CCNA SD-Access Architecture Questions

41 questions · SD-Access Architecture topic · All types, answers revealed

1
MCQ · easy

A network team is designing the underlay for an SD-Access fabric. The design must use a routing protocol that supports fast convergence and is commonly recommended for the fabric underlay. Which routing protocol should be used?

A. IS-IS
B. RIP
C. EIGRP
D. BGP
Answer: A

IS-IS is the preferred underlay routing protocol for SD-Access fabric.

Why this answer

IS-IS is the correct choice because it is a link-state routing protocol that provides fast convergence, is highly scalable, and is the most commonly recommended routing protocol for the underlay of an SD-Access fabric. Cisco SD-Access designs frequently use IS-IS to support the fabric's control plane and data plane requirements, leveraging its ability to handle large, flat network topologies with minimal overhead.

Exam trap

Cisco often tests the misconception that EIGRP is the best choice for fast convergence in Cisco-centric designs, but for SD-Access underlay, the recommended protocol is IS-IS due to its open standard nature and alignment with Cisco's validated fabric architecture.

How to eliminate wrong answers

Option B (RIP) is wrong because RIP is a distance-vector protocol with slow convergence, a maximum hop count of 15, and is not suitable for modern, scalable SD-Access underlays. Option C (EIGRP) is wrong because while EIGRP offers fast convergence, it is a Cisco proprietary protocol that is not recommended for SD-Access underlays; Cisco's validated designs for SD-Access specify IS-IS or OSPF for multi-vendor interoperability and fabric consistency. Option D (BGP) is wrong because BGP is a path-vector protocol designed for inter-domain routing and policy control, not for fast convergence in a single-domain underlay; it is used in SD-Access for the overlay (e.g., LISP/VXLAN) but not as the underlay routing protocol.

2
Multi-Select · hard

Which three statements about Cisco SD-Access policy enforcement are true? (Choose three.)

Select 3 answers
A. Scalable Group Tags (SGTs) are used to enforce micro-segmentation and policy in the fabric.
B. SGTs are assigned to endpoints based on their IP address only.
C. The fabric border node enforces all policies for traffic within the fabric.
D. Cisco ISE is used to define and manage policy in SD-Access.
E. The fabric edge node applies policy based on SGTs in the VXLAN header.
Answers: A, D, E

Correct because SGTs are the foundation of group-based policy in SD-Access, allowing traffic filtering and QoS based on group membership.

Why this answer

SD-Access uses Scalable Group Tags (SGTs) to enforce micro-segmentation and policy. SGTs are assigned to endpoints based on identity (e.g., user, device type) and are carried in the VXLAN header. The fabric edge applies policy based on SGTs, not IP addresses.

The Cisco ISE provides centralized policy management and authentication. The control plane node does not enforce policy; it only maintains mappings. Policy enforcement is done at the fabric edge, not the border, for traffic within the fabric.

3
MCQ · hard

A network engineer is deploying Cisco SD-Access in a large enterprise campus. The design requires that all user traffic be segmented by Virtual Network (VN) and that the fabric edge nodes perform SGT-based enforcement. The engineer notices that traffic between two endpoints in the same IP subnet but different VNs is being forwarded directly at the fabric edge without any SGT inspection. What is the most likely cause?

A. The fabric edge nodes have not been configured with the proper SGT mappings.
B. The endpoints are in the same IP subnet, so they must be in the same Virtual Network; SGT enforcement only applies to inter-VN traffic.
C. The fabric edge nodes are operating in Layer 2 mode and do not support SGT enforcement.
D. The control plane node has not been configured with the correct IP-SGT mappings.
Answer: B

Correct. In SD-Access, endpoints in the same subnet belong to the same VN. SGT enforcement is only performed when traffic crosses VNs (inter-VN). Intra-VN traffic is bridged locally without SGT inspection.

Why this answer

In Cisco SD-Access, Virtual Networks (VNs) provide Layer 3 segmentation. Traffic between endpoints in the same IP subnet but different VNs is inherently Layer 2 traffic and cannot be routed or inspected by SGT-based enforcement, which only applies to inter-VN (Layer 3) traffic. Since the endpoints are in the same subnet, the fabric edge node forwards the traffic at Layer 2 without SGT inspection, making option B correct.

Exam trap

The trap here is that candidates assume SGT enforcement applies to all traffic between different VNs, forgetting that same-subnet traffic is Layer 2 and thus not subject to Layer 3 SGT inspection, leading them to incorrectly focus on configuration issues like missing SGT mappings.

How to eliminate wrong answers

Option A is wrong because SGT mappings are used for SGT-based enforcement on inter-VN traffic, but the issue here is that traffic is in the same subnet (Layer 2), so SGT mappings are irrelevant. Option C is wrong because fabric edge nodes in SD-Access operate in Layer 3 mode (routed overlay) and support SGT enforcement; Layer 2 mode is not a standard operational mode for fabric edge nodes in this context. Option D is wrong because the control plane node maintains IP-to-SGT mappings for inter-VN traffic, but the problem is that the traffic is intra-subnet (Layer 2), so control plane mappings are not involved.

4
Multi-Select · hard

Which three statements about VXLAN in Cisco SD-Access are true? (Choose three.)

Select 3 answers
A. VXLAN encapsulation uses a 24-bit VNI to identify the virtual network.
B. The underlay network for VXLAN must be a Layer 2 switched network.
C. VXLAN encapsulation is performed by the fabric edge node when traffic enters the fabric.
D. VXLAN provides the control plane for endpoint discovery in SD-Access.
E. VXLAN traffic between fabric nodes can be encrypted using MACsec.
Answers: A, C, E

Correct because the VXLAN Network Identifier (VNI) is a 24-bit field that uniquely identifies a Layer 2 or Layer 3 virtual network within the fabric.

Why this answer

VXLAN is the data plane encapsulation used in SD-Access to carry traffic across the fabric. It uses a 24-bit VNI to identify the virtual network (VN). The underlay network is typically a Layer 3 routed network using IS-IS or OSPF, not a Layer 2 network.

VXLAN encapsulation is performed by the fabric edge node when traffic enters the fabric. The control plane for SD-Access uses LISP, not VXLAN itself. VXLAN does not provide encryption natively; MACsec or other encryption methods are used separately.

