Practice Free 300-420 Designing Cisco Enterprise Networks (ENSLD) v1.1 Exam Questions Answers With Explanation

An MPLS Layer 3 VPN with separate VRFs for corporate and guest traffic is the correct WAN design. The customer has branch teams that must communicate with each other and access enterprise applications in the data center and cloud, while guest traffic must be isolated and allowed only to reach the Internet gateway in the data center. Cisco MPLS L3VPN designs use VRFs to create separate routing tables and isolate traffic over the shared provider backbone. A corporate VRF can carry interbranch and application traffic, while a guest VRF can be routed only toward the data-center Internet security stack. A separate service provider for guest users would increase cost and operational complexity without solving segmentation as cleanly. A firewall in the data center can enforce security, but it does not by itself provide routing separation across the WAN. A separate VRF for every branch would isolate branches from each other and would be unnecessary unless each branch required complete tenant separation. Reference topics: MPLS L3VPN, VRF segmentation, guest Internet access, enterprise WAN design, centralized Internet gateway.

The company must prevent itself from advertising routes learned from one ISP to the other ISP. If it receives full Internet tables from both providers and then re-advertises those learned prefixes, it can unintentionally become a transit autonomous system. The proper BGP design is to apply outbound route policy so only the company’s own originated prefixes are advertised to the ISPs, while routes learned from ISP1 are never advertised to ISP2 and routes learned from ISP2 are never advertised to ISP1. A route map or equivalent prefix filtering policy applied outbound to the ISP neighbors achieves that goal. Local preference influences outbound path selection inside the company AS; it does not prevent transit advertisements. MED influences how a neighboring AS may enter the company network, but it does not stop the company from advertising third-party routes. Tagging incoming routes with no-export is not as deterministic as simply filtering what is advertised to each provider and may still allow undesirable routing behavior within the directly connected provider. Therefore, the design should include outbound route filtering with a route map.

Cisco SD-WAN uses Path MTU Discovery to avoid fragmentation problems across the overlay. SD-WAN traffic is encapsulated and encrypted, which adds overhead beyond the original packet size. If the effective path MTU is smaller than the encapsulated packet, fragmentation or packet loss can occur, especially when the DF bit is set or when intermediate devices block fragmentation-related ICMP messages. PMTUD allows devices to discover the largest packet size that can traverse the path without fragmentation and adjust forwarding behavior accordingly. Marking traffic with DF alone does not solve the issue; it may expose the problem by causing packets to be dropped when too large. Jumbo frames are not a universal WAN solution because service-provider, Internet, and broadband paths often do not support them consistently. Configuring every access circuit with a fixed 1600-byte MTU is not a reliable design assumption. The correct design is to rely on PMTUD and validate tunnel overhead, device MTU, TCP MSS adjustment where needed, and ICMP handling across transports. Reference topics: Cisco SD-WAN MTU, PMTUD, tunnel overhead, fragmentation avoidance, IPsec encapsulation.

An additional Cisco SD-Access fabric site requires edge and border roles in addition to the control-plane function. Edge nodes connect wired endpoints, access-layer devices, and sometimes access points into the fabric. They perform endpoint detection, anycast gateway functions, and fabric encapsulation for user traffic. Border nodes provide connectivity between the fabric site and external networks such as the WAN, data center, internet edge, or shared services. Without edge nodes, the site has no practical access-layer fabric attachment for endpoints. Without border nodes, the site cannot properly exchange traffic with resources outside the local fabric. A wireless LAN controller may be needed when fabric wireless is part of the design, but it is not one of the mandatory fabric roles for every additional site. Leaf and cEdge are not Cisco SD-Access fabric roles in this context. Reference topics: Cisco SD-Access fabric roles, edge node, border node, control-plane node, fabric site expansion.

A single-homed enterprise that runs BGP with one ISP should advertise its assigned public prefix to the ISP and receive a default route from the ISP. Because there is only one upstream provider, the customer does not need the full Internet table to make path-selection decisions; all Internet destinations exit the same provider path. Receiving only a default route conserves memory and CPU on the CE router and simplifies operations. The customer must still originate its public prefix toward the ISP so the provider can advertise reachability to the Internet. The ISP should not be the originator of the customer-owned ARIN prefix toward the customer; it may advertise that prefix to the Internet after receiving it from the customer. Requesting the full BGP table or even a partial table adds unnecessary scale for a single-homed site. Advertising a default route to the ISP is also wrong because the ISP already owns upstream Internet reachability. Reference topics: single-homed BGP, CE-PE peering, default route, public prefix advertisement, Internet edge design.

PortFast is the correct functionality for the Gi1/0/1-10 interfaces when those ports are endpoint-facing access ports. Cisco spanning-tree design uses PortFast to allow edge ports to transition directly to the forwarding state, avoiding the normal listening and learning delay associated with traditional STP convergence. That improves user and endpoint connectivity after link-up events and is especially important for workstations, phones, printers, and access devices that should not participate in the Layer 2 topology. Root guard and BPDU guard are protection features, not the primary convergence optimization requested by the architect. UplinkFast was used in older STP designs to accelerate recovery for access switches with redundant uplinks, but it is not the edge-port functionality for interfaces Gi1/0/1-10. In a modern design, PortFast should be enabled only on true host-facing ports, normally together with BPDU guard to protect against accidental switch attachment. If the exhibit shows these interfaces as end-user access ports, PortFast is the feature that follows the recommendation to optimize STP convergence time. Reference topics: STP PortFast, edge-port convergence, BPDU guard, Layer 2 campus design.

Wireless endpoints in Cisco SD-Access are registered through the fabric wireless integration process, and the fabric WLC is the component that updates endpoint information as clients join the wireless network. The Host Tracking Database stores endpoint identifier and location information used by the SD-Access control plane. For wired endpoints, the fabric edge detects the endpoint and registers the binding. For wireless endpoints, the fabric WLC is integrated with the fabric and has the client session context, so it provides the endpoint information needed for HTDB updates. Border nodes do not first register ordinary wireless endpoints; their role is to connect the fabric to external networks and other domains. Fabric APs also do not own the complete EID-to-RLOC registration function in the way the controller does. The design implication is that fabric wireless requires correct WLC integration with Cisco Catalyst Center, fabric site configuration, control-plane reachability, and policy integration through Cisco ISE. Client registration, mobility, and policy enforcement depend on this controller-to-fabric relationship being stable. Reference topics: SD-Access wireless, fabric WLC, Host Tracking Database, endpoint registration, LISP control plane.

The drag-and-drop mapping is based on how Cisco differentiates YANG model families used for model-driven programmability. IETF models are standards-based and are intended for broad interoperability across vendors. They are the usual choice when the design priority is a consistent baseline for multivendor configuration or operational state. OpenConfig models are also vendor-neutral, but they are developed by the OpenConfig community and often provide an operationally consistent structure for telemetry and configuration across platforms. Cisco native models are vendor-specific models that expose detailed Cisco IOS XE, IOS XR, or NX-OS features, including capabilities that may not be represented in IETF or OpenConfig models. The design choice is therefore not simply “one model is always best.” It depends on whether the requirement prioritizes portability, abstraction, or complete Cisco feature coverage. For a standards-driven multivendor design, use IETF or OpenConfig where sufficient. For Cisco-specific device features, use Cisco native models. Reference topics: YANG models, IETF models, OpenConfig, Cisco native models, NETCONF/RESTCONF programmability.

In a Cisco SD-Access fabric, DHCP relay design must account for the fact that endpoints can attach to different fabric edge nodes while using consistent anycast gateway behavior. DHCP Option 82 is important because it inserts relay-agent information that allows the DHCP infrastructure to identify where the DHCP request originated. This enables the correct address scope and policy context to be selected for the endpoint even when the gateway address is anycast across multiple fabric edges. Cisco SD-Access DHCP guidance emphasizes the use of relay information so centralized DHCP services can assign the correct address based on fabric location and endpoint context. DHCP relay is not simply enabled on border nodes, and subnets should not be stretched across fabric edges by placing DHCP servers on borders. DHCP servers do not require a special proprietary SD-Access extension in the sense described by the incorrect option; they use standard relay information such as Option 82. Therefore, the key design consideration is enabling DHCP Option 82 so the circuit information maps the request to the fabric node where it originated.

Route tagging with a route map is the correct redistribution loop-prevention method. In a design with mutual redistribution between OSPF and IS-IS, a route learned from one domain can be redistributed into the other domain and then fed back into the original domain at another redistribution point. This creates route feedback, suboptimal routing, or loops. Cisco routing design commonly prevents this by tagging routes at the point of redistribution and then filtering or denying routes with that tag when they are seen again at another redistribution boundary. A route map can set the tag during redistribution and match the tag on the reverse redistribution direction. Changing administrative distance may influence local route selection, but it does not reliably prevent feedback throughout the network. Stub areas reduce external LSA scope in OSPF, but they do not solve a multipoint redistribution loop between OSPF and IS-IS. Prefix filtering can work, but tagging scales better and preserves route identity across redistribution points. Reference topics: route redistribution, route tagging, route maps, OSPF, IS-IS, loop prevention.

L2VPN is the correct technology because the requirement is for two remote offices to share a common broadcast domain across a private WAN with minimal overhead. A Layer 2 VPN service extends Ethernet or VLAN connectivity between customer sites while keeping the customer routing design independent of the provider core. From the customer perspective, the two sites can appear to be on the same Layer 2 segment, which satisfies the shared broadcast-domain requirement. GET VPN, IPsec, and GRE are Layer 3-oriented technologies. They can connect sites securely or provide tunneling, but they do not natively create a common Layer 2 broadcast domain between the offices. GRE also adds additional encapsulation overhead, and IPsec alone generally provides encrypted routed connectivity rather than an Ethernet service. For a simple direct logical path over a private WAN, an L2VPN service such as VPWS or VPLS is the appropriate design family. Reference topics: L2VPN, VPWS, VPLS, Ethernet WAN services, broadcast-domain extension, private WAN connectivity.

Switch D should be the VLAN 10 primary root, Switch C should be the VLAN 10 secondary root, and link A should remain a Layer 2 trunk. The requirements say VLANs span multiple access switches and all VLANs are trunked on all uplinks. In that design, the distribution interswitch link must remain Layer 2 so the VLAN can exist consistently across the access layer. For fastest and most deterministic Rapid PVST+ convergence, the spanning-tree root bridge should align with the active first-hop gateway for the VLAN. In the exhibit, Switch D is the active gateway for VLAN 10, so making Switch D the primary STP root avoids unnecessary traffic tromboning and keeps the forwarding path optimal. Switch C becomes the secondary root for resiliency. A Layer 3 routed interdistribution link is a best practice when VLANs are not stretched, but it contradicts the stated requirement that VLANs span access switches. Reference topics: Rapid PVST+, STP root placement, FHRP alignment, Layer 2 campus distribution, VLAN spanning design.

Manual underlay is the correct deployment approach for a brownfield SD-Access scenario. In a greenfield fabric, Cisco DNA Center LAN Automation can build the routed underlay by discovering devices, assigning addresses, and creating the required underlay adjacencies. Brownfield environments already have an installed campus network, addressing plan, routing policy, operational constraints, and production dependencies. Rebuilding that underlay automatically can introduce unnecessary disruption. Cisco SD-Access brownfield designs normally preserve and validate the existing routed underlay, then use Cisco DNA Center to discover devices and automate the fabric overlay, policy, and endpoint segmentation functions. Subnet stretching is not the required deployment model and can create operational complexity. Automated underlay and LAN automation are powerful when the physical network is being newly built, but they are not the safest default for an established production environment. A professional brownfield design should first confirm MTU, routing reachability, loopback advertisements, device support, and fabric readiness before onboarding nodes. Reference topics: SD-Access brownfield migration, manual underlay, Cisco DNA Center, LAN Automation, fabric readiness.

