300-420 Designing Cisco Enterprise Networks (ENSLD) Questions and Answers

The configuration-protocol mapping distinguishes NETCONF and RESTCONF behavior in model-driven programmability. NETCONF is an XML-based network configuration protocol that runs over a secure transport such as SSH and supports structured operations such as get-config, edit-config, lock, unlock, commit, and datastore manipulation. It is well suited to transactional configuration workflows where candidate and running datastores are supported. RESTCONF exposes YANG-modeled data through a REST-style interface over HTTP or HTTPS, using familiar methods such as GET, POST, PUT, PATCH, and DELETE. It can encode data in XML or JSON depending on headers and implementation. Both protocols use YANG models to define the structure and semantics of configuration and operational data, but they differ in transport style, operation model, and tooling. The selected mapping therefore places NETCONF characteristics with the protocol that provides RPC-style operations and datastore handling, while RESTCONF receives HTTP method and URI-based characteristics. In design, the choice depends on controller support, device operating system, required transaction semantics, security policy, and developer tooling. Reference topics: NETCONF, RESTCONF, YANG, datastores, XML and JSON encoding.

Because the wireless access points must remain in a common VLAN, the practical design is to align the HSRP active gateway with the spanning-tree root bridge for that VLAN. Unicast flooding commonly occurs when a Layer 2 domain is stretched between aggregation and access layers and the traffic path becomes asymmetric. If the HSRP active gateway is on one aggregation switch while STP forwards the Layer 2 path through a different aggregation switch, return traffic can be forced across inter-switch links and CAM table aging can create flooding conditions. Cisco campus design guidance emphasizes aligning Layer 2 and Layer 3 forwarding roles so the active default gateway and spanning-tree root are colocated for each VLAN. Migrating to routed access is usually the best long-term design, but it requires the APs to run on separate VLANs; the question states they use a common VLAN. Reducing ARP timers to match CAM timers can help some flooding cases, but it is not the core design fix offered here. Reference topics: HSRP and STP alignment, unicast flooding, Layer 2 campus design, wireless AP VLAN design.

The company must prevent itself from advertising routes learned from one ISP to the other ISP. If it receives full Internet tables from both providers and then re-advertises those learned prefixes, it can unintentionally become a transit autonomous system. The proper BGP design is to apply outbound route policy so only the company’s own originated prefixes are advertised to the ISPs, while routes learned from ISP1 are never advertised to ISP2 and routes learned from ISP2 are never advertised to ISP1. A route map or equivalent prefix filtering policy applied outbound to the ISP neighbors achieves that goal. Local preference influences outbound path selection inside the company AS; it does not prevent transit advertisements. MED influences how a neighboring AS may enter the company network, but it does not stop the company from advertising third-party routes. Tagging incoming routes with no-export is not as deterministic as simply filtering what is advertised to each provider and may still allow undesirable routing behavior within the directly connected provider. Therefore, the design should include outbound route filtering with a route map.

Stateful NAT64 is the correct design because IPv6-only hosts must communicate with legacy IPv4 devices and only a small pool of IPv4 addresses is available for concurrent sessions. NAT64 translates IPv6 client traffic into IPv4 traffic, allowing IPv6-only endpoints to reach IPv4-only resources. A stateful implementation maintains translation state and can use a pool of IPv4 addresses for multiple IPv6 clients, which fits the requirement for up to 10 concurrent IPv6 hosts using 10 reserved IPv4 addresses. Static NAT- PT would require fixed one-to-one mappings and is less suitable for a pool-based concurrent access model. NAT66 translates between IPv6 prefixes and does not solve access to IPv4-only devices. Dynamic NAT-PT is an older transition mechanism and is not the preferred modern answer when NAT64 is available. The design should also include DNS64 when clients access IPv4-only services by name. Reference topics: IPv6 transition, stateful NAT64, DNS64, IPv6-only hosts, IPv4 legacy reachability.

The correct code snippet must use a secure HTTPS-based RESTCONF transaction with the YANG JSON media type. The requirement explicitly states that the content type is application/yang-data+json and that the connection to the network device must be secured. In Cisco IOS XE programmability, RESTCONF uses HTTP methods against YANG-modeled resources, and secure deployments use HTTPS rather than clear-text HTTP. A loopback interface with address 172.16.15.12/32 would be configured by sending a JSON payload that follows the selected YANG model structure, commonly an IETF or Cisco native interface model, with the correct content-type and authentication headers. The key security indicator in the option must therefore be HTTPS/TLS, not an insecure HTTP URL or a non-YANG content type. NETCONF over SSH would also be secure, but the stated content-type points to RESTCONF with JSON encoding. Option A is the valid snippet because it aligns the payload format with a secure transport. Reference topics: RESTCONF, YANG JSON encoding, application/yang-data+json, HTTPS, IOS XE programmability.

The action is to configure the EIGRP stub router in receive-only mode. Cisco EIGRP stub routing limits which routes a router advertises to neighbors, reducing query scope and improving stability in hub-and-spoke or WAN designs. The receive-only keyword is the most restrictive stub option: the router receives routes from neighbors but does not advertise any routes to them. That directly satisfies the requirement that WAN routes must not be advertised to the routers in the data center. Advertising only a default route still advertises routing information, so it does not meet the wording. Summarizing local subnets reduces the number of routes, but it still advertises reachability. The “distributed mode” option is not the correct EIGRP stub behavior for this requirement; redistributed stub mode would allow redistributed routes to be advertised. Receive-only is therefore the precise design control for stopping route advertisement from the stub router. Reference topics: EIGRP stub routing, receive-only mode, query scoping, route advertisement control, WAN-to-data-center design.

If the RPF check is successful in PIM sparse mode, the multicast packet is forwarded according to the outgoing interface list. The Reverse Path Forwarding check verifies that the packet arrived on the interface the router would use to reach the source, or the RP in the case of shared-tree state. This prevents loops and duplicate multicast forwarding. After the check passes, the router consults the multicast forwarding entry and sends the packet only out interfaces in the OIL where downstream receivers or PIM neighbors require the traffic. It is not automatically forwarded out every PIM-enabled interface, and it is not forwarded back out the receiving interface. If the RPF check fails, the packet is dropped to protect the multicast distribution tree. The OIL therefore represents the correct controlled forwarding behavior after a successful RPF validation. Reference topics: PIM sparse mode, RPF check, outgoing interface list, multicast forwarding state, loop prevention.

For model-driven telemetry with periodic updates, the architect must understand that each periodic update sends the subscribed data at the configured interval. Cisco telemetry guidance distinguishes periodic subscriptions from on-change subscriptions. A periodic subscription streams a full copy of the subscribed data element or table at each interval, even if the underlying state has not changed. That behavior is useful when the collector needs regular time-series samples, trending, or baseline monitoring, but it creates predictable bandwidth and collector-load requirements. On-change subscriptions are different: they publish updates when the subscribed state changes and are more efficient for state changes such as interface status, memory thresholds, or protocol adjacency m ovement. Empty subscription behavior and initial update timing may matter in specific implementations, but they are not the main design consideration in this question. Since the customer requires periodic updates, the design must size the transport, collector, retention system, and subscription intervals around repeated full data delivery. Reference topics: model-driven telemetry, periodic subscription, on-change subscription, YANG-modeled operational data, collector sizing.

The correct solution is a management VRF with SSH keys for device access. A management VRF creates a separate routing and forwarding table for management traffic, keeping administrative reachability isolated from production and overlay routes. That directly satisfies the requirement that the overlay network must not cause routing issues and makes troubleshooting easier for operations teams because management reachability can be validated independently. Cisco VRF design uses separate routing tables to isolate traffic and can support overlapping addresses or independent routing policy. For secure device access, SSH with key-based authentication provides encrypted administrative sessions and stronger authentication than clear-text or password-only methods. Private VLANs and ordinary VLANs provide Layer 2 separation but do not create independent routing tables. TACACS+ and RADIUS are AAA systems; they are useful but do not define the management transport architecture. Separate physical interfaces can be useful out-of-band, but the best match for overlay isolation and operational simplicity is management VRF plus SSH keys. Reference topics: management VRF, secure device access, SSH public-key authentication, routing-table isolation, enterprise management design.

The standards-based mechanism for dynamic rendezvous point distribution in a large PIM domain is Bootstrap Router. BSR allows candidate RPs and candidate BSRs to participate in a standards-based election and advertisement process so PIM routers can learn the RP set dynamically. This avoids configuring every router manually with static RP information and avoids depending on a Cisco-proprietary mechanism. Auto-RP can also distribute RP information dynamically, but Auto-RP is Cisco proprietary and therefore does not meet the nonproprietary requirement. Embedded RP is associated with IPv6 multicast group addressing and is not the general-purpose answer for automating RP discovery in a large IPv4 PIM domain. Static RP configuration is simple and deterministic, but it does not automate RP distribution and becomes operationally fragile as the multicast domain grows. In Cisco multicast design, BSR is the correct choice when the network requires dynamic RP discovery, vendor-neutral behavior, and scalable PIM-SM operation across a large domain.

Making R3 an L1/L2 router restores the required IS-IS hierarchy and prevents the outage caused by the failed R1-to-R2 link. In IS-IS, Level 1 routers have detailed topology only inside their own area, while Level 2 routers provide the interarea backbone. Routers that connect a Level 1 area to the Level 2 backbone must operate as Level 1/Level 2 devices so they can participate in both databases and provide an exit path for area traffic. If a path between areas depends on a router that is only Level 1 or only Level 2 in the wrong location, traffic can be blackholed when a key link fails. Configuring R3 as L1/L2 gives the topology an additional valid transition point between the local area and the backbone, improving continuity after the R1-to-R2 failure. Making unrelated routers L1 or L2 does not necessarily create the required interarea attachment. Reference topics: IS-IS Level 1, Level 2 backbone, L1/L2 routers, interarea reachability, hierarchical IGP design.

The fabric management plane in Cisco SD-Access enables automation techniques for device deployment and configuration. Cisco DNA Center, now commonly referenced as Cisco Catalyst Center, provides the management-plane capabilities used to automate underlay deployment, discover and provision devices, create fabric sites, assign roles, deploy virtual networks , and push policy-driven configurations. LISP-based endpoint identifiers and EID-to-RLOC mappings belong to the fabric control plane, not the management plane. IS-IS underlay routing is part of underlay network design and operation, not the management-plane function itself. The management plane exists so administrators do not have to build every fabric role, network segment, and policy manually on each individual device. In a well-designed SD-Access deployment, management-plane automation reduces configuration drift, accelerates site onboarding, and provides a consistent operational model across the campus fabric. Reference topics: Cisco SD-Access management plane, Cisco Catalyst Center, automation, device provisioning, fabric deployment, policy orchestration. It also provides the operational interface for assurance, inventory, and repeatable change control across the fabric.

NBAR2 should be used to identify the affected cloud applications and then allocate bandwidth according to the measured application requirements. Modern collaboration suites often use dynamic ports, encrypted sessions, and multiple flows for voice, video, messaging, file sharing, and screen sharing. Classifying them only by static ports is unreliable and can misclassify traffic, especially when applications change transport behavior or use shared cloud endpoints. Cisco NBAR2 provides application recognition beyond basic port matching and can classify traffic by application signatures. Once the applications are identified, the QoS policy can be adjusted to give the required bandwidth, priority, or queue treatment. Reserving bandwidth only on perimeter routers is incomplete if congestion occurs elsewhere in the WAN path. Rate-limiting the applications would likely make the user experience worse. The key problem is that the existing policy works for other applications but not these cloud-based tools, so the first design step is accurate application visibility and classification. NBAR2 provides that visibility and supports a more precise QoS policy. Reference topics: NBAR2, application-aware QoS, cloud collaboration traffic, DSCP classification, bandwidth allocation.

Single-topology IS-IS with the transition feature is the correct design when IPv6 is being added to an existing IPv4 IS-IS network and both topologies must match exactly. In single-topology mode, IS-IS calculates one topology and uses it for both IPv4 and IPv6, which fits the requirement that the IPv4 and IPv6 paths and router levels remain the same on each interface. Cisco documentation notes that single-topology IS-IS IPv6 requires routers to run the same set of address families for adjacency consistency; during migration, transition support allows the network to operate while IPv6 is introduced gradually. Multi-topology IS-IS is used when IPv4 and IPv6 should be allowed to follow different topologies or when not all routers support the same address families. The question explicitly says the topologies will match exactly, so multi-topology is unnecessary. Single topology without the transition feature is risky during phased migration because routers that do not yet run both address families may fail adjacency checks or create blackholing. Reference topics: IS-IS for IPv6, single-topology IS-IS, transition mode, address-family consistency, IPv6 migration.

