300-420 Questions and Answers

EIGRP variance is the correct design because the requirement is to use the best two paths while all links are available and maintain forwarding if one path fails. EIGRP supports unequal-cost load balancing when feasible successors exist and the variance multiplier allows additional loop-free paths to be installed in the routing table. Cisco EIGRP design uses the feasible distance and reported distance conditions to ensure that unequal-cost alternatives are loop free before they are used. The maximum-paths command controls how many equal or eligible paths can be installed, but it does not make an unequal path eligible. Add-paths is a BGP feature, not an EIGRP mechanism. Changing metric weights is rarely recommended because it affects metric calculation globally and can create inconsistent routing if not deployed everywhere. Variance 2 allows EIGRP to include backup paths whose metric is within two times the successor metric, assuming they satisfy the feasibility condition. Reference topics: EIGRP variance, unequal-cost load balancing, feasible successor, DUAL, path resiliency.

Cisco weight is the Cisco-proprietary BGP path attribute used to influence outbound traffic selection on a local router. Weight is locally significant and is not advertised to BGP neighbors. A higher weight is preferred, and because weight is evaluated early in the Cisco BGP best-path algorithm, it is a direct way to make one exit path preferred over another on the router where the attribute is configured. Local preference also influences outbound traffic, but it is a well-known discretionary BGP attribute used inside an AS and is not Cisco proprietary. MED is primarily used to influence inbound path selection by suggesting to a neighboring AS which entry point should be preferred. AS-path prepending is also typically used for inbound traffic engineering by making a route appear less attractive to external peers. Communities can carry policy information, but they are not the Cisco-proprietary attribute in the list. Therefore, when the requirement specifically asks for the Cisco proprietary BGP path attribute that influences outbound traffic flow, the answer is weight.

Integrated Services is the QoS model that allows an application to signal its traffic requirements to the network and request specific service treatment. Cisco QoS guidance distinguishes IntServ from DiffServ by explaining that IntServ follows a signaled-QoS model, while DiffServ uses provisioned per-hop behavior based on markings. IntServ uses RSVP to reserve resources along the end-to-end path. That reservation process allows the network to admit or deny the flow based on available bandwidth and policy, which is why IntServ aligns with applications that require consistent and dedicated bandwidth. DiffServ is much more scalable and widely deployed in enterprise networks, but it does not provide per-flow resource reservation by itself. LLQ is a queuing mechanism commonly used inside a DiffServ design for delay-sensitive traffic such as voice. WRED is a congestion-avoidance technique, not an end-to-end reservation architecture. Because the question explicitly says that the application informs the network of its traffic profile and requests a service level, the correct QoS architecture is IntServ.

The Cisco SD-Access fabric data plane leverages VXLAN-style MAC-in-IP encapsulation to transport endpoint traffic across the Layer 3 fabric. In SD-Access, the underlay provides IP reachability between fabric nodes, while the overlay uses encapsulation to carry user traffic and policy context across that underlay. Cisco fabric edge nodes encapsulate traffic before forwarding it through intermediate nodes and decapsulate it when it reaches the destination edge or border. LISP is used by the control plane to resolve endpoint-to-location mappings, so option A describes the mapping function rather than the data plane. IS-IS provides underlay routing reachability and is not the overlay data-plane mechanism. BGP can be used outside the fabric or in other overlay designs, but it is not the SD-Access fabric data plane. The exam option describes the essential encapsulation function, even though VXLAN is technically MAC-in-UDP over IP. Reference topics: SD-Access data plane, VXLAN encapsulation, fabric edge forwarding, underlay and overlay separation, policy transport.

MSTP is the correct spanning-tree choice for a Layer 2 design with many logical ports, multiple trunked VLANs, and a subsecond convergence requirement. Rapid PVST+ provides rapid convergence, but it creates a separate spanning-tree instance for every VLAN. With 30 VLANs on trunks and hundreds of active ports, the number of logical STP ports can grow quickly and increase CPU and memory load. MSTP maps many VLANs into a smaller number of spanning-tree instances while still using rapid convergence behavior based on IEEE 802.1w principles. This makes it more scalable for large Layer 2 domains than PVST+ or Rapid PVST+ when many VLANs are present. CST provides a single instance but lacks the flexibility and convergence characteristics expected in modern enterprise designs. The design needs both scalability and fast convergence, and MSTP is the standards-based protocol that best satisfies both requirements. Reference topics: MSTP, Rapid STP, logical STP ports, VLAN-to-instance mapping, Layer 2 scalability, convergence.

NETCONF supports event notifications through a subscription model. The operation used to establish a notification subscription is create-subscription. When a client sends this operation, it can specify the stream and optional filters that determine which notifications are delivered to that NETCONF session. This is why create-subscription is the operation associated with session-specific notification filtering. The commit operation is used with the candidate configuration datastore to apply configuration changes to the running datastore; it does not create a telemetry or event subscription. The notification element is the message sent by the server after a subscription exists, not the operation used to create one. Logging is not a NETCONF operation in the protocol operation set. In Cisco model-driven management designs, NETCONF provides structured configuration and operational access using YANG data models, while notifications allow the management station to consume specific events without relying on repeated screen scraping or broad polling. Therefore, the correct operation for creating filtering specific to session notifications is create-subscription.

DMVPN is the correct overlay VPN solution for dynamic, secure, scalable branch-to-branch communication. Cisco Dynamic Multipoint VPN uses multipoint GRE, NHRP, and IPsec to support dynamic tunnel creation without manually defining a static tunnel between every branch pair. That design is well suited to a global organization where branches communicate frequently and more branches will be added later. DMVPN allows spokes to register with hubs and, depending on the phase design, establish dynamic spoke-to-spoke tunnels for direct traffic while maintaining encrypted protection with IPsec. EasyVPN is more oriented to remote-access or simplified client/server VPN deployments and is not the scalable branch mesh solution described. GETVPN is strong for private WAN encryption but does not build dynamic IPsec tunnels over an overlay in the same manner and assumes a trusted private routing core. L2TP is not the correct enterprise dynamic branch overlay. The architect should choose DMVPN and select the appropriate phase, routing protocol, summarization strategy, and IPsec profile based on branch scale and resource limits. Reference topics: DMVPN, NHRP, mGRE, IPsec protection, spoke-to-spoke dynamic tunnels.

Incremental SPF is the correct solution because the problem specifically states that Type 1 or Type 2 LSAs force the OSPF process to recompute the entire shortest path tree. Cisco OSPF documentation states that when changes to a Type 1 or Type 2 LSA occur, the entire SPT is normally recomputed, and that incremental SPF allows the system to recompute only the affected part of the tree. This improves convergence and reduces CPU use because the router does not have to run a full Dijkstra calculation for every topology change. BFD detects failures quickly, but it does not change how OSPF recalculates the SPT after the LSA arrives. Standard SPF is the default full calculation behavior and therefore does not solve the optimization requirement. PRC is associated with partial route calculation behavior in some link-state contexts, but for this OSPF question the Cisco feature name is iSPF. Reference topics: OSPF incremental SPF, Type 1 LSA, Type 2 LSA, SPF optimization, campus OSPF scaling.

The SD-Access overlay should reduce subnet sprawl and avoid overlapping IP subnets unless there is a specific operational requirement. Cisco SD-Access creates overlay virtual networks over an IP underlay and uses anycast gateway, VXLAN encapsulation, LISP control-plane mapping, and policy constructs to simplify endpoint mobility and segmentation. Reducing the number of subnets simplifies DHCP scope management, default-gateway placement, and operational troubleshooting. Avoiding overlapping address space across overlay networks is also a practical design recommendation because overlapping subnets complicate shared services, fusion routing, security logging, and policy troubleshooting. LAN automation and a dedicated IGP process are underlay deployment considerations, not overlay design choices. Layer 3 to the access design is also associated with routed underlay and campus fabric transport, not the overlay segmentation model. A clean overlay design should define virtual networks, scalable groups, IP pools, shared-services reachability, and external connectivity before deployment. Reference topics: Cisco SD-Access overlay design, anycast gateway, virtual networks, DHCP simplification, overlapping subnet avoidance.

LTE is the most appropriate backup WAN option for remote sites that already rely on microwave links. A backup transport should use a different failure domain from the primary service; LTE provides carrier wireless connectivity that is operationally separate from the customer’s microwave infrastructure. It is widely available, fast to deploy, and suitable as an out-of-band or secondary WAN path for branch continuity. WiMAX is an older metropolitan wireless technology and is not the preferred current enterprise backup choice. A laser link is another line-of-sight technology and can suffer from similar environmental and alignment constraints as microwave, so it is a weaker diversity option. Bluetooth is a short-range personal-area technology and is not a viable WAN backup for enterprise branches. LTE also integrates well with SD-WAN, IPsec VPN, and routing-based failover designs. In a resilient WAN architecture, the architect should validate signal quality, carrier coverage, data plan, antenna placement, NAT behavior, and whether the backup link must support dynamic routing, VPN encryption, and QoS for critical traffic during failover.

Cisco SD-WAN components map to distinct control, management, orchestration, and forwarding roles. vManage is the centralized management plane used for configuration templates, monitoring, software management, and operational visibility. vSmart is the centralized control-plane component that distributes OMP routes, TLOC information, security parameters, and centralized policy to WAN Edge devices. vBond is the orchestration component used during onboarding; it authenticates devices, helps them discover controllers, and assists with NAT traversal. The WAN Edge router, whether physical or virtual, forms the data plane at the branch, campus, or data center and forwards user traffic through secure overlay tunnels. Correctly identifying these roles is essential because SD-WAN scale and resiliency depend on separating management, control, orchestration, and forwarding responsibilities. A design that confuses vManage with vSmart or vBond will misplace policy, onboarding, and forwarding functions. Reference topics: Cisco SD-WAN architecture, vManage, vSmart, vBond, WAN Edge, OMP, overlay control plane.

The correct model is a 4-class QoS strategy with DiffServ. The traffic classes listed in the question are explicitly DiffServ per-hop behaviors: Expedited Forwarding for conversational traffic, Assured Forwarding class 2 for streaming, and Assured Forwarding class 3 for web or interactive traffic. Cisco QoS guidance uses DiffServ to classify and mark traffic with DSCP values, then apply per-hop behavior at each node along the path. This gives scalable end-to-end treatment across a provider backbone without maintaining per-flow reservations. The four service treatments implied are conversational, streaming, interactive/web, and background or best effort, which matches the stated service categories without unnecessary class expansion. IntServ is not appropriate for an ISP backbone because it uses RSVP-style per-flow signaling and state, which scales poorly compared with DiffServ PHB handling. The 8-class and 12-class options add complexity beyond the stated mappings. Reference topics: DiffServ, DSCP, EF, AF2, AF3, per-hop behavior, provider QoS design.

An out-of-band management network should be isolated from the production data network and protected with strict access control. Cisco SAFE design principles treat the management plane as a sensitive function because it provides administrative access to infrastructure devices. Isolation ensures that production outages, routing problems, or compromised user segments do not automatically remove the operator’s ability to manage routers, switches, firewalls, and controllers. Access control ensures that only authorized administrators and management systems can reach the management interfaces and protocols. The management network should not be treated as a backup data path, because that undermines separation and can expose management devices to production traffic risks. It should also not be used as a general-purpose data backup network. “Facilitate network integration” is too vague and can conflict with the isolation requirement. Therefore, the best practices are to enforce access control and ensure network isolation. In a mature design, this normally includes dedicated management interfaces or VRFs, jump hosts, AAA, logging, and tightly controlled management protocol access.

Manual underlay is the correct deployment approach for a brownfield SD-Access scenario. In a greenfield fabric, Cisco DNA Center LAN Automation can build the routed underlay by discovering devices, assigning addresses, and creating the required underlay adjacencies. Brownfield environments already have an installed campus network, addressing plan, routing policy, operational constraints, and production dependencies. Rebuilding that underlay automatically can introduce unnecessary disruption. Cisco SD-Access brownfield designs normally preserve and validate the existing routed underlay, then use Cisco DNA Center to discover devices and automate the fabric overlay, policy, and endpoint segmentation functions. Subnet stretching is not the required deployment model and can create operational complexity. Automated underlay and LAN automation are powerful when the physical network is being newly built, but they are not the safest default for an established production environment. A professional brownfield design should first confirm MTU, routing reachability, loopback advertisements, device support, and fabric readiness before onboarding nodes. Reference topics: SD-Access brownfield migration, manual underlay, Cisco DNA Center, LAN Automation, fabric readiness.

