Cisco CCNP ENARSI 300-410 (300-410) — Questions 376450

2152 questions total · 29pages · All types, answers revealed

Page 5

Page 6 of 29

Page 7
376
MCQmedium

A network engineer configured the following: monitor session 3 type erspan-source source interface GigabitEthernet0/0/2 rx destination erspan-id 2 ip address 10.0.0.2 origin ip address 10.0.0.1 What traffic will be mirrored?

A.Only traffic received on GigabitEthernet0/0/2.
B.Only traffic transmitted on GigabitEthernet0/0/2.
C.Both received and transmitted traffic on GigabitEthernet0/0/2.
D.All traffic on the router, regardless of interface.
AnswerA

The 'rx' keyword specifies receive-only.

Why this answer

The 'rx' keyword indicates that only ingress (received) traffic on GigabitEthernet0/0/2 will be mirrored.

377
MCQhard

An OSPFv3 network has multiple areas. Area 0 includes R1 and R2. Area 1 includes R2 and R3. R2 is an ABR. R1 has an IPv6 ACL applied inbound on the interface to R2 that permits only OSPFv3 and denies all other traffic. R3 advertises a prefix 2001:db8:3::/48 into Area 1. R1's routing table shows the prefix but with a next-hop of R2. R1's uRPF is configured in strict mode on the interface to R2. Traffic from R1 to 2001:db8:3::1 is dropped. R1 shows 'show ipv6 cef 2001:db8:3::/48' points to R2's link-local address. What is the root cause?

A.The source address of the traffic from R1 is not in the FIB as reachable via the interface facing R2, causing uRPF strict mode to drop the packet.
B.The ACL on R1 blocks the return traffic from the destination, causing asymmetric routing.
C.R2's link-local address is not reachable due to OSPFv3 network type mismatch.
D.The prefix 2001:db8:3::/48 is not in the OSPFv3 database on R1 due to area filtering.
AnswerA

uRPF strict requires the source address to be reachable via the incoming interface. If the source is a directly connected subnet that is not in the FIB (e.g., due to filtering), the check fails.

Why this answer

The root cause is that R1's uRPF strict mode checks the source address of incoming packets against the FIB to ensure the best reverse path to that source is via the same interface. Traffic from R1 to 2001:db8:3::1 uses a source address from R1's own subnet, but the FIB entry for that source address points out a different interface (or is not present), causing uRPF to drop the packet. The ACL permits OSPFv3 but blocks all other traffic, which prevents the return traffic from R3 from reaching R1, but the immediate failure is due to uRPF dropping the forward packet.

Exam trap

Cisco often tests the distinction between uRPF dropping forward traffic due to source address validation versus ACLs blocking return traffic, leading candidates to incorrectly blame the ACL when the real issue is the uRPF check failing on the source address.

How to eliminate wrong answers

Option B is wrong because the ACL on R1 blocks all non-OSPFv3 traffic inbound from R2, which would drop return traffic from the destination, but the question states the forward traffic from R1 is dropped, not the return traffic; asymmetric routing is not the direct cause here. Option C is wrong because R2's link-local address is reachable (as shown by the CEF entry pointing to it), and there is no indication of an OSPFv3 network type mismatch, which would prevent adjacency formation entirely. Option D is wrong because R1's routing table shows the prefix 2001:db8:3::/48 with a next-hop of R2, proving it is in the OSPFv3 database and not filtered by area.

378
MCQeasy

A network engineer runs the following command on Router R1: R1# show bgp ipv4 unicast 10.1.1.0/24 BGP routing table entry for 10.1.1.0/24, version 2 Paths: (1 available, best #1, table default) Advertised to update-groups: 1 Refresh Epoch 1 Local 10.1.1.1 from 0.0.0.0 (10.1.1.1) Origin IGP, metric 0, localpref 100, weight 32768, valid, sourced, best rx pathid: 0, tx pathid: 0x0 Based on this output, which statement is correct?

A.The route 10.1.1.0/24 was learned from an eBGP peer.
B.The route 10.1.1.0/24 is locally originated and is the best path.
C.The route 10.1.1.0/24 has a weight of 100.
D.The route 10.1.1.0/24 is not being advertised to any peer.
AnswerB

The output shows 'sourced' and 'best', meaning it is a local network that is the best path in the BGP table.

Why this answer

The output shows a locally originated network (10.1.1.0/24) with next hop 10.1.1.1 (the router itself). It is marked as valid, sourced, and best, meaning it is injected into BGP and will be advertised to peers.

379
MCQhard

A switch is configured with SPAN to monitor traffic on interface Gi0/0/0 to a local analyzer on interface Gi0/1. The configuration: monitor session 1 source interface Gi0/0/0 both monitor session 1 destination interface Gi0/1. The analyzer sees only half of the traffic (only incoming or outgoing). The switch also has an EtherChannel configured on Gi0/0/0 as part of a port-channel. The port-channel is up/up. What is the root cause?

A.The SPAN source is a physical interface that is part of an EtherChannel; SPAN should be configured on the port-channel interface instead.
B.The destination interface Gi0/1 is not in the same VLAN as the source.
C.The monitor session is missing the 'no shutdown' command.
D.The EtherChannel load-balancing algorithm causes some traffic to be missed.
AnswerA

SPAN on a physical member of an EtherChannel only monitors that link, not the entire bundle.

Why this answer

When a source interface is part of an EtherChannel, SPAN must be configured on the port-channel interface, not on the individual physical interface. If SPAN is configured on a physical interface that is part of a port-channel, the switch may only monitor traffic on that specific physical link, not the entire EtherChannel. This can result in only a portion of the traffic being mirrored.

The fix is to use the port-channel interface as the source.

380
MCQhard

An engineer configures ERSPAN on a Cisco router to monitor traffic from a VRF. The mirrored traffic reaches the collector, but the source IP address in the ERSPAN header is the router's loopback, not the expected interface IP. What is the most likely cause?

A.The ERSPAN session does not specify a source IP address, so the router uses the loopback as the best source for the destination.
B.The VRF has a default route pointing to the loopback, forcing all traffic to use that IP.
C.The ERSPAN session is configured with 'erspan-id' that overrides the source IP.
D.The collector expects the loopback IP for filtering, so the router automatically uses it.
AnswerA

Without an explicit source IP, the router uses the routing table to pick the source, often the loopback.

Why this answer

When configuring ERSPAN with a source interface in a VRF, the ERSPAN session uses the VRF's routing table to determine the source IP. If the 'ip address' of the source interface is not used, the router may use the loopback if it is the preferred source for the destination. The 'monitor session' command allows specifying the source IP explicitly; otherwise, the router selects based on routing.

381
Multi-Selectmedium

Which TWO statements about the Cisco IOS-XE SSH server configuration are true? (Choose TWO.)

Select 2 answers
A.The hostname and domain name must be configured before generating RSA keys.
B.SSH version 2 is the default and is automatically enabled when RSA keys are generated.
C.The command 'ip ssh version 1' is required to enable SSH.
D.The command 'transport input ssh' must be configured globally.
E.RSA key modulus size must be at least 2048 bits for SSH version 2.
AnswersA, B

RSA keys require a fully qualified domain name (FQDN) which uses both hostname and domain name.

Why this answer

Option A is correct because Cisco IOS-XE requires both a hostname and a domain name to be configured before generating RSA keys. The RSA key generation process uses the fully qualified domain name (FQDN) as part of the key label, and without these values, the 'crypto key generate rsa' command will fail or prompt for missing parameters.

Exam trap

Cisco often tests the misconception that SSH must be explicitly enabled with a version command, when in fact SSH version 2 is the default and is automatically activated upon RSA key generation, and that 'transport input ssh' is a VTY-line command, not a global one.

382
MCQmedium

Given the configuration: monitor session 2 source vlan 10-12 both monitor session 2 destination interface GigabitEthernet1/0/3 Which statement is true?

A.Traffic from all ports in VLANs 10, 11, and 12 is copied to GigabitEthernet1/0/3.
B.Only traffic from the access ports in VLAN 10 is copied.
C.The destination port must be in VLAN 10.
D.The destination port will become a SPAN destination and cannot be used for normal traffic.
AnswerA

VLAN SPAN monitors all ports in the specified VLANs.

Why this answer

This configures a VLAN-based SPAN session that monitors all traffic on VLANs 10, 11, and 12 and sends a copy to GigabitEthernet1/0/3.

383
MCQhard

A network uses ACLs to filter traffic. Router R1 has the following ACL applied to interface GigabitEthernet0/0 in the inbound direction: access-list 100 permit tcp any any eq 22. Router R2, connected to R1, cannot SSH to R1's loopback address. R1 shows: 'show ip interface GigabitEthernet0/0' indicates the ACL is applied. What is the root cause?

A.The ACL permits only SSH, but the implicit deny blocks all other traffic, including EIGRP hellos, causing the neighbor relationship to fail and making the loopback unreachable.
B.The ACL is applied inbound, so it filters traffic entering R1; SSH traffic from R2 to R1's loopback is outbound from R2, so it is not affected.
C.R2's SSH client uses a source port that is not TCP 22.
D.R1's loopback interface has a separate ACL that blocks SSH.
AnswerA

Without explicit permit for routing protocols, the ACL blocks them, causing routing failure.

Why this answer

The ACL applied inbound on R1's GigabitEthernet0/0 permits only SSH (TCP port 22) and implicitly denies all other traffic. EIGRP uses multicast IP 224.0.0.10 and protocol number 88, which is not TCP and not permitted by the ACL. Without EIGRP hellos, the neighbor relationship between R1 and R2 fails, making R1's loopback unreachable from R2 because EIGRP cannot install the route.

Exam trap

Cisco often tests the implicit deny at the end of every ACL and how it can break routing protocols (like EIGRP, OSPF, or BGP) when the ACL does not explicitly permit the protocol's traffic, leading candidates to overlook the impact on control plane traffic.

How to eliminate wrong answers

Option B is wrong because the ACL is applied inbound on R1's interface, meaning it filters traffic entering R1; SSH traffic from R2 to R1's loopback enters R1 through that interface, so it is affected by the ACL. Option C is wrong because SSH clients use a random source port (ephemeral port) above 1023, but the ACL permits TCP any any eq 22, which matches the destination port 22 regardless of source port. Option D is wrong because the question states the ACL is applied to GigabitEthernet0/0, and there is no mention of a separate ACL on the loopback interface; the issue is caused by the inbound ACL on the physical interface.

384
MCQhard

In a VRF-Lite environment running EIGRP, what is the default maximum hop count for routes?

A.15
B.100
C.255
D.16
AnswerB

EIGRP defaults to a maximum hop count of 100.

Why this answer

EIGRP uses a maximum hop count of 100 by default, though it is not a metric but a TTL-like limit to prevent routing loops.

385
MCQmedium

A network engineer configured IP SLA 30 to monitor the reachability of a server (10.10.10.10) using ICMP echo probes. The IP SLA is linked to a track object that is used in a static default route. The engineer notices that the IP SLA state is 'Active', but the static route is not present in the routing table. The track object shows 'Up'. What should the engineer check first?

A.Verify that the static route includes the 'track' keyword and references the correct track object number.
B.Check if the server is responding to ICMP echo requests.
C.Ensure the IP SLA probe is configured with a timeout value less than the frequency.
D.Reboot the router to clear any routing table inconsistencies.
AnswerA

The static route must be configured with 'ip route 0.0.0.0 0.0.0.0 <next-hop> track <track-number>'. If missing or wrong track number, the route will not be installed.