Dynamic NAT-PT is the correct selection when IPv6 hosts in an IPv6 island must access IPv4-only servers and services. NAT-PT translates between IPv6 and IPv4 packet headers and allows IPv6-only nodes to communicate with IPv4-only destinations by dynamically creating translation state. In this scenario, IPv6 hosts need access to file servers and DNS services in an IPv4 network, so a dynamic translation mechanism is required. Stateless NAT66 and stateful NAT66 are IPv6-to-IPv6 translation mechanisms and do not connect IPv6 hosts to IPv4-only resources. Static NAT-PT would be appropriate for fixed one-to-one mappings where specific hosts are permanently mapped, but the question describes general access from an IPv6 island to IPv4 services, making dynamic NAT-PT the better match. In modern designs, NAT64 and DNS64 are commonly preferred successors, but within the answer choices NAT-PT is the IPv6-to-IPv4 transition mechanism. Reference topics: IPv6 transition, NAT-PT, IPv6-to-IPv4 translation, DNS access, dual-protocol migration.

In-band management is the correct design because the management plan must reach all IP-enabled interfaces, and not every device has a dedicated management port. In-band management uses the production IP network for administrative access, allowing management stations to reach loopbacks, SVIs, routed interfaces, or front-panel interfaces through normal routing. Cisco management guidance distinguishes in-band management from out-of-band designs that depend on a separate physical management network or console path. Because the question requires reachability to all IP-enabled interfaces, in-band is the only listed model that naturally supports that scope. Security must still be enforced with encrypted protocols where supported, such as SSH and HTTPS, plus ACLs, AAA, and management-plane protection where appropriate. A terminal server provides console access, not routed IP management to every interface. A KVM server is a server-management tool, not a network-device management architecture. Out-of-band management is preferred for isolation, but it does not fit devices without dedicated management access. Reference topics: in-band management, secure management protocols, SSH, HTTPS, network management design.

A major feature of the SaaS subscription model is lower initial cost. In Software as a Service, the customer consumes an application provided by a service provider rather than purchasing and operating the full application infrastructure directly. This generally shifts spending from large upfront capital expenditure to recurring operational subscription cost. The provider handles much of the platform, application maintenance, hosting, scalability, and upgrades, which lowers the customer’s initial hardware and software investment. A web connection is normally required for SaaS access, so option A is incorrect. Access to industrial-strength storage and computing power is more characteristic of cloud infrastructure benefits, but it is not the defining SaaS subscription feature in this answer set. Autonomy and control over hardware is reduced, not increased, in SaaS because the provider owns and operates the underlying infrastructure. The option text contains a typo, but “lower initial costs” is the intended and correct feature. Reference topics: SaaS model, cloud subscription economics, operational expenditure, application hosting, cloud service models.

NAT64 is the correct solution when IPv6-only hosts must communicate with an IPv4-only public web server. NAT64 translates IPv6 packets from the client side into IPv4 packets toward the server and translates the return traffic back into IPv6. In most practical designs, NAT64 is paired with DNS64 so IPv6-only clients can receive synthesized AAAA records for IPv4-only destinations. NAT44 is only IPv4-to-IPv4 translation and cannot support IPv6-only hosts. 6to4 is an IPv6-over-IPv4 tunneling mechanism, not an IPv6-to-IPv4 translation service for reaching an IPv4-only server. 6PE carries IPv6 reachability across an MPLS IPv4 core and does not solve IPv6-only client access to an IPv4-only domain. The question specifically states that the hosts support IPv6-only and the public web server has only IPv4 domain name resolution. That is the classic NAT64/DNS64 use case. The architect must also plan stateful translation capacity, logging requirements, IPv4 address pool sizing, and DNS behavior. Reference topics: NAT64, DNS64, IPv6 transition, IPv6-only hosts, IPv4-only server access.

BFD is the correct design feature for detecting a link failure within 200 ms or less without materially increasing OSPF control-plane load. Cisco uses Bidirectional Forwarding Detection as a fast, lightweight failure-detection protocol that can be associated with routing protocols such as OSPF. Instead of relying on aggressive OSPF hello and dead timers, BFD performs rapid forwarding-path checks and notifies OSPF when the path fails. This allows fast convergence while avoiding the additional routing-protocol overhead and instability that can come from very low hello timers. UDLD detects unidirectional Layer 2 fiber failures, but it is not the routing adjacency failure-detection mechanism requested here. Carrier delay can adjust interface state transition timing, but it does not provide a routing-protocol independent liveness session. Fast hellos can reduce detection time, but they increase protocol traffic and can affect overall performance. BFD is therefore the proper design choice for fast and efficient OSPF convergence. Reference topics: BFD, OSPF convergence, fast failure detection, routed campus resiliency, control-plane efficiency.

The drag-and-drop mapping should be preserved as the validated answer because the item depends on the exhibit categories and the original coordinate map identifies which descriptions belong to each category. In Cisco design questions of this form, the important skill is distinguishing the functional category from the implementation detail. A professional design answer must map each description to the correct operational class instead of treating all items as interchangeable features. This is common in ENSLD topics such as WAN connectivity, SD-Access roles, telemetry modes, and QoS service models, where a description may sound similar but belongs to a different architectural layer. The coordinate answer keeps the specific pairings intact while the explanation documents the design logic: categorize by function, control-plane responsibility, data-plane behavior, and operational use case. If the exhibit contains technology categories, the selected mapping should be read as the official answer for those categories rather than converted into free text. Reference topics: Cisco design categorization, architectural roles, technology-to-function mapping, ENSLD drag-and-drop interpretation.

Affinity is the SD-WAN feature used to control and reduce control connections between WAN Edge devices and vSmart controllers. Cisco SD-WAN high-availability documentation describes controller affinity as a way to limit the number of controllers that an edge device establishes control connections with, while still preserving controller and data center redundancy. This reduces unnecessary control-plane load and limits the strain placed on vSmart controllers in large overlays. The feature is particularly useful when multiple vSmart controllers exist across multiple data centers and the designer wants predictable primary and backup controller relationships. The color attribute identifies transport characteristics, such as public Internet, MPLS, or other transport types. Control-connections is a general concept, not the feature that minimizes them. Control-direction is not the correct design construct for this purpose. A scalable SD-WAN design should use affinity where controller scale, regionalization, and control-plane efficiency must be explicitly managed. Reference topics: Cisco SD-WAN controller affinity, vSmart scale, control connections, TLOC control-plane optimization.

Controller redundancy is the only viable answer among the listed choices. In Cisco SD-WAN, production control-plane resiliency is achieved by deploying redundant controller infrastructure so WAN Edge routers can maintain control connectivity even if a controller instance fails. Strictly speaking, vSmart controllers are the primary SD-WAN control-plane components because they distribute OMP routes, TLOC information, service routes, and policy. vManage is the management plane, and clustering vManage improves management-plane availability. However, the provided options do not include redundant vSmart controllers. Of the available answers, using multiple controller instances in a cluster is the closest redundancy design concept, while the other options do not provide SD-WAN controller redundancy. BFD on WAN Edge routers detects data-plane path failure, not control-plane controller failure. Deploying controllers on UCS or CSP affects hosting, not redundancy by itself. OMP manages overlay routes; it is not an underlay management mechanism. A complete professional design should include redundant vSmart, vBond, and vManage components across failure domains. Reference topics: Cisco SD-WAN control plane, controller redundancy, vSmart, vManage clustering, OMP.

The SD-Access control-plane node maintains the endpoint database and resolves mappings between endpoints and the fabric edge nodes where those endpoints are located. Cisco SD-Access uses LISP in the fabric control plane. Edge nodes register endpoint identifiers with the control-plane node, and other fabric nodes query the control plane when they need to locate a destination endpoint. This control-plane function is commonly described through LISP Map-Server and Map-Resolver behavior. Option B is not correct because endpoint detection occurs at the edge node, not at the control-plane node. The edge is the device connected to users, access points, or endpoint-facing networks, so it learns local endpoint presence and registers that information. Option C refers to authentication and identity, which is integrated with Cisco ISE. Option D describes the border-node role, because border nodes connect the fabric to external networks. The corrected answer is therefore A. A stable SD-Access design must provide redundant control-plane reachability and scale the control-plane role according to fabric size, mobility, and endpoint churn. Reference topics: SD-Access control plane, LISP Map-Server, LISP Map-Resolver, endpoint-to-location mapping.

For streaming multimedia over a WAN using DiffServ per-hop behavior, the best answer is CBWFQ with DSCP AF3. Cisco QoS design separates real-time interactive voice from streaming multimedia. Voice bearer traffic commonly uses EF and a strict priority queue because it is extremely sensitive to delay and jitter. Streaming multimedia, however, is usually buffered and bandwidth-intensive; it should receive assured bandwidth and controlled drop behavior rather than strict priority treatment. The Assured Forwarding classes are designed for this kind of preferential forwarding within DiffServ. AF3 is commonly associated with multimedia streaming in Cisco QoS baseline models, while CBWFQ provides bandwidth guarantees without allowing the class to starve other traffic. LLQ with EF is too aggressive for streaming multimedia and should be reserved for voice bearer traffic or similarly strict real-time flows. AF2 is more commonly used for transactional data or lower-priority assured service, depending on the model. The correct marking and queuing design is therefore CBWFQ with DSCP AF3. Reference topics: DiffServ, per-hop behavior, CBWFQ, DSCP AF classes, multimedia streaming QoS.

Traffic shaping is the QoS mechanism that queues excess packets and transmits them later to conform to a configured rate. In Cisco QoS design, shaping smooths bursts by buffering traffic instead of immediately discarding it when the offered rate exceeds the configured rate. This makes shaping appropriate on egress interfaces where the enterprise router has a higher physical interface speed than the actual provider committed information rate. WRED and RED are congestion-avoidance mechanisms that drop packets probabilistically to prevent full queue exhaustion, especially for TCP traffic. They do not intentionally hold excess packets for later transmission as the primary behavior. Policing enforces a traffic rate by dropping or remarking traffic that exceeds the configured contract; it does not buffer traffic to smooth bursts. Therefore, when the design requirement says excess packets must be queued for later transmission, the mechanism must be shaping. In WAN edge QoS, shaping is often paired with child queuing policies so latency-sensitive and business-critical classes receive correct treatment inside the shaped parent rate.

A logical topology that virtually connects devices over an arbitrary physical network is an overlay. In Cisco SD-Access, the underlay provides basic IP reachability between fabric nodes, while the overlay creates the logical network used by endpoints, virtual networks, and policy segmentation. The overlay is not constrained to the exact physical cabling topology; instead, it uses encapsulation and control-plane mapping to carry user traffic across the routed fabric. Cisco SD-Access uses LISP in the control plane for endpoint-to-location mapping and VXLAN in the data plane for encapsulation. This allows the fabric to present consistent logical connectivity even when the physical network is built from routed links and different infrastructure layers. The data plane is the forwarding mechanism, the control plane resolves location information, and the underlay is the physical and routed transport. The logical topology built on top of those components is the overlay. Reference topics: Cisco SD-Access overlay, underlay, VXLAN, LISP, fabric logical topology.

Lowering the OSPF cost on the direct R1-to-R2 link is the cleanest way to force traffic for 10.10.20.0/24 to prefer that link. OSPF calculates the shortest path using cumulative interface cost, and Cisco designs normally tune OSPF path selection by changing interface cost rather than administrative distance. Administrative distance determines preference between different routing protocols, not between OSPF paths inside the same OSPF process. Moving the link into another area or creating a multiarea adjacency adds design complexity and does not directly solve the requirement unless the resulting cost still becomes lower. The exhibit states that the architect must use the direct link for traffic from 10.10.10.0/24 toward 10.10.20.0/24. Therefore, the direct link must have a lower total OSPF metric than the alternate path. Configuring the link cost to a value below 30 makes OSPF choose it as the preferred intra-area route. This is deterministic, easy to validate with the OSPF database and routing table, and consistent with Cisco hierarchical IGP design practice. Reference topics: OSPF cost, SPF path selection, metric tuning, intra-area routing.

