350-401 · topic practice

SD-WAN Architecture practice questions

Practise ENCOR 350-401 SD-WAN Architecture practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: SD-WAN Architecture

What the exam tests

What to know about SD-WAN Architecture

SD-WAN questions usually test the control plane vs data plane separation, the roles of vSmart, vBond and vEdge, and how overlay tunnels ride across multiple underlay transports.

SD-WAN architecture: vSmart (control), vBond (orchestration), vEdge/cEdge (data).

Overlay vs underlay transport concepts.

OMP routing protocol and policy distribution via vSmart.

How SD-WAN improves WAN flexibility over traditional MPLS-only designs.

Watch out for

Common SD-WAN Architecture exam traps

  • vBond orchestrates initial connections but does not make routing decisions.
  • OMP is the SD-WAN control-plane routing protocol, not BGP or OSPF.
  • The underlay transport is separate from the overlay data path.
  • cEdge devices run IOS-XE; vEdge devices run Viptela OS.

Practice set

SD-WAN Architecture questions

20 questions · select your answer, then reveal the explanation

Question 1mediummultiple choice
Read the full MPLS explanation →

A network engineer is deploying a Cisco SD-WAN solution for a global enterprise with multiple regional hubs. The engineer wants to ensure that traffic from branch offices to the internet is always forwarded directly from the branch, even if the branch has a primary MPLS link and a backup broadband link. The engineer configures the vSmart policy to direct internet-bound traffic to use the local exit at the branch. However, after deployment, the engineer notices that some internet traffic is still being sent to the regional hub before reaching the internet. What is the most likely cause of this behavior?

Question 2mediummultiple choice
Read the full MPLS explanation →

An enterprise is migrating from a traditional MPLS WAN to Cisco SD-WAN. The network team has deployed vEdge routers at all branch offices and a vSmart controller in the data center. The engineer configures a centralized control policy to influence path selection based on cost and latency. After the policy is activated, the engineer notices that some branches are not receiving the updated policy and are still using the default best-path selection. The vSmart is reachable from all branches, and the vEdge routers show that they are connected to the vSmart. What is the most likely reason for this issue?

Question 3hardmultiple choice
Study the full SD-WAN breakdown →

A network engineer is configuring a Cisco SD-WAN fabric with vManage, vSmart, and vBond controllers. The engineer wants to ensure that all branch routers automatically discover the vSmart and vBond controllers without manual configuration on each branch. The engineer has configured the vBond with a public IP address and enabled NAT traversal. However, branch routers are failing to establish control connections. The engineer verifies that the branch routers have the correct organization name and that the vBond is reachable from the branches. What is the most likely missing configuration?

Question 4hardmultiple choice
Read the full MPLS explanation →

A large enterprise uses Cisco SD-WAN with multiple transport clouds (MPLS and Internet). The network team wants to ensure that voice traffic between two branch offices always uses the MPLS link, even if the Internet link has lower latency. The engineer creates a centralized data policy on the vSmart to match voice traffic based on DSCP EF and sets the preferred color to 'mpls'. After applying the policy, the engineer tests and finds that voice traffic is still using the Internet link. The vEdge routers show that the policy is received and active. What is the most likely reason for this failure?

Question 5mediummultiple choice
Read the full MPLS explanation →

A network engineer is troubleshooting a Cisco SD-WAN deployment where a branch office has two WAN links: a primary MPLS link and a backup LTE link. The engineer wants to configure application-aware routing so that critical applications (e.g., Salesforce) always use the MPLS link as long as its loss is below 2% and latency below 150 ms. The engineer configures an app-route policy on the vSmart with the appropriate SLA requirements. After deployment, the engineer notices that Salesforce traffic is still using the LTE link even when the MPLS link meets the SLA. What is the most likely cause?

Question 6hardmultiple choice
Study the full SD-WAN breakdown →

An enterprise is deploying Cisco SD-WAN with a hub-and-spoke topology. The hub site has a vSmart controller and a vEdge router. The branch sites have vEdge routers. The engineer wants to ensure that all inter-branch traffic goes through the hub for security inspection. The engineer configures a centralized control policy on the vSmart to set the 'hub' as the preferred path for all routes. After the policy is applied, the engineer notices that branch-to-branch traffic is still going directly, bypassing the hub. The vEdge routers show that the control policy is received. What is the most likely issue?

Question 7mediummultiple choice
Read the full MPLS explanation →

A network engineer is configuring a Cisco SD-WAN solution for a retail chain with hundreds of stores. The engineer wants to use a centralized data policy to steer all YouTube traffic to a specific WAN link (broadband) to save MPLS bandwidth. The engineer creates a policy that matches YouTube traffic by destination IP and sets the preferred color to 'biz-internet'. After applying the policy, the engineer tests and finds that YouTube traffic is still using the MPLS link. The vEdge routers show that the policy is received and active. What is the most likely reason?

Question 8easymultiple choice
Study the full SD-WAN breakdown →

An enterprise is deploying Cisco SD-WAN with multiple vSmart controllers for redundancy. The engineer configures the vEdge routers to connect to two vSmart controllers. After deployment, the engineer notices that the vEdge routers are only connected to one vSmart, and the second vSmart is not being used. The vEdge routers show that the second vSmart is reachable. What is the most likely reason for this behavior?

