300-420 Designing Cisco Enterprise Networks (ENSLD) v1.1 Questions and Answers

The primary consideration is that the participating hosts must support dual stack. The pilot is contained within a single VLAN, so the application traffic remains inside the same Layer 2 broadcast domain across the dual-site data center environment. Layer 2 switches forward Ethernet frames and do not need to understand the IPv6 header to carry IPv6 traffic inside the VLAN. Layer 3 switches need IPv6 capability only where IPv6 routing, gateways, ACLs, or services are required. For this pilot, the essential requirement is that the servers and endpoints running the IPv6 application can operate with both IPv4 and IPv6 enabled while the existing environment continues to support IPv4. Dual stack allows IPv6 testing without removing IPv4 reachability or forcing translation. Requiring every Layer 2 and Layer 3 switch in both data centers to be dual-stack overstates the design requirement. The hosts participating in the pilot are the critical dependency. Reference topics: IPv6 migration, dual stack, Layer 2 VLAN transport, data-center pilot design, IPv4 and IPv6 coexistence.

Cisco IS-IS supports Level 1, Level 2, and Level 1/Level 2 operation, and the design should restrict each link to the level it actually needs. Cisco documentation for the isis circuit-type command states that it “configures the type of adjacency that is required for neighbors on the specified interface.” In this case, the router is configured as L1/L2 and has both L1 and L2 neighbors, which causes unnecessary LSP flooding, SPF processing, and database maintenance on links that may not need both levels. Making the entire router only L1 or only L2 would be too blunt, because the router may legitimately need to participate in both domains on different interfaces. Making the router a DIS also does not solve the underlying issue; it only controls designated intermediate system behavior on broadcast networks. The best optimization is to configure each interface with the correct circuit type, such as level-1 for intra-area links and level-2-only for backbone links. This reduces control-plane load while preserving the intended two-level hierarchy.

For streaming multimedia over a WAN using DiffServ per-hop behavior, the best answer is CBWFQ with DSCP AF3. Cisco QoS design separates real-time interactive voice from streaming multimedia. Voice bearer traffic commonly uses EF and a strict priority queue because it is extremely sensitive to delay and jitter. Streaming multimedia, however, is usually buffered and bandwidth-intensive; it should receive assured bandwidth and controlled drop behavior rather than strict priority treatment. The Assured Forwarding classes are designed for this kind of preferential forwarding within DiffServ. AF3 is commonly associated with multimedia streaming in Cisco QoS baseline models, while CBWFQ provides bandwidth guarantees without allowing the class to starve other traffic. LLQ with EF is too aggressive for streaming multimedia and should be reserved for voice bearer traffic or similarly strict real-time flows. AF2 is more commonly used for transactional data or lower-priority assured service, depending on the model. The correct marking and queuing design is therefore CBWFQ with DSCP AF3. Reference topics: DiffServ, per-hop behavior, CBWFQ, DSCP AF classes, multimedia streaming QoS.

Before troubleshooting IPsec in a DMVPN deployment, the administrator should verify the GRE tunnel operation. DMVPN is built from multipoint GRE, NHRP, routing, and usually IPsec encryption. IPsec protects the tunnel traffic, but the logical tunnel and overlay reachability must be valid first. If the tunnel interface is down, incorrectly addressed, or unable to carry GRE traffic, troubleshooting crypto maps or ISAKMP will waste time because encryption cannot fix a broken overlay. After the GRE tunnel state is validated, the administrator can confirm NHRP registration and resolution, routing adjacencies, and then IPsec security associations. ISAKMP and crypto map troubleshooting are relevant only after basic tunnel operation is known to be correct. NHRP is also critical in DMVPN, but the question asks what to do before troubleshooting IPsec configuration; the first prerequisite is to verify that the GRE tunnel itself is functioning. This layered troubleshooting order follows Cisco operational practice: confirm transport reachability, then tunnel interface behavior, then NHRP and routing, and finally cryptographic protection.

The border node provides connectivity between the SD-Access fabric and networks outside the fabric. In Cisco SD-Access, edge nodes connect endpoints to the fabric, intermediate nodes transport routed IP traffic through the underlay, control-plane nodes maintain endpoint location mappings, and border nodes connect the fabric to external Layer 3 domains such as the data center, WAN, internet edge, or shared services network. A border node may perform proxy tunnel router functions and can de-encapsulate fabric traffic that is destined outside the overlay, but its design purpose is external connectivity for the fabric site. Network virtualization is primarily delivered through virtual networks, VRF separation, LISP control-plane mappings, and VXLAN encapsulation. Expanding the network is too vague and does not identify a Cisco SD-Access role. Therefore, among the available options, the border node is the component used to connect the fabric to the required external network resources. Reference topics: Cisco SD-Access border node, external connectivity, fabric roles, LISP proxy tunnel router, VN-to-VRF mapping.

This YANG mapping is based on how IETF, OpenConfig, and Cisco native models differ in portability and schema organization. IETF models are produced through the standards process and are appropriate when the same management structure is expected across vendors for common protocols. OpenConfig models are also vendor-neutral, but they are built around a consistent operational model used heavily for streaming telemetry and multivendor automation. Cisco native models mirror Cisco platform configuration more closely and expose device-specific capabilities that may not exist in common models. The selected answers keep those boundaries clear. This matters because a NETCONF or RESTCONF payload is validated against the YANG schema; a payload written for one model family cannot be assumed to work against another. In design terms, the model family should be selected after confirming device software release support, feature coverage, operational-state requirements, and vendor diversity. Open models give portability; native models give feature completeness. Reference topics: IETF YANG, OpenConfig YANG, Cisco native YANG, schema validation, automation model selection.

The Cisco SD-Access component mapping is based on the normal fabric roles. A fabric edge node is the access-facing fabric device that connects wired endpoints and fabric access points, acts as the anycast Layer 3 gateway, encapsulates endpoint traffic into VXLAN, and registers endpoint reachability with the control plane. A control-plane node supplies the LISP map-server and map-resolver functions, maintaining endpoint-to-location mappings. A border node connects the fabric to external Layer 3 domains, shared services, WAN, Internet, or another fabric/transit domain, and it de-encapsulates traffic as it leaves the fabric. Intermediate nodes provide routed IP transport inside the underlay and move packets between edge, border, and control-plane nodes without owning endpoint policy or registration. This role separation is important because a design failure often comes from assigning the wrong function to the wrong node. Access-facing policy and endpoint onboarding belong at the edge; external connectivity belongs at the border; location resolution belongs to the control plane; transport belongs to intermediate nodes. Reference topics: SD-Access fabric roles, edge node, border node, control-plane node, intermediate node.

Cisco Express Forwarding uses the adjacency table to store the Layer 2 rewrite information needed to forward packets efficiently. CEF separates forwarding decisions into the Forwarding Information Base and the adjacency table. The FIB identifies the best next hop based on routing information, while the adjacency table contains the directly connected next-hop details, including the MAC address and encapsulation rewrite string used on the outgoing interface. That is why the correct layer is Layer 2. CEF is not using the adjacency table to populate Layer 3 routes; the routing table and FIB handle Layer 3 reachability. It is also not a Layer 1 function because physical signaling does not determine the next-hop rewrite. Layer 4 is unrelated to CEF adjacency resolution. In a campus or WAN design, CEF matters because it allows hardware or optimized software forwarding without process-switching every packet. Correct ARP, neighbor discovery, and adjacency formation are therefore essential to fast packet forwarding, especially when convergence or high-throughput forwarding is required.

The required BGP address family is L2VPN EVPN. The design calls for VXLAN over a Layer 3 IPv4 fabric while preserving Layer 2 adjacency and allowing workload mobility between sites. EVPN is the BGP control plane used with VXLAN overlays to advertise MAC reachability, IP host information, and Ethernet segment information in a scalable way. It separates the Layer 2 and Layer 3 overlay control plane from the underlay IGP, which in this case is OSPF. VPNv4 is used for MPLS Layer 3 VPN routes, not VXLAN Layer 2 adjacency. IPv4 unicast advertises ordinary IP prefixes and does not carry MAC mobility or Ethernet VPN information. L2VPN VPLS or VPWS address families are associated with MPLS-based Layer 2 VPN services and do not provide the VXLAN EVPN control-plane model required here. EVPN is therefore the correct family for VXLAN fabrics that need host mobility and scalable Layer 2 extension. Reference topics: BGP EVPN, VXLAN, L2VPN EVPN address family, MAC reachability, workload mobility.

The strict-priority queue should be limited to approximately 33 Mbps on a 100 Mbps Internet connection. Cisco QoS design guidance warns that strict priority traffic must be bounded, because excessive priority traffic can starve other queues and cause poor application performance for non-real-time traffic. For voice and interactive video, priority queuing is appropriate, but the priority class should normally be constrained to about one-third of the link capacity in a converged enterprise design. That makes 33 Mbps the best choice for a 100 Mbps link. A 75 Mbps strict-priority allocation is far too high and would leave inadequate bandwidth for routing, signaling, business data, and default traffic. A 50 Mbps allocation still gives real-time media excessive control of the interface. A 25 Mbps allocation may work in some environments but is not the standard upper-limit design answer for strict priority in this Cisco context. The architect should also classify TelePresence accurately, mark traffic consistently, and police the priority queue to protect the WAN. Reference topics: LLQ, CBWFQ, strict priority limits, TelePresence QoS, WAN congestion management.

Cisco SD-WAN components map to distinct control, management, orchestration, and forwarding roles. vManage is the centralized management plane used for configuration templates, monitoring, software management, and operational visibility. vSmart is the centralized control-plane component that distributes OMP routes, TLOC information, security parameters, and centralized policy to WAN Edge devices. vBond is the orchestration component used during onboarding; it authenticates devices, helps them discover controllers, and assists with NAT traversal. The WAN Edge router, whether physical or virtual, forms the data plane at the branch, campus, or data center and forwards user traffic through secure overlay tunnels. Correctly identifying these roles is essential because SD-WAN scale and resiliency depend on separating management, control, orchestration, and forwarding responsibilities. A design that confuses vManage with vSmart or vBond will misplace policy, onboarding, and forwarding functions. Reference topics: Cisco SD-WAN architecture, vManage, vSmart, vBond, WAN Edge, OMP, overlay control plane.

The correct solution is a management VRF with SSH keys for device access. A management VRF creates a separate routing and forwarding table for management traffic, keeping administrative reachability isolated from production and overlay routes. That directly satisfies the requirement that the overlay network must not cause routing issues and makes troubleshooting easier for operations teams because management reachability can be validated independently. Cisco VRF design uses separate routing tables to isolate traffic and can support overlapping addresses or independent routing policy. For secure device access, SSH with key-based authentication provides encrypted administrative sessions and stronger authentication than clear-text or password-only methods. Private VLANs and ordinary VLANs provide Layer 2 separation but do not create independent routing tables. TACACS+ and RADIUS are AAA systems; they are useful but do not define the management transport architecture. Separate physical interfaces can be useful out-of-band, but the best match for overlay isolation and operational simplicity is management VRF plus SSH keys. Reference topics: management VRF, secure device access, SSH public-key authentication, routing-table isolation, enterprise management design.

Easy Virtual Network is the best fit when a campus needs many Layer 3 virtual networks with separate addressing and routing tables but wants lower operational overhead than manually configuring VRF-Lite everywhere. EVN builds on VRF concepts and simplifies virtualization across a hop-by-hop campus design by reducing repetitive configuration and enabling consistent virtual network transport across participating devices. Each virtual network maintains its own routing context, which supports overlapping addressing and segmentation. Hop-by-hop VRF-Lite can provide similar forwarding separation, but it becomes operationally heavy as the number of VRFs grows because each trunk, routing process, and interface association must be configured and maintained manually. Multihop MPLS can scale, but it introduces provider-style complexity and may require features or skills beyond a typical campus requirement. Multihop IPsec tunneling is not an efficient campus segmentation solution for hundreds of virtual networks. Therefore, EVN is the recommended design for scalable Layer 3 virtualization with simpler configuration and management. Reference topics: campus virtualization, Easy Virtual Network, VRF separation, scalable virtual networks, route isolation.