The best answer is to use a single IP address for a static NAT entry that represents the server with a nonoverlapping address. When two companies use overlapping private address space, routing directly between the networks can fail because each side may already have a local route for the same prefix. The requirement is narrow: users in the acquired company need access to one server in Company A, and the design must conserve address space. A static NAT mapping for the server solves the destination overlap problem with one translated address, giving remote users a unique reachable address for that server without renumbering either company. Overload NAT is normally used to translate many inside clients behind one address for outbound access; it is not the most precise solution for publishing one overlapping server. One-to-one NAT for every user wastes addresses and adds operational overhead. Readdressing the acquired company would solve the overlap permanently, but it does not conserve effort or address space. Therefore, a single static NAT entry for the server is the most efficient design.

R3 must be made an L1/L2 router so that it can connect the Level 1 area to the Level 2 backbone. IS-IS uses a two-level hierarchy. Level 1 routers know the topology inside their local area, Level 2 routers form the backbone between areas, and Level 1/Level 2 routers provide the boundary between the two. A proper IS-IS backbone cannot have isolated Level 1-only routers positioned between L1/L2 routers that need to exchange interarea reachability. If the link failure exposed an area-continuity problem, converting R3 to L1/L2 gives the area an appropriate attachment point to the backbone and restores interarea forwarding behavior. Making an unrelated router Level 1 or Level 2 only would not necessarily create the required boundary function. Simply making Area 0 L2-only is also not the focused fix if the topology still lacks a correct L1/L2 transition point. The design principle is straightforward: every Level 1 area must have a dependable L1/L2 router through which traffic can reach destinations outside the area. Reference topics: IS-IS Level 1, Level 2 backbone, L1/L2 routers, interarea reachability, hierarchical IGP design.

Area 1 should be configured as an NSSA when the design must allow selected external routes, such as EIGRP-originated routes, while controlling other external routes such as those from the RIP domain. A normal OSPF area receives Type 5 external LSAs, so it would not inherently block the unwanted RIP-originated external routes. A stub area blocks Type 5 external LSAs, but it also cannot contain an ASBR that injects external routes in the normal way. An NSSA is designed for this exact middle ground: it restricts external LSAs from the backbone while allowing external routes to be injected inside the area as Type 7 LSAs, which are translated by the ABR when needed. This allows Area 1 to receive the necessary internal and selected redistributed information while excluding external routes originated elsewhere. Making the routers part of area 0 would not solve the external-route filtering requirement and would weaken the intended area structure. Therefore, NSSA provides the required balance of route visibility and external-route control. Reference topics: OSPF NSSA, Type 5 LSAs, Type 7 LSAs, external route control, area design.

A distribute list is the correct method to filter routes exchanged between EIGRP neighbors within the same autonomous system. In Cisco EIGRP designs, distribute lists can be applied inbound or outbound under the EIGRP process to control which routes are accepted from or advertised to neighbors. The filter can reference an access list, prefix list, or route map depending on platform and configuration style. This allows the designer to limit route visibility without changing the forwarding behavior of packets that are already routed. Policy-based routing is a data-plane forwarding feature that changes next-hop selection for matching traffic; it does not filter EIGRP route advertisements between neighbors. Leak maps are used with route summarization to selectively advertise more specific routes through a summary, not as the general route-filtering method between EIGRP neighbors. Route tagging is valuable in redistribution designs to identify route origin and prevent feedback loops, but the tag alone does not filter routes unless a route map or distribute list uses it. Therefore, the correct route-filtering mechanism between EIGRP neighbors is a distribute list.

The SD-Access control-plane node performs the LISP Map-Server and Map-Resolver functions. Cisco SD-Access uses LISP in the control plane to maintain mappings between endpoint identifiers and routing locators. Fabric edge nodes discover local endpoints and register them with the control-plane node. When a destination endpoint is not known locally, a fabric node queries the control-plane node, which resolves the endpoint location and returns the locator information needed for VXLAN forwarding through the fabric. This is why the control-plane node is the correct answer. A fabric edge node connects endpoints, provides the anycast gateway, encapsulates and decapsulates user traffic, and registers endpoints. A border node connects the fabric to external networks. An intermediate node simply transports routed underlay traffic between fabric nodes and does not hold endpoint mappings. In design terms, control-plane placement and redundancy are critical because endpoint mobility, fabric forwarding lookup, and location resolution depend on stable Map-Server and Map-Resolver services. Reference topics: Cisco SD-Access control plane, LISP Map-Server, LISP Map-Resolver, EID-to-RLOC mapping, fabric edge registration.

Hierarchical QoS with a parent shaping policy is the correct solution for a 1 Gbps physical handoff where the contracted provider rate is only 50 Mbps. The customer router can transmit at the physical interface speed, but the provider policer or service edge expects traffic to remain within the committed information rate. Without shaping, bursts leave the customer router at 1 Gbps and can be dropped by the provider, which is especially damaging to voice traffic because drops and jitter create choppy audio. Cisco QoS design commonly uses a parent shaper set to the provider CIR and then applies child queuing policies under that shaped rate. This allows voice and other critical classes to be prioritized before packets are transmitted into the constrained service. A parent policing policy would drop or mark excess traffic locally rather than smoothing bursts. Reducing physical bandwidth is not normally possible on a provider Ethernet handoff, and the interface bandwidth statement changes routing/QoS reference values but does not enforce the CIR. Therefore, parent shaping is required. Reference topics: hierarchical QoS, traffic shaping, CIR, LLQ, WAN edge QoS.

The 8-class QoS model is the appropriate DiffServ design when an enterprise is adding voice and video to an existing data network and needs priority treatment for voice. Cisco enterprise QoS designs commonly evolve from a simple data-only model to a multi-class model that separates routing/control, voice bearer, video, signaling, transactional data, bulk data, scavenger traffic, and default traffic. This separation is important because voice requires strict low latency, low jitter, and minimal loss, while video usually requires guaranteed bandwidth but must not starve voice or network control traffic. A 4-class model can be too coarse when both VoIP and IP video are introduced because it often collapses distinct traffic types into broad queues. A 12-class model may be appropriate for very mature or complex environments, but it is more operationally demanding. The 6-class model can work in some cases, but the common Cisco campus and WAN baseline for mixed voice, video, and data is the 8-class model. Reference topics: DiffServ QoS, enterprise QoS class models, voice priority queue, video classification, DSCP design.

This YANG mapping is based on how IETF, OpenConfig, and Cisco native models differ in portability and schema organization. IETF models are produced through the standards process and are appropriate when the same management structure is expected across vendors for common protocols. OpenConfig models are also vendor-neutral, but they are built around a consistent operational model used heavily for streaming telemetry and multivendor automation. Cisco native models mirror Cisco platform configuration more closely and expose device-specific capabilities that may not exist in common models. The selected answers keep those boundaries clear. This matters because a NETCONF or RESTCONF payload is validated against the YANG schema; a payload written for one model family cannot be assumed to work against another. In design terms, the model family should be selected after confirming device software release support, feature coverage, operational-state requirements, and vendor diversity. Open models give portability; native models give feature completeness. Reference topics: IETF YANG, OpenConfig YANG, Cisco native YANG, schema validation, automation model selection.

Cisco SD-WAN components map to distinct control, management, orchestration, and forwarding roles. vManage is the centralized management plane used for configuration templates, monitoring, software management, and operational visibility. vSmart is the centralized control-plane component that distributes OMP routes, TLOC information, security parameters, and centralized policy to WAN Edge devices. vBond is the orchestration component used during onboarding; it authenticates devices, helps them discover controllers, and assists with NAT traversal. The WAN Edge router, whether physical or virtual, forms the data plane at the branch, campus, or data center and forwards user traffic through secure overlay tunnels. Correctly identifying these roles is essential because SD-WAN scale and resiliency depend on separating management, control, orchestration, and forwarding responsibilities. A design that confuses vManage with vSmart or vBond will misplace policy, onboarding, and forwarding functions. Reference topics: Cisco SD-WAN architecture, vManage, vSmart, vBond, WAN Edge, OMP, overlay control plane.

The correct model is a 4-class QoS strategy with DiffServ. The traffic classes listed in the question are explicitly DiffServ per-hop behaviors: Expedited Forwarding for conversational traffic, Assured Forwarding class 2 for streaming, and Assured Forwarding class 3 for web or interactive traffic. Cisco QoS guidance uses DiffServ to classify and mark traffic with DSCP values, then apply per-hop behavior at each node along the path. This gives scalable end-to-end treatment across a provider backbone without maintaining per-flow reservations. The four service treatments implied are conversational, streaming, interactive/web, and background or best effort, which matches the stated service categories without unnecessary class expansion. IntServ is not appropriate for an ISP backbone because it uses RSVP-style per-flow signaling and state, which scales poorly compared with DiffServ PHB handling. The 8-class and 12-class options add complexity beyond the stated mappings. Reference topics: DiffServ, DSCP, EF, AF2, AF3, per-hop behavior, provider QoS design.

The correct IS-IS design combines tuned SPF/PRC behavior with a proper Level 1 and Level 2 hierarchy. Reducing SPF and PRC intervals, within platform and stability limits, helps routers react more quickly to topology changes after a link failure. However, fast timers alone are not enough; the hierarchy must contain instability so physical link flaps in the access layer have limited impact on the rest of the network. Access routers should form Level 1 adjacencies inside their local area, while aggregation routers should operate as Level 1/Level 2 routers to connect the access area to the Level 2 backbone. This design gives access routers a simple local view and uses aggregation as the interarea boundary. Running all access and aggregation routers as L1/L2 across the network increases the size of the backbone and exposes more routers to wider flooding, which is the opposite of the requirement. Redistributing Internet routes into Level 1 is also poor design because it bloats the access area. Therefore, the right choices are C and E. Reference topics: IS-IS hierarchy, L1/L2 design, SPF and PRC tuning, access-layer convergence, fault containment.

In Cisco SD-Access, an intermediate node is an underlay transit device. Its responsibility is to provide IP reachability between fabric edge nodes, border nodes, and other fabric infrastructure roles. Intermediate nodes forward routed underlay traffic and do not perform endpoint registration, endpoint lookup, or VXLAN encapsulation for user traffic. Endpoint-to-location mapping is handled through the fabric control plane, which is based on LISP map-server and map-resolver functions. Fabric edge nodes identify connected endpoints, apply policy, act as anycast gateways, and encapsulate user traffic into VXLAN. Border nodes connect the fabric to external networks and handle traffic entering or leaving the fabric. The intermediate node is therefore comparable to a routed distribution or core transport device in a traditional hierarchical campus, except it is participating in the SD-Access underlay. It must provide stable Layer 3 reachability and appropriate MTU for encapsulated traffic but does not maintain the host tracking database or add security group information to VXLAN headers. The correct function is transporting IP packets between edge and border nodes.

Cisco Express Forwarding uses the adjacency table to store the Layer 2 rewrite information needed to forward packets efficiently. CEF separates forwarding decisions into the Forwarding Information Base and the adjacency table. The FIB identifies the best next hop based on routing information, while the adjacency table contains the directly connected next-hop details, including the MAC address and encapsulation rewrite string used on the outgoing interface. That is why the correct layer is Layer 2. CEF is not using the adjacency table to populate Layer 3 routes; the routing table and FIB handle Layer 3 reachability. It is also not a Layer 1 function because physical signaling does not determine the next-hop rewrite. Layer 4 is unrelated to CEF adjacency resolution. In a campus or WAN design, CEF matters because it allows hardware or optimized software forwarding without process-switching every packet. Correct ARP, neighbor discovery, and adjacency formation are therefore essential to fast packet forwarding, especially when convergence or high-throughput forwarding is required.

The active logical interface count for Switch A is 202 based on the spanning-tree scalability method used for logical ports. In STP design, a logical port is counted per active VLAN instance on each active trunk or access interface. A trunk carrying multiple VLANs therefore consumes multiple logical STP ports, while an access link normally consumes one logical STP port for its VLAN. Cisco campus design guidance uses logical-port counts to ensure that the selected STP mode and platform stay within supported scalability limits. The calculation in the exhibit produces 202 active logical interfaces for Switch A, not simply the number of physical links. Answer A counts only physical interfaces and ignores VLAN instances. Answer D is too low because it does not account for all active VLANs across the relevant links. Answer B overstates the count by including VLANs or links that are not active for Switch A. Reference topics: STP scalability, logical ports, VLAN instances, trunk design, Layer 2 campus sizing.