The expected port state follows Rapid Spanning Tree Protocol role selection on equal-speed point-to-point links. With 802.1w, each non-root switch selects one root port based on the lowest path cost to the root bridge. Where there are redundant Layer 2 paths of equal speed, one side of a redundant segment must remain blocked as an alternate port to maintain a loop-free topology. Because all links are 1 Gbps, path cost is equal unless bridge priority, bridge ID, or port ID breaks the tie. The selected option identifies the port pair that becomes alternate blocking based on the root placement and tie-breakers shown in the exhibit. RSTP improves convergence compared with classic 802.1D by using proposal and agreement handshakes on point-to-point links, but it still blocks redundant paths when a pure Layer 2 loop exists. A design requiring all links to forward would need a routed access design, MEC, StackWise Virtual, VSS, or another loop-free multipath technology. Reference topics: RSTP, root port, designated port, alternate port, point-to-point links, Layer 2 loop prevention.

For model-driven telemetry with periodic updates, the architect must understand that each periodic update sends the subscribed data at the configured interval. Cisco telemetry guidance distinguishes periodic subscriptions from on-change subscriptions. A periodic subscription streams a full copy of the subscribed data element or table at each interval, even if the underlying state has not changed. That behavior is useful when the collector needs regular time-series samples, trending, or baseline monitoring, but it creates predictable bandwidth and collector-load requirements. On-change subscriptions are different: they publish updates when the subscribed state changes and are more efficient for state changes such as interface status, memory thresholds, or protocol adjacency m ovement. Empty subscription behavior and initial update timing may matter in specific implementations, but they are not the main design consideration in this question. Since the customer requires periodic updates, the design must size the transport, collector, retention system, and subscription intervals around repeated full data delivery. Reference topics: model-driven telemetry, periodic subscription, on-change subscription, YANG-modeled operational data, collector sizing.

Cisco SD-WAN detects subsecond transport failure by running BFD across the IPsec tunnels between WAN Edge routers. The WAN Edge devices form encrypted data-plane tunnels over each transport, and BFD probes those tunnels to measure liveliness, loss, latency, jitter, and path availability. When BFD detects a failed or degraded tunnel, the SD-WAN fabric can withdraw or avoid that path quickly, enabling application-aware routing and fast failover. Hellos between WAN Edge routers and vSmart controllers are control-plane mechanisms and do not directly detect data-plane transport failure between edge routers. BGP is not the SD-WAN overlay control protocol for this function; OMP is used with vSmart for overlay route and policy exchange. Link-state messages between vSmart controllers do not measure transport-path liveliness. Therefore, BFD on IPsec tunnels is the correct failure-detection mechanism. The design should ensure that BFD timers, tunnel scale, controller policy, and SLA classes are chosen to balance fast failover with platform resources and transport stability. Reference topics: Cisco SD-WAN BFD, IPsec tunnels, transport failure detection, application-aware routing, data-plane liveliness.

A TLOC extension facilitates WAN Edge router redundancy within a site. In Cisco SD-WAN, a Transport Location identifies a WAN transport attachment using attributes such as system IP, color, and encapsulation. A TLOC extension allows one WAN Edge router to use a transport circuit physically connected to another WAN Edge router at the same site. This is valuable when a branch has two edge routers and two transports, but each transport is cabled to only one router. With TLOC extension, each router can still gain logical access to both transports, improving redundancy and allowing better path diversity without adding more service-provider circuits or handoffs. The feature does not simply identify the physical interface; that is part of TLOC definition. It does not increase the number of colors or create a port-channel-style aggregate. A sound design also accounts for failure domains, service-side routing, and whether the inter-router link has enough bandwidth for extended transport traffic. Reference topics: Cisco SD-WAN TLOC, TLOC extension, WAN Edge redundancy, transport color, branch resiliency.

The 8-class QoS model is the appropriate DiffServ design when an enterprise is adding voice and video to an existing data network and needs priority treatment for voice. Cisco enterprise QoS designs commonly evolve from a simple data-only model to a multi-class model that separates routing/control, voice bearer, video, signaling, transactional data, bulk data, scavenger traffic, and default traffic. This separation is important because voice requires strict low latency, low jitter, and minimal loss, while video usually requires guaranteed bandwidth but must not starve voice or network control traffic. A 4-class model can be too coarse when both VoIP and IP video are introduced because it often collapses distinct traffic types into broad queues. A 12-class model may be appropriate for very mature or complex environments, but it is more operationally demanding. The 6-class model can work in some cases, but the common Cisco campus and WAN baseline for mixed voice, video, and data is the 8-class model. Reference topics: DiffServ QoS, enterprise QoS class models, voice priority queue, video classification, DSCP design.

Route summarization and EIGRP stub routing are the two correct design techniques for a stable and scalable EIGRP deployment. Summarization reduces the number of prefixes advertised upstream, conserves bandwidth and memory, hides route flaps behind the summary boundary, and reduces the size of the EIGRP topology table. Stub routing prevents branch or access devices from being used as transit routers and limits the scope of EIGRP queries. This is critical because uncontrolled EIGRP query propagation can increase convergence time and processing load, especially in larger hierarchical networks. Prefix lists and distribute lists can filter routes, but filtering alone does not provide the same query-boundary and topology-hiding benefits as summarization and stubs. Static redistribution increases complexity and can create loop or policy risks if not controlled with tags and metrics. The question specifically asks to conserve bandwidth, memory, and CPU, prevent suboptimal routing, and avoid unnecessary queries; summarization and stub routing are the direct Cisco design answers. The architect should summarize at hierarchy boundaries and configure access or branch routers as EIGRP stubs where they should not provide transit. Reference topics: EIGRP summarization, EIGRP stub routing, query scope, hierarchical routing.

Route summarization should be planned from the aggregation layer toward both the core and the access layer. In hierarchical campus routing, aggregation or distribution devices are natural summarization boundaries because they sit between more specific access-layer networks and the core. Summarizing from aggregation toward the core prevents access-layer subnet churn from forcing unnecessary recomputation and route table growth in the core. Summarizing from aggregation toward access can also provide a concise upstream route, often a default or summary route, so access devices do not need the entire network routing table. The goal is to contain failures, reduce routing state, and preserve fast convergence at hierarchy boundaries. Summarizing from the core toward aggregation may hide useful topology details in the wrong direction, while summarizing directly from access toward aggregation is not always possible or efficient when access devices are numerous and have limited resources. The answer that places summarization at aggregation in both directions best matches Cisco hierarchical design principles. Reference topics: hierarchical campus design, route summarization, aggregation layer, core route scale, convergence containment.

Ethernet Local Management Interface is used between the customer edge and provider edge to communicate service status information for Ethernet services. Under MEF Ethernet service operations, E-LMI provides the CE with information about Ethernet Virtual Connection status, including whether a configured EVC is available or unavailable. This allows the customer device to react to a provider-side service condition without relying only on physical link state. The CE-to-PE link can remain physically up even while the provider EVC is down; E-LMI closes that operational visibility gap by reporting the EVC state to the customer edge. It is not a routing protocol and does not broadcast multicast routes from the CE to the PE. It also does not broadcast to all subnets when an EVC is added. The key function defined by the MEF process is notifying the CE of EVC availability state and related service information. Reference topics: Metro Ethernet, E-LMI, Ethernet Virtual Connection, CE-to-PE signaling, MEF service operations.

The load balancers should be co-located in area 0 because the design is using the same /32 application address from multiple OSPF-enabled devices. This is an anycast-style design: several load balancers advertise the same host route, and the routing protocol sends clients to the topologically best available instance. In OSPF, route preference is strongly affected by route type. Intra-area routes are preferred over interarea routes, and interarea summarization can also hide useful path details. If identical anycast host routes are originated from different nonbackbone areas, hosts may not always select the closest or most resilient load balancer, and failure behavior can become inconsistent. Placing the load-balancer anycast advertisements in area 0 keeps the routing decision consistent and avoids unnecessary interarea preference complications. Configuring X, Y, and Z as different areas would make the problem worse, and placing only one load balancer in area 0 does not provide uniform resilience. Reference topics: OSPF area design, anycast host routes, intra-area preference, backbone area, application load-balancer resilience.

The drag-and-drop mapping is based on the standard Cisco Catalyst SD-WAN component roles. vManage, now Cisco Catalyst SD-WAN Manager, provides centralized management, configuration, monitoring, templates, and operational visibility. vSmart Controller provides the centralized control plane, distributes OMP routing information, and applies control policy to determine reachability and path selection. vBond Orchestrator supports initial authentication, orchestration, and NAT traversal so WAN Edge devices can join the overlay. WAN Edge routers provide the data plane at branches, campuses, data centers, and cloud edges; they forward user traffic, establish secure tunnels, and apply localized policies. Correctly separating these roles is critical in the design because management, control, orchestration, and forwarding scale independently. Misidentifying vBond as the data-plane element or vManage as the route controller would lead to an incorrect SD-WAN architecture. Reference topics: Cisco Catalyst SD-WAN components, vManage, vSmart, vBond, WAN Edge, OMP control plane. This role separation is also what lets large deployments scale without mixing troubleshooting, provisioning, and forwarding responsibilities on one system.

The Cisco SD-Access fabric data plane leverages VXLAN-style MAC-in-IP encapsulation to transport endpoint traffic across the Layer 3 fabric. In SD-Access, the underlay provides IP reachability between fabric nodes, while the overlay uses encapsulation to carry user traffic and policy context across that underlay. Cisco fabric edge nodes encapsulate traffic before forwarding it through intermediate nodes and decapsulate it when it reaches the destination edge or border. LISP is used by the control plane to resolve endpoint-to-location mappings, so option A describes the mapping function rather than the data plane. IS-IS provides underlay routing reachability and is not the overlay data-plane mechanism. BGP can be used outside the fabric or in other overlay designs, but it is not the SD-Access fabric data plane. The exam option describes the essential encapsulation function, even though VXLAN is technically MAC-in-UDP over IP. Reference topics: SD-Access data plane, VXLAN encapsulation, fabric edge forwarding, underlay and overlay separation, policy transport.

BFD with default BGP timers is the best design choice because it improves failure detection without forcing BGP itself to run aggressive keepalive processing. Cisco documentation describes BFD as providing fast forwarding-path failure detection and notes that BFD can be less CPU-intensive than reduced EIGRP, BGP, and OSPF timers because parts of BFD can be distributed to the data plane. Lowering BGP keepalive and hold timers makes the BGP process detect failure sooner, but it increases control-plane activity and can create instability at scale. Tuning the BFD multiplier to an extreme value such as 50 is also counterproductive because it lengthens detection rather than improving it, depending on the interval used. The correct approach is to leave normal BGP timers in place and bind BGP neighbor fall-over to BFD. When the forwarding path fails, BFD notifies BGP quickly, allowing the route to be withdrawn and an alternate provider path to be selected faster without unnecessary BGP timer churn.

The fabric control plane in Cisco SD-Access creates and resolves endpoint-to-location mappings. SD-Access separates endpoint identity from physical topology by using LISP in the control plane. Endpoint addresses are treated as Endpoint Identifiers, and fabric node locations are represented by Routing Locators. When an endpoint appears on a fabric edge node, the edge registers that endpoint-to-edge binding with the control-plane node. When another edge needs to send traffic to that endpoint, it queries the control plane to resolve the current location and then uses the fabric data plane to encapsulate traffic toward the correct destination. Group-Based Access Control policy creation and enforcement involve Cisco ISE, security group tags, and policy components rather than the basic mapping purpose of the fabric control plane. BGP route reflection is not the SD-Access control-plane function, and extending multiple subnets to one RLOC is not the main purpose. Reference topics: SD-Access control plane, LISP, EID-to-RLOC mapping, endpoint registration, map resolution.

Redundancy for Cisco vBond Orchestrators is normally achieved by mapping the IP addresses of multiple vBond instances to a single DNS name. WAN Edge devices use the configured organization name and vBond DNS name during onboarding to resolve and contact an available orchestrator. This design allows several vBond nodes to be deployed across different locations or availability zones while giving the edge device a consistent bootstrap target. If one vBond is unavailable, DNS resolution can return another reachable vBond address, allowing control-connection orchestration to continue. Selecting only the closest vBond is not the redundancy mechanism described here, and deploying a single vBond creates an avoidable single point of failure. The answer that says WAN Edge routers are configured with all orchestrators by IP address and priority does not represent the common DNS-based design model. In production, the DNS record, certificates, firewall policy, NAT behavior, and controller reachability should all be validated so that WAN Edge devices can reach multiple vBond instances during onboarding and after failures. Reference topics: Cisco SD-WAN controller redundancy, vBond DNS, device onboarding, orchestration availability.

