Cisco CCNP ENARSI 300-410 (300-410) — Questions 526600

2152 questions total · 29pages · All types, answers revealed

Page 7

Page 8 of 29

Page 9
526
MCQeasy

What is the default role of an interface in IPv6 Neighbor Discovery Inspection when no policy is explicitly applied?

A.Untrusted
B.Trusted
C.Server
D.Host
AnswerA

The default role is untrusted, so ND messages are inspected.

Why this answer

In IPv6 Neighbor Discovery Inspection (NDI), an interface is considered untrusted by default when no policy is explicitly applied. This default ensures that all incoming Neighbor Discovery (ND) messages are subject to validation against the binding table, preventing attacks such as Neighbor Advertisement spoofing and Duplicate Address Detection (DAD) exploitation. Only interfaces explicitly configured with a trust policy bypass this inspection.

Exam trap

Cisco often tests the misconception that all interfaces start as trusted or that a 'host' or 'server' role exists, when in fact the default is untrusted and only two roles (untrusted and trusted) are defined for NDI.

How to eliminate wrong answers

Option B is wrong because a trusted interface would bypass ND inspection entirely, which is not the default behavior; trust must be explicitly configured. Option C is wrong because 'Server' is not a valid role for an interface in IPv6 NDI; it refers to a DHCPv6 server role in other contexts. Option D is wrong because 'Host' is not a defined interface role in IPv6 NDI; the roles are only untrusted (default) and trusted (explicit).

527
MCQmedium

A network engineer runs the following command to troubleshoot a VRF-Lite BGP route advertisement issue: R1# show bgp vpnv4 vrf CUSTOMER_D 10.2.2.0/24 Output: BGP routing table entry for 10.2.2.0/24, version 5 Paths: (1 available, best #1, table CUSTOMER_D) Advertised to update-groups: 1 Refresh Epoch 1 Local 10.1.1.2 (metric 20) from 10.1.1.2 (2.2.2.2) Origin incomplete, metric 0, localpref 100, valid, internal, best Extended Community: RT:100:200 mpls labels in/out nolabel/20 What does this output indicate?

A.The route 10.2.2.0/24 is learned via an external BGP peer and is not the best path.
B.The route 10.2.2.0/24 is learned from 10.1.1.2 with an MPLS label of 20 and is the best path.
C.The route 10.2.2.0/24 is not advertised to any update groups.
D.The route 10.2.2.0/24 has no extended community attached.
AnswerB

Correct. The output shows the route is internal, best, and has an MPLS label of 20.

Why this answer

The 'show bgp vpnv4 vrf' command displays BGP VPNv4 route details for a specific VRF. The output shows route 10.2.2.0/24 is learned from neighbor 10.1.1.2 (router ID 2.2.2.2) with a metric of 20. It is valid, internal, and the best path.

The route has an extended community RT:100:200 and an MPLS label of 20 (outgoing).

528
MCQmedium

What is the default flow-cache timeout for NetFlow version 9 on Cisco IOS-XE?

A.15 minutes
B.30 minutes
C.60 minutes
D.5 minutes
AnswerB

Correct. The default flow-cache timeout for NetFlow v9 is 30 minutes.

Why this answer

The default flow-cache timeout for NetFlow version 9 is 30 minutes, after which inactive flows are aged out.

529
Multi-Selecthard

Which TWO statements about PBR and route-map sequence numbers are true? (Choose TWO.)

Select 3 answers
A.If a packet matches a route-map sequence with a 'permit' keyword, the set actions are applied, and no further sequences are evaluated.
B.If a packet matches a route-map sequence with a 'deny' keyword, the packet is dropped immediately.
C.The 'match ip address' command in a PBR route map can reference a named or numbered ACL, but not a prefix list. [CORRECT]
D.If no sequence in a PBR route map matches a packet, the packet is forwarded using the routing table (normal routing).
E.The 'set ip next-hop' command can be used in a route-map sequence with a 'deny' keyword to override the default behavior.
AnswersA, C, D

If a packet matches a route-map sequence with a 'permit' keyword, the set actions are applied, and no further sequences are evaluated. This is correct.

Why this answer

Route maps used for PBR are evaluated in sequence number order. Each sequence can have match and set statements. If a packet matches a permit sequence, the set actions are applied and evaluation stops.

A deny sequence does not drop the packet; it causes the router to skip to the next sequence. If no sequence matches, the packet is forwarded using normal routing (implicit deny). In PBR, the 'match ip address' command can reference a named or numbered ACL, but not a prefix list.

To match a prefix list, you must use the 'match ip address prefix-list' command separately.

530
MCQhard

An engineer configures Control Plane Policing (CoPP) with a policy that denies all traffic in class-default. After applying the policy, BGP sessions to the router fail. What is the most likely explanation?

A.The class-default has an explicit 'drop' action, which overrides the implicit permit and drops all unmatched traffic, including BGP packets.
B.The CoPP policy was applied to the wrong interface, so BGP packets are dropped by the interface ACL.
C.The BGP packets are matched by another class with a 'drop' action, but the class-default is irrelevant.
D.The CoPP policy uses 'rate-limit' in bps instead of pps, causing BGP packets to be dropped due to rate limiting.
AnswerA

Explicit deny in class-default changes the default behavior from permit to drop.

Why this answer

CoPP class-default has an implicit permit at the end, but if an explicit deny is configured in class-default, it will drop all traffic not matched by other classes, including BGP control packets. The explicit deny overrides the implicit permit.

531
Multi-Selecthard

An engineer is troubleshooting a PAT overload configuration on a Cisco router. Inside hosts can access the Internet, but some applications (e.g., FTP, SIP) fail. Which TWO commands can be used to verify the NAT translations and identify the issue? (Choose TWO.)

Select 2 answers
A.'show ip nat translations'
B.'debug ip nat detailed'
C.'show ip nat statistics'
D.'show ip access-lists'
E.'show running-config | include nat'
AnswersA, B

Correct. This shows the current NAT table, including inside local, inside global, outside local, and outside global addresses and ports.

Why this answer

The 'show ip nat translations' command displays the current NAT translation table, including inside local, inside global, outside local, and outside global addresses. This allows the engineer to verify whether translations are being created correctly for protocols like FTP and SIP, which may fail due to missing or incorrect translations, especially when PAT overload is used and application-layer gateways (ALGs) are not handling embedded IP addresses or ports properly.

Exam trap

Cisco often tests the distinction between commands that show configuration versus commands that show operational state; the trap here is that candidates may pick 'show running-config | include nat' thinking it reveals translation issues, but it only shows static configuration, not dynamic translations or real-time failures.

532
Drag & Drophard

Drag and drop the steps to troubleshoot Control Plane Policing (CoPP) adjacency or connectivity failures into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Troubleshooting CoPP failures starts by checking if the control-plane policy is applied, then verifying the class-map matches the correct protocol, checking for dropped packets, temporarily disabling CoPP to test, and finally adjusting the policy to permit the necessary traffic. This systematic approach isolates the issue without disrupting the network.

533
MCQhard

Router R1 is configured with ip nat inside source list 100 interface Loopback0 overload. Internal hosts at 192.168.1.0/24 can access the internet, but external hosts cannot initiate connections to an internal server at 10.1.1.10 that is also behind NAT. The server is supposed to be reachable via static NAT. Configuration: ip nat inside source static tcp 10.1.1.10 80 interface Loopback0 80. Router R1 shows: show ip nat translations: Pro Inside global Inside local Outside local Outside global tcp 10.1.1.10:80 10.1.1.10:80 --- ---. External users get connection timeouts. What is the root cause?

A.The static NAT should use a specific global IP address instead of the interface; configure ip nat inside source static tcp 10.1.1.10 80 203.0.113.10 80.
B.The access-list 100 is blocking inbound traffic.
C.The Loopback0 interface is not in the routing table.
D.The static NAT entry is missing the 'add-route' option.
AnswerA

Using the interface IP for static NAT is not supported; a specific global IP must be defined.

Why this answer

The static NAT configuration uses 'interface Loopback0' as the global address, which means it relies on the interface's dynamically assigned IP address. However, the overload rule (PAT) is also using the same interface, and the static NAT entry shown in 'show ip nat translations' displays the inside local address as the inside global address (10.1.1.10:80), indicating that the static translation is not being applied correctly. The root cause is that static NAT requires a specific global IP address (e.g., 203.0.113.10) to map the internal server, not the interface keyword, because the interface keyword is used for PAT and does not create a fixed one-to-one mapping for inbound connections.

Exam trap

Cisco often tests the distinction between using 'interface' for dynamic PAT and a specific IP for static NAT, trapping candidates who think 'interface' can serve both purposes without understanding that static NAT requires a fixed global address for inbound reachability.

How to eliminate wrong answers

Option B is wrong because access-list 100 is used only for the dynamic NAT overload rule (ip nat inside source list 100 interface Loopback0 overload) and does not affect inbound traffic for static NAT; static NAT bypasses ACLs for translation. Option C is wrong because the Loopback0 interface must be in the routing table for the router to have a route to the internet, and the scenario states internal hosts can access the internet, confirming the interface is operational and reachable. Option D is wrong because the 'add-route' option is not a valid parameter for the 'ip nat inside source static' command; it is used with 'ip nat outside source static' or in some IOS versions for route injection, but it is not required for basic static NAT to function.

534
MCQmedium

A network engineer runs the following command to troubleshoot a BFD issue: R1# debug bfd event *Mar 1 00:12:34.567: BFD: [R1-to-R2] state DOWN -> UP (async) *Mar 1 00:12:34.568: BFD: [R1-to-R2] echo mode enabled, min-echo-rx-interval 50 ms *Mar 1 00:12:34.569: BFD: [R1-to-R2] starting echo timer, interval 50 ms *Mar 1 00:12:34.570: BFD: [R1-to-R2] sending async packet, state UP, interval 300 ms What does this output indicate?

A.BFD session is flapping between DOWN and UP states.
B.BFD session is established and echo mode is active.
C.BFD session is down due to echo failure.
D.BFD async interval is misconfigured at 300 ms.
AnswerB

The output confirms BFD session is UP, echo mode enabled, and timers are running.

Why this answer

The debug output shows BFD session transitioning from DOWN to UP, with echo mode enabled and the async interval set to 300 ms. This indicates a successful BFD session establishment.

535
MCQhard

An engineer configures a DMVPN Phase 2 network. Spoke routers can communicate with the hub, but spoke-to-spoke traffic is not establishing dynamically. The engineer verifies that NHRP is configured and that the hub is configured as an NHRP server. Which is the most likely explanation?

A.The hub is not configured with 'no ip next-hop-self' for the routing protocol on the tunnel interface
B.NHRP authentication is mismatched between spokes
C.The spoke routers have not enabled NHRP redirect
D.The tunnel mode is set to GRE multipoint on the spokes
AnswerA

Correct. In Phase 2, the hub must not change the next-hop to itself; otherwise, spokes cannot build direct tunnels.

Why this answer

In DMVPN Phase 2, spoke-to-spoke tunnels require that the spoke routers have a route to the remote spoke's tunnel IP address via the hub. This is achieved by the hub advertising the spoke's prefix with the next-hop set to the spoke's tunnel IP. However, if the hub does not configure 'no ip next-hop-self eigrp' (or similar for the routing protocol), the hub will set the next-hop to itself, preventing the spoke from directly reaching the remote spoke.

This is a common edge case because the default behavior of routing protocols is to set the next-hop to the router's own IP.

536
MCQhard

A network engineer is troubleshooting NAT for a VPN tunnel. The router has a static NAT rule 'ip nat inside source static 10.0.0.10 203.0.113.10' for a server. The VPN traffic from the remote site to 203.0.113.10 is being NATed to 10.0.0.10, but the return traffic from the server to the remote site is not being translated back. The engineer sees that the server sends packets with source 10.0.0.10 to the remote site's public IP. What should the engineer do to fix this?