The design combines Dual-Stack Lite from the devices toward the core MPLS network and NAT44/64 from the MPLS network toward the Internet gateway router. The requirements describe IPv6-facing clients that still need access to IPv4 services and DNS behavior that allows the same service name to be reached during migration. Dual-Stack Lite carries IPv4 customer traffic across an IPv6 access or provider network by tunneling IPv4 packets over IPv6 toward a provider translation point. NAT44/64 services then provide translation or address-family interworking for IPv4-only resources. This combination is used when customer-facing access moves to IPv6 while legacy IPv4 services remain reachable during transition. A simple IPv6 tunnel from devices to the MPLS core does not provide the required IPv4 service translation. Using only NAT44/64 from end devices also shifts complexity to clients rather than placing translation at the network edge. The selected choices match the staged migration model: IPv6 transport with encapsulation in the access/core side and translation at the provider or gateway boundary. Reference topics: IPv6 transition, DS-Lite, NAT64, DNS64, IPv4-over-IPv6 tunneling.

AS-path prepending is the correct inbound path-control tool for this design. The objective is for traffic entering AS100 to use link 1 during normal operation and link 2 only after a failure. In BGP, the AS_PATH attribute is a primary path-selection attribute used by external autonomous systems; a shorter AS path is normally preferred over a longer path. By prepending AS100 multiple times on advertisements sent from R4 across link 2, AS100 makes the backup path look less attractive to upstream networks while leaving it available for failover. Modifying next-hop on R3 or R4 does not influence how external networks choose between two entry points into AS100. Prepending on R3 would make the preferred link less attractive, which is the opposite of the requirement. The design should also document provider policy because some providers local-preference routes before AS path, but within the choices, prepending on R4 is the appropriate inbound traffic-engineering method. Reference topics: BGP AS_PATH, inbound path control, multihoming, backup Internet edge design.

The primary capability of IaaS in this question is elastic scaling: the ability to increase or decrease infrastructure resources based on demand. In Infrastructure as a Service, the provider offers compute, storage, and network resources as an on-demand service, while the customer deploys operating systems and applications on top of that infrastructure. Cisco cloud material describes this model as providing scalable IT capacity without requiring the organization to own all physical assets. Option C is the best answer because dynamic capacity adjustment is a fundamental cloud capability and a major reason enterprises choose IaaS for variable workloads. Option B is a valid business benefit because consumption-based billing can reduce cost, but the question asks for a primary capability, not the pricing model. Option D describes automation and orchestration, which support cloud operations but are not the specific capability being tested. Option A is closer to hybrid-cloud workload mobility and is not guaranteed by IaaS alone. Reference topics: cloud service models, IaaS, elasticity, scalable compute, on-demand resource provisioning.

The selected configuration sets are correct because the addressing plan must use VLSM to maximize subnets and minimize wasted addresses. Customer A requires 125 hosts, so it needs a /25 subnet, which provides 126 usable host addresses. Customer D requires 62 hosts, so it needs a /26 subnet, which provides 62 usable addresses exactly. Point-to-point or small WAN links B, C, and E should use the smallest appropriate link subnets shown in the exhibit, typically /30 for IPv4 point-to-point links when two usable addresses are required. A correct plan must allocate the largest blocks first, align every subnet on the proper boundary, avoid overlap, and avoid assigning a larger-than-needed subnet to any customer or link. Options A and C are the two valid combinations that satisfy those rules in the exhibit. Any option that places a /25 or /26 on the wrong boundary, overlaps with another block, or wastes larger subnets on links would fail the design objective. Reference topics: IPv4 VLSM, subnet boundary alignment, host capacity planning, point-to-point addressing, route summarization readiness.

4G/5G connectivity is the best fit among the choices for edge-computing use cases because it can place network access close to users and endpoints while providing high bandwidth and low latency relative to many traditional WAN options. Edge computing is valuable when application processing, storage, or content delivery is moved closer to the point of consumption. Mobile broadband and 5G designs can support rapid deployment, local breakout, and low-latency access for distributed sites, sensors, and mobile users. MPLS Layer 3 VPN services provide predictable private WAN separation and mature QoS, but they are generally tied to provider POPs and data center-oriented connectivity rather than the closest edge location. DWDM is high-bandwidth optical transport but is primarily a metro or data center interconnect technology, not a flexible edge access service. Metro Ethernet can be strong in metropolitan areas but does not offer the broad mobile edge characteristics of 4G/5G. Reference topics: edge computing, 4G/5G WAN, low-latency access, distributed applications, WAN technology selection.

Cisco IS-IS supports Level 1, Level 2, and Level 1/Level 2 operation, and the design should restrict each link to the level it actually needs. Cisco documentation for the isis circuit-type command states that it “configures the type of adjacency that is required for neighbors on the specified interface.” In this case, the router is configured as L1/L2 and has both L1 and L2 neighbors, which causes unnecessary LSP flooding, SPF processing, and database maintenance on links that may not need both levels. Making the entire router only L1 or only L2 would be too blunt, because the router may legitimately need to participate in both domains on different interfaces. Making the router a DIS also does not solve the underlying issue; it only controls designated intermediate system behavior on broadcast networks. The best optimization is to configure each interface with the correct circuit type, such as level-1 for intra-area links and level-2-only for backbone links. This reduces control-plane load while preserving the intended two-level hierarchy.

The selected command pair is appropriate because the issue is that GigabitEthernet0/2 on SW2 is not becoming the root port as expected. In spanning-tree design, the root port is selected based on the lowest root path cost, then upstream bridge ID, then port ID when necessary. If the wrong port is selected, the engineer must adjust the local spanning-tree parameters on SW2 so that the intended interface has the best path toward the root bridge. Typical corrective commands lower the spanning-tree cost or set the port priority on the desired interface or VLAN instance. The correct answer pair is therefore the combination that changes the STP decision variables for Gig0/2 rather than changing unrelated features such as PortFast, BPDU Guard, or VLAN trunking. PortFast is unsafe on switch-to-switch links, and protection features do not make an interface more attractive as a root port. The fix must influence STP path selection while keeping the topology loop-free. Reference topics: STP root port election, path cost, port priority, root bridge path selection, Catalyst Layer 2 troubleshooting.

DiffServ is the correct QoS model for a business-critical, delay-sensitive, high-bandwidth application across DMVPN tunnels protected with IPsec. Differentiated Services classifies and marks traffic, usually with DSCP, and then applies per-hop behavior at each network device. This model scales well across enterprise WANs because routers do not need to maintain per-flow reservation state. DMVPN and IPsec overlays can carry marked traffic, and the WAN design can apply queuing, shaping, and congestion avoidance based on those markings. IntServ with RSVP can provide explicit resource reservation, but it is stateful and does not scale well across many branch tunnels. RSVP also becomes operationally difficult across encrypted overlay environments. WRED is only a congestion avoidance mechanism, not a complete QoS architecture. Because the application needs differentiated treatment but the WAN must remain scalable, DiffServ is the practical Cisco enterprise design model. Reference topics: DiffServ, DSCP marking, DMVPN QoS, IPsec QoS pre-classify, per-hop behavior, enterprise WAN QoS.

Affinity is the Cisco SD-WAN feature used to minimize TLOC and control connections and reduce strain on vSmart controllers. Cisco documentation explains that establishing affinity between controllers and edge devices allows the operator to control overlay scaling by limiting which controllers an edge device can establish control connections with. In large deployments, unrestricted connections between every WAN Edge and every controller can create unnecessary state and operational load. Affinity lets the design distribute edge connections across controllers and data centers while still preserving redundancy through primary and backup controller relationships. Color identifies the transport type or behavior associated with a TLOC, but it does not reduce controller connection scale by itself. Control-direction and control-connections are not the feature names that provide the scaling function described in the question. A well-designed SD-WAN control plane uses affinity, controller groups, and redundancy planning to keep the overlay scalable and predictable. Reference topics: Cisco SD-WAN affinity, vSmart controller scale, TLOC connections, control-plane redundancy, overlay scaling.

Root guard is the correct feature when the design must allow switches to be attached for testing but prevent those switches from influencing the spanning-tree root placement. Cisco root guard protects the intended STP root by placing a port into a root-inconsistent state if superior BPDUs are received on a port where the root should never appear. This directly addresses the risk created by rogue or lab switches connected by end users: if a user switch advertises a better bridge priority, the production access topology is not allowed to reconverge around that unauthorized device. BPDU guard is usually used on PortFast edge ports to err-disable a port that receives any BPDU, which is excellent for strict host-only ports but less aligned with the wording that users may connect their own switches for testing. Loop guard protects root or alternate ports from losing BPDUs and accidentally forwarding. BPDU skew detection is a diagnostic feature, not the correct design control. Therefore, root guard is the appropriate protection against rogue switches affecting STP topology. Reference topics: STP root placement, root guard, superior BPDUs, campus Layer 2 protection.

VRRP advertisements are sent by the current master router and include priority information used by the backup routers to evaluate mastership. In VRRP, the master is the router actively forwarding for the virtual IP address. Backups listen for advertisements; if advertisements stop, the backup with the highest effective priority can become master. This is why the statement that advertisements are sent only from the master router is correct. The advertisement also carries priority information, which is used in election behavior and failover decisions. Standby or backup routers do not normally send VRRP advertisements while a master is active, so option A is incorrect. The default advertisement interval is not three seconds in standard VRRP behavior; three seconds is commonly associated with other first-hop redundancy defaults such as HSRP hellos. Although timer fields exist in protocol operation, the exam focus here is the master-only advertisement behavior and the priority carried in those advertisements. In campus gateway redundancy design, VRRP advertisements must be protected from loss or filtering because missed advertisements can cause unnecessary master transitions.

The main purpose of the Cisco SD-Access underlay is to provide a stable routed transport that carries the overlay efficiently between fabric nodes. Among the available choices, optimizing network traffic routing and load-balancing is closest to that function. The underlay is not the security segmentation layer; segmentation is created in the overlay through virtual networks, SGTs, and policy enforcement. The underlay also is not primarily responsible for firewall or IPS services. While LAN automation can help build the underlay, automation is a deployment method rather than the underlay design purpose. A good underlay provides IP reachability, fast convergence, consistent MTU, and resilient routing so that VXLAN-encapsulated overlay traffic can move between edge, border, intermediate, and control-plane nodes. If the underlay is unstable, the overlay will inherit packet loss, convergence problems, and poor application performance. Reference topics: Cisco SD-Access underlay, routed access, IP reachability, fabric transport, underlay resilience, overlay support. This preserves stable fabric forwarding.

The telemetry mapping separates dial-in and dial-out behavior. In dial-in telemetry, the collector initiates the session toward the network device and subscribes to the data that it wants streamed. This model gives the collector direct control over the subscription lifecycle, but it requires the collector to reach the device and manage each session. In dial-out telemetry, the network device initiates the session toward the collector based on a configured subscription. This is useful when devices must stream telemetry to a centralized destination through firewalls or controlled management paths. Cisco model-driven telemetry can stream structured data from YANG models using subscription behavior rather than relying on repeated CLI polling. The selected drag-and-drop answer matches each consideration to the mode that owns the connection initiation and subscription handling. In design work, the architect must consider reachability direction, security policy, NAT traversal, collector scale, subscription persistence, and whether subscriptions should be configured on the device or created by the collector. Reference topics: model-driven telemetry, dial-in mode, dial-out mode, YANG subscriptions, gRPC telemetry, operational data streaming.

OSPF requires all nonbackbone areas to connect logically to Area 0. In the original design, HQ is Area 0 and the existing branch is Area 1, which is valid because Area 1 has connectivity to the backbone. The newly acquired branch is assigned Area 2 but is temporarily connected through the existing branch instead of directly to HQ. That means Area 2 does not have a direct logical connection to Area 0, violating the OSPF backbone requirement. The proper OSPF design mechanism for this temporary topology is a virtual link. An OSPF virtual link is configured through a transit area to logically connect a disconnected area or ABR back to the backbone. Making the existing branch a stub area does not solve the lack of Area 0 connectivity. A sham link is used in MPLS VPN OSPF designs to prefer backdoor links or preserve intra-area behavior across the provider core, not for this generic backbone disconnection. Making Area 2 a stub area also does not establish backbone reachability. Therefore, a virtual link between the new branch and HQ is required.