OpenConfig separates intended configuration from operational state by using separate config and state containers, while many IETF and Cisco native models use a single hierarchy for configuration and operational data or expose operational data differently. This distinction is important in automation because the client must know whether it is writing desired configuration or reading actual device state. OpenConfig’s structure was designed to provide consistent multivendor modeling, with configuration data placed under config containers and observed state under state containers. Cisco native models tend to mirror the Cisco device CLI and feature hierarchy more closely, while IETF models focus on standards-based interoperability. Option B correctly states the contrast presented in the question. Option A reverses the relationship. Option C incorrectly assigns split containers to IETF and native models. Option D incorrectly isolates Cisco native models as the only split-container style. Reference topics: YANG model structure, OpenConfig config and state containers, IETF YANG, Cisco native models, network automation data modeling.

The scalable BGP design should use VPNv4 on the PE routers for L3VPN site routes and BGP IPv4 unicast on ABRs to connect multiple IGP/LDP domains. VPNv4 is the correct MP-BGP address family for carrying customer VPN routes across a provider MPLS Layer 3 VPN core because it combines route distinguishers and VPN labels with customer prefixes. This lets the provider scale many customer routes while maintaining separation between VPNs. When the provider network spans multiple IGP or LDP domains, BGP IPv4 unicast can be used at ABRs to carry infrastructure reachability and avoid trying to flood a single IGP domain across the entire provider backbone. Full-mesh iBGP among all routers in different IGP domains is not scalable and conflicts with the requirement that thousands of routes will be added. Redistributing all IGP routes into a single BGP IPv4 instance without VPNv4 does not preserve customer VPN separation. Filtering loopbacks everywhere is not the core scaling solution. Reference topics: MP-BGP VPNv4, MPLS L3VPN, ABR design, interdomain provider routing, route scale.

Moving the link between routers C and D into area 10 provides the most direct OSPF design correction for optimal routing between the internal networks after the C-E link fails. OSPF requires careful area design because intra-area routes are preferred over interarea routes, and traffic between two routers in the same regular area should not be forced through a less optimal backbone or interarea path when a better local path exists. If the C-D link remains outside area 10, the failure of C-E can cause traffic between 10.1.1.0/24 and 172.16.1.0/24 to take a suboptimal interarea route. Placing the C-D link in area 10 keeps the alternate path within the same area and allows OSPF to calculate the best intra-area route when the primary link fails. A virtual link is used to connect a disconnected area to area 0, not to optimize this intra-area failure case. A tunnel adds unnecessary overlay complexity, and making area 10 NSSA changes external LSA behavior, not internal path optimization. Reference topics: OSPF area design, intra-area preference, failure-path optimization, link placement.

Scalable groups provide intra-VN traffic filtering and control in Cisco SD-Access. Within a virtual network, macro segmentation separates routing tables, but endpoints inside the same VN may still need policy control based on identity, role, or security posture. Cisco SD-Access uses scalable group tags and scalable group ACLs to implement group-based policy. This allows policy to be expressed as user or device group relationships instead of only subnet-based ACL entries. The result is microsegmentation inside the virtual network, where traffic between groups can be permitted or denied consistently across the fabric. MAC ACLs are limited Layer 2 filters and do not provide the identity-based policy model required for SD-Access. Prefix lists are route-filtering tools, not intra-VN access-control mechanisms. Service policies are used for QoS or traffic treatment and do not define group-based segmentation. Scalable groups are therefore the correct policy construct for intra-VN filtering in the fabric. Reference topics: Cisco SD-Access policy, scalable groups, SGT, SGACL, microsegmentation, intra-VN control.

Intermittent DMVPN tunnel flaps are commonly caused by reachability problems between routing neighbors or between the tunnel endpoints that support those neighbors. DMVPN depends on several layers working correctly: the underlay transport, GRE tunnel interface, NHRP registration and resolution, IPsec protection if used, and the routing protocol running across the tunnel. If the routing neighbor cannot remain reachable, the tunnel may appear to flap even though the encryption profile itself is not the root cause. A suboptimal routing table can produce poor forwarding or asymmetric traffic, but it is not the most common direct cause of repeated tunnel up/down events. Bandwidth congestion can degrade performance, but a correctly designed tunnel does not flap merely because utilization is high unless keepalives, NHRP, or routing packets are being lost. The fact that a GRE tunnel is not encrypted is a security design problem, not a tunnel-flap cause. The right troubleshooting posture is to verify stable underlay reachability, tunnel interface state, NHRP mappings, and routing adjacency stability before assuming an IPsec encryption failure.

The selected configuration sets are correct because the addressing plan must use VLSM to maximize subnets and minimize wasted addresses. Customer A requires 125 hosts, so it needs a /25 subnet, which provides 126 usable host addresses. Customer D requires 62 hosts, so it needs a /26 subnet, which provides 62 usable addresses exactly. Point-to-point or small WAN links B, C, and E should use the smallest appropriate link subnets shown in the exhibit, typically /30 for IPv4 point-to-point links when two usable addresses are required. A correct plan must allocate the largest blocks first, align every subnet on the proper boundary, avoid overlap, and avoid assigning a larger-than-needed subnet to any customer or link. Options A and C are the two valid combinations that satisfy those rules in the exhibit. Any option that places a /25 or /26 on the wrong boundary, overlaps with another block, or wastes larger subnets on links would fail the design objective. Reference topics: IPv4 VLSM, subnet boundary alignment, host capacity planning, point-to-point addressing, route summarization readiness.

An SD-Access intermediate node routes and transports IP traffic between fabric nodes. It is part of the underlay transport path, comparable to a routed distribution or core device that provides IP reachability between edge, border, and control-plane nodes. Intermediate nodes do not perform endpoint registration, VXLAN encapsulation for attached users, virtual-network mapping, or anycast gateway services. Those functions belong primarily to fabric edge nodes. They also do not act as LISP proxy tunnel routers, which is a border-node function used for communication between the fabric and external networks. The intermediate node’s role is deliberately simple: maintain underlay routing, provide resilient transport, and forward encapsulated traffic across the fabric infrastructure. This separation of roles is what lets Cisco SD-Access scale by keeping endpoint intelligence at the edge and mapping intelligence in the control plane while the intermediate layer remains a stable IP transport network. Reference topics: SD-Access intermediate node, routed underlay, IP transport, fabric roles, edge and border node separation.

MSDP is the correct solution because the question explicitly references RFC 3618, which defines the Multicast Source Discovery Protocol. The design has separate PIM Sparse Mode multicast domains, with RP functions already configured on edge routers in each autonomous system. Cisco explains that MSDP allows rendezvous points in different PIM-SM domains to discover active multicast sources outside their local domain. When a source becomes active, the local RP can advertise source-active information to MSDP peers, allowing receivers in another domain to learn and join the stream. PIM-SSM is not correct because SSM removes the RP dependency and requires receivers to know the source directly. MP-BGP can carry multicast routing information, but it does not perform RP-to-RP source discovery. BIDIR-PIM is a multicast mode for many-to-many shared-tree forwarding, not an interdomain RP discovery mechanism under RFC 3618. Reference topics: MSDP, RFC 3618, PIM Sparse Mode, interdomain multicast, Source-Active messages, rendezvous points.

BFD with tuned timers is the correct fault-detection solution when OSPF traffic must fail over in milliseconds and cannot wait for the OSPF dead interval. Cisco describes Bidirectional Forwarding Detection as a lightweight mechanism that detects forwarding-path failures rapidly and notifies the routing protocol. OSPF can then bring down the adjacency and switch to an alternate route without waiting for the normal hello and dead timer process. Tuning SPF delay or LSA timers improves the control-plane calculation phase after OSPF has learned about a failure, but it does not provide the fastest failure detection by itself. IP SLA tracking can detect reachability problems, but it is not the standard per-neighbor OSPF millisecond detection mechanism. Decreasing SPF timers alone does not solve the requirement to avoid waiting for the dead interval. Therefore, BFD with appropriate 100 ms timers is the correct design choice. Reference topics: OSPF high availability, BFD, fast failure detection, dead interval avoidance, subsecond convergence.

In multicast routing, a source tree is also called a shortest-path tree because it is rooted at the multicast source and follows the best unicast path from receivers back toward that source. Cisco PIM documentation describes source trees as shortest-path trees and contrasts them with shared trees, which are rooted at a rendezvous point. Because the tree is built directly toward the source, it provides an optimal forwarding path between source and receivers and generally gives the lowest latency path for multicast delivery. This is why statements A and B are correct. A shared tree, not a source tree, uses a single common root at a selected point in the network, normally the RP in PIM sparse mode. Shared trees can create suboptimal forwarding because traffic may travel through the RP before switching to the shortest-path tree. Source trees require per-source multicast state, so they may consume more control-plane resources, but they are the correct choice when optimal forwarding and minimum latency are the design priorities.

The design should use a scavenger queue for excessive or suspicious traffic and apply queuing on the access-to-distribution uplinks where congestion can occur. Cisco QoS campus design commonly uses a less-than-best-effort scavenger class to constrain traffic associated with worms, peer-to-peer applications, bulk background flows, or other nonbusiness traffic. Placing this traffic in a scavenger queue minimizes the bandwidth it can consume during congestion without harming real-time applications. Real-time voice or video traffic should be placed in a strict-priority queue so it receives low delay and low jitter treatment when links are congested. Applying queuing on access-to-distribution links is important because those uplinks are common campus congestion points, especially during bursts or abnormal traffic events. A shaping policy is not the right tool for campus LAN uplinks, and indiscriminate policing of real-time traffic can cause drops that damage voice and video quality. Reference topics: campus QoS, scavenger class, strict-priority queue, access uplink queuing, congestion management, worm mitigation.

DMVPN is preferred over individually configured point-to-point IPsec tunnels when a company has many branches because it scales the overlay more efficiently. A traditional IPsec tunnel design requires manual or template-based tunnel definitions for every required site-to-site relationship. As branches increase, tunnel count, configuration complexity, and operational overhead grow quickly. Cisco DMVPN combines multipoint GRE, NHRP, and IPsec so spokes can register with the hub and dynamically discover next-hop information for other spokes. This supports a hub-and-spoke control model while allowing dynamic spoke-to-spoke data tunnels when branch-to-branch traffic is required. That is why greater scalability and dynamic spoke-to-spoke tunnel creation are the two design advantages. AES-256 encryption is not unique to DMVPN because normal IPsec can also use strong encryption. Anycast gateway is unrelated to DMVPN WAN overlay design. Lower traffic overhead is not the best answer because DMVPN adds mGRE, NHRP, and IPsec encapsulation overhead; its advantage is operational scalability and dynamic tunnel establishment.

Service routes in OMP updates identify services that are available for centralized service insertion. In Cisco Catalyst SD-WAN, OMP does more than advertise ordinary VPN prefixes. It also carries TLOC routes, which describe transport locators, and service routes, which allow the fabric to steer traffic toward network services such as firewalls, intrusion prevention systems, or other centralized service nodes. This is how the SD-WAN control plane distributes enough information for WAN Edge routers to make policy-driven forwarding decisions without requiring each device to learn service attachment through a separate routing protocol. A service route is not used to describe the underlay transport itself, because that function is handled by TLOC information. It is also not a route to the orchestration plane or a remote management definition. The design value is that service insertion can be centrally advertised and controlled through OMP, then applied consistently through SD-WAN policy. Reference topics: Cisco SD-WAN OMP, service routes, TLOC routes, service insertion, centralized data policy.