Service routes in OMP updates identify services that are available for centralized service insertion. In Cisco Catalyst SD-WAN, OMP does more than advertise ordinary VPN prefixes. It also carries TLOC routes, which describe transport locators, and service routes, which allow the fabric to steer traffic toward network services such as firewalls, intrusion prevention systems, or other centralized service nodes. This is how the SD-WAN control plane distributes enough information for WAN Edge routers to make policy-driven forwarding decisions without requiring each device to learn service attachment through a separate routing protocol. A service route is not used to describe the underlay transport itself, because that function is handled by TLOC information. It is also not a route to the orchestration plane or a remote management definition. The design value is that service insertion can be centrally advertised and controlled through OMP, then applied consistently through SD-WAN policy. Reference topics: Cisco SD-WAN OMP, service routes, TLOC routes, service insertion, centralized data policy.

Configuring the remote router as an EIGRP stub is the correct action to stabilize the design and reduce Stuck-in-Active risk. A DUAL-3-SIA message indicates that EIGRP did not receive a reply to a query within the active timer. This is common in designs where low-speed or resource-constrained routers are queried for destinations they should never provide transit reachability for. EIGRP stub routing tells upstream neighbors that the router is not a transit device and limits which routes it advertises. As a result, upstream routers do not send unnecessary queries through the stub router, which reduces query scope, CPU load, and convergence delay. Poison reverse and split horizon adjustments are not the right design response to an SIA condition caused by excessive query range. A summary route can help reduce query scope in some places, but the branch or edge router in this scenario should also be explicitly marked as a stub. Reference topics: EIGRP DUAL, Stuck-in-Active, EIGRP stub routing, query scope, low-bandwidth links, convergence stability.

Route summarization should be planned from the aggregation layer toward both the core and the access layer. In hierarchical campus routing, aggregation or distribution devices are natural summarization boundaries because they sit between more specific access-layer networks and the core. Summarizing from aggregation toward the core prevents access-layer subnet churn from forcing unnecessary recomputation and route table growth in the core. Summarizing from aggregation toward access can also provide a concise upstream route, often a default or summary route, so access devices do not need the entire network routing table. The goal is to contain failures, reduce routing state, and preserve fast convergence at hierarchy boundaries. Summarizing from the core toward aggregation may hide useful topology details in the wrong direction, while summarizing directly from access toward aggregation is not always possible or efficient when access devices are numerous and have limited resources. The answer that places summarization at aggregation in both directions best matches Cisco hierarchical design principles. Reference topics: hierarchical campus design, route summarization, aggregation layer, core route scale, convergence containment.

Stateful NAT64 is the correct translation solution when IPv6-only corporate hosts need Internet connectivity to IPv4 resources using a limited IPv4 address pool. NAT64 translates IPv6 client addresses to IPv4 addresses and maintains state for each session, allowing many IPv6 hosts to share a smaller set of IPv4 addresses through port multiplexing. The design is restricted to the 172.16.168.0/22 subnet, which provides an IPv4 pool that can be used for stateful translation. Stateless NAT64 requires algorithmic one-to-one address mapping and normally needs enough IPv4 address space to represent IPv6 hosts deterministically; it is not suitable when many clients must share a restricted IPv4 block. NAT66 translates IPv6 to IPv6 and does not provide access to IPv4 Internet resources. In a production design, stateful NAT64 is often paired with DNS64 so IPv6-only clients can resolve IPv4-only destinations through synthesized AAAA records. Reference topics: stateful NAT64, DNS64, IPv6-to-IPv4 translation, address conservation, Internet access migration.

Dedicated control-plane nodes are advisable when frequent endpoint roaming across fabric edge nodes is expected. In Cisco SD-Access, the control-plane node maintains the host tracking database and resolves endpoint identifiers to routing locators. When endpoints move between fabric edge nodes, the fabric must update endpoint-to-location mappings quickly and consistently. In smaller deployments, the control-plane function can sometimes be colocated with border nodes, but larger or more mobile environments benefit from dedicated control-plane nodes to improve scale, resilience, and operational separation. The decision is not because Cisco DNA Center is absent; DNA Center is the management and automation platform for SD-Access. It is also not because edge nodes are unable to provide control-plane functionality, since that is not their fabric role. Frequent roaming creates more mapping updates and lookup activity, so dedicated control-plane resources help maintain stable endpoint registration and resolution performance. Reference topics: Cisco SD-Access control-plane node, host tracking database, endpoint mobility, LISP map server, fabric scale.

Dual stack is the migration topology that supports IPv6 while preserving existing IPv4 services during the transition. In a dual-stack design, hosts and network devices run IPv4 and IPv6 in parallel, allowing applications and services to move gradually from IPv4 to IPv6 without forcing an immediate cutover. That matches the customer’s plan: keep the current IPv4 topology and services, introduce IPv6 connectivity, migrate services, and eventually decommission the IPv4 topology. 6VPE is used to carry IPv6 VPN routes across an MPLS IPv4 provider core, which is a service-provider VPN use case rather than a general enterprise migration topology. 6to4 is an automatic tunneling mechanism and is not appropriate as a stable enterprise migration plan. NAT64 enables IPv6-only clients to reach IPv4 resources through translation, but it does not preserve the complete IPv4 topology while services migrate. Cisco migration guidance treats dual stack as the cleanest operational model when infrastructure supports both protocols, because it avoids translation side effects and allows DNS and application behavior to determine which protocol is used.

A policy-based IPsec tunnel with static routing is the simplest secure design for connecting two hosts in two companies when no additional future connectivity is planned. The requirement is narrow: one host in Company A must communicate with one host in Company B over a single encrypted Internet connection. Policy-based IPsec is straightforward for this type of point-to-point encryption because crypto ACLs define exactly which interesting traffic should be protected. Static routing is sufficient because there is no complex topology, no dynamic path selection requirement, and no anticipated expansion. A DMVPN design would add unnecessary NHRP, multipoint GRE, and dynamic routing complexity. A routed IPsec tunnel with OSPF is useful when many networks or dynamic route changes are expected, but it is more complex than needed. MPLS VPN with BGP would require provider service and does not meet the simple encrypted Internet connection requirement. Reference topics: site-to-site IPsec, policy-based VPN, static routing, point-to-point secure connectivity, WAN simplicity.

Route leaking on R13 and R9 is required so the Level 1 area can make a better exit decision toward the server. In an IS-IS hierarchy, Level 1 routers know detailed topology only inside their own area. For destinations outside the area, they normally follow the closest attached Level 1/Level 2 router, which can produce suboptimal latency when another exit has a better end-to-end path. Route leaking selectively injects more specific Level 2 reachability information into Level 1, allowing routers in the New Office area to evaluate a better path instead of blindly following the nearest attached-bit exit. Changing metric style on R8 alone does not import the external-area route information needed for better path selection. A static route could force a path but would not be a scalable dynamic IS-IS design. Making R8 Level 1/Level 2 does not solve the need to expose the relevant route through the correct area boundary. Reference topics: IS-IS Level 1 and Level 2, attached bit, route leaking, interarea optimization, latency-aware routing.

NBAR2 should be used to identify the affected cloud applications and then allocate bandwidth according to the measured application requirements. Modern collaboration suites often use dynamic ports, encrypted sessions, and multiple flows for voice, video, messaging, file sharing, and screen sharing. Classifying them only by static ports is unreliable and can misclassify traffic, especially when applications change transport behavior or use shared cloud endpoints. Cisco NBAR2 provides application recognition beyond basic port matching and can classify traffic by application signatures. Once the applications are identified, the QoS policy can be adjusted to give the required bandwidth, priority, or queue treatment. Reserving bandwidth only on perimeter routers is incomplete if congestion occurs elsewhere in the WAN path. Rate-limiting the applications would likely make the user experience worse. The key problem is that the existing policy works for other applications but not these cloud-based tools, so the first design step is accurate application visibility and classification. NBAR2 provides that visibility and supports a more precise QoS policy. Reference topics: NBAR2, application-aware QoS, cloud collaboration traffic, DSCP classification, bandwidth allocation.

Universal PoE is the appropriate power technology when endpoint requirements vary from 30 watts up to 60 watts. Cisco Universal Power over Ethernet extends the PoE+ model and can source up to 60 watts per port by using all four cable pairs. PoE Plus supports up to 30 watts and therefore does not satisfy the upper range in the requirement. Fast PoE is concerned with how quickly power is restored during switch startup, not the maximum supported wattage. Perpetual PoE is the feature that maintains power during a switch reload, but by itself it does not define the 60-watt power class. In a complete campus design, the architect should select UPOE-capable Catalyst access switches and enable perpetual PoE behavior on ports where endpoints must remain powered during reload events. Among the answer choices, Universal PoE is the required power delivery solution because the 30-to-60 watt budget is mandatory. Reference topics: Cisco UPOE, PoE Plus, Perpetual PoE, Fast PoE, Catalyst access-layer power design.

Controller redundancy is the only viable answer among the listed choices. In Cisco SD-WAN, production control-plane resiliency is achieved by deploying redundant controller infrastructure so WAN Edge routers can maintain control connectivity even if a controller instance fails. Strictly speaking, vSmart controllers are the primary SD-WAN control-plane components because they distribute OMP routes, TLOC information, service routes, and policy. vManage is the management plane, and clustering vManage improves management-plane availability. However, the provided options do not include redundant vSmart controllers. Of the available answers, using multiple controller instances in a cluster is the closest redundancy design concept, while the other options do not provide SD-WAN controller redundancy. BFD on WAN Edge routers detects data-plane path failure, not control-plane controller failure. Deploying controllers on UCS or CSP affects hosting, not redundancy by itself. OMP manages overlay routes; it is not an underlay management mechanism. A complete professional design should include redundant vSmart, vBond, and vManage components across failure domains. Reference topics: Cisco SD-WAN control plane, controller redundancy, vSmart, vManage clustering, OMP.

The primary HSRP device should use the preempt delay feature. When a failed primary distribution switch returns, HSRP preemption allows it to reclaim the active gateway role because it has the higher priority. However, routing protocols, trunks, line cards, FIB programming, or upstream convergence may not be fully ready at the instant HSRP becomes active again. If the device preempts too quickly, hosts forward traffic to a gateway that is not yet ready to forward all flows, causing temporary packet loss. Cisco HSRP preempt delay prevents immediate takeover by delaying preemption after reload or interface recovery, giving the switch time to rebuild control-plane and forwarding-plane state. Increasing hello timers slows failure detection and does not solve the premature takeover problem. Applying preempt delay to the backup device is not the issue because the returning primary is the device that reclaims active state. MAC refresh timers are not the primary mechanism for this condition. Therefore, the design should configure preempt delay on the primary HSRP device. Reference topics: HSRP preemption, preempt delay, gateway recovery, campus high availability, convergence coordination.

The correct solution is again a management VRF with SSH keys for device access. This duplicate item tests the same design principle: management traffic should be logically isolated from the overlay and production forwarding paths. A VRF gives the management plane its own routing table, so changes or failures in the overlay do not normally alter management reachability. That makes the network easier to operate because engineers can troubleshoot device access, routing, and overlay behavior as separate concerns. SSH keys satisfy the secure-access requirement by providing encrypted management sessions with public-key authentication. Private VLANs and standard VLANs can segment Layer 2 traffic, but they do not solve routing separation by themselves. TACACS+ and RADIUS provide authentication, authorization, and accounting, but they do not prevent overlay routing from interacting with management reachability. A separate physical interface can help in some designs, but option A is the cleanest answer because it combines routing isolation with secure access. Reference topics: management VRF, SSH, secure management plane, route isolation, overlay troubleshooting.

An MPLS WAN from two separate ISPs is the strongest fit when the enterprise requires an active/backup WAN design with guaranteed SLAs for applications on either connection. MPLS VPN services are typically delivered with provider-backed service-level commitments for latency, jitter, packet loss, and availability, which is why they are selected for predictable enterprise application transport. Using two separate MPLS providers improves resiliency against a provider failure while preserving SLA-backed behavior on the backup path. A hybrid MPLS and Internet VPN model can be cost effective, but the Internet path generally does not provide the same deterministic SLA unless enhanced by a specific managed service contract. Internet from two providers improves reachability diversity but does not inherently guarantee application SLA. A single ISP hybrid design creates a provider dependency and weakens availability. Therefore, dual-provider MPLS is the conservative design for guaranteed active/backup WAN service. Reference topics: MPLS WAN design, service-level agreements, active/backup WAN, provider diversity, application performance assurance.

