Question 141:
A network engineer notices OSPF neighbors in an area are not forming full adjacency. Which command helps verify neighbor states?
A) show ip ospf neighbor
B) show ip route ospf
C) show ip ospf database
D) ping 127.0.0.1
Answer: A) show ip ospf neighbor
Explanation:
The show ip ospf neighbor command displays the neighbor state (Init, 2-Way, Full), allowing troubleshooting of adjacency formation issues such as mismatched timers, authentication, or network types. The four commands in the answer choices serve the following purposes:
In OSPF (Open Shortest Path First), network troubleshooting and verification often rely on several key commands. One of the most essential commands is show ip ospf neighbor. This command displays the status of OSPF neighbors, including their state, such as Init, 2-way, or Full. The neighboring state is critical for understanding adjacency formation. For example, if a router remains in the Init or 2-way state and never reaches Full, it indicates an issue in forming a complete OSPF adjacency. Common causes for this include mismatched hello or dead timers, incorrect OSPF authentication settings, or incompatible network types between neighbors. By carefully analyzing the output of this command, network engineers can pinpoint which neighbor relationships are failing and why.
The show ip route ospf command is used to display the routes that OSPF has learned and installed in the routing table. This allows verification that OSPF is properly propagating routes throughout the network. If expected routes are missing, it may indicate problems in OSPF area configuration, filtering (like route summarization or redistribution issues), or a broken adjacency preventing the exchange of LSAs (Link-State Advertisements).
Another important command is show ip ospf database, which provides a detailed view of the OSPF link-state database. This database contains all LSAs received from OSPF neighbors. By examining this database, engineers can verify whether the router has complete topology information for its area. Missing or inconsistent LSAs can indicate OSPF synchronization problems, misconfigurations, or network partitioning.
Finally, ping 127.0.0.1 tests the router’s internal TCP/IP stack. This loopback ping ensures that the OSPF process can operate locally and is not affected by hardware or interface failures. While it does not test OSPF functionality directly, it is a fundamental diagnostic step when troubleshooting connectivity or process-level issues.
In summary, these four commands together provide a comprehensive toolkit for OSPF troubleshooting, covering neighbor relationships, routing table verification, database integrity, and local interface functionality.
Question 142:
Which EIGRP command enables unequal-cost load balancing for backup paths?
A) maximum-paths
B) variance
C) redistribute
D) network
Answer: B) variance
Explanation:
The variance command allows EIGRP to use paths whose metric is within a multiple of the best route, enabling unequal-cost load balancing. The maximum-paths command only allows equal-cost paths. The four commands in the answer choices serve the following purposes:
In EIGRP (Enhanced Interior Gateway Routing Protocol), several key commands are essential for controlling routing behavior and load balancing. One of the most important commands is variance. The variance command allows EIGRP to perform unequal-cost load balancing by enabling the protocol to include routes whose metrics are within a certain multiple of the best path. For example, setting a variance of 2 allows EIGRP to install routes whose metrics are up to twice the metric of the best route. This is particularly useful in networks where multiple paths exist but have different costs, ensuring better utilization of available bandwidth.
In contrast, the maximum-paths command controls the number of routes that EIGRP can install in the routing table for equal-cost load balancing. By default, EIGRP supports up to four equal-cost paths, but this can be increased up to 16 using the maximum-paths command. Unlike variance, it does not consider routes with higher metrics than the best path, so it only affects paths that have the same metric.
The redistribute command is used to import routes from other routing protocols into EIGRP. For example, routes from OSPF, RIP, or static routes can be redistributed into EIGRP so that they are advertised to other EIGRP routers. Redistribution must be carefully configured with metrics, as EIGRP requires proper metric values for routes learned from other protocols to be installed in the routing table.
Finally, the network command is used to identify which interfaces will participate in EIGRP and advertise their connected networks. Specifying a network determines the interfaces on which EIGRP sends hello packets and establishes neighbor relationships, as well as which routes are advertised to other EIGRP routers. Without the correct network statements, some interfaces may not participate in EIGRP, and neighbors may not form properly.
In summary, variance enables unequal-cost load balancing, maximum-paths controls the number of equal-cost paths, redistribute allows route sharing between protocols, and network defines EIGRP participation and advertisement. Together, these commands give network engineers fine-grained control over routing and path selection in EIGRP networks.
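As an added illustration (not part of the exam page), the following Python models which paths EIGRP installs for one prefix under a given variance. It goes slightly beyond the text above by also applying the feasibility condition (a candidate's advertised distance must be lower than the successor's feasible distance), which EIGRP checks before variance is considered; the neighbour names and metric values are constructed.

```python
# Added example (not from the exam page): which EIGRP paths are installed
# for one prefix with a given variance. Neighbour names and metrics are
# constructed values.

from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    next_hop: str          # neighbour advertising the route
    advertised_dist: int   # RD: the neighbour's own metric to the prefix
    feasible_dist: int     # FD: metric via this neighbour as computed locally


def installed_paths(paths, variance=1, maximum_paths=4):
    """Return the paths EIGRP installs for one prefix.

    Two rules apply, checked in this order:
      1. Feasibility condition: a candidate's RD must be strictly less than
         the successor's FD, otherwise it is not a loop-free feasible
         successor and variance never considers it.
      2. Variance: the candidate's FD must be <= variance * successor FD.
    maximum_paths caps the number of installed entries (IOS default is 4).
    """
    if not paths:
        return []
    best = min(paths, key=lambda p: p.feasible_dist)   # the successor
    chosen = [best]
    for p in sorted(paths, key=lambda p: p.feasible_dist):
        if p is best:
            continue
        feasible = p.advertised_dist < best.feasible_dist
        within_variance = p.feasible_dist <= variance * best.feasible_dist
        if feasible and within_variance:
            chosen.append(p)
    return chosen[:maximum_paths]


# Constructed topology: four neighbours offer routes to the same prefix.
CANDIDATES = [
    Path("R2", advertised_dist=10, feasible_dist=20),  # successor (lowest FD)
    Path("R3", advertised_dist=15, feasible_dist=35),  # feasible, within variance 2
    Path("R4", advertised_dist=25, feasible_dist=30),  # RD 25 >= FD 20: fails the FC
    Path("R5", advertised_dist=5,  feasible_dist=50),  # feasible, needs variance 3
]

if __name__ == "__main__":
    for v in (1, 2, 3):
        hops = [p.next_hop for p in installed_paths(CANDIDATES, variance=v)]
        print(f"variance {v}: {hops}")
```

Note that R4 is never installed however large the variance is, because a path that fails the feasibility condition is not loop-free and variance alone cannot make it eligible.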
Question 143:
Which NAT type translates multiple private IP addresses to a single public IP while preserving multiple sessions?
A) Static NAT
B) Dynamic NAT
C) PAT
D) NAT64
Answer: C) PAT
Explanation:
Port Address Translation (PAT) maps many private IPs to a single public IP using different source ports for session tracking. Static NAT is one-to-one, dynamic NAT uses a pool, and NAT64 translates IPv6 to IPv4. The four NAT types in the answer choices work as follows:
Network Address Translation (NAT) is a critical technology used to map private IP addresses to public IP addresses, allowing internal devices to communicate with external networks while conserving public IP space. Among NAT types, Port Address Translation (PAT) is widely used. PAT, often called NAT overload, allows many private IP addresses to be mapped to a single public IP address by using different source port numbers for each session. This ensures that multiple devices behind a single public IP can simultaneously communicate with external networks, with the router keeping track of each session using unique port numbers. PAT is highly efficient for networks with limited public IP addresses.
Static NAT, in contrast, is a one-to-one mapping between a private IP address and a public IP address. Each internal device is assigned a specific public IP, which does not change over time. This type of NAT is commonly used for servers that need to be consistently reachable from the internet, such as web servers, email servers, or VPN endpoints. While static NAT ensures predictable addressing, it consumes public IP addresses for each internal device.
Dynamic NAT uses a pool of public IP addresses that are dynamically assigned to private IP addresses when a device initiates a connection to an external network. Unlike static NAT, the mapping is not permanent, and once the session ends, the public IP becomes available for another internal host. Dynamic NAT is suitable for organizations that have more internal hosts than available public IPs but do not require permanent mappings for each device.
Finally, NAT64 is designed for IPv6-to-IPv4 translation, allowing IPv6-only clients to communicate with IPv4-only servers. This is increasingly important in modern networks where IPv6 adoption is growing, and legacy IPv4 systems still exist. NAT64 translates IPv6 packets into IPv4 packets and vice versa, enabling seamless communication between the two protocol families.
In summary, PAT efficiently maps multiple private IPs to one public IP using ports, static NAT provides fixed one-to-one mappings, dynamic NAT assigns public IPs from a pool as needed, and NAT64 enables IPv6-IPv4 interoperability. Each type serves a specific use case in modern network design.
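As an added example (not from the exam page), the following Python implements a minimal PAT table: several inside hosts are translated to one outside address, a collision on the same source port is resolved by allocating a different translated port, and replies are mapped back by translated port. Addresses and ports are constructed, and the port-preservation rule is a simplification of what real implementations do.

```python
# Added example (not from the exam page): a minimal PAT (NAT overload)
# translation table. All addresses and ports are constructed values.

from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PatTable:
    """Many inside hosts share one outside IP; sessions are told apart by the
    translated source port together with the destination and protocol."""

    def __init__(self, outside_ip, port_range=(1024, 65535)):
        self.outside_ip = outside_ip
        self.next_port, self.max_port = port_range
        self.inside_to_outside = {}   # Flow -> translated source port
        self.outside_to_inside = {}   # (proto, translated port, remote ip, remote port) -> Flow

    def _allocate_port(self, wanted, proto, dst_ip, dst_port):
        # Keep the original source port when that 5-tuple is still free
        # (simplified port preservation); otherwise take the next free port.
        if wanted >= 1024 and (proto, wanted, dst_ip, dst_port) not in self.outside_to_inside:
            return wanted
        while self.next_port <= self.max_port:
            candidate = self.next_port
            self.next_port += 1
            if (proto, candidate, dst_ip, dst_port) not in self.outside_to_inside:
                return candidate
        raise RuntimeError("PAT port pool exhausted")

    def translate_outbound(self, flow):
        """Return (outside_ip, translated_port) for an inside-to-outside packet,
        creating the session entry on first use."""
        if flow not in self.inside_to_outside:
            port = self._allocate_port(flow.src_port, flow.proto, flow.dst_ip, flow.dst_port)
            self.inside_to_outside[flow] = port
            self.outside_to_inside[(flow.proto, port, flow.dst_ip, flow.dst_port)] = flow
        return self.outside_ip, self.inside_to_outside[flow]

    def translate_inbound(self, proto, dst_port, remote_ip, remote_port):
        """Map a packet arriving at outside_ip:dst_port from remote_ip:remote_port
        back to the inside flow, or None when no session exists (unsolicited
        inbound traffic has nowhere to go and is dropped)."""
        return self.outside_to_inside.get((proto, dst_port, remote_ip, remote_port))


# Constructed scenario: two inside hosts pick the same source port towards
# the same server, so the second one must be given a different outside port.
TABLE = PatTable("198.51.100.1")
HOST_A = Flow("10.1.1.10", 50000, "203.0.113.10", 443)
HOST_B = Flow("10.1.1.11", 50000, "203.0.113.10", 443)
HOST_C = Flow("10.1.1.12", 50000, "203.0.113.20", 443)

if __name__ == "__main__":
    for f in (HOST_A, HOST_B, HOST_C):
        print(f.src_ip, f.src_port, "->", TABLE.translate_outbound(f))
    print("reply to 1024:", TABLE.translate_inbound("tcp", 1024, "203.0.113.10", 443))
    print("unsolicited:", TABLE.translate_inbound("tcp", 2000, "203.0.113.10", 443))
```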
Question 144:
Which OSPF area type allows external routes via Type 7 LSAs but not Type 5 LSAs?
A) Normal area
B) Stub area
C) Not-So-Stubby Area (NSSA)
D) Backbone area
Answer: C) NSSA
Explanation:
NSSAs allow Type 7 LSAs (external routes generated locally) but block Type 5 LSAs, combining the benefits of stub areas with limited external route injection. In OSPF, areas are used to segment large networks, improve scalability, and reduce routing overhead. A Normal area is a standard OSPF area that allows all types of LSAs, including Type 1 (router), Type 2 (network), Type 3 (summary), Type 4 (ASBR summary), and Type 5 (external). It can fully import and advertise external routes into the OSPF domain, but this flexibility comes with a higher routing table size and processing overhead.
A Stub area is designed to reduce routing overhead by blocking Type 5 LSAs (external routes) from entering the area. Instead, all external destinations are reached via a default route, simplifying the routing table. This is useful for branch offices or areas that do not require full knowledge of external routes.
A Not-So-Stubby Area (NSSA) combines features of stub areas with limited external route capability. NSSAs block Type 5 LSAs from outside but allow Type 7 LSAs, which are external routes generated locally within the area, to be advertised internally. These Type 7 LSAs are later translated to Type 5 by the ABR when advertised to other areas. This allows stub-like areas to inject some external routes without receiving full external routing information.
Finally, the Backbone area (Area 0) is the central OSPF area responsible for routing between all other areas. All OSPF traffic between non-backbone areas must traverse the backbone, ensuring proper inter-area routing.
In summary, NSSAs provide a balance between reduced routing overhead and limited external connectivity, making them ideal for controlled external route injection in OSPF networks.
Question 145:
Which SD-WAN component handles zero-touch provisioning (ZTP) and initial authentication of devices?
A) vManage
B) vSmart
C) vBond
D) vEdge
Answer: C) vBond
Explanation:
vBond orchestrates initial device authentication, ensures devices can join the overlay securely, and facilitates control-plane connectivity with vSmart controllers. In Cisco SD-WAN, the architecture is built around several specialized components, each with distinct roles. vManage is the centralized management system that provides a graphical interface for network administrators. It allows configuration, policy deployment, monitoring, and troubleshooting across the SD-WAN environment. vManage does not participate directly in routing but orchestrates policies and device configurations.
vSmart controllers are responsible for the control plane. They distribute routing, security, and policy information to all edge devices (vEdge routers), ensuring consistent forwarding behavior across the SD-WAN overlay network. vSmart maintains secure communication with all vEdge devices and enforces policies such as VPN segmentation and QoS.
vBond acts as the orchestrator and authentication point in SD-WAN. When a new device is deployed, vBond authenticates it, assigns it to the appropriate organization, and facilitates secure connectivity with vSmart controllers. It ensures that vEdge devices can establish control-plane connections securely and traverse NAT if needed. Without vBond, new devices cannot join the overlay network safely.
vEdge routers are the data-plane devices deployed at branch offices, data centers, or cloud locations. They establish secure tunnels (DTLS/IPsec) with other vEdge devices using the control-plane information provided by vSmart. They forward application traffic across the SD-WAN overlay based on policies pushed from vManage.
In summary, vBond handles initial authentication and secure onboarding, vSmart manages control-plane policies, vManage orchestrates configuration, and vEdge performs data forwarding, creating a secure, scalable SD-WAN network.
Question 146:
Which BGP attribute is used to influence path selection within the same AS?
A) Weight
B) LOCAL_PREF
C) AS_PATH
D) MED
Answer: B) LOCAL_PREF
Explanation:
LOCAL_PREF determines the preferred path for outbound traffic within an AS. Higher values are preferred. Weight is local to a router, MED is for external path selection, and AS_PATH helps avoid loops. In BGP (Border Gateway Protocol), route selection relies on multiple path attributes that help routers choose the best path for traffic. Among these attributes, LOCAL_PREF (Local Preference) plays a crucial role in determining the preferred path for outbound traffic within an autonomous system (AS). LOCAL_PREF is advertised to all internal BGP (iBGP) peers and is not propagated to external BGP (eBGP) peers. The route with the highest LOCAL_PREF value is preferred, making it an essential tool for network administrators to control which exit point traffic uses when leaving the AS. For example, if an organization has multiple connections to the internet, adjusting LOCAL_PREF ensures that certain traffic takes the desired exit path.
The Weight attribute is similar to LOCAL_PREF, but is local to the router and is not propagated to other routers. Weight is primarily used on Cisco routers to influence path selection on a single device. A higher weight value makes a route more preferred, allowing precise control over routing decisions on that router without affecting the rest of the network.
The AS_PATH attribute is a critical factor in BGP loop prevention. It lists all the autonomous systems that a route has traversed. Routes with a shorter AS_PATH are preferred. By examining the AS_PATH, BGP can detect potential routing loops, as a route containing its own AS number is rejected. AS_PATH also provides insight into the path a route has taken, which can influence routing policies.
Finally, MED (Multi-Exit Discriminator) is used to influence incoming traffic from neighboring autonomous systems. It signals the preferred path into the AS when multiple entry points exist. Unlike LOCAL_PREF, which affects outbound traffic, MED affects how other ASes send traffic toward your network. Lower MED values are preferred.
In summary, LOCAL_PREF controls outbound path preference, Weight is a local preference tool, AS_PATH prevents loops and influences path selection, and MED affects inbound traffic from external ASes, making these four attributes fundamental in BGP routing and policy management.
Question 147:
Which QoS mechanism drops excess traffic exceeding configured limits?
A) Shaping
B) Policing
C) LLQ
D) CBWFQ
Answer: B) Policing
Explanation:
Policing enforces a hard traffic limit by dropping or remarking packets exceeding a defined rate. Shaping buffers excess traffic instead of dropping it. In networking, traffic management ensures that bandwidth is used efficiently and that critical applications receive appropriate priority. Policing is a QoS mechanism that enforces a hard traffic limit on an interface. When traffic exceeds the configured rate, excess packets are either dropped or remarked. Policing is useful for enforcing service-level agreements (SLAs) or limiting certain types of traffic, but it can lead to packet loss if traffic bursts occur.
Shaping, in contrast, buffers excess traffic instead of dropping it. Traffic is delayed and sent at a steady rate that matches the configured bandwidth limit. This approach reduces packet loss and is ideal for TCP traffic, which can adjust to delays, but it introduces latency due to buffering.
Low Latency Queuing (LLQ) is a scheduling mechanism that combines priority queuing with class-based weighted fair queuing (CBWFQ). LLQ provides a priority queue for delay-sensitive traffic, such as voice, while other traffic is handled by CBWFQ. This ensures that high-priority traffic experiences minimal delay while still fairly distributing bandwidth among other traffic classes.
CBWFQ allows bandwidth to be allocated to different traffic classes based on policies. Each class receives a guaranteed portion of bandwidth, helping prevent congestion, but unlike LLQ, it does not provide strict priority for time-sensitive traffic.
In summary, policing enforces strict limits, shaping smooths traffic bursts, LLQ prioritizes critical traffic, and CBWFQ ensures fair bandwidth allocation for multiple traffic classes.
Question 148:
Which Cisco wireless protocol enables fast roaming between access points for voice and video clients?
A) WPA2
B) 802.11r
C) FlexConnect
D) 802.1X
Answer: B) 802.11r
Explanation:
802.11r (Fast Roaming) reduces authentication time by pre-establishing keys, enabling seamless handoff. FlexConnect is for branch AP deployments, WPA2 encrypts traffic, and 802.1X handles authentication. In wireless networking, ensuring secure and seamless connectivity is critical, especially in enterprise environments with mobile users. 802.11r, also known as Fast Roaming, is designed to reduce the time required for a client to roam between access points (APs). It achieves this by pre-establishing encryption keys so that when a device moves from one AP to another, the authentication process is largely bypassed, enabling near-instant handoff. This is essential for delay-sensitive applications such as VoIP or video conferencing.
FlexConnect is a Cisco-specific deployment mode for APs, typically used in branch offices. It allows APs to switch traffic locally at the branch while still maintaining centralized control through a controller. FlexConnect reduces dependency on the WAN for client traffic and can operate even if the connection to the central controller is lost.
WPA2 (Wi-Fi Protected Access 2) is a security protocol that provides strong encryption for wireless traffic using AES. It protects data confidentiality and integrity between the client and the AP, ensuring secure communications over Wi-Fi networks.
802.1X is a network access control protocol that handles authentication. It ensures that only authorized users or devices can access the network, typically using credentials, certificates, or other authentication methods.
In summary, 802.11r enables seamless roaming, FlexConnect optimizes branch deployments, WPA2 secures traffic, and 802.1X authenticates users, each playing a unique role in modern enterprise Wi-Fi networks.
Question 149:
Which TrustSec component enforces role-based access control without relying on IP addresses?
A) VLANs
B) Security Group Tags (SGTs)
C) ACLs
D) Port-based authentication
Answer: B) Security Group Tags (SGTs)
Explanation:
SGTs enable dynamic segmentation and policy enforcement based on user or device roles, independent of IP addresses. VLANs and ACLs are static, and port-based authentication controls access per interface. In modern networks, segmentation and access control are critical for enforcing security policies and reducing attack surfaces. Security Group Tags (SGTs) provide a flexible and dynamic way to segment the network. SGTs assign a tag to a user, device, or endpoint based on its role or security group, allowing policies to be applied independent of IP addresses or physical location. This enables consistent policy enforcement even as devices move across the network, supporting dynamic segmentation in large enterprise environments.
VLANs (Virtual Local Area Networks) provide traditional segmentation by grouping devices logically within the same broadcast domain. While effective for separating traffic, VLANs are static, tied to switch ports or subnets, and do not adapt to user or device roles.
ACLs (Access Control Lists) are used to filter traffic based on IP addresses, protocols, or ports. ACLs enforce policies statically and require manual updates as network conditions or user roles change, making them less flexible than SGT-based segmentation.
Port-based authentication, such as 802.1X, controls network access per interface. Devices or users must authenticate before gaining access, but once authenticated, the policy applied is tied to the port rather than the role or security group.
In summary, SGTs enable dynamic, role-based segmentation, VLANs and ACLs are static, and port-based authentication enforces access per interface, making SGTs the most flexible method for modern, scalable policy enforcement.
Question 150:
Which MPLS router forwards packets based solely on the top label without inspecting IP headers?
A) CE
B) PE
C) P
D) LER
Answer: C) P
Explanation:
P routers forward MPLS-labeled packets based on the top label only. Edge routers (LER/PE) push or pop labels at network boundaries, while CE routers connect to customer networks. In an MPLS (Multiprotocol Label Switching) network, routers have specific roles that determine how they handle labeled traffic. One of these roles is the P router (Provider router). P routers are core routers in the MPLS backbone responsible for forwarding MPLS-labeled packets based solely on the top label. They do not directly interface with customer networks, nor do they assign or remove labels themselves—they simply switch traffic across the MPLS network. P routers are optimized for high-speed transit, maintaining the backbone’s efficiency and scalability by focusing only on label switching.
PE (Provider Edge) routers are edge devices that sit at the boundary of the MPLS network. PE routers perform the push and pop operations on MPLS labels. When traffic enters the MPLS network from a customer, the PE router assigns a label (push). Similarly, when traffic leaves the MPLS network toward a customer, the PE router removes the label (pop). PE routers are also responsible for exchanging routing information with customer edge devices (CE routers) and often maintain VPN information for MPLS-based services.
CE (Customer Edge) routers reside at the customer side of the network. They connect directly to the provider’s edge routers (PE) and do not participate in MPLS labeling. CE routers are unaware of MPLS labels and rely on standard routing protocols (such as BGP, OSPF, or static routes) to communicate with the provider network.
LER (Label Edge Router) is a term sometimes used to describe routers that perform label push or pop operations at the edge of an MPLS network. In practice, LER functionality is implemented by PE routers, which distinguishes them from core P routers.
In summary, P routers handle high-speed label switching in the MPLS core, PE/LER routers push and pop labels at network boundaries, and CE routers interface with customer networks. Understanding these roles is crucial for designing and troubleshooting MPLS networks effectively, ensuring proper label distribution, forwarding, and end-to-end connectivity.
Question 151:
Which command shows all BGP routes received from a specific neighbor?
A) show ip bgp
B) show ip bgp summary
C) show ip bgp neighbors <neighbor> routes
D) show ip route bgp
Answer: C) show ip bgp neighbors <neighbor> routes
Explanation:
This command displays routes learned from a specific neighbor, including attributes like AS_PATH, next-hop, and MED. The summary shows the session state, and show ip route bgp shows installed routes only. In BGP (Border Gateway Protocol), verifying route information and neighbor relationships is critical for network stability and troubleshooting. One of the most detailed commands is show ip bgp neighbors <neighbor> routes. This command displays the routes that have been learned from a specific BGP neighbor, including essential path attributes such as AS_PATH, next-hop, local preference, MED (Multi-Exit Discriminator), and origin type. By examining this output, network engineers can confirm whether specific routes are being received correctly from a neighbor, understand the path a route has traversed, and troubleshoot routing policy issues such as route filtering, redistribution, or path preference problems.
The show ip bgp command provides a broader view of all BGP routes known to the router, including the status of each route (whether it is valid, best, or suppressed). It displays key attributes for all entries, helping network engineers see the complete routing table for BGP and compare paths when multiple options exist.
The show ip bgp summary command focuses on the BGP session state and statistics rather than individual routes. It lists all BGP neighbors, their AS numbers, session uptime, the number of prefixes received, and whether the session is in the established state. This command is particularly useful for quickly verifying neighbor connectivity and ensuring that BGP sessions are operational.
Finally, show ip route bgp displays only the BGP routes that have been installed in the routing table. This helps differentiate between routes that have been learned via BGP and those actually used for forwarding traffic. Routes not installed in the routing table might be filtered, less preferred, or fail other route selection criteria.
In summary, show ip bgp neighbors <neighbor> routes provides detailed per-neighbor route information, show ip bgp shows all known BGP routes, show ip bgp summary checks neighbor session health, and show ip route bgp displays installed BGP routes. Together, these commands give a comprehensive view of BGP operation and troubleshooting.
Question 152:
Which OSPF LSA type is used to advertise external routes redistributed into OSPF?
A) Type 1
B) Type 2
C) Type 3
D) Type 5
Answer: D) Type 5
Explanation:
Type 5 LSAs are generated by ASBRs to advertise external routes from other protocols into OSPF. Type 3 LSAs summarize intra-area routes between areas. In OSPF (Open Shortest Path First), Link-State Advertisements (LSAs) are used to share routing information between routers, enabling all routers to build a complete network topology. Type 1 LSAs, also called Router LSAs, are generated by every router within an OSPF area. They describe the router’s links, their states, and associated costs. These LSAs remain within the originating area and are not propagated to other areas.
Type 2 LSAs, or Network LSAs, are generated by Designated Routers (DRs) on multi-access networks such as Ethernet. Type 2 LSAs describe all routers attached to the network and their link costs, helping routers within the same area understand the local network topology.
Type 3 LSAs are Summary LSAs generated by Area Border Routers (ABRs). They summarize routes from one area to another, allowing OSPF to reduce the amount of routing information exchanged between areas. Type 3 LSAs carry intra-area network information, enabling routers in different areas to reach remote networks without flooding full details.
Type 5 LSAs are generated by Autonomous System Boundary Routers (ASBRs) to advertise external routes learned from other routing protocols, such as BGP or RIP, into the OSPF domain. Type 5 LSAs allow OSPF routers to reach destinations outside the autonomous system.
In summary, Type 1 and Type 2 LSAs describe internal area topology, Type 3 LSAs summarize routes between areas, and Type 5 LSAs advertise external routes, providing hierarchical and scalable routing in OSPF networks.
Question 153:
Which SD-WAN component manages the control plane and distributes routing and policy information to vEdge routers?
A) vManage
B) vSmart
C) vBond
D) vEdge
Answer: B) vSmart
Explanation:
vSmart controllers manage the control plane, distributing routing updates, policies, and encryption keys. vManage provides GUI management, vBond handles onboarding, and vEdge handles the data plane. In Cisco SD-WAN, vSmart controllers manage the control plane, distributing routing updates, security policies, and encryption keys to all edge devices, ensuring consistent and secure communication across the network. vManage provides a centralized GUI for configuration, monitoring, and policy management, allowing administrators to orchestrate the network easily. vBond handles device onboarding and initial authentication, ensuring new devices can join the overlay securely. vEdge routers operate on the data plane, forwarding application traffic across the SD-WAN overlay according to policies provided by vSmart and vManage. Together, these components create a secure, scalable SD-WAN network.
Question 154:
Which QoS mechanism buffers traffic to smooth bursts and match a configured output rate?
A) Policing
B) Shaping
C) LLQ
D) CBWFQ
Answer: B) Shaping
Explanation:
Shaping buffers excess traffic to smooth bursts and control output rates. Policing drops excess traffic, LLQ prioritizes delay-sensitive traffic, and CBWFQ allocates bandwidth per class. In networking, shaping smooths traffic bursts by buffering excess packets, sending them at a controlled rate to prevent congestion. In contrast, policing enforces a strict traffic limit by dropping or remarking packets that exceed the configured rate, which can lead to packet loss. Low Latency Queuing (LLQ) combines priority queuing with class-based queuing, ensuring delay-sensitive traffic, such as voice or video, is forwarded first. Class-Based Weighted Fair Queuing (CBWFQ) allocates guaranteed bandwidth to each traffic class, providing fair distribution while preventing one class from monopolizing the link. These mechanisms work together to manage network performance effectively.
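As an added example for this question and for Question 147 (not part of the exam page), the following Python runs the same single-rate token bucket over one constructed burst of packets, once as a policer (excess is dropped) and once as a shaper (excess waits in a FIFO queue), so the trade-off between packet loss and added delay can be seen directly. Rate, burst size and packet arrivals are constructed values.

```python
# Added example (not from the exam page): one token bucket applied two ways,
# as a policer (drop on exceed) and as a shaper (queue until tokens refill).
# Rate, burst and the packet list below are constructed values.


def police(packets, rate_bps, burst_bytes):
    """Policer: each packet either conforms and leaves at its arrival time or
    exceeds and is dropped. Returns a list of (arrival, 'conform'|'exceed')."""
    tokens = float(burst_bytes)
    last = packets[0][0] if packets else 0.0      # time of the last refill
    out = []
    for t, size in packets:
        tokens = min(burst_bytes, tokens + (t - last) * rate_bps / 8)
        last = t
        if size <= tokens:
            tokens -= size
            out.append((t, "conform"))
        else:
            out.append((t, "exceed"))             # tokens are not consumed
    return out


def shape(packets, rate_bps, burst_bytes):
    """Shaper: a packet that finds too few tokens waits until the bucket has
    refilled enough, so nothing is dropped but delay is added. The queue is
    FIFO, so no packet leaves before the one ahead of it.
    Returns a list of (arrival, send_time)."""
    tokens = float(burst_bytes)
    last = packets[0][0] if packets else 0.0      # time of the last refill
    clock = last                                  # earliest possible next send
    out = []
    for t, size in packets:
        if size > burst_bytes:
            raise ValueError("a packet larger than the burst can never conform")
        clock = max(clock, t)
        tokens = min(burst_bytes, tokens + (clock - last) * rate_bps / 8)
        last = clock
        if size > tokens:
            wait = (size - tokens) * 8 / rate_bps  # seconds until enough tokens
            clock += wait
            tokens = min(burst_bytes, tokens + wait * rate_bps / 8)
            last = clock
        tokens -= size
        out.append((t, clock))
    return out


def compare(packets, rate_bps, burst_bytes):
    """Summarise both behaviours for the same input."""
    policed = police(packets, rate_bps, burst_bytes)
    shaped = shape(packets, rate_bps, burst_bytes)
    return {
        "policer_dropped": sum(1 for _, action in policed if action == "exceed"),
        "shaper_dropped": 0,  # this shaper has an unbounded queue; real ones tail-drop
        "shaper_max_delay": max((sent - t for t, sent in shaped), default=0.0),
    }


# Constructed input: 8 kbit/s (1000 bytes/s) with a 1500-byte burst, three
# 1000-byte packets arriving 100 ms apart and a small packet much later.
RATE_BPS = 8000
BURST_BYTES = 1500
PACKETS = [(0.0, 1000), (0.1, 1000), (0.2, 1000), (2.0, 500)]

if __name__ == "__main__":
    print("policer:", police(PACKETS, RATE_BPS, BURST_BYTES))
    print("shaper: ", shape(PACKETS, RATE_BPS, BURST_BYTES))
    print(compare(PACKETS, RATE_BPS, BURST_BYTES))
```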
Question 155:
Which command shows all OSPF routes installed in the routing table?
A) show ip ospf database
B) show ip route ospf
C) show ip protocols
D) show running-config
Answer: B) show ip route ospf
Explanation:
The show ip route ospf command filters the routing table to display only OSPF-learned routes, including intra-area, inter-area, and external routes. The OSPF database shows LSAs, not installed routes. In OSPF, verifying routing information and network topology requires using different commands, each serving a specific purpose. The show ip route ospf command filters the routing table to display only routes learned via OSPF, including intra-area, inter-area, and external routes. This allows network engineers to quickly identify which OSPF routes are actively used for forwarding traffic and to verify correct route installation in the routing table.
In contrast, show ip ospf database displays the link-state database (LSDB), which contains all the Link-State Advertisements (LSAs) received from OSPF neighbors. This provides detailed topology information, showing all routers, networks, and summary routes in the area, but it does not indicate which routes are installed in the routing table. It is primarily used for troubleshooting OSPF convergence and ensuring that all expected LSAs are present.
The show ip protocols command provides information about the OSPF process itself, including configured networks, timers, router ID, and neighbors. It is useful for confirming protocol-level configuration and understanding how the OSPF process is operating on the router.
Finally, show running-config displays the router’s current configuration, including OSPF network statements, area assignments, and other interface settings. While not specific to routes, it helps verify the configuration matches design requirements.
In summary, show ip route ospf shows installed routes, show ip ospf database shows LSAs, show ip protocols details OSPF settings, and show running-config provides the overall configuration context.
Question 156:
Which BGP attribute is used to prevent routing loops across autonomous systems?
A) Weight
B) LOCAL_PREF
C) AS_PATH
D) MED
Answer: C) AS_PATH
Explanation:
AS_PATH lists all autonomous systems a route has traversed. If the local AS appears in the path, the route is rejected to prevent loops. In BGP, several attributes determine how routes are selected and propagated. The AS_PATH attribute is a critical component used for loop prevention and path selection. AS_PATH records the sequence of autonomous systems (ASes) that a route has traversed. When a BGP router receives a route advertisement, it examines the AS_PATH; if the router detects its own AS number in the path, the route is rejected, preventing routing loops within the network. Additionally, routes with shorter AS_PATHs are generally preferred, as they indicate a shorter path to the destination.
LOCAL_PREF (Local Preference) is used to influence the selection of outbound routes within the same AS. A higher LOCAL_PREF value makes a route more preferred, allowing network administrators to control which exit point traffic uses when leaving the AS.
Weight is a Cisco-specific attribute that is local to the router. Routes with higher weight are preferred over lower-weight routes, but this value is not shared with other routers, making it useful for controlling path selection on a single device.
MED (Multi-Exit Discriminator) influences incoming traffic from neighboring ASes. Routes with lower MED values are preferred by external neighbors when multiple entry points exist, helping guide traffic into the AS efficiently.
In summary, AS_PATH prevents loops, LOCAL_PREF and Weight control outbound route preference, and MED influences inbound traffic, together enabling flexible and loop-free BGP routing.
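The loop check and shortest-AS_PATH preference described above, simulated as an added Python example (not Cisco code; the ASNs, prefixes and next hops are constructed). A router rejects any update whose AS_PATH already contains its own ASN, picks the shortest remaining path, and prepends its ASN before re-advertising:

```python
# Added example (not from the original page): BGP AS_PATH loop check and
# shortest-AS_PATH preference. ASNs, prefixes and next hops are constructed.
from dataclasses import dataclass

@dataclass
class BgpRoute:
    prefix: str
    as_path: list  # sequence of ASNs, nearest AS first
    next_hop: str

LOCAL_AS = 65010  # constructed local ASN

def accept_update(route, local_as=LOCAL_AS):
    """Return False when local_as already appears in AS_PATH (loop detected)."""
    return local_as not in route.as_path

def prepend_own_as(route, local_as=LOCAL_AS):
    """eBGP advertisement: prepend our ASN so downstream routers can detect loops."""
    return BgpRoute(route.prefix, [local_as] + route.as_path, route.next_hop)

def best_by_as_path(routes):
    """Among accepted routes for one prefix, prefer the shortest AS_PATH."""
    accepted = [r for r in routes if accept_update(r)]
    if not accepted:
        return None
    return min(accepted, key=lambda r: len(r.as_path))

# Constructed sample updates received for the same prefix
UPDATES = [
    BgpRoute("203.0.113.0/24", [65020, 65030, 65040], "192.0.2.1"),
    BgpRoute("203.0.113.0/24", [65050, 65040], "192.0.2.2"),
    BgpRoute("203.0.113.0/24", [65060, 65010, 65040], "192.0.2.3"),  # our AS inside: loop
]

if __name__ == "__main__":
    for r in UPDATES:
        print(r.next_hop, "accepted" if accept_update(r) else "REJECTED (loop)")
    best = best_by_as_path(UPDATES)
    print("best:", best.next_hop, best.as_path)
    print("re-advertised AS_PATH:", prepend_own_as(best).as_path)
```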
Question 157:
Which SD-WAN policy dynamically selects paths based on SLA metrics such as jitter, latency, and packet loss?
A) Control policy
B) Data policy
C) Application-aware routing (AAR)
D) QoS trust policy
Answer: C) Application-aware routing (AAR)
Explanation:
AAR monitors SLA metrics in real time to select optimal paths for critical applications. Data policies enforce rules, control policies manage devices, and QoS trust policies mark traffic. In Cisco SD-WAN, policies play a crucial role in controlling how traffic is managed, prioritized, and routed across the network. One advanced mechanism is Application-Aware Routing (AAR), which continuously monitors real-time SLA metrics, such as latency, jitter, and packet loss, for available paths. Based on these metrics, AAR dynamically selects the optimal path for critical applications, ensuring consistent performance and minimal disruption. For example, VoIP or video conferencing traffic can be steered away from congested WAN links, while less critical applications use lower-priority paths. This capability enables intelligent, SLA-driven routing, improving user experience and network efficiency.
Data policies define rules for handling data-plane traffic. They can include traffic classification, segmentation, and routing decisions. For instance, a data policy may route HR application traffic through a secure MPLS link while directing internet-bound web traffic over broadband, ensuring both security and performance compliance.
Control policies operate at the control plane level, governing the behavior of devices and overlays. Control policies manage how vEdge routers connect, exchange routing information, and apply security rules. They are essential for orchestrating network-wide routing behavior and enforcing consistent operational standards across all SD-WAN devices.
QoS trust policies are used to mark traffic based on type or priority, enabling QoS mechanisms to differentiate and prioritize flows appropriately. For example, voice traffic may be marked with a high-priority DSCP value to ensure minimal latency, while bulk data transfers receive a lower priority.
In summary, AAR optimizes application performance based on SLA metrics, data policies enforce traffic-handling rules, control policies govern device and overlay behavior, and QoS trust policies mark traffic for priority handling. Together, these policies provide comprehensive control over traffic routing, performance, and network security in Cisco SD-WAN deployments.
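The SLA-driven selection described above, as an added Python example (not Cisco SD-WAN code). The SLA class thresholds, path names and probe measurements are constructed; the example also shows the fallback when no path meets the SLA, so traffic still has somewhere to go:

```python
# Added example (constructed, not Cisco SD-WAN code): SLA-class based path
# selection in the spirit of Application-Aware Routing.
from dataclasses import dataclass

@dataclass(frozen=True)
class SlaClass:
    name: str
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float

@dataclass
class PathStats:
    name: str        # transport, e.g. "mpls" or "biz-internet"
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    preferred: bool = False  # admin-preferred transport while it meets the SLA

def meets_sla(path, sla):
    return (path.latency_ms <= sla.max_latency_ms
            and path.jitter_ms <= sla.max_jitter_ms
            and path.loss_pct <= sla.max_loss_pct)

def select_path(paths, sla):
    """Path to use for traffic in this SLA class.
    1. Prefer an admin-preferred path that meets the SLA.
    2. Otherwise any compliant path, lowest latency first.
    3. If none comply, fall back to the path with the least loss."""
    compliant = [p for p in paths if meets_sla(p, sla)]
    if compliant:
        preferred = [p for p in compliant if p.preferred]
        pool = preferred or compliant
        return min(pool, key=lambda p: p.latency_ms)
    return min(paths, key=lambda p: (p.loss_pct, p.latency_ms))

VOICE = SlaClass("voice", max_latency_ms=150, max_jitter_ms=30, max_loss_pct=1.0)
BULK = SlaClass("bulk", max_latency_ms=400, max_jitter_ms=100, max_loss_pct=5.0)
# Constructed probe measurements for one polling interval
PATHS = [
    PathStats("mpls", latency_ms=40, jitter_ms=5, loss_pct=0.2, preferred=True),
    PathStats("biz-internet", latency_ms=30, jitter_ms=8, loss_pct=0.5),
    PathStats("lte", latency_ms=120, jitter_ms=45, loss_pct=2.0),
]

if __name__ == "__main__":
    print("voice ->", select_path(PATHS, VOICE).name)
    # Simulate MPLS degrading: voice moves off it, bulk traffic can stay
    degraded = [PathStats("mpls", 200, 60, 3.0, preferred=True)] + PATHS[1:]
    print("voice (mpls degraded) ->", select_path(degraded, VOICE).name)
    print("bulk (mpls degraded) ->", select_path(degraded, BULK).name)
```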
Question 158:
Which command verifies the spanning-tree root bridge and port roles on a switch?
A) show spanning-tree
B) show vlan brief
C) show interfaces trunk
D) show running-config
Answer: A) show spanning-tree
Explanation:
The show spanning-tree command displays the root bridge ID, port roles (root/designated/blocking), and VLAN mapping, helping troubleshoot loops or STP issues. In Ethernet networks, Spanning Tree Protocol (STP) prevents loops by dynamically blocking redundant paths while maintaining network connectivity. The show spanning-tree command is essential for troubleshooting STP. It displays the root bridge ID, port roles (root, designated, or blocking), and the VLAN mapping for each interface. This allows network engineers to verify that STP has converged correctly, identify the root bridge, and detect misconfigured or blocked ports that may cause traffic disruptions. It is particularly useful for diagnosing loops, topology changes, or unexpected blocking behavior.
The show vlan brief command lists all VLANs configured on a switch, their status, and associated ports. This helps ensure that VLANs are properly defined and active, which is critical because STP operates within VLANs and relies on correct VLAN configurations to prevent loops. The show interfaces trunk command provides information about trunked ports, including allowed VLANs and operational status. Since STP behavior depends on VLANs traversing trunk links, this command helps verify that trunks are carrying the correct VLANs and that STP applies appropriately across the network.
Finally, show running-config displays the active configuration on the switch, allowing verification of STP settings such as priority, PortFast, and BPDU Guard. Reviewing the running configuration ensures that STP is configured according to best practices.
In summary, show spanning-tree is key for STP monitoring, while VLAN, trunk, and running-config commands provide context and verification for proper loop prevention and network stability.
Question 159:
Which MPLS router type pushes labels onto packets entering the network based on FEC?
A) CE
B) PE
C) P
D) LER
Answer: D) LER
Explanation:
Label Edge Routers (LERs) classify packets into Forwarding Equivalence Classes (FECs) and push labels for MPLS forwarding. P routers forward based on labels without inspecting the payload. In an MPLS (Multiprotocol Label Switching) network, routers perform specific functions depending on their role. Label Edge Routers (LERs), also called Provider Edge (PE) routers, sit at the boundary of the MPLS network. LERs are responsible for classifying incoming packets into Forwarding Equivalence Classes (FECs) and pushing MPLS labels onto the packets before entering the MPLS core. On the egress side, LERs pop labels and forward packets to their final destination, allowing seamless integration between MPLS and non-MPLS networks.
P routers operate in the core of the MPLS network. Unlike LERs, they do not classify packets or assign labels. Instead, P routers forward packets based solely on the top MPLS label, switching traffic quickly and efficiently through the backbone. This separation of responsibilities allows the core to focus on high-speed forwarding, while edge routers handle the more complex operations of classification and label management.
CE (Customer Edge) routers are located on the customer side and connect to PE/LER routers. CE devices are unaware of MPLS labels and rely on standard routing protocols such as BGP, OSPF, or static routes to communicate with the provider network.
In summary, LERs/PE routers manage FEC classification and label operations, P routers handle high-speed label switching, and CE routers interface with customer networks, forming a hierarchical and efficient MPLS architecture.
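The three roles described above, walked through in an added Python simulation (constructed, not vendor code). The ingress LER classifies the destination into a FEC by longest-prefix match and pushes a label, the P router swaps on the top label without looking at the IP payload, and the egress LER pops; the FEC table, LFIB, labels and addresses are constructed:

```python
# Added example (constructed, not vendor code): a tiny MPLS data plane showing
# the ingress LER (push), a core P router (swap) and the egress LER (pop).
import ipaddress

def classify_fec(dst_ip, fec_table):
    """Longest-prefix match: returns the FEC (prefix string) for dst_ip, or None."""
    addr = ipaddress.ip_address(dst_ip)
    matches = [p for p in fec_table if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda p: ipaddress.ip_network(p).prefixlen)
def ingress_ler(dst_ip, fec_table):
    """Push: returns (label_stack, next_hop), or None when no FEC matches (drop)."""
    fec = classify_fec(dst_ip, fec_table)
    if fec is None:
        return None
    label, next_hop = fec_table[fec]
    return [label], next_hop
def p_router(label_stack, lfib):
    """Swap on the top label only; the IP payload is never inspected."""
    top = label_stack[0]
    if top not in lfib:
        return None  # unknown label: drop
    out_label, next_hop = lfib[top]
    return [out_label] + label_stack[1:], next_hop
def egress_ler(label_stack):
    """Pop the top label; what remains (here nothing) goes to normal IP routing."""
    return label_stack[1:]

# Constructed tables: FEC -> (label, next_hop) at the ingress LER, and
# in_label -> (out_label, next_hop) on the core P router.
FEC_TABLE = {"10.1.0.0/16": (100, "P1"), "10.1.2.0/24": (200, "P1")}
P1_LFIB = {100: (300, "LER-B"), 200: (400, "LER-C")}

def forward(dst_ip):
    """Walk one packet ingress -> P1 -> egress; returns the label stack at each hop."""
    ing = ingress_ler(dst_ip, FEC_TABLE)
    if ing is None:
        return []
    stack, _ = ing
    swapped = p_router(stack, P1_LFIB)
    if swapped is None:
        return [stack]
    stack2, _ = swapped
    return [stack, stack2, egress_ler(stack2)]

if __name__ == "__main__":
    print(forward("10.1.2.7"))   # more specific /24 FEC wins
    print(forward("10.1.9.9"))   # falls back to the /16 FEC
    print(forward("192.0.2.1"))  # no FEC: dropped at ingress
```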
Question 160:
Which Cisco wireless feature allows role-based access without changing VLANs?
A) VLANs
B) Security Group Tags (SGTs)
C) ACLs
D) Port-based authentication
Answer: B) Security Group Tags (SGTs)
Explanation:
SGTs in Cisco TrustSec enforce policies dynamically based on user/device roles, independent of VLAN assignment. ACLs are static, VLANs require configuration, and port-based authentication controls access per port. In modern enterprise networks, segmentation and access control are critical components for enhancing security, improving manageability, and controlling traffic flows. Cisco TrustSec introduces Security Group Tags (SGTs) as a dynamic and flexible method for network segmentation. SGTs assign a tag to a user, device, or endpoint based on its role, security group, or policy context. These tags enable policies to be enforced dynamically, independent of the device’s IP address, physical location, or VLAN membership. This approach allows administrators to apply consistent access and security policies across the entire network. For example, an employee’s laptop could receive a different SGT than a guest device, ensuring that internal resources are accessible only to authorized users, while guests are restricted to the internet. SGT-based policies are propagated across the network using the Scalable Group Tag Exchange Protocol (SXP), which maintains role-based access control across switches and routers, providing a scalable solution for enterprise environments.
Traditional VLANs (Virtual Local Area Networks) provide segmentation by grouping devices into logical broadcast domains. While VLANs are effective at isolating traffic and preventing broadcast storms, they are static and require manual configuration on switches and trunk links. Each VLAN must be explicitly assigned to ports, and changes often require administrative intervention. VLANs cannot enforce policies based on user or device roles; they only segment traffic by network topology.
Access Control Lists (ACLs) are another method for controlling traffic by filtering packets based on IP addresses, protocols, or port numbers. ACLs can be applied on routers or switches to permit or deny specific traffic flows. However, ACLs are static, requiring updates whenever new users, devices, or applications are added to the network. Managing ACLs across large, dynamic environments can be complex and error-prone, as administrators must maintain consistent rules across multiple devices to avoid security gaps or misconfigurations.
Port-based authentication, typically implemented using 802.1X, controls network access on a per-port basis. Devices or users must authenticate before gaining access to the network. Once authenticated, the switch port can apply VLAN assignments or access policies. While this approach effectively prevents unauthorized devices from connecting, it is tied to the physical port rather than the user or device role. If a device moves to another port, policies may not follow, making it less flexible than SGT-based segmentation for dynamic environments.
In summary, SGTs enable dynamic, role-based segmentation and policy enforcement, making them ideal for modern enterprise networks with mobile users and diverse devices. VLANs provide static traffic isolation, ACLs enforce packet-based rules, and port-based authentication restricts access per interface. Among these methods, SGTs offer the most flexible, scalable, and consistent approach for securing large, dynamic networks while reducing administrative overhead. By separating policy from physical topology, SGTs enhance security posture and simplify network management in a way that traditional VLANs, ACLs, and port-based controls cannot.
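Role-based enforcement that ignores VLAN and IP, as an added Python example (constructed, not Cisco TrustSec code). The SGT values, policy matrix and endpoints are constructed; the same employee laptop keeps identical access after moving to a different VLAN and address, and a guest in that VLAN is still denied the HR server by default:

```python
# Added example (constructed, not Cisco TrustSec code): enforcing a role-based
# SGT policy matrix that is independent of a host's VLAN or IP address.
from dataclasses import dataclass

@dataclass(frozen=True)
class Endpoint:
    ip: str
    vlan: int
    sgt: int  # assigned at authentication time from the user/device role

# Constructed SGT numbers and matrix: (source_sgt, destination_sgt) -> allowed ports
EMPLOYEE, GUEST, HR_SERVER, INTERNET = 10, 20, 30, 2
POLICY = {
    (EMPLOYEE, HR_SERVER): {443},
    (EMPLOYEE, INTERNET): {80, 443},
    (GUEST, INTERNET): {80, 443},
    # no (GUEST, HR_SERVER) entry: default deny
}

def permitted(src, dst, dport, policy=POLICY):
    """Decision depends only on the two SGTs and the port, never on VLAN or IP."""
    return dport in policy.get((src.sgt, dst.sgt), set())

def sgt_for_role(role):
    """Map an authenticated role to a tag; unknown roles get the least-privileged tag."""
    return {"employee": EMPLOYEE, "guest": GUEST}.get(role, GUEST)

# Constructed endpoints: the same employee in two VLANs keeps the same access
laptop_office = Endpoint("10.10.1.5", vlan=10, sgt=sgt_for_role("employee"))
laptop_lobby = Endpoint("10.20.1.77", vlan=20, sgt=sgt_for_role("employee"))
guest_phone = Endpoint("10.20.1.78", vlan=20, sgt=sgt_for_role("guest"))
hr_app = Endpoint("10.50.0.10", vlan=50, sgt=HR_SERVER)
web = Endpoint("198.51.100.1", vlan=0, sgt=INTERNET)

if __name__ == "__main__":
    for src in (laptop_office, laptop_lobby, guest_phone):
        print(src.ip, "vlan", src.vlan, "-> HR:443",
              "permit" if permitted(src, hr_app, 443) else "deny")
```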