Practice 350-401 SD-WAN Architecture questions with full explanations on every answer.
Start practicing
SD-WAN Architecture — choose a session length
Free · No account required
Click any question to see the full explanation and answer options, or start a focused practice session above.
A network engineer is deploying a Cisco SD-WAN solution for a global enterprise with multiple regional hubs. The engineer wants to ensure that traffic from branch offices to the internet is always forwarded directly from the branch, even if the branch has a primary MPLS link and a backup broadband link. The engineer configures the vSmart policy to direct internet-bound traffic to use the local exit at the branch. However, after deployment, the engineer notices that some internet traffic is still being sent to the regional hub before reaching the internet. What is the most likely cause of this behavior?
2An enterprise is migrating from a traditional MPLS WAN to Cisco SD-WAN. The network team has deployed vEdge routers at all branch offices and a vSmart controller in the data center. The engineer configures a centralized control policy to influence path selection based on cost and latency. After the policy is activated, the engineer notices that some branches are not receiving the updated policy and are still using the default best-path selection. The vSmart is reachable from all branches, and the vEdge routers show that they are connected to the vSmart. What is the most likely reason for this issue?
3A network engineer is configuring a Cisco SD-WAN fabric with vManage, vSmart, and vBond controllers. The engineer wants to ensure that all branch routers automatically discover the vSmart and vBond controllers without manual configuration on each branch. The engineer has configured the vBond with a public IP address and enabled NAT traversal. However, branch routers are failing to establish control connections. The engineer verifies that the branch routers have the correct organization name and that the vBond is reachable from the branches. What is the most likely missing configuration?
4A large enterprise uses Cisco SD-WAN with multiple transport clouds (MPLS and Internet). The network team wants to ensure that voice traffic between two branch offices always uses the MPLS link, even if the Internet link has lower latency. The engineer creates a centralized data policy on the vSmart to match voice traffic based on DSCP EF and sets the preferred color to 'mpls'. After applying the policy, the engineer tests and finds that voice traffic is still using the Internet link. The vEdge routers show that the policy is received and active. What is the most likely reason for this failure?
5A network engineer is troubleshooting a Cisco SD-WAN deployment where a branch office has two WAN links: a primary MPLS link and a backup LTE link. The engineer wants to configure application-aware routing so that critical applications (e.g., Salesforce) always use the MPLS link as long as its loss is below 2% and latency below 150 ms. The engineer configures an app-route policy on the vSmart with the appropriate SLA requirements. After deployment, the engineer notices that Salesforce traffic is still using the LTE link even when the MPLS link meets the SLA. What is the most likely cause?
6An enterprise is deploying Cisco SD-WAN with a hub-and-spoke topology. The hub site has a vSmart controller and a vEdge router. The branch sites have vEdge routers. The engineer wants to ensure that all inter-branch traffic goes through the hub for security inspection. The engineer configures a centralized control policy on the vSmart to set the 'hub' as the preferred path for all routes. After the policy is applied, the engineer notices that branch-to-branch traffic is still going directly, bypassing the hub. The vEdge routers show that the control policy is received. What is the most likely issue?
7A network engineer is configuring a Cisco SD-WAN solution for a retail chain with hundreds of stores. The engineer wants to use a centralized data policy to steer all YouTube traffic to a specific WAN link (broadband) to save MPLS bandwidth. The engineer creates a policy that matches YouTube traffic by destination IP and sets the preferred color to 'biz-internet'. After applying the policy, the engineer tests and finds that YouTube traffic is still using the MPLS link. The vEdge routers show that the policy is received and active. What is the most likely reason?
8An enterprise is deploying Cisco SD-WAN with multiple vSmart controllers for redundancy. The engineer configures the vEdge routers to connect to two vSmart controllers. After deployment, the engineer notices that the vEdge routers are only connected to one vSmart, and the second vSmart is not being used. The vEdge routers show that the second vSmart is reachable. What is the most likely reason for this behavior?