Why this answer

If the track object is up and the static route is not installed, the issue is likely that the static route configuration does not properly reference the track object, or the route is being overridden by another route with lower administrative distance.

386
MCQhard

An engineer configures a DMVPN Phase 2 network. Spoke routers can communicate with the hub, but spoke-to-spoke tunnels do not form. The NHRP registration is successful, and the hub has the spoke's NBMA address. Which is the most likely explanation?

A.The spoke routers are missing the `ip nhrp redirect` command on the hub.
B.The spoke routers have different tunnel keys configured.
C.The spoke routers are using the same NHRP authentication string.
D.The hub router has a lower MTU on the physical interface, causing fragmentation.
AnswerA

In Phase 2, the hub must send NHRP redirect messages to inform spokes of better paths; without it, spokes send traffic through the hub.

Why this answer

In DMVPN Phase 2, spoke-to-spoke tunnels require that the spoke routers have a route to the remote spoke's tunnel IP via the hub, and that the hub has NHRP redirect enabled. Without the redirect, the spoke does not know to initiate a direct tunnel.

387
MCQhard

A network administrator notices that SSH access to router R1 from a management station 10.10.10.10 is failing intermittently. R1 has the following configuration: access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 192.168.1.1 eq 22, line vty 0 4 access-class 100 in, and control-plane host control-plane security copp policy-map COPP class MANAGEMENT police cir 8000 bc 1500 conform-action transmit exceed-action drop. The management station is on a different subnet than the management interface. The failure occurs during peak hours. What is the root cause?

A.The access-class on the VTY lines is incorrectly configured, blocking SSH traffic from the management station.
B.The CoPP policy is rate-limiting SSH traffic to 8 kbps, and during peak hours, the traffic exceeds this rate, causing drops.
C.The management station is not reachable due to a routing issue.
D.The SSH server on R1 has a maximum session limit that is being reached.
AnswerB

The police command limits SSH traffic, and exceed-action drop causes intermittent failures when the rate is exceeded.

Why this answer

The CoPP policy-map COPP class MANAGEMENT applies a police rate of 8000 bps (8 kbps) with a burst of 1500 bytes to SSH traffic destined for the control plane. During peak hours, the SSH traffic from the management station exceeds this rate, causing packets to be dropped by the exceed-action drop. This intermittent failure aligns with the rate-limiting behavior of CoPP, not with access-list or routing issues.

Exam trap

Cisco often tests the interaction between CoPP and VTY access-class, where candidates mistakenly think the access-class is the issue, but the real culprit is CoPP rate-limiting the control plane traffic before it reaches the VTY lines.

How to eliminate wrong answers

Option A is wrong because the access-list 100 permits tcp from subnet 10.10.10.0/24 to host 192.168.1.1 on port 22, and the access-class 100 in on VTY lines correctly applies this permit to inbound SSH sessions; it does not block traffic. Option C is wrong because the management station is on a different subnet, but the question states the failure is intermittent and during peak hours, not a persistent unreachability; a routing issue would cause constant failure, not intermittent. Option D is wrong because there is no mention of an SSH session limit in the configuration; the default SSH server on Cisco IOS does not have a maximum session limit that would cause intermittent drops during peak hours, and the symptom matches rate-limiting, not session exhaustion.

388
MCQmedium

Router R2 has the following configuration: ``` interface GigabitEthernet0/2 ip address 10.2.2.2 255.255.255.0 ip policy route-map CHECK ! route-map CHECK permit 10 match ip address 101 set interface GigabitEthernet0/3 ! access-list 101 permit tcp any any eq 80 ``` What is the effect of this configuration?

A.Incoming TCP packets with destination port 80 on G0/2 are forwarded out G0/3, overriding the routing table.
B.Outgoing TCP packets with source port 80 on G0/2 are forwarded out G0/3.
C.All TCP traffic is forwarded out G0/3 regardless of port.
D.The configuration is invalid because 'set interface' cannot be used with a route-map.
AnswerA

PBR matches the ACL and sets the output interface, bypassing the routing table.

Why this answer

The route-map matches TCP traffic with destination port 80 (HTTP) and sets the output interface to GigabitEthernet0/3. This is applied inbound on GigabitEthernet0/2.

389
MCQhard

Router R1 has an ACL applied to its VTY lines for SSH access: access-list 10 permit 10.1.1.0 0.0.0.255 line vty 0 4 access-class 10 in transport input ssh R1 also has CoPP policy: class-map match-all SSH-CLASS match access-group name SSH-ACL policy-map COPP class SSH-CLASS police cir 8000 bc 1500 conform-action transmit exceed-action drop R2 (10.1.1.2) shows: R2# ssh -l admin 10.2.2.1 % Connection refused by remote host R2# telnet 10.2.2.1 Trying 10.2.2.1 ... % Connection timed out; remote host not responding What is the root cause?

A.The CoPP policy is rate-limiting SSH traffic from R2, causing drops.
B.The access-class on VTY lines blocks R2's IP address.
C.SSH is not enabled on R1's VTY lines.
D.The SSH-ACL in the class-map does not match SSH traffic.
AnswerA

The police rate of 8000 bps is too low, causing exceed-action drop for SSH packets.

Why this answer

The ACL on VTY lines permits only 10.1.1.0/24, but the SSH connection from R2 (10.1.1.2) should be allowed. However, the CoPP policy is rate-limiting SSH traffic to 8000 bps. If the police rate is exceeded, packets are dropped.

The SSH connection might be failing due to CoPP dropping the packets. The telnet is also failing because it is not permitted by the access-class (only SSH is allowed). The root cause is CoPP rate-limiting SSH traffic, causing drops.

390
MCQhard

An engineer configures IPv6 RA Guard on a switch port connected to a router running OSPFv3. Unexpectedly, OSPFv3 neighbor adjacencies fail to form on that link. Which is the most likely explanation?

A.RA Guard with device-role host drops all IPv6 traffic except Neighbor Discovery and DHCP, including OSPFv3 hellos.
B.OSPFv3 uses multicast address FF02::5 which is filtered by RA Guard by default.
C.RA Guard changes the MAC address of the router, causing OSPFv3 neighbor to be unreachable.
D.The router must send Router Advertisements for OSPFv3 to work, and RA Guard blocks them.
AnswerA

RA Guard host role restricts traffic to ND and DHCP only, blocking OSPFv3.

Why this answer

RA Guard with the device-role host command is designed to block all IPv6 traffic except Neighbor Discovery (ND) and DHCPv6 on the port. This includes OSPFv3 hellos, which use multicast address FF02::5. Since OSPFv3 relies on these hellos to form neighbor adjacencies, blocking them prevents adjacency establishment.

Exam trap

Cisco often tests the misconception that RA Guard only filters Router Advertisements, when in fact the device-role host option blocks all non-ND/DHCPv6 traffic, including OSPFv3 hellos.

How to eliminate wrong answers

Option B is wrong because RA Guard does not filter based on multicast address FF02::5 by default; it filters based on the device role (host vs router) and blocks all non-ND/DHCPv6 traffic when device-role host is configured. Option C is wrong because RA Guard does not modify MAC addresses; it inspects and potentially drops Router Advertisement messages but does not alter the router's MAC address. Option D is wrong because OSPFv3 does not require Router Advertisements to function; it uses its own hello protocol over IPv6 multicast, and RA Guard with device-role host blocks OSPFv3 hellos, not RAs.

391
MCQmedium

An engineer is troubleshooting a DMVPN phase 2 network where the hub router is not forming an EIGRP neighbor relationship with a spoke. The spoke's tunnel interface is configured with 'ip nhrp nhs 10.0.0.1' and 'ip nhrp map 10.0.0.1 192.168.1.1'. The hub's tunnel interface IP is 10.0.0.1. The engineer pings the hub's tunnel IP from the spoke and it succeeds. The engineer checks 'show ip eigrp neighbors' on the hub and sees no neighbors. What is the most likely cause?

A.The spoke's tunnel interface is missing the 'ip nhrp map multicast dynamic' command.
B.The hub's tunnel interface has 'no ip nhrp redirect' configured.
C.The spoke's EIGRP AS number does not match the hub's.
D.The hub's tunnel interface has 'ip nhrp authentication' configured but the spoke does not.
AnswerA

Correct because without multicast mapping, the spoke cannot send multicast traffic (including EIGRP hellos) to the hub.

Why this answer

EIGRP neighbor formation over a tunnel requires multicast support. In DMVPN, multicast traffic is sent via NHRP to the hub. If the spoke's tunnel interface does not have 'ip nhrp map multicast dynamic' or a static multicast map, the hub will not receive EIGRP hello packets from the spoke.

392
MCQeasy

A network engineer runs the following command to troubleshoot an IPv4 Access Control Lists issue: R1# show ip access-lists 101 Extended IP access list 101 10 permit tcp 192.168.1.0 0.0.0.255 any eq 80 (12 matches) 20 deny tcp any any eq 443 (5 matches) 30 permit ip any any (100 matches) What does this output indicate?

A.The ACL is permitting TCP traffic from 192.168.1.0/24 to any destination on port 80, denying all TCP traffic to port 443, and permitting all other IP traffic.
B.The ACL is denying all traffic because line 20 is an explicit deny.
C.The ACL is applied inbound on an interface and is blocking all traffic to port 443.
D.The ACL has no effect because the match counts are too low.
AnswerA

The ACL lines and match counts confirm this behavior.

Why this answer

Option A is correct because the ACL explicitly permits TCP traffic from source 192.168.1.0/24 to any destination on port 80 (line 10), denies TCP traffic from any source to any destination on port 443 (line 20), and then permits all other IP traffic (line 30). The match counts confirm that traffic matching each line has been processed, and the implicit deny at the end is never reached because line 30 permits everything else.

Exam trap

Cisco often tests the misconception that an explicit deny statement (like line 20) blocks all traffic, when in fact it only blocks the specific protocol and port, and subsequent permit entries can still allow other traffic.

How to eliminate wrong answers

Option B is wrong because line 20 is an explicit deny for TCP port 443 only, not an implicit deny at the end of the ACL; the ACL continues to line 30 which permits all other IP traffic, so it does not deny all traffic. Option C is wrong because the output does not indicate the direction (inbound or outbound) or the interface where the ACL is applied; the show ip access-lists command only displays the ACL contents and match counters, not its application point. Option D is wrong because match counts are not required to be high for an ACL to have effect; even low counts indicate that traffic has matched, and the ACL is actively filtering based on its entries.

393
MCQhard

An engineer configures EIGRP named mode on a router. After making a change to the metric weights, the router becomes stuck-in-active (SIA) for a route. Why does this happen in named mode but not in classic mode?

A.Named mode EIGRP uses a different metric calculation algorithm that is more sensitive to weight changes.
B.Named mode EIGRP requires a 'metric weights' change to be followed by a 'clear ip eigrp neighbors' command; otherwise, the router sends incorrect queries.
C.Named mode EIGRP does not support changing k-values on the fly; it must be done during maintenance.
D.Named mode EIGRP automatically adjusts the metric weights to match neighbors, causing a temporary SIA.
AnswerB

In named mode, changing k-values without resetting neighbors causes the router to use the new metric for new queries but the old metric for existing routes, leading to inconsistencies and SIA.

