Q61. A network engineer notices that OSPF routers in Area 0 are not forming full neighbor relationships. Which command would best help diagnose adjacency issues?
A) show ip ospf database
B) show ip ospf neighbor
C) show ip route ospf
D) ping 127.0.0.1
Answer: B) show ip ospf neighbor
Explanation:
The show ip ospf neighbor command lists each neighbor's router ID, priority, state (Full, 2-Way, Init, ExStart and so on), dead timer, address, and interface, which is exactly what is needed to see where adjacency formation stalls. A neighbor stuck in Init is sending hellos that this router receives, but it does not list this router in its own hellos, so our hellos are being dropped or rejected on the far side (an ACL or an authentication mismatch are the usual reasons). 2-Way is the normal final state between two DROther routers on a broadcast segment and is only a problem with the DR or BDR. A neighbor stuck in ExStart or Exchange usually points to an MTU mismatch or duplicate router IDs. A neighbor that never appears at all means its hellos are rejected outright: mismatched hello/dead intervals, area ID, authentication, subnet mask, or network type. The OSPF database shows LSAs but not adjacency state, show ip route ospf shows only routes already installed, and ping 127.0.0.1 tests nothing beyond the local IP stack.
Full adjacencies matter because OSPF only synchronizes link-state databases and floods LSAs over them; a neighbor that never reaches Full (or, between DROthers, 2-Way) leaves the database incomplete and produces missing or suboptimal routes. The neighbor state narrows the search: once the stuck state is known, show ip ospf interface on both routers compares the hello and dead intervals, area, network type and authentication, and show ip interface compares the MTU, which together cover most causes of an adjacency that will not form.
Other commands provide complementary information but serve different purposes. show ip ospf database displays the Link-State Advertisements (LSAs) known to the router (router, network, summary, and external LSAs); it shows the topology that has been learned, not the state of the adjacencies over which it was learned. show ip route ospf shows the routes that OSPF has installed in the routing table, which helps verify reachability after the adjacency is up but says nothing about why neighbor formation fails. ping 127.0.0.1 only exercises the local IP stack and provides no information about OSPF.
Using show ip ospf neighbor first and the interface-level commands second, an engineer can find the mismatch, restore Full adjacency, and confirm that LSAs are exchanged, which is the prerequisite for stable OSPF convergence across every area.
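The state-based triage above can be automated. The following Python script is an added example, not part of the original exam material and not vendor code: it parses constructed show ip ospf neighbor output (the sample text is made up, not captured from a device) and flags only the neighbors whose state actually indicates a problem, treating 2WAY/DROTHER as normal. The regular expression and the diagnosis strings are this example's own choices.

```python
import re

# Constructed sample of "show ip ospf neighbor" output (not from a real device).
SAMPLE_OUTPUT = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.2          1   FULL/DR         00:00:35    192.168.1.2     GigabitEthernet0/0
10.0.0.3          1   2WAY/DROTHER    00:00:38    192.168.1.3     GigabitEthernet0/0
10.0.0.4          1   INIT/DROTHER    00:00:31    192.168.1.4     GigabitEthernet0/0
10.0.0.5          1   EXSTART/DR      00:00:39    192.168.2.2     GigabitEthernet0/1
10.0.0.6          1   FULL/  -        00:00:33    10.1.1.2        Serial0/0
"""

# One neighbor line: router ID, priority, STATE/ROLE (the role is "-" with
# padding on point-to-point links), dead timer, neighbor address, interface.
LINE_RE = re.compile(
    r"^(?P<rid>\d+\.\d+\.\d+\.\d+)\s+(?P<pri>\d+)\s+"
    r"(?P<state>[A-Z0-9]+)/\s*(?P<role>[A-Z-]+)\s+"
    r"(?P<dead>\d\d:\d\d:\d\d)\s+(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<intf>\S+)$"
)


def parse_neighbors(text):
    """Return one dict per neighbor line; the header line is skipped."""
    neighbors = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            n = m.groupdict()
            n["pri"] = int(n["pri"])
            neighbors.append(n)
    return neighbors


def diagnose(state, role):
    """Map a neighbor state to a probable cause, or None when the state is healthy."""
    if state == "FULL":
        return None
    if state == "2WAY":
        # Two DROthers on a broadcast segment stop at 2-Way by design; only a
        # 2-Way with the DR or BDR means database exchange never started.
        return None if role == "DROTHER" else "stuck in 2-Way with the DR/BDR"
    if state == "INIT":
        return "peer does not list us in its hellos: check ACLs/authentication on the peer side"
    if state in ("EXSTART", "EXCHANGE"):
        return "DBD exchange failing: check for MTU mismatch or duplicate router IDs"
    if state == "DOWN":
        return "no recent hello: check timers, area ID, network type"
    return f"unexpected state {state}"


def find_problems(text):
    """Return {router_id: 'interface: reason'} for every unhealthy neighbor."""
    problems = {}
    for n in parse_neighbors(text):
        reason = diagnose(n["state"], n["role"])
        if reason:
            problems[n["rid"]] = f'{n["intf"]}: {reason}'
    return problems


if __name__ == "__main__":
    for rid, why in find_problems(SAMPLE_OUTPUT).items():
        print(rid, why)
```

Run against the sample, only 10.0.0.4 (Init) and 10.0.0.5 (ExStart) are reported; the 2WAY/DROTHER neighbor is correctly left alone. The same parser can be fed the output of several routers to find the side whose hellos are not getting through.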
Q62. In EIGRP, a route is marked as “Stuck in Active” (SIA). What is the most likely cause?
A) The feasible successor metric is higher than the successor route
B) The router lost connectivity to a neighbor and is awaiting replies
C) The route has been redistributed from RIP
D) The EIGRP process is running in passive mode
Answer: B) The router lost connectivity to a neighbor and is awaiting replies
Explanation:
A route goes Active when its successor is lost and no feasible successor exists; the router then sends queries to its neighbors and cannot return the route to Passive until every neighbor has replied. Stuck in Active (SIA) means at least one reply did not arrive within the active timer (three minutes by default), typically because that neighbor is overloaded, is reached over a congested or low-bandwidth link, or is itself waiting for replies from further downstream. A feasible successor avoids the problem because the route never goes Active, redistribution from RIP does not by itself cause SIA, and a passive interface sends no hellos, so no neighbor and no query exists on it.
In EIGRP (Enhanced Interior Gateway Routing Protocol), the Stuck-in-Active (SIA) state is declared when a router has queried its neighbors for a route and at least one of them has not answered before the active timer expires. Queries propagate hop by hop until they reach a router that has no knowledge of the route, so a large, unsummarized topology gives each query a wide scope and makes a slow or unreachable neighbor somewhere in that scope likely; congestion, low-bandwidth links, and neighbors that are themselves Active for the same route are the usual causes. The consequence is worse than the original failure: the router resets its adjacency with the unresponsive neighbor, tearing down every route learned through it. Modern IOS releases soften this with SIA-Query and SIA-Reply messages, sent at half the active timer to confirm the neighbor is still working on the query, so only a neighbor that is truly unresponsive is reset. Summarization, eigrp stub on spoke routers, and route filtering bound the query scope and are the standard preventive measures.
A feasible successor is a backup path that satisfies the feasibility condition: the neighbor's reported distance (its own metric to the destination) must be strictly less than the feasible distance (the best metric this router has had to the destination). That inequality guarantees the backup is loop-free, so when the successor fails DUAL promotes the feasible successor locally, without sending a single query, and the route stays Passive. SIA is therefore only possible for routes that had no feasible successor at the moment the successor was lost.
Route redistribution, such as importing RIP routes into EIGRP, does not by itself cause SIA; redistributed prefixes go Active and are queried like any other prefix, so the protocol of origin is irrelevant. A passive interface (passive-interface under the EIGRP process) suppresses hellos, so no neighbor forms on it and no queries are sent or received there; it cannot be the source of an SIA, although it also means no route can be learned through it.
Understanding SIA is critical for troubleshooting EIGRP networks, as it highlights potential communication issues between neighbors and ensures proper configuration to maintain fast convergence and network stability.
Q63. A Cisco switch is not learning MAC addresses on a port. Which feature, if enabled incorrectly, could cause this behavior?
A) PortFast
B) Storm control
C) VLAN pruning
D) BPDU guard
Answer: B) Storm control
Explanation:
Storm control limits broadcast, multicast, or unicast traffic to prevent network congestion. If misconfigured with very low thresholds, it can prevent MAC learning by dropping traffic before the switch can populate the MAC table. PortFast speeds up STP convergence but does not block MAC learning. VLAN pruning removes VLANs from trunks, and BPDU guard disables ports when BPDUs are received.
In Cisco switched networks, maintaining stability requires limiting broadcast, multicast, and unknown-unicast traffic. Storm control (storm-control broadcast|multicast|unicast level on the interface) counts the traffic of each type over a one-second interval and suppresses what exceeds the configured threshold; with storm-control action shutdown it err-disables the port instead, at which point the port learns nothing at all. This question is about the suppression case: a threshold set far too low (a fraction of a percent of unicast traffic, for example) drops legitimate frames, including the ones the switch would learn source addresses from, so the MAC address table for that port stays empty or stale. show storm-control shows the configured levels and current suppression counters, and show interfaces status err-disabled reveals the shutdown case. A practitioner should also check show port-security interface, because port security that has reached its maximum number of secure addresses, or has triggered a protect or shutdown violation, is, outside the four options offered here, the more common reason a port stops learning new MAC addresses.
PortFast is a Spanning Tree Protocol (STP) feature that allows ports connected to end devices to transition immediately to the forwarding state, bypassing the listening and learning states. This speeds up network convergence for hosts but does not manage traffic rates or prevent MAC learning issues.
VLAN pruning is used to remove unused VLANs from trunk links, optimizing bandwidth and reducing unnecessary traffic across trunks. However, it does not actively control broadcast or multicast traffic rates.
BPDU guard protects the network from rogue switches by disabling ports that receive unexpected BPDUs, preventing potential STP topology loops. It does not regulate traffic volume.
Together, these features address different aspects of traffic management: storm control manages traffic volume, PortFast accelerates host connections, VLAN pruning optimizes VLAN propagation, and BPDU guard enforces STP security. Proper configuration ensures network reliability and prevents congestion-related issues.
Q64. You are configuring an SD-WAN overlay and need to ensure traffic between two sites is encrypted. Which protocol is used to secure the data plane?
A) SSL
B) IPsec
C) GRE
D) LISP
Answer: B) IPsec
Explanation:
Cisco SD-WAN encrypts data-plane traffic between sites in IPsec tunnels built between the TLOCs of the WAN edge routers (vEdge or cEdge). The tunnels come up automatically once the control connections are established: data-plane keys are not negotiated with IKE but generated by each edge and distributed over OMP through the vSmart controllers. SSL/TLS, in the form of DTLS or TLS, secures only the control connections to vBond, vManage and vSmart; GRE is a tunneling encapsulation with no encryption; and LISP is the mapping protocol of Cisco SD-Access, not part of SD-WAN at all.
In Cisco SD-WAN, securing data-plane traffic between sites is critical because the overlay runs over untrusted transports such as the Internet. IPsec tunnels provide confidentiality, integrity, replay protection and peer authentication for that traffic, using AES-256-GCM by default with ESP authentication and a configurable anti-replay window. What makes SD-WAN different from classic site-to-site IPsec is the key exchange: each WAN edge generates its own data-plane keys, advertises them with its TLOCs in OMP to vSmart, and vSmart distributes them to the peers allowed to talk to it, so no IKE negotiation takes place between the edges. The control connections that carry OMP are themselves protected by DTLS or TLS and authenticated with the device certificates, and every data-plane tunnel is monitored with BFD. The security policy lives in the edge's security configuration (rekey interval, anti-replay window, authentication type), and a tunnel only forms between TLOCs whose edges hold valid certificates and an established control plane.
The other options serve different purposes. SSL (and its successor TLS) secures web and management sessions; SD-WAN uses it, as DTLS or TLS, for the control connections between edges and controllers, never for the site-to-site data plane. GRE (Generic Routing Encapsulation) encapsulates Layer 3 traffic without encrypting it; SD-WAN can carry overlay traffic with GRE encapsulation instead of IPsec (tunnel-interface encapsulation gre) for transports that require it, but that traffic crosses the underlay in the clear. LISP (Locator/ID Separation Protocol) is not used by Cisco SD-WAN: it is the control-plane protocol of Cisco SD-Access, mapping endpoint identifiers (EIDs) to routing locators (RLOCs) in the campus fabric. The corresponding role in SD-WAN, advertising which prefixes are reachable through which TLOCs, belongs to OMP.
By using IPsec with keys distributed through the control plane, Cisco SD-WAN keeps all branch-to-branch and branch-to-data-center traffic confidential and tamper-evident across any transport, while OMP handles route and key distribution, DTLS/TLS protects the control plane, and GRE remains an unencrypted encapsulation option for special cases. This is what allows the overlay to treat the public Internet as just another transport.
Q65. A network engineer wants to redistribute OSPF routes into EIGRP but wants to set the EIGRP metric manually. Which command accomplishes this?
A) redistribute ospf 1 metric 100000 100 255 1 1500
B) network 10.0.0.0 0.0.0.255
C) default-information originate
D) router eigrp 100
Answer: A) redistribute ospf 1 metric 100000 100 255 1 1500
Explanation:
Redistributed OSPF routes carry no EIGRP metric, so EIGRP must be told one; without a metric keyword or a default-metric statement under the EIGRP process, routes redistributed from another routing protocol receive an infinite metric and are never advertised. The five values are bandwidth in kbps, delay in tens of microseconds, reliability and load on a 1-255 scale, and MTU in bytes; with the default K values only bandwidth and delay change the composite metric, but all five must be present. The 1 is the OSPF process ID and must match the running process. The network statement defines which interfaces participate in EIGRP, and default-information originate is an OSPF/RIP command, not an EIGRP one.
In complex networks, redistributing routes between routing protocols is often necessary to connect heterogeneous domains. When redistributing OSPF into EIGRP, redistribute ospf 1 metric 100000 100 255 1 1500 imports every route from OSPF process 1 and seeds it with a bandwidth of 100000 kbps, a delay of 100 (tens of microseconds, i.e. 1 ms), reliability 255/255, load 1/255 and an MTU of 1500 bytes. EIGRP needs this seed because it cannot derive bandwidth and delay from an OSPF cost; the alternative is default-metric 100000 100 255 1 1500 under router eigrp, which applies to every redistributed protocol, with the per-command metric taking precedence. Choosing values comparable to the real links matters: a seed that is too attractive pulls traffic toward the OSPF domain over poor paths, while one that is too poor makes the redistributed routes lose to any internal alternative. Redistributed routes are also external EIGRP routes with administrative distance 170 rather than 90, which is the usual reason a redistributed prefix is unexpectedly absent from the routing table when an internal path to it exists.
The network 10.0.0.0 0.0.0.255 statement (with a wildcard mask) defines which interfaces participate in EIGRP: interfaces whose addresses fall in the range send hellos, form neighbors, and have their networks advertised. Without it, no adjacency forms on those interfaces and the redistributed routes have no neighbors to propagate to, but the statement does not set any metric.
default-information originate is the OSPF, RIP and IS-IS command for advertising a default route; the EIGRP process has no originate form (its default-information keywords only control whether candidate default routes are accepted or propagated). A default route is injected into EIGRP by redistributing a static default with a metric, or by advertising a 0.0.0.0/0 summary with ip summary-address eigrp on the relevant interfaces. Either way, this option does not set a metric for redistributed OSPF routes.
Finally, router eigrp 100 starts the EIGRP process with autonomous system number 100 and is where the redistribute statement is entered; it establishes the routing domain but by itself neither redistributes nor assigns metrics.
Combining these commands allows network engineers to redistribute OSPF routes into EIGRP with sensible metrics, advertise networks consistently, and provide default routing for external connectivity. When redistribution is mutual (OSPF into EIGRP and EIGRP back into OSPF), tag the routes with a route map on each redistribute statement and deny routes carrying the other domain's tag, so a prefix can never be re-imported into the protocol it came from; that feedback is the classic redistribution loop, and a manual metric alone does not prevent it.
Q66. Which SD-WAN policy type prioritizes specific application traffic over lower-priority traffic in real-time?
A) Control policy
B) Data policy
C) Application-aware routing (AAR) policy
D) QoS trust policy
Answer: C) Application-aware routing (AAR) policy
Explanation:
Application-Aware Routing (AAR) in Cisco SD-WAN measures loss, latency and jitter on every overlay tunnel with BFD probes, compares the averaged results against the SLA class attached to an application, and steers that application's traffic onto a tunnel that still meets the SLA, preferring the configured transport color when it does. Data policies decide where and how traffic is forwarded but do not react to path quality, control policies shape what vSmart advertises to the edges, and QoS marking or trust only classifies traffic for queuing; none of them selects a path dynamically.
In Cisco SD-WAN, policies provide the framework to control traffic flow, optimize performance, and enforce security across the WAN. Control policies (centralized, applied on vSmart) act on the OMP routes and TLOCs the controller advertises to the WAN edge routers: they filter or modify routes, restrict which TLOCs a site learns about and therefore which tunnels it can build, and set preferences between sites. Control policies never touch a data packet, but they shape the topology (hub-and-spoke, regional meshes) that every data path has to follow.
Data policies, on the other hand, focus on the actual flow of application traffic through the WAN. Administrators can define rules to allow, block, or prioritize traffic, enforce firewall-like behavior, and shape traffic to meet business requirements. Data policies work at Layer 3/Layer 4 and are applied to specific application flows, user groups, or locations. This allows granular control over how critical applications traverse the network.
Application-Aware Routing (AAR) policies add the time dimension that data policies lack. Every tunnel is probed continuously with BFD; the WAN edge keeps loss, latency and jitter statistics per tunnel, averaged over a poll interval and a number of intervals, and compares them with the SLA class (maximum loss, latency and jitter) assigned to each application in the app-route policy. Traffic for performance-sensitive applications such as voice, video or ERP uses the preferred transport color while it meets the SLA and is moved to another compliant tunnel when it does not, with a configurable fallback when no tunnel meets the SLA. Unlike data policies, which produce the same forwarding decision regardless of path quality, AAR is adaptive, and the averaging window is what keeps a single bad probe from bouncing traffic between transports.
QoS trust policies work in conjunction with these policies to mark or trust traffic for priority handling. By assigning DSCP or IP precedence values, QoS policies ensure that high-priority traffic is treated appropriately by downstream devices, such as routers and switches, in both the overlay and underlay.
By combining control, data, AAR, and QoS trust policies, Cisco SD-WAN provides a comprehensive framework to manage traffic intelligently, enforce security, and optimize application performance across distributed networks, ensuring both operational efficiency and business continuity.
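As an added illustration (not from the original page and not Cisco's implementation), the Python below models the AAR decision: each tunnel's BFD probe results are averaged over a window, an SLA class sets the loss, latency and jitter limits, and the preferred transport color is used only while it still meets the SLA. The tunnel statistics, the SLA values and the fallback when nothing meets the SLA (send over all paths) are this example's assumptions.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class SlaClass:
    """Thresholds an AAR policy attaches to an application class."""
    name: str
    max_loss_pct: float
    max_latency_ms: float
    max_jitter_ms: float


@dataclass
class Tunnel:
    """One overlay tunnel (identified by its transport color) and the
    (loss %, latency ms, jitter ms) measured by BFD in each poll interval."""
    color: str
    samples: list

    def averages(self):
        # AAR judges the averaged window, so one bad interval does not flip the path.
        loss, latency, jitter = (mean(col) for col in zip(*self.samples))
        return loss, latency, jitter


def meets_sla(tunnel, sla):
    loss, latency, jitter = tunnel.averages()
    return (loss <= sla.max_loss_pct
            and latency <= sla.max_latency_ms
            and jitter <= sla.max_jitter_ms)


def select_paths(tunnels, sla, preferred_colors):
    """Return the colors this application class may use right now."""
    compliant = [t for t in tunnels if meets_sla(t, sla)]
    if not compliant:
        # Assumption for this example: when no tunnel meets the SLA, fall back
        # to all tunnels rather than dropping the traffic.
        return [t.color for t in tunnels]
    preferred = [t for t in compliant if t.color in preferred_colors]
    return [t.color for t in (preferred or compliant)]


# Constructed data: three transports, three poll intervals each.
VOICE = SlaClass("voice", max_loss_pct=2.0, max_latency_ms=150.0, max_jitter_ms=30.0)
TUNNELS = [
    Tunnel("mpls", [(0.0, 40, 5), (0.0, 45, 6), (0.0, 42, 5)]),
    Tunnel("biz-internet", [(0.5, 90, 12), (3.0, 140, 40), (0.4, 95, 10)]),  # one bad interval, average still fine
    Tunnel("lte", [(1.0, 120, 25), (5.0, 200, 60), (4.0, 180, 50)]),           # sustained loss
]

if __name__ == "__main__":
    print(select_paths(TUNNELS, VOICE, preferred_colors=("biz-internet",)))  # ['biz-internet']
    print(select_paths(TUNNELS, VOICE, preferred_colors=("lte",)))           # ['mpls', 'biz-internet']
```

biz-internet stays eligible because its averages (1.3 % loss, about 108 ms latency, about 21 ms jitter) are within the voice SLA despite one bad interval, while lte's sustained loss excludes it; a preferred color that fails the SLA is simply skipped. On a real WAN edge the window is set by the BFD app-route poll interval and multiplier, and the SLA class, preferred color and fallback behaviour are set in the app-route policy.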
Q67. You see the following output: BGP state = Active on a router. What does this indicate?
A) The BGP session is fully established
B) The router is attempting to establish a TCP session with the neighbor
C) The neighbor has sent a KEEPALIVE message
D) The route map is blocking updates
Answer: B) The router is attempting to establish a TCP session with the neighbor
Explanation:
BGP Active state means the router has not yet established a TCP session with its neighbor and is still trying. Established sessions show established state, and KEEPALIVE messages maintain established sessions. Route maps may filter updates, but do not cause the Active state.
In Border Gateway Protocol (BGP), understanding session states is crucial for troubleshooting inter-domain routing issues. A BGP session progresses through several states: Idle, Connect, Active, OpenSent, OpenConfirm, and Established. The Active state occurs when a BGP router is attempting to establish a TCP session with a neighbor but has not yet succeeded. In this state, the router repeatedly tries to connect to the peer, typically on TCP port 179. If the connection succeeds, the session progresses to the OpenSent state, and eventually to Established, where routes are exchanged.
The Established state indicates that the TCP connection has been successfully formed, the BGP Open messages have been exchanged, and the session is fully operational. Only in the Established state does the router exchange UPDATE messages to advertise or receive routing information.
KEEPALIVE messages are critical for maintaining BGP sessions. Once the session is established, peers periodically send KEEPALIVE messages to confirm connectivity and prevent session timeout. They do not initiate sessions; instead, they maintain the session after it reaches the Established state.
A route map can filter updates by permitting or denying specific prefixes, controlling attributes like weight, local preference, or MED. While route maps influence which routes are advertised or accepted, they do not affect the BGP session state itself. Therefore, route maps cannot cause a neighbor to remain in Active; they only modify routing information after the session is up.
When troubleshooting an Active state, start with reachability and the TCP session itself: ping the neighbor address from the correct source (the update-source interface when peering between loopbacks), confirm that the peer has this router's address and AS number configured, that ebgp-multihop is set when an eBGP peer is not directly connected, and that no ACL or firewall blocks TCP port 179 in either direction. show ip bgp summary shows the state of every peer (a number in the state column means Established and is the prefix count), and show ip bgp neighbors shows the state, the last reset reason and the connection attempts for one peer. A peer that flaps between Idle and Active is almost always a reachability or configuration mismatch rather than a routing policy problem. Understanding the differences between TCP session attempts, KEEPALIVE maintenance, and route map filtering is essential for resolving BGP neighbor issues efficiently.
Q68. Which Cisco wireless feature reduces handoff time between APs for voice clients?
A) 802.1X
B) 802.11r (Fast Roaming)
C) WPA2
D) FlexConnect
Answer: B) 802.11r (Fast Roaming)
Explanation:
802.11r speeds up the authentication process during AP handoffs by enabling fast transition key exchange, reducing latency for voice and video applications. FlexConnect supports branch AP switching, 802.1X handles authentication, and WPA2 provides encryption but does not impact roaming latency.
In wireless networks, especially those supporting voice and video applications, minimizing latency during client mobility is critical. 802.11r, also known as Fast Roaming or Fast Basic Service Set (BSS) Transition, is designed to reduce the time required for a client device to roam between access points (APs). Traditionally, when a client roams, it must perform a full 802.1X authentication and key exchange with the new AP, which can cause delays of hundreds of milliseconds—potentially disrupting latency-sensitive applications like VoIP. With 802.11r, the client and AP perform a fast transition key exchange, allowing the client to authenticate with the new AP almost instantaneously. This reduces handoff times significantly, maintaining session continuity for voice, video, and other real-time applications.
FlexConnect is a Cisco feature for branch networks, enabling APs to switch traffic locally at the branch site even when the connection to a central Wireless LAN Controller (WLC) is lost. While FlexConnect ensures continuous connectivity and local policy enforcement, it does not inherently improve roaming speed or reduce authentication latency.
802.1X is a standard for network port-based authentication, providing secure access control by verifying client credentials before allowing network access. While 802.1X is often used in conjunction with WPA2, it is primarily focused on authentication, not mobility or roaming performance.
WPA2 is a security protocol that provides strong encryption using AES-CCMP to protect wireless traffic. It ensures confidentiality and integrity of data, but does not reduce roaming latency or improve fast handoffs between APs.
802.11r works with both 802.1X (FT-802.1X, where the key hierarchy derived at the first full authentication is reused on subsequent APs) and pre-shared keys (FT-PSK), so the roaming gain is independent of which authentication method the WLAN uses. The practical caveat is client support: some older clients fail to associate to a WLAN that advertises 802.11r only, which is why Cisco WLCs allow Fast Transition to run in mixed or adaptive mode, so that capable clients use FT while the others fall back to a full reauthentication. By combining 802.11r for fast roaming, 802.1X for authentication, WPA2 for encryption, and optionally FlexConnect for branch switching, Cisco wireless networks deliver secure, seamless mobility with uninterrupted voice and video sessions while administrators keep strict security and local switching capabilities.
Q69. A network engineer wants to configure QoS to drop traffic exceeding a rate limit. Which mechanism is appropriate?
A) Shaping
B) Policing
C) CBWFQ
D) LLQ
Answer: B) Policing
Explanation:
Policing enforces a traffic rate by dropping (or remarking) packets that exceed the configured rate and burst, which is why it is the tool for SLA enforcement at the edge. Shaping holds excess traffic in a buffer and releases it at the configured rate, trading delay for loss. CBWFQ and LLQ are queuing mechanisms that decide which packet is sent next under congestion; the priority queue in LLQ is implicitly policed to its rate during congestion, but neither is a rate limiter in the sense the question asks for.
In Cisco networks, Quality of Service (QoS) mechanisms are critical for ensuring that critical applications like voice, video, and real-time data receive appropriate bandwidth and low latency. Different QoS techniques address traffic management in distinct ways, including shaping, policing, and queuing mechanisms such as CBWFQ and LLQ.
Policing is a QoS mechanism that enforces a strict traffic rate limit on an interface. It monitors traffic and drops or remarks packets that exceed the configured bandwidth threshold. Policing is often used in service provider networks or enterprise WAN links to enforce Service Level Agreements (SLAs) and prevent excessive traffic from consuming shared bandwidth. While effective at controlling traffic rates, policing can introduce packet loss if bursts exceed the limit, potentially impacting latency-sensitive applications.
Shaping, in contrast, is a proactive mechanism that buffers excess traffic instead of dropping it immediately. By smoothing traffic bursts, shaping ensures that the average traffic rate conforms to the configured policy while maintaining a steady flow. This is particularly useful for WAN links where congestion can cause variable delay. Shaping reduces packet loss and jitter, making it suitable for voice and video traffic.
Class-Based Weighted Fair Queuing (CBWFQ) is a scheduling mechanism that assigns a minimum bandwidth guarantee to each traffic class (bandwidth under the class in a policy map). It ensures fair distribution of bandwidth among classes during congestion but does not limit a class when bandwidth is free; excess traffic is queued and is dropped only when the queue itself fills.
Low Latency Queuing (LLQ) is CBWFQ plus one strict-priority queue (priority under the class). Packets in that queue are always sent first, which gives voice the low delay and jitter it needs, but to stop the priority queue from starving the other classes it is policed to its configured rate whenever the interface is congested. That is the one place a queuing tool drops on rate, and it is a side effect of protecting the other queues rather than a rate-limiting feature.
By combining policing, shaping, CBWFQ, and LLQ, network administrators can control bandwidth usage, prioritize critical traffic, and enforce SLAs, achieving predictable behavior for diverse applications across enterprise and service provider networks. The practical rule of thumb is to shape on the sending side of a slower link and police on the receiving or provider side, so that bursts are smoothed before they reach a policer that would otherwise drop them.
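The difference between dropping and delaying is easiest to see in a token-bucket model. The Python below is an added example, not code from the page or from Cisco: it runs the same constructed burst through a single-rate two-color policer (conform and forward, exceed and drop) and through a shaper with the same CIR and Bc, where excess is queued until enough tokens accumulate. The traffic trace and the parameter values are made up for the illustration.

```python
CIR_BPS = 1_000_000   # committed rate: 1 Mbit/s
BC_BYTES = 3000       # committed burst: depth of the token bucket in bytes

# Constructed trace: (arrival time in seconds, size in bytes).
# Five back-to-back 1500-byte packets, then one more 100 ms later.
BURST = [(0.000, 1500), (0.001, 1500), (0.002, 1500),
         (0.003, 1500), (0.004, 1500), (0.100, 1500)]


def _refill(tokens, elapsed, cir_bps, bc_bytes):
    """Add the tokens earned over `elapsed` seconds, capped at the bucket depth."""
    return min(bc_bytes, tokens + elapsed * cir_bps / 8)


def police(packets, cir_bps=CIR_BPS, bc_bytes=BC_BYTES):
    """Single-rate two-colour policer: a packet is forwarded only if the bucket
    holds enough tokens when it arrives; otherwise it is dropped on the spot.
    A packet larger than Bc can never conform, a classic misconfiguration."""
    tokens, last_t = bc_bytes, 0.0
    forwarded, dropped = [], []
    for t, size in packets:
        tokens = _refill(tokens, t - last_t, cir_bps, bc_bytes)
        last_t = t
        if size <= tokens:
            tokens -= size
            forwarded.append((t, size))
        else:
            dropped.append((t, size))     # exceed action: drop (could also remark)
    return forwarded, dropped


def shape(packets, cir_bps=CIR_BPS, bc_bytes=BC_BYTES):
    """Token-bucket shaper with an unbounded FIFO: a packet that finds too few
    tokens waits until enough have accumulated. Returns (arrival, departure, size)."""
    if any(size > bc_bytes for _, size in packets):
        raise ValueError("Bc smaller than a packet: it could never be sent")
    tokens, last_t = bc_bytes, 0.0
    departures = []
    for t, size in packets:
        send_t = max(t, departures[-1][1] if departures else 0.0)   # keep FIFO order
        tokens = _refill(tokens, send_t - last_t, cir_bps, bc_bytes)
        if size > tokens:
            wait = (size - tokens) * 8 / cir_bps   # time to earn the missing tokens
            send_t += wait
            tokens = _refill(tokens, wait, cir_bps, bc_bytes)
        tokens -= size
        last_t = send_t
        departures.append((t, send_t, size))
    return departures


def max_delay(departures):
    """Worst queueing delay, in seconds, introduced by the shaper."""
    return max(send_t - t for t, send_t, _ in departures)


if __name__ == "__main__":
    fwd, drop = police(BURST)
    print(f"policer: {len(fwd)} forwarded, {len(drop)} dropped")
    deps = shape(BURST)
    print(f"shaper: {len(deps)} forwarded, worst delay {max_delay(deps) * 1000:.1f} ms")
```

With a 3000-byte bucket the policer forwards the first two packets of the burst and drops the next three, while the shaper delivers all six at the cost of up to 32 ms of queueing delay for the last packet of the burst; the packet arriving 100 ms later finds a refilled bucket in both cases. The same model shows why a Bc below the MTU is a misconfiguration: a 9000-byte frame is dropped unconditionally by the policer and can never be released by the shaper.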
Q70. In an MPLS network, which router forwards labeled packets without modifying the label?
A) CE
B) PE
C) P
D) LER
Answer: C) P
Explanation:
P routers (Provider routers) forward MPLS-labeled packets through the core without adding or removing labels. PE (Provider Edge) routers push and pop labels at the edge. LER is another term for PE in some contexts, and CE (Customer Edge) routers are outside the MPLS cloud.
In MPLS (Multiprotocol Label Switching) networks, understanding the roles of different router types is essential for designing and troubleshooting large-scale service provider networks. The MPLS architecture divides routers into Provider Edge (PE), Provider (P), and Customer Edge (CE) devices, with LER (Label Edge Router) sometimes used interchangeably with PE in certain contexts.
P routers, or Provider routers (also called Label Switch Routers, LSRs), operate within the MPLS core. They forward packets on the top label alone, swapping the incoming label for the outgoing one according to the Label Forwarding Information Base (LFIB), and never look at the IP header or at the inner VPN label. Because they see only labels, P routers carry no customer prefixes and no VRFs, which is what lets the core scale. One exception to "never pop": with penultimate hop popping (PHP), the last P router before the egress PE removes the top label, because the PE advertised an implicit-null label for that prefix, so the PE does not need two lookups; the label was still assigned by the edge, not by the P router.
PE routers (Provider Edge) sit at the boundary of the MPLS cloud and interface with CE devices. PE routers are responsible for pushing labels onto incoming customer packets and popping labels off packets destined for customers. They also maintain VPN routing information, allowing Layer 3 VPNs to function across the MPLS network. In some documentation, Label Edge Router (LER) is used interchangeably with PE, emphasizing its edge role in MPLS labeling operations.
CE routers (Customer Edge) are located at the customer premises. They connect to the PE router but do not participate in MPLS forwarding. CE routers are concerned with IP routing to the provider network, leaving all MPLS label operations to the PE.
Q71. Which command on a Cisco switch displays the native VLAN for trunk interfaces?
A) show interfaces trunk
B) show vlan brief
C) show spanning-tree
D) show running-config
Answer: A) show interfaces trunk
Explanation:
Show interfaces trunk lists trunking interfaces, allowed VLANs, and the native VLAN. This helps troubleshoot VLAN mismatches and connectivity issues. The show vlan brief command shows VLANs but not trunk configuration, while the show spanning-tree command shows STP status, and the show running-config command shows the full configuration.
In Cisco switched networks, managing VLANs and trunks is crucial to ensure proper Layer 2 connectivity and avoid broadcast, multicast, or routing issues. show interfaces trunk is the first command to run when verifying a trunk: it lists each trunking interface with its mode (on, desirable, auto), encapsulation, status, and native VLAN, followed by the VLANs allowed, the VLANs active in the management domain, and the VLANs in forwarding state and not pruned. The native VLAN is the one whose frames cross the trunk untagged, and it must match on both ends: a mismatch (CDP logs it as a native VLAN mismatch, and PVST+ blocks the affected VLAN on the port with a PVID inconsistency) means untagged frames sent in one VLAN arrive in another, and it is the precondition for double-tagging VLAN hopping. The practitioner's configuration check is therefore twofold: the same unused native VLAN on both ends of every trunk, never VLAN 1, and vlan dot1q tag native globally so that even native-VLAN frames are tagged. The command is equally useful for the other classic trunk problems, a VLAN missing from the allowed list on one side or a port that negotiated access instead of trunk mode.
The show vlan brief command provides a summary of all VLANs configured on the switch, including VLAN IDs, names, status, and the ports assigned to each VLAN. While this command is helpful for confirming VLAN creation and port membership, it does not indicate which interfaces are trunking or the VLANs allowed on trunk links.
The show spanning-tree command is used to monitor the Spanning Tree Protocol (STP) status, including port roles, states, and priority information. STP prevents Layer 2 loops in redundant topologies, and understanding its output is important for diagnosing blocked or misconfigured ports, but it does not provide information about trunking or allowed VLANs.
Finally, the show running-config command displays the full current configuration of the switch, including interface configurations, VLANs, STP settings, and more. While comprehensive, it requires manual inspection to determine trunking status and VLAN assignments, making it less efficient than show interfaces trunk for quick verification.
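The check an engineer usually wants from this output is whether both ends of each trunk agree on the native VLAN. The Python below is an added example rather than page or vendor code: it parses constructed show interfaces trunk output from two switches (the text is made up, and only the first table of the command's output is read) together with a hand-written link map standing in for CDP neighbor data, and reports native VLAN mismatches plus trunks still using VLAN 1 as native.

```python
import re

# Constructed "show interfaces trunk" excerpts, not captured from real devices.
SW1_TRUNKS = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi1/0/1     on           802.1q         trunking      999
Gi1/0/2     on           802.1q         trunking      1
Gi1/0/3     desirable    802.1q         trunking      999

Port        Vlans allowed on trunk
Gi1/0/1     10,20,30
Gi1/0/2     1-4094
Gi1/0/3     10,20,30
"""

SW2_TRUNKS = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi1/0/24    on           802.1q         trunking      999
Gi1/0/23    on           802.1q         trunking      1
Gi1/0/22    on           802.1q         trunking      99
"""

# Constructed link map, what CDP/LLDP would report:
# (local switch, local port, remote switch, remote port).
LINKS = [
    ("SW1", "Gi1/0/1", "SW2", "Gi1/0/24"),
    ("SW1", "Gi1/0/2", "SW2", "Gi1/0/23"),
    ("SW1", "Gi1/0/3", "SW2", "Gi1/0/22"),
]

TRUNK_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<mode>\S+)\s+(?P<encap>\S+)\s+(?P<status>\S+)\s+(?P<native>\d+)$"
)


def parse_native_vlans(text):
    """Return {port: native_vlan} from the first table of 'show interfaces trunk'."""
    natives = {}
    for line in text.splitlines():
        if not line.strip():
            break                      # the allowed-VLAN tables follow a blank line
        m = TRUNK_RE.match(line.strip())
        if m and m.group("status") == "trunking":
            natives[m.group("port")] = int(m.group("native"))
    return natives


def audit_trunks(outputs, links):
    """outputs: {switch name: show output}. Returns a list of (severity, message)."""
    natives = {sw: parse_native_vlans(text) for sw, text in outputs.items()}
    findings = []
    for sw_a, port_a, sw_b, port_b in links:
        nat_a = natives[sw_a].get(port_a)
        nat_b = natives[sw_b].get(port_b)
        if nat_a is None or nat_b is None:
            findings.append(("ERROR", f"{sw_a} {port_a} <-> {sw_b} {port_b}: one side is not trunking"))
            continue
        if nat_a != nat_b:
            findings.append(("ERROR", f"{sw_a} {port_a} native {nat_a} != {sw_b} {port_b} native {nat_b}: "
                                      "untagged frames cross VLANs (PVID inconsistency)"))
        elif nat_a == 1:
            findings.append(("WARN", f"{sw_a} {port_a} <-> {sw_b} {port_b}: native VLAN is the default VLAN 1; "
                                     "use an unused VLAN and 'vlan dot1q tag native'"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_trunks({"SW1": SW1_TRUNKS, "SW2": SW2_TRUNKS}, LINKS):
        print(severity, message)
```

On the sample data the first link is clean, the second is flagged for using VLAN 1 as native on both ends, and the third is reported as a 999/99 mismatch, the case that lets frames leak between VLANs.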
Q72. A network engineer needs to segment traffic for different departments using TrustSec. Which mechanism accomplishes this?
A) VLANs
B) Security Group Tags (SGTs)
C) Access Control Lists
D) Port-based authentication
Answer: B) Security Group Tags (SGTs)
Explanation:
Cisco TrustSec uses SGTs to dynamically segment traffic based on user roles or device types. This enforces policies without relying on IP addresses. VLANs provide Layer 2 segmentation but are static, ACLs filter traffic, and port-based authentication controls access, but do not inherently segment traffic across the network.
In modern enterprise networks, securing and segmenting traffic is essential to maintain data integrity, control access, and simplify policy enforcement. Cisco TrustSec introduces Security Group Tags (SGTs): a 16-bit value assigned to a user, device or server based on its role, typically by ISE at 802.1X, MAB or web authentication time, or statically for servers and IP ranges. The tag travels with the traffic either inline, in the Cisco Meta Data (CMD) header of the Ethernet frame between TrustSec-capable devices, or out of band through SXP, which maps IP addresses to SGTs across devices that cannot tag frames. Enforcement happens at the egress device with Security Group ACLs (SGACLs), a matrix of source SGT by destination SGT, so the policy is written once in terms of roles and applies wherever those endpoints attach, without reference to their IP addresses or VLANs.
VLANs (Virtual Local Area Networks) also provide traffic segmentation, but they are static and Layer 2-based. VLANs separate broadcast domains and control which devices can communicate directly on the same Layer 2 segment; communication between VLANs is then controlled by ACLs on the routed interfaces. A VLAN is tied to a switch port and to an IP subnet, so it says nothing about who the user is, and every new role or location means another VLAN, subnet and set of ACLs to maintain, which is precisely what SGTs are designed to avoid.
Access Control Lists (ACLs) filter traffic based on IP addresses, protocols, or ports, providing granular security enforcement. ACLs are widely used for controlling access between network segments, but do not offer dynamic segmentation based on user roles or device context. They also require careful management to avoid conflicts and maintain scalability.
Port-based authentication, such as 802.1X, controls access to a switch port by requiring user or device authentication before granting network access. While it ensures only authorized devices connect to the network, it does not inherently segment traffic once access is granted.
Q73. Which routing protocol can perform unequal-cost load balancing using the variance command?
A) OSPF
B) RIP
C) EIGRP
D) BGP
Answer: C) EIGRP
Explanation:
EIGRP supports unequal-cost load balancing through the variance command. A path other than the successor is installed when two conditions hold: it is a feasible successor (its reported distance is less than the feasible distance, so it is loop-free) and its metric is within variance times the successor's metric. OSPF and RIP only allow equal-cost load balancing, and BGP installs a single best path unless maximum-paths is configured.
In enterprise networks, load balancing improves bandwidth utilization and provides redundancy by allowing multiple paths to carry traffic to a destination. EIGRP (Enhanced Interior Gateway Routing Protocol) is the only common IGP that supports unequal-cost load balancing. With variance n, EIGRP installs every feasible successor whose metric is within n times the feasible distance, in addition to the successor; the feasibility condition is what keeps this safe, because a path that is not a feasible successor is never installed no matter how high the variance. Traffic is then shared in proportion to the metrics (traffic-share balanced, the default), so the better path still carries more of the load. Two things commonly surprise engineers: variance 1 (the default) is equal-cost behavior, and a path with an attractive metric can still be excluded because the neighbor's reported distance is too high, a sign that the neighbor might be routing through this router.
In contrast, OSPF (Open Shortest Path First) supports only equal-cost load balancing. OSPF calculates the shortest path based on its link-state database and cost metrics. If multiple paths have the same cost, OSPF installs all of them in the routing table and balances traffic evenly among them. However, paths with higher costs are ignored, limiting the protocol’s flexibility in utilizing backup links for active traffic forwarding.
RIP (Routing Information Protocol) also supports only equal-cost load balancing. RIP bases its routing decisions purely on hop count, meaning that all routes to a destination with the same hop count are considered equal and traffic is distributed evenly. RIP does not take link bandwidth, delay, or reliability into account, and unequal-cost paths are ignored entirely.
BGP (Border Gateway Protocol), primarily used for inter-domain routing, does not perform load balancing by default. BGP selects a single best path based on path attributes, such as weight, local preference, and AS path. While BGP can be configured for multipath in certain scenarios, it is not inherently designed for dynamic load balancing like EIGRP.
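The metric arithmetic behind Q62, Q65 and Q73 (the composite metric, the feasibility condition that decides whether a backup is a feasible successor, the seed metric a redistribute ... metric line produces, and which paths variance can add) is shown together in the Python below. It is an added example, not the page's or Cisco's code; the topology values are constructed, and the inclusive bound metric <= variance * FD is this example's reading of the variance check.

```python
from dataclasses import dataclass


def eigrp_metric(min_bw_kbps, total_delay_tens_us):
    """Classic EIGRP composite metric with default K values (K1=K3=1, K2=K4=K5=0):
    256 * (10^7 / minimum bandwidth in kbps + sum of delays in tens of microseconds).
    IOS truncates the bandwidth term, so integer division is used here too."""
    return 256 * (10_000_000 // min_bw_kbps + total_delay_tens_us)


def redistribute_seed_metric(bandwidth_kbps, delay_tens_us, reliability, load, mtu):
    """Seed metric from 'redistribute ospf 1 metric <bw> <delay> <rel> <load> <mtu>'.
    Reliability, load and MTU are range-checked and carried in the update, but with
    default K values only bandwidth and delay change the composite metric."""
    if not (1 <= reliability <= 255 and 1 <= load <= 255 and mtu > 0):
        raise ValueError("reliability/load must be 1..255 and MTU positive")
    return eigrp_metric(bandwidth_kbps, delay_tens_us)


@dataclass(frozen=True)
class Candidate:
    """A path to one destination through one neighbor: the local link to the
    neighbor plus what the neighbor itself reports for the rest of the path."""
    neighbor: str
    link_bw_kbps: int
    link_delay: int        # tens of microseconds
    nbr_min_bw_kbps: int   # minimum bandwidth the neighbor sees to the destination
    nbr_delay: int         # delay the neighbor reports, tens of microseconds

    @property
    def reported_distance(self):
        """RD: the neighbor's own metric to the destination (what it advertises)."""
        return eigrp_metric(self.nbr_min_bw_kbps, self.nbr_delay)

    @property
    def metric_via(self):
        """This router's metric through the neighbor: min bandwidth, summed delay."""
        return eigrp_metric(min(self.link_bw_kbps, self.nbr_min_bw_kbps),
                            self.link_delay + self.nbr_delay)


def dual_select(candidates, variance=1):
    """Successor, feasible successors (RD < FD) and the paths variance installs."""
    successor = min(candidates, key=lambda c: c.metric_via)
    fd = successor.metric_via
    feasible = [c for c in candidates if c is not successor and c.reported_distance < fd]
    # Only loop-free (feasible) paths are eligible; variance only widens the metric window.
    installed = [successor] + [c for c in feasible if c.metric_via <= variance * fd]
    return {"fd": fd, "successor": successor.neighbor,
            "feasible_successors": [c.neighbor for c in feasible],
            "installed": [c.neighbor for c in installed]}


def on_successor_loss(candidates):
    """DUAL when the successor vanishes: promote the best feasible successor locally
    (route stays Passive) or go Active and query neighbors, which is where an
    unanswered query turns into Stuck-in-Active."""
    state = dual_select(candidates)
    feasible = [c for c in candidates if c.neighbor in state["feasible_successors"]]
    if feasible:
        return "PASSIVE", min(feasible, key=lambda c: c.metric_via).neighbor
    return "ACTIVE", None


# Constructed topology: three neighbors offering 10.10.10.0/24.
CANDIDATES = [
    Candidate("R2", link_bw_kbps=100_000, link_delay=10, nbr_min_bw_kbps=100_000, nbr_delay=110),
    Candidate("R3", link_bw_kbps=10_000, link_delay=100, nbr_min_bw_kbps=100_000, nbr_delay=110),
    Candidate("R4", link_bw_kbps=100_000, link_delay=10, nbr_min_bw_kbps=100_000, nbr_delay=300),
]

if __name__ == "__main__":
    print(redistribute_seed_metric(100000, 100, 255, 1, 1500))   # seed metric for Q65's command
    for v in (1, 2, 6):
        print(v, dual_select(CANDIDATES, variance=v))
    print(on_successor_loss(CANDIDATES))
    print(on_successor_loss([CANDIDATES[0], CANDIDATES[2]]))     # no feasible successor: goes Active
```

R2 is the successor (FD 56320). R3 is a feasible successor (RD 53760 < 56320) but its metric of 309760 needs variance 6 before it is installed. R4 has the better metric (104960, inside a variance 2 window) yet is never installed, because its reported distance of 102400 exceeds the FD and the path could loop. Losing R2 with R3 present is handled locally; losing R2 with only R4 present sends the route Active, the situation in which a missing reply becomes an SIA.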
Q74. Which type of LSA does an ASBR generate to advertise external routes in OSPF?
A) Type 1
B) Type 2
C) Type 3
D) Type 5
Answer: D) Type 5
Explanation:
Type 5 LSAs are external LSAs generated by an ASBR (Autonomous System Boundary Router) to advertise routes from other routing protocols into OSPF. Type 3 LSAs summarize internal routes between areas, and Type 1/2 describe routers and networks within an area.
In OSPF (Open Shortest Path First), Link-State Advertisements (LSAs) are the building blocks of the routing protocol, allowing routers to share topology information and calculate the shortest path using Dijkstra’s algorithm. Different LSA types serve distinct purposes within the OSPF domain, ensuring efficient route propagation and network scalability.
Type 1 LSAs are Router LSAs generated by every OSPF router within an area. They describe the router’s interfaces, their states, and the links to directly connected networks or neighbors. Type 1 LSAs remain within the originating area and are not propagated to other areas, which helps maintain area-specific topology knowledge.
Type 2 LSAs are Network LSAs generated by the Designated Router (DR) on broadcast or non-broadcast multi-access networks. They list all routers connected to that network segment. Type 2 LSAs provide a detailed map of multi-access networks to ensure all routers in the area have consistent topology information.
Type 3 LSAs are Summary LSAs created by Area Border Routers (ABRs) to advertise networks from one OSPF area into another. They summarize routes from an internal area and distribute them to other areas, reducing the size of the link-state database in remote areas and improving scalability. Unlike Type 1 and 2 LSAs, Type 3 LSAs do not describe individual links or routers but provide summarized network reachability.
Type 5 LSAs are External LSAs generated by Autonomous System Boundary Routers (ASBRs). They advertise routes learned from external routing protocols, such as BGP or RIP, into the OSPF domain. Type 5 LSAs allow OSPF routers to reach external networks while maintaining separation from internal routing information. They are flooded in all areas except stub areas.
By understanding these LSA types, network engineers can troubleshoot OSPF behavior, optimize area design, and ensure proper propagation of internal and external routes, maintaining stability and scalability in complex OSPF networks.
Q75. A Cisco router receives multiple BGP paths for the same prefix. Which attribute is evaluated first to select the best path?
A) AS_PATH
B) LOCAL_PREF
C) MED
D) Weight
Answer: D) Weight
Explanation:
Weight is a Cisco-specific BGP attribute evaluated first when selecting the best path. Higher weight is preferred. LOCAL_PREF is evaluated next within an AS, AS_PATH helps select between external paths, and MED is considered for route preference between neighboring ASes.
In BGP (Border Gateway Protocol), multiple path attributes determine the best path selection for routing between autonomous systems (ASes). Understanding these attributes is critical for network engineers to control traffic flow and influence routing decisions effectively.
Weight is a Cisco-specific attribute and is not propagated to other routers. It is considered first in the BGP path selection process. Routers prefer paths with higher weight values, making it a powerful tool for controlling outbound traffic on Cisco devices. Because it is local to the router, Weight provides a simple and immediate method to influence path selection without affecting other routers in the network.
AS_PATH is an essential BGP attribute used to prevent routing loops and influence path selection across multiple ASes. The path with the shortest AS_PATH is generally preferred, making this attribute crucial for inter-AS routing decisions. By examining AS_PATH, network engineers can also filter or manipulate routing updates based on the sequence of ASes a route traverses.
MED (Multi-Exit Discriminator) is an optional attribute used to influence inbound traffic from neighboring ASes when multiple entry points exist. Lower MED values are preferred, signaling to external ASes the preferred path into the local network. MED is typically used to optimize traffic distribution across multiple interconnections with a neighbor.
By carefully configuring Weight, LOCAL_PREF, AS_PATH, and MED, network engineers can control BGP routing behavior, optimize path selection, and ensure predictable traffic flows in complex enterprise and service provider networks. These attributes collectively enable precise and scalable routing policy implementation.
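The decision order described above (Weight, then LOCAL_PREF, then AS_PATH length, then MED) can be exercised on constructed data. The following is an added example, not code from the page or from Cisco: it models a few candidate paths for one prefix as Python objects and applies the steps in sequence, reporting which attribute decided the outcome. Assumptions not on the page: MED is compared across all candidates (as with `bgp always-compare-med`), the intermediate IOS tie-breakers (locally originated, origin code, eBGP over iBGP, IGP metric, oldest path) are omitted, and the lowest neighbor router ID is the final tie-breaker.

```python
"""Cisco-style BGP best-path selection, as an added example.

Not code from the page or from Cisco. Candidate paths are constructed
dataclass instances. The order follows the text: Weight (higher wins),
LOCAL_PREF (higher wins), AS_PATH (shorter wins), MED (lower wins). IOS
evaluates further tie-breakers between and after these; only the final
lowest-router-ID step is modelled. MED is compared across all candidates,
i.e. as if `bgp always-compare-med` were configured (an assumption).
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Callable, List, Optional, Tuple


@dataclass
class BgpPath:
    prefix: str
    next_hop: str
    neighbor_router_id: str
    as_path: List[int] = field(default_factory=list)
    weight: int = 0            # Cisco-local attribute; received paths default to 0
    local_pref: int = 100      # IOS default LOCAL_PREF
    med: Optional[int] = None  # a missing MED is treated as 0 (IOS default)


# (step name, attribute extractor, which value wins: max or min)
STEPS: List[Tuple[str, Callable[[BgpPath], int], Callable]] = [
    ("weight",         lambda p: p.weight,                                max),
    ("local_pref",     lambda p: p.local_pref,                            max),
    ("as_path_length", lambda p: len(p.as_path),                          min),
    ("med",            lambda p: 0 if p.med is None else p.med,           min),
    ("router_id",      lambda p: int(IPv4Address(p.neighbor_router_id)),  min),
]


def select_best(paths: List[BgpPath]) -> Tuple[BgpPath, str]:
    """Return (best path, name of the step that decided it).

    Mirrors the sequential IOS process: evaluate one attribute at a time,
    drop every path that loses at that step, stop when one path remains.
    """
    if not paths:
        raise ValueError("no candidate paths")
    candidates = list(paths)
    for name, key, pick in STEPS:
        winning_value = pick(key(p) for p in candidates)
        candidates = [p for p in candidates if key(p) == winning_value]
        if len(candidates) == 1:
            return candidates[0], name
    # Router IDs are unique per neighbor, so this is unreachable with
    # well-formed input; kept so the function always returns.
    return candidates[0], "tie"


def sample_paths() -> List[BgpPath]:
    """Constructed candidates for one prefix learned from three eBGP neighbors."""
    return [
        BgpPath("203.0.113.0/24", "192.0.2.1", "192.0.2.1", [65001, 65010], med=50),
        BgpPath("203.0.113.0/24", "192.0.2.2", "192.0.2.2", [65002], med=20),
        # Weight 200 assigned locally on this router only; it wins despite
        # having the longest AS_PATH, because Weight is evaluated first.
        BgpPath("203.0.113.0/24", "192.0.2.3", "192.0.2.3",
                [65003, 65010, 65020], weight=200),
    ]


if __name__ == "__main__":
    best, why = select_best(sample_paths())
    print(f"best path via {best.next_hop}, decided by {why}")
```

Zeroing the weight on the third path makes the shortest AS_PATH win instead, and lengthening that path to two ASes hands the decision to MED; the ordering of `STEPS` is the whole policy, so reordering it is the quickest way to see why a misplaced attribute changes the outcome.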
Q76. Which command would display all EIGRP topology entries that are currently feasible successors?
A) show ip eigrp topology
B) show ip route eigrp
C) show ip protocols
D) show running-config
Answer: A) show ip eigrp topology
Explanation:
The show ip eigrp topology command displays all EIGRP-known routes, including successors (best paths) and feasible successors (backup paths). This helps in understanding which routes are active and which can be used for unequal-cost load balancing.
In EIGRP (Enhanced Interior Gateway Routing Protocol), understanding the topology and routing tables is crucial for monitoring network health, troubleshooting, and optimizing routing behavior. The command show ip eigrp topology is one of the most important tools for this purpose. It displays the EIGRP topology table, which contains all learned routes, including the successor routes (the best paths used for forwarding traffic) and feasible successors (backup paths that satisfy the feasibility condition). This command provides detailed information such as the reported distance, feasible distance, and route status, allowing network engineers to verify path availability and implement unequal-cost load balancing using the variance command.
The show ip route eigrp command displays the EIGRP routes that are currently installed in the routing table. Unlike the topology table, this command focuses on routes actively used by the router for packet forwarding. It shows the destination network, next-hop, administrative distance, and metric. While it is useful to see which paths are actually being utilized, it does not show potential backup routes or the complete topology, which makes show ip eigrp topology more comprehensive for troubleshooting.
The show ip protocols command provides an overview of the EIGRP process, including the networks being advertised, timers, autonomous system number, and neighbors. This information helps verify protocol configuration and identify potential issues like missing network statements or misconfigured timers.
By using these commands together, engineers gain a complete picture of EIGRP operation: the topology and backup paths, the active routing table, protocol parameters, and configuration details. This holistic understanding is essential for maintaining network stability, optimizing routing, and troubleshooting complex EIGRP deployments.
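The equal-cost behaviour of OSPF and RIP described at the top of this section and the successor/feasible-successor logic behind show ip eigrp topology can be compared on one constructed topology entry. The following is an added example, not code from the page or from Cisco: each candidate next hop carries a reported distance (RD) and a total metric, the successor's metric is the feasible distance (FD), the feasibility condition is RD < FD, and `variance` admits feasible successors whose metric is at most variance times FD. The metrics are constructed integers rather than real EIGRP composite metrics, and the maximum-paths limit is not modelled.

```python
"""Equal-cost vs. EIGRP unequal-cost path selection, as an added example.

Not code from the page or from Cisco. A constructed topology-table entry for
one prefix lists candidate next hops with their Reported Distance (RD, the
neighbor's own metric to the prefix) and the total metric through that
neighbor. The successor is the lowest-metric candidate and its metric is the
Feasible Distance (FD). A feasible successor must satisfy RD < FD (the
feasibility condition); `variance` additionally admits feasible successors
whose metric <= variance * FD, which OSPF and RIP cannot do. Metrics are
constructed integers, and the maximum-paths limit is not modelled.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Candidate:
    next_hop: str
    reported_distance: int  # metric the neighbor advertises for the prefix
    metric: int             # RD plus this router's cost to reach the neighbor


def equal_cost_paths(cands: List[Candidate]) -> List[Candidate]:
    """OSPF/RIP style: only the minimum-metric paths are installed."""
    best = min(c.metric for c in cands)
    return [c for c in cands if c.metric == best]


def eigrp_select(cands: List[Candidate], variance: int = 1
                 ) -> Tuple[Candidate, List[Candidate], List[Candidate]]:
    """Return (successor, feasible successors, paths installed in the RIB)."""
    if variance < 1:
        raise ValueError("variance must be >= 1")
    successor = min(cands, key=lambda c: c.metric)
    fd = successor.metric
    # Feasibility condition: RD strictly less than FD guarantees the neighbor
    # is not downstream of this router, so the backup path is loop-free.
    feasible = [c for c in cands
                if c is not successor and c.reported_distance < fd]
    installed = [successor] + [c for c in feasible if c.metric <= variance * fd]
    return successor, feasible, installed


def sample_topology() -> List[Candidate]:
    """Constructed topology entry for one prefix (next hops named R2..R5)."""
    return [
        Candidate("R2", reported_distance=10, metric=20),  # successor, FD = 20
        Candidate("R3", reported_distance=15, metric=35),  # feasible (15 < 20)
        Candidate("R4", reported_distance=25, metric=30),  # RD >= FD: not feasible
        Candidate("R5", reported_distance=18, metric=60),  # feasible, but costly
    ]


if __name__ == "__main__":
    cands = sample_topology()
    print("equal-cost:", [c.next_hop for c in equal_cost_paths(cands)])
    for v in (1, 2, 3):
        _, _, installed = eigrp_select(cands, variance=v)
        print(f"variance {v}:", [c.next_hop for c in installed])
```

The R4 entry is the instructive one: its total metric is lower than R3's, yet it is never installed at any variance because its reported distance is not below the feasible distance, which is exactly the case the feasibility condition exists to exclude.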
Q77. Which SD-WAN feature allows policy-based manipulation of packet forwarding based on application or traffic type?
A) Control policy
B) Data policy
C) Application-aware routing
D) SLA monitoring
Answer: B) Data policy
Explanation:
Data policies in SD-WAN allow administrators to control traffic flow, apply firewall rules, prioritize applications, or block traffic. Control policies manage device onboarding and control-plane behavior, while application-aware routing (AAR) dynamically chooses paths based on metrics.
In Cisco SD-WAN, policies are the cornerstone of traffic management, security, and application optimization across the WAN. Data policies are primarily used to control traffic flow within the network. They allow administrators to classify traffic based on criteria such as application type, source/destination, or network segments, and then take actions like permitting, blocking, redirecting, or applying QoS markings. For example, a data policy can prioritize VoIP traffic to ensure low latency while limiting less-critical file transfer traffic.
Control policies operate on the control plane and manage the behavior of SD-WAN devices themselves. They handle tasks such as device onboarding, establishing secure connections between vEdge devices and vSmart controllers, and enforcing authentication and authorization policies. Control policies ensure that devices form the overlay network securely and operate consistently according to the defined architecture.
SLA monitoring works in conjunction with AAR to provide the metrics needed for path selection. By continuously monitoring performance metrics across available WAN paths, SLA monitoring allows the SD-WAN fabric to detect congestion, degradation, or failures. When thresholds are exceeded, traffic can be rerouted automatically, ensuring service-level commitments are maintained.
Together, these four mechanisms provide comprehensive network control: control policies secure and manage devices, data policies regulate traffic flow, AAR dynamically optimizes application paths, and SLA monitoring ensures network performance meets operational requirements. This layered approach enables modern SD-WAN deployments to deliver reliable, secure, and high-performing WAN connectivity for enterprises.
Q78. In Cisco wireless networks, which protocol prevents loops in AP redundancy scenarios?
A) STP
B) RSTP
C) PVST+
D) None, APs manage redundancy internally
Answer: D) None, APs manage redundancy internally
Explanation:
In wireless LANs, APs handle redundancy and client failover internally via the controller. STP/RSTP/PVST+ are Layer 2 switching protocols for wired networks. Wireless controllers manage roaming, load balancing, and AP redundancy without using STP.
In wireless LANs (WLANs), redundancy and failover for access points (APs) are handled differently than in traditional wired networks. Unlike switches, where loops can cause broadcast storms and network failures, APs rely on wireless controllers to manage redundancy, client failover, and load balancing. This ensures uninterrupted connectivity for wireless clients without depending on Layer 2 protocols such as STP, RSTP, or PVST+.
STP (Spanning Tree Protocol), RSTP (Rapid Spanning Tree Protocol), and PVST+ (Per-VLAN Spanning Tree Plus) are protocols designed for wired Layer 2 networks. They prevent loops by logically blocking redundant paths while maintaining a loop-free topology. STP is the original standard and reacts slowly to topology changes, RSTP improves convergence speed, and PVST+ allows a separate spanning tree per VLAN for better traffic optimization. However, these protocols are not used by wireless APs because WLANs operate differently: clients connect via APs, which are managed centrally by controllers, and there are no Layer 2 loops in the wireless air interface.
Wireless controllers ensure redundancy and failover by monitoring AP health, client associations, and RF coverage. If an AP fails, clients can automatically roam to neighboring APs within the same controller or mobility group. The controller handles session continuity, security policies, and load distribution, ensuring minimal disruption.
Q79. Which command shows the BGP routing table entries received from a specific neighbor and their next-hop attributes?
A) show ip bgp neighbors <neighbor> routes
B) show ip bgp summary
C) show ip route bgp
D) show ip bgp
Answer: A) show ip bgp neighbors <neighbor> routes
Explanation:
This command displays BGP routes received from a specific neighbor, including their next-hop, origin, and attributes. The show ip bgp summary command shows session state, show ip route bgp shows routes installed in the routing table, and show ip bgp shows all routes.
The command show ip bgp neighbors <neighbor> routes is used to display detailed information about the BGP routes learned from a specific BGP neighbor. It lists all prefixes received from that neighbor, including next-hop addresses, route origin, AS path, MED, and other BGP attributes. This command is particularly useful for troubleshooting neighbor-specific issues, verifying route advertisements, and ensuring that routing policies such as prefix filtering or route maps are applied correctly. By examining the routes from a single neighbor, network engineers can pinpoint misconfigurations or unexpected route behavior without being overwhelmed by the full BGP table.
In contrast, show ip bgp summary provides a high-level overview of all BGP neighbors, showing the session state (Idle, Active, Established), number of prefixes received, uptime, and timers. While this command is excellent for quickly verifying the status of BGP sessions and detecting session flaps, it does not display detailed routing information.
The show ip route bgp command focuses on the routes that have been selected by the BGP process and installed into the IP routing table. This command helps confirm which BGP-learned prefixes are actively being used for packet forwarding. It is useful for understanding the impact of BGP route selection on actual traffic paths, but it does not show all BGP attributes or routes that were learned but not installed.
Using these commands together allows network engineers to monitor BGP neighbor health, inspect route advertisements, verify policy enforcement, and troubleshoot routing inconsistencies. Each command provides a different layer of detail, from high-level session status to granular neighbor-specific route information, ensuring effective BGP management and network stability.
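The session-state view that show ip bgp summary gives is easy to turn into a check that flags neighbors needing attention. The following is an added example, not code from the page or from Cisco: the sample output is constructed in the IOS column layout, each neighbor row ending either in a prefix count (session Established) or in a state name such as Idle, Active or "Idle (Admin)". The check reports every non-Established session and, as a separate finding, any Established session that has received zero prefixes, which is the pattern behind a working session that still installs nothing.

```python
"""Health check over `show ip bgp summary` output, as an added example.

Not code from the page or from Cisco. SAMPLE_OUTPUT is constructed in the
IOS column layout. Each neighbor row ends in a prefix count (session
Established) or a state name; state names can contain a space ("Idle
(Admin)"), so the last column is parsed as "the rest of the line".
"""
import re
from typing import Dict, List, Tuple

SAMPLE_OUTPUT = """\
BGP router identifier 192.0.2.1, local AS number 65001
BGP table version is 42, main routing table version 42

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.0.2.2       4        65002    1203    1198       42    0    0 2d03h          25
192.0.2.3       4        65003      15      17        0    0    0 00:01:12     Idle
192.0.2.4       4        65004     998     999       42    0    0 1w2d            0
192.0.2.5       4        65005       0       0        0    0    0 never    Idle (Admin)
"""

# Neighbor, BGP version, remote AS, five numeric counters, Up/Down, then the
# rest of the line. Banner and header lines fail the \d version column.
ROW = re.compile(
    r"^(?P<neighbor>\S+)\s+(?P<version>\d)\s+(?P<remote_as>\d+)"
    r"(?:\s+\d+){5}\s+(?P<updown>\S+)\s+(?P<state>\S.*?)\s*$"
)


def parse_bgp_summary(text: str) -> List[Dict[str, object]]:
    """Return one dict per neighbor row; non-row lines are skipped."""
    sessions: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        state = m.group("state")
        established = state.isdigit()  # numeric last column = prefixes received
        sessions.append({
            "neighbor": m.group("neighbor"),
            "remote_as": int(m.group("remote_as")),
            "updown": m.group("updown"),
            "state": "Established" if established else state,
            "prefixes_received": int(state) if established else None,
        })
    return sessions


def unhealthy(sessions: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (neighbor, reason) for sessions that need follow-up."""
    findings: List[Tuple[str, str]] = []
    for s in sessions:
        if s["state"] != "Established":
            findings.append((s["neighbor"], f"session state {s['state']}"))
        elif s["prefixes_received"] == 0:
            findings.append((s["neighbor"], "established but 0 prefixes received"))
    return findings


if __name__ == "__main__":
    for neighbor, reason in unhealthy(parse_bgp_summary(SAMPLE_OUTPUT)):
        print(f"{neighbor}: {reason}")
```

Once a neighbor is flagged, show ip bgp neighbors <neighbor> routes is the next step for the Established-but-empty case, since it shows whether prefixes are arriving and being filtered rather than not arriving at all.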
Q80. A network engineer wants to verify which VLANs are allowed across a trunk link. Which command should they use?
A) show interfaces trunk
B) show vlan brief
C) show running-config
D) show spanning-tree
Answer: A) show interfaces trunk
Explanation:
The show interfaces trunk command provides allowed VLANs, trunking mode, and operational status, making it ideal for verifying VLAN propagation across trunk links. The show vlan brief command only lists VLANs on the switch, show running-config shows the configuration, and show spanning-tree shows STP state.
The command show interfaces trunk displays all trunking interfaces on a switch, their operational status, trunking mode, and the VLANs allowed across each trunk. This is essential for verifying that VLANs are correctly propagated between switches and troubleshooting connectivity issues across trunks. In comparison, show vlan brief lists all VLANs and associated ports, but does not indicate which interfaces are trunking. The show running-config command provides the complete device configuration, requiring manual inspection to check trunk settings, while show spanning-tree shows STP port roles and states but does not provide VLAN trunk information.
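Verifying the allowed VLANs across a trunk is usually done by eye; the following added example, not code from the page or from Cisco, does the comparison programmatically. The output is constructed in the IOS layout of show interfaces trunk (a first table with mode, encapsulation, status and native VLAN, then the "Vlans allowed on trunk" table; the later tables are parsed past and ignored). The VLAN list syntax is the IOS one, comma-separated numbers and ranges such as 10,20,30-35, and the expected allow-list is a constructed assumption for the audit.

```python
"""Audit of trunk-allowed VLANs from `show interfaces trunk`, as an added example.

Not code from the page or from Cisco. SAMPLE_OUTPUT is constructed in the
IOS layout; the expected allow-list passed to the audit is an assumption.
"""
import re
from typing import Dict, List, Set, Tuple

SAMPLE_OUTPUT = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1
Gi0/2       desirable        n-802.1q       trunking      99

Port        Vlans allowed on trunk
Gi0/1       1-4094
Gi0/2       10,20,30-35,99

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20,30-35,99
Gi0/2       10,20,30-35,99

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,10,20,30-35,99
Gi0/2       10,20,30-35,99
"""


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand '10,20,30-35' into {10, 20, 30, 31, 32, 33, 34, 35}."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_n = int(lo)
        hi_n = int(hi) if hi else lo_n
        if not (1 <= lo_n <= hi_n <= 4094):
            raise ValueError(f"bad VLAN range {part!r}")
        vlans.update(range(lo_n, hi_n + 1))
    return vlans


def parse_trunks(text: str) -> Dict[str, Dict[str, object]]:
    """Return per-port mode, encapsulation, status, native_vlan and allowed set."""
    trunks: Dict[str, Dict[str, object]] = {}
    # The output is a series of blank-line separated tables; key on the header.
    for table in re.split(r"\n\s*\n", text.strip()):
        lines = table.splitlines()
        header, rows = lines[0], lines[1:]
        if header.startswith("Port") and "Mode" in header:
            for row in rows:
                port, mode, encap, status, native = row.split()
                trunks[port] = {"mode": mode, "encapsulation": encap,
                                "status": status, "native_vlan": int(native),
                                "allowed": set()}
        elif "Vlans allowed on trunk" in header:
            for row in rows:
                port, spec = row.split()
                trunks.setdefault(port, {})["allowed"] = expand_vlan_list(spec)
    return trunks


def audit_allowed_vlans(trunks: Dict[str, Dict[str, object]],
                        expected: Set[int]) -> List[Tuple[str, str]]:
    """Report trunks whose allowed list differs from the expected allow-list."""
    findings: List[Tuple[str, str]] = []
    for port, info in sorted(trunks.items()):
        allowed = info.get("allowed", set())
        extra, missing = allowed - expected, expected - allowed
        if extra:
            findings.append((port, f"{len(extra)} VLAN(s) allowed beyond the expected list"))
        if missing:
            findings.append((port, f"missing expected VLANs {sorted(missing)}"))
    return findings


if __name__ == "__main__":
    expected = expand_vlan_list("10,20,30-35,99")
    for port, finding in audit_allowed_vlans(parse_trunks(SAMPLE_OUTPUT), expected):
        print(f"{port}: {finding}")
```

Gi0/1 in the sample carries the default 1-4094 list, which the audit reports as thousands of VLANs beyond the expected set; Gi0/2, whose allowed list matches, produces no finding.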