300-420 Sample Questions Answers

Summarization on routers A and C is the correct design because the requirement is to keep failures of the listed access networks from impacting the core while still supporting fast convergence in both access and core. Route summarization creates an aggregation boundary: more-specific access routes can flap behind the summary without causing the core to learn and withdraw every individual prefix. Cisco hierarchical routing design uses summarization at distribution or aggregation boundaries to reduce routing-table size, contain convergence events, and protect the core from access-layer instability. Adding another aggregation layer may be appropriate in some large designs, but it is not necessary when the question asks for the mechanism that stops specific prefix failures from impacting the core. Graceful restart protects forwarding during control-plane restart events, not ordinary access-prefix failures. FRR provides fast reroute for link or node failures but does not hide individual connected-network changes from the core. Summarizing at routers A and C directly addresses the stated networks and reduces the query, LSA, or update impact depending on the routing protocol used. Reference topics: route summarization, hierarchical routing, convergence containment, core protection, prefix aggregation.

The correct IS-IS design combines tuned SPF/PRC behavior with a proper Level 1 and Level 2 hierarchy. Reducing SPF and PRC intervals, within platform and stability limits, helps routers react more quickly to topology changes after a link failure. However, fast timers alone are not enough; the hierarchy must contain instability so physical link flaps in the access layer have limited impact on the rest of the network. Access routers should form Level 1 adjacencies inside their local area, while aggregation routers should operate as Level 1/Level 2 routers to connect the access area to the Level 2 backbone. This design gives access routers a simple local view and uses aggregation as the interarea boundary. Running all access and aggregation routers as L1/L2 across the network increases the size of the backbone and exposes more routers to wider flooding, which is the opposite of the requirement. Redistributing Internet routes into Level 1 is also poor design because it bloats the access area. Therefore, the right choices are C and E. Reference topics: IS-IS hierarchy, L1/L2 design, SPF and PRC tuning, access-layer convergence, fault containment.

Cisco Identity Services Engine is the SD-Access component that integrates with Cisco DNA Center to provide identity-based policy, Security Group Tags, and Security Group ACL policy enforcement. Cisco SD-Access uses Cisco TrustSec technology concepts for group-based policy, but ISE is the actual policy and identity services platform that integrates with Cisco DNA Center. DNA Center automates fabric deployment and policy orchestration, while ISE provides endpoint identity, group assignment, scalable group information, and policy authorization. SGACLs define permitted or denied communication between security groups, and SGTs classify users or endpoints into those groups. APIC-EM is not the SD-Access policy platform. Cisco Network Data Platform supports analytics and assurance functions, not identity policy enforcement. Cisco TrustSec is the underlying policy technology, but the question asks for the component that integrates with Cisco DNA Center. Therefore, the verified answer is Cisco Identity Services Engine. In design terms, ISE should be planned as a critical policy-plane dependency with redundancy, pxGrid integration, RADIUS services, and consistent scalable group policy design.

LFA FRR is the correct improvement because it gives OSPF a precomputed repair path instead of waiting for normal SPF reconvergence after a component failure. Cisco describes OSPF LFA Fast Reroute as using a precomputed alternate next hop to reduce failure reaction time when the primary next hop fails. The forwarding plane can move traffic to the alternate path while the control plane reconverges, which directly addresses the short outage described in the question. Incremental SPF reduces CPU impact by recomputing only the affected part of the SPF tree, but it still relies on the post-failure SPF process. BFD detects a failure quickly, but by itself it does not install a loop-free repair path. Aggressive timers also improve detection but increase control-plane sensitivity and do not provide local repair. In an enterprise OSPF design where the complaint is outage during recomputation, LFA FRR is the stronger availability mechanism. Reference topics: OSPF Loop-Free Alternate, IP Fast Reroute, SPF convergence, local repair paths, routed resiliency.

Without centralized policy, OMP allows all WAN Edge routers in the same VPN to communicate in a full-mesh overlay. Cisco Catalyst SD-WAN uses OMP as the control-plane protocol between WAN Edge routers and SD-WAN controllers. WAN Edge devices advertise OMP routes, TLOC routes, and service routes to the controllers, and the controllers distribute the reachable routes back to the relevant edge devices. Cisco policy documentation describes the default unpolicied behavior as permissive: routes are accepted and advertised so sites in the same VPN learn reachability to each other. That default route distribution produces a full-mesh data-plane capability, even though control connections remain hubbed through the controllers. Hub-and-spoke, regional isolation, point-to-point restriction, or service-chained topologies require centralized control or data policy to filter routes or steer traffic. Blocking all communication is the opposite of the default behavior. Reference topics: Cisco SD-WAN OMP, default route distribution, full-mesh overlay, centralized control policy, VPN segmentation.

When dual WAN Edge routers are deployed at a branch, first-hop redundancy and SD-WAN overlay path preference must be aligned. The correct design consideration is that HSRP priorities on the service side should match the OMP routing policy that determines which WAN Edge is preferred. If the LAN gateway points hosts to one WAN Edge while OMP policy prefers the other edge for return or remote-site traffic, traffic can become asymmetric or hairpinned through the wrong device. Proper alignment gives predictable active/standby or active/active behavior and avoids blackholing during failover. Option A describes traditional BGP path manipulation with AS-path prepending and MED; those are not the primary SD-WAN branch dual-edge design controls. Option C overstates symmetry as a universal requirement for DPI; Cisco SD-WAN can handle many traffic patterns, but gateway and OMP alignment remain the core branch design issue. Option D is wrong because SD-WAN already uses BFD across data-plane tunnels, not as a special direct adjacency between the two local WAN Edges for this purpose. Reference topics: Cisco SD-WAN branch redundancy, HSRP, OMP policy, WAN Edge preference, service-side high availability.

EIGRP with stub routing and variance is the best fit for Cisco-only DMVPN branches with unequal Internet link speeds and limited branch resources. EIGRP works well over DMVPN because it supports hub-and-spoke designs, unequal-cost load balancing, and simple branch optimization through stub routing. Stub branches limit query propagation and reduce CPU, memory, and bandwidth consumption on small routers. Variance allows EIGRP to use feasible unequal-cost paths, which is important when one Internet connection is 10 Mbps and the other is 100 Mbps. OSPF can run over DMVPN, but virtual links are not an appropriate branch design and OSPF is less efficient in this specific Cisco-only unequal-bandwidth scenario. IS-IS is not commonly selected for small DMVPN branch overlays. iBGP with route reflectors can scale, but it does not inherently use link utilization and unequal metric behavior as cleanly as EIGRP variance for this requirement. Reference topics: EIGRP over DMVPN, stub routing, variance, unequal-cost load balancing, branch resource optimization.

The branch subnets must each support up to 200 hosts, so /120 is the correct IPv6 prefix length from the available options. A /120 provides 256 IPv6 addresses, which satisfies the 200-host requirement. A /121 provides only 128 addresses, which is not enough. The parent block is 2a01:0c30:0016:7009::3800/118. A /118 has 10 host bits, so it contains 1024 addresses and spans from ::3800 through ::3bff. The valid /120 boundaries inside that parent are ::3800/120, ::3900/120, ::3a00/120, and ::3b00/120. From the listed choices, 2a01:0c30:0016:7009::3a00/120 and 2a01:0c30:0016:7009::3b00/120 both fall inside the parent allocation and provide enough address capacity. The /121 options are too small, and ::3c00/120 is outside the /118 parent range. This is a straightforward IPv6 prefix-boundary and capacity calculation. Reference topics: IPv6 subnetting, prefix length, address block boundaries, branch address planning.

A TLOC extension facilitates WAN Edge router redundancy within a site. In Cisco SD-WAN, a Transport Location identifies a WAN transport attachment using attributes such as system IP, color, and encapsulation. A TLOC extension allows one WAN Edge router to use a transport circuit physically connected to another WAN Edge router at the same site. This is valuable when a branch has two edge routers and two transports, but each transport is cabled to only one router. With TLOC extension, each router can still gain logical access to both transports, improving redundancy and allowing better path diversity without adding more service-provider circuits or handoffs. The feature does not simply identify the physical interface; that is part of TLOC definition. It does not increase the number of colors or create a port-channel-style aggregate. A sound design also accounts for failure domains, service-side routing, and whether the inter-router link has enough bandwidth for extended transport traffic. Reference topics: Cisco SD-WAN TLOC, TLOC extension, WAN Edge redundancy, transport color, branch resiliency.

Dual DMVPN with EIGRP routing is the correct solution because the requirements call for secure public-internet connectivity, redundant paths, automatic path selection, multicast support, and minimal remote-site configuration. DMVPN builds dynamic multipoint GRE tunnels protected by IPsec, allowing spoke sites to communicate securely through the public internet while supporting routing protocols and multicast over GRE. A dual DMVPN design provides redundancy through separate hubs, transports, or tunnel clouds, so a spoke can continue operating if one path fails. EIGRP can calculate alternate paths and react to metric changes, supporting automatic path selection based on failure and quality when engineered correctly. MPLS with BGP does not meet the public-internet and encryption requirements by itself. A full mesh of IPsec tunnels with OSPF or IS-IS would increase configuration complexity at every remote site and does not scale as well. DMVPN is specifically built to simplify deployment of secure, scalable, multipoint branch VPNs. Reference topics: DMVPN, IPsec, mGRE, EIGRP over DMVPN, WAN redundancy, multicast over GRE.

Native policy-based IPsec protects unicast IP traffic between defined proxy identities, but it does not inherently provide a multiprotocol tunnel interface that supports multicast routing protocol packets. Many enterprise VPN designs require multicast for applications, routing protocols, or service discovery. To support multicast across an encrypted VPN, the design commonly uses GRE over IPsec or a tunnel interface such as VTI where the tunnel provides a logical point-to-point or multipoint interface and IPsec secures the encapsulated traffic. GRE can encapsulate multicast and broadcast traffic, allowing dynamic routing protocols and multicast packets to traverse the VPN. IPsec then encrypts the GRE or tunnel traffic for confidentiality and integrity. Transport mode by itself does not solve multicast forwarding, and tunnel mode still requires suitable encapsulation or tunnel-interface behavior for multicast support. Additional headend bandwidth may be required in large VPN designs, but it is not the unique technical requirement for multicast. Therefore, when IPsec VPNs must support IP multicast, the design must include GRE or VTI-style encapsulation.

When multicast is included in a Cisco SD-Access architecture, the architect must account for multicast transport in the overlay for endpoint traffic. Cisco SD-Access separates the underlay, which provides IP connectivity between fabric nodes, from the overlay, which carries user endpoint traffic in the endpoint identifier space. For wired and wireless clients, multicast traffic is transported as part of the overlay service rather than treating clients as underlay participants. That is why the correct design element is that multicast traffic is transported in the overlay and EID space for both wired and wireless clients. PIM SSM does not have to run in the underlay for this purpose, and multicast clients do not simply reside in the underlay. The statement about RPs being required in an SSM deployment is also wrong because source-specific multicast is specifically designed to avoid the traditional RP model. In a fabric design, multicast requirements affect border behavior, receiver placement, replication mode, wireless integration, and policy boundaries. Reference topics: Cisco SD-Access multicast, overlay forwarding, EID space, wired and wireless fabric clients.

VPN 0 is the transport VPN in Cisco SD-WAN. It carries control traffic and provides connectivity from WAN Edge routers toward the transport networks, such as MPLS, Internet, LTE, or other WAN services. Control connections to Cisco SD-WAN controllers are established through transport interfaces that belong to VPN 0. Data VPNs carry service-side user traffic and are separate from the transport VPN. VPN 512 is commonly used for out-of-band management, not for carrying overlay control connections. VPN 128 and VPN 256 are not the reserved transport VPN identifiers. The design importance is that VPN 0 must have correct addressing, color assignment, routing reachability, NAT traversal considerations, and certificate-based controller connectivity. If VPN 0 is misdesigned, the WAN Edge cannot establish stable control connections, cannot receive OMP routes and policies, and cannot build the secure overlay properly. Therefore, VPN 0 is the correct transport VPN for underlay control traffic. Reference topics: Cisco SD-WAN VPN 0, transport VPN, control connections, WAN Edge onboarding, overlay formation.