Why this answer

In named mode EIGRP, changing metric weights (k-values) does not automatically trigger a neighbor reset. Without a 'clear ip eigrp neighbors' command, the router continues to use the old k-values for existing neighbors while sending queries with the new k-values, causing a mismatch that leads to stuck-in-active (SIA) routes. Classic mode EIGRP automatically resets neighbors when metric weights change, avoiding this issue.

Exam trap

Cisco often tests the subtle difference that named mode EIGRP requires an explicit 'clear ip eigrp neighbors' after changing metric weights, while classic mode handles it automatically, leading candidates to assume both modes behave identically.

How to eliminate wrong answers

Option A is wrong because both named and classic mode EIGRP use the same composite metric calculation algorithm (based on bandwidth, delay, reliability, load, and MTU); named mode is not inherently more sensitive to weight changes. Option C is wrong because named mode EIGRP does support changing k-values on the fly, but it requires a manual neighbor reset to avoid SIA; it is not restricted to maintenance windows. Option D is wrong because named mode EIGRP does not automatically adjust metric weights to match neighbors; it uses the locally configured k-values, and mismatches cause SIA, not automatic adjustment.

394
MCQmedium

According to RFC 5880, what is the maximum number of BFD sessions that can be supported by a single interface on a Cisco router?

A.1 session per interface
B.256 sessions per interface
C.Unlimited, but limited by platform resources
D.16 sessions per interface
AnswerC

Correct. RFC 5880 does not define a maximum; it is implementation-specific.

Why this answer

RFC 5880 does not specify a maximum number of BFD sessions per interface; it is platform-dependent. Cisco routers can support multiple BFD sessions per interface, limited only by hardware resources.

395
MCQeasy

What is the default NHRP holdtime value on a Cisco router?

A.3600 seconds
B.1800 seconds
C.7200 seconds
D.600 seconds
AnswerA

This is the default holdtime for NHRP mappings.

Why this answer

The default NHRP holdtime is 3600 seconds (1 hour). This value can be modified with the 'ip nhrp holdtime' command.

396
MCQmedium

Consider the following partial configuration on router R2: interface GigabitEthernet0/0 ip address 10.0.0.2 255.255.255.0 ip ospf 1 area 0 ! interface GigabitEthernet0/1 ip address 192.168.1.2 255.255.255.0 ip ospf 1 area 0 ! router ospf 1 router-id 2.2.2.2 network 10.0.0.0 0.0.0.255 area 0 network 192.168.1.0 0.0.0.255 area 0 What is the effect of this configuration?

A.OSPF will not form adjacencies because the interface and network commands conflict, causing OSPF to ignore the network statements.
B.OSPF will form adjacencies on both interfaces, but the router-id 2.2.2.2 will be overridden by the highest loopback IP.
C.OSPF will form adjacencies on both interfaces as intended; the configuration is redundant but functional.
D.OSPF will only form adjacency on GigabitEthernet0/1 because the network statement for 10.0.0.0 is incorrect.
AnswerC

Both interfaces have OSPF enabled via the interface command and the network statement. This is acceptable and OSPF will operate normally.

Why this answer

Option C is correct because the configuration redundantly enables OSPF on both interfaces via both the `ip ospf 1 area 0` interface-level command and the `network` statements under the OSPF process. This is valid and does not cause conflicts; OSPF will form adjacencies on both interfaces as intended. The router-id 2.2.2.2 is explicitly configured and will not be overridden by any loopback IP unless the router-id is not set or is removed.

Exam trap

The trap here is that candidates often think interface-level and network-level OSPF commands conflict or cause redundancy errors, when in fact they are both valid and can coexist without issue.

How to eliminate wrong answers

Option A is wrong because interface and network commands do not conflict; they are both valid ways to enable OSPF on an interface, and OSPF does not ignore network statements when interface commands are present. Option B is wrong because the explicitly configured `router-id 2.2.2.2` takes precedence over any loopback IP; the router-id is only overridden by a higher loopback IP if no explicit router-id is configured. Option D is wrong because the network statement `10.0.0.0 0.0.0.255 area 0` is correct and matches the interface GigabitEthernet0/0; OSPF will form adjacency on both interfaces.

397
MCQmedium

Which of the following statements about MPLS label imposition and disposition is true?

A.The egress LER always performs the label pop operation.
B.The ingress LER performs the label push operation, and the egress LER performs the label pop operation unless PHP is used.
C.The penultimate hop router always pushes an additional label.
D.Label disposition occurs only at the ingress LER.
AnswerB

Standard MPLS operation: ingress pushes, egress pops. PHP allows the penultimate hop to pop, so the egress does not need to.

Why this answer

In MPLS, the ingress LER (Label Edge Router) imposes a label on the packet (push operation). The egress LER removes the label (pop operation). The penultimate hop router may perform penultimate hop popping (PHP) to remove the label before the egress, reducing the egress's workload.

398
MCQhard

In an MPLS network, routers R1 and R2 are LDP neighbors with BFD enabled. R1#show mpls ldp neighbor shows R2 as 'Oper Down' for the BFD session. R2#show bfd neighbors shows the session with R1 as 'Down'. R1 and R2 have matching 'mpls ldp router-id' loopback0. The link between them is up. What is the root cause?

A.The LDP router-id must be the IP address of the interface where BFD is enabled.
B.BFD is not supported with LDP on this platform.
C.The BFD interval is too low for LDP.
D.LDP must be configured with 'no bfd' to work properly.
AnswerA

BFD for LDP requires the LDP session to use the same source IP as the BFD session; otherwise, BFD cannot monitor the LDP session.

Why this answer

BFD for LDP requires that the LDP session be established over the same interface as the BFD session. If the LDP router-id is not the interface IP used for BFD, the BFD session may fail. Here, the loopback0 is used as LDP router-id, but BFD is configured on the physical link, causing mismatch.

399
Drag & Dropmedium

Drag and drop the steps to verify and validate BFD operational state into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Begin with a high-level summary of all BFD sessions, then examine detailed session information, validate timers and counters, confirm BFD is active for the routing protocol, and finally test failover behavior by disabling the peer interface.

400
MCQhard

A network engineer configures IP SLA to track a BGP next-hop for a backup path. Router R1 has: ip sla 7 icmp-echo 192.168.3.3 source-ip 10.0.0.1 frequency 5 ip sla schedule 7 life forever start-time now track 7 ip sla 7 reachability router bgp 65001 neighbor 192.168.3.3 remote-as 65003 neighbor 192.168.3.3 fall-over bfd neighbor 192.168.3.3 track 7 But when the link to 192.168.3.3 goes down, the BGP session resets after 5 seconds, but the backup route is not used immediately. What is the root cause?

A.The BGP fall-over bfd overrides the track, so the BGP session resets via BFD, but the track remains up, preventing the backup route from being installed.
B.The IP SLA frequency is too low, so the track does not detect the failure quickly enough.
C.The backup route has a higher administrative distance, so it is not installed until the primary route is removed, but the primary route is still present.
D.The track 7 is not applied to the BGP neighbor correctly; it should be under the address-family.
AnswerA

When BFD is used, the track is ignored for BGP session reset, but the track might still be up, so the static route associated with the track is not removed, causing the backup route to not be used.

Why this answer

The BGP fall-over bfd and track 7 are both configured. When the link goes down, BFD detects the failure quickly and resets the BGP session. However, the track 7 might still be up because the IP SLA probe might be successful via an alternate path, so the tracked route is not removed.

The correct answer is that the track 7 is not used because BFD takes precedence, and the track does not influence the route removal.

401
MCQhard

A network engineer runs the following command to troubleshoot a VRF-Lite DMVPN issue: R1# show ip nhrp vrf CUSTOMER_G detail Output: 10.6.6.1/32 via 10.6.6.1, Tunnel0 created 00:01:00, expire 01:59:00 Type: dynamic, Flags: used NBMA address: 192.168.1.1 (no-socket) Registration handle: 0x00000001 Cache entries: 1 What does this output indicate?

A.The NHRP mapping is static and was manually configured.
B.The NHRP mapping for 10.6.6.1 is dynamic, with NBMA address 192.168.1.1, and is actively used.
C.The NHRP mapping has expired and needs to be refreshed.
D.The NHRP mapping is for a multicast group address.
AnswerB

Correct. The output shows a dynamic mapping with NBMA address 192.168.1.1 and the 'used' flag.

Why this answer

The 'show ip nhrp vrf detail' command displays NHRP cache entries for a specific VRF. The output shows a dynamic NHRP mapping for destination 10.6.6.1/32, with NBMA address 192.168.1.1, learned via Tunnel0. The entry was created 1 minute ago and will expire in 1 hour 59 minutes.

The 'used' flag indicates the mapping is actively being used.

402
Multi-Selecthard

Which THREE statements about IPv6 Source Guard are true? (Choose THREE.)

Select 3 answers
A.It filters IPv6 traffic based on the source IPv6 address of incoming packets.
B.It relies on the IPv6 snooping binding table, which is populated by DHCPv6 snooping or ND Inspection.
C.It can be configured to allow traffic from specific prefixes using a static prefix list.
D.It filters both incoming and outgoing IPv6 traffic on a port.
E.It requires DHCPv6 snooping to be enabled on the VLAN to function.
AnswersA, B, C

IPv6 Source Guard checks the source address against the binding table and drops packets with invalid source addresses.

Why this answer

Option A is correct because IPv6 Source Guard filters incoming IPv6 traffic on a per-port basis by examining the source IPv6 address of packets and comparing it against the IPv6 snooping binding table. If the source address does not match a valid binding, the packet is dropped, preventing spoofing attacks.

Exam trap

Cisco often tests the misconception that IPv6 Source Guard filters both inbound and outbound traffic, when in fact it only filters inbound traffic, and the trap here is assuming DHCPv6 snooping is mandatory when ND Inspection can also supply the binding table.

403
MCQeasy

A network engineer runs the following command to troubleshoot an IP SLA issue: R1# show ip sla statistics 10 Round Trip Time (RTT) for Index 10 Latest RTT: 12 ms Latest RTT (milliseconds): 12 Latest RTT (microseconds): 12000 Last operation start time: 12:34:56.789 UTC Mon Mar 1 2021 Last operation return code: OK Number of successes: 100 Number of failures: 0 Operation time to live: Forever What does this output indicate?

A.The IP SLA operation has failed because the RTT is too low.
B.The IP SLA operation is working correctly with no failures.
C.The IP SLA operation has timed out and needs to be reconfigured.
D.The IP SLA operation is not configured for this index.
AnswerB

The return code 'OK' and zero failures confirm successful operation.

Why this answer

This output shows the operational state of IP SLA operation 10. The 'Latest RTT' of 12 ms, 'return code: OK', and 100 successes with 0 failures indicate the probe is functioning correctly.

404
MCQmedium

A network engineer runs the following command on Router R1: R1# show crypto isakmp sa detail Codes: C - IKEv1, I - IKEv2 C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap 1 10.1.1.1 10.1.1.2 ACTIVE aes sha psk 14 23:59:59 Based on this output, which statement is correct?

A.The IKEv1 SA is established with the peer 10.1.1.2.
B.The IKEv2 SA is established with the peer 10.1.1.2.
C.The ISAKMP SA is not established; status is MM_NO_STATE.
D.The Diffie-Hellman group is group 2.
AnswerA

The 'C' code indicates IKEv1, and the status is ACTIVE.

Why this answer

The ISAKMP SA is active, using AES encryption, SHA hash, pre-shared key authentication, and Diffie-Hellman group 14. The lifetime is about 24 hours.