The Cisco SD-Access edge node is equivalent to the access-layer switch in a traditional three-tier campus design. Edge nodes are the fabric devices to which wired endpoints, access points, and other user-facing connections attach. They provide the anycast Layer 3 gateway for connected subnets, classify endpoints into virtual networks, apply policy information, and register endpoint reachability with the SD-Access control-plane node. In traditional campus terminology, this is the role normally performed by access switches at the edge of the network. Border nodes connect the SD-Access fabric to external networks, such as the WAN, data center, internet edge, or shared services. Intermediate nodes provide underlay transport between fabric nodes but do not attach endpoints to the fabric overlay. Control-plane nodes maintain mapping information rather than serving as access-layer attachment points. Understanding the edge-node role is fundamental because SD-Access policy and host mobility begin where the endpoint enters the fabric. Reference topics: SD-Access edge node, access layer, anycast gateway, endpoint registration, fabric roles.

BFD for EIGRP is the strongest design option for improving convergence after access-layer switch or uplink failure on Layer 3 links. EIGRP hello and hold timers can detect failures, but aggressive timer reduction increases control-plane chatter and still may not provide consistent subsecond detection across platforms. Cisco BFD is specifically designed to provide rapid forwarding-path failure detection for routing protocols, including EIGRP, independent of the routing protocol hello mechanism. On point-to-point Layer 3 uplinks, BFD can notify EIGRP quickly when a neighbor path fails, allowing DUAL to react without waiting for the EIGRP hold timer. Summarization from access to aggregation is useful for query scoping and stability, but it does not directly detect an access switch failure faster. Summarization from core to aggregation has even less relevance to access uplink failure detection. Therefore, the design should enable BFD for EIGRP on the access-layer uplinks, with timer values chosen carefully according to platform capability and operational stability. Reference topics: EIGRP convergence, BFD, routed access, failure detection, DUAL.

The selected design is correct because the requirement describes a resilient campus architecture that must support the same VXLAN at any access-layer switch while maintaining fast convergence and high availability. In Cisco campus and data-center-style fabric designs, VXLAN provides network virtualization by carrying Layer 2 adjacency over a routed or resilient transport. The correct design must avoid a fragile single spanning-tree domain and must provide redundant forwarding paths so that an access switch or uplink failure does not isolate the VLAN or VXLAN segment. The selected option represents the design that meets those conditions by allowing the overlay segment to be extended consistently across access switches while keeping the underlay resilient. Designs that rely on a traditional Layer 2 tree, a single aggregation point, or blocked redundant links would not meet the high availability and fast convergence objectives. The important design principle is that VXLAN should ride on a stable, redundant transport and should not depend on large Layer 2 failure domains. Reference topics: VXLAN campus design, overlay networking, fast convergence, access-layer resiliency, high availability.

Rapid PVST+ and VTP address the stated redesign goals. Moving from IEEE 802.1D STP to Rapid PVST+ reduces the impact of topology changes because rapid spanning tree provides faster convergence through proposal/agreement behavior and faster port-role transitions. That improves availability compared with classic STP timers. VTP reduces administrative effort and manual configuration errors by centrally propagating VLAN information across switches in the same VTP domain. It can also support pruning so unused VLAN traffic is not unnecessarily carried across trunks. MST could reduce spanning-tree instance count, but the question emphasizes reducing topology-change impact and reducing manual VLAN configuration work; Rapid PVST+ plus VTP addresses both directly. Storm control helps limit broadcast and multicast traffic but does not solve STP convergence or VLAN administration. Dynamic Trunking Protocol negotiates trunk state; it does not propagate VLAN information and is often avoided in deterministic campus designs. In production, VTP should be used carefully with version control, domain/password discipline, and change governance because incorrect VTP configuration can have broad impact. Reference topics: Rapid PVST+, STP convergence, VTP, VLAN pruning, campus Layer 2 operations.

VRF-Lite with OSPF satisfies the requirements because it creates multiple isolated Layer 3 routing tables without requiring a service-provider MPLS core or specialized hardware. Each VRF has its own forwarding table, interfaces, and route exchange process, so overlapping IP address space can exist in different virtual networks. When communication between segments is required, the design can use controlled route leaking, a firewall, or a shared-services VRF. OSPF can run per VRF to exchange routes within each isolated segment using widely supported routing technology. VSS, vPC, and plain 802.1Q with HSRP can improve Layer 2 or device redundancy, but they do not provide independent Layer 3 routing tables with overlapping addressing. A multihop MPLS design can also support many VPNs, but it is more complex and beyond the stated need for widely available technologies without specialized equipment. VRF-Lite is therefore the correct enterprise campus segmentation choice. Reference topics: VRF-Lite, virtual routing and forwarding, inter-VRF routing, overlapping IP address support, campus segmentation.

VRRPv3 improves protocol applicability by supporting both IPv4 and IPv6 address families. VRRPv2 is associated with IPv4 virtual router redundancy, while VRRPv3 extends the protocol so the same first-hop redundancy concept can be used for IPv6 default gateways as well. In campus and branch designs, this matters because IPv6 deployments should not require a separate redundancy design from IPv4 when a standards-based FHRP is preferred. Preemption is not a unique VRRPv3 advantage because VRRP has long supported priority-based master election and preemption behavior. Authentication is also not the correct differentiator in this comparison; VRRPv3 removed the simple protocol authentication field from the base protocol and expects security to be provided by the underlying network or IPsec where required. Stateful switchover is a platform high-availability capability, not a VRRPv3 protocol feature. Therefore, the key benefit of VRRPv3 over VRRPv2 for enterprise design is IPv4 and IPv6 support under the same redundancy protocol model.

The correct design is to use the same anycast RP address on loopback interfaces so receivers and sources register with their nearest available rendezvous point. Cisco Anycast RP designs use a common RP address advertised from multiple RP routers, allowing unicast routing to direct PIM joins and registers to the closest RP. MSDP is then used between the RP routers so each RP can learn about active sources registered to the other RP. This provides resilience and local registration while keeping RP reachability consistent for the multicast domain. Option B captures the key behavior: the RP loopback is configured with the same /32 address, and normal routing sends traffic to the closest RP. Configuring a hash value, group range splitting, or equal priority alone does not provide the Anycast RP behavior required here. A professional design should also use unique loopbacks for MSDP peer sessions while keeping the shared anycast loopback as the RP address. Reference topics: Anycast RP, MSDP, PIM-SM rendezvous points, source registration, multicast high availability.

Dial-In: collector initiates a session to the device; supports gRPC only. Dial-Out: device initiates a session to the collector; supports TCP, UDP, and gRPC.

Model-driven telemetry can operate in dial-in or dial-out mode, and the distinction is based on which side initiates the session and how the subscription is established. In dial-in telemetry, the collector initiates a session to the network device and dynamically subscribes to the required sensor paths. This is useful when the collector wants direct control over the subscription lifecycle. Cisco telemetry documentation commonly associates dial-in with gRPC-based dynamic subscriptions on supported platforms. In dial-out telemetry, the device initiates the session toward the collector based on a configured subscription. The subscription exists in the device configuration, and the device streams telemetry data to the configured destination without requiring the collector to start the connection. This design is useful when devices are behind NAT, firewalls, or operational models where the network device should push telemetry to a known collector. Therefore, the mapping is: dial-in equals collector-initiated and gRPC-only in this context; dial-out equals device-initiated and supports the listed transport options. This distinction is central to Cisco model-driven telemetry design.

UplinkFast is the correct spanning-tree feature for faster convergence after an uplink failure in a classic STP access-layer design. UplinkFast is designed for access switches that have redundant uplinks toward the distribution layer. When the primary root port fails, UplinkFast allows an alternate blocked uplink to transition rapidly to forwarding, reducing the outage compared with standard 802.1D timer-based convergence. PortFast is used on edge ports connected to end hosts, not on switch-to-switch uplinks. Loop Guard protects against unidirectional failures or missing BPDUs on non-designated ports, but it does not accelerate recovery from an access uplink failure. BackboneFast helps when an indirect link failure is detected elsewhere in the topology, but the described failure is directly between SW1 and SW2. The design objective is the fastest possible convergence during that direct uplink loss, which matches UplinkFast in a traditional STP environment. Reference topics: Spanning Tree Protocol, UplinkFast, access-layer redundancy, root port failover, Layer 2 convergence.

The correct answer is bidirectional PIM. Cisco describes bidirectional PIM as a multicast mode designed for many-to-many applications where traffic is forwarded only along a shared tree rooted at the rendezvous point. Unlike traditional PIM Sparse Mode, BIDIR-PIM does not build source-specific shortest-path trees for each active source. That design reduces multicast state in the network because routers maintain group state rather than separate source and group state for every sender. PIM Sparse Mode initially uses a shared tree through the RP, but it can switch to source trees after receivers and routers learn the active source. Dense mode floods and prunes and is not a shared-tree-only model. Source-specific multicast explicitly uses source-specific joins and does not use an RP-based shared tree. The wording “shared tree only” is the key distinction: BIDIR-PIM is built for scalable many-to-many multicast, accepts some non-shortest-path forwarding tradeoff, and avoids per-source state growth. Therefore, the stored answer must be corrected to bidirectional. Reference topics: BIDIR-PIM, shared trees, rendezvous points, many-to-many multicast scaling, PIM-SM source-tree behavior.

TLOC information is the OMP update that allows Cisco SD-WAN to build an overlay over any public or private transport without depending on the actual underlay link addressing. Cisco OMP advertises route reachability along with Transport Location mappings. A TLOC represents where and how a WAN Edge can be reached in the transport network, using attributes such as system IP, transport color, encapsulation, and next-hop information. Remote WAN Edge routers use this information to form secure data-plane tunnels to the correct transport attachment. RLOC is a LISP locator term associated with SD-Access and LISP designs, not the SD-WAN OMP construct. DTLS is the secure transport used for control connections, but it is not an OMP route information type. LISP PITR is unrelated to Cisco SD-WAN OMP. The secure overlay is built by combining OMP routes, TLOCs, policy, and encrypted tunnel establishment. Reference topics: Cisco SD-WAN OMP, TLOC routes, transport color, overlay routing, secure data-plane tunnels.

Loop guard should be used on SW2 to reduce the chance of Layer 2 forwarding loops caused by a unidirectional fiber failure. In spanning-tree operation, a root or alternate port expects to receive BPDUs from the designated bridge. If BPDUs stop arriving because the fiber becomes unidirectional, the port may incorrectly assume that the path is no longer receiving a superior BPDU and transition toward forwarding. Cisco loop guard prevents this by moving the port into a loop-inconsistent state when BPDUs are unexpectedly lost on a non-designated port. That behavior protects the topology from a port role change that could create a Layer 2 loop. BPDU filter is dangerous in this context because it can suppress BPDUs and hide the control-plane signal STP needs. BPDU guard is mainly for PortFast edge ports that should never receive BPDUs. Root guard prevents superior BPDUs from changing root placement, but it does not address unidirectional loss of expected BPDUs. Therefore, loop guard on SW2 is the proper design control. Reference topics: STP loop guard, unidirectional fiber failure, BPDU loss, loop-inconsistent state, Layer 2 resiliency.

The requirements point to a Layer 2 multipoint WAN service. VPLS provides an emulated Ethernet LAN across a provider network, allowing multiple sites to appear as if they are connected to the same Layer 2 domain. This supports full-mesh Layer 2 connectivity and preserves customer control over higher-layer services such as IPv6, multicast, routing protocols, and QoS markings. Because the provider delivers an Ethernet multipoint service, the enterprise can retain protocol independence rather than depending on the service provider to participate in IPv6 routing or multicast routing. CoS marking is also a Layer 2 QoS mechanism, so a Layer 2 VPN service is better aligned to the stated QoS requirement. VPWS is point-to-point rather than full-mesh multipoint, so it does not meet the topology requirement by itself. MPLS Layer 3 VPN is a provider-routed service and does not give the customer full Layer 2 mesh behavior. DMVPN is an overlay routed VPN and does not provide a native Layer 2 full-mesh service. Therefore, VPLS is the correct WAN connectivity option.

EIGRP and BGP are the two listed routing protocols that can support unequal-cost load balancing in Cisco enterprise designs. EIGRP performs unequal-cost load sharing by using the variance command. Feasible successor routes whose feasible distance falls within the variance multiplier can be installed alongside the successor route, provided they satisfy EIGRP loop-prevention rules. This allows traffic to use links with different composite metrics while still maintaining loop-free forwarding. BGP can also support unequal-cost distribution in specific designs, such as using BGP multipath features with additional bandwidth-based mechanisms or policy to influence traffic sharing across nonidentical paths. OSPF and IS-IS commonly support equal-cost multipath, but they do not natively perform EIGRP-style unequal-cost load balancing based on different path metrics. RIPng is also limited by hop-count behavior and is not used for unequal-cost multipath in this context. The correct design answer is therefore EIGRP and BGP. In production, the engineer must still validate hardware forwarding behavior, policy consistency, and whether the traffic-sharing method is per-flow or per-prefix.