Multiple Spanning Tree Protocol is the standards-based solution that allows many VLANs to be mapped into a smaller number of spanning-tree instances. MSTP is defined by IEEE 802.1s and incorporated into IEEE 802.1Q, making it suitable for a multivendor campus where proprietary per-VLAN behavior is not acceptable. The question states that all configured VLANs must be grouped into two STP instances. That is exactly the design purpose of MST: VLAN-to-instance mapping lets the architect reduce the number of active spanning-tree calculations while still supporting different forwarding topologies for selected VLAN groups. Traditional STP runs a single common spanning tree and cannot provide two separate VLAN instance groups. RSTP improves convergence but does not by itself group VLANs into multiple instances. Rapid PVST+ provides one rapid spanning-tree instance per VLAN, but it is Cisco-oriented and creates far more instances than required. For a vendor-neutral design with two spanning-tree instances, MSTP is the correct choice and also reduces CPU and memory pressure compared with running a separate instance per VLAN.

Lowering the OSPF cost on the direct R1-to-R2 link is the cleanest way to force traffic for 10.10.20.0/24 to prefer that link. OSPF calculates the shortest path using cumulative interface cost, and Cisco designs normally tune OSPF path selection by changing interface cost rather than administrative distance. Administrative distance determines preference between different routing protocols, not between OSPF paths inside the same OSPF process. Moving the link into another area or creating a multiarea adjacency adds design complexity and does not directly solve the requirement unless the resulting cost still becomes lower. The exhibit states that the architect must use the direct link for traffic from 10.10.10.0/24 toward 10.10.20.0/24. Therefore, the direct link must have a lower total OSPF metric than the alternate path. Configuring the link cost to a value below 30 makes OSPF choose it as the preferred intra-area route. This is deterministic, easy to validate with the OSPF database and routing table, and consistent with Cisco hierarchical IGP design practice. Reference topics: OSPF cost, SPF path selection, metric tuning, intra-area routing.

Affinity is the Cisco SD-WAN feature used to minimize TLOC and control connections and reduce strain on vSmart controllers. Cisco documentation explains that establishing affinity between controllers and edge devices allows the operator to control overlay scaling by limiting which controllers an edge device can establish control connections with. In large deployments, unrestricted connections between every WAN Edge and every controller can create unnecessary state and operational load. Affinity lets the design distribute edge connections across controllers and data centers while still preserving redundancy through primary and backup controller relationships. Color identifies the transport type or behavior associated with a TLOC, but it does not reduce controller connection scale by itself. Control-direction and control-connections are not the feature names that provide the scaling function described in the question. A well-designed SD-WAN control plane uses affinity, controller groups, and redundancy planning to keep the overlay scalable and predictable. Reference topics: Cisco SD-WAN affinity, vSmart controller scale, TLOC connections, control-plane redundancy, overlay scaling.

The selected IS-IS design must place the correct routers as Level 1/Level 2 boundary routers so that area failures stay local while traffic can still reach backbone application services. In a hierarchical IS-IS design, Level 1 routers exchange detailed topology only inside their own area. Level 2 routers form the backbone used for interarea connectivity. L1/L2 routers connect the local area to the backbone and advertise reachability between the two levels. Areas 20 and 30 are expected to double in size, and link flaps inside those areas must not impact the backbone. Therefore, the design should keep internal area routers at Level 1 and use only the boundary devices that connect those areas to the backbone as L1/L2. Option A matches that principle by selecting the appropriate boundary routers for interlevel connectivity while avoiding unnecessary L1/L2 adjacencies throughout the topology. The other options either place the wrong routers in Level 2 only or fail to provide a clean transition between local areas and the backbone. Reference topics: IS-IS hierarchy, L1/L2 boundary design, area containment, backbone stability, route leaking.

EIGRP and BGP are the two listed routing protocols that can support unequal-cost load balancing in Cisco enterprise designs. EIGRP performs unequal-cost load sharing by using the variance command. Feasible successor routes whose feasible distance falls within the variance multiplier can be installed alongside the successor route, provided they satisfy EIGRP loop-prevention rules. This allows traffic to use links with different composite metrics while still maintaining loop-free forwarding. BGP can also support unequal-cost distribution in specific designs, such as using BGP multipath features with additional bandwidth-based mechanisms or policy to influence traffic sharing across nonidentical paths. OSPF and IS-IS commonly support equal-cost multipath, but they do not natively perform EIGRP-style unequal-cost load balancing based on different path metrics. RIPng is also limited by hop-count behavior and is not used for unequal-cost multipath in this context. The correct design answer is therefore EIGRP and BGP. In production, the engineer must still validate hardware forwarding behavior, policy consistency, and whether the traffic-sharing method is per-flow or per-prefix.

The border node is part of the Cisco SD-Access overlay architecture. In the SD-Access fabric, the overlay consists of fabric roles and services that provide endpoint connectivity, segmentation, policy, and external reachability over the routed underlay. Border nodes connect the fabric overlay to external Layer 3 networks, shared services, WAN, Internet, or other fabric/transit domains. They perform the fabric boundary function, including routing between virtual networks and external routing domains as designed. Spine and leaf are generic data center or fabric topology terms and are not the named SD-Access fabric overlay roles in this question. Cisco DNA Center, now Cisco Catalyst Center, is central to management, automation, assurance, and policy deployment, but it is not itself an overlay forwarding component. The forwarding overlay is built from roles such as edge, border, control-plane, and intermediate nodes. Therefore, the correct component from the options is the border node. The design should select border placement based on external connectivity, scale, route control, redundancy, and whether the border is internal, external, or anywhere border. Reference topics: SD-Access overlay, border node, fabric roles, external connectivity, virtual networks.

The selected command is correct because the port is already restricted to one manually learned MAC address, and the requirement is to let the switch dynamically learn the connected endpoint while retaining port-security control. In Cisco Catalyst port security, a static secure MAC address is manually configured, while a sticky secure MAC address is dynamically learned and then added to the running configuration. This design is useful on access ports where the administrator wants the operational convenience of dynamic learning but still wants the switch to enforce the maximum secure-address limit. Once the endpoint MAC is learned, subsequent frames from different source MAC addresses can trigger the configured violation action, such as protect, restrict, or shutdown. The command must therefore enable sticky learning on the secured interface rather than simply changing the maximum, disabling port security, or configuring a normal switching feature. This is an access-layer security function, not a routing or QoS function. Reference topics: Catalyst port security, secure MAC addresses, sticky learning, access port hardening, Layer 2 campus design.

The IS-IS hierarchy should place access or internal area routers at Level 1, boundary routers at Level 1/2, and backbone routers at Level 2. In this exhibit, users in areas 25 and 55 must send and receive traffic through both backbone areas, while link flaps in areas 35 and 45 must not affect other areas. Cisco IS-IS design uses Level 1 areas to contain local topology changes and Level 2 routing to interconnect areas through the backbone. Level 1/2 routers sit at the area boundary and leak or advertise reachability between the local Level 1 area and the Level 2 backbone. Option C matches that hierarchy by placing A-series routers as Level 1, B-series routers as Level 1/2, and C-series routers as Level 2. Making too many routers Level 1/2 would expand the impact of topology changes and reduce scaling benefits. Making backbone routers Level 1 would break interarea design. Reference topics: IS-IS hierarchy, Level 1, Level 2, Level 1/2 routers, failure-domain containment, enterprise scaling.

When BFD echo mode contributes to high CPU utilization on lower-resource devices, the practical design response is to use slower BFD timers for those peers rather than continuing to run an overly aggressive failure-detection profile everywhere. Cisco BFD provides fast failure detection, but timer values must match platform capability, interface scale, and the operational value of subsecond detection. Echo mode can generate frequent packets, and in some environments the processing or punt behavior can create measurable CPU pressure. Slowing the timers reduces packet rate and control-plane stress while keeping BFD available for faster detection than traditional routing protocol dead timers. Moving to asynchronous mode may be appropriate in some designs, but the listed option says “BED” and does not directly address the requirement as cleanly as reducing timer aggressiveness. BFD multihop is used for non-directly connected peers and is not a CPU-relief mechanism. Carrier delay changes interface state notification behavior, but it does not solve BFD packet processing load. Therefore, implement slower timers on peers with limited resources. Reference topics: BFD design, echo mode, failure-detection timers, CPU utilization.

Wake-on-LAN across routed boundaries requires directed broadcast handling toward the client subnet and helper behavior to forward the magic packet correctly. A sleeping host normally does not maintain a normal IP session, so the WoL magic packet is commonly sent as a directed broadcast to the destination subnet. Cisco designs therefore enable IP directed broadcast on the routed interface or SVI for the client subnet where the sleeping endpoints reside, while controlling the feature carefully to avoid abuse. The ip forward-protocol behavior is also relevant because routers must forward the required UDP broadcast traffic rather than dropping it at the Layer 3 boundary. In addition, an IP helper address toward the WoL server or relay path may be needed on client-facing interfaces so the magic packet can be delivered from the management or server subnet to the client subnet. PortFast helps endpoints become reachable quickly at Layer 2, but it does not replace routed broadcast forwarding. Reference topics: Wake-on-LAN, directed broadcast, ip helper-address, UDP forwarding, PortFast, campus services.

An MPLS WAN from two separate ISPs is the strongest fit when the enterprise requires an active/backup WAN design with guaranteed SLAs for applications on either connection. MPLS VPN services are typically delivered with provider-backed service-level commitments for latency, jitter, packet loss, and availability, which is why they are selected for predictable enterprise application transport. Using two separate MPLS providers improves resiliency against a provider failure while preserving SLA-backed behavior on the backup path. A hybrid MPLS and Internet VPN model can be cost effective, but the Internet path generally does not provide the same deterministic SLA unless enhanced by a specific managed service contract. Internet from two providers improves reachability diversity but does not inherently guarantee application SLA. A single ISP hybrid design creates a provider dependency and weakens availability. Therefore, dual-provider MPLS is the conservative design for guaranteed active/backup WAN service. Reference topics: MPLS WAN design, service-level agreements, active/backup WAN, provider diversity, application performance assurance.

STP loop guard is the correct protection feature. Cisco defines loop guard as a spanning-tree enhancement that prevents alternate or root ports from incorrectly becoming designated forwarding ports when expected BPDUs are no longer received. That failure mode is exactly what the question describes: an alternate or root port intermittently transitions to a designated role and creates a Layer 2 loop. With loop guard enabled, the port is placed into a loop-inconsistent blocking state until BPDUs are received again, so the topology remains protected. PortFast BPDU guard is intended for edge ports connected to end hosts and shuts a PortFast port when BPDUs appear; it is not the correct uplink/root-port protection. UDLD can detect unidirectional links, but it does not specifically enforce STP role consistency. Root guard prevents superior BPDUs from changing root placement, which is a different problem. Reference topics: STP loop guard, alternate and root ports, BPDU loss, loop-inconsistent state, Layer 2 loop prevention.

The primary consideration is that the participating hosts must support dual stack. The pilot is contained within a single VLAN, so the application traffic remains inside the same Layer 2 broadcast domain across the dual-site data center environment. Layer 2 switches forward Ethernet frames and do not need to understand the IPv6 header to carry IPv6 traffic inside the VLAN. Layer 3 switches need IPv6 capability only where IPv6 routing, gateways, ACLs, or services are required. For this pilot, the essential requirement is that the servers and endpoints running the IPv6 application can operate with both IPv4 and IPv6 enabled while the existing environment continues to support IPv4. Dual stack allows IPv6 testing without removing IPv4 reachability or forcing translation. Requiring every Layer 2 and Layer 3 switch in both data centers to be dual-stack overstates the design requirement. The hosts participating in the pilot are the critical dependency. Reference topics: IPv6 migration, dual stack, Layer 2 VLAN transport, data-center pilot design, IPv4 and IPv6 coexistence.

The client edge can reach the Internet through ISP1 only if downstream routers inside the client network have a usable route toward the Internet. Since ISP1 provides full Internet connectivity and ISP2 is used for direct exchange with selected third parties, the edge design should advertise a default route into the client network. This gives internal routers a simple, scalable route for all Internet destinations while preserving specific routing where necessary. Running separate VRFs for each ISP may be a valid segmentation technique, but it does not by itself tell downstream routers how to reach the Internet. AS-path prepending toward ISP2 influences inbound path preference from external networks; it does not solve internal default routing. Filtering outbound advertisements so the client advertises only its own originated routes is important to avoid becoming a transit AS, but it is not the mechanism that enables internal users to reach the Internet through ISP1. The clean design is to receive or originate a default route at the edge and advertise that default to the client routing domain. Reference topics: BGP Internet edge design, default route advertisement, transit prevention, ISP peering policy.

