Question 181:
Which OSPF area type blocks Type 5 LSAs but allows Type 3 LSAs to summarize routes?
A) Normal area
B) Stub area
C) Not-So-Stubby Area (NSSA)
D) Backbone area
Answer: B) Stub area
Explanation:
Stub areas prevent external routes (Type 5 LSAs) from entering to reduce the routing table size, but allow Type 3 summary LSAs from ABRs. NSSA allows Type 7 LSAs for limited external routes. In OSPF (Open Shortest Path First), areas are used to segment and simplify routing within an autonomous system. Each area type has specific characteristics and purposes. A Normal Area is a standard OSPF area that allows all types of LSAs (Link-State Advertisements) to propagate. It can carry inter-area summary routes (Type 3 LSAs), external routes from other autonomous systems (Type 5 LSAs), and intra-area routes (Type 1 and 2 LSAs). Normal areas are suitable for large networks where full route visibility is necessary, but can lead to larger routing tables.
A Stub Area, which is the correct answer in this context, is designed to reduce the size of the routing table and limit routing updates. It does so by blocking external Type 5 LSAs from entering the area while still allowing Type 3 summary LSAs from the Area Border Routers (ABRs). This ensures internal routers know about other areas in the OSPF domain but do not receive detailed external route information, reducing memory and processing overhead. Stub areas are ideal for networks at the edge, where external connectivity is limited and low routing complexity is desired.
A Not-So-Stubby Area (NSSA) is similar to a stub area but allows a limited form of external route advertisement using Type 7 LSAs. These Type 7 LSAs are converted to Type 5 LSAs at the ABR before entering other areas, providing controlled external route injection without fully exposing the area to all external routes. NSSAs are useful when an edge area needs to introduce specific external routes while still maintaining a mostly stub-like configuration.
Finally, the Backbone Area (Area 0) is the core of an OSPF network. All other areas must connect to the backbone directly or via virtual links. It carries all types of LSAs and serves as the central transit point for inter-area routing. The backbone ensures connectivity between areas and distributes routing information efficiently across the OSPF domain.
In summary, choosing the correct area type depends on network design: stub areas simplify routing, NSSAs allow controlled external routes, normal areas provide full routing visibility, and the backbone area ensures network-wide connectivity.
Question 182:
In EIGRP, which command allows unequal-cost load balancing across multiple paths?
A) maximum-paths
B) variance
C) redistribute
D) network
Answer: B) variance
Explanation:
The variance command lets EIGRP use routes whose metric is within a multiple of the best path, enabling unequal-cost load balancing. Maximum-paths only allows equal-cost paths. In EIGRP (Enhanced Interior Gateway Routing Protocol), routing decisions and path selection rely on metrics that consider bandwidth, delay, reliability, load, and MTU. EIGRP has several key commands that influence how routes are advertised, selected, and balanced across a network. One such command is variance, which plays a crucial role in enabling unequal-cost load balancing. By default, EIGRP only installs the best path to a destination in the routing table. The variance command allows EIGRP to include additional paths whose metric is within a specified multiple of the best path’s metric. For example, a variance of 2 means that any path with a metric up to twice the best metric is eligible for load sharing. This enables more flexible traffic distribution across multiple links, increasing network utilization and redundancy.
The maximum-paths command, on the other hand, controls the number of equal-cost paths that EIGRP can install in the routing table. While it allows for load balancing, it is limited strictly to paths that have the same metric as the best path. Unlike variance, it does not support unequal-cost load sharing. Therefore, maximum-paths is often used in conjunction with variance for more advanced routing strategies.
The redistribute command is used when routes from another routing protocol, static routes, or connected networks need to be injected into EIGRP. Redistribution allows EIGRP to advertise external routes but does not directly affect unequal-cost load balancing unless combined with metric tuning and variance.
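The following is an added illustration of the variance rule described above; it is not Cisco code and the metric values are constructed, much smaller than real EIGRP composite metrics. It also models the feasibility condition that the prose leaves implicit: a path is only eligible for unequal-cost load sharing if the neighbor's reported distance is lower than the feasible distance of the successor, regardless of the variance multiplier.

```python
"""EIGRP variance: which paths get installed for one prefix.

Added example (not from Cisco IOS). Path metrics are constructed integers;
the selection rules are those of EIGRP: successor = lowest total metric,
feasible successor = reported distance strictly below the feasible distance,
variance = install feasible successors whose total metric is at most
variance * feasible distance, capped by maximum-paths.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Path:
    via: str                  # neighbor router advertising the prefix
    reported_distance: int    # metric the neighbor advertises (its own FD)
    link_cost: int            # metric of the link from this router to the neighbor

    @property
    def total(self) -> int:
        # Feasible distance via this neighbor: advertised metric plus link metric.
        return self.reported_distance + self.link_cost


def installed_paths(paths: List[Path], variance: int = 1, maximum_paths: int = 4) -> List[str]:
    """Return the neighbors whose paths end up in the routing table."""
    if not paths:
        return []
    successor = min(paths, key=lambda p: p.total)
    fd = successor.total                       # feasible distance for the prefix
    chosen = [successor]
    for p in sorted(paths, key=lambda p: p.total):
        if p is successor:
            continue
        feasible = p.reported_distance < fd        # feasibility condition (loop-freedom)
        within_variance = p.total <= variance * fd  # variance multiplier check
        if feasible and within_variance:
            chosen.append(p)
    # maximum-paths limits how many routes are installed, equal or unequal cost.
    return [p.via for p in chosen[:maximum_paths]]


# Constructed topology: three neighbors advertise the same prefix.
SAMPLE_PATHS = [
    Path("R2", reported_distance=10, link_cost=10),   # total 20: successor, FD = 20
    Path("R3", reported_distance=15, link_cost=25),   # total 40: feasible (15 < 20)
    Path("R4", reported_distance=30, link_cost=5),    # total 35: NOT feasible (30 >= 20)
]

if __name__ == "__main__":
    for v in (1, 2, 3):
        print(f"variance {v}: {installed_paths(SAMPLE_PATHS, variance=v)}")
```

Note that R4 has a lower total metric than R3 but is never installed, even with variance 3, because its reported distance fails the feasibility condition; variance widens the metric window but never overrides the loop-freedom check.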
Question 183:
Which NAT type maps multiple private IPs to a single public IP using different ports?
A) Static NAT
B) Dynamic NAT
C) PAT
D) NAT64
Answer: C) PAT
Explanation:
Port Address Translation (PAT) maps multiple private IPs to a single public IP by using different source ports. Static NAT is one-to-one, dynamic NAT uses a pool, and NAT64 translates IPv6 to IPv4. Network Address Translation (NAT) is a key technology that allows private IP addresses within a network to communicate with external public networks, such as the Internet, by translating private addresses to public addresses. There are several types of NAT, each serving a specific purpose. Port Address Translation (PAT), also known as NAT overload, is a type of NAT that enables multiple private IP addresses to share a single public IP address. PAT achieves this by assigning unique source port numbers to each session. This allows a large number of internal hosts to communicate with external networks using a single public IP, conserving valuable IPv4 addresses. PAT is the most common NAT method in home and enterprise networks due to its efficiency and scalability.
Static NAT provides a one-to-one mapping between a private IP address and a public IP address. This ensures that a specific internal host is always reachable at the same public IP address. Static NAT is typically used for servers, such as web or email servers, that need to be consistently accessible from outside the network. While simple and predictable, static NAT requires a dedicated public IP for each host, which can be inefficient for large networks.
Dynamic NAT uses a pool of public IP addresses to map internal private IPs. When an internal host initiates a connection to the outside network, the NAT device assigns an available public IP address from the pool. Once the session ends, the public IP returns to the pool. Unlike PAT, dynamic NAT requires multiple public IP addresses and does not allow multiple internal hosts to share a single public IP address simultaneously.
NAT64 is a specialized form of NAT used in IPv6 networks to enable communication between IPv6-only clients and IPv4 servers. It translates IPv6 addresses to IPv4 addresses and vice versa, facilitating interoperability between the two protocols.
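To make the PAT session-table behaviour concrete, here is an added model of NAT overload (not code from any vendor). The public address, inside hosts and port range are constructed; the model preserves the original source port when it is free, allocates the next free port otherwise, and, on the inbound side, only admits packets that match an existing session, which is why unsolicited inbound traffic is dropped at a PAT boundary.

```python
"""PAT (NAT overload): many inside hosts, one public IP, distinct source ports.

Added example, not from Cisco IOS. Addresses and ports are constructed.
"""
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]
SessionKey = Tuple[str, str, int, str, int]   # (proto, in_ip, in_port, out_ip, out_port)


class PATTable:
    def __init__(self, public_ip: str, port_range: Tuple[int, int] = (1024, 65535)):
        self.public_ip = public_ip
        self.low, self.high = port_range
        self.by_session: Dict[SessionKey, int] = {}          # session -> public port
        self.by_public_port: Dict[Tuple[str, int], SessionKey] = {}  # (proto, port) -> session

    def _allocate_port(self, proto: str, wanted: int) -> int:
        # Port preservation: keep the host's own source port if it is free and in range.
        if self.low <= wanted <= self.high and (proto, wanted) not in self.by_public_port:
            return wanted
        # Otherwise take the lowest unused port; the pool is finite.
        for port in range(self.low, self.high + 1):
            if (proto, port) not in self.by_public_port:
                return port
        raise RuntimeError("PAT port pool exhausted")

    def outbound(self, proto: str, in_ip: str, in_port: int, out_ip: str, out_port: int) -> Endpoint:
        """Translate an inside-to-outside packet; create the session on first sight."""
        key: SessionKey = (proto, in_ip, in_port, out_ip, out_port)
        if key not in self.by_session:
            port = self._allocate_port(proto, in_port)
            self.by_session[key] = port
            self.by_public_port[(proto, port)] = key
        return (self.public_ip, self.by_session[key])

    def inbound(self, proto: str, public_port: int, remote_ip: str, remote_port: int) -> Optional[Endpoint]:
        """Translate an outside-to-inside packet. Returns None (drop) if no session matches.

        The remote endpoint must match the session's destination (endpoint-dependent
        filtering), so a third party cannot reach an inside host through a port it
        did not open a session to.
        """
        key = self.by_public_port.get((proto, public_port))
        if key is None or key[3:] != (remote_ip, remote_port):
            return None
        return (key[1], key[2])


if __name__ == "__main__":
    nat = PATTable("203.0.113.1")
    print(nat.outbound("tcp", "192.168.1.10", 40000, "198.51.100.7", 443))  # keeps port 40000
    print(nat.outbound("tcp", "192.168.1.11", 40000, "198.51.100.7", 443))  # collides, gets 1024
    print(nat.inbound("tcp", 5000, "198.51.100.7", 443))                    # no session: None
```

The two inside hosts both use source port 40000; the second is rewritten to a different public port so the reply can be demultiplexed. The exhaustion branch is the practical limit of PAT: one public address offers at most the port range per protocol, so a busy edge eventually needs a pool (dynamic NAT plus overload).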
Question 184:
Which OSPF area type allows external routes using Type 7 LSAs but not Type 5 LSAs?
A) Normal area
B) Stub area
C) NSSA
D) Backbone area
Answer: C) NSSA
Explanation:
NSSAs support Type 7 LSAs generated internally for external routes but block Type 5 LSAs. This is useful for stub-like areas that still need limited external connectivity. In OSPF (Open Shortest Path First), areas are used to segment the network and reduce routing complexity. Each area type has distinct characteristics that define how routing information is propagated. A Normal Area is the standard OSPF area that allows all types of LSAs (Link-State Advertisements) to pass through. It can carry Type 1 and Type 2 LSAs for intra-area routing, Type 3 LSAs for inter-area summaries, and Type 5 LSAs for external routes from other autonomous systems. Normal areas provide complete routing visibility and are suitable for parts of the network where full route information is required.
A Stub Area is designed to reduce the size of the routing table for routers within the area. It does this by blocking Type 5 LSAs, which represent external routes, while still accepting Type 3 summary LSAs from the Area Border Router (ABR). This allows routers to know about destinations in other areas without being overwhelmed by external routes. Stub areas are ideal for edge networks where minimal routing complexity is desired and external routes are either unnecessary or can be accessed via a default route.
A Not-So-Stubby Area (NSSA) combines the characteristics of a stub area with limited external connectivity. NSSAs block Type 5 LSAs from entering the area but allow the area’s internal routers to generate Type 7 LSAs for external routes. These Type 7 LSAs are then converted to Type 5 LSAs by the ABR when sent to other areas. NSSAs are useful when a stub-like area needs to introduce a few specific external routes, such as routes from a connected autonomous system or a stub network with limited Internet access, without fully exposing the area to all external routes.
Question 185:
Which SD-WAN component facilitates zero-touch provisioning (ZTP) and device authentication?
A) vManage
B) vSmart
C) vBond
D) vEdge
Answer: C) vBond
Explanation:
vBond orchestrates initial device onboarding, authenticates vEdge routers, and ensures secure control-plane connectivity with vSmart controllers. In Cisco SD-WAN architecture, several key components work together to provide secure, scalable, and automated WAN connectivity. vManage is the centralized network management system. It provides a graphical interface for configuration, monitoring, policy management, and troubleshooting across all SD-WAN devices. While essential for operations, it does not directly handle control-plane security or device authentication.
vSmart controllers are responsible for the control plane in SD-WAN. They distribute routing, security, and policy information to vEdge routers. vSmart ensures that data-plane traffic is forwarded according to centralized policies, but it relies on devices being authenticated and securely connected before exchanging control information.
vBond orchestrators play a crucial role in the initial onboarding and authentication of devices, particularly vEdge routers. When a new vEdge router is deployed, it contacts vBond to authenticate itself and receive information about the vSmart controllers and vManage system. vBond ensures secure connectivity between the control plane components, enabling encrypted communication between vEdge routers and vSmart controllers. Without vBond, devices cannot join the SD-WAN overlay securely, making it a critical trust anchor in the architecture.
Question 186:
Which BGP attribute is used to influence path selection within the same autonomous system?
A) Weight
B) LOCAL_PREF
C) AS_PATH
D) MED
Answer: B) LOCAL_PREF
Explanation:
LOCAL_PREF determines preferred paths within an AS. Higher LOCAL_PREF is preferred. Weight is local to the router, MED influences inter-AS selection, and AS_PATH prevents loops. In BGP (Border Gateway Protocol), path selection is determined by a series of attributes that influence which route a router prefers when multiple paths to the same destination exist. One of the most important attributes within an Autonomous System (AS) is LOCAL_PREF (Local Preference). LOCAL_PREF is used to indicate the preferred path for outbound traffic from an AS. A higher LOCAL_PREF value makes a path more desirable, allowing network administrators to control routing policies within the AS efficiently. It is propagated to all routers within the AS but is not shared with external ASes, making it ideal for internal path preference.
Weight is a Cisco-specific attribute that is local to the router on which it is configured. Unlike LOCAL_PREF, weight is not propagated to other routers. It provides a way to influence BGP path selection on a single router without affecting the rest of the AS. Higher weight values are preferred, allowing fine-grained control of outbound traffic on individual devices.
The AS_PATH attribute is crucial for loop prevention and inter-AS path selection. It records the sequence of ASes a route has traversed. When a BGP router receives a route advertisement, it checks the AS_PATH to ensure it is not re-entering the same AS, preventing routing loops. Additionally, shorter AS_PATHs are generally preferred, helping BGP choose the most direct route between ASes.
The MED (Multi-Exit Discriminator) attribute is used to influence inbound traffic from neighboring ASes. A lower MED value indicates a more preferred path to external neighbors, but unlike LOCAL_PREF, MED is only a suggestion to external ASes and does not override internal path selection.
Question 187:
Which QoS mechanism enforces traffic limits by dropping excess packets?
A) Shaping
B) Policing
C) LLQ
D) CBWFQ
Answer: B) Policing
Explanation:
Policing enforces strict traffic limits, dropping or remarking packets that exceed configured rates. Shaping buffers excess traffic, LLQ prioritizes traffic, and CBWFQ allocates bandwidth. In modern networks, Quality of Service (QoS) mechanisms are critical for ensuring that applications requiring reliable or low-latency performance, such as voice, video, or critical data, operate effectively even under congestion. Cisco routers offer multiple QoS techniques to manage and control traffic. Among these, policing, shaping, Low Latency Queuing (LLQ), and Class-Based Weighted Fair Queuing (CBWFQ) are commonly used, each serving different purposes.
Policing is a strict traffic control mechanism that enforces a predefined bandwidth limit on a traffic flow. When the incoming or outgoing traffic exceeds the configured rate, excess packets are either dropped or remarked with a lower priority, depending on the configuration. Policing is typically applied at the network edge to ensure that a user or interface does not exceed its allocated bandwidth, preventing congestion downstream. However, policing does not delay packets; it only enforces compliance with the specified rate. This makes it simple and effective for strict enforcement but unsuitable for applications that are sensitive to packet loss, such as voice traffic.
Shaping, in contrast, is a more flexible traffic management technique that delays excess traffic rather than dropping it. Traffic shaping buffers packets in a queue when the traffic rate exceeds a configured limit and releases them at a steady pace, effectively smoothing out bursts. By controlling the transmission rate over time, shaping can prevent congestion while minimizing packet loss. It is particularly useful on WAN links where bandwidth is limited and a predictable traffic flow is required. Shaping ensures that traffic conforms to the committed rate, making it ideal for applications that can tolerate slight delays but are sensitive to packet loss.
Low Latency Queuing (LLQ) is an enhancement of Class-Based Weighted Fair Queuing (CBWFQ) that introduces strict priority queuing for delay-sensitive traffic. LLQ guarantees that high-priority traffic, such as voice or video, is sent before other queued traffic. While LLQ gives priority to real-time traffic, it still maintains fair queuing for lower-priority classes, ensuring that bandwidth allocation remains balanced. Without LLQ, critical traffic could experience delays during congestion, affecting performance for time-sensitive applications.
Class-Based Weighted Fair Queuing (CBWFQ) provides a mechanism to allocate bandwidth fairly among traffic classes. Network traffic is classified into different categories based on policy, and each class is assigned a percentage of the available bandwidth. Unlike LLQ, CBWFQ does not provide strict priority to any class; instead, it ensures that all traffic classes receive their allocated share. CBWFQ is effective for networks with multiple traffic types where guaranteed bandwidth is needed for critical applications but strict prioritization is unnecessary.
Question 188:
Which wireless protocol reduces roaming handoff time for clients?
A) WPA2
B) 802.11r
C) FlexConnect
D) 802.1X
Answer: B) 802.11r
Explanation:
802.11r enables fast roaming with pre-authentication and fast key exchange, improving performance for voice/video clients. WPA2 encrypts, FlexConnect is for branch APs, and 802.1X authenticates clients. In modern wireless networks, performance, security, and client mobility are critical considerations. Various IEEE standards and Cisco technologies address these needs, including 802.11r, WPA2, FlexConnect, and 802.1X.
802.11r, also known as Fast BSS Transition (FT), is designed to improve client roaming performance in wireless networks. It enables fast handoff between access points by pre-authenticating clients with neighboring APs and performing a rapid key exchange. This reduces latency during roaming, which is crucial for delay-sensitive applications like voice over Wi-Fi (VoWiFi) or real-time video conferencing. Without 802.11r, clients must perform a full authentication and key exchange every time they roam, causing temporary disruptions that can degrade the quality of voice or video calls. By implementing 802.11r, networks ensure seamless mobility for wireless clients.
WPA2 (Wi-Fi Protected Access 2) is a security protocol that provides robust encryption for wireless communications using AES (Advanced Encryption Standard). It ensures that data transmitted over Wi-Fi remains confidential and protected from unauthorized access. WPA2 secures the network but does not improve roaming performance or provide fast handoffs.
FlexConnect is a Cisco solution primarily used in branch or remote networks. It allows APs to switch traffic locally without sending it back to a central controller, reducing WAN usage and improving efficiency. While FlexConnect enhances network deployment flexibility, it is not specifically designed to speed up client roaming.
802.1X is a network access control protocol used for authenticating clients to the network, often in conjunction with RADIUS servers. It ensures that only authorized users or devices can connect, providing secure access control. However, 802.1X does not directly address roaming performance or fast handoff between APs.
Question 189:
Which Cisco TrustSec component allows role-based access without using IP addresses?
A) VLANs
B) Security Group Tags (SGTs)
C) ACLs
D) Port-based authentication
Answer: B) Security Group Tags (SGTs)
Explanation:
SGTs enforce policies dynamically based on user/device roles. VLANs and ACLs are static, and port-based authentication only controls access per port. In modern network security, controlling access and enforcing policies is critical for protecting resources and ensuring compliance. Cisco TrustSec introduces Security Group Tags (SGTs), a dynamic mechanism for enforcing access policies based on user or device roles, providing a more flexible alternative to traditional methods such as VLANs, ACLs, and port-based authentication.
Security Group Tags (SGTs) are embedded within packets and allow network devices to enforce policies dynamically. Unlike VLANs, which require manual configuration and grouping of devices, SGTs assign policies based on the role or identity of the user or device, independent of the physical or logical network topology. This means that access policies can follow a user across the network, simplifying management and improving security. For example, a finance department user can retain the same security privileges regardless of which switch or location they connect to.
VLANs are a traditional method for segmenting networks logically. While they separate traffic and can enforce isolation, they are static and tied to specific switch ports. VLANs do not adapt to user roles or dynamic changes in the network. This makes them less flexible in environments where users move frequently or where policy needs to adapt to device types or security posture.
Access Control Lists (ACLs) filter traffic based on IP addresses, protocols, or ports. ACLs are effective for controlling traffic flows but are also static and require manual updates to reflect changes in users or devices. They cannot dynamically enforce policies based on roles, making them less adaptable in large, dynamic networks.
Port-based authentication, such as 802.1X, controls access at the network port level. While it ensures only authenticated devices can connect, it does not provide ongoing role-based policy enforcement once the user is inside the network.
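The difference between role-based and address-based enforcement is easiest to see side by side. The following is an added example, not Cisco or ISE code; the tag numbers, subnets, server address and policy matrix are constructed. It evaluates the same intent ("finance users may reach the finance application over HTTPS") once as an SGACL-style matrix keyed on SGTs and once as a traditional IP ACL, then shows what happens when a user roams to another subnet and when a contractor plugs into the finance subnet.

```python
"""Role-based (SGT) enforcement versus an IP-based ACL as users move.

Added example, not vendor code. SGT values, subnets and the policy matrix are
constructed. SGTs are assumed to be assigned at authentication time (for example
returned after 802.1X) and carried with the session independently of its IP.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# Role -> SGT, as an identity service would assign after authentication.
ROLE_TO_SGT: Dict[str, int] = {"finance": 10, "contractor": 20, "finance_app": 30}

# SGACL-style matrix: (source SGT, destination SGT) -> permitted TCP destination ports.
# Pairs not listed are denied.
SGT_POLICY: Dict[Tuple[int, int], Set[int]] = {
    (10, 30): {443},    # finance users -> finance application: HTTPS only
    (20, 30): set(),    # contractors -> finance application: nothing
}

# The same intent written as an address-based ACL: "finance VLAN" to the app server.
IP_ACL: List[Tuple[str, str, int, str]] = [
    ("10.1.10.0/24", "10.9.0.5/32", 443, "permit"),
]


def sgt_permit(src_role: str, dst_role: str, dport: int) -> bool:
    """Decision keyed on identity: the user's SGT, not the address they hold today."""
    pair = (ROLE_TO_SGT[src_role], ROLE_TO_SGT[dst_role])
    return dport in SGT_POLICY.get(pair, set())


def acl_permit(src_ip: str, dst_ip: str, dport: int) -> bool:
    """Decision keyed on addresses: first matching entry wins, implicit deny at the end."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net, port, action in IP_ACL:
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net) and port == dport:
            return action == "permit"
    return False


def compare(src_role: str, src_ip: str, dst_role: str, dst_ip: str, dport: int) -> Dict[str, bool]:
    """Evaluate one flow under both models so the divergence is visible."""
    return {"acl": acl_permit(src_ip, dst_ip, dport), "sgt": sgt_permit(src_role, dst_role, dport)}


if __name__ == "__main__":
    app = ("finance_app", "10.9.0.5")
    print("finance user at HQ:     ", compare("finance", "10.1.10.25", *app, 443))
    print("same user at branch:    ", compare("finance", "10.2.10.25", *app, 443))
    print("contractor on HQ subnet:", compare("contractor", "10.1.10.30", *app, 443))
```

The ACL fails in both directions that matter: it denies the legitimate finance user as soon as they appear from a subnet the ACL author did not list, and it permits the contractor who happens to sit on the finance subnet, because an address-based rule cannot tell the two apart. The SGT decision is unchanged in both cases.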
Question 190:
Which MPLS router forwards packets using only the top label?
A) CE
B) PE
C) P
D) LER
Answer: C) P
Explanation:
P routers forward MPLS packets based on the top label only, without inspecting IP headers. LER/PE routers push/pop labels at the edges. In MPLS (Multiprotocol Label Switching) networks, different types of routers perform specialized functions to ensure efficient and scalable packet forwarding. The four main types of routers in an MPLS environment are CE (Customer Edge), PE (Provider Edge), P (Provider), and LER (Label Edge Router), each serving a distinct role.
P routers, also known as core or transit routers, are the backbone of an MPLS network. Their primary function is to forward packets based solely on the top label in the MPLS header. P routers do not examine the IP header, which allows for high-speed, label-based switching across the MPLS backbone. Since P routers only deal with labels and not the actual IP routing information, they are optimized for speed and scalability, enabling the MPLS network to handle large amounts of traffic efficiently.
LERs (Label Edge Routers) and PE routers (Provider Edge) operate at the edge of the MPLS network. They are responsible for label operations such as pushing, popping, or swapping labels as packets enter or leave the MPLS domain. LERs inspect the IP header to determine the appropriate label to attach to a packet when it enters the MPLS network, or to remove the label before forwarding it to a non-MPLS network. PE routers specifically connect to customer networks (CE routers) and act as the interface between the customer and the provider network.
CE routers (Customer Edge) are located at the customer side and are responsible for connecting to the provider network. They do not participate in MPLS label switching directly; instead, they rely on PE routers to handle MPLS encapsulation and forwarding. CE routers typically handle standard IP routing and send traffic toward the PE router for entry into the MPLS domain.
Question 191:
Which command displays all BGP routes received from a specific neighbor?
A) show ip bgp
B) show ip bgp summary
C) show ip bgp neighbors <neighbor> routes
D) show ip route bgp
Answer: C) show ip bgp neighbors <neighbor> routes
Explanation:
This command displays all routes learned from a neighbor, including path attributes. The summary command shows session information, and show ip route bgp shows installed routes only. In BGP (Border Gateway Protocol), several show commands are used to monitor routing information and neighbor relationships, each serving a distinct purpose. The show ip bgp neighbors <neighbor> routes command is particularly useful because it displays all routes learned from a specific BGP neighbor along with their path attributes, such as AS_PATH, NEXT_HOP, LOCAL_PREF, and MED. This information helps network administrators analyze route propagation, verify policy implementation, and troubleshoot routing issues between BGP peers.
The show ip bgp command provides a complete view of the BGP table on the router, listing all known BGP routes from all neighbors, not just one. It includes attributes, network prefixes, and the best path selection for each route, making it ideal for understanding the overall BGP routing environment.
The show ip bgp summary command offers a high-level overview of BGP neighbor sessions. It shows the status of each peer, session uptime, prefixes received, and general session statistics, but it does not display detailed route or path attribute information.
Finally, show ip route bgp displays only the BGP routes that have been selected and installed in the routing table. Unlike the neighbors command, it does not provide information about all routes received from a neighbor or their attributes—it only shows the active routes being used for forwarding.
Question 192:
Which OSPF LSA type advertises external routes redistributed into OSPF?
A) Type 1
B) Type 2
C) Type 3
D) Type 5
Answer: D) Type 5
Explanation:
Type 5 LSAs advertise external routes introduced by ASBRs. Type 3 LSAs summarize inter-area routes, Type 1/2 describe routers/networks. In OSPF (Open Shortest Path First), different types of LSAs (Link-State Advertisements) are used to share routing information across an OSPF domain. Type 5 LSAs are specifically used to advertise external routes that are injected into OSPF by Autonomous System Boundary Routers (ASBRs). These LSAs allow OSPF areas to learn about networks outside the OSPF autonomous system, such as routes from other routing protocols or external networks, enabling inter-domain connectivity. Type 5 LSAs are flooded throughout all normal OSPF areas except stub areas, which block them to reduce the routing table size.
Type 3 LSAs are summary LSAs generated by Area Border Routers (ABRs) to advertise inter-area routes. They summarize networks from one area and propagate them to other areas, reducing the amount of routing information exchanged and improving scalability.
Type 1 LSAs describe individual routers within an area, listing their interfaces, router IDs, and OSPF link states. They are flooded throughout the originating area to allow all routers to build a complete map of the area’s topology.
Type 2 LSAs describe network links within a broadcast or non-broadcast multi-access network, generated by the Designated Router (DR) on that network. They contain information about all routers attached to the segment and help routers calculate shortest paths.
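The area-type rules from Questions 181, 184 and 192 can be collapsed into one small model. This is an added example, not code from any OSPF implementation; the prefixes and area IDs are constructed. It answers, for a given LSA type and area type, whether that LSA may exist inside the area, and models the NSSA ABR step in which a Type 7 LSA is translated into a Type 5 LSA before it leaves the NSSA.

```python
"""Which LSA types an OSPF area accepts, by area type.

Added example, not from any router implementation. Encodes the rules stated
in the explanations: Types 1/2 stay in their own area, Type 3 summaries reach
every area type, Types 4/5 are blocked by stub and NSSA areas, Type 7 exists
only inside the NSSA that originated it and is translated to Type 5 by the ABR.
"""
from dataclasses import dataclass
from typing import List, Optional

NORMAL, STUB, NSSA, BACKBONE = "normal", "stub", "nssa", "backbone"


@dataclass(frozen=True)
class LSA:
    lsa_type: int       # 1, 2, 3, 4, 5 or 7
    prefix: str         # constructed prefix or router identifier
    origin_area: str    # area in which the LSA was originated


def lsa_allowed_in_area(lsa: LSA, area_type: str, area_id: str) -> bool:
    """True if an LSA of this type may be present in the given area."""
    if lsa.lsa_type in (1, 2):
        # Router and network LSAs never leave the area that originated them.
        return lsa.origin_area == area_id
    if lsa.lsa_type == 3:
        # Inter-area summaries (including the ABR's default route) reach all area types.
        return True
    if lsa.lsa_type in (4, 5):
        # ASBR-summary and AS-external LSAs: blocked in stub and NSSA areas.
        return area_type in (NORMAL, BACKBONE)
    if lsa.lsa_type == 7:
        # NSSA-external LSAs exist only inside the NSSA that generated them.
        return area_type == NSSA and lsa.origin_area == area_id
    raise ValueError(f"unsupported LSA type {lsa.lsa_type}")


def abr_translate(lsa: LSA, from_area_type: str) -> LSA:
    """NSSA ABR behaviour: a Type 7 LSA leaving an NSSA becomes a Type 5 LSA.

    Every other LSA passes through unchanged (whether it is then accepted by the
    next area is decided by lsa_allowed_in_area).
    """
    if from_area_type == NSSA and lsa.lsa_type == 7:
        return LSA(5, lsa.prefix, lsa.origin_area)
    return lsa


def flood_into(area_type: str, area_id: str, lsas: List[LSA]) -> List[str]:
    """Prefixes of the LSAs that survive flooding into the given area."""
    return [l.prefix for l in lsas if lsa_allowed_in_area(l, area_type, area_id)]


if __name__ == "__main__":
    external = LSA(5, "203.0.113.0/24", "0")      # redistributed by an ASBR in area 0
    summary = LSA(3, "10.1.0.0/16", "0")          # inter-area summary from the ABR
    nssa_ext = LSA(7, "198.51.100.0/24", "2")     # generated inside NSSA area 2
    for kind in (NORMAL, STUB, NSSA):
        print(f"area 1 as {kind:6}: {flood_into(kind, '1', [external, summary, nssa_ext])}")
    print("leaving NSSA 2:", abr_translate(nssa_ext, NSSA))
```

Running it shows the three answer keys at once: a stub area keeps only the Type 3 summary, a normal area also keeps the Type 5 external, and the Type 7 prefix is visible only inside area 2 until the ABR rewrites it as Type 5 for the rest of the domain.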
Question 193:
Which SD-WAN component manages the control plane and distributes routing policies to vEdge routers?
A) vManage
B) vSmart
C) vBond
D) vEdge
Answer: B) vSmart
Explanation:
vSmart controllers handle routing and policy distribution. vManage provides GUI-based management, vBond handles onboarding, and vEdge is the data-plane router. Cisco SD-WAN architecture is designed to simplify WAN management, enhance security, and improve application performance across distributed networks. It consists of several key components: vManage, vSmart, vBond, and vEdge, each serving distinct roles within the network.
vSmart controllers are the central component responsible for the control plane. They handle routing, policy distribution, and security information between devices in the SD-WAN overlay. vSmart ensures that all vEdge routers in the network receive consistent routing and policy updates. It maintains secure communication channels with vEdge devices and other controllers, enabling centralized policy enforcement and optimal path selection for application traffic. By doing so, vSmart ensures efficient data forwarding and adherence to organizational policies across the WAN.
vManage is the network management component that provides a GUI-based interface for administrators. It allows configuration, monitoring, troubleshooting, and policy management for the entire SD-WAN network. Administrators can deploy templates, view analytics, and manage software upgrades centrally. While vManage does not handle control-plane decisions directly, it simplifies management and visibility, making it easier to monitor the network and enforce policies consistently.
vBond orchestrators play a crucial role in the initial onboarding of devices. When a new vEdge router is deployed, it contacts vBond to authenticate itself and obtain information about vSmart controllers and vManage. vBond establishes secure control-plane connectivity, ensuring that only authorized devices join the SD-WAN overlay. Without vBond, devices cannot participate in the network securely.
vEdge routers are the data-plane devices deployed at branch offices, remote sites, or data centers. They forward traffic across the SD-WAN, enforce policies received from vSmart, and provide secure connectivity. vEdge routers rely on vSmart for routing intelligence, on vBond for secure onboarding, and on vManage for management and monitoring.
Question 194:
Which QoS mechanism buffers traffic to smooth bursts and maintain a defined output rate?
A) Policing
B) Shaping
C) LLQ
D) CBWFQ
Answer: B) Shaping
Explanation:
Shaping buffers excess traffic, smoothing bursts to match the configured output rate. Policing drops excess traffic, LLQ prioritizes delay-sensitive traffic, and CBWFQ allocates bandwidth per class. In modern networks, Quality of Service (QoS) mechanisms are essential for managing traffic, ensuring fair bandwidth distribution, and maintaining performance for critical applications. Cisco routers offer several techniques to control and prioritize traffic, including shaping, policing, Low Latency Queuing (LLQ), and Class-Based Weighted Fair Queuing (CBWFQ), each with a distinct purpose.
Traffic Shaping is a technique that regulates traffic flow by buffering excess packets when the traffic rate exceeds a configured limit. The router delays these packets and releases them at a steady rate, smoothing out bursts and conforming to the desired output rate. Shaping is particularly useful on WAN links where bandwidth is limited or expensive, ensuring that traffic remains within agreed limits while minimizing packet loss. This makes shaping suitable for applications sensitive to packet drops but tolerant of slight delays, such as file transfers or video streaming.
Policing, in contrast, enforces a strict traffic rate by dropping or remarking packets that exceed the configured limit. Unlike shaping, policing does not buffer excess traffic; it simply discards it to enforce compliance. Policing is often used to limit the bandwidth of users or applications and prevent congestion on network links. However, it can lead to packet loss for bursty traffic, which may impact real-time applications like voice or video.
Low Latency Queuing (LLQ) enhances Class-Based Weighted Fair Queuing (CBWFQ) by providing a strict priority queue for delay-sensitive traffic, such as voice or video. LLQ ensures that high-priority packets are transmitted first, reducing latency and jitter while maintaining fair queuing for other traffic classes.
CBWFQ allows traffic to be classified into multiple classes and allocates bandwidth to each class based on configured weights. Unlike LLQ, CBWFQ does not provide strict priority but ensures fair distribution of available bandwidth, making it suitable for environments with multiple traffic types.
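Questions 187 and 194 are two sides of the same token-bucket mechanism, so one added example covers both. This is not Cisco code: the rate, burst allowance and packet sizes are constructed, and real platforms express them in bits with Bc/Be values, but the conform/exceed logic is the same. The policer and the shaper share one bucket model; the only difference is what happens to an out-of-profile packet.

```python
"""Token-bucket policer versus shaper on the same burst.

Added example, not vendor code. A policer marks a packet 'exceed' (drop or
remark) when the bucket is short of tokens and never delays anything; a shaper
holds the packet in a FIFO queue until the tokens have accumulated.
"""
from typing import Dict, List, Tuple

Packet = Tuple[float, int]   # (arrival time in seconds, size in bytes)


def police(packets: List[Packet], rate: float, burst: int) -> List[Tuple[float, int, str]]:
    """Single-rate policer. Returns (arrival, size, 'conform'|'exceed') per packet."""
    tokens = float(burst)
    last = 0.0
    decisions = []
    for arrival, size in packets:
        tokens = min(burst, tokens + (arrival - last) * rate)   # refill since last packet
        last = arrival
        if size <= tokens:
            tokens -= size
            decisions.append((arrival, size, "conform"))
        else:
            decisions.append((arrival, size, "exceed"))        # no tokens consumed
    return decisions


def shape(packets: List[Packet], rate: float, burst: int) -> List[Tuple[float, float, int]]:
    """Shaper with the same bucket. Returns (arrival, send_time, size) per packet."""
    tokens = float(burst)
    last = 0.0            # last send time, which is also the last refill time
    schedule = []
    for arrival, size in packets:
        if size > burst:
            raise ValueError("burst must be at least one maximum-size packet")
        send_at = max(arrival, last)                           # FIFO: no overtaking
        tokens = min(burst, tokens + (send_at - last) * rate)
        if size > tokens:
            send_at += (size - tokens) / rate                  # wait for the shortfall
            tokens = float(size)
        tokens -= size
        last = send_at
        schedule.append((arrival, send_at, size))
    return schedule


def summarize(packets: List[Packet], rate: float, burst: int) -> Dict[str, float]:
    policed = police(packets, rate, burst)
    shaped = shape(packets, rate, burst)
    return {
        "policer_dropped": sum(1 for _, _, d in policed if d == "exceed"),
        "shaper_dropped": 0,   # the shaper queues instead of dropping (queue depth not modelled)
        "shaper_max_delay": max(s - a for a, s, _ in shaped),
    }


# Constructed burst: five 1000-byte packets arriving at t=0 against 1000 B/s with 2000 B burst.
BURST: List[Packet] = [(0.0, 1000)] * 5

if __name__ == "__main__":
    print(police(BURST, rate=1000, burst=2000))
    print(shape(BURST, rate=1000, burst=2000))
    print(summarize(BURST, rate=1000, burst=2000))
```

The burst allowance admits the first two packets in both cases; the policer then discards the remaining three, while the shaper delivers them at one-second intervals (delays of 1, 2 and 3 s). That is exactly the trade-off the explanation describes: policing costs loss, shaping costs latency and queue memory.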
Question 195:
Which command shows all OSPF routes installed in the routing table?
A) show ip ospf database
B) show ip route ospf
C) show ip protocols
D) show running-config
Answer: B) show ip route ospf
Explanation:
This command displays all OSPF-learned routes in the routing table. The database command shows LSAs, not installed routes. In OSPF (Open Shortest Path First), understanding how routing information is learned, stored, and displayed is essential for network design, troubleshooting, and optimization. Cisco routers provide several commands to examine OSPF operation, each serving a distinct purpose. Among these, show ip route ospf, show ip ospf database, show ip protocols, and show running-config are commonly used.
The show ip route ospf command displays all routes that OSPF has successfully installed in the router’s routing table. These routes represent the active paths that the router will use to forward traffic. By using this command, administrators can verify which networks are reachable via OSPF and confirm that the routing table reflects the correct OSPF-learned routes. It also shows the next-hop IP addresses, exit interfaces, and administrative distances for OSPF routes. This command is particularly useful for troubleshooting connectivity issues because it highlights the paths the router actually uses, rather than simply showing what OSPF knows about the network.
The show ip ospf database command, in contrast, displays the Link-State Advertisements (LSAs) that the router has learned from its OSPF neighbors. LSAs describe the topology of the OSPF network, including router links, network segments, and external routes. This database allows OSPF to calculate the shortest path first (SPF) tree for routing decisions. While the database provides a comprehensive view of all known topology information, it does not indicate which routes have been installed in the routing table. Therefore, it is useful for understanding the full OSPF network structure and for troubleshooting convergence issues.
The show ip protocols command summarizes each configured routing process. For OSPF it lists the router ID, the networks covered by network statements, the routing information sources (neighbors from which routes have been received) and the administrative distance, but it does not list individual routes. Finally, show running-config displays the router’s current configuration, including OSPF settings such as router IDs, area definitions, network statements, and passive interfaces. This command is critical for verifying that the OSPF configuration matches the intended design and ensuring that all required areas and networks are correctly advertised. However, it does not show dynamic routing information learned from neighbors.
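Because show ip route ospf lists only what was actually installed, it is the output worth parsing when checking reachability from a script. The following parser is an added example, not Cisco code; the output it consumes is constructed in the IOS format, including an indented second [AD/metric] line for an equal-cost path, which is the one layout detail that trips up naive line-by-line parsing.

```python
"""Parse `show ip route ospf` output into installed-route records.

Added example, not Cisco code. SAMPLE_OUTPUT is constructed in the IOS
format. The parser pulls the route code (O, O IA, O E1/E2, O N1/N2), the
prefix, [AD/metric], next hop, age and exit interface, and attaches an
indented continuation line to the route above it (equal-cost path).
"""
import re
from typing import Dict, List

SAMPLE_OUTPUT = """\
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
O        10.2.2.0/24 [110/20] via 10.1.12.2, 00:05:12, GigabitEthernet0/0
O IA     10.3.3.0/24 [110/30] via 10.1.12.2, 00:05:12, GigabitEthernet0/0
O E2     192.0.2.0/24 [110/20] via 10.1.13.3, 00:01:02, GigabitEthernet0/1
                      [110/20] via 10.1.12.2, 00:01:02, GigabitEthernet0/0
"""

ROUTE_RE = re.compile(
    r"^O(?:\s+(?P<sub>IA|E1|E2|N1|N2))?\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>\S+),\s+(?P<age>\S+),\s+(?P<intf>\S+)\s*$"
)
# continuation line for an additional equal-cost path: no code, no prefix, just [AD/metric]
ECMP_RE = re.compile(
    r"^\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>\S+),\s+(?P<age>\S+),\s+(?P<intf>\S+)\s*$"
)


def _path(m) -> Dict[str, str]:
    return {"next_hop": m.group("nh"), "age": m.group("age"), "interface": m.group("intf")}


def parse_show_ip_route_ospf(text: str) -> List[Dict]:
    """Return one record per installed OSPF prefix, each with a list of paths."""
    routes: List[Dict] = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            sub = m.group("sub")
            routes.append({
                "code": "O" if sub is None else f"O {sub}",
                "prefix": m.group("prefix"),
                "ad": int(m.group("ad")),
                "metric": int(m.group("metric")),
                "paths": [_path(m)],
            })
            continue
        m = ECMP_RE.match(line)
        if m and routes:
            # an indented [AD/metric] line belongs to the route printed just above it
            routes[-1]["paths"].append(_path(m))
    return routes


def next_hops(routes: List[Dict], prefix: str) -> List[str]:
    """All next hops installed for a prefix; empty if OSPF did not install it."""
    for r in routes:
        if r["prefix"] == prefix:
            return [p["next_hop"] for p in r["paths"]]
    return []


if __name__ == "__main__":
    for r in parse_show_ip_route_ospf(SAMPLE_OUTPUT):
        print(r["code"], r["prefix"], [p["next_hop"] for p in r["paths"]])
```

A prefix that returns no next hops here may still be present in show ip ospf database; that is the gap between "known to OSPF" and "installed" that the question is testing.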
Question 196:
Which BGP attribute prevents routing loops across autonomous systems?
A) Weight
B) LOCAL_PREF
C) AS_PATH
D) MED
Answer: C) AS_PATH
Explanation:
AS_PATH lists all ASes a route traverses. If the local AS is included, the route is rejected, preventing loops. In BGP (Border Gateway Protocol), path selection and routing loop prevention rely on several attributes, including AS_PATH, LOCAL_PREF, Weight, and MED. Among these, AS_PATH plays a critical role in ensuring the stability and loop-free operation of BGP across multiple Autonomous Systems (ASes). Understanding each of these attributes is key to managing inter-domain routing effectively.
AS_PATH is a mandatory BGP attribute that records the sequence of Autonomous Systems a route has traversed. Each AS that a route passes through appends its AS number to the AS_PATH list. When a BGP router receives a route advertisement, it examines the AS_PATH. If the router’s own AS number is already present in the path, the route is rejected to prevent routing loops. This mechanism ensures that routing information does not circulate indefinitely and maintains loop-free paths across the Internet or large multi-AS networks. Additionally, AS_PATH is used as a selection criterion: shorter AS_PATHs are generally preferred because they indicate fewer hops between autonomous systems, potentially providing a more direct route.
LOCAL_PREF (Local Preference) is an attribute used within a single AS to indicate which path should be preferred for outbound traffic. Higher LOCAL_PREF values are favored over lower ones. This attribute is propagated to all BGP routers within the AS but not shared with external ASes. Network administrators often use LOCAL_PREF to influence routing decisions centrally, directing traffic through preferred exit points or applying traffic engineering policies. While LOCAL_PREF affects path selection within an AS, it does not prevent loops—this is the specific role of AS_PATH.
Weight is a Cisco-specific attribute that is local to a router. It is not propagated to other routers and is used to influence path selection on that specific router. Higher weight values are preferred. This attribute is useful when administrators want to control outbound traffic from a single router without affecting routing decisions across the entire AS. Weight is evaluated before LOCAL_PREF and so can override it, but it does not prevent routing loops. MED (Multi-Exit Discriminator) is a hint sent to a neighboring AS about which entry point into the local AS to prefer; lower values are preferred, and by default it is only compared among paths received from the same neighboring AS. Like LOCAL_PREF and Weight, MED influences path selection and plays no part in loop prevention.
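The loop check and the attribute ordering described above are short enough to write out. The following is an added example, not Cisco IOS code: the ASNs, prefixes and next hops are constructed, the selection implements only the first four steps (highest Weight, highest LOCAL_PREF, shortest AS_PATH, lowest MED) and, as a simplification, compares MED across all candidates rather than only among paths from the same neighbouring AS.

```python
"""AS_PATH loop check and a simplified BGP best-path ordering.

Added example, not Cisco code. ASNs, prefixes and next hops are constructed.
Selection order: Weight, LOCAL_PREF, AS_PATH length, MED. Later tie-breakers
(origin, eBGP over iBGP, IGP metric, router ID) are left out, and MED is
compared across all candidates, which is a simplification.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass
class Route:
    prefix: str
    as_path: List[int]      # leftmost ASN is the neighbour that sent it to us
    next_hop: str
    weight: int = 0         # Cisco-local, never propagated
    local_pref: int = 100   # propagated within the AS only
    med: int = 0            # lower is preferred


LOCAL_AS = 65001

# Constructed updates for one prefix, received from two eBGP neighbours.
RECEIVED = [
    Route("203.0.113.0/24", [65002, 65010], "192.0.2.2", med=50),
    Route("203.0.113.0/24", [65003, 65004, 65010], "192.0.2.3", local_pref=200),
    # already carries 65001: this update has been through our AS before
    Route("203.0.113.0/24", [65002, 65001, 65010], "192.0.2.2"),
]


def accept_from_ebgp(local_as: int, route: Route) -> Optional[Route]:
    """Receive-side loop check: discard any update whose AS_PATH contains our own ASN."""
    if local_as in route.as_path:
        return None
    return route


def best_path(candidates: List[Route]) -> Optional[Route]:
    """Best of the loop-free candidates: Weight > LOCAL_PREF > AS_PATH length > MED."""
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.weight, -r.local_pref, len(r.as_path), r.med))


def select(local_as: int, received: List[Route]) -> Optional[Route]:
    """Apply the loop check to every update, then pick the best survivor."""
    accepted = [r for r in (accept_from_ebgp(local_as, r) for r in received) if r is not None]
    return best_path(accepted)


def local_override(route: Route, weight: int) -> Route:
    """Router-local preference: a copy of the route with Weight set (never advertised)."""
    return replace(route, weight=weight)


def advertise_to_ebgp(local_as: int, route: Route, next_hop_self: str) -> Route:
    """Outbound to an eBGP peer: prepend our ASN. Weight and LOCAL_PREF are not sent,
    and a MED learned from one neighbour AS is not passed on to another."""
    return Route(route.prefix, [local_as] + route.as_path, next_hop_self)


if __name__ == "__main__":
    best = select(LOCAL_AS, RECEIVED)
    print("best via", best.next_hop, "as_path", best.as_path)
    out = advertise_to_ebgp(LOCAL_AS, best, "192.0.2.1")
    print("advertised as_path", out.as_path)
    print("would we accept our own advertisement back?", accept_from_ebgp(LOCAL_AS, out) is not None)
```

The third update is dropped by the loop check before selection ever sees it; of the two survivors, the longer path wins because LOCAL_PREF is evaluated before AS_PATH length, and setting Weight on the first route flips the result without touching anything another router would see.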
Question 197:
Which SD-WAN policy selects paths based on SLA metrics like latency and jitter?
A) Control policy
B) Data policy
C) Application-aware routing (AAR)
D) QoS trust policy
Answer: C) Application-aware routing (AAR)
Explanation:
AAR monitors SLA metrics in real-time to select optimal paths for critical applications. Data policies enforce forwarding rules, control policies shape the overlay routing information (routes and TLOCs) at the controllers, and QoS trust policies govern how traffic markings are honored. In modern SD-WAN networks, administrators can apply various types of policies to optimize traffic flow, improve performance, and ensure security. Among the key policy types are Control Policy, Data Policy, Application-Aware Routing (AAR), and QoS Trust Policy. Each serves a distinct purpose in managing network behavior.
Application-Aware Routing (AAR) is a data-plane policy designed to intelligently route traffic based on application performance metrics and network conditions. AAR continuously monitors network characteristics such as latency, jitter, packet loss, and link availability. Based on predefined thresholds or dynamic conditions, AAR can choose the best path for each application flow, ensuring that critical applications, such as voice or video conferencing, receive optimal performance. By leveraging real-time analytics, AAR can dynamically reroute traffic over alternative WAN links to maintain service quality, reducing the risk of application degradation during congestion or link failures.
Control Policies operate at the control plane and influence how routing and control messages are processed within the SD-WAN overlay. They are used to modify route attributes, manipulate path selection, and enforce administrative preferences for traffic between devices, but they do not directly manage the forwarding of data packets.
Data Policies are broader policies applied to the forwarding plane, often encompassing routing, firewall rules, and traffic segmentation. They can prioritize or restrict traffic flows, enforce security measures, and define specific forwarding actions for different types of traffic.
QoS Trust Policies specifically manage quality of service treatment for traffic based on DSCP markings or other trust parameters. They ensure that high-priority traffic receives preferential treatment through network queues and scheduling mechanisms, but unlike AAR, they do not dynamically select paths based on real-time network conditions.
Question 198:
Which command verifies the spanning-tree root bridge and port roles?
A) show spanning-tree
B) show vlan brief
C) show interfaces trunk
D) show running-config
Answer: A) show spanning-tree
Explanation:
Displays root bridge ID, port roles, and VLAN mapping, useful for troubleshooting loops or STP topology. In Ethernet networks, Spanning Tree Protocol (STP) is essential for preventing loops and ensuring a loop-free topology. Cisco switches provide several commands to monitor and troubleshoot STP, VLANs, and interface configurations, including show spanning-tree, show vlan brief, show interfaces trunk, and show running-config. Each command serves a specific purpose.
The show spanning-tree command is used to display STP information on a switch. It shows the root bridge ID, which identifies the switch acting as the root for the spanning-tree topology. It also lists port roles such as root port, designated port, and blocked port, as well as port states like forwarding or blocking. Additionally, this command provides VLAN-specific STP information, including the mapping of VLANs to ports. By examining this output, network engineers can verify the current STP topology, confirm which switch is the root bridge, and troubleshoot potential issues such as loops, blocked ports, or misconfigurations that could affect network stability.
The show vlan brief command provides a summary of all VLANs configured on the switch, including VLAN IDs, names, status, and the ports assigned to each VLAN. While it is primarily used to verify VLAN configurations and port assignments, it does not provide detailed STP information.
The show interfaces trunk command displays trunk interfaces and the VLANs allowed on each trunk. This is important for ensuring VLAN traffic is correctly propagated between switches, but it does not show STP port roles or the root bridge.
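Pulling the root bridge and port roles out of show spanning-tree is also the basis for a simple STP integrity check: an attacker who injects superior BPDUs from an access port becomes root, and the first symptoms are a changed root address and a Root port pointing somewhere it never should. The following parser and audit are an added example, not Cisco code; the output is constructed in the IOS per-VLAN format, and the expected root MAC is an assumption standing in for the network team's own records.

```python
"""Parse `show spanning-tree` and audit the root bridge and port roles.

Added example, not Cisco code. SAMPLE_OUTPUT is constructed in the IOS
per-VLAN format; the expected root address passed to audit() is assumed.
The audit flags two symptoms of a rogue root bridge: the root address
differing from the documented one, and a Root port on an edge (PortFast)
interface, which should never face the real root.
"""
import re
from typing import Dict, List

SAMPLE_OUTPUT = """\
VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    24586
             Address     0011.2233.4455
             Cost        4
             Port        1 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     0066.7788.99aa
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Root FWD 4         128.1    P2p
Gi0/2               Altn BLK 4         128.2    P2p
Gi0/3               Desg FWD 4         128.3    P2p Edge
"""
# Constructed variant: the edge port Gi0/3 has become the Root port.
ROGUE_OUTPUT = SAMPLE_OUTPUT.replace("Gi0/3               Desg", "Gi0/3               Root")

ROOT_RE = re.compile(r"Root ID\s+Priority\s+(\d+)\s+Address\s+([0-9a-f.]+)")
BRIDGE_RE = re.compile(r"Bridge ID\s+Priority\s+(\d+).*?Address\s+([0-9a-f.]+)", re.S)
PORT_RE = re.compile(
    r"^(?P<intf>\S+)\s+(?P<role>Root|Desg|Altn|Back|Mstr)\s+(?P<state>FWD|BLK|LRN|LIS|LBK)\s+"
    r"(?P<cost>\d+)\s+(?P<prio>\d+\.\d+)\s+(?P<type>.*?)\s*$",
    re.M,
)


def parse_show_spanning_tree(text: str) -> Dict[int, Dict]:
    """Return {vlan: {root_priority, root_address, bridge_address, is_root, ports}}."""
    result: Dict[int, Dict] = {}
    for block in re.split(r"(?m)^(?=VLAN\d{4})", text):
        head = re.match(r"VLAN(\d{4})", block)
        root = ROOT_RE.search(block)
        bridge = BRIDGE_RE.search(block)
        if not (head and root and bridge):
            continue
        result[int(head.group(1))] = {
            "root_priority": int(root.group(1)),
            "root_address": root.group(2),
            "bridge_address": bridge.group(2),
            # IOS prints this line in place of Cost/Port when the switch itself is root
            "is_root": "This bridge is the root" in block,
            "ports": [m.groupdict() for m in PORT_RE.finditer(block)],
        }
    return result


def port_roles(parsed: Dict[int, Dict], vlan: int) -> Dict[str, str]:
    return {p["intf"]: p["role"] for p in parsed.get(vlan, {}).get("ports", [])}


def audit(parsed: Dict[int, Dict], vlan: int, expected_root_address: str) -> List[str]:
    """Alerts for a VLAN whose root or root port does not look like the documented topology."""
    info = parsed.get(vlan)
    if info is None:
        return [f"VLAN {vlan}: no spanning-tree instance found"]
    alerts = []
    if info["root_address"] != expected_root_address:
        alerts.append(f"VLAN {vlan}: root bridge is {info['root_address']}, expected {expected_root_address}")
    for p in info["ports"]:
        if p["role"] == "Root" and "Edge" in p["type"]:
            alerts.append(f"VLAN {vlan}: root port {p['intf']} is an edge port; possible rogue BPDU")
    return alerts


if __name__ == "__main__":
    parsed = parse_show_spanning_tree(SAMPLE_OUTPUT)
    print(port_roles(parsed, 10), audit(parsed, 10, "0011.2233.4455"))
    print(audit(parse_show_spanning_tree(ROGUE_OUTPUT), 10, "0011.2233.4455"))
```

In practice the second alert is what BPDU Guard on edge ports prevents in the first place; the parser just makes the condition visible after the fact from the same command used to verify the topology.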
Question 199:
Which MPLS router pushes labels onto packets entering the network?
A) CE
B) PE
C) P
D) LER
Answer: D) LER
Explanation:
LERs assign labels based on Forwarding Equivalence Classes (FECs) at the network edge. P routers swap labels in the core, and CE routers connect customer networks to the provider. In MPLS (Multiprotocol Label Switching) networks, routers are classified based on their roles and responsibilities in the forwarding and labeling process. The main router types include CE (Customer Edge), PE (Provider Edge), P (Provider), and LER (Label Edge Router). Understanding these roles is essential for designing, troubleshooting, and optimizing MPLS networks.
LERs (Label Edge Routers) operate at the edge of the MPLS network and are responsible for assigning labels to incoming packets based on Forwarding Equivalence Classes (FECs). An FEC is a group of packets that share the same forwarding treatment across the MPLS network, such as the same destination prefix or QoS requirements. LERs examine the IP header of incoming packets from customer networks and determine the appropriate MPLS label to push onto the packet. When packets leave the MPLS network, LERs pop the labels before delivering them to the destination network. This label assignment and removal process ensures that the MPLS core can efficiently forward packets without inspecting the IP header.
P routers, also called core or transit routers, operate within the MPLS backbone. They do not assign or remove labels but instead forward packets based on the top label only, performing label switching at high speed. P routers maintain the MPLS label forwarding tables and ensure efficient transit of labeled packets across the network.
PE routers (Provider Edge) are LERs that specifically connect the provider’s MPLS network to customer networks (CE routers). PE routers handle label assignment, route distribution, and interaction with BGP or other routing protocols to exchange reachability information with CE routers.
CE routers (Customer Edge) are located on the customer side and connect to the PE routers. CE devices typically handle standard IP routing and are unaware of MPLS labels. Their role is to send and receive traffic to and from the provider network.
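The division of labour above, push at the ingress LER, swap at P routers, pop at the egress LER, can be traced packet by packet. The following is an added example, not Cisco code: the prefixes, labels, router names and tables are constructed, penultimate-hop popping is not modelled, and the point it makes is that only the ingress LER ever looks at the IP destination.

```python
"""Label push, swap and pop across a three-router MPLS path.

Added example, not Cisco code; prefixes, labels and router names are
constructed. PE1 is the ingress LER (FEC lookup by longest prefix match,
then push), P1 is a core LSR (top-label swap only, IP header never read),
PE2 is the egress LER (pop, hand off to the customer). Penultimate-hop
popping is not modelled; P1 always swaps.
"""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Ingress LER: FEC (destination prefix) -> (label to push, next hop)
PE1_FEC_TABLE = {
    ip_network("10.1.0.0/16"): (1001, "P1"),
    ip_network("10.1.5.0/24"): (1002, "P1"),   # more specific FEC, different egress
}
# Core LSR LFIB: incoming label -> (action, outgoing label, next hop)
P1_LFIB = {1001: ("swap", 2001, "PE2"), 1002: ("swap", 2002, "PE2")}
# Egress LER LFIB: incoming label -> ("pop", None, customer-facing next hop)
PE2_LFIB = {2001: ("pop", None, "CE-B"), 2002: ("pop", None, "CE-C")}


def ingress_push(fec_table, dst_ip: str) -> Optional[Tuple[List[int], str]]:
    """LER behaviour: classify the IP packet into a FEC and push that FEC's label."""
    addr = ip_address(dst_ip)
    matches = [net for net in fec_table if addr in net]
    if not matches:
        return None                                   # no FEC: not label-switched
    fec = max(matches, key=lambda n: n.prefixlen)     # longest prefix wins
    label, next_hop = fec_table[fec]
    return [label], next_hop


def label_switch(lfib, stack: List[int]) -> Optional[Tuple[List[int], str]]:
    """LSR behaviour: act on the top label only; the IP header is never consulted."""
    if not stack or stack[0] not in lfib:
        return None                                   # unknown label: drop
    action, out_label, next_hop = lfib[stack[0]]
    if action == "swap":
        return [out_label] + stack[1:], next_hop
    if action == "pop":
        return stack[1:], next_hop
    raise ValueError(f"unsupported action {action}")


def forward(dst_ip: str) -> Optional[List[Tuple[str, List[int], str]]]:
    """Trace a packet PE1 -> P1 -> PE2; each entry is (router, stack after processing, next hop)."""
    step = ingress_push(PE1_FEC_TABLE, dst_ip)
    if step is None:
        return None
    trace = [("PE1",) + step]
    for router, lfib in (("P1", P1_LFIB), ("PE2", PE2_LFIB)):
        step = label_switch(lfib, trace[-1][1])
        if step is None:
            return None
        trace.append((router,) + step)
    return trace


if __name__ == "__main__":
    for dst in ("10.1.5.7", "10.1.9.1", "192.0.2.1"):
        print(dst, forward(dst))
```

Two destinations inside 10.1.0.0/16 take different labels because the ingress LER matched different FECs, and from that point P1 and PE2 never need the destination address again; a destination with no FEC is simply not labelled.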
Question 200:
Which Cisco wireless feature enforces role-based access control without VLAN changes?
A) VLANs
B) Security Group Tags (SGTs)
C) ACLs
D) Port-based authentication
Answer: B) Security Group Tags (SGTs)
Explanation:
SGTs enable dynamic access control based on user/device roles, independent of VLAN assignment. VLANs are static, ACLs filter traffic, and port-based authentication controls access per port. In modern enterprise networks, securing resources and enforcing access policies dynamically has become increasingly critical. Traditional methods, such as VLANs, Access Control Lists (ACLs), and port-based authentication, provide a certain level of segmentation and control. However, they have limitations in terms of scalability and adaptability. Cisco TrustSec introduces Security Group Tags (SGTs), a mechanism that enables dynamic, role-based access control, providing flexibility and enhanced security in complex networks.
Security Group Tags (SGTs) allow policies to be applied dynamically based on the role of a user or device, rather than relying solely on network topology. SGTs are embedded in packets, and network devices enforce policies according to the assigned tags. This approach enables access policies to follow users and devices across the network, independent of VLAN or physical location. For example, a finance department employee can retain the same access privileges whether connected in the headquarters, a branch office, or remotely. SGTs support scalable security policy enforcement across the network, reducing the complexity of managing VLANs or ACLs for large numbers of users. Additionally, SGTs integrate with Cisco TrustSec policy enforcement points (PEPs) to automatically enforce policies on switches, routers, and wireless access points.
VLANs (Virtual Local Area Networks) are a traditional method of network segmentation. VLANs separate traffic logically within the same physical network, which improves isolation and can prevent broadcast storms from affecting unrelated devices. While VLANs provide basic segmentation, they are inherently static and tied to switch ports or interfaces. This means that any change in device location or network topology requires manual reconfiguration of VLAN assignments, making them less flexible for dynamic environments.
Access Control Lists (ACLs) filter network traffic based on criteria such as source and destination IP addresses, protocols, or port numbers. ACLs can restrict or permit traffic flows and are widely used to enforce security policies. However, ACLs are static and do not adapt automatically to changes in user roles, device types, or location. Managing large ACLs can be complex and error-prone, particularly in networks with hundreds or thousands of endpoints.
Port-based authentication, such as 802.1X, controls access at the individual switch port level. It ensures that only authenticated devices or users can connect to the network, providing a baseline of security. However, once a device gains access, port-based authentication does not provide ongoing role-based policy enforcement. It does not dynamically adjust access based on user roles, making it insufficient for complex, highly mobile environments.