405
MCQmedium

A network engineer is troubleshooting a DMVPN phase 2 hub-and-spoke deployment. The hub router has mGRE and NHRP configured, and spokes register successfully. However, spoke-to-spoke traffic is not being encrypted, even though IPsec profiles are applied to the mGRE tunnel interface on both the hub and spokes. The engineer verifies that the crypto map is not applied to the tunnel interface. What is the most likely cause of this issue?

A.The NHRP authentication string does not match between the hub and spokes.
B.The IPsec profile is not applied to the mGRE tunnel interface on the hub and spokes.
C.The tunnel key is not configured on the spokes.
D.The spokes have a static crypto map applied to their physical interface.
AnswerD

A static crypto map on the physical interface can cause the router to attempt IPsec on the physical interface instead of the dynamic tunnel interface, preventing spoke-to-spoke encryption. This matches the symptoms.

Why this answer

In DMVPN phase 2, IPsec profiles should be applied to the mGRE tunnel interface, not static crypto maps. The scenario states IPsec profiles are correctly applied to the tunnel interface on both hub and spokes, so option B is false. However, spokes may still have a static crypto map applied to their physical interface, which can interfere with dynamic IPsec SA negotiation for spoke-to-spoke traffic.

This is a common misconfiguration: the physical interface's crypto map can prevent the dynamic IPsec from being triggered, even though the tunnel interface has the correct profile. Therefore, the most likely cause is that the spokes have a static crypto map applied to their physical interface, overriding the dynamic IPsec for spoke-to-spoke traffic.

406
MCQhard

A network engineer runs the following command to troubleshoot a Control Plane Policing (CoPP) issue: R1# show policy-map control-plane input class CoPP-Class Class-map: CoPP-Class (match-all) 1500 packets, 120000 bytes 5 minute offered rate 10000 bps, drop rate 5000 bps Match: access-group name CoPP-ACL police: cir 8000 bps, bc 1500 bytes, be 1500 bytes conformed 1000 packets, 80000 bytes; actions: transmit exceeded 500 packets, 40000 bytes; actions: drop conformed 8000 bps, exceed 2000 bps, violated 0 bps What does this output indicate?

A.The CoPP policy is dropping all traffic because the CIR is too low.
B.The CoPP policy is causing packet loss for traffic that exceeds the 8 kbps rate, which may impact legitimate control plane traffic.
C.The CoPP policy is not applied correctly because the drop rate is higher than the conform rate.
D.The CoPP policy is working as intended with no issues.
AnswerB

The drop rate of 5 kbps indicates that half the offered traffic is being dropped, which could affect protocols like OSPF or BGP.

Why this answer

The output shows that the CoPP policy uses a CIR of 8000 bps with a conformed rate of 8000 bps and an exceed rate of 2000 bps. The drop rate of 5000 bps indicates that traffic exceeding the CIR is being dropped, which can include legitimate control plane traffic (e.g., routing protocol packets) if they are classified under the CoPP-Class. This confirms that the policy is causing packet loss for traffic that exceeds the 8 kbps rate, potentially impacting critical control plane operations.

Exam trap

Cisco often tests the misinterpretation of CoPP output statistics, where candidates confuse the 'drop rate' with the 'exceed rate' or assume that a high drop rate always indicates a misconfiguration, rather than recognizing that it shows the policer is actively dropping traffic that exceeds the CIR, which may be intentional or problematic depending on the traffic class.

How to eliminate wrong answers

Option A is wrong because the policy is not dropping all traffic; it drops only exceeded traffic (500 packets) while conformed traffic (1000 packets) is transmitted, so the CIR is not too low for all traffic. Option C is wrong because the drop rate (5000 bps) being higher than the conform rate (8000 bps) is not an indication of incorrect application; CoPP uses a single-rate policer where exceeded traffic is dropped, and the drop rate can be lower than the conform rate as seen here. Option D is wrong because the policy is not working as intended; the drop rate of 5000 bps indicates packet loss, which may affect legitimate control plane traffic if the CoPP-ACL matches such traffic.

407
MCQmedium

Examine the following configuration: logging host 10.1.1.1 logging host 10.1.1.2 logging host 10.1.1.3 logging origin-id hostname logging facility local7 What is the purpose of the 'logging origin-id hostname' command?

A.It causes the syslog messages to include the router's hostname as the origin, overriding the default IP address.
B.It sets the syslog message format to include the hostname in the timestamp field.
C.It configures the router to send syslog messages only when the hostname changes.
D.It is used to authenticate syslog messages using the hostname as a key.
AnswerA

The origin-id hostname replaces the default source IP with the hostname in the syslog message header.

Why this answer

The 'logging origin-id' command sets the origin identifier in syslog messages. When set to 'hostname', the router's hostname is used as the origin ID instead of the default (which is the IP address of the source interface). This helps identify the source of messages in a multi-device environment.

408
MCQhard

A network engineer is troubleshooting reachability issues in a VRF-lite environment. R1 has the following configuration: ip vrf BLUE rd 100:1 route-target export 100:1 route-target import 100:1. R2 has: ip vrf BLUE rd 100:2 route-target export 100:2 route-target import 100:2. Both routers are connected via a link in the global routing table and are running OSPF in the VRF. R1 shows: 'show ip route vrf BLUE' has a route to 10.1.1.0/24 via OSPF, but R2 shows: 'show ip route vrf BLUE' does not have this route. What is the root cause?

A.The route-target export on R1 (100:1) does not match the route-target import on R2 (100:2), so R2 does not import routes from R1.
B.The OSPF process on R1 is not configured with the 'vrf BLUE' keyword.
C.The link between R1 and R2 is not in the VRF, so OSPF cannot form adjacency.
D.The route 10.1.1.0/24 is being filtered by a distribute-list in OSPF.
AnswerC

Correct. The link between R1 and R2 is not part of VRF BLUE, so OSPF cannot form an adjacency in that VRF, preventing route learning.

Why this answer

In VRF-lite, OSPF adjacency requires the link to be in the VRF context. The configuration shows both routers have OSPF in the VRF, but the connecting link is in the global routing table, not in VRF BLUE. Therefore, OSPF cannot form an adjacency over that link, and routes learned via OSPF within the VRF on R1 are not propagated to R2.

Route-target import/export is used for MP-BGP VPNv4 route distribution, not for OSPF in VRF-lite. The correct fix is to put the link in the VRF (e.g., using 'ip vrf forwarding BLUE' on the interface).

Exam trap

Candidates often confuse VRF-lite with MPLS L3VPN and assume route-target mismatch prevents route exchange, but in VRF-lite, OSPF over a link in the global table cannot form an adjacency within the VRF.

409
Multi-Selectmedium

Which TWO commands would a network engineer use to verify that EIGRP is correctly forming neighbor adjacencies and exchanging routes on an interface? (Choose TWO.)

Select 2 answers
A.show ip eigrp neighbors
B.show ip eigrp interfaces
C.show ip route eigrp
D.show ip protocols
E.show ip ospf neighbor
AnswersA, B

This command directly lists all EIGRP neighbors, their interfaces, and hold time, confirming adjacency.

Why this answer

The 'show ip eigrp neighbors' command displays the EIGRP neighbor table, which confirms that neighbor adjacencies have been successfully formed. The 'show ip eigrp interfaces' command shows which interfaces are enabled for EIGRP, including the number of peers (neighbors) on each interface, which verifies that the interface is actively participating in EIGRP and exchanging routes.

Exam trap

Cisco often tests the distinction between commands that verify the adjacency formation process (neighbor table and interface status) versus commands that show the result of that process (routing table), leading candidates to incorrectly choose 'show ip route eigrp'.

410
MCQhard

An engineer configures syslog logging to a remote server using the 'logging host' command. The engineer notices that syslog messages are not being received on the server, but the router can ping the server successfully. The engineer verifies that the logging level is set to debugging and that the server is configured to receive syslog messages. Which is the most likely explanation?

A.An ACL on the router is blocking UDP port 514 outbound
B.The logging host command requires the 'transport tcp' option to work
C.The syslog server is not configured to accept messages from the router's IP
D.The logging level is set to emergencies only
AnswerA

Correct. If an ACL is applied to the interface that blocks UDP 514, syslog messages will not reach the server.

Why this answer

A common edge case is that the syslog messages are sent via UDP port 514, but the router may have a firewall or ACL that blocks UDP traffic. Additionally, the 'logging source-interface' command might be configured, but if the source interface is not reachable from the server (e.g., due to routing issues), the server may drop the messages. Another possibility is that the server is listening on a different port or the router is using a different port due to configuration.

However, a less obvious issue is that the 'logging monitor' or 'logging buffered' commands can interfere if the logging process is overwhelmed, but the most likely is that the syslog messages are being sent but the server's firewall or the router's own ACL is blocking them.

411
MCQhard

Router R1 is leaking routes from VRF-A to the global table using route-map LEAK. The global table receives the routes, but traffic from the global table to destinations in VRF-A is dropped. R1 configuration: ip vrf VRF-A, rd 100:1, route-target export 100:1, route-target import 100:1. The route-map LEAK is applied to the VRF export. The global table has a default route pointing to null0. What is the root cause?

A.The leaked routes have a next-hop that is only reachable within VRF-A, not in the global routing table, causing traffic to be dropped.
B.The global table default route is overriding the leaked routes.
C.The route-map should be applied to the VRF import instead of export.
D.The VRF must have a route to the global table.
AnswerA

Correct: When leaking, the next-hop must be reachable in the destination table; otherwise, packets are dropped.

Why this answer

When routes are leaked from VRF to global, the global table installs them, but the reverse path (global to VRF) requires proper routing. If the global table has a default route pointing to null0, traffic to the leaked prefixes may match the default and be discarded if the leaked routes are less specific. However, the more specific leaked routes should override the default.

The issue could be that the leaked routes are not being installed due to administrative distance or that the default route is preferred. But the most common cause is that the route-map does not set the next-hop correctly, or the VRF interface is not reachable from the global table. The root cause is that the leaked routes have a next-hop that is not reachable in the global table, often because the next-hop is in the VRF.

412
MCQeasy

A network engineer runs the following command on Router R9: R9# show ip route 192.168.50.0 Routing entry for 192.168.50.0/24 Known via "ospf 1", distance 110, metric 20 Redistributing via ospf 1 Last update from 10.0.0.1 on GigabitEthernet0/0, 00:00:10 ago Routing Descriptor Blocks: * 10.0.0.1, from 10.0.0.1, 00:00:10 ago, via GigabitEthernet0/0 Route metric is 20, traffic share count is 1 R9 also has an EIGRP route for the same prefix with distance 90 and metric 28160. Which route will be installed?

A.The OSPF route will be installed because it has a lower metric.
B.The EIGRP route will be installed because it has a lower administrative distance.
C.Both routes will be installed for load balancing.
D.Neither route will be installed due to a conflict.
AnswerB

EIGRP's distance of 90 is lower than OSPF's 110, so the EIGRP route is preferred.

Why this answer

EIGRP internal routes have a default administrative distance of 90, which is lower than OSPF's default distance of 110. Therefore, the EIGRP route will be preferred and installed in the routing table.

413
MCQmedium

A network engineer runs the following command on switch SW2: SW2# show monitor session 2 Session 2 --------- Type : Remote Source Session Source Ports : Both : Gi0/4 Source VLANs : RX Only : 100 Destination Ports : Gi0/5 Encapsulation : Native Ingress : Disabled Based on this output, which statement is correct?

