Free and Premium Cisco 300-420 Dumps Questions Answers

Integrated Services is the QoS model that allows an application to signal its traffic requirements to the network and request specific service treatment. Cisco QoS guidance distinguishes IntServ from DiffServ by explaining that IntServ follows a signaled-QoS model, while DiffServ uses provisioned per-hop behavior based on markings. IntServ uses RSVP to reserve resources along the end-to-end path. That reservation process allows the network to admit or deny the flow based on available bandwidth and policy, which is why IntServ aligns with applications that require consistent and dedicated bandwidth. DiffServ is much more scalable and widely deployed in enterprise networks, but it does not provide per-flow resource reservation by itself. LLQ is a queuing mechanism commonly used inside a DiffServ design for delay-sensitive traffic such as voice. WRED is a congestion-avoidance technique, not an end-to-end reservation architecture. Because the question explicitly says that the application informs the network of its traffic profile and requests a service level, the correct QoS architecture is IntServ.

BGP Multipath Load Sharing is the feature used when a single router has two parallel BGP paths to the same ISP and the design goal is to install more than one eligible BGP path in the routing table. By default, BGP selects a single best path after evaluating path attributes such as weight, local preference, AS path, origin, MED, eBGP over iBGP, IGP metric to next hop, and tie breakers. When the competing paths are sufficiently equivalent and BGP multipath is enabled, Cisco IOS can install multiple BGP next hops for the same prefix and allow the forwarding plane to load share across both links. Multihop is used to establish BGP sessions to non-directly connected neighbors, not to load balance. Next-Hop Address Tracking improves convergence by tracking next-hop reachability, but it does not itself create load sharing. AS-path prepending intentionally makes a path less preferred for inbound traffic engineering. Therefore, the correct BGP feature for balancing outbound traffic across two links to the same ISP is Multipath Load Sharing.

An inbound IP prefix list is the correct tool because the routers must decide which prefixes to accept from the service provider based only on prefix length. Prefix lists are designed to match network prefixes and mask-length ranges using operators such as le and ge. Applying the prefix list inbound to the BGP neighbors prevents routes with masks longer than /24 from entering the local BGP table, regardless of what the service provider advertises. This conserves memory and ensures the customer routing policy is enforced locally. An access list is a poor fit because it does not natively express prefix-length logic as cleanly as a prefix list. Applying the policy outbound would filter routes the customer sends to the provider, which is the wrong direction; the requirement is about routes the customer learns. A route map could reference a prefix list, but the simplest and most exact answer is to use an IP prefix list inbound. Therefore, the design should apply an inbound prefix list to both BGP peers to block prefixes greater than /24. Reference topics: BGP route filtering, prefix lists, inbound policy, maximum accepted prefix length.

Explicit QoS trust should be configured at the network boundary points where markings first enter the managed DiffServ domain and are known to be reliable. In a DiffServ design, traffic classification and marking are typically performed at the access edge or at a controlled ingress boundary, and downstream devices then honor DSCP or CoS markings based on the trust boundary. Cisco QoS design stresses that the trust boundary must be intentionally placed; endpoints or unmanaged devices should not be trusted by default because they can mark traffic incorrectly and steal priority treatment. The exhibit answer identifies B and E as the correct trust points, meaning those are the controlled ingress locations where markings should be accepted. Options that trust uncontrolled endpoint-facing points or internal transit locations would either create a security problem or add no practical value. Once traffic is trusted and marked at the correct boundary, queuing, policing, and shaping policies can use the DSCP values consistently across the campus or WAN. Reference topics: DiffServ, QoS trust boundary, DSCP marking, classification, enterprise QoS design.

VRRP object tracking allows the effective priority of a VRRP router to change when a tracked object changes state. Cisco documentation states that VRRP object tracking ensures the best VRRP router is master by altering VRRP priorities according to tracked objects such as interface or IP route states. This directly supports answer A. It also supports answer D, because VRRP can track interfaces and routes through the tracking process. The priority does not have to remain fixed; object tracking is specifically designed so a router can lower its priority when an uplink, route, or critical dependency fails. A VRRP group is not limited to one tracked object in modern Cisco implementations, so option C is too restrictive. VRRP does not support only interface tracking; route tracking is also a common use case, especially when the LAN interface is still up but upstream reachability has failed. In a resilient campus or branch gateway design, object tracking prevents a router from remaining master when it no longer has a valid upstream path, improving deterministic failover.

The correct solution is a management VRF with SSH keys for device access. A management VRF creates a separate routing and forwarding table for management traffic, keeping administrative reachability isolated from production and overlay routes. That directly satisfies the requirement that the overlay network must not cause routing issues and makes troubleshooting easier for operations teams because management reachability can be validated independently. Cisco VRF design uses separate routing tables to isolate traffic and can support overlapping addresses or independent routing policy. For secure device access, SSH with key-based authentication provides encrypted administrative sessions and stronger authentication than clear-text or password-only methods. Private VLANs and ordinary VLANs provide Layer 2 separation but do not create independent routing tables. TACACS+ and RADIUS are AAA systems; they are useful but do not define the management transport architecture. Separate physical interfaces can be useful out-of-band, but the best match for overlay isolation and operational simplicity is management VRF plus SSH keys. Reference topics: management VRF, secure device access, SSH public-key authentication, routing-table isolation, enterprise management design.

The required BGP address family is L2VPN EVPN. The design calls for VXLAN over a Layer 3 IPv4 fabric while preserving Layer 2 adjacency and allowing workload mobility between sites. EVPN is the BGP control plane used with VXLAN overlays to advertise MAC reachability, IP host information, and Ethernet segment information in a scalable way. It separates the Layer 2 and Layer 3 overlay control plane from the underlay IGP, which in this case is OSPF. VPNv4 is used for MPLS Layer 3 VPN routes, not VXLAN Layer 2 adjacency. IPv4 unicast advertises ordinary IP prefixes and does not carry MAC mobility or Ethernet VPN information. L2VPN VPLS or VPWS address families are associated with MPLS-based Layer 2 VPN services and do not provide the VXLAN EVPN control-plane model required here. EVPN is therefore the correct family for VXLAN fabrics that need host mobility and scalable Layer 2 extension. Reference topics: BGP EVPN, VXLAN, L2VPN EVPN address family, MAC reachability, workload mobility.

The requirement for end-to-end path verification identifies the Integrated Services model with RSVP. IntServ uses per-flow resource reservation, and RSVP signals the path between sender and receiver so devices along that path can admit or reject the requested service based on available resources. This makes IntServ appropriate when the design requires explicit end-to-end path validation and reservation for application flows. DiffServ works differently. In a DiffServ design, traffic is marked, normally with DSCP or CoS at the edge, and each hop applies a configured per-hop behavior. DiffServ is scalable and common in enterprise WAN and campus QoS designs, but it does not perform per-flow signaling or verify that every device in the path can reserve the requested resources. Marking traffic at the access layer is an important QoS design practice, but marking alone is not path verification. Therefore, when the customer explicitly requires end-to-end path verification for business-critical traffic, Cisco QoS architecture points to IntServ with RSVP rather than a pure DiffServ marking model.

Affinity is the Cisco SD-WAN feature used to minimize TLOC and control connections and reduce strain on vSmart controllers. Cisco documentation explains that establishing affinity between controllers and edge devices allows the operator to control overlay scaling by limiting which controllers an edge device can establish control connections with. In large deployments, unrestricted connections between every WAN Edge and every controller can create unnecessary state and operational load. Affinity lets the design distribute edge connections across controllers and data centers while still preserving redundancy through primary and backup controller relationships. Color identifies the transport type or behavior associated with a TLOC, but it does not reduce controller connection scale by itself. Control-direction and control-connections are not the feature names that provide the scaling function described in the question. A well-designed SD-WAN control plane uses affinity, controller groups, and redundancy planning to keep the overlay scalable and predictable. Reference topics: Cisco SD-WAN affinity, vSmart controller scale, TLOC connections, control-plane redundancy, overlay scaling.

The Cisco SD-Access data plane is based on VXLAN. Cisco SD-Access separates the fabric into functional planes: the underlay provides IP reachability, the control plane uses LISP to map endpoints to locations, and the data plane uses VXLAN encapsulation to carry user traffic across the routed underlay. VXLAN allows the fabric edge node to encapsulate endpoint traffic and forward it through the fabric while preserving virtual network and segmentation information. This is what enables SD-Access to provide Layer 2 and Layer 3 overlay services over a Layer 3 routed transport. OMP is the control-plane protocol for Cisco SD-WAN, not SD-Access. NHRP is associated with DMVPN tunnel resolution. LISP is essential in SD-Access, but its role is endpoint ID to routing locator mapping, not packet encapsulation in the data plane. Therefore, VXLAN is the correct protocol for the SD-Access data plane. Reference topics: SD-Access fabric, VXLAN data plane, LISP control plane, overlay encapsulation, routed underlay.

Cisco SD-WAN WAN Edge devices can be brought into the overlay through automated zero-touch provisioning or through manual bootstrap configuration. Zero-touch provisioning allows a device to discover the SD-WAN controllers and receive the information needed to authenticate and join the overlay with minimal on-site work. This is a core operational benefit of Cisco SD-WAN because branch routers can be shipped to sites and onboarded without a specialist manually building the entire control-plane configuration locally. Manual configuration remains available when ZTP is not used, when the site has special connectivity constraints, or when the administrator needs to stage the router directly. DHCP options and DNS records can help devices learn controller information in some deployment models, but they are not the complete pair of bootstrap methods named for vEdge onboarding. vManage is the management system, not a bootstrap method by itself. Therefore, the correct methods are ZTP and manual configuration. The design should also validate certificates, organization name, system IP, site ID, and transport interface reachability during onboarding.

Route summarization and EIGRP stub routing are the two correct design techniques for a stable and scalable EIGRP deployment. Summarization reduces the number of prefixes advertised upstream, conserves bandwidth and memory, hides route flaps behind the summary boundary, and reduces the size of the EIGRP topology table. Stub routing prevents branch or access devices from being used as transit routers and limits the scope of EIGRP queries. This is critical because uncontrolled EIGRP query propagation can increase convergence time and processing load, especially in larger hierarchical networks. Prefix lists and distribute lists can filter routes, but filtering alone does not provide the same query-boundary and topology-hiding benefits as summarization and stubs. Static redistribution increases complexity and can create loop or policy risks if not controlled with tags and metrics. The question specifically asks to conserve bandwidth, memory, and CPU, prevent suboptimal routing, and avoid unnecessary queries; summarization and stub routing are the direct Cisco design answers. The architect should summarize at hierarchy boundaries and configure access or branch routers as EIGRP stubs where they should not provide transit. Reference topics: EIGRP summarization, EIGRP stub routing, query scope, hierarchical routing.

BFD is the correct design feature for detecting a link failure within 200 ms or less without materially increasing OSPF control-plane load. Cisco uses Bidirectional Forwarding Detection as a fast, lightweight failure-detection protocol that can be associated with routing protocols such as OSPF. Instead of relying on aggressive OSPF hello and dead timers, BFD performs rapid forwarding-path checks and notifies OSPF when the path fails. This allows fast convergence while avoiding the additional routing-protocol overhead and instability that can come from very low hello timers. UDLD detects unidirectional Layer 2 fiber failures, but it is not the routing adjacency failure-detection mechanism requested here. Carrier delay can adjust interface state transition timing, but it does not provide a routing-protocol independent liveness session. Fast hellos can reduce detection time, but they increase protocol traffic and can affect overall performance. BFD is therefore the proper design choice for fast and efficient OSPF convergence. Reference topics: BFD, OSPF convergence, fast failure detection, routed campus resiliency, control-plane efficiency.

An end-to-end QoS strategy with an SLA is the best fit for an application that cannot tolerate drops and requires very low latency across countries. The customer is asking for guaranteed service behavior, not just local classification on one router. A service line with an SLA defines the expected treatment across the provider network, including bandwidth, delay, jitter, and loss commitments. This is especially important for industrial or manufacturing applications that process large data chunks and are sensitive to packet loss. A purely domain-based PHB design can mark and forward traffic differently at each hop, but it does not by itself guarantee the business outcome unless backed by an end-to-end service agreement. A flow-based approach with per-flow queuing on every ISP node would consume more provider resources and scale poorly. FEC can help selected traffic but does not replace a QoS service model. Reference topics: QoS design, service-level agreements, end-to-end QoS, low-latency applications, loss-sensitive traffic, provider WAN services.

