Cisco 300-420 Dumps

Cisco SD-WAN uses Path MTU Discovery to avoid fragmentation problems across the overlay. SD-WAN traffic is encapsulated and encrypted, which adds overhead beyond the original packet size. If the effective path MTU is smaller than the encapsulated packet, fragmentation or packet loss can occur, especially when the DF bit is set or when intermediate devices block fragmentation-related ICMP messages. PMTUD allows devices to discover the largest packet size that can traverse the path without fragmentation and adjust forwarding behavior accordingly. Marking traffic with DF alone does not solve the issue; it may expose the problem by causing packets to be dropped when too large. Jumbo frames are not a universal WAN solution because service-provider, Internet, and broadband paths often do not support them consistently. Configuring every access circuit with a fixed 1600-byte MTU is not a reliable design assumption. The correct design is to rely on PMTUD and validate tunnel overhead, device MTU, TCP MSS adjustment where needed, and ICMP handling across transports. Reference topics: Cisco SD-WAN MTU, PMTUD, tunnel overhead, fragmentation avoidance, IPsec encapsulation.

IP directed broadcast must be enabled on the last Layer 3 device connected to the destination client subnet, which is R2 in the exhibit. Wake-on-LAN uses a magic packet that must reach sleeping hosts on the target LAN. Because sleeping clients often do not have an active IP stack or ARP entry, the WoL packet is commonly sent as a directed broadcast toward the target subnet. Routers forward the packet as a unicast until it reaches the destination subnet, where the last-hop router converts it into a Layer 2 broadcast if directed broadcasts are permitted. Cisco disables directed broadcasts by default on many platforms because of historical amplification-attack risks, so the design should enable it only where needed and protect it with ACLs. Spanning-tree UplinkFast is unrelated to delivering WoL packets; it improves STP convergence on access switches. Enabling directed broadcasts on the wrong router would not place the magic packet onto the client VLAN. Therefore, R2, the last-hop router toward the target WoL clients, is the correct location. Reference topics: Wake-on-LAN, IP directed broadcast, last-hop router behavior, subnet broadcast forwarding, ACL protection.

DMVPN is preferred over individually configured point-to-point IPsec tunnels when a company has many branches because it scales the overlay more efficiently. A traditional IPsec tunnel design requires manual or template-based tunnel definitions for every required site-to-site relationship. As branches increase, tunnel count, configuration complexity, and operational overhead grow quickly. Cisco DMVPN combines multipoint GRE, NHRP, and IPsec so spokes can register with the hub and dynamically discover next-hop information for other spokes. This supports a hub-and-spoke control model while allowing dynamic spoke-to-spoke data tunnels when branch-to-branch traffic is required. That is why greater scalability and dynamic spoke-to-spoke tunnel creation are the two design advantages. AES-256 encryption is not unique to DMVPN because normal IPsec can also use strong encryption. Anycast gateway is unrelated to DMVPN WAN overlay design. Lower traffic overhead is not the best answer because DMVPN adds mGRE, NHRP, and IPsec encapsulation overhead; its advantage is operational scalability and dynamic tunnel establishment.

Making R3 an L1/L2 router restores the required IS-IS hierarchy and prevents the outage caused by the failed R1-to-R2 link. In IS-IS, Level 1 routers have detailed topology only inside their own area, while Level 2 routers provide the interarea backbone. Routers that connect a Level 1 area to the Level 2 backbone must operate as Level 1/Level 2 devices so they can participate in both databases and provide an exit path for area traffic. If a path between areas depends on a router that is only Level 1 or only Level 2 in the wrong location, traffic can be blackholed when a key link fails. Configuring R3 as L1/L2 gives the topology an additional valid transition point between the local area and the backbone, improving continuity after the R1-to-R2 failure. Making unrelated routers L1 or L2 does not necessarily create the required interarea attachment. Reference topics: IS-IS Level 1, Level 2 backbone, L1/L2 routers, interarea reachability, hierarchical IGP design.

Because the wireless access points must remain in a common VLAN, the practical design is to align the HSRP active gateway with the spanning-tree root bridge for that VLAN. Unicast flooding commonly occurs when a Layer 2 domain is stretched between aggregation and access layers and the traffic path becomes asymmetric. If the HSRP active gateway is on one aggregation switch while STP forwards the Layer 2 path through a different aggregation switch, return traffic can be forced across inter-switch links and CAM table aging can create flooding conditions. Cisco campus design guidance emphasizes aligning Layer 2 and Layer 3 forwarding roles so the active default gateway and spanning-tree root are colocated for each VLAN. Migrating to routed access is usually the best long-term design, but it requires the APs to run on separate VLANs; the question states they use a common VLAN. Reducing ARP timers to match CAM timers can help some flooding cases, but it is not the core design fix offered here. Reference topics: HSRP and STP alignment, unicast flooding, Layer 2 campus design, wireless AP VLAN design.

The SD-Access control-plane node maintains the endpoint database and resolves mappings between endpoints and the fabric edge nodes where those endpoints are located. Cisco SD-Access uses LISP in the fabric control plane. Edge nodes register endpoint identifiers with the control-plane node, and other fabric nodes query the control plane when they need to locate a destination endpoint. This control-plane function is commonly described through LISP Map-Server and Map-Resolver behavior. Option B is not correct because endpoint detection occurs at the edge node, not at the control-plane node. The edge is the device connected to users, access points, or endpoint-facing networks, so it learns local endpoint presence and registers that information. Option C refers to authentication and identity, which is integrated with Cisco ISE. Option D describes the border-node role, because border nodes connect the fabric to external networks. The corrected answer is therefore A. A stable SD-Access design must provide redundant control-plane reachability and scale the control-plane role according to fabric size, mobility, and endpoint churn. Reference topics: SD-Access control plane, LISP Map-Server, LISP Map-Resolver, endpoint-to-location mapping.

Cisco SD-WAN uses the vSmart controller as the control-plane component that distributes the information needed for secure data-plane tunnel establishment. Before WAN Edge devices build full-mesh IPsec tunnels, they must learn reachability and security information through the SD-WAN control plane. Cisco documentation describes the vSmart controller as the centralized control-plane element that exchanges OMP routes, policy, TLOC information, and security parameters with WAN Edge routers. In the traditional SD-WAN key-exchange model, vSmart sends IPsec encryption keys to edge devices so the data plane can be secured without each edge independently negotiating IKEv2 with every other edge. vManage is the management platform and is not the key exchange point. vBond performs orchestration, authentication assistance, and NAT traversal during onboarding, but it is not the data-plane key server. IKEv2 may be used in specific newer or configured security models, but the typical Cisco SD-WAN overlay relies on vSmart for scalable key distribution. Reference topics: Cisco SD-WAN control plane, vSmart, OMP, IPsec key distribution, WAN Edge security.

The requirements point to a Layer 2 multipoint WAN service. VPLS provides an emulated Ethernet LAN across a provider network, allowing multiple sites to appear as if they are connected to the same Layer 2 domain. This supports full-mesh Layer 2 connectivity and preserves customer control over higher-layer services such as IPv6, multicast, routing protocols, and QoS markings. Because the provider delivers an Ethernet multipoint service, the enterprise can retain protocol independence rather than depending on the service provider to participate in IPv6 routing or multicast routing. CoS marking is also a Layer 2 QoS mechanism, so a Layer 2 VPN service is better aligned to the stated QoS requirement. VPWS is point-to-point rather than full-mesh multipoint, so it does not meet the topology requirement by itself. MPLS Layer 3 VPN is a provider-routed service and does not give the customer full Layer 2 mesh behavior. DMVPN is an overlay routed VPN and does not provide a native Layer 2 full-mesh service. Therefore, VPLS is the correct WAN connectivity option.

Dual DMVPN with EIGRP routing is the correct solution because the requirements call for secure public-internet connectivity, redundant paths, automatic path selection, multicast support, and minimal remote-site configuration. DMVPN builds dynamic multipoint GRE tunnels protected by IPsec, allowing spoke sites to communicate securely through the public internet while supporting routing protocols and multicast over GRE. A dual DMVPN design provides redundancy through separate hubs, transports, or tunnel clouds, so a spoke can continue operating if one path fails. EIGRP can calculate alternate paths and react to metric changes, supporting automatic path selection based on failure and quality when engineered correctly. MPLS with BGP does not meet the public-internet and encryption requirements by itself. A full mesh of IPsec tunnels with OSPF or IS-IS would increase configuration complexity at every remote site and does not scale as well. DMVPN is specifically built to simplify deployment of secure, scalable, multipoint branch VPNs. Reference topics: DMVPN, IPsec, mGRE, EIGRP over DMVPN, WAN redundancy, multicast over GRE.

The route-reflector design should make R2 a client of R1 and R4, and R5 a client of R3 and R4. The requirement states that the route reflector must have direct physical connections to the core routers R3 and R4, must avoid a single point of failure, and must account for high utilization on the R2-to-R1 link. In BGP route-reflector design, clients peer with redundant route reflectors so they can continue receiving reflected routes if one route reflector or path fails. Placing R5 as a client of R3 and R4 satisfies the direct-core requirement and provides redundant reflection through the core. Placing R2 as a client of R1 and R4 provides redundancy while reducing dependence on the heavily utilized R2-to-R1 link by including R4 as an alternate reflector. Making a router a client of two reflectors is a standard design technique for route-reflector high availability. The other combinations either fail the direct-core requirement, do not provide balanced redundancy, or keep traffic tied to the congested link. Reference topics: BGP route reflectors, client redundancy, iBGP scaling, route-reflector placement, core resiliency.

Wake on LAN commonly relies on a magic packet that must reach a sleeping endpoint on its local subnet. When the WoL server is in a different subnet from the sleeping clients, a unicast packet cannot always be delivered directly because the sleeping host may not have an active ARP entry or IP stack behavior suitable for normal unicast forwarding. Cisco campus designs therefore use IP directed broadcast on the Layer 3 interface for the target VLAN or subnet so a routed packet can be delivered to the subnet and then converted into a Layer 2 broadcast. This must be implemented carefully, with access control, because directed broadcasts can be abused if left unrestricted. Dynamic ARP Inspection and DHCP snooping are Layer 2 security controls; they do not provide the Layer 3 directed broadcast function required for WoL. Proxy ARP allows a router to answer ARP requests on behalf of another host, but it does not solve cross-subnet delivery of WoL magic packets. Therefore, the design must include directed broadcasts on the relevant Layer 3 devices.

TLOC extension is the Cisco SD-WAN mechanism that allows a WAN Edge router without direct access to a transport to reach that transport through another WAN Edge router at the same site. Cisco describes TLOC extension as a redundancy feature in SD-WAN networks. In the question, the WAN Edge router is connected to an MPLS transport link, but Internet access is available through another WAN Edge device. With TLOC extension, the MPLS-only edge can extend traffic through the peer router toward the Internet transport, allowing the site to use multiple transports without requiring every edge router to have a physical connection to every circuit. OMP can advertise routes and TLOCs, but OMP alone does not create physical Internet access for a router attached only to MPLS. Requiring a local 4G/5G or Internet circuit on the same router is not necessary when TLOC extension is part of the design. An MPLS extranet is also not the normal SD-WAN solution for Internet transport reachability. Therefore, TLOC extension is the correct design method.

Option B is retained because the subnetting task depends on the exhibit options and the chosen plan must divide 10.1.8.0/21 into nonoverlapping partner VPN subnets without allocating more address space than required. The design principle is variable-length subnet masking: allocate the smallest subnet that satisfies each partner requirement, then place the subnets on valid prefix boundaries inside the reserved aggregate. Cisco addressing design emphasizes conserving address space, avoiding overlap, and preserving summarization where possible. A /21 provides 2048 total addresses, so the designer can carve several smaller partner ranges while keeping the entire allocation summarizable as 10.1.8.0/21 toward the data-center core. Incorrect options would either waste addresses, overlap existing ranges, place subnets on invalid boundaries, or allocate blocks larger than necessary. Option B is the mapping that satisfies the exhibit constraints while keeping the design clean for routing, firewall policy, and VPN onboarding. Reference topics: IPv4 VLSM, subnet boundary alignment, partner VPN addressing, summarization, nonoverlapping address design.

IntServ with RSVP is the correct model when an application must request a specific service level and receive guaranteed bandwidth or delay treatment. Cisco describes the Integrated Services model as a flow-based QoS architecture in which applications signal their resource requirements to the network. RSVP is the signaling protocol used to reserve resources along the path. This differs from DiffServ, which marks packets and applies per-hop behavior without creating per-flow reservations. The question states that the application can request a particular type of service to support its delay requirements and that bandwidth must be guaranteed. Those are classic IntServ and RSVP characteristics. DiffServ with DSCP is scalable and widely used in enterprise networks, but it cannot guarantee resources end to end unless every hop is engineered and provisioned accordingly. IntServ with DSCP is not the standard model because RSVP is the reservation mechanism. Reference topics: Integrated Services, RSVP, resource reservation, guaranteed service, QoS architecture, delay-sensitive applications.

