Cisco 300-420 Designing Cisco Enterprise Networks (ENSLD) v1.1 Exam Practice Test

Traffic shaping is the correct QoS design for a 1-Gbps handoff with a 100-Mbps committed information rate when the provider aggressively drops traffic above the CIR. Cisco distinguishes shaping from policing: shaping buffers and delays excess packets so the sender transmits at a configured rate, while policing drops or remarks traffic that exceeds the configured rate. Because the customer wants to maximize bandwidth usage up to the 100-Mbps CIR and avoid excessive TCP retransmissions, shaping is the better fit. Policing at the customer edge would simply drop excess traffic locally, creating the same kind of loss problem. A markdown policer is useful when lower-priority traffic should be reclassified, but it does not smooth bursts into the provider’s CIR. Queuing helps during congestion, but without shaping the router can still send bursts at the 1-Gbps physical rate into a provider policer. The correct design is to shape outbound traffic to the CIR, then use child-policy queuing if class-based service guarantees are required. Reference topics: traffic shaping, policing, CIR, hierarchical QoS, TCP retransmission avoidance.

BFD with default BGP timers is the best design choice because it improves failure detection without forcing BGP itself to run aggressive keepalive processing. Cisco documentation describes BFD as providing fast forwarding-path failure detection and notes that BFD can be less CPU-intensive than reduced EIGRP, BGP, and OSPF timers because parts of BFD can be distributed to the data plane. Lowering BGP keepalive and hold timers makes the BGP process detect failure sooner, but it increases control-plane activity and can create instability at scale. Tuning the BFD multiplier to an extreme value such as 50 is also counterproductive because it lengthens detection rather than improving it, depending on the interval used. The correct approach is to leave normal BGP timers in place and bind BGP neighbor fall-over to BFD. When the forwarding path fails, BFD notifies BGP quickly, allowing the route to be withdrawn and an alternate provider path to be selected faster without unnecessary BGP timer churn.

IP directed broadcast must be enabled on the last Layer 3 device connected to the destination client subnet, which is R2 in the exhibit. Wake-on-LAN uses a magic packet that must reach sleeping hosts on the target LAN. Because sleeping clients often do not have an active IP stack or ARP entry, the WoL packet is commonly sent as a directed broadcast toward the target subnet. Routers forward the packet as a unicast until it reaches the destination subnet, where the last-hop router converts it into a Layer 2 broadcast if directed broadcasts are permitted. Cisco disables directed broadcasts by default on many platforms because of historical amplification-attack risks, so the design should enable it only where needed and protect it with ACLs. Spanning-tree UplinkFast is unrelated to delivering WoL packets; it improves STP convergence on access switches. Enabling directed broadcasts on the wrong router would not place the magic packet onto the client VLAN. Therefore, R2, the last-hop router toward the target WoL clients, is the correct location. Reference topics: Wake-on-LAN, IP directed broadcast, last-hop router behavior, subnet broadcast forwarding, ACL protection.

Single-topology IS-IS with the transition feature is the correct design when IPv6 is being added to an existing IPv4 IS-IS network and both topologies must match exactly. In single-topology mode, IS-IS calculates one topology and uses it for both IPv4 and IPv6, which fits the requirement that the IPv4 and IPv6 paths and router levels remain the same on each interface. Cisco documentation notes that single-topology IS-IS IPv6 requires routers to run the same set of address families for adjacency consistency; during migration, transition support allows the network to operate while IPv6 is introduced gradually. Multi-topology IS-IS is used when IPv4 and IPv6 should be allowed to follow different topologies or when not all routers support the same address families. The question explicitly says the topologies will match exactly, so multi-topology is unnecessary. Single topology without the transition feature is risky during phased migration because routers that do not yet run both address families may fail adjacency checks or create blackholing. Reference topics: IS-IS for IPv6, single-topology IS-IS, transition mode, address-family consistency, IPv6 migration.

Contracting an internet connection and deploying DMVPN is the most practical solution when the enterprise needs a fast, affordable, and reliable backup for a single MPLS provider. DMVPN can use broadband internet transport to build encrypted GRE/IPsec tunnels between sites, providing a backup WAN path without waiting for another private MPLS provider circuit. It supports dynamic routing and can be deployed incrementally, which makes it suitable after a recent outage when time and cost matter. BFD echo mode toward a provider PE can improve failure detection, but it does not create an alternate transport if the only MPLS provider has an outage. Adding a WAN router and a floating static route also fails unless another path exists. Contracting a second MPLS provider and deploying GETVPN may be robust, but it is slower and more expensive than the requested quick and affordable backup. Reference topics: DMVPN backup WAN, MPLS resiliency, internet VPN, IPsec, branch availability, rapid WAN deployment.

Reverse Path Forwarding prevents multicast loops and duplicate packet forwarding. Multicast routing is source-oriented, so a router must verify that multicast traffic arrives on the interface it would use to reach the source or rendezvous point, depending on the tree state. If the packet arrives on the expected reverse-path interface, the RPF check succeeds and the router can forward the packet to the outgoing interface list. If it arrives on the wrong interface, the packet is dropped because accepting it could create a loop or duplicate stream. Cisco multicast designs rely on RPF checks with PIM to maintain loop-free distribution trees across redundant routed topologies. RPF does not notify upstream routers by itself, does not eliminate overlapping multicast group addresses, and is not simply a prune-generation mechanism. Prune behavior can occur as part of PIM tree maintenance, but the function asked here is loop prevention. Reference topics: multicast RPF check, PIM forwarding, source tree, shared tree, outgoing interface list, duplicate suppression.

For streaming multimedia over a WAN using DiffServ per-hop behavior, the best answer is CBWFQ with DSCP AF3. Cisco QoS design separates real-time interactive voice from streaming multimedia. Voice bearer traffic commonly uses EF and a strict priority queue because it is extremely sensitive to delay and jitter. Streaming multimedia, however, is usually buffered and bandwidth-intensive; it should receive assured bandwidth and controlled drop behavior rather than strict priority treatment. The Assured Forwarding classes are designed for this kind of preferential forwarding within DiffServ. AF3 is commonly associated with multimedia streaming in Cisco QoS baseline models, while CBWFQ provides bandwidth guarantees without allowing the class to starve other traffic. LLQ with EF is too aggressive for streaming multimedia and should be reserved for voice bearer traffic or similarly strict real-time flows. AF2 is more commonly used for transactional data or lower-priority assured service, depending on the model. The correct marking and queuing design is therefore CBWFQ with DSCP AF3. Reference topics: DiffServ, per-hop behavior, CBWFQ, DSCP AF classes, multimedia streaming QoS.

A /22 subnet is the smallest IPv4 block in the answer set that closely fits a branch expected not to exceed roughly one thousand users while avoiding unnecessary address waste. A /22 contains 1024 total addresses and 1022 usable host addresses after the network and broadcast addresses are reserved. That aligns with the requirement to provide the maximum number of host addresses without selecting a larger block than necessary. A /21 provides 2048 total addresses and 2046 usable hosts, which is materially larger than the stated requirement and wastes address space. The specific 192.168.8.0/22 block also aligns on a valid /22 boundary because /22 networks increment by four in the third octet. A 192.168.16.0/22 is also mathematically valid, but the exhibit determines the available address range; the selected option uses the appropriate block from the displayed plan. Reference topics: IPv4 subnet sizing, CIDR, usable host calculation, branch address planning, VLSM.

The fabric management plane in Cisco SD-Access enables automation techniques for device deployment and configuration. Cisco DNA Center, now commonly referenced as Cisco Catalyst Center, provides the management-plane capabilities used to automate underlay deployment, discover and provision devices, create fabric sites, assign roles, deploy virtual networks , and push policy-driven configurations. LISP-based endpoint identifiers and EID-to-RLOC mappings belong to the fabric control plane, not the management plane. IS-IS underlay routing is part of underlay network design and operation, not the management-plane function itself. The management plane exists so administrators do not have to build every fabric role, network segment, and policy manually on each individual device. In a well-designed SD-Access deployment, management-plane automation reduces configuration drift, accelerates site onboarding, and provides a consistent operational model across the campus fabric. Reference topics: Cisco SD-Access management plane, Cisco Catalyst Center, automation, device provisioning, fabric deployment, policy orchestration. It also provides the operational interface for assurance, inventory, and repeatable change control across the fabric.

A dual-homed Internet design with a single edge router and site-to-site VPN topology best matches the stated cost and flexibility requirements. The customer needs redundant WAN links, has a limited budget, wants easy future bandwidth increases, and does not require consistent end-to-end QoS on the branch routers. Internet circuits are typically less expensive and easier to upgrade than MPLS access circuits, making them appropriate for small to medium-sized remote branches when strong QoS guarantees are not required. A single edge router also reduces hardware cost and operational complexity compared with dual edge routers. WAN MPLS designs can provide stronger service-level guarantees and QoS treatment, but they are more expensive and less flexible for rapid bandwidth upgrades. A design with dual edge routers improves device redundancy but conflicts with the limited-budget condition. Therefore, a dual-homed Internet solution using a site-to-site VPN overlay is the most appropriate option. The architect should still validate encryption requirements, failover behavior, routing preference, and whether the Internet underlay can meet application performance expectations. Reference topics: branch WAN design, dual Internet connectivity, site-to-site VPN, cost-driven WAN selection.

Cisco SD-WAN components map to distinct control, management, orchestration, and forwarding roles. vManage is the centralized management plane used for configuration templates, monitoring, software management, and operational visibility. vSmart is the centralized control-plane component that distributes OMP routes, TLOC information, security parameters, and centralized policy to WAN Edge devices. vBond is the orchestration component used during onboarding; it authenticates devices, helps them discover controllers, and assists with NAT traversal. The WAN Edge router, whether physical or virtual, forms the data plane at the branch, campus, or data center and forwards user traffic through secure overlay tunnels. Correctly identifying these roles is essential because SD-WAN scale and resiliency depend on separating management, control, orchestration, and forwarding responsibilities. A design that confuses vManage with vSmart or vBond will misplace policy, onboarding, and forwarding functions. Reference topics: Cisco SD-WAN architecture, vManage, vSmart, vBond, WAN Edge, OMP, overlay control plane.

The drag-and-drop answer follows the practical distinction between the YANG model families. IETF models are standards-based models intended to provide a common structure for widely implemented protocol and interface functions. OpenConfig models are vendor-neutral operational and configuration models developed for cross-vendor automation, with a strong focus on consistent telemetry and network state representation. Cisco native models expose Cisco platform-specific capabilities and usually provide the deepest coverage for IOS XE, IOS XR, or NX-OS features that are not fully represented in a common model. The selected mapping therefore assigns model elements according to origin, portability, and feature depth. In a production automation design, engineers should start with open models when interoperability and long-term portability matter, but they should choose Cisco native models when a required Cisco feature is not available or is incomplete in IETF or OpenConfig. The choice is not cosmetic; it affects payload structure, namespace, validation behavior, and operational consistency across device families. Reference topics: YANG model families, IETF YANG, OpenConfig, Cisco native YANG, model-driven configuration.

The company must configure a summary route on R1. The branch routers must remain normal EIGRP routers, and auto-summary is not allowed, so the scalable design choice is manual summarization at the hub. Cisco EIGRP documentation states that manual summarization can be configured on an interface using the ip summary-address eigrp command and can summarize routes on almost any bit boundary. In a DMVPN hub-and-spoke topology, a hub summary reduces the number of individual routes advertised to branches, limits routing-table growth, and helps contain EIGRP queries. It also keeps branch configuration simple because the branches do not need to be converted to stub routers to meet this specific requirement. Disabling split horizon is a common DMVPN Phase 2 consideration when the hub must advertise spoke routes back out the same multipoint tunnel interface, but it does not summarize HQ routes. A multipoint interface is already implied by DMVPN, and disabling the SIA timer is not a design solution. Reference topics: EIGRP manual summarization, DMVPN hub design, no auto-summary, query containment.

Dynamic NAT-PT is the correct selection when IPv6 hosts in an IPv6 island must access IPv4-only servers and services. NAT-PT translates between IPv6 and IPv4 packet headers and allows IPv6-only nodes to communicate with IPv4-only destinations by dynamically creating translation state. In this scenario, IPv6 hosts need access to file servers and DNS services in an IPv4 network, so a dynamic translation mechanism is required. Stateless NAT66 and stateful NAT66 are IPv6-to-IPv6 translation mechanisms and do not connect IPv6 hosts to IPv4-only resources. Static NAT-PT would be appropriate for fixed one-to-one mappings where specific hosts are permanently mapped, but the question describes general access from an IPv6 island to IPv4 services, making dynamic NAT-PT the better match. In modern designs, NAT64 and DNS64 are commonly preferred successors, but within the answer choices NAT-PT is the IPv6-to-IPv4 transition mechanism. Reference topics: IPv6 transition, NAT-PT, IPv6-to-IPv4 translation, DNS access, dual-protocol migration.