A.Add an 'ip nat outside' command on the inside interface.
B.Configure a route-map to exempt the VPN traffic from NAT.
C.Ensure that the router has a route to the remote site's public IP via the outside interface, and that the static NAT entry is correctly applied.
D.Change the static NAT to 'ip nat inside source static 10.0.0.10 203.0.113.10 extendable'.
AnswerC

Correct because if the return traffic from the server is routed out a different interface (e.g., a VPN tunnel interface), the NAT might not be applied; the router needs to route the traffic via the outside interface where NAT is configured.

Why this answer

The issue is that the router lacks a route back to the remote site's public IP via the outside interface, or the static NAT entry is not correctly applied for the return traffic. Without a proper route, the router cannot determine that the return packets (from the inside server 10.0.0.10 to the remote public IP) should be translated back to 203.0.113.10. Ensuring the route exists and the static NAT is correctly configured allows the router to perform the reverse translation and forward the traffic out the outside interface.

Exam trap

Cisco often tests the misconception that NAT issues are always due to missing 'ip nat outside' or 'extendable' keywords, when the real problem is a missing route or incorrect interface assignment for the return traffic.

How to eliminate wrong answers

Option A is wrong because 'ip nat outside' is placed on the interface facing the public network, not the inside interface; adding it on the inside interface would break NAT processing. Option B is wrong because the static NAT is explicitly intended to translate the server's private IP to a public IP for VPN traffic; exempting VPN traffic from NAT would prevent the translation entirely, breaking connectivity. Option D is wrong because the 'extendable' keyword allows multiple static NAT entries for the same inside local address but does not address the routing or translation of return traffic; the core problem is a missing route or misapplied NAT entry.

537
MCQeasy

What is the default action for a packet that does not match any route-map entry in a PBR policy?

A.The packet is dropped.
B.The packet is forwarded using the routing table.
C.The packet is sent to the CPU for processing.
D.The router sends an ICMP unreachable message.
AnswerB

This is the default behavior for unmatched packets.

Why this answer

If no route-map entry matches, the packet is forwarded using the normal routing table lookup. PBR does not drop unmatched packets by default.

538
MCQeasy

A network engineer runs the following command on Router R1: R1# show ipv6 access-list FILTER-IPv6 IPv6 access list FILTER-IPv6 permit ipv6 2001:DB8:1::/48 any sequence 10 deny ipv6 any any sequence 20 Based on this output, what is the effect of this access list when applied to an interface?

A.It permits all IPv6 traffic
B.It denies all IPv6 traffic from 2001:DB8:1::/48
C.It permits only IPv6 traffic from 2001:DB8:1::/48 and denies everything else
D.It permits all IPv6 traffic except from 2001:DB8:1::/48
AnswerC

Sequence 10 permits the prefix, sequence 20 denies all other traffic.

Why this answer

The access list FILTER-IPv6 has two entries: a permit statement for source 2001:DB8:1::/48 to any destination (sequence 10), followed by an implicit deny all (sequence 20). When applied to an interface, only traffic matching the permit entry is allowed; all other IPv6 traffic is denied by the implicit deny rule at the end of the list. This results in permitting only traffic from the specified prefix and denying everything else.

Exam trap

Cisco often tests the implicit deny all at the end of an access list, and the trap here is that candidates may overlook the deny ipv6 any any entry (sequence 20) or assume it is not present, leading them to incorrectly think the ACL permits all traffic (Option A) or permits all except the specified prefix (Option D).

How to eliminate wrong answers

Option A is wrong because the access list includes an explicit deny ipv6 any any (sequence 20), which blocks all traffic not matching the permit statement, so it does not permit all IPv6 traffic. Option B is wrong because the permit statement allows traffic from 2001:DB8:1::/48, not deny it; the deny statement applies to all other traffic. Option D is wrong because the permit statement allows traffic from 2001:DB8:1::/48, not deny it, and the deny statement blocks all other traffic, so the effect is the opposite of what is described.

539
MCQhard

A network engineer configures SNMPv3 with authentication and privacy on a router. The NMS can poll the router successfully. After a router reload, the NMS fails to poll the router, but the SNMP configuration is unchanged. Which is the most likely explanation?

A.The SNMP engine ID changed after the reload because it was not explicitly configured, causing authentication keys to be recalculated.
B.The router lost its SNMP configuration due to a failed startup config.
C.The NMS's SNMPv3 credentials were deleted during the reload.
D.The router's SNMP process failed to start after reload.
AnswerA

SNMPv3 keys are derived from the engine ID; if the engine ID changes, the NMS must be reconfigured with the new engine ID or the router must have a persistent engine ID configured.

Why this answer

The correct answer is A because SNMPv3 uses the engine ID as a seed to generate authentication and privacy keys. If the engine ID is not explicitly configured, it is automatically derived from the router's MAC address or other unique identifier. After a reload, the engine ID may change (e.g., due to a different interface coming up first), causing the NMS to recalculate keys that no longer match the router's keys, breaking authentication even though the configuration appears unchanged.

Exam trap

Cisco often tests the subtle behavior that SNMPv3 keys are tied to the engine ID, and candidates mistakenly assume that unchanged SNMP configuration guarantees continued operation after a reload.

How to eliminate wrong answers

Option B is wrong because the router's SNMP configuration is stored in the startup config and would survive a reload unless explicitly erased; a failed startup config would cause a complete loss of all configurations, not just SNMP. Option C is wrong because the NMS's credentials are stored locally on the NMS, not on the router, and a router reload does not affect the NMS's stored data. Option D is wrong because the SNMP process is part of the router's IOS and starts automatically with the system; if it failed to start, other services would also be affected, and the question states the SNMP configuration is unchanged, implying the process is running.

540
MCQhard

R1 and R2 are OSPF neighbors over a tunnel interface with BFD enabled. R1#show ip ospf interface tunnel0 shows 'BFD is enabled' but R1#show bfd neighbors shows the session as 'Down'. R2#show bfd neighbors shows the session as 'Down'. The tunnel is up and OSPF adjacency is full. R1 has 'bfd interval 100 min_rx 100 multiplier 3' under tunnel0. R2 has same. What is the root cause?

A.BFD is not supported over tunnel interfaces; it requires physical interfaces.
B.The tunnel mode must be changed to 'ipsec' for BFD to work.
C.OSPF must be configured with 'bfd all-interfaces' to work over tunnels.
D.The BFD timers must be increased for tunnel interfaces.
AnswerA

BFD cannot be used over tunnel interfaces because BFD requires direct layer 2 connectivity; tunnels are layer 3 virtual interfaces.

Why this answer

BFD over tunnel interfaces requires that the underlying transport (e.g., GRE) supports BFD. BFD cannot be established over a tunnel if the tunnel endpoint IP addresses are not directly connected; BFD requires physical connectivity. Since OSPF is full, the tunnel is working, but BFD fails because the tunnel is considered a virtual interface and BFD expects a direct physical link.

541
Multi-Selecthard

Which TWO statements about the configuration of an ERSPAN destination session are correct? (Choose TWO.)

Select 2 answers
A.The destination session must be configured with 'monitor session <session> type erspan-destination'.
B.The source of the destination session must specify the 'erspan-id' and the source IP address of the ERSPAN tunnel.
C.The destination session can have multiple destination interfaces to send the decapsulated traffic to multiple analyzers.
D.The destination session automatically creates a GRE tunnel interface that appears in 'show ip interface brief'.
E.The destination session must be in the same VRF as the source session's destination IP to ensure reachability.
AnswersA, B

Correct. The 'type erspan-destination' keyword is required to define the session as an ERSPAN destination.

Why this answer

ERSPAN destination sessions are configured with 'type erspan-destination'. The source must specify the ERSPAN ID and the source IP address (the same as the destination IP of the source session). The destination is a local interface.

The session automatically places itself in the same VRF as the incoming ERSPAN traffic, so no explicit VRF configuration is needed. Option E is incorrect because it implies manual VRF configuration is required.

542
Multi-Selecthard

Which TWO statements about redistributing connected routes into a routing protocol are true? (Choose TWO.)

Select 2 answers
A.The 'redistribute connected' command will redistribute all interfaces that are up/up, including loopback interfaces, unless filtered.
B.To redistribute only specific connected interfaces, a route map with 'match interface' can be used with the 'redistribute connected' command.
C.The 'redistribute connected' command requires a corresponding 'network' statement under the routing protocol to include those interfaces.
D.Redistributing connected routes automatically includes the default route (0.0.0.0/0) if one is present.
E.The 'redistribute connected' command is only available in OSPF and EIGRP, not in other routing protocols like RIP.
AnswersA, B

Correct. By default, 'redistribute connected' redistributes all active connected interfaces, including loopbacks, unless a route map or distribute list filters them out.

Why this answer

The 'redistribute connected' command redistributes all interfaces that are in an up/up state, including loopback interfaces, unless filtered by a route map or distribute list. To redistribute only specific connected interfaces, a route map with 'match interface' can be used. No corresponding 'network' statement is required, and the default route is not automatically included.

This command is available in OSPF, EIGRP, and other routing protocols like RIP.

543
MCQhard

An engineer configures BGP between two iBGP peers in the same AS. The engineer sets 'next-hop-self' on the neighbor statement. However, the routes received from the iBGP peer still show the original next-hop as unreachable. What is the most likely explanation?

A.The 'next-hop-self' command was applied under the wrong address-family.
B.The 'next-hop-self' command is not supported for iBGP peers.
C.The 'synchronization' command is enabled, causing the next-hop to be preserved.
D.The 'bgp bestpath as-path multipath-relax' command is interfering.
AnswerA

In BGP, 'next-hop-self' can be configured per address-family. If it is applied under the IPv4 unicast address-family but the routes are being exchanged in a different address-family (e.g., VPNv4), it will not take effect.

Why this answer

The 'next-hop-self' command in BGP modifies the next-hop attribute for routes advertised to the neighbor. However, if the route is received from an eBGP peer and then advertised to an iBGP peer, the next-hop is changed only for the iBGP peer if 'next-hop-self' is configured. But if the iBGP peer is also a route reflector client, the route reflector does not change the next-hop unless 'next-hop-self' is configured on the route reflector itself.

The edge case here is that the engineer may have configured 'next-hop-self' on the wrong router or the command is applied to the wrong address-family.

544
MCQmedium

A network engineer is troubleshooting a site-to-site VPN between two Cisco routers. The tunnel is up, but traffic is not passing. On R1, the engineer issues the command 'show crypto map' and sees that the crypto map is applied to the outbound interface. What is the most likely cause of the traffic failure?

A.The crypto map is applied to the wrong interface.
B.The access-list in the crypto map does not permit the traffic.
C.The ISAKMP policy is misconfigured.
D.The transform set is incorrect.
AnswerA

The crypto map must be applied to the interface that faces the remote peer. Applying it to the wrong interface prevents encryption of traffic, even if the tunnel is up. Note that crypto maps are applied to the interface itself, not a specific direction.

Why this answer

The crypto map must be applied to the interface through which VPN traffic exits. If it is applied to the wrong interface (e.g., a loopback or a LAN interface instead of the WAN-facing interface), the router will not encrypt outbound traffic or decrypt inbound traffic for the VPN, even though the tunnel (ISAKMP/IPsec SA) may be established. The show crypto map output confirming the map is on the outbound interface indicates a misapplication, as the correct interface is the one facing the remote peer.

Exam trap

Cisco often tests the misconception that a tunnel being up guarantees traffic flow, but the trap here is that the crypto map must be applied to the correct interface (the one with the route to the remote peer) for encryption to occur, and candidates may overlook this by focusing on ACL or policy issues instead.

How to eliminate wrong answers

Option B is wrong because if the access-list in the crypto map does not permit the traffic, the tunnel would still be up (since IKE and IPsec SAs can form for permitted traffic), but no interesting traffic would trigger encryption; however, the question states the tunnel is up, and the issue is traffic not passing, which could also be caused by ACL mismatch, but the given clue about the crypto map being on the outbound interface points directly to interface misapplication. Option C is wrong because a misconfigured ISAKMP policy would prevent the tunnel from coming up (Phase 1 failure), but the tunnel is up, so ISAKMP negotiation succeeded. Option D is wrong because an incorrect transform set would cause Phase 2 negotiation to fail, preventing the IPsec SA from forming, but the tunnel being up implies both Phase 1 and Phase 2 completed successfully.

