Cisco SD-WAN Multiple Choice Questions With Answers

Cisco SD-WAN Questions Techhyme

Cisco Software-Defined Wide Area Network (SD-WAN) is a cutting-edge technology that has revolutionized the way organizations manage and optimize their wide area networks. SD-WAN solutions enhance network performance, reduce operational costs, and improve security.

To help you understand this technology better, we’ve compiled a set of multiple-choice questions with answers to test and expand your knowledge of Cisco SD-WAN.

1. What are some of the common IT trends putting pressure on the WAN? (Choose three.)

A. IoT
B. Cloud
C. Fog computing
D. BYOD
E. Low-bandwidth applications

Answer – A, B, D

Explanation – The influx of IoT, guest, and BYOD devices as well as the shift to cloud-based applications are causing a strain on the WAN. High-bandwidth applications are impeding performance in the WAN for traffic destined to branch locations.

2. What are some benefits businesses are looking for from their WAN? (Choose three.)

A. Lower operational complexity
B. Increased usable bandwidth
C. Reduced uptime in branch locations
D. Topology dependence
E. Improved overall user experience

Answer – A, B, E

Explanation – Businesses are looking to lower operational complexity, increase usable bandwidth by using dormant backup links or commodity Internet links, and improve the overall user experience, all with a topology-independent environment.

3. What are some of the tools or technologies that may be necessary to implement when redundant links are used in branch locations? (Choose three.)

A. Administrative distance
B. Traffic engineering
C. Redistribution
D. Loop prevention
E. Preferred path selection

Answer – A, B, E

Explanation – Administrative distance, traffic engineering, and preferred path selection all come into play when branch routers have multiple links.

4. Part of having an intent-based network is to move to a hardware-centric approach.

A. True
B. False

Answer – B. False

Explanation – A software-centric approach is needed for intent-based network (IBN) adoption.

5. Which of the following are parts of the digital transformation journey? (Choose two.)

A. Automated
B. Manual
C. Proactive
D. Reactive
E. Predictive

Answer – A, E

Explanation – Software-driven, automated, programmable, predictive, and business intent are the components of digital transformation.

6. Organizations are looking to deploy SD-WAN for what reasons? (Choose two.)

A. To take all routing control from the service provider
B. To create end-to-end SLAs for the organization’s traffic
C. To offload all routing control to the service provider
D. To leverage the service provider’s SLA for end-to-end traffic

Answer – A, B

Explanation – SD-WAN is designed to give the business control of all routing and service level agreements (SLAs).

7. What are some of the benefits of SD-WAN? (Choose four.)

A. Lower cost
B. Improved user experience
C. Transport independence
D. Increased cloud consumption
E. IoT devices
F. Increased bandwidth

Answer – A, B, C, F

Explanation – IoT devices and increased cloud consumption are IT trends, not benefits of SD-WAN.

8. What are some of the transport options for SD-WAN? (Choose three.)

A. Dual MPLS
B. Hybrid WAN
C. Dual route processor
D. Hybrid single link
E. Dual Internet

Answer – A, B, E

Explanation – Cisco SD-WAN can support dual MPLS, hybrid WAN, and dual Internet as options for transport.

9. Direct Internet Access is used to offload applications directly to the data center.

A. True
B. False

Answer – B

Explanation – DIA is used to offload cloud applications directly to the Internet for more efficient access to the cloud providers.

10. What is one of the benefits of Cisco Multidomain?

A. Single policy across multiple environments
B. Multiple policies across single domain
C. Simplified reporting for IoT devices
D. Enhanced service provider support

Answer – A

Explanation – Multidomain is designed to simplify operations across multiple administrative domains, such as campus, WAN, and data center, providing a seamless end-to-end policy across all of those domains.

11. What are the three controllers that make up the Cisco SD-WAN solution?

A. vSmart
B. vBond
C. WAN Edge
D. vManage
E. vController

Answer – A, B, D

Explanation – The three controllers that make up the Cisco SD-WAN solution are vSmart, vBond, and vManage. These components make up the control, management, and orchestration planes in the environment.

12. How does the Cisco SD-WAN architecture differ from traditional WAN technologies? (Choose three.)

A. Single pane of glass
B. Increased scale with centralized control plane
C. Reduced uptime in branch locations
D. Topology dependence
E. Distributed architecture

Answer – A, B, E

Explanation – The Cisco SD-WAN solution is a distributed architecture. By splitting out the components in the solution, vManage can provide a single pane of glass for all management and troubleshooting. By also moving the control plane to a central location, we can achieve greater scale while reducing complexity.

