Cisco 300-540 Dumps

In the diagram, thePE and R2, R3, R4, R5belong toAS 100. The PE router runs BGP processAS 100, so its BGP configuration must start with:

router bgp 100

To performiBGP multipath load sharingacross three equal-cost internal BGP paths, BGP must be instructed to keep and use multiple iBGP paths in the routing table. This is done with:

router bgp 100

maximum-paths ibgp 3

maximum-paths ibgp 3 tells BGP to install up tothreeiBGP paths to the same prefix, enabling CEF to load-share across those paths.

router bgp 100 is required because the PE is inAS 100, not 101.

Other options:

ip load-sharing per-destination affects CEF behavior but does not enable BGP iBGP multipath by itself and is not specific to three iBGP paths.

ip load-sharing ibgp 3 is not a valid IOS BGP command.

router bgp 101 would configure the wrong AS and break the iBGP relationships shown in AS-100.

Thus, the correct commands on the PE to achieve iBGP multipath load sharing over the three internal paths aremaximum-paths ibgp 3androuter bgp 100, corresponding toA and E.

Comprehensive and Detailed Explanation

In Cisco NFVI security architecture, the primary defense againstlateral movement(an attacker moving from one compromised node to another) isnetwork segmentation.

Segmentation:

Separates workloads (compute, storage, management, tenant networks)

Prevents attackers from pivoting inside the NFVI

Reduces blast radius during breaches

Enforces micro-segmented virtual network boundaries

WPA protects Wi-Fi, not NFVI.

WAF protects web apps, not internal movement.

Data encryption protects confidentiality, not lateral movement control.

Thus,network segmentationis the correct solution.

Comprehensive and Detailed Explanation From Cisco SP Cloud Network Infrastructure Security Knowledge

Cloud security compliance frameworks (such as ISO 27001, PCI-DSS, GDPR, SOC 2, HIPAA) require:

Evidence of security events

Retention of logs for audit periods

Ability to generate compliance reports

Traceability and accountability

Incident investigation support

Effective log management enables:

Centralized collection of application, network, and system logs

Storage of logs for mandated retention periods

Generation ofaudit-ready reports

Documentation required for compliance assessments

Demonstration that monitoring and security controls are active and functioning

Therefore, the role of log management in regulatory compliance is primarily aboutdocumentation, traceability, auditing, and reporting, which aligns only with Option A.

The other options do not directly serve regulatory compliance requirements:

Brelates to resource optimization, not compliance.

Crefers to interoperability, which is unrelated to regulatory auditing.

Dimproves security but does not directly address compliance documentation.

NETCONF rules state:

A user cannot terminatetheir own active session.

Attempting to kill the same session returnsinvalid-valueerror.

The session continues running normally.

Thus:

No logout

No termination

No configuration impact

Therefore,Ais correct.

Comprehensive and Detailed Explanation

For virtualization functions and operational reliability, the architecture must leverageCisco NSO (Network Services Orchestrator)capabilities. NSO provides:

Transactional service modeling

Automatic rollbackwhen any step of a transactional deployment fails

Real-time network-state visibilityvia NSO CLI and live device synchronization

End-to-end service lifecycle automation

Among the options:

Why B is correct

"Virtualization service modeling" fits NSO’s core design principle: model the service, not individual devices.

NSO’s CLI providesstate visibility, operational introspection, transaction logs, and commit details.

NSO’s transactional engine providesautomatic rollbackupon any device or service failure.

This option capturesfull lifecycle automation,real-time state visibility, andreliability, exactly as required.

Why others are incorrect

A: CLI NED alone does not provide real-time state visibility or automated rollback; manual rollback contradicts requirements.

C: Only focuses on service modeling + CLI, but doesnotinclude rollback or lifecycle automation.

D: Templates alone do not ensure rollback or real-time operational state.

Comprehensive and Detailed Explanation From Cisco SP Security Knowledge

Cisco Always-On Cloud DDoS Protection is a cloud-based, carrier-grade security service used by service providers to protect customers from volumetric and application-layer DDoS attacks.

Its core protection mechanism is the use ofglobal scrubbing centers, which:

Receive diverted attack traffic

Scrub (clean) malicious packets

Forward clean traffic back to the customer

Use behavioral analysis and real-time detection

Protect against volumetric, TCP state-exhaustion, and application-layer attacks

Why other answers are incorrect:

Load balancing (A)doesnotmitigate DDoS attacks; it distributes traffic across servers.