545
MCQhard

An engineer configures an EEM applet to monitor CoPP (Control Plane Policing) drops using the event syslog pattern 'COPP-3-DROP'. The applet is intended to log when CoPP drops packets. The CoPP policy is applied with a rate-limit in bps, but the traffic exceeds the rate, and packets are dropped. The EEM applet does not trigger. Which is the most likely explanation?

A.CoPP does not generate syslog messages for individual drops unless the 'log' keyword is configured in the policy.
B.The EEM applet must use 'event class-map' to capture CoPP events.
C.The rate-limit in bps is incorrect; it should be in pps to generate syslog.
D.The CoPP policy must be applied to the input direction only for drops to be logged.
AnswerA

Correct. CoPP drops are not logged by default; the 'log' keyword must be added to the police action.

Why this answer

CoPP generates syslog messages only when the drop rate exceeds a certain threshold or when the policy is applied, not for every individual drop. By default, CoPP does not generate syslog messages for every dropped packet because it would overwhelm the router. The 'COPP-3-DROP' syslog is generated only if the 'police' action includes the 'log' keyword or if the drop rate is significant enough to trigger a log.

Without explicit logging configuration in the CoPP policy, no syslog is generated, and the EEM applet will not trigger.

546
MCQhard

An OSPF network is experiencing routing loops between two routers. R1 has the following configuration: interface GigabitEthernet0/0 ip address 10.1.1.1 255.255.255.0 ip ospf network point-to-point. R2 has: interface GigabitEthernet0/0 ip address 10.1.1.2 255.255.255.0 ip ospf network broadcast. Both routers are in area 0. R1 shows: 'show ip ospf neighbor' lists R2 as FULL/DR, but R2 shows R1 as FULL/DROTHER. Traffic between two subnets behind each router is looping. What is the root cause?

A.The OSPF network type mismatch causes both routers to become DR/BDR, leading to incorrect LSA generation and routing loops.
B.The IP addresses are on the same subnet, but the OSPF cost is set differently, causing unequal cost load balancing.
C.The OSPF hello and dead intervals are mismatched due to the network type, causing the adjacency to flap.
D.The OSPF area is misconfigured; one router is in a different area.
AnswerA

R1's point-to-point configuration means it does not participate in DR election, so R2 becomes DR. R1 treats the link as a point-to-point link and may not advertise the correct type 2 LSA, while R2 advertises a type 2 LSA. This mismatch can cause R1 to learn routes via R2 and R2 to learn routes via R1, creating a loop.

Why this answer

OSPF network type mismatch on a multi-access link can cause adjacency issues. R1 is configured as point-to-point, which does not participate in DR/BDR election and expects a point-to-point link. R2 is configured as broadcast, which expects a DR/BDR election.

This mismatch can cause both routers to form an adjacency (since OSPF still works), but they have different views of the network. R1 thinks the link is point-to-point and does not expect a DR, so it may advertise the link as a stub network or with different metrics. R2 thinks it is the DR (since R1 is not participating in election), and it advertises the link as a transit network.

This inconsistency can cause routing loops because R1 may advertise a route via R2, and R2 may advertise the same route via R1, creating a loop. The correct fix is to match the network type on both ends.

547
MCQmedium

Examine the following partial configuration: ip access-list extended MGMT_ACCESS permit tcp 10.0.0.0 0.255.255.255 any eq 22 permit tcp 10.0.0.0 0.255.255.255 any eq 443 deny ip any any ! line vty 0 4 access-class MGMT_ACCESS in transport input ssh login local What is the effect of the 'access-class' command?

A.Only SSH and HTTPS connections from the 10.0.0.0/8 network are allowed to the VTY lines.
B.The ACL filters traffic leaving the VTY lines, allowing SSH and HTTPS from any source.
C.All traffic from the 10.0.0.0/8 network is permitted to the router.
D.The configuration is missing 'permit ip any any' to allow other management protocols.
AnswerA

The ACL permits TCP ports 22 and 443 from the specified source, and the access-class filters inbound VTY connections.

Why this answer

The `access-class` command applied to VTY lines with the `in` keyword filters inbound Telnet/SSH sessions to the router. The ACL `MGMT_ACCESS` permits TCP ports 22 (SSH) and 443 (HTTPS) from source network 10.0.0.0/8, and denies all other traffic. This restricts management access to only SSH and HTTPS connections originating from the 10.0.0.0/8 network.

Exam trap

Cisco often tests the distinction between `access-class` (applied to VTY lines for management access control) and `access-group` (applied to interfaces for transit traffic), leading candidates to confuse the direction or scope of the ACL.

How to eliminate wrong answers

Option B is wrong because the `in` keyword on `access-class` filters traffic entering the VTY lines (inbound to the router), not traffic leaving them. Option C is wrong because the ACL only permits TCP ports 22 and 443, not all traffic from 10.0.0.0/8; the implicit deny at the end blocks everything else. Option D is wrong because the configuration is complete as intended; adding `permit ip any any` would bypass the security restriction and allow all management protocols, which contradicts the purpose of the ACL.

548
Multi-Selecthard

Which TWO statements correctly describe the behavior of Policy-Based Routing (PBR) when using the 'set ip next-hop' and 'set ip default next-hop' commands? (Choose TWO.)

Select 2 answers
A.The 'set ip next-hop' command overrides the routing table only when the next-hop address is reachable; if unreachable, the packet is dropped unless a default route exists.
B.The 'set ip default next-hop' command is used to forward packets that match the route-map permit statement, regardless of whether a route exists in the routing table.
C.The 'set ip next-hop verify-availability' feature uses ICMP echo requests to verify next-hop reachability before applying PBR.
D.When using 'set interface' in a PBR route map, the router forwards the packet out the specified interface without requiring a next-hop IP address, but the interface must be up/up.
E.If a route map with 'set ip next-hop' is applied inbound on an interface, PBR processes only the first packet of a flow; subsequent packets use the routing table.
AnswersA, D

Correct. PBR with 'set ip next-hop' requires the next hop to be reachable; if not, the packet is forwarded using the routing table (if a default route exists) or dropped.

Why this answer

PBR uses route maps to override the routing table. The 'set ip next-hop' command is applied only if the packet matches the match criteria; if the next hop is unreachable, the packet is dropped (unless a default route exists). The 'set ip default next-hop' command is used only when the routing table has no explicit route for the destination.

The 'set ip next-hop verify-availability' option tracks reachability using CEF. The 'set interface' command does not require a next-hop IP but can be used for directly connected networks.

549
MCQeasy

What is the default uRPF mode when 'ipv6 verify unicast source reachable-via' is configured without any keyword?

A.Loose mode (any)
B.Strict mode (rx)
C.No uRPF is applied
D.Only default routes are allowed
AnswerB

Without keywords, the router uses strict uRPF, checking the source is reachable via the receiving interface.

Why this answer

When 'ipv6 verify unicast source reachable-via' is configured without any keyword, the default mode is strict (rx). In strict mode, the router checks that the source address of an incoming IPv6 packet is reachable via the exact interface on which the packet was received, using the FIB. This prevents source address spoofing by ensuring the return path matches the ingress interface.

Exam trap

Cisco often tests the default behavior of commands without keywords, and the trap here is that candidates mistakenly assume 'ipv6 verify unicast source reachable-via' defaults to loose mode or requires an explicit keyword to enable uRPF, when in fact strict mode is the default.

How to eliminate wrong answers

Option A is wrong because loose mode (any) requires the explicit 'any' keyword; without it, the default is strict, not loose. Option C is wrong because the command explicitly applies uRPF; omitting a keyword does not disable uRPF but defaults to strict mode. Option D is wrong because uRPF strict mode does not allow only default routes; it checks reachability via the FIB for any route, not just default routes.

550
MCQmedium

Examine this BGP configuration on router R3: router bgp 65003 bgp router-id 3.3.3.3 neighbor 10.3.3.2 remote-as 65002 neighbor 10.3.3.2 ebgp-multihop 2 neighbor 10.3.3.2 update-source Loopback0 ! interface Loopback0 ip address 3.3.3.3 255.255.255.255 What is the likely issue with this configuration?

A.The ebgp-multihop value should be 1 for directly connected neighbors.
B.The neighbor 10.3.3.2 must be reachable via the loopback address 3.3.3.3; otherwise, the session will not come up.
C.The remote-as 65002 should be the same as the local AS for eBGP.
D.The update-source command is not needed when using ebgp-multihop.
AnswerB

BGP uses the update-source address as the source IP; the neighbor must be able to reach that IP.

Why this answer

The ebgp-multihop 2 allows the neighbor to be two hops away, but the update-source is set to Loopback0 (3.3.3.3). The neighbor 10.3.3.2 must be reachable via the loopback. If 10.3.3.2 is not reachable from 3.3.3.3, the session will not establish.

551
MCQhard

A network engineer configures EEM to monitor BGP prefix limits on R1. R1 has: event manager applet BGP-PREFIX event syslog pattern "%BGP-3-PREFIX_LIMIT" action 1.0 cli command "enable" action 2.0 cli command "clear ip bgp 10.1.1.2" action 3.0 syslog msg "Cleared BGP session". Router R2 shows: BGP session with R1 is flapping, and logs show repeated prefix limit warnings. What is the root cause?

A.The EEM applet clears the BGP session, which resets the prefix count but does not prevent the neighbor from re-sending the same prefixes.
B.The syslog pattern is incorrect; it should be %BGP-4-PREFIX_LIMIT.
C.The clear command should be 'clear ip bgp *' to reset all sessions.
D.The BGP session is flapping due to a keepalive timer mismatch.
AnswerA

Clearing the session only provides temporary relief; the prefix limit is hit again after re-establishment.

Why this answer

The EEM applet clears the BGP session when a prefix limit is reached, but this does not solve the underlying issue. The prefix limit is exceeded because the neighbor is sending too many prefixes; clearing the session only temporarily resets the count, leading to a cycle. The correct fix is to increase the prefix limit or filter prefixes.

552
MCQmedium

A network engineer runs the following command on Router R1: R1# show ipv6 route | include Tunnel O 2001:DB8:1::/48 [110/2] via FE80::1, Tunnel0 O 2001:DB8:2::/48 [110/3] via FE80::2, Tunnel1 Based on this output, which statement is correct?

A.The routes are learned via EIGRP.
B.The tunnels are using IPv4 as the transport.
C.OSPFv3 is running over the tunnel interfaces and these routes are reachable.
D.Tunnel0 has a higher metric than Tunnel1.
AnswerC

The OSPF routes are present with next-hop addresses via tunnel interfaces.

Why this answer

The output shows OSPF routes (indicated by 'O') learned over tunnel interfaces. Since the routes are IPv6 (2001:DB8::/48) and OSPFv3 is the IPv6-capable version of OSPF, the correct interpretation is that OSPFv3 is running over the tunnels. The 'via FE80::1, Tunnel0' confirms the next hop is a link-local address reachable through the tunnel, meaning the routes are reachable via OSPFv3 over those tunnels.

Exam trap

Cisco often tests the distinction between OSPFv3 and OSPFv2 by using the route code 'O' in IPv6 routing tables, leading candidates to mistakenly think it could be EIGRP or that the transport must be IPv4, when in fact 'O' always means OSPF in any routing table context.

How to eliminate wrong answers

Option A is wrong because the route code 'O' indicates OSPF, not EIGRP (which would show 'D' for EIGRP). Option B is wrong because the output shows IPv6 next-hop addresses (FE80::1, FE80::2) and IPv6 prefixes, so the tunnels are using IPv6 as the transport, not IPv4. Option D is wrong because a higher administrative distance value (110/3) indicates a worse metric, not better; Tunnel0 has a metric of 2 (lower) and Tunnel1 has a metric of 3 (higher), so Tunnel0 actually has a lower (better) metric.