Dual stack is the correct IPv6 migration strategy because the existing infrastructure already supports IPv6, the company wants low operational overhead, and applications should migrate naturally using DNS. Cisco describes dual stack as running IPv4 and IPv6 simultaneously on the same infrastructure, allowing hosts and applications to use either protocol during the migration period. It does not require additional tunneling equipment, avoids encapsulation overhead, supports native IPv6 multicast, and allows application preference to follow DNS responses. ISATAP and manual tunnels introduce overlay complexity and are primarily transition mechanisms for connecting IPv6 islands over IPv4 infrastructure. A service block model may be useful for specific service insertion, but it does not provide a whole-network migration strategy. Since every current infrastructure device supports IPv6, the cleanest and most operationally straightforward model is to enable IPv6 alongside IPv4 and migrate services gradually. Reference topics: IPv6 migration, dual-stack deployment, DNS-based protocol selection, native IPv6 multicast, transition strategy design.

When congestion is sustained and QoS has already been optimized, the correct design response is to add capacity rather than continue tuning packet treatment. QoS manages contention by prioritizing, queuing, shaping, or dropping traffic, but it does not create additional bandwidth. If access-to-distribution uplinks are persistently oversubscribed, business applications will still suffer because the offered load exceeds the available link capacity. Implementing higher-speed uplink interfaces increases the physical bandwidth available for aggregate traffic. Bundling additional uplinks into EtherChannels also increases usable capacity and improves resiliency while presenting a single logical link to the switching and routing design. Random early detection and selective packet discard can improve queue behavior under congestion, but the question states that QoS is already optimized and no longer effective. Reconfiguring QoS to IntServ would add complexity and is not a realistic campus fix. Therefore, the architect should increase uplink capacity through faster links and EtherChannel where the hardware and cabling support it. Reference topics: campus oversubscription, EtherChannel, uplink capacity planning, QoS limitations, congestion remediation.

For in-band management over the production WAN, the proper marking is DSCP CS2 mapped into the management or operations class with a minimum bandwidth guarantee. Cisco enterprise QoS guidance separates network control traffic from network management traffic. Routing protocol and control-plane traffic should not be diluted by ordinary management flows. CS6 is typically reserved for routing and network-control traffic; EF is reserved for low-latency voice bearer traffic; CS1 is commonly used for scavenger or low-priority traffic. Network management flows such as SSH, SNMP, NTP, FTP-based maintenance, and syslog require reliable delivery, but they should not starve business traffic or real-time services. Therefore, marking with CS2 and mapping the traffic into Class2 is the correct design choice. The bandwidth adjustment should come from a lower-priority class, not from the routing/control or real-time class. Because this is in-band management, the architect must also ensure access control, source restrictions, AAA, logging, and management-plane protection. QoS classification alone does not secure management access; it only gives the traffic an appropriate forwarding treatment over the MPLS WAN. Reference topics: in-band management, DSCP CS2, enterprise QoS classes, management-plane traffic.

AS-path prepending is the correct inbound path-control tool for this design. The objective is for traffic entering AS100 to use link 1 during normal operation and link 2 only after a failure. In BGP, the AS_PATH attribute is a primary path-selection attribute used by external autonomous systems; a shorter AS path is normally preferred over a longer path. By prepending AS100 multiple times on advertisements sent from R4 across link 2, AS100 makes the backup path look less attractive to upstream networks while leaving it available for failover. Modifying next-hop on R3 or R4 does not influence how external networks choose between two entry points into AS100. Prepending on R3 would make the preferred link less attractive, which is the opposite of the requirement. The design should also document provider policy because some providers local-preference routes before AS path, but within the choices, prepending on R4 is the appropriate inbound traffic-engineering method. Reference topics: BGP AS_PATH, inbound path control, multihoming, backup Internet edge design.

MSDP is required because the design connects separate PIM-SM multicast domains and needs multicast source discovery across domain boundaries. In each autonomous system, receivers join a multicast group through the local rendezvous point. Without MSDP, an RP in one domain does not automatically learn about active sources registered to an RP in another domain. MSDP allows RPs to exchange Source-Active information so that receivers in AS65773 can learn about VoD sources in AS5373 and build the required multicast forwarding state. Auto-RP and BSR are mechanisms for discovering or advertising rendezvous point information inside a PIM domain; they do not solve interdomain source discovery between separate multicast domains. PIM SSM can work for source-specific applications, but the question states that R2 has been selected as RP, which indicates an ASM/PIM-SM design. With BGP already established between offices, MSDP complements the interdomain routing design by exchanging multicast source reachability information. Reference topics: MSDP, PIM-SM, interdomain multicast, Source-Active messages, rendezvous point resilience.

Running BFD between EIGRP neighbors is the appropriate design when the problem is traffic loss during link failure and the requirement is to reduce the impact of the failure. EIGRP can detect neighbor loss through its hello and hold timers, but those timers may not be fast enough for applications sensitive to packet loss. Bidirectional Forwarding Detection provides rapid failure detection independent of the routing protocol’s normal timer expiration. When BFD detects a failed forwarding path, it notifies EIGRP so the routing process can converge without waiting for the EIGRP hold timer. Summarization is still a valuable scaling technique, but it primarily reduces route table size and query scope; it does not directly accelerate failure detection on an individual inter-router link. Reducing EIGRP hello and hold timers can improve detection, but it increases control-plane load and is less efficient than BFD. The question emphasizes data loss when any one link fails, so fast failure detection is the best corrective design. Reference topics: EIGRP convergence, BFD, failure detection, hello and hold timers, routed-link resiliency.

The design is an IPv6 overlay carried across an existing underlay, so the correct advantages are that multiple independent logical networks can run over a shared underlay and that unsupported protocols can be transported across that underlay. Cisco describes overlay tunnels as encapsulating one protocol inside another so traffic can cross infrastructure that does not natively support the passenger protocol. For an IPv6 migration, this permits IPv6 connectivity across an IPv4-only transport while the intermediate network remains unchanged. The same overlay concept also allows separate logical networks to be created over common physical transport, which is a fundamental design principle in SD-Access, SD-WAN, GRE, and other overlay technologies. The design does not eliminate fate-sharing; if the underlay fails, the overlay fails. It also does not reduce forwarding overhead, because encapsulation adds header bytes and may affect MTU. The number of devices joining the overlay still depends on addressing, routing, tunnel scale, and control-plane design. Reference topics: IPv6 overlay tunneling, shared underlay, encapsulation overhead, protocol transport, migration design.

A totally stubby OSPF area blocks Type 3, Type 4, and Type 5 LSAs while allowing a default summary route into the area. In OSPF, Type 3 LSAs are interarea summary LSAs, Type 4 LSAs describe reachability to ASBRs, and Type 5 LSAs carry external routes. A normal area accepts all of these LSA types. A standard stub area blocks Type 5 external LSAs and normally Type 4 ASBR summaries, but it still allows Type 3 interarea summaries. An NSSA blocks normal Type 5 external LSAs but allows Type 7 LSAs for locally redistributed external routes. A totally stubby area is more restrictive: the ABR suppresses interarea summaries and external routing detail, then injects a default route so routers inside the area still have reachability outside the area. This design reduces LSDB size, memory consumption, and SPF processing on low-end routers in remote areas. Therefore, the OSPF area type that blocks Type 3, 4, and 5 LSAs but allows a default summary route is a totally stubby area.

The ORF filter should be applied so the route reflector or upstream peer suppresses the unwanted Branch A prefix before sending updates toward the resource-constrained branch. Cisco BGP outbound route filtering lets a receiving router advertise a prefix-list filter to its peer, causing that peer to apply the filter outbound. This is useful when a router has limited CPU or memory because unwanted prefixes are never sent across the session. In the described design, HQ must prevent Branch A prefixes from reaching R4, while Branch B has limited resources. The answer using the 10.10.10.0/24 prefix list on R2 aligns with filtering the Branch A prefix at the point where HQ can control route reflection or advertisement toward the constrained branch path. Applying the filter on the wrong router or using the wrong prefix would still allow unnecessary updates. ORF is preferred over simple inbound filtering when the goal is to reduce received route volume. Reference topics: BGP ORF, prefix-list signaling, route-reflector filtering, branch route scale, outbound update suppression.

BIDIR-PIM is the correct multicast deployment model when redundant paths and active links may create RPF challenges for many-to-many multicast traffic. Bidirectional PIM builds a shared tree rooted at the rendezvous point and avoids maintaining separate source-specific shortest-path trees for every sender. This is valuable when sources and receivers are spread across a redundant branch design and traffic can enter the multicast domain from multiple directions. Because BIDIR-PIM uses the Designated Forwarder mechanism on each link, it helps control which router forwards traffic toward the RP and reduces duplicate forwarding in topologies where normal RPF behavior could be problematic. PIM-SM is widely used, but it normally moves to source trees for active sources unless specifically controlled. PIM-SSM requires receivers to know the source and is not designed for arbitrary many-to-many communication. PIM-BSR is a mechanism for dynamic RP discovery, not a multicast forwarding model. Reference topics: BIDIR-PIM, multicast RPF, many-to-many multicast, Designated Forwarder, branch multicast design.

Route tags are the correct loop-prevention mechanism when connecting another routing domain or redistributed network behind R3 into an EIGRP network. Redistribution can create route feedback: a route learned from one domain is redistributed into another, then later redistributed back into the original domain as if it were new information. That can produce routing loops or suboptimal path selection, especially in multipoint redistribution designs. Cisco route-map based redistribution commonly uses route tags to mark the origin of redistributed routes. Other redistribution points can then match those tags and prevent the same routes from being reintroduced into the source domain. Split horizon prevents advertisements back out the interface on which a route was learned, but it is not sufficient for multipoint redistribution loop prevention. Summarization reduces route detail and query scope but does not identify route origin. The OSPF down bit is used in MPLS VPN/OSPF PE-CE scenarios, not general EIGRP redistribution. Therefore, the design should use route tags. Reference topics: EIGRP redistribution, route tagging, routing-loop prevention, route maps, redistribution policy.

A Cisco native YANG model is the right choice when the engineer needs to configure a capability that is specific to Cisco NX-OS. YANG models fall broadly into open standards-based models and vendor-native models. IETF and OpenConfig models are useful for multivendor consistency, but they intentionally model common behavior and may not cover every platform-specific feature. Cisco native models are generated to represent Cisco operating system configuration and operational data more closely, including features that are unique to IOS XE, IOS XR, or NX-OS. Cisco developer guidance commonly positions native models as the model family to use when full platform feature coverage is required. IEEE is not the relevant model family for Cisco NX-OS feature-specific configuration in NETCONF. OpenConfig is useful when the design objective is common cross-vendor abstraction, but that is not the question’s requirement. Therefore, for an NX-OS-only feature that must be configured through NETCONF/YANG, the engineer should choose the Cisco native model for NX-OS.

The fabric management plane in Cisco SD-Access enables automation techniques for device deployment and configuration. Cisco DNA Center, now commonly referenced as Cisco Catalyst Center, provides the management-plane capabilities used to automate underlay deployment, discover and provision devices, create fabric sites, assign roles, deploy virtual networks , and push policy-driven configurations. LISP-based endpoint identifiers and EID-to-RLOC mappings belong to the fabric control plane, not the management plane. IS-IS underlay routing is part of underlay network design and operation, not the management-plane function itself. The management plane exists so administrators do not have to build every fabric role, network segment, and policy manually on each individual device. In a well-designed SD-Access deployment, management-plane automation reduces configuration drift, accelerates site onboarding, and provides a consistent operational model across the campus fabric. Reference topics: Cisco SD-Access management plane, Cisco Catalyst Center, automation, device provisioning, fabric deployment, policy orchestration. It also provides the operational interface for assurance, inventory, and repeatable change control across the fabric.

An open YANG model is the correct choice because the automation scope is multivendor and the workflow must be reusable across diverse routing and switching platforms. Native vendor models expose platform-specific details and are valuable when a feature is unique to one operating system, but they create code branching and operational inconsistency when many vendors and hardware families are in scope. The question also says the DR playbook will be adjusted in the future, which argues for a model that reduces redesign whenever a device vendor or platform changes. Open models, such as IETF or OpenConfig where supported, provide common schema structures for standard network functions and allow the microservice and controller integration to remain cleaner. A custom individualized model would increase development and maintenance burden, not reduce it, unless there is a very specific abstraction layer requirement. Using a single native vendor model cannot support the stated multivendor environment. The professional design is to use open models wherever coverage is sufficient, then fall back to native models only for unsupported platform-specific capabilities. Reference topics: YANG model selection, OpenConfig, IETF YANG, Cisco native YANG, multivendor automation.

