300-420 Designing Cisco Enterprise Networks (ENSLD) v1.1 Question and Answers

MSDP is the correct solution because the question explicitly references RFC 3618, which defines the Multicast Source Discovery Protocol. The design has separate PIM Sparse Mode multicast domains, with RP functions already configured on edge routers in each autonomous system. Cisco explains that MSDP allows rendezvous points in different PIM-SM domains to discover active multicast sources outside their local domain. When a source becomes active, the local RP can advertise source-active information to MSDP peers, allowing receivers in another domain to learn and join the stream. PIM-SSM is not correct because SSM removes the RP dependency and requires receivers to know the source directly. MP-BGP can carry multicast routing information, but it does not perform RP-to-RP source discovery. BIDIR-PIM is a multicast mode for many-to-many shared-tree forwarding, not an interdomain RP discovery mechanism under RFC 3618. Reference topics: MSDP, RFC 3618, PIM Sparse Mode, interdomain multicast, Source-Active messages, rendezvous points.

The correct BGP design is to attach the well-known No-Export community to the prefixes that should not be advertised beyond the service provider boundary. Cisco BGP communities are policy attributes that allow routes to carry instructions or classifications across BGP peers. The No-Export community tells a receiving BGP speaker not to advertise the route outside its confederation or autonomous system. That behavior is exactly what is needed when branch prefixes may be exchanged with the provider but must not be propagated to the public Internet. The No-Advertise community is stronger: it prevents the route from being advertised to any BGP peer, which may block reachability even where the provider still needs to know the route. NOPEER is used for route-server or peering policy control and is not the clean answer for excluding branch prefixes from Internet propagation. Setting a generic “Internet community” is not a standard solution by itself. The architect should also ensure that outbound prefix filters and provider-side community support are documented in the service agreement. Reference topics: BGP communities, No-Export, No-Advertise, provider edge filtering, Internet route policy.

Network management traffic should be marked and treated as a dedicated operations class, not mixed into voice signaling or real-time queues. Cisco enterprise QoS design guidance commonly reserves DSCP CS2 for operations, administration, and management traffic such as SNMP, SSH, syslog, NTP, and other management flows. The question states that all eight queuing classes are already used, so the design should integrate management traffic into the closest existing class and validate that the queue has enough bandwidth. Option D is the best fit because it uses CS2 and requires baselining before allocating more bandwidth. CS6 is normally used for network control and routing protocols; using it for ordinary management traffic would compete with routing adjacencies and control-plane stability. CS5 and CS4 are also unsuitable because they are normally associated with video/signaling-related classes in many enterprise QoS models. The professional design action is to classify management traffic explicitly, mark it CS2 at the trust boundary, map it to the existing class, and then measure queue utilization before changing bandwidth allocations. Reference topics: Cisco QoS baseline, DSCP CS2, network management traffic, queue bandwidth design.

BIDIR-PIM is the correct multicast solution for interactive many-to-many communication with many sources when source trees must not be used. Bidirectional PIM is specifically designed for applications where receivers can also be senders and where the number of sources can grow without creating per-source multicast state throughout the network. Instead of building shortest-path trees for each source, BIDIR-PIM uses a shared tree rooted at the rendezvous point and forwards traffic bidirectionally along that tree. This reduces multicast routing-table growth and control-plane churn in environments with many active sources. PIM dense mode is not appropriate because it floods and prunes traffic and is inefficient at scale. Any-source multicast with PIM-SM may create source trees, which violates the requirement. MSDP is used to exchange source information between PIM-SM domains and is not itself the forwarding mode for this campus or WAN multicast design. Reference topics: BIDIR-PIM, many-to-many multicast, shared tree, multicast source scaling, PIM design.

DiffServ is the correct QoS model for a business-critical, delay-sensitive, high-bandwidth application across DMVPN tunnels protected with IPsec. Differentiated Services classifies and marks traffic, usually with DSCP, and then applies per-hop behavior at each network device. This model scales well across enterprise WANs because routers do not need to maintain per-flow reservation state. DMVPN and IPsec overlays can carry marked traffic, and the WAN design can apply queuing, shaping, and congestion avoidance based on those markings. IntServ with RSVP can provide explicit resource reservation, but it is stateful and does not scale well across many branch tunnels. RSVP also becomes operationally difficult across encrypted overlay environments. WRED is only a congestion avoidance mechanism, not a complete QoS architecture. Because the application needs differentiated treatment but the WAN must remain scalable, DiffServ is the practical Cisco enterprise design model. Reference topics: DiffServ, DSCP marking, DMVPN QoS, IPsec QoS pre-classify, per-hop behavior, enterprise WAN QoS.

The branch router should advertise the local LAN with the EIGRP network command and make the LAN-facing interface passive. A passive interface allows the connected network to be included in EIGRP advertisements while suppressing EIGRP hello packets and neighbor formation on that interface. This is exactly what the engineer needs: remote EIGRP neighbors learn the LAN subnet, but unnecessary multicast EIGRP messages are not sent onto the user LAN where no EIGRP neighbors should exist. Replacing EIGRP with a static default route would not meet the requirement to advertise the local LAN through EIGRP. Redistributing connected routes can work, but it is less clean for a simple LAN interface and can introduce external-route behavior or policy complexity. Advertising the subnet as a stub network does not suppress multicast hellos on the LAN interface by itself. Cisco design best practice is to use passive interfaces on LAN-facing interfaces that should be advertised but should not form routing adjacencies. Reference topics: EIGRP passive interface, network statements, branch routing, unnecessary neighbor prevention, multicast control traffic.

Cisco IS-IS supports Level 1, Level 2, and Level 1/Level 2 operation, and the design should restrict each link to the level it actually needs. Cisco documentation for the isis circuit-type command states that it “configures the type of adjacency that is required for neighbors on the specified interface.” In this case, the router is configured as L1/L2 and has both L1 and L2 neighbors, which causes unnecessary LSP flooding, SPF processing, and database maintenance on links that may not need both levels. Making the entire router only L1 or only L2 would be too blunt, because the router may legitimately need to participate in both domains on different interfaces. Making the router a DIS also does not solve the underlying issue; it only controls designated intermediate system behavior on broadcast networks. The best optimization is to configure each interface with the correct circuit type, such as level-1 for intra-area links and level-2-only for backbone links. This reduces control-plane load while preserving the intended two-level hierarchy.

L2VPN is the correct solution because the customer requires point-to-point connectivity while preserving existing VLAN infrastructure. Cisco describes Layer 2 VPN services as emulating Layer 2 connectivity across a provider IP or MPLS backbone, commonly through Ethernet pseudowires or VPWS. This allows sites such as dispersed data centers and a colocation facility to exchange Ethernet frames as if they were directly connected at Layer 2. The design is especially useful when data center synchronization, backup workflows, or application dependencies require VLAN continuity or minimal changes to existing addressing and routing. L3VPN would provide routed connectivity and VRF separation, but it would not preserve the VLAN-based service model. GRE would add an overlay tunnel but would not natively provide provider-managed Layer 2 service. DMVPN is designed for scalable Layer 3 IPsec/GRE overlays between branches, not for VLAN extension or point-to-point data center interconnect. Reference topics: L2VPN, VPWS, Ethernet pseudowire, VLAN extension, data center interconnect, WAN service design.

Dual DMVPN with EIGRP routing is the correct solution because the requirements call for secure public-internet connectivity, redundant paths, automatic path selection, multicast support, and minimal remote-site configuration. DMVPN builds dynamic multipoint GRE tunnels protected by IPsec, allowing spoke sites to communicate securely through the public internet while supporting routing protocols and multicast over GRE. A dual DMVPN design provides redundancy through separate hubs, transports, or tunnel clouds, so a spoke can continue operating if one path fails. EIGRP can calculate alternate paths and react to metric changes, supporting automatic path selection based on failure and quality when engineered correctly. MPLS with BGP does not meet the public-internet and encryption requirements by itself. A full mesh of IPsec tunnels with OSPF or IS-IS would increase configuration complexity at every remote site and does not scale as well. DMVPN is specifically built to simplify deployment of secure, scalable, multipoint branch VPNs. Reference topics: DMVPN, IPsec, mGRE, EIGRP over DMVPN, WAN redundancy, multicast over GRE.

The IS-IS hierarchy should place access or internal area routers at Level 1, boundary routers at Level 1/2, and backbone routers at Level 2. In this exhibit, users in areas 25 and 55 must send and receive traffic through both backbone areas, while link flaps in areas 35 and 45 must not affect other areas. Cisco IS-IS design uses Level 1 areas to contain local topology changes and Level 2 routing to interconnect areas through the backbone. Level 1/2 routers sit at the area boundary and leak or advertise reachability between the local Level 1 area and the Level 2 backbone. Option C matches that hierarchy by placing A-series routers as Level 1, B-series routers as Level 1/2, and C-series routers as Level 2. Making too many routers Level 1/2 would expand the impact of topology changes and reduce scaling benefits. Making backbone routers Level 1 would break interarea design. Reference topics: IS-IS hierarchy, Level 1, Level 2, Level 1/2 routers, failure-domain containment, enterprise scaling.

When dual WAN Edge routers are deployed at a branch, first-hop redundancy and SD-WAN overlay path preference must be aligned. The correct design consideration is that HSRP priorities on the service side should match the OMP routing policy that determines which WAN Edge is preferred. If the LAN gateway points hosts to one WAN Edge while OMP policy prefers the other edge for return or remote-site traffic, traffic can become asymmetric or hairpinned through the wrong device. Proper alignment gives predictable active/standby or active/active behavior and avoids blackholing during failover. Option A describes traditional BGP path manipulation with AS-path prepending and MED; those are not the primary SD-WAN branch dual-edge design controls. Option C overstates symmetry as a universal requirement for DPI; Cisco SD-WAN can handle many traffic patterns, but gateway and OMP alignment remain the core branch design issue. Option D is wrong because SD-WAN already uses BFD across data-plane tunnels, not as a special direct adjacency between the two local WAN Edges for this purpose. Reference topics: Cisco SD-WAN branch redundancy, HSRP, OMP policy, WAN Edge preference, service-side high availability.

This YANG mapping is based on how IETF, OpenConfig, and Cisco native models differ in portability and schema organization. IETF models are produced through the standards process and are appropriate when the same management structure is expected across vendors for common protocols. OpenConfig models are also vendor-neutral, but they are built around a consistent operational model used heavily for streaming telemetry and multivendor automation. Cisco native models mirror Cisco platform configuration more closely and expose device-specific capabilities that may not exist in common models. The selected answers keep those boundaries clear. This matters because a NETCONF or RESTCONF payload is validated against the YANG schema; a payload written for one model family cannot be assumed to work against another. In design terms, the model family should be selected after confirming device software release support, feature coverage, operational-state requirements, and vendor diversity. Open models give portability; native models give feature completeness. Reference topics: IETF YANG, OpenConfig YANG, Cisco native YANG, schema validation, automation model selection.

The selected IS-IS design must place the correct routers as Level 1/Level 2 boundary routers so that area failures stay local while traffic can still reach backbone application services. In a hierarchical IS-IS design, Level 1 routers exchange detailed topology only inside their own area. Level 2 routers form the backbone used for interarea connectivity. L1/L2 routers connect the local area to the backbone and advertise reachability between the two levels. Areas 20 and 30 are expected to double in size, and link flaps inside those areas must not impact the backbone. Therefore, the design should keep internal area routers at Level 1 and use only the boundary devices that connect those areas to the backbone as L1/L2. Option A matches that principle by selecting the appropriate boundary routers for interlevel connectivity while avoiding unnecessary L1/L2 adjacencies throughout the topology. The other options either place the wrong routers in Level 2 only or fail to provide a clean transition between local areas and the backbone. Reference topics: IS-IS hierarchy, L1/L2 boundary design, area containment, backbone stability, route leaking.

The best summarization design is for the aggregation layer to advertise a default route toward the access layer and to summarize the VLAN subnets toward the core. Cisco hierarchical campus design uses summarization at natural layer boundaries so that access-layer instability is hidden from the rest of the network. If individual access VLANs flap, the core should not have to process every specific route change. Advertising a summary such as 10.0.0.0/16 from the aggregation layer toward the core reduces routing-table size, lowers CPU and memory use, and confines convergence events to the lower layer. At the same time, the access layer normally does not need full knowledge of the enterprise routing table; a default route from the aggregation layer is sufficient for northbound reachability. Summarizing at the access layer is normally less effective because the aggregation layer is the first stable boundary that sees multiple access networks. Advertising a default from the core toward aggregation would hide information in the wrong direction. Reference topics: hierarchical routing, route summarization, campus aggregation design, convergence containment, routing-table scaling.