5
Multi-Select · medium

Which two statements about the Cisco SD-Access fabric roles are true? (Choose two.)

Select 2 answers
A. The fabric edge node connects wired endpoints to the SD-Access fabric.
B. The fabric border node provides connectivity to networks outside the SD-Access fabric.
C. The fabric control plane node is responsible for forwarding traffic between fabric edges.
D. The fabric wireless LAN controller is a dedicated role for wireless integration.
E. The intermediate node is a core role in SD-Access fabric.
Answers: A, B

Correct because the fabric edge is the switch or wireless controller that provides network access to endpoints and applies policies.

Why this answer

In Cisco SD-Access, the fabric edge is the device that connects wired endpoints to the fabric, and the fabric border is responsible for connecting the fabric to external networks (e.g., WAN, data center). The fabric control plane node manages the LISP mapping database and authentication, not the fabric border. The fabric wireless LAN controller does not exist as a separate role; wireless services are integrated into the fabric edge or border.

The intermediate node is not a defined role in SD-Access.

6
MCQ · medium

Consider the following configuration:

```
router eigrp 100
 network 10.0.0.0 0.255.255.255
 passive-interface default
 no passive-interface GigabitEthernet0/0
```

Which statement is true about this EIGRP configuration?

A. EIGRP will send and receive updates only on GigabitEthernet0/0.
B. EIGRP will send updates on all interfaces except GigabitEthernet0/0.
C. EIGRP will not send any updates because the network statement is incorrect.
D. EIGRP will form adjacencies on all interfaces that have an IP address in the 10.0.0.0/8 range.
Answer: A

All interfaces are passive by default, but Gi0/0 is explicitly enabled for EIGRP updates.

Why this answer

The `passive-interface default` command sets all interfaces to passive by default, preventing EIGRP from sending or receiving hello packets (and thus updates) on them. The `no passive-interface GigabitEthernet0/0` command then overrides this default for that specific interface, allowing EIGRP to send and receive updates only on GigabitEthernet0/0. The network statement 10.0.0.0 0.255.255.255 enables EIGRP on any interface matching the 10.0.0.0/8 range, but the passive-interface logic restricts actual adjacency formation.

Exam trap

Cisco often tests the interaction between `passive-interface default` and `no passive-interface` to see if candidates understand that the default passive setting overrides all interfaces except those explicitly enabled, rather than the reverse.

How to eliminate wrong answers

Option B is wrong because the configuration uses `passive-interface default` followed by `no passive-interface GigabitEthernet0/0`, which makes only GigabitEthernet0/0 active for EIGRP updates, not all interfaces except GigabitEthernet0/0. Option C is wrong because the network statement `10.0.0.0 0.255.255.255` is a valid wildcard mask that matches the 10.0.0.0/8 prefix, and EIGRP will enable on any interface with an IP in that range; the passive-interface logic does not invalidate the network statement. Option D is wrong because although the network statement enables EIGRP on all interfaces in the 10.0.0.0/8 range, the `passive-interface default` command suppresses hello packets and adjacency formation on all interfaces except GigabitEthernet0/0, so adjacencies will not form on other interfaces.

7
Drag & Drop · medium

Drag and drop the steps of SD-Access fabric border handoff configuration into the correct order, from first to last.

Why this order

The correct order starts with defining the external network, then creating the SVI for the handoff, configuring the routing protocol, applying the border handoff policy, and finally verifying the connectivity. This sequence ensures the border node can properly connect the fabric to external networks.

8
Drag & Drop · medium

Drag and drop the steps of Cisco ISE profiling and policy assignment flow into the correct order, from first to last.

Why this order

The flow starts with endpoint authentication via 802.1X/MAB, then ISE collects profiling data (e.g., DHCP, HTTP). ISE matches the endpoint to a profiling policy, assigns an identity group, and finally applies the appropriate authorization policy (e.g., SGT, VLAN).

9
MCQ · easy

Which BGP attribute is preferred when it has the lowest value?

A. MED (Multi-Exit Discriminator)
B. Local Preference
C. Weight
D. AS Path
Answer: A

The MED attribute is used to indicate the preferred path into an AS; lower MED is better.

Why this answer

The Multi-Exit Discriminator (MED) is a BGP path attribute used to influence inbound traffic to an AS from multiple entry points. A lower MED value is preferred over a higher one, making it the correct answer among the options where the lowest value is preferred.

Exam trap

Cisco often tests the distinction between attributes where higher is preferred (Local Preference, Weight) versus lower is preferred (MED, AS Path length), and the trap here is that candidates might confuse MED with Local Preference or Weight, both of which use higher values as better.

How to eliminate wrong answers

Option B (Local Preference) is wrong because Local Preference is used to influence outbound traffic from an AS, and a higher value is preferred, not lower. Option C (Weight) is wrong because Weight is a Cisco-proprietary attribute that is preferred when it has a higher value, not lower. Option D (AS Path) is wrong because a shorter AS Path length is preferred, meaning a lower count is better, but the question asks for an attribute where the lowest value is preferred, and AS Path is not typically described as a 'value' in the same sense as MED; moreover, AS Path length is a count, not a metric like MED, and the question's phrasing aligns more directly with MED's explicit numeric comparison.

10
Matching · medium

Drag and drop each SD-Access layer on the left to its matching technology on the right.

Matches

IS-IS routing protocol for physical network connectivity

VXLAN encapsulation and LISP for host mobility and location

Cisco TrustSec (CTS) for SGT-based access control

Cisco DNA Center for automation and assurance

LISP control plane and VXLAN data plane for fabric forwarding

Why these pairings

The underlay uses IS-IS for physical connectivity, the overlay uses VXLAN and LISP for encapsulation and location mapping, and the policy layer uses CTS for SGT-based segmentation.

11
Matching · medium

Drag and drop each Cisco DNA Center workflow on the left to its matching component on the right.

Matches

Creates network profiles, site hierarchy, and IP address pools

Defines SGTs, scalable groups, and access contracts

Deploys configurations and fabric settings to network devices

Monitors network health, client experience, and application performance

Automates device onboarding, software image management, and compliance checks

Why these pairings

Design creates network profiles and site hierarchy, Policy defines SGTs and access contracts, Provision deploys configurations to devices, Assurance monitors network health, and Automation runs workflows like PnP and SWIM.