In multicast routing, a source tree is also called a shortest-path tree because it is rooted at the multicast source and follows the best unicast path from receivers back toward that source. Cisco PIM documentation describes source trees as shortest-path trees and contrasts them with shared trees, which are rooted at a rendezvous point. Because the tree is built directly toward the source, it provides an optimal forwarding path between source and receivers and generally gives the lowest latency path for multicast delivery. This is why statements A and B are correct. A shared tree, not a source tree, uses a single common root at a selected point in the network, normally the RP in PIM sparse mode. Shared trees can create suboptimal forwarding because traffic may travel through the RP before switching to the shortest-path tree. Source trees require per-source multicast state, so they may consume more control-plane resources, but they are the correct choice when optimal forwarding and minimum latency are the design priorities.

The primary advantage of an out-of-band management network is that devices remain reachable for administration even when the production data network is impaired or unavailable. In an out-of-band design, management access uses a separate physical or logical path, often through dedicated management interfaces, console servers, terminal servers, or isolated management switches. This separation is valuable during routing failures, control-plane problems, misconfigurations, or security incidents affecting the production network. It also improves security because access control, authentication, logging, and monitoring can be concentrated on a management plane that is not directly exposed to ordinary user traffic. The statement that there is no separation from production traffic describes in-band management, not out-of-band management. An out-of-band network should not be treated as a general backup data path for production applications because that would defeat the isolation goal. It is also not necessarily less expensive; dedicated circuits, management switches, console servers, and operational processes can increase cost. Therefore, the correct benefit is continued manageability during a production network outage.

When eBGP neighbors share the same autonomous system number, normal BGP loop-prevention behavior can block route acceptance because the receiving router sees its own AS in the AS_PATH. Two BGP features address this design condition. The allow-as-in feature permits a BGP router to accept routes even when its own AS appears in the AS_PATH a configured number of times. This is often used in dual-homed or migration designs where the same customer AS appears at multiple sites. The as-override feature is typically used by a provider edge router to replace the customer AS in the AS_PATH with the provider AS before advertising the route to another customer site that uses the same AS. Together, these features allow successful route exchange in same-AS eBGP scenarios while preserving loop-prevention intent through controlled policy. Advertise-best-external influences advertisement of best external paths and does not solve same-AS rejection. Bestpath as-path ignore affects path selection, not route acceptance. Client-to-client reflection is an iBGP route-reflector behavior, not an eBGP same-AS solution.

L2VPN is the correct solution because the customer requires point-to-point connectivity while preserving existing VLAN infrastructure. Cisco describes Layer 2 VPN services as emulating Layer 2 connectivity across a provider IP or MPLS backbone, commonly through Ethernet pseudowires or VPWS. This allows sites such as dispersed data centers and a colocation facility to exchange Ethernet frames as if they were directly connected at Layer 2. The design is especially useful when data center synchronization, backup workflows, or application dependencies require VLAN continuity or minimal changes to existing addressing and routing. L3VPN would provide routed connectivity and VRF separation, but it would not preserve the VLAN-based service model. GRE would add an overlay tunnel but would not natively provide provider-managed Layer 2 service. DMVPN is designed for scalable Layer 3 IPsec/GRE overlays between branches, not for VLAN extension or point-to-point data center interconnect. Reference topics: L2VPN, VPWS, Ethernet pseudowire, VLAN extension, data center interconnect, WAN service design.

The control-plane node in Cisco SD-Access acts as the map system that manages endpoint-to-device relationships. Cisco SD-Access documentation describes control-plane nodes as maintaining the host database that maps endpoint identifiers to the fabric edge devices where those endpoints are attached. This mapping function is based on LISP control-plane behavior. When an endpoint appears on an edge node, the edge registers the endpoint information with the control plane. When another fabric device needs to send traffic to that endpoint, it queries the control-plane node to resolve the endpoint location. A fabric edge node is the device that connects wired endpoints to the fabric, so option A describes an edge role. Wireless endpoints may attach through fabric AP and fabric WLC integration, but that is not the control-plane node’s role. External Layer 3 networks are connected through border nodes, not through the control-plane node. Therefore, the correct role is endpoint-to-device mapping. Accurate control-plane design is essential for fabric scale, endpoint mobility, and fast location resolution.

Hierarchical QoS with a parent shaping policy is the correct solution for a 1 Gbps physical handoff where the contracted provider rate is only 50 Mbps. The customer router can transmit at the physical interface speed, but the provider policer or service edge expects traffic to remain within the committed information rate. Without shaping, bursts leave the customer router at 1 Gbps and can be dropped by the provider, which is especially damaging to voice traffic because drops and jitter create choppy audio. Cisco QoS design commonly uses a parent shaper set to the provider CIR and then applies child queuing policies under that shaped rate. This allows voice and other critical classes to be prioritized before packets are transmitted into the constrained service. A parent policing policy would drop or mark excess traffic locally rather than smoothing bursts. Reducing physical bandwidth is not normally possible on a provider Ethernet handoff, and the interface bandwidth statement changes routing/QoS reference values but does not enforce the CIR. Therefore, parent shaping is required. Reference topics: hierarchical QoS, traffic shaping, CIR, LLQ, WAN edge QoS.

The primary HSRP device should use the preempt delay feature. When a failed primary distribution switch returns, HSRP preemption allows it to reclaim the active gateway role because it has the higher priority. However, routing protocols, trunks, line cards, FIB programming, or upstream convergence may not be fully ready at the instant HSRP becomes active again. If the device preempts too quickly, hosts forward traffic to a gateway that is not yet ready to forward all flows, causing temporary packet loss. Cisco HSRP preempt delay prevents immediate takeover by delaying preemption after reload or interface recovery, giving the switch time to rebuild control-plane and forwarding-plane state. Increasing hello timers slows failure detection and does not solve the premature takeover problem. Applying preempt delay to the backup device is not the issue because the returning primary is the device that reclaims active state. MAC refresh timers are not the primary mechanism for this condition. Therefore, the design should configure preempt delay on the primary HSRP device. Reference topics: HSRP preemption, preempt delay, gateway recovery, campus high availability, convergence coordination.

For multimedia conferencing over MPLS, Cisco QoS design normally classifies the traffic into the multimedia conferencing class and marks it with AF4, commonly AF41. This class is intended for interactive video conferencing and similar applications that need assured bandwidth and controlled loss, but that are not usually placed in the same strict-priority class as voice bearer traffic. A bandwidth queue provides a minimum bandwidth guarantee during congestion, while DSCP-based WRED can selectively manage congestion within the class by using the drop precedence encoded in the AF marking. AF3 is generally associated with multimedia streaming, not interactive conferencing. A simple bandwidth queue without WRED does not fully use per-hop behavior characteristics for congestion handling. LLQ is typically reserved for voice and sometimes very tightly controlled real-time classes, because overusing strict priority can starve other traffic. Therefore, bandwidth queuing with DSCP WRED using AF4 is the appropriate per-hop behavior design. Reference topics: Cisco QoS baseline, DiffServ, AF41, multimedia conferencing, MPLS QoS, WRED.

A policy-based IPsec tunnel with static routing is the simplest secure design for connecting two hosts in two companies when no additional future connectivity is planned. The requirement is narrow: one host in Company A must communicate with one host in Company B over a single encrypted Internet connection. Policy-based IPsec is straightforward for this type of point-to-point encryption because crypto ACLs define exactly which interesting traffic should be protected. Static routing is sufficient because there is no complex topology, no dynamic path selection requirement, and no anticipated expansion. A DMVPN design would add unnecessary NHRP, multipoint GRE, and dynamic routing complexity. A routed IPsec tunnel with OSPF is useful when many networks or dynamic route changes are expected, but it is more complex than needed. MPLS VPN with BGP would require provider service and does not meet the simple encrypted Internet connection requirement. Reference topics: site-to-site IPsec, policy-based VPN, static routing, point-to-point secure connectivity, WAN simplicity.

Implementing network summarization on the edge routers is the correct EIGRP design action to reduce query range and improve convergence. In EIGRP, when a route is lost and no feasible successor exists, DUAL sends queries to neighbors. If the network is large or poorly summarized, those queries can propagate widely and increase convergence time. Hierarchical addressing allows each office or edge block to advertise a summary instead of many specific prefixes. If a specific subnet inside an office fails, the summary can remain stable toward the rest of the network, preventing the failure from triggering unnecessary queries across the dark-fiber interoffice topology. Stub routing can also reduce query scope, but the option says to configure stub areas on non-edge routers, which is not the right EIGRP terminology or placement. Different EIGRP processes add redistribution complexity, and route filtering alone does not provide the same clean convergence boundary as summarization. Reference topics: EIGRP summarization, DUAL query scope, hierarchical addressing, convergence optimization, dark-fiber campus routing.

Dual-stack is the correct IPv6 migration strategy for this corporation. The requirements state that users need access to both IPv4 and IPv6 resources, content providers will migrate over the next two years, and users will move in phases. Dual-stack supports exactly that model because hosts, routers, and services can run IPv4 and IPv6 simultaneously. Applications can select IPv6 or IPv4 based on DNS responses and protocol availability, while the organization gradually enables IPv6 without breaking existing IPv4 connectivity. NAT64 is useful for IPv6-only clients reaching IPv4-only services, but it introduces translation state and does not provide native dual protocol operation. NAT46 is a specialized translation direction and not the broad migration strategy here. Tunneling can connect IPv6 islands across IPv4 infrastructure, but the customer already has IPv4 peering and needs a phased endpoint and application migration, not only island interconnection. Dual-stack is straightforward operationally and gives the longest coexistence window while providers and applications transition. Reference topics: IPv6 migration, dual-stack deployment, DNS-based protocol selection, IPv4 and IPv6 coexistence, phased migration.

Spanning-tree PortFast must be enabled on interfaces where Wake-on-LAN clients reside so the PCs become reachable immediately when they power on. WoL depends on a sleeping endpoint receiving a magic packet, and once the device wakes, it must be able to send and receive traffic without waiting through traditional STP listening and learning states. Cisco campus designs commonly enable PortFast on access ports connected to end hosts so those ports transition directly to forwarding. That reduces login, DHCP, and application delays after a host becomes active. The NIC and system firmware must support WoL, but the option stating that WoL should be disabled in BIOS is technically wrong. IP directed broadcast and UDP forwarding are relevant when WoL packets must cross routed boundaries, but the answer options here focus on a single action to prevent client-side delay. Disabling directed broadcast or forward protocol would work against remote WoL operation. Reference topics: Wake-on-LAN, PortFast, access-layer design, STP edge ports, client startup convergence.

Dial-In: collector initiates a session to the device; supports gRPC only. Dial-Out: device initiates a session to the collector; supports TCP, UDP, and gRPC.

Model-driven telemetry can be deployed in dial-in or dial-out mode, and the difference is which side initiates the session and where the subscription is controlled. In dial-in mode, the collector initiates the session to the network device and requests the telemetry subscription. This makes the collector responsible for establishing the session and asking for the data stream. In the context of the provided options, dial-in is paired with support for gRPC only. In dial-out mode, the network device initiates the session toward the collector according to a configured subscription. This is useful when devices sit behind NAT or when the operational model requires devices to push telemetry to a known collector. In the provided choices, dial-out is paired with support for TCP, UDP, and gRPC. The mapping is not arbitrary; it follows Cisco telemetry terminology, where dial-in is collector-initiated and dial-out is device-initiated. This distinction is important in network automation designs because firewall policy, collector scaling, and subscription lifecycle management differ between the two modes.

The drag-and-drop mapping is based on the standard Cisco Catalyst SD-WAN component roles. vManage, now Cisco Catalyst SD-WAN Manager, provides centralized management, configuration, monitoring, templates, and operational visibility. vSmart Controller provides the centralized control plane, distributes OMP routing information, and applies control policy to determine reachability and path selection. vBond Orchestrator supports initial authentication, orchestration, and NAT traversal so WAN Edge devices can join the overlay. WAN Edge routers provide the data plane at branches, campuses, data centers, and cloud edges; they forward user traffic, establish secure tunnels, and apply localized policies. Correctly separating these roles is critical in the design because management, control, orchestration, and forwarding scale independently. Misidentifying vBond as the data-plane element or vManage as the route controller would lead to an incorrect SD-WAN architecture. Reference topics: Cisco Catalyst SD-WAN components, vManage, vSmart, vBond, WAN Edge, OMP control plane. This role separation is also what lets large deployments scale without mixing troubleshooting, provisioning, and forwarding responsibilities on one system.