The correct subnet choice is 192.168.32.0/27. The design must support at least five subnets and at least 25 usable hosts per subnet from a /24 allocation. A /27 leaves five host bits, giving 32 total addresses and 30 usable host addresses after excluding the subnet and broadcast addresses. It also borrows three bits from the /24 host field, creating eight equal /27 subnets, which satisfies the requirement for at least five departmental networks. A /26 provides 62 usable hosts, but only four subnets inside a /24, so it fails the subnet-count requirement. A /25 provides only two subnets. A /28 provides enough subnets but only 14 usable host addresses, which fails the host requirement. Cisco subnetting guidance uses exactly this host-bit and prefix-length calculation model when selecting VLSM blocks. Reference topics: IPv4 subnetting, CIDR prefix length, host-bit calculation, VLSM design, private IPv4 addressing.

gRPC provides efficient integration by using protocol buffers to serialize and deserialize structured data over the network. In network programmability and telemetry designs, gRPC is commonly used as the transport framework for streaming model-driven telemetry or for remote procedure calls between collectors, controllers, and network devices. Protocol buffers define compact structured messages that are faster and less ambiguous than parsing text output. This makes gRPC suitable for high-volume telemetry and programmatic device interaction. LDAP is a directory and authentication-related protocol, not the integration mechanism provided by gRPC. XMPP is associated with messaging and presence systems, not gRPC data serialization. Graph API is not a gRPC feature. The operational value of gRPC is that it provides a modern RPC framework with efficient message encoding, service definitions, and support for secure transport through TLS when implemented by the platform. Reference topics: gRPC, protocol buffers, model-driven telemetry, network programmability, structured data serialization. It improves controller interoperability.

BFD is the correct design feature for detecting a link failure within 200 ms or less without materially increasing OSPF control-plane load. Cisco uses Bidirectional Forwarding Detection as a fast, lightweight failure-detection protocol that can be associated with routing protocols such as OSPF. Instead of relying on aggressive OSPF hello and dead timers, BFD performs rapid forwarding-path checks and notifies OSPF when the path fails. This allows fast convergence while avoiding the additional routing-protocol overhead and instability that can come from very low hello timers. UDLD detects unidirectional Layer 2 fiber failures, but it is not the routing adjacency failure-detection mechanism requested here. Carrier delay can adjust interface state transition timing, but it does not provide a routing-protocol independent liveness session. Fast hellos can reduce detection time, but they increase protocol traffic and can affect overall performance. BFD is therefore the proper design choice for fast and efficient OSPF convergence. Reference topics: BFD, OSPF convergence, fast failure detection, routed campus resiliency, control-plane efficiency.

A logical topology that virtually connects devices over an arbitrary physical network is an overlay. In Cisco SD-Access, the underlay provides basic IP reachability between fabric nodes, while the overlay creates the logical network used by endpoints, virtual networks, and policy segmentation. The overlay is not constrained to the exact physical cabling topology; instead, it uses encapsulation and control-plane mapping to carry user traffic across the routed fabric. Cisco SD-Access uses LISP in the control plane for endpoint-to-location mapping and VXLAN in the data plane for encapsulation. This allows the fabric to present consistent logical connectivity even when the physical network is built from routed links and different infrastructure layers. The data plane is the forwarding mechanism, the control plane resolves location information, and the underlay is the physical and routed transport. The logical topology built on top of those components is the overlay. Reference topics: Cisco SD-Access overlay, underlay, VXLAN, LISP, fabric logical topology.

Bootstrap Router is the standards-based mechanism that supports dynamic RP discovery in a PIM sparse-mode domain. Cisco documentation distinguishes Auto-RP, which is Cisco-proprietary, from BSR, which is defined for standards-based RP distribution. With BSR, candidate RPs advertise their availability, and the elected bootstrap router distributes RP-set information throughout the PIM domain. This removes the operational burden of manually configuring the same static RP information on every multicast router. Anycast-RP provides RP redundancy and load sharing but does not by itself provide standards-based dynamic RP discovery across the domain. Static RP is simple but not dynamic. Auto-RP can dynamically distribute RP information, but it is not the standards-based answer. The design value of BSR is most visible in large multicast domains, where routers need consistent RP information and manual changes are risky. Therefore, when the question asks for a standards-based RP deployment that supports dynamic RP discovery, the correct answer is bootstrap router. Reference topics: PIM sparse mode, Bootstrap Router, candidate RP, RP-set distribution, dynamic RP discovery.

The OSPF design should include LSA/SPF timer tuning and summarization with appropriate stub-area design. Cisco OSPF convergence is affected by failure detection, LSA generation, flooding, SPF scheduling, and routing-table installation. Tuning LSA and SPF throttling timers helps the network react quickly to genuine failures while avoiding excessive CPU churn during repeated flaps. This is especially important when voice and video traffic are sensitive to convergence delay. Manual route summarization at area boundaries reduces the number of detailed routes advertised between areas and limits the blast radius of link failures. Configuring nonbackbone areas as stub networks where appropriate also reduces external LSA propagation and lowers router resource use. Reducing DR and BDR election frequency is not a primary design tool for convergence, and increasing hello and hold timers would slow failure detection rather than improve it. Advertising default routes can be useful, but it does not by itself contain link flap impact. Reference topics: OSPF area design, LSA throttling, SPF throttling, route summarization, stub areas, convergence optimization.

The control-plane node in Cisco SD-Access acts as the map system that manages endpoint-to-device relationships. Cisco SD-Access documentation describes control-plane nodes as maintaining the host database that maps endpoint identifiers to the fabric edge devices where those endpoints are attached. This mapping function is based on LISP control-plane behavior. When an endpoint appears on an edge node, the edge registers the endpoint information with the control plane. When another fabric device needs to send traffic to that endpoint, it queries the control-plane node to resolve the endpoint location. A fabric edge node is the device that connects wired endpoints to the fabric, so option A describes an edge role. Wireless endpoints may attach through fabric AP and fabric WLC integration, but that is not the control-plane node’s role. External Layer 3 networks are connected through border nodes, not through the control-plane node. Therefore, the correct role is endpoint-to-device mapping. Accurate control-plane design is essential for fabric scale, endpoint mobility, and fast location resolution.

The drag-and-drop mapping separates WAN connectivity technologies by the service characteristics they deliver. Cisco enterprise WAN designs distinguish private WAN options, such as MPLS Layer 3 VPN, Ethernet WAN, VPLS, and VPWS, from Internet-based options such as broadband, LTE, and VPN overlays. Layer 3 MPLS VPN gives the provider responsibility for routing between customer sites and is commonly used when private any-to-any routing, QoS treatment, and segmentation are required. Layer 2 services such as VPWS and VPLS extend customer Layer 2 adjacency across a provider network; VPWS is point-to-point, while VPLS is multipoint. Internet and cellular links are typically lower-cost and fast to deploy, but they require overlay security, such as IPsec, DMVPN, or SD-WAN encryption, when used for enterprise private traffic. The selected mapping therefore aligns each description with the WAN category that actually provides that behavior. In design work, the architect must compare latency, resiliency, SLA, QoS preservation, encryption requirements, routing control, and operational ownership before selecting the WAN type. Reference topics: enterprise WAN connectivity, MPLS VPN, VPLS, VPWS, Internet VPN, cellular backup.

Cisco SD-WAN uses Path MTU Discovery to avoid fragmentation problems across the overlay. SD-WAN traffic is encapsulated and encrypted, which adds overhead beyond the original packet size. If the effective path MTU is smaller than the encapsulated packet, fragmentation or packet loss can occur, especially when the DF bit is set or when intermediate devices block fragmentation-related ICMP messages. PMTUD allows devices to discover the largest packet size that can traverse the path without fragmentation and adjust forwarding behavior accordingly. Marking traffic with DF alone does not solve the issue; it may expose the problem by causing packets to be dropped when too large. Jumbo frames are not a universal WAN solution because service-provider, Internet, and broadband paths often do not support them consistently. Configuring every access circuit with a fixed 1600-byte MTU is not a reliable design assumption. The correct design is to rely on PMTUD and validate tunnel overhead, device MTU, TCP MSS adjustment where needed, and ICMP handling across transports. Reference topics: Cisco SD-WAN MTU, PMTUD, tunnel overhead, fragmentation avoidance, IPsec encapsulation.

In Cisco SD-Access, an intermediate node is an underlay transit device. Its responsibility is to provide IP reachability between fabric edge nodes, border nodes, and other fabric infrastructure roles. Intermediate nodes forward routed underlay traffic and do not perform endpoint registration, endpoint lookup, or VXLAN encapsulation for user traffic. Endpoint-to-location mapping is handled through the fabric control plane, which is based on LISP map-server and map-resolver functions. Fabric edge nodes identify connected endpoints, apply policy, act as anycast gateways, and encapsulate user traffic into VXLAN. Border nodes connect the fabric to external networks and handle traffic entering or leaving the fabric. The intermediate node is therefore comparable to a routed distribution or core transport device in a traditional hierarchical campus, except it is participating in the SD-Access underlay. It must provide stable Layer 3 reachability and appropriate MTU for encapsulated traffic but does not maintain the host tracking database or add security group information to VXLAN headers. The correct function is transporting IP packets between edge and border nodes.

GRE over IPsec is required when the backup connection is an Internet circuit, encryption is mandatory, and multicast applications must cross the tunnel. GRE provides the logical tunnel interface and can encapsulate multicast traffic and routing protocol packets. IPsec then encrypts the GRE packets across the public Internet, satisfying the security requirement. This combination is widely used in enterprise WAN designs where dynamic routing, multicast video, or other non-unicast traffic must be transported securely between sites. Direct IPsec encapsulation protects unicast IP traffic, but it does not natively provide a multicast-capable tunnel interface for routing and multicast services. GETVPN is designed for private WAN environments where the provider network can carry the routed addresses and where tunnel-less group encryption is desired; it is not the usual choice for Internet backup. DMVPN could also use GRE and IPsec, but for a simple backup connection between two sites, GRE over IPsec is the direct answer. Reference topics: GRE tunneling, IPsec encryption, multicast over VPN, Internet backup WAN design.

Controller redundancy is the only viable answer among the listed choices. In Cisco SD-WAN, production control-plane resiliency is achieved by deploying redundant controller infrastructure so WAN Edge routers can maintain control connectivity even if a controller instance fails. Strictly speaking, vSmart controllers are the primary SD-WAN control-plane components because they distribute OMP routes, TLOC information, service routes, and policy. vManage is the management plane, and clustering vManage improves management-plane availability. However, the provided options do not include redundant vSmart controllers. Of the available answers, using multiple controller instances in a cluster is the closest redundancy design concept, while the other options do not provide SD-WAN controller redundancy. BFD on WAN Edge routers detects data-plane path failure, not control-plane controller failure. Deploying controllers on UCS or CSP affects hosting, not redundancy by itself. OMP manages overlay routes; it is not an underlay management mechanism. A complete professional design should include redundant vSmart, vBond, and vManage components across failure domains. Reference topics: Cisco SD-WAN control plane, controller redundancy, vSmart, vManage clustering, OMP.

The correct solution is IntServ with RSVP. The requirement says the application must be able to request a specific service level and receive guaranteed bandwidth with support for delay requirements. Cisco describes Integrated Services as a QoS model that uses Resource Reservation Protocol to signal per-flow resource requirements across the network. RSVP allows applications or endpoints to request bandwidth and delay treatment; each participating network device can admit or reject the reservation based on available resources. This is exactly the behavior needed when an application must explicitly request a service profile rather than simply inherit a class marking. DiffServ with DSCP is more scalable, but it only marks traffic and applies class-based per-hop behavior. It does not provide per-flow reservation or allow the application to explicitly reserve resources. DSCP by itself is a marking mechanism, not a reservation protocol. RSVP belongs with IntServ in the classic QoS model. Reference topics: Integrated Services, RSVP, resource reservation, QoS guarantees, delay-sensitive applications.

Route tags are the correct loop-prevention mechanism when connecting another routing domain or redistributed network behind R3 into an EIGRP network. Redistribution can create route feedback: a route learned from one domain is redistributed into another, then later redistributed back into the original domain as if it were new information. That can produce routing loops or suboptimal path selection, especially in multipoint redistribution designs. Cisco route-map based redistribution commonly uses route tags to mark the origin of redistributed routes. Other redistribution points can then match those tags and prevent the same routes from being reintroduced into the source domain. Split horizon prevents advertisements back out the interface on which a route was learned, but it is not sufficient for multipoint redistribution loop prevention. Summarization reduces route detail and query scope but does not identify route origin. The OSPF down bit is used in MPLS VPN/OSPF PE-CE scenarios, not general EIGRP redistribution. Therefore, the design should use route tags. Reference topics: EIGRP redistribution, route tagging, routing-loop prevention, route maps, redistribution policy.