Botnet zombies (B)aresourcesof DDoS attacks, not protection.

Traffic mirroring (C)is used for analysis and monitoring, not active DDoS protection.

In a VXLAN BGP EVPNMulti-Siteenvironment:

DCI trackingmonitors the health of the DCI links. If all DCI-tracking interfaces go down, the leaf can incorrectly keep advertising or learning remote MAC/IP reachability, leading to packet loss and sub-optimal forwarding for servers in that VLAN/L2VNI.

For proper operation, eachDCI-facing interfacemust be enabled with evpn multisite dci-tracking so that the Multi-Site border leaf tracks reachability over that link.

When using EVPN Multi-Site, BUM (broadcast, unknown unicast, multicast) traffic toward remote sites is typically handled viaingress replication, not multicast groups, for each L2VNI participating in Multi-Site. The configuration snippet shows an L2VNI (vn-segment 16535) still mapped to mcast-group 239.1.1.0, which is inconsistent with Multi-Site recommendations and contributes to packet loss.

Therefore, to fix the problem:

Enable DCI tracking on the uplink:

interface Ethernet1/1

evpn multisite dci-tracking

This restores proper DCI-link state monitoring for Multi-Site. →Option C

Change the L2VNI behavior from multicast to Multi-Site ingress replication:

Under the VNI for VLAN 11, configure:

evpn

vni 16535 l2

multisite ingress-replication

or the equivalent command for the specific NX-OS release, thereby aligning the L2VNI with EVPN Multi-Site design and eliminating packet loss. →Option D

Options A and B are ELAM (embedded logic analyzer) filters used only for packet capture and do not resolve the forwarding issue.

Option E is an ACL line unrelated to EVPN VXLAN or DCI tracking and does not address the underlying problem.

Comprehensive and Detailed Explanation From Cisco SP Cloud Network Infrastructure Security Knowledge

Cloud security compliance frameworks (such as ISO 27001, PCI-DSS, GDPR, SOC 2, HIPAA) require:

Evidence of security events

Retention of logs for audit periods

Ability to generate compliance reports

Traceability and accountability

Incident investigation support

Effective log management enables:

Centralized collection of application, network, and system logs

Storage of logs for mandated retention periods

Generation ofaudit-ready reports

Documentation required for compliance assessments

Demonstration that monitoring and security controls are active and functioning

Therefore, the role of log management in regulatory compliance is primarily aboutdocumentation, traceability, auditing, and reporting, which aligns only with Option A.

The other options do not directly serve regulatory compliance requirements:

Brelates to resource optimization, not compliance.

Crefers to interoperability, which is unrelated to regulatory auditing.

Dimproves security but does not directly address compliance documentation.

Comprehensive and Detailed Explanation From Cisco SP Core Optimization Knowledge

Cisco IOS supportsBGP Multipathfor installing multiple equal-cost BGP routes (both iBGP and eBGP) into the routing table. The correct global BGP command syntax to set the number of allowable parallel BGP paths is:

maximum-paths

For BGP specifically, the form is:

maximum-paths bgp

This enables the router to install up to the specified number of equal-cost BGP routes (iBGP and eBGP) into the RIB and then potentially into the FIB.

Setting:

maximum-paths bgp 6

allowssixparallel ECMP paths learned via BGP—this matches the requirement in the question.

Why the other options are incorrect

B. multipath eibgp 6Not a valid Cisco IOS command.

C. maximum paths bgp routers 6Invalid syntax.

D. maximum-paths eibgp 6The correct keyword isbgp, noteibgp.Cisco does not use “eibgp” in this context; IOS supports BGP multipath across iBGP/eBGP automatically when configured under maximum-paths bgp.

Comprehensive and Detailed Explanation

BGP Flowspec allows routers to distributetraffic-filtering rulesusing BGP NLRI.

To enable Flowspec, after neighbors are configured, the essential next step is:

✔Activate the Flowspec address-family under BGP

Example:

router bgp 65000

address-family ipv4 flowspec

neighbor X.X.X.X activate

exit-address-family

This enables:

FlowSpec NLRI exchange

Distribution of drop rules (rate-limit, redirect, null route, etc.)