12
MCQ · medium

A company is deploying an SD-Access fabric with multiple sites connected via a WAN. The design must allow inter-site traffic to be forwarded without requiring a full mesh of VXLAN tunnels between all edge nodes. Which fabric role should be used to interconnect the sites?

A. Fabric border node
B. Fabric control plane node
C. Fabric edge node
D. Fabric WAN controller
Answer: A

Border nodes act as the gateway between the fabric and external networks, enabling inter-site connectivity.

Why this answer

A Fabric Border Node is the correct role because it acts as the gateway between the SD-Access fabric and external networks, including WAN connections. It performs Network-to-Network Interconnection (NNI) by translating VXLAN-encapsulated traffic into the appropriate WAN transport (e.g., IPsec, MPLS) and handles inter-site routing without requiring a full mesh of VXLAN tunnels between all Edge Nodes. This design leverages the Border Node to aggregate traffic and forward it over the WAN, reducing tunnel overhead and simplifying the fabric architecture.

Exam trap

Cisco often tests the misconception that a Fabric Edge Node can directly forward traffic between sites, but the trap here is that Edge Nodes only handle intra-site VXLAN tunnels and rely on Border Nodes for any traffic leaving the fabric site.

How to eliminate wrong answers

Option B is wrong because a Fabric Control Plane Node (using LISP/Map-Server) manages endpoint-to-location mappings and registration within a single fabric site; it does not forward data traffic or interconnect sites over a WAN. Option C is wrong because a Fabric Edge Node is responsible for attaching endpoints (wired/wireless) and encapsulating traffic into VXLAN tunnels within the same fabric site; it cannot directly forward traffic between different sites without a Border Node. Option D is wrong because there is no official 'Fabric WAN Controller' role in Cisco SD-Access; WAN integration is handled by the Fabric Border Node, which can be paired with external WAN controllers (e.g., vManage) but is not a separate fabric role.

13
MCQ · medium

Given this OSPF configuration:

```
router ospf 1
 router-id 1.1.1.1
 network 192.168.1.0 0.0.0.255 area 0
 network 10.0.0.0 0.255.255.255 area 1
 default-information originate always
```

What is the effect of the 'default-information originate always' command?

A. OSPF will advertise a default route into all OSPF areas even if no default route is present in the routing table.
B. OSPF will only advertise a default route if a default route is already in the routing table.
C. OSPF will redistribute all connected routes as type 5 LSAs.
D. OSPF will generate a default route only for area 0.
Answer: A

The 'always' keyword forces injection of a default route into OSPF regardless of existence in the RIB.

Why this answer

The 'default-information originate always' command instructs OSPF to generate and advertise a default route (0.0.0.0/0) into the OSPF domain as a Type 5 External LSA, regardless of whether a default route exists in the router's own routing table. This ensures that all OSPF routers in every area receive the default route, making the advertising router a gateway of last resort.

Exam trap

Cisco often tests the distinction between 'default-information originate' (which requires a default route in the routing table) and 'default-information originate always' (which does not), leading candidates to mistakenly think the 'always' keyword is optional or that the command only affects area 0.

How to eliminate wrong answers

Option B is wrong because the 'always' keyword explicitly overrides the default behavior, which would require a default route in the routing table; without 'always', OSPF only originates the default if one is present. Option C is wrong because the command does not redistribute connected routes; it only generates a single default route, and Type 5 LSAs are used for external routes, not for all connected routes. Option D is wrong because the default route is advertised into the entire OSPF domain (all areas), not restricted to area 0; OSPF floods Type 5 LSAs throughout the autonomous system.

14
Drag & Drop · medium

Drag and drop the steps of SD-Access fabric node onboarding into DNA Center into the correct order, from first to last.

Why this order

The correct order begins with physical connectivity and discovery, followed by adding the device to inventory, assigning it to a site, configuring the network profile and fabric role, and finally provisioning the node. This sequence ensures the device is discovered, recognized, and properly configured within the SD-Access fabric.

15
Matching · medium

Drag and drop each SD-Access fabric role on the left to its matching function on the right.

Matches

Connects the SD-Access fabric to external Layer 2 or Layer 3 networks

Attaches wired endpoints to the fabric and enforces access policies

Hosts the LISP map-server and map-resolver functions

Manages wireless endpoints and integrates with the fabric edge

Provides wireless connectivity and tunnels client traffic to the fabric edge

Why these pairings

The fabric border node connects the fabric to external networks, the fabric edge node connects endpoints to the fabric, and the fabric control node manages LISP mapping and VXLAN tunnels.

16
MCQ · medium

Examine the following configuration snippet:

```
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
 spanning-tree bpduguard enable
```

What is the effect of this configuration?

A. The port will immediately transition to forwarding state and will be error-disabled if a BPDU is received.
B. The port will remain in blocking state until a BPDU is received from the root bridge.
C. The port will only forward BPDUs and will not forward data traffic.
D. The port will participate in RSTP and will not be affected by BPDU reception.
Answer: A

PortFast skips listening/learning; BPDU Guard error-disables the port on BPDU reception.

Why this answer

The configuration enables PortFast and BPDU Guard on an access port. PortFast immediately transitions the port to forwarding state, bypassing the usual STP listening and learning phases. BPDU Guard monitors for incoming BPDUs; if any are received, it error-disables the port to prevent a potential bridging loop from an unauthorized switch connection.

Exam trap

Cisco often tests the distinction between PortFast (which speeds up convergence) and BPDU Guard (which protects against loops) — the trap here is assuming PortFast alone prevents BPDU issues, when in fact BPDU Guard is required to error-disable the port upon BPDU reception.

How to eliminate wrong answers

Option B is wrong because PortFast forces the port into forwarding state immediately, not blocking; BPDU Guard does not alter this behavior. Option C is wrong because the port forwards normal data traffic as an access port in VLAN 100, not just BPDUs. Option D is wrong because BPDU Guard explicitly reacts to BPDU reception by error-disabling the port, so the port is affected by BPDUs; RSTP is not relevant here as PortFast overrides the STP state machine.