MSDP is the correct feature when multicast receivers in one autonomous system must be able to learn and receive content from sources in another autonomous system. The scenario describes separate multicast frameworks close to the receivers in each AS and requires source resiliency across AS boundaries. In PIM Sparse Mode, a local RP learns about sources registered in its own domain. MSDP allows RPs in different domains to exchange Source-Active information, enabling receivers in one domain to discover and join toward sources that exist in another domain. Anycast RP is primarily a redundancy and load-sharing technique for RPs, often inside a multicast domain, but it does not by itself provide interdomain source discovery for independent ASs. SSM can be efficient when receivers know the source, but the question emphasizes RP-based framework placement and source availability between ASs. BIDIR-PIM is for scalable many-to-many shared-tree forwarding, not interdomain source discovery. Therefore, the design should include MSDP. Reference topics: MSDP, interdomain multicast, PIM-SM, Source-Active exchange, RP resilience across autonomous systems.

The drag-and-drop mapping identifies which elements belong to each model-driven protocol or data-modeling mechanism. Cisco programmability designs distinguish the data model, the encoding, and the transport protocol. YANG defines the structure of configuration and operational data. NETCONF commonly uses XML encoding and provides transactional operations such as get-config, edit-config, lock, and commit-like workflow depending on platform support. RESTCONF exposes YANG-modeled data through HTTP methods and typically uses URI-based resources with XML or JSON encoding. gRPC and gNMI are commonly used for efficient telemetry or operational data streaming, with protocol buffers often used for serialization. The selected mapping follows those protocol boundaries rather than mixing model structure with transport behavior. In design work, this matters because the same network feature can be represented by a YANG model but accessed through different protocols, each with different capabilities, security requirements, and operational semantics. Correctly matching elements to protocols avoids invalid payloads and broken automation workflows. Reference topics: YANG, NETCONF, RESTCONF, gRPC, gNMI, XML and JSON encoding, model-driven telemetry.

Cisco IS-IS supports Level 1, Level 2, and Level 1/Level 2 operation, and the design should restrict each link to the level it actually needs. Cisco documentation for the isis circuit-type command states that it “configures the type of adjacency that is required for neighbors on the specified interface.” In this case, the router is configured as L1/L2 and has both L1 and L2 neighbors, which causes unnecessary LSP flooding, SPF processing, and database maintenance on links that may not need both levels. Making the entire router only L1 or only L2 would be too blunt, because the router may legitimately need to participate in both domains on different interfaces. Making the router a DIS also does not solve the underlying issue; it only controls designated intermediate system behavior on broadcast networks. The best optimization is to configure each interface with the correct circuit type, such as level-1 for intra-area links and level-2-only for backbone links. This reduces control-plane load while preserving the intended two-level hierarchy.

Without centralized policy, OMP allows all WAN Edge routers in the same VPN to communicate in a full-mesh overlay. Cisco Catalyst SD-WAN uses OMP as the control-plane protocol between WAN Edge routers and SD-WAN controllers. WAN Edge devices advertise OMP routes, TLOC routes, and service routes to the controllers, and the controllers distribute the reachable routes back to the relevant edge devices. Cisco policy documentation describes the default unpolicied behavior as permissive: routes are accepted and advertised so sites in the same VPN learn reachability to each other. That default route distribution produces a full-mesh data-plane capability, even though control connections remain hubbed through the controllers. Hub-and-spoke, regional isolation, point-to-point restriction, or service-chained topologies require centralized control or data policy to filter routes or steer traffic. Blocking all communication is the opposite of the default behavior. Reference topics: Cisco SD-WAN OMP, default route distribution, full-mesh overlay, centralized control policy, VPN segmentation.

The valid get-config reply must show OSPF process ID 400 with network 192.168.128.128/25 enabled for Area 0. A /25 prefix has a block size of 128 addresses, so 192.168.128.128/25 is a valid network boundary and covers addresses from 192.168.128.128 through 192.168.128.255. Any reply that shows the wrong OSPF process, an incorrect network boundary, the wrong prefix length or wildcard equivalent, or a nonzero area does not verify the requested model set. In Cisco IOS XE model-driven configuration, the readback has to match the schema path and values used by the model, not simply produce an approximate CLI interpretation. Option B is the reply that confirms the intended OSPF object. This verification method is important because YANG automation can fail silently in operational workflows when the payload is syntactically valid but targets the wrong container or key. A get-config verification step confirms the running datastore contains the exact OSPF process and area membership required by the design. Reference topics: YANG OSPF configuration, NETCONF get-config, prefix validation, IOS XE native models.

The default MTU should be increased in the Cisco SD-Access fabric underlay. SD-Access data-plane traffic uses VXLAN encapsulation, and VXLAN adds overhead beyond the original endpoint frame. If the underlay remains at a standard 1500-byte MTU, encapsulated packets can fragment or be dropped, especially when applications set the DF bit. Cisco SD-Access design guidance therefore calls for an increased underlay MTU so the fabric can carry overlay-encapsulated traffic cleanly. Reducing subnets is an overlay simplification topic, not an underlay MTU consideration. The number of supported control-plane nodes is a scale and availability design consideration, not the key underlay requirement in this question. Unified policy is part of fabric policy and segmentation, not underlay transport readiness. A professional SD-Access underlay design validates routed reachability, loopback advertisements, IGP operation, redundant paths, and MTU end to end before enabling the overlay. The MTU setting is critical because a stable underlay must transport LISP control-plane traffic and VXLAN data-plane traffic without fragmentation. Reference topics: SD-Access underlay, VXLAN overhead, MTU design, fabric transport readiness.

HSRP version 2 with MD5 authentication is the correct resilient gateway choice because the design requires IPv6 support and protection against false hello packets. HSRPv2 supports both IPv4 and IPv6 gateway redundancy and improves group scaling compared with the original version. MD5 authentication protects the HSRP control exchange by ensuring that only authorized routers participate in the redundancy group, reducing the risk of a rogue or misconfigured device sending false hello messages and influencing active gateway selection. GLBP provides load balancing but does not satisfy the same IPv6 and authenticated hello requirement in this option set. VRRP version 2 is IPv4-focused and therefore does not meet the IPv6 requirement; VRRPv3 would be the relevant standards-based IPv6-capable version, but it is not offered. Object tracking helps adjust gateway priority after link failure, but it does not protect against false hello packets by itself. Reference topics: HSRPv2, first-hop redundancy, IPv6 gateway redundancy, MD5 authentication, campus high availability.

A higher local preference on R3 for the relevant routes is the correct method to influence outbound traffic inside the autonomous system. Local preference is a well-known discretionary BGP attribute used within an AS to choose the preferred exit path. A higher local preference is preferred over a lower one, and the attribute is propagated to iBGP peers so routers in the AS make a consistent outbound decision. The requirement says all traffic originating from AS100 must pass through AS200 toward the NTP and DHCP server, and if the R3-to-R4 link fails, the path must move to the R2-to-R9 link. Applying local preference on R3 toward the routers that need to reach the data center establishes R3 as the primary exit while preserving the alternate path through R2 and R9. AS-path prepending is mainly used to influence inbound traffic from other autonomous systems, not the local AS exit choice. Redistributing IGP metrics into BGP is less deterministic and not the right policy control. Reference topics: BGP local preference, outbound traffic engineering, iBGP policy propagation, primary and backup path design.

Multichassis EtherChannel is the correct design when distribution switches support VSS and the campus needs fast Layer 2 convergence while using as much uplink bandwidth as possible. With VSS, two physical distribution switches operate as a single logical switching system from the perspective of the access layer. MEC allows an access switch to bundle links to both distribution chassis into one logical EtherChannel. This removes the normal spanning-tree blocking of redundant uplinks, uses both links actively, and provides fast convergence if one physical link or chassis fails. A plain EtherChannel normally terminates on one physical switch, so it does not provide the same chassis-level resiliency unless the distribution pair is virtualized. RSTP improves loop convergence but still blocks redundant Layer 2 paths in a traditional topology. ECMP requires Layer 3 routing, and the question notes routing protocol limitations. Therefore, MEC on VSS is the best solution for bandwidth utilization and fast Layer 2 recovery. Reference topics: VSS, Multichassis EtherChannel, Layer 2 campus resiliency, STP avoidance, access-to-distribution design.

Cisco Identity Services Engine is the SD-Access component that integrates with Cisco DNA Center to provide identity-based policy, Security Group Tags, and Security Group ACL policy enforcement. Cisco SD-Access uses Cisco TrustSec technology concepts for group-based policy, but ISE is the actual policy and identity services platform that integrates with Cisco DNA Center. DNA Center automates fabric deployment and policy orchestration, while ISE provides endpoint identity, group assignment, scalable group information, and policy authorization. SGACLs define permitted or denied communication between security groups, and SGTs classify users or endpoints into those groups. APIC-EM is not the SD-Access policy platform. Cisco Network Data Platform supports analytics and assurance functions, not identity policy enforcement. Cisco TrustSec is the underlying policy technology, but the question asks for the component that integrates with Cisco DNA Center. Therefore, the verified answer is Cisco Identity Services Engine. In design terms, ISE should be planned as a critical policy-plane dependency with redundancy, pxGrid integration, RADIUS services, and consistent scalable group policy design.

When BFD echo mode contributes to high CPU utilization on lower-resource devices, the practical design response is to use slower BFD timers for those peers rather than continuing to run an overly aggressive failure-detection profile everywhere. Cisco BFD provides fast failure detection, but timer values must match platform capability, interface scale, and the operational value of subsecond detection. Echo mode can generate frequent packets, and in some environments the processing or punt behavior can create measurable CPU pressure. Slowing the timers reduces packet rate and control-plane stress while keeping BFD available for faster detection than traditional routing protocol dead timers. Moving to asynchronous mode may be appropriate in some designs, but the listed option says “BED” and does not directly address the requirement as cleanly as reducing timer aggressiveness. BFD multihop is used for non-directly connected peers and is not a CPU-relief mechanism. Carrier delay changes interface state notification behavior, but it does not solve BFD packet processing load. Therefore, implement slower timers on peers with limited resources. Reference topics: BFD design, echo mode, failure-detection timers, CPU utilization.

The action is to configure the EIGRP stub router in receive-only mode. Cisco EIGRP stub routing limits which routes a router advertises to neighbors, reducing query scope and improving stability in hub-and-spoke or WAN designs. The receive-only keyword is the most restrictive stub option: the router receives routes from neighbors but does not advertise any routes to them. That directly satisfies the requirement that WAN routes must not be advertised to the routers in the data center. Advertising only a default route still advertises routing information, so it does not meet the wording. Summarizing local subnets reduces the number of routes, but it still advertises reachability. The “distributed mode” option is not the correct EIGRP stub behavior for this requirement; redistributed stub mode would allow redistributed routes to be advertised. Receive-only is therefore the precise design control for stopping route advertisement from the stub router. Reference topics: EIGRP stub routing, receive-only mode, query scoping, route advertisement control, WAN-to-data-center design.

The correct design is to deploy the application in both data centers, advertise the application prefix from DC1 as a /32, and advertise a broader /24 from DC2. This uses longest-prefix-match behavior to create deterministic primary and backup routing. Cisco routing logic prefers the most specific matching route in the routing table, regardless of administrative distance or metric comparisons among less specific covering routes. As long as the DC1 /32 is present, traffic for that exact application address follows DC1. If DC1, its edge path, or the /32 advertisement fails, the /32 is withdrawn and the remaining /24 covering route from DC2 provides backup reachability. Advertising the same prefix from both locations may result in load sharing or provider-dependent selection, which does not guarantee DC1 primary behavior. IP SLA could be used in some route-tracking designs, but the clean routing solution tested here is prefix specificity. Reference topics: longest-prefix match, BGP advertisement, active/standby data center routing, covering routes, route failover.