DiffServ is the correct scalable QoS architecture for classifying traffic according to business requirements and using DSCP values as the priority descriptor. Cisco QoS design distinguishes DiffServ from IntServ. IntServ uses per-flow signaling with RSVP and can reserve resources, but that model is not operationally scalable across large enterprise networks. DiffServ is class-based. Traffic is classified and marked at the network edge, then each device applies per-hop behavior to those classes using local QoS policy. DSCP provides a six-bit field in the IP header, which supports more than ten classification values and allows standardized treatment classes such as EF, AF, class selector, and default. Best effort provides no differentiated treatment, and RSVP is a signaling mechanism associated with IntServ rather than the requested scalable class-based architecture. “Interserv” is not the correct Cisco QoS model term. Therefore, the engineer should design around DiffServ, with a clear trust boundary, marking policy, queuing model, and consistent treatment across WAN and campus boundaries. Reference topics: DiffServ, DSCP, per-hop behavior, class-based QoS, scalable QoS architecture.

The design combines Dual-Stack Lite from the devices toward the core MPLS network and NAT44/64 from the MPLS network toward the Internet gateway router. The requirements describe IPv6-facing clients that still need access to IPv4 services and DNS behavior that allows the same service name to be reached during migration. Dual-Stack Lite carries IPv4 customer traffic across an IPv6 access or provider network by tunneling IPv4 packets over IPv6 toward a provider translation point. NAT44/64 services then provide translation or address-family interworking for IPv4-only resources. This combination is used when customer-facing access moves to IPv6 while legacy IPv4 services remain reachable during transition. A simple IPv6 tunnel from devices to the MPLS core does not provide the required IPv4 service translation. Using only NAT44/64 from end devices also shifts complexity to clients rather than placing translation at the network edge. The selected choices match the staged migration model: IPv6 transport with encapsulation in the access/core side and translation at the provider or gateway boundary. Reference topics: IPv6 transition, DS-Lite, NAT64, DNS64, IPv4-over-IPv6 tunneling.

Interdomain multicast designs commonly use MP-BGP and MSDP together. MP-BGP carries multicast routing information between domains so routers can perform RPF checks based on the correct multicast topology rather than relying only on unicast routing. MSDP is used between rendezvous points in different PIM sparse-mode domains to exchange information about active sources. Cisco multicast documentation describes MSDP as a mechanism that connects multiple PIM-SM domains and allows RPs to discover multicast sources in other domains. Together, MP-BGP provides the reachability information and MSDP provides source discovery between RPs. IGMPv2 is a host-to-router group membership protocol inside a local subnet, not an interdomain multicast routing protocol. MLD provides the IPv6 equivalent of host group membership signaling. BIDIR-PIM is a multicast forwarding mode optimized for many-to-many traffic inside a domain, but it is not the pair of protocols used for interdomain source and receiver communication in this question. Therefore, the correct protocols are MP-BGP and MSDP.

MSDP should be enabled between the Anycast RP routers using separate unique loopback interfaces. In a PIM Anycast RP design, multiple RPs share the same RP address so multicast routers can reach the topologically closest RP through normal unicast routing. That shared RP address gives redundancy and load sharing, but it also creates a source-discovery problem: a source registered to RP1 must be known by RP2 so receivers using RP2 can join the same multicast stream. Cisco Anycast RP designs solve this by running MSDP between the RPs. The MSDP peerings should use unique loopback addresses, not the shared Anycast RP address, because each router must have an individually reachable identity for the MSDP session. Extending the RP subnet at Layer 2 between data centers is unnecessary and poor design. Using the configured Anycast RP address for MSDP creates ambiguity because both routers advertise the same address. Doing nothing would leave each RP aware only of locally registered sources. Reference topics: Anycast RP, MSDP, PIM sparse mode, source-active exchange, multicast RP redundancy.

The correct solution is IntServ with RSVP. The requirement says the application must be able to request a specific service level and receive guaranteed bandwidth with support for delay requirements. Cisco describes Integrated Services as a QoS model that uses Resource Reservation Protocol to signal per-flow resource requirements across the network. RSVP allows applications or endpoints to request bandwidth and delay treatment; each participating network device can admit or reject the reservation based on available resources. This is exactly the behavior needed when an application must explicitly request a service profile rather than simply inherit a class marking. DiffServ with DSCP is more scalable, but it only marks traffic and applies class-based per-hop behavior. It does not provide per-flow reservation or allow the application to explicitly reserve resources. DSCP by itself is a marking mechanism, not a reservation protocol. RSVP belongs with IntServ in the classic QoS model. Reference topics: Integrated Services, RSVP, resource reservation, QoS guarantees, delay-sensitive applications.

Cisco SD-WAN is the correct solution when the design must use internet circuits at each site while providing failover, load sharing, and QoS. Basic IPsec tunnels can encrypt traffic, but they do not by themselves provide a complete WAN architecture for path measurement, dynamic traffic steering, centralized policy, application-aware routing, or scalable operational control. Cisco SD-WAN builds secure overlay tunnels across available transports and continuously measures path characteristics such as loss, latency, and jitter. It can then steer applications according to SLA policy, use multiple circuits for active/active forwarding, and fail traffic over when a path degrades or fails. QoS can be applied consistently through templates and policy across the WAN Edge routers. GET VPN is best suited to private MPLS-style networks and does not address internet-circuit overlay orchestration in the same way. Traditional DMVPN is a valid dynamic VPN technology, but SD-WAN is the more complete resilient internet-WAN design for these requirements. Reference topics: Cisco SD-WAN, internet transport, application-aware routing, failover, load sharing, QoS.

GET VPN is the correct private WAN encryption technology when traffic must always be encrypted, multicast must be supported, forwarding overhead must be reduced, and security management must be centralized. Cisco Group Encrypted Transport VPN protects traffic over a private WAN without building traditional point-to-point or multipoint tunnel overlays. Because it preserves the original IP header, the provider or enterprise routing core can still make normal forwarding decisions, and multicast, QoS, and routing behavior are easier to preserve than with heavy tunnel overlays. GET VPN uses a key server model to centralize group policy and distribute encryption keys to group members. This reduces the operational burden of maintaining many permanent tunnels. DMVPN supports multicast through GRE and provides dynamic tunnels, but it adds tunnel encapsulation overhead and does not meet the reduced-overhead private WAN requirement as cleanly. Plain mGRE lacks the full centralized group encryption model. Reference topics: GET VPN, group encryption, private WAN security, multicast support, key server, tunnel-less IPsec.

Multichassis EtherChannel is the correct design when distribution switches support VSS and the campus needs fast Layer 2 convergence while using as much uplink bandwidth as possible. With VSS, two physical distribution switches operate as a single logical switching system from the perspective of the access layer. MEC allows an access switch to bundle links to both distribution chassis into one logical EtherChannel. This removes the normal spanning-tree blocking of redundant uplinks, uses both links actively, and provides fast convergence if one physical link or chassis fails. A plain EtherChannel normally terminates on one physical switch, so it does not provide the same chassis-level resiliency unless the distribution pair is virtualized. RSTP improves loop convergence but still blocks redundant Layer 2 paths in a traditional topology. ECMP requires Layer 3 routing, and the question notes routing protocol limitations. Therefore, MEC on VSS is the best solution for bandwidth utilization and fast Layer 2 recovery. Reference topics: VSS, Multichassis EtherChannel, Layer 2 campus resiliency, STP avoidance, access-to-distribution design.

The provider must activate the VPNv4 unicast address family between PE routers. In an MPLS Layer 3 VPN, customer routes learned from CE routers are placed into VRFs on the PE routers. To carry those customer routes across the provider backbone without overlap, MP-BGP advertises VPNv4 routes, which combine an IPv4 prefix with a route distinguisher. Route targets then control which receiving VRFs import the routes. Plain IPv4 unicast would not preserve customer VPN context and would not solve overlapping route separation. L2VPN EVPN is used for Ethernet VPN services and data center or Layer 2 VPN use cases, not classic MPLS L3VPN route exchange between PEs. Address-family multicast is unrelated to exchanging customer unicast routes between PE routers. Cisco MPLS VPN design relies on MP-BGP VPNv4 between provider edge routers, while PE-CE routing can be static, OSPF, EIGRP, BGP, or another supported method. Therefore, VPNv4 unicast is the correct PE-to-PE address family. Reference topics: MPLS Layer 3 VPN, MP-BGP, VPNv4 unicast, route distinguishers, route targets, PE-CE routing.

LISP is the control-plane protocol responsible for Endpoint Identifier to Routing Locator mapping in Cisco SD-Access. In the SD-Access architecture, an endpoint address is treated as an EID, and the fabric node location is represented by an RLOC. The fabric control-plane node performs LISP map-server and map-resolver functions so edge nodes can register local endpoints and resolve the current location of remote endpoints. This separation allows the overlay to support host mobility, anycast gateway behavior, and segmentation without depending only on traditional subnet-bound forwarding. VXLAN is the fabric data-plane encapsulation used to carry traffic across the fabric and preserve policy information, but it does not provide the EID-to-RLOC mapping function. CEF is the local forwarding mechanism inside Cisco devices, and GBAC is not the SD-Access mapping protocol. Therefore, LISP is the correct answer because it provides the SD-Access fabric control plane. Reference topics: Cisco SD-Access control plane, LISP, EID, RLOC, map-server, map-resolver.

The described SD-WAN security feature is Cisco Advanced Malware Protection. Cisco Catalyst SD-WAN security documentation identifies AMP as the component that uses global threat intelligence, file reputation, advanced sandboxing, real-time malware blocking, and continuous analysis of file activity across the extended network. That wording maps directly to the question. AMP focuses on detecting malicious files, analyzing unknown files, blocking threats, and performing retrospective analysis if a file is later determined to be malicious. An intrusion prevention system inspects traffic for exploit signatures and known attack behaviors; it does not primarily provide file sandboxing and retrospective malware analysis. Enterprise Firewall with Application Awareness delivers stateful firewall control and application visibility. DNS-layer security, commonly integrated through Cisco Umbrella, blocks threats based on DNS requests before connections are made. The feature that specifically combines global threat intelligence, sandboxing, and continuous file analysis is AMP. Reference topics: Cisco Catalyst SD-WAN security, Advanced Malware Protection, UTD, file reputation, file analysis, sandboxing.

IP directed broadcast must be enabled on the last Layer 3 device connected to the destination client subnet, which is R2 in the exhibit. Wake-on-LAN uses a magic packet that must reach sleeping hosts on the target LAN. Because sleeping clients often do not have an active IP stack or ARP entry, the WoL packet is commonly sent as a directed broadcast toward the target subnet. Routers forward the packet as a unicast until it reaches the destination subnet, where the last-hop router converts it into a Layer 2 broadcast if directed broadcasts are permitted. Cisco disables directed broadcasts by default on many platforms because of historical amplification-attack risks, so the design should enable it only where needed and protect it with ACLs. Spanning-tree UplinkFast is unrelated to delivering WoL packets; it improves STP convergence on access switches. Enabling directed broadcasts on the wrong router would not place the magic packet onto the client VLAN. Therefore, R2, the last-hop router toward the target WoL clients, is the correct location. Reference topics: Wake-on-LAN, IP directed broadcast, last-hop router behavior, subnet broadcast forwarding, ACL protection.

The correct XML/YANG data model set is the option that accurately represents the IOS XE interface hierarchy, assigns the IPv4 address to GigabitEthernet2/1/0, and uses the correct prefix length of 27. In model-driven programmability, the payload must match both the selected YANG model schema and the target platform’s interface naming conventions. For IOS XE native models, interface configuration is structured under the Cisco native namespace, with interface type and name represented in the schema before IPv4 address elements are applied. The address 10.10.10.10/27 must also support a directly connected host at 10.10.10.1/27, which places both addresses in the same 10.10.10.0/27 subnet. Options that place the address under the wrong interface type, use the wrong namespace, incorrectly represent the mask, or configure the host route rather than the interface are invalid. Option D is the only answer aligned to the IOS XE YANG structure and the requested addressing. Reference topics: IOS XE native YANG, NETCONF XML payloads, interface configuration, IPv4 prefix length, model-driven programmability.