553
MCQmedium

Consider the following configuration on router R1: crypto isakmp policy 10 encryption aes 256 authentication pre-share group 14 lifetime 86400 ! crypto isakmp key cisco123 address 192.168.1.2 ! crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac mode tunnel ! crypto map CMAP 10 ipsec-isakmp set peer 192.168.1.2 set transform-set TSET match address 101 ! interface GigabitEthernet0/1 ip address 192.168.1.1 255.255.255.0 crypto map CMAP ! access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255 If the remote peer has an ISAKMP policy with encryption 3des, what will happen?

A.The tunnel will use 3DES because the remote peer's policy is accepted.
B.IKE phase 1 will fail due to encryption algorithm mismatch.
C.The router will automatically adjust to use 3DES.
D.The tunnel will establish but use AES 256 anyway.
AnswerB

The encryption algorithm must match; AES 256 vs 3DES is a mismatch.

Why this answer

IKE phase 1 requires both peers to have a matching ISAKMP policy, including the encryption algorithm. Since R1 is configured with AES 256 and the remote peer uses 3DES, there is no common proposal, causing phase 1 to fail. Cisco IOS does not automatically negotiate or fall back to a different encryption algorithm; the mismatch results in a failed IKE SA.

Exam trap

Cisco often tests the misconception that IKE will automatically negotiate or fall back to a weaker algorithm, but in reality, IKE phase 1 requires an exact match of all policy parameters, and a mismatch causes the entire VPN to fail.

How to eliminate wrong answers

Option A is wrong because IKE phase 1 does not simply accept the remote peer's policy; both peers must have a matching proposal, and a mismatch causes failure. Option C is wrong because Cisco IOS does not automatically adjust encryption algorithms; each peer must have a compatible policy configured. Option D is wrong because the tunnel cannot establish if IKE phase 1 fails; no IPsec SA can be created without a successful IKE SA.

554
MCQmedium

A network engineer runs the following command on Router R1: R1# show bgp ipv4 unicast 10.3.3.0/24 BGP routing table entry for 10.3.3.0/24, version 10 Paths: (2 available, best #2, table default) Advertised to update-groups: 1 Refresh Epoch 1 65003 65004 10.1.13.3 from 10.1.13.3 (10.3.3.3) Origin IGP, metric 0, localpref 100, valid, external rx pathid: 0, tx pathid: 0 Refresh Epoch 1 65005 10.1.15.5 from 10.1.15.5 (10.5.5.5) Origin IGP, metric 0, localpref 200, valid, external, best rx pathid: 0, tx pathid: 0x0 Based on this output, why is the path via 10.1.15.5 chosen as best?

A.Because it has a shorter AS path (65005 vs 65003 65004).
B.Because it has a higher local preference of 200.
C.Because it has a lower metric (0 vs 0).
D.Because it was learned from a lower neighbor IP address.
AnswerB

Local preference is compared before AS path length. The path with localpref 200 is preferred over 100.

Why this answer

BGP selects the best path based on several criteria. Here, both paths are external, valid, and have the same weight (default 0). The path via 10.1.15.5 has a higher local preference (200 vs 100), which is the first tiebreaker after weight.

Therefore, it is chosen as best.

555
MCQeasy

According to Cisco IOS default behavior, if a router learns the same route via both RIP and OSPF, which route will be installed in the routing table?

A.The RIP route, because RIP has a lower metric.
B.The OSPF route, because OSPF has a lower administrative distance.
C.Both routes are installed, and load balancing occurs.
D.Neither route is installed; the router will use a default route.
AnswerB

OSPF AD 110 < RIP AD 120.

Why this answer

OSPF has a default AD of 110, RIP has 120. Lower AD is preferred, so OSPF route is installed.

556
MCQmedium

Which statement correctly describes the behavior of ISATAP tunneling regarding host configuration?

A.ISATAP requires manual configuration of the entire IPv6 address on each host.
B.ISATAP uses the prefix 2002::/16 for global addresses.
C.ISATAP embeds the IPv4 address into the interface identifier (last 64 bits) of the IPv6 address.
D.ISATAP is only used for site-to-site tunnels.
AnswerC

ISATAP uses the format ::5EFE:IPv4-address for the interface identifier.

Why this answer

ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) automatically generates the IPv6 address by embedding the host's IPv4 address into the interface identifier (the last 64 bits of the IPv6 address). This allows hosts to obtain a complete IPv6 address without manual configuration of the full 128-bit address, as the IPv4 address is used to form the unique interface ID. Option C correctly describes this behavior.

Exam trap

Cisco often tests the distinction between ISATAP and 6to4 tunneling, and the trap here is confusing the 2002::/16 prefix (used by 6to4) with ISATAP's use of a site-specific prefix and the embedded IPv4 address in the interface ID.

How to eliminate wrong answers

Option A is wrong because ISATAP does not require manual configuration of the entire IPv6 address; it automatically derives the interface identifier from the IPv4 address, and the prefix can be obtained via router discovery or DHCPv6. Option B is wrong because the prefix 2002::/16 is used by 6to4 tunneling, not ISATAP; ISATAP typically uses a site-specific unicast prefix (e.g., a global or unique local prefix) advertised by an ISATAP router. Option D is wrong because ISATAP is designed for host-to-router and host-to-host tunnels within a site, not exclusively for site-to-site tunnels; site-to-site tunnels are typically implemented with manual IPv6-in-IPv4 tunnels or GRE tunnels.

557
MCQmedium

An engineer configures NAT overload on a router. The inside network uses 172.16.0.0/16, and the outside interface is 198.51.100.1. The engineer uses 'ip nat inside source list 1 interface GigabitEthernet0/0 overload'. ACL 1 permits 172.16.0.0 0.0.255.255. Traffic works, but the engineer notices that the router's CPU utilization is high, and 'show ip nat translations' shows thousands of entries. What is the most likely cause?

A.The router is under a DDoS attack generating many NAT translations.
B.The NAT translation timeout is set too high, causing old entries to remain.
C.The ACL is too permissive, allowing traffic from outside to initiate NAT.
D.The outside interface is using a different IP than configured.
AnswerB

Correct because if the timeout (e.g., 'ip nat translation timeout') is high, entries for short-lived flows (like DNS) stay longer, accumulating and consuming CPU.

Why this answer

The high CPU utilization and thousands of NAT translations indicate that the router is maintaining an excessive number of translation entries. The default NAT timeout for TCP is 86400 seconds (24 hours) and for UDP is 300 seconds. If the timeout is set too high, old entries are not cleared promptly, causing the translation table to grow large and consuming CPU resources for lookups and maintenance.

This is the most likely cause given the symptoms.

Exam trap

Cisco often tests the misconception that high CPU and many NAT entries are always due to an attack or ACL misconfiguration, when the real issue is often the NAT translation timeout being too high, causing stale entries to accumulate.

How to eliminate wrong answers

Option A is wrong because a DDoS attack would typically cause a sudden spike in traffic and translations, but the scenario describes a steady accumulation of thousands of entries over time, which aligns with timeout issues rather than an attack. Option C is wrong because the ACL is used to define which inside source addresses are eligible for NAT, not to control outside-initiated traffic; outside-initiated NAT requires 'ip nat outside source' or static NAT, and the overload configuration only translates inside sources. Option D is wrong because if the outside interface IP were different, NAT translations would fail or not be created, not result in thousands of entries; the command references the interface, so the router uses its configured IP automatically.

558
Multi-Selecthard

Which TWO statements about the interaction between administrative distance and floating static routes are true? (Choose TWO.)

Select 2 answers
A.A floating static route must have an administrative distance higher than the primary route's AD to serve as a backup.
B.The default administrative distance for a static route is 0.
C.A floating static route will be installed in the routing table immediately after the primary route is removed, even if the next-hop is unreachable.
D.The 'ip route' command can be used to configure a floating static route by specifying an administrative distance value.
E.A floating static route can only be used with OSPF as the primary routing protocol.
AnswersA, D

Correct. The floating static route is configured with a higher AD so it is only used when the primary route (with lower AD) is not available.

Why this answer

A floating static route is a static route with an administrative distance greater than the dynamic routing protocol's AD, so it only appears in the routing table when the dynamic route is lost. The default AD for a static route is 1, but it can be changed. The floating static route will be installed when the primary route (with lower AD) is removed.

The backup route must have a higher AD than the primary route. The distance command under the routing protocol does not affect the static route's AD.

559
MCQhard

A network engineer runs the following command on Router R1: R1# show ip bgp neighbors 192.168.1.2 advertised-routes BGP table version is 14, local router ID is 10.1.1.1 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path *> 10.10.10.0/24 192.168.1.2 0 0 65001 i *> 10.20.20.0/24 192.168.1.2 0 0 65001 i Total number of prefixes 2 Based on this output, what is a likely issue?

A.The neighbor 192.168.1.2 is not receiving all routes because a route-map is filtering them.
B.The BGP session is down because there are no prefixes advertised.
C.The router is not receiving updates from its peers.
D.The prefix-list is misconfigured and blocking all routes.
AnswerA

Only two prefixes are advertised; a route-map applied to the neighbor could be restricting the advertisement.

Why this answer

The output shows only two prefixes advertised to the neighbor, but the network likely has more routes. The route-map applied to the neighbor may be filtering routes. The correct answer identifies that a route-map is likely filtering out other prefixes.

560
Drag & Dropmedium

Drag and drop the steps to verify and validate the MPLS L3VPN operational state into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Start by checking the VRF routing table with 'show ip route vrf <name>' to confirm CE routes are present. Then verify that VPNv4 routes are installed using 'show bgp vpnv4 unicast all'. Next, confirm the MPLS forwarding entry for a specific prefix with 'show mpls forwarding-table'.

After that, test end-to-end connectivity with a ping from the CE to a remote CE. Finally, validate that the label stack is correctly imposed using 'show ip cef vrf <name> <prefix>'.

561
MCQhard

An engineer configures ERSPAN on a Cisco router to send mirrored traffic to a remote collector via IP. The collector receives the ERSPAN packets, but the payload appears truncated or malformed. What is the most likely cause?

A.The ERSPAN GRE encapsulation adds overhead exceeding the path MTU, causing fragmentation or drop.
B.The collector is not configured to reassemble IP fragments.
C.The ERSPAN session is configured with the wrong source interface, causing incorrect IP headers.
D.The router has IPsec configured on the egress interface, encrypting the ERSPAN packets.
AnswerA

ERSPAN adds 50 bytes of overhead; if the original packet is near MTU, the encapsulated packet exceeds it, leading to fragmentation or loss.

Why this answer

ERSPAN encapsulates mirrored packets in GRE with an additional ERSPAN header. The MTU of the path between the source and collector must accommodate the extra overhead (typically 50 bytes for GRE + ERSPAN). If the path MTU is too small, packets are fragmented or dropped, causing truncation.

562
MCQmedium

Which DHCPv4 option is used by a client to request a specific IP address in the DHCPREQUEST message?

A.Option 12 (Host Name)
B.Option 50 (Requested IP Address)
C.Option 54 (Server Identifier)
D.Option 51 (IP Address Lease Time)
AnswerB

Option 50 carries the requested IP address in DHCPREQUEST.

Why this answer

Option B is correct because DHCPv4 Option 50 (Requested IP Address) is specifically used by a client in the DHCPREQUEST message to request a previously offered IP address or to attempt to renew a specific address. This option allows the client to indicate which IP address it wants to use, ensuring the server can confirm or deny the request based on availability and policy.

Exam trap

Cisco often tests the distinction between Option 50 (Requested IP Address) and Option 54 (Server Identifier), as candidates may confuse the client's request for a specific IP with the server identification used in unicast DHCPREQUEST messages during the selection phase.

How to eliminate wrong answers

Option A is wrong because Option 12 (Host Name) is used to convey the client's hostname to the DHCP server, not to request a specific IP address. Option C is wrong because Option 54 (Server Identifier) is used by the client to identify which DHCP server it is responding to, typically in a DHCPREQUEST sent during the selection phase, but it does not request a specific IP address. Option D is wrong because Option 51 (IP Address Lease Time) is used to request or specify the lease duration for an IP address, not to request a particular IP address itself.