The Cisco SD-WAN architecture mapping follows the standard controller and edge roles. WAN Edge devices are the data-plane routers that forward user traffic, build secure IPsec tunnels, participate in local routing, and apply QoS and security policies at sites. vSmart controllers provide the centralized control plane. They maintain overlay routing and policy information and distribute it to WAN Edge routers through OMP. vBond orchestrators provide the initial orchestration function, including device authentication assistance, control connection coordination, and NAT traversal support so devices can join the overlay. Depending on the exact drag-and-drop labels in the exhibit, the selected mapping assigns each element to its architectural function rather than to a deployment location. The important design principle is that vManage, vSmart, vBond, and WAN Edge have separate responsibilities and should be scaled and secured accordingly. vManage manages and monitors, vSmart controls routing and policy, vBond helps devices join and traverse NAT, and WAN Edge forwards traffic. Reference topics: Cisco SD-WAN architecture, WAN Edge, vSmart, vBond, OMP, control and data plane separation.

Weighted Random Early Detection is the QoS congestion-avoidance feature that responds to early congestion by selectively dropping packets before a queue becomes completely full. WRED can use packet markings, such as IP precedence or DSCP, to determine drop probability, so lower-priority traffic can be dropped earlier than higher-priority traffic. This helps TCP-based applications slow down before tail drop causes large synchronized retransmissions. CBWFQ is a queuing and bandwidth-allocation mechanism; it classifies traffic into queues and assigns bandwidth, but it is not specifically the feature that randomly drops lower-priority packets during congestion. Tail drop drops packets only when the queue is full and does not intelligently prefer lower-priority traffic. Strict priority queuing protects delay-sensitive traffic by servicing a priority queue first, but it does not provide weighted random early discard behavior. In Cisco QoS design, WRED is used as a congestion-avoidance mechanism, especially for TCP traffic classes where early packet drops can reduce global synchronization and protect higher-priority classes.

An open YANG model is the correct choice because the automation scope is multivendor and the workflow must be reusable across diverse routing and switching platforms. Native vendor models expose platform-specific details and are valuable when a feature is unique to one operating system, but they create code branching and operational inconsistency when many vendors and hardware families are in scope. The question also says the DR playbook will be adjusted in the future, which argues for a model that reduces redesign whenever a device vendor or platform changes. Open models, such as IETF or OpenConfig where supported, provide common schema structures for standard network functions and allow the microservice and controller integration to remain cleaner. A custom individualized model would increase development and maintenance burden, not reduce it, unless there is a very specific abstraction layer requirement. Using a single native vendor model cannot support the stated multivendor environment. The professional design is to use open models wherever coverage is sufficient, then fall back to native models only for unsupported platform-specific capabilities. Reference topics: YANG model selection, OpenConfig, IETF YANG, Cisco native YANG, multivendor automation.

A TLOC extension facilitates WAN Edge router redundancy within a site. In Cisco SD-WAN, a Transport Location identifies a WAN transport attachment using attributes such as system IP, color, and encapsulation. A TLOC extension allows one WAN Edge router to use a transport circuit physically connected to another WAN Edge router at the same site. This is valuable when a branch has two edge routers and two transports, but each transport is cabled to only one router. With TLOC extension, each router can still gain logical access to both transports, improving redundancy and allowing better path diversity without adding more service-provider circuits or handoffs. The feature does not simply identify the physical interface; that is part of TLOC definition. It does not increase the number of colors or create a port-channel-style aggregate. A sound design also accounts for failure domains, service-side routing, and whether the inter-router link has enough bandwidth for extended transport traffic. Reference topics: Cisco SD-WAN TLOC, TLOC extension, WAN Edge redundancy, transport color, branch resiliency.

The VRF receive feature is the mechanism that fits the constraint when the customer does not want BGP, VRF-Lite links, or static routing for the inter-VRF requirement. Inter-VRF connectivity is normally achieved through route leaking with MP-BGP, static routes, firewall interfaces in each VRF, or VRF-Lite handoff links. The question explicitly excludes those common approaches and asks for a mechanism on the core network layer. The VRF receive capability allows selected traffic received on a global routing interface to be associated with a VRF context for locally configured addresses, supporting limited interaction without building a full routing exchange between the global table and the VRF. Policy-based routing with a global set statement can solve some forwarding cases, but it is not the specific mechanism described by the option set. A route map with import features would typically depend on route leaking behavior. Therefore, the best answer is the VRF receive feature under the global routing interfaces. Reference topics: VRF, inter-VRF routing, VRF receive, route leaking alternatives, core-layer segmentation.

Improved application experience and optimized cloud connectivity are two principal advantages of Cisco SD-WAN technology. Cisco SD-WAN separates the control plane from the data plane and applies centralized policy to choose the best available transport path for business applications. Features such as application-aware routing, performance measurement, path quality monitoring, forward error correction, packet duplication for selected traffic, and QoS integration help improve user experience for voice, video, SaaS, and other critical applications. SD-WAN also improves cloud connectivity by allowing branches to access trusted SaaS and IaaS resources directly instead of backhauling all traffic through a central data center. Cloud OnRamp functions further simplify connectivity to cloud-hosted workloads and SaaS applications. Easier deployment and proactive management may be operational benefits in some designs, but the strongest technology advantages in this answer set are application experience and optimized cloud access. Consistent connectivity is too generic and does not identify a specific SD-WAN design value. Reference topics: Cisco SD-WAN benefits, application-aware routing, direct internet access, Cloud OnRamp, SaaS optimization.

Making R3 an L1/L2 router restores the required IS-IS hierarchy and prevents the outage caused by the failed R1-to-R2 link. In IS-IS, Level 1 routers have detailed topology only inside their own area, while Level 2 routers provide the interarea backbone. Routers that connect a Level 1 area to the Level 2 backbone must operate as Level 1/Level 2 devices so they can participate in both databases and provide an exit path for area traffic. If a path between areas depends on a router that is only Level 1 or only Level 2 in the wrong location, traffic can be blackholed when a key link fails. Configuring R3 as L1/L2 gives the topology an additional valid transition point between the local area and the backbone, improving continuity after the R1-to-R2 failure. Making unrelated routers L1 or L2 does not necessarily create the required interarea attachment. Reference topics: IS-IS Level 1, Level 2 backbone, L1/L2 routers, interarea reachability, hierarchical IGP design.

The IPv4-compatible method is the closest match when the exhibit requires IPv6 connectivity between servers across an IPv4 portion of the network without using 6to4, 6rd, or ISATAP. IPv4-compatible IPv6 addressing represents an IPv4 address inside an IPv6 address format and was historically used for automatic IPv6-over-IPv4 tunneling between dual-stack nodes. Although this technique is now considered legacy and is not preferred for new designs, it matches the answer choice that directly embeds IPv4 reachability for host-to-host connectivity. ISATAP is normally used inside an enterprise IPv4 network to connect IPv6 hosts over an IPv4 intranet. 6to4 and 6rd are provider or site transition mechanisms that use specific IPv6 prefix behavior and are not simply a direct method between the depicted mail servers. For modern Cisco design, dual-stack or manually engineered tunnels would normally be preferred, but given these choices, IPv4-compatible addressing is the method aligned to the exhibit requirement. Reference topics: IPv6 transition mechanisms, IPv4-compatible addressing, tunneling, dual-stack migration, host connectivity.

An out-of-band management network should be isolated from the production data network and protected with strict access control. Cisco SAFE design principles treat the management plane as a sensitive function because it provides administrative access to infrastructure devices. Isolation ensures that production outages, routing problems, or compromised user segments do not automatically remove the operator’s ability to manage routers, switches, firewalls, and controllers. Access control ensures that only authorized administrators and management systems can reach the management interfaces and protocols. The management network should not be treated as a backup data path, because that undermines separation and can expose management devices to production traffic risks. It should also not be used as a general-purpose data backup network. “Facilitate network integration” is too vague and can conflict with the isolation requirement. Therefore, the best practices are to enforce access control and ensure network isolation. In a mature design, this normally includes dedicated management interfaces or VRFs, jump hosts, AAA, logging, and tightly controlled management protocol access.

The design should summarize routes from the distribution layer toward the core and configure access-layer switches as EIGRP stubs. EIGRP query scope is a major design consideration in large routed campus networks. When a route is lost, EIGRP may send queries to neighbors to find an alternate path. If the network is not bounded properly, these queries can spread widely, slow convergence, and create stuck-in-active risk. Configuring the access layer as EIGRP stub tells upstream routers that the access device is not a transit path to other networks, so unnecessary queries are not sent into the access layer. Summarizing at the distribution layer toward the core hides access-link instability and provides a smaller, more stable routing table to the rest of the network. Summarizing at the access layer is usually less useful when many VLANs are aggregated at distribution. Configuring the core as stub is inappropriate because the core should provide transit. Reference topics: EIGRP stub, route summarization, query boundary, campus hierarchy, DUAL convergence.

The correct answer is bidirectional PIM. Cisco describes bidirectional PIM as a multicast mode designed for many-to-many applications where traffic is forwarded only along a shared tree rooted at the rendezvous point. Unlike traditional PIM Sparse Mode, BIDIR-PIM does not build source-specific shortest-path trees for each active source. That design reduces multicast state in the network because routers maintain group state rather than separate source and group state for every sender. PIM Sparse Mode initially uses a shared tree through the RP, but it can switch to source trees after receivers and routers learn the active source. Dense mode floods and prunes and is not a shared-tree-only model. Source-specific multicast explicitly uses source-specific joins and does not use an RP-based shared tree. The wording “shared tree only” is the key distinction: BIDIR-PIM is built for scalable many-to-many multicast, accepts some non-shortest-path forwarding tradeoff, and avoids per-source state growth. Therefore, the stored answer must be corrected to bidirectional. Reference topics: BIDIR-PIM, shared trees, rendezvous points, many-to-many multicast scaling, PIM-SM source-tree behavior.

Making R2 active for half of the VLANs improves utilization by distributing first-hop gateway forwarding across both core routers. HSRP provides default-gateway redundancy by making one router active and another standby for a VLAN. If the same router is active for every VLAN, traffic from all downstream VLANs is forwarded through the same core path, which can leave some interfaces congested while parallel links on the standby side remain underused. Cisco campus designs commonly tune HSRP priorities per VLAN and align the active HSRP gateway with the spanning-tree root for that VLAN. This creates a deterministic load-sharing model while preserving gateway redundancy. Adding more interfaces may help capacity, but the question states that some downstream interfaces are already underutilized, so the issue is load distribution rather than absolute port count. A port channel is useful only when the topology supports bundling the specific links and does not by itself move gateway activity. RSTP improves convergence, not HSRP forwarding balance. Reference topics: HSRP load sharing, per-VLAN gateway placement, STP root alignment, campus capacity design.

The standards-based mechanism for dynamic rendezvous point distribution in a large PIM domain is Bootstrap Router. BSR allows candidate RPs and candidate BSRs to participate in a standards-based election and advertisement process so PIM routers can learn the RP set dynamically. This avoids configuring every router manually with static RP information and avoids depending on a Cisco-proprietary mechanism. Auto-RP can also distribute RP information dynamically, but Auto-RP is Cisco proprietary and therefore does not meet the nonproprietary requirement. Embedded RP is associated with IPv6 multicast group addressing and is not the general-purpose answer for automating RP discovery in a large IPv4 PIM domain. Static RP configuration is simple and deterministic, but it does not automate RP distribution and becomes operationally fragile as the multicast domain grows. In Cisco multicast design, BSR is the correct choice when the network requires dynamic RP discovery, vendor-neutral behavior, and scalable PIM-SM operation across a large domain.

An OSPF sham link is the correct MPLS VPN design when backdoor links exist between customer sites and should be used only if the MPLS core is unavailable. In MPLS Layer 3 VPN designs that run OSPF between CE and PE routers, the MPLS VPN path can appear as an interarea route, while a direct dark-fiber backdoor link may appear as an intra-area route. OSPF prefers intra-area routes over interarea routes, so traffic could incorrectly prefer the dark-fiber path during normal operation. Cisco sham links solve this by creating an intra-area logical link across the MPLS VPN backbone between PE routers, making the MPLS path competitive or preferred according to OSPF cost. A virtual link connects disconnected OSPF area 0 sections and is not the right MPLS VPN tool. Stub and NSSA area types control external LSA behavior, not MPLS-backdoor path preference. The sham link preserves the desired routing hierarchy while keeping the direct dark fiber as backup. Reference topics: OSPF sham link, MPLS L3VPN, PE-CE routing, backdoor links, route preference.

