Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertifications350-401TopicsSD-Access Architecture
Free · No Signup RequiredCisco · 350-401

350-401 SD-Access Architecture Practice Questions

20+ practice questions focused on SD-Access Architecture — one of the most tested topics on the ENCOR 350-401 exam. Each question includes a detailed explanation so you learn why the right answer is correct.

Start SD-Access Architecture Practice

Exam Domains

ArchitectureEnterprise Network DesignSD-Access ArchitectureSD-WAN ArchitectureQoS ArchitectureVirtualizationNetwork Function VirtualizationAll domains →

Study Tools

Practice TestMock ExamFlashcardsAll Topics

Sample SD-Access Architecture Questions

Practice all 20+ →
1.

A network engineer is deploying Cisco SD-Access in a large enterprise campus. The design requires that all user traffic be segmented by Virtual Network (VN) and that the fabric edge nodes perform SGT-based enforcement. The engineer notices that traffic between two endpoints in the same IP subnet but different VNs is being forwarded directly at the fabric edge without any SGT inspection. What is the most likely cause?

A.The fabric edge nodes have not been configured with the proper SGT mappings.
B.The endpoints are in the same IP subnet, so they must be in the same Virtual Network; SGT enforcement only applies to inter-VN traffic.
C.The fabric edge nodes are operating in Layer 2 mode and do not support SGT enforcement.
D.The control plane node has not been configured with the correct IP-SGT mappings.

Explanation: In Cisco SD-Access, Virtual Networks (VNs) provide Layer 3 segmentation. Traffic between endpoints in the same IP subnet but different VNs is inherently Layer 2 traffic and cannot be routed or inspected by SGT-based enforcement, which only applies to inter-VN (Layer 3) traffic. Since the endpoints are in the same subnet, the fabric edge node forwards the traffic at Layer 2 without SGT inspection, making option B correct.

2.

An enterprise is migrating from a traditional three-tier campus network to Cisco SD-Access. The network engineer has deployed a fabric with a single fabric edge node and a single control plane node. Users in VLAN 10 report that they cannot reach the default gateway, which is a virtual IP on the fabric edge. The fabric edge is configured with a VLAN 10 SVI and the anycast gateway feature is enabled. What is the most likely cause of the problem?

A.The fabric edge node is not configured with the VLAN 10 SVI or the anycast gateway feature is disabled.
B.The control plane node is not reachable from the fabric edge, causing the fabric edge to drop traffic.
C.The endpoints are not configured with the correct IP address for the default gateway.
D.The fabric edge node is in Layer 2 mode and cannot route traffic.

Explanation: Option A is correct because the question states that the fabric edge is configured with a VLAN 10 SVI and anycast gateway is enabled, yet users cannot reach the default gateway. The most likely cause is a misconfiguration: either the SVI is missing or anycast gateway is disabled on the fabric edge. In Cisco SD-Access, the anycast gateway feature must be explicitly enabled under the SVI using the command 'ip virtual-reassembly in' and 'ip local-proxy-arp' along with the 'anycast-gateway' configuration; without it, the fabric edge cannot respond to ARP requests or route traffic for the virtual IP, breaking connectivity to the default gateway.

3.

A network architect is designing an SD-Access fabric for a large enterprise campus. The design must support segmentation at Layer 2 and Layer 3 across the fabric, using a centralized control plane and policy enforcement. Which two protocols are essential for the SD-Access overlay to meet these requirements?

A.LISP and VXLAN
B.MP-BGP and MPLS
C.OSPF and GRE
D.IS-IS and NVGRE

Explanation: LISP (Locator/ID Separation Protocol) provides the centralized control plane for endpoint identity-to-location mapping and policy-based forwarding, while VXLAN (Virtual Extensible LAN) supplies the data-plane encapsulation needed for Layer 2 and Layer 3 segmentation across the underlay. Together, they enable scalable overlay segmentation with a centralized policy enforcement point in SD-Access.

4.

An architect is planning a Cisco SD-Access fabric deployment. The design must support host mobility across multiple fabric edge nodes while ensuring consistent policy enforcement. Which fabric component is responsible for tracking endpoint locations and mapping them to the fabric?

A.Fabric control plane node
B.Fabric border node
C.Fabric edge node
D.Fabric wireless controller

Explanation: In Cisco SD-Access, the fabric control plane node (based on LISP) is responsible for maintaining the endpoint database (EID-to-RLOC mappings). When a host moves between fabric edge nodes, the control plane node updates the mapping, ensuring consistent policy enforcement by providing the correct location information to all edge nodes.

5.

A company is deploying an SD-Access fabric with multiple sites connected via a WAN. The design must allow inter-site traffic to be forwarded without requiring a full mesh of VXLAN tunnels between all edge nodes. Which fabric role should be used to interconnect the sites?

A.Fabric border node
B.Fabric control plane node
C.Fabric edge node
D.Fabric WAN controller

Explanation: A Fabric Border Node is the correct role because it acts as the gateway between the SD-Access fabric and external networks, including WAN connections. It performs Network-to-Network Interconnection (NNI) by translating VXLAN-encapsulated traffic into the appropriate WAN transport (e.g., IPsec, MPLS) and handles inter-site routing without requiring a full mesh of VXLAN tunnels between all Edge Nodes. This design leverages the Border Node to aggregate traffic and forward it over the WAN, reducing tunnel overhead and simplifying the fabric architecture.

+15 more SD-Access Architecture questions available

Practice all SD-Access Architecture questions

How to master SD-Access Architecture for 350-401

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of SD-Access Architecture. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

SD-Access Architecture questions on the 350-401 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many 350-401 SD-Access Architecture questions are on the real exam?

The exact number varies per candidate. SD-Access Architecture is tested as part of the ENCOR 350-401 blueprint. Practicing with targeted SD-Access Architecture questions ensures you can handle any format or difficulty that appears.

Are these 350-401 SD-Access Architecture practice questions free?

Yes. Courseiva provides free 350-401 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is SD-Access Architecture one of the harder 350-401 topics?

Difficulty is subjective, but SD-Access Architecture is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.

Ready to practice?

Launch a full SD-Access Architecture practice session with instant scoring and detailed explanations.

Start SD-Access Architecture Practice →

Topic Info

Topic

SD-Access Architecture

Exam

350-401

Questions available

20+