When dual WAN Edge routers are deployed at a branch, first-hop redundancy and SD-WAN overlay path preference must be aligned. The correct design consideration is that HSRP priorities on the service side should match the OMP routing policy that determines which WAN Edge is preferred. If the LAN gateway points hosts to one WAN Edge while OMP policy prefers the other edge for return or remote-site traffic, traffic can become asymmetric or hairpinned through the wrong device. Proper alignment gives predictable active/standby or active/active behavior and avoids blackholing during failover. Option A describes traditional BGP path manipulation with AS-path prepending and MED; those are not the primary SD-WAN branch dual-edge design controls. Option C overstates symmetry as a universal requirement for DPI; Cisco SD-WAN can handle many traffic patterns, but gateway and OMP alignment remain the core branch design issue. Option D is wrong because SD-WAN already uses BFD across data-plane tunnels, not as a special direct adjacency between the two local WAN Edges for this purpose. Reference topics: Cisco SD-WAN branch redundancy, HSRP, OMP policy, WAN Edge preference, service-side high availability.

The Cisco SD-Access data plane is based on VXLAN. This duplicate item tests the same fabric-plane distinction: LISP handles endpoint-to-location mapping in the control plane, while VXLAN transports encapsulated user traffic in the data plane. Cisco describes SD-Access as using a routed underlay with an overlay in which VXLAN encapsulation carries endpoint traffic between fabric nodes. VXLAN supports the fabric’s virtual network separation and policy transport, allowing the enterprise to move beyond VLAN-only segmentation while keeping the underlay simple and routed. OMP is not part of SD-Access data-plane forwarding; it belongs to Cisco SD-WAN. NHRP is used in DMVPN to resolve next-hop tunnel addresses. LISP is not the answer here because it tells a fabric node where an endpoint is located, while VXLAN is the encapsulation method used to forward the traffic there. Reference topics: Cisco SD-Access architecture, VXLAN, LISP, data plane, control plane, endpoint mobility.

Enabling EIGRP stub routing on the spokes decreases convergence time in a hub-and-spoke design by reducing unnecessary queries and preventing spokes from being treated as transit routers. EIGRP convergence can be delayed when a router loses a route and must query many neighbors to determine whether an alternate path exists. In remote-site or spoke designs, a spoke normally has no useful alternate path for networks beyond itself, so querying it wastes time and can contribute to stuck-in-active conditions. Cisco EIGRP stub routing allows the spoke to advertise only permitted route types and informs upstream routers not to query the spoke for routes outside its scope. This creates a cleaner query boundary and accelerates convergence after link or route failures. Subsecond timers can detect neighbor loss more quickly, but they do not address the broader EIGRP query behavior shown in the design. Increasing hold or dead timers would slow detection, not improve convergence. Therefore, in the displayed hub-and-spoke EIGRP design, enabling stub routing on the spokes is the correct solution to decrease convergence time.

Stateful NAT64 is the correct design because IPv6-only hosts must communicate with legacy IPv4 devices and only a small pool of IPv4 addresses is available for concurrent sessions. NAT64 translates IPv6 client traffic into IPv4 traffic, allowing IPv6-only endpoints to reach IPv4-only resources. A stateful implementation maintains translation state and can use a pool of IPv4 addresses for multiple IPv6 clients, which fits the requirement for up to 10 concurrent IPv6 hosts using 10 reserved IPv4 addresses. Static NAT- PT would require fixed one-to-one mappings and is less suitable for a pool-based concurrent access model. NAT66 translates between IPv6 prefixes and does not solve access to IPv4-only devices. Dynamic NAT-PT is an older transition mechanism and is not the preferred modern answer when NAT64 is available. The design should also include DNS64 when clients access IPv4-only services by name. Reference topics: IPv6 transition, stateful NAT64, DNS64, IPv6-only hosts, IPv4 legacy reachability.

OpenConfig, IETF, and Cisco native YANG models differ mainly in scope and implementation focus. IETF models are standards-based and are intended to cover common protocol or interface functions across vendors. OpenConfig models are vendor-neutral operational and configuration models developed for broad network automation use cases and often provide a more detailed service or operational structure than the corresponding baseline IETF model. Cisco native models are device and operating-system specific, which means they usually expose the most complete Cisco feature coverage but are less portable across vendors. For the question wording, OpenConfig is more comprehensive than IETF when configuring the same general feature in a multivendor environment, because OpenConfig commonly defines richer operational and configuration containers beyond the minimum standards model. Option B is incorrect because Cisco native models are not generally less comprehensive than OpenConfig on Cisco devices. Option C is also incorrect for the same reason. Option D reverses the usual relationship. Reference topics: YANG model families, IETF models, OpenConfig models, Cisco native YANG models, model-driven programmability.

The primary consideration is that the participating hosts must support dual stack. The pilot is contained within a single VLAN, so the application traffic remains inside the same Layer 2 broadcast domain across the dual-site data center environment. Layer 2 switches forward Ethernet frames and do not need to understand the IPv6 header to carry IPv6 traffic inside the VLAN. Layer 3 switches need IPv6 capability only where IPv6 routing, gateways, ACLs, or services are required. For this pilot, the essential requirement is that the servers and endpoints running the IPv6 application can operate with both IPv4 and IPv6 enabled while the existing environment continues to support IPv4. Dual stack allows IPv6 testing without removing IPv4 reachability or forcing translation. Requiring every Layer 2 and Layer 3 switch in both data centers to be dual-stack overstates the design requirement. The hosts participating in the pilot are the critical dependency. Reference topics: IPv6 migration, dual stack, Layer 2 VLAN transport, data-center pilot design, IPv4 and IPv6 coexistence.

Redistributing OSPF process 1 into process 2 on both R1 and R4 provides the required backup routing behavior between the management network and the target routers. The design requirements are failure driven: if R1 fails, NMS traffic must use R4, and if the link between R5 and R6 fails, traffic to 10.6.6.6 must still route through R4. When separate OSPF processes or domains exist, controlled redistribution at both exit points allows reachability to be maintained through either redistribution point. Advertising a single address into OSPF with high cost on R1 does not solve both failure cases. Static routes with IP SLA on R2 and R3 would be more manual and less aligned with the dynamic OSPF design. Default-information originate would provide a default path but would not accurately advertise the specific internal reachability required for the NMS destinations. The redistribution design must also include route filtering or tagging in production to prevent feedback loops. Reference topics: OSPF redistribution, redundant redistribution points, management reachability, route control, failure-path design.

The correct model set is the one that configures the IOS XE interface GigabitEthernet2/1/0 with IPv4 address 10.10.10.10 and prefix length 27 using valid XML according to the selected YANG schema. The directly connected host address 10.10.10.1/27 confirms the subnet relationship; both addresses belong to 10.10.10.0/27, so the interface configuration must use that prefix length rather than a host mask or an unrelated network. YANG-based configuration is strict: the namespace, container hierarchy, interface type, interface name, and address fields must match the device model. If an option places GigabitEthernet under the wrong container, represents the mask incorrectly, or uses a schema from a different model family, the device will reject the payload or configure the wrong object. Option D correctly represents the IOS XE XML structure and the required addressing. In real operations, the engineer should follow this with a get-config readback against the running datastore to prove that the structured configuration committed as intended. Reference topics: IOS XE interface YANG, XML payload structure, NETCONF configuration, IPv4 subnet validation.

BGP community is the correct attribute because it can support both policy requirements through coordination with the service provider. Communities are route tags that an upstream provider can match to apply routing policy, such as adjusting local preference to influence which dual-homed provider link is preferred for inbound traffic. Communities also include well-known values used to constrain route propagation. Cisco documents no-export as a community that prevents a route from being advertised outside the receiving AS, and no-advertise as a community that prevents advertisement to any peer. This directly matches the requirement that several customer-advertised networks must propagate no further. MED can influence inbound path selection in some dual-link designs, but it does not provide the propagation-control function. AS-path prepending can influence inbound traffic but is less precise and again does not solve the no-further-advertisement requirement. Local preference is normally applied inside an AS, not directly by the customer to external peers. Reference topics: BGP communities, no-export, no-advertise, provider policy, inbound traffic engineering.

Advertising more-specific prefixes toward the preferred service provider is the correct way to influence inbound traffic to enter through a chosen CE interface. BGP inbound path control is indirect: the enterprise cannot set local preference inside remote autonomous systems, and MED is honored only under specific provider policies. The most deterministic option available to the customer is to advertise a longer-prefix route to the preferred provider because Internet and BGP route selection generally prefer the longest matching prefix before BGP path attributes are considered. If the aggregate is advertised to both providers but a more-specific route is advertised to the provider connected to gig0/0, return traffic for that more- specific destination is attracted through that interface. Lowering MED toward the less preferred provider is the opposite of the desired effect. AS-path prepending toward the preferred provider would make that path less attractive. Local preference affects outbound path selection inside the local AS, not inbound traffic from external networks. Reference topics: BGP inbound traffic engineering, longest-prefix match, route aggregation, AS-path prepending, MED, local preference.

The Cisco SD-Access edge node is equivalent to the access-layer switch in a traditional three-tier campus design. Edge nodes are the fabric devices to which wired endpoints, access points, and other user-facing connections attach. They provide the anycast Layer 3 gateway for connected subnets, classify endpoints into virtual networks, apply policy information, and register endpoint reachability with the SD-Access control-plane node. In traditional campus terminology, this is the role normally performed by access switches at the edge of the network. Border nodes connect the SD-Access fabric to external networks, such as the WAN, data center, internet edge, or shared services. Intermediate nodes provide underlay transport between fabric nodes but do not attach endpoints to the fabric overlay. Control-plane nodes maintain mapping information rather than serving as access-layer attachment points. Understanding the edge-node role is fundamental because SD-Access policy and host mobility begin where the endpoint enters the fabric. Reference topics: SD-Access edge node, access layer, anycast gateway, endpoint registration, fabric roles.

gRPC provides efficient integration by using protocol buffers to serialize and deserialize structured data over the network. In network programmability and telemetry designs, gRPC is commonly used as the transport framework for streaming model-driven telemetry or for remote procedure calls between collectors, controllers, and network devices. Protocol buffers define compact structured messages that are faster and less ambiguous than parsing text output. This makes gRPC suitable for high-volume telemetry and programmatic device interaction. LDAP is a directory and authentication-related protocol, not the integration mechanism provided by gRPC. XMPP is associated with messaging and presence systems, not gRPC data serialization. Graph API is not a gRPC feature. The operational value of gRPC is that it provides a modern RPC framework with efficient message encoding, service definitions, and support for secure transport through TLS when implemented by the platform. Reference topics: gRPC, protocol buffers, model-driven telemetry, network programmability, structured data serialization. It improves controller interoperability.

Traffic shaping is the correct QoS design for a 1-Gbps handoff with a 100-Mbps committed information rate when the provider aggressively drops traffic above the CIR. Cisco distinguishes shaping from policing: shaping buffers and delays excess packets so the sender transmits at a configured rate, while policing drops or remarks traffic that exceeds the configured rate. Because the customer wants to maximize bandwidth usage up to the 100-Mbps CIR and avoid excessive TCP retransmissions, shaping is the better fit. Policing at the customer edge would simply drop excess traffic locally, creating the same kind of loss problem. A markdown policer is useful when lower-priority traffic should be reclassified, but it does not smooth bursts into the provider’s CIR. Queuing helps during congestion, but without shaping the router can still send bursts at the 1-Gbps physical rate into a provider policer. The correct design is to shape outbound traffic to the CIR, then use child-policy queuing if class-based service guarantees are required. Reference topics: traffic shaping, policing, CIR, hierarchical QoS, TCP retransmission avoidance.

Scalable groups provide intra-VN traffic filtering and control in Cisco SD-Access. Within a virtual network, macro segmentation separates routing tables, but endpoints inside the same VN may still need policy control based on identity, role, or security posture. Cisco SD-Access uses scalable group tags and scalable group ACLs to implement group-based policy. This allows policy to be expressed as user or device group relationships instead of only subnet-based ACL entries. The result is microsegmentation inside the virtual network, where traffic between groups can be permitted or denied consistently across the fabric. MAC ACLs are limited Layer 2 filters and do not provide the identity-based policy model required for SD-Access. Prefix lists are route-filtering tools, not intra-VN access-control mechanisms. Service policies are used for QoS or traffic treatment and do not define group-based segmentation. Scalable groups are therefore the correct policy construct for intra-VN filtering in the fabric. Reference topics: Cisco SD-Access policy, scalable groups, SGT, SGACL, microsegmentation, intra-VN control.