TLOC extension is the Cisco SD-WAN mechanism that allows a WAN Edge router without direct access to a transport to reach that transport through another WAN Edge router at the same site. Cisco describes TLOC extension as a redundancy feature in SD-WAN networks. In the question, the WAN Edge router is connected to an MPLS transport link, but Internet access is available through another WAN Edge device. With TLOC extension, the MPLS-only edge can extend traffic through the peer router toward the Internet transport, allowing the site to use multiple transports without requiring every edge router to have a physical connection to every circuit. OMP can advertise routes and TLOCs, but OMP alone does not create physical Internet access for a router attached only to MPLS. Requiring a local 4G/5G or Internet circuit on the same router is not necessary when TLOC extension is part of the design. An MPLS extranet is also not the normal SD-WAN solution for Internet transport reachability. Therefore, TLOC extension is the correct design method.

Multiple Spanning Tree Protocol is the standards-based solution that allows many VLANs to be mapped into a smaller number of spanning-tree instances. MSTP is defined by IEEE 802.1s and incorporated into IEEE 802.1Q, making it suitable for a multivendor campus where proprietary per-VLAN behavior is not acceptable. The question states that all configured VLANs must be grouped into two STP instances. That is exactly the design purpose of MST: VLAN-to-instance mapping lets the architect reduce the number of active spanning-tree calculations while still supporting different forwarding topologies for selected VLAN groups. Traditional STP runs a single common spanning tree and cannot provide two separate VLAN instance groups. RSTP improves convergence but does not by itself group VLANs into multiple instances. Rapid PVST+ provides one rapid spanning-tree instance per VLAN, but it is Cisco-oriented and creates far more instances than required. For a vendor-neutral design with two spanning-tree instances, MSTP is the correct choice and also reduces CPU and memory pressure compared with running a separate instance per VLAN.

The RPF check is performed against the RP address when the PIM router has shared-tree state. In PIM sparse mode, multicast traffic initially flows through the rendezvous point using the shared tree, represented as (*,G) state. For shared-tree traffic, the router verifies that packets arrive from the direction of the RP, because the RP is the root of the shared distribution tree. When the router has source-tree state, represented as (S,G), the RPF check is performed against the multicast source address instead. Dense mode behavior and directly connected membership are not the determining conditions in this question. The key distinction is whether forwarding state is shared-tree or source-tree. Cisco multicast design relies on this behavior to keep PIM forwarding loop free as traffic transitions from shared-tree delivery to shortest-path tree delivery where applicable. Selecting the shared-tree state option correctly identifies when the RP address is used for the RPF calculation. Reference topics: PIM sparse mode, shared tree, source tree, RPF toward RP, (*,G) and (S,G) state.

MSDP is the correct solution for multicast across different autonomous systems when RPs must discover active sources outside their local domain. In PIM Sparse Mode, each multicast domain can have its own rendezvous point. Without a mechanism to exchange source information, receivers in one domain may not know about active sources registered with an RP in another domain. Multicast Source Discovery Protocol solves that problem by allowing RPs to establish peer relationships and exchange Source-Active information. Cisco multicast design uses MSDP with PIM-SM when separate domains need to share multicast source reachability while relying on the unicast routing table for connectivity between RPs. SSM does not use an RP and depends on receivers joining a specific source and group. PIM-SM by itself works inside a domain but does not provide interdomain source discovery between RPs. PIM-DM is flood-and-prune and is not suitable for this sparse, interdomain design. Therefore, the organization should deploy MSDP between the RP devices or RP domains. Reference topics: MSDP, PIM-SM, interdomain multicast, Source-Active messages, RP-to-RP source discovery.

Cisco SD-WAN WAN Edge devices can be brought into the overlay through automated zero-touch provisioning or through manual bootstrap configuration. Zero-touch provisioning allows a device to discover the SD-WAN controllers and receive the information needed to authenticate and join the overlay with minimal on-site work. This is a core operational benefit of Cisco SD-WAN because branch routers can be shipped to sites and onboarded without a specialist manually building the entire control-plane configuration locally. Manual configuration remains available when ZTP is not used, when the site has special connectivity constraints, or when the administrator needs to stage the router directly. DHCP options and DNS records can help devices learn controller information in some deployment models, but they are not the complete pair of bootstrap methods named for vEdge onboarding. vManage is the management system, not a bootstrap method by itself. Therefore, the correct methods are ZTP and manual configuration. The design should also validate certificates, organization name, system IP, site ID, and transport interface reachability during onboarding.

Nonstop Routing is the correct solution when the upstream router does not understand graceful restart messaging. Cisco NSF and graceful restart depend on helper behavior from neighboring routers. During a supervisor switchover, the restarting device asks neighbors to preserve forwarding and adjacency state while the control plane recovers. If the neighbor does not support or understand the graceful restart signaling, NSF cannot deliver the intended benefit and route recomputation may still occur. NSR is different because it synchronizes routing protocol state between the active and standby supervisor internally, allowing the switch to preserve routing operation during stateful switchover without requiring graceful restart support from the neighbor. Remote LFA FRR protects against data-plane failures by precomputing repair paths, but it does not address supervisor switchover route recomputation. Aggressive IS-IS timers may make failure detection faster, but they increase control-plane churn and do not solve the lack of graceful-restart helper support. Therefore, the Catalyst switch should use NSR for this design. Reference topics: IS-IS high availability, NSR, NSF, graceful restart helper support, stateful switchover.

Cisco SD-WAN detects subsecond transport failure by running BFD across the IPsec tunnels between WAN Edge routers. The WAN Edge devices form encrypted data-plane tunnels over each transport, and BFD probes those tunnels to measure liveliness, loss, latency, jitter, and path availability. When BFD detects a failed or degraded tunnel, the SD-WAN fabric can withdraw or avoid that path quickly, enabling application-aware routing and fast failover. Hellos between WAN Edge routers and vSmart controllers are control-plane mechanisms and do not directly detect data-plane transport failure between edge routers. BGP is not the SD-WAN overlay control protocol for this function; OMP is used with vSmart for overlay route and policy exchange. Link-state messages between vSmart controllers do not measure transport-path liveliness. Therefore, BFD on IPsec tunnels is the correct failure-detection mechanism. The design should ensure that BFD timers, tunnel scale, controller policy, and SLA classes are chosen to balance fast failover with platform resources and transport stability. Reference topics: Cisco SD-WAN BFD, IPsec tunnels, transport failure detection, application-aware routing, data-plane liveliness.

The new BGP route-reflector design reduces the iBGP peerings by 27. A full-mesh iBGP design with 9 routers requires n times n minus 1 divided by 2 peerings, which equals 9 times 8 divided by 2, or 36 sessions. Route reflectors are used specifically to reduce this scaling burden. In the redesigned topology, each of the three clusters has one route reflector and two clients, which requires two client-to-reflector sessions per cluster, or six sessions total. The three route reflectors must still maintain iBGP sessions with one another as nonclient peers, which adds three more sessions. The redesigned total is therefore nine sessions. The reduction is 36 minus 9, which equals 27. This reflects the core scaling benefit of route reflectors: clients no longer need a full iBGP mesh with every other client in the autonomous system. Reference topics: BGP route reflectors, iBGP scaling, full-mesh formula, route-reflector clients, nonclient peering.

OSPF with the hub in area 0 and branch routers in stub areas with ECMP is the best fit because the customer has multivendor branch routers with limited memory and CPU. EIGRP is not suitable in this case because the branch environment is multivendor and EIGRP is not the safest open-standard design choice for broad interoperability. IS-IS can be efficient, but it is less common for small DMVPN branch deployments and the option does not address the requirement for resource-constrained branch routing. eBGP route reflection is not technically correct, because route reflectors are an iBGP scaling mechanism. OSPF provides an open-standard dynamic routing solution, and placing branches in stub areas limits the amount of external routing information that low-resource branch routers must process. ECMP allows both equal 10-Mbps DMVPN paths to be used when equal-cost paths exist. This design reduces operational overhead compared with static routing while respecting the platform constraints at the spokes. Reference topics: OSPF branch design, stub areas, ECMP, DMVPN routing, multivendor interoperability, branch resource optimization.

The valid get-config reply must show OSPF process ID 400 with network 192.168.128.128/25 enabled for Area 0. A /25 prefix has a block size of 128 addresses, so 192.168.128.128/25 is a valid network boundary and covers addresses from 192.168.128.128 through 192.168.128.255. Any reply that shows the wrong OSPF process, an incorrect network boundary, the wrong prefix length or wildcard equivalent, or a nonzero area does not verify the requested model set. In Cisco IOS XE model-driven configuration, the readback has to match the schema path and values used by the model, not simply produce an approximate CLI interpretation. Option B is the reply that confirms the intended OSPF object. This verification method is important because YANG automation can fail silently in operational workflows when the payload is syntactically valid but targets the wrong container or key. A get-config verification step confirms the running datastore contains the exact OSPF process and area membership required by the design. Reference topics: YANG OSPF configuration, NETCONF get-config, prefix validation, IOS XE native models.

Explicit QoS trust should be configured at the network boundary points where markings first enter the managed DiffServ domain and are known to be reliable. In a DiffServ design, traffic classification and marking are typically performed at the access edge or at a controlled ingress boundary, and downstream devices then honor DSCP or CoS markings based on the trust boundary. Cisco QoS design stresses that the trust boundary must be intentionally placed; endpoints or unmanaged devices should not be trusted by default because they can mark traffic incorrectly and steal priority treatment. The exhibit answer identifies B and E as the correct trust points, meaning those are the controlled ingress locations where markings should be accepted. Options that trust uncontrolled endpoint-facing points or internal transit locations would either create a security problem or add no practical value. Once traffic is trusted and marked at the correct boundary, queuing, policing, and shaping policies can use the DSCP values consistently across the campus or WAN. Reference topics: DiffServ, QoS trust boundary, DSCP marking, classification, enterprise QoS design.

VPN 0 is the transport VPN in Cisco SD-WAN. It carries control traffic and provides connectivity from WAN Edge routers toward the transport networks, such as MPLS, Internet, LTE, or other WAN services. Control connections to Cisco SD-WAN controllers are established through transport interfaces that belong to VPN 0. Data VPNs carry service-side user traffic and are separate from the transport VPN. VPN 512 is commonly used for out-of-band management, not for carrying overlay control connections. VPN 128 and VPN 256 are not the reserved transport VPN identifiers. The design importance is that VPN 0 must have correct addressing, color assignment, routing reachability, NAT traversal considerations, and certificate-based controller connectivity. If VPN 0 is misdesigned, the WAN Edge cannot establish stable control connections, cannot receive OMP routes and policies, and cannot build the secure overlay properly. Therefore, VPN 0 is the correct transport VPN for underlay control traffic. Reference topics: Cisco SD-WAN VPN 0, transport VPN, control connections, WAN Edge onboarding, overlay formation.

The expected port state follows Rapid Spanning Tree Protocol role selection on equal-speed point-to-point links. With 802.1w, each non-root switch selects one root port based on the lowest path cost to the root bridge. Where there are redundant Layer 2 paths of equal speed, one side of a redundant segment must remain blocked as an alternate port to maintain a loop-free topology. Because all links are 1 Gbps, path cost is equal unless bridge priority, bridge ID, or port ID breaks the tie. The selected option identifies the port pair that becomes alternate blocking based on the root placement and tie-breakers shown in the exhibit. RSTP improves convergence compared with classic 802.1D by using proposal and agreement handshakes on point-to-point links, but it still blocks redundant paths when a pure Layer 2 loop exists. A design requiring all links to forward would need a routed access design, MEC, StackWise Virtual, VSS, or another loop-free multipath technology. Reference topics: RSTP, root port, designated port, alternate port, point-to-point links, Layer 2 loop prevention.

The correct XML/YANG data model set is the option that accurately represents the IOS XE interface hierarchy, assigns the IPv4 address to GigabitEthernet2/1/0, and uses the correct prefix length of 27. In model-driven programmability, the payload must match both the selected YANG model schema and the target platform’s interface naming conventions. For IOS XE native models, interface configuration is structured under the Cisco native namespace, with interface type and name represented in the schema before IPv4 address elements are applied. The address 10.10.10.10/27 must also support a directly connected host at 10.10.10.1/27, which places both addresses in the same 10.10.10.0/27 subnet. Options that place the address under the wrong interface type, use the wrong namespace, incorrectly represent the mask, or configure the host route rather than the interface are invalid. Option D is the only answer aligned to the IOS XE YANG structure and the requested addressing. Reference topics: IOS XE native YANG, NETCONF XML payloads, interface configuration, IPv4 prefix length, model-driven programmability.