17
MCQ · medium

Examine the following BGP configuration:

```
router bgp 65001
 bgp log-neighbor-changes
 neighbor 10.1.1.1 remote-as 65002
 neighbor 10.1.1.1 route-map SET_MED out
!
route-map SET_MED permit 10
 set metric 50
```

What is the purpose of this configuration?

A. It sets the MED value to 50 for all routes sent to the neighbor 10.1.1.1.
B. It sets the local preference to 50 for routes received from the neighbor.
C. It filters routes with a metric of 50 from being advertised to the neighbor.
D. It sets the weight to 50 for routes learned from the neighbor.
Answer: A

The route-map is applied outbound, and the set metric command sets the MED attribute.

Why this answer

The configuration applies a route-map named SET_MED to outbound updates toward neighbor 10.1.1.1. The route-map permits all routes (no match statement) and sets the Multi-Exit Discriminator (MED) to 50. MED is a BGP path attribute that influences inbound traffic from the neighbor AS, making this path less preferred if the neighbor has a lower MED from another entry point.

Thus, all routes sent to 10.1.1.1 will carry a MED of 50.

Exam trap

Cisco often tests the distinction between BGP path attributes (MED vs. local preference vs. weight) and the direction in which they are applied (inbound vs. outbound), causing candidates to confuse 'set metric' with 'set local-preference' or 'set weight'.

How to eliminate wrong answers

Option B is wrong because local preference is set using the 'set local-preference' command in a route-map, and it applies to inbound updates, not outbound; the configuration here uses 'set metric' (MED) on outbound updates. Option C is wrong because the route-map is configured with 'permit' and no match condition, so it does not filter routes; it modifies the MED attribute of all advertised routes, not filtering based on metric. Option D is wrong because weight is a Cisco-proprietary attribute set with 'set weight' in a route-map, and it applies to inbound updates; this configuration sets MED on outbound updates, not weight.

18
MCQ · medium

An architect is planning a Cisco SD-Access fabric deployment. The design must support host mobility across multiple fabric edge nodes while ensuring consistent policy enforcement. Which fabric component is responsible for tracking endpoint locations and mapping them to the fabric?

A. Fabric control plane node
B. Fabric border node
C. Fabric edge node
D. Fabric wireless controller
Answer: A

The control plane node uses LISP to track and map endpoints to their location in the fabric.

Why this answer

In Cisco SD-Access, the fabric control plane node (based on LISP) is responsible for maintaining the endpoint database (EID-to-RLOC mappings). When a host moves between fabric edge nodes, the control plane node updates the mapping, ensuring consistent policy enforcement by providing the correct location information to all edge nodes.

Exam trap

Cisco often tests the misconception that the fabric edge node tracks endpoint locations because it directly connects to hosts, but the control plane node is the centralized mapping database in LISP-based SD-Access.

How to eliminate wrong answers

Option B is wrong because the fabric border node connects the SD-Access fabric to external networks (e.g., WAN, data center) and handles north-south traffic, but it does not track endpoint locations or maintain the EID-to-RLOC database. Option C is wrong because the fabric edge node is the access layer that connects endpoints to the fabric and enforces policies locally, but it relies on the control plane node to learn and update endpoint location mappings; it does not serve as the central mapping database. Option D is wrong because the fabric wireless controller (e.g., Cisco Catalyst 9800) manages wireless access points and client roaming within the fabric, but it does not maintain the LISP-based EID-to-RLOC mappings; that is the role of the control plane node.

19
Multi-Select · hard

Which three statements about Cisco SD-Access policy enforcement are true? (Choose three.)

Select 3 answers
A. Policy enforcement in SD-Access is based on Scalable Group Tags (SGTs) assigned to endpoints.
B. Cisco ISE is used to define and manage SGT-to-policy mappings in the SD-Access fabric.
C. The fabric border node enforces all intra-fabric policies between different virtual networks.
D. The SGT information is carried in the VXLAN header using the Group Policy Option (GPO).
E. The underlay network devices must be aware of SGTs to forward traffic correctly.
Answers: A, B, D

Correct because SGTs are the foundation for group-based policy, allowing dynamic segmentation.

Why this answer

SD-Access uses Scalable Group Tags (SGTs) for micro-segmentation, and policies are defined in Cisco ISE (Identity Services Engine). The fabric edge enforces policies by applying SGTs to traffic and using SGT-based ACLs. The control plane (LISP) distributes SGT mappings, but policy enforcement is done at the edge.

The border node does not enforce policies for internal fabric traffic; it only handles external connectivity. The SGT is carried in the VXLAN header using the Group Policy Option. The underlay network is unaware of SGTs.

20
Multi-Select · medium

Which two statements about LISP in Cisco SD-Access are true? (Choose two.)

Select 2 answers
A. The LISP Map Server stores the mapping between endpoint identifiers (EIDs) and routing locators (RLOCs).
B. LISP encapsulation is used to forward data traffic between fabric edge nodes.
C. The LISP Map Resolver processes Map-Request messages and responds with the RLOC of the destination EID.
D. LISP uses TCP port 4342 for control plane communication.
E. The EID in LISP represents the MAC address of the endpoint device.
Answers: A, C

Correct because the Map Server is the central database that holds EID-to-RLOC mappings for the fabric.

Why this answer

LISP (Locator/ID Separation Protocol) is the control plane in SD-Access. The Map Server (MS) maintains the EID-to-RLOC mapping database, and the Map Resolver (MR) handles Map-Request queries. The EID represents the endpoint identity (IP address), while the RLOC is the routing locator (IP address of the fabric node).

LISP does not perform encapsulation; VXLAN does. LISP uses UDP ports 4342 (data plane) and 4341 (control plane), not TCP. The EID is typically the host IP, not the MAC address.

21
MCQ · easy

What is the default OSPF hello interval on an Ethernet link?

A. 10 seconds
B. 30 seconds
C. 40 seconds
D. 5 seconds
Answer: A

The default hello interval for OSPF on Ethernet (broadcast) is 10 seconds.

Why this answer

The default OSPF hello interval on an Ethernet link is 10 seconds, as specified in RFC 2328. Ethernet is a broadcast multi-access network type, and OSPF uses a 10-second hello interval on such networks to maintain neighbor adjacencies and detect failures within the dead interval (default 40 seconds, or 4 times the hello interval).

