Cisco 300-540 Designing and Implementing Cisco Service Provider Cloud Network Infrastructure (SPCNI v1.0) Exam Practice Test

Comprehensive and Detailed Explanation (Cisco NFVI / Virtualization Knowledge)

SR-IOV (Single Root I/O Virtualization)allows a VM to access the network interface hardwaredirectly, without going through the hypervisor’s virtual switch.

This is achieved by:

Assigning Virtual Functions (VFs) directly to VMs

Allowing high-performance, low-latency packet I/O

Bypassing the hypervisor datapath

Therefore, SR-IOV doesnotbypass the guest OS; it bypasses thehypervisor I/O virtualization layer, delivering near-native performance.

Thus the correct answer isC.

Comprehensive and Detailed Explanation

Cisco NFVIS logging levels (from lowest to highest):

critical

error

warning

info

debug←highest verbosity

To capture maximum diagnostic detail, engineers must enabledebuglogging on theoperational log type, which records system activity and runtime behavior.

Thus the correct command is:

system set-log logtype operational level debug

This provides the deepest troubleshooting visibility.

In a VXLAN BGP EVPN fabric, each VTEP (NVE interface) must useBGP EVPN as the host-reachability protocolso that MAC/IP information and VTEP reachability are exchanged through the control plane.

From the exhibit:

LEAF-SW-1 – interface nve1

source-interface loopback0

No host-reachability protocol bgp

Host Learning Mode: Data-Plane in show nve interface

LEAF-SW-2 – interface nve1

source-interface loopback0

host-reachability protocol bgp configured

This mismatch causes one VTEP to rely ondata-plane flood-and-learn, while the other usesEVPN BGP control-plane learning, leading to inconsistent and “corrupted” MAC/IP and ARP/ND information between the leaf switches.

The fix is to configure LEAF-SW-1 to also use BGP for host reachability:

interface nve1

host-reachability protocol bgp

Options B and D are incorrect because anycast VTEP designs intentionally share the sameprimaryloopback IP while usingdifferent secondary IPsandunique BGP router IDs. Option A (removing suppress-arp) does not correct the control-plane mismatch.

Therefore, enabling host-reachability protocol bgp on LEAF-SW-1 (OptionC) resolves the issue.

In Cisco Catalyst SD-WAN cloud integration, when the requirement is:

Automatically discovering AWSVPCs

Automatically identifying AWSservices

Allowing the user to choose whichprivate SD-WAN networkconnects to the cloud

UsingAWS credentials(Access Key / Secret Key) for automatic provisioning

…the Cisco-supported mechanism is theCisco SD-WAN Transit VPC solution.

Why Transit VPC is the correct answer:

It is specifically designed to integrateCisco SD-WANwith AWS environments.

Uses AWS APIs and user credentials to automatically discover:

VPC IDs

Subnets

Regions

Routing tables

Automatically deploys and configures CSR1000v or Catalyst 8000V routers into the VPC.

Provides a centralized “hub” in AWS to interconnect multiple SD-WAN sites.

Enables the user to choose which SD-WAN segments connect to which VPCs.

This matches the requirement ofautomatic cloud resource identification based on user credentials.

Why the other options are incorrect

A. AWS Direct Connect

This is a physical/private Layer 2 cloud connection.

It doesnotauto-discover VPCs or integrate through credentials.

It does not provide automated SD-WAN service provisioning.

C. IPsec VPN

Works for connectivity but ismanual, not automated.

Does not identify AWS cloud resources via credentials.

D. Segment routing

A transport technology used inside SP networks, irrelevant to AWS API-based VPC discovery.

Thus, onlyTransit VPCprovides automatic AWS cloud discovery and integration with SD-WAN.

Comprehensive and Detailed Explanation

BGP Flowspec allows routers to distributetraffic-filtering rulesusing BGP NLRI.