Cisco traffic policing evaluates packets against a configured traffic contract and classifies them into action states such as conforming, exceeding, and violating. The policy then applies configured actions to those states, such as transmit, drop, or remark. In a two-rate or three-color policing design, conforming traffic is within the committed rate, exceeding traffic is above the committed rate but may still be within an excess burst allowance, and violating traffic is outside the permitted profile. Therefore, conforming and violating are valid policing parameters or state/action categories in the context of the question. Shaping is not a policing parameter; it is a different QoS mechanism that buffers excess traffic and sends it later. Marking can be an action applied by policing, but the listed policing state that directly corresponds to Cisco class-based policing syntax is conform or violate. Bursting is related to token bucket sizing, but the answer choices specifically align to policing state categories. The correct pair is violating and conforming.

Cisco SD-WAN edge routers use a queuing model based on LLQ and WFQ concepts. Low Latency Queuing provides strict priority treatment for delay-sensitive traffic such as voice and real-time media, while Weighted Fair Queuing gives proportional service to other traffic classes based on bandwidth allocation. This combination aligns with SD-WAN requirements where business-critical and real-time traffic must be protected without starving normal data applications. FIFO is not appropriate for a multi-class WAN design because it does not distinguish application priority during congestion. A pure priority queue would risk starving lower-priority traffic if it were not controlled by policing or bandwidth limits. Hardware-specific campus queuing models such as 1P-4Q-2T describe certain switch egress queue structures, not the generic SD-WAN edge queuing architecture. In a professional SD-WAN QoS design, traffic is classified, marked, mapped to forwarding classes, and then scheduled using priority and weighted queues according to business intent. Reference topics: Cisco SD-WAN QoS, LLQ, WFQ, forwarding classes, application-aware WAN policy.

Route tagging with a route map is the correct redistribution loop-prevention method. In a design with mutual redistribution between OSPF and IS-IS, a route learned from one domain can be redistributed into the other domain and then fed back into the original domain at another redistribution point. This creates route feedback, suboptimal routing, or loops. Cisco routing design commonly prevents this by tagging routes at the point of redistribution and then filtering or denying routes with that tag when they are seen again at another redistribution boundary. A route map can set the tag during redistribution and match the tag on the reverse redistribution direction. Changing administrative distance may influence local route selection, but it does not reliably prevent feedback throughout the network. Stub areas reduce external LSA scope in OSPF, but they do not solve a multipoint redistribution loop between OSPF and IS-IS. Prefix filtering can work, but tagging scales better and preserves route identity across redistribution points. Reference topics: route redistribution, route tagging, route maps, OSPF, IS-IS, loop prevention.

Advertising more-specific prefixes toward the preferred service provider is the correct way to influence inbound traffic to enter through a chosen CE interface. BGP inbound path control is indirect: the enterprise cannot set local preference inside remote autonomous systems, and MED is honored only under specific provider policies. The most deterministic option available to the customer is to advertise a longer-prefix route to the preferred provider because Internet and BGP route selection generally prefer the longest matching prefix before BGP path attributes are considered. If the aggregate is advertised to both providers but a more-specific route is advertised to the provider connected to gig0/0, return traffic for that more- specific destination is attracted through that interface. Lowering MED toward the less preferred provider is the opposite of the desired effect. AS-path prepending toward the preferred provider would make that path less attractive. Local preference affects outbound path selection inside the local AS, not inbound traffic from external networks. Reference topics: BGP inbound traffic engineering, longest-prefix match, route aggregation, AS-path prepending, MED, local preference.

L2VPN is the correct technology because the requirement is for two remote offices to share a common broadcast domain across a private WAN with minimal overhead. A Layer 2 VPN service extends Ethernet or VLAN connectivity between customer sites while keeping the customer routing design independent of the provider core. From the customer perspective, the two sites can appear to be on the same Layer 2 segment, which satisfies the shared broadcast-domain requirement. GET VPN, IPsec, and GRE are Layer 3-oriented technologies. They can connect sites securely or provide tunneling, but they do not natively create a common Layer 2 broadcast domain between the offices. GRE also adds additional encapsulation overhead, and IPsec alone generally provides encrypted routed connectivity rather than an Ethernet service. For a simple direct logical path over a private WAN, an L2VPN service such as VPWS or VPLS is the appropriate design family. Reference topics: L2VPN, VPWS, VPLS, Ethernet WAN services, broadcast-domain extension, private WAN connectivity.

The correct overlay considerations are that virtual networks provide data-plane isolation and that overlapping IP addresses should be avoided for operational simplicity. In Cisco SD-Access, virtual networks are used for macro segmentation and are commonly mapped to VRFs. This separates routing and forwarding tables between major groups such as corporate users, guests, IoT, and shared services. Security Group Tags provide finer policy control and microsegmentation, but they are not the primary mechanism for data-plane isolation between virtual networks. The phrase “virtual networks should be used for microsegmentation” is therefore inaccurate; microsegmentation is SGT and SGACL driven. Although overlapping IP addresses can technically exist in separate VRF-like contexts, Cisco design practice discourages unnecessary overlap because it complicates troubleshooting, service insertion, external connectivity, and inter-VN communication. A clean overlay address plan improves operations and reduces policy ambiguity. Reference topics: SD-Access overlay design, virtual networks, macro segmentation, SGTs, microsegmentation, overlapping IP avoidance. This also simplifies day-two operations.

In a Cisco SD-Access fabric, DHCP relay design must account for the fact that endpoints can attach to different fabric edge nodes while using consistent anycast gateway behavior. DHCP Option 82 is important because it inserts relay-agent information that allows the DHCP infrastructure to identify where the DHCP request originated. This enables the correct address scope and policy context to be selected for the endpoint even when the gateway address is anycast across multiple fabric edges. Cisco SD-Access DHCP guidance emphasizes the use of relay information so centralized DHCP services can assign the correct address based on fabric location and endpoint context. DHCP relay is not simply enabled on border nodes, and subnets should not be stretched across fabric edges by placing DHCP servers on borders. DHCP servers do not require a special proprietary SD-Access extension in the sense described by the incorrect option; they use standard relay information such as Option 82. Therefore, the key design consideration is enabling DHCP Option 82 so the circuit information maps the request to the fabric node where it originated.

The drag-and-drop answer follows the practical distinction between the YANG model families. IETF models are standards-based models intended to provide a common structure for widely implemented protocol and interface functions. OpenConfig models are vendor-neutral operational and configuration models developed for cross-vendor automation, with a strong focus on consistent telemetry and network state representation. Cisco native models expose Cisco platform-specific capabilities and usually provide the deepest coverage for IOS XE, IOS XR, or NX-OS features that are not fully represented in a common model. The selected mapping therefore assigns model elements according to origin, portability, and feature depth. In a production automation design, engineers should start with open models when interoperability and long-term portability matter, but they should choose Cisco native models when a required Cisco feature is not available or is incomplete in IETF or OpenConfig. The choice is not cosmetic; it affects payload structure, namespace, validation behavior, and operational consistency across device families. Reference topics: YANG model families, IETF YANG, OpenConfig, Cisco native YANG, model-driven configuration.

A policy-based IPsec tunnel with static routing is the simplest secure design for connecting two hosts in two companies when no additional future connectivity is planned. The requirement is narrow: one host in Company A must communicate with one host in Company B over a single encrypted Internet connection. Policy-based IPsec is straightforward for this type of point-to-point encryption because crypto ACLs define exactly which interesting traffic should be protected. Static routing is sufficient because there is no complex topology, no dynamic path selection requirement, and no anticipated expansion. A DMVPN design would add unnecessary NHRP, multipoint GRE, and dynamic routing complexity. A routed IPsec tunnel with OSPF is useful when many networks or dynamic route changes are expected, but it is more complex than needed. MPLS VPN with BGP would require provider service and does not meet the simple encrypted Internet connection requirement. Reference topics: site-to-site IPsec, policy-based VPN, static routing, point-to-point secure connectivity, WAN simplicity.

The default MTU should be increased in the Cisco SD-Access fabric underlay. SD-Access data-plane traffic uses VXLAN encapsulation, and VXLAN adds overhead beyond the original endpoint frame. If the underlay remains at a standard 1500-byte MTU, encapsulated packets can fragment or be dropped, especially when applications set the DF bit. Cisco SD-Access design guidance therefore calls for an increased underlay MTU so the fabric can carry overlay-encapsulated traffic cleanly. Reducing subnets is an overlay simplification topic, not an underlay MTU consideration. The number of supported control-plane nodes is a scale and availability design consideration, not the key underlay requirement in this question. Unified policy is part of fabric policy and segmentation, not underlay transport readiness. A professional SD-Access underlay design validates routed reachability, loopback advertisements, IGP operation, redundant paths, and MTU end to end before enabling the overlay. The MTU setting is critical because a stable underlay must transport LISP control-plane traffic and VXLAN data-plane traffic without fragmentation. Reference topics: SD-Access underlay, VXLAN overhead, MTU design, fabric transport readiness.

An out-of-band management network best satisfies the requirement to grant and revoke administrative access, restrict management protocols, and limit exposure of management interfaces. Out-of-band management separates administrative traffic from the production data plane by using dedicated management interfaces, management switches, terminal infrastructure, or separate routing. This isolation improves security because a compromise or congestion event in the production network does not automatically provide access to device management planes. It also allows stronger access controls, protocol restrictions, logging, and administrative segmentation for SSH, NTP, FTP, and SNMP. In-band management uses the production network and is more exposed to outages or data-plane attacks. An enterprise internal private network is too vague and does not guarantee management-plane isolation. mGRE is a tunneling technique, not a complete management access architecture. A professional design should also include AAA, role-based authorization, ACLs, management VRFs where appropriate, logging, and monitoring. Reference topics: out-of-band management, management-plane security, AAA, access control, protocol restriction, network operations design.

An SD-Access intermediate node routes and transports IP traffic between fabric nodes. It is part of the underlay transport path, comparable to a routed distribution or core device that provides IP reachability between edge, border, and control-plane nodes. Intermediate nodes do not perform endpoint registration, VXLAN encapsulation for attached users, virtual-network mapping, or anycast gateway services. Those functions belong primarily to fabric edge nodes. They also do not act as LISP proxy tunnel routers, which is a border-node function used for communication between the fabric and external networks. The intermediate node’s role is deliberately simple: maintain underlay routing, provide resilient transport, and forward encapsulated traffic across the fabric infrastructure. This separation of roles is what lets Cisco SD-Access scale by keeping endpoint intelligence at the edge and mapping intelligence in the control plane while the intermediate layer remains a stable IP transport network. Reference topics: SD-Access intermediate node, routed underlay, IP transport, fabric roles, edge and border node separation.

Single-topology IS-IS with the transition feature is the correct design when IPv6 is being added to an existing IPv4 IS-IS network and both topologies must match exactly. In single-topology mode, IS-IS calculates one topology and uses it for both IPv4 and IPv6, which fits the requirement that the IPv4 and IPv6 paths and router levels remain the same on each interface. Cisco documentation notes that single-topology IS-IS IPv6 requires routers to run the same set of address families for adjacency consistency; during migration, transition support allows the network to operate while IPv6 is introduced gradually. Multi-topology IS-IS is used when IPv4 and IPv6 should be allowed to follow different topologies or when not all routers support the same address families. The question explicitly says the topologies will match exactly, so multi-topology is unnecessary. Single topology without the transition feature is risky during phased migration because routers that do not yet run both address families may fail adjacency checks or create blackholing. Reference topics: IS-IS for IPv6, single-topology IS-IS, transition mode, address-family consistency, IPv6 migration.

A single VPLS instance is the correct Layer 2 VPN design because the customer requires service-provider transparency and direct communication between CE routers attached to the same VLAN. Virtual Private LAN Service provides a multipoint Ethernet LAN service across a provider MPLS or IP backbone. To the customer, the provider network behaves like a transparent Layer 2 switching domain, allowing CE devices in the same VLAN to communicate directly at Layer 2. VPWS is point-to-point, so multiple VPWS circuits would be required to approximate multipoint connectivity, and the design would not provide the same transparent shared LAN behavior. Multiple VPLS instances are unnecessary when the requirement is a single VLAN or single broadcast domain. VPLS also hides provider devices from the customer Layer 2 service view while allowing MAC learning and forwarding across the provider edge. Reference topics: VPLS, Layer 2 VPN, multipoint Ethernet service, CE transparency, VLAN extension, service provider WAN design.