Cisco IS-IS supports Level 1, Level 2, and Level 1/Level 2 operation, and the design should restrict each link to the level it actually needs. Cisco documentation for the isis circuit-type command states that it “configures the type of adjacency that is required for neighbors on the specified interface.” In this case, the router is configured as L1/L2 and has both L1 and L2 neighbors, which causes unnecessary LSP flooding, SPF processing, and database maintenance on links that may not need both levels. Making the entire router only L1 or only L2 would be too blunt, because the router may legitimately need to participate in both domains on different interfaces. Making the router a DIS also does not solve the underlying issue; it only controls designated intermediate system behavior on broadcast networks. The best optimization is to configure each interface with the correct circuit type, such as level-1 for intra-area links and level-2-only for backbone links. This reduces control-plane load while preserving the intended two-level hierarchy.

R3 must be made an L1/L2 router so that it can connect the Level 1 area to the Level 2 backbone. IS-IS uses a two-level hierarchy. Level 1 routers know the topology inside their local area, Level 2 routers form the backbone between areas, and Level 1/Level 2 routers provide the boundary between the two. A proper IS-IS backbone cannot have isolated Level 1-only routers positioned between L1/L2 routers that need to exchange interarea reachability. If the link failure exposed an area-continuity problem, converting R3 to L1/L2 gives the area an appropriate attachment point to the backbone and restores interarea forwarding behavior. Making an unrelated router Level 1 or Level 2 only would not necessarily create the required boundary function. Simply making Area 0 L2-only is also not the focused fix if the topology still lacks a correct L1/L2 transition point. The design principle is straightforward: every Level 1 area must have a dependable L1/L2 router through which traffic can reach destinations outside the area. Reference topics: IS-IS Level 1, Level 2 backbone, L1/L2 routers, interarea reachability, hierarchical IGP design.

UplinkFast is the correct spanning-tree feature for faster convergence after an uplink failure in a classic STP access-layer design. UplinkFast is designed for access switches that have redundant uplinks toward the distribution layer. When the primary root port fails, UplinkFast allows an alternate blocked uplink to transition rapidly to forwarding, reducing the outage compared with standard 802.1D timer-based convergence. PortFast is used on edge ports connected to end hosts, not on switch-to-switch uplinks. Loop Guard protects against unidirectional failures or missing BPDUs on non-designated ports, but it does not accelerate recovery from an access uplink failure. BackboneFast helps when an indirect link failure is detected elsewhere in the topology, but the described failure is directly between SW1 and SW2. The design objective is the fastest possible convergence during that direct uplink loss, which matches UplinkFast in a traditional STP environment. Reference topics: Spanning Tree Protocol, UplinkFast, access-layer redundancy, root port failover, Layer 2 convergence.

IPv6 overlay tunnels should be treated as a transition mechanism, not as the final desired enterprise architecture. Cisco IPv6 migration guidance describes tunneling as a way to connect IPv6 islands across an IPv4 infrastructure or to carry one protocol over another while the network is being migrated. This is useful when parts of the infrastructure cannot yet run IPv6 natively, but it also adds encapsulation overhead, additional MTU considerations, troubleshooting complexity, and operational dependency on the underlay transport. A permanent IPv6 architecture should eventually support IPv6 natively, or support both IPv4 and IPv6 through dual stack where required. The statement that overlay tunnels are a final IPv6 architecture is therefore incorrect. Overlay tunnels are not limited only to border devices in every design, and they do not require only the IPv6 stack; they commonly encapsulate IPv6 traffic over IPv4 infrastructure. The option stating that IPv4 packets are encapsulated in IPv6 packets also reverses the common IPv6-over-IPv4 migration use case. Therefore, overlay tunneling should be designed as a temporary transition technique.

The branch router should advertise the local LAN with the EIGRP network command and make the LAN-facing interface passive. A passive interface allows the connected network to be included in EIGRP advertisements while suppressing EIGRP hello packets and neighbor formation on that interface. This is exactly what the engineer needs: remote EIGRP neighbors learn the LAN subnet, but unnecessary multicast EIGRP messages are not sent onto the user LAN where no EIGRP neighbors should exist. Replacing EIGRP with a static default route would not meet the requirement to advertise the local LAN through EIGRP. Redistributing connected routes can work, but it is less clean for a simple LAN interface and can introduce external-route behavior or policy complexity. Advertising the subnet as a stub network does not suppress multicast hellos on the LAN interface by itself. Cisco design best practice is to use passive interfaces on LAN-facing interfaces that should be advertised but should not form routing adjacencies. Reference topics: EIGRP passive interface, network statements, branch routing, unnecessary neighbor prevention, multicast control traffic.

Bandwidth percentage with policing is the correct QoS approach. The requirement has two separate parts: each subnet must receive a minimum share during congestion, and no subnet should introduce delay into download traffic. Bandwidth percentage is used to allocate a minimum bandwidth guarantee among classes during congestion while still allowing a class to use unused bandwidth when other classes are idle. Policing enforces a rate by dropping or remarking excess traffic rather than buffering it. That behavior is important because the question explicitly says download traffic must never experience delay. Shaping would be wrong because shaping buffers excess packets and transmits them later, which intentionally adds delay. Rate- limiting is a broad term, but when the design choice offers policing explicitly, policing is the precise mechanism that matches the no-delay requirement. A parent or class policy can reserve 25 percent per subnet on a 40 Mbps service, giving each subnet 10 Mbps during congestion while unused bandwidth remains available. Reference topics: CBWFQ bandwidth percent, traffic policing, shaping versus policing, Internet edge QoS, congestion management.

Redundancy for Cisco vBond Orchestrators is normally achieved by mapping the IP addresses of multiple vBond instances to a single DNS name. WAN Edge devices use the configured organization name and vBond DNS name during onboarding to resolve and contact an available orchestrator. This design allows several vBond nodes to be deployed across different locations or availability zones while giving the edge device a consistent bootstrap target. If one vBond is unavailable, DNS resolution can return another reachable vBond address, allowing control-connection orchestration to continue. Selecting only the closest vBond is not the redundancy mechanism described here, and deploying a single vBond creates an avoidable single point of failure. The answer that says WAN Edge routers are configured with all orchestrators by IP address and priority does not represent the common DNS-based design model. In production, the DNS record, certificates, firewall policy, NAT behavior, and controller reachability should all be validated so that WAN Edge devices can reach multiple vBond instances during onboarding and after failures. Reference topics: Cisco SD-WAN controller redundancy, vBond DNS, device onboarding, orchestration availability.

A totally stubby OSPF area is the best choice for a small remote site with low-end routers and no requirement to carry transit traffic. A standard stub area blocks Type 5 external LSAs, but it still receives interarea Type 3 summary LSAs. A totally stubby area goes further by blocking external routes and most interarea summary routes, while allowing a default route to be injected by the ABR. That greatly reduces LSDB size, SPF processing, memory use, and routing-table entries on the low-end routers. The remote site still has full connectivity to the rest of the OSPF domain through the default route. NSSA and totally NSSA designs are useful when the area must inject external routes from an ASBR inside the area, but the question does not state that the remote site needs redistribution. A regular stub area is acceptable but does not minimize resources as much as a totally stubby area. Because there is no demand for traffic to pass through this area, the most efficient Cisco design is totally stubby. Reference topics: OSPF stub areas, totally stubby area, default routing, LSDB reduction, branch OSPF design.

The EIGRP stub connected option is appropriate when the new circuit is intended to protect reachability to a connected subnet without turning the router into a broad transit point. EIGRP stub routing is used to limit the routes a router advertises to its neighbors and to constrain EIGRP query scope. A stub router can advertise connected routes, summary routes, redistributed routes, or combinations depending on the configured stub option. In this scenario, the new C-to-D circuit protects connectivity to 10.0.4.0/24 during a failure between B and D. Advertising the connected network through the stub behavior gives upstream routers a valid alternate route while still preventing unnecessary transit advertisements. Stub redistributed would be used for routes learned from another routing process, not for directly connected networks. Stub receive-only would prevent the router from advertising any routes, which would not protect reachability. Stub leak-map is used for controlled exceptions and is unnecessary if the required route is a connected subnet. Reference topics: EIGRP stub routing, connected route advertisement, query boundary design, DUAL stability.

NETCONF: SSH-based; built to support candidate configuration. RESTCONF: HTTPS-based; lacks support for two-phase commit transactions.

NETCONF and RESTCONF both use YANG data models, but they use different transport and transaction behaviors. NETCONF is traditionally SSH-based and was designed as a network configuration protocol with datastore concepts such as running, startup, and candidate configuration where supported. The candidate datastore enables staged configuration changes and a commit workflow, which is useful for transactional network changes. RESTCONF exposes YANG-modeled resources through an HTTP-based REST interface, typically protected with HTTPS. It is simpler for web-style application integration because it uses familiar HTTP methods, URIs, and payload encodings such as XML or JSON. However, RESTCONF does not provide the same full two-phase commit transaction model associated with NETCONF candidate configuration workflows. Therefore, the correct mapping is that NETCONF is SSH-based and built to support candidate configuration, while RESTCONF is HTTPS-based and lacks support for two-phase commit transactions. In Cisco programmability design, NETCONF is often selected for robust configuration transactions, whereas RESTCONF is often selected for simpler API-driven integration.

The IS-IS hierarchy should place access or internal area routers at Level 1, boundary routers at Level 1/2, and backbone routers at Level 2. In this exhibit, users in areas 25 and 55 must send and receive traffic through both backbone areas, while link flaps in areas 35 and 45 must not affect other areas. Cisco IS-IS design uses Level 1 areas to contain local topology changes and Level 2 routing to interconnect areas through the backbone. Level 1/2 routers sit at the area boundary and leak or advertise reachability between the local Level 1 area and the Level 2 backbone. Option C matches that hierarchy by placing A-series routers as Level 1, B-series routers as Level 1/2, and C-series routers as Level 2. Making too many routers Level 1/2 would expand the impact of topology changes and reduce scaling benefits. Making backbone routers Level 1 would break interarea design. Reference topics: IS-IS hierarchy, Level 1, Level 2, Level 1/2 routers, failure-domain containment, enterprise scaling.

Using multiple equal-cost links and an IGP maximizes utilization between the core and distribution layers in a Layer 3 campus design. When links are routed point-to-point links and have equal routing cost, the IGP can install equal-cost multipath routes in the forwarding table. Traffic can then be distributed across multiple uplinks, improving bandwidth utilization and resiliency without depending on spanning tree. HSRP provides first-hop gateway redundancy for end hosts, but it does not by itself load-share all core-to-distribution links. Rapid PVST+ improves Layer 2 convergence but still blocks redundant Layer 2 paths in a looped topology, so it does not maximize link use. Multiple unequal-cost links are not the normal design for maximum use unless a routing protocol and platform specifically support unequal-cost load sharing, and even then it adds complexity. Cisco enterprise campus design generally prefers routed links between distribution and core for predictable convergence and ECMP. Therefore, the correct pair is multiple equal-cost links and an IGP. Reference topics: routed campus design, ECMP, IGP path selection, core-distribution resiliency, Layer 3 campus.

The client edge can reach the Internet through ISP1 only if downstream routers inside the client network have a usable route toward the Internet. Since ISP1 provides full Internet connectivity and ISP2 is used for direct exchange with selected third parties, the edge design should advertise a default route into the client network. This gives internal routers a simple, scalable route for all Internet destinations while preserving specific routing where necessary. Running separate VRFs for each ISP may be a valid segmentation technique, but it does not by itself tell downstream routers how to reach the Internet. AS-path prepending toward ISP2 influences inbound path preference from external networks; it does not solve internal default routing. Filtering outbound advertisements so the client advertises only its own originated routes is important to avoid becoming a transit AS, but it is not the mechanism that enables internal users to reach the Internet through ISP1. The clean design is to receive or originate a default route at the edge and advertise that default to the client routing domain. Reference topics: BGP Internet edge design, default route advertisement, transit prevention, ISP peering policy.

Nonstop Routing is the correct solution when the upstream router does not understand graceful restart messaging. Cisco NSF and graceful restart depend on helper behavior from neighboring routers. During a supervisor switchover, the restarting device asks neighbors to preserve forwarding and adjacency state while the control plane recovers. If the neighbor does not support or understand the graceful restart signaling, NSF cannot deliver the intended benefit and route recomputation may still occur. NSR is different because it synchronizes routing protocol state between the active and standby supervisor internally, allowing the switch to preserve routing operation during stateful switchover without requiring graceful restart support from the neighbor. Remote LFA FRR protects against data-plane failures by precomputing repair paths, but it does not address supervisor switchover route recomputation. Aggressive IS-IS timers may make failure detection faster, but they increase control-plane churn and do not solve the lack of graceful-restart helper support. Therefore, the Catalyst switch should use NSR for this design. Reference topics: IS-IS high availability, NSR, NSF, graceful restart helper support, stateful switchover.