To enable Flowspec, after neighbors are configured, the essential next step is:

✔Activate the Flowspec address-family under BGP

Example:

router bgp 65000

address-family ipv4 flowspec

neighbor X.X.X.X activate

exit-address-family

This enables:

FlowSpec NLRI exchange

Distribution of drop rules (rate-limit, redirect, null route, etc.)

Automatic ACL/class-map/policy-map generation on edge routers

Why the other options are incorrect:

B. Set BGP routing process→ already done when neighbors were configured

C. Activate neighbors→ only makes senseinsidean address-family; flowspec AF must be enabled first

D. Configure route reflector→ optional and not required for Flowspec to operate

Thus, the correct next step isA. Configure Flowspec for the BGP address-family.

In aCisco NFVI C-Series Pod, the Top-of-Rack (ToR) switches are almost always configured as avPC pair.

A vPC domain requiresthree mandatory components:

vPC domain ID

vPC peer-link

vPC peer-keepalive link←ensures dual-active detection

In the exhibit:

The management interfaces areTor-A Mgmt0: 10.10.10.1andTor-B Mgmt0: 10.10.10.2

These IPs are used commonly as thepeer-keepalive endpoints

The physical uplinks to NFVI nodes formPort-Channel110

Since the configuration snippet already includes:

feature vpc

feature lacp

channel-group 110 mode active

Thenext required stepin a Cisco NFVI + vPC configuration is to configure thepeer-keepalivefrom ToR-A toward ToR-B:

vpc domain 1

peer-keepalive destination 10.10.10.2

This ensures:

vPC roles sync

Dual-active prevention

Stable operation for the NFVI C-Series rack

Why the Other Options Are Incorrect

A. vpc peer-linkThis is required but must be configured on the dedicated peer-link interfaces, not on the server-facing port-channel.

C. channel-group 110 mode onThe correct mode is already configured: mode active for LACP. mode on disables LACP.

D. switchport mode accessNFVI ToR links usetrunking, not access mode, because servers carry multiple networks (control, compute, storage, management VLANs).

The attacker’s IP is:

10.10.10.2

The servers under attack are:

Web Server:10.20.10.2

Mail Server:10.30.10.2

We must denytraffic from attacker → servers.

Correct ACL format useshost wildcards (0.0.0.0):

deny ip 10.10.10.2 0.0.0.0 10.20.10.2 0.0.0.0

deny ip 10.10.10.2 0.0.0.0 10.30.10.2 0.0.0.0

These matchD and E.

Cisco Umbrella DNS-layer security:

Blocks malicious domains used inphishing,malware,C2 communications, andransomware

Stops threatsbeforeconnections are made

Uses DNS-based filtering and threat intelligence

It doesnotmitigate:

DDoS (needs scrubbing centers)

Brute force login attempts

Zero-day exploits directly

Thus,Ais correct.

On R1 the configuration (simplified) is:

ip domain lookup

ip domain name ccnp.test

ip host www.ccnp.test 10.1.1.1 10.2.1.1 10.3.1.1

The ip host command statically maps the hostname www.ccnp.test

to three IP addresses. By default, Cisco IOS will always return these IP addresses to DNS queries in the same order they are configured (10.1.1.1, then 10.2.1.1, then 10.3.1.1). This means that clients will always attempt 10.1.1.1 first and will not achieve per-query load balancing across all three servers.

To enable DNS-based load balancing so that each successive query rotates the order of the addresses, Cisco IOS provides the command:

ip domain round-robin

This command enables round-robin rotation of multiple A records associated with a single hostname defined by ip host. With this feature enabled:

1st query: response order 10.1.1.1, 10.2.1.1, 10.3.1.1

2nd query: response order 10.2.1.1, 10.3.1.1, 10.1.1.1

3rd query: response order 10.3.1.1, 10.1.1.1, 10.2.1.1

Clients will typically try the first IP address in the list and use the others if the first one fails, exactly matching the requirement.

Why other options are incorrect:

A. ip domain retry 3 controls how many times the router retries DNS queries to a server; it does not control the order of multiple A records.