An out-of-band management network best satisfies the requirement to grant and revoke administrative access, restrict management protocols, and limit exposure of management interfaces. Out-of-band management separates administrative traffic from the production data plane by using dedicated management interfaces, management switches, terminal infrastructure, or separate routing. This isolation improves security because a compromise or congestion event in the production network does not automatically provide access to device management planes. It also allows stronger access controls, protocol restrictions, logging, and administrative segmentation for SSH, NTP, FTP, and SNMP. In-band management uses the production network and is more exposed to outages or data-plane attacks. An enterprise internal private network is too vague and does not guarantee management-plane isolation. mGRE is a tunneling technique, not a complete management access architecture. A professional design should also include AAA, role-based authorization, ACLs, management VRFs where appropriate, logging, and monitoring. Reference topics: out-of-band management, management-plane security, AAA, access control, protocol restriction, network operations design.

BFD is not required for the specific failure described: a physical fiber break on point-to-point routed links. In a Layer 3 campus or routed-access design, a direct physical link failure is detected by the interface state change, so the routing protocol can react immediately without waiting for hello/dead timers. Cisco campus design guidance favors point-to-point routed links partly because they give rapid convergence and avoid STP delays. BFD is valuable when a forwarding-path failure is not reliably detected by Layer 1 or Layer 2, or when a protocol adjacency must detect loss faster than its native timers. It does not automatically create convergence by itself; it detects failure and notifies the routing protocol. For a clean fiber cut on a routed point-to-point link, link-down detection is already fast enough for sub-second failover in the design. OSPF timer tuning is also not the preferred design answer for this physical-failure case. Reference topics: routed access design, point-to-point links, link-failure detection, BFD, OSPF convergence.

As a STUN server, Cisco vBond allows Cisco Catalyst SD-WAN routers to discover their public mapped IP addresses and ports when they sit behind NAT. This function is essential during overlay bring-up because many WAN Edge devices are deployed behind internet circuits, firewalls, or provider NAT devices. vBond helps devices understand how they are seen from the public transport side and facilitates the formation of secure control connections to the SD-WAN controllers. vBond also participates in orchestration and Zero-Touch Provisioning workflows, but the question specifically asks about its purpose as a Session Traversal Utilities for NAT server. That wording points directly to NAT discovery, not general ZTP. vBond does not secure user data traffic between edge routers; data-plane encryption is established between WAN Edge devices. It also has no role in integrating SD-Access wireless into a fabric. Reference topics: Cisco SD-WAN vBond, STUN, NAT traversal, orchestration, WAN Edge onboarding. This is fundamental for internet transports.

In-band management is the correct design because the management plan must reach all IP-enabled interfaces, and not every device has a dedicated management port. In-band management uses the production IP network for administrative access, allowing management stations to reach loopbacks, SVIs, routed interfaces, or front-panel interfaces through normal routing. Cisco management guidance distinguishes in-band management from out-of-band designs that depend on a separate physical management network or console path. Because the question requires reachability to all IP-enabled interfaces, in-band is the only listed model that naturally supports that scope. Security must still be enforced with encrypted protocols where supported, such as SSH and HTTPS, plus ACLs, AAA, and management-plane protection where appropriate. A terminal server provides console access, not routed IP management to every interface. A KVM server is a server-management tool, not a network-device management architecture. Out-of-band management is preferred for isolation, but it does not fit devices without dedicated management access. Reference topics: in-band management, secure management protocols, SSH, HTTPS, network management design.

Route reflectors in different clusters should peer with one another as nonclients. BGP route reflection is used to reduce the full-mesh requirement inside an AS. Within a cluster, route-reflector clients peer with their route reflector and do not need to peer with every other client. However, route reflectors still need a way to exchange routes learned from their respective clusters. Cisco BGP route-reflection rules allow a route learned from a client to be reflected to other clients and to nonclient peers. A route learned from a nonclient peer is reflected only to clients. Therefore, route reflectors in different clusters should maintain iBGP peerings as nonclients so that routes can propagate between clusters and then be reflected down to each cluster’s clients. Making route reflectors clients of each other can create confusing policy and cluster behavior. Having no peering would isolate the clusters. Peering only through another nonclient router adds unnecessary indirection and does not improve scale. The correct scalable design is route-reflector-to-route-reflector nonclient peering. Reference topics: BGP route reflectors, clusters, client and nonclient peers, iBGP scaling, route reflection rules.

The RPF check is performed against the RP address when the PIM router has shared-tree state. In PIM sparse mode, multicast traffic initially flows through the rendezvous point using the shared tree, represented as (*,G) state. For shared-tree traffic, the router verifies that packets arrive from the direction of the RP, because the RP is the root of the shared distribution tree. When the router has source-tree state, represented as (S,G), the RPF check is performed against the multicast source address instead. Dense mode behavior and directly connected membership are not the determining conditions in this question. The key distinction is whether forwarding state is shared-tree or source-tree. Cisco multicast design relies on this behavior to keep PIM forwarding loop free as traffic transitions from shared-tree delivery to shortest-path tree delivery where applicable. Selecting the shared-tree state option correctly identifies when the RP address is used for the RPF calculation. Reference topics: PIM sparse mode, shared tree, source tree, RPF toward RP, (*,G) and (S,G) state.

Traffic shaping is the QoS mechanism that queues excess packets and transmits them later to conform to a configured rate. In Cisco QoS design, shaping smooths bursts by buffering traffic instead of immediately discarding it when the offered rate exceeds the configured rate. This makes shaping appropriate on egress interfaces where the enterprise router has a higher physical interface speed than the actual provider committed information rate. WRED and RED are congestion-avoidance mechanisms that drop packets probabilistically to prevent full queue exhaustion, especially for TCP traffic. They do not intentionally hold excess packets for later transmission as the primary behavior. Policing enforces a traffic rate by dropping or remarking traffic that exceeds the configured contract; it does not buffer traffic to smooth bursts. Therefore, when the design requirement says excess packets must be queued for later transmission, the mechanism must be shaping. In WAN edge QoS, shaping is often paired with child queuing policies so latency-sensitive and business-critical classes receive correct treatment inside the shaped parent rate.

The validated answer is Option D because this item depends on the exhibit containing configuration or model fragments. In Cisco programmability questions, the correct option is determined by whether the selected YANG or API payload accurately represents the intended configuration hierarchy, data types, and device-specific path. The answer must match the complete model structure, not merely contain the right-looking address, interface name, or protocol value. Option D should therefore be retained as the verified selection because it is the only option that aligns with the expected data model structure shown in the exhibit. For these items, the professional review must avoid inventing a replacement payload when the answer choices are embedded as images. The proper explanation is that YANG-based configuration validation requires the namespace, container path, list keys, and leaf values to match the model used by the target platform. Reference topics: YANG configuration validation, RESTCONF or NETCONF payload structure, model hierarchy, Cisco IOS XE programmability, exhibit-based option verification.

The correct technologies are loop guard on uplinks and root guard on downlinks. Cisco campus Layer 2 design guidance recommends protecting the intended spanning-tree topology by placing root guard on ports where the root bridge should never appear and loop guard on non-designated ports that depend on receiving BPDUs. In a hierarchical topology, downlinks toward access switches should not be allowed to become a path to a new STP root; root guard enforces that design by moving a port to root-inconsistent state if a superior BPDU is received. Uplinks are vulnerable to failures where expected BPDUs stop arriving, which can cause an alternate or root port to incorrectly transition to forwarding. Loop guard prevents that by placing the port into loop-inconsistent blocking state. BPDU guard is not appropriate on normal interswitch uplinks or trunk downlinks because those links are expected to exchange BPDUs; it belongs mainly on PortFast edge ports. Reference topics: STP protection, loop guard, root guard, campus Layer 2 design, Rapid PVST+.

StackWise is the correct solution because the company needs more access ports while reusing the existing access-switch uplink capacity. Cisco StackWise allows multiple compatible Catalyst switches to operate as a single logical switching system, increasing access-port density without requiring each added switch to consume new uplink ports on the distribution layer. This fits the design constraint that the distribution switches have no available ports for additional uplinks, while current uplink bandwidth is not a bottleneck. VSS is normally used to combine two chassis-class switches into one logical system at the distribution or core layer; it is not the practical answer for expanding one floor’s access-port count from an existing access switch. EtherChannel aggregates physical links for bandwidth and redundancy, but it does not create additional access ports when no distribution ports are available. VDC is a Nexus virtualization construct and does not solve Catalyst access-port expansion. The correct operational design is to add a stack member and use the existing uplink design. Reference topics: Cisco StackWise, access-layer scalability, uplink preservation, Catalyst campus switching.

TLOC extension is the Cisco SD-WAN mechanism that allows a WAN Edge router without direct access to a transport to reach that transport through another WAN Edge router at the same site. Cisco describes TLOC extension as a redundancy feature in SD-WAN networks. In the question, the WAN Edge router is connected to an MPLS transport link, but Internet access is available through another WAN Edge device. With TLOC extension, the MPLS-only edge can extend traffic through the peer router toward the Internet transport, allowing the site to use multiple transports without requiring every edge router to have a physical connection to every circuit. OMP can advertise routes and TLOCs, but OMP alone does not create physical Internet access for a router attached only to MPLS. Requiring a local 4G/5G or Internet circuit on the same router is not necessary when TLOC extension is part of the design. An MPLS extranet is also not the normal SD-WAN solution for Internet transport reachability. Therefore, TLOC extension is the correct design method.

The best design is the option that prefers ISP-1 for both outbound and inbound traffic while keeping ISP-2 available as a backup. For outbound traffic from the enterprise, local preference is the correct BGP attribute because it is evaluated inside the local AS and higher local preference wins. R1 should assign a high local preference to routes learned from ISP-1, while R2 should assign a low local preference to routes learned from ISP-2. For inbound traffic from the Internet toward the enterprise, AS-path prepending is the practical signal sent to external networks. Advertising routes to ISP-1 with no prepending and routes to ISP-2 with five prepends makes the ISP-1 path look shorter and therefore more attractive. The R1-to-R2 internal advertisements should not be blocked by NO-ADVERTISE because each edge router must still share reachability internally for failover. Option B matches these controls without unnecessarily suppressing routes between the edge routers. Reference topics: BGP local preference, AS-path prepending, active/backup Internet design, inbound and outbound path control.

DiffServ is the correct QoS model for a business-critical, delay-sensitive, high-bandwidth application across DMVPN tunnels protected with IPsec. Differentiated Services classifies and marks traffic, usually with DSCP, and then applies per-hop behavior at each network device. This model scales well across enterprise WANs because routers do not need to maintain per-flow reservation state. DMVPN and IPsec overlays can carry marked traffic, and the WAN design can apply queuing, shaping, and congestion avoidance based on those markings. IntServ with RSVP can provide explicit resource reservation, but it is stateful and does not scale well across many branch tunnels. RSVP also becomes operationally difficult across encrypted overlay environments. WRED is only a congestion avoidance mechanism, not a complete QoS architecture. Because the application needs differentiated treatment but the WAN must remain scalable, DiffServ is the practical Cisco enterprise design model. Reference topics: DiffServ, DSCP marking, DMVPN QoS, IPsec QoS pre-classify, per-hop behavior, enterprise WAN QoS.

Interdomain multicast designs commonly use MP-BGP and MSDP together. MP-BGP carries multicast routing information between domains so routers can perform RPF checks based on the correct multicast topology rather than relying only on unicast routing. MSDP is used between rendezvous points in different PIM sparse-mode domains to exchange information about active sources. Cisco multicast documentation describes MSDP as a mechanism that connects multiple PIM-SM domains and allows RPs to discover multicast sources in other domains. Together, MP-BGP provides the reachability information and MSDP provides source discovery between RPs. IGMPv2 is a host-to-router group membership protocol inside a local subnet, not an interdomain multicast routing protocol. MLD provides the IPv6 equivalent of host group membership signaling. BIDIR-PIM is a multicast forwarding mode optimized for many-to-many traffic inside a domain, but it is not the pair of protocols used for interdomain source and receiver communication in this question. Therefore, the correct protocols are MP-BGP and MSDP.