GRE over IPsec is the correct secure tunneling choice when multicast traffic must cross a public network. Native IPsec protects unicast IP traffic, but it does not inherently carry multicast routing protocols or multicast application flows in the same way that GRE can. GRE creates a logical point-to-point tunnel that can encapsulate multicast, broadcast, and non-IP payloads; IPsec then encrypts the GRE packet for confidentiality and integrity across the untrusted transport. Cisco designs commonly use this combination when dynamic routing protocols, multicast applications, or other non-unicast traffic must be transported securely between sites. GRE by itself supports multicast, but it does not provide encryption, so it fails the secure tunneling requirement. PPTP is obsolete and not appropriate for modern enterprise design. Plain IPsec is secure, but it is not the complete answer when multicast support is explicitly required. Therefore, the design should use GRE over IPsec: GRE supplies the multicast-capable overlay, and IPsec supplies the cryptographic protection across the public network.

The correct QoS design is to shape outbound traffic and police inbound traffic. Traffic shaping buffers and schedules outbound packets so the customer does not send bursts beyond the 10 Mbps Internet connection rate. This is useful on egress because the local router controls the transmit queue and can smooth bursts before they reach the provider. Cisco QoS design distinguishes shaping from policing: shaping delays excess traffic, while policing drops or remarks excess traffic immediately. Inbound shaping is generally not effective because the traffic has already arrived on the interface; the device cannot delay packets before they consume the inbound circuit. Inbound policing can protect business-critical traffic by limiting or dropping lower-priority excess traffic as it enters the network. Policing outbound would enforce the rate but would cause avoidable drops during bursts, which is less desirable when the router can shape before transmission. Therefore, outbound shaping and inbound policing satisfy both rate-control and protection requirements. Reference topics: traffic shaping, traffic policing, QoS queuing, Internet edge QoS, congestion management.

The dial-out model-driven telemetry approach is initiated by the network device, not by the collector. Cisco IOS XE telemetry documentation describes configured subscriptions as dial-out because the publisher, meaning the router or switch, initiates the connection to the configured receiver. After the session is established, the device streams the subscribed YANG-modeled data at the configured cadence or when the configured on-change condition occurs. This model is useful when the telemetry collector is a fixed destination and the network operator wants the device to maintain the outbound session automatically. Option B describes dial-in telemetry, where the collector or subscriber connects to the device and requests the subscription. Option C is also dial-in oriented because the collector initiates the session. Option D is close in wording, but the key design point is that the session is based on an already configured subscription rather than a negotiation process. Reference topics: model-driven telemetry, configured subscriptions, dial-out telemetry, YANG-push, telemetry collectors.

Multichassis EtherChannel is the correct design when distribution switches support VSS and the campus needs fast Layer 2 convergence while using as much uplink bandwidth as possible. With VSS, two physical distribution switches operate as a single logical switching system from the perspective of the access layer. MEC allows an access switch to bundle links to both distribution chassis into one logical EtherChannel. This removes the normal spanning-tree blocking of redundant uplinks, uses both links actively, and provides fast convergence if one physical link or chassis fails. A plain EtherChannel normally terminates on one physical switch, so it does not provide the same chassis-level resiliency unless the distribution pair is virtualized. RSTP improves loop convergence but still blocks redundant Layer 2 paths in a traditional topology. ECMP requires Layer 3 routing, and the question notes routing protocol limitations. Therefore, MEC on VSS is the best solution for bandwidth utilization and fast Layer 2 recovery. Reference topics: VSS, Multichassis EtherChannel, Layer 2 campus resiliency, STP avoidance, access-to-distribution design.

The Cisco SD-Access component mapping is based on the normal fabric roles. A fabric edge node is the access-facing fabric device that connects wired endpoints and fabric access points, acts as the anycast Layer 3 gateway, encapsulates endpoint traffic into VXLAN, and registers endpoint reachability with the control plane. A control-plane node supplies the LISP map-server and map-resolver functions, maintaining endpoint-to-location mappings. A border node connects the fabric to external Layer 3 domains, shared services, WAN, Internet, or another fabric/transit domain, and it de-encapsulates traffic as it leaves the fabric. Intermediate nodes provide routed IP transport inside the underlay and move packets between edge, border, and control-plane nodes without owning endpoint policy or registration. This role separation is important because a design failure often comes from assigning the wrong function to the wrong node. Access-facing policy and endpoint onboarding belong at the edge; external connectivity belongs at the border; location resolution belongs to the control plane; transport belongs to intermediate nodes. Reference topics: SD-Access fabric roles, edge node, border node, control-plane node, intermediate node.

Bootstrap Router is the standards-based mechanism that supports dynamic RP discovery in a PIM sparse-mode domain. Cisco documentation distinguishes Auto-RP, which is Cisco-proprietary, from BSR, which is defined for standards-based RP distribution. With BSR, candidate RPs advertise their availability, and the elected bootstrap router distributes RP-set information throughout the PIM domain. This removes the operational burden of manually configuring the same static RP information on every multicast router. Anycast-RP provides RP redundancy and load sharing but does not by itself provide standards-based dynamic RP discovery across the domain. Static RP is simple but not dynamic. Auto-RP can dynamically distribute RP information, but it is not the standards-based answer. The design value of BSR is most visible in large multicast domains, where routers need consistent RP information and manual changes are risky. Therefore, when the question asks for a standards-based RP deployment that supports dynamic RP discovery, the correct answer is bootstrap router. Reference topics: PIM sparse mode, Bootstrap Router, candidate RP, RP-set distribution, dynamic RP discovery.

EIGRP with branch routers configured as stubs and equal-cost multipath is the best fit for this hub-and-spoke DMVPN design. The branch routers have limited memory and CPU resources, so they should not be forced to maintain unnecessary topology information or answer broad queries from the rest of the network. EIGRP stub routing limits the routes a branch advertises and prevents it from being used as a transit path, which reduces query scope and improves stability. Because the two internet links are both 100 Mbps, equal-cost multipath can use both links for active forwarding during traffic spikes. OSPF can operate over DMVPN, but a single area or hub-and-spoke design may create more overhead and less efficient query containment for small branch routers. IS-IS is less common for this WAN overlay use case, and iBGP with route reflectors can scale but does not natively consider link utilization or provide the same simple branch stub behavior. Reference topics: EIGRP stub, DMVPN, ECMP, branch routing, query containment, WAN convergence.

A totally stubby OSPF area is the best choice for a small remote site with low-end routers and no requirement to carry transit traffic. A standard stub area blocks Type 5 external LSAs, but it still receives interarea Type 3 summary LSAs. A totally stubby area goes further by blocking external routes and most interarea summary routes, while allowing a default route to be injected by the ABR. That greatly reduces LSDB size, SPF processing, memory use, and routing-table entries on the low-end routers. The remote site still has full connectivity to the rest of the OSPF domain through the default route. NSSA and totally NSSA designs are useful when the area must inject external routes from an ASBR inside the area, but the question does not state that the remote site needs redistribution. A regular stub area is acceptable but does not minimize resources as much as a totally stubby area. Because there is no demand for traffic to pass through this area, the most efficient Cisco design is totally stubby. Reference topics: OSPF stub areas, totally stubby area, default routing, LSDB reduction, branch OSPF design.

Scalable groups provide intra-VN traffic filtering and control in Cisco SD-Access. Within a virtual network, macro segmentation separates routing tables, but endpoints inside the same VN may still need policy control based on identity, role, or security posture. Cisco SD-Access uses scalable group tags and scalable group ACLs to implement group-based policy. This allows policy to be expressed as user or device group relationships instead of only subnet-based ACL entries. The result is microsegmentation inside the virtual network, where traffic between groups can be permitted or denied consistently across the fabric. MAC ACLs are limited Layer 2 filters and do not provide the identity-based policy model required for SD-Access. Prefix lists are route-filtering tools, not intra-VN access-control mechanisms. Service policies are used for QoS or traffic treatment and do not define group-based segmentation. Scalable groups are therefore the correct policy construct for intra-VN filtering in the fabric. Reference topics: Cisco SD-Access policy, scalable groups, SGT, SGACL, microsegmentation, intra-VN control.

BFD with tuned timers is the correct fault-detection solution when OSPF traffic must fail over in milliseconds and cannot wait for the OSPF dead interval. Cisco describes Bidirectional Forwarding Detection as a lightweight mechanism that detects forwarding-path failures rapidly and notifies the routing protocol. OSPF can then bring down the adjacency and switch to an alternate route without waiting for the normal hello and dead timer process. Tuning SPF delay or LSA timers improves the control-plane calculation phase after OSPF has learned about a failure, but it does not provide the fastest failure detection by itself. IP SLA tracking can detect reachability problems, but it is not the standard per-neighbor OSPF millisecond detection mechanism. Decreasing SPF timers alone does not solve the requirement to avoid waiting for the dead interval. Therefore, BFD with appropriate 100 ms timers is the correct design choice. Reference topics: OSPF high availability, BFD, fast failure detection, dead interval avoidance, subsecond convergence.

The multicast-replicator function is used to optimize multicast traffic distribution across Cisco SD-WAN. Cisco Catalyst SD-WAN multicast overlay design avoids forcing the ingress WAN Edge router to replicate every multicast packet to every remote receiver. Instead, multicast routes and receiver information are exchanged through OMP, and a WAN Edge can be designated as a multicast or OMP replicator. The replicator then distributes streams to interested receivers across the overlay, reducing bandwidth and processing pressure on the source-side edge. That is why multicast-replicator is the feature that optimizes WAN bandwidth for IGMP-driven multicast receiver traffic among WAN Edge routers in the same VPN. IGMPv2 is only the host-to-router group membership protocol and does not optimize overlay distribution by itself. A multicast RP is used in PIM sparse mode, but it is not the SD-WAN overlay replication feature. Multicast service routes advertise multicast service information, but the bandwidth-saving forwarding role is the replicator. Reference topics: Cisco SD-WAN multicast overlay, OMP multicast routes, multicast replicator, IGMP receiver joins.

Dynamic NAT-PT is the correct selection when IPv6 hosts in an IPv6 island must access IPv4-only servers and services. NAT-PT translates between IPv6 and IPv4 packet headers and allows IPv6-only nodes to communicate with IPv4-only destinations by dynamically creating translation state. In this scenario, IPv6 hosts need access to file servers and DNS services in an IPv4 network, so a dynamic translation mechanism is required. Stateless NAT66 and stateful NAT66 are IPv6-to-IPv6 translation mechanisms and do not connect IPv6 hosts to IPv4-only resources. Static NAT-PT would be appropriate for fixed one-to-one mappings where specific hosts are permanently mapped, but the question describes general access from an IPv6 island to IPv4 services, making dynamic NAT-PT the better match. In modern designs, NAT64 and DNS64 are commonly preferred successors, but within the answer choices NAT-PT is the IPv6-to-IPv4 transition mechanism. Reference topics: IPv6 transition, NAT-PT, IPv6-to-IPv4 translation, DNS access, dual-protocol migration.

NETCONF: SSH-based; built to support candidate configuration. RESTCONF: HTTPS-based; lacks support for two-phase commit transactions.

NETCONF and RESTCONF both use YANG data models, but they use different transport and transaction behaviors. NETCONF is traditionally SSH-based and was designed as a network configuration protocol with datastore concepts such as running, startup, and candidate configuration where supported. The candidate datastore enables staged configuration changes and a commit workflow, which is useful for transactional network changes. RESTCONF exposes YANG-modeled resources through an HTTP-based REST interface, typically protected with HTTPS. It is simpler for web-style application integration because it uses familiar HTTP methods, URIs, and payload encodings such as XML or JSON. However, RESTCONF does not provide the same full two-phase commit transaction model associated with NETCONF candidate configuration workflows. Therefore, the correct mapping is that NETCONF is SSH-based and built to support candidate configuration, while RESTCONF is HTTPS-based and lacks support for two-phase commit transactions. In Cisco programmability design, NETCONF is often selected for robust configuration transactions, whereas RESTCONF is often selected for simpler API-driven integration.

The VPN drag-and-drop answer distinguishes Layer 2 VPN, Layer 3 VPN, and encrypted overlay VPN behavior. VPWS provides a point-to-point Layer 2 service, while VPLS provides multipoint Layer 2 Ethernet service across a provider core. MPLS Layer 3 VPN provides routed private WAN connectivity with provider-managed VPN routing and forwarding separation. GRE and DMVPN are overlay technologies that can carry multicast and dynamic routing protocols; DMVPN adds NHRP and multipoint GRE to scale hub-and-spoke and spoke-to-spoke designs. IPsec provides encryption and integrity for traffic over untrusted transport, but native policy-based IPsec does not carry multicast without an additional overlay such as GRE. GET VPN encrypts traffic across a private routed WAN without building permanent point-to-point tunnels and is often used where multicast and dynamic routing should remain visible to the transport. The selected mapping aligns each VPN type with its forwarding model, scale characteristics, and encryption behavior. In design, the correct VPN choice depends on whether the requirement is Layer 2 extension, routed private connectivity, dynamic spoke-to-spoke tunnels, or private WAN encryption. Reference topics: VPN design, VPLS, VPWS, DMVPN, IPsec, GET VPN.