MSTP is the correct spanning-tree choice for a Layer 2 design with many logical ports, multiple trunked VLANs, and a subsecond convergence requirement. Rapid PVST+ provides rapid convergence, but it creates a separate spanning-tree instance for every VLAN. With 30 VLANs on trunks and hundreds of active ports, the number of logical STP ports can grow quickly and increase CPU and memory load. MSTP maps many VLANs into a smaller number of spanning-tree instances while still using rapid convergence behavior based on IEEE 802.1w principles. This makes it more scalable for large Layer 2 domains than PVST+ or Rapid PVST+ when many VLANs are present. CST provides a single instance but lacks the flexibility and convergence characteristics expected in modern enterprise designs. The design needs both scalability and fast convergence, and MSTP is the standards-based protocol that best satisfies both requirements. Reference topics: MSTP, Rapid STP, logical STP ports, VLAN-to-instance mapping, Layer 2 scalability, convergence.

The correct solution is IntServ with RSVP. The requirement says the application must be able to request a specific service level and receive guaranteed bandwidth with support for delay requirements. Cisco describes Integrated Services as a QoS model that uses Resource Reservation Protocol to signal per-flow resource requirements across the network. RSVP allows applications or endpoints to request bandwidth and delay treatment; each participating network device can admit or reject the reservation based on available resources. This is exactly the behavior needed when an application must explicitly request a service profile rather than simply inherit a class marking. DiffServ with DSCP is more scalable, but it only marks traffic and applies class-based per-hop behavior. It does not provide per-flow reservation or allow the application to explicitly reserve resources. DSCP by itself is a marking mechanism, not a reservation protocol. RSVP belongs with IntServ in the classic QoS model. Reference topics: Integrated Services, RSVP, resource reservation, QoS guarantees, delay-sensitive applications.

Policing is the correct mechanism for managing traffic that exceeds the configured threshold. The application is UDP-based, inelastic, and sensitive to delay and jitter, so excess traffic should not be buffered and transmitted later. Cisco defines traffic policing as measuring traffic against a configured rate and applying an action such as transmit, drop, or remark when traffic conforms, exceeds, or violates the policy. In contrast, shaping buffers excess traffic and releases it later to smooth the output rate. That behavior is useful for TCP or provider handoff control, but it can add delay and jitter, which is harmful for inelastic real-time UDP flows. Scheduling has already been addressed by allocating bandwidth and assigning queues; it decides how queues are serviced, not how excess flows are constrained. Remarking changes packet markings but does not by itself enforce a traffic threshold. Therefore, policing is the appropriate QoS conditioning action for traffic above the configured limit. Reference topics: traffic policing, QoS conditioning, shaping versus policing, UDP real-time applications, delay and jitter control.

The required BGP address family is L2VPN EVPN. The design calls for VXLAN over a Layer 3 IPv4 fabric while preserving Layer 2 adjacency and allowing workload mobility between sites. EVPN is the BGP control plane used with VXLAN overlays to advertise MAC reachability, IP host information, and Ethernet segment information in a scalable way. It separates the Layer 2 and Layer 3 overlay control plane from the underlay IGP, which in this case is OSPF. VPNv4 is used for MPLS Layer 3 VPN routes, not VXLAN Layer 2 adjacency. IPv4 unicast advertises ordinary IP prefixes and does not carry MAC mobility or Ethernet VPN information. L2VPN VPLS or VPWS address families are associated with MPLS-based Layer 2 VPN services and do not provide the VXLAN EVPN control-plane model required here. EVPN is therefore the correct family for VXLAN fabrics that need host mobility and scalable Layer 2 extension. Reference topics: BGP EVPN, VXLAN, L2VPN EVPN address family, MAC reachability, workload mobility.

Incremental SPF is the correct solution because the problem specifically states that Type 1 or Type 2 LSAs force the OSPF process to recompute the entire shortest path tree. Cisco OSPF documentation states that when changes to a Type 1 or Type 2 LSA occur, the entire SPT is normally recomputed, and that incremental SPF allows the system to recompute only the affected part of the tree. This improves convergence and reduces CPU use because the router does not have to run a full Dijkstra calculation for every topology change. BFD detects failures quickly, but it does not change how OSPF recalculates the SPT after the LSA arrives. Standard SPF is the default full calculation behavior and therefore does not solve the optimization requirement. PRC is associated with partial route calculation behavior in some link-state contexts, but for this OSPF question the Cisco feature name is iSPF. Reference topics: OSPF incremental SPF, Type 1 LSA, Type 2 LSA, SPF optimization, campus OSPF scaling.

L2VPN is the correct technology because the requirement is for two remote offices to share a common broadcast domain across a private WAN with minimal overhead. A Layer 2 VPN service extends Ethernet or VLAN connectivity between customer sites while keeping the customer routing design independent of the provider core. From the customer perspective, the two sites can appear to be on the same Layer 2 segment, which satisfies the shared broadcast-domain requirement. GET VPN, IPsec, and GRE are Layer 3-oriented technologies. They can connect sites securely or provide tunneling, but they do not natively create a common Layer 2 broadcast domain between the offices. GRE also adds additional encapsulation overhead, and IPsec alone generally provides encrypted routed connectivity rather than an Ethernet service. For a simple direct logical path over a private WAN, an L2VPN service such as VPWS or VPLS is the appropriate design family. Reference topics: L2VPN, VPWS, VPLS, Ethernet WAN services, broadcast-domain extension, private WAN connectivity.

Cisco SD-WAN detects subsecond transport failure by running BFD across the IPsec tunnels between WAN Edge routers. The WAN Edge devices form encrypted data-plane tunnels over each transport, and BFD probes those tunnels to measure liveliness, loss, latency, jitter, and path availability. When BFD detects a failed or degraded tunnel, the SD-WAN fabric can withdraw or avoid that path quickly, enabling application-aware routing and fast failover. Hellos between WAN Edge routers and vSmart controllers are control-plane mechanisms and do not directly detect data-plane transport failure between edge routers. BGP is not the SD-WAN overlay control protocol for this function; OMP is used with vSmart for overlay route and policy exchange. Link-state messages between vSmart controllers do not measure transport-path liveliness. Therefore, BFD on IPsec tunnels is the correct failure-detection mechanism. The design should ensure that BFD timers, tunnel scale, controller policy, and SLA classes are chosen to balance fast failover with platform resources and transport stability. Reference topics: Cisco SD-WAN BFD, IPsec tunnels, transport failure detection, application-aware routing, data-plane liveliness.

DMVPN is the correct design because it satisfies all of the stated branch requirements without requiring manually built static tunnels for every store. Cisco DMVPN uses multipoint GRE with NHRP and IPsec to create a scalable hub-and-spoke overlay, and later phases allow dynamic spoke-to-spoke tunnels when branch-to-branch traffic is required. GRE supports multicast and dynamic routing protocols, while IPsec supplies encryption across the lower-cost WAN transport. This fits the requirement to deliver multicast training, use dynamic routing, preserve QoS markings and policy behavior, and simplify future branch additions because new spokes can register dynamically with the hub. VPLS would provide Layer 2 multipoint service, but it is typically a provider-delivered service and does not meet the secure dynamic VPN requirement as directly. GET VPN is efficient for private MPLS environments, but it does not create dynamic GRE tunnels from the hub for new stores. Static IPsec is secure but operationally poor at scale and does not natively carry multicast without an overlay. Therefore, the design should include DMVPN. Reference topics: DMVPN, mGRE, NHRP, IPsec protection, multicast over VPN.

Dual stack is the correct migration strategy when the application chooses IPv6 or IPv4 based on DNS resolution. In a dual-stack deployment, hosts and network devices run IPv4 and IPv6 at the same time. Applications can query DNS and then select the protocol based on the returned records, such as using an AAAA record for IPv6 or an A record for IPv4. This gives the organization a controlled migration path because IPv6-capable applications and services can move to IPv6 while legacy IPv4 services remain reachable during the transition. Address-family translation for public web presence is useful when IPv6-only and IPv4-only endpoints must communicate through a translation boundary, but it does not provide native application choice between the protocols. Host-initiated tunnels and site-to-site IPv6-over-IPv4 tunnels encapsulate one protocol over another and add operational overhead. The question’s key phrase is that the application chooses between IPv6 and IPv4 based on DNS; that is the normal dual-stack behavior. Reference topics: IPv6 migration, dual stack, DNS A and AAAA records, transition strategy, application protocol selection.

The correct action is to configure EIGRP stub behavior on R4. The DUAL-3-SIA message indicates a Stuck-in-Active condition, which occurs when EIGRP sends a query and does not receive a reply within the expected time. Cisco explains that EIGRP stub routing is used to improve stability and reduce resource usage by preventing unnecessary queries from being sent to remote or edge routers. In the described topology, R4 is connected over a limited 10 Mbps inter-router link and should not be treated as a transit router for the rest of the routing domain. Making R4 an EIGRP stub limits the query scope and reduces the chance of active routes waiting on a slow or constrained neighbor. Poison reverse and split-horizon changes address loop prevention and hub-and-spoke update behavior, but they do not directly solve the SIA instability. A summary on R2 may help scaling but does not identify the edge-router query boundary as precisely as EIGRP stub. Reference topics: EIGRP DUAL, Stuck-in-Active, EIGRP stub routing, query scoping, WAN edge stability.

The branch router should advertise the local LAN with the EIGRP network command and make the LAN-facing interface passive. A passive interface allows the connected network to be included in EIGRP advertisements while suppressing EIGRP hello packets and neighbor formation on that interface. This is exactly what the engineer needs: remote EIGRP neighbors learn the LAN subnet, but unnecessary multicast EIGRP messages are not sent onto the user LAN where no EIGRP neighbors should exist. Replacing EIGRP with a static default route would not meet the requirement to advertise the local LAN through EIGRP. Redistributing connected routes can work, but it is less clean for a simple LAN interface and can introduce external-route behavior or policy complexity. Advertising the subnet as a stub network does not suppress multicast hellos on the LAN interface by itself. Cisco design best practice is to use passive interfaces on LAN-facing interfaces that should be advertised but should not form routing adjacencies. Reference topics: EIGRP passive interface, network statements, branch routing, unnecessary neighbor prevention, multicast control traffic.

The SD-WAN onboarding sequence follows the controller trust and overlay-establishment workflow. A WAN Edge device first obtains basic reachability information through manual bootstrap, ZTP, or PnP-style provisioning so it can reach the orchestration components. It then establishes secure control connectivity to the orchestrator and validates identity through the certificate and authorized serial number information. After orchestration, the device forms the required secure control connections to the management and control-plane components, receives its configuration, and participates in OMP route exchange. Finally, the WAN Edge builds encrypted data-plane tunnels to other WAN Edge devices based on the TLOC and policy information learned through the control plane. This order matters because the device cannot exchange overlay routes or build data-plane IPsec tunnels until it is authenticated and authorized in the SD-WAN fabric. Cisco SD-WAN designs rely on this sequence to support zero-touch deployment, centralized policy, and secure fabric admission. Reference topics: Cisco SD-WAN onboarding, vBond orchestration, certificate validation, OMP, TLOC exchange, data-plane tunnel establishment.

Bootstrap Router is the standards-based mechanism that supports dynamic RP discovery in a PIM sparse-mode domain. Cisco documentation distinguishes Auto-RP, which is Cisco-proprietary, from BSR, which is defined for standards-based RP distribution. With BSR, candidate RPs advertise their availability, and the elected bootstrap router distributes RP-set information throughout the PIM domain. This removes the operational burden of manually configuring the same static RP information on every multicast router. Anycast-RP provides RP redundancy and load sharing but does not by itself provide standards-based dynamic RP discovery across the domain. Static RP is simple but not dynamic. Auto-RP can dynamically distribute RP information, but it is not the standards-based answer. The design value of BSR is most visible in large multicast domains, where routers need consistent RP information and manual changes are risky. Therefore, when the question asks for a standards-based RP deployment that supports dynamic RP discovery, the correct answer is bootstrap router. Reference topics: PIM sparse mode, Bootstrap Router, candidate RP, RP-set distribution, dynamic RP discovery.