Exam trap

Cisco often tests the confusion between the OSPF hello interval and dead interval, where candidates mistakenly select 40 seconds (the dead interval) instead of 10 seconds (the hello interval) on Ethernet links.

How to eliminate wrong answers

Option B (30 seconds) is wrong because 30 seconds is the default hello interval for OSPF on non-broadcast multi-access (NBMA) networks, such as Frame Relay, not on Ethernet. Option C (40 seconds) is wrong because 40 seconds is the default OSPF dead interval on Ethernet, not the hello interval; candidates often confuse the two. Option D (5 seconds) is wrong because 5 seconds is the default hello interval for OSPF on point-to-point and point-to-multipoint networks, not on Ethernet broadcast multi-access links.

22
MCQ · easy

What is the maximum hop count for EIGRP?

A. 255
B. 100
C. 15
D. 16
Answer: A

EIGRP supports up to 255 hops, configurable with the 'metric maximum-hops' command.

Why this answer

EIGRP uses a maximum hop count of 255, which is a hard limit encoded in the protocol's metric structure. This high limit allows EIGRP to scale in large enterprise networks without the hop-count restrictions of distance-vector protocols like RIP.

Exam trap

Cisco often tests the EIGRP hop count limit of 255 to catch candidates who confuse it with RIP's 15-hop limit or who assume all distance-vector protocols have the same constraints.

How to eliminate wrong answers

Option B (100) is wrong because EIGRP's maximum hop count is 255, not 100; 100 is not a standard limit in any major routing protocol. Option C (15) is wrong because that is the maximum hop count for RIP version 1 and 2, not EIGRP. Option D (16) is wrong because 16 represents 'infinite' or unreachable in RIP, but EIGRP uses a different metric system and a hop count of 255.

23
MCQ · medium

An architect is designing an SD-Access fabric for a campus that requires high availability. The design must ensure that if one fabric edge node fails, endpoints can be re-homed to another edge node without manual intervention. Which feature should be implemented?

A. Anycast Layer 2 gateway
B. HSRP
C. VRRP
D. GLBP
Answer: A

Anycast L2 gateway provides high availability by allowing multiple edge nodes to serve the same gateway.

Why this answer

Anycast Layer 2 gateway is the correct feature because it allows multiple fabric edge nodes to share the same anycast IP and MAC address for a given VLAN. If one edge node fails, endpoints simply continue using the same gateway address, and their traffic is automatically forwarded to a surviving edge node via the fabric's underlay routing, requiring no manual intervention or protocol convergence.

Exam trap

Cisco often tests the misconception that traditional FHRPs like HSRP or VRRP are sufficient for high availability in SD-Access, but the trap is that these protocols introduce failover delays and active/standby limitations, whereas SD-Access requires anycast Layer 2 gateway for instantaneous, protocol-free re-homing across multiple active edge nodes.

How to eliminate wrong answers

Option B (HSRP) is wrong because HSRP is a First Hop Redundancy Protocol that relies on a single active/standby pair with a virtual IP and MAC; failure of the active node triggers a failover that can take seconds and requires endpoints to wait for ARP updates or gratuitous ARP, which is not automatic re-homing without manual intervention in an SD-Access fabric. Option C (VRRP) is wrong for the same reason as HSRP—it is an open-standard FHRP with similar active/standby behavior and failover delays, not designed for the anycast-based, seamless mobility of SD-Access. Option D (GLBP) is wrong because GLBP provides load balancing across multiple gateways but still uses a virtual IP and MAC per group; it does not provide the anycast Layer 2 gateway functionality that allows endpoints to be re-homed to any edge node without address changes or protocol state transitions.

24
Drag & Dropmedium

Drag and drop the steps of micro-segmentation via SGT policy application into the correct order, from first to last.

Why this order

Micro-segmentation starts with classifying endpoints into SGTs based on identity, then defining SGT-to-SGT policies (permit/deny). The policies are enforced at the fabric edge, where the SGT is propagated in the VXLAN header, and traffic is filtered accordingly. Finally, monitoring ensures compliance.

25
Drag & Dropmedium

Drag and drop the steps of SD-Access underlay provisioning via LAN Automation into the correct order, from first to last.

Why this order

LAN Automation begins with the seed device discovering new switches via CDP, then the new switches are automatically configured with the underlay template, including PnP and DHCP. After configuration, the switches join the fabric underlay, and finally, the automation process verifies connectivity and updates the inventory.

26
MCQmedium

Consider this VLAN configuration on a Cisco switch:

    vlan 10
     name Sales
    vlan 20
     name Engineering
    interface GigabitEthernet0/1
     switchport mode trunk
     switchport trunk allowed vlan 10,20

What is missing if the switch needs to carry VLAN 30 traffic on this trunk?

A.VLAN 30 must be created and added to the allowed VLAN list on the trunk.
B.The trunk must be configured as an access port for VLAN 30.
C.The native VLAN must be changed to VLAN 30.
D.The switchport mode must be changed to dynamic desirable.
AnswerA

Without VLAN 30 created and allowed on the trunk, traffic for VLAN 30 will not be forwarded.

Why this answer

Option A is correct because a trunk port only forwards traffic for VLANs that exist in the switch's VLAN database and are explicitly permitted in the allowed VLAN list. VLAN 30 is neither created (no 'vlan 30' command) nor added to the trunk's allowed list (missing 'switchport trunk allowed vlan add 30'), so the switch will drop any frames tagged with VLAN 30. Creating the VLAN and updating the allowed list ensures the trunk can forward VLAN 30 traffic.

Exam trap

Cisco often tests the misconception that simply creating a VLAN on the switch is enough for trunk traffic, but the allowed VLAN list must also be explicitly updated, or the trunk will drop frames for that VLAN.

How to eliminate wrong answers

Option B is wrong because an access port cannot carry multiple VLANs; it belongs to a single VLAN and strips the 802.1Q tag, which would break trunking for VLANs 10 and 20. Option C is wrong because changing the native VLAN to 30 does not allow VLAN 30 traffic on the trunk; the native VLAN is used for untagged frames on a trunk and does not add a new VLAN to the allowed list. Option D is wrong because dynamic desirable mode uses DTP to negotiate trunking but does not create VLANs or modify the allowed VLAN list; the issue is missing VLAN creation and allowed list configuration, not trunk mode negotiation.