EIGRP stub routing is designed to prevent remote or spoke routers from being used as transit routers. In a hub-and-spoke or dual-homed remote design, a stub router advertises only the route types permitted by its stub configuration, such as connected or summary routes, and it is not queried for routes that it cannot reasonably provide. This reduces EIGRP query scope and helps avoid stuck-in-active conditions. The tradeoff is that the network must not depend on a stub site to carry transit traffic between other parts of the topology. In this scenario, the spoke nodes are configured as EIGRP stubs. When the direct R1-to-R2 link fails, R1 cannot use the alternate path through the other spoke-side topology as a transit path to reach a subnet attached to R2. The EIGRP stub design prevents the route from being advertised in a way that would make the spoke act as a transit router. As a result, R1 has no valid route to R2 ' s attached subnet and drops the traffic. This behavior is consistent with the purpose of EIGRP stub routing.

IPv6 overlay tunnels should be treated as a transition mechanism, not as the final desired enterprise architecture. Cisco IPv6 migration guidance describes tunneling as a way to connect IPv6 islands across an IPv4 infrastructure or to carry one protocol over another while the network is being migrated. This is useful when parts of the infrastructure cannot yet run IPv6 natively, but it also adds encapsulation overhead, additional MTU considerations, troubleshooting complexity, and operational dependency on the underlay transport. A permanent IPv6 architecture should eventually support IPv6 natively, or support both IPv4 and IPv6 through dual stack where required. The statement that overlay tunnels are a final IPv6 architecture is therefore incorrect. Overlay tunnels are not limited only to border devices in every design, and they do not require only the IPv6 stack; they commonly encapsulate IPv6 traffic over IPv4 infrastructure. The option stating that IPv4 packets are encapsulated in IPv6 packets also reverses the common IPv6-over-IPv4 migration use case. Therefore, overlay tunneling should be designed as a temporary transition technique.

For a standards-driven YANG model in a multivendor environment, the engineer should choose IETF models. IETF YANG models are produced through the Internet Engineering Task Force standards process and define vendor-neutral data structures for common network functions. This makes them the best answer when the requirement emphasizes standards-based operation across multiple vendors. OpenConfig models are also vendor-neutral and widely used for operational consistency, but OpenConfig is an operator-driven model set rather than an IETF standards body output. Cisco native models expose platform-specific Cisco IOS XE, NX-OS, or IOS XR features and often provide the most complete coverage for Cisco-specific capabilities, but they are not intended as the primary multivendor standard model. IEEE NETCONF is not the correct model category; NETCONF is a protocol, and IEEE is not the YANG model set normally selected for general device configuration in this context. In Cisco automation design, the model choice should match the use case: IETF for standards-driven multivendor workflows, OpenConfig for operator-neutral abstractions, and native models for vendor-specific feature completeness.

EIGRP with branch routers configured as stubs and equal-cost multipath is the best fit for this hub-and-spoke DMVPN design. The branch routers have limited memory and CPU resources, so they should not be forced to maintain unnecessary topology information or answer broad queries from the rest of the network. EIGRP stub routing limits the routes a branch advertises and prevents it from being used as a transit path, which reduces query scope and improves stability. Because the two internet links are both 100 Mbps, equal-cost multipath can use both links for active forwarding during traffic spikes. OSPF can operate over DMVPN, but a single area or hub-and-spoke design may create more overhead and less efficient query containment for small branch routers. IS-IS is less common for this WAN overlay use case, and iBGP with route reflectors can scale but does not natively consider link utilization or provide the same simple branch stub behavior. Reference topics: EIGRP stub, DMVPN, ECMP, branch routing, query containment, WAN convergence.

The vSmart controller provides the centralized control plane in a Cisco SD-WAN deployment. It establishes secure control connections with WAN Edge routers and exchanges routing, topology, security, and policy information using OMP. The vSmart controller does not forward user data traffic; data-plane forwarding occurs directly between WAN Edge routers over IPsec or other supported encapsulations. Its function is to distribute reachability information, TLOC information, service routes, centralized policies, application-aware routing policies, and segmentation information that determines how the overlay operates. vBond orchestrates onboarding, authentication facilitation, and NAT traversal for control connections. vManage provides centralized management, monitoring, configuration templates, and operational GUI/API functions. vEdge or Cisco IOS XE SD-WAN routers provide the branch or site data plane and local routing functions. Therefore, among the choices, the vSmart controller is responsible for the centralized control plane of the SD-WAN network. Correctly separating orchestration, management, control, and data-plane roles is a core Cisco SD-WAN design principle.

Cisco weight is the Cisco-proprietary BGP path attribute used to influence outbound traffic selection on a local router. Weight is locally significant and is not advertised to BGP neighbors. A higher weight is preferred, and because weight is evaluated early in the Cisco BGP best-path algorithm, it is a direct way to make one exit path preferred over another on the router where the attribute is configured. Local preference also influences outbound traffic, but it is a well-known discretionary BGP attribute used inside an AS and is not Cisco proprietary. MED is primarily used to influence inbound path selection by suggesting to a neighboring AS which entry point should be preferred. AS-path prepending is also typically used for inbound traffic engineering by making a route appear less attractive to external peers. Communities can carry policy information, but they are not the Cisco-proprietary attribute in the list. Therefore, when the requirement specifically asks for the Cisco proprietary BGP path attribute that influences outbound traffic flow, the answer is weight.

The correct QoS design is to shape outbound traffic and police inbound traffic. Traffic shaping buffers and schedules outbound packets so the customer does not send bursts beyond the 10 Mbps Internet connection rate. This is useful on egress because the local router controls the transmit queue and can smooth bursts before they reach the provider. Cisco QoS design distinguishes shaping from policing: shaping delays excess traffic, while policing drops or remarks excess traffic immediately. Inbound shaping is generally not effective because the traffic has already arrived on the interface; the device cannot delay packets before they consume the inbound circuit. Inbound policing can protect business-critical traffic by limiting or dropping lower-priority excess traffic as it enters the network. Policing outbound would enforce the rate but would cause avoidable drops during bursts, which is less desirable when the router can shape before transmission. Therefore, outbound shaping and inbound policing satisfy both rate-control and protection requirements. Reference topics: traffic shaping, traffic policing, QoS queuing, Internet edge QoS, congestion management.

The dial-out model-driven telemetry approach is initiated by the network device, not by the collector. Cisco IOS XE telemetry documentation describes configured subscriptions as dial-out because the publisher, meaning the router or switch, initiates the connection to the configured receiver. After the session is established, the device streams the subscribed YANG-modeled data at the configured cadence or when the configured on-change condition occurs. This model is useful when the telemetry collector is a fixed destination and the network operator wants the device to maintain the outbound session automatically. Option B describes dial-in telemetry, where the collector or subscriber connects to the device and requests the subscription. Option C is also dial-in oriented because the collector initiates the session. Option D is close in wording, but the key design point is that the session is based on an already configured subscription rather than a negotiation process. Reference topics: model-driven telemetry, configured subscriptions, dial-out telemetry, YANG-push, telemetry collectors.

The client edge can reach the Internet through ISP1 only if downstream routers inside the client network have a usable route toward the Internet. Since ISP1 provides full Internet connectivity and ISP2 is used for direct exchange with selected third parties, the edge design should advertise a default route into the client network. This gives internal routers a simple, scalable route for all Internet destinations while preserving specific routing where necessary. Running separate VRFs for each ISP may be a valid segmentation technique, but it does not by itself tell downstream routers how to reach the Internet. AS-path prepending toward ISP2 influences inbound path preference from external networks; it does not solve internal default routing. Filtering outbound advertisements so the client advertises only its own originated routes is important to avoid becoming a transit AS, but it is not the mechanism that enables internal users to reach the Internet through ISP1. The clean design is to receive or originate a default route at the edge and advertise that default to the client routing domain. Reference topics: BGP Internet edge design, default route advertisement, transit prevention, ISP peering policy.

The most efficient campus design aligns the active first-hop gateway with the Layer 2 forwarding path. In a traditional access-distribution topology using STP and HSRP, traffic should not cross the distribution-to-distribution link simply because the HSRP active gateway is on the opposite distribution switch from the STP forwarding path. Cisco campus design guidance stresses aligning the STP root bridge with the active FHRP gateway so hosts forward northbound traffic directly to the distribution switch that owns the optimal Layer 2 path. Reconfiguring distribution switch A to become the HSRP active device fixes the asymmetric and inefficient traffic flow in the exhibit. Adding a link between access switches would extend the Layer 2 domain and increase loop-prevention complexity, not improve the northbound default-gateway path. Changing the distribution interconnect to a routed link may be valid in a routed-access redesign, but it is not the targeted correction for this Layer 2/FHRP misalignment. An EtherChannel between distribution switches only increases interswitch capacity; it does not remove the unnecessary hairpin path caused by the wrong active gateway.

Rapid PVST+ and VTP address the stated redesign goals. Moving from IEEE 802.1D STP to Rapid PVST+ reduces the impact of topology changes because rapid spanning tree provides faster convergence through proposal/agreement behavior and faster port-role transitions. That improves availability compared with classic STP timers. VTP reduces administrative effort and manual configuration errors by centrally propagating VLAN information across switches in the same VTP domain. It can also support pruning so unused VLAN traffic is not unnecessarily carried across trunks. MST could reduce spanning-tree instance count, but the question emphasizes reducing topology-change impact and reducing manual VLAN configuration work; Rapid PVST+ plus VTP addresses both directly. Storm control helps limit broadcast and multicast traffic but does not solve STP convergence or VLAN administration. Dynamic Trunking Protocol negotiates trunk state; it does not propagate VLAN information and is often avoided in deterministic campus designs. In production, VTP should be used carefully with version control, domain/password discipline, and change governance because incorrect VTP configuration can have broad impact. Reference topics: Rapid PVST+, STP convergence, VTP, VLAN pruning, campus Layer 2 operations.

Single-topology IS-IS with the transition feature is the correct design when IPv6 is being added to an existing IPv4 IS-IS network and both topologies must match exactly. In single-topology mode, IS-IS calculates one topology and uses it for both IPv4 and IPv6, which fits the requirement that the IPv4 and IPv6 paths and router levels remain the same on each interface. Cisco documentation notes that single-topology IS-IS IPv6 requires routers to run the same set of address families for adjacency consistency; during migration, transition support allows the network to operate while IPv6 is introduced gradually. Multi-topology IS-IS is used when IPv4 and IPv6 should be allowed to follow different topologies or when not all routers support the same address families. The question explicitly says the topologies will match exactly, so multi-topology is unnecessary. Single topology without the transition feature is risky during phased migration because routers that do not yet run both address families may fail adjacency checks or create blackholing. Reference topics: IS-IS for IPv6, single-topology IS-IS, transition mode, address-family consistency, IPv6 migration.

Network management traffic should be marked and treated as a dedicated operations class, not mixed into voice signaling or real-time queues. Cisco enterprise QoS design guidance commonly reserves DSCP CS2 for operations, administration, and management traffic such as SNMP, SSH, syslog, NTP, and other management flows. The question states that all eight queuing classes are already used, so the design should integrate management traffic into the closest existing class and validate that the queue has enough bandwidth. Option D is the best fit because it uses CS2 and requires baselining before allocating more bandwidth. CS6 is normally used for network control and routing protocols; using it for ordinary management traffic would compete with routing adjacencies and control-plane stability. CS5 and CS4 are also unsuitable because they are normally associated with video/signaling-related classes in many enterprise QoS models. The professional design action is to classify management traffic explicitly, mark it CS2 at the trust boundary, map it to the existing class, and then measure queue utilization before changing bandwidth allocations. Reference topics: Cisco QoS baseline, DSCP CS2, network management traffic, queue bandwidth design.

Secure segmentation is the Cisco SD-WAN Secure Direct Cloud Access function that separates user traffic into different zones and VPNs or VRFs. In Cisco SD-WAN, VPNs provide logical segmentation that is comparable to VRF separation in traditional routing. Secure Direct Cloud Access extends this segmentation model when users access internet and cloud applications directly from the branch. The design can keep corporate, guest, payment, voice, IoT, and other traffic classes isolated, with policy and security controls applied per segment or zone. Centralized data policy controls forwarding behavior, but the feature that divides traffic into separate zones and VPN or VRF contexts is secure segmentation. Perimeter control and application-aware routing are useful security and performance functions, but they do not describe the core segmentation mechanism. Segmentation is a fundamental SD-WAN design requirement because direct cloud access must not collapse trust boundaries simply because traffic no longer hairpins through a central data center. Reference topics: Cisco SD-WAN secure segmentation, VPNs, VRFs, direct cloud access, zone-based policy.

