300-540 Questions and Answers

Comprehensive and Detailed Explanation

AWSSecurity Groupsact as the primary stateful firewalls for EC2 instances.

To restrict SSH (TCP/22) to a single host (20.20.20.20/32), aSecurity Groupmust be configured with:

Inbound rule: TCP 22

Source: 20.20.20.20/32

ACLs operate at the subnet level but are not used for instance-specific SSH restrictions.

WAF controls HTTP/HTTPS traffic, not SSH.

Resource groups only organize cloud assets.

Thus,Bis the correct solution.

In a BGP EVPN VXLAN multi-homing design, Ethernet Segment Identifiers (ESIs) are used to represent a set of links from one or more leaf switches to the same downstream device (such as a CE, firewall, or aggregation switch). By default, when multiple leafs share the same ESI, the EVPN design supportsall-activeredundancy, where all participating leafs can forward traffic for that Ethernet segment simultaneously.

However, some use cases—like connecting to devices that do not support multipath forwarding or for strict active/standby redundancy—requiresingle-activemulti-homing. In single-active mode, only one leaf in the Ethernet segment forwards traffic at any time; the other leaf(s) act as standby and only take over if the active node fails. This behavior is explicitly controlled in the EVPN Ethernet-segment configuration.

On Cisco platforms for EVPN VXLAN fabrics, this is configured under thel2vpn evpn ethernet-segmentstanza using the command:

l2vpn evpn ethernet-segment 1

identifier type 0 01.01.01.10.10.10.10.10.10.10

redundancy single-active

identifier type 0 ... defines the ESI for the multi-homed connection.

redundancy single-active specifies that only one leaf in that ESI is allowed to be active at a time, thus enablingdual-homing with single-active redundancy.

The other options do not relate to Ethernet-segment redundancy mode:

B. default-gateway advertiseis used in EVPN anycast gateway configurations to advertise the default gateway MAC/IP, not for ESI redundancy.

C. replication-type staticis associated with multicast or ingress replication behavior for VXLAN VTEPs, not Ethernet-segment redundancy.

D. vlan configuration 101is a VLAN configuration context command and has no effect on EVPN ESI redundancy.

Comprehensive and Detailed Explanation From Cisco SP Core Optimization Knowledge

Cisco IOS supportsBGP Multipathfor installing multiple equal-cost BGP routes (both iBGP and eBGP) into the routing table. The correct global BGP command syntax to set the number of allowable parallel BGP paths is:

maximum-paths

For BGP specifically, the form is:

maximum-paths bgp

This enables the router to install up to the specified number of equal-cost BGP routes (iBGP and eBGP) into the RIB and then potentially into the FIB.

Setting:

maximum-paths bgp 6

allowssixparallel ECMP paths learned via BGP—this matches the requirement in the question.

Why the other options are incorrect

B. multipath eibgp 6Not a valid Cisco IOS command.

C. maximum paths bgp routers 6Invalid syntax.

D. maximum-paths eibgp 6The correct keyword isbgp, noteibgp.Cisco does not use “eibgp” in this context; IOS supports BGP multipath across iBGP/eBGP automatically when configured under maximum-paths bgp.

The attacker’s IP is:

10.10.10.2

The servers under attack are:

Web Server:10.20.10.2

Mail Server:10.30.10.2

We must denytraffic from attacker → servers.

Correct ACL format useshost wildcards (0.0.0.0):

deny ip 10.10.10.2 0.0.0.0 10.20.10.2 0.0.0.0

deny ip 10.10.10.2 0.0.0.0 10.30.10.2 0.0.0.0

These matchD and E.

Comprehensive and Detailed Explanation

For virtualization functions and operational reliability, the architecture must leverageCisco NSO (Network Services Orchestrator)capabilities. NSO provides:

Transactional service modeling

Automatic rollbackwhen any step of a transactional deployment fails

Real-time network-state visibilityvia NSO CLI and live device synchronization

End-to-end service lifecycle automation

Among the options:

Why B is correct

"Virtualization service modeling" fits NSO’s core design principle: model the service, not individual devices.

NSO’s CLI providesstate visibility, operational introspection, transaction logs, and commit details.

NSO’s transactional engine providesautomatic rollbackupon any device or service failure.

This option capturesfull lifecycle automation,real-time state visibility, andreliability, exactly as required.