In Cisco SD-Access, an intermediate node is an underlay transit device. Its responsibility is to provide IP reachability between fabric edge nodes, border nodes, and other fabric infrastructure roles. Intermediate nodes forward routed underlay traffic and do not perform endpoint registration, endpoint lookup, or VXLAN encapsulation for user traffic. Endpoint-to-location mapping is handled through the fabric control plane, which is based on LISP map-server and map-resolver functions. Fabric edge nodes identify connected endpoints, apply policy, act as anycast gateways, and encapsulate user traffic into VXLAN. Border nodes connect the fabric to external networks and handle traffic entering or leaving the fabric. The intermediate node is therefore comparable to a routed distribution or core transport device in a traditional hierarchical campus, except it is participating in the SD-Access underlay. It must provide stable Layer 3 reachability and appropriate MTU for encapsulated traffic but does not maintain the host tracking database or add security group information to VXLAN headers. The correct function is transporting IP packets between edge and border nodes.

BGP outbound route filtering is the correct solution because the enterprise wants control over which routes it receives without waiting for a provider change cycle each time the prefix set changes. Cisco BGP prefix-based ORF allows a receiving BGP speaker to send an inbound prefix-list filter to the remote peer, which then applies that list as an outbound filter. This reduces unwanted routing updates before they cross the session and lets the enterprise update the desired prefixes locally when business requirements change. Requesting only fixed prefixes from the ISP would work initially but fails the flexibility requirement because the provider has a two-week change process. Requesting a full table and filtering inbound would provide flexibility but wastes memory and CPU on the customer router because all routes are still received before filtering. A maximum-prefix limit does not select the correct routes. ORF is therefore the scalable operational design for receiving a default route and selected prefixes with minimal provider involvement. Reference topics: BGP ORF, prefix-based filtering, inbound route control, ISP peering design, routing table scale.

The design must influence how EIGRP-learned routes are injected into the OSPF domain, so R2 should redistribute EIGRP into OSPF as metric-type E1 and R3 as metric-type E2. Cisco OSPF documentation distinguishes external Type 1 and Type 2 routes. An E1 route includes the external cost plus the internal OSPF cost to reach the ASBR, while an E2 route uses only the external metric. Cisco path selection prefers O E1 over O E2 for the same external destination. Therefore, making R2 advertise the EIGRP routes as E1 causes OSPF routers to prefer R2 as the exit toward the EIGRP domain. Option C adjusts OSPF-to-EIGRP redistribution, which is the wrong direction for traffic passing toward EIGRP from OSPF. Removing redistribution on R3 would reduce redundancy. Option D reverses the preference and would favor R3. Reference topics: OSPF external route types, EIGRP-to-OSPF redistribution, ASBR preference, E1 versus E2 metrics.

DMVPN Phase 3 hub-and-spoke is the best design for this requirement. The customer wants secure dynamic site-to-site VPN connectivity for voice, video, and FTP, and also wants branches to communicate directly instead of hairpinning all traffic through headquarters. DMVPN supports dynamic spoke-to-spoke tunnels using multipoint GRE, NHRP, and IPsec protection. Phase 3 is more scalable than Phase 2 because the hub can send NHRP redirect messages and spokes can install shortcut routes, reducing the need for every spoke to maintain detailed next-hop information for every other spoke. That is important because the branch routers have limited memory. Phase 1 is hub-and-spoke only and does not provide dynamic spoke-to-spoke forwarding. A hierarchical Phase 3 design can be useful at very large scale, but the question describes a headquarters and remote branch design rather than multiple tiers of hubs. Phase 3 hub-and-spoke satisfies direct branch communication, security, and scale. Reference topics: DMVPN Phase 3, NHRP redirect, spoke-to-spoke tunnels, IPsec encryption, branch WAN scalability.

DiffServ is the correct scalable QoS architecture for classifying traffic according to business requirements and using DSCP values as the priority descriptor. Cisco QoS design distinguishes DiffServ from IntServ. IntServ uses per-flow signaling with RSVP and can reserve resources, but that model is not operationally scalable across large enterprise networks. DiffServ is class-based. Traffic is classified and marked at the network edge, then each device applies per-hop behavior to those classes using local QoS policy. DSCP provides a six-bit field in the IP header, which supports more than ten classification values and allows standardized treatment classes such as EF, AF, class selector, and default. Best effort provides no differentiated treatment, and RSVP is a signaling mechanism associated with IntServ rather than the requested scalable class-based architecture. “Interserv” is not the correct Cisco QoS model term. Therefore, the engineer should design around DiffServ, with a clear trust boundary, marking policy, queuing model, and consistent treatment across WAN and campus boundaries. Reference topics: DiffServ, DSCP, per-hop behavior, class-based QoS, scalable QoS architecture.

For streaming multimedia over a WAN using DiffServ per-hop behavior, the best answer is CBWFQ with DSCP AF3. Cisco QoS design separates real-time interactive voice from streaming multimedia. Voice bearer traffic commonly uses EF and a strict priority queue because it is extremely sensitive to delay and jitter. Streaming multimedia, however, is usually buffered and bandwidth-intensive; it should receive assured bandwidth and controlled drop behavior rather than strict priority treatment. The Assured Forwarding classes are designed for this kind of preferential forwarding within DiffServ. AF3 is commonly associated with multimedia streaming in Cisco QoS baseline models, while CBWFQ provides bandwidth guarantees without allowing the class to starve other traffic. LLQ with EF is too aggressive for streaming multimedia and should be reserved for voice bearer traffic or similarly strict real-time flows. AF2 is more commonly used for transactional data or lower-priority assured service, depending on the model. The correct marking and queuing design is therefore CBWFQ with DSCP AF3. Reference topics: DiffServ, per-hop behavior, CBWFQ, DSCP AF classes, multimedia streaming QoS.

The selected command is correct because the port is already restricted to one manually learned MAC address, and the requirement is to let the switch dynamically learn the connected endpoint while retaining port-security control. In Cisco Catalyst port security, a static secure MAC address is manually configured, while a sticky secure MAC address is dynamically learned and then added to the running configuration. This design is useful on access ports where the administrator wants the operational convenience of dynamic learning but still wants the switch to enforce the maximum secure-address limit. Once the endpoint MAC is learned, subsequent frames from different source MAC addresses can trigger the configured violation action, such as protect, restrict, or shutdown. The command must therefore enable sticky learning on the secured interface rather than simply changing the maximum, disabling port security, or configuring a normal switching feature. This is an access-layer security function, not a routing or QoS function. Reference topics: Catalyst port security, secure MAC addresses, sticky learning, access port hardening, Layer 2 campus design.

Traffic shaping is required in the parent policy when hierarchical QoS uses CBWFQ in the child policy for low-bandwidth remote sites. In Cisco hierarchical QoS, the parent policy commonly shapes outbound traffic to the real available rate of the WAN service, especially when the physical interface speed is higher than the provider committed rate. The child policy then applies class-based queuing, such as CBWFQ and LLQ, inside the shaped rate. This structure creates an artificial congestion point on the router so the child queues can schedule packets predictably instead of allowing the provider to drop traffic after it exceeds the service rate. Policing in the child policy would drop excess packets and is not the normal prerequisite for nested CBWFQ. CBWFQ is supported in child policies within hierarchical designs, and parent shaping is the mechanism that makes the hierarchy effective. This is especially important on low-bandwidth WAN links where voice, video, and business-critical applications require deterministic treatment. Reference topics: hierarchical QoS, CBWFQ, parent shaping, child queuing, WAN QoS design.

The correct IS-IS design combines tuned SPF/PRC behavior with a proper Level 1 and Level 2 hierarchy. Reducing SPF and PRC intervals, within platform and stability limits, helps routers react more quickly to topology changes after a link failure. However, fast timers alone are not enough; the hierarchy must contain instability so physical link flaps in the access layer have limited impact on the rest of the network. Access routers should form Level 1 adjacencies inside their local area, while aggregation routers should operate as Level 1/Level 2 routers to connect the access area to the Level 2 backbone. This design gives access routers a simple local view and uses aggregation as the interarea boundary. Running all access and aggregation routers as L1/L2 across the network increases the size of the backbone and exposes more routers to wider flooding, which is the opposite of the requirement. Redistributing Internet routes into Level 1 is also poor design because it bloats the access area. Therefore, the right choices are C and E. Reference topics: IS-IS hierarchy, L1/L2 design, SPF and PRC tuning, access-layer convergence, fault containment.

The IPv4-compatible method is the closest match when the exhibit requires IPv6 connectivity between servers across an IPv4 portion of the network without using 6to4, 6rd, or ISATAP. IPv4-compatible IPv6 addressing represents an IPv4 address inside an IPv6 address format and was historically used for automatic IPv6-over-IPv4 tunneling between dual-stack nodes. Although this technique is now considered legacy and is not preferred for new designs, it matches the answer choice that directly embeds IPv4 reachability for host-to-host connectivity. ISATAP is normally used inside an enterprise IPv4 network to connect IPv6 hosts over an IPv4 intranet. 6to4 and 6rd are provider or site transition mechanisms that use specific IPv6 prefix behavior and are not simply a direct method between the depicted mail servers. For modern Cisco design, dual-stack or manually engineered tunnels would normally be preferred, but given these choices, IPv4-compatible addressing is the method aligned to the exhibit requirement. Reference topics: IPv6 transition mechanisms, IPv4-compatible addressing, tunneling, dual-stack migration, host connectivity.

The SD-WAN onboarding sequence follows the controller trust and overlay-establishment workflow. A WAN Edge device first obtains basic reachability information through manual bootstrap, ZTP, or PnP-style provisioning so it can reach the orchestration components. It then establishes secure control connectivity to the orchestrator and validates identity through the certificate and authorized serial number information. After orchestration, the device forms the required secure control connections to the management and control-plane components, receives its configuration, and participates in OMP route exchange. Finally, the WAN Edge builds encrypted data-plane tunnels to other WAN Edge devices based on the TLOC and policy information learned through the control plane. This order matters because the device cannot exchange overlay routes or build data-plane IPsec tunnels until it is authenticated and authorized in the SD-WAN fabric. Cisco SD-WAN designs rely on this sequence to support zero-touch deployment, centralized policy, and secure fabric admission. Reference topics: Cisco SD-WAN onboarding, vBond orchestration, certificate validation, OMP, TLOC exchange, data-plane tunnel establishment.

Cisco traffic policing evaluates packets against a configured traffic contract and classifies them into action states such as conforming, exceeding, and violating. The policy then applies configured actions to those states, such as transmit, drop, or remark. In a two-rate or three-color policing design, conforming traffic is within the committed rate, exceeding traffic is above the committed rate but may still be within an excess burst allowance, and violating traffic is outside the permitted profile. Therefore, conforming and violating are valid policing parameters or state/action categories in the context of the question. Shaping is not a policing parameter; it is a different QoS mechanism that buffers excess traffic and sends it later. Marking can be an action applied by policing, but the listed policing state that directly corresponds to Cisco class-based policing syntax is conform or violate. Bursting is related to token bucket sizing, but the answer choices specifically align to policing state categories. The correct pair is violating and conforming.

The Cisco SD-Access component mapping is based on the normal fabric roles. A fabric edge node is the access-facing fabric device that connects wired endpoints and fabric access points, acts as the anycast Layer 3 gateway, encapsulates endpoint traffic into VXLAN, and registers endpoint reachability with the control plane. A control-plane node supplies the LISP map-server and map-resolver functions, maintaining endpoint-to-location mappings. A border node connects the fabric to external Layer 3 domains, shared services, WAN, Internet, or another fabric/transit domain, and it de-encapsulates traffic as it leaves the fabric. Intermediate nodes provide routed IP transport inside the underlay and move packets between edge, border, and control-plane nodes without owning endpoint policy or registration. This role separation is important because a design failure often comes from assigning the wrong function to the wrong node. Access-facing policy and endpoint onboarding belong at the edge; external connectivity belongs at the border; location resolution belongs to the control plane; transport belongs to intermediate nodes. Reference topics: SD-Access fabric roles, edge node, border node, control-plane node, intermediate node.

NETCONF: SSH-based; built to support candidate configuration. RESTCONF: HTTPS-based; lacks support for two-phase commit transactions.

NETCONF and RESTCONF both use YANG data models, but they use different transport and transaction behaviors. NETCONF is traditionally SSH-based and was designed as a network configuration protocol with datastore concepts such as running, startup, and candidate configuration where supported. The candidate datastore enables staged configuration changes and a commit workflow, which is useful for transactional network changes. RESTCONF exposes YANG-modeled resources through an HTTP-based REST interface, typically protected with HTTPS. It is simpler for web-style application integration because it uses familiar HTTP methods, URIs, and payload encodings such as XML or JSON. However, RESTCONF does not provide the same full two-phase commit transaction model associated with NETCONF candidate configuration workflows. Therefore, the correct mapping is that NETCONF is SSH-based and built to support candidate configuration, while RESTCONF is HTTPS-based and lacks support for two-phase commit transactions. In Cisco programmability design, NETCONF is often selected for robust configuration transactions, whereas RESTCONF is often selected for simpler API-driven integration.