Multichassis EtherChannel is the correct design when distribution switches support VSS and the campus needs fast Layer 2 convergence while using as much uplink bandwidth as possible. With VSS, two physical distribution switches operate as a single logical switching system from the perspective of the access layer. MEC allows an access switch to bundle links to both distribution chassis into one logical EtherChannel. This removes the normal spanning-tree blocking of redundant uplinks, uses both links actively, and provides fast convergence if one physical link or chassis fails. A plain EtherChannel normally terminates on one physical switch, so it does not provide the same chassis-level resiliency unless the distribution pair is virtualized. RSTP improves loop convergence but still blocks redundant Layer 2 paths in a traditional topology. ECMP requires Layer 3 routing, and the question notes routing protocol limitations. Therefore, MEC on VSS is the best solution for bandwidth utilization and fast Layer 2 recovery. Reference topics: VSS, Multichassis EtherChannel, Layer 2 campus resiliency, STP avoidance, access-to-distribution design.

BIDIR-PIM is the correct multicast deployment model when redundant paths and active links may create RPF challenges for many-to-many multicast traffic. Bidirectional PIM builds a shared tree rooted at the rendezvous point and avoids maintaining separate source-specific shortest-path trees for every sender. This is valuable when sources and receivers are spread across a redundant branch design and traffic can enter the multicast domain from multiple directions. Because BIDIR-PIM uses the Designated Forwarder mechanism on each link, it helps control which router forwards traffic toward the RP and reduces duplicate forwarding in topologies where normal RPF behavior could be problematic. PIM-SM is widely used, but it normally moves to source trees for active sources unless specifically controlled. PIM-SSM requires receivers to know the source and is not designed for arbitrary many-to-many communication. PIM-BSR is a mechanism for dynamic RP discovery, not a multicast forwarding model. Reference topics: BIDIR-PIM, multicast RPF, many-to-many multicast, Designated Forwarder, branch multicast design.

The correct routing design is OSPF with multiple areas. The company is moving away from RIP because the network has grown and now requires segmentation, summarization, fast convergence, and scalability. Cisco positions OSPF as a link-state IGP suitable for larger enterprise networks, and OSPF areas are the standard mechanism for containing topology information and scaling the link-state database. Area Border Routers can summarize routes between areas, reducing routing table size and limiting the scope of link-state flooding and SPF recalculation. This directly satisfies the requirement to segregate departments while summarizing between segments. EIGRP can converge quickly and summarize, but “stub areas” are not an EIGRP construct; EIGRP uses stub routers. OSPF virtual links are not a primary segmentation design tool; they are used to repair backbone connectivity issues. Modifying EIGRP K values changes metric calculation but does not solve segmentation or summarization. Reference topics: OSPF multi-area design, ABR summarization, SPF scope control, enterprise IGP scalability.

Affinity is the SD-WAN feature used to control and reduce control connections between WAN Edge devices and vSmart controllers. Cisco SD-WAN high-availability documentation describes controller affinity as a way to limit the number of controllers that an edge device establishes control connections with, while still preserving controller and data center redundancy. This reduces unnecessary control-plane load and limits the strain placed on vSmart controllers in large overlays. The feature is particularly useful when multiple vSmart controllers exist across multiple data centers and the designer wants predictable primary and backup controller relationships. The color attribute identifies transport characteristics, such as public Internet, MPLS, or other transport types. Control-connections is a general concept, not the feature that minimizes them. Control-direction is not the correct design construct for this purpose. A scalable SD-WAN design should use affinity where controller scale, regionalization, and control-plane efficiency must be explicitly managed. Reference topics: Cisco SD-WAN controller affinity, vSmart scale, control connections, TLOC control-plane optimization.

VRRP object tracking allows the effective priority of a VRRP router to change when a tracked object changes state. Cisco documentation states that VRRP object tracking ensures the best VRRP router is master by altering VRRP priorities according to tracked objects such as interface or IP route states. This directly supports answer A. It also supports answer D, because VRRP can track interfaces and routes through the tracking process. The priority does not have to remain fixed; object tracking is specifically designed so a router can lower its priority when an uplink, route, or critical dependency fails. A VRRP group is not limited to one tracked object in modern Cisco implementations, so option C is too restrictive. VRRP does not support only interface tracking; route tracking is also a common use case, especially when the LAN interface is still up but upstream reachability has failed. In a resilient campus or branch gateway design, object tracking prevents a router from remaining master when it no longer has a valid upstream path, improving deterministic failover.

TLOC information is the OMP update that allows Cisco SD-WAN to build an overlay over any public or private transport without depending on the actual underlay link addressing. Cisco OMP advertises route reachability along with Transport Location mappings. A TLOC represents where and how a WAN Edge can be reached in the transport network, using attributes such as system IP, transport color, encapsulation, and next-hop information. Remote WAN Edge routers use this information to form secure data-plane tunnels to the correct transport attachment. RLOC is a LISP locator term associated with SD-Access and LISP designs, not the SD-WAN OMP construct. DTLS is the secure transport used for control connections, but it is not an OMP route information type. LISP PITR is unrelated to Cisco SD-WAN OMP. The secure overlay is built by combining OMP routes, TLOCs, policy, and encrypted tunnel establishment. Reference topics: Cisco SD-WAN OMP, TLOC routes, transport color, overlay routing, secure data-plane tunnels.

Human Resources: 10.1.1.112/29; Facilities: 10.1.1.64/27; Engineering: 10.1.1.0/26; Finance: 10.1.1.96/28.

The addressing plan must use VLSM and assign the smallest subnet that satisfies each department’s host requirement without overlapping inside the single /24 block. Engineering needs 32 hosts, so a /27 is not enough because it provides only 30 usable addresses. The smallest listed subnet that satisfies Engineering is 10.1.1.0/26, which provides 62 usable addresses. Facilities needs 18 hosts, so a /27 is appropriate; 10.1.1.64/27 provides 30 usable addresses. Finance needs 12 hosts, so a /28 is sufficient because it provides 14 usable addresses; the matching listed subnet is 10.1.1.96/28. Human Resources needs 5 hosts, so a /29 is sufficient because it provides 6 usable addresses; the matching listed subnet is 10.1.1.112/29. The unused options either overlap with selected ranges, provide too few hosts for the department, or waste address space unnecessarily. Cisco addressing design favors hierarchical, nonoverlapping, right-sized prefixes so the plan remains scalable and easy to summarize where possible.

LISP is the control-plane protocol responsible for Endpoint Identifier to Routing Locator mapping in Cisco SD-Access. In the SD-Access architecture, an endpoint address is treated as an EID, and the fabric node location is represented by an RLOC. The fabric control-plane node performs LISP map-server and map-resolver functions so edge nodes can register local endpoints and resolve the current location of remote endpoints. This separation allows the overlay to support host mobility, anycast gateway behavior, and segmentation without depending only on traditional subnet-bound forwarding. VXLAN is the fabric data-plane encapsulation used to carry traffic across the fabric and preserve policy information, but it does not provide the EID-to-RLOC mapping function. CEF is the local forwarding mechanism inside Cisco devices, and GBAC is not the SD-Access mapping protocol. Therefore, LISP is the correct answer because it provides the SD-Access fabric control plane. Reference topics: Cisco SD-Access control plane, LISP, EID, RLOC, map-server, map-resolver.

A logical topology that virtually connects devices over an arbitrary physical network is an overlay. In Cisco SD-Access, the underlay provides basic IP reachability between fabric nodes, while the overlay creates the logical network used by endpoints, virtual networks, and policy segmentation. The overlay is not constrained to the exact physical cabling topology; instead, it uses encapsulation and control-plane mapping to carry user traffic across the routed fabric. Cisco SD-Access uses LISP in the control plane for endpoint-to-location mapping and VXLAN in the data plane for encapsulation. This allows the fabric to present consistent logical connectivity even when the physical network is built from routed links and different infrastructure layers. The data plane is the forwarding mechanism, the control plane resolves location information, and the underlay is the physical and routed transport. The logical topology built on top of those components is the overlay. Reference topics: Cisco SD-Access overlay, underlay, VXLAN, LISP, fabric logical topology.

If the RPF check is successful in PIM sparse mode, the multicast packet is forwarded according to the outgoing interface list. The Reverse Path Forwarding check verifies that the packet arrived on the interface the router would use to reach the source, or the RP in the case of shared-tree state. This prevents loops and duplicate multicast forwarding. After the check passes, the router consults the multicast forwarding entry and sends the packet only out interfaces in the OIL where downstream receivers or PIM neighbors require the traffic. It is not automatically forwarded out every PIM-enabled interface, and it is not forwarded back out the receiving interface. If the RPF check fails, the packet is dropped to protect the multicast distribution tree. The OIL therefore represents the correct controlled forwarding behavior after a successful RPF validation. Reference topics: PIM sparse mode, RPF check, outgoing interface list, multicast forwarding state, loop prevention.

The correct BGP design is to attach the well-known No-Export community to the prefixes that should not be advertised beyond the service provider boundary. Cisco BGP communities are policy attributes that allow routes to carry instructions or classifications across BGP peers. The No-Export community tells a receiving BGP speaker not to advertise the route outside its confederation or autonomous system. That behavior is exactly what is needed when branch prefixes may be exchanged with the provider but must not be propagated to the public Internet. The No-Advertise community is stronger: it prevents the route from being advertised to any BGP peer, which may block reachability even where the provider still needs to know the route. NOPEER is used for route-server or peering policy control and is not the clean answer for excluding branch prefixes from Internet propagation. Setting a generic “Internet community” is not a standard solution by itself. The architect should also ensure that outbound prefix filters and provider-side community support are documented in the service agreement. Reference topics: BGP communities, No-Export, No-Advertise, provider edge filtering, Internet route policy.

L2VPN is the correct solution because the customer requires point-to-point connectivity while preserving existing VLAN infrastructure. Cisco describes Layer 2 VPN services as emulating Layer 2 connectivity across a provider IP or MPLS backbone, commonly through Ethernet pseudowires or VPWS. This allows sites such as dispersed data centers and a colocation facility to exchange Ethernet frames as if they were directly connected at Layer 2. The design is especially useful when data center synchronization, backup workflows, or application dependencies require VLAN continuity or minimal changes to existing addressing and routing. L3VPN would provide routed connectivity and VRF separation, but it would not preserve the VLAN-based service model. GRE would add an overlay tunnel but would not natively provide provider-managed Layer 2 service. DMVPN is designed for scalable Layer 3 IPsec/GRE overlays between branches, not for VLAN extension or point-to-point data center interconnect. Reference topics: L2VPN, VPWS, Ethernet pseudowire, VLAN extension, data center interconnect, WAN service design.

An MPLS Layer 3 VPN with separate VRFs for corporate and guest traffic is the correct WAN design. The customer has branch teams that must communicate with each other and access enterprise applications in the data center and cloud, while guest traffic must be isolated and allowed only to reach the Internet gateway in the data center. Cisco MPLS L3VPN designs use VRFs to create separate routing tables and isolate traffic over the shared provider backbone. A corporate VRF can carry interbranch and application traffic, while a guest VRF can be routed only toward the data-center Internet security stack. A separate service provider for guest users would increase cost and operational complexity without solving segmentation as cleanly. A firewall in the data center can enforce security, but it does not by itself provide routing separation across the WAN. A separate VRF for every branch would isolate branches from each other and would be unnecessary unless each branch required complete tenant separation. Reference topics: MPLS L3VPN, VRF segmentation, guest Internet access, enterprise WAN design, centralized Internet gateway.

MSDP should be enabled between the Anycast RP routers using separate unique loopback interfaces. In a PIM Anycast RP design, multiple RPs share the same RP address so multicast routers can reach the topologically closest RP through normal unicast routing. That shared RP address gives redundancy and load sharing, but it also creates a source-discovery problem: a source registered to RP1 must be known by RP2 so receivers using RP2 can join the same multicast stream. Cisco Anycast RP designs solve this by running MSDP between the RPs. The MSDP peerings should use unique loopback addresses, not the shared Anycast RP address, because each router must have an individually reachable identity for the MSDP session. Extending the RP subnet at Layer 2 between data centers is unnecessary and poor design. Using the configured Anycast RP address for MSDP creates ambiguity because both routers advertise the same address. Doing nothing would leave each RP aware only of locally registered sources. Reference topics: Anycast RP, MSDP, PIM sparse mode, source-active exchange, multicast RP redundancy.