Why others are incorrect

A: CLI NED alone does not provide real-time state visibility or automated rollback; manual rollback contradicts requirements.

C: Only focuses on service modeling + CLI, but doesnotinclude rollback or lifecycle automation.

D: Templates alone do not ensure rollback or real-time operational state.

In Cisco Catalyst SD-WAN cloud integration, when the requirement is:

Automatically discovering AWSVPCs

Automatically identifying AWSservices

Allowing the user to choose whichprivate SD-WAN networkconnects to the cloud

UsingAWS credentials(Access Key / Secret Key) for automatic provisioning

…the Cisco-supported mechanism is theCisco SD-WAN Transit VPC solution.

Why Transit VPC is the correct answer:

It is specifically designed to integrateCisco SD-WANwith AWS environments.

Uses AWS APIs and user credentials to automatically discover:

VPC IDs

Subnets

Regions

Routing tables

Automatically deploys and configures CSR1000v or Catalyst 8000V routers into the VPC.

Provides a centralized “hub” in AWS to interconnect multiple SD-WAN sites.

Enables the user to choose which SD-WAN segments connect to which VPCs.

This matches the requirement ofautomatic cloud resource identification based on user credentials.

Why the other options are incorrect

A. AWS Direct Connect

This is a physical/private Layer 2 cloud connection.

It doesnotauto-discover VPCs or integrate through credentials.

It does not provide automated SD-WAN service provisioning.

C. IPsec VPN

Works for connectivity but ismanual, not automated.

Does not identify AWS cloud resources via credentials.

D. Segment routing

A transport technology used inside SP networks, irrelevant to AWS API-based VPC discovery.

Thus, onlyTransit VPCprovides automatic AWS cloud discovery and integration with SD-WAN.

From the RAID controller output:

TheRAID1virtual drive is shown as“Dgrd” (degraded)with a note:“RAID 1 in degraded state.”

In thePD LIST, one disk (slot 2) is marked“UGood – active disk in slot 2 disconnected from drive group 0”, while the other (slot 3) is“Onln 0”(online and part of drive group 0).

This means:

In aRAID 1mirror, onlyone diskmay fail while the array remains available.

Here,one disk has failed/disconnected, the other is still online → the array isdegraded but operational.

Therefore:

B. One RAID 1 disk failed– correct.

C. The node is still functional– correct; RAID1 can tolerate a single disk failure.

The other options are incorrect:

A and Esuggest two disk failures, which is not indicated.

Dwould be true only if both disks failed; with one disk still online, the node continues to function, though in a degraded state.

Comprehensive and Detailed Explanation

Cisco Container Platform (CCP), built on Kubernetes orchestration, usesYAMLfiles for:

Cluster configuration

Pod definitions

Network settings

Storage mappings

YAML is the industry-standard declarative syntax for Kubernetes and container orchestration platforms.

HTML, XHTML, and XML are not used for CCP configuration.

Comprehensive and Detailed Explanation

In Cisco high-availability LAN gateway designs, the requirement is:

Multiple L3 gateways sharing avirtual MAC and virtual IP

Ability toload balanceacross multiple active gateways

Capability toseamlessly take overgateway forwarding during a failure

Among Cisco First Hop Redundancy Protocols (FHRPs):

HSRP→ Active/standby only

VRRP→ Active/standby only

GLBP (Gateway Load Balancing Protocol)→The only FHRP providing active/active load balancing

GLBP allows multiple routers to share:

Acommon virtual IP

Multiplevirtual MAC addresses

Multipleactive forwardersthat load-balance end hosts

Automatic failover if any gateway fails

Thus, GLBP is the only correct protocol matching the requirement forredundant default gateways with load balancing and shared MAC addressing.

Comprehensive and Detailed Explanation Based on Designing and Implementing Cisco Service Provider Cloud Network Infrastructure Knowledge

When connectingcarrier-neutral facilities (CNFs)ordata centerswithin the same metropolitan area, service providers typically usehigh-bandwidth, low-latency optical transport methods. The most appropriate and commonly deployed interconnection technology is:

DWDM (Dense Wavelength Division Multiplexing) ring, which provides:

High capacity (10G, 40G, 100G, 400G)

Low latency

Redundancy through ring or mesh topologies

Multi-wavelength multiplexing for cost efficiency

Carrier-grade reliability for metro interconnect services

This aligns with cloud interconnect and metro transport design used in service provider environments.

