why this answer

The debug output shows that NetFlow version 9 export is working, with flows being exported in real time. Each line shows a flow ID and the number of packets in that flow. This indicates that NetFlow is actively exporting flow data.

367
MCQmedium

A network engineer runs the following command to troubleshoot an SNMP issue: R1# debug snmp packets SNMP: Packet received via UDP from 10.1.1.1 on port 161 SNMP: GetRequest, reqid 12345, errstat 0, errindex 0 SNMP: Community string: public SNMP: MIB object: 1.3.6.1.2.1.1.1.0 (sysDescr) SNMP: Value: Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.7(3)M SNMP: Packet sent via UDP to 10.1.1.1 on port 161 SNMP: GetResponse, reqid 12345, errstat 0, errindex 0 What does this debug output indicate?

A.The SNMP agent is correctly responding to a GetRequest from the NMS at 10.1.1.1.
B.The SNMP agent is failing to process the request due to a community string mismatch.
C.The SNMP agent is sending a trap to the NMS at 10.1.1.1.
D.The SNMP agent is ignoring the request due to an ACL blocking the NMS.
AnswerA

The debug output shows a GetRequest followed by a GetResponse with errstat 0, indicating successful communication.

Why this answer

The debug output shows a complete SNMP GetRequest/GetResponse exchange between the NMS at 10.1.1.1 and the router acting as an SNMP agent. The agent receives a GetRequest for sysDescr (OID 1.3.6.1.2.1.1.1.0), processes it successfully (errstat 0, errindex 0), and sends back a GetResponse containing the system description. This confirms the SNMP agent is functioning correctly and responding to queries from the NMS.

Exam trap

Cisco often tests the distinction between SNMP Get/Set operations (which use UDP 161) and SNMP traps/informs (which use UDP 162), so candidates may mistakenly interpret a GetResponse as a trap if they overlook the direction and port details in the debug output.

How to eliminate wrong answers

Option B is wrong because the debug output shows the community string 'public' is accepted and the request is processed with errstat 0, indicating no authentication failure or mismatch. Option C is wrong because the output shows a GetRequest/GetResponse pair, not a trap; traps are unsolicited messages sent from agent to NMS, not a response to a query. Option D is wrong because the packet is received and processed successfully, with no indication of an ACL drop; if an ACL were blocking the NMS, the packet would not appear in the debug output at all.

368
MCQhard

What is the maximum number of entries that can be configured in a single IPv4 ACL in Cisco IOS?

A.1000
B.500
C.Unlimited
D.256
AnswerA

Cisco IOS generally supports up to 1000 ACEs per ACL, though hardware limits may be lower.

Why this answer

Cisco IOS limits a single IPv4 ACL to a maximum of 1000 entries (ACE lines) to prevent performance degradation and excessive memory consumption on the router. This hard limit applies to both standard and extended numbered ACLs, as well as named ACLs, and is enforced by the software to ensure predictable forwarding behavior.

Exam trap

Cisco often tests the 1000-entry limit to catch candidates who assume ACLs are unlimited or who confuse the limit with the 256-entry limit common on older Catalyst switch ACLs.

How to eliminate wrong answers

Option B is wrong because 500 is not the maximum; it is a common misconception that the limit is lower, but Cisco documentation explicitly states 1000 as the cap. Option C is wrong because ACL entries are not unlimited; a finite limit exists to protect router CPU and memory resources, and attempting to exceed 1000 entries results in a configuration rejection. Option D is wrong because 256 is the maximum number of entries for an older or platform-specific ACL (e.g., some Catalyst switches), but for general Cisco IOS routers, the limit is 1000.

369
MCQeasy

A network engineer runs the following command to troubleshoot a Control Plane Policing (CoPP) issue: R1# show ip route summary IP routing table name: Default-IP-Routing-Table (0x0) IP routing table maximum-paths: 32 Route entry limits: 1000000 active, 2000000 total Number of prefixes: 500 Prefixes with memory: 500 Number of paths: 600 Paths with memory: 600 Number of operations: 1200 Number of deleted entries: 0 What does this output indicate?

A.The routing table is empty due to CoPP dropping routing updates.
B.The routing table has 500 prefixes, indicating that routing protocols are functioning and CoPP is not blocking updates.
C.The routing table has too many prefixes, causing CoPP to drop packets.
D.The routing table is not being updated due to a CoPP policy.
AnswerB

A healthy routing table with no deleted entries suggests CoPP is not causing issues.

Why this answer

The output shows 500 prefixes and 600 paths in the routing table, which indicates that routing protocols are exchanging routes and the routing table is being populated normally. Since CoPP is designed to protect the control plane by rate-limiting or dropping excessive traffic, a healthy routing table with a typical number of prefixes suggests that CoPP is not blocking routing updates. Therefore, option B is correct.

