300-420 Premium Exam Questions

Cisco SD-WAN uses the vSmart controller as the control-plane component that distributes the information needed for secure data-plane tunnel establishment. Before WAN Edge devices build full-mesh IPsec tunnels, they must learn reachability and security information through the SD-WAN control plane. Cisco documentation describes the vSmart controller as the centralized control-plane element that exchanges OMP routes, policy, TLOC information, and security parameters with WAN Edge routers. In the traditional SD-WAN key-exchange model, vSmart sends IPsec encryption keys to edge devices so the data plane can be secured without each edge independently negotiating IKEv2 with every other edge. vManage is the management platform and is not the key exchange point. vBond performs orchestration, authentication assistance, and NAT traversal during onboarding, but it is not the data-plane key server. IKEv2 may be used in specific newer or configured security models, but the typical Cisco SD-WAN overlay relies on vSmart for scalable key distribution. Reference topics: Cisco SD-WAN control plane, vSmart, OMP, IPsec key distribution, WAN Edge security.

Cisco SD-WAN components map to distinct control, management, orchestration, and forwarding roles. vManage is the centralized management plane used for configuration templates, monitoring, software management, and operational visibility. vSmart is the centralized control-plane component that distributes OMP routes, TLOC information, security parameters, and centralized policy to WAN Edge devices. vBond is the orchestration component used during onboarding; it authenticates devices, helps them discover controllers, and assists with NAT traversal. The WAN Edge router, whether physical or virtual, forms the data plane at the branch, campus, or data center and forwards user traffic through secure overlay tunnels. Correctly identifying these roles is essential because SD-WAN scale and resiliency depend on separating management, control, orchestration, and forwarding responsibilities. A design that confuses vManage with vSmart or vBond will misplace policy, onboarding, and forwarding functions. Reference topics: Cisco SD-WAN architecture, vManage, vSmart, vBond, WAN Edge, OMP, overlay control plane.

A scalable two-level IS-IS design uses Level 1 areas for internal campus routing and Level 2 for the interarea backbone. Each campus should have a unique IS-IS NET area value so the internal routers belong to that campus’s Level 1 area. Internal campus routers should be configured as Level 1 routers, which keeps detailed campus prefixes inside the local area and prevents unnecessary propagation of more-specific routes to other campuses. At the edge of each campus, routers that connect the campus to the backbone should operate as Level 1/Level 2 routers. These routers connect the local Level 1 area to the Level 2 backbone and can summarize or control routing information between levels. IS-IS does not use BDR routers; that is an OSPF term, so option A is invalid. Assigning the same NET value everywhere collapses the hierarchy and defeats the segregation goal. MTU differences are not a hierarchy or route-segmentation tool. Therefore, the design should use unique NET values per campus with Level 1 internal routers and Level 1/Level 2 routers at the campus edge.

The correct overlay considerations are that virtual networks provide data-plane isolation and that overlapping IP addresses should be avoided for operational simplicity. In Cisco SD-Access, virtual networks are used for macro segmentation and are commonly mapped to VRFs. This separates routing and forwarding tables between major groups such as corporate users, guests, IoT, and shared services. Security Group Tags provide finer policy control and microsegmentation, but they are not the primary mechanism for data-plane isolation between virtual networks. The phrase “virtual networks should be used for microsegmentation” is therefore inaccurate; microsegmentation is SGT and SGACL driven. Although overlapping IP addresses can technically exist in separate VRF-like contexts, Cisco design practice discourages unnecessary overlap because it complicates troubleshooting, service insertion, external connectivity, and inter-VN communication. A clean overlay address plan improves operations and reduces policy ambiguity. Reference topics: SD-Access overlay design, virtual networks, macro segmentation, SGTs, microsegmentation, overlapping IP avoidance. This also simplifies day-two operations.