Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertifications350-401TopicsSD-WAN Architecture
Free · No Signup RequiredCisco · 350-401

350-401 SD-WAN Architecture Practice Questions

20+ practice questions focused on SD-WAN Architecture — one of the most tested topics on the ENCOR 350-401 exam. Each question includes a detailed explanation so you learn why the right answer is correct.

Start SD-WAN Architecture Practice

Exam Domains

ArchitectureEnterprise Network DesignSD-Access ArchitectureSD-WAN ArchitectureQoS ArchitectureVirtualizationNetwork Function VirtualizationAll domains →

Study Tools

Practice TestMock ExamFlashcardsAll Topics

Sample SD-WAN Architecture Questions

Practice all 20+ →
1.

A network engineer is deploying a Cisco SD-WAN solution for a global enterprise with multiple regional hubs. The engineer wants to ensure that traffic from branch offices to the internet is always forwarded directly from the branch, even if the branch has a primary MPLS link and a backup broadband link. The engineer configures the vSmart policy to direct internet-bound traffic to use the local exit at the branch. However, after deployment, the engineer notices that some internet traffic is still being sent to the regional hub before reaching the internet. What is the most likely cause of this behavior?

A.The engineer configured the data policy under VPN 0 instead of the service VPN (e.g., VPN 10).
B.The branch router does not have a default route in its routing table for the service VPN.
C.The engineer used a localized data policy instead of a centralized data policy.
D.The OMP route redistribution is not enabled on the branch router.

Explanation: Option A is correct because in Cisco SD-WAN, data policies that control traffic forwarding (such as forcing local internet exit) must be applied to the service VPN (e.g., VPN 10) where the branch’s LAN and internet-bound traffic resides. Configuring the policy under VPN 0 (the transport VPN) only affects overlay tunnel traffic and control-plane packets, not user traffic. Since the engineer applied the policy to VPN 0, the policy did not match internet-bound traffic in the service VPN, causing it to follow the default route toward the regional hub.

2.

An enterprise is migrating from a traditional MPLS WAN to Cisco SD-WAN. The network team has deployed vEdge routers at all branch offices and a vSmart controller in the data center. The engineer configures a centralized control policy to influence path selection based on cost and latency. After the policy is activated, the engineer notices that some branches are not receiving the updated policy and are still using the default best-path selection. The vSmart is reachable from all branches, and the vEdge routers show that they are connected to the vSmart. What is the most likely reason for this issue?

A.The vEdge routers have not been rebooted after the policy change.
B.The control policy is not attached to the appropriate site list or VPN list.
C.The OMP graceful restart timer has expired, causing the vEdge to ignore the policy.
D.The BFD sessions between vEdge and vSmart are flapping.

Explanation: In Cisco SD-WAN, centralized control policies must be explicitly attached to a site list or VPN list to define which devices or traffic the policy applies to. If the policy is not attached to the appropriate list, the vSmart controller will not push the policy to the targeted vEdge routers, causing them to continue using the default OMP best-path selection (based on administrative distance and cost). The fact that the vEdge routers are connected to the vSmart confirms the issue is with policy application, not reachability.

3.

A network engineer is configuring a Cisco SD-WAN fabric with vManage, vSmart, and vBond controllers. The engineer wants to ensure that all branch routers automatically discover the vSmart and vBond controllers without manual configuration on each branch. The engineer has configured the vBond with a public IP address and enabled NAT traversal. However, branch routers are failing to establish control connections. The engineer verifies that the branch routers have the correct organization name and that the vBond is reachable from the branches. What is the most likely missing configuration?

A.The vManage IP address is not configured on the branch routers.
B.The vSmart IP address is not configured on the branch routers.
C.The vBond IP address is not configured on the branch routers.
D.The DTLS port 12346 is not open on the branch routers' firewall.

Explanation: In Cisco SD-WAN, branch routers use a two-phase discovery process: they first connect to the vBond controller to authenticate and receive the list of vSmart and vManage controllers. Since the engineer has already configured the vBond with a public IP and enabled NAT traversal, and the branch routers have the correct organization name and can reach the vBond, the missing piece is that the vBond IP address must be explicitly configured on each branch router (via the 'system vbond' CLI command or the equivalent in the device template). Without this, the branch routers have no initial target to contact for the bootstrap discovery process, so they cannot automatically learn the vSmart and vManage addresses.

4.

A large enterprise uses Cisco SD-WAN with multiple transport clouds (MPLS and Internet). The network team wants to ensure that voice traffic between two branch offices always uses the MPLS link, even if the Internet link has lower latency. The engineer creates a centralized data policy on the vSmart to match voice traffic based on DSCP EF and sets the preferred color to 'mpls'. After applying the policy, the engineer tests and finds that voice traffic is still using the Internet link. The vEdge routers show that the policy is received and active. What is the most likely reason for this failure?

A.The vEdge routers have not rebooted after the policy was applied.
B.The data policy was applied on the vEdge instead of the vSmart.
C.The DSCP EF marking is not supported in SD-WAN data policies.
D.The policy does not include a match condition for the correct VPN or site list.

Explanation: Option D is correct because a centralized data policy on the vSmart must include match conditions for both the traffic (e.g., DSCP EF) and the scope of the policy (e.g., VPN list or site list). Without a site list or VPN list match, the policy may not apply to the specific branch-to-branch traffic, causing the vEdge to fall back to the default routing behavior (e.g., using the Internet link if it has lower latency). The vSmart distributes the policy to vEdges, but the vEdge only enforces it for matched traffic within the specified sites or VPNs.

5.

A network engineer is troubleshooting a Cisco SD-WAN deployment where a branch office has two WAN links: a primary MPLS link and a backup LTE link. The engineer wants to configure application-aware routing so that critical applications (e.g., Salesforce) always use the MPLS link as long as its loss is below 2% and latency below 150 ms. The engineer configures an app-route policy on the vSmart with the appropriate SLA requirements. After deployment, the engineer notices that Salesforce traffic is still using the LTE link even when the MPLS link meets the SLA. What is the most likely cause?

A.The app-route policy is not attached to the correct site list or VPN list.
B.The LTE link has a lower cost metric than the MPLS link.
C.The app-route policy was applied on the vEdge instead of the vSmart.
D.The SLA requirements are not configured correctly in the policy.

Explanation: Option A is correct because the app-route policy must be attached to the correct site list and VPN list to be applied to the traffic. If the policy is not properly associated with the site list containing the branch office or the VPN list that includes Salesforce traffic, the vSmart will not enforce the application-aware routing rules, allowing the LTE link to be used even when the MPLS link meets the SLA.

+15 more SD-WAN Architecture questions available

Practice all SD-WAN Architecture questions

How to master SD-WAN Architecture for 350-401

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of SD-WAN Architecture. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

SD-WAN Architecture questions on the 350-401 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many 350-401 SD-WAN Architecture questions are on the real exam?

The exact number varies per candidate. SD-WAN Architecture is tested as part of the ENCOR 350-401 blueprint. Practicing with targeted SD-WAN Architecture questions ensures you can handle any format or difficulty that appears.

Are these 350-401 SD-WAN Architecture practice questions free?

Yes. Courseiva provides free 350-401 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is SD-WAN Architecture one of the harder 350-401 topics?

Difficulty is subjective, but SD-WAN Architecture is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.

Ready to practice?

Launch a full SD-WAN Architecture practice session with instant scoring and detailed explanations.

Start SD-WAN Architecture Practice →

Topic Info

Topic

SD-WAN Architecture

Exam

350-401

Questions available

20+