The requirement for end-to-end path verification identifies the Integrated Services model with RSVP. IntServ uses per-flow resource reservation, and RSVP signals the path between sender and receiver so devices along that path can admit or reject the requested service based on available resources. This makes IntServ appropriate when the design requires explicit end-to-end path validation and reservation for application flows. DiffServ works differently. In a DiffServ design, traffic is marked, normally with DSCP or CoS at the edge, and each hop applies a configured per-hop behavior. DiffServ is scalable and common in enterprise WAN and campus QoS designs, but it does not perform per-flow signaling or verify that every device in the path can reserve the requested resources. Marking traffic at the access layer is an important QoS design practice, but marking alone is not path verification. Therefore, when the customer explicitly requires end-to-end path verification for business-critical traffic, Cisco QoS architecture points to IntServ with RSVP rather than a pure DiffServ marking model.

Cisco SD-WAN uses the Overlay Management Protocol to exchange control-plane information between WAN Edge routers and vSmart controllers. OMP advertises three major categories of routing information: OMP routes, TLOC routes, and service routes. OMP routes represent reachability to prefixes in service VPNs, such as connected, static, OSPF, EIGRP, BGP, or other routes learned at the local site. TLOC routes describe transport locations, which bind a system IP, color, and encapsulation to a WAN transport attachment. Service routes indicate service insertion capabilities, such as firewalls or other network services that can be reached through a particular site. This separation allows Cisco SD-WAN to build a secure overlay over any public or private transport while keeping transport reachability, service-side prefixes, and inserted services distinct. The other answer choices use generic terms such as underlay, MPLS, Internet, backup, or primary routes, but those are not the formal OMP advertisement categories. Therefore, the correct answer is prefix, TLOC, and service.

The multicast Reverse Path Forwarding check is a loop-prevention mechanism. Cisco multicast forwarding does not forward traffic merely because the packet arrived on any multicast-enabled interface. Instead, the router checks whether the packet arrived on the interface that would be used to route traffic back toward the multicast source or, in shared-tree cases, back toward the rendezvous point. If the packet arrives on the expected reverse path, it passes the RPF check and can be replicated to the outgoing interface list. If it arrives on the wrong interface, it is dropped to prevent loops and duplicate packets. This supports a loop-free multicast distribution tree from sources to receivers. Auto-RP mapping agents, bootstrap messages, and RP-set discovery are separate rendezvous point distribution mechanisms; they are not the function of the RPF check. In enterprise designs with redundant links, asymmetric routing, or multiple equal paths, multicast RPF behavior must be reviewed carefully because unicast routing choices directly influence whether multicast packets are accepted or discarded. Reference topics: multicast RPF, PIM forwarding, loop prevention, outgoing interface list.

WAN Edge: traffic forwarding, security, encryption, QoS, and routing protocols; vSmart: distributes routes and policy information via OMP; vManage: centralized provisioning and simplified network changes; vBond: communication for devices behind NAT.

The Cisco SD-WAN component mapping follows the normal separation of management, control, orchestration, and data-plane roles. WAN Edge routers are the data-plane devices at branches, data centers, campuses, or cloud edges. They forward user traffic and apply routing, QoS, encryption, segmentation, and security services. vSmart controllers provide the centralized control plane and distribute reachability and policy information with OMP, including prefixes, TLOCs, and service routes. vManage is the management-plane system; it supplies centralized provisioning, device templates, policy configuration, software lifecycle functions, monitoring, and operational visibility. vBond operates as the orchestration-plane component, authenticating devices during onboarding and helping devices behind NAT discover and establish the correct secure control connections. This separation is critical in enterprise design because each component has different redundancy, reachability, and scale requirements. The architect should not blur vManage and vSmart roles: vManage configures and monitors, while vSmart computes and distributes control policy. Reference topics: Cisco Catalyst SD-WAN architecture, WAN Edge data plane, vSmart OMP, vManage management plane, vBond orchestration.

is responsible for traffic forwarding, security, encryption, QoS,and routing protocols

distributes routes and policy information via OMP

enables centralized provisioning and simplifies network changes

enables the communication of devices that sit behind NAT

Bidirectional PIM is the correct multicast protocol for this many-to-many financial application. The question states that most multicast sources also receive multicast traffic and that the design must not use source trees. Cisco describes BIDIR-PIM as a multicast mode built for many-to-many applications that use a shared tree rooted at the rendezvous point and avoid per-source shortest-path trees. This reduces multicast state because routers do not maintain separate source/group state for every active sender. PIM Sparse Mode can start with a shared tree, but it can switch to source trees, which violates the stated requirement. PIM-SSM is explicitly source-specific and requires receiver knowledge of the source, so it is not appropriate for a many-to-many model where source trees are disallowed. MSDP is not a multicast forwarding mode; it is used for source discovery between PIM-SM domains. The option text contains a spelling error, but the intended answer is BIDIR-PIM. The architect should verify RP placement, Designated Forwarder behavior, group ranges, and whether the application can tolerate shared-tree forwarding rather than shortest-path source trees. Reference topics: BIDIR-PIM, many-to-many multicast, shared tree, source-tree avoidance, multicast scaling.

An open YANG model is the correct choice because the automation scope is multivendor and the workflow must be reusable across diverse routing and switching platforms. Native vendor models expose platform-specific details and are valuable when a feature is unique to one operating system, but they create code branching and operational inconsistency when many vendors and hardware families are in scope. The question also says the DR playbook will be adjusted in the future, which argues for a model that reduces redesign whenever a device vendor or platform changes. Open models, such as IETF or OpenConfig where supported, provide common schema structures for standard network functions and allow the microservice and controller integration to remain cleaner. A custom individualized model would increase development and maintenance burden, not reduce it, unless there is a very specific abstraction layer requirement. Using a single native vendor model cannot support the stated multivendor environment. The professional design is to use open models wherever coverage is sufficient, then fall back to native models only for unsupported platform-specific capabilities. Reference topics: YANG model selection, OpenConfig, IETF YANG, Cisco native YANG, multivendor automation.

The expected port state follows Rapid Spanning Tree Protocol role selection on equal-speed point-to-point links. With 802.1w, each non-root switch selects one root port based on the lowest path cost to the root bridge. Where there are redundant Layer 2 paths of equal speed, one side of a redundant segment must remain blocked as an alternate port to maintain a loop-free topology. Because all links are 1 Gbps, path cost is equal unless bridge priority, bridge ID, or port ID breaks the tie. The selected option identifies the port pair that becomes alternate blocking based on the root placement and tie-breakers shown in the exhibit. RSTP improves convergence compared with classic 802.1D by using proposal and agreement handshakes on point-to-point links, but it still blocks redundant paths when a pure Layer 2 loop exists. A design requiring all links to forward would need a routed access design, MEC, StackWise Virtual, VSS, or another loop-free multipath technology. Reference topics: RSTP, root port, designated port, alternate port, point-to-point links, Layer 2 loop prevention.

A major SaaS challenge is the lack of direct application and infrastructure control. With Software as a Service, the provider operates the application stack, platform, upgrades, and supporting infrastructure. The customer benefits from reduced maintenance burden and lower initial deployment cost, but gives up much of the direct control normally available with on-premises applications. This affects troubleshooting, change windows, performance visibility, customization, data residency controls, and integration with existing enterprise systems. Higher initial costs are usually not a SaaS characteristic; SaaS commonly shifts spending toward subscription operating expense. Client computer upgrades are not normally required in the same way as thick-client enterprise software. Data and application integration can be complex, but the option that best captures the core architectural challenge is reduced control over the application and infrastructure. Network architects must account for this by designing secure direct internet access, cloud monitoring, identity integration, and reliable paths to SaaS providers. Reference topics: SaaS architecture, cloud application control, enterprise cloud access, operational visibility, SD-WAN SaaS design.

R3 must be made an L1/L2 router so that it can connect the Level 1 area to the Level 2 backbone. IS-IS uses a two-level hierarchy. Level 1 routers know the topology inside their local area, Level 2 routers form the backbone between areas, and Level 1/Level 2 routers provide the boundary between the two. A proper IS-IS backbone cannot have isolated Level 1-only routers positioned between L1/L2 routers that need to exchange interarea reachability. If the link failure exposed an area-continuity problem, converting R3 to L1/L2 gives the area an appropriate attachment point to the backbone and restores interarea forwarding behavior. Making an unrelated router Level 1 or Level 2 only would not necessarily create the required boundary function. Simply making Area 0 L2-only is also not the focused fix if the topology still lacks a correct L1/L2 transition point. The design principle is straightforward: every Level 1 area must have a dependable L1/L2 router through which traffic can reach destinations outside the area. Reference topics: IS-IS Level 1, Level 2 backbone, L1/L2 routers, interarea reachability, hierarchical IGP design.

StackWise is the correct solution because the company needs more access ports while reusing the existing access-switch uplink capacity. Cisco StackWise allows multiple compatible Catalyst switches to operate as a single logical switching system, increasing access-port density without requiring each added switch to consume new uplink ports on the distribution layer. This fits the design constraint that the distribution switches have no available ports for additional uplinks, while current uplink bandwidth is not a bottleneck. VSS is normally used to combine two chassis-class switches into one logical system at the distribution or core layer; it is not the practical answer for expanding one floor’s access-port count from an existing access switch. EtherChannel aggregates physical links for bandwidth and redundancy, but it does not create additional access ports when no distribution ports are available. VDC is a Nexus virtualization construct and does not solve Catalyst access-port expansion. The correct operational design is to add a stack member and use the existing uplink design. Reference topics: Cisco StackWise, access-layer scalability, uplink preservation, Catalyst campus switching.

In a Cisco SD-Access fabric, DHCP relay design must account for the fact that endpoints can attach to different fabric edge nodes while using consistent anycast gateway behavior. DHCP Option 82 is important because it inserts relay-agent information that allows the DHCP infrastructure to identify where the DHCP request originated. This enables the correct address scope and policy context to be selected for the endpoint even when the gateway address is anycast across multiple fabric edges. Cisco SD-Access DHCP guidance emphasizes the use of relay information so centralized DHCP services can assign the correct address based on fabric location and endpoint context. DHCP relay is not simply enabled on border nodes, and subnets should not be stretched across fabric edges by placing DHCP servers on borders. DHCP servers do not require a special proprietary SD-Access extension in the sense described by the incorrect option; they use standard relay information such as Option 82. Therefore, the key design consideration is enabling DHCP Option 82 so the circuit information maps the request to the fabric node where it originated.

NETCONF: SSH-based; built to support candidate configuration. RESTCONF: HTTPS-based; lacks support for two-phase commit transactions.

NETCONF and RESTCONF both use YANG data models, but they use different transport and transaction behaviors. NETCONF is traditionally SSH-based and was designed as a network configuration protocol with datastore concepts such as running, startup, and candidate configuration where supported. The candidate datastore enables staged configuration changes and a commit workflow, which is useful for transactional network changes. RESTCONF exposes YANG-modeled resources through an HTTP-based REST interface, typically protected with HTTPS. It is simpler for web-style application integration because it uses familiar HTTP methods, URIs, and payload encodings such as XML or JSON. However, RESTCONF does not provide the same full two-phase commit transaction model associated with NETCONF candidate configuration workflows. Therefore, the correct mapping is that NETCONF is SSH-based and built to support candidate configuration, while RESTCONF is HTTPS-based and lacks support for two-phase commit transactions. In Cisco programmability design, NETCONF is often selected for robust configuration transactions, whereas RESTCONF is often selected for simpler API-driven integration.

Policing is the correct mechanism for managing traffic that exceeds the configured threshold. The application is UDP-based, inelastic, and sensitive to delay and jitter, so excess traffic should not be buffered and transmitted later. Cisco defines traffic policing as measuring traffic against a configured rate and applying an action such as transmit, drop, or remark when traffic conforms, exceeds, or violates the policy. In contrast, shaping buffers excess traffic and releases it later to smooth the output rate. That behavior is useful for TCP or provider handoff control, but it can add delay and jitter, which is harmful for inelastic real-time UDP flows. Scheduling has already been addressed by allocating bandwidth and assigning queues; it decides how queues are serviced, not how excess flows are constrained. Remarking changes packet markings but does not by itself enforce a traffic threshold. Therefore, policing is the appropriate QoS conditioning action for traffic above the configured limit. Reference topics: traffic policing, QoS conditioning, shaping versus policing, UDP real-time applications, delay and jitter control.