The SD-Access overlay should reduce subnet sprawl and avoid overlapping IP subnets unless there is a specific operational requirement. Cisco SD-Access creates overlay virtual networks over an IP underlay and uses anycast gateway, VXLAN encapsulation, LISP control-plane mapping, and policy constructs to simplify endpoint mobility and segmentation. Reducing the number of subnets simplifies DHCP scope management, default-gateway placement, and operational troubleshooting. Avoiding overlapping address space across overlay networks is also a practical design recommendation because overlapping subnets complicate shared services, fusion routing, security logging, and policy troubleshooting. LAN automation and a dedicated IGP process are underlay deployment considerations, not overlay design choices. Layer 3 to the access design is also associated with routed underlay and campus fabric transport, not the overlay segmentation model. A clean overlay design should define virtual networks, scalable groups, IP pools, shared-services reachability, and external connectivity before deployment. Reference topics: Cisco SD-Access overlay design, anycast gateway, virtual networks, DHCP simplification, overlapping subnet avoidance.

The EIGRP stub connected option is appropriate when the new circuit is intended to protect reachability to a connected subnet without turning the router into a broad transit point. EIGRP stub routing is used to limit the routes a router advertises to its neighbors and to constrain EIGRP query scope. A stub router can advertise connected routes, summary routes, redistributed routes, or combinations depending on the configured stub option. In this scenario, the new C-to-D circuit protects connectivity to 10.0.4.0/24 during a failure between B and D. Advertising the connected network through the stub behavior gives upstream routers a valid alternate route while still preventing unnecessary transit advertisements. Stub redistributed would be used for routes learned from another routing process, not for directly connected networks. Stub receive-only would prevent the router from advertising any routes, which would not protect reachability. Stub leak-map is used for controlled exceptions and is unnecessary if the required route is a connected subnet. Reference topics: EIGRP stub routing, connected route advertisement, query boundary design, DUAL stability.

Traffic shaping is required in the parent policy when hierarchical QoS uses CBWFQ in the child policy for low-bandwidth remote sites. In Cisco hierarchical QoS, the parent policy commonly shapes outbound traffic to the real available rate of the WAN service, especially when the physical interface speed is higher than the provider committed rate. The child policy then applies class-based queuing, such as CBWFQ and LLQ, inside the shaped rate. This structure creates an artificial congestion point on the router so the child queues can schedule packets predictably instead of allowing the provider to drop traffic after it exceeds the service rate. Policing in the child policy would drop excess packets and is not the normal prerequisite for nested CBWFQ. CBWFQ is supported in child policies within hierarchical designs, and parent shaping is the mechanism that makes the hierarchy effective. This is especially important on low-bandwidth WAN links where voice, video, and business-critical applications require deterministic treatment. Reference topics: hierarchical QoS, CBWFQ, parent shaping, child queuing, WAN QoS design.

The company must configure a summary route on R1. The branch routers must remain normal EIGRP routers, and auto-summary is not allowed, so the scalable design choice is manual summarization at the hub. Cisco EIGRP documentation states that manual summarization can be configured on an interface using the ip summary-address eigrp command and can summarize routes on almost any bit boundary. In a DMVPN hub-and-spoke topology, a hub summary reduces the number of individual routes advertised to branches, limits routing-table growth, and helps contain EIGRP queries. It also keeps branch configuration simple because the branches do not need to be converted to stub routers to meet this specific requirement. Disabling split horizon is a common DMVPN Phase 2 consideration when the hub must advertise spoke routes back out the same multipoint tunnel interface, but it does not summarize HQ routes. A multipoint interface is already implied by DMVPN, and disabling the SIA timer is not a design solution. Reference topics: EIGRP manual summarization, DMVPN hub design, no auto-summary, query containment.

MSDP is the correct technology when a large multicast design uses multiple PIM Sparse Mode domains and needs to exchange active source information between those domains. Cisco describes Multicast Source Discovery Protocol as the mechanism used by RPs in different PIM-SM domains to learn about multicast sources outside their own domain. When a source becomes active, the local RP can advertise Source-Active information to MSDP peers, allowing receivers in other domains to discover and join that source. This supports domain separation and can help balance multicast control-plane scope in large networks. DVMRP and MOSPF are legacy multicast routing approaches and are not the design mechanism for modern PIM-SM domain interconnection. IGMP is used between hosts and local multicast routers for receiver membership signaling; it does not exchange source information between multicast domains. Therefore, a design with more than 100 routers, several multicast domains, and PIM-SM traffic balancing should include MSDP. The architect should also design RP placement, Anycast RP behavior, peer mesh scaling, and source filtering. Reference topics: MSDP, PIM-SM domains, Source-Active messages, interdomain multicast.

Dual stack is the correct migration strategy when the application chooses IPv6 or IPv4 based on DNS resolution. In a dual-stack deployment, hosts and network devices run IPv4 and IPv6 at the same time. Applications can query DNS and then select the protocol based on the returned records, such as using an AAAA record for IPv6 or an A record for IPv4. This gives the organization a controlled migration path because IPv6-capable applications and services can move to IPv6 while legacy IPv4 services remain reachable during the transition. Address-family translation for public web presence is useful when IPv6-only and IPv4-only endpoints must communicate through a translation boundary, but it does not provide native application choice between the protocols. Host-initiated tunnels and site-to-site IPv6-over-IPv4 tunnels encapsulate one protocol over another and add operational overhead. The question’s key phrase is that the application chooses between IPv6 and IPv4 based on DNS; that is the normal dual-stack behavior. Reference topics: IPv6 migration, dual stack, DNS A and AAAA records, transition strategy, application protocol selection.

The telemetry mapping separates dial-in and dial-out behavior. In dial-in telemetry, the collector initiates the session toward the network device and subscribes to the data that it wants streamed. This model gives the collector direct control over the subscription lifecycle, but it requires the collector to reach the device and manage each session. In dial-out telemetry, the network device initiates the session toward the collector based on a configured subscription. This is useful when devices must stream telemetry to a centralized destination through firewalls or controlled management paths. Cisco model-driven telemetry can stream structured data from YANG models using subscription behavior rather than relying on repeated CLI polling. The selected drag-and-drop answer matches each consideration to the mode that owns the connection initiation and subscription handling. In design work, the architect must consider reachability direction, security policy, NAT traversal, collector scale, subscription persistence, and whether subscriptions should be configured on the device or created by the collector. Reference topics: model-driven telemetry, dial-in mode, dial-out mode, YANG subscriptions, gRPC telemetry, operational data streaming.

EIGRP stub routing is designed to prevent remote or spoke routers from being used as transit routers. In a hub-and-spoke or dual-homed remote design, a stub router advertises only the route types permitted by its stub configuration, such as connected or summary routes, and it is not queried for routes that it cannot reasonably provide. This reduces EIGRP query scope and helps avoid stuck-in-active conditions. The tradeoff is that the network must not depend on a stub site to carry transit traffic between other parts of the topology. In this scenario, the spoke nodes are configured as EIGRP stubs. When the direct R1-to-R2 link fails, R1 cannot use the alternate path through the other spoke-side topology as a transit path to reach a subnet attached to R2. The EIGRP stub design prevents the route from being advertised in a way that would make the spoke act as a transit router. As a result, R1 has no valid route to R2 ' s attached subnet and drops the traffic. This behavior is consistent with the purpose of EIGRP stub routing.

DiffServ is the correct QoS model for a business-critical, delay-sensitive, high-bandwidth application across DMVPN tunnels protected with IPsec. Differentiated Services classifies and marks traffic, usually with DSCP, and then applies per-hop behavior at each network device. This model scales well across enterprise WANs because routers do not need to maintain per-flow reservation state. DMVPN and IPsec overlays can carry marked traffic, and the WAN design can apply queuing, shaping, and congestion avoidance based on those markings. IntServ with RSVP can provide explicit resource reservation, but it is stateful and does not scale well across many branch tunnels. RSVP also becomes operationally difficult across encrypted overlay environments. WRED is only a congestion avoidance mechanism, not a complete QoS architecture. Because the application needs differentiated treatment but the WAN must remain scalable, DiffServ is the practical Cisco enterprise design model. Reference topics: DiffServ, DSCP marking, DMVPN QoS, IPsec QoS pre-classify, per-hop behavior, enterprise WAN QoS.

The design is an IPv6 overlay carried across an existing underlay, so the correct advantages are that multiple independent logical networks can run over a shared underlay and that unsupported protocols can be transported across that underlay. Cisco describes overlay tunnels as encapsulating one protocol inside another so traffic can cross infrastructure that does not natively support the passenger protocol. For an IPv6 migration, this permits IPv6 connectivity across an IPv4-only transport while the intermediate network remains unchanged. The same overlay concept also allows separate logical networks to be created over common physical transport, which is a fundamental design principle in SD-Access, SD-WAN, GRE, and other overlay technologies. The design does not eliminate fate-sharing; if the underlay fails, the overlay fails. It also does not reduce forwarding overhead, because encapsulation adds header bytes and may affect MTU. The number of devices joining the overlay still depends on addressing, routing, tunnel scale, and control-plane design. Reference topics: IPv6 overlay tunneling, shared underlay, encapsulation overhead, protocol transport, migration design.

Lowering the OSPF cost on the direct R1-to-R2 link is the cleanest way to force traffic for 10.10.20.0/24 to prefer that link. OSPF calculates the shortest path using cumulative interface cost, and Cisco designs normally tune OSPF path selection by changing interface cost rather than administrative distance. Administrative distance determines preference between different routing protocols, not between OSPF paths inside the same OSPF process. Moving the link into another area or creating a multiarea adjacency adds design complexity and does not directly solve the requirement unless the resulting cost still becomes lower. The exhibit states that the architect must use the direct link for traffic from 10.10.10.0/24 toward 10.10.20.0/24. Therefore, the direct link must have a lower total OSPF metric than the alternate path. Configuring the link cost to a value below 30 makes OSPF choose it as the preferred intra-area route. This is deterministic, easy to validate with the OSPF database and routing table, and consistent with Cisco hierarchical IGP design practice. Reference topics: OSPF cost, SPF path selection, metric tuning, intra-area routing.

Integrated Services is the QoS model that allows an application to signal its traffic requirements to the network and request specific service treatment. Cisco QoS guidance distinguishes IntServ from DiffServ by explaining that IntServ follows a signaled-QoS model, while DiffServ uses provisioned per-hop behavior based on markings. IntServ uses RSVP to reserve resources along the end-to-end path. That reservation process allows the network to admit or deny the flow based on available bandwidth and policy, which is why IntServ aligns with applications that require consistent and dedicated bandwidth. DiffServ is much more scalable and widely deployed in enterprise networks, but it does not provide per-flow resource reservation by itself. LLQ is a queuing mechanism commonly used inside a DiffServ design for delay-sensitive traffic such as voice. WRED is a congestion-avoidance technique, not an end-to-end reservation architecture. Because the question explicitly says that the application informs the network of its traffic profile and requests a service level, the correct QoS architecture is IntServ.

Enabling EIGRP stub routing on the spokes decreases convergence time in a hub-and-spoke design by reducing unnecessary queries and preventing spokes from being treated as transit routers. EIGRP convergence can be delayed when a router loses a route and must query many neighbors to determine whether an alternate path exists. In remote-site or spoke designs, a spoke normally has no useful alternate path for networks beyond itself, so querying it wastes time and can contribute to stuck-in-active conditions. Cisco EIGRP stub routing allows the spoke to advertise only permitted route types and informs upstream routers not to query the spoke for routes outside its scope. This creates a cleaner query boundary and accelerates convergence after link or route failures. Subsecond timers can detect neighbor loss more quickly, but they do not address the broader EIGRP query behavior shown in the design. Increasing hold or dead timers would slow detection, not improve convergence. Therefore, in the displayed hub-and-spoke EIGRP design, enabling stub routing on the spokes is the correct solution to decrease convergence time.

Wireless endpoints in Cisco SD-Access are registered through the fabric wireless integration process, and the fabric WLC is the component that updates endpoint information as clients join the wireless network. The Host Tracking Database stores endpoint identifier and location information used by the SD-Access control plane. For wired endpoints, the fabric edge detects the endpoint and registers the binding. For wireless endpoints, the fabric WLC is integrated with the fabric and has the client session context, so it provides the endpoint information needed for HTDB updates. Border nodes do not first register ordinary wireless endpoints; their role is to connect the fabric to external networks and other domains. Fabric APs also do not own the complete EID-to-RLOC registration function in the way the controller does. The design implication is that fabric wireless requires correct WLC integration with Cisco Catalyst Center, fabric site configuration, control-plane reachability, and policy integration through Cisco ISE. Client registration, mobility, and policy enforcement depend on this controller-to-fabric relationship being stable. Reference topics: SD-Access wireless, fabric WLC, Host Tracking Database, endpoint registration, LISP control plane.