9A network engineer is configuring a Cisco SD-WAN solution for a multinational corporation. The engineer wants to use a centralized data policy to steer all traffic from the Finance department (VPN 10) to a specific WAN link (MPLS) for security reasons. The engineer creates a policy that matches traffic from VPN 10 and sets the preferred color to 'mpls'. After applying the policy, the engineer tests and finds that traffic from VPN 10 is still using the Internet link. The vEdge routers show that the policy is received and active. What is the most likely reason?
10A multinational enterprise is deploying Cisco SD-WAN to interconnect 500 branch sites with two data centers. The network architect must ensure that the control plane remains operational even if the vSmart controllers become unreachable. Which design approach should the architect choose to meet this requirement?
11An architect is designing an SD-Access fabric for a large campus network. The design must support wireless clients that roam across different access switches without requiring a centralized wireless LAN controller. Which fabric component and protocol combination should the architect use to enable this mobility?
12A service provider is deploying NFV to offer managed SD-WAN services to enterprise customers. The architect must place virtual network functions (VNFs) such as vEdge routers and firewalls in the provider's data center. Which VNF placement model allows the provider to chain these functions efficiently and scale per customer?
13A campus network architect is redesigning the LAN to support high availability and east-west traffic growth. The current design uses a traditional three-tier hierarchy with a collapsed core. The architect must choose a new design that provides predictable latency, simple scalability, and efficient use of uplinks. Which design should the architect select?
14An enterprise is deploying a virtualized network function (VNF) for a next-generation firewall on a KVM-based hypervisor. The architect must ensure that the VNF can handle high throughput without CPU bottlenecks. Which hypervisor configuration technique should the architect use to dedicate physical CPU cores to the VNF?
15A network architect is designing the QoS architecture for a Cisco SD-WAN deployment that carries voice, video, and data traffic across MPLS and Internet transports. The design must use a consistent DiffServ marking strategy across all transports and ensure that voice traffic is prioritized over video. Which QoS policy type and marking approach should the architect use?
16An enterprise is deploying Cisco SD-WAN with vManage, vSmart, vBond, and vEdge routers. The architect must design the control plane to securely onboard new vEdge routers and establish DTLS/TLS tunnels. Which component is responsible for the initial authentication and coordination of control plane connections?
17A network architect is designing a Cisco SD-Access fabric for a university campus that requires segmentation between student, faculty, and guest traffic. The design must use Cisco TrustSec for scalable security group tags (SGTs) and integrate with Cisco ISE for policy enforcement. Which fabric component should the architect use to enforce SGT-based policies at the access layer?
18A company is deploying a virtualized network function (VNF) for a Cisco CSR1000v router on a VMware vSphere hypervisor. The architect must choose the hypervisor type to ensure the best performance for the VNF. Which hypervisor type is VMware vSphere classified as, and why is it suitable for VNF deployment?
19Consider the following SD-WAN configuration snippet on a Cisco IOS-XE router: interface GigabitEthernet0/0/1 ip address 10.1.1.1 255.255.255.0 tunnel-interface encapsulation ipsec color biz-internet no allow-service bgp allow-service dhcp allow-service dns allow-service icmp ! What is the effect of this configuration?
20Given the following SD-WAN configuration on a Cisco IOS-XE router: router ospf 1 redistribute bgp 65000 subnets network 192.168.1.0 0.0.0.255 area 0 ! interface GigabitEthernet0/0/0 ip address 192.168.1.1 255.255.255.0 ip ospf network point-to-point ! Which statement is true?
21Examine the following SD-WAN policy configuration on a Cisco vSmart controller: policy control-policy CONTROL_POLICY sequence 10 match route prefix-list PL_10 action accept set community 100:10 ! prefix-list PL_10 sequence 10 match ip-address 10.0.0.0/24 ! What is the effect of this control policy?
22Consider the following SD-WAN device configuration on a Cisco IOS-XE router: sdwan interface GigabitEthernet0/0/1 tunnel-interface encapsulation ipsec color public-internet allow-service all ! interface GigabitEthernet0/0/2 tunnel-interface encapsulation ipsec color 3g allow-service all ! Which statement about this configuration is true?