563
MCQmedium

A network engineer notices that a router is sending SNMP traps for interface state changes even when there is no actual interface flapping. The engineer checks the running configuration and finds an EEM applet that monitors interface state changes and sends a syslog message. The applet is configured with a trigger condition that matches any interface state change. What should the engineer do to resolve the issue?

A.Remove the EEM applet entirely.
B.Modify the EEM applet trigger to match only the specific interfaces of interest.
C.Increase the debounce timer on the interface to reduce flapping.
D.Disable SNMP traps for interface state changes.
AnswerB

Correct because narrowing the trigger condition prevents false positives while retaining monitoring capability.

Why this answer

The EEM applet is too broadly triggered, causing unnecessary syslog messages that may be interpreted as traps. The engineer should narrow the trigger condition to match only specific interfaces or use a more specific event filter.

564
MCQmedium

A network engineer runs the following command to troubleshoot DHCPv6 guard: R1# debug ipv6 dhcp guard *Mar 1 00:03:45.678: IPv6-DHCP-Guard: R1, Fa0/0, DHCPv6 SOLICIT from fe80::3, client DUID 00010001abcd1234 *Mar 1 00:03:45.678: IPv6-DHCP-Guard: R1, Fa0/0, DHCPv6 SOLICIT from fe80::3 is allowed by policy DHCP-POLICY *Mar 1 00:03:46.901: IPv6-DHCP-Guard: R1, Fa0/0, DHCPv6 ADVERTISE from fe80::4, server DUID 0001000156789012 *Mar 1 00:03:46.901: IPv6-DHCP-Guard: R1, Fa0/0, DHCPv6 ADVERTISE from fe80::4 is blocked by policy DHCP-POLICY What does this output indicate?

A.DHCPv6 guard is allowing client messages but blocking server messages from untrusted sources, preventing rogue DHCPv6 servers.
B.DHCPv6 guard is blocking all DHCPv6 messages, indicating a misconfiguration.
C.DHCPv6 guard is allowing all messages but logging them for analysis.
D.DHCPv6 guard is not configured; the debug output is from default DHCPv6 behavior.
AnswerA

The ADVERTISE from fe80::4 is blocked, which is typical for DHCPv6 guard on untrusted ports.

Why this answer

The debug output shows that DHCPv6 SOLICIT messages from client fe80::3 are allowed by policy DHCP-POLICY, while DHCPv6 ADVERTISE messages from server fe80::4 are blocked by the same policy. This is the expected behavior of DHCPv6 guard: it permits client messages (SOLICIT, REQUEST, etc.) to reach potential servers, but it blocks server messages (ADVERTISE, REPLY, etc.) from untrusted ports to prevent rogue DHCPv6 servers from assigning malicious configurations. Option A correctly identifies this selective filtering.

Exam trap

Cisco often tests the misconception that DHCPv6 guard blocks all DHCPv6 traffic, when in fact it only blocks server messages from untrusted sources, allowing client messages to pass through.

How to eliminate wrong answers

Option B is wrong because DHCPv6 guard is not blocking all messages; client SOLICIT messages are explicitly allowed, so the configuration is not misconfigured to block everything. Option C is wrong because the debug clearly shows messages are being allowed or blocked based on policy, not merely logged for analysis; DHCPv6 guard enforces actions, not just logging. Option D is wrong because DHCPv6 guard is configured and active (policy DHCP-POLICY is referenced), and the debug output is not from default behavior—default DHCPv6 guard would block all server messages from untrusted ports without a policy, but here a specific policy is applied.

565
Multi-Selecthard

Which THREE symptoms indicate a potential OSPFv2 neighbor adjacency problem due to a mismatch in configuration? (Choose THREE.)

Select 3 answers
A.The neighbor state remains stuck in INIT or EXSTART.
B.The neighbor state is 2WAY/DROTHER.
C.The 'show ip ospf neighbor' output shows the neighbor but with a state of DOWN.
D.The 'show ip ospf neighbor' output shows the neighbor but with a state of EXSTART/EXCHANGE.
E.The OSPF routes are missing from the routing table.
AnswersA, D, E

Mismatched parameters (e.g., timers, area ID) often prevent full adjacency, leaving the state in INIT or EXSTART.

Why this answer

A mismatch in hello/dead timers, area ID, or authentication causes neighbors to stay stuck in INIT or EXSTART state. A mismatched MTU can cause stuck in EXSTART/EXCHANGE. A mismatched network type can also cause issues.

Routes missing from the routing table is a symptom of many issues, not specific to mismatches.

566
MCQhard

An engineer configures an IPsec site-to-site VPN between two routers using iBGP for routing. The BGP session comes up, but routes learned from the remote site are not installed in the routing table. The engineer verifies that the IPsec tunnel is up and that the BGP prefixes are present in the BGP table. What is the most likely explanation?

A.The BGP synchronization rule is enabled, and the IGP does not carry the BGP routes, preventing installation.
B.The next-hop address for the BGP routes is the physical interface IP of the remote router, which is not reachable through the tunnel, so the route is not installed.
C.The IPsec transform set uses SHA-2 authentication, which is incompatible with BGP MD5 authentication.
D.The BGP session is using loopback interfaces, and the IPsec tunnel is not configured to encrypt traffic to the loopback.
AnswerB

iBGP does not change the next hop by default. If the BGP session is over the tunnel, but the next hop is the physical IP, the router cannot reach it unless the IGP or a static route points to the tunnel. The fix is to use next-hop-self on the neighbor.

Why this answer

In iBGP, the next-hop for routes learned from an eBGP peer is not changed by default. When the remote router advertises prefixes, it sets the next-hop to its physical interface IP address. If the IPsec tunnel is configured to encrypt traffic between the two routers' tunnel endpoints (e.g., virtual tunnel interfaces or crypto maps applied to physical interfaces), the physical interface IP of the remote router may not be reachable through the tunnel.

BGP will not install a route in the routing table if the next-hop is not reachable via a valid route in the routing table, even if the BGP session is up and the prefixes are in the BGP table.

Exam trap

Cisco often tests the concept that BGP route installation depends on next-hop reachability, and candidates mistakenly assume that a working BGP session and IPsec tunnel guarantee route installation, ignoring the need for the next-hop to be reachable via the routing table.

How to eliminate wrong answers

Option A is wrong because BGP synchronization is a Cisco IOS default that requires the IGP to carry the same prefix before BGP installs it, but this rule is disabled by default in modern IOS versions and is not the most likely cause when the next-hop is unreachable. Option C is wrong because IPsec transform set authentication (SHA-2) and BGP MD5 authentication are independent mechanisms; SHA-2 is used for IPsec packet integrity, while MD5 is used for BGP TCP session authentication, and they do not conflict. Option D is wrong because using loopback interfaces for the BGP session does not inherently prevent route installation; the IPsec tunnel can be configured to encrypt traffic to loopback addresses, and the issue is specifically about next-hop reachability, not the BGP session source/destination.

567
Drag & Dropmedium

Drag and drop the steps to verify and validate Device Access Control operational state into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

First, check the AAA server reachability to ensure the backend is accessible. Then verify the active authentication method list applied globally. Next, confirm the authorization method list for exec or commands.

After that, validate the accounting configuration to track access. Finally, test the actual access control by attempting a remote login.

568
MCQmedium

A network engineer runs the following command on Router R1: R1# show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 10.1.1.2 1 FULL/DROTHER 00:00:35 192.168.12.2 GigabitEthernet0/0 10.1.1.3 1 FULL/DR 00:00:32 192.168.13.3 GigabitEthernet0/1 Based on this output, which statement is correct?

A.Router R1 is the DR on the segment connected to GigabitEthernet0/0.
B.Router R1 has a full adjacency with both neighbors and is in a stable state.
C.Router R1 is experiencing a neighbor timeout on GigabitEthernet0/1.
D.Router R1 is not receiving hello packets from 10.1.1.2.
AnswerB

Both neighbors show FULL state, indicating complete adjacency. Dead times are decreasing normally, so adjacencies are stable.

Why this answer

The output shows two OSPF neighbors. The neighbor with state FULL/DROTHER indicates it is not the DR or BDR on that segment. The neighbor with state FULL/DR is the designated router.

The dead times are within normal range, indicating the adjacency is stable.

569
MCQmedium

An engineer configures NAT on a router with 'ip nat inside source list 1 interface GigabitEthernet0/0 overload'. The inside hosts are 10.0.0.0/24, and the outside interface is 203.0.113.1. Traffic works for most hosts, but one host at 10.0.0.50 cannot access the internet. 'Show ip nat translations' shows no entry for this host. 'Show access-lists' shows ACL 1 permits 10.0.0.0 0.0.0.255. What is the most likely cause?

A.The host's IP address is statically assigned and conflicts with another device.
B.The host has a misconfigured subnet mask or default gateway.
C.The NAT pool is exhausted.
D.The router's inside interface is administratively down.
AnswerB

Correct because if the host's default gateway is not the router's inside interface (or subnet mask is wrong), the host will not send traffic to the router, so no NAT translation is attempted.

Why this answer

Option B is correct because the host at 10.0.0.50 is within the ACL 1 permitted range, yet no NAT translation appears, indicating the traffic never reaches the NAT process. A misconfigured subnet mask or default gateway on the host would cause its packets to be sent to the wrong next-hop or be dropped locally, preventing the router from seeing the traffic and creating a translation. Since 'show ip nat translations' shows no entry, the issue is upstream of NAT, pointing to a host-side configuration problem.

Exam trap

Cisco often tests the misconception that a missing NAT translation automatically implies a NAT configuration or ACL issue, when in fact the root cause is often a host-side misconfiguration that prevents traffic from reaching the router in the first place.

How to eliminate wrong answers

Option A is wrong because a static IP conflict would cause intermittent connectivity or duplicate IP errors, but the host would still generate traffic that the router would attempt to translate, resulting in at least a partial NAT entry or ARP issues, not a complete absence of translations. Option C is wrong because the NAT pool is not exhausted; the configuration uses PAT (overload) with a single outside interface IP (203.0.113.1), which supports up to 65,535 simultaneous translations per IP, so exhaustion is highly unlikely with a /24 subnet. Option D is wrong because if the router's inside interface were administratively down, no hosts on the 10.0.0.0/24 network would have internet access, but the question states traffic works for most hosts, ruling out a down interface.

570
MCQeasy

What is the default CoPP policer action for packets that exceed the committed information rate (CIR)?

A.Transmit with best-effort
B.Drop
C.Set DSCP to 0
D.Queue for later transmission
AnswerB

The default policer action for exceeding traffic is to drop the packets.

Why this answer

The default action for a Control Plane Policing (CoPP) policy-map class when traffic exceeds the committed information rate (CIR) is to drop the excess packets. This is because CoPP uses a single-rate, two-color policer by default, where packets conforming to the CIR are marked as 'conform' and transmitted, while packets exceeding the CIR are marked as 'exceed' and dropped. No default 'violate' action exists unless explicitly configured.

Exam trap

Cisco often tests the misconception that CoPP defaults to 'transmit' or 'remark' for excess traffic, but the default exceed action is always 'drop' unless explicitly changed in the policy-map.

How to eliminate wrong answers

Option A is wrong because CoPP does not have a default 'transmit with best-effort' action for excess traffic; that would require an explicit 'transmit' action under the 'exceed' or 'violate' clause in the policy-map. Option C is wrong because setting DSCP to 0 is not a default policer action; it would require an explicit 'set dscp 0' command under the exceed action, and CoPP defaults to drop, not remark. Option D is wrong because CoPP does not queue packets for later transmission; policing is a dropping or remarking mechanism, not a queuing or shaping function.

571
Drag & Drophard

Drag and drop the steps to troubleshoot Device Management adjacency or connectivity failures into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Troubleshooting starts with checking basic IP connectivity, then verifying the management protocol (e.g., NETCONF/RESTCONF) status, ensuring the correct port is open, checking AAA/authorization, and finally reviewing logs for errors.