Dual DMVPN with EIGRP routing is the correct solution because the requirements call for secure public-internet connectivity, redundant paths, automatic path selection, multicast support, and minimal remote-site configuration. DMVPN builds dynamic multipoint GRE tunnels protected by IPsec, allowing spoke sites to communicate securely through the public internet while supporting routing protocols and multicast over GRE. A dual DMVPN design provides redundancy through separate hubs, transports, or tunnel clouds, so a spoke can continue operating if one path fails. EIGRP can calculate alternate paths and react to metric changes, supporting automatic path selection based on failure and quality when engineered correctly. MPLS with BGP does not meet the public-internet and encryption requirements by itself. A full mesh of IPsec tunnels with OSPF or IS-IS would increase configuration complexity at every remote site and does not scale as well. DMVPN is specifically built to simplify deployment of secure, scalable, multipoint branch VPNs. Reference topics: DMVPN, IPsec, mGRE, EIGRP over DMVPN, WAN redundancy, multicast over GRE.

The SD-Access control-plane node performs the LISP Map-Server and Map-Resolver functions. Cisco SD-Access uses LISP in the control plane to maintain mappings between endpoint identifiers and routing locators. Fabric edge nodes discover local endpoints and register them with the control-plane node. When a destination endpoint is not known locally, a fabric node queries the control-plane node, which resolves the endpoint location and returns the locator information needed for VXLAN forwarding through the fabric. This is why the control-plane node is the correct answer. A fabric edge node connects endpoints, provides the anycast gateway, encapsulates and decapsulates user traffic, and registers endpoints. A border node connects the fabric to external networks. An intermediate node simply transports routed underlay traffic between fabric nodes and does not hold endpoint mappings. In design terms, control-plane placement and redundancy are critical because endpoint mobility, fabric forwarding lookup, and location resolution depend on stable Map-Server and Map-Resolver services. Reference topics: Cisco SD-Access control plane, LISP Map-Server, LISP Map-Resolver, EID-to-RLOC mapping, fabric edge registration.

This YANG mapping is based on how IETF, OpenConfig, and Cisco native models differ in portability and schema organization. IETF models are produced through the standards process and are appropriate when the same management structure is expected across vendors for common protocols. OpenConfig models are also vendor-neutral, but they are built around a consistent operational model used heavily for streaming telemetry and multivendor automation. Cisco native models mirror Cisco platform configuration more closely and expose device-specific capabilities that may not exist in common models. The selected answers keep those boundaries clear. This matters because a NETCONF or RESTCONF payload is validated against the YANG schema; a payload written for one model family cannot be assumed to work against another. In design terms, the model family should be selected after confirming device software release support, feature coverage, operational-state requirements, and vendor diversity. Open models give portability; native models give feature completeness. Reference topics: IETF YANG, OpenConfig YANG, Cisco native YANG, schema validation, automation model selection.

IntServ with RSVP is the correct model when an application must request a specific service level and receive guaranteed bandwidth or delay treatment. Cisco describes the Integrated Services model as a flow-based QoS architecture in which applications signal their resource requirements to the network. RSVP is the signaling protocol used to reserve resources along the path. This differs from DiffServ, which marks packets and applies per-hop behavior without creating per-flow reservations. The question states that the application can request a particular type of service to support its delay requirements and that bandwidth must be guaranteed. Those are classic IntServ and RSVP characteristics. DiffServ with DSCP is scalable and widely used in enterprise networks, but it cannot guarantee resources end to end unless every hop is engineered and provisioned accordingly. IntServ with DSCP is not the standard model because RSVP is the reservation mechanism. Reference topics: Integrated Services, RSVP, resource reservation, guaranteed service, QoS architecture, delay-sensitive applications.

GETVPN is the correct transport-encryption design for this environment. The company is using a private MPLS-based service and requires encryption without maintaining permanent point-to-point tunnels. GETVPN was designed for private WAN environments where routing remains native and packets are encrypted without adding GRE or IPsec tunnel overlays between every pair of sites. It uses group-based keying, typically with key servers that distribute security policy and rekey material to group members. That supports dynamic key rotation and spoke-to-spoke communication while avoiding the operational burden of building and maintaining individual tunnels. DMVPN also supports dynamic spoke-to-spoke tunnels, but it is still a tunnel overlay using mGRE, NHRP, and IPsec, and it is usually selected for Internet or mixed transport overlays. Standard IPsec VPN requires maintaining tunnel relationships, and GRE VPN alone does not provide encryption. GETVPN therefore best matches tunnel-less encryption across a private MPLS WAN with centralized security policy and direct site-to-site forwarding. Reference topics: GETVPN, group encrypted transport, tunnel-less IPsec, private MPLS WAN encryption, group keying.

A totally stubby OSPF area is the best choice for a small remote site with low-end routers and no requirement to carry transit traffic. A standard stub area blocks Type 5 external LSAs, but it still receives interarea Type 3 summary LSAs. A totally stubby area goes further by blocking external routes and most interarea summary routes, while allowing a default route to be injected by the ABR. That greatly reduces LSDB size, SPF processing, memory use, and routing-table entries on the low-end routers. The remote site still has full connectivity to the rest of the OSPF domain through the default route. NSSA and totally NSSA designs are useful when the area must inject external routes from an ASBR inside the area, but the question does not state that the remote site needs redistribution. A regular stub area is acceptable but does not minimize resources as much as a totally stubby area. Because there is no demand for traffic to pass through this area, the most efficient Cisco design is totally stubby. Reference topics: OSPF stub areas, totally stubby area, default routing, LSDB reduction, branch OSPF design.

Cisco Express Forwarding uses the adjacency table to store the Layer 2 rewrite information needed to forward packets efficiently. CEF separates forwarding decisions into the Forwarding Information Base and the adjacency table. The FIB identifies the best next hop based on routing information, while the adjacency table contains the directly connected next-hop details, including the MAC address and encapsulation rewrite string used on the outgoing interface. That is why the correct layer is Layer 2. CEF is not using the adjacency table to populate Layer 3 routes; the routing table and FIB handle Layer 3 reachability. It is also not a Layer 1 function because physical signaling does not determine the next-hop rewrite. Layer 4 is unrelated to CEF adjacency resolution. In a campus or WAN design, CEF matters because it allows hardware or optimized software forwarding without process-switching every packet. Correct ARP, neighbor discovery, and adjacency formation are therefore essential to fast packet forwarding, especially when convergence or high-throughput forwarding is required.

Running BFD between EIGRP neighbors is the appropriate design when the problem is traffic loss during link failure and the requirement is to reduce the impact of the failure. EIGRP can detect neighbor loss through its hello and hold timers, but those timers may not be fast enough for applications sensitive to packet loss. Bidirectional Forwarding Detection provides rapid failure detection independent of the routing protocol’s normal timer expiration. When BFD detects a failed forwarding path, it notifies EIGRP so the routing process can converge without waiting for the EIGRP hold timer. Summarization is still a valuable scaling technique, but it primarily reduces route table size and query scope; it does not directly accelerate failure detection on an individual inter-router link. Reducing EIGRP hello and hold timers can improve detection, but it increases control-plane load and is less efficient than BFD. The question emphasizes data loss when any one link fails, so fast failure detection is the best corrective design. Reference topics: EIGRP convergence, BFD, failure detection, hello and hold timers, routed-link resiliency.

The correct choice is to use a distribute list outbound under the RIP process to stop EIGRP-learned prefixes from being advertised back into the RIP domain. In multipoint two-way redistribution, the major risk is route feedback: a route learned from one protocol is redistributed into another protocol and then reintroduced back into the original domain through another redistribution point. RIPv1 is especially limited because it is classful and has no native route tagging, so filtering must be carefully placed when route tags are unavailable. By filtering outbound advertisements under the RIP process, the design prevents routes that originated in the EIGRP domain from being sent into RIP where they could be relearned elsewhere and create loops or suboptimal paths. Inbound filtering on only one process does not reliably stop feedback at all redistribution points. A stronger modern design would use route tags with protocols that support them, but given the answer choices, outbound filtering toward RIP is the appropriate loop-prevention method. Reference topics: route redistribution, distribute lists, route feedback, RIPv1 limitations, EIGRP integration.

The vSmart controller provides the centralized control plane in a Cisco SD-WAN deployment. It establishes secure control connections with WAN Edge routers and exchanges routing, topology, security, and policy information using OMP. The vSmart controller does not forward user data traffic; data-plane forwarding occurs directly between WAN Edge routers over IPsec or other supported encapsulations. Its function is to distribute reachability information, TLOC information, service routes, centralized policies, application-aware routing policies, and segmentation information that determines how the overlay operates. vBond orchestrates onboarding, authentication facilitation, and NAT traversal for control connections. vManage provides centralized management, monitoring, configuration templates, and operational GUI/API functions. vEdge or Cisco IOS XE SD-WAN routers provide the branch or site data plane and local routing functions. Therefore, among the choices, the vSmart controller is responsible for the centralized control plane of the SD-WAN network. Correctly separating orchestration, management, control, and data-plane roles is a core Cisco SD-WAN design principle.

L2VPN is the correct solution because the customer requires point-to-point connectivity while preserving existing VLAN infrastructure. Cisco describes Layer 2 VPN services as emulating Layer 2 connectivity across a provider IP or MPLS backbone, commonly through Ethernet pseudowires or VPWS. This allows sites such as dispersed data centers and a colocation facility to exchange Ethernet frames as if they were directly connected at Layer 2. The design is especially useful when data center synchronization, backup workflows, or application dependencies require VLAN continuity or minimal changes to existing addressing and routing. L3VPN would provide routed connectivity and VRF separation, but it would not preserve the VLAN-based service model. GRE would add an overlay tunnel but would not natively provide provider-managed Layer 2 service. DMVPN is designed for scalable Layer 3 IPsec/GRE overlays between branches, not for VLAN extension or point-to-point data center interconnect. Reference topics: L2VPN, VPWS, Ethernet pseudowire, VLAN extension, data center interconnect, WAN service design.

The correct design is to use the same anycast RP address on loopback interfaces so receivers and sources register with their nearest available rendezvous point. Cisco Anycast RP designs use a common RP address advertised from multiple RP routers, allowing unicast routing to direct PIM joins and registers to the closest RP. MSDP is then used between the RP routers so each RP can learn about active sources registered to the other RP. This provides resilience and local registration while keeping RP reachability consistent for the multicast domain. Option B captures the key behavior: the RP loopback is configured with the same /32 address, and normal routing sends traffic to the closest RP. Configuring a hash value, group range splitting, or equal priority alone does not provide the Anycast RP behavior required here. A professional design should also use unique loopbacks for MSDP peer sessions while keeping the shared anycast loopback as the RP address. Reference topics: Anycast RP, MSDP, PIM-SM rendezvous points, source registration, multicast high availability.

L2VPN is the correct technology because the requirement is for two remote offices to share a common broadcast domain across a private WAN with minimal overhead. A Layer 2 VPN service extends Ethernet or VLAN connectivity between customer sites while keeping the customer routing design independent of the provider core. From the customer perspective, the two sites can appear to be on the same Layer 2 segment, which satisfies the shared broadcast-domain requirement. GET VPN, IPsec, and GRE are Layer 3-oriented technologies. They can connect sites securely or provide tunneling, but they do not natively create a common Layer 2 broadcast domain between the offices. GRE also adds additional encapsulation overhead, and IPsec alone generally provides encrypted routed connectivity rather than an Ethernet service. For a simple direct logical path over a private WAN, an L2VPN service such as VPWS or VPLS is the appropriate design family. Reference topics: L2VPN, VPWS, VPLS, Ethernet WAN services, broadcast-domain extension, private WAN connectivity.

The design must enable IPv6 multi-topology behavior at the appropriate edge routers and move metric handling toward transition support where the current IS-IS network still uses narrow metrics. Multi-topology IS-IS is important during IPv4-to-IPv6 migration because IPv4 and IPv6 reachability do not always exist on identical links at every stage of the migration. If IPv6 follows the IPv4 topology when some devices or paths are not IPv6-ready, traffic can be blackholed. Multi-topology allows independent IPv4 and IPv6 SPF calculations, which prevents IPv6 traffic from being forwarded through IPv4-only portions of the network. The metric-style transition setting is used when migrating from narrow to wide metrics, allowing interoperability while routers are upgraded and the design scales. Because the requirement says IPv6 areas will grow and the current network uses narrow metrics, the selected edge devices must support the IPv6 topology and metric transition behavior shown in the exhibit. Reference topics: IS-IS IPv6, multi-topology IS-IS, narrow metrics, wide metric transition, IPv6 migration, blackhole prevention.