Bootstrap Router is the standards-based mechanism for dynamic Rendezvous Point discovery in PIM Sparse Mode. Cisco supports several RP discovery methods, but they are not equivalent from a standards perspective. Auto-RP is Cisco-developed and widely used in Cisco environments, but it is not the standards-based choice. Static RP configuration is simple and deterministic, but it does not provide dynamic discovery and requires every router to be configured consistently. Anycast RP is a redundancy and load-sharing design in which multiple RPs share the same RP address, usually with MSDP or another synchronization method, but it is not the RP discovery mechanism itself. BSR allows candidate RPs and candidate BSRs to advertise RP-set information through the PIM domain so routers can learn RP mappings dynamically. This makes BSR suitable for large PIM domains where manual static RP configuration becomes operationally risky. In design, the architect should also protect BSR/RP placement, scope group ranges, and validate convergence behavior during RP or BSR failure. Reference topics: PIM-SM, Bootstrap Router, RP discovery, Auto-RP comparison, multicast control-plane design.

The IS-IS hierarchy should place access or internal area routers at Level 1, boundary routers at Level 1/2, and backbone routers at Level 2. In this exhibit, users in areas 25 and 55 must send and receive traffic through both backbone areas, while link flaps in areas 35 and 45 must not affect other areas. Cisco IS-IS design uses Level 1 areas to contain local topology changes and Level 2 routing to interconnect areas through the backbone. Level 1/2 routers sit at the area boundary and leak or advertise reachability between the local Level 1 area and the Level 2 backbone. Option C matches that hierarchy by placing A-series routers as Level 1, B-series routers as Level 1/2, and C-series routers as Level 2. Making too many routers Level 1/2 would expand the impact of topology changes and reduce scaling benefits. Making backbone routers Level 1 would break interarea design. Reference topics: IS-IS hierarchy, Level 1, Level 2, Level 1/2 routers, failure-domain containment, enterprise scaling.

L2VPN is the correct technology because the requirement is for two remote offices to share a common broadcast domain across a private WAN with minimal overhead. A Layer 2 VPN service extends Ethernet or VLAN connectivity between customer sites while keeping the customer routing design independent of the provider core. From the customer perspective, the two sites can appear to be on the same Layer 2 segment, which satisfies the shared broadcast-domain requirement. GET VPN, IPsec, and GRE are Layer 3-oriented technologies. They can connect sites securely or provide tunneling, but they do not natively create a common Layer 2 broadcast domain between the offices. GRE also adds additional encapsulation overhead, and IPsec alone generally provides encrypted routed connectivity rather than an Ethernet service. For a simple direct logical path over a private WAN, an L2VPN service such as VPWS or VPLS is the appropriate design family. Reference topics: L2VPN, VPWS, VPLS, Ethernet WAN services, broadcast-domain extension, private WAN connectivity.

BIDIR-PIM is the correct multicast mode for a video conferencing environment with numerous dispersed senders and receivers. Bidirectional PIM is designed for many-to-many multicast applications where receivers may also transmit and where maintaining per-source trees would create unnecessary state and control-plane overhead. Instead of building a shortest-path tree for every source, BIDIR-PIM uses a shared tree rooted at the rendezvous point and forwards traffic bidirectionally. This makes it attractive for collaborative applications and conferencing scenarios with many active participants. MP-BGP can carry multicast VPN or multicast routing information in service-provider designs, but it is not itself the multicast forwarding mode for this requirement. MSDP is used to exchange source information between PIM-SM domains, not to optimize many-to-many forwarding within the multicast design. IGMPv2 handles host membership signaling on local segments and does not provide the routed multicast mode. Reference topics: BIDIR-PIM, many-to-many multicast, shared tree, video conferencing multicast, PIM design.

A logical topology that virtually connects devices over an arbitrary physical network is an overlay. In Cisco SD-Access, the underlay provides basic IP reachability between fabric nodes, while the overlay creates the logical network used by endpoints, virtual networks, and policy segmentation. The overlay is not constrained to the exact physical cabling topology; instead, it uses encapsulation and control-plane mapping to carry user traffic across the routed fabric. Cisco SD-Access uses LISP in the control plane for endpoint-to-location mapping and VXLAN in the data plane for encapsulation. This allows the fabric to present consistent logical connectivity even when the physical network is built from routed links and different infrastructure layers. The data plane is the forwarding mechanism, the control plane resolves location information, and the underlay is the physical and routed transport. The logical topology built on top of those components is the overlay. Reference topics: Cisco SD-Access overlay, underlay, VXLAN, LISP, fabric logical topology.

Forward error correction and quality of service are the two listed techniques that directly improve application experience in a Cisco SD-WAN design. Forward error correction protects selected application traffic by sending recovery information so packet loss can be corrected without waiting for retransmission. That is especially useful for real-time voice and video traffic, where retransmission delay can degrade quality. QoS improves application treatment by classifying, marking, queuing, shaping, and prioritizing traffic according to business intent and application sensitivity. Cisco SD-WAN designs commonly combine application-aware routing, QoS, and loss-mitigation features to keep critical traffic on the best path and preserve service quality during congestion or impairment. A stateful firewall, AMP, and Cisco Umbrella improve security posture, but they do not primarily improve application experience in the forwarding-quality sense asked by the question. They may protect applications, but they do not directly address loss, delay, jitter, and congestion treatment. Therefore, FEC and QoS are the best answers. Reference topics: Cisco SD-WAN application experience, FEC, QoS, loss mitigation, real-time traffic handling.

LISP is the control-plane protocol responsible for Endpoint Identifier to Routing Locator mapping in Cisco SD-Access. In the SD-Access architecture, an endpoint address is treated as an EID, and the fabric node location is represented by an RLOC. The fabric control-plane node performs LISP map-server and map-resolver functions so edge nodes can register local endpoints and resolve the current location of remote endpoints. This separation allows the overlay to support host mobility, anycast gateway behavior, and segmentation without depending only on traditional subnet-bound forwarding. VXLAN is the fabric data-plane encapsulation used to carry traffic across the fabric and preserve policy information, but it does not provide the EID-to-RLOC mapping function. CEF is the local forwarding mechanism inside Cisco devices, and GBAC is not the SD-Access mapping protocol. Therefore, LISP is the correct answer because it provides the SD-Access fabric control plane. Reference topics: Cisco SD-Access control plane, LISP, EID, RLOC, map-server, map-resolver.

Cisco SD-WAN detects subsecond transport failure by running BFD across the IPsec tunnels between WAN Edge routers. The WAN Edge devices form encrypted data-plane tunnels over each transport, and BFD probes those tunnels to measure liveliness, loss, latency, jitter, and path availability. When BFD detects a failed or degraded tunnel, the SD-WAN fabric can withdraw or avoid that path quickly, enabling application-aware routing and fast failover. Hellos between WAN Edge routers and vSmart controllers are control-plane mechanisms and do not directly detect data-plane transport failure between edge routers. BGP is not the SD-WAN overlay control protocol for this function; OMP is used with vSmart for overlay route and policy exchange. Link-state messages between vSmart controllers do not measure transport-path liveliness. Therefore, BFD on IPsec tunnels is the correct failure-detection mechanism. The design should ensure that BFD timers, tunnel scale, controller policy, and SLA classes are chosen to balance fast failover with platform resources and transport stability. Reference topics: Cisco SD-WAN BFD, IPsec tunnels, transport failure detection, application-aware routing, data-plane liveliness.

The fabric control plane in Cisco SD-Access creates and resolves endpoint-to-location mappings. SD-Access separates endpoint identity from physical topology by using LISP in the control plane. Endpoint addresses are treated as Endpoint Identifiers, and fabric node locations are represented by Routing Locators. When an endpoint appears on a fabric edge node, the edge registers that endpoint-to-edge binding with the control-plane node. When another edge needs to send traffic to that endpoint, it queries the control plane to resolve the current location and then uses the fabric data plane to encapsulate traffic toward the correct destination. Group-Based Access Control policy creation and enforcement involve Cisco ISE, security group tags, and policy components rather than the basic mapping purpose of the fabric control plane. BGP route reflection is not the SD-Access control-plane function, and extending multiple subnets to one RLOC is not the main purpose. Reference topics: SD-Access control plane, LISP, EID-to-RLOC mapping, endpoint registration, map resolution.

Route leaking on R13 and R9 is required so the Level 1 area can make a better exit decision toward the server. In an IS-IS hierarchy, Level 1 routers know detailed topology only inside their own area. For destinations outside the area, they normally follow the closest attached Level 1/Level 2 router, which can produce suboptimal latency when another exit has a better end-to-end path. Route leaking selectively injects more specific Level 2 reachability information into Level 1, allowing routers in the New Office area to evaluate a better path instead of blindly following the nearest attached-bit exit. Changing metric style on R8 alone does not import the external-area route information needed for better path selection. A static route could force a path but would not be a scalable dynamic IS-IS design. Making R8 Level 1/Level 2 does not solve the need to expose the relevant route through the correct area boundary. Reference topics: IS-IS Level 1 and Level 2, attached bit, route leaking, interarea optimization, latency-aware routing.

StackWise is the correct solution because the company needs more access ports while reusing the existing access-switch uplink capacity. Cisco StackWise allows multiple compatible Catalyst switches to operate as a single logical switching system, increasing access-port density without requiring each added switch to consume new uplink ports on the distribution layer. This fits the design constraint that the distribution switches have no available ports for additional uplinks, while current uplink bandwidth is not a bottleneck. VSS is normally used to combine two chassis-class switches into one logical system at the distribution or core layer; it is not the practical answer for expanding one floor’s access-port count from an existing access switch. EtherChannel aggregates physical links for bandwidth and redundancy, but it does not create additional access ports when no distribution ports are available. VDC is a Nexus virtualization construct and does not solve Catalyst access-port expansion. The correct operational design is to add a stack member and use the existing uplink design. Reference topics: Cisco StackWise, access-layer scalability, uplink preservation, Catalyst campus switching.

The primary HSRP device should use the preempt delay feature. When a failed primary distribution switch returns, HSRP preemption allows it to reclaim the active gateway role because it has the higher priority. However, routing protocols, trunks, line cards, FIB programming, or upstream convergence may not be fully ready at the instant HSRP becomes active again. If the device preempts too quickly, hosts forward traffic to a gateway that is not yet ready to forward all flows, causing temporary packet loss. Cisco HSRP preempt delay prevents immediate takeover by delaying preemption after reload or interface recovery, giving the switch time to rebuild control-plane and forwarding-plane state. Increasing hello timers slows failure detection and does not solve the premature takeover problem. Applying preempt delay to the backup device is not the issue because the returning primary is the device that reclaims active state. MAC refresh timers are not the primary mechanism for this condition. Therefore, the design should configure preempt delay on the primary HSRP device. Reference topics: HSRP preemption, preempt delay, gateway recovery, campus high availability, convergence coordination.

Bidirectional PIM is the best fit for this multicast design because the application is many-to-many and has a manageable but meaningful number of multicast sources. Cisco describes BIDIR-PIM as a multicast mode designed for many-to-many applications where sources and receivers can be widely distributed. Unlike classic PIM sparse mode, BIDIR-PIM does not build source-specific shortest-path trees for each active source. Instead, traffic uses a shared bidirectional tree rooted at the rendezvous point, which reduces multicast state in the network and improves scale when many sources may send to the same group. Source-Specific Multicast is optimized for one-to-many distribution where receivers know the source and join an (S,G) channel; it is not the natural many-to-many choice. Any Source Multicast can support many-to-many traffic but usually creates more state because source trees may be built. Multicast VPN is a transport/service architecture, not the specific multicast mode requested. Reference topics: BIDIR-PIM, many-to-many multicast, shared trees, RP-based forwarding, multicast state scaling.

BFD with default BGP timers is the best design choice because it improves failure detection without forcing BGP itself to run aggressive keepalive processing. Cisco documentation describes BFD as providing fast forwarding-path failure detection and notes that BFD can be less CPU-intensive than reduced EIGRP, BGP, and OSPF timers because parts of BFD can be distributed to the data plane. Lowering BGP keepalive and hold timers makes the BGP process detect failure sooner, but it increases control-plane activity and can create instability at scale. Tuning the BFD multiplier to an extreme value such as 50 is also counterproductive because it lengthens detection rather than improving it, depending on the interval used. The correct approach is to leave normal BGP timers in place and bind BGP neighbor fall-over to BFD. When the forwarding path fails, BFD notifies BGP quickly, allowing the route to be withdrawn and an alternate provider path to be selected faster without unnecessary BGP timer churn.

