Cisco CCNP ENARSI (300-410) Practice Exam
Validates advanced routing services — Layer 3 technologies, VPN, infrastructure security, and services.
Practice 299 exam-style Cisco CCNP ENARSI (300-410) questions with full answer explanations, then take timed mock exams that score like the real thing.
What the Cisco CCNP ENARSI (300-410) exam covers
- Layer 3 Technologies: 94 questions
- VPN Technologies: 56 questions
- Infrastructure Security: 74 questions
- Infrastructure Services: 75 questions
Free Cisco CCNP ENARSI (300-410) sample questions
A sample of 10 questions with answers and explanations. Sign up free to practice all 299.
- An OSPF router only installs 4 equal-cost paths although 6 exist. Which command increases the number of equal-cost routes installed?
  - A. passive-interface default
  - B. variance 2 under the OSPF process
  - C. maximum-paths under the OSPF process (Correct)
  - D. ip ospf cost 1 on the interface
  ✓ Correct answer: C. maximum-paths under the OSPF process. The maximum-paths command in OSPF controls the maximum number of equal-cost paths that can be installed in the routing table for load balancing. By default, OSPF installs up to 4 paths; increasing this value allows up to 16 paths to be used simultaneously. This is the direct mechanism to support more than 4 equal-cost OSPF routes.
  Why the other options are wrong:
  - A (passive-interface default) is incorrect because it disables OSPF on interfaces, which prevents route computation entirely rather than increasing the number of load-balancing paths.
  - B (variance 2 under OSPF) is incorrect because variance is an EIGRP feature for unequal-cost load balancing, not an OSPF command.
  - D (ip ospf cost 1 on interface) is incorrect because manipulating interface costs affects path selection but does not increase the limit on how many equal-cost paths are installed.
- eBGP-learned routes advertised into iBGP are invalid because the external next hop is unreachable by iBGP peers. Which configuration most directly fixes this?
  - A. neighbor next-hop-self on the iBGP session of the border router (Correct)
  - B. neighbor soft-reconfiguration inbound
  - C. Lowering the administrative distance of iBGP
  - D. bgp always-compare-med
  ✓ Correct answer: A. When an eBGP-learned route is advertised into iBGP, the next-hop attribute reflects the external neighbor's IP address. If that external IP is not reachable from the iBGP peers' perspective, the route is invalid (next hop unreachable). The next-hop-self command on the iBGP peer relationship of the border router overwrites the next-hop to be the border router's own IP address, making the route reachable and usable to iBGP peers.
  Why the other options are wrong:
  - B (soft-reconfiguration inbound) is incorrect because it only re-applies inbound policies; it does not change the next-hop attribute.
  - C (Lowering administrative distance of iBGP) is incorrect because AD only affects route preference when multiple routing protocols provide the same route; it does not fix an unreachable next-hop.
  - D (bgp always-compare-med) is incorrect because it only changes the order in which BGP attributes are compared for path selection, not the reachability of the next-hop.
- When applying CoPP, what is a common gotcha that can lock you out of management access?
  - A. CoPP automatically disables all interfaces
  - B. An overly aggressive policy can rate-limit or drop SSH/SNMP management traffic to the control plane (Correct)
  - C. CoPP requires BGP to function
  - D. CoPP reassigns IP addresses via DHCP
  ✓ Correct answer: B. Control Plane Policing (CoPP) protects the router's control plane by rate-limiting or dropping specific traffic types. If a CoPP policy is too aggressive, it can inadvertently limit management protocols like SSH (port 22) or SNMP (port 161) to the router's management interface. This creates a self-inflicted denial-of-service: the router successfully polices attacks, but it also polices the admin's legitimate management traffic, potentially locking the admin out. Careful testing and validation of CoPP policies in a lab environment before deployment is essential.
  Why the other options are wrong:
  - A is incorrect; CoPP does not automatically disable interfaces.
  - C is incorrect; CoPP functions independently; BGP is not required.
  - D is incorrect; CoPP does not reassign IP addresses; that is a DHCP function.
- Which command makes Cisco log messages include the date and time rather than just uptime?
  - A. service timestamps log datetime (Correct)
  - B. service sequence-numbers
  - C. logging facility local7
  - D. logging origin-id hostname
  ✓ Correct answer: A. By default, Cisco IOS logs show only uptime (system boot time), making it hard to determine when an event occurred. The 'service timestamps log datetime' command appends real date/time stamps to log messages. Adding 'msec' (service timestamps log datetime msec) includes milliseconds for finer granularity, and 'service timestamps log datetime localtime' uses the device's configured timezone rather than UTC.
  Why the other options are wrong:
  - B (service sequence-numbers) adds message sequence numbers, not timestamps.
  - C (logging facility local7) sets the syslog facility code, not the timestamp format.
  - D (logging origin-id) adds the originating device ID, not the timestamp.