27
Matchingmedium

Drag and drop each SGT value range on the left to its matching policy type on the right.

Reserved for system use (e.g., unknown SGT)

User-defined scalable groups

Default SGTs assigned by Cisco DNA Center

Static SGTs configured manually

Dynamic SGTs assigned by ISE

Why these pairings

SGTs 0-1 are reserved, 2-9999 are user-defined, 10000-19999 are default, 20000-29999 are static, and 30000-65535 are dynamic.

28
Multi-Selectmedium

Which two statements about Cisco SD-Access fabric wireless integration are true? (Choose two.)

Select 2 answers
A.Wireless clients are assigned to the same virtual network (VN) as wired clients for consistent policy.
B.The wireless LAN controller in SD-Access must be a dedicated fabric role separate from the fabric edge.
C.CAPWAP tunnels are used between the access point and the fabric edge for data traffic.
D.The fabric uses a separate wireless overlay network for wireless traffic.
E.The access point encapsulates wireless traffic directly into VXLAN when the WLC is fabric-enabled.
AnswersA, E

Correct because SD-Access unifies wired and wireless policy by placing both types of endpoints into the same VN.

Why this answer

In SD-Access, wireless clients are mapped to the same virtual network (VN) as wired clients, enabling consistent policy. The wireless controller (WLC) can be deployed as a fabric edge or border, not as a separate dedicated role. The CAPWAP tunnel is only used between the AP and the WLC in the underlay; once the WLC is fabric-enabled, it uses VXLAN to the fabric edge.

The fabric does not require a separate wireless overlay; it uses the same VXLAN data plane. The AP does not encapsulate traffic directly into VXLAN; that is done by the fabric edge or the WLC.

29
MCQmedium

A network architect is designing an SD-Access fabric for a large enterprise campus. The design must support segmentation at Layer 2 and Layer 3 across the fabric, using a centralized control plane and policy enforcement. Which two protocols are essential for the SD-Access overlay to meet these requirements?

A.LISP and VXLAN
B.MP-BGP and MPLS
C.OSPF and GRE
D.IS-IS and NVGRE
AnswerA

LISP provides the control plane and VXLAN provides the data plane encapsulation for the overlay.

Why this answer

LISP (Locator/ID Separation Protocol) provides the centralized control plane for endpoint identity-to-location mapping and policy-based forwarding, while VXLAN (Virtual Extensible LAN) supplies the data-plane encapsulation needed for Layer 2 and Layer 3 segmentation across the underlay. Together, they enable scalable overlay segmentation with a centralized policy enforcement point in SD-Access.

Exam trap

Cisco often tests the misconception that MPLS or EVPN is the required overlay for SD-Access, but the exam specifically expects LISP and VXLAN as the essential protocols for the fabric overlay.

How to eliminate wrong answers

Option B is wrong because MP-BGP and MPLS are used in MPLS VPN architectures (e.g., L3VPN/EVPN) but are not the essential overlay protocols for Cisco SD-Access; SD-Access uses LISP for control plane and VXLAN for data plane, not MPLS. Option C is wrong because OSPF and GRE provide only basic routing and tunneling without the centralized control plane or segmentation capabilities required; GRE lacks the multi-tenant VNI-based segmentation that VXLAN offers. Option D is wrong because IS-IS is an underlay routing protocol and NVGRE is a Microsoft-proprietary overlay that does not integrate with Cisco’s SD-Access fabric; SD-Access specifically requires LISP and VXLAN.

30
MCQmedium

Given the following policy-map:

    policy-map QOS_POLICY
     class VOICE
      priority percent 30
     class VIDEO
      bandwidth percent 20
      queue-limit 100 packets
     class class-default
      fair-queue

What is the effect of the 'priority percent 30' command in the VOICE class?

A.Voice traffic is placed in a strict priority queue with a guaranteed bandwidth of 30% of the interface bandwidth.
B.Voice traffic is limited to 30% of the interface bandwidth and will be dropped if exceeded.
C.Voice traffic is given a weight of 30 in the weighted fair queueing algorithm.
D.Voice traffic is re-marked with IP precedence 30.
AnswerA

The priority command provides a low-latency queue with a bandwidth guarantee.

Why this answer

The 'priority percent 30' command in the VOICE class configures a strict priority queue (LLQ) that guarantees voice traffic up to 30% of the interface bandwidth. During congestion, voice packets are always transmitted before other traffic, but they are policed to ensure they do not exceed the allocated 30%, preventing starvation of other queues.

Exam trap

Cisco often tests the misconception that 'priority percent' simply limits bandwidth like a policer, but the key trap is that it also provides strict priority queuing, which guarantees low latency for voice traffic, not just a bandwidth cap.

How to eliminate wrong answers

Option B is wrong because the priority percent command does not simply drop traffic that exceeds 30%; it polices the traffic, but during congestion, excess packets are dropped, while under no congestion, voice can burst above the percentage. Option C is wrong because the priority command creates a strict priority queue, not a weighted fair queue; weighted fair queueing uses weights for bandwidth allocation, not for priority queuing. Option D is wrong because the priority percent command does not re-mark packets; it only affects queuing and policing behavior, while marking is done by a separate 'set' command in a policy-map.

31
MCQmedium

An architect is designing an SD-Access fabric for a campus with multiple buildings. The design must support wireless clients seamlessly roaming across fabric edge nodes. Which technology is used in the fabric to provide mobility for wireless endpoints?

A.LISP
B.VXLAN
C.OTV
D.MPLS
AnswerA

LISP handles endpoint mobility by updating the EID-to-RLOC mapping when a client roams.

Why this answer

LISP (Locator/ID Separation Protocol) is the correct technology because it decouples the endpoint identifier (EID) from its routing locator (RLOC), enabling seamless roaming across fabric edge nodes. In SD-Access, LISP maintains a mapping database that tracks wireless endpoint locations, allowing traffic to be forwarded to the correct fabric edge without re-anchoring or tunneling changes as clients move between access points.

Exam trap

Cisco often tests the misconception that VXLAN alone handles mobility, but the trap here is that VXLAN is only the data-plane encapsulation; LISP is the control-plane protocol that actually enables endpoint tracking and seamless roaming in SD-Access.