Explicit QoS trust should be configured at the network boundary points where markings first enter the managed DiffServ domain and are known to be reliable. In a DiffServ design, traffic classification and marking are typically performed at the access edge or at a controlled ingress boundary, and downstream devices then honor DSCP or CoS markings based on the trust boundary. Cisco QoS design stresses that the trust boundary must be intentionally placed; endpoints or unmanaged devices should not be trusted by default because they can mark traffic incorrectly and steal priority treatment. The exhibit answer identifies B and E as the correct trust points, meaning those are the controlled ingress locations where markings should be accepted. Options that trust uncontrolled endpoint-facing points or internal transit locations would either create a security problem or add no practical value. Once traffic is trusted and marked at the correct boundary, queuing, policing, and shaping policies can use the DSCP values consistently across the campus or WAN. Reference topics: DiffServ, QoS trust boundary, DSCP marking, classification, enterprise QoS design.

The best design is the option that prefers ISP-1 for both outbound and inbound traffic while keeping ISP-2 available as a backup. For outbound traffic from the enterprise, local preference is the correct BGP attribute because it is evaluated inside the local AS and higher local preference wins. R1 should assign a high local preference to routes learned from ISP-1, while R2 should assign a low local preference to routes learned from ISP-2. For inbound traffic from the Internet toward the enterprise, AS-path prepending is the practical signal sent to external networks. Advertising routes to ISP-1 with no prepending and routes to ISP-2 with five prepends makes the ISP-1 path look shorter and therefore more attractive. The R1-to-R2 internal advertisements should not be blocked by NO-ADVERTISE because each edge router must still share reachability internally for failover. Option B matches these controls without unnecessarily suppressing routes between the edge routers. Reference topics: BGP local preference, AS-path prepending, active/backup Internet design, inbound and outbound path control.

A dual-homed Internet design with a single edge router and site-to-site VPN topology best matches the stated cost and flexibility requirements. The customer needs redundant WAN links, has a limited budget, wants easy future bandwidth increases, and does not require consistent end-to-end QoS on the branch routers. Internet circuits are typically less expensive and easier to upgrade than MPLS access circuits, making them appropriate for small to medium-sized remote branches when strong QoS guarantees are not required. A single edge router also reduces hardware cost and operational complexity compared with dual edge routers. WAN MPLS designs can provide stronger service-level guarantees and QoS treatment, but they are more expensive and less flexible for rapid bandwidth upgrades. A design with dual edge routers improves device redundancy but conflicts with the limited-budget condition. Therefore, a dual-homed Internet solution using a site-to-site VPN overlay is the most appropriate option. The architect should still validate encryption requirements, failover behavior, routing preference, and whether the Internet underlay can meet application performance expectations. Reference topics: branch WAN design, dual Internet connectivity, site-to-site VPN, cost-driven WAN selection.

Switch D should be the VLAN 10 primary root, Switch C should be the VLAN 10 secondary root, and link A should remain a Layer 2 trunk. The requirements say VLANs span multiple access switches and all VLANs are trunked on all uplinks. In that design, the distribution interswitch link must remain Layer 2 so the VLAN can exist consistently across the access layer. For fastest and most deterministic Rapid PVST+ convergence, the spanning-tree root bridge should align with the active first-hop gateway for the VLAN. In the exhibit, Switch D is the active gateway for VLAN 10, so making Switch D the primary STP root avoids unnecessary traffic tromboning and keeps the forwarding path optimal. Switch C becomes the secondary root for resiliency. A Layer 3 routed interdistribution link is a best practice when VLANs are not stretched, but it contradicts the stated requirement that VLANs span access switches. Reference topics: Rapid PVST+, STP root placement, FHRP alignment, Layer 2 campus distribution, VLAN spanning design.

Cisco SD-WAN uses the Overlay Management Protocol to exchange control-plane information between WAN Edge routers and vSmart controllers. OMP advertises three major categories of routing information: OMP routes, TLOC routes, and service routes. OMP routes represent reachability to prefixes in service VPNs, such as connected, static, OSPF, EIGRP, BGP, or other routes learned at the local site. TLOC routes describe transport locations, which bind a system IP, color, and encapsulation to a WAN transport attachment. Service routes indicate service insertion capabilities, such as firewalls or other network services that can be reached through a particular site. This separation allows Cisco SD-WAN to build a secure overlay over any public or private transport while keeping transport reachability, service-side prefixes, and inserted services distinct. The other answer choices use generic terms such as underlay, MPLS, Internet, backup, or primary routes, but those are not the formal OMP advertisement categories. Therefore, the correct answer is prefix, TLOC, and service.

The No-Export community is the appropriate filtering mechanism when a design must prevent an autonomous system from becoming an unintended transit path. In a multihomed BGP design, a customer AS can accidentally advertise routes learned from one provider to another provider. If that happens, external traffic may cross the customer network to reach destinations beyond it, making the customer a transit AS. Applying No-Export to the appropriate learned or advertised routes instructs the receiving AS not to advertise those routes outside its own AS boundary. This helps contain route propagation and prevents third parties from learning paths through AS64512. Maximum-prefix protects a router from receiving too many routes; it is not a transit-prevention policy. No-advertise is more restrictive and prevents advertisement to all peers, which may break required internal or provider reachability. Next-hop is a path attribute used for reachability and path selection, not a route-leak prevention mechanism. In production, No-Export should be combined with explicit prefix filters so policy does not depend on community handling alone. Reference topics: BGP No-Export, transit AS prevention, route-leak control, BGP communities, multihoming.

EIGRP stub routing is designed to prevent remote or spoke routers from being used as transit routers. In a hub-and-spoke or dual-homed remote design, a stub router advertises only the route types permitted by its stub configuration, such as connected or summary routes, and it is not queried for routes that it cannot reasonably provide. This reduces EIGRP query scope and helps avoid stuck-in-active conditions. The tradeoff is that the network must not depend on a stub site to carry transit traffic between other parts of the topology. In this scenario, the spoke nodes are configured as EIGRP stubs. When the direct R1-to-R2 link fails, R1 cannot use the alternate path through the other spoke-side topology as a transit path to reach a subnet attached to R2. The EIGRP stub design prevents the route from being advertised in a way that would make the spoke act as a transit router. As a result, R1 has no valid route to R2 ' s attached subnet and drops the traffic. This behavior is consistent with the purpose of EIGRP stub routing.

MSTP is the correct spanning-tree choice for a Layer 2 design with many logical ports, multiple trunked VLANs, and a subsecond convergence requirement. Rapid PVST+ provides rapid convergence, but it creates a separate spanning-tree instance for every VLAN. With 30 VLANs on trunks and hundreds of active ports, the number of logical STP ports can grow quickly and increase CPU and memory load. MSTP maps many VLANs into a smaller number of spanning-tree instances while still using rapid convergence behavior based on IEEE 802.1w principles. This makes it more scalable for large Layer 2 domains than PVST+ or Rapid PVST+ when many VLANs are present. CST provides a single instance but lacks the flexibility and convergence characteristics expected in modern enterprise designs. The design needs both scalability and fast convergence, and MSTP is the standards-based protocol that best satisfies both requirements. Reference topics: MSTP, Rapid STP, logical STP ports, VLAN-to-instance mapping, Layer 2 scalability, convergence.

An SD-Access intermediate node routes and transports IP traffic between fabric nodes. It is part of the underlay transport path, comparable to a routed distribution or core device that provides IP reachability between edge, border, and control-plane nodes. Intermediate nodes do not perform endpoint registration, VXLAN encapsulation for attached users, virtual-network mapping, or anycast gateway services. Those functions belong primarily to fabric edge nodes. They also do not act as LISP proxy tunnel routers, which is a border-node function used for communication between the fabric and external networks. The intermediate node’s role is deliberately simple: maintain underlay routing, provide resilient transport, and forward encapsulated traffic across the fabric infrastructure. This separation of roles is what lets Cisco SD-Access scale by keeping endpoint intelligence at the edge and mapping intelligence in the control plane while the intermediate layer remains a stable IP transport network. Reference topics: SD-Access intermediate node, routed underlay, IP transport, fabric roles, edge and border node separation.

Dual stack is the migration topology that supports IPv6 while preserving existing IPv4 services during the transition. In a dual-stack design, hosts and network devices run IPv4 and IPv6 in parallel, allowing applications and services to move gradually from IPv4 to IPv6 without forcing an immediate cutover. That matches the customer’s plan: keep the current IPv4 topology and services, introduce IPv6 connectivity, migrate services, and eventually decommission the IPv4 topology. 6VPE is used to carry IPv6 VPN routes across an MPLS IPv4 provider core, which is a service-provider VPN use case rather than a general enterprise migration topology. 6to4 is an automatic tunneling mechanism and is not appropriate as a stable enterprise migration plan. NAT64 enables IPv6-only clients to reach IPv4 resources through translation, but it does not preserve the complete IPv4 topology while services migrate. Cisco migration guidance treats dual stack as the cleanest operational model when infrastructure supports both protocols, because it avoids translation side effects and allows DNS and application behavior to determine which protocol is used.

Ethernet Local Management Interface is used between the customer edge and provider edge to communicate service status information for Ethernet services. Under MEF Ethernet service operations, E-LMI provides the CE with information about Ethernet Virtual Connection status, including whether a configured EVC is available or unavailable. This allows the customer device to react to a provider-side service condition without relying only on physical link state. The CE-to-PE link can remain physically up even while the provider EVC is down; E-LMI closes that operational visibility gap by reporting the EVC state to the customer edge. It is not a routing protocol and does not broadcast multicast routes from the CE to the PE. It also does not broadcast to all subnets when an EVC is added. The key function defined by the MEF process is notifying the CE of EVC availability state and related service information. Reference topics: Metro Ethernet, E-LMI, Ethernet Virtual Connection, CE-to-PE signaling, MEF service operations.

The selected command pair is appropriate because the issue is that GigabitEthernet0/2 on SW2 is not becoming the root port as expected. In spanning-tree design, the root port is selected based on the lowest root path cost, then upstream bridge ID, then port ID when necessary. If the wrong port is selected, the engineer must adjust the local spanning-tree parameters on SW2 so that the intended interface has the best path toward the root bridge. Typical corrective commands lower the spanning-tree cost or set the port priority on the desired interface or VLAN instance. The correct answer pair is therefore the combination that changes the STP decision variables for Gig0/2 rather than changing unrelated features such as PortFast, BPDU Guard, or VLAN trunking. PortFast is unsafe on switch-to-switch links, and protection features do not make an interface more attractive as a root port. The fix must influence STP path selection while keeping the topology loop-free. Reference topics: STP root port election, path cost, port priority, root bridge path selection, Catalyst Layer 2 troubleshooting.

The correct overlay considerations are that virtual networks provide data-plane isolation and that overlapping IP addresses should be avoided for operational simplicity. In Cisco SD-Access, virtual networks are used for macro segmentation and are commonly mapped to VRFs. This separates routing and forwarding tables between major groups such as corporate users, guests, IoT, and shared services. Security Group Tags provide finer policy control and microsegmentation, but they are not the primary mechanism for data-plane isolation between virtual networks. The phrase “virtual networks should be used for microsegmentation” is therefore inaccurate; microsegmentation is SGT and SGACL driven. Although overlapping IP addresses can technically exist in separate VRF-like contexts, Cisco design practice discourages unnecessary overlap because it complicates troubleshooting, service insertion, external connectivity, and inter-VN communication. A clean overlay address plan improves operations and reduces policy ambiguity. Reference topics: SD-Access overlay design, virtual networks, macro segmentation, SGTs, microsegmentation, overlapping IP avoidance. This also simplifies day-two operations.

The correct BGP design is to attach the well-known No-Export community to the prefixes that should not be advertised beyond the service provider boundary. Cisco BGP communities are policy attributes that allow routes to carry instructions or classifications across BGP peers. The No-Export community tells a receiving BGP speaker not to advertise the route outside its confederation or autonomous system. That behavior is exactly what is needed when branch prefixes may be exchanged with the provider but must not be propagated to the public Internet. The No-Advertise community is stronger: it prevents the route from being advertised to any BGP peer, which may block reachability even where the provider still needs to know the route. NOPEER is used for route-server or peering policy control and is not the clean answer for excluding branch prefixes from Internet propagation. Setting a generic “Internet community” is not a standard solution by itself. The architect should also ensure that outbound prefix filters and provider-side community support are documented in the service agreement. Reference topics: BGP communities, No-Export, No-Advertise, provider edge filtering, Internet route policy.