A single-homed enterprise that runs BGP with one ISP should advertise its assigned public prefix to the ISP and receive a default route from the ISP. Because there is only one upstream provider, the customer does not need the full Internet table to make path-selection decisions; all Internet destinations exit the same provider path. Receiving only a default route conserves memory and CPU on the CE router and simplifies operations. The customer must still originate its public prefix toward the ISP so the provider can advertise reachability to the Internet. The ISP should not be the originator of the customer-owned ARIN prefix toward the customer; it may advertise that prefix to the Internet after receiving it from the customer. Requesting the full BGP table or even a partial table adds unnecessary scale for a single-homed site. Advertising a default route to the ISP is also wrong because the ISP already owns upstream Internet reachability. Reference topics: single-homed BGP, CE-PE peering, default route, public prefix advertisement, Internet edge design.

DMVPN Phase 3 hub-and-spoke is the best design for this requirement. The customer wants secure dynamic site-to-site VPN connectivity for voice, video, and FTP, and also wants branches to communicate directly instead of hairpinning all traffic through headquarters. DMVPN supports dynamic spoke-to-spoke tunnels using multipoint GRE, NHRP, and IPsec protection. Phase 3 is more scalable than Phase 2 because the hub can send NHRP redirect messages and spokes can install shortcut routes, reducing the need for every spoke to maintain detailed next-hop information for every other spoke. That is important because the branch routers have limited memory. Phase 1 is hub-and-spoke only and does not provide dynamic spoke-to-spoke forwarding. A hierarchical Phase 3 design can be useful at very large scale, but the question describes a headquarters and remote branch design rather than multiple tiers of hubs. Phase 3 hub-and-spoke satisfies direct branch communication, security, and scale. Reference topics: DMVPN Phase 3, NHRP redirect, spoke-to-spoke tunnels, IPsec encryption, branch WAN scalability.

The required BGP address family is L2VPN EVPN. The design calls for VXLAN over a Layer 3 IPv4 fabric while preserving Layer 2 adjacency and allowing workload mobility between sites. EVPN is the BGP control plane used with VXLAN overlays to advertise MAC reachability, IP host information, and Ethernet segment information in a scalable way. It separates the Layer 2 and Layer 3 overlay control plane from the underlay IGP, which in this case is OSPF. VPNv4 is used for MPLS Layer 3 VPN routes, not VXLAN Layer 2 adjacency. IPv4 unicast advertises ordinary IP prefixes and does not carry MAC mobility or Ethernet VPN information. L2VPN VPLS or VPWS address families are associated with MPLS-based Layer 2 VPN services and do not provide the VXLAN EVPN control-plane model required here. EVPN is therefore the correct family for VXLAN fabrics that need host mobility and scalable Layer 2 extension. Reference topics: BGP EVPN, VXLAN, L2VPN EVPN address family, MAC reachability, workload mobility.

The drag-and-drop mapping is based on how Cisco differentiates YANG model families used for model-driven programmability. IETF models are standards-based and are intended for broad interoperability across vendors. They are the usual choice when the design priority is a consistent baseline for multivendor configuration or operational state. OpenConfig models are also vendor-neutral, but they are developed by the OpenConfig community and often provide an operationally consistent structure for telemetry and configuration across platforms. Cisco native models are vendor-specific models that expose detailed Cisco IOS XE, IOS XR, or NX-OS features, including capabilities that may not be represented in IETF or OpenConfig models. The design choice is therefore not simply “one model is always best.” It depends on whether the requirement prioritizes portability, abstraction, or complete Cisco feature coverage. For a standards-driven multivendor design, use IETF or OpenConfig where sufficient. For Cisco-specific device features, use Cisco native models. Reference topics: YANG models, IETF models, OpenConfig, Cisco native models, NETCONF/RESTCONF programmability.

The best design is the option that prefers ISP-1 for both outbound and inbound traffic while keeping ISP-2 available as a backup. For outbound traffic from the enterprise, local preference is the correct BGP attribute because it is evaluated inside the local AS and higher local preference wins. R1 should assign a high local preference to routes learned from ISP-1, while R2 should assign a low local preference to routes learned from ISP-2. For inbound traffic from the Internet toward the enterprise, AS-path prepending is the practical signal sent to external networks. Advertising routes to ISP-1 with no prepending and routes to ISP-2 with five prepends makes the ISP-1 path look shorter and therefore more attractive. The R1-to-R2 internal advertisements should not be blocked by NO-ADVERTISE because each edge router must still share reachability internally for failover. Option B matches these controls without unnecessarily suppressing routes between the edge routers. Reference topics: BGP local preference, AS-path prepending, active/backup Internet design, inbound and outbound path control.

Redundancy for Cisco vBond Orchestrators is normally achieved by mapping the IP addresses of multiple vBond instances to a single DNS name. WAN Edge devices use the configured organization name and vBond DNS name during onboarding to resolve and contact an available orchestrator. This design allows several vBond nodes to be deployed across different locations or availability zones while giving the edge device a consistent bootstrap target. If one vBond is unavailable, DNS resolution can return another reachable vBond address, allowing control-connection orchestration to continue. Selecting only the closest vBond is not the redundancy mechanism described here, and deploying a single vBond creates an avoidable single point of failure. The answer that says WAN Edge routers are configured with all orchestrators by IP address and priority does not represent the common DNS-based design model. In production, the DNS record, certificates, firewall policy, NAT behavior, and controller reachability should all be validated so that WAN Edge devices can reach multiple vBond instances during onboarding and after failures. Reference topics: Cisco SD-WAN controller redundancy, vBond DNS, device onboarding, orchestration availability.

DMVPN is preferred over individually configured point-to-point IPsec tunnels when a company has many branches because it scales the overlay more efficiently. A traditional IPsec tunnel design requires manual or template-based tunnel definitions for every required site-to-site relationship. As branches increase, tunnel count, configuration complexity, and operational overhead grow quickly. Cisco DMVPN combines multipoint GRE, NHRP, and IPsec so spokes can register with the hub and dynamically discover next-hop information for other spokes. This supports a hub-and-spoke control model while allowing dynamic spoke-to-spoke data tunnels when branch-to-branch traffic is required. That is why greater scalability and dynamic spoke-to-spoke tunnel creation are the two design advantages. AES-256 encryption is not unique to DMVPN because normal IPsec can also use strong encryption. Anycast gateway is unrelated to DMVPN WAN overlay design. Lower traffic overhead is not the best answer because DMVPN adds mGRE, NHRP, and IPsec encapsulation overhead; its advantage is operational scalability and dynamic tunnel establishment.

STP loop guard is the correct protection feature. Cisco defines loop guard as a spanning-tree enhancement that prevents alternate or root ports from incorrectly becoming designated forwarding ports when expected BPDUs are no longer received. That failure mode is exactly what the question describes: an alternate or root port intermittently transitions to a designated role and creates a Layer 2 loop. With loop guard enabled, the port is placed into a loop-inconsistent blocking state until BPDUs are received again, so the topology remains protected. PortFast BPDU guard is intended for edge ports connected to end hosts and shuts a PortFast port when BPDUs appear; it is not the correct uplink/root-port protection. UDLD can detect unidirectional links, but it does not specifically enforce STP role consistency. Root guard prevents superior BPDUs from changing root placement, which is a different problem. Reference topics: STP loop guard, alternate and root ports, BPDU loss, loop-inconsistent state, Layer 2 loop prevention.

The strict-priority queue should be limited to approximately 33 Mbps on a 100 Mbps Internet connection. Cisco QoS design guidance warns that strict priority traffic must be bounded, because excessive priority traffic can starve other queues and cause poor application performance for non-real-time traffic. For voice and interactive video, priority queuing is appropriate, but the priority class should normally be constrained to about one-third of the link capacity in a converged enterprise design. That makes 33 Mbps the best choice for a 100 Mbps link. A 75 Mbps strict-priority allocation is far too high and would leave inadequate bandwidth for routing, signaling, business data, and default traffic. A 50 Mbps allocation still gives real-time media excessive control of the interface. A 25 Mbps allocation may work in some environments but is not the standard upper-limit design answer for strict priority in this Cisco context. The architect should also classify TelePresence accurately, mark traffic consistently, and police the priority queue to protect the WAN. Reference topics: LLQ, CBWFQ, strict priority limits, TelePresence QoS, WAN congestion management.

The branch router should advertise the local LAN with the EIGRP network command and make the LAN-facing interface passive. A passive interface allows the connected network to be included in EIGRP advertisements while suppressing EIGRP hello packets and neighbor formation on that interface. This is exactly what the engineer needs: remote EIGRP neighbors learn the LAN subnet, but unnecessary multicast EIGRP messages are not sent onto the user LAN where no EIGRP neighbors should exist. Replacing EIGRP with a static default route would not meet the requirement to advertise the local LAN through EIGRP. Redistributing connected routes can work, but it is less clean for a simple LAN interface and can introduce external-route behavior or policy complexity. Advertising the subnet as a stub network does not suppress multicast hellos on the LAN interface by itself. Cisco design best practice is to use passive interfaces on LAN-facing interfaces that should be advertised but should not form routing adjacencies. Reference topics: EIGRP passive interface, network statements, branch routing, unnecessary neighbor prevention, multicast control traffic.

For point-to-point telepresence, asymmetric routing can create delay variation, packet reordering, and troubleshooting complexity. The design requirement is to make egress and ingress flows follow the same path. In the topology, the best way to steer traffic away from the less desirable return path is to configure a higher metric on the router in area 4 so OSPF path selection favors the symmetric path. OSPF chooses paths based on cumulative cost, and increasing the cost on the unwanted path makes the preferred path more attractive without removing redundancy. Route leaking on the routers in area 1 or area 2 would introduce additional interarea route visibility but would not necessarily solve the asymmetric flow problem. A route filter in area 4 could remove reachability or create suboptimal failure behavior rather than simply preferring the right path. Raising the metric is a cleaner design technique because it preserves backup reachability while influencing normal forwarding. Reference topics: OSPF cost design, symmetric routing, telepresence traffic, interarea path optimization, metric engineering.

The drag-and-drop answer follows the practical distinction between the YANG model families. IETF models are standards-based models intended to provide a common structure for widely implemented protocol and interface functions. OpenConfig models are vendor-neutral operational and configuration models developed for cross-vendor automation, with a strong focus on consistent telemetry and network state representation. Cisco native models expose Cisco platform-specific capabilities and usually provide the deepest coverage for IOS XE, IOS XR, or NX-OS features that are not fully represented in a common model. The selected mapping therefore assigns model elements according to origin, portability, and feature depth. In a production automation design, engineers should start with open models when interoperability and long-term portability matter, but they should choose Cisco native models when a required Cisco feature is not available or is incomplete in IETF or OpenConfig. The choice is not cosmetic; it affects payload structure, namespace, validation behavior, and operational consistency across device families. Reference topics: YANG model families, IETF YANG, OpenConfig, Cisco native YANG, model-driven configuration.

PIM-SSM with IGMPv3 is the correct multicast design. Source-Specific Multicast requires receivers to identify both the multicast group and the permitted source, normally through IGMPv3 membership reports. That source-specific join model prevents unauthorized or spoofed sources from injecting traffic into the group because receivers do not simply accept traffic from any source for a group address. It also improves bandwidth efficiency because the network builds forwarding state only for the requested source and group pair, without requiring shared trees or rendezvous point discovery. PIM-SM with MSDP can interconnect multicast domains, but it is built around Any-Source Multicast behavior and does not provide the same source-specific anti-spoofing property. IGMPv2 cannot signal source-specific joins, which is why IGMPv3 is required for SSM. Since the network may merge with another multicast domain later, SSM also reduces integration complexity by avoiding RP and MSDP dependencies. Therefore, PIM-SSM and IGMPv3 meet both the security and efficiency requirements. Reference topics: PIM-SSM, IGMPv3, source-specific joins, multicast security, bandwidth efficiency.