The branch subnets must each support up to 200 hosts, so /120 is the correct IPv6 prefix length from the available options. A /120 provides 256 IPv6 addresses, which satisfies the 200-host requirement. A /121 provides only 128 addresses, which is not enough. The parent block is 2a01:0c30:0016:7009::3800/118. A /118 has 10 host bits, so it contains 1024 addresses and spans from ::3800 through ::3bff. The valid /120 boundaries inside that parent are ::3800/120, ::3900/120, ::3a00/120, and ::3b00/120. From the listed choices, 2a01:0c30:0016:7009::3a00/120 and 2a01:0c30:0016:7009::3b00/120 both fall inside the parent allocation and provide enough address capacity. The /121 options are too small, and ::3c00/120 is outside the /118 parent range. This is a straightforward IPv6 prefix-boundary and capacity calculation. Reference topics: IPv6 subnetting, prefix length, address block boundaries, branch address planning.

Hierarchical QoS with a parent shaping policy is the correct solution for a 1 Gbps physical handoff where the contracted provider rate is only 50 Mbps. The customer router can transmit at the physical interface speed, but the provider policer or service edge expects traffic to remain within the committed information rate. Without shaping, bursts leave the customer router at 1 Gbps and can be dropped by the provider, which is especially damaging to voice traffic because drops and jitter create choppy audio. Cisco QoS design commonly uses a parent shaper set to the provider CIR and then applies child queuing policies under that shaped rate. This allows voice and other critical classes to be prioritized before packets are transmitted into the constrained service. A parent policing policy would drop or mark excess traffic locally rather than smoothing bursts. Reducing physical bandwidth is not normally possible on a provider Ethernet handoff, and the interface bandwidth statement changes routing/QoS reference values but does not enforce the CIR. Therefore, parent shaping is required. Reference topics: hierarchical QoS, traffic shaping, CIR, LLQ, WAN edge QoS.

The SD-Access overlay should reduce subnet sprawl and avoid overlapping IP subnets unless there is a specific operational requirement. Cisco SD-Access creates overlay virtual networks over an IP underlay and uses anycast gateway, VXLAN encapsulation, LISP control-plane mapping, and policy constructs to simplify endpoint mobility and segmentation. Reducing the number of subnets simplifies DHCP scope management, default-gateway placement, and operational troubleshooting. Avoiding overlapping address space across overlay networks is also a practical design recommendation because overlapping subnets complicate shared services, fusion routing, security logging, and policy troubleshooting. LAN automation and a dedicated IGP process are underlay deployment considerations, not overlay design choices. Layer 3 to the access design is also associated with routed underlay and campus fabric transport, not the overlay segmentation model. A clean overlay design should define virtual networks, scalable groups, IP pools, shared-services reachability, and external connectivity before deployment. Reference topics: Cisco SD-Access overlay design, anycast gateway, virtual networks, DHCP simplification, overlapping subnet avoidance.

An out-of-band management network best satisfies the requirement to grant and revoke administrative access, restrict management protocols, and limit exposure of management interfaces. Out-of-band management separates administrative traffic from the production data plane by using dedicated management interfaces, management switches, terminal infrastructure, or separate routing. This isolation improves security because a compromise or congestion event in the production network does not automatically provide access to device management planes. It also allows stronger access controls, protocol restrictions, logging, and administrative segmentation for SSH, NTP, FTP, and SNMP. In-band management uses the production network and is more exposed to outages or data-plane attacks. An enterprise internal private network is too vague and does not guarantee management-plane isolation. mGRE is a tunneling technique, not a complete management access architecture. A professional design should also include AAA, role-based authorization, ACLs, management VRFs where appropriate, logging, and monitoring. Reference topics: out-of-band management, management-plane security, AAA, access control, protocol restriction, network operations design.

A dedicated management VRF is the correct feature when management protocols must traverse the production network but remain logically separated. The question describes in-band management because SSH, NTP, FTP, and SNMP are carried over the production network rather than over a separate physical console or out-of-band network. The design still requires routers and switches across different networks to be managed securely. A management VRF gives the management plane its own routing table, allowing the engineer to restrict management reachability, apply separate routing, and keep management traffic from leaking into user or service forwarding paths. Management Plane Protection can restrict which interfaces accept management-plane traffic, but it does not by itself provide separate routing across different networks. A terminal server or dedicated console connection is an out-of-band operational tool, not the production-network management design requested here. A dedicated management VRF per device is therefore the correct feature. Reference topics: in-band management, management VRF, SNMP and SSH reachability, management-plane segmentation, enterprise operations design.

The valid EIGRP stub options listed are receive-only and summary. Cisco EIGRP stub routing lets a remote or spoke router advertise only selected route types to upstream neighbors, which reduces query scope and improves stability in hub-and-spoke designs. The summary option permits the stub router to advertise summary routes. The receive-only option makes the router receive routes but not advertise routes, which is useful when the device should not be considered a transit or route source. “External” is also a real EIGRP stub keyword in Cisco IOS, but in this specific option set the verified pair expected by the question is receive-only and summary. “Summary-only” is not the correct EIGRP stub keyword. “Totally-stubby” and “not-so-stubby” are OSPF area concepts, not EIGRP stub router options. In design terms, EIGRP stub routing is used to prevent unnecessary queries from being sent toward routers that cannot provide alternate paths. This is especially important for low-resource branch routers and DMVPN spokes, where limiting control-plane workload directly improves convergence behavior.

Enabling EIGRP stub routing on the spokes decreases convergence time in a hub-and-spoke design by reducing unnecessary queries and preventing spokes from being treated as transit routers. EIGRP convergence can be delayed when a router loses a route and must query many neighbors to determine whether an alternate path exists. In remote-site or spoke designs, a spoke normally has no useful alternate path for networks beyond itself, so querying it wastes time and can contribute to stuck-in-active conditions. Cisco EIGRP stub routing allows the spoke to advertise only permitted route types and informs upstream routers not to query the spoke for routes outside its scope. This creates a cleaner query boundary and accelerates convergence after link or route failures. Subsecond timers can detect neighbor loss more quickly, but they do not address the broader EIGRP query behavior shown in the design. Increasing hold or dead timers would slow detection, not improve convergence. Therefore, in the displayed hub-and-spoke EIGRP design, enabling stub routing on the spokes is the correct solution to decrease convergence time.

If the RPF check is successful in PIM sparse mode, the multicast packet is forwarded according to the outgoing interface list. The Reverse Path Forwarding check verifies that the packet arrived on the interface the router would use to reach the source, or the RP in the case of shared-tree state. This prevents loops and duplicate multicast forwarding. After the check passes, the router consults the multicast forwarding entry and sends the packet only out interfaces in the OIL where downstream receivers or PIM neighbors require the traffic. It is not automatically forwarded out every PIM-enabled interface, and it is not forwarded back out the receiving interface. If the RPF check fails, the packet is dropped to protect the multicast distribution tree. The OIL therefore represents the correct controlled forwarding behavior after a successful RPF validation. Reference topics: PIM sparse mode, RPF check, outgoing interface list, multicast forwarding state, loop prevention.

When BFD echo mode contributes to high CPU utilization on lower-resource devices, the practical design response is to use slower BFD timers for those peers rather than continuing to run an overly aggressive failure-detection profile everywhere. Cisco BFD provides fast failure detection, but timer values must match platform capability, interface scale, and the operational value of subsecond detection. Echo mode can generate frequent packets, and in some environments the processing or punt behavior can create measurable CPU pressure. Slowing the timers reduces packet rate and control-plane stress while keeping BFD available for faster detection than traditional routing protocol dead timers. Moving to asynchronous mode may be appropriate in some designs, but the listed option says “BED” and does not directly address the requirement as cleanly as reducing timer aggressiveness. BFD multihop is used for non-directly connected peers and is not a CPU-relief mechanism. Carrier delay changes interface state notification behavior, but it does not solve BFD packet processing load. Therefore, implement slower timers on peers with limited resources. Reference topics: BFD design, echo mode, failure-detection timers, CPU utilization.

BGP Multipath Load Sharing is the feature used when a single router has two parallel BGP paths to the same ISP and the design goal is to install more than one eligible BGP path in the routing table. By default, BGP selects a single best path after evaluating path attributes such as weight, local preference, AS path, origin, MED, eBGP over iBGP, IGP metric to next hop, and tie breakers. When the competing paths are sufficiently equivalent and BGP multipath is enabled, Cisco IOS can install multiple BGP next hops for the same prefix and allow the forwarding plane to load share across both links. Multihop is used to establish BGP sessions to non-directly connected neighbors, not to load balance. Next-Hop Address Tracking improves convergence by tracking next-hop reachability, but it does not itself create load sharing. AS-path prepending intentionally makes a path less preferred for inbound traffic engineering. Therefore, the correct BGP feature for balancing outbound traffic across two links to the same ISP is Multipath Load Sharing.

Reverse Path Forwarding prevents multicast loops and duplicate packet forwarding. Multicast routing is source-oriented, so a router must verify that multicast traffic arrives on the interface it would use to reach the source or rendezvous point, depending on the tree state. If the packet arrives on the expected reverse-path interface, the RPF check succeeds and the router can forward the packet to the outgoing interface list. If it arrives on the wrong interface, the packet is dropped because accepting it could create a loop or duplicate stream. Cisco multicast designs rely on RPF checks with PIM to maintain loop-free distribution trees across redundant routed topologies. RPF does not notify upstream routers by itself, does not eliminate overlapping multicast group addresses, and is not simply a prune-generation mechanism. Prune behavior can occur as part of PIM tree maintenance, but the function asked here is loop prevention. Reference topics: multicast RPF check, PIM forwarding, source tree, shared tree, outgoing interface list, duplicate suppression.

The correct subnet choice is 192.168.32.0/27. The design must support at least five subnets and at least 25 usable hosts per subnet from a /24 allocation. A /27 leaves five host bits, giving 32 total addresses and 30 usable host addresses after excluding the subnet and broadcast addresses. It also borrows three bits from the /24 host field, creating eight equal /27 subnets, which satisfies the requirement for at least five departmental networks. A /26 provides 62 usable hosts, but only four subnets inside a /24, so it fails the subnet-count requirement. A /25 provides only two subnets. A /28 provides enough subnets but only 14 usable host addresses, which fails the host requirement. Cisco subnetting guidance uses exactly this host-bit and prefix-length calculation model when selecting VLSM blocks. Reference topics: IPv4 subnetting, CIDR prefix length, host-bit calculation, VLSM design, private IPv4 addressing.

A policy-based IPsec tunnel with static routing is the simplest secure design for connecting two hosts in two companies when no additional future connectivity is planned. The requirement is narrow: one host in Company A must communicate with one host in Company B over a single encrypted Internet connection. Policy-based IPsec is straightforward for this type of point-to-point encryption because crypto ACLs define exactly which interesting traffic should be protected. Static routing is sufficient because there is no complex topology, no dynamic path selection requirement, and no anticipated expansion. A DMVPN design would add unnecessary NHRP, multipoint GRE, and dynamic routing complexity. A routed IPsec tunnel with OSPF is useful when many networks or dynamic route changes are expected, but it is more complex than needed. MPLS VPN with BGP would require provider service and does not meet the simple encrypted Internet connection requirement. Reference topics: site-to-site IPsec, policy-based VPN, static routing, point-to-point secure connectivity, WAN simplicity.

Locator/ID Separation Protocol is the control-plane technology that allows endpoint identity to be separated from endpoint location. In Cisco SD-Access, LISP is used by the fabric control plane to map endpoint identifiers to routing locators, so an endpoint subnet can remain logically consistent even when endpoint reachability is provided from different network locations. This is why LISP is associated with host mobility and with designs where the same subnet or endpoint identity can exist across multiple places without forcing the physical topology to be a single stretched Layer 2 domain. VXLAN is the data-plane encapsulation used to carry overlay traffic, but VXLAN itself is not the mapping control plane. FabricPath is a Cisco Layer 2 multipath technology and does not provide LISP-style endpoint-location mapping. ISE mobility services are identity and policy functions, not a routing locator mapping system. Therefore, the correct control-plane technology is LISP. Cisco SD-Access design material describes the control plane as the mapping system that maintains endpoint-to-device relationships.