The border node provides connectivity between the SD-Access fabric and networks external to the fabric. In Cisco SD-Access, fabric edge nodes connect endpoints, intermediate nodes provide underlay transport, and control-plane nodes maintain endpoint-to-location mappings. Border nodes sit at the boundary of the fabric and connect the overlay to external Layer 3 networks such as WAN, data center, Internet edge, shared services, or other fabrics. They de-encapsulate VXLAN traffic leaving the fabric and advertise or import reachability using VRFs and routing protocols. A border can be internal, external, or anywhere border depending on whether it connects to shared services, outside networks, or both. Intermediate nodes do not provide external fabric exit; they only transport traffic within the underlay. Edge nodes connect endpoints but are not normally the external gateway for the whole fabric. Control-plane nodes provide mapping services, not external connectivity. Reference topics: SD-Access border node, fabric exit, VRF mapping, external connectivity, overlay-to-underlay boundary.

The design should use a scavenger queue for excessive or suspicious traffic and apply queuing on the access-to-distribution uplinks where congestion can occur. Cisco QoS campus design commonly uses a less-than-best-effort scavenger class to constrain traffic associated with worms, peer-to-peer applications, bulk background flows, or other nonbusiness traffic. Placing this traffic in a scavenger queue minimizes the bandwidth it can consume during congestion without harming real-time applications. Real-time voice or video traffic should be placed in a strict-priority queue so it receives low delay and low jitter treatment when links are congested. Applying queuing on access-to-distribution links is important because those uplinks are common campus congestion points, especially during bursts or abnormal traffic events. A shaping policy is not the right tool for campus LAN uplinks, and indiscriminate policing of real-time traffic can cause drops that damage voice and video quality. Reference topics: campus QoS, scavenger class, strict-priority queue, access uplink queuing, congestion management, worm mitigation.

When Cisco SD-WAN edge router redundancy is designed, VRRP is the supported first-hop redundancy protocol in the SD-WAN edge context. VRRP provides a virtual default gateway for LAN-side devices, allowing one WAN Edge router to act as the active gateway while another can take over if the active router or tracked condition fails. Cisco SD-WAN designs use VRRP with tracking and policy alignment so branch LAN traffic can fail over to the appropriate edge router while the SD-WAN overlay handles transport and tunnel selection. HSRP and GLBP are traditional campus first-hop redundancy protocols, but they are not the supported FHRP answer for vEdge router redundancy in this design context. OMP is the SD-WAN control-plane routing protocol used between WAN Edge routers and vSmart controllers; it is not a first-hop redundancy protocol for LAN hosts. Therefore, the correct FHRP for vEdge router redundancy is VRRP. The design should also ensure that VRRP priorities, tracking, and SD-WAN routing preferences align so traffic exits the intended edge during normal and failure conditions.

Graceful restart and nonstop forwarding designs depend on preserving forwarding continuity during a control-plane processor switchover. Cisco Stateful Switchover provides the mechanism for a standby route processor or supervisor to maintain synchronized state so it can assume control when the active processor fails. When SSO is combined with NSF or graceful restart capabilities in routing protocols, neighboring devices can continue forwarding traffic while the restarting device preserves or rebuilds control-plane adjacencies. Cisco Express Forwarding is required for fast data-plane forwarding, but CEF alone does not provide route processor state synchronization after processor failure. Virtual Switch System is a chassis or switching architecture that can provide high availability in certain campus designs, but it is not the required feature named by graceful restart recovery. Bidirectional Forwarding Detection is a failure-detection protocol used to detect path or neighbor failures quickly; it does not recover a failed processor. Therefore, the feature that must be incorporated for graceful restart recovery from processor failure is Stateful Switchover. In a resilient enterprise design, SSO, NSF, and protocol graceful restart are coordinated to reduce outage impact.

Bootstrap Router is the standards-based mechanism that supports dynamic RP discovery in a PIM sparse-mode domain. Cisco documentation distinguishes Auto-RP, which is Cisco-proprietary, from BSR, which is defined for standards-based RP distribution. With BSR, candidate RPs advertise their availability, and the elected bootstrap router distributes RP-set information throughout the PIM domain. This removes the operational burden of manually configuring the same static RP information on every multicast router. Anycast-RP provides RP redundancy and load sharing but does not by itself provide standards-based dynamic RP discovery across the domain. Static RP is simple but not dynamic. Auto-RP can dynamically distribute RP information, but it is not the standards-based answer. The design value of BSR is most visible in large multicast domains, where routers need consistent RP information and manual changes are risky. Therefore, when the question asks for a standards-based RP deployment that supports dynamic RP discovery, the correct answer is bootstrap router. Reference topics: PIM sparse mode, Bootstrap Router, candidate RP, RP-set distribution, dynamic RP discovery.

Ethernet Local Management Interface is used between the customer edge and provider edge to communicate service status information for Ethernet services. Under MEF Ethernet service operations, E-LMI provides the CE with information about Ethernet Virtual Connection status, including whether a configured EVC is available or unavailable. This allows the customer device to react to a provider-side service condition without relying only on physical link state. The CE-to-PE link can remain physically up even while the provider EVC is down; E-LMI closes that operational visibility gap by reporting the EVC state to the customer edge. It is not a routing protocol and does not broadcast multicast routes from the CE to the PE. It also does not broadcast to all subnets when an EVC is added. The key function defined by the MEF process is notifying the CE of EVC availability state and related service information. Reference topics: Metro Ethernet, E-LMI, Ethernet Virtual Connection, CE-to-PE signaling, MEF service operations.

PortFast is the correct functionality for the Gi1/0/1-10 interfaces when those ports are endpoint-facing access ports. Cisco spanning-tree design uses PortFast to allow edge ports to transition directly to the forwarding state, avoiding the normal listening and learning delay associated with traditional STP convergence. That improves user and endpoint connectivity after link-up events and is especially important for workstations, phones, printers, and access devices that should not participate in the Layer 2 topology. Root guard and BPDU guard are protection features, not the primary convergence optimization requested by the architect. UplinkFast was used in older STP designs to accelerate recovery for access switches with redundant uplinks, but it is not the edge-port functionality for interfaces Gi1/0/1-10. In a modern design, PortFast should be enabled only on true host-facing ports, normally together with BPDU guard to protect against accidental switch attachment. If the exhibit shows these interfaces as end-user access ports, PortFast is the feature that follows the recommendation to optimize STP convergence time. Reference topics: STP PortFast, edge-port convergence, BPDU guard, Layer 2 campus design.

Service routes in OMP updates identify services that are available for centralized service insertion. In Cisco Catalyst SD-WAN, OMP does more than advertise ordinary VPN prefixes. It also carries TLOC routes, which describe transport locators, and service routes, which allow the fabric to steer traffic toward network services such as firewalls, intrusion prevention systems, or other centralized service nodes. This is how the SD-WAN control plane distributes enough information for WAN Edge routers to make policy-driven forwarding decisions without requiring each device to learn service attachment through a separate routing protocol. A service route is not used to describe the underlay transport itself, because that function is handled by TLOC information. It is also not a route to the orchestration plane or a remote management definition. The design value is that service insertion can be centrally advertised and controlled through OMP, then applied consistently through SD-WAN policy. Reference topics: Cisco SD-WAN OMP, service routes, TLOC routes, service insertion, centralized data policy.

The selected design is correct because the requirement describes a resilient campus architecture that must support the same VXLAN at any access-layer switch while maintaining fast convergence and high availability. In Cisco campus and data-center-style fabric designs, VXLAN provides network virtualization by carrying Layer 2 adjacency over a routed or resilient transport. The correct design must avoid a fragile single spanning-tree domain and must provide redundant forwarding paths so that an access switch or uplink failure does not isolate the VLAN or VXLAN segment. The selected option represents the design that meets those conditions by allowing the overlay segment to be extended consistently across access switches while keeping the underlay resilient. Designs that rely on a traditional Layer 2 tree, a single aggregation point, or blocked redundant links would not meet the high availability and fast convergence objectives. The important design principle is that VXLAN should ride on a stable, redundant transport and should not depend on large Layer 2 failure domains. Reference topics: VXLAN campus design, overlay networking, fast convergence, access-layer resiliency, high availability.

Cisco Catalyst SD-WAN separates orchestration from management, control, and data forwarding. The orchestration-plane function is provided by vBond, which authenticates WAN Edge devices and helps establish secure connectivity between edges and controllers. In Cisco design terms, vBond is also the NAT traversal facilitator because it allows devices sitting behind NAT to discover reachable public and private address information and form the correct control connections. These two functions match the options for primary authentication point and NAT traversal facilitation. Centralized provisioning, troubleshooting, monitoring, and template-based configuration belong to vManage, the management plane. Route and policy distribution belongs to vSmart, the control plane, through OMP. Zero Touch Provisioning is part of the onboarding workflow, but the question asks for orchestration-plane functions, not the broader provisioning service. A sound SD-WAN design should deploy redundant vBond instances, ensure DNS reachability to them, and validate firewall rules so DTLS/TLS control connections can be established reliably across Internet and private transports. Reference topics: Cisco SD-WAN architecture, vBond orchestration, control connections, NAT traversal.

Contracting an internet connection and deploying DMVPN is the most practical solution when the enterprise needs a fast, affordable, and reliable backup for a single MPLS provider. DMVPN can use broadband internet transport to build encrypted GRE/IPsec tunnels between sites, providing a backup WAN path without waiting for another private MPLS provider circuit. It supports dynamic routing and can be deployed incrementally, which makes it suitable after a recent outage when time and cost matter. BFD echo mode toward a provider PE can improve failure detection, but it does not create an alternate transport if the only MPLS provider has an outage. Adding a WAN router and a floating static route also fails unless another path exists. Contracting a second MPLS provider and deploying GETVPN may be robust, but it is slower and more expensive than the requested quick and affordable backup. Reference topics: DMVPN backup WAN, MPLS resiliency, internet VPN, IPsec, branch availability, rapid WAN deployment.

A migration from traditional IP-VPN service to Cisco SD-WAN commonly increases security and scalability. Cisco SD-WAN builds encrypted data-plane tunnels across supported transports, so the enterprise can use Internet, MPLS, or hybrid connectivity while maintaining secure site-to-site communication. The architecture also scales better operationally because policy, templates, onboarding, and routing control are centralized through the SD-WAN controllers and management plane. Increased solution complexity is not a desired characteristic; one of the design goals is to simplify operations through automation and centralized policy. Centralized application policies are also a major SD-WAN benefit, but when only two choices are selected, the stored answer emphasizes the two broad migration outcomes of security and scale. Distributed control plane is not correct because Cisco SD-WAN uses centralized control-plane logic with vSmart controllers distributing OMP routes and policies. A professional migration plan should validate transport diversity, controller redundancy, encryption policy, application-aware routing, and operational readiness. Reference topics: Cisco SD-WAN migration, encrypted overlay, scalability, centralized control plane, IP-VPN replacement.

An MPLS WAN from two separate ISPs is the strongest fit when the enterprise requires an active/backup WAN design with guaranteed SLAs for applications on either connection. MPLS VPN services are typically delivered with provider-backed service-level commitments for latency, jitter, packet loss, and availability, which is why they are selected for predictable enterprise application transport. Using two separate MPLS providers improves resiliency against a provider failure while preserving SLA-backed behavior on the backup path. A hybrid MPLS and Internet VPN model can be cost effective, but the Internet path generally does not provide the same deterministic SLA unless enhanced by a specific managed service contract. Internet from two providers improves reachability diversity but does not inherently guarantee application SLA. A single ISP hybrid design creates a provider dependency and weakens availability. Therefore, dual-provider MPLS is the conservative design for guaranteed active/backup WAN service. Reference topics: MPLS WAN design, service-level agreements, active/backup WAN, provider diversity, application performance assurance.

BFD is not required for the specific failure described: a physical fiber break on point-to-point routed links. In a Layer 3 campus or routed-access design, a direct physical link failure is detected by the interface state change, so the routing protocol can react immediately without waiting for hello/dead timers. Cisco campus design guidance favors point-to-point routed links partly because they give rapid convergence and avoid STP delays. BFD is valuable when a forwarding-path failure is not reliably detected by Layer 1 or Layer 2, or when a protocol adjacency must detect loss faster than its native timers. It does not automatically create convergence by itself; it detects failure and notifies the routing protocol. For a clean fiber cut on a routed point-to-point link, link-down detection is already fast enough for sub-second failover in the design. OSPF timer tuning is also not the preferred design answer for this physical-failure case. Reference topics: routed access design, point-to-point links, link-failure detection, BFD, OSPF convergence.