A.The session is an RSPAN source session, and the mirrored traffic is sent to Gi0/5.
B.The session is an ERSPAN source session because it monitors VLAN 100.
C.The session is a local SPAN session with source VLAN.
D.The session is misconfigured because source VLANs cannot be combined with source ports.
AnswerA

The type 'Remote Source Session' indicates RSPAN source, and the destination port Gi0/5 receives the mirrored traffic.

Why this answer

This is a remote source session (RSPAN source session). It monitors source port Gi0/4 and source VLAN 100 (RX only), and sends the mirrored traffic to destination port Gi0/5, which is typically configured as a trunk port carrying the RSPAN VLAN. The session is correctly configured for RSPAN.

414
Multi-Selecthard

Which TWO statements about Policy-Based Routing (PBR) are true? (Choose TWO.)

Select 2 answers
A.PBR is applied on the inbound interface of the router.
B.If a 'set interface' command specifies a down interface, the packet is automatically routed using the routing table.
C.PBR can be used to override the routing table for locally generated packets.
D.The 'set ip default next-hop' command overrides the routing table even when a route exists.
E.PBR uses a route-map to define match criteria and set actions for traffic.
AnswersA, E

PBR is configured with 'ip policy route-map' under the interface, which processes incoming packets.

Why this answer

PBR uses a route-map with match and set commands to override the routing table for selected traffic. The 'set interface' command can specify an outgoing interface, and if that interface is down, the packet is dropped unless a 'set ip next-hop' is also configured as a backup. PBR does not affect the router's own originated traffic by default.

The 'set ip default next-hop' is used only when there is no explicit route in the routing table, not for overriding an existing route. PBR is applied on the inbound interface.

415
MCQmedium

What is the default behavior of the 'logging buffered' command in Cisco IOS-XE when no severity level is specified?

A.It captures only messages of severity 0 through 4.
B.It captures only messages of severity 0 through 5.
C.It captures only messages of severity 0 through 6.
D.It captures messages of severity 0 through 7.
AnswerD

The default severity for buffered logging is 7, so all messages from emergencies to debugging are logged.

Why this answer

When 'logging buffered' is configured without a severity level, it defaults to severity 7 (debugging), capturing all messages.

416
MCQhard

A network engineer runs the following command to troubleshoot OSPF route redistribution: R1# show ip ospf database external 5.5.5.5 OSPF Router with ID (1.1.1.1) (Process ID 1) Type-5 AS External Link States LS age: 120 Options: (No TOS-capability, DC, Upward) LS Type: AS External Link Link State ID: 5.5.5.5 (External Network Number) Advertising Router: 3.3.3.3 LS Seq Number: 80000001 Checksum: 0xABCD Length: 36 Network Mask: /32 Metric Type: 2 (Larger than any link state path) TOS: 0 Metric: 20 Forward Address: 0.0.0.0 External Route Tag: 0 What does this output indicate?

A.The prefix 5.5.5.5/32 is a network inside the OSPF domain.
B.The route was redistributed into OSPF by router 3.3.3.3 with a metric of 20.
C.The forward address indicates the next-hop is 5.5.5.5.
D.This is a Type 4 Summary ASBR LSA.
AnswerB

The LSA is Type-5, advertising router is 3.3.3.3, metric type E2 with metric 20.

Why this answer

The output shows an OSPF Type 5 External LSA for prefix 5.5.5.5/32, advertised by router 3.3.3.3 with a metric type E2 and metric 20.

417
MCQmedium

Examine the following configuration on R6: !--- R6 configuration route-map FILTER deny 10 match tag 50 ! route-map FILTER permit 20 ! router eigrp 200 distribute-list route-map FILTER in ! What is the effect of this configuration?

A.All routes with tag 50 are denied; all other routes are permitted.
B.Routes with tag 50 are permitted; all other routes are denied.
C.The distribute-list is applied only to the first interface; routes with tag 50 are filtered on that interface.
D.The configuration is invalid because route-maps cannot be used with distribute-list in EIGRP.
AnswerA

Correct. Sequence 10 denies routes with tag 50; sequence 20 permits everything else.

Why this answer

The distribute-list route-map FILTER in is applied to EIGRP updates received on all interfaces (since no interface is specified). Sequence 10 denies any route with tag 50. Sequence 20 permits all other routes.

Therefore, routes with tag 50 are filtered out (not installed in the routing table), while all other routes are accepted.

418
MCQeasy

What is the maximum number of IPv6 over IPv4 tunnels that can be configured on a Cisco IOS router?

A.256
B.1024
C.Platform-dependent, no fixed maximum.
D.64
AnswerC

The number is limited by memory and CPU.

Why this answer

C is correct because the maximum number of IPv6 over IPv4 tunnels on a Cisco IOS router is platform-dependent and limited by available system resources such as CPU and memory, not by a fixed software limit. Cisco IOS does not impose a hard-coded maximum; the actual number depends on the router model, the type of tunnel (e.g., manual, 6to4, ISATAP, GRE), and the configuration complexity.

Exam trap

Cisco often tests the misconception that there is a fixed numerical limit (like 256, 1024, or 64) for IPv6 over IPv4 tunnels, when in fact the correct answer is that the limit is platform-dependent and resource-driven.

How to eliminate wrong answers

Option A is wrong because 256 is not a universal limit; while some older platforms might have had lower practical limits, modern Cisco IOS routers can support far more tunnels. Option B is wrong because 1024 is a common misconception based on a default limit for certain tunnel types (e.g., 6to4) in some IOS versions, but it is not a fixed maximum and can be exceeded with proper resource allocation. Option D is wrong because 64 is too low and does not reflect the scalability of Cisco IOS; it might be confused with the maximum number of tunnels in a specific legacy feature or a different protocol context.

419
MCQeasy

What is the default BGP hold timer value in Cisco IOS-XE?

A.90 seconds
B.120 seconds
C.180 seconds
D.240 seconds
AnswerC

Correct. BGP hold timer defaults to 180 seconds.

Why this answer

The default BGP hold timer is 180 seconds, as per RFC 4271 and Cisco IOS-XE defaults.

420
MCQhard

An engineer is troubleshooting a DHCPv6 prefix delegation scenario. The router (R1) is a DHCPv6 client on its WAN interface and is supposed to receive a /48 prefix from the ISP's DHCPv6 server to delegate to LAN interfaces. The WAN interface is configured with 'ipv6 address dhcp' and 'ipv6 dhcp client pd ISP-PREFIX'. The LAN interfaces have 'ipv6 address ISP-PREFIX 0:0:0:1::/64 eui-64'. The engineer sees that the WAN interface gets a global IPv6 address, but the LAN interfaces do not get any IPv6 address. What is the most likely cause?

A.The LAN interfaces are missing the 'ipv6 enable' command.
B.The ISP's DHCPv6 server is not configured to delegate a prefix.
C.The 'ipv6 dhcp client pd' command should be 'ipv6 dhcp client pd ISP-PREFIX hint ::/48'.
D.The WAN interface needs the 'ipv6 nd other-config-flag' command.
AnswerB

Correct because if the server does not delegate a prefix, the client's 'ipv6 dhcp client pd' request will fail, and the LAN interfaces will not receive any addresses from the delegated prefix.

Why this answer

The WAN interface successfully obtains a global IPv6 address via DHCPv6, but the LAN interfaces lack IPv6 addresses because the DHCPv6 client process on R1 has not received a delegated prefix. The 'ipv6 dhcp client pd ISP-PREFIX' command requests a prefix delegation from the ISP's DHCPv6 server; if the server is not configured to delegate prefixes (e.g., missing the 'prefix-delegation' pool or 'ipv6 dhcp server' with prefix assignment), the client never receives a prefix to assign to LAN interfaces. This is the most likely cause given the symptom.

Exam trap

Cisco often tests the distinction between DHCPv6 address assignment (IA_NA) and prefix delegation (IA_PD), trapping candidates who assume that obtaining a WAN address automatically implies a delegated prefix is also received.

How to eliminate wrong answers

Option A is wrong because 'ipv6 enable' is not required on LAN interfaces when they already have an explicit 'ipv6 address' command; the address configuration implicitly enables IPv6. Option C is wrong because the 'hint' keyword is optional and not required for prefix delegation to work; the client can request a prefix without a hint, and the server may still delegate one. Option D is wrong because 'ipv6 nd other-config-flag' is used to tell hosts to obtain other configuration (e.g., DNS) via DHCPv6, not to enable prefix delegation on the client or server side.

421
MCQhard

A network engineer is troubleshooting a route filtering problem with prefix-lists. Router R6 is using a prefix-list to filter routes from a BGP neighbor. The prefix-list is configured to permit only 192.168.0.0/16 and 192.168.1.0/24, but routes with prefix 192.168.2.0/24 are also being accepted. The engineer checks the prefix-list configuration and sees only two permit statements. What is the most likely cause?

A.The prefix-list is not applied to the BGP neighbor; the neighbor is using a different filter or no filter.
B.The prefix-list has an implicit permit at the end for all routes.
C.The prefix-list is using 'ge 24' which permits any prefix with a mask >= 24, including 192.168.2.0/24.
D.The BGP neighbor is configured with 'soft-reconfiguration inbound' which overrides prefix-list filtering.
AnswerA

Correct because if the prefix-list is not applied, no filtering occurs.

Why this answer

Prefix-lists have an implicit deny at the end, but if the prefix-list is not applied correctly (e.g., to the neighbor inbound direction), or if the prefix-list has a 'ge' or 'le' operator that is too broad, it could permit more than intended. However, the most common issue is that the prefix-list is not applied at all, or the neighbor is using a different filter.

422
MCQhard

A network engineer runs the following command on Router R1: R1# show access-lists 100 Extended IP access list 100 10 permit icmp any any echo 20 permit icmp any any echo-reply 30 permit icmp any any time-exceeded 40 permit icmp any any unreachable R1# show policy-map control-plane Control Plane Service-policy input: CoPP-IN Class-map: CoPP-ICMP (match-all) 0 packets, 0 bytes 5 minute offered rate 0000 bps, drop rate 0000 bps Match: access-group 100 police: cir 8000 bps, bc 1500 bytes, be 1500 bytes conformed 0 packets, 0 bytes; actions: transmit exceeded 0 packets, 0 bytes; actions: drop violated 0 packets, 0 bytes; actions: drop Based on this output, what is the most likely problem?

A.The class-map uses 'match-all' instead of 'match-any'.
B.The access-list does not include all ICMP types that may be sent to the control plane.
C.The police rate is too low and is dropping all packets.
D.The policy-map is applied to the wrong direction.
AnswerB

The access-list only matches specific ICMP types, potentially missing others like router advertisement or parameter problem.

Why this answer

Option B is correct because the access list 100 only permits four specific ICMP types (echo, echo-reply, time-exceeded, unreachable), but the control plane may receive many other ICMP types (e.g., parameter problem, redirect, timestamp, address mask request) that are not explicitly permitted. Since the class-map CoPP-ICMP matches all traffic that hits access-group 100, any ICMP packet with a type not listed will not match the class and will be handled by the default control-plane policy, which typically drops or polices such traffic, leading to legitimate ICMP packets being dropped.

Exam trap

Cisco often tests the misconception that a permit ACL in a CoPP class-map automatically allows all ICMP traffic, when in fact only the explicitly listed ICMP types are permitted, and any unlisted types are implicitly denied by the class-map and handled by the default policy.