The required resource is the organization name. During manual WAN Edge onboarding, the device needs local system identity information and transport reachability so it can authenticate into the Cisco Catalyst SD-WAN overlay. Cisco onboarding workflows identify system parameters such as system IP, site ID, organization name, and vBond information as required configuration elements. The organization name must match the value configured across the SD-WAN controllers; otherwise, certificate validation and control connection establishment fail. After the WAN Edge authenticates with vBond, vBond helps it discover the vSmart controllers and vManage. That is why the vSmart hostname is not the first required onboarding resource in this question. NAT may exist in the path and vBond can assist traversal, but NAT itself is not the configuration identity item. A generic domain name is not the same as the SD-WAN organization name. Reference topics: Cisco SD-WAN onboarding, vBond orchestrator, organization-name, control connections, WAN Edge manual configuration.

PIM Source-Specific Multicast is the correct multicast protocol when receivers can subscribe to traffic from known sources and the design must avoid rendezvous points. SSM uses the (S,G) model, where receivers explicitly join a multicast group from a specific source. Because the source is known at join time, the network does not need a shared tree or RP discovery process. This makes SSM attractive for broadcast-style streaming applications, such as video channels, where each stream source is known and receivers subscribe to specific channels. PIM Sparse Mode and Any-Source Multicast use an RP to allow receivers to discover active sources, so they do not meet the requirement of no rendezvous point. BIDIR-PIM also relies on an RP-rooted shared tree and is optimized for many-to-many applications rather than source-specific broadcast channels. For a large cable TV provider streaming multiple video channels from defined sources, SSM simplifies the multicast control plane, eliminates RP dependency, and scales efficiently by creating only the source-specific state required by active receivers.

StackWise is the correct solution because the company needs more access ports while reusing the existing access-switch uplink capacity. Cisco StackWise allows multiple compatible Catalyst switches to operate as a single logical switching system, increasing access-port density without requiring each added switch to consume new uplink ports on the distribution layer. This fits the design constraint that the distribution switches have no available ports for additional uplinks, while current uplink bandwidth is not a bottleneck. VSS is normally used to combine two chassis-class switches into one logical system at the distribution or core layer; it is not the practical answer for expanding one floor’s access-port count from an existing access switch. EtherChannel aggregates physical links for bandwidth and redundancy, but it does not create additional access ports when no distribution ports are available. VDC is a Nexus virtualization construct and does not solve Catalyst access-port expansion. The correct operational design is to add a stack member and use the existing uplink design. Reference topics: Cisco StackWise, access-layer scalability, uplink preservation, Catalyst campus switching.

The primary HSRP device should use the preempt delay feature. When a failed primary distribution switch returns, HSRP preemption allows it to reclaim the active gateway role because it has the higher priority. However, routing protocols, trunks, line cards, FIB programming, or upstream convergence may not be fully ready at the instant HSRP becomes active again. If the device preempts too quickly, hosts forward traffic to a gateway that is not yet ready to forward all flows, causing temporary packet loss. Cisco HSRP preempt delay prevents immediate takeover by delaying preemption after reload or interface recovery, giving the switch time to rebuild control-plane and forwarding-plane state. Increasing hello timers slows failure detection and does not solve the premature takeover problem. Applying preempt delay to the backup device is not the issue because the returning primary is the device that reclaims active state. MAC refresh timers are not the primary mechanism for this condition. Therefore, the design should configure preempt delay on the primary HSRP device. Reference topics: HSRP preemption, preempt delay, gateway recovery, campus high availability, convergence coordination.

A migration from traditional IP-VPN service to Cisco SD-WAN commonly increases security and scalability. Cisco SD-WAN builds encrypted data-plane tunnels across supported transports, so the enterprise can use Internet, MPLS, or hybrid connectivity while maintaining secure site-to-site communication. The architecture also scales better operationally because policy, templates, onboarding, and routing control are centralized through the SD-WAN controllers and management plane. Increased solution complexity is not a desired characteristic; one of the design goals is to simplify operations through automation and centralized policy. Centralized application policies are also a major SD-WAN benefit, but when only two choices are selected, the stored answer emphasizes the two broad migration outcomes of security and scale. Distributed control plane is not correct because Cisco SD-WAN uses centralized control-plane logic with vSmart controllers distributing OMP routes and policies. A professional migration plan should validate transport diversity, controller redundancy, encryption policy, application-aware routing, and operational readiness. Reference topics: Cisco SD-WAN migration, encrypted overlay, scalability, centralized control plane, IP-VPN replacement.

The drag-and-drop mapping is based on how Cisco differentiates YANG model families used for model-driven programmability. IETF models are standards-based and are intended for broad interoperability across vendors. They are the usual choice when the design priority is a consistent baseline for multivendor configuration or operational state. OpenConfig models are also vendor-neutral, but they are developed by the OpenConfig community and often provide an operationally consistent structure for telemetry and configuration across platforms. Cisco native models are vendor-specific models that expose detailed Cisco IOS XE, IOS XR, or NX-OS features, including capabilities that may not be represented in IETF or OpenConfig models. The design choice is therefore not simply “one model is always best.” It depends on whether the requirement prioritizes portability, abstraction, or complete Cisco feature coverage. For a standards-driven multivendor design, use IETF or OpenConfig where sufficient. For Cisco-specific device features, use Cisco native models. Reference topics: YANG models, IETF models, OpenConfig, Cisco native models, NETCONF/RESTCONF programmability.

For multimedia conferencing over MPLS, Cisco QoS design normally classifies the traffic into the multimedia conferencing class and marks it with AF4, commonly AF41. This class is intended for interactive video conferencing and similar applications that need assured bandwidth and controlled loss, but that are not usually placed in the same strict-priority class as voice bearer traffic. A bandwidth queue provides a minimum bandwidth guarantee during congestion, while DSCP-based WRED can selectively manage congestion within the class by using the drop precedence encoded in the AF marking. AF3 is generally associated with multimedia streaming, not interactive conferencing. A simple bandwidth queue without WRED does not fully use per-hop behavior characteristics for congestion handling. LLQ is typically reserved for voice and sometimes very tightly controlled real-time classes, because overusing strict priority can starve other traffic. Therefore, bandwidth queuing with DSCP WRED using AF4 is the appropriate per-hop behavior design. Reference topics: Cisco QoS baseline, DiffServ, AF41, multimedia conferencing, MPLS QoS, WRED.

Nonstop Routing is the correct solution when the upstream router does not understand graceful restart messaging. Cisco NSF and graceful restart depend on helper behavior from neighboring routers. During a supervisor switchover, the restarting device asks neighbors to preserve forwarding and adjacency state while the control plane recovers. If the neighbor does not support or understand the graceful restart signaling, NSF cannot deliver the intended benefit and route recomputation may still occur. NSR is different because it synchronizes routing protocol state between the active and standby supervisor internally, allowing the switch to preserve routing operation during stateful switchover without requiring graceful restart support from the neighbor. Remote LFA FRR protects against data-plane failures by precomputing repair paths, but it does not address supervisor switchover route recomputation. Aggressive IS-IS timers may make failure detection faster, but they increase control-plane churn and do not solve the lack of graceful-restart helper support. Therefore, the Catalyst switch should use NSR for this design. Reference topics: IS-IS high availability, NSR, NSF, graceful restart helper support, stateful switchover.

The Cisco SD-Access underlay provides the physical and IP transport foundation that allows fabric nodes to reach each other. In plain terms, it is the routed connectivity built from the switches, routers, links, and loopback reachability that the overlay depends on. Cisco SD-Access then uses the overlay to provide virtualization, segmentation, policy, and endpoint mobility on top of that transport. This is why the underlay is best described as establishing the connectivity between the switches and routers that form the fabric. Option A describes the abstraction performed by the overlay, not the underlay. Option B is closer to a Layer 2 tunneling description and is not the main purpose of the SD-Access underlay. Option D describes encapsulated overlay behavior, especially VXLAN-based data-plane transport, not the physical/routed foundation itself. A good SD-Access design validates underlay reachability, routing adjacencies, MTU, loopback advertisement, and redundancy before onboarding the overlay services. Without a stable underlay, LISP control-plane mappings and VXLAN data-plane forwarding cannot operate predictably. Reference topics: SD-Access underlay, routed campus foundation, fabric node reachability, overlay dependency.

Cisco Identity Services Engine is the SD-Access component that integrates with Cisco DNA Center to provide identity-based policy, Security Group Tags, and Security Group ACL policy enforcement. Cisco SD-Access uses Cisco TrustSec technology concepts for group-based policy, but ISE is the actual policy and identity services platform that integrates with Cisco DNA Center. DNA Center automates fabric deployment and policy orchestration, while ISE provides endpoint identity, group assignment, scalable group information, and policy authorization. SGACLs define permitted or denied communication between security groups, and SGTs classify users or endpoints into those groups. APIC-EM is not the SD-Access policy platform. Cisco Network Data Platform supports analytics and assurance functions, not identity policy enforcement. Cisco TrustSec is the underlying policy technology, but the question asks for the component that integrates with Cisco DNA Center. Therefore, the verified answer is Cisco Identity Services Engine. In design terms, ISE should be planned as a critical policy-plane dependency with redundancy, pxGrid integration, RADIUS services, and consistent scalable group policy design.

EIGRP and BGP are the two listed routing protocols that can support unequal-cost load balancing in Cisco enterprise designs. EIGRP performs unequal-cost load sharing by using the variance command. Feasible successor routes whose feasible distance falls within the variance multiplier can be installed alongside the successor route, provided they satisfy EIGRP loop-prevention rules. This allows traffic to use links with different composite metrics while still maintaining loop-free forwarding. BGP can also support unequal-cost distribution in specific designs, such as using BGP multipath features with additional bandwidth-based mechanisms or policy to influence traffic sharing across nonidentical paths. OSPF and IS-IS commonly support equal-cost multipath, but they do not natively perform EIGRP-style unequal-cost load balancing based on different path metrics. RIPng is also limited by hop-count behavior and is not used for unequal-cost multipath in this context. The correct design answer is therefore EIGRP and BGP. In production, the engineer must still validate hardware forwarding behavior, policy consistency, and whether the traffic-sharing method is per-flow or per-prefix.

The border node is part of the Cisco SD-Access overlay architecture. In the SD-Access fabric, the overlay consists of fabric roles and services that provide endpoint connectivity, segmentation, policy, and external reachability over the routed underlay. Border nodes connect the fabric overlay to external Layer 3 networks, shared services, WAN, Internet, or other fabric/transit domains. They perform the fabric boundary function, including routing between virtual networks and external routing domains as designed. Spine and leaf are generic data center or fabric topology terms and are not the named SD-Access fabric overlay roles in this question. Cisco DNA Center, now Cisco Catalyst Center, is central to management, automation, assurance, and policy deployment, but it is not itself an overlay forwarding component. The forwarding overlay is built from roles such as edge, border, control-plane, and intermediate nodes. Therefore, the correct component from the options is the border node. The design should select border placement based on external connectivity, scale, route control, redundancy, and whether the border is internal, external, or anywhere border. Reference topics: SD-Access overlay, border node, fabric roles, external connectivity, virtual networks.

LTE is the most appropriate backup WAN option for remote sites that already rely on microwave links. A backup transport should use a different failure domain from the primary service; LTE provides carrier wireless connectivity that is operationally separate from the customer’s microwave infrastructure. It is widely available, fast to deploy, and suitable as an out-of-band or secondary WAN path for branch continuity. WiMAX is an older metropolitan wireless technology and is not the preferred current enterprise backup choice. A laser link is another line-of-sight technology and can suffer from similar environmental and alignment constraints as microwave, so it is a weaker diversity option. Bluetooth is a short-range personal-area technology and is not a viable WAN backup for enterprise branches. LTE also integrates well with SD-WAN, IPsec VPN, and routing-based failover designs. In a resilient WAN architecture, the architect should validate signal quality, carrier coverage, data plan, antenna placement, NAT behavior, and whether the backup link must support dynamic routing, VPN encryption, and QoS for critical traffic during failover.