The SD-Access control-plane node maintains the endpoint database and resolves mappings between endpoints and the fabric edge nodes where those endpoints are located. Cisco SD-Access uses LISP in the fabric control plane. Edge nodes register endpoint identifiers with the control-plane node, and other fabric nodes query the control plane when they need to locate a destination endpoint. This control-plane function is commonly described through LISP Map-Server and Map-Resolver behavior. Option B is not correct because endpoint detection occurs at the edge node, not at the control-plane node. The edge is the device connected to users, access points, or endpoint-facing networks, so it learns local endpoint presence and registers that information. Option C refers to authentication and identity, which is integrated with Cisco ISE. Option D describes the border-node role, because border nodes connect the fabric to external networks. The corrected answer is therefore A. A stable SD-Access design must provide redundant control-plane reachability and scale the control-plane role according to fabric size, mobility, and endpoint churn. Reference topics: SD-Access control plane, LISP Map-Server, LISP Map-Resolver, endpoint-to-location mapping.

The primary HSRP device should use the preempt delay feature. When a failed primary distribution switch returns, HSRP preemption allows it to reclaim the active gateway role because it has the higher priority. However, routing protocols, trunks, line cards, FIB programming, or upstream convergence may not be fully ready at the instant HSRP becomes active again. If the device preempts too quickly, hosts forward traffic to a gateway that is not yet ready to forward all flows, causing temporary packet loss. Cisco HSRP preempt delay prevents immediate takeover by delaying preemption after reload or interface recovery, giving the switch time to rebuild control-plane and forwarding-plane state. Increasing hello timers slows failure detection and does not solve the premature takeover problem. Applying preempt delay to the backup device is not the issue because the returning primary is the device that reclaims active state. MAC refresh timers are not the primary mechanism for this condition. Therefore, the design should configure preempt delay on the primary HSRP device. Reference topics: HSRP preemption, preempt delay, gateway recovery, campus high availability, convergence coordination.

The correct design is to advertise a default route from the aggregation layer toward the access layer and summarize the VLAN subnets at the aggregation layer toward the core. Cisco hierarchical campus design places summarization at aggregation or distribution boundaries because that is where access-layer routes are collected before entering the core. Summarizing the VLAN ranges into 10.0.0.0/16 hides individual access VLAN instability from the core, reducing routing table entries, protocol churn, and memory consumption on core devices. Sending a default route from aggregation to access also keeps access switches simple and prevents them from carrying unnecessary campus routing detail. This design contains failures and convergence events inside the appropriate block. Summarizing at the access layer is less practical when multiple VLANs aggregate at distribution. Advertising a default toward the core is backwards, because the core must know the summarized access block. Reference topics: hierarchical campus routing, aggregation-layer summarization, default routing to access, route-table reduction, convergence containment.

Implementing network summarization on the edge routers is the correct EIGRP design action to reduce query range and improve convergence. In EIGRP, when a route is lost and no feasible successor exists, DUAL sends queries to neighbors. If the network is large or poorly summarized, those queries can propagate widely and increase convergence time. Hierarchical addressing allows each office or edge block to advertise a summary instead of many specific prefixes. If a specific subnet inside an office fails, the summary can remain stable toward the rest of the network, preventing the failure from triggering unnecessary queries across the dark-fiber interoffice topology. Stub routing can also reduce query scope, but the option says to configure stub areas on non-edge routers, which is not the right EIGRP terminology or placement. Different EIGRP processes add redistribution complexity, and route filtering alone does not provide the same clean convergence boundary as summarization. Reference topics: EIGRP summarization, DUAL query scope, hierarchical addressing, convergence optimization, dark-fiber campus routing.

The selected IPv4 plan is correct because the design must maximize the number of subnets while still meeting the host requirements for each location. With VLSM, the largest subnet must be allocated first. A segment requiring 500 hosts needs at least 9 host bits, because 2^9 provides 512 addresses and 510 usable host addresses, so a /23 is required. A segment requiring 100 hosts needs 7 host bits, giving 126 usable addresses, so a /25 is sufficient. A segment requiring 25 hosts needs 5 host bits, giving 30 usable addresses, so a /27 is sufficient. Any plan that uses larger prefixes than necessary wastes addresses and reduces the number of available subnets inside 172.16.0.0/16. Any plan using smaller subnets would fail the host requirement. The correct option is the one that uses the smallest valid subnet size for each requirement while keeping the addressing blocks aligned. Reference topics: IPv4 VLSM, CIDR, subnet sizing, usable host calculation, hierarchical addressing plans.

The vSmart controller is the Cisco SD-WAN control-plane element that maintains centralized routing and policy information. WAN Edge routers form secure control connections to vSmart, and vSmart distributes OMP routes, TLOC information, service routes, and policy information across the overlay. It does not forward user traffic in the data plane; forwarding is performed by the WAN Edge routers. It also does not provide the primary management GUI, because that role belongs to vManage. vBond handles orchestration, authentication facilitation, and NAT traversal during control-plane bring-up, not the centralized routing table. The importance of vSmart in the design is that it removes the need for every WAN Edge router to maintain complex direct control-plane relationships with every other edge. It also enforces centralized control policy, which determines which routes and paths are available to which sites. Reference topics: Cisco SD-WAN architecture, vSmart controller, OMP, centralized route table, control policy, WAN Edge. This preserves scalable WAN control-plane behavior.

The ORF filter should be applied so the route reflector or upstream peer suppresses the unwanted Branch A prefix before sending updates toward the resource-constrained branch. Cisco BGP outbound route filtering lets a receiving router advertise a prefix-list filter to its peer, causing that peer to apply the filter outbound. This is useful when a router has limited CPU or memory because unwanted prefixes are never sent across the session. In the described design, HQ must prevent Branch A prefixes from reaching R4, while Branch B has limited resources. The answer using the 10.10.10.0/24 prefix list on R2 aligns with filtering the Branch A prefix at the point where HQ can control route reflection or advertisement toward the constrained branch path. Applying the filter on the wrong router or using the wrong prefix would still allow unnecessary updates. ORF is preferred over simple inbound filtering when the goal is to reduce received route volume. Reference topics: BGP ORF, prefix-list signaling, route-reflector filtering, branch route scale, outbound update suppression.

Static routes tied to IP SLA with a floating static backup route provide the cleanest active/standby design for this requirement. The MPLS L3VPN path is the primary connection and should carry traffic while it is available. IP SLA can actively test reachability across the primary path, and object tracking can remove the primary static route if the test fails. The backup IPsec VPN route is configured with a higher administrative distance, so it remains inactive until the primary route is withdrawn. This design is deterministic and prevents traffic from using the backup tunnel during normal operation. Running EIGRP across both paths could allow dynamic path selection, but it would require careful metric manipulation and could still introduce unintended failover behavior. BGP multipath is the opposite of the requirement because it is designed to install multiple paths simultaneously for load sharing. OSPF passive-interface on the backup connection would prevent neighbor formation rather than provide reliable backup routing. For a branch with one primary MPLS path and one backup IPsec path, tracked static routing with IP SLA is the appropriate design.

The requirements point to a Layer 2 multipoint WAN service. VPLS provides an emulated Ethernet LAN across a provider network, allowing multiple sites to appear as if they are connected to the same Layer 2 domain. This supports full-mesh Layer 2 connectivity and preserves customer control over higher-layer services such as IPv6, multicast, routing protocols, and QoS markings. Because the provider delivers an Ethernet multipoint service, the enterprise can retain protocol independence rather than depending on the service provider to participate in IPv6 routing or multicast routing. CoS marking is also a Layer 2 QoS mechanism, so a Layer 2 VPN service is better aligned to the stated QoS requirement. VPWS is point-to-point rather than full-mesh multipoint, so it does not meet the topology requirement by itself. MPLS Layer 3 VPN is a provider-routed service and does not give the customer full Layer 2 mesh behavior. DMVPN is an overlay routed VPN and does not provide a native Layer 2 full-mesh service. Therefore, VPLS is the correct WAN connectivity option.

The IS-IS hierarchy should place access or internal area routers at Level 1, boundary routers at Level 1/2, and backbone routers at Level 2. In this exhibit, users in areas 25 and 55 must send and receive traffic through both backbone areas, while link flaps in areas 35 and 45 must not affect other areas. Cisco IS-IS design uses Level 1 areas to contain local topology changes and Level 2 routing to interconnect areas through the backbone. Level 1/2 routers sit at the area boundary and leak or advertise reachability between the local Level 1 area and the Level 2 backbone. Option C matches that hierarchy by placing A-series routers as Level 1, B-series routers as Level 1/2, and C-series routers as Level 2. Making too many routers Level 1/2 would expand the impact of topology changes and reduce scaling benefits. Making backbone routers Level 1 would break interarea design. Reference topics: IS-IS hierarchy, Level 1, Level 2, Level 1/2 routers, failure-domain containment, enterprise scaling.

GET VPN is the correct private WAN encryption technology when traffic must always be encrypted, multicast must be supported, forwarding overhead must be reduced, and security management must be centralized. Cisco Group Encrypted Transport VPN protects traffic over a private WAN without building traditional point-to-point or multipoint tunnel overlays. Because it preserves the original IP header, the provider or enterprise routing core can still make normal forwarding decisions, and multicast, QoS, and routing behavior are easier to preserve than with heavy tunnel overlays. GET VPN uses a key server model to centralize group policy and distribute encryption keys to group members. This reduces the operational burden of maintaining many permanent tunnels. DMVPN supports multicast through GRE and provides dynamic tunnels, but it adds tunnel encapsulation overhead and does not meet the reduced-overhead private WAN requirement as cleanly. Plain mGRE lacks the full centralized group encryption model. Reference topics: GET VPN, group encryption, private WAN security, multicast support, key server, tunnel-less IPsec.

An on-change telemetry subscription is the best solution when the team needs device state data while limiting impact on the device. With periodic telemetry, the device sends subscribed data at a configured interval regardless of whether the value has changed. For state such as shared memory utilization, aggressive periodic polling or streaming can create unnecessary CPU, memory, and bandwidth overhead, especially at scale. On-change telemetry sends an update only when the subscribed data changes, or when a relevant event occurs according to the model and platform behavior. This reduces needless data transmission while still providing timely visibility into meaningful state changes. IPFIX is designed for flow information and traffic accounting rather than detailed device state telemetry. Static telemetry is not the best characterization of the efficient event-driven behavior required here. A periodic subscription can provide the data, but it continuously streams updates and therefore has greater device and collector impact. Cisco model-driven telemetry design favors on-change subscriptions when the operational requirement is state awareness with minimal repeated polling.

Cisco SD-Access LAN automation deploys IS-IS as the underlay routing protocol to build node-to-node adjacencies automatically. The underlay must provide stable IP reachability between fabric nodes before the overlay control plane and VXLAN data plane can operate correctly. Cisco SD-Access design guidance uses an automated routed access underlay in which point-to-point links are discovered and provisioned, and IS-IS is used to advertise infrastructure reachability. This approach reduces manual configuration, accelerates brownfield or greenfield onboarding, and creates a consistent transport foundation for the fabric. LISP is used in the SD-Access control plane for endpoint mapping, not for building underlay adjacencies. VXLAN is the overlay data-plane encapsulation and does not establish routing adjacencies. OSPF can be used in some routed networks, but LAN automation for SD-Access uses IS-IS as the automated underlay protocol. Reference topics: SD-Access LAN automation, routed underlay, IS-IS underlay, fabric node discovery, Cisco Catalyst Center automation.