C. ip dns server turns the router into a DNS server but does not itself provide round-robin behavior for statically defined hosts.

D. maximum-paths 3 is a routing (IP forwarding) parameter for equal-cost multipath, unrelated to DNS resolution.

Comprehensive and Detailed Explanation From Cisco NFVI + VIM Architecture

Cisco VIM (Virtual Infrastructure Manager) operates as part of Cisco NFVI and requiresspecific mandatory network segmentsto deploy OpenStack-based NFVI environments.

The essential required networks for Cisco VIM include:

✔Provisioning network

Used during bare-metal install of compute and controller nodes

Handles PXE boot, image deployment, and VIM’s management reachability

✔Storage network

Used for Cinder, Swift, Ceph, and Glance back-end storage replication

Ensures predictable latency and bandwidth for NFVI workloads

Other networks exist in VIM (Management, API, Tenant, External), but the question asks for the required foundational segments.

Why the other options are incorrect:

Data plane(B) – used inside NFV workloads but not a required VIM infrastructure network.

Heartbeat(C) – not a defined VIM network segment.

Host network(D) – not a Cisco VIM terminology; provisioning network handles host onboarding.

In Cisco NFVI, themanagement noderelies heavily on Docker containers for:

NFVIS management functions

VIM services

Orchestration components

If the management node fails to start and the system shows:

docker.service: inactive (dead)

…then all Docker-based platform services also fail to start.

The correct recovery action is torestart the Docker engine:

systemctl restart docker

This brings up:

All NFVI-required Docker containers

Management services

REST APIs and cluster components

Why other answers are incorrect:

docker-kibana→ Only affects Kibana logging container

docker-cobbler→ Used for provisioning, not core NFVI management

kube-apiserver→ Part of Kubernetes cluster, but relies on Docker; restarting it won’t help until Docker is running

Thus, the correct answer isB. docker.

Comprehensive and Detailed Explanation From Cisco SP Core Optimization Knowledge

Cisco IOS supportsBGP Multipathfor installing multiple equal-cost BGP routes (both iBGP and eBGP) into the routing table. The correct global BGP command syntax to set the number of allowable parallel BGP paths is:

maximum-paths

For BGP specifically, the form is:

maximum-paths bgp

This enables the router to install up to the specified number of equal-cost BGP routes (iBGP and eBGP) into the RIB and then potentially into the FIB.

Setting:

maximum-paths bgp 6

allowssixparallel ECMP paths learned via BGP—this matches the requirement in the question.

Why the other options are incorrect

B. multipath eibgp 6Not a valid Cisco IOS command.

C. maximum paths bgp routers 6Invalid syntax.

D. maximum-paths eibgp 6The correct keyword isbgp, noteibgp.Cisco does not use “eibgp” in this context; IOS supports BGP multipath across iBGP/eBGP automatically when configured under maximum-paths bgp.

Comprehensive and Detailed Explanation

For distancesgreater than 20 miles, valid inter-facility transport options must support:

Metro-scale connectivity

High bandwidth

Low latency

Carrier-grade reliability

Acarrier access Ethernet ring (MEN / Metro Ethernet)is designed for:

Interconnecting data centers or meet-me rooms

Distances far exceeding 20 miles

High-availability layer-2 or layer-3 transport

Why the others are invalid:

CAT6e→ maximum ~100 meters

Multimode fiber→ typically <2 km (~1.25 miles)

Private wireless→ not used for high-capacity DC interconnects, unreliable for core transport

Thus, the only correct carrier-grade method isCarrier access Ethernet ring.

Overlay Transport Virtualization (OTV) allows Layer 2 extension across Layer 3 infrastructures. To operate, OTV requires three fundamental components on the overlay interface:

Join interface – used to reach the OTV control plane over L3 (already configured: otv join-interface g1/0).

Control-group multicast address – for control-plane advertisement (already configured: otv control-group 224.1.1.1).

Extended VLAN list – specifies which VLANs will be transported through the OTV overlay.