572
MCQmedium

A network engineer runs the following command to verify NAT on an interface: R1# show ip nat interface GigabitEthernet0/1 GigabitEthernet0/1 is up, line protocol is up NAT: inside, active NAT: outside, active NAT: overload, active What is the issue with this configuration?

A.The interface is configured as both inside and outside, which is invalid.
B.The interface is correctly configured for NAT.
C.The interface is down.
D.Overload is not active.
AnswerA

NAT requires separate inside and outside interfaces.

Why this answer

The command output shows that GigabitEthernet0/1 is configured as both 'inside' and 'active' and 'outside' and 'active' simultaneously. In Cisco IOS NAT, an interface can be either a NAT inside interface or a NAT outside interface, but not both. This misconfiguration causes ambiguous NAT behavior because the router cannot determine whether traffic entering or leaving the interface should be translated from inside to outside or vice versa, leading to translation failures.

Exam trap

Cisco often tests the misconception that an interface can be both inside and outside for NAT, leading candidates to overlook the explicit 'inside' and 'outside' flags in the 'show ip nat interface' output and incorrectly assume the configuration is valid.

How to eliminate wrong answers

Option B is wrong because the interface is not correctly configured; a single interface cannot serve as both NAT inside and NAT outside simultaneously, which violates Cisco NAT design principles. Option C is wrong because the output explicitly states 'GigabitEthernet0/1 is up, line protocol is up', so the interface is operational, not down. Option D is wrong because the output shows 'NAT: overload, active', indicating that Port Address Translation (PAT) is indeed active and functioning.

573
MCQhard

In a DMVPN network with VRF-Lite, Router R1 (hub) and R2 (spoke) are configured for VRF-A. The DMVPN tunnel is up, but spoke-to-spoke traffic between R2 and R3 (another spoke) fails. R1 has configuration: interface Tunnel0, ip vrf forwarding VRF-A, ip address 172.16.0.1 255.255.255.0, tunnel source Gig0/0, tunnel mode gre multipoint. R2 has similar configuration with tunnel destination dynamic. The NHRP map for R3 is missing on R2. What is the root cause?

A.The NHRP mapping for R3 is missing on R2, preventing direct spoke-to-spoke tunnel establishment.
B.The tunnel mode should be gre multipoint on all spokes.
C.The VRF must be removed from the tunnel interface for DMVPN to work.
D.The hub router must have a static route for each spoke.
AnswerA

Correct: Without NHRP mapping, R2 cannot send traffic directly to R3; it must go through the hub.

Why this answer

In DMVPN, spoke-to-spoke tunnels require NHRP resolution. If R2 does not have an NHRP map for R3, it cannot establish a direct tunnel. The hub (R1) should facilitate NHRP resolution, but if the VRF configuration is not properly propagated, NHRP may fail.

The root cause is that the NHRP mapping is missing, often due to VRF mismatch in NHRP configuration or because the hub is not properly forwarding NHRP requests.

574
MCQhard

An engineer configures a route map to filter BGP routes based on AS-path using a regex. The route map is applied inbound to an eBGP neighbor. The engineer notices that routes with an AS-path containing the neighbor's AS are still being accepted. Which is the most likely explanation?

A.The AS-path is prepended with the local AS before the inbound route map is applied, so the regex does not match the original AS-path.
B.The route map is applied outbound instead of inbound.
C.The regex is incorrect; it should use _AS_ to match the AS number.
D.The neighbor is configured with 'send-community' which overrides the route map.
AnswerA

eBGP prepends the local AS before route map processing; the route map sees the modified path.

Why this answer

When an eBGP route is received, the router prepends its own AS to the AS-path before the route map is applied. Therefore, if the route map is trying to match the neighbor's AS in the AS-path, it will fail because the neighbor's AS is now the first AS in the path. The edge case is that the AS-path is modified before the route map is processed.

575
MCQhard

A network engineer runs the following command on Router R1: R1# show ip eigrp topology 10.50.50.0/24 EIGRP-IPv4 Topology Entry for AS(100)/ID(192.168.1.1) for 10.50.50.0/24 State: Active, Reply status: 0, Originating router: 192.168.1.1 Routing Descriptor Blocks: 10.1.1.2 (GigabitEthernet0/0), from 10.1.1.2, Send flag: 0x0 Composite metric: (4294967295/4294967295), Route is Internal Vector metric: Minimum bandwidth: 100000 Kbit Total delay: 100 microseconds Reliability: 255/255 Load: 1/255 Minimum MTU: 1500 Hop count: 1 Based on this output, what is the problem?

A.The route is in Active state with an infinite metric, indicating that the router has lost the route and is querying for a new path.
B.The route is passive and stable.
C.The metric of 4294967295 is normal for a summary route.
D.The hop count of 1 indicates the route is one hop away and reachable.
AnswerA

Active state with Infinity metric means the route is unreachable and the router is actively seeking a replacement.

Why this answer

The route is in Active state with a composite metric of 4294967295 (the maximum 32-bit value, effectively infinite), which indicates that the router has lost the feasible successor and is actively sending queries to neighbors to find an alternative path. This is a classic sign of an EIGRP query process in progress, meaning the route is not stable or reachable.

Exam trap

Cisco often tests the misconception that a route in Active state with a high metric is still reachable or that the metric value is normal, when in fact the Active state and infinite metric together indicate a route that is being actively queried and is currently unreachable.

How to eliminate wrong answers

Option B is wrong because the route is in Active state, not Passive; a Passive state would indicate stability and convergence. Option C is wrong because a metric of 4294967295 is not normal for any route—it represents an infinite metric (unreachable) in EIGRP, not a summary route. Option D is wrong because a hop count of 1 does not guarantee reachability when the metric is infinite; the route is in Active state and the router is still querying for a valid path.

576
MCQhard

A network engineer runs the following command on Router R1: R1# show ip policy Interface Route-map GigabitEthernet0/0 PBR-MULTI R1# show route-map PBR-MULTI route-map PBR-MULTI, permit, sequence 10 Match clauses: ip address (access-lists): 140 Set clauses: ip next-hop 10.0.0.2 10.0.0.3 Policy routing matches: 200 packets, 18000 bytes R1# show ip route 10.0.0.2 Routing entry for 10.0.0.2/32 Known via "eigrp 1", distance 90, metric 28160 Last update from 192.168.1.2 on GigabitEthernet0/1 R1# show ip route 10.0.0.3 % Network not in routing table Based on this output, what is the most likely behavior for packets matching ACL 140?

A.Packets are load-balanced between 10.0.0.2 and 10.0.0.3.
B.Packets are forwarded to 10.0.0.2.
C.Packets are dropped because one next-hop is unreachable.
D.Packets are forwarded to 10.0.0.3 via a recursive lookup.
AnswerB

Since 10.0.0.2 is reachable, PBR uses it. The unreachable 10.0.0.3 is ignored.

Why this answer

When multiple next-hops are specified in a set clause, PBR tries them in order. The first reachable next-hop is used. Here, 10.0.0.2 is reachable, so packets are forwarded to 10.0.0.2.

The second next-hop is not reachable, but that does not affect the first.

577
Drag & Drophard

Drag and drop the steps to troubleshoot syslog connectivity failures into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

First, verify reachability to the syslog server using ping. Then, check if the syslog server port (UDP 514) is open. Next, review the logging configuration on the router.

After that, examine ACLs that may block syslog traffic. Finally, enable debug ip udp to monitor syslog packet flow.

578
MCQhard

A network engineer is troubleshooting MPLS traffic engineering (TE) tunnels. A TE tunnel from Router A to Router B is configured but remains down. The engineer runs show mpls traffic-eng tunnels and sees that the tunnel is in 'down' state with the error 'Path computation failed'. The IGP is OSPF with MPLS TE enabled, and the network is fully meshed. What is the most likely root cause?

A.MPLS TE is not enabled on all interfaces along the path.
B.The tunnel destination is not reachable via the IGP.
C.RSVP is not configured on the tunnel interface.
D.The tunnel bandwidth is set too high, exceeding available bandwidth.
AnswerA

Correct because MPLS TE must be enabled on each interface to advertise link attributes into the TED; otherwise, the headend cannot compute a constraint-based path.

Why this answer

The 'Path computation failed' error indicates that the headend router cannot find a path meeting the constraints. Since OSPF TE is enabled, the issue is likely that the traffic engineering database (TED) is incomplete because MPLS TE is not enabled on all intermediate interfaces, preventing the headend from learning link attributes.

579
MCQmedium

A network engineer runs the following command on Router R1: R1# show bfd neighbors detail IPv4 Sessions NeighborAddr LD/RD Int State Holdown(mult) Intf 10.1.1.2 1/3 Gi0/0 Up 3000(3) Gi0/0 Session state is UP and not using echo function. OurAddr: 10.1.1.1 Handle: 1 Local Diag: 0, Demand mode: 0, Poll bit: 0 MinTxInt: 1000000, MinRxInt: 1000000, Multiplier: 3 Received MinRxInt: 1000000, Received Multiplier: 3 Holddown (hits): 3000(0) Rx Count: 100, Tx Count: 100 Based on this output, what is the BFD session's negotiated receive interval?

A.The negotiated receive interval is 1000 ms.
B.The negotiated receive interval is 500 ms.
C.The negotiated receive interval is 3000 ms.
D.The negotiated receive interval is 100 ms.
AnswerA

The local MinRxInt is 1000000 microseconds = 1000 ms, meaning the router can receive packets at that interval.

Why this answer

The negotiated receive interval is the maximum of the local MinRxInt (1000000 µs = 1000 ms) and the remote MinTxInt. The remote MinTxInt is not directly shown in the output, but the remote MinRxInt is 1000000 µs. Since the remote MinTxInt must be at least its own MinRxInt (by default, MinTxInt ≥ MinRxInt), the remote MinTxInt is at least 1000000 µs.

Thus the maximum is 1000000 µs, giving a negotiated receive interval of 1000 ms. Note that the holdown time (3000 ms) is the product of the multiplier (3) and the negotiated transmit interval, not the receive interval.

Exam trap

The holdown time (3000 ms) is often mistaken for the receive interval, but holdown is the detection time (multiplier × negotiated transmit interval).

580
Multi-Selectmedium

Which TWO commands can be used to verify OSPFv2 path selection and cost metrics on a Cisco IOS router? (Choose TWO.)

Select 2 answers
A.show ip ospf interface
B.show ip route ospf
C.show ip ospf neighbor
D.traceroute
E.show ip protocols
AnswersA, B

This command displays the OSPF cost assigned to each interface.

Why this answer

The 'show ip ospf interface' command displays the cost of the interface. The 'show ip route ospf' command shows the metric for each OSPF route. 'show ip ospf neighbor' does not show cost; 'traceroute' shows path but not OSPF cost; 'show ip protocols' shows process info but not per-route metrics.

581
MCQmedium

A network engineer runs the following command to troubleshoot OSPF route propagation: R1# show ip ospf database router 2.2.2.2 OSPF Router with ID (1.1.1.1) (Process ID 1) Router Link States (Area 0) LS age: 45 Options: (No TOS-capability, DC) LS Type: Router Links Link State ID: 2.2.2.2 Advertising Router: 2.2.2.2 LS Seq Number: 80000005 Checksum: 0x1234 Length: 48 Number of Links: 2 Link connected to: a Transit Network (Link ID) Designated Router address: 10.1.1.2 (Link Data) Router Interface address: 10.1.1.2 Number of TOS metrics: 0 TOS 0 Metrics: 10 Link connected to: a Stub Network (Link ID) Network/subnet number: 192.168.1.0 (Link Data) Network Mask: 255.255.255.0 Number of TOS metrics: 0 TOS 0 Metrics: 10 What does this output indicate?

A.Router 2.2.2.2 is advertising two stub networks.
B.Router 2.2.2.2 has a link to a transit network with DR address 10.1.1.2 and a stub network 192.168.1.0/24.
C.The LSA indicates a Type 5 External LSA from ASBR.
D.The output shows the network LSA for the transit network.
AnswerB

The LSA shows exactly these two links with their types and metrics.