How to eliminate wrong answers

Option A is wrong because 'match-all' requires all match conditions to be true, but here there is only one match condition (access-group 100), so 'match-all' vs 'match-any' makes no difference; the class-map will still match traffic permitted by the ACL. Option C is wrong because the police rate of 8000 bps is low but not zero, and the counters show 0 packets dropped (conformed, exceeded, violated all show 0 packets), indicating the policer is not actively dropping traffic; the problem is not rate-based. Option D is wrong because the policy-map is applied to the control-plane input direction, which is the correct direction for filtering traffic destined to the router's control plane; applying it output would be incorrect for CoPP.

423
MCQmedium

Which authentication type is the default when BFD authentication is enabled on Cisco IOS-XE?

A.Simple password (auth type 1)
B.Keyed MD5 (auth type 2)
C.Meticulous Keyed MD5 (auth type 3)
D.Keyed SHA-1 (auth type 4)
AnswerD

Cisco IOS-XE defaults to keyed SHA-1 (auth type 4) when BFD authentication is enabled.

Why this answer

Cisco IOS-XE defaults to keyed SHA-1 (auth type 4) when BFD authentication is configured, as it provides stronger security than MD5.

424
MCQhard

A network engineer runs the following command on Router R3: R3# show logging | include %OSPF-5-ADJCHG *Mar 1 00:05:10.123: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.1 on GigabitEthernet0/0 from LOADING to FULL, Loading Done *Mar 1 00:06:20.456: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.1 on GigabitEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired *Mar 1 00:07:30.789: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.1 on GigabitEthernet0/0 from DOWN to INIT, Received Hello *Mar 1 00:08:40.012: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.1 on GigabitEthernet0/0 from INIT to EXSTART, Event: start *Mar 1 00:09:50.345: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.1 on GigabitEthernet0/0 from EXSTART to EXCHANGE, Event: Negotiation Done *Mar 1 00:10:00.678: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.1 on GigabitEthernet0/0 from EXCHANGE to LOADING, Event: Exchange Done *Mar 1 00:11:10.901: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.1 on GigabitEthernet0/0 from LOADING to FULL, Loading Done *Mar 1 00:12:20.234: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.1 on GigabitEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired Based on this output, what is the most likely problem?

A.The OSPF process is misconfigured with mismatched area IDs.
B.There is a Layer 1 or Layer 2 issue causing intermittent connectivity on GigabitEthernet0/0.
C.The OSPF dead timer is set too high, causing slow convergence.
D.The router is running out of memory, causing OSPF process restarts.
AnswerB

The dead timer expiration indicates that hello packets are not received in time, which is often due to flapping interfaces or high error rates.

Why this answer

The output shows repeated OSPF adjacency changes between R3 and neighbor 10.0.0.1, with the neighbor going from FULL to DOWN due to dead timer expiration, then re-establishing. This pattern indicates an unstable OSPF neighbor relationship, likely due to a flapping interface, mismatched timers, or Layer 1 issues. The dead timer expiration suggests that hello packets are not being received consistently.

425
MCQmedium

Consider the following configuration on R5: !--- R5 configuration ip prefix-list PL-2 seq 5 permit 10.0.0.0/8 ge 16 le 24 ! route-map RMAP permit 10 match ip address prefix-list PL-2 set community 100:100 ! router bgp 65200 neighbor 192.168.1.2 route-map RMAP out ! What is the effect of this configuration?

A.Only routes with prefix 10.0.0.0/8 and mask length between 16 and 24 are sent to neighbor with community 100:100.
B.All routes with prefix 10.0.0.0/8 are sent to neighbor; routes with mask length between 16 and 24 get community 100:100.
C.Routes that match the prefix-list are sent with community 100:100; all other routes are sent without any community.
D.The configuration is invalid because the prefix-list uses ge and le together; only one can be used.
AnswerA

Correct. The prefix-list permits 10.0.0.0/8 ge 16 le 24; matching routes get community set and are advertised.

Why this answer

The prefix-list PL-2 permits prefixes that match 10.0.0.0/8 with a mask length greater than or equal to 16 and less than or equal to 24. So, for example, 10.1.0.0/16, 10.1.1.0/24 are permitted, but 10.0.0.0/8 itself (mask 8) is not. The route-map RMAP sets community 100:100 on matching routes.

Routes that do not match the prefix-list are not processed by this route-map (since there is only one sequence), so they are denied (not sent to neighbor).

426
MCQmedium

Router R3 has the following configuration: ``` interface GigabitEthernet0/4 ip address 10.3.3.3 255.255.255.0 ip policy route-map PBR-IN ! route-map PBR-IN permit 10 match ip address 102 set ip next-hop verify-availability 192.168.2.1 10 track 1 ! access-list 102 permit ip 10.3.3.0 0.0.0.255 any ``` What is the effect of the 'set ip next-hop verify-availability' command?

A.The next-hop 192.168.2.1 is used only if track object 1 is up; otherwise, normal routing applies.
B.The next-hop 192.168.2.1 is always used regardless of track status.
C.The router pings 192.168.2.1 every 10 seconds to verify reachability.
D.The configuration is invalid because 'verify-availability' requires a sequence number.
AnswerA

verify-availability checks the track object; if down, PBR does not use that next-hop and falls back to routing table.

Why this answer

This command enables Cisco Express Forwarding (CEF) and uses tracking to verify next-hop reachability. If the tracked object (track 1) is down, the next-hop is not used.

427
MCQmedium

According to RFC 2460, what is the correct behavior when an IPv6 router receives a packet with a source address that is a multicast address?

A.The router forwards the packet normally.
B.The router drops the packet silently.
C.The router sends an ICMPv6 error message back to the source.
D.The router rewrites the source address to the link-local address of the interface.
AnswerB

Per RFC 2460, a packet with a multicast source address is invalid and must be discarded.

Why this answer

RFC 2460 specifies that an IPv6 router must silently drop any packet with a multicast source address, as multicast addresses are only valid as destination addresses. This behavior prevents loops and misuse of multicast addressing in the network layer.

Exam trap

The trap here is that candidates often confuse multicast source address rules with broadcast or unicast reverse path forwarding (uRPF) checks, assuming an ICMP error is sent or that the packet is forwarded normally.

How to eliminate wrong answers

Option A is wrong because forwarding a packet with a multicast source address would violate RFC 2460 and could cause routing loops or forwarding anomalies. Option C is wrong because the router does not send an ICMPv6 error message; the packet is dropped silently to avoid generating additional traffic from an invalid source. Option D is wrong because rewriting the source address to a link-local address is not defined in any RFC and would break the integrity of the packet's source information.

428
MCQeasy

When redistributing routes from EIGRP into OSPF, what is the default OSPF metric assigned to redistributed routes if no metric is specified?

A.20
B.1
C.10
D.0
AnswerA

The default metric for redistributed routes into OSPF is 20.

Why this answer

Cisco IOS assigns a default metric of 20 to redistributed routes from other protocols into OSPF if no metric is explicitly configured. This is defined in Cisco's implementation.

429
MCQhard

A network engineer runs the following command on Router R1: R1# show ip eigrp neighbors detail EIGRP-IPv4 Neighbors for AS(100) H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 0 10.1.1.2 Gi0/0 13 00:12:34 12 200 0 45 Version 12.0/2.0, Retrans: 0, Retries: 0, Restarts: 0 Topology ids from peer: 0 Passive interface: No Hello interval: 5 Hold time: 15 Based on this output, what is the problem?

A.The neighbor is operating normally with no issues.
B.The interface is configured as passive, preventing neighbor formation.
C.The neighbor has a high number of retransmissions.
D.The hold time of 15 seconds is too short and may cause flapping.
AnswerA

All parameters are within normal range, and the neighbor is fully established.

Why this answer

The output shows a fully established EIGRP neighbor adjacency with no errors. The 'Passive interface: No' confirms the interface is not configured as passive, the retransmission count is 0, and the hold time of 15 seconds is the default for a 5-second hello interval on high-speed interfaces. All metrics (SRTT, RTO, Q count, Seq Num) indicate stable operation, so there is no problem.

Exam trap

Cisco often tests the misconception that a hold time of 15 seconds is too short, but in EIGRP this is the default for high-speed interfaces and is perfectly normal; candidates may confuse it with OSPF's shorter dead intervals or misinterpret the 'Passive interface' field if they do not read the 'No' value.

How to eliminate wrong answers

Option B is wrong because the output explicitly states 'Passive interface: No', meaning the interface is not passive and neighbor formation is not blocked. Option C is wrong because the 'Retrans: 0' field shows zero retransmissions, indicating no retransmission issues. Option D is wrong because a hold time of 15 seconds is the default for EIGRP on high-speed interfaces (with a 5-second hello interval) and is not too short; it is standard and does not cause flapping.

430
MCQhard

Two routers are configured with EIGRP using `network 0.0.0.0 0.0.0.0` to enable EIGRP on all interfaces. One router has a loopback interface with IP 10.1.1.1/32. The other router learns 10.1.1.1/32 via EIGRP. An engineer then configures `distribute-list prefix FILTER out` under the EIGRP process on the first router, where FILTER denies 10.1.1.1/32. Unexpectedly, the second router still receives the route. Which is the most likely explanation?

A.The distribute-list out does not filter routes that are directly connected and enabled via the `network` command; it only filters redistributed routes.
B.The distribute-list must be applied inbound on the second router to block the route.
C.The prefix-list FILTER is misconfigured; it should deny 10.1.1.1/32 with a ge/le condition.
D.The distribute-list command is not supported in classic mode; it must be used in named mode.
AnswerA

EIGRP distribute-list out filters only routes from redistribution; connected routes advertised via network statement are not affected.

Why this answer

In EIGRP, distribute-lists applied under the router process (classic mode) affect only routes that are redistributed or injected via `network` commands. However, if the route is directly connected and the interface is enabled for EIGRP via the `network` command, the distribute-list out does not filter connected routes advertised by the network statement. To filter such routes, the distribute-list must be applied under the interface configuration or use a prefix-list that matches the interface.

431
MCQmedium

Examine the RSPAN configuration: vlan 100 name RSPAN_VLAN remote-span ! monitor session 1 source interface GigabitEthernet1/0/1 both monitor session 1 destination remote vlan 100 What is the purpose of the 'remote-span' command under VLAN 100?

A.It allows VLAN 100 to be used for RSPAN traffic across multiple switches.
B.It enables spanning tree on VLAN 100.
C.It prevents VLAN 100 from being used for user data traffic.
D.It configures VLAN 100 as a native VLAN.
AnswerA

Correct. The 'remote-span' command marks VLAN 100 as an RSPAN VLAN, enabling it to carry mirrored traffic across switches in the network.

Why this answer

The 'remote-span' command designates VLAN 100 as an RSPAN VLAN, allowing it to carry mirrored traffic across switches. This is its primary purpose. While it also prevents user data traffic, that is a secondary effect, not the main purpose.

432
MCQmedium

Which BGP loop prevention mechanism relies on the AS_PATH attribute?

A.Split horizon
B.AS_PATH loop detection
C.TTL expiration
D.Route poisoning
AnswerB

Correct. BGP discards routes with its own AS in the AS_PATH.

Why this answer

BGP uses AS_PATH loop detection: a router rejects a route if its own AS number appears in the AS_PATH.

433
MCQhard

A BGP-based network uses route reflectors and Flexible NetFlow to monitor traffic. After applying a flow monitor to the route reflector's interface, some BGP routes are not being reflected to clients. Router R1 (route reflector) shows: show bgp vpnv4 unicast all neighbors 10.0.0.2 advertised-routes | include (10.1.1.0/24) No entries. The BGP session is up, and the route 10.1.1.0/24 is in the BGP table. What is the root cause?