OpenConfig, IETF, and Cisco native YANG models differ mainly in scope and implementation focus. IETF models are standards-based and are intended to cover common protocol or interface functions across vendors. OpenConfig models are vendor-neutral operational and configuration models developed for broad network automation use cases and often provide a more detailed service or operational structure than the corresponding baseline IETF model. Cisco native models are device and operating-system specific, which means they usually expose the most complete Cisco feature coverage but are less portable across vendors. For the question wording, OpenConfig is more comprehensive than IETF when configuring the same general feature in a multivendor environment, because OpenConfig commonly defines richer operational and configuration containers beyond the minimum standards model. Option B is incorrect because Cisco native models are not generally less comprehensive than OpenConfig on Cisco devices. Option C is also incorrect for the same reason. Option D reverses the usual relationship. Reference topics: YANG model families, IETF models, OpenConfig models, Cisco native YANG models, model-driven programmability.

The VPN drag-and-drop answer distinguishes Layer 2 VPN, Layer 3 VPN, and encrypted overlay VPN behavior. VPWS provides a point-to-point Layer 2 service, while VPLS provides multipoint Layer 2 Ethernet service across a provider core. MPLS Layer 3 VPN provides routed private WAN connectivity with provider-managed VPN routing and forwarding separation. GRE and DMVPN are overlay technologies that can carry multicast and dynamic routing protocols; DMVPN adds NHRP and multipoint GRE to scale hub-and-spoke and spoke-to-spoke designs. IPsec provides encryption and integrity for traffic over untrusted transport, but native policy-based IPsec does not carry multicast without an additional overlay such as GRE. GET VPN encrypts traffic across a private routed WAN without building permanent point-to-point tunnels and is often used where multicast and dynamic routing should remain visible to the transport. The selected mapping aligns each VPN type with its forwarding model, scale characteristics, and encryption behavior. In design, the correct VPN choice depends on whether the requirement is Layer 2 extension, routed private connectivity, dynamic spoke-to-spoke tunnels, or private WAN encryption. Reference topics: VPN design, VPLS, VPWS, DMVPN, IPsec, GET VPN.

The fabric management plane in Cisco SD-Access enables automation techniques for device deployment and configuration. Cisco DNA Center, now commonly referenced as Cisco Catalyst Center, provides the management-plane capabilities used to automate underlay deployment, discover and provision devices, create fabric sites, assign roles, deploy virtual networks , and push policy-driven configurations. LISP-based endpoint identifiers and EID-to-RLOC mappings belong to the fabric control plane, not the management plane. IS-IS underlay routing is part of underlay network design and operation, not the management-plane function itself. The management plane exists so administrators do not have to build every fabric role, network segment, and policy manually on each individual device. In a well-designed SD-Access deployment, management-plane automation reduces configuration drift, accelerates site onboarding, and provides a consistent operational model across the campus fabric. Reference topics: Cisco SD-Access management plane, Cisco Catalyst Center, automation, device provisioning, fabric deployment, policy orchestration. It also provides the operational interface for assurance, inventory, and repeatable change control across the fabric.

StackWise Virtual is the correct technology for Cisco Catalyst 9500 aggregation switches when the design requires nonblocking Layer 2 multichassis EtherChannel from aggregation to access. The question specifically describes Catalyst 9500 switches located on different floors for availability, with access switches dual-homed through a Layer 2 MEC design. Traditional VSS was used on older Catalyst platforms such as Catalyst 4500 and 6500 families. For Catalyst 9000 platforms, Cisco uses StackWise Virtual to virtualize two physical switches into a single logical switching system. This enables multichassis EtherChannel, removes the need for STP to block one uplink, improves convergence, and provides device-level redundancy. vPC is a Nexus data-center technology, not a Catalyst campus aggregation technology. StackWise-180 refers to physical stack bandwidth behavior on specific access platforms and does not provide the same distributed campus aggregation function. Therefore, the design should use StackWise Virtual on the Catalyst 9500 aggregation pair. Reference topics: Catalyst 9500, StackWise Virtual, multichassis EtherChannel, campus aggregation, Layer 2 resiliency.

UplinkFast is the correct spanning-tree feature for faster convergence after an uplink failure in a classic STP access-layer design. UplinkFast is designed for access switches that have redundant uplinks toward the distribution layer. When the primary root port fails, UplinkFast allows an alternate blocked uplink to transition rapidly to forwarding, reducing the outage compared with standard 802.1D timer-based convergence. PortFast is used on edge ports connected to end hosts, not on switch-to-switch uplinks. Loop Guard protects against unidirectional failures or missing BPDUs on non-designated ports, but it does not accelerate recovery from an access uplink failure. BackboneFast helps when an indirect link failure is detected elsewhere in the topology, but the described failure is directly between SW1 and SW2. The design objective is the fastest possible convergence during that direct uplink loss, which matches UplinkFast in a traditional STP environment. Reference topics: Spanning Tree Protocol, UplinkFast, access-layer redundancy, root port failover, Layer 2 convergence.

A migration from traditional IP-VPN service to Cisco SD-WAN commonly increases security and scalability. Cisco SD-WAN builds encrypted data-plane tunnels across supported transports, so the enterprise can use Internet, MPLS, or hybrid connectivity while maintaining secure site-to-site communication. The architecture also scales better operationally because policy, templates, onboarding, and routing control are centralized through the SD-WAN controllers and management plane. Increased solution complexity is not a desired characteristic; one of the design goals is to simplify operations through automation and centralized policy. Centralized application policies are also a major SD-WAN benefit, but when only two choices are selected, the stored answer emphasizes the two broad migration outcomes of security and scale. Distributed control plane is not correct because Cisco SD-WAN uses centralized control-plane logic with vSmart controllers distributing OMP routes and policies. A professional migration plan should validate transport diversity, controller redundancy, encryption policy, application-aware routing, and operational readiness. Reference topics: Cisco SD-WAN migration, encrypted overlay, scalability, centralized control plane, IP-VPN replacement.

The RPF check verifies that multicast traffic arrives on the interface the router would use to reach the source or RP, and it prevents forwarding when traffic arrives from the wrong direction. Cisco multicast forwarding is intentionally different from unicast forwarding because a multicast packet may need to be replicated toward many receivers. Without Reverse Path Forwarding, multicast loops and duplicate packets could occur. Option A captures the forwarding condition: the packet is accepted when it arrives on the interface used to route back toward the source address. Option D is the closest available drop condition in the answer set, expressing that packets not aligned with the correct reverse path are discarded rather than forwarded. Option B incorrectly checks the route toward the destination group, because multicast groups are not reached through ordinary unicast destination routing. Option C would flood traffic and create loops. Option E reverses the correct logic by dropping packets that arrive on the proper reverse-path interface. Reference topics: multicast RPF, loop prevention, source-tree forwarding, shared-tree forwarding, PIM.

The verifying get-config reply must reflect the same YANG model hierarchy and configured values that were pushed by the Postman request. In model-driven automation, a successful transport response is not enough; the engineer must confirm that the intended datastore contains the exact interface, routing, or protocol objects described by the model. Option D is the selected reply because it matches the expected YANG structure for the configuration operation shown in the exhibit. The key principle is that get-config returns configuration data from a specified datastore, such as running or candidate, using the schema-defined XML hierarchy. If the returned XML uses the wrong container, wrong namespace, incorrect key value, or an unexpected leaf, the model set was not designed or addressed correctly. Cisco NETCONF/YANG workflows rely on strict namespace and path accuracy, so even a small mismatch can result in configuration being placed in the wrong subtree or not applied. A clean validation checks the model namespace, parent containers, list keys, leaf names, and actual configured value. Reference topics: NETCONF get-config, YANG XML encoding, datastore validation, Postman automation workflow.

gRPC provides secure communication between network devices and control systems by supporting TLS. In Cisco programmability and model-driven telemetry designs, gRPC is commonly used as a high-performance remote procedure call framework that carries structured data encoded with Protocol Buffers. Security is provided through TLS so that the client and server can authenticate and protect the session in transit. The question asks for security functionality, so TLS support is the correct selection. The other options describe incorrect or misleading cryptographic behavior. gRPC does not implement generic RSA tunnel encryption as described in option A, and it does not provide mandatory encryption of data at rest. RC6 with CRC is not the security model used for Cisco gRPC telemetry or programmability. In a secure management design, gRPC should be deployed with certificates, TLS verification, controlled access lists, and appropriate AAA integration so only authorized collectors or controllers can communicate with infrastructure devices. Reference topics: gRPC, TLS, model-driven telemetry, Protocol Buffers, secure automation transport.

The load balancers should be co-located in area 0 because the design is using the same /32 application address from multiple OSPF-enabled devices. This is an anycast-style design: several load balancers advertise the same host route, and the routing protocol sends clients to the topologically best available instance. In OSPF, route preference is strongly affected by route type. Intra-area routes are preferred over interarea routes, and interarea summarization can also hide useful path details. If identical anycast host routes are originated from different nonbackbone areas, hosts may not always select the closest or most resilient load balancer, and failure behavior can become inconsistent. Placing the load-balancer anycast advertisements in area 0 keeps the routing decision consistent and avoids unnecessary interarea preference complications. Configuring X, Y, and Z as different areas would make the problem worse, and placing only one load balancer in area 0 does not provide uniform resilience. Reference topics: OSPF area design, anycast host routes, intra-area preference, backbone area, application load-balancer resilience.

The branch router should advertise the local LAN with the EIGRP network command and make the LAN-facing interface passive. A passive interface allows the connected network to be included in EIGRP advertisements while suppressing EIGRP hello packets and neighbor formation on that interface. This is exactly what the engineer needs: remote EIGRP neighbors learn the LAN subnet, but unnecessary multicast EIGRP messages are not sent onto the user LAN where no EIGRP neighbors should exist. Replacing EIGRP with a static default route would not meet the requirement to advertise the local LAN through EIGRP. Redistributing connected routes can work, but it is less clean for a simple LAN interface and can introduce external-route behavior or policy complexity. Advertising the subnet as a stub network does not suppress multicast hellos on the LAN interface by itself. Cisco design best practice is to use passive interfaces on LAN-facing interfaces that should be advertised but should not form routing adjacencies. Reference topics: EIGRP passive interface, network statements, branch routing, unnecessary neighbor prevention, multicast control traffic.

The requirement for end-to-end path verification identifies the Integrated Services model with RSVP. IntServ uses per-flow resource reservation, and RSVP signals the path between sender and receiver so devices along that path can admit or reject the requested service based on available resources. This makes IntServ appropriate when the design requires explicit end-to-end path validation and reservation for application flows. DiffServ works differently. In a DiffServ design, traffic is marked, normally with DSCP or CoS at the edge, and each hop applies a configured per-hop behavior. DiffServ is scalable and common in enterprise WAN and campus QoS designs, but it does not perform per-flow signaling or verify that every device in the path can reserve the requested resources. Marking traffic at the access layer is an important QoS design practice, but marking alone is not path verification. Therefore, when the customer explicitly requires end-to-end path verification for business-critical traffic, Cisco QoS architecture points to IntServ with RSVP rather than a pure DiffServ marking model.

In multicast routing, a source tree is also called a shortest-path tree because it is rooted at the multicast source and follows the best unicast path from receivers back toward that source. Cisco PIM documentation describes source trees as shortest-path trees and contrasts them with shared trees, which are rooted at a rendezvous point. Because the tree is built directly toward the source, it provides an optimal forwarding path between source and receivers and generally gives the lowest latency path for multicast delivery. This is why statements A and B are correct. A shared tree, not a source tree, uses a single common root at a selected point in the network, normally the RP in PIM sparse mode. Shared trees can create suboptimal forwarding because traffic may travel through the RP before switching to the shortest-path tree. Source trees require per-source multicast state, so they may consume more control-plane resources, but they are the correct choice when optimal forwarding and minimum latency are the design priorities.

Bidirectional PIM is the best fit for this multicast design because the application is many-to-many and has a manageable but meaningful number of multicast sources. Cisco describes BIDIR-PIM as a multicast mode designed for many-to-many applications where sources and receivers can be widely distributed. Unlike classic PIM sparse mode, BIDIR-PIM does not build source-specific shortest-path trees for each active source. Instead, traffic uses a shared bidirectional tree rooted at the rendezvous point, which reduces multicast state in the network and improves scale when many sources may send to the same group. Source-Specific Multicast is optimized for one-to-many distribution where receivers know the source and join an (S,G) channel; it is not the natural many-to-many choice. Any Source Multicast can support many-to-many traffic but usually creates more state because source trees may be built. Multicast VPN is a transport/service architecture, not the specific multicast mode requested. Reference topics: BIDIR-PIM, many-to-many multicast, shared trees, RP-based forwarding, multicast state scaling.