Question 9easymultiple choice
Read the full MPLS explanation →

A network engineer is configuring a Cisco SD-WAN solution for a multinational corporation. The engineer wants to use a centralized data policy to steer all traffic from the Finance department (VPN 10) to a specific WAN link (MPLS) for security reasons. The engineer creates a policy that matches traffic from VPN 10 and sets the preferred color to 'mpls'. After applying the policy, the engineer tests and finds that traffic from VPN 10 is still using the Internet link. The vEdge routers show that the policy is received and active. What is the most likely reason?

Question 10mediummultiple choice
Study the full SD-WAN breakdown →

A multinational enterprise is deploying Cisco SD-WAN to interconnect 500 branch sites with two data centers. The network architect must ensure that the control plane remains operational even if the vSmart controllers become unreachable. Which design approach should the architect choose to meet this requirement?

Question 11mediummultiple choice
Read the full wireless explanation →

An architect is designing an SD-Access fabric for a large campus network. The design must support wireless clients that roam across different access switches without requiring a centralized wireless LAN controller. Which fabric component and protocol combination should the architect use to enable this mobility?

Question 12mediummultiple choice
Study the full SD-WAN breakdown →

A service provider is deploying NFV to offer managed SD-WAN services to enterprise customers. The architect must place virtual network functions (VNFs) such as vEdge routers and firewalls in the provider's data center. Which VNF placement model allows the provider to chain these functions efficiently and scale per customer?

Question 13mediummultiple choice
Study the full SD-WAN breakdown →

A campus network architect is redesigning the LAN to support high availability and east-west traffic growth. The current design uses a traditional three-tier hierarchy with a collapsed core. The architect must choose a new design that provides predictable latency, simple scalability, and efficient use of uplinks. Which design should the architect select?

Question 14hardmultiple choice
Study the full SD-WAN breakdown →

An enterprise is deploying a virtualized network function (VNF) for a next-generation firewall on a KVM-based hypervisor. The architect must ensure that the VNF can handle high throughput without CPU bottlenecks. Which hypervisor configuration technique should the architect use to dedicate physical CPU cores to the VNF?

Question 15mediummultiple choice
Read the full MPLS explanation →

A network architect is designing the QoS architecture for a Cisco SD-WAN deployment that carries voice, video, and data traffic across MPLS and Internet transports. The design must use a consistent DiffServ marking strategy across all transports and ensure that voice traffic is prioritized over video. Which QoS policy type and marking approach should the architect use?

Question 16easymultiple choice
Study the full SD-WAN breakdown →

An enterprise is deploying Cisco SD-WAN with vManage, vSmart, vBond, and vEdge routers. The architect must design the control plane to securely onboard new vEdge routers and establish DTLS/TLS tunnels. Which component is responsible for the initial authentication and coordination of control plane connections?

Question 17mediummultiple choice
Study the full SD-Access breakdown →

A network architect is designing a Cisco SD-Access fabric for a university campus that requires segmentation between student, faculty, and guest traffic. The design must use Cisco TrustSec for scalable security group tags (SGTs) and integrate with Cisco ISE for policy enforcement. Which fabric component should the architect use to enforce SGT-based policies at the access layer?

Question 18easymultiple choice
Study the full SD-WAN breakdown →

A company is deploying a virtualized network function (VNF) for a Cisco CSR1000v router on a VMware vSphere hypervisor. The architect must choose the hypervisor type to ensure the best performance for the VNF. Which hypervisor type is VMware vSphere classified as, and why is it suitable for VNF deployment?

Question 19mediummultiple choice
Open the full BGP breakdown →

Consider the following SD-WAN configuration snippet on a Cisco IOS-XE router:

interface GigabitEthernet0/0/1
 ip address 10.1.1.1 255.255.255.0

tunnel-interface

encapsulation ipsec

color biz-internet

no allow-service bgp

allow-service dhcp allow-service dns allow-service icmp !

What is the effect of this configuration?

Question 20mediummultiple choice
Review the full OSPF breakdown →

Given the following SD-WAN configuration on a Cisco IOS-XE router:

router ospf 1

redistribute bgp 65000 subnets

network 192.168.1.0 0.0.0.255 area 0

!

interface GigabitEthernet0/0/0
 ip address 192.168.1.1 255.255.255.0
 ip ospf network point-to-point

!

Which statement is true?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused SD-WAN Architecture sessions

Start a SD-WAN Architecture only practice session

Every question in these sessions is drawn from the SD-WAN Architecture domain — nothing else.

Related practice questions

Related 350-401 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the 350-401 exam test about SD-WAN Architecture?
SD-WAN questions usually test the control plane vs data plane separation, the roles of vSmart, vBond and vEdge, and how overlay tunnels ride across multiple underlay transports.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just SD-WAN Architecture questions in a focused session?
Yes — the session launcher on this page draws every question from the SD-WAN Architecture domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other 350-401 topics?
Use the topic links above to move to related areas, or go back to the 350-401 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the 350-401 exam covers. They are not copied from any real exam or dump site.