A single VPLS instance is the correct Layer 2 VPN design because the customer requires service-provider transparency and direct communication between CE routers attached to the same VLAN. Virtual Private LAN Service provides a multipoint Ethernet LAN service across a provider MPLS or IP backbone. To the customer, the provider network behaves like a transparent Layer 2 switching domain, allowing CE devices in the same VLAN to communicate directly at Layer 2. VPWS is point-to-point, so multiple VPWS circuits would be required to approximate multipoint connectivity, and the design would not provide the same transparent shared LAN behavior. Multiple VPLS instances are unnecessary when the requirement is a single VLAN or single broadcast domain. VPLS also hides provider devices from the customer Layer 2 service view while allowing MAC learning and forwarding across the provider edge. Reference topics: VPLS, Layer 2 VPN, multipoint Ethernet service, CE transparency, VLAN extension, service provider WAN design.

An on-change telemetry subscription is the best solution when the team needs device state data while limiting impact on the device. With periodic telemetry, the device sends subscribed data at a configured interval regardless of whether the value has changed. For state such as shared memory utilization, aggressive periodic polling or streaming can create unnecessary CPU, memory, and bandwidth overhead, especially at scale. On-change telemetry sends an update only when the subscribed data changes, or when a relevant event occurs according to the model and platform behavior. This reduces needless data transmission while still providing timely visibility into meaningful state changes. IPFIX is designed for flow information and traffic accounting rather than detailed device state telemetry. Static telemetry is not the best characterization of the efficient event-driven behavior required here. A periodic subscription can provide the data, but it continuously streams updates and therefore has greater device and collector impact. Cisco model-driven telemetry design favors on-change subscriptions when the operational requirement is state awareness with minimal repeated polling.

A dedicated management VRF is the correct feature when management protocols must traverse the production network but remain logically separated. The question describes in-band management because SSH, NTP, FTP, and SNMP are carried over the production network rather than over a separate physical console or out-of-band network. The design still requires routers and switches across different networks to be managed securely. A management VRF gives the management plane its own routing table, allowing the engineer to restrict management reachability, apply separate routing, and keep management traffic from leaking into user or service forwarding paths. Management Plane Protection can restrict which interfaces accept management-plane traffic, but it does not by itself provide separate routing across different networks. A terminal server or dedicated console connection is an out-of-band operational tool, not the production-network management design requested here. A dedicated management VRF per device is therefore the correct feature. Reference topics: in-band management, management VRF, SNMP and SSH reachability, management-plane segmentation, enterprise operations design.

Making R2 active for half of the VLANs improves utilization by distributing first-hop gateway forwarding across both core routers. HSRP provides default-gateway redundancy by making one router active and another standby for a VLAN. If the same router is active for every VLAN, traffic from all downstream VLANs is forwarded through the same core path, which can leave some interfaces congested while parallel links on the standby side remain underused. Cisco campus designs commonly tune HSRP priorities per VLAN and align the active HSRP gateway with the spanning-tree root for that VLAN. This creates a deterministic load-sharing model while preserving gateway redundancy. Adding more interfaces may help capacity, but the question states that some downstream interfaces are already underutilized, so the issue is load distribution rather than absolute port count. A port channel is useful only when the topology supports bundling the specific links and does not by itself move gateway activity. RSTP improves convergence, not HSRP forwarding balance. Reference topics: HSRP load sharing, per-VLAN gateway placement, STP root alignment, campus capacity design.

The SD-WAN onboarding sequence follows the controller trust and overlay-establishment workflow. A WAN Edge device first obtains basic reachability information through manual bootstrap, ZTP, or PnP-style provisioning so it can reach the orchestration components. It then establishes secure control connectivity to the orchestrator and validates identity through the certificate and authorized serial number information. After orchestration, the device forms the required secure control connections to the management and control-plane components, receives its configuration, and participates in OMP route exchange. Finally, the WAN Edge builds encrypted data-plane tunnels to other WAN Edge devices based on the TLOC and policy information learned through the control plane. This order matters because the device cannot exchange overlay routes or build data-plane IPsec tunnels until it is authenticated and authorized in the SD-WAN fabric. Cisco SD-WAN designs rely on this sequence to support zero-touch deployment, centralized policy, and secure fabric admission. Reference topics: Cisco SD-WAN onboarding, vBond orchestration, certificate validation, OMP, TLOC exchange, data-plane tunnel establishment.

The correct get-config reply is the one that shows OSPF process ID 200 and the network 172.16.10.128/26 assigned to Area 0 in the same YANG model hierarchy that was used for configuration. In model-driven configuration, verification is not based on visual similarity to CLI output; it is based on whether the operational or running datastore contains the intended structured objects at the correct schema paths. For IOS XE native OSPF configuration, the process identifier, network statement, wildcard or prefix representation, and area association must be represented exactly as the model requires. A /26 network beginning at 172.16.10.128 covers addresses 172.16.10.128 through 172.16.10.191, so replies showing a different base network, wrong process ID, wrong area, or invalid mask cannot verify the design. Option A is the matching reply. The professional validation workflow is to send the configuration, read back the intended datastore using get-config, and confirm the model fields rather than relying only on CLI screen output. Reference topics: NETCONF get-config, IOS XE native OSPF YANG, datastore verification, OSPF area configuration.

LFA FRR is the correct improvement because it gives OSPF a precomputed repair path instead of waiting for normal SPF reconvergence after a component failure. Cisco describes OSPF LFA Fast Reroute as using a precomputed alternate next hop to reduce failure reaction time when the primary next hop fails. The forwarding plane can move traffic to the alternate path while the control plane reconverges, which directly addresses the short outage described in the question. Incremental SPF reduces CPU impact by recomputing only the affected part of the SPF tree, but it still relies on the post-failure SPF process. BFD detects a failure quickly, but by itself it does not install a loop-free repair path. Aggressive timers also improve detection but increase control-plane sensitivity and do not provide local repair. In an enterprise OSPF design where the complaint is outage during recomputation, LFA FRR is the stronger availability mechanism. Reference topics: OSPF Loop-Free Alternate, IP Fast Reroute, SPF convergence, local repair paths, routed resiliency.

The correct code snippet must use a secure HTTPS-based RESTCONF transaction with the YANG JSON media type. The requirement explicitly states that the content type is application/yang-data+json and that the connection to the network device must be secured. In Cisco IOS XE programmability, RESTCONF uses HTTP methods against YANG-modeled resources, and secure deployments use HTTPS rather than clear-text HTTP. A loopback interface with address 172.16.15.12/32 would be configured by sending a JSON payload that follows the selected YANG model structure, commonly an IETF or Cisco native interface model, with the correct content-type and authentication headers. The key security indicator in the option must therefore be HTTPS/TLS, not an insecure HTTP URL or a non-YANG content type. NETCONF over SSH would also be secure, but the stated content-type points to RESTCONF with JSON encoding. Option A is the valid snippet because it aligns the payload format with a secure transport. Reference topics: RESTCONF, YANG JSON encoding, application/yang-data+json, HTTPS, IOS XE programmability.

Implementing network summarization on the edge routers is the correct EIGRP design action to reduce query range and improve convergence. In EIGRP, when a route is lost and no feasible successor exists, DUAL sends queries to neighbors. If the network is large or poorly summarized, those queries can propagate widely and increase convergence time. Hierarchical addressing allows each office or edge block to advertise a summary instead of many specific prefixes. If a specific subnet inside an office fails, the summary can remain stable toward the rest of the network, preventing the failure from triggering unnecessary queries across the dark-fiber interoffice topology. Stub routing can also reduce query scope, but the option says to configure stub areas on non-edge routers, which is not the right EIGRP terminology or placement. Different EIGRP processes add redistribution complexity, and route filtering alone does not provide the same clean convergence boundary as summarization. Reference topics: EIGRP summarization, DUAL query scope, hierarchical addressing, convergence optimization, dark-fiber campus routing.

StackWise Virtual is the correct technology for Cisco Catalyst 9500 aggregation switches when the design requires nonblocking Layer 2 multichassis EtherChannel from aggregation to access. The question specifically describes Catalyst 9500 switches located on different floors for availability, with access switches dual-homed through a Layer 2 MEC design. Traditional VSS was used on older Catalyst platforms such as Catalyst 4500 and 6500 families. For Catalyst 9000 platforms, Cisco uses StackWise Virtual to virtualize two physical switches into a single logical switching system. This enables multichassis EtherChannel, removes the need for STP to block one uplink, improves convergence, and provides device-level redundancy. vPC is a Nexus data-center technology, not a Catalyst campus aggregation technology. StackWise-180 refers to physical stack bandwidth behavior on specific access platforms and does not provide the same distributed campus aggregation function. Therefore, the design should use StackWise Virtual on the Catalyst 9500 aggregation pair. Reference topics: Catalyst 9500, StackWise Virtual, multichassis EtherChannel, campus aggregation, Layer 2 resiliency.

Class selector code points provide backward compatibility between IP Precedence and DiffServ. IP Precedence uses the three most significant bits of the former Type of Service field. DiffServ expands QoS marking by using the six-bit DSCP field, but class selector values preserve compatibility by setting the three high-order bits to match the corresponding IP Precedence value while leaving the lower bits as zeros. For example, CS3 corresponds to the old precedence value 3, and CS6 corresponds to precedence 6. This allows devices that still interpret IP Precedence to provide broadly consistent treatment while newer DiffServ-aware devices can use DSCP-based policy. Expedited forwarding is used for low-loss, low-latency traffic such as voice. Assured forwarding provides drop precedence within classes. Default per-hop behavior represents best-effort treatment. None of those are specifically the backward-compatibility mechanism for migration from IP Precedence. Therefore, the design should include class selector code points during the transition to DiffServ. Reference topics: DiffServ, DSCP, class selector, IP Precedence compatibility, QoS marking migration.

The main purpose of the Cisco SD-Access overlay design is to enable the virtualized fabric services that run over the physical underlay. Cisco describes the overlay as the logical network created on top of the routed underlay, using virtual networks to provide segmentation and policy separation. SD-Access uses LISP for endpoint-to-location mapping and VXLAN for data-plane encapsulation, allowing Layer 2 and Layer 3 services to be delivered across a stable Layer 3 transport. Option C is the best available answer because the overlay exists to integrate and carry SD-Access services such as virtual networks, endpoint mobility, macrosegmentation, and security group policy. Simplified troubleshooting and visibility are management and assurance outcomes, not the overlay’s main technical purpose. High availability depends on the underlay topology, node redundancy, and control-plane design, but it is not the primary definition of overlay design. Reference topics: SD-Access overlay, virtual networks, LISP, VXLAN, segmentation, fabric services.

The design must influence how EIGRP-learned routes are injected into the OSPF domain, so R2 should redistribute EIGRP into OSPF as metric-type E1 and R3 as metric-type E2. Cisco OSPF documentation distinguishes external Type 1 and Type 2 routes. An E1 route includes the external cost plus the internal OSPF cost to reach the ASBR, while an E2 route uses only the external metric. Cisco path selection prefers O E1 over O E2 for the same external destination. Therefore, making R2 advertise the EIGRP routes as E1 causes OSPF routers to prefer R2 as the exit toward the EIGRP domain. Option C adjusts OSPF-to-EIGRP redistribution, which is the wrong direction for traffic passing toward EIGRP from OSPF. Removing redistribution on R3 would reduce redundancy. Option D reverses the preference and would favor R3. Reference topics: OSPF external route types, EIGRP-to-OSPF redistribution, ASBR preference, E1 versus E2 metrics.

The company must prevent itself from advertising routes learned from one ISP to the other ISP. If it receives full Internet tables from both providers and then re-advertises those learned prefixes, it can unintentionally become a transit autonomous system. The proper BGP design is to apply outbound route policy so only the company’s own originated prefixes are advertised to the ISPs, while routes learned from ISP1 are never advertised to ISP2 and routes learned from ISP2 are never advertised to ISP1. A route map or equivalent prefix filtering policy applied outbound to the ISP neighbors achieves that goal. Local preference influences outbound path selection inside the company AS; it does not prevent transit advertisements. MED influences how a neighboring AS may enter the company network, but it does not stop the company from advertising third-party routes. Tagging incoming routes with no-export is not as deterministic as simply filtering what is advertised to each provider and may still allow undesirable routing behavior within the directly connected provider. Therefore, the design should include outbound route filtering with a route map.

VPN 0 is the transport VPN in Cisco SD-WAN. It carries control traffic and provides connectivity from WAN Edge routers toward the transport networks, such as MPLS, Internet, LTE, or other WAN services. Control connections to Cisco SD-WAN controllers are established through transport interfaces that belong to VPN 0. Data VPNs carry service-side user traffic and are separate from the transport VPN. VPN 512 is commonly used for out-of-band management, not for carrying overlay control connections. VPN 128 and VPN 256 are not the reserved transport VPN identifiers. The design importance is that VPN 0 must have correct addressing, color assignment, routing reachability, NAT traversal considerations, and certificate-based controller connectivity. If VPN 0 is misdesigned, the WAN Edge cannot establish stable control connections, cannot receive OMP routes and policies, and cannot build the secure overlay properly. Therefore, VPN 0 is the correct transport VPN for underlay control traffic. Reference topics: Cisco SD-WAN VPN 0, transport VPN, control connections, WAN Edge onboarding, overlay formation.