Spanning-tree PortFast must be enabled on interfaces where Wake-on-LAN clients reside so the PCs become reachable immediately when they power on. WoL depends on a sleeping endpoint receiving a magic packet, and once the device wakes, it must be able to send and receive traffic without waiting through traditional STP listening and learning states. Cisco campus designs commonly enable PortFast on access ports connected to end hosts so those ports transition directly to forwarding. That reduces login, DHCP, and application delays after a host becomes active. The NIC and system firmware must support WoL, but the option stating that WoL should be disabled in BIOS is technically wrong. IP directed broadcast and UDP forwarding are relevant when WoL packets must cross routed boundaries, but the answer options here focus on a single action to prevent client-side delay. Disabling directed broadcast or forward protocol would work against remote WoL operation. Reference topics: Wake-on-LAN, PortFast, access-layer design, STP edge ports, client startup convergence.

The correct code snippet must use a secure HTTPS-based RESTCONF transaction with the YANG JSON media type. The requirement explicitly states that the content type is application/yang-data+json and that the connection to the network device must be secured. In Cisco IOS XE programmability, RESTCONF uses HTTP methods against YANG-modeled resources, and secure deployments use HTTPS rather than clear-text HTTP. A loopback interface with address 172.16.15.12/32 would be configured by sending a JSON payload that follows the selected YANG model structure, commonly an IETF or Cisco native interface model, with the correct content-type and authentication headers. The key security indicator in the option must therefore be HTTPS/TLS, not an insecure HTTP URL or a non-YANG content type. NETCONF over SSH would also be secure, but the stated content-type points to RESTCONF with JSON encoding. Option A is the valid snippet because it aligns the payload format with a secure transport. Reference topics: RESTCONF, YANG JSON encoding, application/yang-data+json, HTTPS, IOS XE programmability.

The configuration-protocol mapping distinguishes NETCONF and RESTCONF behavior in model-driven programmability. NETCONF is an XML-based network configuration protocol that runs over a secure transport such as SSH and supports structured operations such as get-config, edit-config, lock, unlock, commit, and datastore manipulation. It is well suited to transactional configuration workflows where candidate and running datastores are supported. RESTCONF exposes YANG-modeled data through a REST-style interface over HTTP or HTTPS, using familiar methods such as GET, POST, PUT, PATCH, and DELETE. It can encode data in XML or JSON depending on headers and implementation. Both protocols use YANG models to define the structure and semantics of configuration and operational data, but they differ in transport style, operation model, and tooling. The selected mapping therefore places NETCONF characteristics with the protocol that provides RPC-style operations and datastore handling, while RESTCONF receives HTTP method and URI-based characteristics. In design, the choice depends on controller support, device operating system, required transaction semantics, security policy, and developer tooling. Reference topics: NETCONF, RESTCONF, YANG, datastores, XML and JSON encoding.

Cisco SD-WAN uses Path MTU Discovery to avoid fragmentation problems across the overlay. SD-WAN traffic is encapsulated and encrypted, which adds overhead beyond the original packet size. If the effective path MTU is smaller than the encapsulated packet, fragmentation or packet loss can occur, especially when the DF bit is set or when intermediate devices block fragmentation-related ICMP messages. PMTUD allows devices to discover the largest packet size that can traverse the path without fragmentation and adjust forwarding behavior accordingly. Marking traffic with DF alone does not solve the issue; it may expose the problem by causing packets to be dropped when too large. Jumbo frames are not a universal WAN solution because service-provider, Internet, and broadband paths often do not support them consistently. Configuring every access circuit with a fixed 1600-byte MTU is not a reliable design assumption. The correct design is to rely on PMTUD and validate tunnel overhead, device MTU, TCP MSS adjustment where needed, and ICMP handling across transports. Reference topics: Cisco SD-WAN MTU, PMTUD, tunnel overhead, fragmentation avoidance, IPsec encapsulation.

Dual stack is the correct migration strategy when the application chooses IPv6 or IPv4 based on DNS resolution. In a dual-stack deployment, hosts and network devices run IPv4 and IPv6 at the same time. Applications can query DNS and then select the protocol based on the returned records, such as using an AAAA record for IPv6 or an A record for IPv4. This gives the organization a controlled migration path because IPv6-capable applications and services can move to IPv6 while legacy IPv4 services remain reachable during the transition. Address-family translation for public web presence is useful when IPv6-only and IPv4-only endpoints must communicate through a translation boundary, but it does not provide native application choice between the protocols. Host-initiated tunnels and site-to-site IPv6-over-IPv4 tunnels encapsulate one protocol over another and add operational overhead. The question’s key phrase is that the application chooses between IPv6 and IPv4 based on DNS; that is the normal dual-stack behavior. Reference topics: IPv6 migration, dual stack, DNS A and AAAA records, transition strategy, application protocol selection.

Implementing network summarization on the edge routers is the correct EIGRP design action to reduce query range and improve convergence. In EIGRP, when a route is lost and no feasible successor exists, DUAL sends queries to neighbors. If the network is large or poorly summarized, those queries can propagate widely and increase convergence time. Hierarchical addressing allows each office or edge block to advertise a summary instead of many specific prefixes. If a specific subnet inside an office fails, the summary can remain stable toward the rest of the network, preventing the failure from triggering unnecessary queries across the dark-fiber interoffice topology. Stub routing can also reduce query scope, but the option says to configure stub areas on non-edge routers, which is not the right EIGRP terminology or placement. Different EIGRP processes add redistribution complexity, and route filtering alone does not provide the same clean convergence boundary as summarization. Reference topics: EIGRP summarization, DUAL query scope, hierarchical addressing, convergence optimization, dark-fiber campus routing.

The best answer is to use a single IP address for a static NAT entry that represents the server with a nonoverlapping address. When two companies use overlapping private address space, routing directly between the networks can fail because each side may already have a local route for the same prefix. The requirement is narrow: users in the acquired company need access to one server in Company A, and the design must conserve address space. A static NAT mapping for the server solves the destination overlap problem with one translated address, giving remote users a unique reachable address for that server without renumbering either company. Overload NAT is normally used to translate many inside clients behind one address for outbound access; it is not the most precise solution for publishing one overlapping server. One-to-one NAT for every user wastes addresses and adds operational overhead. Readdressing the acquired company would solve the overlap permanently, but it does not conserve effort or address space. Therefore, a single static NAT entry for the server is the most efficient design.

The border node is part of the Cisco SD-Access overlay architecture. In the SD-Access fabric, the overlay consists of fabric roles and services that provide endpoint connectivity, segmentation, policy, and external reachability over the routed underlay. Border nodes connect the fabric overlay to external Layer 3 networks, shared services, WAN, Internet, or other fabric/transit domains. They perform the fabric boundary function, including routing between virtual networks and external routing domains as designed. Spine and leaf are generic data center or fabric topology terms and are not the named SD-Access fabric overlay roles in this question. Cisco DNA Center, now Cisco Catalyst Center, is central to management, automation, assurance, and policy deployment, but it is not itself an overlay forwarding component. The forwarding overlay is built from roles such as edge, border, control-plane, and intermediate nodes. Therefore, the correct component from the options is the border node. The design should select border placement based on external connectivity, scale, route control, redundancy, and whether the border is internal, external, or anywhere border. Reference topics: SD-Access overlay, border node, fabric roles, external connectivity, virtual networks.

BIDIR-PIM is the correct multicast solution for interactive many-to-many communication with many sources when source trees must not be used. Bidirectional PIM is specifically designed for applications where receivers can also be senders and where the number of sources can grow without creating per-source multicast state throughout the network. Instead of building shortest-path trees for each source, BIDIR-PIM uses a shared tree rooted at the rendezvous point and forwards traffic bidirectionally along that tree. This reduces multicast routing-table growth and control-plane churn in environments with many active sources. PIM dense mode is not appropriate because it floods and prunes traffic and is inefficient at scale. Any-source multicast with PIM-SM may create source trees, which violates the requirement. MSDP is used to exchange source information between PIM-SM domains and is not itself the forwarding mode for this campus or WAN multicast design. Reference topics: BIDIR-PIM, many-to-many multicast, shared tree, multicast source scaling, PIM design.

As a STUN server, Cisco vBond allows Cisco Catalyst SD-WAN routers to discover their public mapped IP addresses and ports when they sit behind NAT. This function is essential during overlay bring-up because many WAN Edge devices are deployed behind internet circuits, firewalls, or provider NAT devices. vBond helps devices understand how they are seen from the public transport side and facilitates the formation of secure control connections to the SD-WAN controllers. vBond also participates in orchestration and Zero-Touch Provisioning workflows, but the question specifically asks about its purpose as a Session Traversal Utilities for NAT server. That wording points directly to NAT discovery, not general ZTP. vBond does not secure user data traffic between edge routers; data-plane encryption is established between WAN Edge devices. It also has no role in integrating SD-Access wireless into a fabric. Reference topics: Cisco SD-WAN vBond, STUN, NAT traversal, orchestration, WAN Edge onboarding. This is fundamental for internet transports.

NETCONF supports XML, while RESTCONF supports both XML and JSON. Cisco programmability documentation describes NETCONF as an XML-based protocol that exchanges RPC requests and replies such as get, get-config, and edit-config using XML encoding. NETCONF is tightly aligned with YANG-modeled data, but the protocol message format itself is XML. RESTCONF exposes YANG-modeled data through an HTTP or HTTPS API and can represent payloads in XML or JSON. Cisco DevNet material commonly summarizes the comparison as NETCONF equals XML, while RESTCONF equals XML or JSON. That is why option D is accurate. Option A is wrong because NETCONF does not use JSON in the same way RESTCONF does. Option B is incomplete because RESTCONF is not limited to JSON. Option C reverses the protocol encodings. This distinction matters in automation design because tool selection, content type, parsing, and API workflows differ by protocol. Reference topics: NETCONF, RESTCONF, YANG, XML encoding, JSON encoding, model-driven programmability.

Out-of-band Ethernet is the correct management design for a large data center when the customer wants device grouping, management-plane isolation, and reduced blast radius from compromise. In an out-of-band design, management traffic uses a physically or logically separate management network instead of traversing the production data plane. This allows different device classes to be placed into management zones, protected by access control, authentication, logging, and rate-limiting policies. If one managed device is compromised, the attacker should not automatically gain production network reachability through the management interface. In-band Ethernet would share the production infrastructure and therefore would not provide the same isolation. Dial-up out-of-band access can be useful for emergency console access, but it is not appropriate as the primary management architecture for a large data center. Out-of-band Ethernet provides scale, speed, and segmentation while still allowing centralized management systems to reach routers, switches, controllers, and appliances. Reference topics: out-of-band management, management-plane security, data-center operations, isolation, access control, DoS mitigation.

A major SaaS challenge is the lack of direct application and infrastructure control. With Software as a Service, the provider operates the application stack, platform, upgrades, and supporting infrastructure. The customer benefits from reduced maintenance burden and lower initial deployment cost, but gives up much of the direct control normally available with on-premises applications. This affects troubleshooting, change windows, performance visibility, customization, data residency controls, and integration with existing enterprise systems. Higher initial costs are usually not a SaaS characteristic; SaaS commonly shifts spending toward subscription operating expense. Client computer upgrades are not normally required in the same way as thick-client enterprise software. Data and application integration can be complex, but the option that best captures the core architectural challenge is reduced control over the application and infrastructure. Network architects must account for this by designing secure direct internet access, cloud monitoring, identity integration, and reliable paths to SaaS providers. Reference topics: SaaS architecture, cloud application control, enterprise cloud access, operational visibility, SD-WAN SaaS design.

Option B is retained because the subnetting task depends on the exhibit options and the chosen plan must divide 10.1.8.0/21 into nonoverlapping partner VPN subnets without allocating more address space than required. The design principle is variable-length subnet masking: allocate the smallest subnet that satisfies each partner requirement, then place the subnets on valid prefix boundaries inside the reserved aggregate. Cisco addressing design emphasizes conserving address space, avoiding overlap, and preserving summarization where possible. A /21 provides 2048 total addresses, so the designer can carve several smaller partner ranges while keeping the entire allocation summarizable as 10.1.8.0/21 toward the data-center core. Incorrect options would either waste addresses, overlap existing ranges, place subnets on invalid boundaries, or allocate blocks larger than necessary. Option B is the mapping that satisfies the exhibit constraints while keeping the design clean for routing, firewall policy, and VPN onboarding. Reference topics: IPv4 VLSM, subnet boundary alignment, partner VPN addressing, summarization, nonoverlapping address design.

R3 must be made an L1/L2 router so that it can connect the Level 1 area to the Level 2 backbone. IS-IS uses a two-level hierarchy. Level 1 routers know the topology inside their local area, Level 2 routers form the backbone between areas, and Level 1/Level 2 routers provide the boundary between the two. A proper IS-IS backbone cannot have isolated Level 1-only routers positioned between L1/L2 routers that need to exchange interarea reachability. If the link failure exposed an area-continuity problem, converting R3 to L1/L2 gives the area an appropriate attachment point to the backbone and restores interarea forwarding behavior. Making an unrelated router Level 1 or Level 2 only would not necessarily create the required boundary function. Simply making Area 0 L2-only is also not the focused fix if the topology still lacks a correct L1/L2 transition point. The design principle is straightforward: every Level 1 area must have a dependable L1/L2 router through which traffic can reach destinations outside the area. Reference topics: IS-IS Level 1, Level 2 backbone, L1/L2 routers, interarea reachability, hierarchical IGP design.