23Given the following SD-WAN CLI output on a Cisco IOS-XE router: show sdwan omp routes 10.1.1.0/24, received, admin-distance: 250 via 10.0.0.1, interface GigabitEthernet0/0/1, color biz-internet, loss: 0, latency: 10 via 10.0.0.2, interface GigabitEthernet0/0/2, color 3g, loss: 1, latency: 50 Which statement is true?
24Examine the following SD-WAN configuration on a Cisco vEdge router: vpn 0 interface ge0/0 ip address 10.0.0.1/24 tunnel-interface encapsulation ipsec color public-internet allow-service all ! interface ge0/1 ip address 10.0.0.2/24 tunnel-interface encapsulation ipsec color 3g allow-service all ! Which statement is correct?
25In Cisco SD-WAN, what is the default OMP hello interval (in seconds) between a vEdge router and a vSmart controller?
26Which component in Cisco SD-WAN is responsible for orchestrating the overlay network, including authentication and NAT traversal?
27In Cisco SD-WAN, what is the maximum number of TLOCs that can be associated with a single OMP route?
28Drag and drop the steps of SD-WAN edge device (vEdge/cEdge) bring-up sequence into the correct order, from first to last.
29Drag and drop the steps of SD-WAN overlay routing protocol (OMP) route advertisement sequence into the correct order, from first to last.
30Drag and drop the steps of Cisco SD-WAN control plane establishment sequence into the correct order, from first to last.
31Drag and drop the steps of SD-WAN zero-touch provisioning (ZTP) flow into the correct order, from first to last.
32Drag and drop the steps of SD-WAN policy creation and push via vManage into the correct order, from first to last.
33Drag and drop the steps of OMP route advertisement between vSmart and vEdge into the correct order, from first to last.
34Drag and drop the steps of BFD session establishment for path liveliness into the correct order, from first to last.
35Drag and drop the steps of SD-WAN traffic engineering app-aware routing steps into the correct order, from first to last.
36Drag and drop each SD-WAN controller on the left to its matching function on the right.
37Drag and drop each SD-WAN plane on the left to its matching function on the right.
38Drag and drop each OMP attribute on the left to its matching behavior on the right.
39Drag and drop each SD-WAN policy type on the left to its matching application point on the right.
40Drag and drop each WAN transport type on the left to its matching SD-WAN characteristic on the right.
41Drag and drop the steps of SD-WAN zero-touch provisioning (ZTP) flow into the correct order, from first to last.
42Drag and drop the steps of SD-WAN policy creation and push via vManage into the correct order, from first to last.
43Drag and drop the steps of OMP route advertisement between vSmart and vEdge into the correct order, from first to last.
44Drag and drop the steps of BFD session establishment for path liveliness into the correct order, from first to last.
45Drag and drop the steps of SD-WAN traffic engineering app-aware routing steps into the correct order, from first to last.
46Drag and drop each SD-WAN controller on the left to its matching function on the right.
47Drag and drop each SD-WAN plane on the left to its matching function on the right.
48Drag and drop each OMP attribute on the left to its matching behavior on the right.
49Drag and drop each SD-WAN policy type on the left to its matching application point on the right.
50Drag and drop each WAN transport type on the left to its matching SD-WAN characteristic on the right.
51Which two statements about SD-WAN control plane components are true? (Choose two.)
52Which three statements about SD-WAN overlay tunnels and transport are true? (Choose three.)
53Which two statements about SD-WAN policy architecture are true? (Choose two.)
54Which three statements about SD-WAN segmentation and multi-tenancy are true? (Choose three.)
55Which two statements about Cisco SD-WAN control plane components are true? (Choose two.)
56Which two statements about Cisco SD-WAN overlay routing and OMP are true? (Choose two.)
57Which three statements about Cisco SD-WAN security and segmentation are true? (Choose three.)
58Which three statements about Cisco SD-WAN architecture components and their roles are true? (Choose three.)
The SD-WAN Architecture domain covers the key concepts tested in this area of the 350-401 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 350-401 domains — no account required.
The Courseiva 350-401 question bank contains 58 questions in the SD-WAN Architecture domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the SD-WAN Architecture domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included