- Which TWO security features are provided by the SNMPv3 authPriv security level? (Choose TWO)
  - A. Automatic IP address assignment
  - B. Authentication of the message sender (Correct)
  - C. Route summarization
  - D. Encryption (privacy) of the message payload (Correct)
  ✓ Correct answer: B, D. SNMPv3 authPriv (authentication and privacy) provides two security services. Authentication uses HMAC to verify the message sender and ensure the message was not tampered with. Privacy (encryption) encrypts the payload using algorithms like AES-128 or DES, protecting confidentiality. Together, they provide strong security comparable to modern cryptographic standards.
  Why the other options are wrong:
  - A (Automatic IP assignment) is a DHCP function, not SNMP.
  - C (Route summarization) is a routing function, not SNMP security.
- During redistribution troubleshooting, which TWO commands help confirm the source protocol and origin of an installed route? (Choose TWO)
  - A. show flash
  - B. show ip protocols (shows configured redistribution and metrics) (Correct)
  - C. show ip route <prefix> (shows the code/source, AD, and metric) (Correct)
  - D. show clock detail
  ✓ Correct answer: B, C. 'show ip protocols' displays configured routing protocols, including redistribution commands and configured metrics. 'show ip route <prefix>' displays the installed route with the protocol code (C for connected, O for OSPF, D for EIGRP, S for static, etc.), AD, and metric. Together, they show the source and metric of a redistributed route.
  Why the other options are wrong:
  - A (show flash) is filesystem information.
  - D (show clock detail) is the system time.
- Which TWO commands help confirm that encrypted traffic is actually flowing through an IPsec tunnel? (Choose TWO)
  - A. show ip arp
  - B. show crypto session detail (Correct)
  - C. show vlan brief
  - D. show crypto ipsec sa (check encaps/decaps counters) (Correct)
  ✓ Correct answer: B, D. 'show crypto session detail' displays both IKE Phase 1 (ISAKMP SA) and Phase 2 (IPsec SA) session details with session ID, peer IP, and status. 'show crypto ipsec sa' displays IPsec SAs with encapsulation counter (packets encrypted) and decapsulation counter (packets decrypted). If both counters increment, traffic is flowing through the tunnel.
  Why the other options are wrong:
  - A (show ip arp) is the ARP table.
  - C (show vlan brief) is VLAN configuration.
- An integration validates reachability and SLA before automatically failing over a route. Which IOS feature tracks a probe and conditions a static route on its state?
  - A. NTP broadcast
  - B. IP SLA with object tracking (Correct)
  - C. DHCP option 82
  - D. SNMP trap community
  ✓ Correct answer: B. IP SLA probes a path (via ICMP, UDP, TCP, etc.) and reports if it is reachable and meets SLA thresholds (latency, loss, jitter). Object tracking monitors the SLA status and can be applied to a static route, causing automatic failover if the probe fails.
  Why the other options are wrong:
  - A (NTP broadcast) is time distribution.
  - C (DHCP option 82) is relay agent info.
  - D (SNMP trap) is event notification.
- Edge routers are being targeted by spoofed-source traffic and high control-plane CPU. Which TWO mitigations directly help? (Choose TWO)
  - A. Increase the OSPF reference bandwidth
  - B. Enable DNS round-robin on the router
  - C. Configure CoPP to rate-limit traffic destined to the control plane (Correct)
  - D. Apply uRPF on edge interfaces to drop packets with unverifiable source addresses (Correct)
  ✓ Correct answer: C, D. CoPP (Control Plane Policing) rate-limits traffic destined to the router's control plane, protecting it from floods. uRPF (Unicast RPF) drops packets with unverifiable source addresses, preventing spoofed-source attacks. Both directly mitigate spoofing and control-plane attacks on edge routers.
  Why the other options are wrong:
  - A (OSPF reference bandwidth) is for link cost calculation.
  - B (DNS round-robin) is load balancing.
- Which mechanism limits the number of prefixes a BGP peer can send to protect against table-overflow attacks or misconfiguration?
  - A. neighbor next-hop-self
  - B. neighbor maximum-prefix (Correct)
  - C. neighbor send-community
  - D. neighbor soft-reconfiguration inbound
  ✓ Correct answer: B. The 'neighbor maximum-prefix <value>' command limits the number of prefixes a BGP peer can advertise. If a peer exceeds this limit (due to misconfiguration, prefix leakage, or attack), the session is reset. This protects the routing table from being overwhelmed.
  Why the other options are wrong:
  - A (next-hop-self) modifies the next-hop attribute.
  - C (send-community) propagates community tags.
  - D (soft-reconfiguration inbound) re-applies inbound filters.
Cisco CCNP ENARSI (300-410) practice exam FAQ
How many questions are in the Cisco CCNP ENARSI (300-410) practice exam on CertGrid?
CertGrid has 299 practice questions for Cisco CCNP ENARSI (300-410), covering 4 exam domains. The real Cisco CCNP ENARSI (300-410) exam has about 60 questions.
What is the passing score for Cisco CCNP ENARSI (300-410)?
The Cisco CCNP ENARSI (300-410) exam passing score is 825, and you have about 90 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.
Are these official Cisco CCNP ENARSI (300-410) exam questions?
No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of Cisco CCNP ENARSI (300-410), with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.
Can I practice Cisco CCNP ENARSI (300-410) for free?
Yes. You can start practicing Cisco CCNP ENARSI (300-410) for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.