Weighted Random Early Detection is the QoS congestion-avoidance feature that responds to early congestion by selectively dropping packets before a queue becomes completely full. WRED can use packet markings, such as IP precedence or DSCP, to determine drop probability, so lower-priority traffic can be dropped earlier than higher-priority traffic. This helps TCP-based applications slow down before tail drop causes large synchronized retransmissions. CBWFQ is a queuing and bandwidth-allocation mechanism; it classifies traffic into queues and assigns bandwidth, but it is not specifically the feature that randomly drops lower-priority packets during congestion. Tail drop drops packets only when the queue is full and does not intelligently prefer lower-priority traffic. Strict priority queuing protects delay-sensitive traffic by servicing a priority queue first, but it does not provide weighted random early discard behavior. In Cisco QoS design, WRED is used as a congestion-avoidance mechanism, especially for TCP traffic classes where early packet drops can reduce global synchronization and protect higher-priority classes.

The main purpose of the Cisco SD-Access underlay is to provide a stable routed transport that carries the overlay efficiently between fabric nodes. Among the available choices, optimizing network traffic routing and load-balancing is closest to that function. The underlay is not the security segmentation layer; segmentation is created in the overlay through virtual networks, SGTs, and policy enforcement. The underlay also is not primarily responsible for firewall or IPS services. While LAN automation can help build the underlay, automation is a deployment method rather than the underlay design purpose. A good underlay provides IP reachability, fast convergence, consistent MTU, and resilient routing so that VXLAN-encapsulated overlay traffic can move between edge, border, intermediate, and control-plane nodes. If the underlay is unstable, the overlay will inherit packet loss, convergence problems, and poor application performance. Reference topics: Cisco SD-Access underlay, routed access, IP reachability, fabric transport, underlay resilience, overlay support. This preserves stable fabric forwarding.

The company must configure a summary route on R1. The branch routers must remain normal EIGRP routers, and auto-summary is not allowed, so the scalable design choice is manual summarization at the hub. Cisco EIGRP documentation states that manual summarization can be configured on an interface using the ip summary-address eigrp command and can summarize routes on almost any bit boundary. In a DMVPN hub-and-spoke topology, a hub summary reduces the number of individual routes advertised to branches, limits routing-table growth, and helps contain EIGRP queries. It also keeps branch configuration simple because the branches do not need to be converted to stub routers to meet this specific requirement. Disabling split horizon is a common DMVPN Phase 2 consideration when the hub must advertise spoke routes back out the same multipoint tunnel interface, but it does not summarize HQ routes. A multipoint interface is already implied by DMVPN, and disabling the SIA timer is not a design solution. Reference topics: EIGRP manual summarization, DMVPN hub design, no auto-summary, query containment.

The selected design is correct because the requirement describes a resilient campus architecture that must support the same VXLAN at any access-layer switch while maintaining fast convergence and high availability. In Cisco campus and data-center-style fabric designs, VXLAN provides network virtualization by carrying Layer 2 adjacency over a routed or resilient transport. The correct design must avoid a fragile single spanning-tree domain and must provide redundant forwarding paths so that an access switch or uplink failure does not isolate the VLAN or VXLAN segment. The selected option represents the design that meets those conditions by allowing the overlay segment to be extended consistently across access switches while keeping the underlay resilient. Designs that rely on a traditional Layer 2 tree, a single aggregation point, or blocked redundant links would not meet the high availability and fast convergence objectives. The important design principle is that VXLAN should ride on a stable, redundant transport and should not depend on large Layer 2 failure domains. Reference topics: VXLAN campus design, overlay networking, fast convergence, access-layer resiliency, high availability.

DiffServ is the correct technology because the customer wants distributed QoS based on packet marking and per-hop treatment. Cisco differentiated services designs classify and mark traffic at the network edge, normally using DSCP values, and each device along the path applies a locally defined per-hop behavior to that traffic class. This model scales well in enterprise WANs because routers do not need to maintain per-flow state across the entire network. CBWFQ and LLQ are queuing mechanisms that can implement DiffServ treatment, but they are not the overall QoS architecture requested by the question. IntServ uses RSVP and per-flow resource reservation, which provides stronger admission-style guarantees but does not scale as well for large distributed WAN environments. The question specifically mentions individual packet marking and forwarding based on hop-by-hop treatment, which is the language of DiffServ. A complete design should define trust boundaries, DSCP markings, class maps, queue policy, and provider handoff behavior. Reference topics: DiffServ, DSCP marking, per-hop behavior, distributed QoS, WAN QoS architecture.

The active logical interface count for Switch A is 202 based on the spanning-tree scalability method used for logical ports. In STP design, a logical port is counted per active VLAN instance on each active trunk or access interface. A trunk carrying multiple VLANs therefore consumes multiple logical STP ports, while an access link normally consumes one logical STP port for its VLAN. Cisco campus design guidance uses logical-port counts to ensure that the selected STP mode and platform stay within supported scalability limits. The calculation in the exhibit produces 202 active logical interfaces for Switch A, not simply the number of physical links. Answer A counts only physical interfaces and ignores VLAN instances. Answer D is too low because it does not account for all active VLANs across the relevant links. Answer B overstates the count by including VLANs or links that are not active for Switch A. Reference topics: STP scalability, logical ports, VLAN instances, trunk design, Layer 2 campus sizing.

NETCONF supports XML, while RESTCONF supports both XML and JSON. Cisco programmability documentation describes NETCONF as an XML-based protocol that exchanges RPC requests and replies such as get, get-config, and edit-config using XML encoding. NETCONF is tightly aligned with YANG-modeled data, but the protocol message format itself is XML. RESTCONF exposes YANG-modeled data through an HTTP or HTTPS API and can represent payloads in XML or JSON. Cisco DevNet material commonly summarizes the comparison as NETCONF equals XML, while RESTCONF equals XML or JSON. That is why option D is accurate. Option A is wrong because NETCONF does not use JSON in the same way RESTCONF does. Option B is incomplete because RESTCONF is not limited to JSON. Option C reverses the protocol encodings. This distinction matters in automation design because tool selection, content type, parsing, and API workflows differ by protocol. Reference topics: NETCONF, RESTCONF, YANG, XML encoding, JSON encoding, model-driven programmability.

The correct solution is again a management VRF with SSH keys for device access. This duplicate item tests the same design principle: management traffic should be logically isolated from the overlay and production forwarding paths. A VRF gives the management plane its own routing table, so changes or failures in the overlay do not normally alter management reachability. That makes the network easier to operate because engineers can troubleshoot device access, routing, and overlay behavior as separate concerns. SSH keys satisfy the secure-access requirement by providing encrypted management sessions with public-key authentication. Private VLANs and standard VLANs can segment Layer 2 traffic, but they do not solve routing separation by themselves. TACACS+ and RADIUS provide authentication, authorization, and accounting, but they do not prevent overlay routing from interacting with management reachability. A separate physical interface can help in some designs, but option A is the cleanest answer because it combines routing isolation with secure access. Reference topics: management VRF, SSH, secure management plane, route isolation, overlay troubleshooting.

PIM BSR is the best final design action because the source uses group 239.1.1.1, which is an administratively scoped ASM multicast group, and dense mode is not allowed. In PIM sparse mode, ASM groups require a rendezvous point so receivers can join the shared tree and sources can register. PIM SSM is not the right match for 239.1.1.1 because SSM normally uses the 232.0.0.0/8 group range and requires receivers to know the source address. Auto-RP can distribute RP information, but traditional Auto-RP discovery relies on multicast groups that often require sparse-dense behavior, which conflicts with the requirement that dense mode is not allowed. BSR is the standards-based PIM mechanism for dynamic RP discovery in sparse-mode networks and avoids static RP configuration on every router. Anycast RP is an RP redundancy design but still requires RP discovery or static RP configuration. Reference topics: PIM sparse mode, Bootstrap Router, ASM, RP discovery, administratively scoped multicast.

The correct policy is to prepend the AS path on the nonpreferred advertisement for each prefix. For inbound BGP traffic engineering, the enterprise normally influences remote autonomous systems by changing attributes that those systems see when selecting a path. AS-path prepending makes a route appear less attractive by adding repeated instances of the local AS number to the AS path. In this design, network 10.1.1.0/24 should enter through R3-R1, so R2 must advertise that prefix with a prepended AS path to make the R4-R2 path less preferred unless the primary path fails. Conversely, network 10.1.2.0/24 should enter through R4-R2, so R1 must advertise that prefix with prepending to make the R3-R1 path less preferred. This creates inbound load sharing while preserving failover because the prepended route remains available as a backup. Local preference affects outbound path selection inside the local AS, not inbound selection by the provider. Reference topics: BGP traffic engineering, AS-path prepending, inbound path control, prefix-specific policy, multihomed WAN design.

The required resource is the organization name. During manual WAN Edge onboarding, the device needs local system identity information and transport reachability so it can authenticate into the Cisco Catalyst SD-WAN overlay. Cisco onboarding workflows identify system parameters such as system IP, site ID, organization name, and vBond information as required configuration elements. The organization name must match the value configured across the SD-WAN controllers; otherwise, certificate validation and control connection establishment fail. After the WAN Edge authenticates with vBond, vBond helps it discover the vSmart controllers and vManage. That is why the vSmart hostname is not the first required onboarding resource in this question. NAT may exist in the path and vBond can assist traversal, but NAT itself is not the configuration identity item. A generic domain name is not the same as the SD-WAN organization name. Reference topics: Cisco SD-WAN onboarding, vBond orchestrator, organization-name, control connections, WAN Edge manual configuration.

The Cisco SD-Access edge node acts as the access-layer fabric device that connects endpoints to the fabric, provides the anycast Layer 3 gateway, and maps users or endpoints into the correct virtual network. Cisco SD-Access fabric edges register endpoint information with the control-plane node and encapsulate user traffic into VXLAN for transport across the fabric. The anycast gateway function allows a consistent default gateway to exist on multiple edge nodes, supporting mobility without forcing traffic through a central gateway. The edge node also applies policy context by associating users, endpoints, or ports with a virtual network and scalable group information. Advertising EID subnets is primarily associated with border connectivity and external route advertisement. LISP proxy tunnel router functionality belongs to border node behavior for external connectivity. Routing and transporting IP packets between fabric nodes is the intermediate-node underlay role. Therefore, the two edge-node functions in the options are acting as the anycast Layer 3 gateway and mapping users to virtual networks. Reference topics: SD-Access edge node, anycast gateway, endpoint registration, virtual networks, fabric policy.

Graceful restart is the correct high-availability design when the routing process on an intermediate OSPF router must undergo maintenance while the data plane remains available. Cisco describes graceful restart as a mechanism that allows a restarting router to continue forwarding traffic while neighbors temporarily preserve adjacency and route information. In OSPF, helper-capable neighbors assist the restarting router by maintaining forwarding state during the restart interval, preventing unnecessary route withdrawal and reconvergence. BFD is a failure-detection mechanism, so it would actually accelerate detection of a failure rather than preserve the forwarding path during planned process maintenance. Nonstop forwarding must be enabled on the device performing the control-plane restart and supported by neighbors, but the broad answer choice that captures the required routing-protocol behavior across the design is graceful restart on the participating routers. Configuring it only on R1 and R3 or only on R3 would not support the R2 process maintenance scenario. Reference topics: OSPF graceful restart, NSF, helper mode, control-plane maintenance, data-plane availability.

Because the wireless access points must remain in a common VLAN, the practical design is to align the HSRP active gateway with the spanning-tree root bridge for that VLAN. Unicast flooding commonly occurs when a Layer 2 domain is stretched between aggregation and access layers and the traffic path becomes asymmetric. If the HSRP active gateway is on one aggregation switch while STP forwards the Layer 2 path through a different aggregation switch, return traffic can be forced across inter-switch links and CAM table aging can create flooding conditions. Cisco campus design guidance emphasizes aligning Layer 2 and Layer 3 forwarding roles so the active default gateway and spanning-tree root are colocated for each VLAN. Migrating to routed access is usually the best long-term design, but it requires the APs to run on separate VLANs; the question states they use a common VLAN. Reducing ARP timers to match CAM timers can help some flooding cases, but it is not the core design fix offered here. Reference topics: HSRP and STP alignment, unicast flooding, Layer 2 campus design, wireless AP VLAN design.