Exam trap

Cisco often tests the misconception that a low or moderate number of prefixes automatically indicates CoPP is dropping updates, when in fact CoPP would cause routing table instability or missing routes, not a static but healthy prefix count.

How to eliminate wrong answers

Option A is wrong because the routing table is not empty; it contains 500 prefixes, proving that routing updates are being received and processed. Option C is wrong because 500 prefixes is not an excessive number; modern routers can handle hundreds of thousands of routes, and CoPP would only drop packets if the control plane were overwhelmed, which is not indicated here. Option D is wrong because the routing table is being updated (as shown by the 500 prefixes and 600 paths), so CoPP is not blocking updates.

370
MCQhard

An engineer configures SPAN on a Cisco switch to monitor both ingress and egress traffic on a trunk port. The monitor session shows only egress traffic, not ingress. What is the most likely explanation?

A.The trunk port is configured with 'switchport trunk allowed vlan' that excludes the VLANs carrying the ingress traffic.
B.The SPAN session is configured with 'monitor session 1 source interface gigabitethernet0/1 rx', missing the 'tx' keyword.
C.The switch has 'spanning-tree portfast' enabled on the trunk, disabling ingress monitoring.
D.The SPAN destination port is in the same VLAN as the ingress traffic, causing a loop.
AnswerA

SPAN only captures traffic on VLANs that are allowed on the trunk; pruned VLANs are not monitored.

Why this answer

When monitoring a trunk port with SPAN, the source can be specified as both ingress and egress. However, if the trunk port is configured with 'switchport trunk allowed vlan' to prune certain VLANs, ingress traffic on pruned VLANs is not forwarded to the SPAN destination. Additionally, SPAN may not capture ingress traffic on the native VLAN if the native VLAN is not explicitly included.

371
MCQmedium

Consider the following configuration on router R2: !--- R2 configuration ip prefix-list FILTER seq 5 deny 10.1.0.0/16 le 24 ip prefix-list FILTER seq 10 permit 0.0.0.0/0 le 32 ! route-map BGP-IN permit 10 match ip address prefix-list FILTER ! router bgp 65000 neighbor 192.168.1.1 route-map BGP-IN in ! What is the effect of this configuration?

A.All routes from neighbor 192.168.1.1 are accepted; the prefix-list is not applied correctly because the route-map only has a permit sequence.
B.Routes within 10.1.0.0/16 with mask length 24 or shorter are denied; all other routes are permitted.
C.Only routes with mask length exactly 24 are denied; all other routes are permitted.
D.The configuration is incomplete; a route-map must have a deny statement to filter routes.
AnswerB

Correct. The prefix-list denies 10.1.0.0/16 le 24, which includes /16 to /24 subnets; all other prefixes are permitted.

Why this answer

The prefix-list FILTER denies any prefix within 10.1.0.0/16 with a mask length less than or equal to 24 (i.e., 10.1.0.0/16 through 10.1.255.0/24). The permit statement allows all other prefixes. The route-map BGP-IN calls this prefix-list; since there is only one permit sequence, routes that match the deny statement in the prefix-list are implicitly denied by the route-map.

Therefore, routes like 10.1.0.0/16, 10.1.1.0/24, etc., are filtered out.

372
MCQhard

An experienced network engineer configures mutual redistribution between OSPF and EIGRP on a router. Both protocols have routes to the same prefix, but after redistribution, a routing loop occurs. The engineer did not use route tagging. Which is the most likely explanation?

A.The seed metric for EIGRP was not configured, causing routes to be rejected.
B.The redistribute command without route-map or tag allows routes to be re-advertised back into the source protocol, creating a loop.
C.OSPF has a lower administrative distance than EIGRP, so OSPF routes are always preferred.
D.EIGRP stub configuration on the redistributing router prevents routes from being advertised.
AnswerB

Mutual redistribution without tagging and filtering causes a feedback loop.

Why this answer

Without route tagging, redistributed routes are re-injected back into the original protocol, causing a feedback loop. Administrative distance comparison (OSPF 110 vs EIGRP 90/170) can cause suboptimal path selection, but the loop is primarily due to lack of tagging and filtering.

373
MCQhard

An engineer is troubleshooting an issue where a rogue IPv6 router is sending false Router Advertisements on the network, causing hosts to use a malicious default gateway. The switch is configured with IPv6 First Hop Security features. The engineer wants to prevent this attack while allowing the legitimate router to send RAs. What is the correct configuration approach?

A.Configure RA Guard with a policy that sets the legitimate router's port as 'device-role router' and all other ports as 'device-role host', and apply the policy globally.
B.Enable DHCPv6 Guard on all ports to block any DHCPv6 server messages, which will also block RAs.
C.Use IPv6 Source Guard to filter traffic from the rogue router based on its IPv6 address.
D.Configure a static IPv6 neighbor entry for the legitimate router on the switch to override rogue RAs.
AnswerA

Correct because RA Guard will allow RAs only on ports configured as 'device-role router', blocking rogue RAs on host ports.