A.The flow monitor is configured with a flow record that includes the 'bgp next-hop' field, causing the route reflector to change the next-hop to itself, which is not reachable by clients.
B.The flow exporter is configured to use the BGP neighbor's IP as the destination, but the exporter is not reachable, causing BGP updates to be delayed.
C.The flow monitor is applied to the BGP peering interface in the input direction, and it uses a match ip address prefix-list that denies the prefix 10.1.1.0/24, causing the route reflector to not process the route.
D.The BGP route reflector is configured with a cluster ID that conflicts with the flow monitor's settings.
AnswerD

Correct. A cluster ID conflict prevents the route reflector from reflecting routes that already contain its own cluster ID, even though the routes are present in the BGP table.

Why this answer

The root cause is a cluster ID conflict. Route reflectors use a cluster ID to prevent routing loops. If the route reflector receives a BGP update that already contains its own cluster ID in the cluster list, it will not reflect that route to clients, even though the route is present in the BGP table.

This explains why 10.1.1.0/24 appears in the BGP table but is not advertised to neighbors. The other options are incorrect because Flexible NetFlow flow monitors do not filter or modify BGP updates, and exporter reachability does not affect BGP advertisements.

Exam trap

A common trap is assuming that Flexible NetFlow flow monitors can filter BGP updates. In reality, flow monitors only capture traffic statistics and do not interfere with control plane packets like BGP updates.

434
Multi-Selecthard

An engineer is configuring a DMVPN Phase 3 network with EIGRP as the routing protocol. The hub router has the following configuration snippet: interface Tunnel0 ip address 10.0.0.1 255.255.255.0 ip nhrp network-id 1 ip nhrp redirect tunnel source GigabitEthernet0/1 tunnel mode gre multipoint ! router eigrp 100 network 10.0.0.0 0.0.0.255 Which TWO additional configuration changes are required on the hub to ensure that spokes can establish direct spoke-to-spoke tunnels? (Choose TWO.)

Select 2 answers
A.Add the command 'ip nhrp shortcut' under interface Tunnel0.
B.Add the command 'ip nhrp nhs 10.0.0.1' under interface Tunnel0.
C.Add the command 'ip nhrp map multicast dynamic' under interface Tunnel0.
D.Add the command 'no ip split-horizon eigrp 100' under interface Tunnel0.
E.Add the command 'ip nhrp authentication cisco123' under interface Tunnel0.
AnswersC, D

Correct. This command allows the hub to dynamically learn the NBMA addresses of spokes for multicast forwarding, which is required for routing protocol updates.

Why this answer

In DMVPN Phase 3, the hub must have 'ip nhrp redirect' to send redirect messages, and spokes need 'ip nhrp shortcut' to install the /32 route. However, the question asks about the hub. The hub already has 'ip nhrp redirect'.

To allow spokes to learn the hub's NBMA address, the hub needs 'ip nhrp map multicast dynamic' to accept dynamic registrations. Also, the hub must have a valid tunnel source IP and the tunnel interface must be up. The hub does not need 'ip nhrp shortcut' (that's for spokes).

The hub does not need 'ip nhrp nhs' (that's for spokes). The hub does not need 'no ip split-horizon' for EIGRP if using Phase 3 with BGP or if the hub is configured correctly; but in Phase 3, EIGRP split horizon can prevent spoke routes from being advertised to other spokes. Actually, to allow spokes to learn routes from other spokes, the hub must disable EIGRP split horizon on the tunnel interface.

So the two correct changes are: add 'ip nhrp map multicast dynamic' and 'no ip split-horizon eigrp 100'.

435
MCQhard

A network engineer configures an RSPAN session on Switch A to monitor traffic from interface GigabitEthernet0/1 and sends it to Switch B. The engineer creates RSPAN VLAN 50 on both switches and configures the trunk between them to allow VLAN 50. On Switch B, the engineer configures the destination port as GigabitEthernet0/2 in VLAN 50. The engineer notices that the destination port is not forwarding any traffic. What should the engineer check first?

A.Verify that the RSPAN VLAN is configured with the 'remote-span' command on both switches.
B.Check that the destination port is not in a shutdown state.
C.Ensure that the source interface is not configured with 'no monitor session'.
D.Confirm that the trunk between switches is configured as a dot1q trunk.
AnswerA

Correct because the 'remote-span' command is essential to designate the VLAN as an RSPAN VLAN; without it, the VLAN behaves as a normal VLAN.

Why this answer

RSPAN requires that the RSPAN VLAN be configured with the 'remote-span' command on all switches that participate. Without this, the VLAN may not be treated as an RSPAN VLAN and traffic may not be forwarded correctly.

436
MCQmedium

A network engineer runs the following command on Router R1: R1# show ip sla statistics 6 Round Trip Time (RTT) for Index 6 Latest RTT: 0 ms Latest RTT (milliseconds): 0 Latest RTT (microseconds): 0 Number of successes: 0 Number of failures: 100 Operation time to live: Forever Output: No connection R1# show track 4 Track 4 IP SLA 6 reachability Reachability is Down 3 changes, last change 00:05:00 Latest operation return code: No connection Latest RTT (milliseconds): 0 Tracked by: ip route 0.0.0.0 0.0.0.0 192.168.4.1 track 4 R1# show ip route 0.0.0.0 0.0.0.0 % Network not in table Based on this output, which statement is correct?

A.The static route is still present because the track is down.
B.The IP SLA operation is successful, but the track is misconfigured.
C.The target 192.168.4.1 is unreachable, causing the IP SLA to fail and the static route to be removed.
D.The IP SLA operation has a threshold violation, but the route is still active.
AnswerC

The 'No connection' indicates unreachability, and the track down removes the static route.

Why this answer

The track is down due to 'No connection', and the static route is not in the routing table. This indicates that the IP SLA probe cannot reach the target, and the tracked route has been removed.

437
MCQhard

A network engineer runs the following command to debug NAT with overload: R1# debug ip nat overload NAT: overload: s=10.1.1.1:1234->203.0.113.1:5678, d=192.168.1.1:80 [50] NAT: overload: s=10.1.1.1:1235->203.0.113.1:5679, d=192.168.1.1:80 [51] NAT: overload: s=10.1.1.2:80->203.0.113.1:5680, d=192.168.1.1:1024 [52] What does this output indicate?

A.PAT is working correctly, translating multiple inside hosts to one outside IP.
B.NAT is failing because the outside address is the same for all.
C.The translations are static.
D.The inside hosts are using the same port numbers.
AnswerA

Each inside host gets a unique source port on the outside IP.

Why this answer

The debug output shows PAT (Port Address Translation) functioning correctly: three distinct inside local addresses (10.1.1.1:1234, 10.1.1.1:1235, 10.1.1.2:80) are being translated to the same outside global address (203.0.113.1) but with unique port numbers (5678, 5679, 5680). This is the essence of NAT with overload, where multiple inside hosts share a single public IP by multiplexing on Layer 4 ports.

Exam trap

Cisco often tests the misconception that NAT with overload is 'failing' when multiple inside hosts share the same outside IP, leading candidates to incorrectly select Option B, when in fact this is the intended behavior of PAT.

How to eliminate wrong answers

Option B is wrong because the output shows successful translations, not failures; NAT with overload deliberately uses the same outside address for all translations, and the debug confirms each translation is completed. Option C is wrong because static NAT would show a fixed one-to-one mapping without port translation, whereas this output shows dynamic port allocation (e.g., 10.1.1.1:1234→203.0.113.1:5678). Option D is wrong because the inside hosts are using different port numbers (1234, 1235, 80) and the translated ports are also unique (5678, 5679, 5680); the debug does not show any port conflict.

438
MCQhard

An engineer configures Control Plane Policing (CoPP) on a router to protect the control plane. After applying the policy, the router becomes unreachable via SSH and SNMP. The engineer checks the policy and confirms that the class-map for SSH and SNMP traffic is set to 'permit'. What is the most likely explanation?

A.The class-default is set to 'drop', causing all unmatched traffic to be dropped, including SSH and SNMP if they are not correctly classified.
B.The 'rate-limit' is configured in bps instead of pps, causing excessive policing.
C.The 'service-policy' is applied to the control-plane input direction, but SSH and SNMP are output traffic.
D.The class-map for SSH and SNMP uses a 'match-all' condition, but the access-list has multiple entries that are ORed.
AnswerA

In CoPP, the class-default is the default class for all traffic not matched by other classes. If it is set to drop, any traffic that does not match the explicit classes will be dropped. If SSH or SNMP traffic is not correctly matched by the class-map (e.g., due to a typo in the access-list), it will fall into class-default and be dropped.

Why this answer

A common edge case with CoPP is that the default class class-default is often set to 'drop' or 'police' with a very low rate, which can drop all traffic not explicitly matched by other classes. Even if SSH and SNMP are permitted, if the class-default is set to drop, any traffic that does not match the explicit classes (e.g., due to a misclassification) will be dropped. Additionally, the order of class-maps matters; if a broader class matches before the specific one, the traffic may be policed incorrectly.

439
Multi-Selecthard

Which THREE symptoms indicate that IPv6 unicast RPF is misconfigured or failing on an interface? (Choose THREE.)

Select 3 answers
A.Traffic from a valid source IP is being dropped on the interface.
B.The router logs 'IPv6 unicast RPF drop' messages.
C.The command 'ipv6 verify unicast source reachable-via any' is present in the running config.
D.High CPU utilization is observed due to RPF processing.
E.The 'show ipv6 interface' output shows an increasing 'RPF drops' counter.
AnswersA, B, E

uRPF drops packets when the source IP is not reachable via the incoming interface, even if the IP is valid.

Why this answer

Option A is correct because IPv6 unicast RPF (uRPF) drops traffic when the source address is not reachable via the incoming interface according to the FIB. If a valid source IP is being dropped, it indicates that the RPF check is failing, often due to asymmetric routing or a missing route in the FIB for that source prefix.

Exam trap

Cisco often tests the distinction between strict and loose mode RPF, and the trap here is that candidates may incorrectly assume that the presence of the 'ipv6 verify unicast source reachable-via any' command itself is a symptom of misconfiguration, when in fact it is a legitimate configuration for loose mode.

440
Drag & Dropmedium

Drag and drop the steps to verify and validate Device Management operational state into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Start by checking the management interface status, then confirm the management protocol is operational, verify the device is reachable, validate data model support, and finally perform a test retrieval of configuration data.

441
MCQmedium

A network engineer runs the following command on Router R1: R1# show dmvpn Legend: Attrb -> S: Static, D: Dynamic, I: Incomplete N: NATed, L: Local, X: No Socket # Entries: 2 Interface: Tunnel0, IPv4 NHRP Details Type: Hub, NHRP Peers: 2, # Ent Peer NBMA Addr Peer Tunnel Addr State UpDn Tm Attrb ----- --------------- --------------- ----- -------- ----- 1 192.168.1.2 10.0.0.2 UP 00:15:30 D 2 192.168.2.2 10.0.0.3 UP 00:14:20 D Based on this output, which statement is correct?

A.The DMVPN tunnel is not functioning because there are only two peers.
B.Both spoke routers have established dynamic NHRP registrations with the hub.
C.The hub router has static NHRP entries for the spokes.
D.The spokes are not able to communicate with each other.
AnswerB

The state is UP and attribute is D (dynamic).