Policing is the correct mechanism for managing traffic that exceeds the configured threshold. The application is UDP-based, inelastic, and sensitive to delay and jitter, so excess traffic should not be buffered and transmitted later. Cisco defines traffic policing as measuring traffic against a configured rate and applying an action such as transmit, drop, or remark when traffic conforms, exceeds, or violates the policy. In contrast, shaping buffers excess traffic and releases it later to smooth the output rate. That behavior is useful for TCP or provider handoff control, but it can add delay and jitter, which is harmful for inelastic real-time UDP flows. Scheduling has already been addressed by allocating bandwidth and assigning queues; it decides how queues are serviced, not how excess flows are constrained. Remarking changes packet markings but does not by itself enforce a traffic threshold. Therefore, policing is the appropriate QoS conditioning action for traffic above the configured limit. Reference topics: traffic policing, QoS conditioning, shaping versus policing, UDP real-time applications, delay and jitter control.

A totally stubby OSPF area is the best choice for a small remote site with low-end routers and no requirement to carry transit traffic. A standard stub area blocks Type 5 external LSAs, but it still receives interarea Type 3 summary LSAs. A totally stubby area goes further by blocking external routes and most interarea summary routes, while allowing a default route to be injected by the ABR. That greatly reduces LSDB size, SPF processing, memory use, and routing-table entries on the low-end routers. The remote site still has full connectivity to the rest of the OSPF domain through the default route. NSSA and totally NSSA designs are useful when the area must inject external routes from an ASBR inside the area, but the question does not state that the remote site needs redistribution. A regular stub area is acceptable but does not minimize resources as much as a totally stubby area. Because there is no demand for traffic to pass through this area, the most efficient Cisco design is totally stubby. Reference topics: OSPF stub areas, totally stubby area, default routing, LSDB reduction, branch OSPF design.

The SD-Access control-plane node performs the LISP Map-Server and Map-Resolver functions. Cisco SD-Access uses LISP in the control plane to maintain mappings between endpoint identifiers and routing locators. Fabric edge nodes discover local endpoints and register them with the control-plane node. When a destination endpoint is not known locally, a fabric node queries the control-plane node, which resolves the endpoint location and returns the locator information needed for VXLAN forwarding through the fabric. This is why the control-plane node is the correct answer. A fabric edge node connects endpoints, provides the anycast gateway, encapsulates and decapsulates user traffic, and registers endpoints. A border node connects the fabric to external networks. An intermediate node simply transports routed underlay traffic between fabric nodes and does not hold endpoint mappings. In design terms, control-plane placement and redundancy are critical because endpoint mobility, fabric forwarding lookup, and location resolution depend on stable Map-Server and Map-Resolver services. Reference topics: Cisco SD-Access control plane, LISP Map-Server, LISP Map-Resolver, EID-to-RLOC mapping, fabric edge registration.

VRRPv3 improves protocol applicability by supporting both IPv4 and IPv6 address families. VRRPv2 is associated with IPv4 virtual router redundancy, while VRRPv3 extends the protocol so the same first-hop redundancy concept can be used for IPv6 default gateways as well. In campus and branch designs, this matters because IPv6 deployments should not require a separate redundancy design from IPv4 when a standards-based FHRP is preferred. Preemption is not a unique VRRPv3 advantage because VRRP has long supported priority-based master election and preemption behavior. Authentication is also not the correct differentiator in this comparison; VRRPv3 removed the simple protocol authentication field from the base protocol and expects security to be provided by the underlying network or IPsec where required. Stateful switchover is a platform high-availability capability, not a VRRPv3 protocol feature. Therefore, the key benefit of VRRPv3 over VRRPv2 for enterprise design is IPv4 and IPv6 support under the same redundancy protocol model.

The correct policy is to prepend the AS path on the nonpreferred advertisement for each prefix. For inbound BGP traffic engineering, the enterprise normally influences remote autonomous systems by changing attributes that those systems see when selecting a path. AS-path prepending makes a route appear less attractive by adding repeated instances of the local AS number to the AS path. In this design, network 10.1.1.0/24 should enter through R3-R1, so R2 must advertise that prefix with a prepended AS path to make the R4-R2 path less preferred unless the primary path fails. Conversely, network 10.1.2.0/24 should enter through R4-R2, so R1 must advertise that prefix with prepending to make the R3-R1 path less preferred. This creates inbound load sharing while preserving failover because the prepended route remains available as a backup. Local preference affects outbound path selection inside the local AS, not inbound selection by the provider. Reference topics: BGP traffic engineering, AS-path prepending, inbound path control, prefix-specific policy, multihomed WAN design.

The scalable EIGRP hub-and-spoke design should make each spoke a stub router and summarize routes from the spokes toward the hubs. Cisco EIGRP documentation states that stub routing improves network stability, reduces resource utilization, and simplifies branch or edge router configuration. Stub spokes limit the routes they advertise and prevent the hub routers from sending unnecessary queries through remote sites. Summarizing spoke routes toward the hubs further reduces routing-table size and contains convergence events when a subnet fails behind a spoke. Exchanging all routes between every location would increase memory, CPU, and query scope, which is the opposite of good EIGRP scale design. Summarizing only between the hubs may be useful in a dual-data-center design, but it does not solve the spoke scaling requirement. Splitting the network into two autonomous systems is unnecessary when the requirement states that all locations belong to a single AS. Reference topics: EIGRP hub-and-spoke design, stub routing, route summarization, query scope reduction, branch scale.

Universal PoE is the appropriate power technology when endpoint requirements vary from 30 watts up to 60 watts. Cisco Universal Power over Ethernet extends the PoE+ model and can source up to 60 watts per port by using all four cable pairs. PoE Plus supports up to 30 watts and therefore does not satisfy the upper range in the requirement. Fast PoE is concerned with how quickly power is restored during switch startup, not the maximum supported wattage. Perpetual PoE is the feature that maintains power during a switch reload, but by itself it does not define the 60-watt power class. In a complete campus design, the architect should select UPOE-capable Catalyst access switches and enable perpetual PoE behavior on ports where endpoints must remain powered during reload events. Among the answer choices, Universal PoE is the required power delivery solution because the 30-to-60 watt budget is mandatory. Reference topics: Cisco UPOE, PoE Plus, Perpetual PoE, Fast PoE, Catalyst access-layer power design.

The correct XML/YANG data model set is the option that accurately represents the IOS XE interface hierarchy, assigns the IPv4 address to GigabitEthernet2/1/0, and uses the correct prefix length of 27. In model-driven programmability, the payload must match both the selected YANG model schema and the target platform’s interface naming conventions. For IOS XE native models, interface configuration is structured under the Cisco native namespace, with interface type and name represented in the schema before IPv4 address elements are applied. The address 10.10.10.10/27 must also support a directly connected host at 10.10.10.1/27, which places both addresses in the same 10.10.10.0/27 subnet. Options that place the address under the wrong interface type, use the wrong namespace, incorrectly represent the mask, or configure the host route rather than the interface are invalid. Option D is the only answer aligned to the IOS XE YANG structure and the requested addressing. Reference topics: IOS XE native YANG, NETCONF XML payloads, interface configuration, IPv4 prefix length, model-driven programmability.

In Cisco SD-Access, an intermediate node is an underlay transit device. Its responsibility is to provide IP reachability between fabric edge nodes, border nodes, and other fabric infrastructure roles. Intermediate nodes forward routed underlay traffic and do not perform endpoint registration, endpoint lookup, or VXLAN encapsulation for user traffic. Endpoint-to-location mapping is handled through the fabric control plane, which is based on LISP map-server and map-resolver functions. Fabric edge nodes identify connected endpoints, apply policy, act as anycast gateways, and encapsulate user traffic into VXLAN. Border nodes connect the fabric to external networks and handle traffic entering or leaving the fabric. The intermediate node is therefore comparable to a routed distribution or core transport device in a traditional hierarchical campus, except it is participating in the SD-Access underlay. It must provide stable Layer 3 reachability and appropriate MTU for encapsulated traffic but does not maintain the host tracking database or add security group information to VXLAN headers. The correct function is transporting IP packets between edge and border nodes.

The scalable BGP design should use VPNv4 on the PE routers for L3VPN site routes and BGP IPv4 unicast on ABRs to connect multiple IGP/LDP domains. VPNv4 is the correct MP-BGP address family for carrying customer VPN routes across a provider MPLS Layer 3 VPN core because it combines route distinguishers and VPN labels with customer prefixes. This lets the provider scale many customer routes while maintaining separation between VPNs. When the provider network spans multiple IGP or LDP domains, BGP IPv4 unicast can be used at ABRs to carry infrastructure reachability and avoid trying to flood a single IGP domain across the entire provider backbone. Full-mesh iBGP among all routers in different IGP domains is not scalable and conflicts with the requirement that thousands of routes will be added. Redistributing all IGP routes into a single BGP IPv4 instance without VPNv4 does not preserve customer VPN separation. Filtering loopbacks everywhere is not the core scaling solution. Reference topics: MP-BGP VPNv4, MPLS L3VPN, ABR design, interdomain provider routing, route scale.

EIGRP stub routing is designed to prevent remote or spoke routers from being used as transit routers. In a hub-and-spoke or dual-homed remote design, a stub router advertises only the route types permitted by its stub configuration, such as connected or summary routes, and it is not queried for routes that it cannot reasonably provide. This reduces EIGRP query scope and helps avoid stuck-in-active conditions. The tradeoff is that the network must not depend on a stub site to carry transit traffic between other parts of the topology. In this scenario, the spoke nodes are configured as EIGRP stubs. When the direct R1-to-R2 link fails, R1 cannot use the alternate path through the other spoke-side topology as a transit path to reach a subnet attached to R2. The EIGRP stub design prevents the route from being advertised in a way that would make the spoke act as a transit router. As a result, R1 has no valid route to R2 ' s attached subnet and drops the traffic. This behavior is consistent with the purpose of EIGRP stub routing.

IPv6 overlay tunnels should be treated as a transition mechanism, not as the final desired enterprise architecture. Cisco IPv6 migration guidance describes tunneling as a way to connect IPv6 islands across an IPv4 infrastructure or to carry one protocol over another while the network is being migrated. This is useful when parts of the infrastructure cannot yet run IPv6 natively, but it also adds encapsulation overhead, additional MTU considerations, troubleshooting complexity, and operational dependency on the underlay transport. A permanent IPv6 architecture should eventually support IPv6 natively, or support both IPv4 and IPv6 through dual stack where required. The statement that overlay tunnels are a final IPv6 architecture is therefore incorrect. Overlay tunnels are not limited only to border devices in every design, and they do not require only the IPv6 stack; they commonly encapsulate IPv6 traffic over IPv4 infrastructure. The option stating that IPv4 packets are encapsulated in IPv6 packets also reverses the common IPv6-over-IPv4 migration use case. Therefore, overlay tunneling should be designed as a temporary transition technique.

The RPF check is performed against the RP address when the PIM router has shared-tree state. In PIM sparse mode, multicast traffic initially flows through the rendezvous point using the shared tree, represented as (*,G) state. For shared-tree traffic, the router verifies that packets arrive from the direction of the RP, because the RP is the root of the shared distribution tree. When the router has source-tree state, represented as (S,G), the RPF check is performed against the multicast source address instead. Dense mode behavior and directly connected membership are not the determining conditions in this question. The key distinction is whether forwarding state is shared-tree or source-tree. Cisco multicast design relies on this behavior to keep PIM forwarding loop free as traffic transitions from shared-tree delivery to shortest-path tree delivery where applicable. Selecting the shared-tree state option correctly identifies when the RP address is used for the RPF calculation. Reference topics: PIM sparse mode, shared tree, source tree, RPF toward RP, (*,G) and (S,G) state.

R3 must be made an L1/L2 router so that it can connect the Level 1 area to the Level 2 backbone. IS-IS uses a two-level hierarchy. Level 1 routers know the topology inside their local area, Level 2 routers form the backbone between areas, and Level 1/Level 2 routers provide the boundary between the two. A proper IS-IS backbone cannot have isolated Level 1-only routers positioned between L1/L2 routers that need to exchange interarea reachability. If the link failure exposed an area-continuity problem, converting R3 to L1/L2 gives the area an appropriate attachment point to the backbone and restores interarea forwarding behavior. Making an unrelated router Level 1 or Level 2 only would not necessarily create the required boundary function. Simply making Area 0 L2-only is also not the focused fix if the topology still lacks a correct L1/L2 transition point. The design principle is straightforward: every Level 1 area must have a dependable L1/L2 router through which traffic can reach destinations outside the area. Reference topics: IS-IS Level 1, Level 2 backbone, L1/L2 routers, interarea reachability, hierarchical IGP design.

