CISCO 300-410 Exam Questions 2025 | ENARSI Certification


Our 300-410 Exam Questions provide authentic, up-to-date content for the Cisco Implementing Enterprise Advanced Routing and Services (ENARSI) certification. Each question is reviewed by Cisco-certified experts and includes verified answers with clear explanations to strengthen your skills in advanced routing, VPN technologies, infrastructure services, and troubleshooting. With access to our exam simulator, you can practice under real exam conditions and confidently prepare to pass on your first attempt.

 

Exam Questions

Question 1

Refer to the exhibit. R6 should reach R1 via R5>R2>R1. Which action resolves the issue?
Options
A: Increase the cost to 61 between R2-R3-R1
B: Increase the cost to 61 between R2 and R3
C: Decrease the cost to 2 between R6-R5-R2
D: Decrease the cost to 41 between R2 and R1
Correct Answer:
Increase the cost to 61 between R2 and R3
Explanation
The problem requires forcing traffic from R6 to R1 to take the path R6->R5->R2->R1. We must analyze the OSPF cost calculations, particularly at router R2. From R2's perspective, there are two paths to R1:

1. The direct link R2 -> R1 has a cost of 50.

2. The indirect path R2 -> R3 -> R1 has a total cost of 10 (R2-R3) + 10 (R3-R1) = 20.

Because OSPF selects the path with the lowest cost, R2 will always forward traffic destined for R1 to R3. This makes the desired path R6->R5->R2->R1 impossible. To resolve this, the cost of the path through R3 must be made higher than the direct path's cost of 50. Increasing the cost of the R2-R3 link to 61 makes the indirect path's cost 61 + 10 = 71. R2 will then prefer the direct R2->R1 link (cost 50), resolving the issue.
Why Incorrect Options are Wrong

A. This option is ambiguous as "between R2-R3-R1" does not refer to a single, configurable link cost.

C. Decreasing costs on the R6-R5-R2 segment does not alter R2's routing decision to prefer R3 as the next hop to R1.

D. Decreasing the R2-R1 cost to 41 is insufficient, as R2 would still prefer the path through R3, which has a cost of 20.

References

1. Cisco Systems, IP Routing: OSPF Configuration Guide, "OSPF Cost" section. This document explains that OSPF uses cost as its metric and that the path with the lowest total cost is preferred. Modifying link costs is the standard method for influencing the path selection made by the Shortest Path First (SPF) algorithm.

2. Moy, J. RFC 2328: OSPF Version 2, Section 16, "Calculating the Shortest-Path Tree for an Area". This RFC details the Dijkstra algorithm used by OSPF. Each router independently calculates the shortest path to all destinations. The calculation at R2 shows the path via R3 is preferred (cost 20) over the direct path (cost 50), which must be changed to influence the route.

3. Kurose, J., & Ross, K. Computer Networking: A Top-Down Approach, Chapter 5, "The Network Layer: Control Plane". University-level textbooks on networking explain that link-state protocols like OSPF build a complete map of the topology. Each router then independently runs an algorithm like Dijkstra's to compute the shortest path from itself to all other nodes. This confirms the analysis must focus on R2's local decision.

Question 2

Which method provides failure detection in BFD?
Options
A: short duration, high overhead
B: short duration, low overhead
C: long duration, high overhead
D: long duration, low overhead
Correct Answer:
short duration, low overhead
Explanation
Bidirectional Forwarding Detection (BFD) is a network protocol specifically designed to provide rapid detection of failures in the forwarding path between two adjacent devices. Its primary characteristics are its speed and efficiency. BFD achieves fast failure detection, often in sub-second or millisecond timeframes, by using frequent, small control packets. This constitutes a "short duration" for detection. Furthermore, the protocol is intentionally lightweight to minimize the impact on CPU and network resources, making it a "low overhead" solution. This combination allows BFD to quickly notify routing protocols of a link failure, enabling faster network convergence than relying on the routing protocols' native keepalive mechanisms.
Why Incorrect Options are Wrong

A. short duration, high overhead: BFD is designed to be a lightweight protocol with minimal impact on system resources, making the "high overhead" description inaccurate.

C. long duration, high overhead: This is the opposite of BFD's design goals. BFD is engineered for speed (short duration) and efficiency (low overhead).

D. long duration, low overhead: While BFD is low overhead, its main purpose is rapid failure detection, not "long duration." Routing protocol hello timers are an example of longer-duration mechanisms.

References

1. Cisco Systems, Inc. (2023). IP Routing: BFD Configuration Guide, Cisco IOS XE Bengaluru 17.6.x. "BFD provides a low-overhead, short-duration method of detecting failures in the path between adjacent forwarding engines, including the interfaces, data links, and forwarding planes." (Chapter: BFD Overview, Section: Finding Information About BFD, Paragraph 2).

2. Katz, D., & Ward, D. (2010). RFC 5880: Bidirectional Forwarding Detection (BFD). The Internet Engineering Task Force (IETF). "This document describes a protocol that is intended to detect faults in the path between two forwarding engines... It can provide very low-latency failure detection... It is intended to be a lightweight protocol that can be run on a wide variety of systems and platforms." (Abstract and Section 1: Introduction, Paragraph 3).

3. Cisco Systems, Inc. (2023). Cisco SD-WAN BFD and Tunnels Overview. "BFD is a low-overhead, short-duration protocol that detects failures in the path between adjacent routers." (Section: Bidirectional Forwarding Detection, Paragraph 1).

Question 3

Refer to the exhibit. An engineer is trying to add an encrypted user password that should not be visible in the router configuration. Which two configuration commands resolve the issue? (Choose two)
Options
A: password encryption aes
B: username Admin password Cisco@maedeh motamedi
C: username Admin password 5 Cisco@maedeh motamedi
D: username Admin secret Cisco@maedeh motamedi
E: no service password-encryption
F: service password-encryption
Correct Answer:
username Admin secret Cisco@maedeh motamedi, service password-encryption
Explanation
The username Admin secret command is the preferred method for creating a user account because it stores the password using a strong, non-reversible hashing algorithm (e.g., MD5 or SHA-256), which is displayed as a Type 5, 8, or 9 hash in the configuration. This directly addresses the requirement to add an encrypted user password. The service password-encryption command is a global configuration command that enables a weak, reversible encryption (Type 7) for all current and future plaintext passwords (Type 0) in the configuration, such as those for console/VTY lines or passwords set with the password keyword. Enabling this service resolves the broader issue of any password being visible in clear text.
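The storage types named in this explanation can be checked mechanically. The following is an added example, not part of the original page or of any Cisco tooling: a Python audit that classifies credential lines in an IOS-style configuration as plaintext (Type 0), reversible (Type 7) or hashed (Types 5, 8, 9). The sample configuration is constructed, and the parser assumes only the common `username`, `enable` and line-level `password` forms.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    line_no: int
    subject: str   # "username <name>", "enable", or the enclosing section header
    keyword: str   # "password" or "secret"
    type_: str     # type digit; "0" when the line carries none
    storage: str


# keyword, optional "level N", optional one-digit type, then the credential itself.
# The lookahead stops a one-character password such as "password 5" from being
# read as a type digit with nothing after it. The credential is never captured.
TAIL = r"(?P<kw>password|secret)(?:\s+level\s+\d+)?(?:\s+(?P<type>\d)(?=\s+\S))?\s+\S"
USERNAME_RE = re.compile(r"^username\s+(?P<user>\S+)\s+(?:privilege\s+\d+\s+)?" + TAIL)
ENABLE_RE = re.compile(r"^enable\s+" + TAIL)
# Indented lines only, so the global "password encryption aes" command is not
# mistaken for a credential.
LINE_RE = re.compile(r"^\s+" + TAIL)

BY_TYPE = {"0": "plaintext", "7": "reversible", "5": "hashed", "8": "hashed", "9": "hashed"}


def classify(keyword, type_):
    # Plaintext entered after "secret" is hashed by the device when the command is accepted.
    if keyword == "secret" and type_ == "0":
        return "hashed-on-entry"
    return BY_TYPE.get(type_, "unknown")


def audit(config_text):
    """Return (service_password_encryption_enabled, [Finding, ...])."""
    findings, service_encryption, section = [], False, ""
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        if line.strip() == "service password-encryption":
            service_encryption = True
            continue
        if line.strip() == "no service password-encryption":
            service_encryption = False
            continue
        if not line[0].isspace():
            section = line          # remember the enclosing block, e.g. "line vty 0 4"
        m = USERNAME_RE.match(line)
        subject = "username " + m["user"] if m else ""
        if not m:
            m = ENABLE_RE.match(line)
            subject = "enable"
        if not m:
            m = LINE_RE.match(line)
            subject = section
        if not m:
            continue
        type_ = m["type"] or "0"
        findings.append(Finding(no, subject, m["kw"], type_, classify(m["kw"], type_)))
    return service_encryption, findings


def weak(findings):
    """Findings stored as plaintext or with the reversible Type 7 encoding."""
    return [f for f in findings if f.storage in ("plaintext", "reversible")]


# Constructed sample configuration (all credential strings are placeholders).
SAMPLE = """\
no service password-encryption
!
enable secret 9 $9$EXAMPLEONLY
username Admin secret 5 $1$EXAMPLEONLY
username backup privilege 15 password 7 0000EXAMPLE
username legacy password Plaintext1
!
line con 0
 password 7 0000EXAMPLE
line vty 0 4
 password cisco
 login local
"""

if __name__ == "__main__":
    enabled, found = audit(SAMPLE)
    print("service password-encryption:", "on" if enabled else "off")
    for f in weak(found):
        print(f"line {f.line_no}: {f.subject} uses {f.keyword} type {f.type_} ({f.storage})")
```
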
Why Incorrect Options are Wrong

A. password encryption aes

This command is used to configure a master encryption key for features like VPNs, not for hashing local user passwords.

B. username Admin password Cisco@maedeh motamedi

This command configures a plaintext (Type 0) password, which is the exact problem the engineer is trying to resolve.

C. username Admin password 5 Cisco@maedeh motamedi

The 5 keyword indicates the string that follows is already an MD5 hash, not the plaintext password to be hashed.

E. no service password-encryption

This command disables the password encryption service, ensuring passwords remain in plaintext, which is the opposite of the desired outcome.

---

References

1. Cisco IOS Security Configuration Guide, Release 15M&T, "Securing User Services":

On username secret: "The secret keyword specifies that the password that follows is encrypted... We recommend using the secret option because the password option is not secure." (Found in the "Configuring Local AAA" section).

On service password-encryption: "The service password-encryption command prevents unauthorized users from seeing passwords in the configuration file." (Found in the "Encrypting Passwords" section).

2. Cisco IOS Security Command Reference, "username":

This document details the syntax username {password | secret} . It explains that secret stores the password in an encrypted format, while password stores it in clear text unless service password-encryption is enabled, in which case it uses a less secure, proprietary encryption.

3. Cisco IOS Security Command Reference, "service password-encryption":

This reference states, "To encrypt passwords, use the service password-encryption command in global configuration mode. To disable password encryption, use the no form of this command." This confirms its role in obscuring plaintext passwords.

Question 4

Refer to the exhibit. Which action restores OSPF adjacency between R1 and R2?
Options
A: Change the IP MTU of R1 Fa1/0 to 1300
B: Change the IP MTU of R2 Fa0/0 to 1300
C: Change the IP MTU of R1 Fa1/0 to 1500
D: Change the IP MTU of R2 Fa0/0 to 1500
Correct Answer:
Change the IP MTU of R2 Fa0/0 to 1500
Explanation
The output from R2 shows that it has identified R1 (1.1.1.1) as the Designated Router (DR), which means Hello packets have been successfully exchanged. However, the Neighbor Count is 0, indicating that the adjacency has failed to progress to the FULL state and has subsequently timed out. A common reason for OSPF adjacency to get stuck in the EXSTART/EXCHANGE state and fail is an interface Maximum Transmission Unit (MTU) mismatch. OSPF requires matching MTUs on neighboring interfaces to exchange Database Description (DBD) packets. If R1 is using the standard FastEthernet MTU of 1500 and R2 has a lower MTU, R2 will drop the larger DBD packets from R1, preventing the adjacency from forming. The most logical solution is to correct the MTU on R2 to match the standard of 1500 bytes.
Why Incorrect Options are Wrong

A. Change the IP MTU of R1 Fa1/0 to 1300: This assumes R2 has an MTU of 1300. It is better practice to correct a misconfigured device to the standard value rather than lowering the correctly configured one.

B. Change the IP MTU of R2 Fa0/0 to 1300: This would only resolve the issue if R1's MTU was also 1300, which is a non-standard and less likely configuration for a FastEthernet interface.

C. Change the IP MTU of R1 Fa1/0 to 1500: This implies R1 is the misconfigured router. Since the provided output is from R2, it is more probable that the misconfiguration is on the local device (R2).

References

1. Cisco Systems, IP Routing: OSPF Configuration Guide, "OSPF Neighbor States." In the "Exstart State" section, the documentation explains that neighbors form a master/slave relationship to exchange DBD packets. It explicitly states, "If there is a mismatch in the MTU, the routers will get stuck in this state." This confirms that an MTU mismatch is a direct cause of adjacency failure after the initial Hello exchange.

2. Moy, J. (1998). RFC 2328: OSPF Version 2. Internet Engineering Task Force (IETF). Section 10.6, "Receiving Database Description Packets," p. 103. This official standard specifies the protocol behavior: "If the Interface MTU field in the Database Description packet indicates a larger MTU than the router can accept on the receiving interface, the Database Description packet is rejected." This rejection prevents the adjacency from progressing. DOI: 10.17487/RFC2328.

3. Cisco Systems, Internetworking Troubleshooting Guide, "Troubleshooting OSPF." In the section "OSPF is Stuck in EXSTART/EXCHANGE State," it details that an MTU mismatch is a primary cause. It notes that OSPF packets have the Don't Fragment (DF) bit set, so if a packet is larger than the receiving interface's MTU, it is dropped, stalling the adjacency process.

Question 5

Refer to the exhibit. R1 is configured with IP SLA to check the availability of the server behind R6 but it kept failing. Which configuration resolves the issue?
Options
A: R1(config)# ip sla 700
   R1(config-track)# delay down 30 up 20
B: R1(config)# ip sla 700
   R1(config-track)# delay down 20 up 30
C: R1(config)# track 700 ip sla 700
   R1(config-track)# delay down 30 up 20
D: R1(config)# track 700 ip sla 700
   R1(config-track)# delay down 20 up 30
Correct Answer:
R1(config)# track 700 ip sla 700
R1(config-track)# delay down 30 up 20
Explanation
The exhibit indicates that Track 700, which monitors IP SLA 700, is in a Down state due to a Timeout. The question states the IP SLA "kept failing," which can imply a flapping condition where the state changes rapidly between up and down. The delay command within the track configuration is specifically designed to dampen these state changes. It adds a timer, preventing the track state from changing immediately after the IP SLA operation state changes. Option C provides the correct syntax: track 700 ip sla 700 to define the tracked object, followed by the delay down 30 up 20 command in track configuration mode to set the dampening timers. This configuration makes the tracking process wait 30 seconds before declaring the state as down and 20 seconds before declaring it up, thus stabilizing the tracked object's state.
Why Incorrect Options are Wrong

A. The delay command is configured under track configuration mode (config-track), not IP SLA configuration mode. The syntax ip sla 700 followed by a track command is incorrect.

B. Similar to option A, the delay command is not a valid subcommand for an IP SLA operation. The command syntax is incorrect.

D. While this option is syntactically correct, the specific timer values (down 20 up 30) represent a different dampening policy than option C. Given the scenario, option C is the intended correct configuration.

References

1. Cisco IOS IP Application Services Command Reference - track delay: "To configure a delay for a tracked object before it advertises a state change, use the delay command in tracking configuration mode. ... Using the delay command can be used to dampen the effect of a tracked object flapping." This source confirms the purpose of the delay command is for dampening flapping states.

2. Cisco IOS IP Application Services Command Reference - track ip sla: "To track the state of a Cisco IOS IP Service Level Agreements (SLAs) operation, use the track ip sla command in global configuration mode." This source confirms the syntax track ip sla state is correct for associating a track object with an IP SLA operation.

3. IP SLAs Configuration Guide, Cisco IOS XE - "Tracking with IP SLAs" section: This guide details the relationship between IP SLA operations and the tracking mechanism. It explains that tracking allows other features (like static routing) to react to the state of an IP SLA operation and that dampening features like delay can be applied to the track object.

Question 6

Refer to the exhibit. A loop occurs between R1, R2, and R3 while EIGRP is run with poison reverse enabled. Which action prevents the loop between R1, R2, and R3?
Options
A: Configure route tagging
B: Enable split horizon
C: Configure R2 as stub receive-only
D: Configure route filtering
Correct Answer:
Enable split horizon
Explanation
The exhibit displays a classic triangular topology where distance-vector routing protocols are susceptible to loops. EIGRP's primary loop-prevention mechanism in such scenarios is split horizon. This rule prevents a router from advertising a route back out of the same interface through which it was learned. A loop occurring implies that this fundamental mechanism has been disabled on one or more interfaces. Poison reverse is a more assertive form of split horizon; if split horizon is disabled, poison reverse is also rendered ineffective. Therefore, enabling split horizon is the direct and correct action to resolve the routing loop.
Why Incorrect Options are Wrong

A. Configure route tagging: Route tagging is used for route-map policies and redistribution control, not for preventing fundamental intra-AS routing loops.

C. Configure R2 as stub receive-only: While making R2 a stub router would stop it from advertising routes and thus break the loop, it is not the fundamental solution to the underlying protocol issue.

D. Configure route filtering: Route filtering with a distribute-list can manually block the looped route but only addresses the symptom, not the root cause of the loop.

---

References

1. Cisco Systems, IP Routing: EIGRP Configuration Guide, "How to Configure EIGRP": In the section "EIGRP Split Horizon," the documentation states, "Split horizon controls the sending of EIGRP update and query packets. When split horizon is enabled on an interface, these packets are not sent for destinations for which this interface is the next hop... By default, split horizon is enabled on all interfaces." This confirms that enabling split horizon is the standard mechanism to prevent this type of loop.

2. Cisco Press, "CCNP and CCIE Enterprise Core ENCOR 350-401 Official Cert Guide": Chapter 7, "EIGRP," in the section "EIGRP Path-Calculation and Loop Prevention," explains that split horizon is a key loop-prevention technique. It details that "The simple split-horizon rule says that if a router learns a route through an interface, it will not advertise that same route out that same interface." The text clarifies that disabling this feature can lead to routing loops.

3. RFC 7868: Cisco's Enhanced Interior Gateway Routing Protocol (EIGRP): Section 3.4, "Split Horizon," defines the rule: "A routing update is never sent back out the interface on which it was received. This is a fundamental loop-prevention mechanism." This RFC standardizes the behavior, confirming its role in loop prevention.

Question 7

A customer reports that traffic is not passing on an EIGRP-enabled multipoint interface on a router configured as below:

interface Serial0/0
 no ip address
interface Serial0/0/0.9 multipoint
 ip address 10.1.1.1 255.255.255.248
 ip split-horizon eigrp 1

Which action resolves the issue?
Options
A: Enable poison reverse
B: Enable split horizon
C: Disable poison reverse
D: Disable split horizon
Correct Answer:
Disable split horizon
Explanation
The configuration shows that split horizon is explicitly enabled (ip split-horizon eigrp 1) on a multipoint subinterface. In a hub-and-spoke Non-Broadcast Multi-Access (NBMA) topology, the split horizon rule prevents the hub router from advertising a route learned from one spoke back out the same multipoint interface to other spokes. This effectively breaks communication between the spokes. To resolve this and allow the hub to relay routing updates between all connected spokes, split horizon must be disabled on the hub's multipoint interface.
Why Incorrect Options are Wrong

A. Enable poison reverse: Poison reverse is a stricter form of split horizon and would prevent, not enable, the advertisement of routes between spokes.

B. Enable split horizon: Split horizon is already enabled and is the cause of the issue; this action would not change the problematic state.

C. Disable poison reverse: The configuration does not show poison reverse being enabled, so disabling it would have no effect on the problem.

References

1. Cisco Systems, Inc., IP Routing: EIGRP Configuration Guide, Cisco IOS XE Release 3S, "How to Configure EIGRP" section, "Disabling and Enabling EIGRP Split Horizon" subsection. The document states, "Split horizon is disabled by default for multipoint subinterfaces using Frame Relay encapsulation. If you have a hub-and-spoke network, you may need to disable split horizon on the hub to allow routes to be advertised back to the spokes." This directly supports disabling split horizon as the solution.

2. Cisco Systems, Inc., Cisco IOS IP Routing: EIGRP Command Reference, "ip split-horizon eigrp" command documentation. It notes: "Split horizon is enabled by default on all interfaces except for Frame Relay and SMDS multipoint subinterfaces (it is disabled by default on these interfaces)." The question's configuration explicitly enables it, which is contrary to the required setting for a functional hub-and-spoke topology.

3. Teare, D., et al. (2015). Implementing Cisco IP Routing (ROUTE) Foundation Learning Guide: (CCNP ROUTE 300-101). Cisco Press. Chapter 4, "Implementing EIGRP for IPv4," section "EIGRP in an NBMA Topology." The text explains, "On a multipoint subinterface, split horizon is disabled by default. This is the desired behavior in a hub-and-spoke topology, so that the hub can advertise the routes learned from one spoke to the other spokes."

Question 8

A newly installed spoke router is configured for DMVPN with the ip mtu 1400 command. Which configuration allows the spoke to use fragmentation with the maximum negotiated TCP MTU over GRE?
Options
A: ip tcp adjust-mss 1360
   crypto ipsec fragmentation after-encryption
B: ip tcp adjust-mtu 1360
   crypto ipsec fragmentation after-encryption
C: ip tcp adjust-mss 1360
   crypto ipsec fragmentation mtu-discovery
D: ip tcp adjust-mtu 1360
   crypto ipsec fragmentation mtu-discovery
Correct Answer:
ip tcp adjust-mss 1360
crypto ipsec fragmentation after-encryption
Explanation
To ensure optimal performance over a DMVPN tunnel with an MTU of 1400 bytes, two primary issues must be addressed: TCP session negotiation and IPsec fragmentation.

1. TCP MSS Adjustment: The ip mtu 1400 command on the tunnel interface limits the size of the IP packet to 1400 bytes before encapsulation. To prevent TCP traffic from being fragmented, the Maximum Segment Size (MSS) must be set to the MTU minus the standard IP and TCP header sizes (1400 - 20 bytes IP - 20 bytes TCP = 1360 bytes). The ip tcp adjust-mss 1360 command intercepts TCP SYN packets and rewrites the MSS value to 1360, ensuring TCP segments are appropriately sized.

2. IPsec Fragmentation: The crypto ipsec fragmentation after-encryption command instructs the router to first perform IPsec encryption on the entire original packet and then fragment the resulting (larger) encrypted packet if it exceeds the MTU of the outbound physical interface. This is the recommended method as it is more efficient and preserves packet header information for features like QoS prior to encryption.
Why Incorrect Options are Wrong

B. The command ip tcp adjust-mtu is not a valid Cisco IOS command for this purpose. The correct command to modify the TCP Maximum Segment Size is ip tcp adjust-mss.

C. The command crypto ipsec fragmentation mtu-discovery is not a valid Cisco IOS command. Path MTU Discovery (PMTUD) is typically managed using the df-bit setting, not this syntax.

D. This option contains two invalid commands for this scenario: ip tcp adjust-mtu and crypto ipsec fragmentation mtu-discovery.

References

1. Cisco Systems, "DMVPN Configuration Guide" (Cisco IOS XE Gibraltar 16.12.x). In the section "Resolve IP Fragmentation and MTU-Size Issues," the guide explicitly recommends this configuration: "The recommended values are ip mtu 1400 and ip tcp adjust-mss 1360 on the tunnel interface... IPsec post-fragmentation (fragmentation after encryption) is the recommended method. To configure IPsec post-fragmentation, use the crypto ipsec fragmentation after-encryption command in global configuration mode."

2. Cisco Systems, "IPsec Command Reference" (Cisco IOS XE). The documentation for the crypto ipsec fragmentation command states that after-encryption is the default and preferred behavior. It specifies that this command "enables IPsec packet fragmentation after encryption."

3. Cisco Systems, "IP Addressing Services Command Reference" (Cisco IOS XE). The documentation for the ip tcp adjust-mss command confirms its function: "To adjust the maximum segment size (MSS) for TCP connections, use the ip tcp adjust-mss command in interface configuration mode." It is used to prevent fragmentation by reducing the TCP segment size.

Question 9

What are the two goals of micro BFD sessions? (Choose two.)
Options
A: The high bandwidth member link of a link aggregation group must run BFD
B: Run the BFD session with 3x3 ms hello timer
C: Continuity for each member link of a link aggregation group must be verified
D: Any member link on a link aggregation group must run BFD
E: Each member link of a link aggregation group must run BFD.
Correct Answer:
Continuity for each member link of a link aggregation group must be verified, Each member link of a link aggregation group must run BFD.
Explanation
Micro BFD, also known as BFD over Link Aggregation Group (LAG) member links, is designed to overcome the limitations of running a single BFD session over an entire LAG interface. The primary goal is to provide rapid failure detection and verify data plane continuity for each individual member link within the bundle. This is achieved by establishing a separate and independent BFD session on every physical member link. If a micro BFD session detects a failure on a specific link, that link is immediately removed from the LAG's forwarding table, preventing traffic from being black-holed, while the remaining healthy links continue to forward traffic.
Why Incorrect Options are Wrong

A. Micro BFD is not selective; its purpose is to monitor all member links, irrespective of their bandwidth, to ensure complete bundle integrity.

B. While aggressive timers are a feature of BFD, a specific value like "3x3 ms" is a configuration detail, not a fundamental goal of the protocol.

D. Monitoring just "any" member link is insufficient; the goal is to monitor all links comprehensively to prevent any single point of failure within the bundle.

References

1. Cisco Systems, Inc., IP Routing: BFD Configuration Guide, Cisco IOS XE Cupertino 17.9.x, "BFD over Link Aggregation Group (LAG) Interfaces" section. The guide states, "The BFD over LAG feature allows BFD sessions to monitor individual member links in a LAG. This is also known as micro BFD... A separate BFD session is created for each member link". This supports that each link must run BFD (E) to monitor individual links (C).

2. Cisco Systems, Inc., Cisco Nexus 9000 Series NX-OS Unicast Routing Configuration Guide, Release 10.3(x), "Configuring BFD" chapter, "BFD for Link Aggregation (LAG)" section. This document specifies, "BFD for LAG provides fast failure detection on a per-member link basis. A separate BFD session runs on each member of a port channel." This directly validates verifying continuity for each link (C) and running BFD on each member (E).

Question 10

An engineer configured a router with this configuration:

ip access-list DENY_TELNET
 10 deny tcp any any eq 23 log-input

The router console starts receiving this log message:

%SEC-6-IPACCESSLOGP: list DENY_TELNET denied tcp 192.168.1.10(1022)(FastEthernet1/0 D508.89gb.003f) ->192.168.2.20(23), 1 packet

Which action stops messages on the console while still denying Telnet?
Options
A: Configure a 20 permit ip any any command
B: Remove the log-input keyword from the access list.
C: Replace log-input keyword with the log keyword in the access list.
D: Configure a 20 permit ip any any log-input command.
Correct Answer:
Remove the log-input keyword from the access list.
Explanation
The log-input keyword appended to an Access Control Entry (ACE) instructs the router to generate a log message for any packet that matches the entry. The log message includes Layer 2 information, such as the input interface and source MAC address, which is visible in the provided log output. The goal is to stop these log messages while continuing to deny Telnet traffic. Removing the log-input keyword from the ACE (10 deny tcp any any eq 23) achieves this by eliminating the logging instruction. The ACE will still match and deny Telnet (TCP port 23) traffic as intended, but without generating console messages.
Why Incorrect Options are Wrong

A. This adds a new entry to permit all other traffic but does not alter the logging behavior of the first entry, which is the source of the messages.

C. Replacing log-input with log would still generate log messages for denied Telnet packets, although the messages would contain less detail (no L2 info).

D. This adds a new entry with logging enabled. It does not stop the logging caused by the existing deny entry on line 10.

References

1. Cisco IOS IP Application Services Configuration Guide, Release 15M&T, "Configuring IP Access Lists" section, "IP Access List Entry Logging" subsection.

This document states, "To generate logging messages for packets that are permitted or denied by an access list, use the log or log-input keyword when you configure the access-list command." It further explains that log-input adds the input interface and source MAC address to the log. This confirms that removing the keyword is the correct action to stop the logging it enables.

2. Cisco IOS Security Command Reference, "access-list (IP extended)" command.

In the command syntax description, the log and log-input arguments are detailed as optional keywords that enable logging for matching packets. The documentation implicitly supports that the absence of these keywords means no logging will occur for that specific ACE.