The telemetry-mode mapping distinguishes configured subscriptions from dynamic collector-initiated subscriptions. In dial-out telemetry, the network device initiates the connection to the collector according to a configured subscription. This model is useful when devices must proactively stream data to a known receiver, especially where firewall policy allows outbound sessions from the network device. In dial-in telemetry, the collector initiates the session to the device and subscribes to the desired data stream. This approach is useful for ad hoc collection, testing, or centralized collectors that can reach the devices directly. Cisco model-driven telemetry also distinguishes periodic and on-change behavior. Periodic subscriptions send data at configured intervals, while on-change subscriptions publish updates when subscribed state changes. These design choices affect firewall rules, collector reachability, device configuration, scale, and data volume. The architect should match telemetry mode to operational requirements: dial-out for stable production streams from many devices, dial-in for collector-driven access, periodic for baselines, and on-change for efficient state-change monitoring. Reference topics: model-driven telemetry, dial-in, dial-out, subscriptions, periodic and on-change streaming.

The correct action is to configure EIGRP stub behavior on R4. The DUAL-3-SIA message indicates a Stuck-in-Active condition, which occurs when EIGRP sends a query and does not receive a reply within the expected time. Cisco explains that EIGRP stub routing is used to improve stability and reduce resource usage by preventing unnecessary queries from being sent to remote or edge routers. In the described topology, R4 is connected over a limited 10 Mbps inter-router link and should not be treated as a transit router for the rest of the routing domain. Making R4 an EIGRP stub limits the query scope and reduces the chance of active routes waiting on a slow or constrained neighbor. Poison reverse and split-horizon changes address loop prevention and hub-and-spoke update behavior, but they do not directly solve the SIA instability. A summary on R2 may help scaling but does not identify the edge-router query boundary as precisely as EIGRP stub. Reference topics: EIGRP DUAL, Stuck-in-Active, EIGRP stub routing, query scoping, WAN edge stability.

Making R3 an L1/L2 router restores the required IS-IS hierarchy and prevents the outage caused by the failed R1-to-R2 link. In IS-IS, Level 1 routers have detailed topology only inside their own area, while Level 2 routers provide the interarea backbone. Routers that connect a Level 1 area to the Level 2 backbone must operate as Level 1/Level 2 devices so they can participate in both databases and provide an exit path for area traffic. If a path between areas depends on a router that is only Level 1 or only Level 2 in the wrong location, traffic can be blackholed when a key link fails. Configuring R3 as L1/L2 gives the topology an additional valid transition point between the local area and the backbone, improving continuity after the R1-to-R2 failure. Making unrelated routers L1 or L2 does not necessarily create the required interarea attachment. Reference topics: IS-IS Level 1, Level 2 backbone, L1/L2 routers, interarea reachability, hierarchical IGP design.

NBAR2 should be used to identify the affected cloud applications and then allocate bandwidth according to the measured application requirements. Modern collaboration suites often use dynamic ports, encrypted sessions, and multiple flows for voice, video, messaging, file sharing, and screen sharing. Classifying them only by static ports is unreliable and can misclassify traffic, especially when applications change transport behavior or use shared cloud endpoints. Cisco NBAR2 provides application recognition beyond basic port matching and can classify traffic by application signatures. Once the applications are identified, the QoS policy can be adjusted to give the required bandwidth, priority, or queue treatment. Reserving bandwidth only on perimeter routers is incomplete if congestion occurs elsewhere in the WAN path. Rate-limiting the applications would likely make the user experience worse. The key problem is that the existing policy works for other applications but not these cloud-based tools, so the first design step is accurate application visibility and classification. NBAR2 provides that visibility and supports a more precise QoS policy. Reference topics: NBAR2, application-aware QoS, cloud collaboration traffic, DSCP classification, bandwidth allocation.

VRF-Lite with OSPF satisfies the requirements because it creates multiple isolated Layer 3 routing tables without requiring a service-provider MPLS core or specialized hardware. Each VRF has its own forwarding table, interfaces, and route exchange process, so overlapping IP address space can exist in different virtual networks. When communication between segments is required, the design can use controlled route leaking, a firewall, or a shared-services VRF. OSPF can run per VRF to exchange routes within each isolated segment using widely supported routing technology. VSS, vPC, and plain 802.1Q with HSRP can improve Layer 2 or device redundancy, but they do not provide independent Layer 3 routing tables with overlapping addressing. A multihop MPLS design can also support many VPNs, but it is more complex and beyond the stated need for widely available technologies without specialized equipment. VRF-Lite is therefore the correct enterprise campus segmentation choice. Reference topics: VRF-Lite, virtual routing and forwarding, inter-VRF routing, overlapping IP address support, campus segmentation.

An additional Cisco SD-Access fabric site requires edge and border roles in addition to the control-plane function. Edge nodes connect wired endpoints, access-layer devices, and sometimes access points into the fabric. They perform endpoint detection, anycast gateway functions, and fabric encapsulation for user traffic. Border nodes provide connectivity between the fabric site and external networks such as the WAN, data center, internet edge, or shared services. Without edge nodes, the site has no practical access-layer fabric attachment for endpoints. Without border nodes, the site cannot properly exchange traffic with resources outside the local fabric. A wireless LAN controller may be needed when fabric wireless is part of the design, but it is not one of the mandatory fabric roles for every additional site. Leaf and cEdge are not Cisco SD-Access fabric roles in this context. Reference topics: Cisco SD-Access fabric roles, edge node, border node, control-plane node, fabric site expansion.

A distribute list is the correct method to filter routes exchanged between EIGRP neighbors within the same autonomous system. In Cisco EIGRP designs, distribute lists can be applied inbound or outbound under the EIGRP process to control which routes are accepted from or advertised to neighbors. The filter can reference an access list, prefix list, or route map depending on platform and configuration style. This allows the designer to limit route visibility without changing the forwarding behavior of packets that are already routed. Policy-based routing is a data-plane forwarding feature that changes next-hop selection for matching traffic; it does not filter EIGRP route advertisements between neighbors. Leak maps are used with route summarization to selectively advertise more specific routes through a summary, not as the general route-filtering method between EIGRP neighbors. Route tagging is valuable in redistribution designs to identify route origin and prevent feedback loops, but the tag alone does not filter routes unless a route map or distribute list uses it. Therefore, the correct route-filtering mechanism between EIGRP neighbors is a distribute list.

Advertising more-specific prefixes toward the preferred service provider is the correct way to influence inbound traffic to enter through a chosen CE interface. BGP inbound path control is indirect: the enterprise cannot set local preference inside remote autonomous systems, and MED is honored only under specific provider policies. The most deterministic option available to the customer is to advertise a longer-prefix route to the preferred provider because Internet and BGP route selection generally prefer the longest matching prefix before BGP path attributes are considered. If the aggregate is advertised to both providers but a more-specific route is advertised to the provider connected to gig0/0, return traffic for that more- specific destination is attracted through that interface. Lowering MED toward the less preferred provider is the opposite of the desired effect. AS-path prepending toward the preferred provider would make that path less attractive. Local preference affects outbound path selection inside the local AS, not inbound traffic from external networks. Reference topics: BGP inbound traffic engineering, longest-prefix match, route aggregation, AS-path prepending, MED, local preference.

The drag-and-drop mapping separates WAN connectivity technologies by the service characteristics they deliver. Cisco enterprise WAN designs distinguish private WAN options, such as MPLS Layer 3 VPN, Ethernet WAN, VPLS, and VPWS, from Internet-based options such as broadband, LTE, and VPN overlays. Layer 3 MPLS VPN gives the provider responsibility for routing between customer sites and is commonly used when private any-to-any routing, QoS treatment, and segmentation are required. Layer 2 services such as VPWS and VPLS extend customer Layer 2 adjacency across a provider network; VPWS is point-to-point, while VPLS is multipoint. Internet and cellular links are typically lower-cost and fast to deploy, but they require overlay security, such as IPsec, DMVPN, or SD-WAN encryption, when used for enterprise private traffic. The selected mapping therefore aligns each description with the WAN category that actually provides that behavior. In design work, the architect must compare latency, resiliency, SLA, QoS preservation, encryption requirements, routing control, and operational ownership before selecting the WAN type. Reference topics: enterprise WAN connectivity, MPLS VPN, VPLS, VPWS, Internet VPN, cellular backup.

Stateful NAT64 is the correct design because IPv6-only hosts must communicate with legacy IPv4 devices and only a small pool of IPv4 addresses is available for concurrent sessions. NAT64 translates IPv6 client traffic into IPv4 traffic, allowing IPv6-only endpoints to reach IPv4-only resources. A stateful implementation maintains translation state and can use a pool of IPv4 addresses for multiple IPv6 clients, which fits the requirement for up to 10 concurrent IPv6 hosts using 10 reserved IPv4 addresses. Static NAT- PT would require fixed one-to-one mappings and is less suitable for a pool-based concurrent access model. NAT66 translates between IPv6 prefixes and does not solve access to IPv4-only devices. Dynamic NAT-PT is an older transition mechanism and is not the preferred modern answer when NAT64 is available. The design should also include DNS64 when clients access IPv4-only services by name. Reference topics: IPv6 transition, stateful NAT64, DNS64, IPv6-only hosts, IPv4 legacy reachability.

The primary capability of IaaS in this question is elastic scaling: the ability to increase or decrease infrastructure resources based on demand. In Infrastructure as a Service, the provider offers compute, storage, and network resources as an on-demand service, while the customer deploys operating systems and applications on top of that infrastructure. Cisco cloud material describes this model as providing scalable IT capacity without requiring the organization to own all physical assets. Option C is the best answer because dynamic capacity adjustment is a fundamental cloud capability and a major reason enterprises choose IaaS for variable workloads. Option B is a valid business benefit because consumption-based billing can reduce cost, but the question asks for a primary capability, not the pricing model. Option D describes automation and orchestration, which support cloud operations but are not the specific capability being tested. Option A is closer to hybrid-cloud workload mobility and is not guaranteed by IaaS alone. Reference topics: cloud service models, IaaS, elasticity, scalable compute, on-demand resource provisioning.

MSDP is the correct technology when a large multicast design uses multiple PIM Sparse Mode domains and needs to exchange active source information between those domains. Cisco describes Multicast Source Discovery Protocol as the mechanism used by RPs in different PIM-SM domains to learn about multicast sources outside their own domain. When a source becomes active, the local RP can advertise Source-Active information to MSDP peers, allowing receivers in other domains to discover and join that source. This supports domain separation and can help balance multicast control-plane scope in large networks. DVMRP and MOSPF are legacy multicast routing approaches and are not the design mechanism for modern PIM-SM domain interconnection. IGMP is used between hosts and local multicast routers for receiver membership signaling; it does not exchange source information between multicast domains. Therefore, a design with more than 100 routers, several multicast domains, and PIM-SM traffic balancing should include MSDP. The architect should also design RP placement, Anycast RP behavior, peer mesh scaling, and source filtering. Reference topics: MSDP, PIM-SM domains, Source-Active messages, interdomain multicast.

EIGRP with branch routers configured as stubs and equal-cost multipath is the best fit for this hub-and-spoke DMVPN design. The branch routers have limited memory and CPU resources, so they should not be forced to maintain unnecessary topology information or answer broad queries from the rest of the network. EIGRP stub routing limits the routes a branch advertises and prevents it from being used as a transit path, which reduces query scope and improves stability. Because the two internet links are both 100 Mbps, equal-cost multipath can use both links for active forwarding during traffic spikes. OSPF can operate over DMVPN, but a single area or hub-and-spoke design may create more overhead and less efficient query containment for small branch routers. IS-IS is less common for this WAN overlay use case, and iBGP with route reflectors can scale but does not natively consider link utilization or provide the same simple branch stub behavior. Reference topics: EIGRP stub, DMVPN, ECMP, branch routing, query containment, WAN convergence.

When dual WAN Edge routers are deployed at a branch, first-hop redundancy and SD-WAN overlay path preference must be aligned. The correct design consideration is that HSRP priorities on the service side should match the OMP routing policy that determines which WAN Edge is preferred. If the LAN gateway points hosts to one WAN Edge while OMP policy prefers the other edge for return or remote-site traffic, traffic can become asymmetric or hairpinned through the wrong device. Proper alignment gives predictable active/standby or active/active behavior and avoids blackholing during failover. Option A describes traditional BGP path manipulation with AS-path prepending and MED; those are not the primary SD-WAN branch dual-edge design controls. Option C overstates symmetry as a universal requirement for DPI; Cisco SD-WAN can handle many traffic patterns, but gateway and OMP alignment remain the core branch design issue. Option D is wrong because SD-WAN already uses BFD across data-plane tunnels, not as a special direct adjacency between the two local WAN Edges for this purpose. Reference topics: Cisco SD-WAN branch redundancy, HSRP, OMP policy, WAN Edge preference, service-side high availability.