How to eliminate wrong answers

Option B (VXLAN) is wrong because VXLAN is used for network virtualization and overlay encapsulation in SD-Access, but it does not provide endpoint mobility or location tracking; LISP handles the control plane for mobility. Option C (OTV) is wrong because OTV is a Layer 2 extension technology for connecting data centers over Layer 3 networks, not designed for endpoint mobility within a campus fabric. Option D (MPLS) is wrong because MPLS is a label-switching transport technology used for traffic engineering and VPNs, lacking the endpoint identity-to-location mapping required for wireless roaming in SD-Access.

32
Drag & Dropmedium

Drag and drop the SD-Access fabric border node configuration steps into the correct order, from first to last.

Why this order

Configuration starts with enabling LISP on the border node, then configuring the EID-to-RLOC mapping and border services. Next, the border is connected to external networks (e.g., WAN), followed by applying VRF and SGT policies, and finally verifying the border operation.

33
Multi-Selecthard

Which three statements about VXLAN encapsulation in Cisco SD-Access are true? (Choose three.)

Select 3 answers
A.VXLAN encapsulation uses a 24-bit VNI to identify the virtual network segment.
B.The VXLAN header in SD-Access includes a Group Policy ID field to carry the SGT.
C.VXLAN encapsulation in SD-Access is an IP-in-IP tunneling mechanism.
D.The outer IP destination address in the VXLAN packet is the IP address of the destination fabric node.
E.The VNI is mapped to a VLAN at the fabric edge to provide Layer 2 connectivity for endpoints.
AnswersA, B, D

Correct because the VNI (Virtual Network Identifier) is 24 bits, allowing up to 16 million segments.

Why this answer

VXLAN in SD-Access uses a 24-bit VNI for network segmentation, and the fabric encapsulation adds a VXLAN header plus an outer IP/UDP header. The fabric uses VXLAN with Group Policy Option (GPO) to carry SGT information in the header. VXLAN is a MAC-in-UDP encapsulation, not IP-in-IP.

The VNI is used to identify the virtual network (VN) and is mapped to a VLAN at the edge. The outer source IP is typically the loopback of the fabric node, not the end-user IP.

34
MCQeasy

A network team is designing an SD-Access fabric for a large enterprise. The design must support automated provisioning and policy management. Which management platform is essential for deploying and managing the fabric?

A.Cisco DNA Center
B.Cisco ISE
C.Cisco Prime Infrastructure
D.Cisco vManage
AnswerA

DNA Center is the management platform for SD-Access, enabling automated fabric deployment and policy control.

Why this answer

Cisco DNA Center is the essential management platform for deploying and managing an SD-Access fabric because it provides a centralized, intent-based interface for automating the entire fabric lifecycle, including design, provisioning, policy creation, and assurance. It integrates with Cisco ISE for policy enforcement and with network devices via APIs (e.g., NETCONF/YANG) to push configurations such as VXLAN, LISP, and CTS SGTs. Without DNA Center, the automated provisioning and policy management required for SD-Access cannot be achieved at scale.

Exam trap

Cisco often tests the distinction between management platforms (DNA Center for SD-Access) and policy/identity engines (ISE) or other overlay technologies (vManage for SD-WAN), so the trap here is confusing the role of ISE as a policy enforcer with the role of DNA Center as the fabric orchestrator.

How to eliminate wrong answers

Option B (Cisco ISE) is wrong because ISE handles identity services, authentication, authorization, and policy enforcement (e.g., 802.1X, SGT classification), but it is not the management platform for deploying or provisioning the SD-Access fabric itself; it works in conjunction with DNA Center. Option C (Cisco Prime Infrastructure) is wrong because Prime Infrastructure is a legacy network management tool that lacks support for SD-Access fabric automation, VXLAN/EVPN provisioning, and intent-based policy workflows; it cannot deploy or manage the fabric. Option D (Cisco vManage) is wrong because vManage is the management platform for Cisco SD-WAN (Viptela-based), not for SD-Access; SD-Access uses DNA Center for centralized control, while vManage manages overlay tunnels and WAN edge routers in a separate technology domain.

35
Drag & Dropmedium

Drag and drop the steps of the LISP EID-to-RLOC mapping resolution process into the correct order, from first to last.

Why this order

The process begins when the ingress tunnel router (ITR) receives a packet for a destination EID. The ITR sends a Map-Request to the Map-Server, which looks up the mapping and replies with a Map-Reply containing the RLOC. The ITR then caches the mapping and encapsulates the packet to the egress tunnel router (ETR).

36
MCQmedium

An architect is designing an SD-Access fabric for a campus network that requires segmentation of guest, employee, and IoT traffic. The design must use Cisco TrustSec for policy enforcement. Which component is responsible for assigning the Security Group Tag (SGT) to endpoints upon authentication?

A.Cisco ISE
B.Fabric edge node
C.Fabric control plane node
D.Cisco DNA Center
AnswerA

ISE authenticates endpoints and assigns SGTs, which are then used for policy enforcement in the fabric.

Why this answer

Cisco ISE is the policy decision point in a TrustSec-enabled SD-Access fabric. When an endpoint authenticates via 802.1X, MAB, or web authentication, ISE evaluates the authentication result and the applicable authorization policy, then dynamically assigns a Security Group Tag (SGT) to the endpoint. This SGT is passed to the network access device (e.g., fabric edge node) via RADIUS attributes in the Access-Accept message, enabling consistent policy enforcement throughout the fabric.

Exam trap

Cisco often tests the distinction between the policy decision point (ISE) and the policy enforcement point (fabric edge node), so the trap here is that candidates mistakenly think the fabric edge node assigns the SGT because it applies the tag to packets, but the assignment occurs during authentication by ISE.

How to eliminate wrong answers

Option B is wrong because the fabric edge node is the enforcement point that applies the SGT to traffic based on the tag received from ISE, but it does not assign the SGT itself. Option C is wrong because the fabric control plane node (e.g., LISP map-server) manages endpoint-to-location mappings and handles EID-to-RLOC resolution, not SGT assignment. Option D is wrong because Cisco DNA Center is the management and orchestration platform for the SD-Access fabric; it provisions policies and configurations but does not dynamically assign SGTs during authentication.

37
Multi-Selectmedium

Which two statements about the Cisco SD-Access fabric roles are true? (Choose two.)