The correct policy is to prepend the AS path on the nonpreferred advertisement for each prefix. For inbound BGP traffic engineering, the enterprise normally influences remote autonomous systems by changing attributes that those systems see when selecting a path. AS-path prepending makes a route appear less attractive by adding repeated instances of the local AS number to the AS path. In this design, network 10.1.1.0/24 should enter through R3-R1, so R2 must advertise that prefix with a prepended AS path to make the R4-R2 path less preferred unless the primary path fails. Conversely, network 10.1.2.0/24 should enter through R4-R2, so R1 must advertise that prefix with prepending to make the R3-R1 path less preferred. This creates inbound load sharing while preserving failover because the prepended route remains available as a backup. Local preference affects outbound path selection inside the local AS, not inbound selection by the provider. Reference topics: BGP traffic engineering, AS-path prepending, inbound path control, prefix-specific policy, multihomed WAN design.

The border node provides connectivity between the SD-Access fabric and networks external to the fabric. In Cisco SD-Access, fabric edge nodes connect endpoints, intermediate nodes provide underlay transport, and control-plane nodes maintain endpoint-to-location mappings. Border nodes sit at the boundary of the fabric and connect the overlay to external Layer 3 networks such as WAN, data center, Internet edge, shared services, or other fabrics. They de-encapsulate VXLAN traffic leaving the fabric and advertise or import reachability using VRFs and routing protocols. A border can be internal, external, or anywhere border depending on whether it connects to shared services, outside networks, or both. Intermediate nodes do not provide external fabric exit; they only transport traffic within the underlay. Edge nodes connect endpoints but are not normally the external gateway for the whole fabric. Control-plane nodes provide mapping services, not external connectivity. Reference topics: SD-Access border node, fabric exit, VRF mapping, external connectivity, overlay-to-underlay boundary.

BFD is the correct mechanism for sub-second failure detection. The question describes unequal failover behavior when an interface on an ISP router toward the campus fails. In many WAN and Internet edge designs, BGP timers or next-hop tracking may not react fast enough when the physical failure is not directly visible to the customer router. Cisco defines Bidirectional Forwarding Detection as a lightweight protocol that provides rapid forwarding-path failure detection independent of the routing protocol timers. When BFD is associated with BGP, OSPF, EIGRP, or static routing, the routing process receives failure notification quickly and can withdraw or replace the route without waiting for longer protocol hold timers. Aggressive timers can improve reaction time but increase session churn and CPU load. Next-hop address tracking improves BGP response when next-hop reachability changes, but it is not the most precise sub-second detection tool. Graceful restart is intended to preserve forwarding during control-plane restart, not detect failures faster. Reference topics: BFD, WAN edge resiliency, BGP failure detection, sub-second convergence.

The drag-and-drop mapping identifies which elements belong to each model-driven protocol or data-modeling mechanism. Cisco programmability designs distinguish the data model, the encoding, and the transport protocol. YANG defines the structure of configuration and operational data. NETCONF commonly uses XML encoding and provides transactional operations such as get-config, edit-config, lock, and commit-like workflow depending on platform support. RESTCONF exposes YANG-modeled data through HTTP methods and typically uses URI-based resources with XML or JSON encoding. gRPC and gNMI are commonly used for efficient telemetry or operational data streaming, with protocol buffers often used for serialization. The selected mapping follows those protocol boundaries rather than mixing model structure with transport behavior. In design work, this matters because the same network feature can be represented by a YANG model but accessed through different protocols, each with different capabilities, security requirements, and operational semantics. Correctly matching elements to protocols avoids invalid payloads and broken automation workflows. Reference topics: YANG, NETCONF, RESTCONF, gRPC, gNMI, XML and JSON encoding, model-driven telemetry.

Both WAN routers should run OSPFv2. The requirement explicitly says that the routing protocol must be open standard, provide high availability, and offer fast convergence. OSPF is an open-standard link-state routing protocol and is broadly supported across vendors. It builds a link-state database, calculates best paths with SPF, supports equal-cost multipath, and can be tuned with BFD, SPF throttling, LSA throttling, and hierarchical areas for resilient enterprise WAN designs. EIGRP is fast and operationally efficient in Cisco-only environments, but it is not the best answer when the requirement emphasizes an open-standard routing protocol. Running OSPFv2 on one router and OSPFv3 on another is invalid for a single IPv4 routing design because they would not form the intended common routing domain. Mixing IS-IS and OSPFv3 also fails the requirement for a unified design between the redundant routers. Therefore, both routers should run OSPFv2. Reference topics: OSPFv2, open-standard routing, WAN routing high availability, link-state convergence, ECMP and BFD integration.

VRRP advertisements are sent by the current master router and include priority information used by the backup routers to evaluate mastership. In VRRP, the master is the router actively forwarding for the virtual IP address. Backups listen for advertisements; if advertisements stop, the backup with the highest effective priority can become master. This is why the statement that advertisements are sent only from the master router is correct. The advertisement also carries priority information, which is used in election behavior and failover decisions. Standby or backup routers do not normally send VRRP advertisements while a master is active, so option A is incorrect. The default advertisement interval is not three seconds in standard VRRP behavior; three seconds is commonly associated with other first-hop redundancy defaults such as HSRP hellos. Although timer fields exist in protocol operation, the exam focus here is the master-only advertisement behavior and the priority carried in those advertisements. In campus gateway redundancy design, VRRP advertisements must be protected from loss or filtering because missed advertisements can cause unnecessary master transitions.

The correct subnet choice is 192.168.32.0/27. The design must support at least five subnets and at least 25 usable hosts per subnet from a /24 allocation. A /27 leaves five host bits, giving 32 total addresses and 30 usable host addresses after excluding the subnet and broadcast addresses. It also borrows three bits from the /24 host field, creating eight equal /27 subnets, which satisfies the requirement for at least five departmental networks. A /26 provides 62 usable hosts, but only four subnets inside a /24, so it fails the subnet-count requirement. A /25 provides only two subnets. A /28 provides enough subnets but only 14 usable host addresses, which fails the host requirement. Cisco subnetting guidance uses exactly this host-bit and prefix-length calculation model when selecting VLSM blocks. Reference topics: IPv4 subnetting, CIDR prefix length, host-bit calculation, VLSM design, private IPv4 addressing.

Manual underlay is the correct deployment approach for a brownfield SD-Access scenario. In a greenfield fabric, Cisco DNA Center LAN Automation can build the routed underlay by discovering devices, assigning addresses, and creating the required underlay adjacencies. Brownfield environments already have an installed campus network, addressing plan, routing policy, operational constraints, and production dependencies. Rebuilding that underlay automatically can introduce unnecessary disruption. Cisco SD-Access brownfield designs normally preserve and validate the existing routed underlay, then use Cisco DNA Center to discover devices and automate the fabric overlay, policy, and endpoint segmentation functions. Subnet stretching is not the required deployment model and can create operational complexity. Automated underlay and LAN automation are powerful when the physical network is being newly built, but they are not the safest default for an established production environment. A professional brownfield design should first confirm MTU, routing reachability, loopback advertisements, device support, and fabric readiness before onboarding nodes. Reference topics: SD-Access brownfield migration, manual underlay, Cisco DNA Center, LAN Automation, fabric readiness.

EIGRP and BGP are the two listed routing protocols that can support unequal-cost load balancing in Cisco enterprise designs. EIGRP performs unequal-cost load sharing by using the variance command. Feasible successor routes whose feasible distance falls within the variance multiplier can be installed alongside the successor route, provided they satisfy EIGRP loop-prevention rules. This allows traffic to use links with different composite metrics while still maintaining loop-free forwarding. BGP can also support unequal-cost distribution in specific designs, such as using BGP multipath features with additional bandwidth-based mechanisms or policy to influence traffic sharing across nonidentical paths. OSPF and IS-IS commonly support equal-cost multipath, but they do not natively perform EIGRP-style unequal-cost load balancing based on different path metrics. RIPng is also limited by hop-count behavior and is not used for unequal-cost multipath in this context. The correct design answer is therefore EIGRP and BGP. In production, the engineer must still validate hardware forwarding behavior, policy consistency, and whether the traffic-sharing method is per-flow or per-prefix.

An out-of-band management network best satisfies the requirement to grant and revoke administrative access, restrict management protocols, and limit exposure of management interfaces. Out-of-band management separates administrative traffic from the production data plane by using dedicated management interfaces, management switches, terminal infrastructure, or separate routing. This isolation improves security because a compromise or congestion event in the production network does not automatically provide access to device management planes. It also allows stronger access controls, protocol restrictions, logging, and administrative segmentation for SSH, NTP, FTP, and SNMP. In-band management uses the production network and is more exposed to outages or data-plane attacks. An enterprise internal private network is too vague and does not guarantee management-plane isolation. mGRE is a tunneling technique, not a complete management access architecture. A professional design should also include AAA, role-based authorization, ACLs, management VRFs where appropriate, logging, and monitoring. Reference topics: out-of-band management, management-plane security, AAA, access control, protocol restriction, network operations design.

L2VPN is the correct solution because the customer requires point-to-point connectivity while preserving existing VLAN infrastructure. Cisco describes Layer 2 VPN services as emulating Layer 2 connectivity across a provider IP or MPLS backbone, commonly through Ethernet pseudowires or VPWS. This allows sites such as dispersed data centers and a colocation facility to exchange Ethernet frames as if they were directly connected at Layer 2. The design is especially useful when data center synchronization, backup workflows, or application dependencies require VLAN continuity or minimal changes to existing addressing and routing. L3VPN would provide routed connectivity and VRF separation, but it would not preserve the VLAN-based service model. GRE would add an overlay tunnel but would not natively provide provider-managed Layer 2 service. DMVPN is designed for scalable Layer 3 IPsec/GRE overlays between branches, not for VLAN extension or point-to-point data center interconnect. Reference topics: L2VPN, VPWS, Ethernet pseudowire, VLAN extension, data center interconnect, WAN service design.

The correct solution is a management VRF with SSH keys for device access. A management VRF creates a separate routing and forwarding table for management traffic, keeping administrative reachability isolated from production and overlay routes. That directly satisfies the requirement that the overlay network must not cause routing issues and makes troubleshooting easier for operations teams because management reachability can be validated independently. Cisco VRF design uses separate routing tables to isolate traffic and can support overlapping addresses or independent routing policy. For secure device access, SSH with key-based authentication provides encrypted administrative sessions and stronger authentication than clear-text or password-only methods. Private VLANs and ordinary VLANs provide Layer 2 separation but do not create independent routing tables. TACACS+ and RADIUS are AAA systems; they are useful but do not define the management transport architecture. Separate physical interfaces can be useful out-of-band, but the best match for overlay isolation and operational simplicity is management VRF plus SSH keys. Reference topics: management VRF, secure device access, SSH public-key authentication, routing-table isolation, enterprise management design.

When eBGP neighbors share the same autonomous system number, normal BGP loop-prevention behavior can block route acceptance because the receiving router sees its own AS in the AS_PATH. Two BGP features address this design condition. The allow-as-in feature permits a BGP router to accept routes even when its own AS appears in the AS_PATH a configured number of times. This is often used in dual-homed or migration designs where the same customer AS appears at multiple sites. The as-override feature is typically used by a provider edge router to replace the customer AS in the AS_PATH with the provider AS before advertising the route to another customer site that uses the same AS. Together, these features allow successful route exchange in same-AS eBGP scenarios while preserving loop-prevention intent through controlled policy. Advertise-best-external influences advertisement of best external paths and does not solve same-AS rejection. Bestpath as-path ignore affects path selection, not route acceptance. Client-to-client reflection is an iBGP route-reflector behavior, not an eBGP same-AS solution.

The border node is part of the Cisco SD-Access overlay architecture. In the SD-Access fabric, the overlay consists of fabric roles and services that provide endpoint connectivity, segmentation, policy, and external reachability over the routed underlay. Border nodes connect the fabric overlay to external Layer 3 networks, shared services, WAN, Internet, or other fabric/transit domains. They perform the fabric boundary function, including routing between virtual networks and external routing domains as designed. Spine and leaf are generic data center or fabric topology terms and are not the named SD-Access fabric overlay roles in this question. Cisco DNA Center, now Cisco Catalyst Center, is central to management, automation, assurance, and policy deployment, but it is not itself an overlay forwarding component. The forwarding overlay is built from roles such as edge, border, control-plane, and intermediate nodes. Therefore, the correct component from the options is the border node. The design should select border placement based on external connectivity, scale, route control, redundancy, and whether the border is internal, external, or anywhere border. Reference topics: SD-Access overlay, border node, fabric roles, external connectivity, virtual networks.