Automatic ACL/class-map/policy-map generation on edge routers

Why the other options are incorrect:

B. Set BGP routing process→ already done when neighbors were configured

C. Activate neighbors→ only makes senseinsidean address-family; flowspec AF must be enabled first

D. Configure route reflector→ optional and not required for Flowspec to operate

Thus, the correct next step isA. Configure Flowspec for the BGP address-family.

Comprehensive and Detailed Explanation From Cisco NFVI + VIM Architecture

Cisco VIM (Virtual Infrastructure Manager) operates as part of Cisco NFVI and requiresspecific mandatory network segmentsto deploy OpenStack-based NFVI environments.

The essential required networks for Cisco VIM include:

✔Provisioning network

Used during bare-metal install of compute and controller nodes

Handles PXE boot, image deployment, and VIM’s management reachability

✔Storage network

Used for Cinder, Swift, Ceph, and Glance back-end storage replication

Ensures predictable latency and bandwidth for NFVI workloads

Other networks exist in VIM (Management, API, Tenant, External), but the question asks for the required foundational segments.

Why the other options are incorrect:

Data plane(B) – used inside NFV workloads but not a required VIM infrastructure network.

Heartbeat(C) – not a defined VIM network segment.

Host network(D) – not a Cisco VIM terminology; provisioning network handles host onboarding.

Comprehensive and Detailed Explanation

SNMP traps in Cisco NFVIS (and in SNMP generally):

Areunsolicited notifications

Sent from the NFVIS deviceto the SNMP manager

Indicate alarms, changes, or significant operational events

Donotrequire polling

Examples:

Disk failures

VM crashes

Host status changes

Resource alarms

Why the others are wrong:

Adescribes SNMP monitoring (done by the manager with GET requests)

BSNMP cannotcontrolhost activities

DSNMP GET retrieves a variable, but traps sendunsolicitednotifications

Thus, the correct answer isC.

Comprehensive and Detailed Explanation

In Cisco NFV Infrastructure (NFVI) Assurance and Monitoring, enabling gRPC activates the device’s ability to support model-driven telemetry streaming.

Key points from Cisco SP Cloud/NFVI design principles:

gRPC is used as the transport protocol for model-driven telemetry.

Telemetry replaces traditional polling methods (SNMP, CLI scraping) with continuous, push-based updates.

It allows NFVI components to stream real-time operational data (CPU, memory, interfaces, VM metrics, fabric state) to collectors such as Cisco Crosswork, InfluxDB, Prometheus, or other analytic systems.

gRPC does not provide NetFlow/IPFIX export or syslog itself; those are separate subsystems.

Evaluation of options:

A. telemetry streaming — Correct. gRPC enables model-driven streaming telemetry.

B. IPFIX monitoring — Incorrect; IPFIX uses UDP exports, not gRPC.

C. Cisco IOS NetFlow monitoring — Incorrect; uses NetFlow export protocols.

D. system logging — Incorrect; syslog uses UDP/TCP, not gRPC.

Comprehensive and Detailed Explanation

AWSSecurity Groupsact as the primary stateful firewalls for EC2 instances.

To restrict SSH (TCP/22) to a single host (20.20.20.20/32), aSecurity Groupmust be configured with:

Inbound rule: TCP 22

Source: 20.20.20.20/32

ACLs operate at the subnet level but are not used for instance-specific SSH restrictions.

WAF controls HTTP/HTTPS traffic, not SSH.

Resource groups only organize cloud assets.

Thus,Bis the correct solution.

Comprehensive and Detailed Explanation

SNMP traps in Cisco NFVIS (and in SNMP generally):

Areunsolicited notifications

Sent from the NFVIS deviceto the SNMP manager

Indicate alarms, changes, or significant operational events

Donotrequire polling

Examples:

Disk failures

VM crashes

Host status changes

Resource alarms

Why the others are wrong:

Adescribes SNMP monitoring (done by the manager with GET requests)

BSNMP cannotcontrolhost activities

DSNMP GET retrieves a variable, but traps sendunsolicitednotifications

Thus, the correct answer isC.

Overlay Transport Virtualization (OTV) allows Layer 2 extension across Layer 3 infrastructures. To operate, OTV requires three fundamental components on the overlay interface:

Join interface – used to reach the OTV control plane over L3 (already configured: otv join-interface g1/0).