The configuration shown in the exhibit includes the join-interface, control-group, and data-group, but it does NOT specify which VLANs should be extended. Without the otv extend-vlan command, OTV will form the overlay interface but will not forward any Layer 2 information, preventing adjacency and MAC distribution between sites.

In OTV, the command required to activate VLANs for transport is:

otv extend-vlan

This enables the VLANs (such as 101–111) to be carried across the OTV overlay, completing the configuration and establishing connectivity.

Why the Other Options Are Incorrect

B. otv isis authentication-type md5

This is optional and only required if ISIS authentication is enabled on both edges. It does not resolve the absence of VLAN extension.

C. otv isis authentication-check

This command enforces authentication verification but does not fix connectivity when VLANs are not extended.

D. otv join-interface vlan 101-111

This is not a valid OTV command. The join-interface must be a routed interface, not a VLAN list.

Comprehensive and Detailed Explanation

In Cisco NFV Infrastructure (NFVI) Assurance and Monitoring, enabling gRPC activates the device’s ability to support model-driven telemetry streaming.

Key points from Cisco SP Cloud/NFVI design principles:

gRPC is used as the transport protocol for model-driven telemetry.

Telemetry replaces traditional polling methods (SNMP, CLI scraping) with continuous, push-based updates.

It allows NFVI components to stream real-time operational data (CPU, memory, interfaces, VM metrics, fabric state) to collectors such as Cisco Crosswork, InfluxDB, Prometheus, or other analytic systems.

gRPC does not provide NetFlow/IPFIX export or syslog itself; those are separate subsystems.

Evaluation of options:

A. telemetry streaming — Correct. gRPC enables model-driven streaming telemetry.

B. IPFIX monitoring — Incorrect; IPFIX uses UDP exports, not gRPC.

C. Cisco IOS NetFlow monitoring — Incorrect; uses NetFlow export protocols.

D. system logging — Incorrect; syslog uses UDP/TCP, not gRPC.

Comprehensive and Detailed Explanation Based on Designing and Implementing Cisco Service Provider Cloud Network Infrastructure Knowledge

When connectingcarrier-neutral facilities (CNFs)ordata centerswithin the same metropolitan area, service providers typically usehigh-bandwidth, low-latency optical transport methods. The most appropriate and commonly deployed interconnection technology is:

DWDM (Dense Wavelength Division Multiplexing) ring, which provides:

High capacity (10G, 40G, 100G, 400G)

Low latency

Redundancy through ring or mesh topologies

Multi-wavelength multiplexing for cost efficiency

Carrier-grade reliability for metro interconnect services

This aligns with cloud interconnect and metro transport design used in service provider environments.

Evaluation of the Options

A. OSPF backbone area adjacency

This is a routing protocol adjacency, not a physical connection method. It requires a transport link underneath but does not represent the physical interconnect itself.

B. Private wireless connection

Not suitable for CNF or metro DC interconnect because it lacks the bandwidth, reliability, and deterministic performance required for large-scale carrier-grade interconnects.

C. DWDM ring

This is the correct method. DWDM-based metro fiber rings are the standard for connecting carrier-neutral facilities in the same metro region.

D. CAT6e connection

This is limited to short-distance copper Ethernet (tens of meters). It is not used for metro-scale interconnects or between CNFs.

Comprehensive and Detailed Explanation

AWSSecurity Groupsact as the primary stateful firewalls for EC2 instances.

To restrict SSH (TCP/22) to a single host (20.20.20.20/32), aSecurity Groupmust be configured with:

Inbound rule: TCP 22

Source: 20.20.20.20/32

ACLs operate at the subnet level but are not used for instance-specific SSH restrictions.

WAF controls HTTP/HTTPS traffic, not SSH.

Resource groups only organize cloud assets.

Thus,Bis the correct solution.

NETCONF rules state:

A user cannot terminatetheir own active session.

Attempting to kill the same session returnsinvalid-valueerror.

The session continues running normally.

Thus:

No logout

No termination

No configuration impact

Therefore,Ais correct.