Question 121:
A router running OSPF receives Type 3 LSAs but no Type 5 LSAs in an area. What type of area is most likely configured?
A) Normal area
B) Stub area
C) NSSA
D) Backbone area
Answer: B) Stub area
Explanation:
Stub areas block Type 5 LSAs (external routes), along with the Type 4 ASBR-summary LSAs that exist only to reach those external routes, which keeps the routing table small, but they still accept Type 3 summary LSAs from the ABR. Normal areas carry all LSA types, an NSSA admits external routes via Type 7 LSAs, and the backbone (Area 0) carries all LSAs. A stub area in OSPF is specifically designed to limit the flooding of external routing information, reducing both the size of routing tables and the LSA processing overhead for routers within the area. Type 5 LSAs carry routes redistributed into OSPF from other sources such as BGP, RIP, or static routes. Instead of receiving many external routes, routers in a stub area rely on a single default route injected by the ABR, significantly simplifying routing. However, they still accept Type 3 LSAs, the summary routes generated by the ABR to describe networks in other OSPF areas. This balance preserves reachability without unnecessary external route complexity. (A Cisco totally stubby area goes one step further and also suppresses Type 3 LSAs other than the default route, so the presence of Type 3 LSAs in the question rules that variant out and leaves a plain stub area as the most likely answer.)
A normal OSPF area allows all LSA types: Type 1 and Type 2 (intra-area), Type 3 (inter-area summary), Type 4 (ASBR summary), and Type 5 (external). Because normal areas carry complete route information, they provide full visibility but also require more processing and memory, making them less suitable for smaller routers or constrained environments.
An NSSA (Not-So-Stubby Area) is a variation of a stub area, adding the ability to import external routes using Type 7 LSAs. These Type 7 LSAs are later translated into Type 5 LSAs by the ABR when leaving the NSSA, allowing external route integration without overwhelming internal routers with Type 5 LSA floods.
The backbone area (Area 0) is the core of the OSPF domain and must carry all types of LSAs—internal, summary, and external—because it interconnects all other areas. This makes it unsuitable for stub configuration.
Overall, the correct answer is Stub area, because it uniquely blocks Type 5 LSAs while still allowing Type 3 summary LSAs, optimizing routing efficiency without sacrificing reachability.
Question 122:
In EIGRP, which metric component is used to influence the feasible distance calculation?
A) Bandwidth and delay
B) Reliability only
C) Load only
D) MTU
Answer: A) Bandwidth and delay
Explanation:
The EIGRP metric is calculated from bandwidth and delay by default (unless the K-values are changed). Reliability, load, and MTU can be included if configured, but they are not used by default in feasible distance calculations. EIGRP uses a composite metric to determine the best path, and by default this calculation is based only on bandwidth and delay, making option A correct. These two values form the core of EIGRP's feasible distance calculation unless the administrator manually adjusts the K-values; note that K-values must match between neighbors, or the adjacency will not form. Bandwidth represents the slowest link along the path (the bottleneck), and delay represents the cumulative delay across all links. Together, they produce a stable and accurate metric that reflects overall path quality without being overly sensitive to rapid network fluctuations.
Reliability, listed in option B, refers to how error-free a link is, based on a 1–255 scale. While it can be included in the EIGRP metric by modifying the K-values, it is not used by default. Reliability often remains at its maximum value unless the link experiences significant issues, and because it can fluctuate rapidly, it is intentionally excluded to maintain routing stability.
Load (option C) measures how busy a link is, also on a 1–255 scale. Like reliability, it is not part of the default metric calculation. Load can vary minute by minute, making it too unstable for making consistent routing decisions. Including it could cause routes to flap frequently, leading to unnecessary reconvergence.
MTU (option D) is stored in the EIGRP topology table but is not used in the metric calculation at all, even if K-values are changed. Its purpose is only to ensure that a packet can be forwarded across the path without fragmentation.
In summary, bandwidth and delay provide a predictable, stable, and scalable metric calculation, which is why they are the default components of the EIGRP metric. Reliability, load, and MTU may be referenced or configurable, but do not influence the metric unless explicitly modified.
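The calculation described above, worked through in code. This is an added example, not material from the exam page: it implements the classic 32-bit EIGRP composite metric with the default K-values (K1 = K3 = 1, K2 = K4 = K5 = 0), then applies the feasibility condition to a constructed set of four neighbors advertising the same destination. The neighbor names, bandwidths, and delays are invented for illustration; the T1 check value (1544 kbps, 20000 microseconds) is the well-known default IOS result.

```python
"""Classic EIGRP composite metric and feasible-successor selection.

Added worked example (not from the exam page). The neighbor and link values
below are constructed; the formula is the classic 32-bit EIGRP metric.
"""

DEFAULT_K = (1, 0, 1, 0, 0)  # K1..K5 as Cisco ships them: bandwidth and delay only


def eigrp_metric(min_bandwidth_kbps, total_delay_usec, reliability=255, load=1, k=DEFAULT_K):
    """Classic composite metric. The bandwidth term uses the slowest link on the
    path, the delay term the sum of interface delays. Reliability and load only
    matter when K2/K4/K5 are non-zero; MTU is carried in the topology table but
    never enters this formula."""
    k1, k2, k3, k4, k5 = k
    bw = 10_000_000 // min_bandwidth_kbps   # 10^7 / slowest bandwidth, integer math as IOS does
    dly = total_delay_usec // 10            # delay in tens of microseconds
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * dly
    if k5 != 0:                             # K5 == 0 means "skip the reliability term"
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def select_successor(neighbors, k=DEFAULT_K):
    """Pick the successor for one destination and list the feasible successors.

    Each neighbor dict carries the bandwidth/delay the neighbor ADVERTISES for
    the destination (its own best path) and the bandwidth/delay of OUR link to
    it. Feasibility condition: a neighbor is a feasible successor only if its
    reported distance is strictly lower than our feasible distance.
    """
    candidates = []
    for n in neighbors:
        reported = eigrp_metric(n["adv_min_bw"], n["adv_delay"], k=k)        # RD: neighbor's own metric
        via = eigrp_metric(min(n["adv_min_bw"], n["link_bw"]),              # our metric through it
                           n["adv_delay"] + n["link_delay"], k=k)
        candidates.append((via, reported, n["name"]))
    candidates.sort()
    fd, _, successor = candidates[0]
    feasible = [name for _, rd, name in candidates[1:] if rd < fd]
    return successor, fd, feasible


# Constructed topology: four neighbors advertising the same prefix
NEIGHBORS = [
    {"name": "A", "adv_min_bw": 100_000, "adv_delay": 100, "link_bw": 100_000, "link_delay": 100},
    {"name": "B", "adv_min_bw": 1_544, "adv_delay": 20_000, "link_bw": 1_544, "link_delay": 20_000},
    {"name": "C", "adv_min_bw": 100_000, "adv_delay": 100, "link_bw": 100_000, "link_delay": 200},
    {"name": "D", "adv_min_bw": 100_000, "adv_delay": 200, "link_bw": 100_000, "link_delay": 100},
]

if __name__ == "__main__":
    print("T1 (1544 kbps, 20000 usec):", eigrp_metric(1_544, 20_000))
    print("successor, FD, feasible successors:", select_successor(NEIGHBORS))
```

Neighbor D is the instructive case: its reported distance equals the feasible distance, so it fails the strict "RD < FD" test and is not installed as a feasible successor even though the path through it is no worse than the one through C.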
Question 123:
Which SD-WAN feature allows dynamic path selection based on application performance metrics?
A) Control policy
B) Data policy
C) Application-aware routing (AAR)
D) QoS trust policy
Answer: C) Application-aware routing (AAR)
Explanation:
AAR evaluates real-time metrics like latency, jitter, and packet loss to select the optimal path for critical applications. Data policies enforce traffic rules, control policies manage device behavior, and QoS trust policies mark traffic. Application-Aware Routing (AAR), shown in option C, is a core feature of Cisco SD-WAN that dynamically selects the best path for application traffic based on real-time network performance metrics. Unlike traditional routing, which relies primarily on static metrics such as hop count, AAR continuously measures latency, jitter, packet loss, and throughput across WAN tunnels. It then compares these values to the preconfigured Service Level Agreements (SLAs) for each application. If a path violates an SLA threshold, AAR automatically shifts the traffic to an alternative link that meets the performance requirements. This ensures that delay-sensitive applications—such as voice, video, and business-critical SaaS services—experience optimal performance even during periods of congestion or degradation.
In contrast, Data Policy (option B) is not responsible for performance-based path selection. A centralized data policy can steer matching traffic toward a configured TLOC or next hop and apply firewall rules, URL filtering, access control, service chaining, or traffic redirection, but it does not measure tunnel latency, jitter, or loss and will not move traffic when an SLA is violated. Its purpose is to enforce security or forwarding rules on traffic, not to react to link conditions.
Control Policy (option A) operates at the control-plane level and manages how routing information is distributed across the SD-WAN fabric. Control policies shape the overall topology by influencing route advertisement, TLOC choices, and traffic segmentation. These policies do not directly monitor or react to real-time link conditions, making them unsuitable for dynamic application path selection.
QoS Trust Policy (option D) determines whether the router trusts the DSCP or CoS markings of incoming packets. While important for maintaining QoS end-to-end, it does not evaluate link performance nor decide which path should carry traffic based on SLAs.
Therefore, only Application-Aware Routing (AAR) provides real-time, SLA-based dynamic path selection, ensuring applications always use the best available path according to current network conditions.
Question 124:
A network engineer wants to prioritize voice traffic over WAN links. Which QoS mechanism should they configure?
A) Policing
B) Shaping
C) LLQ
D) CBWFQ
Answer: C) LLQ
Explanation:
Low Latency Queuing (LLQ) provides a strict-priority queue for delay-sensitive traffic such as voice while still giving the other traffic classes bandwidth guarantees. CBWFQ allocates bandwidth per class but has no strict priority; shaping and policing control rates rather than transmission order. Low Latency Queuing (LLQ), shown in option C, is a specialized queuing mechanism designed to guarantee strict priority handling for delay-sensitive traffic such as voice, video conferencing, and real-time interactive applications. LLQ builds on Class-Based Weighted Fair Queuing (CBWFQ) but adds a dedicated priority queue (PQ). Traffic classified into this priority queue is always sent first, ahead of other queues, ensuring minimal delay, jitter, and packet loss. During congestion the priority queue is policed to its configured bandwidth, so a misbehaving voice class cannot starve the other classes. This makes LLQ the recommended mechanism for real-time services that require consistent and predictable performance. LLQ also allows administrators to assign minimum bandwidth guarantees to non-priority classes, ensuring fairness and preventing starvation.
Policing (option A) is a traffic enforcement mechanism that monitors the traffic rate and takes action when packets exceed the configured threshold. When traffic surpasses the allowed rate, policing may drop packets or remark them to a lower QoS value. Policing does not buffer traffic or guarantee delivery; instead, it protects network resources by preventing excessive utilization. It plays no role in prioritizing sensitive traffic during periods of congestion.
Shaping (option B) controls outbound traffic rates by buffering excess packets and releasing them gradually to match a specified rate. Unlike policing, shaping does not drop excess traffic unless buffers are exhausted. However, shaping also does not prioritize certain types of traffic; it simply smooths traffic bursts to prevent congestion.
Thus, only LLQ (option C) ensures strict priority for real-time traffic while maintaining fairness for other traffic classes, making it the ideal choice for delay-sensitive applications.
Question 125:
Which BGP attribute is preferred when two routes have the same weight, LOCAL_PREF, and AS_PATH?
A) MED
B) Router ID
C) Next-hop IP
D) Community
Answer: A) MED
Explanation:
MED (Multi-Exit Discriminator) is considered after weight, LOCAL_PREF, and AS_PATH during BGP best path selection. Lower MED values are preferred, and MED is the attribute used to influence route selection between autonomous systems. In BGP best-path selection, MED (Multi-Exit Discriminator), option A, is an important attribute used to influence inbound traffic between autonomous systems. MED is sent from one AS to another to indicate which entry point the sending AS prefers for incoming traffic. A key characteristic of MED is that lower values are preferred, which differentiates it from attributes like LOCAL_PREF and Weight, where higher values are better. MED is evaluated only after more influential attributes such as Weight, LOCAL_PREF, AS_PATH length, and Origin type. One caveat matters in practice: by default IOS compares MED only between paths received from the same neighboring AS; paths from different ASes skip the MED step unless bgp always-compare-med is configured. This means MED does not override internal routing decisions, but it is useful for fine-tuning how external neighbors choose among multiple entry points into your AS.
Option B, Router ID, plays a role in BGP tie-breaking but is evaluated much later in the selection process. The router ID is only considered when all major attributes, such as MED, path type, IGP metric to the next hop, and cluster list length, are identical between multiple routes. Router ID is not used to influence routing decisions; rather, it ensures deterministic tie-breaking when all else is equal. Therefore, it is not an early or influential attribute like MED.
Option C, Next-hop IP, is also part of the BGP best-path workflow, but the address itself is not compared to rank routes. Instead, the next-hop must be reachable for a route to be considered valid at all; if it is unreachable, the route is excluded before any attribute comparison. The IGP cost to reach the next hop is compared, but only as a later tie-breaker after MED. Although essential for path validation, the next-hop address does not directly determine which path is better among valid candidates.
Option D, Community, is a tagging mechanism used for applying routing policies, such as controlling route propagation or adjusting LOCAL_PREF and MED. Communities themselves do not directly influence best-path selection unless combined with policies.
Therefore, MED stands out as the correct answer because it directly impacts inter-AS path selection and is considered at a higher priority than the other listed attributes.
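The selection order discussed above, implemented as an added example (not part of the exam page). The comparison walks the Cisco steps in sequence and reports which step decided the outcome, so the two constructed cases show both the MED tie-break from the question and the same-AS caveat: when the competing paths arrive from different neighboring ASes, MED is skipped and the choice falls through to the lowest router ID. The prefixes, AS numbers, next hops, and router IDs are invented; the "oldest eBGP path", cluster-list length, and neighbor-address tie-breakers are omitted.

```python
"""BGP best-path comparison in the Cisco order, stopping at the first deciding step.

Added example, not from the exam page. The paths below are constructed. The
comparison implements: weight, local preference, locally originated, AS_PATH
length, origin, MED, eBGP over iBGP, IGP metric to next hop, router ID.
"""
from dataclasses import dataclass


@dataclass
class Path:
    next_hop: str
    neighbor_as: int          # AS of the peer that sent the path
    as_path: tuple
    router_id: str            # BGP router ID of the advertising peer
    weight: int = 0           # Cisco-local, higher wins
    local_pref: int = 100     # higher wins
    origin: int = 0           # 0 = IGP, 1 = EGP, 2 = incomplete; lower wins
    med: int = 0              # lower wins, compared only within one neighbor AS by default
    ebgp: bool = True
    igp_metric: int = 0       # IGP cost to next_hop, lower wins
    locally_originated: bool = False
    next_hop_reachable: bool = True


def _ip(addr):
    """Dotted-quad to a tuple so router IDs compare numerically, not as strings."""
    return tuple(int(o) for o in addr.split("."))


def compare(a, b, always_compare_med=False):
    """Return (winner, deciding_step) for two valid paths."""
    if a.weight != b.weight:
        return (a if a.weight > b.weight else b), "weight"
    if a.local_pref != b.local_pref:
        return (a if a.local_pref > b.local_pref else b), "local_pref"
    if a.locally_originated != b.locally_originated:
        return (a if a.locally_originated else b), "locally_originated"
    if len(a.as_path) != len(b.as_path):
        return (a if len(a.as_path) < len(b.as_path) else b), "as_path_length"
    if a.origin != b.origin:
        return (a if a.origin < b.origin else b), "origin"
    # Default IOS behaviour: MED is only comparable between paths from the same AS.
    if (always_compare_med or a.neighbor_as == b.neighbor_as) and a.med != b.med:
        return (a if a.med < b.med else b), "med"
    if a.ebgp != b.ebgp:
        return (a if a.ebgp else b), "ebgp_over_ibgp"
    if a.igp_metric != b.igp_metric:
        return (a if a.igp_metric < b.igp_metric else b), "igp_metric"
    return (a if _ip(a.router_id) < _ip(b.router_id) else b), "router_id"


def best_path(paths, always_compare_med=False):
    """Discard paths with unreachable next hops, then fold the rest through compare()."""
    valid = [p for p in paths if p.next_hop_reachable]
    if not valid:
        return None, "no_valid_path"
    best, step = valid[0], "only_path"
    for cand in valid[1:]:
        best, step = compare(best, cand, always_compare_med)
    return best, step


# Constructed: two paths from the same neighbor AS, equal on weight, LOCAL_PREF
# and AS_PATH length; only MED differs, so the lower MED wins.
SAME_AS = [
    Path("192.0.2.1", 65001, (65001, 65010), "192.0.2.1", med=100),
    Path("192.0.2.5", 65001, (65001, 65010), "192.0.2.5", med=50),
]
# Same attributes, but the second path arrives from a different AS: MED is not
# compared and the decision falls through to the lowest router ID.
DIFFERENT_AS = [
    Path("192.0.2.1", 65001, (65001, 65010), "192.0.2.1", med=100),
    Path("198.51.100.5", 65002, (65002, 65010), "198.51.100.5", med=50),
]

if __name__ == "__main__":
    for label, paths in (("same AS", SAME_AS), ("different AS", DIFFERENT_AS)):
        win, step = best_path(paths)
        print(f"{label}: {win.next_hop} chosen by {step}")
```

Running the same DIFFERENT_AS case with always_compare_med=True flips the result to the lower-MED path, which is exactly the behaviour change an operator enables (or is surprised by) with bgp always-compare-med.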
Question 126:
A switchport is configured as a trunk, but VLAN traffic is not passing. Which command can verify the allowed VLANs on the trunk?
A) show vlan brief
B) show interfaces trunk
C) show spanning-tree
D) show running-config
Answer: B) show interfaces trunk
Explanation:
show interfaces trunk displays the trunking mode, encapsulation, native VLAN, and allowed VLANs, which is exactly what is needed to troubleshoot VLAN pruning or trunk misconfigurations; show vlan brief lists the VLANs that exist locally, not what a trunk carries. The correct answer is B) show interfaces trunk, because this command provides the most relevant information when troubleshooting VLAN propagation, trunk configuration, or connectivity between switches. A trunk link carries multiple VLANs across a single physical interface using IEEE 802.1Q tagging. If VLANs are not passing correctly between switches, the first place to look is the trunk link, and show interfaces trunk reveals the essential parameters: trunk mode, encapsulation, native VLAN, the VLANs allowed on the trunk, the subset that are allowed and active, and the subset in spanning-tree forwarding state and not pruned. Comparing those lists from both ends of the link exposes allowed-VLAN mismatches, native VLAN mismatches, VLANs that were never created on one switch, and VTP pruning. One further check it enables: a port configured with switchport mode trunk that is not operationally trunking (for example, because DTP negotiation failed) does not appear in the output at all, which is itself a diagnostic result.
Option A, show vlan brief, provides an overview of the VLANs configured on the local switch, listing VLAN IDs, names, and associated access ports. While useful for verifying VLAN existence, it does not show whether those VLANs are being carried across trunk links. Therefore, it cannot confirm whether a VLAN is being pruned or blocked upstream. Problems involving end-to-end VLAN connectivity require verification of VLAN transport, which only the trunk command provides.
Option C, show spanning-tree, displays STP details such as port roles, states, and root bridge information. While spanning-tree can indirectly affect VLAN forwarding if a trunk port is blocking, it does not specifically reveal trunk configuration or VLAN allowances. STP is valuable for loop prevention, but not for diagnosing VLAN pruning or misconfigured trunk parameters.
Option D, show running-config, shows the interface configuration, including trunk settings. Although useful, it does not present the real-time operational state of the interface. The running configuration may show a port configured as a trunk, but operational inconsistencies, pruning by VTP, or dynamic negotiation failures only appear in the output of show interfaces trunk.
Thus, the show interfaces trunk command is the most precise and effective command for diagnosing trunk-related VLAN issues.
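A practical way to do the comparison the explanation describes, as an added example that is not part of the exam page: parse show interfaces trunk from both ends of a link and flag the mismatches that stop VLAN traffic. The two show outputs, the switch and port names, and the VLAN numbers are constructed to look like IOS output; they are not captures from a real device. The native VLAN mismatch the check reports is worth treating as a security finding as well as a connectivity one, since mismatched native VLANs are what make double-tagging VLAN hopping possible.

```python
"""Parse 'show interfaces trunk' from both ends of a link and flag mismatches.

Added example, not from the exam page. The two show outputs below are
constructed to resemble IOS output for one trunk between SW1 Gi1/0/1 and
SW2 Gi1/0/24.
"""
import re

SW1_SHOW = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/1     on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/1     1,10,20,30

Port        Vlans allowed and active in management domain
Gi1/0/1     1,10,20

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/1     1,10,20
"""

SW2_SHOW = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/24    on               802.1q         trunking      99

Port        Vlans allowed on trunk
Gi1/0/24    1,10,30-35

Port        Vlans allowed and active in management domain
Gi1/0/24    1,10,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/24    1,10,30
"""


def expand_vlans(spec):
    """'1,10,30-35' -> {1, 10, 30, 31, 32, 33, 34, 35}; 'none' -> empty set."""
    vlans = set()
    if spec.strip().lower() == "none":
        return vlans
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_show_interfaces_trunk(text):
    """Return {port: {...}} with native VLAN and the three VLAN sets per trunk port."""
    trunks = {}
    for block in re.split(r"\n\s*\n", text.strip()):      # sections are separated by blank lines
        lines = block.splitlines()
        header, rows = lines[0], lines[1:]
        for row in rows:
            fields = row.split()
            if not fields:
                continue
            entry = trunks.setdefault(fields[0], {})
            if "Native vlan" in header:
                entry["mode"], entry["encapsulation"], entry["status"] = fields[1:4]
                entry["native_vlan"] = int(fields[4])
            elif "allowed and active" in header:
                entry["active"] = expand_vlans(fields[1])
            elif "allowed on trunk" in header:
                entry["allowed"] = expand_vlans(fields[1])
            elif "forwarding state" in header:
                entry["forwarding"] = expand_vlans(fields[1])
    return trunks


def check_trunk_pair(local, remote):
    """Findings that explain 'VLAN traffic is not passing' on one trunk."""
    findings = []
    if local["native_vlan"] != remote["native_vlan"]:
        findings.append(f"native VLAN mismatch: {local['native_vlan']} vs {remote['native_vlan']}")
    if local["allowed"] != remote["allowed"]:
        findings.append("allowed VLANs differ: only local "
                        f"{sorted(local['allowed'] - remote['allowed'])}, only remote "
                        f"{sorted(remote['allowed'] - local['allowed'])}")
    for name, side in (("local", local), ("remote", remote)):
        missing = side["allowed"] - side["active"]   # allowed but not created on this switch, or pruned
        if missing:
            findings.append(f"{name}: allowed but not active (VLAN not created or pruned): {sorted(missing)}")
    return findings


if __name__ == "__main__":
    sw1 = parse_show_interfaces_trunk(SW1_SHOW)["Gi1/0/1"]
    sw2 = parse_show_interfaces_trunk(SW2_SHOW)["Gi1/0/24"]
    for finding in check_trunk_pair(sw1, sw2):
        print(finding)
```

On the constructed input the checker reports four problems: the native VLAN mismatch (1 vs 99), VLAN 20 allowed only on SW1 and 31-35 only on SW2, VLAN 30 allowed but never created on SW1, and 31-35 allowed but not active on SW2. Any one of them would produce the "trunk configured, VLAN traffic not passing" symptom from the question.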
Question 127:
Which MPLS router pushes labels onto packets entering the network?
A) CE
B) PE
C) P
D) LER
Answer: D) LER
Explanation:
Label Edge Routers (LERs) assign labels to incoming packets based on Forwarding Equivalence Classes (FECs). P routers forward labels through the core without inspecting IP headers. PE routers pop/push labels at the edge. The correct answer is D) LER, because Label Edge Routers are responsible for assigning MPLS labels to incoming IP packets as they enter the MPLS domain. These routers sit at the boundary of the MPLS network and classify packets into Forwarding Equivalence Classes (FECs), determining how packets will be forwarded through the MPLS backbone. Once packets are classified, the LER attaches (pushes) the appropriate MPLS label to the packet. This initial label assignment is critical because it dictates the packet’s path through the MPLS infrastructure. The LER also performs the label removal (pop operation) when packets exit the MPLS cloud toward customer networks, restoring the original IP packet.
Option A, CE (Customer Edge router), is incorrect because CE routers do not participate in MPLS label operations. These routers connect customer networks to provider networks, but they forward traditional IP packets without adding or removing any MPLS labels. CE routers depend on the provider’s PE or LER routers to handle MPLS-related functions.
Option B, PE (Provider Edge router), is closely related to LERs and often performs LER functions in most MPLS deployments. However, “Label Edge Router” is the more general term specifically referring to the router that assigns labels when packets enter the MPLS domain. While PE routers commonly act as LERs, the exam distinguishes between the two to test conceptual understanding. PE routers also handle VPN services and maintain VRFs for MPLS Layer 3 VPNs, but label assignment at the MPLS edge is attributed to LER.
Option C, P (Provider core router), is incorrect because P routers operate within the MPLS backbone and simply forward packets based on the labels they carry. They do not inspect IP headers or assign new labels. Their primary function is label swapping—replacing the incoming label with the correct outgoing label according to the Label Forwarding Information Base (LFIB).
Question 128:
Which Cisco wireless feature speeds up client roaming between APs?
A) WPA2
B) 802.11r
C) FlexConnect
D) 802.1X
Answer: B) 802.11r
Explanation:
802.11r (Fast BSS Transition) reduces the time a roam takes by letting the client derive its keys for the target AP ahead of reassociation instead of repeating the full authentication, which matters for voice and video. FlexConnect is a branch AP deployment mode, WPA2 encrypts traffic, and 802.1X authenticates users. The correct answer is B) 802.11r, because Fast BSS Transition (FT) is specifically designed to improve roaming for wireless clients that frequently move between access points, such as those running mobile voice, video, or other real-time applications. Without FT, a client on an 802.1X-secured WLAN must repeat the full authentication and the four-way handshake every time it roams to a new AP, which can take several hundred milliseconds and cause dropped voice calls, frozen video, or noticeable interruptions. With 802.11r, the keys for the target AP are derived from the FT key hierarchy before the client reassociates, so the roam skips the EAP exchange and the separate four-way handshake. This brings the handoff down to tens of milliseconds and keeps the session continuous for the user.
Option A, WPA2, is incorrect because WPA2 is a security standard that provides encryption and data protection using protocols such as AES-CCMP. While WPA2 is essential for securing wireless communication, it does not provide any roaming enhancement capabilities. A network can support WPA2 without supporting 802.11r, and enabling WPA2 alone does nothing to speed up AP transitions.
Option C, FlexConnect, is also incorrect because FlexConnect is a deployment mode for branch or remote-site APs, allowing them to switch traffic locally even when disconnected from the controller. FlexConnect improves WAN efficiency but has nothing to do with speeding up client roaming or authentication during AP transitions. It does not provide any fast-roaming features on its own.
Option D, 802.1X, is incorrect because it is a port-based authentication method used for identity validation, typically backed by a RADIUS server. While 802.1X plays a role in securing enterprise WLANs, it actually contributes to longer roaming delays if 802.11r is not implemented, since full EAP exchanges may be required at every roam.
Question 129:
Which TrustSec component enforces policies based on user or device roles?
A) VLANs
B) Security Group Tags (SGTs)
C) ACLs
D) Port-based authentication
Answer: B) Security Group Tags (SGTs)
Explanation:
SGTs decouple policy from IP addresses and allow role-based access control, dynamically segmenting users or devices. VLANs and ACLs are static, and port-based authentication controls access per port, but none of them segment traffic dynamically by role.
The correct answer is B) Security Group Tags (SGTs) because Cisco TrustSec uses SGTs as the foundation of its software-defined segmentation model. Unlike traditional segmentation methods that rely heavily on VLANs, subnets, or IP-based ACLs, SGTs allow traffic classification and policy enforcement based on identity, not network location. Each user or device is assigned a tag that represents its role—such as employee, guest, IoT sensor, or contractor. These tags remain consistent as traffic moves throughout the network, enabling flexible and dynamic segmentation without constant reconfiguration of VLANs or ACL entries. This identity-based approach drastically simplifies policy management, especially in large or highly mobile environments.
Option A, VLANs, provides Layer 2 segmentation but requires physical or logical network redesign every time a user or device moves. VLAN assignments are tied to interfaces, making them rigid and static. If a device changes location, its segmentation policies must also be manually adjusted unless additional mobility solutions are used. VLANs simply lack the scalability and flexibility of SGT-based policies in modern networks.
Option C, ACLs, can filter traffic based on IP addresses, ports, and protocols. However, ACLs are often large, complex, and difficult to maintain in dynamic networks. They grow rapidly as environments expand, and updates must be pushed across multiple switches or routers. Because ACLs rely on IP addresses, changes in addressing or host mobility require continuous modifications. This makes ACLs less efficient and far more error-prone than SGT policies, which maintain security consistency regardless of IP changes.
Option D, port-based authentication (e.g., 802.1X), provides identity verification at a single point of entry but does not inherently segment traffic across the network. While it is useful for determining who is allowed onto the network, it does not provide a scalable method for segmenting traffic once inside.
Question 130:
Which command shows all OSPF routes installed in the routing table?
A) show ip ospf database
B) show ip route ospf
C) show ip protocols
D) show running-config
Answer: B) show ip route ospf
Explanation:
The correct answer is B) show ip route ospf, as this command specifically filters the routing table to display only the routes that OSPF has learned and installed. It provides a clear view of the network topology as recognized by the router through OSPF, showing intra-area routes (routes within the same OSPF area), inter-area routes (routes between different areas), and external routes (routes injected from other protocols or autonomous systems). This command is essential for troubleshooting OSPF route propagation, verifying which routes are actively being used for packet forwarding, and confirming proper OSPF route preference and metrics. Network engineers can quickly identify missing or incorrect routes and correlate them with OSPF configuration or neighbor relationships.
Option A, show ip ospf database, displays all OSPF Link-State Advertisements (LSAs) received from neighbors, including Type 1 (Router), Type 2 (Network), Type 3 (Summary), and Type 5 (External) LSAs. While it provides detailed insight into OSPF topology information and helps in understanding LSAs flooding, it does not indicate which routes are installed in the routing table for packet forwarding. Therefore, it’s more suitable for topology-level troubleshooting rather than route verification.
Option C, show ip protocols, provides information about OSPF and other routing protocols running on the router, such as timers, networks participating, redistribution settings, and administrative distances. It does not display actual routes learned by OSPF or their status in the routing table, so it is less useful for verifying route installation.
Option D, show running-config, shows the router’s entire configuration, including OSPF process statements, network commands, and other routing protocol configurations. While helpful for configuration verification, it does not indicate the current state of routes or OSPF route selection.
Question 131:
A network engineer wants to verify which BGP routes were learned from a specific neighbor. Which command should they use?
A) show ip bgp
B) show ip bgp summary
C) show ip bgp neighbors <neighbor> routes
D) show ip route bgp
Answer: C) show ip bgp neighbors <neighbor> routes
Explanation:
This command displays all routes received from a neighbor, along with path attributes such as AS_PATH, MED, and next-hop. The summary shows session state, and show ip route bgp only shows installed routes. The correct answer is C) show ip bgp neighbors <neighbor> routes, which is a BGP command used to display all routes received specifically from a particular BGP neighbor. This command provides detailed information about the routes learned from that neighbor, including important path attributes such as AS_PATH, MED (Multi-Exit Discriminator), next-hop IP, and other BGP-specific attributes. By using this command, network engineers can verify which routes a neighbor is advertising, analyze routing policies, and troubleshoot issues such as missing routes or incorrect path selections. It is particularly useful in multi-homed or complex BGP topologies where per-neighbor route visibility is crucial for operational analysis and policy verification.
Option A, show ip bgp, displays all BGP routes in the BGP table regardless of the neighbor from which they were learned. While it provides a global view of all BGP routes known to the router, it does not break down routes per neighbor, which can make neighbor-specific troubleshooting more difficult.
Option B, show ip bgp summary, provides a concise overview of BGP neighbor sessions, including the session state (Idle, Active, Established), number of prefixes received, and timers. It is primarily used to verify whether BGP sessions are up and healthy, but it does not display the actual routing information received from neighbors.
Option D, show ip route bgp, filters the routing table to show only BGP routes that have been installed and are actively used for forwarding. This is helpful to confirm which BGP routes are being utilized, but it does not provide all the path attributes or information about routes that may be received but not installed due to policy, administrative distance, or best-path selection.
In summary, show ip bgp neighbors <neighbor> routes gives the most detailed per-neighbor route information, making it essential for analyzing received routes, verifying path attributes, and troubleshooting BGP routing issues, whereas the other commands provide either global, summary, or installed-route views. One caveat: the routes keyword shows what was accepted after inbound policy. To see everything the neighbor sent, including prefixes your route maps or prefix lists rejected, use show ip bgp neighbors <neighbor> received-routes, which requires neighbor <neighbor> soft-reconfiguration inbound to be configured.
Question 132:
Which OSPF LSA type describes external routes redistributed into OSPF?
A) Type 1
B) Type 2
C) Type 3
D) Type 5
Answer: D) Type 5
Explanation:
Type 5 LSAs are generated by ASBRs to advertise external routes from other routing protocols into OSPF. Type 3 LSAs summarize intra-area routes across areas, and Type 1/2 describe routers and networks within an area. In OSPF (Open Shortest Path First), LSAs (Link-State Advertisements) are the fundamental units of routing information that allow routers to build a complete topology map of the network. Each LSA type serves a specific purpose in OSPF's hierarchical design. The correct answer here is D) Type 5, which refers to external LSAs. Type 5 LSAs are generated by Autonomous System Boundary Routers (ASBRs) to advertise routes that originate outside the OSPF autonomous system, such as those learned from other routing protocols like EIGRP, RIP, or BGP. These LSAs allow OSPF to incorporate external routes into its routing domain, making them reachable to internal OSPF routers. Type 5 LSAs are flooded throughout the OSPF domain except into stub areas (including totally stubby areas), which block them to keep routing tables small, and NSSAs, where external routes originated inside the area are carried as Type 7 LSAs and translated to Type 5 by the ABR.
Type 3 LSAs, in contrast, are summary LSAs generated by Area Border Routers (ABRs). They are used to summarize routes from one OSPF area and advertise them to another area. This reduces the number of LSAs and provides scalability by preventing the flooding of detailed intra-area topology information across the entire OSPF network.
Type 1 LSAs describe individual routers within an OSPF area, including the router ID, state of interfaces, and links to other routers or networks. These are flooded only within a single area. Type 2 LSAs describe network segments for multi-access networks like Ethernet and are generated by the designated router (DR) on that segment to inform all routers in the area about the connected network.
Understanding the differences among these LSAs is crucial for OSPF operation and troubleshooting. Type 5 LSAs are essential for incorporating external routes into OSPF, Type 3 LSAs enable inter-area summarization, and Type 1/2 LSAs maintain intra-area connectivity information. Proper configuration ensures efficient routing, reduced flooding, and improved network scalability.
Question 133:
In SD-WAN, which device manages control-plane routing and distributes policies to vEdge routers?
In a Cisco SD-WAN architecture, the vSmart controller plays a critical role in managing the control plane. It is responsible for distributing routing information, security policies, and encryption keys to all vEdge routers in the network. By maintaining a secure and synchronized control plane, vSmart ensures that all vEdge devices can dynamically discover optimal paths, enforce policy decisions, and communicate securely across the WAN. This centralized control-plane management is essential for maintaining consistent and scalable network behavior across multiple sites.
The vManage platform provides a GUI-based centralized management interface for administrators. Through vManage, network engineers can configure policies, deploy templates, monitor device and network health, and troubleshoot connectivity issues. While vManage is key for operational oversight, it does not directly handle the distribution of routing information or encryption keys—that responsibility remains with the vSmart controller.
vBond orchestrates onboarding and zero-touch provisioning (ZTP) of new devices. It authenticates vEdge routers joining the SD-WAN overlay, facilitates initial connectivity to the control plane, and directs devices to the appropriate vSmart and vManage controllers. This ensures that devices can securely join the network without manual intervention, simplifying deployment at branch or remote sites.
Together, these four components—vSmart, vManage, vBond, and vEdge—form a cohesive SD-WAN solution. vSmart ensures secure and consistent routing decisions, vManage provides operational oversight, vBond simplifies onboarding, and vEdge executes data-plane forwarding. Understanding the distinct roles of each is essential for designing, deploying, and troubleshooting a robust SD-WAN network.
Question 134:
Which QoS mechanism enforces traffic limits by dropping or remarking excess packets?
A) Shaping
B) Policing
C) LLQ
D) CBWFQ
Answer: B) Policing
Explanation:
Policing enforces a rate limit by dropping or remarking excess packets. Shaping buffers excess traffic to smooth bursts, LLQ prioritizes delay-sensitive traffic, and CBWFQ allocates bandwidth per class. In network traffic management, several mechanisms are used to control congestion, prioritize critical traffic, and ensure compliance with Service Level Agreements (SLAs). Among these, policing, shaping, LLQ (Low Latency Queuing), and CBWFQ (Class-Based Weighted Fair Queuing) are commonly deployed in Cisco networks, each serving a distinct purpose.
Policing is a rate-limiting mechanism that enforces a defined bandwidth limit on traffic. When traffic exceeds the configured rate, policing can either drop excess packets or remark them with a lower priority. This approach is useful for enforcing contractual bandwidth limits and ensuring that no traffic class consumes more than its allocated share. However, policing can lead to packet loss, which may affect real-time applications such as voice or video if applied aggressively.
Traffic shaping, in contrast, buffers excess packets and sends them out at a controlled rate. By smoothing bursts and regulating the flow of traffic, shaping makes the output conform to a specified rate without abrupt drops, which is the usual choice when a provider polices your link at a contracted CIR and you would rather queue than lose packets. The price is added queuing delay, so shaping on its own is not a benefit for delay-sensitive traffic; in practice it is applied to the whole interface or to bulk classes, with LLQ operating inside the shaped queue so that voice and video still go first.
LLQ (Low Latency Queuing) provides priority treatment to delay-sensitive traffic, such as voice or video, by creating a priority queue. LLQ ensures that high-priority traffic is transmitted first while still allowing other classes to receive guaranteed bandwidth. This prevents voice or critical real-time applications from being affected by lower-priority traffic, ensuring quality and reliability.
CBWFQ allocates bandwidth fairly across different traffic classes defined by class maps. While it ensures that each class receives a guaranteed portion of bandwidth, it does not provide strict priority like LLQ. CBWFQ is ideal for managing multiple traffic types with varying importance without giving absolute priority to any single class.
In summary, these mechanisms complement each other: policing enforces strict limits, shaping smooths bursts, LLQ prioritizes critical traffic, and CBWFQ allocates bandwidth fairly. Deploying them appropriately ensures efficient traffic management, reduced congestion, and improved application performance across the network.
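To make the policing/shaping distinction concrete, here is an added Python simulation (not Cisco code and not part of the original explanation) of one single-rate token bucket used first as a policer and then as a shaper; the CIR, Bc and the packet burst are constructed values.

```python
def police(packets, cir_bps, bc_bytes):
    """Single-rate token-bucket policer. packets: [(arrival_s, size_bytes)] in
    arrival order. Returns one action per packet: 'conform' or 'exceed'.
    Excess packets are dropped or remarked (per configured action), never delayed."""
    tokens, last = float(bc_bytes), 0.0
    actions = []
    for arrival, size in packets:
        # refill at CIR bytes/s since the last arrival, capped at the burst size Bc
        tokens = min(bc_bytes, tokens + (arrival - last) * cir_bps / 8)
        last = arrival
        if size <= tokens:
            tokens -= size
            actions.append("conform")
        else:
            actions.append("exceed")   # no tokens spent; packet is dropped/remarked
    return actions

def shape(packets, cir_bps, bc_bytes):
    """Shaper with the same bucket: excess packets queue (FIFO) until enough
    tokens accrue, so none are dropped (assumes each size <= bc_bytes).
    Returns [(arrival_s, send_s)] per packet."""
    tokens, last = float(bc_bytes), 0.0
    schedule = []
    for arrival, size in packets:
        now = max(arrival, last)   # cannot leave before the previous packet
        tokens = min(bc_bytes, tokens + (now - last) * cir_bps / 8)
        if size > tokens:          # wait for the deficit to accrue at CIR
            now += (size - tokens) * 8 / cir_bps
            tokens = float(size)
        tokens -= size
        last = now
        schedule.append((arrival, now))
    return schedule

# Constructed burst: five 500-byte packets at t=0 s, one more at t=2.0 s
BURST = [(0.0, 500), (0.0, 500), (0.0, 500), (0.0, 500), (0.0, 500), (2.0, 500)]
CIR_BPS, BC_BYTES = 8000, 1000   # 1000 bytes/s with a 1000-byte bucket

def compare(packets=BURST, cir_bps=CIR_BPS, bc_bytes=BC_BYTES):
    """Return (packets the policer drops/remarks, worst-case shaper delay in s)."""
    actions = police(packets, cir_bps, bc_bytes)
    schedule = shape(packets, cir_bps, bc_bytes)
    return actions.count("exceed"), max(send - arr for arr, send in schedule)

if __name__ == "__main__":
    print(compare())   # (3, 1.5): policing drops 3 packets, shaping delays one by 1.5 s
```

The same burst loses three packets under the policer but arrives intact under the shaper at the cost of up to 1.5 s of queueing delay, which is why shaping suits delay-tolerant bulk traffic and policing suits hard contractual limits.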
Question 135:
Which command verifies the current spanning-tree root bridge and port roles?
A) show spanning-tree
B) show vlan brief
C) show interfaces trunk
D) show running-config
Answer: A) show spanning-tree
Explanation:
The show spanning-tree command displays the root bridge ID, port roles (root/designated/blocking), and VLAN mapping, which is useful for troubleshooting STP topology and loops. The other commands do not show root information. The show spanning-tree command is a crucial tool in Cisco networks for monitoring and troubleshooting the Spanning Tree Protocol (STP), which is used to prevent Layer 2 loops in a switched network. This command provides detailed information about the STP topology, including the root bridge ID, port roles, port states, and VLAN-to-port mapping. Understanding this information helps network engineers ensure that the spanning tree is operating correctly and that there are no loops that could cause broadcast storms or network outages.
The root bridge ID identifies the switch that is elected as the root of the spanning tree for each VLAN. All path calculations in STP are made relative to the root bridge. By viewing the root bridge, administrators can verify whether the correct switch is acting as the root, ensuring optimal path selection for traffic.
The port roles displayed by show spanning-tree include root ports, designated ports, and blocked ports. Root ports are the ports on non-root switches that lead toward the root bridge. Designated ports are the ports that forward traffic toward a network segment, and blocked ports do not forward traffic to prevent loops. This role information helps in diagnosing misconfigurations, misbehaving ports, or unexpected topology changes.
Additionally, the command shows the STP state of each port (forwarding, learning, blocking), which is useful for determining which ports are actively forwarding traffic versus those that are in a protective state. VLAN mapping information is also included, helping to understand how STP operates per VLAN in environments using VLAN Trunking.
Other commands, like show vlan brief, only display VLAN IDs, names, and status, but do not provide STP-related data. The show interfaces trunk command shows trunk configuration and allowed VLANs, but does not indicate root bridges or port roles. The show running-config command displays the full configuration but does not give real-time STP operational information. Therefore, show spanning-tree is the definitive command for verifying STP topology, troubleshooting loops, and ensuring proper network redundancy and stability.
Question 136:
Which MPLS router forwards labeled packets based on the top label without inspecting the IP header?
A) CE
B) PE
C) P
D) LER
Answer: C) P
Explanation:
P routers forward MPLS packets based on the top label only. LER/PE routers push/pop labels at the edge, and CE routers connect to customer networks. In an MPLS (Multiprotocol Label Switching) network, different router roles define how packets are handled and forwarded. Understanding these roles is crucial for designing and troubleshooting MPLS networks.
P routers, also known as Provider routers, reside in the core of the MPLS network. Their primary function is to forward packets based solely on the top MPLS label. P routers do not examine the IP header of the packets; instead, they perform label switching, looking up the incoming label in the label forwarding table and swapping it with the outgoing label as dictated by the label information. This allows for fast and efficient packet forwarding within the MPLS backbone, without involving complex routing decisions at every hop. P routers do not perform label push or pop operations—they only switch labels.
PE (Provider Edge) routers or LERs (Label Edge Routers) operate at the edge of the MPLS network. They are responsible for pushing labels onto packets entering the MPLS network and popping labels off packets exiting the MPLS domain. PE routers also classify packets into Forwarding Equivalence Classes (FECs), which determine how traffic is labeled and forwarded through the MPLS cloud. This label assignment enables MPLS to support traffic engineering, VPNs, and QoS.
CE (Customer Edge) routers are located at the customer site and connect directly to the PE router of the service provider. CE routers are not aware of MPLS labels; they send and receive standard IP packets. The PE router handles the translation between IP routing and MPLS forwarding for the customer traffic.
By separating these roles, MPLS networks achieve scalability, efficient packet forwarding, and support for multiple services like VPNs and traffic engineering. P routers focus on speed and core switching efficiency, PE/LER routers manage edge label operations, and CE routers handle customer connectivity. Understanding these distinctions is essential for network design, troubleshooting, and ensuring proper MPLS functionality.
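As an added illustration (a constructed model, not the original page's or any vendor's code), the following Python walks a packet through an ingress PE, two P routers and an egress PE; the FEC table, label values and router names are assumptions chosen for the example.

```python
import ipaddress

# Constructed tables (assumed values, not from any real deployment).
# Ingress PE: destination prefix -> (label to push, next hop); chosen by longest match
FEC_TABLE = {"10.0.0.0/8": (110, "P1"), "10.1.0.0/16": (100, "P1")}
# LFIB per label-switching router: incoming top label -> (action, outgoing label, next hop)
LFIB = {
    "P1":  {100: ("swap", 200, "P2"), 110: ("swap", 210, "P2")},
    "P2":  {200: ("swap", 300, "PE2"), 210: ("swap", 310, "PE3")},
    "PE2": {300: ("pop", None, "CE2")},
    "PE3": {310: ("pop", None, "CE3")},
}

def ingress_pe(packet, fec_table):
    """Ingress PE/LER: the only place the IP header is read. Classify the
    packet into a FEC by longest-prefix match and push the FEC's label."""
    dst = ipaddress.ip_address(packet["ip"]["dst"])
    matches = [(ipaddress.ip_network(p), lbl, nh) for p, (lbl, nh) in fec_table.items()
               if dst in ipaddress.ip_network(p)]
    if not matches:
        raise LookupError(f"no FEC for {dst}")
    net, label, next_hop = max(matches, key=lambda m: m[0].prefixlen)
    packet["labels"].insert(0, label)
    return next_hop, f"PE1: push {label} (FEC {net}) -> {next_hop}"

def label_switch(router, packet, lfib):
    """P or egress router: decide on the top label only; packet['ip'] is opaque here."""
    top = packet["labels"][0]
    action, out_label, next_hop = lfib[router][top]
    if action == "swap":
        packet["labels"][0] = out_label
    else:                       # pop at the egress LER
        packet["labels"].pop(0)
    tail = f"->{out_label}" if action == "swap" else ""
    return next_hop, f"{router}: {action} {top}{tail} -> {next_hop}"

def forward(dst_ip, fec_table=FEC_TABLE, lfib=LFIB):
    """Walk a packet from the ingress PE to the customer edge, returning the hop log."""
    packet = {"labels": [], "ip": {"dst": dst_ip}}
    hop, log = ingress_pe(packet, fec_table)
    trace = [log]
    while hop in lfib:          # stop once the plain IP packet is handed to a CE
        hop, log = label_switch(hop, packet, lfib)
        trace.append(log)
    return packet["labels"], hop, trace
```

Only ingress_pe touches the IP destination; P1 and P2 act purely on the top label, and the egress PE pops the last label so the CE receives an unlabeled IP packet.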
Question 137:
Which command on a Cisco switch verifies allowed VLANs on a trunk interface?
A) show vlan brief
B) show interfaces trunk
C) show running-config
D) show spanning-tree
Answer: B) show interfaces trunk
Explanation:
The show interfaces trunk command lists trunk mode, native VLAN, and allowed VLANs, helping diagnose VLAN pruning or misconfiguration. The show vlan brief command shows VLANs locally only. The show interfaces trunk command is essential for troubleshooting VLAN propagation across trunk links, as it displays trunking mode, native VLAN, and the list of allowed VLANs. This helps identify issues such as VLAN pruning or mismatched native VLANs between switches. In contrast, the show vlan brief command provides only a summary of locally configured VLANs and their assigned ports, without showing trunk-specific information. The show running-config command lists the entire switch configuration, which requires manual inspection, while show spanning-tree displays STP roles and status but does not provide VLAN membership details on trunks.
Question 138:
Which SD-WAN policy prioritizes traffic based on application performance metrics?
A) Control policy
B) Data policy
C) Application-aware routing (AAR)
D) QoS trust policy
Answer: C) Application-aware routing (AAR)
Explanation:
AAR policy evaluates SLA metrics like latency, jitter, and packet loss to dynamically select the best path for critical applications. Data policies enforce routing rules, control policies manage devices, and QoS trust policies mark traffic. Application-Aware Routing (AAR) in Cisco SD-WAN is designed to optimize the delivery of critical applications by dynamically selecting the best path based on real-time SLA metrics such as latency, jitter, and packet loss. This ensures that high-priority traffic like voice or video takes the most efficient route. In comparison, data policies control traffic flow by enforcing routing rules, firewall actions, or blocking traffic. Control policies manage the behavior of devices within the control plane, while QoS trust policies focus solely on marking and classifying traffic, without influencing path selection.
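The following added Python example (not from the original explanation and not Cisco code) models the AAR decision: after each probe round it keeps only the tunnels within the SLA thresholds and picks the first compliant preferred colour; the SLA thresholds, colour names and probe values are constructed for the example.

```python
# Constructed SLA class modelled on an SD-WAN "voice" class; thresholds are assumptions
SLA_VOICE = {"latency_ms": 150, "jitter_ms": 30, "loss_pct": 1.0}

# Constructed probe rounds: per transport colour, the metrics measured on its tunnel
PROBE_ROUNDS = [
    {"mpls": {"latency_ms": 40, "jitter_ms": 5, "loss_pct": 0.1},      # all healthy
     "biz-internet": {"latency_ms": 90, "jitter_ms": 35, "loss_pct": 0.2},
     "lte": {"latency_ms": 200, "jitter_ms": 20, "loss_pct": 2.5}},
    {"mpls": {"latency_ms": 180, "jitter_ms": 10, "loss_pct": 3.0},    # MPLS degrades
     "biz-internet": {"latency_ms": 80, "jitter_ms": 20, "loss_pct": 0.3},
     "lte": {"latency_ms": 120, "jitter_ms": 15, "loss_pct": 0.5}},
    {"mpls": {"latency_ms": 200, "jitter_ms": 50, "loss_pct": 5.0},    # nothing meets SLA
     "biz-internet": {"latency_ms": 300, "jitter_ms": 60, "loss_pct": 3.0},
     "lte": {"latency_ms": 400, "jitter_ms": 80, "loss_pct": 10.0}},
]

def sla_violations(metrics, sla):
    """Return the metric names that exceed the SLA thresholds (empty = compliant)."""
    return [k for k, limit in sla.items() if metrics[k] > limit]

def select_path(probe, sla, preferred=()):
    """Pick a tunnel for one probe round: the first compliant preferred colour,
    else the compliant tunnel with the least loss (then lowest latency),
    else None (no path meets the SLA; a real policy would fall back or drop)."""
    compliant = {c: m for c, m in probe.items() if not sla_violations(m, sla)}
    for colour in preferred:
        if colour in compliant:
            return colour
    if not compliant:
        return None
    return min(compliant, key=lambda c: (compliant[c]["loss_pct"], compliant[c]["latency_ms"]))

def route_over_time(rounds=PROBE_ROUNDS, sla=SLA_VOICE, preferred=("mpls", "biz-internet")):
    """Re-evaluate the path after every probe round, as AAR does, and log each change
    as (round_index, previous_colour, new_colour)."""
    decisions, events, current = [], [], None
    for i, probe in enumerate(rounds):
        chosen = select_path(probe, sla, preferred)
        if chosen != current:
            events.append((i, current, chosen))
        decisions.append(chosen)
        current = chosen
    return decisions, events
```

Path selection here is driven solely by measured latency, jitter and loss against the class thresholds, which is what distinguishes AAR from a data policy that steers traffic by static match rules.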
Question 139:
Which wireless protocol enables fast roaming between APs for voice clients?
A) WPA2
B) 802.11r
C) FlexConnect
D) 802.1X
Answer: B) 802.11r
Explanation:
802.11r (Fast Roaming) allows clients to pre-authenticate with new APs, reducing handoff time and improving performance for voice and video. FlexConnect is for branch AP deployment, WPA2 encrypts traffic, and 802.1X authenticates. 802.11r, also known as Fast Roaming, is a wireless standard that enables clients to pre-authenticate with a new access point before disconnecting from the current one. This significantly reduces handoff time, ensuring seamless connectivity for latency-sensitive applications such as voice and video. FlexConnect is a deployment mode for branch APs, allowing local switching and partial controller independence. WPA2 provides encryption for wireless traffic to ensure security, while 802.1X handles client authentication. Unlike 802.11r, these features do not reduce roaming latency but focus on security and network deployment flexibility.
Question 140:
Which Cisco feature allows network access control based on user roles without relying on IP addresses?
A) VLANs
B) Security Group Tags (SGTs)
C) ACLs
D) Port-based authentication
Answer: B) Security Group Tags (SGTs)
Explanation:
SGTs enable role-based segmentation in Cisco TrustSec, decoupling policies from IP addresses. VLANs and ACLs can be static, and port-based authentication controls access per interface only. Security Group Tags (SGTs) in Cisco TrustSec provide dynamic, role-based segmentation by assigning tags to users or devices. This allows network policies to be enforced based on roles rather than relying on static IP addresses, enabling flexible and scalable security across the network. VLANs offer Layer 2 segmentation but are static and limited in flexibility. Access Control Lists (ACLs) filter traffic based on IP addresses or ports, but do not dynamically adapt to user roles. Port-based authentication (e.g., 802.1X) controls device access at the interface level but does not provide broader, dynamic traffic segmentation like SGTs do.