Dedicated control-plane nodes are advisable when frequent endpoint roaming across fabric edge nodes is expected. In Cisco SD-Access, the control-plane node maintains the host tracking database and resolves endpoint identifiers to routing locators. When endpoints move between fabric edge nodes, the fabric must update endpoint-to-location mappings quickly and consistently. In smaller deployments, the control-plane function can sometimes be colocated with border nodes, but larger or more mobile environments benefit from dedicated control-plane nodes to improve scale, resilience, and operational separation. The decision is not because Cisco DNA Center is absent; DNA Center is the management and automation platform for SD-Access. It is also not because edge nodes are unable to provide control-plane functionality, since that is not their fabric role. Frequent roaming creates more mapping updates and lookup activity, so dedicated control-plane resources help maintain stable endpoint registration and resolution performance. Reference topics: Cisco SD-Access control-plane node, host tracking database, endpoint mobility, LISP map server, fabric scale.

The two practical OSPF convergence improvements are enabling Bidirectional Forwarding Detection and tuning OSPF timers and throttling behavior. Cisco describes BFD as a protocol designed to provide fast forwarding-path failure detection across media, encapsulations, topologies, and routing protocols. With OSPF, BFD allows a neighbor failure to be detected rapidly without depending only on the OSPF dead interval. OSPF parameters can also be tuned, including SPF scheduling, LSA generation, and LSA arrival throttling, so the control plane reacts quickly but not recklessly during instability. Merging all areas into one backbone area is not a convergence improvement; it usually increases the size of the link-state database and the impact of topology changes. Making every nonbackbone area stub may reduce external LSA scope, but it is not universally valid and does not directly solve failure detection. Spanning the same IP network across multiple OSPF areas is a poor design and can create operational ambiguity. Therefore, BFD plus careful OSPF parameter tuning are the appropriate convergence-focused design actions.

Multichassis EtherChannel is the correct design when distribution switches support VSS and the campus needs fast Layer 2 convergence while using as much uplink bandwidth as possible. With VSS, two physical distribution switches operate as a single logical switching system from the perspective of the access layer. MEC allows an access switch to bundle links to both distribution chassis into one logical EtherChannel. This removes the normal spanning-tree blocking of redundant uplinks, uses both links actively, and provides fast convergence if one physical link or chassis fails. A plain EtherChannel normally terminates on one physical switch, so it does not provide the same chassis-level resiliency unless the distribution pair is virtualized. RSTP improves loop convergence but still blocks redundant Layer 2 paths in a traditional topology. ECMP requires Layer 3 routing, and the question notes routing protocol limitations. Therefore, MEC on VSS is the best solution for bandwidth utilization and fast Layer 2 recovery. Reference topics: VSS, Multichassis EtherChannel, Layer 2 campus resiliency, STP avoidance, access-to-distribution design.

A single-homed WAN design is appropriate for two small branch offices when cost is the main concern, routing overload must be avoided, and occasional downtime is acceptable. Single-homed connectivity uses one WAN connection from the branch to the provider or headquarters. It is the simplest and least expensive model because it minimizes circuits, routers, routing adjacencies, and failover complexity. Dual-homed or multihomed designs improve availability, but they add cost and operational overhead through additional links, devices, routing policy, and monitoring. Dual multihomed designs are the most resilient but clearly exceed the requirement for a small cost-sensitive branch. A single multihomed design provides some provider or link diversity, but it is still more complex than necessary if the customer accepts some downtime. In Cisco WAN design, the correct topology must match the business availability requirement; not every site justifies redundant circuits. Reference topics: WAN topology selection, single-homed branch design, cost versus availability, routing simplicity, branch connectivity.

Traffic shaping is the correct QoS design for a 1-Gbps handoff with a 100-Mbps committed information rate when the provider aggressively drops traffic above the CIR. Cisco distinguishes shaping from policing: shaping buffers and delays excess packets so the sender transmits at a configured rate, while policing drops or remarks traffic that exceeds the configured rate. Because the customer wants to maximize bandwidth usage up to the 100-Mbps CIR and avoid excessive TCP retransmissions, shaping is the better fit. Policing at the customer edge would simply drop excess traffic locally, creating the same kind of loss problem. A markdown policer is useful when lower-priority traffic should be reclassified, but it does not smooth bursts into the provider’s CIR. Queuing helps during congestion, but without shaping the router can still send bursts at the 1-Gbps physical rate into a provider policer. The correct design is to shape outbound traffic to the CIR, then use child-policy queuing if class-based service guarantees are required. Reference topics: traffic shaping, policing, CIR, hierarchical QoS, TCP retransmission avoidance.

Cisco SD-WAN uses the vSmart controller as the control-plane component that distributes the information needed for secure data-plane tunnel establishment. Before WAN Edge devices build full-mesh IPsec tunnels, they must learn reachability and security information through the SD-WAN control plane. Cisco documentation describes the vSmart controller as the centralized control-plane element that exchanges OMP routes, policy, TLOC information, and security parameters with WAN Edge routers. In the traditional SD-WAN key-exchange model, vSmart sends IPsec encryption keys to edge devices so the data plane can be secured without each edge independently negotiating IKEv2 with every other edge. vManage is the management platform and is not the key exchange point. vBond performs orchestration, authentication assistance, and NAT traversal during onboarding, but it is not the data-plane key server. IKEv2 may be used in specific newer or configured security models, but the typical Cisco SD-WAN overlay relies on vSmart for scalable key distribution. Reference topics: Cisco SD-WAN control plane, vSmart, OMP, IPsec key distribution, WAN Edge security.

The drag-and-drop answer follows the practical distinction between the YANG model families. IETF models are standards-based models intended to provide a common structure for widely implemented protocol and interface functions. OpenConfig models are vendor-neutral operational and configuration models developed for cross-vendor automation, with a strong focus on consistent telemetry and network state representation. Cisco native models expose Cisco platform-specific capabilities and usually provide the deepest coverage for IOS XE, IOS XR, or NX-OS features that are not fully represented in a common model. The selected mapping therefore assigns model elements according to origin, portability, and feature depth. In a production automation design, engineers should start with open models when interoperability and long-term portability matter, but they should choose Cisco native models when a required Cisco feature is not available or is incomplete in IETF or OpenConfig. The choice is not cosmetic; it affects payload structure, namespace, validation behavior, and operational consistency across device families. Reference topics: YANG model families, IETF YANG, OpenConfig, Cisco native YANG, model-driven configuration.

OSPF requires all nonbackbone areas to connect logically to Area 0. In the original design, HQ is Area 0 and the existing branch is Area 1, which is valid because Area 1 has connectivity to the backbone. The newly acquired branch is assigned Area 2 but is temporarily connected through the existing branch instead of directly to HQ. That means Area 2 does not have a direct logical connection to Area 0, violating the OSPF backbone requirement. The proper OSPF design mechanism for this temporary topology is a virtual link. An OSPF virtual link is configured through a transit area to logically connect a disconnected area or ABR back to the backbone. Making the existing branch a stub area does not solve the lack of Area 0 connectivity. A sham link is used in MPLS VPN OSPF designs to prefer backdoor links or preserve intra-area behavior across the provider core, not for this generic backbone disconnection. Making Area 2 a stub area also does not establish backbone reachability. Therefore, a virtual link between the new branch and HQ is required.

The valid get-config reply must show OSPF process ID 400 with network 192.168.128.128/25 enabled for Area 0. A /25 prefix has a block size of 128 addresses, so 192.168.128.128/25 is a valid network boundary and covers addresses from 192.168.128.128 through 192.168.128.255. Any reply that shows the wrong OSPF process, an incorrect network boundary, the wrong prefix length or wildcard equivalent, or a nonzero area does not verify the requested model set. In Cisco IOS XE model-driven configuration, the readback has to match the schema path and values used by the model, not simply produce an approximate CLI interpretation. Option B is the reply that confirms the intended OSPF object. This verification method is important because YANG automation can fail silently in operational workflows when the payload is syntactically valid but targets the wrong container or key. A get-config verification step confirms the running datastore contains the exact OSPF process and area membership required by the design. Reference topics: YANG OSPF configuration, NETCONF get-config, prefix validation, IOS XE native models.

When Cisco SD-WAN edge router redundancy is designed, VRRP is the supported first-hop redundancy protocol in the SD-WAN edge context. VRRP provides a virtual default gateway for LAN-side devices, allowing one WAN Edge router to act as the active gateway while another can take over if the active router or tracked condition fails. Cisco SD-WAN designs use VRRP with tracking and policy alignment so branch LAN traffic can fail over to the appropriate edge router while the SD-WAN overlay handles transport and tunnel selection. HSRP and GLBP are traditional campus first-hop redundancy protocols, but they are not the supported FHRP answer for vEdge router redundancy in this design context. OMP is the SD-WAN control-plane routing protocol used between WAN Edge routers and vSmart controllers; it is not a first-hop redundancy protocol for LAN hosts. Therefore, the correct FHRP for vEdge router redundancy is VRRP. The design should also ensure that VRRP priorities, tracking, and SD-WAN routing preferences align so traffic exits the intended edge during normal and failure conditions.

The selected IPv6 summary must be the smallest prefix that covers all of the site subnets in the exhibit while not including unnecessary additional networks. IPv6 route summarization works by identifying the common high-order bits shared by the component prefixes and advertising the shortest aggregate that contains them all. Cisco routing design uses summarization at WAN or aggregation boundaries to reduce routing-table size, contain convergence events, and simplify policy. Option C is retained because it represents the aggregate identified by the exhibit answer set. Option A is a different /60 boundary and would be correct only if all component subnets fell under that exact nibble range. Option B is not a usable summary route in normal IPv6 prefix notation as written. Option D is too broad or malformed for a precise site summary. The professional design rule is to summarize on valid nibble or bit boundaries and verify that every component prefix is included without accidentally absorbing unrelated site networks. Reference topics: IPv6 summarization, prefix aggregation, route boundary calculation, WAN route scale, convergence containment.

BFD is not required for the specific failure described: a physical fiber break on point-to-point routed links. In a Layer 3 campus or routed-access design, a direct physical link failure is detected by the interface state change, so the routing protocol can react immediately without waiting for hello/dead timers. Cisco campus design guidance favors point-to-point routed links partly because they give rapid convergence and avoid STP delays. BFD is valuable when a forwarding-path failure is not reliably detected by Layer 1 or Layer 2, or when a protocol adjacency must detect loss faster than its native timers. It does not automatically create convergence by itself; it detects failure and notifies the routing protocol. For a clean fiber cut on a routed point-to-point link, link-down detection is already fast enough for sub-second failover in the design. OSPF timer tuning is also not the preferred design answer for this physical-failure case. Reference topics: routed access design, point-to-point links, link-failure detection, BFD, OSPF convergence.

The multicast-replicator function is used to optimize multicast traffic distribution across Cisco SD-WAN. Cisco Catalyst SD-WAN multicast overlay design avoids forcing the ingress WAN Edge router to replicate every multicast packet to every remote receiver. Instead, multicast routes and receiver information are exchanged through OMP, and a WAN Edge can be designated as a multicast or OMP replicator. The replicator then distributes streams to interested receivers across the overlay, reducing bandwidth and processing pressure on the source-side edge. That is why multicast-replicator is the feature that optimizes WAN bandwidth for IGMP-driven multicast receiver traffic among WAN Edge routers in the same VPN. IGMPv2 is only the host-to-router group membership protocol and does not optimize overlay distribution by itself. A multicast RP is used in PIM sparse mode, but it is not the SD-WAN overlay replication feature. Multicast service routes advertise multicast service information, but the bandwidth-saving forwarding role is the replicator. Reference topics: Cisco SD-WAN multicast overlay, OMP multicast routes, multicast replicator, IGMP receiver joins.

The verifying get-config reply must reflect the same YANG model hierarchy and configured values that were pushed by the Postman request. In model-driven automation, a successful transport response is not enough; the engineer must confirm that the intended datastore contains the exact interface, routing, or protocol objects described by the model. Option D is the selected reply because it matches the expected YANG structure for the configuration operation shown in the exhibit. The key principle is that get-config returns configuration data from a specified datastore, such as running or candidate, using the schema-defined XML hierarchy. If the returned XML uses the wrong container, wrong namespace, incorrect key value, or an unexpected leaf, the model set was not designed or addressed correctly. Cisco NETCONF/YANG workflows rely on strict namespace and path accuracy, so even a small mismatch can result in configuration being placed in the wrong subtree or not applied. A clean validation checks the model namespace, parent containers, list keys, leaf names, and actual configured value. Reference topics: NETCONF get-config, YANG XML encoding, datastore validation, Postman automation workflow.