Why this answer

The output shows the router LSA from neighbor 2.2.2.2, listing its connected links including a transit network and a stub network.

582
Multi-Selecthard

Which TWO statements about SNMPv3 engine ID configuration are true? (Choose TWO.)

Select 2 answers
A.The engine ID must be manually configured for SNMPv3 to function.
B.If the engine ID is changed, all existing SNMPv3 users must be reconfigured.
C.The engine ID is used to generate the authentication and encryption keys for SNMPv3 users.
D.The engine ID can be up to 64 octets in length.
E.The engine ID is automatically generated based on the router's serial number.
AnswersB, C

Changing the engine ID invalidates the authentication and encryption keys derived from the old engine ID, requiring users to be reconfigured.

Why this answer

Option B is correct because the SNMPv3 engine ID is a key component in generating the authentication and encryption keys for each user. If the engine ID changes, the keys derived from it become invalid, requiring all existing SNMPv3 users to be reconfigured with new passwords or keys to re-establish secure communication.

Exam trap

Cisco often tests the misconception that the engine ID is based on the router's serial number, but it is actually derived from the MAC address or IP address, and the maximum length is 27 octets, not 64.

583
MCQhard

Examine this configuration on Router R6: router ospf 1 redistribute eigrp 100 subnets default-information originate always What is a likely problem with this configuration?

A.The 'default-information originate always' command is not allowed with redistribution.
B.The router will advertise a default route into OSPF even if it does not have a default route itself, potentially causing blackholing.
C.The 'subnets' keyword is missing for EIGRP redistribution.
D.The redistribution will only work if EIGRP routes have a metric set.
AnswerB

The 'always' keyword forces the default route advertisement regardless of the local routing table.

Why this answer

The 'default-information originate always' will generate a default route into OSPF regardless of whether a default route exists in the routing table. This can cause routing issues if the router does not actually have a default route, as it will attract traffic for unknown destinations.

584
MCQeasy

A network engineer runs the following command on Router R1: R1# show flow monitor FLOW-MONITOR-1 statistics Monitor: FLOW-MONITOR-1 Record: netflow-original Exporter: EXPORTER-1 Cache size: 1000 Current entries: 0 Flows exported: 0 Packets exported: 0 Sampler: Not configured Flow Monitor is not attached to any interface Based on this output, what action should the engineer take to resolve the issue?

A.Configure a sampler on the flow monitor.
B.Apply the flow monitor to an interface using the 'ip flow monitor FLOW-MONITOR-1 input' command.
C.Increase the cache size to 2000 entries.
D.Change the record type to netflow ipv4 original.
AnswerB

The flow monitor must be attached to an interface to capture traffic.

Why this answer

The output explicitly states 'Flow Monitor is not attached to any interface'. The solution is to apply the flow monitor to an interface using the 'ip flow monitor' command.

585
MCQhard

EIGRP stuck-in-active (SIA) occurs in a large network. Router R1 shows 'show ip eigrp topology 10.0.0.0/24' output: 'P 10.0.0.0/24, 1 successors, FD is 128000, Q is 0, SIA is 00:01:00' and 'show ip eigrp neighbors' shows neighbor R2 in state 'Active'. R1 configuration includes 'router eigrp 100 network 10.0.0.0 passive-interface default'. What is the root cause?

A.R2 has 'passive-interface default' configured, which prevents it from sending query replies back to R1.
B.R1 has a route-map that filters the query for prefix 10.0.0.0/24.
C.The EIGRP K-values mismatch between R1 and R2 causes neighbor relationship issues.
D.The network 10.0.0.0 is not directly connected; need redistribution.
AnswerB

Correct. A route-map filtering the specific prefix 10.0.0.0/24 can block the query from being sent to R2, so R2 never replies, causing SIA.

Why this answer

EIGRP SIA occurs when a router does not receive a reply to its query within the active timer. The scenario shows R1 has a neighbor R2 in Active state, but R1's configuration includes 'passive-interface default', which would normally prevent neighbor formation. Since the neighbor exists, the passive-interface default is likely overridden or not affecting the interface to R2.

Option B is the most plausible cause: R1 has a route-map that filters the query for prefix 10.0.0.0/24, preventing the query from being sent to R2. Without receiving the query, R2 cannot reply, leading to SIA.

Exam trap

Passive-interface is often blamed for SIA, but here the actual cause is a distribute-list or route-map that filters the specific query. Ensure you check for route filtering when neighbors exist and SIA occurs.

586
Drag & Drophard

Drag and drop the steps for troubleshooting MPLS operations adjacency or connectivity failures into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Start by verifying LDP neighbor state, then check interface MPLS enablement, inspect label bindings, test end-to-end LSP connectivity, and finally validate TTL propagation for troubleshooting.

587
MCQhard

A network engineer runs the following command on Router R1: R1# show mpls forwarding-table Local Outgoing Prefix Bytes Label Outgoing Next Hop Label Label or Tunnel Id Switched interface 16 Pop Label 10.1.1.0/24 0 Gi0/0 192.168.1.2 17 21 10.2.2.0/24 1500 Gi0/0 192.168.1.2 18 Untagged 10.3.3.0/24 0 Gi0/1 192.168.2.2 Based on this output, what is the problem with the label entry for 10.3.3.0/24?

A.The label 18 is being swapped correctly.
B.The prefix 10.3.3.0/24 is being forwarded with MPLS label 18.
C.The next-hop router 192.168.2.2 is not an LDP neighbor for this prefix.
D.The label 18 is being popped by the next-hop router.
AnswerC

'Untagged' indicates the next hop did not provide a label.

Why this answer

The entry for 10.3.3.0/24 shows 'Untagged' in the outgoing label column, meaning the router is forwarding IP packets without an MPLS label. This indicates that the next-hop router (192.168.2.2) did not assign a label for this prefix, possibly because LDP is not enabled on that interface or the neighbor is not an LDP peer.

588
MCQmedium

A network engineer runs the following command on Router R1: R1# show ip nat translations Pro Inside global Inside local Outside local Outside global --- 192.0.2.10 10.0.0.10 --- --- --- 192.0.2.11 10.0.0.11 --- --- --- 192.0.2.12 10.0.0.12 --- --- R1# show ip nat statistics Total active translations: 3 (0 static, 3 dynamic; 3 extended) Outside interfaces: GigabitEthernet0/1 Inside interfaces: GigabitEthernet0/0 Hits: 45 Misses: 0 CEF Translated packets: 45, CEF Punted packets: 0 Expired translations: 0 Dynamic mappings: -- Inside Source [Id] ip nat pool POOL1 192.0.2.10 192.0.2.20 netmask 255.255.255.240 refcount 3 map-id 1 overload [Id] ip nat inside source list ACL1 pool POOL1 overload refcount 3 Based on this output, which statement is correct?

A.PAT is working correctly; translations are dynamic and overload is enabled.
B.NAT is failing because the pool is exhausted.
C.Static NAT is configured, but dynamic NAT is not working.
D.The inside and outside interfaces are reversed.
AnswerA

The output shows dynamic mappings with overload, and translations are active. No errors or misses indicate proper operation.

Why this answer

The output shows three dynamic translations from the inside local addresses (10.0.0.10–12) to inside global addresses (192.0.2.10–12) using the pool POOL1 (192.0.2.10–20). The 'overload' keyword in the NAT configuration enables Port Address Translation (PAT), allowing multiple inside hosts to share a single global IP by using unique port numbers. The 'refcount 3' and the presence of three active translations confirm that PAT is working correctly.

Exam trap

Cisco often tests the misconception that 'overload' always forces all hosts to share a single IP address, but in reality, PAT will first assign unique IPs from the pool if available, and only reuse IPs with port differentiation when the pool is exhausted.

How to eliminate wrong answers

Option B is wrong because the pool has 17 usable addresses (192.0.2.10–20 with netmask 255.255.255.240), and only three are in use, so the pool is far from exhausted. Option C is wrong because the statistics show 0 static translations and 3 dynamic translations, and the configuration uses 'ip nat inside source list ACL1 pool POOL1 overload', which is dynamic NAT with PAT, not static NAT. Option D is wrong because the 'show ip nat statistics' output explicitly lists 'Inside interfaces: GigabitEthernet0/0' and 'Outside interfaces: GigabitEthernet0/1', which is the correct orientation for translating inside local to inside global addresses.

589
MCQhard

EIGRP network with routers R1, R2, R3. R1 has: router eigrp 100 network 10.0.0.0 R2 has: router eigrp 100 network 10.0.0.0 R3 has: router eigrp 100 network 10.0.0.0 R1 shows: R1# show ip eigrp topology 10.1.1.0/24 EIGRP-IPv4 Topology Entry for 10.1.1.0/24 State is Passive, Query origin flag is 1, 1 Successor(s), FD is 128256 Routing Descriptor Blocks: 10.2.1.2 (Serial0/0/0), from 10.2.1.2, Send flag is 0x0 Composite metric is (128256/156160), Route is Internal 10.3.1.3 (Serial0/0/1), from 10.3.1.3, Send flag is 0x0 Composite metric is (156160/128256), Route is Internal R1# show ip route 10.1.1.0 Routing entry for 10.1.1.0/24 Known via "eigrp 100", distance 90, metric 128256 Last update from 10.2.1.2 on Serial0/0/0 R1 is using the path with higher feasible distance as successor. What is the root cause?

A.The path with higher FD is not feasible; EIGRP always selects the lowest FD.
B.An offset-list is applied to the lower FD path, increasing its metric.
C.The route is in active state, causing EIGRP to use a backup path.
D.R1 has a distribute-list blocking the lower FD path.
AnswerA

Correct. EIGRP always selects the path with the lowest feasible distance as the successor. The higher FD path is not feasible as a successor because it has a higher metric. The show ip route output confirms the lower FD path is installed.

Why this answer

The show ip route output clearly shows that R1 is using the path with metric 128256 (lower FD) as the successor, not the higher FD path (156160). The premise of the question is false. Option A correctly explains that the path with higher FD is not feasible as a successor because EIGRP always selects the path with the lowest feasible distance.

The root cause is a misinterpretation of the show commands; the observer mistakenly thought the higher FD path was used.

Exam trap

Candidates may misread the show ip eigrp topology output and assume the path with higher metric is used, but the routing table shows the actual installed route. Always verify with show ip route.

590
Drag & Dropmedium

Drag and drop the steps to verify and validate IPv6 First Hop Security operational state into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Start by checking global IPv6 snooping status. Then display the binding table for learned entries. Verify interface-specific FHS policies.

Check the RA Guard policy counters for drops. Finally, validate the neighbor cache for correct MAC-to-IPv6 mappings.

591
MCQhard

A network engineer notices that BGP sessions between two directly connected routers are flapping every few minutes. The routers are running IOS-XE 17.3 and have CoPP enabled. The engineer checks the CoPP policy and sees a class-map matching BGP packets with a police rate of 8000 bps. The BGP session uses MD5 authentication and the routers exchange a full BGP table with 500,000 prefixes. What is the most likely cause of the BGP session flapping?

A.The BGP MD5 authentication is causing excessive CPU utilization, triggering CoPP drops.
B.The CoPP police rate of 8000 bps is too low for the BGP keepalive and update traffic, causing packet drops.
C.The CoPP class-map is not matching BGP packets correctly because it uses a wrong access-list.
D.The BGP hold timer is set too low, causing the session to reset before CoPP drops are noticed.
AnswerB

BGP with 500,000 prefixes generates significant update traffic, and 8000 bps is insufficient, leading to dropped packets and session flapping.

Why this answer

The CoPP police rate of 8000 bps is insufficient for the BGP traffic generated by exchanging a full BGP table of 500,000 prefixes. BGP updates for such a large table can easily exceed 8000 bps, especially when combined with keepalive messages. When the police rate is exceeded, CoPP drops BGP packets, causing the session to flap as the hold timer expires due to missing keepalives or updates.