Graceful restart is the correct high-availability design when the routing process on an intermediate OSPF router must undergo maintenance while the data plane remains available. Cisco describes graceful restart as a mechanism that allows a restarting router to continue forwarding traffic while neighbors temporarily preserve adjacency and route information. In OSPF, helper-capable neighbors assist the restarting router by maintaining forwarding state during the restart interval, preventing unnecessary route withdrawal and reconvergence. BFD is a failure-detection mechanism, so it would actually accelerate detection of a failure rather than preserve the forwarding path during planned process maintenance. Nonstop forwarding must be enabled on the device performing the control-plane restart and supported by neighbors, but the broad answer choice that captures the required routing-protocol behavior across the design is graceful restart on the participating routers. Configuring it only on R1 and R3 or only on R3 would not support the R2 process maintenance scenario. Reference topics: OSPF graceful restart, NSF, helper mode, control-plane maintenance, data-plane availability.

AES Galois/Counter Mode is the appropriate AES mode for Cisco SD-WAN environments that include multicast applications. In SD-WAN data-plane security, encryption must protect traffic efficiently while supporting high-throughput forwarding and modern integrity protection. AES-GCM is an authenticated encryption mode, which means it provides confidentiality and integrity in a single efficient operation. It is well suited to modern IPsec designs and avoids the older requirement to combine a confidentiality mode with a separate authentication algorithm. Cipher Block Chaining and Cipher Feedback are older modes and are not preferred for this design requirement. Electronic Code Book is unsuitable because it exposes patterns in plaintext and is not considered secure for network transport encryption. Multicast support also requires a data-plane security model that can scale without per-flow negotiation overhead. AES-GCM is therefore the correct selection for a secure, efficient Cisco SD-WAN deployment that must carry multicast traffic. Reference topics: Cisco SD-WAN encryption, AES-GCM, IPsec data-plane security, multicast transport, authenticated encryption.

The valid get-config reply must show OSPF process ID 400 with network 192.168.128.128/25 enabled for Area 0. A /25 prefix has a block size of 128 addresses, so 192.168.128.128/25 is a valid network boundary and covers addresses from 192.168.128.128 through 192.168.128.255. Any reply that shows the wrong OSPF process, an incorrect network boundary, the wrong prefix length or wildcard equivalent, or a nonzero area does not verify the requested model set. In Cisco IOS XE model-driven configuration, the readback has to match the schema path and values used by the model, not simply produce an approximate CLI interpretation. Option B is the reply that confirms the intended OSPF object. This verification method is important because YANG automation can fail silently in operational workflows when the payload is syntactically valid but targets the wrong container or key. A get-config verification step confirms the running datastore contains the exact OSPF process and area membership required by the design. Reference topics: YANG OSPF configuration, NETCONF get-config, prefix validation, IOS XE native models.

Cisco SD-WAN uses the Overlay Management Protocol to exchange control-plane information between WAN Edge routers and vSmart controllers. OMP advertises three major categories of routing information: OMP routes, TLOC routes, and service routes. OMP routes represent reachability to prefixes in service VPNs, such as connected, static, OSPF, EIGRP, BGP, or other routes learned at the local site. TLOC routes describe transport locations, which bind a system IP, color, and encapsulation to a WAN transport attachment. Service routes indicate service insertion capabilities, such as firewalls or other network services that can be reached through a particular site. This separation allows Cisco SD-WAN to build a secure overlay over any public or private transport while keeping transport reachability, service-side prefixes, and inserted services distinct. The other answer choices use generic terms such as underlay, MPLS, Internet, backup, or primary routes, but those are not the formal OMP advertisement categories. Therefore, the correct answer is prefix, TLOC, and service.

Route tags are the correct loop-prevention mechanism when connecting another routing domain or redistributed network behind R3 into an EIGRP network. Redistribution can create route feedback: a route learned from one domain is redistributed into another, then later redistributed back into the original domain as if it were new information. That can produce routing loops or suboptimal path selection, especially in multipoint redistribution designs. Cisco route-map based redistribution commonly uses route tags to mark the origin of redistributed routes. Other redistribution points can then match those tags and prevent the same routes from being reintroduced into the source domain. Split horizon prevents advertisements back out the interface on which a route was learned, but it is not sufficient for multipoint redistribution loop prevention. Summarization reduces route detail and query scope but does not identify route origin. The OSPF down bit is used in MPLS VPN/OSPF PE-CE scenarios, not general EIGRP redistribution. Therefore, the design should use route tags. Reference topics: EIGRP redistribution, route tagging, routing-loop prevention, route maps, redistribution policy.

NETCONF supports event notifications through a subscription model. The operation used to establish a notification subscription is create-subscription. When a client sends this operation, it can specify the stream and optional filters that determine which notifications are delivered to that NETCONF session. This is why create-subscription is the operation associated with session-specific notification filtering. The commit operation is used with the candidate configuration datastore to apply configuration changes to the running datastore; it does not create a telemetry or event subscription. The notification element is the message sent by the server after a subscription exists, not the operation used to create one. Logging is not a NETCONF operation in the protocol operation set. In Cisco model-driven management designs, NETCONF provides structured configuration and operational access using YANG data models, while notifications allow the management station to consume specific events without relying on repeated screen scraping or broad polling. Therefore, the correct operation for creating filtering specific to session notifications is create-subscription.

NETCONF supports XML, while RESTCONF supports both XML and JSON. Cisco programmability documentation describes NETCONF as an XML-based protocol that exchanges RPC requests and replies such as get, get-config, and edit-config using XML encoding. NETCONF is tightly aligned with YANG-modeled data, but the protocol message format itself is XML. RESTCONF exposes YANG-modeled data through an HTTP or HTTPS API and can represent payloads in XML or JSON. Cisco DevNet material commonly summarizes the comparison as NETCONF equals XML, while RESTCONF equals XML or JSON. That is why option D is accurate. Option A is wrong because NETCONF does not use JSON in the same way RESTCONF does. Option B is incomplete because RESTCONF is not limited to JSON. Option C reverses the protocol encodings. This distinction matters in automation design because tool selection, content type, parsing, and API workflows differ by protocol. Reference topics: NETCONF, RESTCONF, YANG, XML encoding, JSON encoding, model-driven programmability.

The design must enable IPv6 multi-topology behavior at the appropriate edge routers and move metric handling toward transition support where the current IS-IS network still uses narrow metrics. Multi-topology IS-IS is important during IPv4-to-IPv6 migration because IPv4 and IPv6 reachability do not always exist on identical links at every stage of the migration. If IPv6 follows the IPv4 topology when some devices or paths are not IPv6-ready, traffic can be blackholed. Multi-topology allows independent IPv4 and IPv6 SPF calculations, which prevents IPv6 traffic from being forwarded through IPv4-only portions of the network. The metric-style transition setting is used when migrating from narrow to wide metrics, allowing interoperability while routers are upgraded and the design scales. Because the requirement says IPv6 areas will grow and the current network uses narrow metrics, the selected edge devices must support the IPv6 topology and metric transition behavior shown in the exhibit. Reference topics: IS-IS IPv6, multi-topology IS-IS, narrow metrics, wide metric transition, IPv6 migration, blackhole prevention.

Route summarization and EIGRP stub routing are the two correct design techniques for a stable and scalable EIGRP deployment. Summarization reduces the number of prefixes advertised upstream, conserves bandwidth and memory, hides route flaps behind the summary boundary, and reduces the size of the EIGRP topology table. Stub routing prevents branch or access devices from being used as transit routers and limits the scope of EIGRP queries. This is critical because uncontrolled EIGRP query propagation can increase convergence time and processing load, especially in larger hierarchical networks. Prefix lists and distribute lists can filter routes, but filtering alone does not provide the same query-boundary and topology-hiding benefits as summarization and stubs. Static redistribution increases complexity and can create loop or policy risks if not controlled with tags and metrics. The question specifically asks to conserve bandwidth, memory, and CPU, prevent suboptimal routing, and avoid unnecessary queries; summarization and stub routing are the direct Cisco design answers. The architect should summarize at hierarchy boundaries and configure access or branch routers as EIGRP stubs where they should not provide transit. Reference topics: EIGRP summarization, EIGRP stub routing, query scope, hierarchical routing.

EIGRP with stub routing and variance is the best fit for Cisco-only DMVPN branches with unequal Internet link speeds and limited branch resources. EIGRP works well over DMVPN because it supports hub-and-spoke designs, unequal-cost load balancing, and simple branch optimization through stub routing. Stub branches limit query propagation and reduce CPU, memory, and bandwidth consumption on small routers. Variance allows EIGRP to use feasible unequal-cost paths, which is important when one Internet connection is 10 Mbps and the other is 100 Mbps. OSPF can run over DMVPN, but virtual links are not an appropriate branch design and OSPF is less efficient in this specific Cisco-only unequal-bandwidth scenario. IS-IS is not commonly selected for small DMVPN branch overlays. iBGP with route reflectors can scale, but it does not inherently use link utilization and unequal metric behavior as cleanly as EIGRP variance for this requirement. Reference topics: EIGRP over DMVPN, stub routing, variance, unequal-cost load balancing, branch resource optimization.

Traffic shaping is the correct QoS design for a 1-Gbps handoff with a 100-Mbps committed information rate when the provider aggressively drops traffic above the CIR. Cisco distinguishes shaping from policing: shaping buffers and delays excess packets so the sender transmits at a configured rate, while policing drops or remarks traffic that exceeds the configured rate. Because the customer wants to maximize bandwidth usage up to the 100-Mbps CIR and avoid excessive TCP retransmissions, shaping is the better fit. Policing at the customer edge would simply drop excess traffic locally, creating the same kind of loss problem. A markdown policer is useful when lower-priority traffic should be reclassified, but it does not smooth bursts into the provider’s CIR. Queuing helps during congestion, but without shaping the router can still send bursts at the 1-Gbps physical rate into a provider policer. The correct design is to shape outbound traffic to the CIR, then use child-policy queuing if class-based service guarantees are required. Reference topics: traffic shaping, policing, CIR, hierarchical QoS, TCP retransmission avoidance.

A major SaaS challenge is the lack of direct application and infrastructure control. With Software as a Service, the provider operates the application stack, platform, upgrades, and supporting infrastructure. The customer benefits from reduced maintenance burden and lower initial deployment cost, but gives up much of the direct control normally available with on-premises applications. This affects troubleshooting, change windows, performance visibility, customization, data residency controls, and integration with existing enterprise systems. Higher initial costs are usually not a SaaS characteristic; SaaS commonly shifts spending toward subscription operating expense. Client computer upgrades are not normally required in the same way as thick-client enterprise software. Data and application integration can be complex, but the option that best captures the core architectural challenge is reduced control over the application and infrastructure. Network architects must account for this by designing secure direct internet access, cloud monitoring, identity integration, and reliable paths to SaaS providers. Reference topics: SaaS architecture, cloud application control, enterprise cloud access, operational visibility, SD-WAN SaaS design.

Static routes tied to IP SLA with a floating static backup route provide the cleanest active/standby design for this requirement. The MPLS L3VPN path is the primary connection and should carry traffic while it is available. IP SLA can actively test reachability across the primary path, and object tracking can remove the primary static route if the test fails. The backup IPsec VPN route is configured with a higher administrative distance, so it remains inactive until the primary route is withdrawn. This design is deterministic and prevents traffic from using the backup tunnel during normal operation. Running EIGRP across both paths could allow dynamic path selection, but it would require careful metric manipulation and could still introduce unintended failover behavior. BGP multipath is the opposite of the requirement because it is designed to install multiple paths simultaneously for load sharing. OSPF passive-interface on the backup connection would prevent neighbor formation rather than provide reliable backup routing. For a branch with one primary MPLS path and one backup IPsec path, tracked static routing with IP SLA is the appropriate design.

OSPF with the hub in area 0 and branch routers in stub areas with ECMP is the best fit because the customer has multivendor branch routers with limited memory and CPU. EIGRP is not suitable in this case because the branch environment is multivendor and EIGRP is not the safest open-standard design choice for broad interoperability. IS-IS can be efficient, but it is less common for small DMVPN branch deployments and the option does not address the requirement for resource-constrained branch routing. eBGP route reflection is not technically correct, because route reflectors are an iBGP scaling mechanism. OSPF provides an open-standard dynamic routing solution, and placing branches in stub areas limits the amount of external routing information that low-resource branch routers must process. ECMP allows both equal 10-Mbps DMVPN paths to be used when equal-cost paths exist. This design reduces operational overhead compared with static routing while respecting the platform constraints at the spokes. Reference topics: OSPF branch design, stub areas, ECMP, DMVPN routing, multivendor interoperability, branch resource optimization.