Evaluation of the Options

A. OSPF backbone area adjacency

This is a routing protocol adjacency, not a physical connection method. It requires a transport link underneath but does not represent the physical interconnect itself.

B. Private wireless connection

Not suitable for CNF or metro DC interconnect because it lacks the bandwidth, reliability, and deterministic performance required for large-scale carrier-grade interconnects.

C. DWDM ring

This is the correct method. DWDM-based metro fiber rings are the standard for connecting carrier-neutral facilities in the same metro region.

D. CAT6e connection

This is limited to short-distance copper Ethernet (tens of meters). It is not used for metro-scale interconnects or between CNFs.

In a VXLAN BGP EVPN fabric, each VTEP (NVE interface) must useBGP EVPN as the host-reachability protocolso that MAC/IP information and VTEP reachability are exchanged through the control plane.

From the exhibit:

LEAF-SW-1 – interface nve1

source-interface loopback0

No host-reachability protocol bgp

Host Learning Mode: Data-Plane in show nve interface

LEAF-SW-2 – interface nve1

source-interface loopback0

host-reachability protocol bgp configured

This mismatch causes one VTEP to rely ondata-plane flood-and-learn, while the other usesEVPN BGP control-plane learning, leading to inconsistent and “corrupted” MAC/IP and ARP/ND information between the leaf switches.

The fix is to configure LEAF-SW-1 to also use BGP for host reachability:

interface nve1

host-reachability protocol bgp

Options B and D are incorrect because anycast VTEP designs intentionally share the sameprimaryloopback IP while usingdifferent secondary IPsandunique BGP router IDs. Option A (removing suppress-arp) does not correct the control-plane mismatch.

Therefore, enabling host-reachability protocol bgp on LEAF-SW-1 (OptionC) resolves the issue.

Comprehensive and Detailed Explanation From Exact Extract from my knowledge of Designing and Implementing Cisco Service Provider Cloud Network Infrastructure Outlines without Any External URL or Links:

Container orchestration is the automated management of container lifecycle tasks such as deployment, scaling, failover, and updates. In Cisco cloud and NFV design guidance, typical orchestration platforms includeDocker (with Swarm)andKubernetes, which integrate with Cisco networking and security for cloud-native workloads.

Dockerprovides the container runtime and can also perform basic orchestration through Docker Swarm mode, managing multi-container, multi-host deployments.

Kubernetesis a full-featured orchestration system that automates deployment, scaling, and operations of application containers across clusters. It is the de-facto standard used with Cisco Container Platform and other Cisco cloud solutions.

VMware vCenter, Cisco vManage, and Cisco vSmart focus on virtual machines or SD-WAN control, not container orchestration. Therefore, the correct tools areDocker and Kubernetes (A, D).

In a VXLAN BGP EVPNMulti-Siteenvironment:

DCI trackingmonitors the health of the DCI links. If all DCI-tracking interfaces go down, the leaf can incorrectly keep advertising or learning remote MAC/IP reachability, leading to packet loss and sub-optimal forwarding for servers in that VLAN/L2VNI.

For proper operation, eachDCI-facing interfacemust be enabled with evpn multisite dci-tracking so that the Multi-Site border leaf tracks reachability over that link.

When using EVPN Multi-Site, BUM (broadcast, unknown unicast, multicast) traffic toward remote sites is typically handled viaingress replication, not multicast groups, for each L2VNI participating in Multi-Site. The configuration snippet shows an L2VNI (vn-segment 16535) still mapped to mcast-group 239.1.1.0, which is inconsistent with Multi-Site recommendations and contributes to packet loss.

Therefore, to fix the problem:

Enable DCI tracking on the uplink:

interface Ethernet1/1

evpn multisite dci-tracking

This restores proper DCI-link state monitoring for Multi-Site. →Option C

Change the L2VNI behavior from multicast to Multi-Site ingress replication:

Under the VNI for VLAN 11, configure:

evpn

vni 16535 l2

multisite ingress-replication

or the equivalent command for the specific NX-OS release, thereby aligning the L2VNI with EVPN Multi-Site design and eliminating packet loss. →Option D

Options A and B are ELAM (embedded logic analyzer) filters used only for packet capture and do not resolve the forwarding issue.

Option E is an ACL line unrelated to EVPN VXLAN or DCI tracking and does not address the underlying problem.