Scalable groups provide intra-VN traffic filtering and control in Cisco SD-Access. Within a virtual network, macro segmentation separates routing tables, but endpoints inside the same VN may still need policy control based on identity, role, or security posture. Cisco SD-Access uses scalable group tags and scalable group ACLs to implement group-based policy. This allows policy to be expressed as user or device group relationships instead of only subnet-based ACL entries. The result is microsegmentation inside the virtual network, where traffic between groups can be permitted or denied consistently across the fabric. MAC ACLs are limited Layer 2 filters and do not provide the identity-based policy model required for SD-Access. Prefix lists are route-filtering tools, not intra-VN access-control mechanisms. Service policies are used for QoS or traffic treatment and do not define group-based segmentation. Scalable groups are therefore the correct policy construct for intra-VN filtering in the fabric. Reference topics: Cisco SD-Access policy, scalable groups, SGT, SGACL, microsegmentation, intra-VN control.

Redundancy for Cisco vBond Orchestrators is normally achieved by mapping the IP addresses of multiple vBond instances to a single DNS name. WAN Edge devices use the configured organization name and vBond DNS name during onboarding to resolve and contact an available orchestrator. This design allows several vBond nodes to be deployed across different locations or availability zones while giving the edge device a consistent bootstrap target. If one vBond is unavailable, DNS resolution can return another reachable vBond address, allowing control-connection orchestration to continue. Selecting only the closest vBond is not the redundancy mechanism described here, and deploying a single vBond creates an avoidable single point of failure. The answer that says WAN Edge routers are configured with all orchestrators by IP address and priority does not represent the common DNS-based design model. In production, the DNS record, certificates, firewall policy, NAT behavior, and controller reachability should all be validated so that WAN Edge devices can reach multiple vBond instances during onboarding and after failures. Reference topics: Cisco SD-WAN controller redundancy, vBond DNS, device onboarding, orchestration availability.

The IPv4 network 172.16.10.0/24 maps to 2001:db8:abcd::ac10:a00/120 when the IPv4 address is placed into the lowest significant bits of the IPv6 address. The calculation converts each IPv4 octet into hexadecimal: 172 is AC, 16 is 10, 10 is 0A, and 0 is 00. Combining those bytes gives AC10:0A00, displayed in IPv6 notation as ac10:a00. Because a /24 IPv4 network has 8 host bits, the mapped IPv6 network leaves the same 8 host bits, resulting in a /120 IPv6 prefix. Option B incorrectly places decimal IPv4 octets into separate IPv6 hextets and uses /96, which represents a much larger mapping block than the /24 network. Option C does not represent 172.16.10.0 in hexadecimal. Option D changes the higher-order IPv6 prefix and does not match the supplied address plan. The correct address therefore preserves the planned IPv6 prefix and embeds the IPv4 network in the low-order bits. Reference topics: IPv4-to-IPv6 address mapping, hexadecimal conversion, IPv6 prefix length, migration addressing plans.

The most efficient campus design aligns the active first-hop gateway with the Layer 2 forwarding path. In a traditional access-distribution topology using STP and HSRP, traffic should not cross the distribution-to-distribution link simply because the HSRP active gateway is on the opposite distribution switch from the STP forwarding path. Cisco campus design guidance stresses aligning the STP root bridge with the active FHRP gateway so hosts forward northbound traffic directly to the distribution switch that owns the optimal Layer 2 path. Reconfiguring distribution switch A to become the HSRP active device fixes the asymmetric and inefficient traffic flow in the exhibit. Adding a link between access switches would extend the Layer 2 domain and increase loop-prevention complexity, not improve the northbound default-gateway path. Changing the distribution interconnect to a routed link may be valid in a routed-access redesign, but it is not the targeted correction for this Layer 2/FHRP misalignment. An EtherChannel between distribution switches only increases interswitch capacity; it does not remove the unnecessary hairpin path caused by the wrong active gateway.

TLOC extension is the Cisco SD-WAN mechanism that allows a WAN Edge router without direct access to a transport to reach that transport through another WAN Edge router at the same site. Cisco describes TLOC extension as a redundancy feature in SD-WAN networks. In the question, the WAN Edge router is connected to an MPLS transport link, but Internet access is available through another WAN Edge device. With TLOC extension, the MPLS-only edge can extend traffic through the peer router toward the Internet transport, allowing the site to use multiple transports without requiring every edge router to have a physical connection to every circuit. OMP can advertise routes and TLOCs, but OMP alone does not create physical Internet access for a router attached only to MPLS. Requiring a local 4G/5G or Internet circuit on the same router is not necessary when TLOC extension is part of the design. An MPLS extranet is also not the normal SD-WAN solution for Internet transport reachability. Therefore, TLOC extension is the correct design method.

Forward error correction and quality of service are the two listed techniques that directly improve application experience in a Cisco SD-WAN design. Forward error correction protects selected application traffic by sending recovery information so packet loss can be corrected without waiting for retransmission. That is especially useful for real-time voice and video traffic, where retransmission delay can degrade quality. QoS improves application treatment by classifying, marking, queuing, shaping, and prioritizing traffic according to business intent and application sensitivity. Cisco SD-WAN designs commonly combine application-aware routing, QoS, and loss-mitigation features to keep critical traffic on the best path and preserve service quality during congestion or impairment. A stateful firewall, AMP, and Cisco Umbrella improve security posture, but they do not primarily improve application experience in the forwarding-quality sense asked by the question. They may protect applications, but they do not directly address loss, delay, jitter, and congestion treatment. Therefore, FEC and QoS are the best answers. Reference topics: Cisco SD-WAN application experience, FEC, QoS, loss mitigation, real-time traffic handling.

Root guard is the correct feature when the design must allow switches to be attached for testing but prevent those switches from influencing the spanning-tree root placement. Cisco root guard protects the intended STP root by placing a port into a root-inconsistent state if superior BPDUs are received on a port where the root should never appear. This directly addresses the risk created by rogue or lab switches connected by end users: if a user switch advertises a better bridge priority, the production access topology is not allowed to reconverge around that unauthorized device. BPDU guard is usually used on PortFast edge ports to err-disable a port that receives any BPDU, which is excellent for strict host-only ports but less aligned with the wording that users may connect their own switches for testing. Loop guard protects root or alternate ports from losing BPDUs and accidentally forwarding. BPDU skew detection is a diagnostic feature, not the correct design control. Therefore, root guard is the appropriate protection against rogue switches affecting STP topology. Reference topics: STP root placement, root guard, superior BPDUs, campus Layer 2 protection.

The BGP maximum-paths feature should be included when the design goal is to install multiple eligible BGP paths in the routing table and use them for load sharing. By default, BGP selects a single best path after comparing attributes such as weight, local preference, AS path, origin, MED, eBGP over iBGP, IGP metric to next hop, and other tie breakers. If two links between autonomous systems should both carry traffic, the router must be allowed to retain more than one equal or eligible path for forwarding. The maximum-paths command enables BGP multipath installation so the data plane can load share across the available links. Update-source is used to source a BGP session from a loopback or specific interface, not to perform load sharing. Next-hop-self influences recursive reachability and next-hop handling but does not install multiple paths by itself. eBGP multihop changes TTL behavior for non-directly connected eBGP neighbors and is unrelated to load sharing over the two links. Reference topics: BGP multipath, maximum-paths, eBGP load sharing, BGP path selection, route installation.

The multicast Reverse Path Forwarding check is a loop-prevention mechanism. Cisco multicast forwarding does not forward traffic merely because the packet arrived on any multicast-enabled interface. Instead, the router checks whether the packet arrived on the interface that would be used to route traffic back toward the multicast source or, in shared-tree cases, back toward the rendezvous point. If the packet arrives on the expected reverse path, it passes the RPF check and can be replicated to the outgoing interface list. If it arrives on the wrong interface, it is dropped to prevent loops and duplicate packets. This supports a loop-free multicast distribution tree from sources to receivers. Auto-RP mapping agents, bootstrap messages, and RP-set discovery are separate rendezvous point distribution mechanisms; they are not the function of the RPF check. In enterprise designs with redundant links, asymmetric routing, or multiple equal paths, multicast RPF behavior must be reviewed carefully because unicast routing choices directly influence whether multicast packets are accepted or discarded. Reference topics: multicast RPF, PIM forwarding, loop prevention, outgoing interface list.

The correct XML/YANG data model set is the option that accurately represents the IOS XE interface hierarchy, assigns the IPv4 address to GigabitEthernet2/1/0, and uses the correct prefix length of 27. In model-driven programmability, the payload must match both the selected YANG model schema and the target platform’s interface naming conventions. For IOS XE native models, interface configuration is structured under the Cisco native namespace, with interface type and name represented in the schema before IPv4 address elements are applied. The address 10.10.10.10/27 must also support a directly connected host at 10.10.10.1/27, which places both addresses in the same 10.10.10.0/27 subnet. Options that place the address under the wrong interface type, use the wrong namespace, incorrectly represent the mask, or configure the host route rather than the interface are invalid. Option D is the only answer aligned to the IOS XE YANG structure and the requested addressing. Reference topics: IOS XE native YANG, NETCONF XML payloads, interface configuration, IPv4 prefix length, model-driven programmability.

The selected configuration sets are correct because the addressing plan must use VLSM to maximize subnets and minimize wasted addresses. Customer A requires 125 hosts, so it needs a /25 subnet, which provides 126 usable host addresses. Customer D requires 62 hosts, so it needs a /26 subnet, which provides 62 usable addresses exactly. Point-to-point or small WAN links B, C, and E should use the smallest appropriate link subnets shown in the exhibit, typically /30 for IPv4 point-to-point links when two usable addresses are required. A correct plan must allocate the largest blocks first, align every subnet on the proper boundary, avoid overlap, and avoid assigning a larger-than-needed subnet to any customer or link. Options A and C are the two valid combinations that satisfy those rules in the exhibit. Any option that places a /25 or /26 on the wrong boundary, overlaps with another block, or wastes larger subnets on links would fail the design objective. Reference topics: IPv4 VLSM, subnet boundary alignment, host capacity planning, point-to-point addressing, route summarization readiness.

The company must configure a summary route on R1. The branch routers must remain normal EIGRP routers, and auto-summary is not allowed, so the scalable design choice is manual summarization at the hub. Cisco EIGRP documentation states that manual summarization can be configured on an interface using the ip summary-address eigrp command and can summarize routes on almost any bit boundary. In a DMVPN hub-and-spoke topology, a hub summary reduces the number of individual routes advertised to branches, limits routing-table growth, and helps contain EIGRP queries. It also keeps branch configuration simple because the branches do not need to be converted to stub routers to meet this specific requirement. Disabling split horizon is a common DMVPN Phase 2 consideration when the hub must advertise spoke routes back out the same multipoint tunnel interface, but it does not summarize HQ routes. A multipoint interface is already implied by DMVPN, and disabling the SIA timer is not a design solution. Reference topics: EIGRP manual summarization, DMVPN hub design, no auto-summary, query containment.

Bidirectional PIM is the correct multicast protocol for this many-to-many financial application. The question states that most multicast sources also receive multicast traffic and that the design must not use source trees. Cisco describes BIDIR-PIM as a multicast mode built for many-to-many applications that use a shared tree rooted at the rendezvous point and avoid per-source shortest-path trees. This reduces multicast state because routers do not maintain separate source/group state for every active sender. PIM Sparse Mode can start with a shared tree, but it can switch to source trees, which violates the stated requirement. PIM-SSM is explicitly source-specific and requires receiver knowledge of the source, so it is not appropriate for a many-to-many model where source trees are disallowed. MSDP is not a multicast forwarding mode; it is used for source discovery between PIM-SM domains. The option text contains a spelling error, but the intended answer is BIDIR-PIM. The architect should verify RP placement, Designated Forwarder behavior, group ranges, and whether the application can tolerate shared-tree forwarding rather than shortest-path source trees. Reference topics: BIDIR-PIM, many-to-many multicast, shared tree, source-tree avoidance, multicast scaling.