The selected IPv6 summary must be the smallest prefix that covers all of the site subnets in the exhibit while not including unnecessary additional networks. IPv6 route summarization works by identifying the common high-order bits shared by the component prefixes and advertising the shortest aggregate that contains them all. Cisco routing design uses summarization at WAN or aggregation boundaries to reduce routing-table size, contain convergence events, and simplify policy. Option C is retained because it represents the aggregate identified by the exhibit answer set. Option A is a different /60 boundary and would be correct only if all component subnets fell under that exact nibble range. Option B is not a usable summary route in normal IPv6 prefix notation as written. Option D is too broad or malformed for a precise site summary. The professional design rule is to summarize on valid nibble or bit boundaries and verify that every component prefix is included without accidentally absorbing unrelated site networks. Reference topics: IPv6 summarization, prefix aggregation, route boundary calculation, WAN route scale, convergence containment.

An on-change telemetry subscription is the best solution when the team needs device state data while limiting impact on the device. With periodic telemetry, the device sends subscribed data at a configured interval regardless of whether the value has changed. For state such as shared memory utilization, aggressive periodic polling or streaming can create unnecessary CPU, memory, and bandwidth overhead, especially at scale. On-change telemetry sends an update only when the subscribed data changes, or when a relevant event occurs according to the model and platform behavior. This reduces needless data transmission while still providing timely visibility into meaningful state changes. IPFIX is designed for flow information and traffic accounting rather than detailed device state telemetry. Static telemetry is not the best characterization of the efficient event-driven behavior required here. A periodic subscription can provide the data, but it continuously streams updates and therefore has greater device and collector impact. Cisco model-driven telemetry design favors on-change subscriptions when the operational requirement is state awareness with minimal repeated polling.

The design should use a scavenger queue for excessive or suspicious traffic and apply queuing on the access-to-distribution uplinks where congestion can occur. Cisco QoS campus design commonly uses a less-than-best-effort scavenger class to constrain traffic associated with worms, peer-to-peer applications, bulk background flows, or other nonbusiness traffic. Placing this traffic in a scavenger queue minimizes the bandwidth it can consume during congestion without harming real-time applications. Real-time voice or video traffic should be placed in a strict-priority queue so it receives low delay and low jitter treatment when links are congested. Applying queuing on access-to-distribution links is important because those uplinks are common campus congestion points, especially during bursts or abnormal traffic events. A shaping policy is not the right tool for campus LAN uplinks, and indiscriminate policing of real-time traffic can cause drops that damage voice and video quality. Reference topics: campus QoS, scavenger class, strict-priority queue, access uplink queuing, congestion management, worm mitigation.

Without centralized policy, OMP allows all WAN Edge routers in the same VPN to communicate in a full-mesh overlay. Cisco Catalyst SD-WAN uses OMP as the control-plane protocol between WAN Edge routers and SD-WAN controllers. WAN Edge devices advertise OMP routes, TLOC routes, and service routes to the controllers, and the controllers distribute the reachable routes back to the relevant edge devices. Cisco policy documentation describes the default unpolicied behavior as permissive: routes are accepted and advertised so sites in the same VPN learn reachability to each other. That default route distribution produces a full-mesh data-plane capability, even though control connections remain hubbed through the controllers. Hub-and-spoke, regional isolation, point-to-point restriction, or service-chained topologies require centralized control or data policy to filter routes or steer traffic. Blocking all communication is the opposite of the default behavior. Reference topics: Cisco SD-WAN OMP, default route distribution, full-mesh overlay, centralized control policy, VPN segmentation.

OpenConfig, IETF, and Cisco native YANG models differ mainly in scope and implementation focus. IETF models are standards-based and are intended to cover common protocol or interface functions across vendors. OpenConfig models are vendor-neutral operational and configuration models developed for broad network automation use cases and often provide a more detailed service or operational structure than the corresponding baseline IETF model. Cisco native models are device and operating-system specific, which means they usually expose the most complete Cisco feature coverage but are less portable across vendors. For the question wording, OpenConfig is more comprehensive than IETF when configuring the same general feature in a multivendor environment, because OpenConfig commonly defines richer operational and configuration containers beyond the minimum standards model. Option B is incorrect because Cisco native models are not generally less comprehensive than OpenConfig on Cisco devices. Option C is also incorrect for the same reason. Option D reverses the usual relationship. Reference topics: YANG model families, IETF models, OpenConfig models, Cisco native YANG models, model-driven programmability.

The Cisco SD-Access data plane is based on VXLAN. Cisco SD-Access separates the fabric into functional planes: the underlay provides IP reachability, the control plane uses LISP to map endpoints to locations, and the data plane uses VXLAN encapsulation to carry user traffic across the routed underlay. VXLAN allows the fabric edge node to encapsulate endpoint traffic and forward it through the fabric while preserving virtual network and segmentation information. This is what enables SD-Access to provide Layer 2 and Layer 3 overlay services over a Layer 3 routed transport. OMP is the control-plane protocol for Cisco SD-WAN, not SD-Access. NHRP is associated with DMVPN tunnel resolution. LISP is essential in SD-Access, but its role is endpoint ID to routing locator mapping, not packet encapsulation in the data plane. Therefore, VXLAN is the correct protocol for the SD-Access data plane. Reference topics: SD-Access fabric, VXLAN data plane, LISP control plane, overlay encapsulation, routed underlay.

The two practical OSPF convergence improvements are enabling Bidirectional Forwarding Detection and tuning OSPF timers and throttling behavior. Cisco describes BFD as a protocol designed to provide fast forwarding-path failure detection across media, encapsulations, topologies, and routing protocols. With OSPF, BFD allows a neighbor failure to be detected rapidly without depending only on the OSPF dead interval. OSPF parameters can also be tuned, including SPF scheduling, LSA generation, and LSA arrival throttling, so the control plane reacts quickly but not recklessly during instability. Merging all areas into one backbone area is not a convergence improvement; it usually increases the size of the link-state database and the impact of topology changes. Making every nonbackbone area stub may reduce external LSA scope, but it is not universally valid and does not directly solve failure detection. Spanning the same IP network across multiple OSPF areas is a poor design and can create operational ambiguity. Therefore, BFD plus careful OSPF parameter tuning are the appropriate convergence-focused design actions.

The EIGRP stub connected option is appropriate when the new circuit is intended to protect reachability to a connected subnet without turning the router into a broad transit point. EIGRP stub routing is used to limit the routes a router advertises to its neighbors and to constrain EIGRP query scope. A stub router can advertise connected routes, summary routes, redistributed routes, or combinations depending on the configured stub option. In this scenario, the new C-to-D circuit protects connectivity to 10.0.4.0/24 during a failure between B and D. Advertising the connected network through the stub behavior gives upstream routers a valid alternate route while still preventing unnecessary transit advertisements. Stub redistributed would be used for routes learned from another routing process, not for directly connected networks. Stub receive-only would prevent the router from advertising any routes, which would not protect reachability. Stub leak-map is used for controlled exceptions and is unnecessary if the required route is a connected subnet. Reference topics: EIGRP stub routing, connected route advertisement, query boundary design, DUAL stability.

Dedicated control-plane nodes are advisable when frequent endpoint roaming across fabric edge nodes is expected. In Cisco SD-Access, the control-plane node maintains the host tracking database and resolves endpoint identifiers to routing locators. When endpoints move between fabric edge nodes, the fabric must update endpoint-to-location mappings quickly and consistently. In smaller deployments, the control-plane function can sometimes be colocated with border nodes, but larger or more mobile environments benefit from dedicated control-plane nodes to improve scale, resilience, and operational separation. The decision is not because Cisco DNA Center is absent; DNA Center is the management and automation platform for SD-Access. It is also not because edge nodes are unable to provide control-plane functionality, since that is not their fabric role. Frequent roaming creates more mapping updates and lookup activity, so dedicated control-plane resources help maintain stable endpoint registration and resolution performance. Reference topics: Cisco SD-Access control-plane node, host tracking database, endpoint mobility, LISP map server, fabric scale.

The correct model set is the one that configures the IOS XE interface GigabitEthernet2/1/0 with IPv4 address 10.10.10.10 and prefix length 27 using valid XML according to the selected YANG schema. The directly connected host address 10.10.10.1/27 confirms the subnet relationship; both addresses belong to 10.10.10.0/27, so the interface configuration must use that prefix length rather than a host mask or an unrelated network. YANG-based configuration is strict: the namespace, container hierarchy, interface type, interface name, and address fields must match the device model. If an option places GigabitEthernet under the wrong container, represents the mask incorrectly, or uses a schema from a different model family, the device will reject the payload or configure the wrong object. Option D correctly represents the IOS XE XML structure and the required addressing. In real operations, the engineer should follow this with a get-config readback against the running datastore to prove that the structured configuration committed as intended. Reference topics: IOS XE interface YANG, XML payload structure, NETCONF configuration, IPv4 subnet validation.

GET VPN is the correct technology for this private WAN requirement. Cisco Group Encrypted Transport VPN secures unicast and multicast traffic over a private WAN using IPsec encryption and group key management. Its key advantage is that it preserves the original packet header instead of building permanent point-to-point tunnels, which reduces forwarding overhead compared with GRE/IPsec or DMVPN overlays. Cisco describes GET VPN as using a centralized key server to distribute group keys and security policy to group members, satisfying the requirement for centralized security management. It also supports multicast efficiently because the core or provider network can perform multicast replication while the traffic remains encrypted. IPsec point-to-point would not scale well across many remote sites and lacks group key management. mGRE alone does not encrypt traffic. DMVPN Phase 3 supports dynamic encrypted tunnels and spoke-to-spoke communication, but it still relies on tunnel encapsulation and does not reduce overhead the way GET VPN does on a private WAN. Reference topics: GET VPN, GDOI, IPsec group encryption, private WAN, multicast encryption.

BFD with default BGP timers is the best design choice because it improves failure detection without forcing BGP itself to run aggressive keepalive processing. Cisco documentation describes BFD as providing fast forwarding-path failure detection and notes that BFD can be less CPU-intensive than reduced EIGRP, BGP, and OSPF timers because parts of BFD can be distributed to the data plane. Lowering BGP keepalive and hold timers makes the BGP process detect failure sooner, but it increases control-plane activity and can create instability at scale. Tuning the BFD multiplier to an extreme value such as 50 is also counterproductive because it lengthens detection rather than improving it, depending on the interval used. The correct approach is to leave normal BGP timers in place and bind BGP neighbor fall-over to BFD. When the forwarding path fails, BFD notifies BGP quickly, allowing the route to be withdrawn and an alternate provider path to be selected faster without unnecessary BGP timer churn.

The configuration-protocol mapping distinguishes NETCONF and RESTCONF behavior in model-driven programmability. NETCONF is an XML-based network configuration protocol that runs over a secure transport such as SSH and supports structured operations such as get-config, edit-config, lock, unlock, commit, and datastore manipulation. It is well suited to transactional configuration workflows where candidate and running datastores are supported. RESTCONF exposes YANG-modeled data through a REST-style interface over HTTP or HTTPS, using familiar methods such as GET, POST, PUT, PATCH, and DELETE. It can encode data in XML or JSON depending on headers and implementation. Both protocols use YANG models to define the structure and semantics of configuration and operational data, but they differ in transport style, operation model, and tooling. The selected mapping therefore places NETCONF characteristics with the protocol that provides RPC-style operations and datastore handling, while RESTCONF receives HTTP method and URI-based characteristics. In design, the choice depends on controller support, device operating system, required transaction semantics, security policy, and developer tooling. Reference topics: NETCONF, RESTCONF, YANG, datastores, XML and JSON encoding.

Dial-In: collector initiates a session to the device; supports gRPC only. Dial-Out: device initiates a session to the collector; supports TCP, UDP, and gRPC.

Model-driven telemetry can operate in dial-in or dial-out mode, and the distinction is based on which side initiates the session and how the subscription is established. In dial-in telemetry, the collector initiates a session to the network device and dynamically subscribes to the required sensor paths. This is useful when the collector wants direct control over the subscription lifecycle. Cisco telemetry documentation commonly associates dial-in with gRPC-based dynamic subscriptions on supported platforms. In dial-out telemetry, the device initiates the session toward the collector based on a configured subscription. The subscription exists in the device configuration, and the device streams telemetry data to the configured destination without requiring the collector to start the connection. This design is useful when devices are behind NAT, firewalls, or operational models where the network device should push telemetry to a known collector. Therefore, the mapping is: dial-in equals collector-initiated and gRPC-only in this context; dial-out equals device-initiated and supports the listed transport options. This distinction is central to Cisco model-driven telemetry design.