Exam trap

Cisco often tests the misconception that MD5 authentication causes CPU spikes leading to CoPP drops, but the real issue is that CoPP police rates must be sized to accommodate the actual BGP traffic volume, especially during full table exchanges.

How to eliminate wrong answers

Option A is wrong because BGP MD5 authentication adds a small amount of CPU overhead for HMAC computation, but it does not directly cause CoPP drops; CoPP drops are based on traffic rate, not CPU utilization. Option C is wrong because the question states that the class-map matches BGP packets, and there is no indication of a misconfigured access-list; the issue is the police rate, not the match criteria. Option D is wrong because the hold timer is not mentioned as being changed; the default hold timer (typically 180 seconds) is sufficient, and the flapping is due to CoPP dropping packets, not a low timer setting.

592
MCQhard

An engineer is troubleshooting an IPv6 connectivity issue where hosts on VLAN 10 cannot reach the internet. The switch is configured with IPv6 First Hop Security features including RA Guard and DHCPv6 Guard. The legitimate router is connected to port Gi1/0/1. The engineer notices that the router is sending RAs, but hosts are not receiving them. The switch shows that RA Guard is dropping packets on port Gi1/0/1. What is the most likely misconfiguration?

A.The RA Guard policy is configured with 'device-role host' on port Gi1/0/1, which causes the switch to drop all RAs received on that port.
B.DHCPv6 Guard is configured on port Gi1/0/1, blocking the router's DHCPv6 server messages.
C.IPv6 Source Guard is enabled on the VLAN, and the router's IPv6 address is not in the binding table.
D.The switch has IPv6 unicast-routing enabled, and it is sending its own RAs, causing a conflict.
AnswerA

Correct because 'device-role host' tells the switch that only hosts are allowed on that port; RAs from a router will be dropped.

Why this answer

RA Guard drops Router Advertisements (RAs) on ports where the policy's 'device-role' is set to 'host'. On port Gi1/0/1, the legitimate router is connected, but if the RA Guard policy incorrectly assigns 'device-role host' to that port, the switch will treat the router as a host and drop all incoming RAs, preventing hosts on VLAN 10 from receiving them. This matches the symptom where the router sends RAs but hosts do not receive them, and the switch reports RA Guard dropping packets on that port.

Exam trap

Cisco often tests the specific behavior of RA Guard's 'device-role' setting, where candidates mistakenly think RA Guard only blocks RAs from unauthorized routers, but the trap is that setting 'device-role host' on a port will drop all RAs, including those from the legitimate router, because the switch treats that port as a host port.

How to eliminate wrong answers

Option B is wrong because DHCPv6 Guard blocks DHCPv6 server messages, not Router Advertisements (RAs), and the issue is specifically about RAs being dropped, not DHCPv6 traffic. Option C is wrong because IPv6 Source Guard filters traffic based on the IPv6 source address and binding table, but it does not drop RAs; RA Guard is the feature responsible for dropping RAs, and the symptom points to RA Guard, not Source Guard. Option D is wrong because if the switch had IPv6 unicast-routing enabled and sent its own RAs, it would not cause RA Guard to drop the router's RAs on port Gi1/0/1; instead, it might cause a conflict with the router's RAs, but the switch's RA Guard policy would still need to be misconfigured to drop the router's RAs, and the symptom explicitly shows RA Guard dropping packets on that port.

593
MCQmedium

A network engineer runs the following command on Router R1: R1# show ipv6 mld interface tunnel 0 Tunnel0 is up, line protocol is up Internet address is FE80::1 MLD is enabled on interface Current MLD version is 2 MLD query interval is 125 seconds MLD querier timeout is 255 seconds MLD max query response time is 10 seconds Last member query response interval is 1 second MLD activity: 0 joins, 0 leaves MLD querying router is FE80::1 (this system) Based on this output, what can be concluded?

A.MLD is disabled on this interface.
B.This router is not the MLD querier.
C.There are no multicast listeners on this tunnel interface.
D.MLD version 1 is in use.
AnswerC

0 joins indicates no hosts have joined any multicast groups.

Why this answer

The output shows 'MLD activity: 0 joins, 0 leaves', indicating that no multicast listeners have joined any multicast group on this tunnel interface. Since MLD (Multicast Listener Discovery) is used to track group membership, zero joins means there are no active listeners. Therefore, option C is correct.

Exam trap

Cisco often tests the distinction between 'MLD enabled' and 'active listeners' — candidates may mistakenly think that MLD being enabled implies there are active group members, but the 'joins' counter directly reveals listener activity.

How to eliminate wrong answers

Option A is wrong because the output explicitly states 'MLD is enabled on interface', so MLD is not disabled. Option B is wrong because the output states 'MLD querying router is FE80::1 (this system)', confirming that this router is the MLD querier. Option D is wrong because the output shows 'Current MLD version is 2', not version 1.

594
MCQmedium

A network engineer has configured BFD for OSPF as shown: interface GigabitEthernet0/0 bfd interval 300 min_rx 300 multiplier 3 ! router ospf 1 bfd all-interfaces ! However, BFD sessions are not coming up. What is the most likely missing configuration?

A.The 'bfd all-interfaces' command should be replaced with 'bfd interface GigabitEthernet0/0'.
B.The interface has no IP address configured.
C.The BFD timers must be set to 100 ms or less for OSPF.
D.The router must be configured with 'bfd map' commands for each neighbor.
AnswerB

Correct. Without an IP address on the interface, OSPF cannot form a neighbor relationship, and BFD requires an established OSPF adjacency to operate.

Why this answer

BFD requires that the interface has an IP address and is up/up. The configuration shown lacks an IP address on the interface, which is necessary for BFD to establish a session.

595
Multi-Selecthard

An engineer must implement CoPP to protect the control plane of a Cisco IOS router from a DoS attack targeting SSH and SNMP. Which TWO configuration changes are required? (Choose TWO.)

Select 2 answers
A.Create an extended ACL that matches TCP port 22 (SSH) and UDP port 161 (SNMP).
B.Apply the CoPP policy under the interface configuration mode using 'service-policy input'.
C.Configure a class-map that matches the ACL created in step A.
D.Apply the CoPP policy under the control-plane configuration using 'service-policy output'.
E.Use the 'police' command with 'conform-action drop' to drop all SSH and SNMP traffic.
AnswersA, C

Correct. ACLs are used to match the specific control plane traffic (SSH and SNMP) for classification.

Why this answer

Option A is correct because CoPP uses an extended ACL to classify traffic for the control plane. SSH uses TCP port 22 and SNMP uses UDP port 161, so an extended ACL matching these protocols and ports is required to identify the DoS attack traffic. This ACL is then referenced by a class-map to define the traffic class for the CoPP policy.

Exam trap

Cisco often tests the distinction between applying CoPP under control-plane configuration versus interface configuration, and the correct direction (input vs output) for protecting the control plane from inbound attacks.

596
MCQhard

Which statement correctly describes the behavior of OSPF network type 'point-to-multipoint' regarding neighbor discovery?

A.Neighbors are discovered via multicast hello packets and a DR/BDR is elected.
B.Neighbors are discovered via unicast hello packets and no DR/BDR is elected.
C.Neighbors are discovered via multicast hello packets but no DR/BDR is elected.
D.Neighbors are discovered via unicast hello packets and a DR/BDR is elected.
AnswerB

Correct. Point-to-multipoint uses unicast hellos and no DR/BDR election.

Why this answer

In OSPF point-to-multipoint network type, neighbors are manually configured or discovered via unicast hello packets because the network does not support broadcast or multicast flooding. No Designated Router (DR) or Backup Designated Router (BDR) is elected because the network is treated as a collection of point-to-point links, avoiding the need for a central adjacency point.

Exam trap

Cisco often tests the misconception that point-to-multipoint uses multicast hellos (like broadcast or point-to-point) or that it still requires a DR/BDR (like NBMA), leading candidates to confuse it with other OSPF network types.

How to eliminate wrong answers

Option A is wrong because point-to-multipoint uses unicast hello packets, not multicast, and does not elect a DR/BDR. Option C is wrong because although it correctly states no DR/BDR is elected, it incorrectly claims neighbors are discovered via multicast hello packets. Option D is wrong because it incorrectly states that a DR/BDR is elected, which is not true for point-to-multipoint; this behavior is characteristic of broadcast or non-broadcast multi-access (NBMA) networks.

597
Multi-Selectmedium

Which TWO configuration steps are required to enable VRF-Lite on a Cisco IOS-XE router for a customer with two separate routing domains? (Choose TWO.)

Select 2 answers
A.Create the VRF using the 'vrf definition <vrf-name>' command and assign a route distinguisher with the 'rd' command.
B.Assign the VRF to an interface using the 'vrf forwarding <vrf-name>' command under interface configuration.
C.Configure route target import/export statements under the VRF.
D.Apply an import map and export map to control route redistribution.
E.Enable BGP to exchange routes between VRFs.
AnswersA, B

This defines the VRF and its route distinguisher, which is mandatory for VRF-Lite.

Why this answer

The two essential steps are: creating the VRF with a route distinguisher using 'vrf definition <name>' and 'rd <value>', and assigning interfaces to the VRF with 'vrf forwarding <name>' under the interface. The other options are incorrect: 'ip vrf <name>' is legacy syntax but still works; however, 'rd' is required. Route targets are for MPLS VPN, not VRF-Lite.

Import/export maps are optional. BGP is not mandatory.

598
MCQmedium

Which OSPF LSA type is used to advertise a summary route for a network outside the area but within the same OSPF domain?

A.Type 1
B.Type 2
C.Type 3
D.Type 5
AnswerC

Type 3 LSAs are Summary LSAs, used for inter-area routes.

Why this answer

Type 3 LSAs (Summary LSAs) are generated by Area Border Routers (ABRs) to advertise inter-area routes.

599
Multi-Selecthard

Which TWO commands can be used to verify the configured AAA authentication method lists on a Cisco IOS-XE device? (Choose TWO.)

Select 2 answers
A.show aaa
B.show aaa method-lists
C.show running-config | include aaa authentication
D.show aaa authentication
E.show authentication method-lists
AnswersB, C

This command displays all configured AAA method lists for authentication, authorization, and accounting.

Why this answer

Option B is correct because 'show aaa method-lists' directly displays all configured AAA authentication, authorization, and accounting method lists, including the default lists and any custom lists. Option C is correct because 'show running-config | include aaa authentication' filters the running configuration to show only lines containing 'aaa authentication', which explicitly lists the authentication method lists configured. Both commands provide a reliable way to verify the AAA authentication method lists on a Cisco IOS-XE device.

Exam trap

Cisco often tests the exact command syntax, and the trap here is that candidates confuse 'show aaa method-lists' with non-existent commands like 'show aaa authentication' or 'show authentication method-lists', or they forget that 'show running-config | include aaa authentication' is a valid verification method.

600
Multi-Selecthard

Which THREE symptoms indicate that Control Plane Policing (CoPP) might be misconfigured or causing connectivity issues? (Choose THREE.)

Select 3 answers
A.OSPF or BGP neighbors are flapping, with log messages indicating adjacency timeouts.
B.SSH or Telnet sessions to the device are intermittent or time out.
C.CPU utilization remains high despite CoPP being configured.
D.CPU utilization is consistently low, and all control plane traffic is passing without drops.
E.Throughput on data interfaces increases significantly.
AnswersA, B, C

If CoPP drops routing protocol hello packets, neighbors may flap, indicating misclassification or overly restrictive policing.

Why this answer

Option A is correct because CoPP is designed to protect the control plane by rate-limiting traffic. If CoPP is misconfigured with overly restrictive policies, it can drop OSPF or BGP hello packets, causing neighbor adjacencies to time out and flap. Log messages showing adjacency timeouts directly point to control plane packet loss, a classic symptom of CoPP misconfiguration.

Exam trap

Cisco often tests the misconception that CoPP only affects management traffic (SSH/Telnet), but candidates forget that routing protocol packets (OSPF, BGP) are also control plane traffic and can be dropped by CoPP, causing neighbor flapping.

Page 7

Page 8 of 29

Page 9