For in-band management over the production WAN, the proper marking is DSCP CS2 mapped into the management or operations class with a minimum bandwidth guarantee. Cisco enterprise QoS guidance separates network control traffic from network management traffic. Routing protocol and control-plane traffic should not be diluted by ordinary management flows. CS6 is typically reserved for routing and network-control traffic; EF is reserved for low-latency voice bearer traffic; CS1 is commonly used for scavenger or low-priority traffic. Network management flows such as SSH, SNMP, NTP, FTP-based maintenance, and syslog require reliable delivery, but they should not starve business traffic or real-time services. Therefore, marking with CS2 and mapping the traffic into Class2 is the correct design choice. The bandwidth adjustment should come from a lower-priority class, not from the routing/control or real-time class. Because this is in-band management, the architect must also ensure access control, source restrictions, AAA, logging, and management-plane protection. QoS classification alone does not secure management access; it only gives the traffic an appropriate forwarding treatment over the MPLS WAN. Reference topics: in-band management, DSCP CS2, enterprise QoS classes, management-plane traffic.

Making R3 an L1/L2 router restores the required IS-IS hierarchy and prevents the outage caused by the failed R1-to-R2 link. In IS-IS, Level 1 routers have detailed topology only inside their own area, while Level 2 routers provide the interarea backbone. Routers that connect a Level 1 area to the Level 2 backbone must operate as Level 1/Level 2 devices so they can participate in both databases and provide an exit path for area traffic. If a path between areas depends on a router that is only Level 1 or only Level 2 in the wrong location, traffic can be blackholed when a key link fails. Configuring R3 as L1/L2 gives the topology an additional valid transition point between the local area and the backbone, improving continuity after the R1-to-R2 failure. Making unrelated routers L1 or L2 does not necessarily create the required interarea attachment. Reference topics: IS-IS Level 1, Level 2 backbone, L1/L2 routers, interarea reachability, hierarchical IGP design.

Cisco SD-WAN is the correct solution when the design must use internet circuits at each site while providing failover, load sharing, and QoS. Basic IPsec tunnels can encrypt traffic, but they do not by themselves provide a complete WAN architecture for path measurement, dynamic traffic steering, centralized policy, application-aware routing, or scalable operational control. Cisco SD-WAN builds secure overlay tunnels across available transports and continuously measures path characteristics such as loss, latency, and jitter. It can then steer applications according to SLA policy, use multiple circuits for active/active forwarding, and fail traffic over when a path degrades or fails. QoS can be applied consistently through templates and policy across the WAN Edge routers. GET VPN is best suited to private MPLS-style networks and does not address internet-circuit overlay orchestration in the same way. Traditional DMVPN is a valid dynamic VPN technology, but SD-WAN is the more complete resilient internet-WAN design for these requirements. Reference topics: Cisco SD-WAN, internet transport, application-aware routing, failover, load sharing, QoS.

The VRF receive feature is the mechanism that fits the constraint when the customer does not want BGP, VRF-Lite links, or static routing for the inter-VRF requirement. Inter-VRF connectivity is normally achieved through route leaking with MP-BGP, static routes, firewall interfaces in each VRF, or VRF-Lite handoff links. The question explicitly excludes those common approaches and asks for a mechanism on the core network layer. The VRF receive capability allows selected traffic received on a global routing interface to be associated with a VRF context for locally configured addresses, supporting limited interaction without building a full routing exchange between the global table and the VRF. Policy-based routing with a global set statement can solve some forwarding cases, but it is not the specific mechanism described by the option set. A route map with import features would typically depend on route leaking behavior. Therefore, the best answer is the VRF receive feature under the global routing interfaces. Reference topics: VRF, inter-VRF routing, VRF receive, route leaking alternatives, core-layer segmentation.

When BFD echo mode contributes to high CPU utilization on lower-resource devices, the practical design response is to use slower BFD timers for those peers rather than continuing to run an overly aggressive failure-detection profile everywhere. Cisco BFD provides fast failure detection, but timer values must match platform capability, interface scale, and the operational value of subsecond detection. Echo mode can generate frequent packets, and in some environments the processing or punt behavior can create measurable CPU pressure. Slowing the timers reduces packet rate and control-plane stress while keeping BFD available for faster detection than traditional routing protocol dead timers. Moving to asynchronous mode may be appropriate in some designs, but the listed option says “BED” and does not directly address the requirement as cleanly as reducing timer aggressiveness. BFD multihop is used for non-directly connected peers and is not a CPU-relief mechanism. Carrier delay changes interface state notification behavior, but it does not solve BFD packet processing load. Therefore, implement slower timers on peers with limited resources. Reference topics: BFD design, echo mode, failure-detection timers, CPU utilization.

The validated answer is Option D because this item depends on the exhibit containing configuration or model fragments. In Cisco programmability questions, the correct option is determined by whether the selected YANG or API payload accurately represents the intended configuration hierarchy, data types, and device-specific path. The answer must match the complete model structure, not merely contain the right-looking address, interface name, or protocol value. Option D should therefore be retained as the verified selection because it is the only option that aligns with the expected data model structure shown in the exhibit. For these items, the professional review must avoid inventing a replacement payload when the answer choices are embedded as images. The proper explanation is that YANG-based configuration validation requires the namespace, container path, list keys, and leaf values to match the model used by the target platform. Reference topics: YANG configuration validation, RESTCONF or NETCONF payload structure, model hierarchy, Cisco IOS XE programmability, exhibit-based option verification.

Locator/ID Separation Protocol is the control-plane technology that allows endpoint identity to be separated from endpoint location. In Cisco SD-Access, LISP is used by the fabric control plane to map endpoint identifiers to routing locators, so an endpoint subnet can remain logically consistent even when endpoint reachability is provided from different network locations. This is why LISP is associated with host mobility and with designs where the same subnet or endpoint identity can exist across multiple places without forcing the physical topology to be a single stretched Layer 2 domain. VXLAN is the data-plane encapsulation used to carry overlay traffic, but VXLAN itself is not the mapping control plane. FabricPath is a Cisco Layer 2 multipath technology and does not provide LISP-style endpoint-location mapping. ISE mobility services are identity and policy functions, not a routing locator mapping system. Therefore, the correct control-plane technology is LISP. Cisco SD-Access design material describes the control plane as the mapping system that maintains endpoint-to-device relationships.

A TLOC extension facilitates WAN Edge router redundancy within a site. In Cisco SD-WAN, a Transport Location identifies a WAN transport attachment using attributes such as system IP, color, and encapsulation. A TLOC extension allows one WAN Edge router to use a transport circuit physically connected to another WAN Edge router at the same site. This is valuable when a branch has two edge routers and two transports, but each transport is cabled to only one router. With TLOC extension, each router can still gain logical access to both transports, improving redundancy and allowing better path diversity without adding more service-provider circuits or handoffs. The feature does not simply identify the physical interface; that is part of TLOC definition. It does not increase the number of colors or create a port-channel-style aggregate. A sound design also accounts for failure domains, service-side routing, and whether the inter-router link has enough bandwidth for extended transport traffic. Reference topics: Cisco SD-WAN TLOC, TLOC extension, WAN Edge redundancy, transport color, branch resiliency.

The valid EIGRP stub options listed are receive-only and summary. Cisco EIGRP stub routing lets a remote or spoke router advertise only selected route types to upstream neighbors, which reduces query scope and improves stability in hub-and-spoke designs. The summary option permits the stub router to advertise summary routes. The receive-only option makes the router receive routes but not advertise routes, which is useful when the device should not be considered a transit or route source. “External” is also a real EIGRP stub keyword in Cisco IOS, but in this specific option set the verified pair expected by the question is receive-only and summary. “Summary-only” is not the correct EIGRP stub keyword. “Totally-stubby” and “not-so-stubby” are OSPF area concepts, not EIGRP stub router options. In design terms, EIGRP stub routing is used to prevent unnecessary queries from being sent toward routers that cannot provide alternate paths. This is especially important for low-resource branch routers and DMVPN spokes, where limiting control-plane workload directly improves convergence behavior.

Dual-stack is the correct IPv6 migration strategy for this corporation. The requirements state that users need access to both IPv4 and IPv6 resources, content providers will migrate over the next two years, and users will move in phases. Dual-stack supports exactly that model because hosts, routers, and services can run IPv4 and IPv6 simultaneously. Applications can select IPv6 or IPv4 based on DNS responses and protocol availability, while the organization gradually enables IPv6 without breaking existing IPv4 connectivity. NAT64 is useful for IPv6-only clients reaching IPv4-only services, but it introduces translation state and does not provide native dual protocol operation. NAT46 is a specialized translation direction and not the broad migration strategy here. Tunneling can connect IPv6 islands across IPv4 infrastructure, but the customer already has IPv4 peering and needs a phased endpoint and application migration, not only island interconnection. Dual-stack is straightforward operationally and gives the longest coexistence window while providers and applications transition. Reference topics: IPv6 migration, dual-stack deployment, DNS-based protocol selection, IPv4 and IPv6 coexistence, phased migration.

The correct model is a 4-class QoS strategy with DiffServ. The traffic classes listed in the question are explicitly DiffServ per-hop behaviors: Expedited Forwarding for conversational traffic, Assured Forwarding class 2 for streaming, and Assured Forwarding class 3 for web or interactive traffic. Cisco QoS guidance uses DiffServ to classify and mark traffic with DSCP values, then apply per-hop behavior at each node along the path. This gives scalable end-to-end treatment across a provider backbone without maintaining per-flow reservations. The four service treatments implied are conversational, streaming, interactive/web, and background or best effort, which matches the stated service categories without unnecessary class expansion. IntServ is not appropriate for an ISP backbone because it uses RSVP-style per-flow signaling and state, which scales poorly compared with DiffServ PHB handling. The 8-class and 12-class options add complexity beyond the stated mappings. Reference topics: DiffServ, DSCP, EF, AF2, AF3, per-hop behavior, provider QoS design.

The correct policy is to prepend the AS path on the nonpreferred advertisement for each prefix. For inbound BGP traffic engineering, the enterprise normally influences remote autonomous systems by changing attributes that those systems see when selecting a path. AS-path prepending makes a route appear less attractive by adding repeated instances of the local AS number to the AS path. In this design, network 10.1.1.0/24 should enter through R3-R1, so R2 must advertise that prefix with a prepended AS path to make the R4-R2 path less preferred unless the primary path fails. Conversely, network 10.1.2.0/24 should enter through R4-R2, so R1 must advertise that prefix with prepending to make the R3-R1 path less preferred. This creates inbound load sharing while preserving failover because the prepended route remains available as a backup. Local preference affects outbound path selection inside the local AS, not inbound selection by the provider. Reference topics: BGP traffic engineering, AS-path prepending, inbound path control, prefix-specific policy, multihomed WAN design.

Reverse Path Forwarding prevents multicast loops and duplicate packet forwarding. Multicast routing is source-oriented, so a router must verify that multicast traffic arrives on the interface it would use to reach the source or rendezvous point, depending on the tree state. If the packet arrives on the expected reverse-path interface, the RPF check succeeds and the router can forward the packet to the outgoing interface list. If it arrives on the wrong interface, the packet is dropped because accepting it could create a loop or duplicate stream. Cisco multicast designs rely on RPF checks with PIM to maintain loop-free distribution trees across redundant routed topologies. RPF does not notify upstream routers by itself, does not eliminate overlapping multicast group addresses, and is not simply a prune-generation mechanism. Prune behavior can occur as part of PIM tree maintenance, but the function asked here is loop prevention. Reference topics: multicast RPF check, PIM forwarding, source tree, shared tree, outgoing interface list, duplicate suppression.