The Cisco SD-Access control-plane node provides the host tracking database and map-server function. SD-Access uses LISP-based control-plane behavior to separate endpoint identity from endpoint location. Fabric edge nodes register endpoints with the control-plane node, and the control-plane node maintains the endpoint-to-location database. When a fabric node needs to forward traffic to an endpoint, it queries the control-plane node so the destination endpoint can be resolved to the correct fabric location. In LISP terminology, this maps to the map-server and map-resolver role, while the SD-Access design discussion often refers to the endpoint database or host tracking database. The control-plane node does not enforce policy mapping by itself; policy is integrated with Cisco ISE and applied through scalable group policy in the fabric. It also does not function as a proxy ETR in this option set. Endpoint registration is initiated by the edge nodes, which detect local endpoints and inform the control plane. Therefore, host tracking database and map server are the correct functions. Reference topics: SD-Access control plane, LISP map server, host tracking database, EID-to-RLOC mapping.

OpenConfig separates intended configuration from operational state by using separate config and state containers, while many IETF and Cisco native models use a single hierarchy for configuration and operational data or expose operational data differently. This distinction is important in automation because the client must know whether it is writing desired configuration or reading actual device state. OpenConfig’s structure was designed to provide consistent multivendor modeling, with configuration data placed under config containers and observed state under state containers. Cisco native models tend to mirror the Cisco device CLI and feature hierarchy more closely, while IETF models focus on standards-based interoperability. Option B correctly states the contrast presented in the question. Option A reverses the relationship. Option C incorrectly assigns split containers to IETF and native models. Option D incorrectly isolates Cisco native models as the only split-container style. Reference topics: YANG model structure, OpenConfig config and state containers, IETF YANG, Cisco native models, network automation data modeling.

EIGRP with stub routing and variance is the best fit for Cisco-only DMVPN branches with unequal Internet link speeds and limited branch resources. EIGRP works well over DMVPN because it supports hub-and-spoke designs, unequal-cost load balancing, and simple branch optimization through stub routing. Stub branches limit query propagation and reduce CPU, memory, and bandwidth consumption on small routers. Variance allows EIGRP to use feasible unequal-cost paths, which is important when one Internet connection is 10 Mbps and the other is 100 Mbps. OSPF can run over DMVPN, but virtual links are not an appropriate branch design and OSPF is less efficient in this specific Cisco-only unequal-bandwidth scenario. IS-IS is not commonly selected for small DMVPN branch overlays. iBGP with route reflectors can scale, but it does not inherently use link utilization and unequal metric behavior as cleanly as EIGRP variance for this requirement. Reference topics: EIGRP over DMVPN, stub routing, variance, unequal-cost load balancing, branch resource optimization.

The IPv4 network 172.16.10.0/24 maps to 2001:db8:abcd::ac10:a00/120 when the IPv4 address is placed into the lowest significant bits of the IPv6 address. The calculation converts each IPv4 octet into hexadecimal: 172 is AC, 16 is 10, 10 is 0A, and 0 is 00. Combining those bytes gives AC10:0A00, displayed in IPv6 notation as ac10:a00. Because a /24 IPv4 network has 8 host bits, the mapped IPv6 network leaves the same 8 host bits, resulting in a /120 IPv6 prefix. Option B incorrectly places decimal IPv4 octets into separate IPv6 hextets and uses /96, which represents a much larger mapping block than the /24 network. Option C does not represent 172.16.10.0 in hexadecimal. Option D changes the higher-order IPv6 prefix and does not match the supplied address plan. The correct address therefore preserves the planned IPv6 prefix and embeds the IPv4 network in the low-order bits. Reference topics: IPv4-to-IPv6 address mapping, hexadecimal conversion, IPv6 prefix length, migration addressing plans.

The correct design is to deploy the application in both data centers, advertise the application prefix from DC1 as a /32, and advertise a broader /24 from DC2. This uses longest-prefix-match behavior to create deterministic primary and backup routing. Cisco routing logic prefers the most specific matching route in the routing table, regardless of administrative distance or metric comparisons among less specific covering routes. As long as the DC1 /32 is present, traffic for that exact application address follows DC1. If DC1, its edge path, or the /32 advertisement fails, the /32 is withdrawn and the remaining /24 covering route from DC2 provides backup reachability. Advertising the same prefix from both locations may result in load sharing or provider-dependent selection, which does not guarantee DC1 primary behavior. IP SLA could be used in some route-tracking designs, but the clean routing solution tested here is prefix specificity. Reference topics: longest-prefix match, BGP advertisement, active/standby data center routing, covering routes, route failover.

The Cisco SD-Access underlay provides the physical and IP transport foundation that allows fabric nodes to reach each other. In plain terms, it is the routed connectivity built from the switches, routers, links, and loopback reachability that the overlay depends on. Cisco SD-Access then uses the overlay to provide virtualization, segmentation, policy, and endpoint mobility on top of that transport. This is why the underlay is best described as establishing the connectivity between the switches and routers that form the fabric. Option A describes the abstraction performed by the overlay, not the underlay. Option B is closer to a Layer 2 tunneling description and is not the main purpose of the SD-Access underlay. Option D describes encapsulated overlay behavior, especially VXLAN-based data-plane transport, not the physical/routed foundation itself. A good SD-Access design validates underlay reachability, routing adjacencies, MTU, loopback advertisement, and redundancy before onboarding the overlay services. Without a stable underlay, LISP control-plane mappings and VXLAN data-plane forwarding cannot operate predictably. Reference topics: SD-Access underlay, routed campus foundation, fabric node reachability, overlay dependency.

Cisco SD-WAN uses the vSmart controller as the control-plane component that distributes the information needed for secure data-plane tunnel establishment. Before WAN Edge devices build full-mesh IPsec tunnels, they must learn reachability and security information through the SD-WAN control plane. Cisco documentation describes the vSmart controller as the centralized control-plane element that exchanges OMP routes, policy, TLOC information, and security parameters with WAN Edge routers. In the traditional SD-WAN key-exchange model, vSmart sends IPsec encryption keys to edge devices so the data plane can be secured without each edge independently negotiating IKEv2 with every other edge. vManage is the management platform and is not the key exchange point. vBond performs orchestration, authentication assistance, and NAT traversal during onboarding, but it is not the data-plane key server. IKEv2 may be used in specific newer or configured security models, but the typical Cisco SD-WAN overlay relies on vSmart for scalable key distribution. Reference topics: Cisco SD-WAN control plane, vSmart, OMP, IPsec key distribution, WAN Edge security.

Cisco SD-WAN uses Path MTU Discovery to avoid fragmentation problems across the overlay. SD-WAN traffic is encapsulated and encrypted, which adds overhead beyond the original packet size. If the effective path MTU is smaller than the encapsulated packet, fragmentation or packet loss can occur, especially when the DF bit is set or when intermediate devices block fragmentation-related ICMP messages. PMTUD allows devices to discover the largest packet size that can traverse the path without fragmentation and adjust forwarding behavior accordingly. Marking traffic with DF alone does not solve the issue; it may expose the problem by causing packets to be dropped when too large. Jumbo frames are not a universal WAN solution because service-provider, Internet, and broadband paths often do not support them consistently. Configuring every access circuit with a fixed 1600-byte MTU is not a reliable design assumption. The correct design is to rely on PMTUD and validate tunnel overhead, device MTU, TCP MSS adjustment where needed, and ICMP handling across transports. Reference topics: Cisco SD-WAN MTU, PMTUD, tunnel overhead, fragmentation avoidance, IPsec encapsulation.

An SD-Access intermediate node routes and transports IP traffic between fabric nodes. It is part of the underlay transport path, comparable to a routed distribution or core device that provides IP reachability between edge, border, and control-plane nodes. Intermediate nodes do not perform endpoint registration, VXLAN encapsulation for attached users, virtual-network mapping, or anycast gateway services. Those functions belong primarily to fabric edge nodes. They also do not act as LISP proxy tunnel routers, which is a border-node function used for communication between the fabric and external networks. The intermediate node’s role is deliberately simple: maintain underlay routing, provide resilient transport, and forward encapsulated traffic across the fabric infrastructure. This separation of roles is what lets Cisco SD-Access scale by keeping endpoint intelligence at the edge and mapping intelligence in the control plane while the intermediate layer remains a stable IP transport network. Reference topics: SD-Access intermediate node, routed underlay, IP transport, fabric roles, edge and border node separation.

GRE over IPsec is the correct secure tunneling choice when multicast traffic must cross a public network. Native IPsec protects unicast IP traffic, but it does not inherently carry multicast routing protocols or multicast application flows in the same way that GRE can. GRE creates a logical point-to-point tunnel that can encapsulate multicast, broadcast, and non-IP payloads; IPsec then encrypts the GRE packet for confidentiality and integrity across the untrusted transport. Cisco designs commonly use this combination when dynamic routing protocols, multicast applications, or other non-unicast traffic must be transported securely between sites. GRE by itself supports multicast, but it does not provide encryption, so it fails the secure tunneling requirement. PPTP is obsolete and not appropriate for modern enterprise design. Plain IPsec is secure, but it is not the complete answer when multicast support is explicitly required. Therefore, the design should use GRE over IPsec: GRE supplies the multicast-capable overlay, and IPsec supplies the cryptographic protection across the public network.

The VRF receive feature is the mechanism that fits the constraint when the customer does not want BGP, VRF-Lite links, or static routing for the inter-VRF requirement. Inter-VRF connectivity is normally achieved through route leaking with MP-BGP, static routes, firewall interfaces in each VRF, or VRF-Lite handoff links. The question explicitly excludes those common approaches and asks for a mechanism on the core network layer. The VRF receive capability allows selected traffic received on a global routing interface to be associated with a VRF context for locally configured addresses, supporting limited interaction without building a full routing exchange between the global table and the VRF. Policy-based routing with a global set statement can solve some forwarding cases, but it is not the specific mechanism described by the option set. A route map with import features would typically depend on route leaking behavior. Therefore, the best answer is the VRF receive feature under the global routing interfaces. Reference topics: VRF, inter-VRF routing, VRF receive, route leaking alternatives, core-layer segmentation.

The most efficient campus design aligns the active first-hop gateway with the Layer 2 forwarding path. In a traditional access-distribution topology using STP and HSRP, traffic should not cross the distribution-to-distribution link simply because the HSRP active gateway is on the opposite distribution switch from the STP forwarding path. Cisco campus design guidance stresses aligning the STP root bridge with the active FHRP gateway so hosts forward northbound traffic directly to the distribution switch that owns the optimal Layer 2 path. Reconfiguring distribution switch A to become the HSRP active device fixes the asymmetric and inefficient traffic flow in the exhibit. Adding a link between access switches would extend the Layer 2 domain and increase loop-prevention complexity, not improve the northbound default-gateway path. Changing the distribution interconnect to a routed link may be valid in a routed-access redesign, but it is not the targeted correction for this Layer 2/FHRP misalignment. An EtherChannel between distribution switches only increases interswitch capacity; it does not remove the unnecessary hairpin path caused by the wrong active gateway.

The VPN drag-and-drop answer distinguishes Layer 2 VPN, Layer 3 VPN, and encrypted overlay VPN behavior. VPWS provides a point-to-point Layer 2 service, while VPLS provides multipoint Layer 2 Ethernet service across a provider core. MPLS Layer 3 VPN provides routed private WAN connectivity with provider-managed VPN routing and forwarding separation. GRE and DMVPN are overlay technologies that can carry multicast and dynamic routing protocols; DMVPN adds NHRP and multipoint GRE to scale hub-and-spoke and spoke-to-spoke designs. IPsec provides encryption and integrity for traffic over untrusted transport, but native policy-based IPsec does not carry multicast without an additional overlay such as GRE. GET VPN encrypts traffic across a private routed WAN without building permanent point-to-point tunnels and is often used where multicast and dynamic routing should remain visible to the transport. The selected mapping aligns each VPN type with its forwarding model, scale characteristics, and encryption behavior. In design, the correct VPN choice depends on whether the requirement is Layer 2 extension, routed private connectivity, dynamic spoke-to-spoke tunnels, or private WAN encryption. Reference topics: VPN design, VPLS, VPWS, DMVPN, IPsec, GET VPN.

