CCNA Enterprise Network Design Questions

44 questions · Enterprise Network Design topic · All types, answers revealed

1. Drag & Drop (medium)

Drag and drop the steps of hierarchical LAN design implementation phases into the correct order, from first to last.


Why this order

Hierarchical LAN design starts with the access layer for endpoint connectivity, then the distribution layer for policy and aggregation, followed by the core layer for high-speed transport. After physical design, VLANs and trunking are configured, and finally routing protocols are deployed for inter-VLAN communication.

2. Multi-Select (hard)

Which three statements about Cisco SD-Access design are true? (Choose three.)

A. VXLAN is used as the data plane encapsulation in SD-Access to create overlay tunnels.
B. The fabric border node is the access layer switch that connects end devices to the network.
C. LISP provides the control plane for SD-Access by managing endpoint identifiers and routing locators.
D. The border node provides connectivity between the SD-Access fabric and traditional networks or the WAN.
E. SD-Access requires a three-tier hierarchical design with core, distribution, and access layers.

Answers: A, C, D

Correct because VXLAN encapsulates Layer 2 frames in UDP packets, enabling overlay networks across the underlay.

Why this answer

Cisco SD-Access is a policy-based, intent-driven network architecture that uses VXLAN for overlay tunneling and LISP for control plane. It separates the network into fabric and non-fabric domains. The fabric uses a border node to connect to external networks.

Option A is correct because VXLAN provides the data plane encapsulation. Option C is correct because LISP is the control plane that maps endpoints to their locations. Option D is correct because the border node connects the fabric to outside networks (e.g., WAN, Internet).

Option B is incorrect because the fabric edge is the access layer switch that connects endpoints, not the border. Option E is incorrect because SD-Access typically uses a two-tier spine-leaf design, not a three-tier core-distribution-access.

3. Multi-Select (medium)

Which two statements about the Cisco Enterprise Campus Architecture are true? (Choose two.)

A. The distribution layer provides policy-based connectivity and controls traffic flow between access and core layers.
B. The access layer is responsible for routing between VLANs and providing high-speed switching for the campus backbone.
C. The core layer should be designed for high-speed transport and minimal latency, avoiding CPU-intensive features like ACLs.
D. A two-tier hierarchical design (collapsed core) is recommended for large campus networks with thousands of users.
E. The core layer should enforce security policies and perform packet inspection to protect the campus network.

Answers: A, C

Correct because the distribution layer is the policy enforcement boundary, implementing routing, QoS, and security policies.

Why this answer

The Cisco Enterprise Campus Architecture uses a hierarchical model to improve scalability, performance, and manageability. The access layer provides user and device connectivity, often with VLANs and PoE. The distribution layer aggregates access switches and provides policy enforcement, while the core layer provides high-speed transport.

The collapsed core design merges core and distribution for smaller networks. Option A is correct because the distribution layer is indeed the policy enforcement point. Option C is correct because the core layer should be optimized for high-speed switching without complex policies.

Option B is incorrect because the access layer typically does not perform routing between VLANs (that is a distribution layer function). Option D is incorrect because a two-tier design (collapsed core) is actually recommended for smaller campuses, not larger ones. Option E is incorrect because the core layer should not be used for security filtering, which is a distribution layer role.

4. MCQ (hard)

An enterprise is migrating from a traditional three-tier campus design to a software-defined access (SD-Access) fabric. The engineer needs to ensure that the existing wireless infrastructure integrates seamlessly. Which component of SD-Access is responsible for integrating wireless and wired policies?

A. Fabric Edge node
B. Fabric Control node
C. Fabric Border node
D. Wireless LAN Controller (WLC)

Answer: A

Correct because the Fabric Edge node is the entry point for both wired and wireless users into the fabric, enforcing policies and providing connectivity.

Why this answer

The Fabric Edge node is the correct answer because it is the SD-Access component that serves as the attachment point for both wired and wireless endpoints. In an SD-Access fabric, the Fabric Edge node terminates the VXLAN tunnels from the wireless LAN controller (WLC) and applies consistent policy (e.g., SGT-based ACLs) to traffic from both wired and wireless users, ensuring seamless integration of the existing wireless infrastructure.

Exam trap

Cisco often tests the misconception that the WLC is responsible for policy integration, but in SD-Access, the WLC is merely a wireless controller that tunnels client traffic to the Fabric Edge node, which is the actual policy enforcement point.

How to eliminate wrong answers

Option B (Fabric Control node) is wrong because it handles LISP control-plane functions such as endpoint registration and mapping, not the integration of wireless policies. Option C (Fabric Border node) is wrong because it connects the fabric to external networks (e.g., WAN, data center) and performs NAT or route advertisement, but does not directly integrate wireless policies. Option D (Wireless LAN Controller) is wrong because while the WLC manages APs and wireless sessions, it is not the component responsible for integrating wireless and wired policies within the fabric; that role belongs to the Fabric Edge node, which applies consistent policy enforcement across both domains.

5. MCQ (easy)

What is the maximum hop count for EIGRP?

A. 255
B. 15
C. 128
D. Unlimited

Answer: A

EIGRP uses a 1-byte hop count field, allowing a maximum of 255 hops.

Why this answer

EIGRP uses a maximum hop count of 255 to prevent routing loops, which is a hard limit enforced by the protocol. This value is configurable via the 'metric maximum-hops' command under the EIGRP process, but the absolute maximum is 255. Unlike distance-vector protocols like RIP, EIGRP is an advanced distance-vector protocol that uses the Diffusing Update Algorithm (DUAL) for loop avoidance, but the hop count serves as a final safety mechanism.

Exam trap

Cisco often tests the distinction between the default hop count (100) and the maximum hop count (255), leading candidates to mistakenly select 128 or 15 due to confusion with other protocols or default values.

How to eliminate wrong answers

Option B is wrong because 15 is the maximum hop count for RIP (Routing Information Protocol), not EIGRP; this is a common confusion between distance-vector protocols. Option C is wrong because 128 is neither the default nor the maximum EIGRP hop count; the default is 100, and it can be increased up to 255. Option D is wrong because EIGRP does have a finite maximum hop count of 255; it is not unlimited, as the protocol must have a loop-prevention boundary.

6. MCQ (medium)

A data center architect is designing a virtualized environment to host critical applications. The design must maximize performance by allowing virtual machines (VMs) to directly access physical CPU cores and memory without hypervisor overhead for latency-sensitive workloads. Which hypervisor configuration should be used?

A. Enable hyper-threading and overcommit CPU resources
B. Use a Type 2 hypervisor (e.g., VMware Workstation) for better isolation
C. Configure NUMA pinning and CPU pinning for each VM to dedicated cores and memory nodes
D. Enable memory ballooning to reclaim unused memory from VMs

Answer: C

NUMA pinning and CPU pinning reduce latency by ensuring VMs use local memory and dedicated cores, avoiding hypervisor scheduling delays.

Why this answer

Option C is correct because CPU pinning and NUMA pinning allow virtual machines to directly access dedicated physical CPU cores and memory nodes, eliminating hypervisor scheduling overhead and ensuring low-latency access to local memory. This configuration is essential for latency-sensitive workloads in a virtualized data center, as it provides near-bare-metal performance by avoiding resource contention and cross-NUMA memory access penalties.

Exam trap

Cisco often tests the misconception that hyper-threading or memory ballooning can improve performance for latency-sensitive workloads, when in fact these features are designed for resource efficiency and can introduce unpredictability or overhead.

How to eliminate wrong answers

Option A is wrong because enabling hyper-threading and overcommitting CPU resources increases contention for physical cores and introduces hypervisor scheduling overhead, which degrades performance for latency-sensitive workloads. Option B is wrong because a Type 2 hypervisor (e.g., VMware Workstation) runs on top of a host operating system, adding extra layers of abstraction and overhead that reduce performance and are unsuitable for data center critical applications. Option D is wrong because memory ballooning is a technique for reclaiming unused memory from VMs to allow overcommitment, but it does not provide direct memory access and can cause performance degradation due to balloon driver overhead and potential swapping.

7. Drag & Drop (medium)

Drag and drop the steps of the PPDIOO network lifecycle into the correct order, from first to last.


Why this order

The PPDIOO lifecycle defines six phases: Prepare, Plan, Design, Implement, Operate, and Optimize. This order ensures a structured approach from initial requirements gathering through ongoing improvement.

8. MCQ (medium)

A network engineer is designing a WAN connection for a branch office that requires high availability and bandwidth aggregation. The branch has two internet connections from different ISPs. The engineer wants to use both links actively for load balancing and failover. Which design approach should be used?

A. Deploy SD-WAN to actively use both links with policy-based load balancing.
B. Configure static routes with different metrics for each link and use HSRP for failover.
C. Use BGP with both ISPs and rely on BGP best path selection for load balancing.
D. Implement a VPN tunnel between the branch and headquarters using only one link.

Answer: A

Correct because SD-WAN is designed to utilize multiple WAN links simultaneously, providing load balancing and failover based on application policies.

Why this answer

SD-WAN is the correct design because it natively supports active/active utilization of multiple WAN links with policy-based load balancing, allowing traffic to be distributed across both ISP connections based on application policies, SLA metrics, or other criteria. It also provides seamless failover by dynamically rerouting traffic if one link fails, meeting the requirements for high availability and bandwidth aggregation without relying on a single active link.

Exam trap

Cisco often tests the misconception that BGP multipath or static routes with HSRP can achieve active/active load balancing, but these methods either require complex tuning or are inherently active/passive, failing to meet the policy-based and application-aware requirements that SD-WAN uniquely addresses.

How to eliminate wrong answers

Option B is wrong because static routes with different metrics and HSRP are designed for active/passive failover, not active/active load balancing; HSRP operates at Layer 2 for gateway redundancy and does not distribute traffic across multiple WAN links. Option C is wrong because BGP best path selection selects only a single best path per prefix by default, and while BGP can be tuned for load balancing with features like multipath, it does not inherently provide policy-based load balancing or application-aware traffic steering like SD-WAN. Option D is wrong because implementing a VPN tunnel using only one link defeats the purpose of using both links for load balancing and failover, leaving the branch dependent on a single connection.

9. MCQ (medium)

A service provider is deploying NFV to host virtual network functions (VNFs) such as firewalls, routers, and WAN optimizers on a single server. The design must support service chaining, where traffic flows through multiple VNFs in a specific order, and must allow dynamic insertion of new VNFs without re-cabling. Which technology should be used to implement the service chain?

A. VLAN trunking between VNFs on the same hypervisor
B. VXLAN overlay with policy-based forwarding to direct traffic through VNFs
C. Static routing between VNFs using dedicated interfaces
D. MPLS L3VPN between VNFs

Answer: B

VXLAN enables flexible, scalable service chaining by encapsulating traffic and steering it through VNFs based on policies.

Why this answer

VXLAN overlay with policy-based forwarding (PBF) is the correct choice because it enables service chaining by encapsulating traffic and steering it through a sequence of VNFs based on policies, without requiring physical re-cabling. This allows dynamic insertion of new VNFs by simply updating the forwarding policies in the overlay, which is essential for NFV environments where VNFs are hosted on the same server and must be chained flexibly.

Exam trap

The trap here is that candidates often confuse VLAN trunking (Option A) as sufficient for service chaining, but VLANs only provide segmentation, not the policy-based traffic steering required to enforce a specific ordered sequence of VNFs.

How to eliminate wrong answers

Option A is wrong because VLAN trunking between VNFs on the same hypervisor is limited to Layer 2 segmentation and cannot dynamically steer traffic through a specific ordered sequence of VNFs without manual reconfiguration or complex bridging. Option C is wrong because static routing between VNFs using dedicated interfaces requires physical or virtual interface changes and manual route updates, which does not support dynamic insertion of new VNFs without re-cabling or reconfiguration. Option D is wrong because MPLS L3VPN between VNFs is designed for site-to-site connectivity across a WAN, not for intra-server service chaining, and it lacks the policy-based traffic steering needed to enforce a specific VNF order on a single host.

10. Multi-Select (easy)

Which two statements about network design for high availability are true? (Choose two.)

A. HSRP allows two or more routers to share a virtual IP address, providing default gateway redundancy.
B. HSRP automatically load-balances traffic across all routers in the group.
C. StackWise Virtual allows two physical switches to operate as a single logical switch for redundancy.
D. A single uplink from an access switch to the distribution layer is sufficient for high availability.
E. Redundant links between switches do not require Spanning Tree Protocol to prevent loops.

Answers: A, C

Correct because HSRP enables a group of routers to present a single virtual gateway, with one active and one standby.

Why this answer

High availability design aims to minimize downtime through redundancy and fast convergence. First Hop Redundancy Protocols (FHRP) like HSRP, VRRP, or GLBP provide default gateway redundancy. StackWise Virtual allows switches to operate as a single logical device, improving redundancy and simplifying management.

Option A is correct because HSRP provides active/standby gateway redundancy. Option C is correct because StackWise Virtual virtualizes two switches into one, reducing complexity and improving resilience. Option B is incorrect because HSRP does not provide load balancing by default (GLBP does).

Option D is incorrect because a single uplink is a single point of failure; high availability requires redundant links. Option E is incorrect because redundant links without STP or loop prevention would cause broadcast storms; STP is essential.

11. MCQ (medium)

Consider the following configuration:

router bgp 65000
 bgp router-id 192.168.0.1
 neighbor 10.0.0.2 remote-as 65001
 neighbor 10.0.0.2 ebgp-multihop 2
 neighbor 10.0.0.2 update-source Loopback0
!
interface Loopback0
 ip address 192.168.0.1 255.255.255.255

What is missing for this BGP session to establish?

A. A route to reach 10.0.0.2 is missing; the neighbor must be reachable via the routing table.
B. The ebgp-multihop value should be 1 for a directly connected neighbor.
C. The remote-as must be the same as the local AS for EBGP.
D. The router-id must be the same as the update-source interface IP.

Answer: A

BGP requires TCP connectivity; without a route to the neighbor's IP, the session cannot form.

Why this answer

Option A is correct because for an eBGP session to establish, the neighbor IP address (10.0.0.2) must be reachable via the routing table. The configuration uses `ebgp-multihop 2` and an update-source of Loopback0, but there is no route (static or dynamic) to reach 10.0.0.2, so the TCP connection cannot be initiated. Without reachability, BGP will remain in the Idle state.

Exam trap

Cisco often tests the misconception that ebgp-multihop alone ensures connectivity, but the trap here is that candidates forget BGP requires IP reachability in the routing table for the neighbor address, not just a configured multihop value.

How to eliminate wrong answers

Option B is wrong because ebgp-multihop 2 is correctly used when the neighbor is not directly connected (e.g., using loopback interfaces); setting it to 1 would assume a directly connected interface, which is not the case here. Option C is wrong because for eBGP, the remote-as must be different from the local AS (65000 vs 65001), so stating it must be the same is incorrect. Option D is wrong because the router-id does not need to match the update-source interface IP; the router-id is used for BGP identifier purposes and can be any unique IP, while the update-source specifies which interface's IP to use for the TCP connection.

12. MCQ (easy)

What is the default OSPF hello interval on an Ethernet broadcast network?

A. 10 seconds
B. 30 seconds
C. 5 seconds
D. 20 seconds

Answer: A

The default hello interval for OSPF on broadcast and point-to-point networks is 10 seconds.

Why this answer

On Ethernet broadcast networks, OSPF defaults to a hello interval of 10 seconds, as specified in RFC 2328. This interval is used to maintain neighbor relationships and detect failures quickly on high-speed multi-access links.

Exam trap

Cisco often tests the OSPF hello interval default by mixing up broadcast and NBMA values, leading candidates to mistakenly choose 30 seconds for Ethernet networks.

How to eliminate wrong answers

Option B is wrong because 30 seconds is the default hello interval for OSPF on non-broadcast multi-access (NBMA) networks, such as Frame Relay, not on Ethernet broadcast networks. Option C is wrong because 5 seconds is not a standard OSPF hello interval; it is sometimes used in proprietary or tuned configurations but not the default. Option D is wrong because 20 seconds is not a default OSPF hello interval; it might be confused with the default dead interval multiplier (4 times the hello interval) which would be 40 seconds for a 10-second hello, not 20.

13. MCQ (medium)

Consider this configuration:

interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0

Which statement is true about this configuration?

A. The native VLAN 10 cannot be used as a routed interface because it is the native VLAN.
B. The trunk will only allow VLANs 10, 20, and 30, and VLAN 10 is the native VLAN.
C. The SVI for VLAN 10 will not come up because the native VLAN must be untagged.
D. The configuration is invalid because the native VLAN must be the same as the management VLAN.

Answer: B

The 'allowed vlan' command restricts the trunk to VLANs 10, 20, and 30, and 'native vlan 10' sets VLAN 10 as the native VLAN.

Why this answer

Option B is correct because the configuration explicitly permits VLANs 10, 20, and 30 on the trunk using the 'switchport trunk allowed vlan' command, and VLAN 10 is set as the native VLAN with the 'switchport trunk native vlan 10' command. The native VLAN carries untagged traffic on the trunk, but it is still a valid VLAN that can be included in the allowed list and can have an SVI for routing. The SVI for VLAN 10 will come up as long as the VLAN exists and there is at least one active switchport in that VLAN, which is satisfied by the trunk port.

Exam trap

Cisco often tests the misconception that the native VLAN cannot be used for routing or that it must be excluded from the allowed VLAN list, but in reality, the native VLAN is simply the VLAN that carries untagged frames and can be included in the allowed list and have an SVI.

How to eliminate wrong answers

Option A is wrong because the native VLAN can absolutely be used as a routed interface; the SVI for VLAN 10 will function normally, and there is no restriction that prevents a native VLAN from having an IP address. Option C is wrong because the native VLAN being untagged on the trunk does not prevent the SVI from coming up; the SVI is a Layer 3 interface that is independent of whether the VLAN traffic is tagged or untagged on the physical port. Option D is wrong because there is no requirement that the native VLAN must match the management VLAN; the management VLAN is typically used for out-of-band management traffic and can be any VLAN, while the native VLAN is a trunk-specific concept for untagged frames.

14. MCQ (medium)

Given the following configuration:

router eigrp TEST
 network 10.0.0.0 0.255.255.255
 network 192.168.1.0
!
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip summary-address eigrp TEST 10.0.0.0 255.0.0.0 5

What is the effect of the ip summary-address command?

A. It creates a summary route 10.0.0.0/8 with a metric of 5, advertised out GigabitEthernet0/0.
B. It creates a summary route 10.0.0.0/8 with a metric of 5, but only for the EIGRP process named TEST.
C. It creates a summary route 10.0.0.0/8 with a hop count of 5.
D. The command is invalid because the summary address must match the network statement exactly.

Answer: A

The summary address is 10.0.0.0/8, and the value 5 is the administrative distance for the summary route.

Why this answer

The `ip summary-address eigrp TEST 10.0.0.0 255.0.0.0 5` command creates a summary route of 10.0.0.0/8 with an administrative distance of 5, which is advertised out of GigabitEthernet0/0. The EIGRP process name TEST matches the router eigrp configuration, and the summary is generated regardless of the network statements, as long as the router has a more specific route within the summarized range.

Exam trap

Cisco often tests the misconception that the number after the summary address is a metric or hop count, when in fact it is the administrative distance for the summary route.

How to eliminate wrong answers

Option B is wrong because the summary route is advertised out of the specific interface (GigabitEthernet0/0), not for the entire EIGRP process; the process name only identifies which EIGRP instance the summary belongs to. Option C is wrong because the number 5 in the command sets the administrative distance for the summary route, not a hop count or metric; EIGRP uses metric (composite) values, not hop counts. Option D is wrong because the summary address does not need to match a network statement exactly; the `ip summary-address` command can summarize any range that includes subnets learned via EIGRP, even if the network statement is broader or different.

15. MCQ (medium)

Examine this configuration:

policy-map QOS_POLICY
 class VOICE
  priority percent 10
 class VIDEO
  bandwidth percent 30
 class class-default
  fair-queue
!
interface GigabitEthernet0/0
 service-policy output QOS_POLICY

What is the effect of this policy-map?

A. Voice traffic gets strict priority up to 10% of interface bandwidth, video gets at least 30%, and all other traffic is fair-queued.
B. Voice and video both get priority queuing, with voice at 10% and video at 30%.
C. The policy-map is invalid because you cannot use both priority and bandwidth in the same policy-map.
D. The policy-map will only shape traffic, not prioritize it.

Answer: A

'priority percent 10' gives the VOICE class strict priority capped at 10% of the interface bandwidth, 'bandwidth percent 30' gives the VIDEO class a 30% minimum guarantee, and 'fair-queue' shares the remainder among class-default traffic.

Why this answer

Option A is correct because the policy-map uses the 'priority percent 10' command under class VOICE, which provides strict priority queuing for voice traffic, guaranteeing it is serviced first up to 10% of the interface bandwidth. The 'bandwidth percent 30' command under class VIDEO allocates a minimum bandwidth guarantee of 30% for video traffic, while the 'fair-queue' command under class-default ensures all other traffic shares the remaining bandwidth fairly using Cisco's Class-Based Weighted Fair Queuing (CBWFQ). This configuration is valid and commonly used in enterprise QoS designs to prioritize real-time traffic while still providing bandwidth guarantees for other critical traffic.

Exam trap

Cisco often tests the misconception that 'priority' and 'bandwidth' cannot coexist in the same policy-map, or that 'bandwidth' implies priority queuing, when in fact they serve different roles (strict priority vs. guaranteed minimum bandwidth) and are commonly used together in enterprise QoS designs.

How to eliminate wrong answers

Option B is wrong because it incorrectly states that both voice and video get priority queuing; in this configuration, only the VOICE class uses the 'priority' command, while the VIDEO class uses 'bandwidth', which provides a minimum bandwidth guarantee, not strict priority. Option C is wrong because it claims the policy-map is invalid; Cisco IOS allows the use of both 'priority' and 'bandwidth' commands in the same policy-map, as long as the priority class is configured first and the total bandwidth allocations do not exceed 100%. Option D is wrong because the policy-map does not include any 'shape' command; it applies queuing and scheduling policies (priority, bandwidth, and fair-queue) on output, not traffic shaping.

16. MCQ (medium)

Which BGP attribute is preferred when the local preference is equal?

A. AS-path length (shorter is better)
B. MED (lower is better)
C. Origin code (IGP is preferred over EGP)
D. Next-hop IP address (lowest is preferred)

Answer: A

After local preference, BGP compares AS-path length; shorter paths are preferred.

Why this answer

When the local preference is equal, BGP selects the path with the shortest AS-path length. This is because AS-path length is the second tiebreaker in the BGP best path selection algorithm (after highest weight, then highest local preference). A shorter AS-path implies fewer autonomous system hops, which is generally preferred for routing efficiency.

Exam trap

Cisco often tests the order of BGP path selection tiebreakers, and the trap here is that candidates mistakenly think MED is compared before AS-path length, or that next-hop IP address is a valid tiebreaker.

How to eliminate wrong answers

Option B is wrong because MED (Multi-Exit Discriminator) is compared only when the paths come from the same neighboring AS; it is not the next tiebreaker after local preference — AS-path length is evaluated first. Option C is wrong because origin code (IGP < EGP < incomplete) is compared after AS-path length, not before. Option D is wrong because the next-hop IP address is never a tiebreaker in BGP path selection; BGP uses the IGP metric to the next-hop, not the IP address value.

17. Drag & Drop (medium)

Drag and drop the steps of a network audit and gap analysis into the correct order, from first to last.


Why this order

The audit starts with inventory collection, then performance baselining. Security and configuration compliance are checked, gaps are identified, and finally a remediation plan is created.

18. Multi-Select (hard)

Which three statements about the Cisco Enterprise WAN design principles are true? (Choose three.)

A. SD-WAN architecture separates the control plane and data plane, allowing centralized policy management.
B. Dual-homing a branch office to two different service provider routers increases WAN availability.
C. DMVPN requires a full mesh of static IPsec tunnels between all spoke routers.
D. MPLS Layer 3 VPNs use Virtual Routing and Forwarding (VRF) instances to provide customer isolation.
E. DMVPN requires a full mesh of IPsec tunnels between all spoke routers.

Answers: A, B, D

Correct because SD-WAN uses a controller-based approach where the control plane is centralized, simplifying policy deployment.

Why this answer

Enterprise WAN design focuses on connecting remote sites reliably and efficiently. SD-WAN decouples control and data planes for centralized management. Dual-homing provides redundancy.

MPLS VPNs offer any-to-any connectivity but with a full mesh of VRFs. Option A is correct because SD-WAN's centralized controller manages policies and path selection. Option B is correct because dual-homing to different provider routers improves availability.

Option D is correct because MPLS VPNs use VRFs to isolate customer routing, allowing overlapping addresses. Option C is incorrect because DMVPN uses dynamic tunnels (mGRE/NHRP), not static IPsec tunnels. Option E is incorrect because DMVPN does not require a full mesh; it uses a hub-and-spoke or partial mesh topology.

19. MCQ (easy)

An enterprise network uses OSPF in the core and EIGRP in the campus distribution layer. The engineer needs to redistribute routes between the two protocols. Which design consideration is most important to prevent routing loops?

A. Set appropriate administrative distance values for redistributed routes.
B. Use route maps to filter all redistributed routes.
C. Enable OSPF on all EIGRP interfaces.
D. Use a single routing protocol throughout the network.

Answer: A

Correct because AD controls route preference; if not set correctly, a redistributed route could be preferred over the original, causing loops.

Why this answer

Setting appropriate administrative distance values for redistributed routes is crucial to prevent routing loops when redistributing between OSPF and EIGRP. By default, EIGRP has an administrative distance of 170 for external routes and 90 for internal routes, while OSPF uses 110. If redistributed routes are not assigned a higher administrative distance, a router might prefer a redistributed route over a directly learned route, creating a feedback loop where routes are re-injected into the original protocol.

Adjusting the administrative distance ensures that redistributed routes are less preferred than native routes, breaking the loop.

Exam trap

Cisco often tests the misconception that route filtering (option B) is the primary loop-prevention mechanism, but the real trap is that administrative distance must be adjusted to prevent the redistribution feedback loop, especially when multiple routers perform mutual redistribution.

How to eliminate wrong answers

Option B is wrong because using route maps to filter all redistributed routes is overly restrictive and can prevent necessary route propagation, but it does not directly address the root cause of routing loops, which is the preference for redistributed routes over native ones. Option C is wrong because enabling OSPF on all EIGRP interfaces would merge the two routing domains, defeating the purpose of redistribution and potentially causing instability, but it does not prevent loops in a multi-protocol environment. Option D is wrong because using a single routing protocol throughout the network is a valid design choice but is not a consideration for preventing loops during redistribution; the question specifically asks about redistributing between two protocols, so this option avoids the problem rather than solving it.

20
Matching · medium

Drag and drop each network design tier on the left to its matching function on the right.

Matches

Provides Layer 2/Layer 3 access for end devices and users

Aggregates access switches and enforces routing policies

Provides high-speed, resilient backbone between distribution blocks

Combines core and distribution functions into a single layer

Provides leaf-to-leaf connectivity in a leaf-spine fabric

Why these pairings

The access layer provides user connectivity; the distribution layer aggregates and applies policies; the core layer provides high-speed transport.

21
MCQ · medium

A company is deploying a new data center and needs to choose between a three-tier (core, aggregation, access) and a spine-leaf architecture. The network engineer is concerned about east-west traffic patterns for server virtualization. Which architecture is most suitable and why?

A. Spine-leaf, because it provides equal-cost multipath (ECMP) for all leaf-to-leaf traffic.
B. Three-tier, because it offers more redundancy with multiple aggregation layers.
C. Spine-leaf, because it supports legacy spanning tree protocols.
D. Three-tier, because it is easier to manage with traditional VLANs.
Answer: A

Correct because spine-leaf uses ECMP to forward traffic between any two leaf switches with predictable latency, supporting east-west traffic efficiently.

Why this answer

Spine-leaf architecture is most suitable for east-west traffic patterns because it provides a full mesh of connections between leaf switches and spine switches, enabling equal-cost multipath (ECMP) routing. This allows all leaf-to-leaf traffic to traverse multiple parallel paths with equal cost, maximizing bandwidth utilization and minimizing latency, which is critical for server virtualization traffic that often moves between hypervisors.

Exam trap

Cisco often tests the misconception that three-tier architecture is more redundant or easier to manage, but the key trap here is that candidates may overlook how east-west traffic patterns require non-blocking, low-latency paths that only a spine-leaf design with ECMP can provide.

How to eliminate wrong answers

Option B is wrong because three-tier architecture introduces a bottleneck at the aggregation layer for east-west traffic, as traffic between access switches must traverse the aggregation layer, which does not provide the same level of ECMP as spine-leaf. Option C is wrong because spine-leaf architecture does not support legacy spanning tree protocols; in fact, it relies on routing protocols like OSPF or BGP to avoid STP, and STP would block redundant links in a spine-leaf design. Option D is wrong because three-tier architecture is not easier to manage with traditional VLANs for east-west traffic; VLANs in a three-tier design often require complex STP configurations and can lead to suboptimal traffic flows, whereas spine-leaf simplifies VLAN management with VXLAN or EVPN overlays.

22
Matching · medium

Drag and drop each PPDIOO phase on the left to its matching activity on the right.

Matches

Establish organizational requirements and high-level architecture

Assess existing network and identify gaps for new requirements

Create detailed network design and configuration templates

Deploy the design using change management and verification

Maintain network health through monitoring and troubleshooting

Why these pairings

Prepare establishes requirements; Plan identifies network needs; Design creates the detailed design; Implement deploys the design; Operate manages day-to-day; Optimize improves performance.

23
Drag & Drop · medium

Drag and drop the steps of the SD-Access fabric deployment sequence into the correct order, from first to last.

Why this order

SD-Access deployment begins with underlay configuration for physical connectivity, then overlay setup with LISP/VXLAN, followed by policy definition and integration with DNA Center for automation and assurance.

24
MCQ · easy

A company is deploying a new branch office with 50 users. The branch needs to connect to the headquarters via a WAN link. The engineer wants to use a design that minimizes the need for routing protocol configuration at the branch while still providing redundancy. Which design is most appropriate?

A. Use a hub-and-spoke design with static routes on the branch router and a single WAN link.
B. Use a full mesh design with OSPF on all routers.
C. Use a point-to-point design with BGP on the branch router.
D. Use a spine-leaf design with multiple WAN links.
Answer: A

Correct because hub-and-spoke with static routes is simple and requires minimal configuration; a second link with floating static routes can be added for redundancy.

Why this answer

Option A is correct because a hub-and-spoke design with static routes on the branch router minimizes routing protocol configuration (no dynamic routing protocol needed) while still providing redundancy if the single WAN link is backed by a secondary path (e.g., a backup link or dual-homed connection) that can be handled via floating static routes. This approach keeps the branch router simple and avoids the complexity of running OSPF or BGP, which is unnecessary for a small branch with 50 users.

Exam trap

Cisco often tests the misconception that redundancy always requires a dynamic routing protocol, but static routes with floating static routes can provide simple, effective redundancy without the configuration overhead of OSPF or BGP.

How to eliminate wrong answers

Option B is wrong because a full mesh design with OSPF on all routers requires extensive routing protocol configuration on every router, including the branch, which contradicts the goal of minimizing configuration. Option C is wrong because using BGP on the branch router adds significant configuration and operational overhead (e.g., AS numbers, neighbor statements, prefix advertisement) that is not needed for a simple branch connection. Option D is wrong because a spine-leaf design is intended for data center networks with high east-west traffic and multiple paths, not for a small branch office with a single WAN link; it would introduce unnecessary complexity and cost.
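
An added illustration (not from the question bank) of the branch design the explanation describes: a default route over the primary WAN link, a floating static route over the backup link, and IP SLA tracking so that the primary route is withdrawn when the hub becomes unreachable even though the local interface stays up. All addresses, interface names and the SLA/track numbers are assumptions.

```cisco
! Constructed example: branch router with two WAN links toward the hub
! (documentation-range addresses and interface names are assumed).
!
! Probe the hub's primary WAN address every 10 seconds over the primary link.
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Track object goes DOWN when the probe fails; the delay values damp flapping.
track 1 ip sla 1 reachability
 delay up 30 down 10
!
! Primary default route (AD 1) stays in the routing table only while track 1
! is UP. Without tracking, the route would only disappear if the local
! interface went down, which an upstream provider fault does not cause.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
!
! Floating static: AD 250 keeps it out of the table until the primary route
! is withdrawn; then it is installed automatically and removed again when
! the primary returns.
ip route 0.0.0.0 0.0.0.0 198.51.100.1 250
!
! Hub side (separate device, shown for completeness): return routes to the
! branch LAN floating the same way, so traffic returns over the active link.
! ip route 10.50.0.0 255.255.255.0 203.0.113.2
! ip route 10.50.0.0 255.255.255.0 198.51.100.2 250
```

Check the result with `show ip route 0.0.0.0` and `show track 1` while the primary link is up and again after the probe fails.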

25
MCQ · medium

Given this configuration:

interface GigabitEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 ip pim sparse-mode
!
interface GigabitEthernet0/1
 ip address 172.16.2.1 255.255.255.0
 ip pim sparse-mode
!
ip pim rp-address 172.16.1.1

What is the effect of this configuration?

A. The router uses 172.16.1.1 as the RP for all multicast groups, and PIM sparse-mode is enabled on both interfaces.
B. The router will automatically elect an RP using BSR because no RP is configured.
C. PIM dense-mode is used because sparse-mode is not fully configured.
D. The configuration is invalid because the RP address must be a loopback interface.
Answer: A

The 'ip pim rp-address' command statically assigns the RP, and sparse-mode is enabled on the interfaces.

Why this answer

The configuration statically assigns 172.16.1.1 as the RP for all multicast groups using the 'ip pim rp-address' command, and both interfaces are explicitly configured with 'ip pim sparse-mode'. This ensures that PIM sparse-mode is operational on the interfaces and that the router uses the specified RP for group-to-RP mapping, making option A correct.

Exam trap

Cisco often tests the misconception that the RP must be a loopback interface for stability, but the command accepts any reachable IP address, including a physical interface, as long as it is configured with 'ip pim sparse-mode' or 'ip pim sparse-dense-mode'.

How to eliminate wrong answers

Option B is wrong because an RP is explicitly configured with 'ip pim rp-address 172.16.1.1', so the router will not use BSR for automatic RP election. Option C is wrong because PIM sparse-mode is fully configured on both interfaces and an RP is defined; PIM dense-mode is not used. Option D is wrong because the RP address does not need to be a loopback interface; it can be any IP address reachable by the router, including a physical interface address like 172.16.1.1.

26
MCQ · medium

An enterprise is redesigning its WAN QoS architecture to support real-time voice, video, and critical data applications over a limited bandwidth link. The architect must ensure that voice traffic receives strict priority queuing and that video traffic is guaranteed a minimum bandwidth, while allowing best-effort traffic to use remaining capacity. Which queuing strategy should be deployed on the WAN edge routers?

A. FIFO (First In, First Out) with tail drop
B. CBWFQ (Class-Based Weighted Fair Queuing) without a priority queue
C. LLQ (Low Latency Queuing) with a strict priority queue for voice and CBWFQ for video and data
D. WRED (Weighted Random Early Detection) with DSCP-based drop probabilities
Answer: C

LLQ combines a strict priority queue (for voice) with CBWFQ classes (for video and data), meeting both latency and bandwidth requirements.

Why this answer

LLQ combines a strict priority queue for delay-sensitive voice traffic with CBWFQ for other classes, guaranteeing minimum bandwidth for video while allowing best-effort traffic to share remaining capacity. This satisfies the requirement for strict priority queuing for voice and bandwidth guarantees for video, which CBWFQ alone cannot provide because it lacks a priority queue.

Exam trap

Cisco often tests the distinction between CBWFQ and LLQ, trapping candidates who think CBWFQ alone can provide strict priority queuing, when in fact only LLQ adds the 'priority' keyword to create a low-latency queue.

How to eliminate wrong answers

Option A is wrong because FIFO with tail drop provides no differentiation between traffic types, causing voice and video to suffer delay and drops alongside best-effort data. Option B is wrong because CBWFQ without a priority queue cannot offer strict priority queuing for voice, which is essential for low-latency real-time traffic. Option D is wrong because WRED is a congestion avoidance mechanism that manages drop probabilities based on DSCP, not a queuing strategy, and it cannot guarantee minimum bandwidth or strict priority for voice.

27
MCQ · medium

A network architect is designing a campus network for a large university with 10,000+ users. The design must provide high availability, minimize failure domains, and allow for easy scaling of the access layer. The core layer should be resilient and support fast convergence. Which hierarchical design model best meets these requirements?

A. Three-tier hierarchical design with access, distribution, and core layers, using redundant links and VRRP for gateway redundancy
B. Collapsed core design with core and distribution combined into one layer
C. Flat Layer 2 design with all switches in a single VLAN
D. Leaf-spine design with all switches acting as leafs and spines
Answer: A

This design separates failure domains, provides high availability via redundancy, and scales by adding distribution or access switches.

Why this answer

The three-tier hierarchical design (access, distribution, core) is the correct choice because it provides clear separation of failure domains, allows easy scaling by adding access switches, and supports high availability through redundant links and VRRP (or HSRP/GLBP) for first-hop gateway redundancy. The core layer can be designed with fast-converging protocols like ECMP and BFD to meet the resilience and convergence requirements for a large campus with 10,000+ users.

Exam trap

Cisco often tests the misconception that a collapsed core design is always more efficient for small-to-medium networks, but for a large campus with 10,000+ users, the three-tier model is required to minimize failure domains and allow independent scaling of the access layer.

How to eliminate wrong answers

Option B is wrong because a collapsed core design combines the core and distribution layers, which reduces the number of devices but creates a larger failure domain and limits scalability at the access layer, making it unsuitable for a large university campus. Option C is wrong because a flat Layer 2 design with all switches in a single VLAN creates a massive broadcast domain, leading to poor convergence, security risks, and no fault isolation, which violates the requirement to minimize failure domains. Option D is wrong because leaf-spine design is optimized for data center east-west traffic patterns and does not align with the north-south traffic flow typical of a campus network; it also does not provide the same level of gateway redundancy and access-layer scaling as a three-tier design.

28
MCQ · medium

A network team is designing an SD-WAN overlay for a multinational enterprise with 500+ branch sites. The design must ensure that control plane traffic (e.g., OMP updates) is encrypted and authenticated between all vSmart controllers and vEdge routers, while allowing data plane traffic to use IPsec tunnels between branch sites directly. Which architectural element is responsible for orchestrating the initial authentication and certificate enrollment of all SD-WAN devices?

A. vManage
B. vSmart
C. vBond
D. vEdge
Answer: C

vBond acts as the orchestrator, authenticating devices and enabling them to join the SD-WAN overlay securely.

Why this answer

C is correct because the vBond orchestrator is the sole component responsible for initial authentication and certificate enrollment in Cisco SD-WAN. It acts as a trusted certificate authority (CA) proxy, validating the serial numbers and certificates of all vSmart controllers and vEdge routers before they join the overlay network. Without vBond, devices cannot establish trust or receive the authorized list of vSmart and vManage IP addresses.

Exam trap

Cisco often tests the misconception that vManage handles all management functions including authentication, but the trap here is that vBond is the dedicated orchestrator for initial trust and certificate enrollment, while vManage only manages the devices after they have been authenticated.

How to eliminate wrong answers

Option A is wrong because vManage is the management and monitoring plane, handling configuration templates, policies, and analytics, but it does not perform initial authentication or certificate enrollment. Option B is wrong because vSmart is the control plane controller that distributes OMP routes and policies, but it relies on vBond for initial trust and does not handle certificate issuance. Option D is wrong because vEdge is a data plane router that terminates IPsec tunnels and forwards traffic; it is a client in the authentication process, not the orchestrator of it.

29
MCQ · medium

An architect is designing an SD-Access fabric for a campus network that must support dynamic endpoint grouping based on user identity and device type. The design must minimize manual policy configuration and allow the fabric to enforce access policies at the edge. Which combination of components and protocols is required to meet these requirements?

A. Cisco ISE for policy management, LISP for control plane, VXLAN for data plane, and Cisco TrustSec for SGT-based enforcement
B. Cisco ISE for policy management, OSPF for control plane, GRE for data plane, and ACLs for enforcement
C. Cisco ISE for policy management, BGP for control plane, MPLS for data plane, and VLANs for enforcement
D. Cisco ISE for policy management, LISP for data plane, VXLAN for control plane, and 802.1X for enforcement
Answer: A

This combination provides identity-based policy, scalable overlay, and dynamic group-based enforcement at the edge.

Why this answer

Option A is correct because SD-Access uses Cisco ISE as the policy engine to define user/device-based policies, LISP as the control plane for endpoint-to-location mapping and mobility, VXLAN as the data plane for overlay encapsulation, and Cisco TrustSec for SGT-based enforcement at the edge. This combination enables dynamic endpoint grouping without manual ACLs, as SGTs are propagated via VXLAN Group Policy Option (GPO) and enforced by the fabric edge switches.

Exam trap

Cisco often tests the specific roles of LISP (control plane) and VXLAN (data plane) in SD-Access, and the trap here is confusing their functions or assuming that traditional protocols like OSPF/BGP or ACLs/VLANs can replace the overlay control and policy enforcement mechanisms.

How to eliminate wrong answers

Option B is wrong because OSPF is a routing protocol used in the underlay, not the SD-Access control plane; GRE lacks the scalability and group-based policy support of VXLAN, and ACLs require manual configuration, contradicting the requirement to minimize manual policy. Option C is wrong because BGP is not the SD-Access control plane (LISP is), MPLS is not used as the data plane in SD-Access (VXLAN is), and VLANs enforce segmentation at Layer 2, not dynamic SGT-based policies. Option D is wrong because LISP is the control plane, not the data plane; VXLAN is the data plane, not the control plane; and 802.1X provides authentication but not the enforcement mechanism for SGT-based policies—TrustSec or SGT tagging is required for enforcement.

30
MCQ · medium

An enterprise is migrating its data center to a leaf-spine architecture to support high east-west traffic between servers. The design must provide non-blocking forwarding and allow for easy scaling by adding more spines. Which characteristic is essential for the spine switches in this design?

A. Spine switches must run Spanning Tree Protocol (STP) to prevent loops
B. Spine switches must support high port density and high forwarding capacity, and act as Layer 3 routers
C. Spine switches must be connected to each other to provide redundancy
D. Spine switches must perform NAT to translate between VLANs
Answer: B

Spine switches are the backbone, forwarding traffic between leaf switches using Layer 3 routing and ECMP for load balancing.

Why this answer

In a leaf-spine architecture designed for non-blocking forwarding and high east-west traffic, spine switches must act as Layer 3 routers with high port density and forwarding capacity. This allows them to perform Equal-Cost Multi-Path (ECMP) routing, which distributes traffic across all available uplinks without blocking, ensuring that any leaf can reach any other leaf with predictable latency and full bandwidth utilization.

Exam trap

Cisco often tests the misconception that STP is needed in all redundant switch designs, but in a Layer 3 leaf-spine architecture, STP is not used because routing protocols inherently prevent loops and allow all links to be active.

How to eliminate wrong answers

Option A is wrong because Spanning Tree Protocol (STP) is a Layer 2 loop-prevention mechanism that actively blocks redundant links, which would defeat the purpose of a non-blocking leaf-spine design where all links must be active and forwarding. Option C is wrong because spine switches are never directly connected to each other in a valid leaf-spine topology; doing so would create a Layer 3 routing loop or a Layer 2 loop, and redundancy is achieved by having multiple spine switches, not by interconnecting them. Option D is wrong because NAT is used for translating between private and public IP addresses, not for inter-VLAN routing; in a leaf-spine design, inter-VLAN routing is performed by the spine switches using Layer 3 forwarding (e.g., OSPF or BGP), not NAT.

31
MCQ · hard

An enterprise network is experiencing high CPU utilization on the distribution layer switches. The design uses VLANs with SVIs for inter-VLAN routing, and HSRP for first-hop redundancy. The engineer notices that the standby switch is also experiencing high CPU. What is the most likely cause?

A. The standby switch is processing HSRP hellos for all VLANs, causing CPU spikes.
B. The standby switch is forwarding all broadcast traffic due to a misconfigured STP root.
C. The standby switch is performing routing for all VLANs because the active switch failed.
D. The standby switch is processing VTP updates from the distribution layer.
Answer: A

Correct because HSRP hellos are sent every 3 seconds per group; with many VLANs (e.g., 500), the CPU must process all hellos, leading to high utilization.

Why this answer

In an HSRP setup, both the active and standby routers process incoming Hello messages for every VLAN on which HSRP is configured. Even though the standby switch does not forward inter-VLAN traffic, it must still receive and process periodic HSRP hellos (default every 3 seconds) to maintain its role and detect active failures. With a large number of VLANs, the cumulative CPU overhead from processing these hellos can cause high utilization on both switches.

Exam trap

Cisco often tests the misconception that the standby switch is idle or only processes traffic during failover, when in reality it must continuously process HSRP hellos for every configured group, which can become a significant CPU burden in large VLAN deployments.

How to eliminate wrong answers

Option B is wrong because broadcast traffic is forwarded based on the VLAN's STP topology, not the HSRP role; a misconfigured STP root could cause suboptimal forwarding but would not specifically cause high CPU on the standby switch. Option C is wrong because if the active switch had failed, the standby would transition to active and begin routing, but the question states both switches are experiencing high CPU simultaneously, not that a failover occurred. Option D is wrong because VTP updates are processed by all switches in the same VTP domain regardless of HSRP state, and VTP processing is typically minimal unless large topology changes occur; it would not selectively cause high CPU on the standby.

32
MCQ · medium

An enterprise is deploying Cisco SD-WAN and must ensure that data plane traffic between branch sites is encrypted and authenticated. The design must also allow the use of application-aware routing to steer traffic based on real-time performance metrics. Which component is responsible for establishing and managing the IPsec tunnels between branch routers?

A. vSmart controllers
B. vEdge/cEdge routers
C. vManage
D. vBond
Answer: B

vEdge/cEdge routers are the data plane devices that establish and terminate IPsec tunnels between branches, encrypting traffic and applying application-aware routing.

Why this answer

The vEdge/cEdge routers are the correct answer because they are the SD-WAN edge devices that terminate IPsec tunnels for data plane traffic. In Cisco SD-WAN, the data plane is fully distributed: each vEdge or cEdge router establishes and manages its own IPsec tunnels (using DTLS/TLS for control and IPsec for data) directly with other branch routers. This allows the routers to apply application-aware routing by monitoring real-time performance metrics (e.g., loss, latency, jitter) and steering traffic across the encrypted tunnels accordingly.

Exam trap

Cisco often tests the misconception that vSmart controllers handle all tunnel management, but in SD-WAN, vSmart only distributes policies and OMP routes, while the actual IPsec tunnel establishment and data plane forwarding is a function of the vEdge/cEdge routers.

How to eliminate wrong answers

Option A is wrong because vSmart controllers are responsible for the control plane—they distribute routing policies, OMP routes, and TLOCs to vEdge/cEdge routers, but they do not establish or manage IPsec data plane tunnels. Option C is wrong because vManage is the management and orchestration plane; it provides a GUI for configuration, monitoring, and troubleshooting but does not participate in IPsec tunnel establishment. Option D is wrong because vBond is the orchestrator that handles initial authentication, NAT traversal, and vSmart/vManage discovery; it does not terminate or manage IPsec data plane tunnels.

33
Drag & Drop · medium

Drag and drop the steps of IP addressing scheme design and subnetting steps into the correct order, from first to last.

Why this order

IP addressing design starts with gathering requirements, then choosing a private address space. Subnetting is applied to create subnets, which are assigned to specific network segments, and finally summarized to reduce routing table size.

34
MCQ · medium

A network architect is designing QoS for a converged network carrying voice, video, and data. The design must use the DiffServ model and ensure that voice traffic is marked with the highest priority and that video traffic is marked with a lower priority but still above data. Which DSCP markings should be assigned to voice and video traffic, respectively, to comply with the standard Per-Hop Behavior (PHB) definitions?

A. Voice: DSCP 46 (EF); Video: DSCP 34 (AF41)
B. Voice: DSCP 56 (CS7); Video: DSCP 48 (CS6)
C. Voice: DSCP 40 (AF41); Video: DSCP 46 (EF)
D. Voice: DSCP 26 (AF31); Video: DSCP 18 (AF21)
Answer: A

EF (DSCP 46) provides strict priority for voice; AF41 (DSCP 34) provides assured forwarding for video with lower priority than voice.

Why this answer

Option A is correct because the DiffServ model defines specific Per-Hop Behaviors (PHBs) for different traffic types. Voice traffic requires low latency, jitter, and loss, which is best served by the Expedited Forwarding (EF) PHB, assigned DSCP 46. Video traffic, while still delay-sensitive, can tolerate some loss and is typically marked with Assured Forwarding (AF41, DSCP 34), which provides a lower priority queue than EF but higher than best-effort data.

Exam trap

Cisco often tests the specific DSCP values for EF (46) and AF41 (34) and the fact that voice must use EF (not AF or CS) to ensure strict priority queuing, while video uses the highest AF class (AF41) to differentiate it from data without breaking the EF queue.

How to eliminate wrong answers

Option B is wrong because DSCP 56 (CS7) and DSCP 48 (CS6) are Class Selector codepoints used for network control traffic (e.g., routing protocols), not for voice or video; they would starve other traffic and violate the standard PHB definitions. Option C is wrong because it reverses the priority: DSCP 40 (AF41) is for video, not voice, and DSCP 46 (EF) is for voice, not video; this would incorrectly prioritize video over voice. Option D is wrong because DSCP 26 (AF31) and DSCP 18 (AF21) are Assured Forwarding classes with lower drop precedence, typically used for mission-critical data or streaming video, not for real-time voice; they do not provide the strict priority queuing required for voice traffic.
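
As an added example (not part of the original questions), the WAN-edge queuing policy described in question 26 built on the DSCP markings from this question: voice marked EF goes to the strict priority queue, video marked AF41 receives a bandwidth guarantee, and everything else shares the remainder. Policy and class names, the percentages and the interface are assumptions.

```cisco
! Constructed example: LLQ on a WAN edge router (names, percentages and the
! interface are assumed; the DSCP values follow the PHB definitions above).
!
! Classify on the DiffServ marking the packets already carry.
class-map match-all VOICE
 match dscp ef
class-map match-all VIDEO
 match dscp af41
!
policy-map WAN-EDGE
 ! Strict priority queue: always serviced first, but policed to 20% of the
 ! interface bandwidth during congestion so a voice burst cannot starve
 ! the other classes.
 class VOICE
  priority percent 20
 ! CBWFQ class: guaranteed at least 30% under congestion, and may use more
 ! when the link is idle.
 class VIDEO
  bandwidth percent 30
 ! Best effort: shares whatever is left, flow-fair among data sessions.
 class class-default
  fair-queue
!
interface GigabitEthernet0/1
 description WAN uplink (assumed 20 Mb/s service rate)
 bandwidth 20000
 service-policy output WAN-EDGE
!
! Verify per-class offered rate, drops and queue depth with:
! show policy-map interface GigabitEthernet0/1
```

On an Ethernet handoff whose physical rate exceeds the contracted service rate, nest this policy under a parent class-default shaper at the service rate; otherwise the interface never congests locally and the queues are never engaged.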

35
Drag & Drop · medium

Drag and drop the steps of the hierarchical campus network design process into the correct order, from first to last.

Why this order

The hierarchical design process starts with access layer connectivity, then moves to distribution layer aggregation, core layer transport, and finally WAN edge integration. This layered approach optimizes scalability and performance.

36
Matching · medium

Drag and drop each WAN topology type on the left to its matching characteristic on the right.

Matches

Simple dedicated link between two sites

Central site connects to multiple remote sites

Every site directly connected to every other site

Some sites directly connected, others through intermediate

Service provider network providing any-to-any Layer 3 connectivity

Why these pairings

Point-to-point is simple and dedicated; hub-and-spoke centralizes traffic; full mesh provides high redundancy; partial mesh balances cost and redundancy; MPLS VPN offers any-to-any connectivity.

37
MCQ · medium

Examine the following configuration snippet:

interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf hello-interval 10
 ip ospf dead-interval 40
!
router ospf 1
 network 192.168.1.0 0.0.0.255 area 0

What is the effect of this configuration?

A. OSPF adjacency will form with a neighbor using hello/dead intervals of 10/40 seconds.
B. OSPF adjacency will not form because the hello interval is too low for point-to-point.
C. The network command under router ospf will be ignored because the interface has an explicit network type.
D. OSPF will use the default broadcast network type because the point-to-point keyword is misspelled.
Answer: A

The point-to-point network type with explicit hello/dead intervals of 10/40 matches the default for point-to-point, so adjacency forms normally.

Why this answer

The configuration sets the OSPF network type to point-to-point on the interface, which allows OSPF to form an adjacency with a neighbor using the configured hello interval of 10 seconds and dead interval of 40 seconds. These intervals are valid for point-to-point networks, and the network command under router ospf correctly enables OSPF on the interface. Therefore, an adjacency will form as long as the neighbor's intervals match.

Exam trap

Cisco often tests the misconception that the network command is ignored when an explicit ip ospf network type is configured, but in reality both work together—the network command enables OSPF on the interface, and the ip ospf network command only changes the OSPF network type.

How to eliminate wrong answers

Option B is wrong because a hello interval of 10 seconds is not too low for point-to-point; the default hello interval for point-to-point is 10 seconds, and it can be set lower (e.g., 1 second) without preventing adjacency formation as long as the neighbor matches. Option C is wrong because the network command under router ospf is not ignored; it is still used to determine which interfaces participate in OSPF, and the explicit network type on the interface only overrides the default network type, not the network command. Option D is wrong because the keyword 'point-to-point' is correctly spelled in the configuration snippet, and OSPF will use the point-to-point network type, not the default broadcast type.

38
MCQ · medium

A campus network uses a collapsed core design with two distribution switches and multiple access switches. The engineer wants to ensure that if one distribution switch fails, the access switches can still reach the core. The access switches are connected to both distribution switches. What additional configuration is required on the access switches?

A. Configure the access switches with VPC (Virtual Port Channel) to the distribution switches.
B. Enable STP on the access switches and set the root bridge priority to 0.
C. Configure the access switches with HSRP to the distribution switches.
D. Use static routing with equal-cost paths from the access switches to the distribution switches.
Answer: A

Correct because VPC allows both uplinks to be active simultaneously, providing redundancy and load balancing without STP blocking.

Why this answer

Option A is correct because VPC allows the access switches to form a single logical link to the pair of distribution switches, enabling active-active forwarding and seamless failover. If one distribution switch fails, the access switch continues to reach the core through the surviving distribution switch without requiring STP convergence or routing protocol changes.

Exam trap

Cisco often tests the misconception that STP or FHRP alone can solve distribution switch failure scenarios, but the key is that VPC provides active-active Layer 2 uplinks with fast failover, whereas STP blocks one link and FHRP only handles gateway redundancy, not uplink connectivity.

How to eliminate wrong answers

Option B is wrong because enabling STP and setting root bridge priority to 0 only influences the Layer 2 spanning-tree topology, but it does not provide active-active uplink utilization or fast failover; STP would still block one uplink, and convergence delays would occur. Option C is wrong because HSRP is a First Hop Redundancy Protocol (FHRP) used for default gateway redundancy on the distribution switches themselves, not on the access switches; configuring HSRP on access switches does not solve the uplink failure scenario. Option D is wrong because static routing with equal-cost paths requires Layer 3 connectivity between the access and distribution switches, but in a typical collapsed core design, access switches are Layer 2 devices; even if they were Layer 3, static routes would not provide the fast, deterministic failover that VPC offers at Layer 2.

39
Drag & Drop · medium

Drag and drop the steps of the disaster recovery failover process into the correct order, from first to last.

Why this order

Failover begins with detecting the primary failure, then activating the backup path. Traffic is redirected to the secondary site, and after the primary is restored, operations are switched back in a controlled manner.

40
Matching · medium

Drag and drop each Cisco campus design model component on the left to its matching description on the right.

Provides port density and PoE for end devices

Aggregates access switches and provides routing

Provides high-speed, non-blocking backbone

Provides Layer 3 gateway for VLANs

Combines two physical switches into one logical switch

Why these pairings

The campus design uses a hierarchical model with access, distribution, core layers; SVI provides Layer 3 gateway; VSS virtualizes switches; StackWise combines physical switches; PoE powers endpoints.

41
Drag & Drop · medium

Drag and drop the steps of the network documentation and change management workflow into the correct order, from first to last.

Why this order

Change management begins with a request and impact assessment, followed by approval. After implementation, verification ensures success, and finally the documentation is updated to reflect the change.

42
MCQ · medium

A large enterprise is redesigning its campus network to support 5000 users across three buildings. The design must provide high availability and fast convergence in case of a link failure. The network engineer is considering using Spanning Tree Protocol (STP) in the access layer. What is the primary design concern with using STP in this scenario?

A. STP will cause slow convergence and inefficient use of redundant links.
B. STP requires all switches to be in the same VLAN to function correctly.
C. STP cannot be used with 5000 users due to MAC address table limitations.
D. STP will cause broadcast storms in a three-building design.
Answer: A

Correct because STP blocks redundant links and convergence can take 30-50 seconds, which is not suitable for high-availability designs.

Why this answer

STP (802.1D) converges slowly, typically taking 30-50 seconds (listening + learning states) after a topology change. In a large campus network with 5000 users, this delay causes unacceptable downtime. Additionally, STP blocks redundant links to prevent loops, wasting bandwidth that could be used for load balancing.

Modern alternatives like Rapid PVST+ (802.1w) or MST (802.1s) offer sub-second convergence, making classic STP a poor choice for high-availability designs.

Exam trap

Cisco often tests the misconception that STP is a suitable high-availability solution, when in fact its slow convergence and blocked link inefficiency make it a poor choice for modern campus networks; candidates may overlook the need for RSTP or MST in the design.

How to eliminate wrong answers

Option B is wrong because STP does not require all switches to be in the same VLAN; it operates per VLAN (PVST/PVST+) or per instance (MST), and switches in different VLANs can still participate in STP. Option C is wrong because STP does not impose MAC address table limitations based on user count; MAC table size is a hardware limitation of the switch ASIC, not a protocol constraint, and 5000 users is well within typical switch capacities. Option D is wrong because STP is designed to prevent broadcast storms by blocking redundant paths; broadcast storms are caused by loops, which STP actively eliminates, not creates.

43
Matching · medium

Drag and drop each First Hop Redundancy Protocol on the left to its matching function on the right.

Cisco-proprietary active/standby gateway redundancy with one virtual IP

Open standard with master/backup election and one virtual IP

Cisco-proprietary load-balancing across multiple gateways using AVF/AVG

Adds support for IPv6 and increased group numbers

Supports IPv4 and IPv6 with improved timers

Why these pairings

HSRP uses an active/standby model with one virtual MAC; VRRP uses an election process with a single virtual MAC; GLBP load-balances across multiple gateways.

44
MCQ · hard

A network engineer is designing a data center network using Cisco ACI. The design must support multiple tenants with isolated policies. The engineer needs to ensure that traffic between endpoints in different tenants is blocked by default. Which ACI construct provides this isolation?

A. Tenant
B. VRF
C. Bridge Domain
D. Contract
Answer: A

Correct because tenants in ACI provide administrative and policy isolation; endpoints in different tenants cannot communicate unless a contract is created between them.

Why this answer

In Cisco ACI, a Tenant is the top-level logical container that provides administrative and policy isolation. By default, endpoints in different tenants cannot communicate because each tenant has its own separate policy domain, and no contracts exist between them. This makes the Tenant the correct construct for ensuring traffic between different tenants is blocked by default.

Exam trap

Cisco often tests the misconception that VRFs or Bridge Domains provide cross-tenant isolation, but the trap here is that VRFs and BDs are scoped within a single tenant and do not inherently block traffic between different tenants—only the Tenant construct enforces default isolation.

How to eliminate wrong answers

Option B is wrong because a VRF (Virtual Routing and Forwarding) provides Layer 3 network segmentation within a tenant, but it does not enforce policy isolation between tenants; multiple VRFs can exist within the same tenant and inter-VRF traffic can be allowed via contracts. Option C is wrong because a Bridge Domain (BD) is a Layer 2 forwarding construct within a tenant that defines a subnet and associated VRF, but it does not provide cross-tenant isolation; BDs are scoped to a single tenant. Option D is wrong because a Contract defines the rules for allowed communication between endpoint groups (EPGs) within or across tenants, but it is not the default isolation mechanism; contracts are used to explicitly permit traffic, whereas isolation between tenants is inherent to the Tenant construct itself.