Cisco SD-WAN uses the vSmart controller as the control-plane component that distributes the information needed for secure data-plane tunnel establishment. Before WAN Edge devices build full-mesh IPsec tunnels, they must learn reachability and security information through the SD-WAN control plane. Cisco documentation describes the vSmart controller as the centralized control-plane element that exchanges OMP routes, policy, TLOC information, and security parameters with WAN Edge routers. In the traditional SD-WAN key-exchange model, vSmart sends IPsec encryption keys to edge devices so the data plane can be secured without each edge independently negotiating IKEv2 with every other edge. vManage is the management platform and is not the key exchange point. vBond performs orchestration, authentication assistance, and NAT traversal during onboarding, but it is not the data-plane key server. IKEv2 may be used in specific newer or configured security models, but the typical Cisco SD-WAN overlay relies on vSmart for scalable key distribution. Reference topics: Cisco SD-WAN control plane, vSmart, OMP, IPsec key distribution, WAN Edge security.

Cisco SD-WAN components map to distinct control, management, orchestration, and forwarding roles. vManage is the centralized management plane used for configuration templates, monitoring, software management, and operational visibility. vSmart is the centralized control-plane component that distributes OMP routes, TLOC information, security parameters, and centralized policy to WAN Edge devices. vBond is the orchestration component used during onboarding; it authenticates devices, helps them discover controllers, and assists with NAT traversal. The WAN Edge router, whether physical or virtual, forms the data plane at the branch, campus, or data center and forwards user traffic through secure overlay tunnels. Correctly identifying these roles is essential because SD-WAN scale and resiliency depend on separating management, control, orchestration, and forwarding responsibilities. A design that confuses vManage with vSmart or vBond will misplace policy, onboarding, and forwarding functions. Reference topics: Cisco SD-WAN architecture, vManage, vSmart, vBond, WAN Edge, OMP, overlay control plane.

A scalable two-level IS-IS design uses Level 1 areas for internal campus routing and Level 2 for the interarea backbone. Each campus should have a unique IS-IS NET area value so the internal routers belong to that campus’s Level 1 area. Internal campus routers should be configured as Level 1 routers, which keeps detailed campus prefixes inside the local area and prevents unnecessary propagation of more-specific routes to other campuses. At the edge of each campus, routers that connect the campus to the backbone should operate as Level 1/Level 2 routers. These routers connect the local Level 1 area to the Level 2 backbone and can summarize or control routing information between levels. IS-IS does not use BDR routers; that is an OSPF term, so option A is invalid. Assigning the same NET value everywhere collapses the hierarchy and defeats the segregation goal. MTU differences are not a hierarchy or route-segmentation tool. Therefore, the design should use unique NET values per campus with Level 1 internal routers and Level 1/Level 2 routers at the campus edge.

The correct overlay considerations are that virtual networks provide data-plane isolation and that overlapping IP addresses should be avoided for operational simplicity. In Cisco SD-Access, virtual networks are used for macro segmentation and are commonly mapped to VRFs. This separates routing and forwarding tables between major groups such as corporate users, guests, IoT, and shared services. Security Group Tags provide finer policy control and microsegmentation, but they are not the primary mechanism for data-plane isolation between virtual networks. The phrase “virtual networks should be used for microsegmentation” is therefore inaccurate; microsegmentation is SGT and SGACL driven. Although overlapping IP addresses can technically exist in separate VRF-like contexts, Cisco design practice discourages unnecessary overlap because it complicates troubleshooting, service insertion, external connectivity, and inter-VN communication. A clean overlay address plan improves operations and reduces policy ambiguity. Reference topics: SD-Access overlay design, virtual networks, macro segmentation, SGTs, microsegmentation, overlapping IP avoidance. This also simplifies day-two operations.

The correct model set is the one that configures the IOS XE interface GigabitEthernet2/1/0 with IPv4 address 10.10.10.10 and prefix length 27 using valid XML according to the selected YANG schema. The directly connected host address 10.10.10.1/27 confirms the subnet relationship; both addresses belong to 10.10.10.0/27, so the interface configuration must use that prefix length rather than a host mask or an unrelated network. YANG-based configuration is strict: the namespace, container hierarchy, interface type, interface name, and address fields must match the device model. If an option places GigabitEthernet under the wrong container, represents the mask incorrectly, or uses a schema from a different model family, the device will reject the payload or configure the wrong object. Option D correctly represents the IOS XE XML structure and the required addressing. In real operations, the engineer should follow this with a get-config readback against the running datastore to prove that the structured configuration committed as intended. Reference topics: IOS XE interface YANG, XML payload structure, NETCONF configuration, IPv4 subnet validation.

The valid get-config reply must show OSPF process ID 400 with network 192.168.128.128/25 enabled for Area 0. A /25 prefix has a block size of 128 addresses, so 192.168.128.128/25 is a valid network boundary and covers addresses from 192.168.128.128 through 192.168.128.255. Any reply that shows the wrong OSPF process, an incorrect network boundary, the wrong prefix length or wildcard equivalent, or a nonzero area does not verify the requested model set. In Cisco IOS XE model-driven configuration, the readback has to match the schema path and values used by the model, not simply produce an approximate CLI interpretation. Option B is the reply that confirms the intended OSPF object. This verification method is important because YANG automation can fail silently in operational workflows when the payload is syntactically valid but targets the wrong container or key. A get-config verification step confirms the running datastore contains the exact OSPF process and area membership required by the design. Reference topics: YANG OSPF configuration, NETCONF get-config, prefix validation, IOS XE native models.

Advertising more-specific prefixes toward the preferred service provider is the correct way to influence inbound traffic to enter through a chosen CE interface. BGP inbound path control is indirect: the enterprise cannot set local preference inside remote autonomous systems, and MED is honored only under specific provider policies. The most deterministic option available to the customer is to advertise a longer-prefix route to the preferred provider because Internet and BGP route selection generally prefer the longest matching prefix before BGP path attributes are considered. If the aggregate is advertised to both providers but a more-specific route is advertised to the provider connected to gig0/0, return traffic for that more- specific destination is attracted through that interface. Lowering MED toward the less preferred provider is the opposite of the desired effect. AS-path prepending toward the preferred provider would make that path less attractive. Local preference affects outbound path selection inside the local AS, not inbound traffic from external networks. Reference topics: BGP inbound traffic engineering, longest-prefix match, route aggregation, AS-path prepending, MED, local preference.

The correct design is to advertise a default route from the aggregation layer toward the access layer and summarize the VLAN subnets at the aggregation layer toward the core. Cisco hierarchical campus design places summarization at aggregation or distribution boundaries because that is where access-layer routes are collected before entering the core. Summarizing the VLAN ranges into 10.0.0.0/16 hides individual access VLAN instability from the core, reducing routing table entries, protocol churn, and memory consumption on core devices. Sending a default route from aggregation to access also keeps access switches simple and prevents them from carrying unnecessary campus routing detail. This design contains failures and convergence events inside the appropriate block. Summarizing at the access layer is less practical when multiple VLANs aggregate at distribution. Advertising a default toward the core is backwards, because the core must know the summarized access block. Reference topics: hierarchical campus routing, aggregation-layer summarization, default routing to access, route-table reduction, convergence containment.

The SD-Access overlay should reduce subnet sprawl and avoid overlapping IP subnets unless there is a specific operational requirement. Cisco SD-Access creates overlay virtual networks over an IP underlay and uses anycast gateway, VXLAN encapsulation, LISP control-plane mapping, and policy constructs to simplify endpoint mobility and segmentation. Reducing the number of subnets simplifies DHCP scope management, default-gateway placement, and operational troubleshooting. Avoiding overlapping address space across overlay networks is also a practical design recommendation because overlapping subnets complicate shared services, fusion routing, security logging, and policy troubleshooting. LAN automation and a dedicated IGP process are underlay deployment considerations, not overlay design choices. Layer 3 to the access design is also associated with routed underlay and campus fabric transport, not the overlay segmentation model. A clean overlay design should define virtual networks, scalable groups, IP pools, shared-services reachability, and external connectivity before deployment. Reference topics: Cisco SD-Access overlay design, anycast gateway, virtual networks, DHCP simplification, overlapping subnet avoidance.

The correct BGP design is to attach the well-known No-Export community to the prefixes that should not be advertised beyond the service provider boundary. Cisco BGP communities are policy attributes that allow routes to carry instructions or classifications across BGP peers. The No-Export community tells a receiving BGP speaker not to advertise the route outside its confederation or autonomous system. That behavior is exactly what is needed when branch prefixes may be exchanged with the provider but must not be propagated to the public Internet. The No-Advertise community is stronger: it prevents the route from being advertised to any BGP peer, which may block reachability even where the provider still needs to know the route. NOPEER is used for route-server or peering policy control and is not the clean answer for excluding branch prefixes from Internet propagation. Setting a generic “Internet community” is not a standard solution by itself. The architect should also ensure that outbound prefix filters and provider-side community support are documented in the service agreement. Reference topics: BGP communities, No-Export, No-Advertise, provider edge filtering, Internet route policy.

Route leaking on R13 and R9 is required so the Level 1 area can make a better exit decision toward the server. In an IS-IS hierarchy, Level 1 routers know detailed topology only inside their own area. For destinations outside the area, they normally follow the closest attached Level 1/Level 2 router, which can produce suboptimal latency when another exit has a better end-to-end path. Route leaking selectively injects more specific Level 2 reachability information into Level 1, allowing routers in the New Office area to evaluate a better path instead of blindly following the nearest attached-bit exit. Changing metric style on R8 alone does not import the external-area route information needed for better path selection. A static route could force a path but would not be a scalable dynamic IS-IS design. Making R8 Level 1/Level 2 does not solve the need to expose the relevant route through the correct area boundary. Reference topics: IS-IS Level 1 and Level 2, attached bit, route leaking, interarea optimization, latency-aware routing.

Loop guard should be used on SW2 to reduce the chance of Layer 2 forwarding loops caused by a unidirectional fiber failure. In spanning-tree operation, a root or alternate port expects to receive BPDUs from the designated bridge. If BPDUs stop arriving because the fiber becomes unidirectional, the port may incorrectly assume that the path is no longer receiving a superior BPDU and transition toward forwarding. Cisco loop guard prevents this by moving the port into a loop-inconsistent state when BPDUs are unexpectedly lost on a non-designated port. That behavior protects the topology from a port role change that could create a Layer 2 loop. BPDU filter is dangerous in this context because it can suppress BPDUs and hide the control-plane signal STP needs. BPDU guard is mainly for PortFast edge ports that should never receive BPDUs. Root guard prevents superior BPDUs from changing root placement, but it does not address unidirectional loss of expected BPDUs. Therefore, loop guard on SW2 is the proper design control. Reference topics: STP loop guard, unidirectional fiber failure, BPDU loss, loop-inconsistent state, Layer 2 resiliency.

Cisco SD-Access uses virtual networks as macro-segmentation boundaries, and those VNs are represented as VRF instances in the fabric. By design, separate VNs do not communicate directly inside the overlay unless the design introduces controlled inter-VN routing. Cisco SD-Access designs commonly use an external fusion router, firewall, or shared-services device to map fabric VNs to external VRFs and selectively exchange routes between them. That is the correct design because it preserves segmentation while allowing policy-controlled access to shared resources or selected networks. GRE tunnels between fabric edges are not the normal SD-Access inter-VN communication method and would bypass the intended fabric policy model. Security Group Tags provide microsegmentation within or across policy domains, but SGTs do not by themselves leak routes between separate virtual networks. Route leaking on fabric border nodes is not the recommended standalone answer here because inter-VN communication is normally provided through a fusion device or firewall outside the fabric. Therefore, the correct solution is external fusion routing with controlled VRF route exchange.

For model-driven telemetry with periodic updates, the architect must understand that each periodic update sends the subscribed data at the configured interval. Cisco telemetry guidance distinguishes periodic subscriptions from on-change subscriptions. A periodic subscription streams a full copy of the subscribed data element or table at each interval, even if the underlying state has not changed. That behavior is useful when the collector needs regular time-series samples, trending, or baseline monitoring, but it creates predictable bandwidth and collector-load requirements. On-change subscriptions are different: they publish updates when the subscribed state changes and are more efficient for state changes such as interface status, memory thresholds, or protocol adjacency m ovement. Empty subscription behavior and initial update timing may matter in specific implementations, but they are not the main design consideration in this question. Since the customer requires periodic updates, the design must size the transport, collector, retention system, and subscription intervals around repeated full data delivery. Reference topics: model-driven telemetry, periodic subscription, on-change subscription, YANG-modeled operational data, collector sizing.

The primary capability of IaaS in this question is elastic scaling: the ability to increase or decrease infrastructure resources based on demand. In Infrastructure as a Service, the provider offers compute, storage, and network resources as an on-demand service, while the customer deploys operating systems and applications on top of that infrastructure. Cisco cloud material describes this model as providing scalable IT capacity without requiring the organization to own all physical assets. Option C is the best answer because dynamic capacity adjustment is a fundamental cloud capability and a major reason enterprises choose IaaS for variable workloads. Option B is a valid business benefit because consumption-based billing can reduce cost, but the question asks for a primary capability, not the pricing model. Option D describes automation and orchestration, which support cloud operations but are not the specific capability being tested. Option A is closer to hybrid-cloud workload mobility and is not guaranteed by IaaS alone. Reference topics: cloud service models, IaaS, elasticity, scalable compute, on-demand resource provisioning.