The SD-Access control-plane node maintains the endpoint database and resolves mappings between endpoints and the fabric edge nodes where those endpoints are located. Cisco SD-Access uses LISP in the fabric control plane. Edge nodes register endpoint identifiers with the control-plane node, and other fabric nodes query the control plane when they need to locate a destination endpoint. This control-plane function is commonly described through LISP Map-Server and Map-Resolver behavior. Option B is not correct because endpoint detection occurs at the edge node, not at the control-plane node. The edge is the device connected to users, access points, or endpoint-facing networks, so it learns local endpoint presence and registers that information. Option C refers to authentication and identity, which is integrated with Cisco ISE. Option D describes the border-node role, because border nodes connect the fabric to external networks. The corrected answer is therefore A. A stable SD-Access design must provide redundant control-plane reachability and scale the control-plane role according to fabric size, mobility, and endpoint churn. Reference topics: SD-Access control plane, LISP Map-Server, LISP Map-Resolver, endpoint-to-location mapping.

Network management traffic should be marked and treated as a dedicated operations class, not mixed into voice signaling or real-time queues. Cisco enterprise QoS design guidance commonly reserves DSCP CS2 for operations, administration, and management traffic such as SNMP, SSH, syslog, NTP, and other management flows. The question states that all eight queuing classes are already used, so the design should integrate management traffic into the closest existing class and validate that the queue has enough bandwidth. Option D is the best fit because it uses CS2 and requires baselining before allocating more bandwidth. CS6 is normally used for network control and routing protocols; using it for ordinary management traffic would compete with routing adjacencies and control-plane stability. CS5 and CS4 are also unsuitable because they are normally associated with video/signaling-related classes in many enterprise QoS models. The professional design action is to classify management traffic explicitly, mark it CS2 at the trust boundary, map it to the existing class, and then measure queue utilization before changing bandwidth allocations. Reference topics: Cisco QoS baseline, DSCP CS2, network management traffic, queue bandwidth design.

Bidirectional PIM is the multicast protocol mode designed for many-to-many applications where many receivers may also act as sources. In traditional PIM Sparse Mode, multicast forwarding can use shared trees through an RP and source-specific shortest-path trees. As the number of sources grows, maintaining source-specific state can increase routing table and control-plane scale requirements. BIDIR-PIM avoids source trees by using a shared bidirectional tree rooted at the rendezvous point address. Traffic from sources and traffic toward receivers uses the shared tree, which allows the multicast group to scale to a large number of sources without creating per-source state in the network. This aligns directly with the requirement that most multicast sources also receive multicast traffic and that source trees must not be used. PIM-SSM explicitly uses source-specific forwarding and requires receivers to know the source. PIM-SM may switch to source trees depending on behavior and policy. MSDP is used to exchange source information between PIM-SM domains, not to replace source trees inside one domain. Therefore, BIDIR-PIM is the correct design choice.

For a standards-driven YANG model in a multivendor environment, the engineer should choose IETF models. IETF YANG models are produced through the Internet Engineering Task Force standards process and define vendor-neutral data structures for common network functions. This makes them the best answer when the requirement emphasizes standards-based operation across multiple vendors. OpenConfig models are also vendor-neutral and widely used for operational consistency, but OpenConfig is an operator-driven model set rather than an IETF standards body output. Cisco native models expose platform-specific Cisco IOS XE, NX-OS, or IOS XR features and often provide the most complete coverage for Cisco-specific capabilities, but they are not intended as the primary multivendor standard model. IEEE NETCONF is not the correct model category; NETCONF is a protocol, and IEEE is not the YANG model set normally selected for general device configuration in this context. In Cisco automation design, the model choice should match the use case: IETF for standards-driven multivendor workflows, OpenConfig for operator-neutral abstractions, and native models for vendor-specific feature completeness.

The correct IS-IS hierarchy places area 49.000 as Level 2 and areas 49.001, 49.002, and 49.003 as Level 1. In IS-IS, Level 2 forms the interarea backbone, while Level 1 areas contain local topology details. This design supports growth in the backbone because Level 2 routers exchange interarea reachability without carrying every local topology change from every access area. Areas 49.002 and 49.003 can perform summarization and route leaking at their Level 1/Level 2 boundaries, allowing routers such as A1 and A2 to avoid suboptimal routing by learning selected more-specific routes from the backbone when necessary. If the nonbackbone areas were made Level 2, the design would flatten the hierarchy and expose more of the network to topology changes. If the backbone were Level 1, interarea routing would be broken or badly constrained. The selected hierarchy preserves scaling, allows route control, and avoids unnecessary propagation of local link flaps. Reference topics: IS-IS hierarchy, Level 1 areas, Level 2 backbone, route leaking, summarization, scaling.

MSDP is the correct feature when multicast receivers in one autonomous system must be able to learn and receive content from sources in another autonomous system. The scenario describes separate multicast frameworks close to the receivers in each AS and requires source resiliency across AS boundaries. In PIM Sparse Mode, a local RP learns about sources registered in its own domain. MSDP allows RPs in different domains to exchange Source-Active information, enabling receivers in one domain to discover and join toward sources that exist in another domain. Anycast RP is primarily a redundancy and load-sharing technique for RPs, often inside a multicast domain, but it does not by itself provide interdomain source discovery for independent ASs. SSM can be efficient when receivers know the source, but the question emphasizes RP-based framework placement and source availability between ASs. BIDIR-PIM is for scalable many-to-many shared-tree forwarding, not interdomain source discovery. Therefore, the design should include MSDP. Reference topics: MSDP, interdomain multicast, PIM-SM, Source-Active exchange, RP resilience across autonomous systems.

The Cisco SD-Access data plane is based on VXLAN. Cisco SD-Access separates the fabric into functional planes: the underlay provides IP reachability, the control plane uses LISP to map endpoints to locations, and the data plane uses VXLAN encapsulation to carry user traffic across the routed underlay. VXLAN allows the fabric edge node to encapsulate endpoint traffic and forward it through the fabric while preserving virtual network and segmentation information. This is what enables SD-Access to provide Layer 2 and Layer 3 overlay services over a Layer 3 routed transport. OMP is the control-plane protocol for Cisco SD-WAN, not SD-Access. NHRP is associated with DMVPN tunnel resolution. LISP is essential in SD-Access, but its role is endpoint ID to routing locator mapping, not packet encapsulation in the data plane. Therefore, VXLAN is the correct protocol for the SD-Access data plane. Reference topics: SD-Access fabric, VXLAN data plane, LISP control plane, overlay encapsulation, routed underlay.

Bandwidth percentage with policing is the correct QoS approach. The requirement has two separate parts: each subnet must receive a minimum share during congestion, and no subnet should introduce delay into download traffic. Bandwidth percentage is used to allocate a minimum bandwidth guarantee among classes during congestion while still allowing a class to use unused bandwidth when other classes are idle. Policing enforces a rate by dropping or remarking excess traffic rather than buffering it. That behavior is important because the question explicitly says download traffic must never experience delay. Shaping would be wrong because shaping buffers excess packets and transmits them later, which intentionally adds delay. Rate- limiting is a broad term, but when the design choice offers policing explicitly, policing is the precise mechanism that matches the no-delay requirement. A parent or class policy can reserve 25 percent per subnet on a 40 Mbps service, giving each subnet 10 Mbps during congestion while unused bandwidth remains available. Reference topics: CBWFQ bandwidth percent, traffic policing, shaping versus policing, Internet edge QoS, congestion management.

For in-band management over the production WAN, the proper marking is DSCP CS2 mapped into the management or operations class with a minimum bandwidth guarantee. Cisco enterprise QoS guidance separates network control traffic from network management traffic. Routing protocol and control-plane traffic should not be diluted by ordinary management flows. CS6 is typically reserved for routing and network-control traffic; EF is reserved for low-latency voice bearer traffic; CS1 is commonly used for scavenger or low-priority traffic. Network management flows such as SSH, SNMP, NTP, FTP-based maintenance, and syslog require reliable delivery, but they should not starve business traffic or real-time services. Therefore, marking with CS2 and mapping the traffic into Class2 is the correct design choice. The bandwidth adjustment should come from a lower-priority class, not from the routing/control or real-time class. Because this is in-band management, the architect must also ensure access control, source restrictions, AAA, logging, and management-plane protection. QoS classification alone does not secure management access; it only gives the traffic an appropriate forwarding treatment over the MPLS WAN. Reference topics: in-band management, DSCP CS2, enterprise QoS classes, management-plane traffic.

L2VPN is the correct technology because the requirement is for two remote offices to share a common broadcast domain across a private WAN with minimal overhead. A Layer 2 VPN service extends Ethernet or VLAN connectivity between customer sites while keeping the customer routing design independent of the provider core. From the customer perspective, the two sites can appear to be on the same Layer 2 segment, which satisfies the shared broadcast-domain requirement. GET VPN, IPsec, and GRE are Layer 3-oriented technologies. They can connect sites securely or provide tunneling, but they do not natively create a common Layer 2 broadcast domain between the offices. GRE also adds additional encapsulation overhead, and IPsec alone generally provides encrypted routed connectivity rather than an Ethernet service. For a simple direct logical path over a private WAN, an L2VPN service such as VPWS or VPLS is the appropriate design family. Reference topics: L2VPN, VPWS, VPLS, Ethernet WAN services, broadcast-domain extension, private WAN connectivity.

The scalable EIGRP hub-and-spoke design should make each spoke a stub router and summarize routes from the spokes toward the hubs. Cisco EIGRP documentation states that stub routing improves network stability, reduces resource utilization, and simplifies branch or edge router configuration. Stub spokes limit the routes they advertise and prevent the hub routers from sending unnecessary queries through remote sites. Summarizing spoke routes toward the hubs further reduces routing-table size and contains convergence events when a subnet fails behind a spoke. Exchanging all routes between every location would increase memory, CPU, and query scope, which is the opposite of good EIGRP scale design. Summarizing only between the hubs may be useful in a dual-data-center design, but it does not solve the spoke scaling requirement. Splitting the network into two autonomous systems is unnecessary when the requirement states that all locations belong to a single AS. Reference topics: EIGRP hub-and-spoke design, stub routing, route summarization, query scope reduction, branch scale.

VRRP advertisements are sent by the current master router and include priority information used by the backup routers to evaluate mastership. In VRRP, the master is the router actively forwarding for the virtual IP address. Backups listen for advertisements; if advertisements stop, the backup with the highest effective priority can become master. This is why the statement that advertisements are sent only from the master router is correct. The advertisement also carries priority information, which is used in election behavior and failover decisions. Standby or backup routers do not normally send VRRP advertisements while a master is active, so option A is incorrect. The default advertisement interval is not three seconds in standard VRRP behavior; three seconds is commonly associated with other first-hop redundancy defaults such as HSRP hellos. Although timer fields exist in protocol operation, the exam focus here is the master-only advertisement behavior and the priority carried in those advertisements. In campus gateway redundancy design, VRRP advertisements must be protected from loss or filtering because missed advertisements can cause unnecessary master transitions.

When eBGP neighbors share the same autonomous system number, normal BGP loop-prevention behavior can block route acceptance because the receiving router sees its own AS in the AS_PATH. Two BGP features address this design condition. The allow-as-in feature permits a BGP router to accept routes even when its own AS appears in the AS_PATH a configured number of times. This is often used in dual-homed or migration designs where the same customer AS appears at multiple sites. The as-override feature is typically used by a provider edge router to replace the customer AS in the AS_PATH with the provider AS before advertising the route to another customer site that uses the same AS. Together, these features allow successful route exchange in same-AS eBGP scenarios while preserving loop-prevention intent through controlled policy. Advertise-best-external influences advertisement of best external paths and does not solve same-AS rejection. Bestpath as-path ignore affects path selection, not route acceptance. Client-to-client reflection is an iBGP route-reflector behavior, not an eBGP same-AS solution.

Summarization on routers A and C is the correct design because the requirement is to keep failures of the listed access networks from impacting the core while still supporting fast convergence in both access and core. Route summarization creates an aggregation boundary: more-specific access routes can flap behind the summary without causing the core to learn and withdraw every individual prefix. Cisco hierarchical routing design uses summarization at distribution or aggregation boundaries to reduce routing-table size, contain convergence events, and protect the core from access-layer instability. Adding another aggregation layer may be appropriate in some large designs, but it is not necessary when the question asks for the mechanism that stops specific prefix failures from impacting the core. Graceful restart protects forwarding during control-plane restart events, not ordinary access-prefix failures. FRR provides fast reroute for link or node failures but does not hide individual connected-network changes from the core. Summarizing at routers A and C directly addresses the stated networks and reduces the query, LSA, or update impact depending on the routing protocol used. Reference topics: route summarization, hierarchical routing, convergence containment, core protection, prefix aggregation.