Select 2 answers
A.The fabric edge node is responsible for connecting end devices and enforcing SGT-based policies.
B.The fabric border node is responsible for connecting the SD-Access fabric to external Layer 3 networks.
C.The control plane node is responsible for encapsulating and forwarding user traffic across the fabric.
D.The intermediate node is responsible for policy enforcement and traffic segmentation within the fabric.
E.The wireless controller in SD-Access acts as a dedicated fabric border node for wireless traffic.
AnswersA, B

Correct because the fabric edge is the access-layer switch that applies security group tags (SGTs) and forwards traffic within the fabric.

Why this answer

In SD-Access, the fabric edge node is the switch that connects to end devices and enforces policy, while the fabric border node connects the fabric to external networks (e.g., WAN, data center). The control plane node hosts the LISP map server/map resolver, not the edge. The intermediate node is a simple transit switch that does not perform encapsulation or policy enforcement.

The wireless controller in SD-Access is integrated as a fabric WLC, not a separate fabric role.

38
Matchingmedium

Drag and drop each LISP message type on the left to its matching purpose on the right.

Queries the LISP mapping system for an EID-to-RLOC mapping

Returns the requested EID-to-RLOC mapping to the requesting ITR

Registers an EID-to-RLOC mapping with the map-server

Acknowledges successful registration of an EID-to-RLOC mapping

Requests the map-server to send a Map-Request on behalf of a requesting device

Why these pairings

Map-Request queries the location of an EID, Map-Reply provides the mapping, Map-Register registers EID-to-RLOC mappings, Map-Notify confirms registration, and Map-Solicit triggers a Map-Request from the map-server.

39
MCQhard

A company is deploying an SD-Access fabric with a centralized policy model. The design must ensure that all traffic between virtual networks (VNs) is inspected by a firewall. Which fabric role should be used to enforce this inter-VN policy?

A.Fabric border node
B.Fabric edge node
C.Fabric control plane node
D.Fabric WAN router
AnswerA

Border nodes can apply policy-based routing to steer inter-VN traffic to a firewall.

Why this answer

In a centralized policy model for SD-Access, the fabric border node is the correct role to enforce inter-VN traffic policies because it is the only node that can route traffic between different virtual networks (VNs) while applying firewall inspection. The border node connects the fabric to external networks and, when configured with a firewall, can enforce policies such as IP-based ACLs or zone-based firewalls for traffic crossing VNs. This design ensures that all inter-VN traffic is funneled through the border node for inspection, aligning with the centralized policy model where policy enforcement occurs at the network edge.

Exam trap

Cisco often tests the misconception that fabric edge nodes enforce all policies, but the trap here is that inter-VN traffic requires a routing point (the border node) to apply firewall inspection, while edge nodes only enforce intra-VN policies like SGT-based access control.

How to eliminate wrong answers

Option B (Fabric edge node) is wrong because fabric edge nodes are responsible for attaching endpoints to the fabric and enforcing host-level policies (e.g., SGT-based policies) within a single VN, not for routing or inspecting traffic between VNs. Option C (Fabric control plane node) is wrong because the control plane node handles LISP mapping and registration (e.g., EID-to-RLOC mappings) and does not participate in data-plane forwarding or policy enforcement. Option D (Fabric WAN router) is wrong because a WAN router connects the fabric to external WAN networks (e.g., MPLS or Internet) and is not specifically designed for inter-VN policy enforcement within the fabric; inter-VN traffic is typically routed through the border node, not the WAN router.

40
Drag & Dropmedium

Drag and drop the steps of SD-Access fabric endpoint registration into the correct order, from first to last.

Why this order

The correct order begins with the endpoint sending an ARP or DHCP request, the edge node detecting the new endpoint, registering it with the control plane (LISP), the control plane updating the map server, and finally the edge node installing the necessary forwarding entries. This sequence ensures the endpoint is properly discovered and integrated into the fabric.

41
MCQmedium

An enterprise is migrating from a traditional three-tier campus network to Cisco SD-Access. The network engineer has deployed a fabric with a single fabric edge node and a single control plane node. Users in VLAN 10 report that they cannot reach the default gateway, which is a virtual IP on the fabric edge. The fabric edge is configured with a VLAN 10 SVI and the anycast gateway feature is enabled. What is the most likely cause of the problem?

A.The fabric edge node is not configured with the VLAN 10 SVI or the anycast gateway feature is disabled.
B.The control plane node is not reachable from the fabric edge, causing the fabric edge to drop traffic.
C.The endpoints are not configured with the correct IP address for the default gateway.
D.The fabric edge node is in Layer 2 mode and cannot route traffic.
AnswerA

Correct. Without the SVI and anycast gateway enabled, the fabric edge cannot provide the default gateway for VLAN 10 users.

Why this answer

Option A is correct because the question states that the fabric edge is configured with a VLAN 10 SVI and anycast gateway is enabled, yet users cannot reach the default gateway. The most likely cause is a misconfiguration: either the SVI is missing or anycast gateway is disabled on the fabric edge. In Cisco SD-Access, the anycast gateway feature must be explicitly enabled under the SVI using the command 'ip virtual-reassembly in' and 'ip local-proxy-arp' along with the 'anycast-gateway' configuration; without it, the fabric edge cannot respond to ARP requests or route traffic for the virtual IP, breaking connectivity to the default gateway.

Exam trap

Cisco often tests the misconception that anycast gateway is automatically enabled when an SVI is created on a fabric edge, but in reality it requires explicit configuration, and candidates may overlook this step when troubleshooting connectivity to the default gateway.

How to eliminate wrong answers

Option B is wrong because if the control plane node were unreachable, the fabric edge would still forward traffic for known endpoints using its local cache; it would not drop all traffic to the default gateway, and LISP registration would fail but routing would continue for existing flows. Option C is wrong because the problem is that users cannot reach the default gateway, not that endpoints have incorrect IP configuration; the question implies endpoints are configured correctly but the gateway is unresponsive. Option D is wrong because a fabric edge node in SD-Access operates in Layer 3 mode for routed traffic (using SVI and anycast gateway), and Layer 2 mode would only be used for pure bridging; the fabric edge is designed to route traffic for the virtual IP, so being in Layer 2 mode would not cause the described symptom.