The border node provides connectivity between the SD-Access fabric and networks external to the fabric. In Cisco SD-Access, fabric edge nodes connect endpoints, intermediate nodes provide underlay transport, and control-plane nodes maintain endpoint-to-location mappings. Border nodes sit at the boundary of the fabric and connect the overlay to external Layer 3 networks such as WAN, data center, Internet edge, shared services, or other fabrics. They de-encapsulate VXLAN traffic leaving the fabric and advertise or import reachability using VRFs and routing protocols. A border can be internal, external, or anywhere border depending on whether it connects to shared services, outside networks, or both. Intermediate nodes do not provide external fabric exit; they only transport traffic within the underlay. Edge nodes connect endpoints but are not normally the external gateway for the whole fabric. Control-plane nodes provide mapping services, not external connectivity. Reference topics: SD-Access border node, fabric exit, VRF mapping, external connectivity, overlay-to-underlay boundary.

WAN Edge: traffic forwarding, security, encryption, QoS, and routing protocols; vSmart: distributes routes and policy information via OMP; vManage: centralized provisioning and simplified network changes; vBond: communication for devices behind NAT.

The Cisco SD-WAN component mapping follows the normal separation of management, control, orchestration, and data-plane roles. WAN Edge routers are the data-plane devices at branches, data centers, campuses, or cloud edges. They forward user traffic and apply routing, QoS, encryption, segmentation, and security services. vSmart controllers provide the centralized control plane and distribute reachability and policy information with OMP, including prefixes, TLOCs, and service routes. vManage is the management-plane system; it supplies centralized provisioning, device templates, policy configuration, software lifecycle functions, monitoring, and operational visibility. vBond operates as the orchestration-plane component, authenticating devices during onboarding and helping devices behind NAT discover and establish the correct secure control connections. This separation is critical in enterprise design because each component has different redundancy, reachability, and scale requirements. The architect should not blur vManage and vSmart roles: vManage configures and monitors, while vSmart computes and distributes control policy. Reference topics: Cisco Catalyst SD-WAN architecture, WAN Edge data plane, vSmart OMP, vManage management plane, vBond orchestration.

is responsible for traffic forwarding, security, encryption, QoS,and routing protocols

distributes routes and policy information via OMP

enables centralized provisioning and simplifies network changes

enables the communication of devices that sit behind NAT

The verifying get-config reply must reflect the same YANG model hierarchy and configured values that were pushed by the Postman request. In model-driven automation, a successful transport response is not enough; the engineer must confirm that the intended datastore contains the exact interface, routing, or protocol objects described by the model. Option D is the selected reply because it matches the expected YANG structure for the configuration operation shown in the exhibit. The key principle is that get-config returns configuration data from a specified datastore, such as running or candidate, using the schema-defined XML hierarchy. If the returned XML uses the wrong container, wrong namespace, incorrect key value, or an unexpected leaf, the model set was not designed or addressed correctly. Cisco NETCONF/YANG workflows rely on strict namespace and path accuracy, so even a small mismatch can result in configuration being placed in the wrong subtree or not applied. A clean validation checks the model namespace, parent containers, list keys, leaf names, and actual configured value. Reference topics: NETCONF get-config, YANG XML encoding, datastore validation, Postman automation workflow.

An additional Cisco SD-Access fabric site requires edge and border roles in addition to the control-plane function. Edge nodes connect wired endpoints, access-layer devices, and sometimes access points into the fabric. They perform endpoint detection, anycast gateway functions, and fabric encapsulation for user traffic. Border nodes provide connectivity between the fabric site and external networks such as the WAN, data center, internet edge, or shared services. Without edge nodes, the site has no practical access-layer fabric attachment for endpoints. Without border nodes, the site cannot properly exchange traffic with resources outside the local fabric. A wireless LAN controller may be needed when fabric wireless is part of the design, but it is not one of the mandatory fabric roles for every additional site. Leaf and cEdge are not Cisco SD-Access fabric roles in this context. Reference topics: Cisco SD-Access fabric roles, edge node, border node, control-plane node, fabric site expansion.

Cisco SD-WAN uses the Overlay Management Protocol to exchange control-plane information between WAN Edge routers and vSmart controllers. OMP advertises three major categories of routing information: OMP routes, TLOC routes, and service routes. OMP routes represent reachability to prefixes in service VPNs, such as connected, static, OSPF, EIGRP, BGP, or other routes learned at the local site. TLOC routes describe transport locations, which bind a system IP, color, and encapsulation to a WAN transport attachment. Service routes indicate service insertion capabilities, such as firewalls or other network services that can be reached through a particular site. This separation allows Cisco SD-WAN to build a secure overlay over any public or private transport while keeping transport reachability, service-side prefixes, and inserted services distinct. The other answer choices use generic terms such as underlay, MPLS, Internet, backup, or primary routes, but those are not the formal OMP advertisement categories. Therefore, the correct answer is prefix, TLOC, and service.

The telemetry-mode mapping distinguishes configured subscriptions from dynamic collector-initiated subscriptions. In dial-out telemetry, the network device initiates the connection to the collector according to a configured subscription. This model is useful when devices must proactively stream data to a known receiver, especially where firewall policy allows outbound sessions from the network device. In dial-in telemetry, the collector initiates the session to the device and subscribes to the desired data stream. This approach is useful for ad hoc collection, testing, or centralized collectors that can reach the devices directly. Cisco model-driven telemetry also distinguishes periodic and on-change behavior. Periodic subscriptions send data at configured intervals, while on-change subscriptions publish updates when subscribed state changes. These design choices affect firewall rules, collector reachability, device configuration, scale, and data volume. The architect should match telemetry mode to operational requirements: dial-out for stable production streams from many devices, dial-in for collector-driven access, periodic for baselines, and on-change for efficient state-change monitoring. Reference topics: model-driven telemetry, dial-in, dial-out, subscriptions, periodic and on-change streaming.

OSPF with stub areas is the correct implementation. The reference to RFC 5340 points to OSPFv3, which Cisco documents as the OSPF version used for IPv6 and also capable of carrying IPv4 unicast address families in modern implementations. OSPF is a link-state routing protocol that provides loop-free convergence through SPF calculation, making it a stronger fit than static routing or RIP for a growing WAN. Stub areas reduce routing information inside branch or regional areas by blocking external LSAs and allowing the ABR to inject a default route. That reduces route-table size and limits update propagation, which matches the requirement to optimize routing tables and reduce routing updates between routers. EIGRP with multiple autonomous systems is not aligned with RFC 5340. BGP address families are useful in provider and MPLS VPN designs but are not the best internal route-optimization answer here. OMP is specific to Cisco SD-WAN, not a generic RFC 5340 routing design. Reference topics: OSPFv3, RFC 5340, stub areas, LSA reduction, SPF convergence.

Graceful restart is the correct high-availability design when the routing process on an intermediate OSPF router must undergo maintenance while the data plane remains available. Cisco describes graceful restart as a mechanism that allows a restarting router to continue forwarding traffic while neighbors temporarily preserve adjacency and route information. In OSPF, helper-capable neighbors assist the restarting router by maintaining forwarding state during the restart interval, preventing unnecessary route withdrawal and reconvergence. BFD is a failure-detection mechanism, so it would actually accelerate detection of a failure rather than preserve the forwarding path during planned process maintenance. Nonstop forwarding must be enabled on the device performing the control-plane restart and supported by neighbors, but the broad answer choice that captures the required routing-protocol behavior across the design is graceful restart on the participating routers. Configuring it only on R1 and R3 or only on R3 would not support the R2 process maintenance scenario. Reference topics: OSPF graceful restart, NSF, helper mode, control-plane maintenance, data-plane availability.

Dual stack is the migration topology that supports IPv6 while preserving existing IPv4 services during the transition. In a dual-stack design, hosts and network devices run IPv4 and IPv6 in parallel, allowing applications and services to move gradually from IPv4 to IPv6 without forcing an immediate cutover. That matches the customer’s plan: keep the current IPv4 topology and services, introduce IPv6 connectivity, migrate services, and eventually decommission the IPv4 topology. 6VPE is used to carry IPv6 VPN routes across an MPLS IPv4 provider core, which is a service-provider VPN use case rather than a general enterprise migration topology. 6to4 is an automatic tunneling mechanism and is not appropriate as a stable enterprise migration plan. NAT64 enables IPv6-only clients to reach IPv4 resources through translation, but it does not preserve the complete IPv4 topology while services migrate. Cisco migration guidance treats dual stack as the cleanest operational model when infrastructure supports both protocols, because it avoids translation side effects and allows DNS and application behavior to determine which protocol is used.

The BGP maximum-paths feature should be included when the design goal is to install multiple eligible BGP paths in the routing table and use them for load sharing. By default, BGP selects a single best path after comparing attributes such as weight, local preference, AS path, origin, MED, eBGP over iBGP, IGP metric to next hop, and other tie breakers. If two links between autonomous systems should both carry traffic, the router must be allowed to retain more than one equal or eligible path for forwarding. The maximum-paths command enables BGP multipath installation so the data plane can load share across the available links. Update-source is used to source a BGP session from a loopback or specific interface, not to perform load sharing. Next-hop-self influences recursive reachability and next-hop handling but does not install multiple paths by itself. eBGP multihop changes TTL behavior for non-directly connected eBGP neighbors and is unrelated to load sharing over the two links. Reference topics: BGP multipath, maximum-paths, eBGP load sharing, BGP path selection, route installation.

The drag-and-drop answer follows the practical distinction between the YANG model families. IETF models are standards-based models intended to provide a common structure for widely implemented protocol and interface functions. OpenConfig models are vendor-neutral operational and configuration models developed for cross-vendor automation, with a strong focus on consistent telemetry and network state representation. Cisco native models expose Cisco platform-specific capabilities and usually provide the deepest coverage for IOS XE, IOS XR, or NX-OS features that are not fully represented in a common model. The selected mapping therefore assigns model elements according to origin, portability, and feature depth. In a production automation design, engineers should start with open models when interoperability and long-term portability matter, but they should choose Cisco native models when a required Cisco feature is not available or is incomplete in IETF or OpenConfig. The choice is not cosmetic; it affects payload structure, namespace, validation behavior, and operational consistency across device families. Reference topics: YANG model families, IETF YANG, OpenConfig, Cisco native YANG, model-driven configuration.

When Cisco SD-WAN edge router redundancy is designed, VRRP is the supported first-hop redundancy protocol in the SD-WAN edge context. VRRP provides a virtual default gateway for LAN-side devices, allowing one WAN Edge router to act as the active gateway while another can take over if the active router or tracked condition fails. Cisco SD-WAN designs use VRRP with tracking and policy alignment so branch LAN traffic can fail over to the appropriate edge router while the SD-WAN overlay handles transport and tunnel selection. HSRP and GLBP are traditional campus first-hop redundancy protocols, but they are not the supported FHRP answer for vEdge router redundancy in this design context. OMP is the SD-WAN control-plane routing protocol used between WAN Edge routers and vSmart controllers; it is not a first-hop redundancy protocol for LAN hosts. Therefore, the correct FHRP for vEdge router redundancy is VRRP. The design should also ensure that VRRP priorities, tracking, and SD-WAN routing preferences align so traffic exits the intended edge during normal and failure conditions.

The multicast Reverse Path Forwarding check is a loop-prevention mechanism. Cisco multicast forwarding does not forward traffic merely because the packet arrived on any multicast-enabled interface. Instead, the router checks whether the packet arrived on the interface that would be used to route traffic back toward the multicast source or, in shared-tree cases, back toward the rendezvous point. If the packet arrives on the expected reverse path, it passes the RPF check and can be replicated to the outgoing interface list. If it arrives on the wrong interface, it is dropped to prevent loops and duplicate packets. This supports a loop-free multicast distribution tree from sources to receivers. Auto-RP mapping agents, bootstrap messages, and RP-set discovery are separate rendezvous point distribution mechanisms; they are not the function of the RPF check. In enterprise designs with redundant links, asymmetric routing, or multiple equal paths, multicast RPF behavior must be reviewed carefully because unicast routing choices directly influence whether multicast packets are accepted or discarded. Reference topics: multicast RPF, PIM forwarding, loop prevention, outgoing interface list.