Control-group multicast address – for control-plane advertisement (already configured: otv control-group 224.1.1.1).

Extended VLAN list – specifies which VLANs will be transported through the OTV overlay.

The configuration shown in the exhibit includes the join-interface, control-group, and data-group, but it does NOT specify which VLANs should be extended. Without the otv extend-vlan command, OTV will form the overlay interface but will not forward any Layer 2 information, preventing adjacency and MAC distribution between sites.

In OTV, the command required to activate VLANs for transport is:

otv extend-vlan

This enables the VLANs (such as 101–111) to be carried across the OTV overlay, completing the configuration and establishing connectivity.

Why the Other Options Are Incorrect

B. otv isis authentication-type md5

This is optional and only required if ISIS authentication is enabled on both edges. It does not resolve the absence of VLAN extension.

C. otv isis authentication-check

This command enforces authentication verification but does not fix connectivity when VLANs are not extended.

D. otv join-interface vlan 101-111

This is not a valid OTV command. The join-interface must be a routed interface, not a VLAN list.

In a cloud-scale or data center–scale environment,Virtual Extensible LAN (VXLAN)is used as anoverlay technologyto transportLayer 2 segments over a Layer 3 underlay network. VXLAN encapsulates Layer 2 Ethernet frames inside UDP/IP packets, allowing broadcast, unknown unicast, and multicast (BUM) traffic and tenant Layer 2 domains to be extended across a routed IP fabric.

Key points aligned with Cisco Service Provider Cloud Infrastructure design principles:

VXLAN creates aLayer 2 overlay on top of a Layer 3 underlay.

TheVXLAN Network Identifier (VNI)provides a much larger segmentation space than traditional VLANs, enabling multi-tenancy at cloud scale.

Because the underlay is pure Layer 3 (IP routed fabric), VXLAN allows you tointerconnect Layer 2 segments between leaf switches or data centers over an IP/MPLS backbonewithout relying on large Layer 2 domains in the physical network.

Why the options evaluate as follows:

Option A: extends Layer 2 segments across the underlying Layer 3 infrastructure✅This is the core benefit of VXLAN in cloud-scale designs. VXLAN encapsulates Layer 2 frames intoIP/UDP headers, allowing isolated Layer 2 segments (per VNI) to be stretched across a routed IP network. This enables:

Multi-tenant Layer 2 connectivity across a distributed cloud fabric

Mobility of virtual machines or containers while keeping same IP/MAC addressing

Use of an IP-based leaf–spine or service provider underlay for scalability and resiliency

Option B: extends Layer 3 segments across the underlying Layer 2 infrastructure❌This is the opposite of what VXLAN does. VXLAN is explicitlyL2-over-L3, not L3-over-L2. Extending pure Layer 3 segments over Layer 2 is not the VXLAN use case.

Option C: reduces spanning-tree complexity across the Layer 2 infrastructure⚠️(Partially related but not the primary or direct benefit)In modern designs, the underlay isLayer 3 routed, and VXLAN overlays provide logical Layer 2 segments. This designavoids dependence on spanning tree in the fabric, whichindirectlyreduces STP complexity. However, the fundamental, exam-relevant benefit isL2 extension over L3, so C is not the best or most accurate answer compared to A.

Option D: eliminates the need for a Layer 3 underlay in the service provider infrastructure❌VXLAN absolutelyrequiresan IP (Layer 3) underlay for transport. VXLAN tunnels are built over a routed infrastructure (leaf–spine, MPLS/IP core, etc.). It does not remove the need for Layer 3; it depends on it.

Comprehensive and Detailed Explanation

For distancesgreater than 20 miles, valid inter-facility transport options must support:

Metro-scale connectivity

High bandwidth

Low latency

Carrier-grade reliability

Acarrier access Ethernet ring (MEN / Metro Ethernet)is designed for:

Interconnecting data centers or meet-me rooms

Distances far exceeding 20 miles

High-availability layer-2 or layer-3 transport

Why the others are invalid:

CAT6e→ maximum ~100 meters

Multimode fiber→ typically <2 km (~1.25 miles)

Private wireless→ not used for high-capacity DC interconnects, unreliable for core transport

Thus, the only correct carrier-grade method isCarrier access Ethernet ring.