Secure segmentation is the Cisco SD-WAN Secure Direct Cloud Access function that separates user traffic into different zones and VPNs or VRFs. In Cisco SD-WAN, VPNs provide logical segmentation that is comparable to VRF separation in traditional routing. Secure Direct Cloud Access extends this segmentation model when users access internet and cloud applications directly from the branch. The design can keep corporate, guest, payment, voice, IoT, and other traffic classes isolated, with policy and security controls applied per segment or zone. Centralized data policy controls forwarding behavior, but the feature that divides traffic into separate zones and VPN or VRF contexts is secure segmentation. Perimeter control and application-aware routing are useful security and performance functions, but they do not describe the core segmentation mechanism. Segmentation is a fundamental SD-WAN design requirement because direct cloud access must not collapse trust boundaries simply because traffic no longer hairpins through a central data center. Reference topics: Cisco SD-WAN secure segmentation, VPNs, VRFs, direct cloud access, zone-based policy.

The branch subnets must each support up to 200 hosts, so /120 is the correct IPv6 prefix length from the available options. A /120 provides 256 IPv6 addresses, which satisfies the 200-host requirement. A /121 provides only 128 addresses, which is not enough. The parent block is 2a01:0c30:0016:7009::3800/118. A /118 has 10 host bits, so it contains 1024 addresses and spans from ::3800 through ::3bff. The valid /120 boundaries inside that parent are ::3800/120, ::3900/120, ::3a00/120, and ::3b00/120. From the listed choices, 2a01:0c30:0016:7009::3a00/120 and 2a01:0c30:0016:7009::3b00/120 both fall inside the parent allocation and provide enough address capacity. The /121 options are too small, and ::3c00/120 is outside the /118 parent range. This is a straightforward IPv6 prefix-boundary and capacity calculation. Reference topics: IPv6 subnetting, prefix length, address block boundaries, branch address planning.

A TLOC extension facilitates WAN Edge router redundancy within a site. In Cisco SD-WAN, a Transport Location identifies a WAN transport attachment using attributes such as system IP, color, and encapsulation. A TLOC extension allows one WAN Edge router to use a transport circuit physically connected to another WAN Edge router at the same site. This is valuable when a branch has two edge routers and two transports, but each transport is cabled to only one router. With TLOC extension, each router can still gain logical access to both transports, improving redundancy and allowing better path diversity without adding more service-provider circuits or handoffs. The feature does not simply identify the physical interface; that is part of TLOC definition. It does not increase the number of colors or create a port-channel-style aggregate. A sound design also accounts for failure domains, service-side routing, and whether the inter-router link has enough bandwidth for extended transport traffic. Reference topics: Cisco SD-WAN TLOC, TLOC extension, WAN Edge redundancy, transport color, branch resiliency.

Route summarization should be planned from the aggregation layer toward both the core and the access layer. In hierarchical campus routing, aggregation or distribution devices are natural summarization boundaries because they sit between more specific access-layer networks and the core. Summarizing from aggregation toward the core prevents access-layer subnet churn from forcing unnecessary recomputation and route table growth in the core. Summarizing from aggregation toward access can also provide a concise upstream route, often a default or summary route, so access devices do not need the entire network routing table. The goal is to contain failures, reduce routing state, and preserve fast convergence at hierarchy boundaries. Summarizing from the core toward aggregation may hide useful topology details in the wrong direction, while summarizing directly from access toward aggregation is not always possible or efficient when access devices are numerous and have limited resources. The answer that places summarization at aggregation in both directions best matches Cisco hierarchical design principles. Reference topics: hierarchical campus design, route summarization, aggregation layer, core route scale, convergence containment.

The multicast-replicator function is used to optimize multicast traffic distribution across Cisco SD-WAN. Cisco Catalyst SD-WAN multicast overlay design avoids forcing the ingress WAN Edge router to replicate every multicast packet to every remote receiver. Instead, multicast routes and receiver information are exchanged through OMP, and a WAN Edge can be designated as a multicast or OMP replicator. The replicator then distributes streams to interested receivers across the overlay, reducing bandwidth and processing pressure on the source-side edge. That is why multicast-replicator is the feature that optimizes WAN bandwidth for IGMP-driven multicast receiver traffic among WAN Edge routers in the same VPN. IGMPv2 is only the host-to-router group membership protocol and does not optimize overlay distribution by itself. A multicast RP is used in PIM sparse mode, but it is not the SD-WAN overlay replication feature. Multicast service routes advertise multicast service information, but the bandwidth-saving forwarding role is the replicator. Reference topics: Cisco SD-WAN multicast overlay, OMP multicast routes, multicast replicator, IGMP receiver joins.

StackWise is the correct solution because the company needs more access ports while reusing the existing access-switch uplink capacity. Cisco StackWise allows multiple compatible Catalyst switches to operate as a single logical switching system, increasing access-port density without requiring each added switch to consume new uplink ports on the distribution layer. This fits the design constraint that the distribution switches have no available ports for additional uplinks, while current uplink bandwidth is not a bottleneck. VSS is normally used to combine two chassis-class switches into one logical system at the distribution or core layer; it is not the practical answer for expanding one floor’s access-port count from an existing access switch. EtherChannel aggregates physical links for bandwidth and redundancy, but it does not create additional access ports when no distribution ports are available. VDC is a Nexus virtualization construct and does not solve Catalyst access-port expansion. The correct operational design is to add a stack member and use the existing uplink design. Reference topics: Cisco StackWise, access-layer scalability, uplink preservation, Catalyst campus switching.

In a Cisco SD-Access fabric, DHCP relay design must account for the fact that endpoints can attach to different fabric edge nodes while using consistent anycast gateway behavior. DHCP Option 82 is important because it inserts relay-agent information that allows the DHCP infrastructure to identify where the DHCP request originated. This enables the correct address scope and policy context to be selected for the endpoint even when the gateway address is anycast across multiple fabric edges. Cisco SD-Access DHCP guidance emphasizes the use of relay information so centralized DHCP services can assign the correct address based on fabric location and endpoint context. DHCP relay is not simply enabled on border nodes, and subnets should not be stretched across fabric edges by placing DHCP servers on borders. DHCP servers do not require a special proprietary SD-Access extension in the sense described by the incorrect option; they use standard relay information such as Option 82. Therefore, the key design consideration is enabling DHCP Option 82 so the circuit information maps the request to the fabric node where it originated.

Nonstop Routing is the correct solution when the upstream router does not understand graceful restart messaging. Cisco NSF and graceful restart depend on helper behavior from neighboring routers. During a supervisor switchover, the restarting device asks neighbors to preserve forwarding and adjacency state while the control plane recovers. If the neighbor does not support or understand the graceful restart signaling, NSF cannot deliver the intended benefit and route recomputation may still occur. NSR is different because it synchronizes routing protocol state between the active and standby supervisor internally, allowing the switch to preserve routing operation during stateful switchover without requiring graceful restart support from the neighbor. Remote LFA FRR protects against data-plane failures by precomputing repair paths, but it does not address supervisor switchover route recomputation. Aggressive IS-IS timers may make failure detection faster, but they increase control-plane churn and do not solve the lack of graceful-restart helper support. Therefore, the Catalyst switch should use NSR for this design. Reference topics: IS-IS high availability, NSR, NSF, graceful restart helper support, stateful switchover.

The correct design is to deploy the application in both data centers, advertise the application prefix from DC1 as a /32, and advertise a broader /24 from DC2. This uses longest-prefix-match behavior to create deterministic primary and backup routing. Cisco routing logic prefers the most specific matching route in the routing table, regardless of administrative distance or metric comparisons among less specific covering routes. As long as the DC1 /32 is present, traffic for that exact application address follows DC1. If DC1, its edge path, or the /32 advertisement fails, the /32 is withdrawn and the remaining /24 covering route from DC2 provides backup reachability. Advertising the same prefix from both locations may result in load sharing or provider-dependent selection, which does not guarantee DC1 primary behavior. IP SLA could be used in some route-tracking designs, but the clean routing solution tested here is prefix specificity. Reference topics: longest-prefix match, BGP advertisement, active/standby data center routing, covering routes, route failover.

A /22 subnet is the smallest IPv4 block in the answer set that closely fits a branch expected not to exceed roughly one thousand users while avoiding unnecessary address waste. A /22 contains 1024 total addresses and 1022 usable host addresses after the network and broadcast addresses are reserved. That aligns with the requirement to provide the maximum number of host addresses without selecting a larger block than necessary. A /21 provides 2048 total addresses and 2046 usable hosts, which is materially larger than the stated requirement and wastes address space. The specific 192.168.8.0/22 block also aligns on a valid /22 boundary because /22 networks increment by four in the third octet. A 192.168.16.0/22 is also mathematically valid, but the exhibit determines the available address range; the selected option uses the appropriate block from the displayed plan. Reference topics: IPv4 subnet sizing, CIDR, usable host calculation, branch address planning, VLSM.

Bandwidth percentage with policing is the correct QoS approach. The requirement has two separate parts: each subnet must receive a minimum share during congestion, and no subnet should introduce delay into download traffic. Bandwidth percentage is used to allocate a minimum bandwidth guarantee among classes during congestion while still allowing a class to use unused bandwidth when other classes are idle. Policing enforces a rate by dropping or remarking excess traffic rather than buffering it. That behavior is important because the question explicitly says download traffic must never experience delay. Shaping would be wrong because shaping buffers excess packets and transmits them later, which intentionally adds delay. Rate- limiting is a broad term, but when the design choice offers policing explicitly, policing is the precise mechanism that matches the no-delay requirement. A parent or class policy can reserve 25 percent per subnet on a 40 Mbps service, giving each subnet 10 Mbps during congestion while unused bandwidth remains available. Reference topics: CBWFQ bandwidth percent, traffic policing, shaping versus policing, Internet edge QoS, congestion management.

MSTP is the correct spanning-tree choice for a Layer 2 design with many logical ports, multiple trunked VLANs, and a subsecond convergence requirement. Rapid PVST+ provides rapid convergence, but it creates a separate spanning-tree instance for every VLAN. With 30 VLANs on trunks and hundreds of active ports, the number of logical STP ports can grow quickly and increase CPU and memory load. MSTP maps many VLANs into a smaller number of spanning-tree instances while still using rapid convergence behavior based on IEEE 802.1w principles. This makes it more scalable for large Layer 2 domains than PVST+ or Rapid PVST+ when many VLANs are present. CST provides a single instance but lacks the flexibility and convergence characteristics expected in modern enterprise designs. The design needs both scalability and fast convergence, and MSTP is the standards-based protocol that best satisfies both requirements. Reference topics: MSTP, Rapid STP, logical STP ports, VLAN-to-instance mapping, Layer 2 scalability, convergence.

Dual-stack is the correct IPv6 migration technique because the DWDM devices provide Layer 2 transport between routers that already support both IPv4 and IPv6. Layer 2 transport is generally transparent to IPv6 because it forwards Ethernet frames rather than participating in Layer 3 routing. The routers at the ends of the DWDM circuit can peer directly over the Layer 2 service and run IPv6 in parallel with IPv4, while mail servers can also retain IPv4 reachability during the migration. Cisco dual-stack migration guidance uses simultaneous IPv4 and IPv6 operation to support phased application and host transition with minimal tunneling overhead. 6to4, ISATAP, and 6rd are tunneling or transition mechanisms used when IPv6 islands must cross IPv4-only routed infrastructure. In this case, the limiting devices are in the transport layer and do not need to route IPv6. Deploying dual-stack on the capable routers and servers is simpler, more transparent, and avoids unnecessary encapsulation. Reference topics: IPv6 dual-stack migration, Layer 2 transparency, IPv6 over Ethernet, tunneling avoidance, phased migration.

Dual multihomed is the only listed WAN design that satisfies all failure conditions: CE, PE, ISP, and link failure. A single-homed design has one provider attachment and cannot survive most of those events. A single multihomed design uses more than one provider or provider connection, but if it still has only one customer edge device, a CE failure remains a single point of failure. A dual-homed design can provide multiple links to one provider, but it may not protect against a complete ISP failure. Dual multihoming combines redundant customer edge devices with connections to multiple provider edge devices and, typically, multiple providers. Cisco WAN and BGP design guidance uses multihoming to increase availability, control inbound and outbound path selection, and avoid dependence on a single provider path. This design gives the architect the necessary device, link, and provider diversity. Reference topics: WAN edge redundancy, BGP multihoming, dual-provider design, CE and PE resiliency, internet edge high availability.