Why this answer

RA Guard is the correct IPv6 First Hop Security feature to block rogue Router Advertisements (RAs) while allowing legitimate RAs. By configuring a policy that sets the legitimate router's port as 'device-role router' and all other ports as 'device-role host', the switch will forward RAs only from the trusted router port and drop RAs received on host ports. This directly prevents the attack described.

Exam trap

Cisco often tests the distinction between IPv6 First Hop Security features (RA Guard, DHCPv6 Guard, Source Guard, ND Inspection) and expects candidates to know that only RA Guard specifically blocks rogue Router Advertisements based on port role.

How to eliminate wrong answers

Option B is wrong because DHCPv6 Guard blocks DHCPv6 server messages, not Router Advertisements; RAs are sent by routers using ICMPv6, not DHCPv6, so this would not prevent the attack. Option C is wrong because IPv6 Source Guard filters traffic based on source IPv6 address and MAC address binding, but a rogue router can use a legitimate IPv6 address or a different address, and Source Guard does not inspect RA content or device role. Option D is wrong because a static neighbor entry only maps an IPv6 address to a MAC address for neighbor discovery; it does not prevent the switch from forwarding rogue RAs to hosts, and hosts would still process the malicious RA.

374
MCQmedium

An engineer is troubleshooting a routing loop between two routers. R1 and R2 are running both OSPF and EIGRP. R1 learns the prefix 172.16.1.0/24 via OSPF with AD 110 and via EIGRP internal with AD 90. The engineer notices that R1 installs the EIGRP route, but traffic to 172.16.1.0/24 is being dropped. What is the most likely issue?

A.The OSPF route has a better metric, but the EIGRP route is preferred due to lower AD.
B.The EIGRP route is a summary route pointing to a null0 interface.
C.The OSPF route has a higher AD because it is a type 5 LSA.
D.The EIGRP route is an external route with AD 170.
AnswerB

If R1 has an EIGRP summary route for 172.16.1.0/24 pointing to Null0, it will be installed with AD 90 and drop traffic, causing a black hole.

Why this answer

EIGRP internal routes have AD 90, which is lower than OSPF's 110, so EIGRP is preferred. However, if the EIGRP route points to a next-hop that is not reachable or is a backup path, traffic may be dropped. The root cause could be that the EIGRP route is learned via a secondary path that is not optimal or has a next-hop issue.

375
MCQeasy

A router has a CoPP policy that includes a class-map matching all traffic from a specific source IP address (the management station) and polices it to 100000 bps. The engineer notices that SNMP polls from the management station are timing out. The SNMP traffic uses UDP port 161. The engineer checks the CoPP statistics and sees that the class for the management station has dropped packets. What is the most likely cause?

A.The CoPP police rate of 100000 bps is too low for the SNMP traffic from the management station.
B.The SNMP community string is incorrect on the management station.
C.The CoPP class-map is matching the wrong source IP address.
D.The SNMP agent on the router is not responding due to high CPU.
AnswerA

SNMP polls can be bursty, and 100000 bps may not be sufficient, leading to drops and timeouts.

Why this answer

The CoPP policy polices traffic from the management station to 100,000 bps. SNMP polls typically consist of multiple small UDP packets (e.g., get-request, get-response), but the aggregate rate of these polls can exceed 100 kbps if the polling interval is aggressive or multiple OIDs are queried. The dropped packets in the CoPP class statistics confirm that the policer is throttling the SNMP traffic, causing timeouts.

Therefore, the police rate is too low for the actual SNMP traffic volume.

Exam trap

Cisco often tests the misconception that CoPP drops are always due to incorrect classification or CPU issues, but the trap here is that the engineer sees drops in the correct class, so the root cause is simply that the police rate is insufficient for the actual traffic load.

How to eliminate wrong answers

Option B is wrong because an incorrect SNMP community string would cause authentication failures (e.g., 'noSuchName' or timeouts due to access denial), not CoPP drops; the engineer already sees dropped packets in the CoPP class, which points to policing, not authentication. Option C is wrong because if the class-map matched the wrong source IP, the management station's traffic would not be classified into that class, and no drops would be seen for that class; the fact that drops are occurring in the class indicates the traffic is being matched correctly. Option D is wrong because high CPU on the router would cause general packet loss or slow responses, but the CoPP statistics show drops specifically in the management station's class, which is a direct result of the policer, not CPU overload; CoPP drops occur before the packets reach the control plane CPU.

Page 4

Page 5 of 29

Page 6
Cisco CCNP ENARSI 300-410 300-410 Questions 301–375 | Page 5/29 | Courseiva