Interdomain multicast designs commonly use MP-BGP and MSDP together. MP-BGP carries multicast routing information between domains so routers can perform RPF checks based on the correct multicast topology rather than relying only on unicast routing. MSDP is used between rendezvous points in different PIM sparse-mode domains to exchange information about active sources. Cisco multicast documentation describes MSDP as a mechanism that connects multiple PIM-SM domains and allows RPs to discover multicast sources in other domains. Together, MP-BGP provides the reachability information and MSDP provides source discovery between RPs. IGMPv2 is a host-to-router group membership protocol inside a local subnet, not an interdomain multicast routing protocol. MLD provides the IPv6 equivalent of host group membership signaling. BIDIR-PIM is a multicast forwarding mode optimized for many-to-many traffic inside a domain, but it is not the pair of protocols used for interdomain source and receiver communication in this question. Therefore, the correct protocols are MP-BGP and MSDP.

An end-to-end QoS strategy with an SLA is the best fit for an application that cannot tolerate drops and requires very low latency across countries. The customer is asking for guaranteed service behavior, not just local classification on one router. A service line with an SLA defines the expected treatment across the provider network, including bandwidth, delay, jitter, and loss commitments. This is especially important for industrial or manufacturing applications that process large data chunks and are sensitive to packet loss. A purely domain-based PHB design can mark and forward traffic differently at each hop, but it does not by itself guarantee the business outcome unless backed by an end-to-end service agreement. A flow-based approach with per-flow queuing on every ISP node would consume more provider resources and scale poorly. FEC can help selected traffic but does not replace a QoS service model. Reference topics: QoS design, service-level agreements, end-to-end QoS, low-latency applications, loss-sensitive traffic, provider WAN services.

The drag-and-drop mapping identifies which elements belong to each model-driven protocol or data-modeling mechanism. Cisco programmability designs distinguish the data model, the encoding, and the transport protocol. YANG defines the structure of configuration and operational data. NETCONF commonly uses XML encoding and provides transactional operations such as get-config, edit-config, lock, and commit-like workflow depending on platform support. RESTCONF exposes YANG-modeled data through HTTP methods and typically uses URI-based resources with XML or JSON encoding. gRPC and gNMI are commonly used for efficient telemetry or operational data streaming, with protocol buffers often used for serialization. The selected mapping follows those protocol boundaries rather than mixing model structure with transport behavior. In design work, this matters because the same network feature can be represented by a YANG model but accessed through different protocols, each with different capabilities, security requirements, and operational semantics. Correctly matching elements to protocols avoids invalid payloads and broken automation workflows. Reference topics: YANG, NETCONF, RESTCONF, gRPC, gNMI, XML and JSON encoding, model-driven telemetry.

Cisco SD-WAN WAN Edge devices can be brought into the overlay through automated zero-touch provisioning or through manual bootstrap configuration. Zero-touch provisioning allows a device to discover the SD-WAN controllers and receive the information needed to authenticate and join the overlay with minimal on-site work. This is a core operational benefit of Cisco SD-WAN because branch routers can be shipped to sites and onboarded without a specialist manually building the entire control-plane configuration locally. Manual configuration remains available when ZTP is not used, when the site has special connectivity constraints, or when the administrator needs to stage the router directly. DHCP options and DNS records can help devices learn controller information in some deployment models, but they are not the complete pair of bootstrap methods named for vEdge onboarding. vManage is the management system, not a bootstrap method by itself. Therefore, the correct methods are ZTP and manual configuration. The design should also validate certificates, organization name, system IP, site ID, and transport interface reachability during onboarding.

VRRP object tracking allows the effective priority of a VRRP router to change when a tracked object changes state. Cisco documentation states that VRRP object tracking ensures the best VRRP router is master by altering VRRP priorities according to tracked objects such as interface or IP route states. This directly supports answer A. It also supports answer D, because VRRP can track interfaces and routes through the tracking process. The priority does not have to remain fixed; object tracking is specifically designed so a router can lower its priority when an uplink, route, or critical dependency fails. A VRRP group is not limited to one tracked object in modern Cisco implementations, so option C is too restrictive. VRRP does not support only interface tracking; route tracking is also a common use case, especially when the LAN interface is still up but upstream reachability has failed. In a resilient campus or branch gateway design, object tracking prevents a router from remaining master when it no longer has a valid upstream path, improving deterministic failover.

The Cisco SD-Access fabric data plane leverages VXLAN-style MAC-in-IP encapsulation to transport endpoint traffic across the Layer 3 fabric. In SD-Access, the underlay provides IP reachability between fabric nodes, while the overlay uses encapsulation to carry user traffic and policy context across that underlay. Cisco fabric edge nodes encapsulate traffic before forwarding it through intermediate nodes and decapsulate it when it reaches the destination edge or border. LISP is used by the control plane to resolve endpoint-to-location mappings, so option A describes the mapping function rather than the data plane. IS-IS provides underlay routing reachability and is not the overlay data-plane mechanism. BGP can be used outside the fabric or in other overlay designs, but it is not the SD-Access fabric data plane. The exam option describes the essential encapsulation function, even though VXLAN is technically MAC-in-UDP over IP. Reference topics: SD-Access data plane, VXLAN encapsulation, fabric edge forwarding, underlay and overlay separation, policy transport.

The control-plane node in Cisco SD-Access acts as the map system that manages endpoint-to-device relationships. Cisco SD-Access documentation describes control-plane nodes as maintaining the host database that maps endpoint identifiers to the fabric edge devices where those endpoints are attached. This mapping function is based on LISP control-plane behavior. When an endpoint appears on an edge node, the edge registers the endpoint information with the control plane. When another fabric device needs to send traffic to that endpoint, it queries the control-plane node to resolve the endpoint location. A fabric edge node is the device that connects wired endpoints to the fabric, so option A describes an edge role. Wireless endpoints may attach through fabric AP and fabric WLC integration, but that is not the control-plane node’s role. External Layer 3 networks are connected through border nodes, not through the control-plane node. Therefore, the correct role is endpoint-to-device mapping. Accurate control-plane design is essential for fabric scale, endpoint mobility, and fast location resolution.

Redundancy for Cisco vBond Orchestrators is normally achieved by mapping the IP addresses of multiple vBond instances to a single DNS name. WAN Edge devices use the configured organization name and vBond DNS name during onboarding to resolve and contact an available orchestrator. This design allows several vBond nodes to be deployed across different locations or availability zones while giving the edge device a consistent bootstrap target. If one vBond is unavailable, DNS resolution can return another reachable vBond address, allowing control-connection orchestration to continue. Selecting only the closest vBond is not the redundancy mechanism described here, and deploying a single vBond creates an avoidable single point of failure. The answer that says WAN Edge routers are configured with all orchestrators by IP address and priority does not represent the common DNS-based design model. In production, the DNS record, certificates, firewall policy, NAT behavior, and controller reachability should all be validated so that WAN Edge devices can reach multiple vBond instances during onboarding and after failures. Reference topics: Cisco SD-WAN controller redundancy, vBond DNS, device onboarding, orchestration availability.

Dynamic NAT-PT is the correct selection when IPv6 hosts in an IPv6 island must access IPv4-only servers and services. NAT-PT translates between IPv6 and IPv4 packet headers and allows IPv6-only nodes to communicate with IPv4-only destinations by dynamically creating translation state. In this scenario, IPv6 hosts need access to file servers and DNS services in an IPv4 network, so a dynamic translation mechanism is required. Stateless NAT66 and stateful NAT66 are IPv6-to-IPv6 translation mechanisms and do not connect IPv6 hosts to IPv4-only resources. Static NAT-PT would be appropriate for fixed one-to-one mappings where specific hosts are permanently mapped, but the question describes general access from an IPv6 island to IPv4 services, making dynamic NAT-PT the better match. In modern designs, NAT64 and DNS64 are commonly preferred successors, but within the answer choices NAT-PT is the IPv6-to-IPv4 transition mechanism. Reference topics: IPv6 transition, NAT-PT, IPv6-to-IPv4 translation, DNS access, dual-protocol migration.

The correct overlay considerations are that virtual networks provide data-plane isolation and that overlapping IP addresses should be avoided for operational simplicity. In Cisco SD-Access, virtual networks are used for macro segmentation and are commonly mapped to VRFs. This separates routing and forwarding tables between major groups such as corporate users, guests, IoT, and shared services. Security Group Tags provide finer policy control and microsegmentation, but they are not the primary mechanism for data-plane isolation between virtual networks. The phrase “virtual networks should be used for microsegmentation” is therefore inaccurate; microsegmentation is SGT and SGACL driven. Although overlapping IP addresses can technically exist in separate VRF-like contexts, Cisco design practice discourages unnecessary overlap because it complicates troubleshooting, service insertion, external connectivity, and inter-VN communication. A clean overlay address plan improves operations and reduces policy ambiguity. Reference topics: SD-Access overlay design, virtual networks, macro segmentation, SGTs, microsegmentation, overlapping IP avoidance. This also simplifies day-two operations.

gRPC provides efficient integration by using protocol buffers to serialize and deserialize structured data over the network. In network programmability and telemetry designs, gRPC is commonly used as the transport framework for streaming model-driven telemetry or for remote procedure calls between collectors, controllers, and network devices. Protocol buffers define compact structured messages that are faster and less ambiguous than parsing text output. This makes gRPC suitable for high-volume telemetry and programmatic device interaction. LDAP is a directory and authentication-related protocol, not the integration mechanism provided by gRPC. XMPP is associated with messaging and presence systems, not gRPC data serialization. Graph API is not a gRPC feature. The operational value of gRPC is that it provides a modern RPC framework with efficient message encoding, service definitions, and support for secure transport through TLS when implemented by the platform. Reference topics: gRPC, protocol buffers, model-driven telemetry, network programmability, structured data serialization. It improves controller interoperability.

TLOC information is the OMP update that allows Cisco SD-WAN to build an overlay over any public or private transport without depending on the actual underlay link addressing. Cisco OMP advertises route reachability along with Transport Location mappings. A TLOC represents where and how a WAN Edge can be reached in the transport network, using attributes such as system IP, transport color, encapsulation, and next-hop information. Remote WAN Edge routers use this information to form secure data-plane tunnels to the correct transport attachment. RLOC is a LISP locator term associated with SD-Access and LISP designs, not the SD-WAN OMP construct. DTLS is the secure transport used for control connections, but it is not an OMP route information type. LISP PITR is unrelated to Cisco SD-WAN OMP. The secure overlay is built by combining OMP routes, TLOCs, policy, and encrypted tunnel establishment. Reference topics: Cisco SD-WAN OMP, TLOC routes, transport color, overlay routing, secure data-plane tunnels.

Before troubleshooting IPsec in a DMVPN deployment, the administrator should verify the GRE tunnel operation. DMVPN is built from multipoint GRE, NHRP, routing, and usually IPsec encryption. IPsec protects the tunnel traffic, but the logical tunnel and overlay reachability must be valid first. If the tunnel interface is down, incorrectly addressed, or unable to carry GRE traffic, troubleshooting crypto maps or ISAKMP will waste time because encryption cannot fix a broken overlay. After the GRE tunnel state is validated, the administrator can confirm NHRP registration and resolution, routing adjacencies, and then IPsec security associations. ISAKMP and crypto map troubleshooting are relevant only after basic tunnel operation is known to be correct. NHRP is also critical in DMVPN, but the question asks what to do before troubleshooting IPsec configuration; the first prerequisite is to verify that the GRE tunnel itself is functioning. This layered troubleshooting order follows Cisco operational practice: confirm transport reachability, then tunnel interface behavior, then NHRP and routing, and finally cryptographic protection.

Cisco SD-Access LAN automation deploys IS-IS as the underlay routing protocol to build node-to-node adjacencies automatically. The underlay must provide stable IP reachability between fabric nodes before the overlay control plane and VXLAN data plane can operate correctly. Cisco SD-Access design guidance uses an automated routed access underlay in which point-to-point links are discovered and provisioned, and IS-IS is used to advertise infrastructure reachability. This approach reduces manual configuration, accelerates brownfield or greenfield onboarding, and creates a consistent transport foundation for the fabric. LISP is used in the SD-Access control plane for endpoint mapping, not for building underlay adjacencies. VXLAN is the overlay data-plane encapsulation and does not establish routing adjacencies. OSPF can be used in some routed networks, but LAN automation for SD-Access uses IS-IS as the automated underlay protocol. Reference topics: SD-Access LAN automation, routed underlay, IS-IS underlay, fabric node discovery, Cisco Catalyst Center automation.