EIGRP with stub routing and variance is the best fit for Cisco-only DMVPN branches with unequal Internet link speeds and limited branch resources. EIGRP works well over DMVPN because it supports hub-and-spoke designs, unequal-cost load balancing, and simple branch optimization through stub routing. Stub branches limit query propagation and reduce CPU, memory, and bandwidth consumption on small routers. Variance allows EIGRP to use feasible unequal-cost paths, which is important when one Internet connection is 10 Mbps and the other is 100 Mbps. OSPF can run over DMVPN, but virtual links are not an appropriate branch design and OSPF is less efficient in this specific Cisco-only unequal-bandwidth scenario. IS-IS is not commonly selected for small DMVPN branch overlays. iBGP with route reflectors can scale, but it does not inherently use link utilization and unequal metric behavior as cleanly as EIGRP variance for this requirement. Reference topics: EIGRP over DMVPN, stub routing, variance, unequal-cost load balancing, branch resource optimization.

The main purpose of the Cisco SD-Access overlay design is to enable the virtualized fabric services that run over the physical underlay. Cisco describes the overlay as the logical network created on top of the routed underlay, using virtual networks to provide segmentation and policy separation. SD-Access uses LISP for endpoint-to-location mapping and VXLAN for data-plane encapsulation, allowing Layer 2 and Layer 3 services to be delivered across a stable Layer 3 transport. Option C is the best available answer because the overlay exists to integrate and carry SD-Access services such as virtual networks, endpoint mobility, macrosegmentation, and security group policy. Simplified troubleshooting and visibility are management and assurance outcomes, not the overlay’s main technical purpose. High availability depends on the underlay topology, node redundancy, and control-plane design, but it is not the primary definition of overlay design. Reference topics: SD-Access overlay, virtual networks, LISP, VXLAN, segmentation, fabric services.

The RPF check is performed against the RP address when the PIM router has shared-tree state. In PIM sparse mode, multicast traffic initially flows through the rendezvous point using the shared tree, represented as (*,G) state. For shared-tree traffic, the router verifies that packets arrive from the direction of the RP, because the RP is the root of the shared distribution tree. When the router has source-tree state, represented as (S,G), the RPF check is performed against the multicast source address instead. Dense mode behavior and directly connected membership are not the determining conditions in this question. The key distinction is whether forwarding state is shared-tree or source-tree. Cisco multicast design relies on this behavior to keep PIM forwarding loop free as traffic transitions from shared-tree delivery to shortest-path tree delivery where applicable. Selecting the shared-tree state option correctly identifies when the RP address is used for the RPF calculation. Reference topics: PIM sparse mode, shared tree, source tree, RPF toward RP, (*,G) and (S,G) state.

BFD is the correct mechanism for sub-second failure detection. The question describes unequal failover behavior when an interface on an ISP router toward the campus fails. In many WAN and Internet edge designs, BGP timers or next-hop tracking may not react fast enough when the physical failure is not directly visible to the customer router. Cisco defines Bidirectional Forwarding Detection as a lightweight protocol that provides rapid forwarding-path failure detection independent of the routing protocol timers. When BFD is associated with BGP, OSPF, EIGRP, or static routing, the routing process receives failure notification quickly and can withdraw or replace the route without waiting for longer protocol hold timers. Aggressive timers can improve reaction time but increase session churn and CPU load. Next-hop address tracking improves BGP response when next-hop reachability changes, but it is not the most precise sub-second detection tool. Graceful restart is intended to preserve forwarding during control-plane restart, not detect failures faster. Reference topics: BFD, WAN edge resiliency, BGP failure detection, sub-second convergence.

The primary consideration is that the participating hosts must support dual stack. The pilot is contained within a single VLAN, so the application traffic remains inside the same Layer 2 broadcast domain across the dual-site data center environment. Layer 2 switches forward Ethernet frames and do not need to understand the IPv6 header to carry IPv6 traffic inside the VLAN. Layer 3 switches need IPv6 capability only where IPv6 routing, gateways, ACLs, or services are required. For this pilot, the essential requirement is that the servers and endpoints running the IPv6 application can operate with both IPv4 and IPv6 enabled while the existing environment continues to support IPv4. Dual stack allows IPv6 testing without removing IPv4 reachability or forcing translation. Requiring every Layer 2 and Layer 3 switch in both data centers to be dual-stack overstates the design requirement. The hosts participating in the pilot are the critical dependency. Reference topics: IPv6 migration, dual stack, Layer 2 VLAN transport, data-center pilot design, IPv4 and IPv6 coexistence.

Moving the link between routers C and D into area 10 provides the most direct OSPF design correction for optimal routing between the internal networks after the C-E link fails. OSPF requires careful area design because intra-area routes are preferred over interarea routes, and traffic between two routers in the same regular area should not be forced through a less optimal backbone or interarea path when a better local path exists. If the C-D link remains outside area 10, the failure of C-E can cause traffic between 10.1.1.0/24 and 172.16.1.0/24 to take a suboptimal interarea route. Placing the C-D link in area 10 keeps the alternate path within the same area and allows OSPF to calculate the best intra-area route when the primary link fails. A virtual link is used to connect a disconnected area to area 0, not to optimize this intra-area failure case. A tunnel adds unnecessary overlay complexity, and making area 10 NSSA changes external LSA behavior, not internal path optimization. Reference topics: OSPF area design, intra-area preference, failure-path optimization, link placement.

An on-change telemetry subscription is the best solution when the team needs device state data while limiting impact on the device. With periodic telemetry, the device sends subscribed data at a configured interval regardless of whether the value has changed. For state such as shared memory utilization, aggressive periodic polling or streaming can create unnecessary CPU, memory, and bandwidth overhead, especially at scale. On-change telemetry sends an update only when the subscribed data changes, or when a relevant event occurs according to the model and platform behavior. This reduces needless data transmission while still providing timely visibility into meaningful state changes. IPFIX is designed for flow information and traffic accounting rather than detailed device state telemetry. Static telemetry is not the best characterization of the efficient event-driven behavior required here. A periodic subscription can provide the data, but it continuously streams updates and therefore has greater device and collector impact. Cisco model-driven telemetry design favors on-change subscriptions when the operational requirement is state awareness with minimal repeated polling.

A migration from traditional IP-VPN service to Cisco SD-WAN commonly increases security and scalability. Cisco SD-WAN builds encrypted data-plane tunnels across supported transports, so the enterprise can use Internet, MPLS, or hybrid connectivity while maintaining secure site-to-site communication. The architecture also scales better operationally because policy, templates, onboarding, and routing control are centralized through the SD-WAN controllers and management plane. Increased solution complexity is not a desired characteristic; one of the design goals is to simplify operations through automation and centralized policy. Centralized application policies are also a major SD-WAN benefit, but when only two choices are selected, the stored answer emphasizes the two broad migration outcomes of security and scale. Distributed control plane is not correct because Cisco SD-WAN uses centralized control-plane logic with vSmart controllers distributing OMP routes and policies. A professional migration plan should validate transport diversity, controller redundancy, encryption policy, application-aware routing, and operational readiness. Reference topics: Cisco SD-WAN migration, encrypted overlay, scalability, centralized control plane, IP-VPN replacement.

The correct IPv6 address type is anycast. Cisco defines an IPv6 anycast address as an address assigned to a set of interfaces, typically on different nodes, where a packet sent to the address is delivered to the nearest interface according to the routing protocol. This makes anycast useful for distributing client requests across multiple servers or service nodes that provide the same function. In a request/response application, each server can advertise the same anycast address, and routing selects the closest or best path based on the current topology and metrics. If a server or path fails, routing can withdraw or change the route and send new requests to another service instance. Unique local addresses are private unicast addresses; they do not provide service distribution. Aggregatable global addresses are routable unicast prefixes, not a multi-instance service mechanism. Multicast sends one stream to multiple receivers and is not appropriate for selecting one server to respond to an individual request. Reference topics: IPv6 anycast, service distribution, routing-based server selection, IPv6 address types.

Network management traffic should be marked and treated as a dedicated operations class, not mixed into voice signaling or real-time queues. Cisco enterprise QoS design guidance commonly reserves DSCP CS2 for operations, administration, and management traffic such as SNMP, SSH, syslog, NTP, and other management flows. The question states that all eight queuing classes are already used, so the design should integrate management traffic into the closest existing class and validate that the queue has enough bandwidth. Option D is the best fit because it uses CS2 and requires baselining before allocating more bandwidth. CS6 is normally used for network control and routing protocols; using it for ordinary management traffic would compete with routing adjacencies and control-plane stability. CS5 and CS4 are also unsuitable because they are normally associated with video/signaling-related classes in many enterprise QoS models. The professional design action is to classify management traffic explicitly, mark it CS2 at the trust boundary, map it to the existing class, and then measure queue utilization before changing bandwidth allocations. Reference topics: Cisco QoS baseline, DSCP CS2, network management traffic, queue bandwidth design.

Without centralized policy, OMP allows all WAN Edge routers in the same VPN to communicate in a full-mesh overlay. Cisco Catalyst SD-WAN uses OMP as the control-plane protocol between WAN Edge routers and SD-WAN controllers. WAN Edge devices advertise OMP routes, TLOC routes, and service routes to the controllers, and the controllers distribute the reachable routes back to the relevant edge devices. Cisco policy documentation describes the default unpolicied behavior as permissive: routes are accepted and advertised so sites in the same VPN learn reachability to each other. That default route distribution produces a full-mesh data-plane capability, even though control connections remain hubbed through the controllers. Hub-and-spoke, regional isolation, point-to-point restriction, or service-chained topologies require centralized control or data policy to filter routes or steer traffic. Blocking all communication is the opposite of the default behavior. Reference topics: Cisco SD-WAN OMP, default route distribution, full-mesh overlay, centralized control policy, VPN segmentation.

The vSmart controller is the Cisco SD-WAN control-plane element that maintains centralized routing and policy information. WAN Edge routers form secure control connections to vSmart, and vSmart distributes OMP routes, TLOC information, service routes, and policy information across the overlay. It does not forward user traffic in the data plane; forwarding is performed by the WAN Edge routers. It also does not provide the primary management GUI, because that role belongs to vManage. vBond handles orchestration, authentication facilitation, and NAT traversal during control-plane bring-up, not the centralized routing table. The importance of vSmart in the design is that it removes the need for every WAN Edge router to maintain complex direct control-plane relationships with every other edge. It also enforces centralized control policy, which determines which routes and paths are available to which sites. Reference topics: Cisco SD-WAN architecture, vSmart controller, OMP, centralized route table, control policy, WAN Edge. This preserves scalable WAN control-plane behavior.

Cisco Express Forwarding uses the adjacency table to store the Layer 2 rewrite information needed to forward packets efficiently. CEF separates forwarding decisions into the Forwarding Information Base and the adjacency table. The FIB identifies the best next hop based on routing information, while the adjacency table contains the directly connected next-hop details, including the MAC address and encapsulation rewrite string used on the outgoing interface. That is why the correct layer is Layer 2. CEF is not using the adjacency table to populate Layer 3 routes; the routing table and FIB handle Layer 3 reachability. It is also not a Layer 1 function because physical signaling does not determine the next-hop rewrite. Layer 4 is unrelated to CEF adjacency resolution. In a campus or WAN design, CEF matters because it allows hardware or optimized software forwarding without process-switching every packet. Correct ARP, neighbor discovery, and adjacency formation are therefore essential to fast packet forwarding, especially when convergence or high-throughput forwarding is required.

The required BGP address family is L2VPN EVPN. The design calls for VXLAN over a Layer 3 IPv4 fabric while preserving Layer 2 adjacency and allowing workload mobility between sites. EVPN is the BGP control plane used with VXLAN overlays to advertise MAC reachability, IP host information, and Ethernet segment information in a scalable way. It separates the Layer 2 and Layer 3 overlay control plane from the underlay IGP, which in this case is OSPF. VPNv4 is used for MPLS Layer 3 VPN routes, not VXLAN Layer 2 adjacency. IPv4 unicast advertises ordinary IP prefixes and does not carry MAC mobility or Ethernet VPN information. L2VPN VPLS or VPWS address families are associated with MPLS-based Layer 2 VPN services and do not provide the VXLAN EVPN control-plane model required here. EVPN is therefore the correct family for VXLAN fabrics that need host mobility and scalable Layer 2 extension. Reference topics: BGP EVPN, VXLAN, L2VPN EVPN address family, MAC reachability, workload mobility.

The best allocation is to give each branch adjacent /24 prefixes from the 10.0.0.0/8 private range, using one /24 for data and the next contiguous /24 for voice. Each /24 provides 254 usable host addresses, which satisfies the requirement for up to 128 hosts. More importantly, pairing two contiguous /24s creates a clean /23 summary per branch. For example, 10.0.0.0/24 for data and 10.0.1.0/24 for voice summarize as 10.0.0.0/23; the next branch can use 10.0.2.0/24 and 10.0.3.0/24 summarized as 10.0.2.0/23. This pattern supports aggregation and keeps the security team’s identification simple because voice prefixes can consistently use the odd-numbered third octet. Option C uses /25 prefixes, but /25 provides only 126 usable addresses, which fails a strict requirement for up to 128 hosts if the subnet and broadcast addresses are excluded. Separate 172.16 ranges reduce per-site summarization clarity. Reference topics: RFC 1918 addressing, VLSM, route summarization, branch addressing design, data and voice prefix allocation.