OSPF with stub areas is the correct implementation. The reference to RFC 5340 points to OSPFv3, which Cisco documents as the OSPF version used for IPv6 and also capable of carrying IPv4 unicast address families in modern implementations. OSPF is a link-state routing protocol that provides loop-free convergence through SPF calculation, making it a stronger fit than static routing or RIP for a growing WAN. Stub areas reduce routing information inside branch or regional areas by blocking external LSAs and allowing the ABR to inject a default route. That reduces route-table size and limits update propagation, which matches the requirement to optimize routing tables and reduce routing updates between routers. EIGRP with multiple autonomous systems is not aligned with RFC 5340. BGP address families are useful in provider and MPLS VPN designs but are not the best internal route-optimization answer here. OMP is specific to Cisco SD-WAN, not a generic RFC 5340 routing design. Reference topics: OSPFv3, RFC 5340, stub areas, LSA reduction, SPF convergence.

The branch router should advertise the local LAN with the EIGRP network command and make the LAN-facing interface passive. A passive interface allows the connected network to be included in EIGRP advertisements while suppressing EIGRP hello packets and neighbor formation on that interface. This is exactly what the engineer needs: remote EIGRP neighbors learn the LAN subnet, but unnecessary multicast EIGRP messages are not sent onto the user LAN where no EIGRP neighbors should exist. Replacing EIGRP with a static default route would not meet the requirement to advertise the local LAN through EIGRP. Redistributing connected routes can work, but it is less clean for a simple LAN interface and can introduce external-route behavior or policy complexity. Advertising the subnet as a stub network does not suppress multicast hellos on the LAN interface by itself. Cisco design best practice is to use passive interfaces on LAN-facing interfaces that should be advertised but should not form routing adjacencies. Reference topics: EIGRP passive interface, network statements, branch routing, unnecessary neighbor prevention, multicast control traffic.

The correct choice is to use a distribute list outbound under the RIP process to stop EIGRP-learned prefixes from being advertised back into the RIP domain. In multipoint two-way redistribution, the major risk is route feedback: a route learned from one protocol is redistributed into another protocol and then reintroduced back into the original domain through another redistribution point. RIPv1 is especially limited because it is classful and has no native route tagging, so filtering must be carefully placed when route tags are unavailable. By filtering outbound advertisements under the RIP process, the design prevents routes that originated in the EIGRP domain from being sent into RIP where they could be relearned elsewhere and create loops or suboptimal paths. Inbound filtering on only one process does not reliably stop feedback at all redistribution points. A stronger modern design would use route tags with protocols that support them, but given the answer choices, outbound filtering toward RIP is the appropriate loop-prevention method. Reference topics: route redistribution, distribute lists, route feedback, RIPv1 limitations, EIGRP integration.

Enabling EIGRP stub routing on the spokes decreases convergence time in a hub-and-spoke design by reducing unnecessary queries and preventing spokes from being treated as transit routers. EIGRP convergence can be delayed when a router loses a route and must query many neighbors to determine whether an alternate path exists. In remote-site or spoke designs, a spoke normally has no useful alternate path for networks beyond itself, so querying it wastes time and can contribute to stuck-in-active conditions. Cisco EIGRP stub routing allows the spoke to advertise only permitted route types and informs upstream routers not to query the spoke for routes outside its scope. This creates a cleaner query boundary and accelerates convergence after link or route failures. Subsecond timers can detect neighbor loss more quickly, but they do not address the broader EIGRP query behavior shown in the design. Increasing hold or dead timers would slow detection, not improve convergence. Therefore, in the displayed hub-and-spoke EIGRP design, enabling stub routing on the spokes is the correct solution to decrease convergence time.

Making R2 active for half of the VLANs improves utilization by distributing first-hop gateway forwarding across both core routers. HSRP provides default-gateway redundancy by making one router active and another standby for a VLAN. If the same router is active for every VLAN, traffic from all downstream VLANs is forwarded through the same core path, which can leave some interfaces congested while parallel links on the standby side remain underused. Cisco campus designs commonly tune HSRP priorities per VLAN and align the active HSRP gateway with the spanning-tree root for that VLAN. This creates a deterministic load-sharing model while preserving gateway redundancy. Adding more interfaces may help capacity, but the question states that some downstream interfaces are already underutilized, so the issue is load distribution rather than absolute port count. A port channel is useful only when the topology supports bundling the specific links and does not by itself move gateway activity. RSTP improves convergence, not HSRP forwarding balance. Reference topics: HSRP load sharing, per-VLAN gateway placement, STP root alignment, campus capacity design.

VRRP advertisements are sent by the current master router and include priority information used by the backup routers to evaluate mastership. In VRRP, the master is the router actively forwarding for the virtual IP address. Backups listen for advertisements; if advertisements stop, the backup with the highest effective priority can become master. This is why the statement that advertisements are sent only from the master router is correct. The advertisement also carries priority information, which is used in election behavior and failover decisions. Standby or backup routers do not normally send VRRP advertisements while a master is active, so option A is incorrect. The default advertisement interval is not three seconds in standard VRRP behavior; three seconds is commonly associated with other first-hop redundancy defaults such as HSRP hellos. Although timer fields exist in protocol operation, the exam focus here is the master-only advertisement behavior and the priority carried in those advertisements. In campus gateway redundancy design, VRRP advertisements must be protected from loss or filtering because missed advertisements can cause unnecessary master transitions.

In-band management is the correct design because the management plan must reach all IP-enabled interfaces, and not every device has a dedicated management port. In-band management uses the production IP network for administrative access, allowing management stations to reach loopbacks, SVIs, routed interfaces, or front-panel interfaces through normal routing. Cisco management guidance distinguishes in-band management from out-of-band designs that depend on a separate physical management network or console path. Because the question requires reachability to all IP-enabled interfaces, in-band is the only listed model that naturally supports that scope. Security must still be enforced with encrypted protocols where supported, such as SSH and HTTPS, plus ACLs, AAA, and management-plane protection where appropriate. A terminal server provides console access, not routed IP management to every interface. A KVM server is a server-management tool, not a network-device management architecture. Out-of-band management is preferred for isolation, but it does not fit devices without dedicated management access. Reference topics: in-band management, secure management protocols, SSH, HTTPS, network management design.

MSTP is the correct spanning-tree choice for a Layer 2 design with many logical ports, multiple trunked VLANs, and a subsecond convergence requirement. Rapid PVST+ provides rapid convergence, but it creates a separate spanning-tree instance for every VLAN. With 30 VLANs on trunks and hundreds of active ports, the number of logical STP ports can grow quickly and increase CPU and memory load. MSTP maps many VLANs into a smaller number of spanning-tree instances while still using rapid convergence behavior based on IEEE 802.1w principles. This makes it more scalable for large Layer 2 domains than PVST+ or Rapid PVST+ when many VLANs are present. CST provides a single instance but lacks the flexibility and convergence characteristics expected in modern enterprise designs. The design needs both scalability and fast convergence, and MSTP is the standards-based protocol that best satisfies both requirements. Reference topics: MSTP, Rapid STP, logical STP ports, VLAN-to-instance mapping, Layer 2 scalability, convergence.

A scalable two-level IS-IS design uses Level 1 areas for internal campus routing and Level 2 for the interarea backbone. Each campus should have a unique IS-IS NET area value so the internal routers belong to that campus’s Level 1 area. Internal campus routers should be configured as Level 1 routers, which keeps detailed campus prefixes inside the local area and prevents unnecessary propagation of more-specific routes to other campuses. At the edge of each campus, routers that connect the campus to the backbone should operate as Level 1/Level 2 routers. These routers connect the local Level 1 area to the Level 2 backbone and can summarize or control routing information between levels. IS-IS does not use BDR routers; that is an OSPF term, so option A is invalid. Assigning the same NET value everywhere collapses the hierarchy and defeats the segregation goal. MTU differences are not a hierarchy or route-segmentation tool. Therefore, the design should use unique NET values per campus with Level 1 internal routers and Level 1/Level 2 routers at the campus edge.

OSPF with the hub in area 0 and branch routers in stub areas with ECMP is the best fit because the customer has multivendor branch routers with limited memory and CPU. EIGRP is not suitable in this case because the branch environment is multivendor and EIGRP is not the safest open-standard design choice for broad interoperability. IS-IS can be efficient, but it is less common for small DMVPN branch deployments and the option does not address the requirement for resource-constrained branch routing. eBGP route reflection is not technically correct, because route reflectors are an iBGP scaling mechanism. OSPF provides an open-standard dynamic routing solution, and placing branches in stub areas limits the amount of external routing information that low-resource branch routers must process. ECMP allows both equal 10-Mbps DMVPN paths to be used when equal-cost paths exist. This design reduces operational overhead compared with static routing while respecting the platform constraints at the spokes. Reference topics: OSPF branch design, stub areas, ECMP, DMVPN routing, multivendor interoperability, branch resource optimization.

When eBGP neighbors share the same autonomous system number, normal BGP loop-prevention behavior can block route acceptance because the receiving router sees its own AS in the AS_PATH. Two BGP features address this design condition. The allow-as-in feature permits a BGP router to accept routes even when its own AS appears in the AS_PATH a configured number of times. This is often used in dual-homed or migration designs where the same customer AS appears at multiple sites. The as-override feature is typically used by a provider edge router to replace the customer AS in the AS_PATH with the provider AS before advertising the route to another customer site that uses the same AS. Together, these features allow successful route exchange in same-AS eBGP scenarios while preserving loop-prevention intent through controlled policy. Advertise-best-external influences advertisement of best external paths and does not solve same-AS rejection. Bestpath as-path ignore affects path selection, not route acceptance. Client-to-client reflection is an iBGP route-reflector behavior, not an eBGP same-AS solution.

Network management traffic should be marked and treated as a dedicated operations class, not mixed into voice signaling or real-time queues. Cisco enterprise QoS design guidance commonly reserves DSCP CS2 for operations, administration, and management traffic such as SNMP, SSH, syslog, NTP, and other management flows. The question states that all eight queuing classes are already used, so the design should integrate management traffic into the closest existing class and validate that the queue has enough bandwidth. Option D is the best fit because it uses CS2 and requires baselining before allocating more bandwidth. CS6 is normally used for network control and routing protocols; using it for ordinary management traffic would compete with routing adjacencies and control-plane stability. CS5 and CS4 are also unsuitable because they are normally associated with video/signaling-related classes in many enterprise QoS models. The professional design action is to classify management traffic explicitly, mark it CS2 at the trust boundary, map it to the existing class, and then measure queue utilization before changing bandwidth allocations. Reference topics: Cisco QoS baseline, DSCP CS2, network management traffic, queue bandwidth design.

L2VPN is the correct solution because the customer requires point-to-point connectivity while preserving existing VLAN infrastructure. Cisco describes Layer 2 VPN services as emulating Layer 2 connectivity across a provider IP or MPLS backbone, commonly through Ethernet pseudowires or VPWS. This allows sites such as dispersed data centers and a colocation facility to exchange Ethernet frames as if they were directly connected at Layer 2. The design is especially useful when data center synchronization, backup workflows, or application dependencies require VLAN continuity or minimal changes to existing addressing and routing. L3VPN would provide routed connectivity and VRF separation, but it would not preserve the VLAN-based service model. GRE would add an overlay tunnel but would not natively provide provider-managed Layer 2 service. DMVPN is designed for scalable Layer 3 IPsec/GRE overlays between branches, not for VLAN extension or point-to-point data center interconnect. Reference topics: L2VPN, VPWS, Ethernet pseudowire, VLAN extension, data center interconnect, WAN service design.

Cisco SD-WAN is the correct solution when the design must use internet circuits at each site while providing failover, load sharing, and QoS. Basic IPsec tunnels can encrypt traffic, but they do not by themselves provide a complete WAN architecture for path measurement, dynamic traffic steering, centralized policy, application-aware routing, or scalable operational control. Cisco SD-WAN builds secure overlay tunnels across available transports and continuously measures path characteristics such as loss, latency, and jitter. It can then steer applications according to SLA policy, use multiple circuits for active/active forwarding, and fail traffic over when a path degrades or fails. QoS can be applied consistently through templates and policy across the WAN Edge routers. GET VPN is best suited to private MPLS-style networks and does not address internet-circuit overlay orchestration in the same way. Traditional DMVPN is a valid dynamic VPN technology, but SD-WAN is the more complete resilient internet-WAN design for these requirements. Reference topics: Cisco SD-WAN, internet transport, application-aware routing, failover, load sharing, QoS.