When Cisco SD-WAN edge router redundancy is designed, VRRP is the supported first-hop redundancy protocol in the SD-WAN edge context. VRRP provides a virtual default gateway for LAN-side devices, allowing one WAN Edge router to act as the active gateway while another can take over if the active router or tracked condition fails. Cisco SD-WAN designs use VRRP with tracking and policy alignment so branch LAN traffic can fail over to the appropriate edge router while the SD-WAN overlay handles transport and tunnel selection. HSRP and GLBP are traditional campus first-hop redundancy protocols, but they are not the supported FHRP answer for vEdge router redundancy in this design context. OMP is the SD-WAN control-plane routing protocol used between WAN Edge routers and vSmart controllers; it is not a first-hop redundancy protocol for LAN hosts. Therefore, the correct FHRP for vEdge router redundancy is VRRP. The design should also ensure that VRRP priorities, tracking, and SD-WAN routing preferences align so traffic exits the intended edge during normal and failure conditions.

OSPF requires all nonbackbone areas to connect logically to Area 0. In the original design, HQ is Area 0 and the existing branch is Area 1, which is valid because Area 1 has connectivity to the backbone. The newly acquired branch is assigned Area 2 but is temporarily connected through the existing branch instead of directly to HQ. That means Area 2 does not have a direct logical connection to Area 0, violating the OSPF backbone requirement. The proper OSPF design mechanism for this temporary topology is a virtual link. An OSPF virtual link is configured through a transit area to logically connect a disconnected area or ABR back to the backbone. Making the existing branch a stub area does not solve the lack of Area 0 connectivity. A sham link is used in MPLS VPN OSPF designs to prefer backdoor links or preserve intra-area behavior across the provider core, not for this generic backbone disconnection. Making Area 2 a stub area also does not establish backbone reachability. Therefore, a virtual link between the new branch and HQ is required.

The SD-WAN onboarding sequence follows the controller trust and overlay-establishment workflow. A WAN Edge device first obtains basic reachability information through manual bootstrap, ZTP, or PnP-style provisioning so it can reach the orchestration components. It then establishes secure control connectivity to the orchestrator and validates identity through the certificate and authorized serial number information. After orchestration, the device forms the required secure control connections to the management and control-plane components, receives its configuration, and participates in OMP route exchange. Finally, the WAN Edge builds encrypted data-plane tunnels to other WAN Edge devices based on the TLOC and policy information learned through the control plane. This order matters because the device cannot exchange overlay routes or build data-plane IPsec tunnels until it is authenticated and authorized in the SD-WAN fabric. Cisco SD-WAN designs rely on this sequence to support zero-touch deployment, centralized policy, and secure fabric admission. Reference topics: Cisco SD-WAN onboarding, vBond orchestration, certificate validation, OMP, TLOC exchange, data-plane tunnel establishment.

R3 must be made an L1/L2 router so that it can connect the Level 1 area to the Level 2 backbone. IS-IS uses a two-level hierarchy. Level 1 routers know the topology inside their local area, Level 2 routers form the backbone between areas, and Level 1/Level 2 routers provide the boundary between the two. A proper IS-IS backbone cannot have isolated Level 1-only routers positioned between L1/L2 routers that need to exchange interarea reachability. If the link failure exposed an area-continuity problem, converting R3 to L1/L2 gives the area an appropriate attachment point to the backbone and restores interarea forwarding behavior. Making an unrelated router Level 1 or Level 2 only would not necessarily create the required boundary function. Simply making Area 0 L2-only is also not the focused fix if the topology still lacks a correct L1/L2 transition point. The design principle is straightforward: every Level 1 area must have a dependable L1/L2 router through which traffic can reach destinations outside the area. Reference topics: IS-IS Level 1, Level 2 backbone, L1/L2 routers, interarea reachability, hierarchical IGP design.

A totally stubby OSPF area blocks Type 3, Type 4, and Type 5 LSAs while allowing a default summary route into the area. In OSPF, Type 3 LSAs are interarea summary LSAs, Type 4 LSAs describe reachability to ASBRs, and Type 5 LSAs carry external routes. A normal area accepts all of these LSA types. A standard stub area blocks Type 5 external LSAs and normally Type 4 ASBR summaries, but it still allows Type 3 interarea summaries. An NSSA blocks normal Type 5 external LSAs but allows Type 7 LSAs for locally redistributed external routes. A totally stubby area is more restrictive: the ABR suppresses interarea summaries and external routing detail, then injects a default route so routers inside the area still have reachability outside the area. This design reduces LSDB size, memory consumption, and SPF processing on low-end routers in remote areas. Therefore, the OSPF area type that blocks Type 3, 4, and 5 LSAs but allows a default summary route is a totally stubby area.

IPv6 overlay tunnels should be treated as a transition mechanism, not as the final desired enterprise architecture. Cisco IPv6 migration guidance describes tunneling as a way to connect IPv6 islands across an IPv4 infrastructure or to carry one protocol over another while the network is being migrated. This is useful when parts of the infrastructure cannot yet run IPv6 natively, but it also adds encapsulation overhead, additional MTU considerations, troubleshooting complexity, and operational dependency on the underlay transport. A permanent IPv6 architecture should eventually support IPv6 natively, or support both IPv4 and IPv6 through dual stack where required. The statement that overlay tunnels are a final IPv6 architecture is therefore incorrect. Overlay tunnels are not limited only to border devices in every design, and they do not require only the IPv6 stack; they commonly encapsulate IPv6 traffic over IPv4 infrastructure. The option stating that IPv4 packets are encapsulated in IPv6 packets also reverses the common IPv6-over-IPv4 migration use case. Therefore, overlay tunneling should be designed as a temporary transition technique.

End-to-end microsegmentation in Cisco SD-Access is enforced with Security Group Tags and Security Group ACLs. Virtual networks provide macrosegmentation by separating routing tables and address spaces, but SGTs provide more granular group-based policy inside or across those virtual networks. Cisco SD-Access segmentation guidance explains that users or endpoints are assigned to security groups through SGTs and that SGACLs control communication between those groups. This avoids building large numbers of VLANs or IP ACLs tied to topology. VLANs alone provide Layer 2 separation but do not deliver identity-based end-to-end microsegmentation. Five-tuple ACLs can filter traffic, but they are more operationally complex and less policy-oriented than group-based access control. VRFs are useful for macrosegmentation, not microsegmentation within a virtual network. Therefore, SGTs and SGACLs are the correct enforcement method. In a professional design, the architect should define scalable groups according to business roles and application access needs, then use Cisco DNA Center and ISE integration to automate consistent policy deployment across the fabric.

The correct choice is to use a distribute list outbound under the RIP process to stop EIGRP-learned prefixes from being advertised back into the RIP domain. In multipoint two-way redistribution, the major risk is route feedback: a route learned from one protocol is redistributed into another protocol and then reintroduced back into the original domain through another redistribution point. RIPv1 is especially limited because it is classful and has no native route tagging, so filtering must be carefully placed when route tags are unavailable. By filtering outbound advertisements under the RIP process, the design prevents routes that originated in the EIGRP domain from being sent into RIP where they could be relearned elsewhere and create loops or suboptimal paths. Inbound filtering on only one process does not reliably stop feedback at all redistribution points. A stronger modern design would use route tags with protocols that support them, but given the answer choices, outbound filtering toward RIP is the appropriate loop-prevention method. Reference topics: route redistribution, distribute lists, route feedback, RIPv1 limitations, EIGRP integration.

VRF-Lite with OSPF satisfies the requirements because it creates multiple isolated Layer 3 routing tables without requiring a service-provider MPLS core or specialized hardware. Each VRF has its own forwarding table, interfaces, and route exchange process, so overlapping IP address space can exist in different virtual networks. When communication between segments is required, the design can use controlled route leaking, a firewall, or a shared-services VRF. OSPF can run per VRF to exchange routes within each isolated segment using widely supported routing technology. VSS, vPC, and plain 802.1Q with HSRP can improve Layer 2 or device redundancy, but they do not provide independent Layer 3 routing tables with overlapping addressing. A multihop MPLS design can also support many VPNs, but it is more complex and beyond the stated need for widely available technologies without specialized equipment. VRF-Lite is therefore the correct enterprise campus segmentation choice. Reference topics: VRF-Lite, virtual routing and forwarding, inter-VRF routing, overlapping IP address support, campus segmentation.

MSDP is the correct feature when multicast receivers in one autonomous system must be able to learn and receive content from sources in another autonomous system. The scenario describes separate multicast frameworks close to the receivers in each AS and requires source resiliency across AS boundaries. In PIM Sparse Mode, a local RP learns about sources registered in its own domain. MSDP allows RPs in different domains to exchange Source-Active information, enabling receivers in one domain to discover and join toward sources that exist in another domain. Anycast RP is primarily a redundancy and load-sharing technique for RPs, often inside a multicast domain, but it does not by itself provide interdomain source discovery for independent ASs. SSM can be efficient when receivers know the source, but the question emphasizes RP-based framework placement and source availability between ASs. BIDIR-PIM is for scalable many-to-many shared-tree forwarding, not interdomain source discovery. Therefore, the design should include MSDP. Reference topics: MSDP, interdomain multicast, PIM-SM, Source-Active exchange, RP resilience across autonomous systems.

The correct model set is the one that configures the IOS XE interface GigabitEthernet2/1/0 with IPv4 address 10.10.10.10 and prefix length 27 using valid XML according to the selected YANG schema. The directly connected host address 10.10.10.1/27 confirms the subnet relationship; both addresses belong to 10.10.10.0/27, so the interface configuration must use that prefix length rather than a host mask or an unrelated network. YANG-based configuration is strict: the namespace, container hierarchy, interface type, interface name, and address fields must match the device model. If an option places GigabitEthernet under the wrong container, represents the mask incorrectly, or uses a schema from a different model family, the device will reject the payload or configure the wrong object. Option D correctly represents the IOS XE XML structure and the required addressing. In real operations, the engineer should follow this with a get-config readback against the running datastore to prove that the structured configuration committed as intended. Reference topics: IOS XE interface YANG, XML payload structure, NETCONF configuration, IPv4 subnet validation.

IS-IS supports two fundamental circuit types: broadcast multiaccess and point-to-point. A broadcast or multiaccess circuit is used on media such as Ethernet where multiple routers can share the same Layer 2 segment. In that case, IS-IS elects a designated intermediate system to simplify database synchronization on the shared network. A point-to-point circuit is used where exactly two IS-IS routers form an adjacency across a direct link, which is common in modern routed campus, data center, and WAN designs. IS-IS does not use the same nonbroadcast multiaccess and point-to-multipoint network-type model that is familiar from OSPF. When IS-IS must run across technologies that do not naturally behave like Ethernet broadcast media, the design is typically adapted with point-to-point subinterfaces or appropriate Layer 2 treatment rather than selecting an IS-IS NBMA circuit type. Therefore, from the listed choices, the supported IS-IS circuit types are multiaccess and point-to-point.

The IPv4-compatible method is the closest match when the exhibit requires IPv6 connectivity between servers across an IPv4 portion of the network without using 6to4, 6rd, or ISATAP. IPv4-compatible IPv6 addressing represents an IPv4 address inside an IPv6 address format and was historically used for automatic IPv6-over-IPv4 tunneling between dual-stack nodes. Although this technique is now considered legacy and is not preferred for new designs, it matches the answer choice that directly embeds IPv4 reachability for host-to-host connectivity. ISATAP is normally used inside an enterprise IPv4 network to connect IPv6 hosts over an IPv4 intranet. 6to4 and 6rd are provider or site transition mechanisms that use specific IPv6 prefix behavior and are not simply a direct method between the depicted mail servers. For modern Cisco design, dual-stack or manually engineered tunnels would normally be preferred, but given these choices, IPv4-compatible addressing is the method aligned to the exhibit requirement. Reference topics: IPv6 transition mechanisms, IPv4-compatible addressing, tunneling, dual-stack migration, host connectivity.

Option A is the best addressing design because it gives each site enough capacity while avoiding excessive address waste and supporting summarization. A campus requiring 12,000 devices needs at least 14 host bits because 2^13 minus two is only 8190 usable addresses, while a /18 provides 16,382 usable addresses. That leaves room for growth without assigning an unnecessarily huge block. Each branch requiring 1,000 devices needs at least 10 host bits; a /22 provides 1,022 usable addresses, but /21 provides 2,046 usable addresses and additional growth capacity. The selected branch blocks, 10.0.192.0/21 and 10.0.200.0/21, are contiguous on valid /21 boundaries and can be summarized cleanly where appropriate. Option D fails because a /20 supports only 4094 usable addresses and cannot accommodate the 12,000-device campus. Option B overallocates a /16 to the campus and /20s to branches, wasting resources. Option C is grossly oversized and operationally poor. Reference topics: hierarchical IPv4 addressing, route summarization, VLSM, host-capacity planning, convergence containment.