An end-to-end QoS strategy with an SLA is the best fit for an application that cannot tolerate drops and requires very low latency across countries. The customer is asking for guaranteed service behavior, not just local classification on one router. A service line with an SLA defines the expected treatment across the provider network, including bandwidth, delay, jitter, and loss commitments. This is especially important for industrial or manufacturing applications that process large data chunks and are sensitive to packet loss. A purely domain-based PHB design can mark and forward traffic differently at each hop, but it does not by itself guarantee the business outcome unless backed by an end-to-end service agreement. A flow-based approach with per-flow queuing on every ISP node would consume more provider resources and scale poorly. FEC can help selected traffic but does not replace a QoS service model. Reference topics: QoS design, service-level agreements, end-to-end QoS, low-latency applications, loss-sensitive traffic, provider WAN services.

BGP community is the correct attribute because it can support both policy requirements through coordination with the service provider. Communities are route tags that an upstream provider can match to apply routing policy, such as adjusting local preference to influence which dual-homed provider link is preferred for inbound traffic. Communities also include well-known values used to constrain route propagation. Cisco documents no-export as a community that prevents a route from being advertised outside the receiving AS, and no-advertise as a community that prevents advertisement to any peer. This directly matches the requirement that several customer-advertised networks must propagate no further. MED can influence inbound path selection in some dual-link designs, but it does not provide the propagation-control function. AS-path prepending can influence inbound traffic but is less precise and again does not solve the no-further-advertisement requirement. Local preference is normally applied inside an AS, not directly by the customer to external peers. Reference topics: BGP communities, no-export, no-advertise, provider policy, inbound traffic engineering.

Route summarization should be planned from the aggregation layer toward both the core and the access layer. In hierarchical campus routing, aggregation or distribution devices are natural summarization boundaries because they sit between more specific access-layer networks and the core. Summarizing from aggregation toward the core prevents access-layer subnet churn from forcing unnecessary recomputation and route table growth in the core. Summarizing from aggregation toward access can also provide a concise upstream route, often a default or summary route, so access devices do not need the entire network routing table. The goal is to contain failures, reduce routing state, and preserve fast convergence at hierarchy boundaries. Summarizing from the core toward aggregation may hide useful topology details in the wrong direction, while summarizing directly from access toward aggregation is not always possible or efficient when access devices are numerous and have limited resources. The answer that places summarization at aggregation in both directions best matches Cisco hierarchical design principles. Reference topics: hierarchical campus design, route summarization, aggregation layer, core route scale, convergence containment.

The correct IS-IS hierarchy places area 49.000 as Level 2 and areas 49.001, 49.002, and 49.003 as Level 1. In IS-IS, Level 2 forms the interarea backbone, while Level 1 areas contain local topology details. This design supports growth in the backbone because Level 2 routers exchange interarea reachability without carrying every local topology change from every access area. Areas 49.002 and 49.003 can perform summarization and route leaking at their Level 1/Level 2 boundaries, allowing routers such as A1 and A2 to avoid suboptimal routing by learning selected more-specific routes from the backbone when necessary. If the nonbackbone areas were made Level 2, the design would flatten the hierarchy and expose more of the network to topology changes. If the backbone were Level 1, interarea routing would be broken or badly constrained. The selected hierarchy preserves scaling, allows route control, and avoids unnecessary propagation of local link flaps. Reference topics: IS-IS hierarchy, Level 1 areas, Level 2 backbone, route leaking, summarization, scaling.

Scalable groups provide intra-VN traffic filtering and control in Cisco SD-Access. Within a virtual network, macro segmentation separates routing tables, but endpoints inside the same VN may still need policy control based on identity, role, or security posture. Cisco SD-Access uses scalable group tags and scalable group ACLs to implement group-based policy. This allows policy to be expressed as user or device group relationships instead of only subnet-based ACL entries. The result is microsegmentation inside the virtual network, where traffic between groups can be permitted or denied consistently across the fabric. MAC ACLs are limited Layer 2 filters and do not provide the identity-based policy model required for SD-Access. Prefix lists are route-filtering tools, not intra-VN access-control mechanisms. Service policies are used for QoS or traffic treatment and do not define group-based segmentation. Scalable groups are therefore the correct policy construct for intra-VN filtering in the fabric. Reference topics: Cisco SD-Access policy, scalable groups, SGT, SGACL, microsegmentation, intra-VN control.

Human Resources: 10.1.1.112/29; Facilities: 10.1.1.64/27; Engineering: 10.1.1.0/26; Finance: 10.1.1.96/28.

The addressing plan must use VLSM and assign the smallest subnet that satisfies each department’s host requirement without overlapping inside the single /24 block. Engineering needs 32 hosts, so a /27 is not enough because it provides only 30 usable addresses. The smallest listed subnet that satisfies Engineering is 10.1.1.0/26, which provides 62 usable addresses. Facilities needs 18 hosts, so a /27 is appropriate; 10.1.1.64/27 provides 30 usable addresses. Finance needs 12 hosts, so a /28 is sufficient because it provides 14 usable addresses; the matching listed subnet is 10.1.1.96/28. Human Resources needs 5 hosts, so a /29 is sufficient because it provides 6 usable addresses; the matching listed subnet is 10.1.1.112/29. The unused options either overlap with selected ranges, provide too few hosts for the department, or waste address space unnecessarily. Cisco addressing design favors hierarchical, nonoverlapping, right-sized prefixes so the plan remains scalable and easy to summarize where possible.

VSS is the best choice because it provides distribution-layer redundancy with a simplified operational model and fast failover. Cisco Virtual Switching System combines two physical Catalyst switches into one logical switch from the perspective of neighboring devices. This allows the access layer to use Multichassis EtherChannel toward the distribution pair, creating a loop-free Layer 2 topology without relying on STP blocking for normal forwarding. Cisco also describes VSS as using Stateful Switchover and Nonstop Forwarding so the standby chassis can preserve forwarding during supervisor or chassis events. That meets the requirement for very fast convergence while simplifying deployment for a small IT team. GLBP, VRRP, and HSRP are first-hop redundancy protocols. They provide default-gateway resiliency, but they do not merge the distribution layer into a single logical control plane or simplify dual-uplink forwarding the way VSS with MEC does. Reference topics: VSS, Multichassis EtherChannel, distribution-layer redundancy, SSO, NSF, campus high availability.

Implementing direct Internet access at every Cisco SD-WAN site improves application experience and reduces unnecessary backhaul. Many modern business applications are hosted in SaaS or public cloud environments. If branch Internet traffic must hairpin through a central data center before reaching those applications, latency increases and central WAN or security stacks can become bottlenecks. SD-WAN DIA allows selected cloud and Internet-bound traffic to exit locally while still applying policy, segmentation, and security controls. This decreases latency to applications hosted by public cloud providers and improves user experience. It also alleviates traffic on MPLS circuits because Internet and cloud traffic no longer needs to consume private WAN bandwidth back to a centralized egress point. DIA does not inherently reduce the physical latency of an Internet circuit, and it does not increase the provisioned circuit bandwidth. Zero-touch provisioning may accelerate site deployment, but that is a separate SD-WAN onboarding benefit rather than a specific benefit of deploying DIA at every site. Therefore, the two correct benefits are reduced latency to public cloud applications and reduced load on MPLS circuits.

The Cisco SD-Access data plane is based on VXLAN. Cisco SD-Access separates the fabric into functional planes: the underlay provides IP reachability, the control plane uses LISP to map endpoints to locations, and the data plane uses VXLAN encapsulation to carry user traffic across the routed underlay. VXLAN allows the fabric edge node to encapsulate endpoint traffic and forward it through the fabric while preserving virtual network and segmentation information. This is what enables SD-Access to provide Layer 2 and Layer 3 overlay services over a Layer 3 routed transport. OMP is the control-plane protocol for Cisco SD-WAN, not SD-Access. NHRP is associated with DMVPN tunnel resolution. LISP is essential in SD-Access, but its role is endpoint ID to routing locator mapping, not packet encapsulation in the data plane. Therefore, VXLAN is the correct protocol for the SD-Access data plane. Reference topics: SD-Access fabric, VXLAN data plane, LISP control plane, overlay encapsulation, routed underlay.

HSRP version 2 with MD5 authentication is the correct resilient gateway choice because the design requires IPv6 support and protection against false hello packets. HSRPv2 supports both IPv4 and IPv6 gateway redundancy and improves group scaling compared with the original version. MD5 authentication protects the HSRP control exchange by ensuring that only authorized routers participate in the redundancy group, reducing the risk of a rogue or misconfigured device sending false hello messages and influencing active gateway selection. GLBP provides load balancing but does not satisfy the same IPv6 and authenticated hello requirement in this option set. VRRP version 2 is IPv4-focused and therefore does not meet the IPv6 requirement; VRRPv3 would be the relevant standards-based IPv6-capable version, but it is not offered. Object tracking helps adjust gateway priority after link failure, but it does not protect against false hello packets by itself. Reference topics: HSRPv2, first-hop redundancy, IPv6 gateway redundancy, MD5 authentication, campus high availability.

The requirement for end-to-end path verification identifies the Integrated Services model with RSVP. IntServ uses per-flow resource reservation, and RSVP signals the path between sender and receiver so devices along that path can admit or reject the requested service based on available resources. This makes IntServ appropriate when the design requires explicit end-to-end path validation and reservation for application flows. DiffServ works differently. In a DiffServ design, traffic is marked, normally with DSCP or CoS at the edge, and each hop applies a configured per-hop behavior. DiffServ is scalable and common in enterprise WAN and campus QoS designs, but it does not perform per-flow signaling or verify that every device in the path can reserve the requested resources. Marking traffic at the access layer is an important QoS design practice, but marking alone is not path verification. Therefore, when the customer explicitly requires end-to-end path verification for business-critical traffic, Cisco QoS architecture points to IntServ with RSVP rather than a pure DiffServ marking model.

gRPC provides efficient integration by using protocol buffers to serialize and deserialize structured data over the network. In network programmability and telemetry designs, gRPC is commonly used as the transport framework for streaming model-driven telemetry or for remote procedure calls between collectors, controllers, and network devices. Protocol buffers define compact structured messages that are faster and less ambiguous than parsing text output. This makes gRPC suitable for high-volume telemetry and programmatic device interaction. LDAP is a directory and authentication-related protocol, not the integration mechanism provided by gRPC. XMPP is associated with messaging and presence systems, not gRPC data serialization. Graph API is not a gRPC feature. The operational value of gRPC is that it provides a modern RPC framework with efficient message encoding, service definitions, and support for secure transport through TLS when implemented by the platform. Reference topics: gRPC, protocol buffers, model-driven telemetry, network programmability, structured data serialization. It improves controller interoperability.

OSPF with stub areas is the correct implementation. The reference to RFC 5340 points to OSPFv3, which Cisco documents as the OSPF version used for IPv6 and also capable of carrying IPv4 unicast address families in modern implementations. OSPF is a link-state routing protocol that provides loop-free convergence through SPF calculation, making it a stronger fit than static routing or RIP for a growing WAN. Stub areas reduce routing information inside branch or regional areas by blocking external LSAs and allowing the ABR to inject a default route. That reduces route-table size and limits update propagation, which matches the requirement to optimize routing tables and reduce routing updates between routers. EIGRP with multiple autonomous systems is not aligned with RFC 5340. BGP address families are useful in provider and MPLS VPN designs but are not the best internal route-optimization answer here. OMP is specific to Cisco SD-WAN, not a generic RFC 5340 routing design. Reference topics: OSPFv3, RFC 5340, stub areas, LSA reduction, SPF convergence.

Dual stack is the correct IPv6 migration strategy because the existing infrastructure already supports IPv6, the company wants low operational overhead, and applications should migrate naturally using DNS. Cisco describes dual stack as running IPv4 and IPv6 simultaneously on the same infrastructure, allowing hosts and applications to use either protocol during the migration period. It does not require additional tunneling equipment, avoids encapsulation overhead, supports native IPv6 multicast, and allows application preference to follow DNS responses. ISATAP and manual tunnels introduce overlay complexity and are primarily transition mechanisms for connecting IPv6 islands over IPv4 infrastructure. A service block model may be useful for specific service insertion, but it does not provide a whole-network migration strategy. Since every current infrastructure device supports IPv6, the cleanest and most operationally straightforward model is to enable IPv6 alongside IPv4 and migrate services gradually. Reference topics: IPv6 migration, dual-stack deployment, DNS-based protocol selection, native IPv6 multicast, transition strategy design.