Dual-stack is the correct IPv6 migration technique because the DWDM devices provide Layer 2 transport between routers that already support both IPv4 and IPv6. Layer 2 transport is generally transparent to IPv6 because it forwards Ethernet frames rather than participating in Layer 3 routing. The routers at the ends of the DWDM circuit can peer directly over the Layer 2 service and run IPv6 in parallel with IPv4, while mail servers can also retain IPv4 reachability during the migration. Cisco dual-stack migration guidance uses simultaneous IPv4 and IPv6 operation to support phased application and host transition with minimal tunneling overhead. 6to4, ISATAP, and 6rd are tunneling or transition mechanisms used when IPv6 islands must cross IPv4-only routed infrastructure. In this case, the limiting devices are in the transport layer and do not need to route IPv6. Deploying dual-stack on the capable routers and servers is simpler, more transparent, and avoids unnecessary encapsulation. Reference topics: IPv6 dual-stack migration, Layer 2 transparency, IPv6 over Ethernet, tunneling avoidance, phased migration.

Advertising more-specific prefixes toward the preferred service provider is the correct way to influence inbound traffic to enter through a chosen CE interface. BGP inbound path control is indirect: the enterprise cannot set local preference inside remote autonomous systems, and MED is honored only under specific provider policies. The most deterministic option available to the customer is to advertise a longer-prefix route to the preferred provider because Internet and BGP route selection generally prefer the longest matching prefix before BGP path attributes are considered. If the aggregate is advertised to both providers but a more-specific route is advertised to the provider connected to gig0/0, return traffic for that more- specific destination is attracted through that interface. Lowering MED toward the less preferred provider is the opposite of the desired effect. AS-path prepending toward the preferred provider would make that path less attractive. Local preference affects outbound path selection inside the local AS, not inbound traffic from external networks. Reference topics: BGP inbound traffic engineering, longest-prefix match, route aggregation, AS-path prepending, MED, local preference.

The design combines Dual-Stack Lite from the devices toward the core MPLS network and NAT44/64 from the MPLS network toward the Internet gateway router. The requirements describe IPv6-facing clients that still need access to IPv4 services and DNS behavior that allows the same service name to be reached during migration. Dual-Stack Lite carries IPv4 customer traffic across an IPv6 access or provider network by tunneling IPv4 packets over IPv6 toward a provider translation point. NAT44/64 services then provide translation or address-family interworking for IPv4-only resources. This combination is used when customer-facing access moves to IPv6 while legacy IPv4 services remain reachable during transition. A simple IPv6 tunnel from devices to the MPLS core does not provide the required IPv4 service translation. Using only NAT44/64 from end devices also shifts complexity to clients rather than placing translation at the network edge. The selected choices match the staged migration model: IPv6 transport with encapsulation in the access/core side and translation at the provider or gateway boundary. Reference topics: IPv6 transition, DS-Lite, NAT64, DNS64, IPv4-over-IPv6 tunneling.

PortFast is the correct functionality for the Gi1/0/1-10 interfaces when those ports are endpoint-facing access ports. Cisco spanning-tree design uses PortFast to allow edge ports to transition directly to the forwarding state, avoiding the normal listening and learning delay associated with traditional STP convergence. That improves user and endpoint connectivity after link-up events and is especially important for workstations, phones, printers, and access devices that should not participate in the Layer 2 topology. Root guard and BPDU guard are protection features, not the primary convergence optimization requested by the architect. UplinkFast was used in older STP designs to accelerate recovery for access switches with redundant uplinks, but it is not the edge-port functionality for interfaces Gi1/0/1-10. In a modern design, PortFast should be enabled only on true host-facing ports, normally together with BPDU guard to protect against accidental switch attachment. If the exhibit shows these interfaces as end-user access ports, PortFast is the feature that follows the recommendation to optimize STP convergence time. Reference topics: STP PortFast, edge-port convergence, BPDU guard, Layer 2 campus design.

Integrated Services is the QoS model that allows an application to signal its traffic requirements to the network and request specific service treatment. Cisco QoS guidance distinguishes IntServ from DiffServ by explaining that IntServ follows a signaled-QoS model, while DiffServ uses provisioned per-hop behavior based on markings. IntServ uses RSVP to reserve resources along the end-to-end path. That reservation process allows the network to admit or deny the flow based on available bandwidth and policy, which is why IntServ aligns with applications that require consistent and dedicated bandwidth. DiffServ is much more scalable and widely deployed in enterprise networks, but it does not provide per-flow resource reservation by itself. LLQ is a queuing mechanism commonly used inside a DiffServ design for delay-sensitive traffic such as voice. WRED is a congestion-avoidance technique, not an end-to-end reservation architecture. Because the question explicitly says that the application informs the network of its traffic profile and requests a service level, the correct QoS architecture is IntServ.

The default MTU should be increased in the Cisco SD-Access fabric underlay. SD-Access data-plane traffic uses VXLAN encapsulation, and VXLAN adds overhead beyond the original endpoint frame. If the underlay remains at a standard 1500-byte MTU, encapsulated packets can fragment or be dropped, especially when applications set the DF bit. Cisco SD-Access design guidance therefore calls for an increased underlay MTU so the fabric can carry overlay-encapsulated traffic cleanly. Reducing subnets is an overlay simplification topic, not an underlay MTU consideration. The number of supported control-plane nodes is a scale and availability design consideration, not the key underlay requirement in this question. Unified policy is part of fabric policy and segmentation, not underlay transport readiness. A professional SD-Access underlay design validates routed reachability, loopback advertisements, IGP operation, redundant paths, and MTU end to end before enabling the overlay. The MTU setting is critical because a stable underlay must transport LISP control-plane traffic and VXLAN data-plane traffic without fragmentation. Reference topics: SD-Access underlay, VXLAN overhead, MTU design, fabric transport readiness.

Gateway Load Balancing Protocol is the first-hop redundancy protocol that provides load balancing while presenting a single default gateway IP address to hosts. Cisco’s GLBP documentation states that GLBP “provides load balancing over multiple routers using a single virtual IP address and multiple virtual MAC addresses.” That wording directly matches the requirement in the question. In a GLBP group, the active virtual gateway answers ARP requests for the virtual IP address and can return different virtual MAC addresses associated with active virtual forwarders. As a result, multiple routers forward traffic for the same subnet rather than leaving one router idle during normal operation. HSRP and VRRP provide first-hop redundancy, but their basic operation uses one active or master forwarding device for a virtual IP at a time unless multiple groups are manually engineered per VLAN. IRDP is not the Cisco campus FHRP used for this design. Therefore, when the requirement is automatic load balancing across multiple routers using one virtual IP and multiple virtual MAC addresses, GLBP is the correct protocol.

BFD with tuned timers is the correct fault-detection solution when OSPF traffic must fail over in milliseconds and cannot wait for the OSPF dead interval. Cisco describes Bidirectional Forwarding Detection as a lightweight mechanism that detects forwarding-path failures rapidly and notifies the routing protocol. OSPF can then bring down the adjacency and switch to an alternate route without waiting for the normal hello and dead timer process. Tuning SPF delay or LSA timers improves the control-plane calculation phase after OSPF has learned about a failure, but it does not provide the fastest failure detection by itself. IP SLA tracking can detect reachability problems, but it is not the standard per-neighbor OSPF millisecond detection mechanism. Decreasing SPF timers alone does not solve the requirement to avoid waiting for the dead interval. Therefore, BFD with appropriate 100 ms timers is the correct design choice. Reference topics: OSPF high availability, BFD, fast failure detection, dead interval avoidance, subsecond convergence.

LTE is the most appropriate backup WAN option for remote sites that already rely on microwave links. A backup transport should use a different failure domain from the primary service; LTE provides carrier wireless connectivity that is operationally separate from the customer’s microwave infrastructure. It is widely available, fast to deploy, and suitable as an out-of-band or secondary WAN path for branch continuity. WiMAX is an older metropolitan wireless technology and is not the preferred current enterprise backup choice. A laser link is another line-of-sight technology and can suffer from similar environmental and alignment constraints as microwave, so it is a weaker diversity option. Bluetooth is a short-range personal-area technology and is not a viable WAN backup for enterprise branches. LTE also integrates well with SD-WAN, IPsec VPN, and routing-based failover designs. In a resilient WAN architecture, the architect should validate signal quality, carrier coverage, data plan, antenna placement, NAT behavior, and whether the backup link must support dynamic routing, VPN encryption, and QoS for critical traffic during failover.

Implementing direct Internet access at every Cisco SD-WAN site improves application experience and reduces unnecessary backhaul. Many modern business applications are hosted in SaaS or public cloud environments. If branch Internet traffic must hairpin through a central data center before reaching those applications, latency increases and central WAN or security stacks can become bottlenecks. SD-WAN DIA allows selected cloud and Internet-bound traffic to exit locally while still applying policy, segmentation, and security controls. This decreases latency to applications hosted by public cloud providers and improves user experience. It also alleviates traffic on MPLS circuits because Internet and cloud traffic no longer needs to consume private WAN bandwidth back to a centralized egress point. DIA does not inherently reduce the physical latency of an Internet circuit, and it does not increase the provisioned circuit bandwidth. Zero-touch provisioning may accelerate site deployment, but that is a separate SD-WAN onboarding benefit rather than a specific benefit of deploying DIA at every site. Therefore, the two correct benefits are reduced latency to public cloud applications and reduced load on MPLS circuits.

GETVPN is the correct transport-encryption design for this environment. The company is using a private MPLS-based service and requires encryption without maintaining permanent point-to-point tunnels. GETVPN was designed for private WAN environments where routing remains native and packets are encrypted without adding GRE or IPsec tunnel overlays between every pair of sites. It uses group-based keying, typically with key servers that distribute security policy and rekey material to group members. That supports dynamic key rotation and spoke-to-spoke communication while avoiding the operational burden of building and maintaining individual tunnels. DMVPN also supports dynamic spoke-to-spoke tunnels, but it is still a tunnel overlay using mGRE, NHRP, and IPsec, and it is usually selected for Internet or mixed transport overlays. Standard IPsec VPN requires maintaining tunnel relationships, and GRE VPN alone does not provide encryption. GETVPN therefore best matches tunnel-less encryption across a private MPLS WAN with centralized security policy and direct site-to-site forwarding. Reference topics: GETVPN, group encrypted transport, tunnel-less IPsec, private MPLS WAN encryption, group keying.

The company must prevent itself from advertising routes learned from one ISP to the other ISP. If it receives full Internet tables from both providers and then re-advertises those learned prefixes, it can unintentionally become a transit autonomous system. The proper BGP design is to apply outbound route policy so only the company’s own originated prefixes are advertised to the ISPs, while routes learned from ISP1 are never advertised to ISP2 and routes learned from ISP2 are never advertised to ISP1. A route map or equivalent prefix filtering policy applied outbound to the ISP neighbors achieves that goal. Local preference influences outbound path selection inside the company AS; it does not prevent transit advertisements. MED influences how a neighboring AS may enter the company network, but it does not stop the company from advertising third-party routes. Tagging incoming routes with no-export is not as deterministic as simply filtering what is advertised to each provider and may still allow undesirable routing behavior within the directly connected provider. Therefore, the design should include outbound route filtering with a route map.

The correct answer is bidirectional PIM. Cisco describes bidirectional PIM as a multicast mode designed for many-to-many applications where traffic is forwarded only along a shared tree rooted at the rendezvous point. Unlike traditional PIM Sparse Mode, BIDIR-PIM does not build source-specific shortest-path trees for each active source. That design reduces multicast state in the network because routers maintain group state rather than separate source and group state for every sender. PIM Sparse Mode initially uses a shared tree through the RP, but it can switch to source trees after receivers and routers learn the active source. Dense mode floods and prunes and is not a shared-tree-only model. Source-specific multicast explicitly uses source-specific joins and does not use an RP-based shared tree. The wording “shared tree only” is the key distinction: BIDIR-PIM is built for scalable many-to-many multicast, accepts some non-shortest-path forwarding tradeoff, and avoids per-source state growth. Therefore, the stored answer must be corrected to bidirectional. Reference topics: BIDIR-PIM, shared trees, rendezvous points, many-to-many multicast scaling, PIM-SM source-tree behavior.

UplinkFast is the correct spanning-tree feature for faster convergence after an uplink failure in a classic STP access-layer design. UplinkFast is designed for access switches that have redundant uplinks toward the distribution layer. When the primary root port fails, UplinkFast allows an alternate blocked uplink to transition rapidly to forwarding, reducing the outage compared with standard 802.1D timer-based convergence. PortFast is used on edge ports connected to end hosts, not on switch-to-switch uplinks. Loop Guard protects against unidirectional failures or missing BPDUs on non-designated ports, but it does not accelerate recovery from an access uplink failure. BackboneFast helps when an indirect link failure is detected elsewhere in the topology, but the described failure is directly between SW1 and SW2. The design objective is the fastest possible convergence during that direct uplink loss, which matches UplinkFast in a traditional STP environment. Reference topics: Spanning Tree Protocol, UplinkFast, access-layer redundancy, root port failover, Layer 2 convergence.