The multicast Reverse Path Forwarding check is a loop-prevention mechanism. Cisco multicast forwarding does not forward traffic merely because the packet arrived on any multicast-enabled interface. Instead, the router checks whether the packet arrived on the interface that would be used to route traffic back toward the multicast source or, in shared-tree cases, back toward the rendezvous point. If the packet arrives on the expected reverse path, it passes the RPF check and can be replicated to the outgoing interface list. If it arrives on the wrong interface, it is dropped to prevent loops and duplicate packets. This supports a loop-free multicast distribution tree from sources to receivers. Auto-RP mapping agents, bootstrap messages, and RP-set discovery are separate rendezvous point distribution mechanisms; they are not the function of the RPF check. In enterprise designs with redundant links, asymmetric routing, or multiple equal paths, multicast RPF behavior must be reviewed carefully because unicast routing choices directly influence whether multicast packets are accepted or discarded. Reference topics: multicast RPF, PIM forwarding, loop prevention, outgoing interface list.

The drag-and-drop mapping is based on how Cisco differentiates YANG model families used for model-driven programmability. IETF models are standards-based and are intended for broad interoperability across vendors. They are the usual choice when the design priority is a consistent baseline for multivendor configuration or operational state. OpenConfig models are also vendor-neutral, but they are developed by the OpenConfig community and often provide an operationally consistent structure for telemetry and configuration across platforms. Cisco native models are vendor-specific models that expose detailed Cisco IOS XE, IOS XR, or NX-OS features, including capabilities that may not be represented in IETF or OpenConfig models. The design choice is therefore not simply “one model is always best.” It depends on whether the requirement prioritizes portability, abstraction, or complete Cisco feature coverage. For a standards-driven multivendor design, use IETF or OpenConfig where sufficient. For Cisco-specific device features, use Cisco native models. Reference topics: YANG models, IETF models, OpenConfig, Cisco native models, NETCONF/RESTCONF programmability.

Large EIGRP networks require careful hierarchy and query-boundary design. A structured hierarchical topology with route summarization is one of the most important scaling techniques because summarization reduces routing table size, hides topology changes, and limits the EIGRP query scope when failures occur. This improves convergence and reduces CPU and bandwidth consumption on routers that do not need detailed route visibility. Implementing multiple EIGRP autonomous systems can also be used as a scaling technique in very large designs because it creates administrative and query boundaries, although it introduces redistribution and policy complexity that must be controlled. Sub-second timers are not a primary scaling method; aggressive timers can increase control-plane load and do not reduce the size of the routing domain. Distribute lists can filter routes, but broad filtering alone is not the core scaling architecture for a network with more than 1000 routers. Modifying delay values influences metric calculation and path selection, not EIGRP domain scale. Therefore, the valid scaling techniques are structured hierarchy with summarization and, where justified, multiple EIGRP autonomous systems.

In-band management is the correct design because the management plan must reach all IP-enabled interfaces, and not every device has a dedicated management port. In-band management uses the production IP network for administrative access, allowing management stations to reach loopbacks, SVIs, routed interfaces, or front-panel interfaces through normal routing. Cisco management guidance distinguishes in-band management from out-of-band designs that depend on a separate physical management network or console path. Because the question requires reachability to all IP-enabled interfaces, in-band is the only listed model that naturally supports that scope. Security must still be enforced with encrypted protocols where supported, such as SSH and HTTPS, plus ACLs, AAA, and management-plane protection where appropriate. A terminal server provides console access, not routed IP management to every interface. A KVM server is a server-management tool, not a network-device management architecture. Out-of-band management is preferred for isolation, but it does not fit devices without dedicated management access. Reference topics: in-band management, secure management protocols, SSH, HTTPS, network management design.

The selected design is correct because the requirement describes a resilient campus architecture that must support the same VXLAN at any access-layer switch while maintaining fast convergence and high availability. In Cisco campus and data-center-style fabric designs, VXLAN provides network virtualization by carrying Layer 2 adjacency over a routed or resilient transport. The correct design must avoid a fragile single spanning-tree domain and must provide redundant forwarding paths so that an access switch or uplink failure does not isolate the VLAN or VXLAN segment. The selected option represents the design that meets those conditions by allowing the overlay segment to be extended consistently across access switches while keeping the underlay resilient. Designs that rely on a traditional Layer 2 tree, a single aggregation point, or blocked redundant links would not meet the high availability and fast convergence objectives. The important design principle is that VXLAN should ride on a stable, redundant transport and should not depend on large Layer 2 failure domains. Reference topics: VXLAN campus design, overlay networking, fast convergence, access-layer resiliency, high availability.

Graceful restart and nonstop forwarding designs depend on preserving forwarding continuity during a control-plane processor switchover. Cisco Stateful Switchover provides the mechanism for a standby route processor or supervisor to maintain synchronized state so it can assume control when the active processor fails. When SSO is combined with NSF or graceful restart capabilities in routing protocols, neighboring devices can continue forwarding traffic while the restarting device preserves or rebuilds control-plane adjacencies. Cisco Express Forwarding is required for fast data-plane forwarding, but CEF alone does not provide route processor state synchronization after processor failure. Virtual Switch System is a chassis or switching architecture that can provide high availability in certain campus designs, but it is not the required feature named by graceful restart recovery. Bidirectional Forwarding Detection is a failure-detection protocol used to detect path or neighbor failures quickly; it does not recover a failed processor. Therefore, the feature that must be incorporated for graceful restart recovery from processor failure is Stateful Switchover. In a resilient enterprise design, SSO, NSF, and protocol graceful restart are coordinated to reduce outage impact.

VRF-Lite with OSPF satisfies the requirements because it creates multiple isolated Layer 3 routing tables without requiring a service-provider MPLS core or specialized hardware. Each VRF has its own forwarding table, interfaces, and route exchange process, so overlapping IP address space can exist in different virtual networks. When communication between segments is required, the design can use controlled route leaking, a firewall, or a shared-services VRF. OSPF can run per VRF to exchange routes within each isolated segment using widely supported routing technology. VSS, vPC, and plain 802.1Q with HSRP can improve Layer 2 or device redundancy, but they do not provide independent Layer 3 routing tables with overlapping addressing. A multihop MPLS design can also support many VPNs, but it is more complex and beyond the stated need for widely available technologies without specialized equipment. VRF-Lite is therefore the correct enterprise campus segmentation choice. Reference topics: VRF-Lite, virtual routing and forwarding, inter-VRF routing, overlapping IP address support, campus segmentation.

A full-mesh topology best satisfies the requirement that devices make informed forwarding decisions, backup paths always exist, and suboptimal paths are used only after a failure. In a full mesh, each site or WAN node has direct connectivity to every other relevant node. This gives the routing protocol complete path visibility and allows traffic to use direct optimal paths under normal conditions. If a direct link fails, alternate paths remain available through other nodes, so the network can reroute without depending on a single hub. A hub-and-spoke design is simpler and less expensive, but spoke-to-spoke traffic must traverse the hub, which is suboptimal even during normal operation. A partial mesh can reduce cost but may still force some traffic over indirect paths when no direct connection exists. Clos is a data center fabric topology concept and is not the typical WAN topology answer here. The full mesh is the most resource-intensive design, but it best matches the stated forwarding and backup requirements. Reference topics: WAN topology, full mesh, path optimality, backup paths, routing convergence.

Dual stack is the correct IPv4 and IPv6 deployment strategy when the customer wants a straightforward design with no information hiding and no tunnel forwarding overhead. In a dual-stack deployment, routers, switches, servers, and clients run IPv4 and IPv6 simultaneously. Applications can select IPv4 or IPv6, typically based on DNS response and protocol availability, while the network forwards each protocol natively. This avoids the translation behavior of NAT64, where address information is hidden or converted between protocols. It also avoids GRE or other tunneling mechanisms, which add encapsulation overhead and operational complexity. LISP can provide location/identity separation and mobility, but it is not the simplest migration approach for native IPv4 and IPv6 coexistence. Dual stack is often the cleanest transition model when the infrastructure supports both protocols, because it permits gradual application migration without forcing all services through translators or tunnels. Reference topics: IPv6 migration, dual-stack deployment, NAT64, tunneling overhead, native IPv4 and IPv6 forwarding.

The design should use a scavenger queue for excessive or suspicious traffic and apply queuing on the access-to-distribution uplinks where congestion can occur. Cisco QoS campus design commonly uses a less-than-best-effort scavenger class to constrain traffic associated with worms, peer-to-peer applications, bulk background flows, or other nonbusiness traffic. Placing this traffic in a scavenger queue minimizes the bandwidth it can consume during congestion without harming real-time applications. Real-time voice or video traffic should be placed in a strict-priority queue so it receives low delay and low jitter treatment when links are congested. Applying queuing on access-to-distribution links is important because those uplinks are common campus congestion points, especially during bursts or abnormal traffic events. A shaping policy is not the right tool for campus LAN uplinks, and indiscriminate policing of real-time traffic can cause drops that damage voice and video quality. Reference topics: campus QoS, scavenger class, strict-priority queue, access uplink queuing, congestion management, worm mitigation.

Cisco SD-WAN WAN Edge devices can be brought into the overlay through automated zero-touch provisioning or through manual bootstrap configuration. Zero-touch provisioning allows a device to discover the SD-WAN controllers and receive the information needed to authenticate and join the overlay with minimal on-site work. This is a core operational benefit of Cisco SD-WAN because branch routers can be shipped to sites and onboarded without a specialist manually building the entire control-plane configuration locally. Manual configuration remains available when ZTP is not used, when the site has special connectivity constraints, or when the administrator needs to stage the router directly. DHCP options and DNS records can help devices learn controller information in some deployment models, but they are not the complete pair of bootstrap methods named for vEdge onboarding. vManage is the management system, not a bootstrap method by itself. Therefore, the correct methods are ZTP and manual configuration. The design should also validate certificates, organization name, system IP, site ID, and transport interface reachability during onboarding.

PortFast is the correct functionality for the Gi1/0/1-10 interfaces when those ports are endpoint-facing access ports. Cisco spanning-tree design uses PortFast to allow edge ports to transition directly to the forwarding state, avoiding the normal listening and learning delay associated with traditional STP convergence. That improves user and endpoint connectivity after link-up events and is especially important for workstations, phones, printers, and access devices that should not participate in the Layer 2 topology. Root guard and BPDU guard are protection features, not the primary convergence optimization requested by the architect. UplinkFast was used in older STP designs to accelerate recovery for access switches with redundant uplinks, but it is not the edge-port functionality for interfaces Gi1/0/1-10. In a modern design, PortFast should be enabled only on true host-facing ports, normally together with BPDU guard to protect against accidental switch attachment. If the exhibit shows these interfaces as end-user access ports, PortFast is the feature that follows the recommendation to optimize STP convergence time. Reference topics: STP PortFast, edge-port convergence, BPDU guard, Layer 2 campus design.

GRE over IPsec is required when the backup connection is an Internet circuit, encryption is mandatory, and multicast applications must cross the tunnel. GRE provides the logical tunnel interface and can encapsulate multicast traffic and routing protocol packets. IPsec then encrypts the GRE packets across the public Internet, satisfying the security requirement. This combination is widely used in enterprise WAN designs where dynamic routing, multicast video, or other non-unicast traffic must be transported securely between sites. Direct IPsec encapsulation protects unicast IP traffic, but it does not natively provide a multicast-capable tunnel interface for routing and multicast services. GETVPN is designed for private WAN environments where the provider network can carry the routed addresses and where tunnel-less group encryption is desired; it is not the usual choice for Internet backup. DMVPN could also use GRE and IPsec, but for a simple backup connection between two sites, GRE over IPsec is the direct answer. Reference topics: GRE tunneling, IPsec encryption, multicast over VPN, Internet backup WAN design.

A higher local preference on R3 for the relevant routes is the correct method to influence outbound traffic inside the autonomous system. Local preference is a well-known discretionary BGP attribute used within an AS to choose the preferred exit path. A higher local preference is preferred over a lower one, and the attribute is propagated to iBGP peers so routers in the AS make a consistent outbound decision. The requirement says all traffic originating from AS100 must pass through AS200 toward the NTP and DHCP server, and if the R3-to-R4 link fails, the path must move to the R2-to-R9 link. Applying local preference on R3 toward the routers that need to reach the data center establishes R3 as the primary exit while preserving the alternate path through R2 and R9. AS-path prepending is mainly used to influence inbound traffic from other autonomous systems, not the local AS exit choice. Redistributing IGP metrics into BGP is less deterministic and not the right policy control. Reference topics: BGP local preference, outbound traffic engineering, iBGP policy propagation, primary and backup path design.