An inbound IP prefix list is the correct tool because the routers must decide which prefixes to accept from the service provider based only on prefix length. Prefix lists are designed to match network prefixes and mask-length ranges using operators such as le and ge. Applying the prefix list inbound to the BGP neighbors prevents routes with masks longer than /24 from entering the local BGP table, regardless of what the service provider advertises. This conserves memory and ensures the customer routing policy is enforced locally. An access list is a poor fit because it does not natively express prefix-length logic as cleanly as a prefix list. Applying the policy outbound would filter routes the customer sends to the provider, which is the wrong direction; the requirement is about routes the customer learns. A route map could reference a prefix list, but the simplest and most exact answer is to use an IP prefix list inbound. Therefore, the design should apply an inbound prefix list to both BGP peers to block prefixes greater than /24. Reference topics: BGP route filtering, prefix lists, inbound policy, maximum accepted prefix length.

The scalable BGP design should use VPNv4 on the PE routers for L3VPN site routes and BGP IPv4 unicast on ABRs to connect multiple IGP/LDP domains. VPNv4 is the correct MP-BGP address family for carrying customer VPN routes across a provider MPLS Layer 3 VPN core because it combines route distinguishers and VPN labels with customer prefixes. This lets the provider scale many customer routes while maintaining separation between VPNs. When the provider network spans multiple IGP or LDP domains, BGP IPv4 unicast can be used at ABRs to carry infrastructure reachability and avoid trying to flood a single IGP domain across the entire provider backbone. Full-mesh iBGP among all routers in different IGP domains is not scalable and conflicts with the requirement that thousands of routes will be added. Redistributing all IGP routes into a single BGP IPv4 instance without VPNv4 does not preserve customer VPN separation. Filtering loopbacks everywhere is not the core scaling solution. Reference topics: MP-BGP VPNv4, MPLS L3VPN, ABR design, interdomain provider routing, route scale.

The branch subnets must each support up to 200 hosts, so /120 is the correct IPv6 prefix length from the available options. A /120 provides 256 IPv6 addresses, which satisfies the 200-host requirement. A /121 provides only 128 addresses, which is not enough. The parent block is 2a01:0c30:0016:7009::3800/118. A /118 has 10 host bits, so it contains 1024 addresses and spans from ::3800 through ::3bff. The valid /120 boundaries inside that parent are ::3800/120, ::3900/120, ::3a00/120, and ::3b00/120. From the listed choices, 2a01:0c30:0016:7009::3a00/120 and 2a01:0c30:0016:7009::3b00/120 both fall inside the parent allocation and provide enough address capacity. The /121 options are too small, and ::3c00/120 is outside the /118 parent range. This is a straightforward IPv6 prefix-boundary and capacity calculation. Reference topics: IPv6 subnetting, prefix length, address block boundaries, branch address planning.

A higher local preference on R3 for the relevant routes is the correct method to influence outbound traffic inside the autonomous system. Local preference is a well-known discretionary BGP attribute used within an AS to choose the preferred exit path. A higher local preference is preferred over a lower one, and the attribute is propagated to iBGP peers so routers in the AS make a consistent outbound decision. The requirement says all traffic originating from AS100 must pass through AS200 toward the NTP and DHCP server, and if the R3-to-R4 link fails, the path must move to the R2-to-R9 link. Applying local preference on R3 toward the routers that need to reach the data center establishes R3 as the primary exit while preserving the alternate path through R2 and R9. AS-path prepending is mainly used to influence inbound traffic from other autonomous systems, not the local AS exit choice. Redistributing IGP metrics into BGP is less deterministic and not the right policy control. Reference topics: BGP local preference, outbound traffic engineering, iBGP policy propagation, primary and backup path design.

StackWise Virtual is the correct technology for Cisco Catalyst 9500 aggregation switches when the design requires nonblocking Layer 2 multichassis EtherChannel from aggregation to access. The question specifically describes Catalyst 9500 switches located on different floors for availability, with access switches dual-homed through a Layer 2 MEC design. Traditional VSS was used on older Catalyst platforms such as Catalyst 4500 and 6500 families. For Catalyst 9000 platforms, Cisco uses StackWise Virtual to virtualize two physical switches into a single logical switching system. This enables multichassis EtherChannel, removes the need for STP to block one uplink, improves convergence, and provides device-level redundancy. vPC is a Nexus data-center technology, not a Catalyst campus aggregation technology. StackWise-180 refers to physical stack bandwidth behavior on specific access platforms and does not provide the same distributed campus aggregation function. Therefore, the design should use StackWise Virtual on the Catalyst 9500 aggregation pair. Reference topics: Catalyst 9500, StackWise Virtual, multichassis EtherChannel, campus aggregation, Layer 2 resiliency.

GET VPN is the correct private WAN encryption technology when traffic must always be encrypted, multicast must be supported, forwarding overhead must be reduced, and security management must be centralized. Cisco Group Encrypted Transport VPN protects traffic over a private WAN without building traditional point-to-point or multipoint tunnel overlays. Because it preserves the original IP header, the provider or enterprise routing core can still make normal forwarding decisions, and multicast, QoS, and routing behavior are easier to preserve than with heavy tunnel overlays. GET VPN uses a key server model to centralize group policy and distribute encryption keys to group members. This reduces the operational burden of maintaining many permanent tunnels. DMVPN supports multicast through GRE and provides dynamic tunnels, but it adds tunnel encapsulation overhead and does not meet the reduced-overhead private WAN requirement as cleanly. Plain mGRE lacks the full centralized group encryption model. Reference topics: GET VPN, group encryption, private WAN security, multicast support, key server, tunnel-less IPsec.

The correct XML/YANG data model set is the option that accurately represents the IOS XE interface hierarchy, assigns the IPv4 address to GigabitEthernet2/1/0, and uses the correct prefix length of 27. In model-driven programmability, the payload must match both the selected YANG model schema and the target platform’s interface naming conventions. For IOS XE native models, interface configuration is structured under the Cisco native namespace, with interface type and name represented in the schema before IPv4 address elements are applied. The address 10.10.10.10/27 must also support a directly connected host at 10.10.10.1/27, which places both addresses in the same 10.10.10.0/27 subnet. Options that place the address under the wrong interface type, use the wrong namespace, incorrectly represent the mask, or configure the host route rather than the interface are invalid. Option D is the only answer aligned to the IOS XE YANG structure and the requested addressing. Reference topics: IOS XE native YANG, NETCONF XML payloads, interface configuration, IPv4 prefix length, model-driven programmability.

Making R2 active for half of the VLANs improves utilization by distributing first-hop gateway forwarding across both core routers. HSRP provides default-gateway redundancy by making one router active and another standby for a VLAN. If the same router is active for every VLAN, traffic from all downstream VLANs is forwarded through the same core path, which can leave some interfaces congested while parallel links on the standby side remain underused. Cisco campus designs commonly tune HSRP priorities per VLAN and align the active HSRP gateway with the spanning-tree root for that VLAN. This creates a deterministic load-sharing model while preserving gateway redundancy. Adding more interfaces may help capacity, but the question states that some downstream interfaces are already underutilized, so the issue is load distribution rather than absolute port count. A port channel is useful only when the topology supports bundling the specific links and does not by itself move gateway activity. RSTP improves convergence, not HSRP forwarding balance. Reference topics: HSRP load sharing, per-VLAN gateway placement, STP root alignment, campus capacity design.

The SD-Access control-plane node maintains the endpoint database and resolves mappings between endpoints and the fabric edge nodes where those endpoints are located. Cisco SD-Access uses LISP in the fabric control plane. Edge nodes register endpoint identifiers with the control-plane node, and other fabric nodes query the control plane when they need to locate a destination endpoint. This control-plane function is commonly described through LISP Map-Server and Map-Resolver behavior. Option B is not correct because endpoint detection occurs at the edge node, not at the control-plane node. The edge is the device connected to users, access points, or endpoint-facing networks, so it learns local endpoint presence and registers that information. Option C refers to authentication and identity, which is integrated with Cisco ISE. Option D describes the border-node role, because border nodes connect the fabric to external networks. The corrected answer is therefore A. A stable SD-Access design must provide redundant control-plane reachability and scale the control-plane role according to fabric size, mobility, and endpoint churn. Reference topics: SD-Access control plane, LISP Map-Server, LISP Map-Resolver, endpoint-to-location mapping.

The correct IS-IS design combines tuned SPF/PRC behavior with a proper Level 1 and Level 2 hierarchy. Reducing SPF and PRC intervals, within platform and stability limits, helps routers react more quickly to topology changes after a link failure. However, fast timers alone are not enough; the hierarchy must contain instability so physical link flaps in the access layer have limited impact on the rest of the network. Access routers should form Level 1 adjacencies inside their local area, while aggregation routers should operate as Level 1/Level 2 routers to connect the access area to the Level 2 backbone. This design gives access routers a simple local view and uses aggregation as the interarea boundary. Running all access and aggregation routers as L1/L2 across the network increases the size of the backbone and exposes more routers to wider flooding, which is the opposite of the requirement. Redistributing Internet routes into Level 1 is also poor design because it bloats the access area. Therefore, the right choices are C and E. Reference topics: IS-IS hierarchy, L1/L2 design, SPF and PRC tuning, access-layer convergence, fault containment.

For model-driven telemetry with periodic updates, the architect must understand that each periodic update sends the subscribed data at the configured interval. Cisco telemetry guidance distinguishes periodic subscriptions from on-change subscriptions. A periodic subscription streams a full copy of the subscribed data element or table at each interval, even if the underlying state has not changed. That behavior is useful when the collector needs regular time-series samples, trending, or baseline monitoring, but it creates predictable bandwidth and collector-load requirements. On-change subscriptions are different: they publish updates when the subscribed state changes and are more efficient for state changes such as interface status, memory thresholds, or protocol adjacency m ovement. Empty subscription behavior and initial update timing may matter in specific implementations, but they are not the main design consideration in this question. Since the customer requires periodic updates, the design must size the transport, collector, retention system, and subscription intervals around repeated full data delivery. Reference topics: model-driven telemetry, periodic subscription, on-change subscription, YANG-modeled operational data, collector sizing.

The design must influence how EIGRP-learned routes are injected into the OSPF domain, so R2 should redistribute EIGRP into OSPF as metric-type E1 and R3 as metric-type E2. Cisco OSPF documentation distinguishes external Type 1 and Type 2 routes. An E1 route includes the external cost plus the internal OSPF cost to reach the ASBR, while an E2 route uses only the external metric. Cisco path selection prefers O E1 over O E2 for the same external destination. Therefore, making R2 advertise the EIGRP routes as E1 causes OSPF routers to prefer R2 as the exit toward the EIGRP domain. Option C adjusts OSPF-to-EIGRP redistribution, which is the wrong direction for traffic passing toward EIGRP from OSPF. Removing redistribution on R3 would reduce redundancy. Option D reverses the preference and would favor R3. Reference topics: OSPF external route types, EIGRP-to-OSPF redistribution, ASBR preference, E1 versus E2 metrics.

Cisco SD-WAN uses Path MTU Discovery to avoid fragmentation problems across the overlay. SD-WAN traffic is encapsulated and encrypted, which adds overhead beyond the original packet size. If the effective path MTU is smaller than the encapsulated packet, fragmentation or packet loss can occur, especially when the DF bit is set or when intermediate devices block fragmentation-related ICMP messages. PMTUD allows devices to discover the largest packet size that can traverse the path without fragmentation and adjust forwarding behavior accordingly. Marking traffic with DF alone does not solve the issue; it may expose the problem by causing packets to be dropped when too large. Jumbo frames are not a universal WAN solution because service-provider, Internet, and broadband paths often do not support them consistently. Configuring every access circuit with a fixed 1600-byte MTU is not a reliable design assumption. The correct design is to rely on PMTUD and validate tunnel overhead, device MTU, TCP MSS adjustment where needed, and ICMP handling across transports. Reference topics: Cisco SD-WAN MTU, PMTUD, tunnel overhead, fragmentation avoidance, IPsec encapsulation.

DiffServ is the correct QoS model for a business-critical, delay-sensitive, high-bandwidth application across DMVPN tunnels protected with IPsec. Differentiated Services classifies and marks traffic, usually with DSCP, and then applies per-hop behavior at each network device. This model scales well across enterprise WANs because routers do not need to maintain per-flow reservation state. DMVPN and IPsec overlays can carry marked traffic, and the WAN design can apply queuing, shaping, and congestion avoidance based on those markings. IntServ with RSVP can provide explicit resource reservation, but it is stateful and does not scale well across many branch tunnels. RSVP also becomes operationally difficult across encrypted overlay environments. WRED is only a congestion avoidance mechanism, not a complete QoS architecture. Because the application needs differentiated treatment but the WAN must remain scalable, DiffServ is the practical Cisco enterprise design model. Reference topics: DiffServ, DSCP marking, DMVPN QoS, IPsec QoS pre-classify, per-hop behavior, enterprise WAN QoS.

