CCNA SD-WAN Architecture Questions

58 questions · SD-WAN Architecture · All types, answers revealed

1
MCQ · medium

A network architect is designing a Cisco SD-Access fabric for a university campus that requires segmentation between student, faculty, and guest traffic. The design must use Cisco TrustSec for scalable security group tags (SGTs) and integrate with Cisco ISE for policy enforcement. Which fabric component should the architect use to enforce SGT-based policies at the access layer?

A.Fabric border node
B.Fabric control plane node
C.Fabric edge node
D.Wireless LAN controller
Answer: C

The fabric edge node enforces SGT-based policy: it applies the SGACLs that ISE provides for the SGT assigned to the endpoint at authentication.

Why this answer

The fabric edge node is the access-layer switch in Cisco SD-Access, and it is the device that enforces SGT-based policy. When an endpoint authenticates (802.1X or MAB), Cisco ISE returns the SGT in the RADIUS authorization; the edge carries that tag in the VXLAN-GPO header across the fabric and downloads the SGACLs for the relevant source/destination SGT pairs directly from ISE, applying them as traffic enters or leaves the fabric. Because the tag is assigned and enforced at the edge, student, faculty and guest traffic are segmented at the point of entry rather than at a central chokepoint.

Exam trap

Cisco often tests the misconception that the fabric border node or control plane node enforces policies, when in fact the fabric edge node is the only device that applies SGT-based access control at the access layer.

How to eliminate wrong answers

Option A is wrong because the fabric border node connects the SD-Access fabric to external networks (WAN, data center, shared services) and handles SGT propagation to non-fabric domains (for example via SXP or inline tagging), but it does not enforce policy on access-layer user traffic. Option B is wrong because the fabric control plane node maintains the LISP host-tracking database (endpoint-to-fabric-edge mappings) that edges and borders query; it sits outside the data path and applies no SGACLs. Option D is wrong because in SD-Access wireless the fabric-enabled WLC handles AP and client control (CAPWAP) only; wireless client data is VXLAN-encapsulated from the access point to the fabric edge node, which applies the same SGT-based enforcement it applies to wired clients.

2
Matching · medium

Drag and drop each WAN transport type on the left to its matching SD-WAN characteristic on the right.

Matches

Provides guaranteed SLA, low jitter, and private connectivity

Cost-effective transport with variable latency and potential packet loss

Cellular transport enabling mobility and rapid deployment with moderate bandwidth

High-bandwidth, low-latency cellular transport with network slicing capabilities

High-latency transport used for remote or maritime connectivity

Why these pairings

MPLS offers predictable, SLA-backed performance over private connectivity; broadband Internet is low-cost but variable in latency and loss; LTE offers mobility and quick turn-up at moderate bandwidth; 5G adds high bandwidth, low latency and network slicing; satellite reaches remote or maritime sites at the cost of high latency.

3
MCQ · easy

Which component in Cisco SD-WAN is responsible for orchestrating the overlay network, including authentication and NAT traversal?

A.vBond orchestrator
B.vSmart controller
C.vManage NMS
D.vEdge router
Answer: A

vBond is the orchestrator that handles authentication, NAT traversal, and helps devices discover vSmart and vManage.

Why this answer

The vBond orchestrator is responsible for the initial authentication of all SD-WAN components (vSmart, vManage, vEdge/cEdge) into the overlay network. It also performs NAT traversal by discovering and distributing the public IP addresses and port numbers of vEdge routers behind NAT, enabling secure DTLS/TLS connections between them. Without vBond, new devices cannot securely join the fabric or establish control-plane connectivity.

Exam trap

Cisco often tests the misconception that vSmart handles all control-plane functions including authentication, but the trap here is that vSmart only manages OMP routes and policies, while vBond is the dedicated orchestrator for initial trust and NAT traversal.

How to eliminate wrong answers

Option B (vSmart controller) is wrong because the vSmart controller is responsible for distributing control-plane policies (e.g., routing, data policies) and managing the OMP (Overlay Management Protocol) sessions, not for initial authentication or NAT traversal. Option C (vManage NMS) is wrong because vManage is the network management system that provides a GUI for configuration, monitoring, and analytics, but it does not handle device authentication or NAT discovery. Option D (vEdge router) is wrong because vEdge routers are the data-plane devices that forward traffic and terminate tunnels; they do not orchestrate the overlay or authenticate other components.

4
Drag & Drop · medium

Drag and drop the steps of the OMP (Overlay Management Protocol) route advertisement sequence into the correct order, from first to last.


Why this order

In OMP, the sequence starts with the edge device learning routes locally (connected, static, or dynamic), then redistributing them into OMP and sending to vSmart. vSmart processes and installs routes in its RIB, then advertises the best routes to other edge devices. The receiving edge device installs the route in its forwarding table and optionally redistributes into its local routing protocol.

5
Multi-Select · easy

Which three statements about Cisco SD-WAN architecture components and their roles are true? (Choose three.)

Select 3 answers
A.vManage provides a centralized dashboard for configuration, monitoring, and troubleshooting of the entire SD-WAN fabric.
B.vSmart controllers are responsible for distributing routing information and policies to all WAN Edge routers in the overlay.
C.vBond orchestrators authenticate WAN Edge routers and assist in NAT traversal for establishing tunnels.
D.vSmart controllers are responsible for NAT traversal and public IP discovery for WAN Edge routers behind NAT.
E.vManage distributes OMP routes to vEdge routers to populate the overlay routing table.
Answers: A, B, C

Correct because vManage is the management plane that offers a GUI and API for network administrators to manage all devices.

Why this answer

The vManage is the management plane for centralized configuration and monitoring. vSmart is the control plane for route and policy distribution. vBond orchestrates initial authentication and NAT traversal. vEdge routers are data plane devices that forward traffic. vSmart does not handle NAT traversal; that is vBond's role. vManage does not distribute routes; that is vSmart's role.

6
MCQ · medium

A network engineer is troubleshooting a Cisco SD-WAN deployment where a branch office has two WAN links: a primary MPLS link and a backup LTE link. The engineer wants to configure application-aware routing so that critical applications (e.g., Salesforce) always use the MPLS link as long as its loss is below 2% and latency below 150 ms. The engineer configures an app-route policy on the vSmart with the appropriate SLA requirements. After deployment, the engineer notices that Salesforce traffic is still using the LTE link even when the MPLS link meets the SLA. What is the most likely cause?

A.The app-route policy is not attached to the correct site list or VPN list.
B.The LTE link has a lower cost metric than the MPLS link.
C.The app-route policy was applied on the vEdge instead of the vSmart.
D.The SLA requirements are not configured correctly in the policy.
Answer: A

Correct because the policy must be associated with the specific sites and VPNs to be applied.

Why this answer

Option A is correct because the app-route policy must be attached to the correct site list and VPN list to be applied to the traffic. If the policy is not properly associated with the site list containing the branch office or the VPN list that includes Salesforce traffic, the vSmart will not enforce the application-aware routing rules, allowing the LTE link to be used even when the MPLS link meets the SLA.

Exam trap

Cisco often tests the distinction between policy definition and policy attachment, leading candidates to overlook that a correctly defined policy is ineffective if not attached to the appropriate site list or VPN list.

How to eliminate wrong answers

Option B is wrong because the SD-WAN overlay has no IGP-style link cost; without a matching app-route policy, traffic is load-shared across the TLOCs that OMP installs (TLOC preference can bias that choice), and a matching app-route policy overrides it based on measured SLA. Option C is wrong because app-route policies are centralized policies: they are built in vManage and pushed to vSmart, which distributes them to the edges; there is no equivalent local app-route policy to misplace on a vEdge. Option D is wrong because the question states the SLA requirements (loss below 2%, latency below 150 ms) are defined as intended, so the fault lies in policy attachment, not in the SLA class.

7
MCQ · medium

A campus network architect is redesigning the LAN to support high availability and east-west traffic growth. The current design uses a traditional three-tier hierarchy with a collapsed core. The architect must choose a new design that provides predictable latency, simple scalability, and efficient use of uplinks. Which design should the architect select?

A.Collapsed core design with redundant core switches and distribution layers.
B.Leaf-spine design with all leaf switches connected to all spine switches.
C.Mesh design where every switch connects to every other switch.
D.Traditional three-tier design with access, distribution, and core layers.
Answer: B

Leaf-spine provides non-blocking, low-latency paths between any two leaf switches, and scales horizontally by adding more spines.

Why this answer

The leaf-spine design (option B) provides predictable latency because any two leaf switches are always exactly one spine hop apart (leaf to spine to leaf), whatever the traffic path. It scales simply: adding a leaf adds access capacity, adding a spine adds fabric bandwidth, and neither requires re-cabling existing connections. Because every leaf has equal-cost uplinks to every spine, ECMP spreads east-west traffic across all of them, which is the efficient uplink usage the question asks for.

Exam trap

Cisco often tests the misconception that a collapsed core design is sufficient for high availability and east-west traffic, but the trap here is that candidates overlook the predictable latency and linear scalability benefits of leaf-spine, which are explicitly required by the question's criteria.

How to eliminate wrong answers

Option A is wrong because a collapsed core design with redundant core switches and distribution layers still introduces variable hop counts and potential bottlenecks for east-west traffic, as traffic between distribution switches must traverse the core, increasing latency and reducing predictability. Option C is wrong because a full mesh design does not scale efficiently; the number of connections grows quadratically (n*(n-1)/2), leading to excessive cabling and port usage, and it lacks the structured, predictable latency of leaf-spine. Option D is wrong because the traditional three-tier design (access, distribution, core) introduces multiple hops and oversubscription at the distribution layer, which increases latency and complicates scaling for east-west traffic patterns.

8
MCQ · hard

A network engineer is configuring a Cisco SD-WAN fabric with vManage, vSmart, and vBond controllers. The engineer wants to ensure that all branch routers automatically discover the vSmart and vBond controllers without manual configuration on each branch. The engineer has configured the vBond with a public IP address and enabled NAT traversal. However, branch routers are failing to establish control connections. The engineer verifies that the branch routers have the correct organization name and that the vBond is reachable from the branches. What is the most likely missing configuration?

A.The vManage IP address is not configured on the branch routers.
B.The vSmart IP address is not configured on the branch routers.
C.The vBond IP address is not configured on the branch routers.
D.The DTLS port 12346 is not open on the branch routers' firewall.
Answer: C

Correct because the branch routers need the vBond IP to initiate the initial contact and receive the list of controllers.

Why this answer

In Cisco SD-WAN, branch routers use a two-phase discovery process: they first connect to the vBond controller to authenticate and receive the list of vSmart and vManage controllers. Since the engineer has already configured the vBond with a public IP and enabled NAT traversal, and the branch routers have the correct organization name and can reach the vBond, the missing piece is that the vBond IP address must be explicitly configured on each branch router (via the 'system vbond' CLI command or the equivalent in the device template). Without this, the branch routers have no initial target to contact for the bootstrap discovery process, so they cannot automatically learn the vSmart and vManage addresses.

Exam trap

Cisco often tests the misconception that branch routers need the vSmart or vManage IP configured directly, when in fact the vBond is the single mandatory bootstrap address for automatic discovery.

How to eliminate wrong answers

Option A is wrong because the vManage IP address is not required on branch routers for initial control connection establishment; vManage is the management plane, and its address is learned from vBond during discovery. Option B is wrong because the vSmart IP address is likewise not statically configured on branch routers; vBond provides it after the branch router authenticates. Option D is wrong because DTLS runs over UDP and 12346 is the base port the edge uses for its control connections; the engineer has already verified that vBond is reachable from the branches and that NAT traversal is enabled, so if that port were blocked the routers could not reach vBond at all, which contradicts the scenario.

9
Drag & Drop · medium

Drag and drop the steps of BFD session establishment for path liveliness into the correct order, from first to last.


Why this order

BFD in Cisco SD-WAN runs inside each IPsec tunnel between WAN edges, not toward the controllers. Establishment starts with the local edge sending BFD hello (control) packets to the remote TLOC; the remote edge answers with its own BFD packets; the two sides settle on the hello interval and multiplier; the session transitions to Up; and from then on the hellos provide path liveness plus the loss, latency and jitter measurements that application-aware routing consumes.

10
MCQ · hard

A large enterprise uses Cisco SD-WAN with multiple transport clouds (MPLS and Internet). The network team wants to ensure that voice traffic between two branch offices always uses the MPLS link, even if the Internet link has lower latency. The engineer creates a centralized data policy on the vSmart to match voice traffic based on DSCP EF and sets the preferred color to 'mpls'. After applying the policy, the engineer tests and finds that voice traffic is still using the Internet link. The vEdge routers show that the policy is received and active. What is the most likely reason for this failure?

A.The vEdge routers have not rebooted after the policy was applied.
B.The data policy was applied on the vEdge instead of the vSmart.
C.The DSCP EF marking is not supported in SD-WAN data policies.
D.The policy does not include a match condition for the correct VPN or site list.
Answer: D

Correct because the policy must be associated with the specific VPN and site list to apply to the traffic.

Why this answer

Option D is correct because a centralized data policy has two parts: the match/action sequences, written against a VPN list (here matching DSCP EF), and the apply-policy statement that binds it to a site list. If the VPN list does not include the VPN carrying voice, or the site list does not include the two branches, the vEdges receive the policy (so it shows as active) but it never matches their traffic, and forwarding falls back to default OMP path selection, which load-shares across all available TLOCs, including the Internet link. On the vEdge, show policy from-vsmart displays the received policy together with the site and VPN lists it carries, which is the quickest way to confirm the scope.

Exam trap

Cisco often tests the misconception that a centralized data policy with only traffic match conditions (like DSCP) will automatically apply to all traffic, when in reality the policy must also include a site list or VPN list to define the scope of enforcement.

How to eliminate wrong answers

Option A is wrong because vEdge routers do not require a reboot for data policies to take effect; they are applied dynamically via the vSmart. Option B is wrong because the engineer explicitly created a centralized data policy on the vSmart, and applying it on the vEdge would be a localized policy, which is not the described scenario. Option C is wrong because DSCP EF (46) is fully supported in Cisco SD-WAN data policies for matching voice traffic; the issue is not a lack of support but missing scope conditions.
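Questions 6 and 10 turn on the same point: a centralized policy has a definition and an attachment, and only the attachment decides which sites and VPNs it touches. The Python below is an added illustration, not code from the quiz or from Cisco; it models an app-route policy with an SLA class, a preferred color and an apply-policy site list, and shows that an unattached (or wrongly scoped) policy leaves Salesforce load-shared over both links, while the attached policy pins it to MPLS until MPLS falls out of SLA. Site IDs, list names, colors and the loss/latency figures are constructed for the example.

```python
"""Toy model of Cisco SD-WAN application-aware routing.

Added illustration, not code from the quiz or from Cisco. Everything here
(site-list names, colors, SLA numbers, the flows) is constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class SlaClass:
    """An SLA class as used by an app-route policy: loss and latency ceilings."""
    name: str
    max_loss_pct: float
    max_latency_ms: float

    def met_by(self, stats: Dict[str, float]) -> bool:
        return (stats["loss_pct"] < self.max_loss_pct
                and stats["latency_ms"] < self.max_latency_ms)


@dataclass
class AppRoutePolicy:
    """Policy definition (vpn_list, app_match, sla, preferred_colors) plus the
    apply-policy binding (applied_site_lists). The definition alone does nothing."""
    name: str
    vpn_list: Set[int]
    app_match: Set[str]
    sla: SlaClass
    preferred_colors: List[str]
    applied_site_lists: Set[str] = field(default_factory=set)


def steer(policy: AppRoutePolicy, site_id: int, site_lists: Dict[str, Set[int]],
          vpn: int, app: str, tunnel_stats: Dict[str, Dict[str, float]]) -> List[str]:
    """Return the colors a flow may use. A single color means the policy pinned
    the flow; the full sorted color list models default load sharing (ECMP).
    tunnel_stats holds per-color loss/latency as BFD probes would measure them."""
    all_colors = sorted(tunnel_stats)
    in_scope = any(site_id in site_lists.get(sl, set()) for sl in policy.applied_site_lists)
    # Step 1: scope. Not attached to this site, wrong VPN or unmatched app -> default forwarding.
    if not in_scope or vpn not in policy.vpn_list or app not in policy.app_match:
        return all_colors
    # Step 2: the first preferred color whose measured path meets the SLA wins.
    for color in policy.preferred_colors:
        if color in tunnel_stats and policy.sla.met_by(tunnel_stats[color]):
            return [color]
    # Step 3: preferred colors are out of SLA; use any color still within it.
    # (A "strict" SLA class would drop instead of falling back to all colors.)
    compliant = [c for c in all_colors if policy.sla.met_by(tunnel_stats[c])]
    return compliant if compliant else all_colors


# Constructed scenario mirroring questions 6 and 10.
SLA_REALTIME = SlaClass("realtime", max_loss_pct=2.0, max_latency_ms=150.0)
SITE_LISTS = {"branches": {100, 101}}
STATS_HEALTHY = {"mpls": {"loss_pct": 0.5, "latency_ms": 40.0},
                 "lte": {"loss_pct": 1.0, "latency_ms": 120.0}}
STATS_MPLS_DEGRADED = {"mpls": {"loss_pct": 3.5, "latency_ms": 40.0},
                       "lte": {"loss_pct": 1.0, "latency_ms": 120.0}}


def salesforce_policy(applied_to: Set[str]) -> AppRoutePolicy:
    """The policy from question 6: Salesforce in VPN 10 prefers mpls under SLA_REALTIME."""
    return AppRoutePolicy("critical-apps", vpn_list={10}, app_match={"salesforce"},
                          sla=SLA_REALTIME, preferred_colors=["mpls"],
                          applied_site_lists=applied_to)


if __name__ == "__main__":
    # Defined but never attached: Salesforce is load-shared over both links.
    print(steer(salesforce_policy(set()), 100, SITE_LISTS, 10, "salesforce", STATS_HEALTHY))
    # Attached to the branch site list: pinned to MPLS while MPLS meets the SLA.
    print(steer(salesforce_policy({"branches"}), 100, SITE_LISTS, 10, "salesforce", STATS_HEALTHY))
    # MPLS out of SLA: the flow moves to LTE, which is still within SLA.
    print(steer(salesforce_policy({"branches"}), 100, SITE_LISTS, 10, "salesforce", STATS_MPLS_DEGRADED))
```

On a real WAN edge the matching checks are show policy from-vsmart, which lists the site and VPN lists the received policy carries, and show app-route stats for the measured per-tunnel loss, latency and jitter that feed the SLA decision.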

11
MCQ · medium

Examine the following SD-WAN configuration on a Cisco vEdge router:

vpn 0
 interface ge0/0
  ip address 10.0.0.1/24
  tunnel-interface
   encapsulation ipsec
   color public-internet
   allow-service all
  !
 interface ge0/1
  ip address 10.0.0.2/24
  tunnel-interface
   encapsulation ipsec
   color 3g
   allow-service all
  !

Which statement is correct?

A.Both interfaces are in VPN 0, which is the transport VPN, and they will establish tunnels with the vSmart controller.
B.The interfaces are in VPN 0, which is the service VPN, and they will be used for customer traffic.
C.The configuration is invalid because tunnel interfaces cannot have IP addresses in the same VPN.
D.The 'allow-service all' command is not supported on vEdge routers.
Answer: A

VPN 0 is the transport VPN. Its tunnel interfaces carry the DTLS/TLS control connections to vBond, vSmart and vManage and terminate the IPsec data-plane tunnels to other WAN edges.

Why this answer

VPN 0 is the transport VPN in Cisco SD-WAN: it holds the underlay-facing interfaces, the control connections to the controllers and the IPsec tunnel endpoints. The two interfaces ge0/0 and ge0/1 are configured as tunnel interfaces with IPsec encapsulation and different colors (public-internet and 3g), so each forms its own DTLS/TLS control connection to the vSmart controller and its own set of data-plane tunnels. User traffic lives in service VPNs and only crosses VPN 0 encapsulated inside those tunnels. Note that the two addresses in the example fall in the same 10.0.0.0/24; in a real deployment each transport interface sits in its own subnet, and the question's point is the role of VPN 0, not the addressing.

Exam trap

Cisco often tests the misconception that VPN 0 is a service VPN or that multiple tunnel interfaces in the same VPN are invalid, but the key is remembering that VPN 0 is strictly the transport underlay and supports multiple colored interfaces for control-plane connectivity.

How to eliminate wrong answers

Option B is wrong because VPN 0 is the transport VPN, not a service VPN; service VPNs are numbered 1-511 (and 513 and above), and VPN 512 is reserved for out-of-band management. Option C is wrong because multiple tunnel interfaces may coexist in VPN 0, each with its own address and color, to provide path diversity and redundancy. Option D is wrong because allow-service all is valid syntax: it permits the gateable inbound services (for example sshd, netconf, dhcp, dns, icmp, ntp, https, stun) on the transport interface, while OMP and BFD are never gated by allow-service because they travel inside the tunnels. Supported or not, allow-service all on an Internet-facing color is a poor default; restrict it to the services actually needed (dhcp and dns for onboarding, icmp for troubleshooting) so the public interface does not expose SSH or NETCONF to the underlay.
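The allow-service lines in this configuration are the part a security engineer should not gloss over. The Python below is an added example, not from the quiz or from Cisco: a minimal parser for the VPN 0 snippet above (the question's configuration and a constructed hardened variant are embedded), followed by a lint that flags allow-service all on a public color and overlapping transport subnets. The keyword set it understands is limited to what the snippet uses; the color classification follows Cisco's public/private color split.

```python
"""Lint a Cisco vEdge VPN 0 (transport) configuration for exposure risks.

Added example, not code from the quiz or from Cisco. The parser understands only
the handful of keywords the question's snippet uses; the color list is the
standard public/private split. Both sample configurations are constructed here.
"""
import ipaddress
from typing import Dict, List, Tuple

# Public colors: the transport is reachable over the Internet, so whatever
# allow-service opens on the tunnel interface is exposed to the whole underlay.
PUBLIC_COLORS = {"default", "3g", "lte", "biz-internet", "public-internet", "blue",
                 "bronze", "custom1", "custom2", "custom3", "gold", "green", "red", "silver"}


def parse_vpn0(config: str) -> Dict[str, dict]:
    """Return {interface: {ip, color, encap, allow}} for interfaces under 'vpn 0'."""
    interfaces: Dict[str, dict] = {}
    in_vpn0, current = False, None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue                      # blank line or block terminator
        if words[0] == "vpn":
            in_vpn0, current = (words[1] == "0"), None
        elif not in_vpn0:
            continue                      # only the transport VPN is of interest
        elif words[0] == "interface":
            current = words[1]
            interfaces[current] = {"ip": None, "color": None, "encap": set(), "allow": set()}
        elif current is None:
            continue
        elif words[:2] == ["ip", "address"]:
            interfaces[current]["ip"] = words[2]
        elif words[0] == "color":
            interfaces[current]["color"] = words[1]
        elif words[0] == "encapsulation":
            interfaces[current]["encap"].add(words[1])
        elif words[0] == "allow-service":
            interfaces[current]["allow"].add(words[1])
        # 'tunnel-interface' and anything else is ignored on purpose
    return interfaces


def lint_vpn0(interfaces: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Findings as (interface, issue) pairs, in configuration order."""
    findings = []
    for name, intf in interfaces.items():
        if intf["encap"] and intf["color"] is None:
            findings.append((name, "tunnel-interface-without-color"))
        if "all" in intf["allow"] and intf["color"] in PUBLIC_COLORS:
            findings.append((name, "allow-service-all-on-public-transport"))
    nets = [(n, ipaddress.ip_interface(i["ip"]).network) for n, i in interfaces.items() if i["ip"]]
    for a in range(len(nets)):
        for b in range(a + 1, len(nets)):
            if nets[a][1].overlaps(nets[b][1]):
                findings.append((nets[a][0] + "," + nets[b][0], "overlapping-subnets-in-vpn0"))
    return findings


# The configuration from the question, verbatim.
QUIZ_CONFIG = """
vpn 0
 interface ge0/0
  ip address 10.0.0.1/24
  tunnel-interface
   encapsulation ipsec
   color public-internet
   allow-service all
  !
 interface ge0/1
  ip address 10.0.0.2/24
  tunnel-interface
   encapsulation ipsec
   color 3g
   allow-service all
  !
"""

# Constructed hardened variant: distinct subnets, only onboarding services allowed.
HARDENED_CONFIG = """
vpn 0
 interface ge0/0
  ip address 203.0.113.10/30
  tunnel-interface
   encapsulation ipsec
   color public-internet
   allow-service dhcp
   allow-service dns
   allow-service icmp
  !
 interface ge0/1
  ip address 10.0.1.2/30
  tunnel-interface
   encapsulation ipsec
   color 3g
   allow-service dhcp
  !
"""

if __name__ == "__main__":
    for finding in lint_vpn0(parse_vpn0(QUIZ_CONFIG)):
        print(finding)
    print("hardened findings:", lint_vpn0(parse_vpn0(HARDENED_CONFIG)))
```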

12
MCQ · medium

In Cisco SD-WAN, what is the maximum number of TLOCs that can be associated with a single OMP route?

A.8
B.4
C.16
D.Unlimited
Answer: C

By default vSmart advertises up to 4 equal-cost paths (TLOCs) per prefix; the send-path-limit can be raised to a maximum of 16.

Why this answer

An OMP route for a prefix is advertised once per TLOC through which the prefix is reachable, and the vSmart controller limits how many of those equal-cost paths it sends to each WAN edge with the omp send-path-limit setting: the default is 4 and the configurable range is 1 through 16. On the WAN edge, the parallel ecmp-limit setting (also default 4, maximum 16) caps how many of the received paths are installed for load sharing. So the maximum number of TLOCs a single OMP route can carry is 16; the figure 4 is the default, not the ceiling.

Exam trap

Cisco tests the default-versus-maximum distinction here: 4 is what you get out of the box, 16 is the ceiling, and there is no 8-path tier in OMP.

How to eliminate wrong answers

Option A (8) is wrong because no OMP limit is set at 8. Option B (4) is the default send-path-limit and ecmp-limit, not the maximum. Option D (Unlimited) is wrong because OMP caps paths per prefix to bound the volume vSmart advertises and the size of each edge's forwarding table; raising send-path-limit toward 16 increases control-plane load on every peer, so it is a deliberate design choice, not the default.

13
Matching · medium

Drag and drop each SD-WAN controller on the left to its matching function on the right.

Matches

Centralized management, monitoring, and configuration of the SD-WAN fabric

Control plane distribution of OMP routes, TLOCs, and policies

Orchestration of initial authentication and NAT traversal for WAN edge devices

WAN edge router that forwards data plane traffic and terminates overlay tunnels

Historical and real-time analytics for network visibility and troubleshooting

Why these pairings

vManage provides centralized management, monitoring and configuration; vSmart is the control-plane controller that distributes OMP routes, TLOCs and policy; vBond orchestrates initial authentication and NAT traversal; the WAN edge router (vEdge or cEdge) forwards data-plane traffic and terminates the overlay tunnels; vAnalytics supplies the historical and real-time analytics view.

14
Drag & Drop · medium

Drag and drop the steps of OMP route advertisement between vSmart and vEdge into the correct order, from first to last.


Why this order

OMP route advertisement begins with the vEdge learning a route locally, then originating an OMP route and sending it to vSmart, which processes and installs it in the route table, then advertises it to other vEdge routers, and finally the receiving vEdge installs the OMP route into its forwarding table.

15
MCQ · easy

A company is deploying a virtualized network function (VNF) for a Cisco CSR1000v router on a VMware vSphere hypervisor. The architect must choose the hypervisor type to ensure the best performance for the VNF. Which hypervisor type is VMware vSphere classified as, and why is it suitable for VNF deployment?

A.Type 2 hypervisor; it runs on top of an operating system, providing flexibility for VNF management.
B.Type 1 hypervisor; it runs directly on the hardware, offering near-native performance for VNFs.
C.Type 1 hypervisor; it requires a host OS for management, adding overhead.
D.Type 2 hypervisor; it is embedded in the hardware firmware.
Answer: B

Type 1 hypervisors like vSphere provide direct access to hardware resources, minimizing latency and maximizing throughput for VNFs.

Why this answer

VMware vSphere's hypervisor, ESXi, is Type 1 (bare metal): it installs directly onto the physical server without a general-purpose host operating system. With no host OS in the packet path, the Cisco CSR1000v VNF gets near-native CPU and I/O performance for packet processing, which is what the throughput and latency targets of an SD-WAN deployment require.

Exam trap

Cisco often tests the distinction between Type 1 and Type 2 hypervisors by pairing the correct classification with a misleading justification (e.g., 'requires a host OS' for Type 1), so candidates must remember that Type 1 hypervisors run directly on hardware and do not rely on a general-purpose OS for core operations.

How to eliminate wrong answers

Option A is wrong because vSphere/ESXi is not a Type 2 hypervisor; Type 2 hypervisors (for example VMware Workstation) run on top of a host OS, which adds latency and resource contention unsuitable for production VNFs. Option C is wrong because a Type 1 hypervisor does not require a host OS; ESXi's own kernel (the VMkernel) schedules CPU, memory and I/O directly, which is precisely what keeps overhead low. Option D is wrong because Type 2 hypervisors are not embedded in firmware; that describes some embedded hypervisors, and vSphere/ESXi is a software-installed Type 1 hypervisor, not firmware.

16
Matching · hard

Drag and drop each SD-WAN policy type on the left to its matching application point on the right.

Matches

Applied on vSmart to influence OMP route and TLOC propagation

Applied on WAN edge routers to modify forwarding behavior (e.g., NAT, QoS)

Applied on WAN edge routers to steer traffic based on application and SLA

Applied on WAN edge routers to export NetFlow v9/IPFIX flow records

Applied on vSmart to control which VPNs are advertised to specific sites

Why these pairings

Control policies, applied on vSmart, shape routing by filtering or modifying OMP routes and TLOCs before they are advertised; data policies, applied on WAN edges, change forwarding (NAT, QoS, traffic steering); app-route policies, applied on WAN edges, pick the tunnel per application against an SLA class; cflowd policies, applied on WAN edges, export NetFlow v9/IPFIX records to a collector; VPN membership policies, applied on vSmart, control which VPNs a given site may join, so that site only receives routes for those VPNs.

17
Drag & Drop · medium

Drag and drop the steps of Cisco SD-WAN control plane establishment sequence into the correct order, from first to last.


Why this order

The control plane setup begins with vBond orchestrating initial authentication and directing devices to vManage and vSmart. Then each device establishes a DTLS/TLS connection to vManage for management. Next, devices establish DTLS/TLS connections to vSmart for control.

After that, OMP peering is set up between edges and vSmart. Finally, BFD sessions are established between edge devices for data plane liveliness detection.

18
Drag & Drop · medium

Drag and drop the steps of SD-WAN zero-touch provisioning (ZTP) flow into the correct order, from first to last.


Why this order

ZTP starts with the device obtaining an IP address, default gateway and DNS server via DHCP on its transport interface. It then resolves the ZTP server name (ztp.viptela.com for vEdge; IOS XE devices use Cisco PnP at devicehelper.cisco.com), which hands it the vBond address and organization name. The device authenticates to vBond over DTLS and learns the vManage and vSmart addresses, connects to vManage and downloads the configuration attached to its chassis, and finally applies that configuration and joins the overlay. There is no direct resolution of a vManage hostname: vBond is what points the device at vManage.

19
Matching · hard

Drag and drop each OMP attribute on the left to its matching behavior on the right.

Matches

Indicates whether the route was learned from OMP, connected, static, or BGP/OSPF

Uniquely identifies the WAN edge site within the overlay

Defines the transport tunnel type (e.g., mpls, public-internet, biz-internet)

Used for path selection; higher preference is preferred over lower

Administrative label that can be used for policy matching and route filtering

Why these pairings

OMP uses attributes like origin, site-id, color, and preference to influence route selection and TLOC reachability.

20
Matching · medium

Drag and drop each SD-WAN controller on the left to its matching function on the right.

Matches

Centralized management, monitoring, and GUI dashboard

Control plane policy distribution and OMP route propagation

First point of contact for device authentication and NAT discovery

WAN edge router running Viptela OS

WAN edge router running IOS-XE with SD-WAN features

Why these pairings

vManage provides centralized management and monitoring with a GUI dashboard; vSmart distributes control-plane policies and OMP routes; vBond is the first point of contact, authenticating devices and handling NAT discovery; vEdge is the WAN edge platform running Viptela OS; cEdge is the WAN edge platform running IOS XE with SD-WAN features.

21
Multi-Select · hard

Which two statements about Cisco SD-WAN overlay routing and OMP are true? (Choose two.)

Select 2 answers
A.OMP (Overlay Management Protocol) is used to exchange routing, policy, and service information between vSmart controllers and vEdge routers.
B.OMP supports both IPv4 and IPv6 prefix advertisements within the SD-WAN overlay.
C.OMP runs directly between vEdge routers to establish a full mesh of routing adjacencies.
D.OMP routes are automatically redistributed into the local BGP process on the vEdge router.
E.OMP uses UDP port 12346 for communication between vSmart and vEdge devices.
Answers: A, B

Correct because OMP is the protocol that carries routes, TLOCs, and service chaining information between the control plane (vSmart) and data plane (vEdge).

Why this answer

OMP is the control protocol that carries routes (prefixes), TLOCs and service routes between each WAN edge and the vSmart controllers (vSmarts also peer with each other so that they hold consistent state), and it carries both IPv4 and IPv6 prefixes. OMP does not run edge-to-edge: each edge peers only with its vSmart controllers, which reflect routes between edges, so there is no full mesh of adjacencies.

OMP routes are redistributed into a local routing protocol (BGP, OSPF) only when redistribution is configured; nothing happens by default. OMP has no transport port of its own: it runs inside the control connection, which is DTLS over UDP (base port 12346, with port hopping) by default or TLS over TCP (base port 23456), so option E mischaracterizes it.
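The ports in question 8 (option D) and question 21 (option E) are worth pinning down, because a branch firewall that opens only UDP 12346 will still break onboarding once the edge port-hops. The following Python, added here and not part of the quiz or of Cisco's software, computes the local ports an edge uses for its DTLS or TLS control connection from the documented base ports, port-offset and hop pattern, and checks a constructed firewall rule list against them. The rule format is an assumption for the example; controller-side listening ranges vary by platform and are not modelled.

```python
"""Ports a Cisco SD-WAN WAN edge uses for its control connections, and a check
of a firewall rule set against them.

Added example, not from the quiz or from Cisco. Port numbers follow the documented
defaults (DTLS base UDP 12346, TLS base TCP 23456, port-offset 0-19, port hopping
in steps of 20 through five ports); the rule tuple format is constructed here.
"""
from typing import List, Tuple

DTLS_BASE, TLS_BASE = 12346, 23456
HOP_STEP, HOP_COUNT, MAX_OFFSET = 20, 5, 19


def edge_source_ports(port_offset: int = 0, tls: bool = False, port_hop: bool = True) -> List[int]:
    """Local ports the edge will try, in order, for its control connections.

    port_offset separates several edges behind one NAT (each gets its own base);
    port hopping moves to the next port in the cycle when an attempt fails."""
    if not 0 <= port_offset <= MAX_OFFSET:
        raise ValueError("port-offset must be between 0 and 19")
    base = (TLS_BASE if tls else DTLS_BASE) + port_offset
    return [base + i * HOP_STEP for i in range(HOP_COUNT if port_hop else 1)]


# (protocol, low_port, high_port): a permitted outbound source-port range.
Rule = Tuple[str, int, int]


def blocked_ports(ports: List[int], rules: List[Rule], proto: str) -> List[int]:
    """Ports from `ports` that no rule of the given protocol permits."""
    return [p for p in ports
            if not any(r_proto == proto and lo <= p <= hi for r_proto, lo, hi in rules)]


def full_range(tls: bool = False) -> Tuple[int, int]:
    """Smallest contiguous range covering every offset and hop (12346-12445 for DTLS)."""
    base = TLS_BASE if tls else DTLS_BASE
    return base, base + MAX_OFFSET + (HOP_COUNT - 1) * HOP_STEP


if __name__ == "__main__":
    only_base = [("udp", 12346, 12346)]            # the rule implied by question 8, option D
    print("blocked with only 12346 open:", blocked_ports(edge_source_ports(), only_base, "udp"))
    lo, hi = full_range()
    print("blocked with", lo, "-", hi, "open:", blocked_ports(edge_source_ports(19), [("udp", lo, hi)], "udp"))
```

The practical reading: a policy that permits only UDP 12346 works until the first failed attempt, after which the edge hops to 12366 and stalls; allow the full computed range (and the TLS range if TLS transport is configured) outbound from the transport interface.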

22
Drag & Drop · medium

Drag and drop the steps of SD-WAN edge device (vEdge/cEdge) bring-up sequence into the correct order, from first to last.


Why this order

The bring-up follows the Cisco SD-WAN bootstrapping process: the device first obtains an IP address via DHCP on its transport interface; it then discovers the vBond orchestrator, either from its configured system vbond address or, under ZTP, from the ZTP/PnP server it resolves through DNS; it authenticates to vBond over DTLS and is told where vManage and vSmart are; it establishes a DTLS/TLS control connection to vManage and receives its configuration; and finally it forms OMP sessions with the vSmart controllers, after which BFD sessions to other edges bring up the data plane.

23
Multi-Select · medium

Which two statements about Cisco SD-WAN control plane components are true? (Choose two.)

Select 2 answers
A.vSmart controllers are responsible for distributing OMP routes and policies to vEdge routers.
B.vBond orchestrators authenticate and onboard vEdge routers into the SD-WAN fabric.
C.vEdge routers function as the control plane devices that maintain the routing table for the entire SD-WAN domain.
D.vManage is the control plane component that distributes BGP routes to all WAN Edge routers.
E.TLOCs are used by vSmart controllers to redistribute routes between different OMP instances.
Answers: A, B

Correct because vSmart controllers act as the central control plane, disseminating Overlay Management Protocol (OMP) information and policy to all WAN Edge devices.

Why this answer

The Cisco SD-WAN control plane consists of vSmart controllers that distribute OMP routes and vBond orchestrators that authenticate and onboard devices. vEdge routers are data plane devices, not control plane. vManage is a management plane component. TLOCs are used for transport location identification, not for route redistribution.

24
MCQ · easy

In Cisco SD-WAN, what is the default OMP hello interval (in seconds) between a vEdge router and a vSmart controller?

A.10 seconds
B.30 seconds
C.60 seconds
D.5 seconds
Answer: A

The default OMP hello interval is 10 seconds.

Why this answer

The default OMP hello interval between a vEdge router and a vSmart controller in Cisco SD-WAN is 10 seconds. OMP (Overlay Management Protocol) uses these periodic hello messages to maintain adjacency and detect failures, with a default dead interval of 60 seconds (6 times the hello interval).

Exam trap

Cisco often tests the distinction between the OMP hello interval (10 seconds) and the OMP dead interval (60 seconds), and candidates frequently confuse the two or mistakenly apply BGP or OSPF default timers to OMP.

How to eliminate wrong answers

Option B (30 seconds) is wrong because it is not an OMP default, and vBond does not participate in OMP at all, so there is no such thing as a vBond OMP hello interval. Option C (60 seconds) is wrong because that is the default OMP hold time, not the hello interval. Option D (5 seconds) is wrong because it matches no OMP default; do not carry OSPF or BGP timer defaults over to OMP.

25
Matching · hard

Drag and drop each OMP attribute on the left to its matching behavior on the right.

Matches

Identifies the site from which the route was originated

Indicates the vSmart that injected the route into OMP

Numeric value used to influence route selection (higher is preferred)

32-bit value used for route filtering and policy matching

Transport location (system-ip, color, encapsulation) for reachability

Why these pairings

OMP attributes control route preference, TLOC mapping, and path selection. Site ID identifies the origin site; Originator identifies the vSmart that originated the route; Preference influences route selection; Tag is used for policy matching; TLOC carries the transport location endpoint.

26
MCQ · medium

Given the following SD-WAN configuration on a Cisco IOS-XE router:

    router ospf 1
     redistribute bgp 65000 subnets
     network 192.168.1.0 0.0.0.255 area 0
    !
    interface GigabitEthernet0/0/0
     ip address 192.168.1.1 255.255.255.0
     ip ospf network point-to-point
    !

Which statement is true?

A. The OSPF network type is point-to-point, so the hello interval defaults to 10 seconds on this interface.
B. The OSPF network type is point-to-point, so the dead interval defaults to 120 seconds.
C. The redistribution of BGP into OSPF will cause OSPF to advertise all BGP routes, including those learned via SD-WAN overlay.
D. The configuration is incomplete because OSPF requires a router-id to be manually configured.
Answer: A

On a point-to-point network type, the default OSPF hello interval is 10 seconds (same as broadcast). This is correct.

Why this answer

Option A is correct because on a Cisco IOS-XE router, when the OSPF network type is set to point-to-point, the default hello interval is 10 seconds (not 30 seconds as on broadcast networks). The dead interval defaults to 40 seconds (four times the hello interval), not 120 seconds. This configuration is valid and does not require a manually configured router-id, as OSPF can dynamically select one.

The redistribution of BGP into OSPF only injects routes that are in the BGP table; it does not automatically include all SD-WAN overlay routes unless they are present in BGP.

Exam trap

Cisco often tests the default OSPF timer values for different network types, specifically tricking candidates into thinking point-to-point uses 30-second hello or 120-second dead intervals, which are actually defaults for NBMA networks.

How to eliminate wrong answers

Option B is wrong because the OSPF dead interval for a point-to-point network defaults to 40 seconds (4 × hello interval of 10 seconds), not 120 seconds. Option C is wrong because the 'redistribute bgp 65000 subnets' command only redistributes BGP routes that are in the BGP routing table; it does not automatically advertise all SD-WAN overlay routes unless they are learned via BGP and meet redistribution criteria (e.g., subnets keyword includes classless prefixes). Option D is wrong because OSPF does not require a manually configured router-id; if none is configured, OSPF automatically selects the highest IP address on a loopback interface or the highest IP address on any active physical interface.

27
Drag & Drop · medium

Drag and drop the steps of SD-WAN application-aware routing (traffic engineering) into the correct order, from first to last.

Why this order

App-aware routing begins with classifying traffic by application, then measuring path performance (loss, latency, jitter), comparing against SLA requirements, selecting the best path, and finally steering traffic over that path.

28
MCQ · easy

An enterprise is deploying Cisco SD-WAN with vManage, vSmart, vBond, and vEdge routers. The architect must design the control plane to securely onboard new vEdge routers and establish DTLS/TLS tunnels. Which component is responsible for the initial authentication and coordination of control plane connections?

A. vManage
B. vSmart
C. vBond
D. vEdge
Answer: C

vBond authenticates vEdge routers and orchestrates the control plane connections, acting as the initial contact point.

Why this answer

In Cisco SD-WAN, vBond is the orchestrator responsible for the initial authentication and coordination of control plane connections. When a new vEdge router attempts to join the fabric, it first contacts vBond, which authenticates the device using its serial number and certificate, then provides the IP addresses of the vSmart controllers and vManage. This establishes the DTLS/TLS tunnels for the control plane.

Exam trap

Cisco often tests the misconception that vManage handles all initial authentication because it is the central management interface, but vBond is specifically designed for orchestrating the initial control plane connections.

How to eliminate wrong answers

Option A is wrong because vManage is the management and monitoring plane, handling configuration, policy, and analytics, but it does not perform initial authentication or coordinate control plane connections. Option B is wrong because vSmart is the control plane controller that distributes routing and policy information via OMP, but it relies on vBond for initial device onboarding and authentication. Option D is wrong because vEdge is the data plane router that initiates connections to vBond, vSmart, and vManage, but it is not responsible for authenticating or coordinating other components.

29
Drag & Drop · medium

Drag and drop the steps of SD-WAN zero-touch provisioning (ZTP) flow into the correct order, from first to last.

Why this order

The ZTP flow begins with the device obtaining an IP address via DHCP, then contacting the cloud portal to authenticate and receive the vManage list, followed by establishing a DTLS connection to vManage, downloading the full configuration, and finally joining the control plane.

30
Multi-Select · medium

Which two statements about SD-WAN policy architecture are true? (Choose two.)

Select 2 answers
A. Centralized control policies are configured on the vSmart controller and affect route advertisement and path selection.
B. Localized data policies, such as QoS and ACL, are configured on vEdge or cEdge routers and affect traffic forwarding.
C. Application-aware routing policies are a type of localized control policy that steers traffic based on application performance.
D. Centralized data policies are applied on the edge devices to enforce per-tunnel QoS and ACL rules.
E. vManage is the primary device where all SD-WAN policies are enforced and processed in real time.
Answers: A, B

Correct because control policies on vSmart manipulate OMP routes and TLOCs to influence routing decisions.

Why this answer

Centralized control policies are applied on vSmart to influence routing (e.g., path selection), while localized data policies are applied on edge devices for QoS, ACL, and forwarding. App-route policies are a type of centralized data policy. vManage is for configuration, not policy enforcement. Centralized data policies are applied on vSmart, not edge devices.

31
Matching · medium

Drag and drop each SD-WAN plane on the left to its matching function on the right.

Matches

OMP route exchange and BGP/OSPF peering

IPsec tunnel encapsulation and packet forwarding

CLI, REST API, and web-based administration

vBond-based device authentication and onboarding

Telemetry collection and application visibility

Why these pairings

The control plane handles OMP and routing protocols; the data plane forwards traffic using IPsec tunnels; the management plane provides CLI/GUI and APIs; the orchestration plane handles zero-touch provisioning and authentication.

32
Multi-Select · hard

Which three statements about SD-WAN segmentation and multi-tenancy are true? (Choose three.)

Select 3 answers
A. Each VPN in SD-WAN corresponds to a separate VRF on the edge device, providing Layer 3 isolation.
B. OMP advertises VPN membership information so that edge devices know which VPNs are reachable via each TLOC.
C. Extranet VPN configuration allows selected routes to be shared between different VPNs on the same edge device.
D. VPN 0 is used for service-side connectivity, such as connecting to a corporate LAN or data center.
E. Multi-tenancy in SD-WAN requires separate physical edge devices for each tenant to ensure isolation.
Answers: A, B, C

Correct because VPN IDs map to VRFs, isolating routing and forwarding domains.

Why this answer

VPN segmentation in SD-WAN uses VRFs (VPN IDs) to isolate traffic. Service-side routing uses VRFs, and transport-side uses TLOCs. OMP carries VPN membership information.

Extranet allows controlled sharing between VPNs. VPN 0 is for transport, not service. Multiple VRFs can be used to support multi-tenancy.

33
Drag & Drop · medium

Drag and drop the steps of SD-WAN policy creation and push via vManage into the correct order, from first to last.

Why this order

Policy creation begins with defining the policy in vManage, then attaching it to a group of devices, after which vManage pushes the policy to vSmart, vSmart translates it into OMP updates, and finally the edge devices receive and enforce the policy.

34
MCQ · medium

A network engineer is configuring a Cisco SD-WAN solution for a retail chain with hundreds of stores. The engineer wants to use a centralized data policy to steer all YouTube traffic to a specific WAN link (broadband) to save MPLS bandwidth. The engineer creates a policy that matches YouTube traffic by destination IP and sets the preferred color to 'biz-internet'. After applying the policy, the engineer tests and finds that YouTube traffic is still using the MPLS link. The vEdge routers show that the policy is received and active. What is the most likely reason?

A. The vEdge routers have not rebooted after the policy was applied.
B. The data policy was applied on the vEdge instead of the vSmart.
C. The policy does not include a match condition for the correct VPN or site list.
D. YouTube traffic is encrypted and cannot be matched by destination IP.
Answer: C

Correct because the policy must be associated with the specific VPN and site list to apply to the traffic.

Why this answer

Option C is correct because a centralized data policy in Cisco SD-WAN must include match conditions for both the VPN (service-side VRF) and the site list to which the policy applies. Without specifying the correct VPN or site list, the policy may be received and active on the vEdge but will not match the traffic flows, causing them to fall through to the default routing behavior (e.g., MPLS). The policy matches destination IPs, but if the VPN or site scope is missing or incorrect, the vEdge will not apply the policy to the relevant traffic.

Exam trap

Cisco often tests the misconception that a data policy only needs a destination IP match to steer traffic, but the trap here is that the policy must also specify the correct VPN (or service-side VRF) and site list to scope the policy to the intended traffic flows.

How to eliminate wrong answers

Option A is wrong because vEdge routers do not require a reboot for data policies to take effect; policies are applied dynamically via the OMP (Overlay Management Protocol) and become active immediately upon receipt from vSmart. Option B is wrong because centralized data policies are designed to be configured on the vSmart controller and pushed to vEdge routers; applying the policy directly on the vEdge would be a local policy, not a centralized one, but the question states the policy is received and active, indicating it was correctly pushed from vSmart. Option D is wrong because YouTube traffic uses HTTPS (TLS) for encryption, but the destination IP addresses of YouTube servers are still visible in the packet headers and can be matched by a data policy; encryption does not obscure the destination IP.

35
MCQ · easy

An enterprise is deploying Cisco SD-WAN with multiple vSmart controllers for redundancy. The engineer configures the vEdge routers to connect to two vSmart controllers. After deployment, the engineer notices that the vEdge routers are only connected to one vSmart, and the second vSmart is not being used. The vEdge routers show that the second vSmart is reachable. What is the most likely reason for this behavior?

A. The vEdge routers are designed to use only one vSmart at a time; the second is for redundancy.
B. The vEdge routers can only connect to one vSmart at a time.
C. The vEdge routers need to be rebooted to establish a connection to the second vSmart.
D. The second vSmart has a different site ID than the first.
Answer: A

Correct because vEdge routers use a single active vSmart for OMP, and the second is a backup.

Why this answer

In Cisco SD-WAN, vEdge routers are designed to establish a control connection to only one active vSmart controller at a time, even when multiple vSmart controllers are configured for redundancy. The second vSmart serves as a standby; the vEdge will fail over to it only if the primary vSmart becomes unreachable. Since the vEdge shows the second vSmart is reachable but not actively used, this confirms the expected behavior of active/standby redundancy rather than load balancing.

Exam trap

Cisco often tests the misconception that multiple vSmart controllers are used for load balancing or concurrent connections, when in fact they are strictly for active/standby redundancy, and a vEdge will only ever hold one active control connection at a time.

How to eliminate wrong answers

Option B is wrong because vEdge routers can indeed be configured with multiple vSmart controllers, but they do not maintain simultaneous active connections to all of them; the design is active/standby, not concurrent. Option C is wrong because rebooting the vEdge would not force it to connect to the second vSmart; the vEdge will only switch to the standby vSmart if the primary fails, regardless of reboot. Option D is wrong because site ID is used for OMP route propagation and policy, not for determining which vSmart a vEdge connects to; vSmart selection is based on DTLS/TLS control connections and priority, not site ID.

36
MCQ · medium

A network architect is designing the QoS architecture for a Cisco SD-WAN deployment that carries voice, video, and data traffic across MPLS and Internet transports. The design must use a consistent DiffServ marking strategy across all transports and ensure that voice traffic is prioritized over video. Which QoS policy type and marking approach should the architect use?

A. Use localized QoS policies on each WAN edge router with CoS markings based on the transport type.
B. Use a centralized QoS policy that marks traffic with DSCP and applies per-queue shaping on the WAN edge.
C. Use MPLS EXP markings for MPLS transport and IP Precedence for Internet transport.
D. Use NBAR2 to automatically classify traffic and apply markings based on application signatures.
Answer: B

Centralized policies ensure consistent DSCP markings across all transports, and per-queue shaping allows prioritization of voice over video.

Why this answer

Option B is correct because Cisco SD-WAN uses centralized QoS policies applied via vSmart to ensure consistent DiffServ marking (DSCP) across all transports (MPLS and Internet). Per-queue shaping on the WAN edge router allows voice traffic to be prioritized over video by assigning voice to a higher-priority queue (e.g., queue 4 with DSCP EF) and video to a lower queue (e.g., queue 3 with DSCP AF41), ensuring voice is always serviced first.

Exam trap

Cisco often tests the misconception that localized QoS policies are sufficient for multi-transport consistency, but the trap here is that only centralized QoS policies in SD-WAN can enforce uniform DiffServ markings across all transports, while options like NBAR2 or per-transport markings (EXP vs. IP Precedence) fail to meet the requirement for a consistent strategy.

How to eliminate wrong answers

Option A is wrong because localized QoS policies on each WAN edge router would not guarantee a consistent marking strategy across all transports, as each router could apply different CoS markings based on local configuration, violating the design requirement for consistency. Option C is wrong because using MPLS EXP markings for MPLS transport and IP Precedence for Internet transport creates an inconsistent marking strategy across transports, and IP Precedence is a legacy field that does not provide the granularity of DSCP, which is required for proper DiffServ behavior. Option D is wrong because NBAR2 is a classification tool that can identify applications, but it does not define the QoS policy type or marking strategy; it would need to be combined with a centralized policy to ensure consistent marking, and the question specifically asks for the policy type and marking approach, not just classification.

37
MCQ · hard

An enterprise is deploying a virtualized network function (VNF) for a next-generation firewall on a KVM-based hypervisor. The architect must ensure that the VNF can handle high throughput without CPU bottlenecks. Which hypervisor configuration technique should the architect use to dedicate physical CPU cores to the VNF?

A. Enable CPU overcommitment to allow the VNF to use any available CPU cycles.
B. Configure NUMA pinning and CPU pinning to dedicate physical cores to the VNF's virtual CPUs.
C. Use VMware vSphere instead of KVM for better VNF performance.
D. Increase the number of virtual CPUs assigned to the VNF to improve throughput.
Answer: B

NUMA pinning ensures memory locality and CPU pinning dedicates cores, providing consistent performance for the VNF.

Why this answer

Option B is correct because CPU pinning (also called CPU affinity) binds specific virtual CPUs (vCPUs) of the VNF to dedicated physical CPU cores, eliminating context-switching overhead and ensuring deterministic performance. NUMA pinning further aligns vCPUs and memory with the same Non-Uniform Memory Access node, reducing latency. This configuration is critical for VNFs like next-generation firewalls that require high throughput and low jitter.

Exam trap

Cisco often tests the misconception that simply increasing vCPU count (Option D) or enabling overcommitment (Option A) can solve performance issues, when in reality, dedicated core assignment via pinning is required for deterministic VNF throughput.

How to eliminate wrong answers

Option A is wrong because CPU overcommitment allows multiple VMs to share physical cores, which can lead to CPU contention and performance bottlenecks, exactly the opposite of what is needed for high-throughput VNFs. Option C is wrong because the question explicitly asks about a KVM-based hypervisor, and recommending VMware vSphere does not solve the configuration requirement; it also implies a platform change rather than a configuration technique. Option D is wrong because simply increasing the number of vCPUs without pinning them to dedicated cores can cause excessive scheduling overhead and cache thrashing, degrading throughput rather than improving it.

38
Drag & Drop · medium

Drag and drop the steps of SD-WAN application-aware routing (traffic engineering) into the correct order, from first to last.

Why this order

App-aware routing begins with classification of traffic by application, then measuring path performance via probes, comparing metrics against configured SLA thresholds, selecting the best path that meets the SLA, and finally forwarding the traffic over the chosen path.

39
MCQ · medium

A network engineer is deploying a Cisco SD-WAN solution for a global enterprise with multiple regional hubs. The engineer wants to ensure that traffic from branch offices to the internet is always forwarded directly from the branch, even if the branch has a primary MPLS link and a backup broadband link. The engineer configures the vSmart policy to direct internet-bound traffic to use the local exit at the branch. However, after deployment, the engineer notices that some internet traffic is still being sent to the regional hub before reaching the internet. What is the most likely cause of this behavior?

A. The engineer configured the data policy under VPN 0 instead of the service VPN (e.g., VPN 10).
B. The branch router does not have a default route in its routing table for the service VPN.
C. The engineer used a localized data policy instead of a centralized data policy.
D. The OMP route redistribution is not enabled on the branch router.
Answer: A

Correct because VPN 0 is for transport, and internet traffic from the service side must be matched in the service VPN policy to enforce local exit.

Why this answer

Option A is correct because in Cisco SD-WAN, data policies that control traffic forwarding (such as forcing local internet exit) must be applied to the service VPN (e.g., VPN 10) where the branch’s LAN and internet-bound traffic resides. Configuring the policy under VPN 0 (the transport VPN) only affects overlay tunnel traffic and control-plane packets, not user traffic. Since the engineer applied the policy to VPN 0, the policy did not match internet-bound traffic in the service VPN, causing it to follow the default route toward the regional hub.

Exam trap

Cisco often tests the distinction between VPN 0 and service VPNs in SD-WAN policy application, trapping candidates who assume any data policy applied globally will affect all traffic, when in fact the VPN context determines which traffic the policy matches.

How to eliminate wrong answers

Option B is wrong because the branch router does have a default route in the service VPN (likely pointing to the hub via OMP), which is why traffic is being sent to the hub; the issue is that the data policy intended to override that route was misapplied. Option C is wrong because a localized data policy is applied per device and can still influence local forwarding; the core problem is the VPN context, not the policy type. Option D is wrong because OMP route redistribution is not required for internet-bound traffic to be forwarded locally; the branch can have a local default route via DHCP or static, and the data policy is what should redirect traffic to that local exit.

40
Matching · medium

Drag and drop each SD-WAN policy type on the left to its matching application point on the right.

Matches

Applied to data traffic for SLA-based path selection

Applied to enable NetFlow-like traffic monitoring

Applied to modify forwarding, NAT, or QoS on data packets

Applied to OMP routes and TLOCs for route manipulation

Applied to define which VPNs are provisioned on a device

Why these pairings

App-route policies are applied to data traffic to influence path selection; cflowd policies enable flow monitoring; data policies control forwarding and NAT; control policies affect routing and TLOC advertisements; VPN membership policies control which VPNs are active on a device.

41
Matching · medium

Drag and drop each WAN transport type on the left to its matching SD-WAN characteristic on the right.

Matches

Predictable latency and SLA, private Layer 3 VPN

Low cost, best-effort, public IP addressing

Wireless backup, variable throughput, cellular network

High latency, global coverage, limited bandwidth

High bandwidth, low latency, metro-area Layer 2 connectivity

Why these pairings

MPLS provides predictable SLA and private connectivity; Broadband (Internet) offers low cost but variable quality; LTE/4G/5G provides wireless backup with lower bandwidth; Satellite offers high latency global coverage; Metro Ethernet provides high-speed metro-area connectivity.

42
MCQ · medium

A multinational enterprise is deploying Cisco SD-WAN to interconnect 500 branch sites with two data centers. The network architect must ensure that the control plane remains operational even if the vSmart controllers become unreachable. Which design approach should the architect choose to meet this requirement?

A. Deploy redundant vSmart controllers in active/standby mode and configure WAN edge routers to use both for OMP sessions.
B. Enable OMP graceful restart on all WAN edge routers so that routes are preserved for a configurable period after vSmart loss.
C. Configure local policies on WAN edge routers to allow forwarding based on the last known OMP routes and locally originated routes.
D. Use static routes on the WAN edge routers as a backup for all OMP-learned routes.
Answer: C

This approach allows the data plane to continue forwarding using cached routes and local routes even when vSmart is unreachable, maintaining site-to-site connectivity.

Why this answer

Option C is correct because Cisco SD-WAN WAN edge routers can continue forwarding traffic using locally originated routes and the last known OMP routes even when vSmart controllers are unreachable. This is achieved through local policies that allow the router to maintain forwarding decisions based on cached OMP information, ensuring the control plane remains operational without requiring vSmart reachability.

Exam trap

The trap here is that candidates often assume redundant vSmart controllers or OMP graceful restart are the solutions for control plane resilience, but Cisco SD-WAN does not support OMP graceful restart, and vSmart redundancy alone does not protect against complete loss of reachability to all vSmart controllers.

How to eliminate wrong answers

Option A is wrong because deploying redundant vSmart controllers in active/standby mode does not help if all vSmart controllers become unreachable; the WAN edge routers would still lose OMP sessions and control plane updates. Option B is wrong because OMP graceful restart is not a feature in Cisco SD-WAN; OMP does not support graceful restart, and routes are not preserved for a configurable period after vSmart loss. Option D is wrong because using static routes as a backup for all OMP-learned routes is not scalable for 500 branch sites and two data centers, and it bypasses the dynamic, policy-based control plane that SD-WAN provides.

43
Drag & Drop · medium

Drag and drop the steps of SD-WAN policy creation and push via vManage into the correct order, from first to last.

Why this order

Policy creation starts with defining the policy in vManage GUI, then attaching it to a specific topology or group, committing the configuration, which triggers vManage to push the policy to vSmart, and finally vSmart distributes the policy to the edge devices.

44
MCQ · easy

A network engineer is configuring a Cisco SD-WAN solution for a multinational corporation. The engineer wants to use a centralized data policy to steer all traffic from the Finance department (VPN 10) to a specific WAN link (MPLS) for security reasons. The engineer creates a policy that matches traffic from VPN 10 and sets the preferred color to 'mpls'. After applying the policy, the engineer tests and finds that traffic from VPN 10 is still using the Internet link. The vEdge routers show that the policy is received and active. What is the most likely reason?

A. The vEdge routers have not rebooted after the policy was applied.
B. The policy is not attached to the correct site list or VPN list.
C. The data policy was applied on the vEdge instead of the vSmart.
D. The preferred color is not configured correctly in the policy.
Answer: B

Correct because the policy must be associated with the specific site and VPN to be applied.

Why this answer

The most likely reason is that the centralized data policy was not attached to the correct site list or VPN list. In Cisco SD-WAN, a centralized data policy must be explicitly associated with the sites (via site list) and VPNs (via VPN list) where it should be applied. Even if the policy is received and active on the vEdge routers, without proper attachment to the VPN 10 site list, the policy will not enforce the preferred color 'mpls' for Finance traffic, leaving it to use the default Internet link.

Exam trap

Cisco often tests the distinction between policy definition and policy attachment, where candidates assume that simply creating and applying a policy globally is sufficient, but the policy must be explicitly linked to the correct site list and VPN list to take effect.

How to eliminate wrong answers

Option A is wrong because vEdge routers do not require a reboot for centralized data policies to take effect; policies are applied dynamically via the vSmart controller. Option C is wrong because centralized data policies are designed to be applied on the vSmart controller, not directly on the vEdge; applying on the vEdge would be a local policy, which is a different mechanism. Option D is wrong because the preferred color 'mpls' is a valid configuration in a centralized data policy; the issue is not with the color value but with the policy attachment scope.

45
Multi-Select · medium

Which two statements about SD-WAN control plane components are true? (Choose two.)

Select 2 answers
A. The vSmart controller is responsible for distributing OMP routes and policies to all edge devices in the SD-WAN fabric.
B. The vBond orchestrator is responsible for authenticating and onboarding vEdge and cEdge routers into the SD-WAN overlay.
C. The vManage controller is the primary control plane component that establishes OMP sessions with all edge routers.
D. vEdge and cEdge routers are both control plane devices that participate in OMP route exchange.
E. The OMP protocol runs between vManage and vSmart to exchange routing information and policy updates.
Answers: A, B

Correct because vSmart is the centralized control plane that uses OMP to advertise routes and apply policies.

Why this answer

The vSmart controller is the centralized control plane that distributes OMP routes and policies, while the vBond orchestrator handles authentication and NAT traversal. vManage is the management plane, not a control plane component. vEdge and cEdge are data plane devices. The OMP protocol runs between vSmart and edge devices, not between vManage and vSmart.

46
MCQ · medium

An enterprise is migrating from a traditional MPLS WAN to Cisco SD-WAN. The network team has deployed vEdge routers at all branch offices and a vSmart controller in the data center. The engineer configures a centralized control policy to influence path selection based on cost and latency. After the policy is activated, the engineer notices that some branches are not receiving the updated policy and are still using the default best-path selection. The vSmart is reachable from all branches, and the vEdge routers show that they are connected to the vSmart. What is the most likely reason for this issue?

A. The vEdge routers have not been rebooted after the policy change.
B. The control policy is not attached to the appropriate site list or VPN list.
C. The OMP graceful restart timer has expired, causing the vEdge to ignore the policy.
D. The BFD sessions between vEdge and vSmart are flapping.
Answer: B

Correct because a control policy must be associated with a list to be applied; otherwise, it is not enforced.

Why this answer

In Cisco SD-WAN, centralized control policies must be explicitly attached to a site list or VPN list to define which devices or traffic the policy applies to. If the policy is not attached to the appropriate list, the vSmart controller will not push the policy to the targeted vEdge routers, causing them to continue using the default OMP best-path selection (based on administrative distance and cost). The fact that the vEdge routers are connected to the vSmart confirms the issue is with policy application, not reachability.

Exam trap

Cisco often tests the concept that a control policy must be attached to a site list or VPN list to be effective, and candidates mistakenly assume that simply configuring the policy on the vSmart is sufficient for it to apply to all devices.

How to eliminate wrong answers

Option A is wrong because vEdge routers do not need a reboot for a control policy change: the policy runs on the vSmart, and the edges receive the resulting OMP routes and TLOCs as soon as the policy is activated. Option C is wrong because the OMP graceful restart timer governs how long an edge keeps using learned routes while its control connection to the vSmart is down; it does not cause an edge to ignore policy. Option D is wrong because BFD sessions run inside the IPsec tunnels between WAN edge routers to detect data-plane path liveliness; control-plane communication with the vSmart runs over DTLS/TLS, so flapping BFD sessions would not affect policy.

47
Matchingmedium

Drag and drop each SD-WAN plane on the left to its matching function on the right.


Descriptions to match:

Distributes OMP routes, TLOCs, and policy information between vSmart and WAN edges

Forwards user traffic over IPsec tunnels between WAN edge routers

Provides REST API, CLI, and web GUI for configuring and monitoring the fabric

Automates initial authentication, NAT detection, and vBond discovery

(Not a standard SD-WAN plane; used as a distractor) Handles application-level services

Why these pairings

The control plane (vSmart, via OMP) handles routing and policy distribution; the data plane (WAN edges) forwards packets over IPsec tunnels; the management plane (vManage) provides GUI, CLI and API access; the orchestration plane (vBond) authenticates devices onto the overlay, detects NAT and points them at the vSmart and vManage.

48
MCQmedium

Consider the following SD-WAN device configuration on a Cisco IOS-XE router:

sdwan
 interface GigabitEthernet0/0/1
  tunnel-interface
   encapsulation ipsec
   color public-internet
   allow-service all
  !
 !
 interface GigabitEthernet0/0/2
  tunnel-interface
   encapsulation ipsec
   color 3g
   allow-service all
  !
 !
!

Which statement about this configuration is true?

A.The router will establish two separate SD-WAN tunnels, one for each color, and load balance traffic across them.
B.The router will use only the first tunnel interface (GigabitEthernet0/0/1) because the second interface has an invalid color name.
C.The 'allow-service all' command is invalid on a tunnel-interface; only specific services can be allowed.
D.The configuration will cause a conflict because both interfaces use the same encapsulation (ipsec).
AnswerA

Each tunnel-interface with a different color creates a separate transport tunnel. SD-WAN can use multiple transports for load balancing and redundancy.

Why this answer

In Cisco SD-WAN, each WAN interface configured under the `sdwan` configuration with a unique `color` creates a separate SD-WAN transport tunnel (TLOC). The router will establish two distinct IPsec tunnels—one for `public-internet` and one for `3g`—and can load balance traffic across them using ECMP or policy-based steering. This is the standard behavior for multi-homed SD-WAN edge routers.

Exam trap

Cisco often tests the misconception that `color` values are limited to a small set or that duplicate encapsulation causes a conflict, when in fact `3g` is a valid color and multiple IPsec tunnels are expected for multi-homed SD-WAN designs.

How to eliminate wrong answers

Option B is wrong because `3g` is a valid, predefined color in Cisco SD-WAN (colors include `3g`, `public-internet`, `biz-internet`, `mpls`, `lte`, `metro-ethernet`, `private1` to `private6`, `custom1` to `custom3`, and others), so the second interface is not invalid. Option C is wrong because `allow-service all` is valid on a tunnel-interface: it opens every service the router itself offers on that transport (DHCP, DNS, ICMP, SSH, NETCONF, NTP, BGP, OSPF, STUN, HTTPS, SNMP) to traffic arriving from the underlay; the DTLS/TLS control connections, OMP and BFD are always permitted regardless. It is the transport-side access control for the router, not a data-plane service ACL, and `all` on two public colors means the management services are reachable from the Internet underlay, which is why production configurations allow only the services each transport needs. Option D is wrong because using the same encapsulation on multiple interfaces is normal: each tunnel is identified by its TLOC (system IP, color, encapsulation), and `ipsec` and `gre` are the two encapsulations a tunnel interface supports, with `ipsec` providing the encryption.

49
MCQmedium

Examine the following SD-WAN policy configuration on a Cisco vSmart controller:

policy
 control-policy CONTROL_POLICY
  sequence 10
   match route
    prefix-list PL_10
   !
   action accept
    set
     community 100:10
    !
   !
  !
 !
 lists
  prefix-list PL_10
   ip-prefix 10.0.0.0/24
  !
 !
!

What is the effect of this control policy?

A.The policy matches routes with prefix 10.0.0.0/24 and sets the community value 100:10 on those routes before advertising them via OMP.
B.The policy matches routes with prefix 10.0.0.0/24 and sets the community 100:10 on the local router's routing table.
C.The policy denies all routes except 10.0.0.0/24 and sets community 100:10.
D.The policy is invalid because prefix-list names cannot contain underscores.
AnswerA

This correctly describes the effect: the control policy matches the prefix and sets the community on accepted routes.

Why this answer

This control policy matches OMP routes whose prefix is 10.0.0.0/24 (as defined by prefix-list PL_10) and, on a match, accepts the route and sets the community 100:10 on it. Because a centralized control policy runs on the vSmart, the modified attribute is carried in the OMP advertisement the vSmart sends to the WAN edge routers in the site list the policy is applied to (apply-policy site-list <name> control-policy CONTROL_POLICY out), where downstream policy can match on it. Routes that match no sequence fall through to the policy's default-action, which is reject unless default-action accept is configured. This is a standard control policy operation for manipulating route attributes within the overlay.

Exam trap

Cisco often tests the distinction between OMP route manipulation and local RIB changes, leading candidates to incorrectly assume that 'set community' modifies the local routing table instead of the OMP advertisement.

How to eliminate wrong answers

Option B is wrong because the vSmart is not in the data plane and has no forwarding table to modify; 'set community' in a control policy changes the attribute on the OMP advertisement, and an edge router's RIB changes only as a consequence of the routes it receives. Option C is the closest distractor: the policy contains no explicit deny, but a control policy's default-action is reject, so once the policy is applied, every OMP route and TLOC that matches no sequence is filtered for the sites it is applied to. That is a side effect of the missing default-action accept, not the described effect of sequence 10, and it is the classic cause of an overlay outage when a policy is activated; add default-action accept whenever the intent is only to tag some routes. Option D is wrong because prefix-list names may contain underscores; the configuration is syntactically valid in Cisco SD-WAN.
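The two traps above (a control policy that is never applied, and the implicit reject of a control policy with no default-action) can be caught before activation. The following is an added example, not Cisco or vManage tooling: a small Python checker for the vSmart policy syntax shown in this quiz and in question 46. The policy and list names, the site-id range and the second policy TAG_ONLY are constructed for the example, and the parser handles only the indentation-based layout shown here.

```python
"""Static checks for a vSmart centralized-policy configuration (added example).

Findings reproduced: a control-policy defined under 'policy' but never
referenced under 'apply-policy' is never executed by the vSmart; a
control-policy with no explicit default-action is implicitly
'default-action reject', so every route and TLOC matching no sequence is
filtered for the sites it is applied to. Names below are constructed.
"""
import re

SAMPLE_CONFIG = """\
policy
 lists
  site-list BRANCHES
   site-id 100-199
  !
  prefix-list PL_10
   ip-prefix 10.0.0.0/24
  !
 !
 control-policy CONTROL_POLICY
  sequence 10
   match route
    prefix-list PL_10
   !
   action accept
    set
     community 100:10
    !
   !
  !
 !
 control-policy TAG_ONLY
  default-action accept
 !
!
apply-policy
 site-list BRANCHES
  control-policy CONTROL_POLICY out
 !
!
"""


def _entries(text):
    """Yield (path, line) for each non-terminator line; path is the tuple of
    enclosing block headers, derived from indentation ('!' closes a block)."""
    stack = []  # (indent, header)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        body = raw.strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if body == "!":
            continue
        yield tuple(h for _, h in stack), body
        stack.append((indent, body))


def check_policy(text):
    """Return finding strings, sorted by control-policy name."""
    has_default = {}  # control-policy name -> explicit default-action present
    applied = set()
    for path, body in _entries(text):
        if path[:1] == ("policy",) and (m := re.fullmatch(r"control-policy (\S+)", body)):
            has_default.setdefault(m.group(1), False)
        elif (len(path) >= 2 and path[0] == "policy"
              and path[-1].startswith("control-policy ")
              and re.fullmatch(r"default-action (accept|reject)", body)):
            has_default[path[-1].split()[1]] = True
        elif path[:1] == ("apply-policy",) and (m := re.fullmatch(r"control-policy (\S+) (in|out)", body)):
            applied.add(m.group(1))
    findings = []
    for name in sorted(has_default):
        if name not in applied:
            findings.append(f"{name}: defined but never referenced under apply-policy; "
                            "the vSmart will not execute it")
        if not has_default[name]:
            findings.append(f"{name}: no default-action; implicit 'default-action reject' "
                            "filters every route and TLOC that matches no sequence")
    return findings


if __name__ == "__main__":
    for finding in check_policy(SAMPLE_CONFIG):
        print(finding)
```

Running it against the sample reports CONTROL_POLICY for the missing default-action and TAG_ONLY for never being applied; a policy that passes both checks produces an empty list.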

50
Drag & Dropmedium

Drag and drop the steps of OMP route advertisement between vSmart and vEdge into the correct order, from first to last.


Why this order

OMP route advertisement begins with the vEdge learning a local route, then advertising it via OMP to vSmart, vSmart processes the route and may apply policies, then vSmart advertises the route to other vEdges, and finally the receiving vEdge installs the route into its forwarding table.

51
Multi-Selecthard

Which three statements about SD-WAN overlay tunnels and transport are true? (Choose three.)

Select 3 answers
A.Control plane communication between vSmart and edge devices uses DTLS or TLS encryption.
B.Data plane tunnels between edge devices are encrypted using IPsec, with the keys distributed through OMP by the vSmart rather than negotiated with IKE.
C.A TLOC (Transport Location) is defined by the combination of system IP, color, and encapsulation type.
D.SD-WAN edge devices can only use MPLS or Internet as transport; LTE is not supported.
E.OMP is responsible for dynamically establishing IPsec tunnels between edge devices based on policy.
AnswersA, B, C

Correct because the control plane (vSmart to edge) uses DTLS by default, with TLS as an option.

Why this answer

SD-WAN uses DTLS or TLS for the control-plane tunnels to the controllers and IPsec for the data-plane tunnels between WAN edges. The IPsec keys are not negotiated with IKE: each edge generates its own keys and advertises them in its TLOC attributes over OMP, and the vSmart distributes them to the other edges (IKEv2 is used only for IPsec tunnels to non-SD-WAN devices). Each edge builds tunnels to every reachable TLOC it learns, over any mix of MPLS, Internet and LTE transports, unless control policy filters the TLOCs.

A TLOC (system IP, color, encapsulation) uniquely identifies a WAN attachment point. OMP distributes routes, TLOCs and the keys the tunnels use; it does not itself set the tunnels up.

52
Multi-Selectmedium

Which three statements about Cisco SD-WAN security and segmentation are true? (Choose three.)

Select 3 answers
A.Data plane traffic between vEdge routers is encrypted using IPsec tunnels.
B.Control plane traffic between vSmart and vEdge routers is secured using DTLS or TLS.
C.VPN segmentation in SD-WAN allows traffic from different tenants or departments to be isolated using separate VRFs on the vEdge routers.
D.Data plane encryption is performed between vSmart controllers and vEdge routers to protect OMP updates.
E.VPN segmentation is configured on the vSmart controller and pushed to vEdge routers via OMP.
AnswersA, B, C

Correct because IPsec is used to encrypt all data traffic traversing the overlay tunnels between WAN Edge routers.

Why this answer

Cisco SD-WAN uses IPsec for data plane encryption between WAN edge routers and carries each VPN as a separate VRF on the edge, identified by a label inside the encrypted overlay packet so that segments stay isolated end to end. Control plane traffic between the controllers and the edges is protected with DTLS or TLS; there is no data-plane IPsec between vSmart and the edges, because the vSmart never forwards user traffic.

VPN segmentation is configured on the WAN edge routers (in practice through vManage device templates); the vSmart only carries the per-VPN OMP routes it learns from the edges. The vBond orchestrator plays no part in data plane encryption.

53
Drag & Dropmedium

Drag and drop the steps of BFD session establishment for path liveliness into the correct order, from first to last.


Why this order

BFD session establishment starts with the edge device detecting a new transport tunnel, then sending a BFD hello packet, the remote device responds with a BFD echo, the two devices negotiate parameters, and finally the session becomes Up and is used for liveliness monitoring.

54
MCQhard

An enterprise is deploying Cisco SD-WAN with a hub-and-spoke topology. The hub site has a vSmart controller and a vEdge router. The branch sites have vEdge routers. The engineer wants to ensure that all inter-branch traffic goes through the hub for security inspection. The engineer configures a centralized control policy on the vSmart to set the hub as the preferred path for all routes. After the policy is applied, the engineer notices that branch-to-branch traffic is still going directly, bypassing the hub. vManage shows the policy as activated on the vSmart. What is the most likely issue?

A.The control policy is not attached to the correct site list.
B.The hub site is not configured with a different site ID than the branches.
C.The engineer should have used a data policy instead of a control policy.
D.The OMP admin distance is set too high on the hub.
AnswerB

Correct because the hub must have a unique site ID to be recognized as the hub in the topology.

Why this answer

In Cisco SD-WAN, the site ID is what a centralized control policy uses to tell devices apart: site lists are built from site IDs, and the policy is applied to those lists. A hub-and-spoke topology is enforced by applying a control policy out to the branch site list that rejects TLOCs originating from other branch sites (so branches learn only the hub's TLOCs), usually with the routes' tloc or tloc-action pointed at the hub. If the hub shares a site ID with the branches, the site lists cannot separate hub TLOCs from branch TLOCs: branch TLOCs keep being advertised to the other branches, the branches build direct IPsec tunnels between themselves, and raising route preference toward the hub does not tear those tunnels down.

Two further consequences of a shared site ID are worth knowing: WAN edges in the same site do not build tunnels to each other by default, so the hub loses its tunnel to any branch sharing its ID, and a TLOC-filtering policy keyed on the branch site list would filter the hub's own TLOCs as well. The fix is a unique hub site ID together with a policy that filters branch TLOCs from what the branches receive.

Exam trap

Cisco often tests the distinction between a control policy changing route preference and TLOC reachability deciding which IPsec tunnels get built; candidates overlook that site IDs are the key the policy's site lists depend on, so a hub that shares a site ID with the branches cannot be singled out by any policy.

How to eliminate wrong answers

Option A is wrong because the policy is activated and applied on the vSmart; the problem is that the site list it is applied to cannot single out the hub while the hub shares a branch site ID, so attaching the same policy to a different list would not help. Option B is correct as explained. Option C is wrong because a data policy can steer selected traffic to the hub (for example with set service or set next-hop), but it does not fix the root cause: with a shared site ID the branches still learn each other's TLOCs and keep direct tunnels up, so any traffic the data policy does not catch continues to bypass inspection.

Option D is wrong because OMP admin distance affects route preference between OMP and other routing protocols, not the forwarding behavior of branch-to-branch traffic within the SD-WAN fabric.
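To make the role of the site ID concrete, the following is an added example and not Cisco code: a toy Python model of what a vSmart advertises to a branch under a hub-and-spoke control policy, run against three designs (a preference-only policy, a TLOC-filtering policy with a unique hub site ID, and the same filtering policy with the hub sharing a branch site ID). System IPs, site IDs and the BRANCHES range are constructed, and the model deliberately ignores colors, encapsulation and route advertisement.

```python
"""Toy model of vSmart TLOC advertisement under a hub-and-spoke control policy.

Added example, not Cisco code. It models two facts only: a WAN edge builds
IPsec tunnels to the TLOCs the vSmart advertises to it (and never to devices
in its own site), and a control policy can only tell hub from branch through
site lists built from site IDs. All addresses and site IDs are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tloc:
    system_ip: str
    color: str
    encap: str
    site_id: int


def advertised_to(receiver, all_tlocs, branches, filter_branch_tlocs):
    """TLOCs the vSmart sends to 'receiver'.

    branches            -- site IDs in the BRANCHES site list the policy is applied out to
    filter_branch_tlocs -- True models 'match tloc site-list BRANCHES -> reject,
                           default-action accept'; False models a policy that only
                           changes route preference and filters nothing.
    """
    result = []
    for t in all_tlocs:
        if t.site_id == receiver.site_id:
            continue  # same site: no tunnel by default
        if filter_branch_tlocs and receiver.site_id in branches and t.site_id in branches:
            continue  # policy rejects branch TLOCs toward branch receivers
        result.append(t)
    return result


def tunnel_peers(receiver, all_tlocs, branches, filter_branch_tlocs):
    """System IPs the receiver will build IPsec tunnels to."""
    return sorted({t.system_ip for t in advertised_to(receiver, all_tlocs, branches, filter_branch_tlocs)})


def scenarios():
    """Return {design: tunnel peers of branch 10.0.0.101} for three designs."""
    branch_a = Tloc("10.0.0.101", "biz-internet", "ipsec", 101)
    branch_b = Tloc("10.0.0.102", "biz-internet", "ipsec", 102)
    branches = set(range(100, 200))  # site-list BRANCHES: site-id 100-199
    out = {}

    # 1. Hub in its own site, but the policy only sets preference: direct tunnels stay.
    hub = Tloc("10.0.0.1", "biz-internet", "ipsec", 1)
    out["preference-only"] = tunnel_peers(branch_a, [hub, branch_a, branch_b], branches, False)

    # 2. Hub in its own site and branch TLOCs filtered: true hub-and-spoke.
    out["unique-hub-site"] = tunnel_peers(branch_a, [hub, branch_a, branch_b], branches, True)

    # 3. Hub shares branch B's site ID: the site list filters the hub as well.
    hub_shared = Tloc("10.0.0.1", "biz-internet", "ipsec", 102)
    out["shared-site-id"] = tunnel_peers(branch_a, [hub_shared, branch_a, branch_b], branches, True)
    return out


if __name__ == "__main__":
    for design, peers in scenarios().items():
        print(f"{design:16s} branch 10.0.0.101 tunnels to: {peers or 'nothing'}")
```

The first design reproduces the question's symptom (a tunnel to the other branch survives), the second gives the intended hub-only tunnel, and the third shows why the site ID matters: with the hub inside the branch range, a correct filtering policy filters the hub too and the branch is left with no tunnels at all.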

55
MCQmedium

Consider the following SD-WAN configuration snippet on a Cisco IOS-XE router:

interface GigabitEthernet0/0/1
 ip address 10.1.1.1 255.255.255.0
!
sdwan
 interface GigabitEthernet0/0/1
  tunnel-interface
   encapsulation ipsec
   color biz-internet
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service icmp
  !
 !
!

What is the effect of this configuration?

A.The interface is configured as an SD-WAN tunnel interface with color biz-internet, allowing DHCP, DNS, and ICMP traffic but blocking BGP.
B.The interface is configured as a standard WAN interface with IPsec encryption, allowing all services including BGP.
C.The configuration enables the interface as a loopback tunnel for OMP traffic only, blocking all other services.
D.The interface is configured for SD-WAN with color biz-internet, but the 'no allow-service bgp' command is invalid on a tunnel interface.
AnswerA

This accurately describes the configuration: tunnel-interface enables SD-WAN, color sets the transport, and allow-service controls permitted protocols.

Why this answer

The configuration binds GigabitEthernet0/0/1 to the SD-WAN overlay by declaring it a tunnel-interface under 'sdwan'. 'color biz-internet' assigns the transport color (a public color, so the tunnel endpoint is the post-NAT address as seen from the Internet), and the 'allow-service' and 'no allow-service' lines control which of the router's own services may be reached from that transport; anything not allowed is dropped before it reaches the router. DHCP, DNS and ICMP are allowed, which is also the default set, and BGP is explicitly denied, which is also its default, so the effect is the hardened baseline: only the services needed to obtain an address, resolve the controllers and test reachability are open, making option A correct.

Exam trap

Cisco often tests the misconception that 'no allow-service bgp' is invalid or that the tunnel-interface configuration only applies to loopback interfaces, when in fact it is a valid command applied to physical interfaces to filter control-plane traffic per transport color.

How to eliminate wrong answers

Option B is wrong because the interface is not a plain WAN interface: 'tunnel-interface' makes it an SD-WAN transport, and 'no allow-service bgp' denies BGP rather than allowing every service. Option C is wrong because the interface is a physical transport interface, not a loopback, and the tunnel carries user data and several services, not only OMP. Option D is wrong because 'no allow-service bgp' is valid on an SD-WAN tunnel interface; BGP is denied there by default, so the line only makes the default explicit, and the same knob is how SSH, NETCONF, SNMP and HTTPS are kept off a public transport.
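Because allow-service is the only control between the underlay and the router's own services, it is worth auditing in bulk. The following is an added example, not Cisco tooling: a Python script that reads the IOS-XE sdwan tunnel-interface syntax from questions 48 and 55 (embedded as a constructed sample), computes the effective allowed services per transport, and flags management services reachable on a public color. The default set (dhcp, dns and icmp allowed, everything else denied), the public/private color split and the order-of-lines semantics for 'all' versus 'no allow-service' are coded as assumptions; check them against your release notes.

```python
"""Audit which services a WAN edge exposes to its transports (added example).

Assumptions (not taken from the page): dhcp, dns and icmp are allowed by
default and every other service denied; 'allow-service all' opens every
service and a later 'no allow-service X' closes X again; colors other than
mpls, metro-ethernet and private1-6 are public. Sample config is constructed.
"""
import re

PRIVATE_COLORS = {"mpls", "metro-ethernet"} | {f"private{i}" for i in range(1, 7)}
ALL_SERVICES = {"bgp", "dhcp", "dns", "https", "icmp", "netconf", "ntp",
                "ospf", "sshd", "snmp", "stun"}
DEFAULT_ALLOWED = {"dhcp", "dns", "icmp"}          # assumed default set
MANAGEMENT = {"sshd", "netconf", "https", "snmp"}  # services worth flagging

SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1
 ip address 10.1.1.1 255.255.255.0
!
sdwan
 interface GigabitEthernet0/0/1
  tunnel-interface
   encapsulation ipsec
   color biz-internet
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service icmp
  !
 !
 interface GigabitEthernet0/0/2
  tunnel-interface
   encapsulation ipsec
   color 3g
   allow-service all
  !
 !
!
"""


def parse_tunnels(text):
    """Return {interface: {'color': str, 'allowed': set}} for every
    tunnel-interface found under 'sdwan'; lines are applied in order."""
    tunnels, in_sdwan, intf = {}, False, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "sdwan":
            in_sdwan = True
            continue
        if not in_sdwan:
            continue  # the plain 'interface' block carrying the IP is not a tunnel
        if m := re.match(r"interface (\S+)$", line):
            intf = m.group(1)
            continue
        if line == "tunnel-interface" and intf:
            tunnels[intf] = {"color": None, "allowed": set(DEFAULT_ALLOWED)}
            continue
        if intf not in tunnels:
            continue
        t = tunnels[intf]
        if m := re.match(r"color (\S+)$", line):
            t["color"] = m.group(1)
        elif line == "allow-service all":
            t["allowed"] = set(ALL_SERVICES)
        elif m := re.match(r"no allow-service (\S+)$", line):
            t["allowed"].discard(m.group(1))
        elif m := re.match(r"allow-service (\S+)$", line):
            t["allowed"].add(m.group(1))
    return tunnels


def audit(text):
    """Return findings for management services reachable from a public transport."""
    findings = []
    for intf, t in parse_tunnels(text).items():
        public = t["color"] not in PRIVATE_COLORS
        exposed = sorted(t["allowed"] & MANAGEMENT)
        if public and exposed:
            findings.append(f"{intf} (color {t['color']}, public): "
                            f"{', '.join(exposed)} reachable from the underlay")
    return findings


if __name__ == "__main__":
    for intf, t in parse_tunnels(SAMPLE_CONFIG).items():
        print(intf, t["color"], sorted(t["allowed"]))
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

On the sample, GigabitEthernet0/0/1 ends up with exactly the default services and produces no finding, while GigabitEthernet0/0/2 (the 'allow-service all' transport from question 48) is reported for exposing HTTPS, NETCONF, SNMP and SSH on a public color.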

56
MCQmedium

Given the following SD-WAN CLI output on a Cisco IOS-XE router:

show sdwan omp routes
10.1.1.0/24, received, admin-distance: 250
  via 10.0.0.1, interface GigabitEthernet0/0/1, color biz-internet, loss: 0, latency: 10
  via 10.0.0.2, interface GigabitEthernet0/0/2, color 3g, loss: 1, latency: 50

Which statement is true?

A.The route via 10.0.0.1 (biz-internet) is preferred because it has lower loss and latency.
B.The route via 10.0.0.2 (3g) is preferred because it has a higher latency, which indicates a more stable path.
C.Both routes are equally preferred because OMP uses ECMP by default.
D.The admin-distance of 250 indicates that these routes are learned via BGP.
AnswerA

SD-WAN steers traffic on measured path quality: lower loss and latency are preferred, so the biz-internet path is better.

Why this answer

Option A is correct because the loss and latency values shown are per-tunnel measurements taken by BFD on each transport (the real 'show sdwan omp routes' output lists OMP attributes such as TLOC, preference and status; loss, latency and jitter are reported by 'show sdwan app-route stats' and 'show sdwan bfd sessions'). OMP's own best-path selection ranks routes by route preference, TLOC preference and origin, not by path quality; it is application-aware routing on the edge that consults these BFD measurements and steers traffic onto a path that meets the configured SLA class. Against any SLA that bounds loss and latency, the biz-internet path (loss 0, latency 10 ms) beats the 3g path (loss 1, latency 50 ms), so it is the preferred path. The admin-distance of 250 is the default for OMP routes and plays no part in this comparison.

Exam trap

Cisco often tests the misconception that OMP uses ECMP by default for all routes: without an application-aware routing policy the edge does load-share across TLOCs that tie on OMP route and TLOC preference, but once an SLA class applies, BFD-measured loss, latency and jitter decide the path. The admin-distance of 250 is also frequently confused with BGP's.

How to eliminate wrong answers

Option B is wrong because higher latency does not indicate a more stable path; application-aware routing prefers lower loss, latency and jitter, and a path that breaches the SLA is removed from the candidate set. Option C is wrong because ECMP applies only to paths that tie on OMP route and TLOC preference with no SLA steering them apart; here the two paths differ in measured quality and the question asks which one is preferred. Option D is wrong because 250 is the default administrative distance of OMP routes on a Cisco SD-WAN edge, not BGP's; eBGP defaults to 20 and iBGP to 200.

57
MCQmedium

A service provider is deploying NFV to offer managed SD-WAN services to enterprise customers. The architect must place virtual network functions (VNFs) such as vEdge routers and firewalls in the provider's data center. Which VNF placement model allows the provider to chain these functions efficiently and scale per customer?

A.Place all VNFs for a customer on a single hypervisor host and use internal virtual switches to chain them.
B.Use a centralized service chain with a service graph that defines the order of VNFs, and deploy VNFs on separate hosts for redundancy.
C.Deploy each VNF as a separate virtual machine on a dedicated physical server to maximize performance.
D.Use a single VNF that combines routing and firewall functions to avoid chaining complexity.
AnswerB

This model uses a service graph to define the chain, and VNFs can be placed on separate hosts for high availability, allowing per-customer customization and scaling.

Why this answer

Option B is correct because a centralized service chain with a service graph allows the provider to define the ordered sequence of VNFs (e.g., vEdge router then firewall) and deploy them on separate hosts for redundancy. This model aligns with NFV MANO (Management and Orchestration) principles, enabling efficient scaling per customer by instantiating VNFs as needed while maintaining the service chain across hypervisors.

Exam trap

Cisco often tests the misconception that placing all VNFs on a single host (Option A) is simpler and efficient, but the trap is that this violates NFV's high-availability and multi-tenant scaling requirements, which are core to service provider SD-WAN offerings.

How to eliminate wrong answers

Option A is wrong because placing all VNFs for a customer on a single hypervisor host creates a single point of failure and limits scalability; internal virtual switches do not provide the orchestrated service chaining required for multi-tenant NFV deployments. Option C is wrong because dedicating a physical server per VNF defeats the purpose of NFV (virtualization and resource pooling), leading to high cost and poor scalability. Option D is wrong because combining routing and firewall into a single VNF violates the modular VNF design principle and prevents independent scaling or updating of individual functions, which is essential for multi-tenant SD-WAN services.

58
MCQmedium

An architect is designing an SD-Access fabric for a large campus network. The design must support wireless clients that roam across different access switches without tunneling client data traffic through a centralized wireless LAN controller. Which fabric component and protocol combination should the architect use to enable this mobility?

A.Fabric edge switches with VXLAN and LISP; APs in local mode with a centralized WLC.
B.Fabric edge switches with VXLAN and LISP; APs in fabric mode (SD-Access enabled).
C.Fabric border nodes with VXLAN and LISP; APs in flexconnect mode with a local switch.
D.Fabric control plane nodes with VXLAN and LISP; APs in monitor mode.
AnswerB

Fabric mode APs encapsulate client traffic in VXLAN directly to the fabric edge; the fabric-enabled WLC keeps only the CAPWAP control plane and registers client locations with the LISP control plane node, which handles mobility across the fabric.

Why this answer

Option B is correct because SD-Access fabric uses fabric edge switches with VXLAN (data plane) and LISP (control plane) to build a distributed overlay that supports seamless wireless roaming. APs in fabric mode (SD-Access enabled) send client traffic in VXLAN to the fabric edge they are attached to, so user data never hairpins through the controller; the fabric-enabled WLC still manages the APs over CAPWAP and, on a roam, updates the client's EID-to-RLOC mapping on the LISP control plane node, so the overlay follows the client across access switches.

Exam trap

Cisco often tests the misconception that SD-Access wireless still tunnels all client traffic to a centralized WLC; the trap here is that fabric mode APs move the data plane to the fabric edge over VXLAN, while the WLC remains in the design for CAPWAP control and LISP registrations only.

How to eliminate wrong answers

Option A is wrong because APs in local mode with a centralized WLC tunnel every client frame over CAPWAP to the WLC, which anchors traffic and handles roaming, contradicting the requirement to keep client data out of the controller. Option C is wrong because fabric border nodes are used for external connectivity (e.g., to WAN or Internet), not for wireless client mobility; FlexConnect mode with a local switch does not use VXLAN/LISP fabric integration and still relies on a WLC for control. Option D is wrong because fabric control plane nodes (LISP map-server/map-resolver) hold the endpoint ID-to-location mappings but do not terminate wireless clients; APs in monitor mode are for passive scanning and do not forward client traffic.

Ready to test yourself?

Try a timed practice session using only SD-WAN Architecture questions.