Hierarchical QoS with a parent shaping policy is the correct solution for a 1 Gbps physical handoff where the contracted provider rate is only 50 Mbps. The customer router can transmit at the physical interface speed, but the provider policer or service edge expects traffic to remain within the committed information rate. Without shaping, bursts leave the customer router at 1 Gbps and can be dropped by the provider, which is especially damaging to voice traffic because drops and jitter create choppy audio. Cisco QoS design commonly uses a parent shaper set to the provider CIR and then applies child queuing policies under that shaped rate. This allows voice and other critical classes to be prioritized before packets are transmitted into the constrained service. A parent policing policy would drop or mark excess traffic locally rather than smoothing bursts. Reducing physical bandwidth is not normally possible on a provider Ethernet handoff, and the interface bandwidth statement changes routing/QoS reference values but does not enforce the CIR. Therefore, parent shaping is required. Reference topics: hierarchical QoS, traffic shaping, CIR, LLQ, WAN edge QoS.

GET VPN is the correct private WAN encryption technology when traffic must always be encrypted, multicast must be supported, forwarding overhead must be reduced, and security management must be centralized. Cisco Group Encrypted Transport VPN protects traffic over a private WAN without building traditional point-to-point or multipoint tunnel overlays. Because it preserves the original IP header, the provider or enterprise routing core can still make normal forwarding decisions, and multicast, QoS, and routing behavior are easier to preserve than with heavy tunnel overlays. GET VPN uses a key server model to centralize group policy and distribute encryption keys to group members. This reduces the operational burden of maintaining many permanent tunnels. DMVPN supports multicast through GRE and provides dynamic tunnels, but it adds tunnel encapsulation overhead and does not meet the reduced-overhead private WAN requirement as cleanly. Plain mGRE lacks the full centralized group encryption model. Reference topics: GET VPN, group encryption, private WAN security, multicast support, key server, tunnel-less IPsec.

A totally stubby OSPF area is the best choice for a small remote site with low-end routers and no requirement to carry transit traffic. A standard stub area blocks Type 5 external LSAs, but it still receives interarea Type 3 summary LSAs. A totally stubby area goes further by blocking external routes and most interarea summary routes, while allowing a default route to be injected by the ABR. That greatly reduces LSDB size, SPF processing, memory use, and routing-table entries on the low-end routers. The remote site still has full connectivity to the rest of the OSPF domain through the default route. NSSA and totally NSSA designs are useful when the area must inject external routes from an ASBR inside the area, but the question does not state that the remote site needs redistribution. A regular stub area is acceptable but does not minimize resources as much as a totally stubby area. Because there is no demand for traffic to pass through this area, the most efficient Cisco design is totally stubby. Reference topics: OSPF stub areas, totally stubby area, default routing, LSDB reduction, branch OSPF design.

DMVPN is preferred over individually configured point-to-point IPsec tunnels when a company has many branches because it scales the overlay more efficiently. A traditional IPsec tunnel design requires manual or template-based tunnel definitions for every required site-to-site relationship. As branches increase, tunnel count, configuration complexity, and operational overhead grow quickly. Cisco DMVPN combines multipoint GRE, NHRP, and IPsec so spokes can register with the hub and dynamically discover next-hop information for other spokes. This supports a hub-and-spoke control model while allowing dynamic spoke-to-spoke data tunnels when branch-to-branch traffic is required. That is why greater scalability and dynamic spoke-to-spoke tunnel creation are the two design advantages. AES-256 encryption is not unique to DMVPN because normal IPsec can also use strong encryption. Anycast gateway is unrelated to DMVPN WAN overlay design. Lower traffic overhead is not the best answer because DMVPN adds mGRE, NHRP, and IPsec encapsulation overhead; its advantage is operational scalability and dynamic tunnel establishment.

In a Cisco SD-Access fabric, DHCP relay design must account for the fact that endpoints can attach to different fabric edge nodes while using consistent anycast gateway behavior. DHCP Option 82 is important because it inserts relay-agent information that allows the DHCP infrastructure to identify where the DHCP request originated. This enables the correct address scope and policy context to be selected for the endpoint even when the gateway address is anycast across multiple fabric edges. Cisco SD-Access DHCP guidance emphasizes the use of relay information so centralized DHCP services can assign the correct address based on fabric location and endpoint context. DHCP relay is not simply enabled on border nodes, and subnets should not be stretched across fabric edges by placing DHCP servers on borders. DHCP servers do not require a special proprietary SD-Access extension in the sense described by the incorrect option; they use standard relay information such as Option 82. Therefore, the key design consideration is enabling DHCP Option 82 so the circuit information maps the request to the fabric node where it originated.

EIGRP with branch routers configured as stubs and equal-cost multipath is the best fit for this hub-and-spoke DMVPN design. The branch routers have limited memory and CPU resources, so they should not be forced to maintain unnecessary topology information or answer broad queries from the rest of the network. EIGRP stub routing limits the routes a branch advertises and prevents it from being used as a transit path, which reduces query scope and improves stability. Because the two internet links are both 100 Mbps, equal-cost multipath can use both links for active forwarding during traffic spikes. OSPF can operate over DMVPN, but a single area or hub-and-spoke design may create more overhead and less efficient query containment for small branch routers. IS-IS is less common for this WAN overlay use case, and iBGP with route reflectors can scale but does not natively consider link utilization or provide the same simple branch stub behavior. Reference topics: EIGRP stub, DMVPN, ECMP, branch routing, query containment, WAN convergence.

VRRP object tracking allows the effective priority of a VRRP router to change when a tracked object changes state. Cisco documentation states that VRRP object tracking ensures the best VRRP router is master by altering VRRP priorities according to tracked objects such as interface or IP route states. This directly supports answer A. It also supports answer D, because VRRP can track interfaces and routes through the tracking process. The priority does not have to remain fixed; object tracking is specifically designed so a router can lower its priority when an uplink, route, or critical dependency fails. A VRRP group is not limited to one tracked object in modern Cisco implementations, so option C is too restrictive. VRRP does not support only interface tracking; route tracking is also a common use case, especially when the LAN interface is still up but upstream reachability has failed. In a resilient campus or branch gateway design, object tracking prevents a router from remaining master when it no longer has a valid upstream path, improving deterministic failover.

Easy Virtual Network is the best fit when a campus needs many Layer 3 virtual networks with separate addressing and routing tables but wants lower operational overhead than manually configuring VRF-Lite everywhere. EVN builds on VRF concepts and simplifies virtualization across a hop-by-hop campus design by reducing repetitive configuration and enabling consistent virtual network transport across participating devices. Each virtual network maintains its own routing context, which supports overlapping addressing and segmentation. Hop-by-hop VRF-Lite can provide similar forwarding separation, but it becomes operationally heavy as the number of VRFs grows because each trunk, routing process, and interface association must be configured and maintained manually. Multihop MPLS can scale, but it introduces provider-style complexity and may require features or skills beyond a typical campus requirement. Multihop IPsec tunneling is not an efficient campus segmentation solution for hundreds of virtual networks. Therefore, EVN is the recommended design for scalable Layer 3 virtualization with simpler configuration and management. Reference topics: campus virtualization, Easy Virtual Network, VRF separation, scalable virtual networks, route isolation.

Cisco SD-WAN components map to distinct control, management, orchestration, and forwarding roles. vManage is the centralized management plane used for configuration templates, monitoring, software management, and operational visibility. vSmart is the centralized control-plane component that distributes OMP routes, TLOC information, security parameters, and centralized policy to WAN Edge devices. vBond is the orchestration component used during onboarding; it authenticates devices, helps them discover controllers, and assists with NAT traversal. The WAN Edge router, whether physical or virtual, forms the data plane at the branch, campus, or data center and forwards user traffic through secure overlay tunnels. Correctly identifying these roles is essential because SD-WAN scale and resiliency depend on separating management, control, orchestration, and forwarding responsibilities. A design that confuses vManage with vSmart or vBond will misplace policy, onboarding, and forwarding functions. Reference topics: Cisco SD-WAN architecture, vManage, vSmart, vBond, WAN Edge, OMP, overlay control plane.

The correct code snippet must use a secure HTTPS-based RESTCONF transaction with the YANG JSON media type. The requirement explicitly states that the content type is application/yang-data+json and that the connection to the network device must be secured. In Cisco IOS XE programmability, RESTCONF uses HTTP methods against YANG-modeled resources, and secure deployments use HTTPS rather than clear-text HTTP. A loopback interface with address 172.16.15.12/32 would be configured by sending a JSON payload that follows the selected YANG model structure, commonly an IETF or Cisco native interface model, with the correct content-type and authentication headers. The key security indicator in the option must therefore be HTTPS/TLS, not an insecure HTTP URL or a non-YANG content type. NETCONF over SSH would also be secure, but the stated content-type points to RESTCONF with JSON encoding. Option A is the valid snippet because it aligns the payload format with a secure transport. Reference topics: RESTCONF, YANG JSON encoding, application/yang-data+json, HTTPS, IOS XE programmability.

NETCONF: SSH-based; built to support candidate configuration. RESTCONF: HTTPS-based; lacks support for two-phase commit transactions.

NETCONF and RESTCONF both use YANG data models, but they use different transport and transaction behaviors. NETCONF is traditionally SSH-based and was designed as a network configuration protocol with datastore concepts such as running, startup, and candidate configuration where supported. The candidate datastore enables staged configuration changes and a commit workflow, which is useful for transactional network changes. RESTCONF exposes YANG-modeled resources through an HTTP-based REST interface, typically protected with HTTPS. It is simpler for web-style application integration because it uses familiar HTTP methods, URIs, and payload encodings such as XML or JSON. However, RESTCONF does not provide the same full two-phase commit transaction model associated with NETCONF candidate configuration workflows. Therefore, the correct mapping is that NETCONF is SSH-based and built to support candidate configuration, while RESTCONF is HTTPS-based and lacks support for two-phase commit transactions. In Cisco programmability design, NETCONF is often selected for robust configuration transactions, whereas RESTCONF is often selected for simpler API-driven integration.

Loop guard should be used on SW2 to reduce the chance of Layer 2 forwarding loops caused by a unidirectional fiber failure. In spanning-tree operation, a root or alternate port expects to receive BPDUs from the designated bridge. If BPDUs stop arriving because the fiber becomes unidirectional, the port may incorrectly assume that the path is no longer receiving a superior BPDU and transition toward forwarding. Cisco loop guard prevents this by moving the port into a loop-inconsistent state when BPDUs are unexpectedly lost on a non-designated port. That behavior protects the topology from a port role change that could create a Layer 2 loop. BPDU filter is dangerous in this context because it can suppress BPDUs and hide the control-plane signal STP needs. BPDU guard is mainly for PortFast edge ports that should never receive BPDUs. Root guard prevents superior BPDUs from changing root placement, but it does not address unidirectional loss of expected BPDUs. Therefore, loop guard on SW2 is the proper design control. Reference topics: STP loop guard, unidirectional fiber failure, BPDU loss, loop-inconsistent state, Layer 2 resiliency.

The fabric management plane in Cisco SD-Access enables automation techniques for device deployment and configuration. Cisco DNA Center, now commonly referenced as Cisco Catalyst Center, provides the management-plane capabilities used to automate underlay deployment, discover and provision devices, create fabric sites, assign roles, deploy virtual networks , and push policy-driven configurations. LISP-based endpoint identifiers and EID-to-RLOC mappings belong to the fabric control plane, not the management plane. IS-IS underlay routing is part of underlay network design and operation, not the management-plane function itself. The management plane exists so administrators do not have to build every fabric role, network segment, and policy manually on each individual device. In a well-designed SD-Access deployment, management-plane automation reduces configuration drift, accelerates site onboarding, and provides a consistent operational model across the campus fabric. Reference topics: Cisco SD-Access management plane, Cisco Catalyst Center, automation, device provisioning, fabric deployment, policy orchestration. It also provides the operational interface for assurance, inventory, and repeatable change control across the fabric.