Why this answer

The output shows two dynamic (D) NHRP entries for peers 10.0.0.2 and 10.0.0.3, each with an NBMA address of 192.168.1.2 and 192.168.2.2 respectively. The 'D' attribute indicates these registrations were established dynamically via NHRP registration requests from the spoke routers to the hub, confirming that both spokes have successfully registered with the hub. This is the expected behavior for a DMVPN Phase 2 or Phase 3 hub, where spokes dynamically register their tunnel and NBMA addresses.

Exam trap

Cisco often tests the distinction between the NHRP 'Attrb' column attributes (S, D, I, N, L, X) to trick candidates into misinterpreting dynamic registrations as static or assuming that a hub output showing only hub-spoke entries implies a lack of spoke-to-spoke connectivity.

How to eliminate wrong answers

Option A is wrong because having two peers is normal for a DMVPN hub with two spokes; the number of peers does not indicate a malfunction. Option C is wrong because the 'D' attribute in the Attrb column explicitly indicates dynamic NHRP entries, not static (S). Option D is wrong because the output only shows hub-to-spoke relationships; spoke-to-spoke communication is possible in DMVPN Phase 2/3 via dynamic NHRP resolution and does not require direct hub involvement for data traffic, so the absence of spoke-to-spoke entries in this hub output does not imply they cannot communicate.

442
MCQmedium

A network engineer runs the following command on Router R1: R1# show event manager history events Event History: No. Time Type Name 1 00:01:30 UTC Mar 1 syslog OSPF_Neighbor_Down 2 00:01:31 UTC Mar 1 syslog OSPF_Neighbor_Up 3 00:01:32 UTC Mar 1 syslog OSPF_Neighbor_Down 4 00:01:33 UTC Mar 1 syslog OSPF_Neighbor_Up Based on this output, which statement is correct?

A.The OSPF neighbor is stable.
B.The OSPF neighbor is flapping.
C.The EEM policy is not configured.
D.The OSPF neighbor is down permanently.
AnswerB

The rapid succession of down and up events is characteristic of flapping.

Why this answer

The event history shows alternating OSPF neighbor down and up events within seconds, indicating a flapping condition. The correct answer is that the OSPF neighbor is flapping.

443
MCQmedium

A network engineer runs the following command on Router R1: R1# show ipv6 ospf neighbor Neighbor ID Pri State Dead Time Address Interface 192.168.1.2 1 FULL/DR 00:00:32 FE80::2 Tunnel0 192.168.1.3 1 FULL/BDR 00:00:35 FE80::3 Tunnel0 Based on this output, which statement is correct?

A.OSPFv3 is not running on this router.
B.The router with Neighbor ID 192.168.1.3 is the Designated Router.
C.OSPFv3 adjacencies are fully established over the tunnel.
D.The tunnel is using IPv4 transport.
AnswerC

Both neighbors are in FULL state.

Why this answer

The output shows two OSPFv3 neighbors in the FULL state, which indicates that the adjacency process has completed successfully and the routers are exchanging link-state advertisements. The presence of the FULL state for both neighbors confirms that OSPFv3 adjacencies are fully established over the Tunnel0 interface, making option C correct.

Exam trap

Cisco often tests the distinction between OSPFv2 and OSPFv3, and the trap here is that candidates may assume the presence of IPv4-like neighbor IDs (192.168.1.x) implies IPv4 transport, but OSPFv3 uses a 32-bit Router ID (often derived from an IPv4 address) regardless of the underlying IPv6 transport.

How to eliminate wrong answers

Option A is wrong because the 'show ipv6 ospf neighbor' command itself proves that OSPFv3 is running on this router; if it were not, the command would return no output or an error. Option B is wrong because the neighbor with Neighbor ID 192.168.1.3 is listed as BDR (Backup Designated Router), not DR; the DR is 192.168.1.2, as indicated by the 'FULL/DR' state. Option D is wrong because the output shows IPv6 link-local addresses (FE80::2 and FE80::3) and the command is specific to IPv6 OSPF (OSPFv3), which operates natively over IPv6; the tunnel could be using IPv6 transport, and there is no evidence of IPv4 transport in this output.

444
MCQmedium

Consider this EIGRP configuration on router R5: interface GigabitEthernet0/0 ip summary-address eigrp 100 10.10.0.0 255.255.0.0 5 router eigrp 100 network 10.0.0.0 What is the effect of the 'ip summary-address eigrp' command on interface GigabitEthernet0/0?

A.It creates a summary route 10.10.0.0/16 with administrative distance 5, advertised only out GigabitEthernet0/0.
B.It creates a summary route 10.10.0.0/16 with metric 5, advertised out all interfaces.
C.It creates a summary route 10.10.0.0/16 and suppresses all more specific routes globally.
D.It creates a summary route 10.10.0.0/16 and redistributes it into other routing protocols.
AnswerA

Correct. The command is interface-specific and the distance value is optional.

Why this answer

The interface-level 'ip summary-address eigrp' command creates a summary route that is advertised out that specific interface. The optional administrative distance (5) sets the distance for the summary route.

445
MCQhard

A network engineer runs the following command on Router R1: R1# show ip route 10.0.0.0 255.255.252.0 longer-prefixes Routing entry for 10.0.0.0/22 Known via "eigrp 100", distance 90, metric 2172416, type internal Last update from 192.168.1.2 on GigabitEthernet0/0, 00:00:10 ago Routing Descriptor Blocks: * 192.168.1.2, from 192.168.1.2, 00:00:10 ago, via GigabitEthernet0/0 Route metric is 2172416, traffic share count is 1 Routing entry for 10.0.1.0/24 Known via "eigrp 100", distance 90, metric 2812416, type internal Last update from 192.168.1.2 on GigabitEthernet0/0, 00:00:10 ago Routing Descriptor Blocks: * 192.168.1.2, from 192.168.1.2, 00:00:10 ago, via GigabitEthernet0/0 Route metric is 2812416, traffic share count is 1 Based on this output, what is the effect of the summary route 10.0.0.0/22?

A.The summary route is working correctly and suppressing all specifics.
B.The summary route is not suppressing the more specific route 10.0.1.0/24.
C.The summary route has a better metric than the specific route.
D.The summary route is not installed in the routing table.
AnswerB

Both the summary and a more specific route are in the table, indicating the summary is not suppressing specifics.

Why this answer

The presence of both the summary route (10.0.0.0/22) and a more specific route (10.0.1.0/24) in the routing table indicates that the summary route is not suppressing the more specific routes, possibly due to a configuration issue or because the summary is not configured as a discard route.

446
MCQhard

An engineer configures AS path prepending on an eBGP route to influence inbound traffic. However, traffic from a specific iBGP neighbor still prefers the prepended path. What is the most likely explanation?

A.AS path prepending only affects eBGP path selection; iBGP routers ignore AS path length when comparing paths from different eBGP routers.
B.The prepending was applied with 'set as-path prepend last-as 1', which only prepends the last AS, not the full path.
C.The iBGP neighbor has 'bgp bestpath as-path ignore' configured, which ignores AS path length entirely.
D.The prepending was done on a route reflector, and the client does not see the prepended AS path.
AnswerA

iBGP uses the IGP metric to the next hop, not AS path length, so prepending does not influence iBGP decisions.

Why this answer

AS path prepending is applied only to eBGP updates, increasing the AS path length for routes sent to eBGP neighbors. However, when an iBGP router receives multiple routes for the same prefix from different eBGP routers via iBGP, it does not consider AS path length during best path selection. Instead, iBGP routers rely on attributes like local preference, weight, and IGP metric to select the best path.

Therefore, traffic from an iBGP neighbor may still prefer the prepended path if it has a better IGP metric or other preferred attributes, making AS path prepending ineffective for influencing iBGP path selection.

447
MCQmedium

Examine the following partial configuration on R1: !--- R1 configuration route-map RMAP permit 10 match ip address prefix-list PL-1 set metric 100 ! route-map RMAP permit 20 set metric 200 ! router eigrp 100 network 10.0.0.0 redistribute ospf 1 metric 1000 100 255 1 1500 route-map RMAP ! What is the effect of this configuration?

A.Only routes matching prefix-list PL-1 are redistributed into EIGRP with metric 100; all other OSPF routes are denied.
B.Routes matching prefix-list PL-1 are redistributed with metric 100; all other OSPF routes are redistributed with metric 200.
C.The route-map is missing a deny statement; without it, all routes are permitted with default metric.
D.The route-map is applied to redistribution, but the metric values are ignored because redistribute command also specifies metric.
AnswerB

Correct. Sequence 10 matches PL-1 and sets metric 100; sequence 20 matches all other routes and sets metric 200.

Why this answer

The route-map RMAP has two permit sequences. The first matches prefix-list PL-1 and sets metric to 100. The second is a catch-all permit with no match, setting metric to 200.

All redistributed OSPF routes will match either sequence and have their metric set accordingly. If a route matches the first sequence, its metric is set to 100; otherwise, it matches the second and gets metric 200. There is no deny sequence, so no routes are filtered.

448
MCQmedium

Examine the following EEM applet configuration: !--- event manager applet RELOAD_NOTIFY event syslog pattern "%SYS-5-RELOAD" action 1.0 cli command "enable" action 2.0 cli command "send log "Router is reloading"" !--- What is the effect of this configuration?

A.The applet will send a log message to the console when a reload is initiated.
B.The applet will fail because 'send log' is not a valid IOS command.
C.The applet will prevent the reload from occurring.
D.The applet will generate a syslog message with the text "Router is reloading".
AnswerB

Correct. 'send log' is not a valid command; the correct command would be 'logger' or 'send' with appropriate parameters.

Why this answer

The applet triggers on a syslog message indicating a reload. It then executes a 'send log' command, which is not a valid IOS command. The correct command is 'send log' is not valid; the intended command might be 'send' or 'logger'.

This will cause the action to fail, and the applet will not execute successfully.

449
Multi-Selectmedium

Which TWO statements about IP SLA ICMP echo operations are true? (Choose TWO.)

Select 2 answers
A.It measures round-trip time (RTT) between the source and destination.
B.It measures jitter in the network path.
C.The operation must be scheduled using the 'ip sla schedule' command.
D.The destination can be specified as a hostname without any additional configuration.
E.The operation runs continuously by default after configuration.
AnswersA, C

The ICMP echo operation sends ICMP packets and calculates the RTT based on the reply.

Why this answer

IP SLA ICMP echo measures round-trip time (RTT) by sending ICMP echo requests and waiting for replies. It does not measure jitter (that requires UDP jitter operations). It can be configured with a frequency and a timeout, and the operation must be started with the 'ip sla schedule' command.

The source IP can be specified, but the destination must be an IP address, not a hostname unless DNS resolution is configured.

450
MCQmedium

Which statement about RSPAN VLAN is correct?

A.The RSPAN VLAN must be the same as the native VLAN on the trunk.
B.The RSPAN VLAN can be used for normal user traffic if needed.
C.The RSPAN VLAN must be configured with the 'remote-span' command on all switches in the network.
D.The RSPAN VLAN must be pruned from all trunk links to avoid unnecessary flooding.
AnswerC

The 'remote-span' command is required on the VLAN to prevent it from being used for normal traffic and to allow it to be flooded across the network.

Why this answer

An RSPAN VLAN is a dedicated VLAN used to carry mirrored traffic from source switches to a destination switch. It must be configured as a remote-span VLAN, and no end devices should be connected to it.

Page 5

Page 6 of 29

Page 7