GET VPN is the correct technology for this private WAN requirement. Cisco Group Encrypted Transport VPN secures unicast and multicast traffic over a private WAN using IPsec encryption and group key management. Its key advantage is that it preserves the original packet header instead of building permanent point-to-point tunnels, which reduces forwarding overhead compared with GRE/IPsec or DMVPN overlays. Cisco describes GET VPN as using a centralized key server to distribute group keys and security policy to group members, satisfying the requirement for centralized security management. It also supports multicast efficiently because the core or provider network can perform multicast replication while the traffic remains encrypted. IPsec point-to-point would not scale well across many remote sites and lacks group key management. mGRE alone does not encrypt traffic. DMVPN Phase 3 supports dynamic encrypted tunnels and spoke-to-spoke communication, but it still relies on tunnel encapsulation and does not reduce overhead the way GET VPN does on a private WAN. Reference topics: GET VPN, GDOI, IPsec group encryption, private WAN, multicast encryption.

Service routes in OMP updates identify services that are available for centralized service insertion. In Cisco Catalyst SD-WAN, OMP does more than advertise ordinary VPN prefixes. It also carries TLOC routes, which describe transport locators, and service routes, which allow the fabric to steer traffic toward network services such as firewalls, intrusion prevention systems, or other centralized service nodes. This is how the SD-WAN control plane distributes enough information for WAN Edge routers to make policy-driven forwarding decisions without requiring each device to learn service attachment through a separate routing protocol. A service route is not used to describe the underlay transport itself, because that function is handled by TLOC information. It is also not a route to the orchestration plane or a remote management definition. The design value is that service insertion can be centrally advertised and controlled through OMP, then applied consistently through SD-WAN policy. Reference topics: Cisco SD-WAN OMP, service routes, TLOC routes, service insertion, centralized data policy.

An OSPF sham link is the correct MPLS VPN design when backdoor links exist between customer sites and should be used only if the MPLS core is unavailable. In MPLS Layer 3 VPN designs that run OSPF between CE and PE routers, the MPLS VPN path can appear as an interarea route, while a direct dark-fiber backdoor link may appear as an intra-area route. OSPF prefers intra-area routes over interarea routes, so traffic could incorrectly prefer the dark-fiber path during normal operation. Cisco sham links solve this by creating an intra-area logical link across the MPLS VPN backbone between PE routers, making the MPLS path competitive or preferred according to OSPF cost. A virtual link connects disconnected OSPF area 0 sections and is not the right MPLS VPN tool. Stub and NSSA area types control external LSA behavior, not MPLS-backdoor path preference. The sham link preserves the desired routing hierarchy while keeping the direct dark fiber as backup. Reference topics: OSPF sham link, MPLS L3VPN, PE-CE routing, backdoor links, route preference.

When dual WAN Edge routers are deployed at a branch, first-hop redundancy and SD-WAN overlay path preference must be aligned. The correct design consideration is that HSRP priorities on the service side should match the OMP routing policy that determines which WAN Edge is preferred. If the LAN gateway points hosts to one WAN Edge while OMP policy prefers the other edge for return or remote-site traffic, traffic can become asymmetric or hairpinned through the wrong device. Proper alignment gives predictable active/standby or active/active behavior and avoids blackholing during failover. Option A describes traditional BGP path manipulation with AS-path prepending and MED; those are not the primary SD-WAN branch dual-edge design controls. Option C overstates symmetry as a universal requirement for DPI; Cisco SD-WAN can handle many traffic patterns, but gateway and OMP alignment remain the core branch design issue. Option D is wrong because SD-WAN already uses BFD across data-plane tunnels, not as a special direct adjacency between the two local WAN Edges for this purpose. Reference topics: Cisco SD-WAN branch redundancy, HSRP, OMP policy, WAN Edge preference, service-side high availability.

The border node is part of the Cisco SD-Access overlay architecture. In the SD-Access fabric, the overlay consists of fabric roles and services that provide endpoint connectivity, segmentation, policy, and external reachability over the routed underlay. Border nodes connect the fabric overlay to external Layer 3 networks, shared services, WAN, Internet, or other fabric/transit domains. They perform the fabric boundary function, including routing between virtual networks and external routing domains as designed. Spine and leaf are generic data center or fabric topology terms and are not the named SD-Access fabric overlay roles in this question. Cisco DNA Center, now Cisco Catalyst Center, is central to management, automation, assurance, and policy deployment, but it is not itself an overlay forwarding component. The forwarding overlay is built from roles such as edge, border, control-plane, and intermediate nodes. Therefore, the correct component from the options is the border node. The design should select border placement based on external connectivity, scale, route control, redundancy, and whether the border is internal, external, or anywhere border. Reference topics: SD-Access overlay, border node, fabric roles, external connectivity, virtual networks.

Virtual networks in Cisco SD-Access provide macro segmentation. Macro segmentation separates major user, device, or service groups into distinct virtual networks, each with its own routing and forwarding context. This is comparable to VRF-based separation in traditional enterprise designs. For example, corporate users, guests, building systems, and IoT devices can be placed into separate virtual networks so their routing domains remain isolated unless controlled inter-VN communication is explicitly provided. Microsegmentation is different; it is normally enforced inside or across virtual networks using Security Group Tags and Security Group ACLs, allowing policy decisions based on group identity rather than only IP subnets or VLANs. Inter-VN describes communication between virtual networks, not the segmentation type itself. Stretched segmentation is not the standard SD-Access term. Therefore, the separation created by virtual networks is macro segmentation, while SGT-based policy provides finer-grained microsegmentation. Reference topics: Cisco SD-Access virtual networks, macro segmentation, VRF, SGT, microsegmentation, policy enforcement.

The drag-and-drop mapping separates WAN connectivity technologies by the service characteristics they deliver. Cisco enterprise WAN designs distinguish private WAN options, such as MPLS Layer 3 VPN, Ethernet WAN, VPLS, and VPWS, from Internet-based options such as broadband, LTE, and VPN overlays. Layer 3 MPLS VPN gives the provider responsibility for routing between customer sites and is commonly used when private any-to-any routing, QoS treatment, and segmentation are required. Layer 2 services such as VPWS and VPLS extend customer Layer 2 adjacency across a provider network; VPWS is point-to-point, while VPLS is multipoint. Internet and cellular links are typically lower-cost and fast to deploy, but they require overlay security, such as IPsec, DMVPN, or SD-WAN encryption, when used for enterprise private traffic. The selected mapping therefore aligns each description with the WAN category that actually provides that behavior. In design work, the architect must compare latency, resiliency, SLA, QoS preservation, encryption requirements, routing control, and operational ownership before selecting the WAN type. Reference topics: enterprise WAN connectivity, MPLS VPN, VPLS, VPWS, Internet VPN, cellular backup.

The correct design is to deploy the application in both data centers, advertise the application prefix from DC1 as a /32, and advertise a broader /24 from DC2. This uses longest-prefix-match behavior to create deterministic primary and backup routing. Cisco routing logic prefers the most specific matching route in the routing table, regardless of administrative distance or metric comparisons among less specific covering routes. As long as the DC1 /32 is present, traffic for that exact application address follows DC1. If DC1, its edge path, or the /32 advertisement fails, the /32 is withdrawn and the remaining /24 covering route from DC2 provides backup reachability. Advertising the same prefix from both locations may result in load sharing or provider-dependent selection, which does not guarantee DC1 primary behavior. IP SLA could be used in some route-tracking designs, but the clean routing solution tested here is prefix specificity. Reference topics: longest-prefix match, BGP advertisement, active/standby data center routing, covering routes, route failover.

The IS-IS hierarchy should place access or internal area routers at Level 1, boundary routers at Level 1/2, and backbone routers at Level 2. In this exhibit, users in areas 25 and 55 must send and receive traffic through both backbone areas, while link flaps in areas 35 and 45 must not affect other areas. Cisco IS-IS design uses Level 1 areas to contain local topology changes and Level 2 routing to interconnect areas through the backbone. Level 1/2 routers sit at the area boundary and leak or advertise reachability between the local Level 1 area and the Level 2 backbone. Option C matches that hierarchy by placing A-series routers as Level 1, B-series routers as Level 1/2, and C-series routers as Level 2. Making too many routers Level 1/2 would expand the impact of topology changes and reduce scaling benefits. Making backbone routers Level 1 would break interarea design. Reference topics: IS-IS hierarchy, Level 1, Level 2, Level 1/2 routers, failure-domain containment, enterprise scaling.

Route tagging with a route map is the correct redistribution loop-prevention method. In a design with mutual redistribution between OSPF and IS-IS, a route learned from one domain can be redistributed into the other domain and then fed back into the original domain at another redistribution point. This creates route feedback, suboptimal routing, or loops. Cisco routing design commonly prevents this by tagging routes at the point of redistribution and then filtering or denying routes with that tag when they are seen again at another redistribution boundary. A route map can set the tag during redistribution and match the tag on the reverse redistribution direction. Changing administrative distance may influence local route selection, but it does not reliably prevent feedback throughout the network. Stub areas reduce external LSA scope in OSPF, but they do not solve a multipoint redistribution loop between OSPF and IS-IS. Prefix filtering can work, but tagging scales better and preserves route identity across redistribution points. Reference topics: route redistribution, route tagging, route maps, OSPF, IS-IS, loop prevention.

Stateful NAT64 is the correct translation solution when IPv6-only corporate hosts need Internet connectivity to IPv4 resources using a limited IPv4 address pool. NAT64 translates IPv6 client addresses to IPv4 addresses and maintains state for each session, allowing many IPv6 hosts to share a smaller set of IPv4 addresses through port multiplexing. The design is restricted to the 172.16.168.0/22 subnet, which provides an IPv4 pool that can be used for stateful translation. Stateless NAT64 requires algorithmic one-to-one address mapping and normally needs enough IPv4 address space to represent IPv6 hosts deterministically; it is not suitable when many clients must share a restricted IPv4 block. NAT66 translates IPv6 to IPv6 and does not provide access to IPv4 Internet resources. In a production design, stateful NAT64 is often paired with DNS64 so IPv6-only clients can resolve IPv4-only destinations through synthesized AAAA records. Reference topics: stateful NAT64, DNS64, IPv6-to-IPv4 translation, address conservation, Internet access migration.

OpenConfig, IETF, and Cisco native YANG models differ mainly in scope and implementation focus. IETF models are standards-based and are intended to cover common protocol or interface functions across vendors. OpenConfig models are vendor-neutral operational and configuration models developed for broad network automation use cases and often provide a more detailed service or operational structure than the corresponding baseline IETF model. Cisco native models are device and operating-system specific, which means they usually expose the most complete Cisco feature coverage but are less portable across vendors. For the question wording, OpenConfig is more comprehensive than IETF when configuring the same general feature in a multivendor environment, because OpenConfig commonly defines richer operational and configuration containers beyond the minimum standards model. Option B is incorrect because Cisco native models are not generally less comprehensive than OpenConfig on Cisco devices. Option C is also incorrect for the same reason. Option D reverses the usual relationship. Reference topics: YANG model families, IETF models, OpenConfig models, Cisco native YANG models, model-driven programmability.

The branch subnets must each support up to 200 hosts, so /120 is the correct IPv6 prefix length from the available options. A /120 provides 256 IPv6 addresses, which satisfies the 200-host requirement. A /121 provides only 128 addresses, which is not enough. The parent block is 2a01:0c30:0016:7009::3800/118. A /118 has 10 host bits, so it contains 1024 addresses and spans from ::3800 through ::3bff. The valid /120 boundaries inside that parent are ::3800/120, ::3900/120, ::3a00/120, and ::3b00/120. From the listed choices, 2a01:0c30:0016:7009::3a00/120 and 2a01:0c30:0016:7009::3b00/120 both fall inside the parent allocation and provide enough address capacity. The /121 options are too small, and ::3c00/120 is outside the /118 parent range. This is a straightforward IPv6 prefix-boundary and capacity calculation. Reference topics: IPv6 subnetting, prefix length, address block boundaries, branch address planning.