Intermittent DMVPN tunnel flaps are commonly caused by reachability problems between routing neighbors or between the tunnel endpoints that support those neighbors. DMVPN depends on several layers working correctly: the underlay transport, GRE tunnel interface, NHRP registration and resolution, IPsec protection if used, and the routing protocol running across the tunnel. If the routing neighbor cannot remain reachable, the tunnel may appear to flap even though the encryption profile itself is not the root cause. A suboptimal routing table can produce poor forwarding or asymmetric traffic, but it is not the most common direct cause of repeated tunnel up/down events. Bandwidth congestion can degrade performance, but a correctly designed tunnel does not flap merely because utilization is high unless keepalives, NHRP, or routing packets are being lost. The fact that a GRE tunnel is not encrypted is a security design problem, not a tunnel-flap cause. The right troubleshooting posture is to verify stable underlay reachability, tunnel interface state, NHRP mappings, and routing adjacency stability before assuming an IPsec encryption failure.

Weighted Random Early Detection is the QoS congestion-avoidance feature that responds to early congestion by selectively dropping packets before a queue becomes completely full. WRED can use packet markings, such as IP precedence or DSCP, to determine drop probability, so lower-priority traffic can be dropped earlier than higher-priority traffic. This helps TCP-based applications slow down before tail drop causes large synchronized retransmissions. CBWFQ is a queuing and bandwidth-allocation mechanism; it classifies traffic into queues and assigns bandwidth, but it is not specifically the feature that randomly drops lower-priority packets during congestion. Tail drop drops packets only when the queue is full and does not intelligently prefer lower-priority traffic. Strict priority queuing protects delay-sensitive traffic by servicing a priority queue first, but it does not provide weighted random early discard behavior. In Cisco QoS design, WRED is used as a congestion-avoidance mechanism, especially for TCP traffic classes where early packet drops can reduce global synchronization and protect higher-priority classes.

The design must influence how EIGRP-learned routes are injected into the OSPF domain, so R2 should redistribute EIGRP into OSPF as metric-type E1 and R3 as metric-type E2. Cisco OSPF documentation distinguishes external Type 1 and Type 2 routes. An E1 route includes the external cost plus the internal OSPF cost to reach the ASBR, while an E2 route uses only the external metric. Cisco path selection prefers O E1 over O E2 for the same external destination. Therefore, making R2 advertise the EIGRP routes as E1 causes OSPF routers to prefer R2 as the exit toward the EIGRP domain. Option C adjusts OSPF-to-EIGRP redistribution, which is the wrong direction for traffic passing toward EIGRP from OSPF. Removing redistribution on R3 would reduce redundancy. Option D reverses the preference and would favor R3. Reference topics: OSPF external route types, EIGRP-to-OSPF redistribution, ASBR preference, E1 versus E2 metrics.

The most efficient campus design aligns the active first-hop gateway with the Layer 2 forwarding path. In a traditional access-distribution topology using STP and HSRP, traffic should not cross the distribution-to-distribution link simply because the HSRP active gateway is on the opposite distribution switch from the STP forwarding path. Cisco campus design guidance stresses aligning the STP root bridge with the active FHRP gateway so hosts forward northbound traffic directly to the distribution switch that owns the optimal Layer 2 path. Reconfiguring distribution switch A to become the HSRP active device fixes the asymmetric and inefficient traffic flow in the exhibit. Adding a link between access switches would extend the Layer 2 domain and increase loop-prevention complexity, not improve the northbound default-gateway path. Changing the distribution interconnect to a routed link may be valid in a routed-access redesign, but it is not the targeted correction for this Layer 2/FHRP misalignment. An EtherChannel between distribution switches only increases interswitch capacity; it does not remove the unnecessary hairpin path caused by the wrong active gateway.

The YANG module mapping follows the distinction between standards-based, vendor-neutral, and vendor-native data models. IETF YANG models are standards-driven and are appropriate when the design goal is protocol-level interoperability across vendors for common network functions. OpenConfig models are also vendor-neutral, but they are developed by the OpenConfig community and commonly use a structured separation between intended configuration and operational state. Cisco native models expose platform-specific Cisco IOS XE, IOS XR, or NX-OS capabilities and are often the most complete option when a feature is unique to a Cisco operating system. The selected drag-and-drop answer aligns each characteristic with the model family that owns that behavior. In a professional automation design, the engineer should not choose a model only because it is familiar. The correct choice depends on feature coverage, device support, platform release, schema stability, and whether the workflow must operate consistently across vendors. For multivendor intent, choose IETF or OpenConfig first; for Cisco-specific feature depth, use Cisco native models. Reference topics: YANG, IETF models, OpenConfig, Cisco native models, NETCONF and RESTCONF automation.

NBAR2 should be used to identify the affected cloud applications and then allocate bandwidth according to the measured application requirements. Modern collaboration suites often use dynamic ports, encrypted sessions, and multiple flows for voice, video, messaging, file sharing, and screen sharing. Classifying them only by static ports is unreliable and can misclassify traffic, especially when applications change transport behavior or use shared cloud endpoints. Cisco NBAR2 provides application recognition beyond basic port matching and can classify traffic by application signatures. Once the applications are identified, the QoS policy can be adjusted to give the required bandwidth, priority, or queue treatment. Reserving bandwidth only on perimeter routers is incomplete if congestion occurs elsewhere in the WAN path. Rate-limiting the applications would likely make the user experience worse. The key problem is that the existing policy works for other applications but not these cloud-based tools, so the first design step is accurate application visibility and classification. NBAR2 provides that visibility and supports a more precise QoS policy. Reference topics: NBAR2, application-aware QoS, cloud collaboration traffic, DSCP classification, bandwidth allocation.

The VPN drag-and-drop answer distinguishes Layer 2 VPN, Layer 3 VPN, and encrypted overlay VPN behavior. VPWS provides a point-to-point Layer 2 service, while VPLS provides multipoint Layer 2 Ethernet service across a provider core. MPLS Layer 3 VPN provides routed private WAN connectivity with provider-managed VPN routing and forwarding separation. GRE and DMVPN are overlay technologies that can carry multicast and dynamic routing protocols; DMVPN adds NHRP and multipoint GRE to scale hub-and-spoke and spoke-to-spoke designs. IPsec provides encryption and integrity for traffic over untrusted transport, but native policy-based IPsec does not carry multicast without an additional overlay such as GRE. GET VPN encrypts traffic across a private routed WAN without building permanent point-to-point tunnels and is often used where multicast and dynamic routing should remain visible to the transport. The selected mapping aligns each VPN type with its forwarding model, scale characteristics, and encryption behavior. In design, the correct VPN choice depends on whether the requirement is Layer 2 extension, routed private connectivity, dynamic spoke-to-spoke tunnels, or private WAN encryption. Reference topics: VPN design, VPLS, VPWS, DMVPN, IPsec, GET VPN.

VPLS is the appropriate design model when multiple remote sites must appear to share the same Layer 2 segment. Because all sites use the same IP subnet, the solution must preserve a common broadcast domain rather than require Layer 3 route exchange between unique subnets. Cisco VPLS provides multipoint Layer 2 VPN service across a provider network, allowing customer edge devices at different sites to communicate as though they were attached to the same Ethernet LAN. Including 802.1Q connectivity on the LAN-facing side of the CE is the practical requirement because the CE must carry the relevant VLAN toward the provider-delivered VPLS service. Route exchange with the provider is not the main mechanism because VPLS is a Layer 2 service. NAT would hide overlapping addressing, but it would defeat the requirement to keep the same subnet operational across the sites. Placing each site in a different VLAN would also break the shared-subnet design. The correct design is therefore VPLS with VLAN tagging on the CE LAN side. Reference topics: VPLS, Layer 2 VPN, 802.1Q trunking, shared subnet extension, Ethernet WAN design.

MSDP is the correct technology when a large multicast design uses multiple PIM Sparse Mode domains and needs to exchange active source information between those domains. Cisco describes Multicast Source Discovery Protocol as the mechanism used by RPs in different PIM-SM domains to learn about multicast sources outside their own domain. When a source becomes active, the local RP can advertise Source-Active information to MSDP peers, allowing receivers in other domains to discover and join that source. This supports domain separation and can help balance multicast control-plane scope in large networks. DVMRP and MOSPF are legacy multicast routing approaches and are not the design mechanism for modern PIM-SM domain interconnection. IGMP is used between hosts and local multicast routers for receiver membership signaling; it does not exchange source information between multicast domains. Therefore, a design with more than 100 routers, several multicast domains, and PIM-SM traffic balancing should include MSDP. The architect should also design RP placement, Anycast RP behavior, peer mesh scaling, and source filtering. Reference topics: MSDP, PIM-SM domains, Source-Active messages, interdomain multicast.

An out-of-band management network should be isolated from the production data network and protected with strict access control. Cisco SAFE design principles treat the management plane as a sensitive function because it provides administrative access to infrastructure devices. Isolation ensures that production outages, routing problems, or compromised user segments do not automatically remove the operator’s ability to manage routers, switches, firewalls, and controllers. Access control ensures that only authorized administrators and management systems can reach the management interfaces and protocols. The management network should not be treated as a backup data path, because that undermines separation and can expose management devices to production traffic risks. It should also not be used as a general-purpose data backup network. “Facilitate network integration” is too vague and can conflict with the isolation requirement. Therefore, the best practices are to enforce access control and ensure network isolation. In a mature design, this normally includes dedicated management interfaces or VRFs, jump hosts, AAA, logging, and tightly controlled management protocol access.

OpenConfig separates intended configuration from operational state by using separate config and state containers, while many IETF and Cisco native models use a single hierarchy for configuration and operational data or expose operational data differently. This distinction is important in automation because the client must know whether it is writing desired configuration or reading actual device state. OpenConfig’s structure was designed to provide consistent multivendor modeling, with configuration data placed under config containers and observed state under state containers. Cisco native models tend to mirror the Cisco device CLI and feature hierarchy more closely, while IETF models focus on standards-based interoperability. Option B correctly states the contrast presented in the question. Option A reverses the relationship. Option C incorrectly assigns split containers to IETF and native models. Option D incorrectly isolates Cisco native models as the only split-container style. Reference topics: YANG model structure, OpenConfig config and state containers, IETF YANG, Cisco native models, network automation data modeling.

For model-driven telemetry with periodic updates, the architect must understand that each periodic update sends the subscribed data at the configured interval. Cisco telemetry guidance distinguishes periodic subscriptions from on-change subscriptions. A periodic subscription streams a full copy of the subscribed data element or table at each interval, even if the underlying state has not changed. That behavior is useful when the collector needs regular time-series samples, trending, or baseline monitoring, but it creates predictable bandwidth and collector-load requirements. On-change subscriptions are different: they publish updates when the subscribed state changes and are more efficient for state changes such as interface status, memory thresholds, or protocol adjacency m ovement. Empty subscription behavior and initial update timing may matter in specific implementations, but they are not the main design consideration in this question. Since the customer requires periodic updates, the design must size the transport, collector, retention system, and subscription intervals around repeated full data delivery. Reference topics: model-driven telemetry, periodic subscription, on-change subscription, YANG-modeled operational data, collector sizing.

As a STUN server, Cisco vBond allows Cisco Catalyst SD-WAN routers to discover their public mapped IP addresses and ports when they sit behind NAT. This function is essential during overlay bring-up because many WAN Edge devices are deployed behind internet circuits, firewalls, or provider NAT devices. vBond helps devices understand how they are seen from the public transport side and facilitates the formation of secure control connections to the SD-WAN controllers. vBond also participates in orchestration and Zero-Touch Provisioning workflows, but the question specifically asks about its purpose as a Session Traversal Utilities for NAT server. That wording points directly to NAT discovery, not general ZTP. vBond does not secure user data traffic between edge routers; data-plane encryption is established between WAN Edge devices. It also has no role in integrating SD-Access wireless into a fabric. Reference topics: Cisco SD-WAN vBond, STUN, NAT traversal, orchestration, WAN Edge onboarding. This is fundamental for internet transports.

The selected design is correct because the requirement describes a resilient campus architecture that must support the same VXLAN at any access-layer switch while maintaining fast convergence and high availability. In Cisco campus and data-center-style fabric designs, VXLAN provides network virtualization by carrying Layer 2 adjacency over a routed or resilient transport. The correct design must avoid a fragile single spanning-tree domain and must provide redundant forwarding paths so that an access switch or uplink failure does not isolate the VLAN or VXLAN segment. The selected option represents the design that meets those conditions by allowing the overlay segment to be extended consistently across access switches while keeping the underlay resilient. Designs that rely on a traditional Layer 2 tree, a single aggregation point, or blocked redundant links would not meet the high availability and fast convergence objectives. The important design principle is that VXLAN should ride on a stable, redundant transport and should not depend on large Layer 2 failure domains. Reference topics: VXLAN campus design, overlay networking, fast convergence, access-layer resiliency, high availability.