TLOC extension is the Cisco SD-WAN mechanism that allows a WAN Edge router without direct access to a transport to reach that transport through another WAN Edge router at the same site. Cisco describes TLOC extension as a redundancy feature in SD-WAN networks. In the question, the WAN Edge router is connected to an MPLS transport link, but Internet access is available through another WAN Edge device. With TLOC extension, the MPLS-only edge can extend traffic through the peer router toward the Internet transport, allowing the site to use multiple transports without requiring every edge router to have a physical connection to every circuit. OMP can advertise routes and TLOCs, but OMP alone does not create physical Internet access for a router attached only to MPLS. Requiring a local 4G/5G or Internet circuit on the same router is not necessary when TLOC extension is part of the design. An MPLS extranet is also not the normal SD-WAN solution for Internet transport reachability. Therefore, TLOC extension is the correct design method.

Cisco Catalyst SD-WAN separates orchestration from management, control, and data forwarding. The orchestration-plane function is provided by vBond, which authenticates WAN Edge devices and helps establish secure connectivity between edges and controllers. In Cisco design terms, vBond is also the NAT traversal facilitator because it allows devices sitting behind NAT to discover reachable public and private address information and form the correct control connections. These two functions match the options for primary authentication point and NAT traversal facilitation. Centralized provisioning, troubleshooting, monitoring, and template-based configuration belong to vManage, the management plane. Route and policy distribution belongs to vSmart, the control plane, through OMP. Zero Touch Provisioning is part of the onboarding workflow, but the question asks for orchestration-plane functions, not the broader provisioning service. A sound SD-WAN design should deploy redundant vBond instances, ensure DNS reachability to them, and validate firewall rules so DTLS/TLS control connections can be established reliably across Internet and private transports. Reference topics: Cisco SD-WAN architecture, vBond orchestration, control connections, NAT traversal.

Bootstrap Router is the standards-based mechanism that supports dynamic RP discovery in a PIM sparse-mode domain. Cisco documentation distinguishes Auto-RP, which is Cisco-proprietary, from BSR, which is defined for standards-based RP distribution. With BSR, candidate RPs advertise their availability, and the elected bootstrap router distributes RP-set information throughout the PIM domain. This removes the operational burden of manually configuring the same static RP information on every multicast router. Anycast-RP provides RP redundancy and load sharing but does not by itself provide standards-based dynamic RP discovery across the domain. Static RP is simple but not dynamic. Auto-RP can dynamically distribute RP information, but it is not the standards-based answer. The design value of BSR is most visible in large multicast domains, where routers need consistent RP information and manual changes are risky. Therefore, when the question asks for a standards-based RP deployment that supports dynamic RP discovery, the correct answer is bootstrap router. Reference topics: PIM sparse mode, Bootstrap Router, candidate RP, RP-set distribution, dynamic RP discovery.

BIDIR-PIM is the correct multicast mode for a video conferencing environment with numerous dispersed senders and receivers. Bidirectional PIM is designed for many-to-many multicast applications where receivers may also transmit and where maintaining per-source trees would create unnecessary state and control-plane overhead. Instead of building a shortest-path tree for every source, BIDIR-PIM uses a shared tree rooted at the rendezvous point and forwards traffic bidirectionally. This makes it attractive for collaborative applications and conferencing scenarios with many active participants. MP-BGP can carry multicast VPN or multicast routing information in service-provider designs, but it is not itself the multicast forwarding mode for this requirement. MSDP is used to exchange source information between PIM-SM domains, not to optimize many-to-many forwarding within the multicast design. IGMPv2 handles host membership signaling on local segments and does not provide the routed multicast mode. Reference topics: BIDIR-PIM, many-to-many multicast, shared tree, video conferencing multicast, PIM design.

The multicast Reverse Path Forwarding check is a loop-prevention mechanism. Cisco multicast forwarding does not forward traffic merely because the packet arrived on any multicast-enabled interface. Instead, the router checks whether the packet arrived on the interface that would be used to route traffic back toward the multicast source or, in shared-tree cases, back toward the rendezvous point. If the packet arrives on the expected reverse path, it passes the RPF check and can be replicated to the outgoing interface list. If it arrives on the wrong interface, it is dropped to prevent loops and duplicate packets. This supports a loop-free multicast distribution tree from sources to receivers. Auto-RP mapping agents, bootstrap messages, and RP-set discovery are separate rendezvous point distribution mechanisms; they are not the function of the RPF check. In enterprise designs with redundant links, asymmetric routing, or multiple equal paths, multicast RPF behavior must be reviewed carefully because unicast routing choices directly influence whether multicast packets are accepted or discarded. Reference topics: multicast RPF, PIM forwarding, loop prevention, outgoing interface list.

The SD-WAN onboarding sequence follows the controller trust and overlay-establishment workflow. A WAN Edge device first obtains basic reachability information through manual bootstrap, ZTP, or PnP-style provisioning so it can reach the orchestration components. It then establishes secure control connectivity to the orchestrator and validates identity through the certificate and authorized serial number information. After orchestration, the device forms the required secure control connections to the management and control-plane components, receives its configuration, and participates in OMP route exchange. Finally, the WAN Edge builds encrypted data-plane tunnels to other WAN Edge devices based on the TLOC and policy information learned through the control plane. This order matters because the device cannot exchange overlay routes or build data-plane IPsec tunnels until it is authenticated and authorized in the SD-WAN fabric. Cisco SD-WAN designs rely on this sequence to support zero-touch deployment, centralized policy, and secure fabric admission. Reference topics: Cisco SD-WAN onboarding, vBond orchestration, certificate validation, OMP, TLOC exchange, data-plane tunnel establishment.

Policing is the correct mechanism for managing traffic that exceeds the configured threshold. The application is UDP-based, inelastic, and sensitive to delay and jitter, so excess traffic should not be buffered and transmitted later. Cisco defines traffic policing as measuring traffic against a configured rate and applying an action such as transmit, drop, or remark when traffic conforms, exceeds, or violates the policy. In contrast, shaping buffers excess traffic and releases it later to smooth the output rate. That behavior is useful for TCP or provider handoff control, but it can add delay and jitter, which is harmful for inelastic real-time UDP flows. Scheduling has already been addressed by allocating bandwidth and assigning queues; it decides how queues are serviced, not how excess flows are constrained. Remarking changes packet markings but does not by itself enforce a traffic threshold. Therefore, policing is the appropriate QoS conditioning action for traffic above the configured limit. Reference topics: traffic policing, QoS conditioning, shaping versus policing, UDP real-time applications, delay and jitter control.

The multicast-replicator function is used to optimize multicast traffic distribution across Cisco SD-WAN. Cisco Catalyst SD-WAN multicast overlay design avoids forcing the ingress WAN Edge router to replicate every multicast packet to every remote receiver. Instead, multicast routes and receiver information are exchanged through OMP, and a WAN Edge can be designated as a multicast or OMP replicator. The replicator then distributes streams to interested receivers across the overlay, reducing bandwidth and processing pressure on the source-side edge. That is why multicast-replicator is the feature that optimizes WAN bandwidth for IGMP-driven multicast receiver traffic among WAN Edge routers in the same VPN. IGMPv2 is only the host-to-router group membership protocol and does not optimize overlay distribution by itself. A multicast RP is used in PIM sparse mode, but it is not the SD-WAN overlay replication feature. Multicast service routes advertise multicast service information, but the bandwidth-saving forwarding role is the replicator. Reference topics: Cisco SD-WAN multicast overlay, OMP multicast routes, multicast replicator, IGMP receiver joins.

LTE is the most appropriate backup WAN option for remote sites that already rely on microwave links. A backup transport should use a different failure domain from the primary service; LTE provides carrier wireless connectivity that is operationally separate from the customer’s microwave infrastructure. It is widely available, fast to deploy, and suitable as an out-of-band or secondary WAN path for branch continuity. WiMAX is an older metropolitan wireless technology and is not the preferred current enterprise backup choice. A laser link is another line-of-sight technology and can suffer from similar environmental and alignment constraints as microwave, so it is a weaker diversity option. Bluetooth is a short-range personal-area technology and is not a viable WAN backup for enterprise branches. LTE also integrates well with SD-WAN, IPsec VPN, and routing-based failover designs. In a resilient WAN architecture, the architect should validate signal quality, carrier coverage, data plan, antenna placement, NAT behavior, and whether the backup link must support dynamic routing, VPN encryption, and QoS for critical traffic during failover.

The Cisco SD-Access underlay provides the physical and IP transport foundation that allows fabric nodes to reach each other. In plain terms, it is the routed connectivity built from the switches, routers, links, and loopback reachability that the overlay depends on. Cisco SD-Access then uses the overlay to provide virtualization, segmentation, policy, and endpoint mobility on top of that transport. This is why the underlay is best described as establishing the connectivity between the switches and routers that form the fabric. Option A describes the abstraction performed by the overlay, not the underlay. Option B is closer to a Layer 2 tunneling description and is not the main purpose of the SD-Access underlay. Option D describes encapsulated overlay behavior, especially VXLAN-based data-plane transport, not the physical/routed foundation itself. A good SD-Access design validates underlay reachability, routing adjacencies, MTU, loopback advertisement, and redundancy before onboarding the overlay services. Without a stable underlay, LISP control-plane mappings and VXLAN data-plane forwarding cannot operate predictably. Reference topics: SD-Access underlay, routed campus foundation, fabric node reachability, overlay dependency.

A routed access topology is the underlay design that removes the normal need for first-hop redundancy protocols. In a traditional Layer 2 access design, end hosts usually rely on HSRP, VRRP, or GLBP at the distribution layer because the default gateway is shared across redundant distribution switches. In a routed access design, the Layer 3 boundary is pushed down to the access layer. The access switch routes toward the distribution layer using point-to-point routed links, so uplink failures are handled by the routing protocol instead of spanning tree and first-hop redundancy. Cisco campus design guidance highlights routed access as a way to improve convergence, avoid Layer 2 loop exposure across uplinks, and simplify resiliency by using equal-cost routed paths. Virtualized topology is too broad and does not inherently remove FHRP. A Layer 2 topology normally increases dependence on STP and gateway redundancy. A logical fabric topology is not the generic underlay topology described by the question. The correct choice is therefore routed access. Reference topics: routed access campus, Layer 3 access, FHRP elimination, routed underlay resiliency.

The ORF filter should be applied so the route reflector or upstream peer suppresses the unwanted Branch A prefix before sending updates toward the resource-constrained branch. Cisco BGP outbound route filtering lets a receiving router advertise a prefix-list filter to its peer, causing that peer to apply the filter outbound. This is useful when a router has limited CPU or memory because unwanted prefixes are never sent across the session. In the described design, HQ must prevent Branch A prefixes from reaching R4, while Branch B has limited resources. The answer using the 10.10.10.0/24 prefix list on R2 aligns with filtering the Branch A prefix at the point where HQ can control route reflection or advertisement toward the constrained branch path. Applying the filter on the wrong router or using the wrong prefix would still allow unnecessary updates. ORF is preferred over simple inbound filtering when the goal is to reduce received route volume. Reference topics: BGP ORF, prefix-list signaling, route-reflector filtering, branch route scale, outbound update suppression.

Bidirectional PIM is the best fit for this multicast design because the application is many-to-many and has a manageable but meaningful number of multicast sources. Cisco describes BIDIR-PIM as a multicast mode designed for many-to-many applications where sources and receivers can be widely distributed. Unlike classic PIM sparse mode, BIDIR-PIM does not build source-specific shortest-path trees for each active source. Instead, traffic uses a shared bidirectional tree rooted at the rendezvous point, which reduces multicast state in the network and improves scale when many sources may send to the same group. Source-Specific Multicast is optimized for one-to-many distribution where receivers know the source and join an (S,G) channel; it is not the natural many-to-many choice. Any Source Multicast can support many-to-many traffic but usually creates more state because source trees may be built. Multicast VPN is a transport/service architecture, not the specific multicast mode requested. Reference topics: BIDIR-PIM, many-to-many multicast, shared trees, RP-based forwarding, multicast state scaling.

Cisco SD-WAN WAN Edge devices can be brought into the overlay through automated zero-touch provisioning or through manual bootstrap configuration. Zero-touch provisioning allows a device to discover the SD-WAN controllers and receive the information needed to authenticate and join the overlay with minimal on-site work. This is a core operational benefit of Cisco SD-WAN because branch routers can be shipped to sites and onboarded without a specialist manually building the entire control-plane configuration locally. Manual configuration remains available when ZTP is not used, when the site has special connectivity constraints, or when the administrator needs to stage the router directly. DHCP options and DNS records can help devices learn controller information in some deployment models, but they are not the complete pair of bootstrap methods named for vEdge onboarding. vManage is the management system, not a bootstrap method by itself. Therefore, the correct methods are ZTP and manual configuration. The design should also validate certificates, organization name, system IP, site ID, and transport interface reachability during onboarding.