13. What are the three functions of vManage in the SD-WAN solution?

A. Troubleshooting
B. Configuration
C. Redistribution
D. Loop prevention
E. Monitoring

Answer – A, B, E

Explanation – vManage provides a single viewpoint for all troubleshooting, configuration, and monitoring functions.

14. WAN Edges provide data plane encryption via IPSec.

A. True
B. False

Answer – A

Explanation – IPSec is used to secure and authenticate data plane connectivity. IPSec tunnels are only formed between WAN Edges.

15. What traditional networking concept does vSmart closely relate to?

A. BGP route reflector
B. Router
C. Switch
D. Hub

Answer – A

Explanation – The vSmart operates similarly to a route reflector in the sense that routing updates are only advertised to and from the vSmart. The vSmart has the capability to apply policy inbound or outbound to the prefixes it services.

16. What functions does the vBond provide in the SD-WAN environment? (Choose two.)

A. Authentication and whitelisting of the SD-WAN components
B. NAT detection and traversal
C. Pushing configuration to WAN Edges
D. Software upgrades

Answer – A, B

Explanation – The vBond provides authentication of all devices in the environment. The vBond is the initial point of contact and, from there, it distributes connectivity information for all other controller elements. STUN is also utilized with the vBond to detect when a component is behind a NAT.

17. The Cisco SD-WAN solution supports multi-tenancy.

A. True
B. False

Answer – A

Explanation – The Cisco SD-WAN solution supports three types of multitenancy: Dedicated, VPN, and Enterprise.

18. Which routing protocols are supported on the service side of the Cisco SD-WAN solution? (Choose three.)

A. EIGRP
B. OSPF
C. RIP
D. OMP
E. BGP

Answer – A, B, E

Explanation – EIGRP, OSPF, and BGP are supported on the service side (LAN) of the WAN Edge. These three protocols can be redistributed to and from OMP.

19. What three attributes are measured with BFD?

A. Delay
B. Loss
C. Jitter
D. Out-of-order packets

Answer – A, B, C

Explanation – BFD is utilized to measure delay, loss, and jitter. With this information, intelligent decisions can be made to switch traffic to different transports that may perform better.

20. The Cisco SD-WAN solution is able to provide segmentation and different topologies per VRF.

A. True
B. False

Answer – A

Explanation – MPLS labels (RFC 4023) are used to provide different levels of segmentation for various compliance reasons. With segmentation, different types of topologies can be created per VPN. Some examples of this are hub-and-spoke, full mesh, and point-to-point.

21. Which controller operates as a BGP route reflector but also is responsible for distributing encryption keys?

A. vSmart
B. vBond
C. WAN Edge
D. vManage
E. vController

Answer – A

Explanation – The three controllers that make up the Cisco SD-WAN solution are the vSmart, vBond, and vManage. These components make up the control, management, and orchestration planes in the environment, respectively. The vSmart controller is the brains behind the control plane and distributes routing information along with encryption information.

22. What are the three different types of OMP route advertisements?

A. OMP vRoute
B. TLOC route
C. LSA Type 5
D. EIGRP Update
E. Service route

Answer – A, B, E

Explanation – OMP has three types of routing advertisements. They are OMP route, TLOC route, and service route.

23. Data plane connectivity can be built between two devices behind symmetric NAT.

A. True
B. False

Answer – B

Explanation – When two devices are behind symmetric NAT, the data plane cannot be built. This is due to the fact that symmetric NAT utilizes ports that will change depending on which device the data plane tunnel is being established with.

24. If using a NAT and a public color, which IPs and port attributes will be used for data plane connectivity?

A. Post-NAT
B. Pre-NAT

Answer – A

Explanation – When using private-to-private colors, it is assumed that there is no NAT between the two, so private (pre-NAT) information is used. When communicating with a public color, NAT may be involved, so the public (post-NAT) attributes are used.

25. How does the Cisco SD-WAN solution achieve scale with IPSec?

A. Eliminating need for IKE
B. Decentralizing control plane from data plane
C. NAT traversal

Answer – A

Explanation – Since key exchange is handled via the vSmart controller, there is no need for the IKE session management protocol.

26. What port is used for WAN Edges to communicate with the vBond controller?

A. UDP 12346
B. TCP 443
C. TCP 1000

Answer – A

Explanation – UDP port 12346 is used to communicate with all control elements in the SD-WAN fabric.

27. What two methods can be used to construct device templates?

A. CLI
B. Feature templates
C. Directly on the device
D. Multiple CLI Templates

Answer – A, B

Explanation – Device templates can either use feature templates or CLI templates, but not a mixture of both. When a CLI template is used, it must be the full configuration of the device.

28. What are the three device value types that can be used with feature templates?

A. Global
B. Default
C. Automatic
D. Imported
E. Variables

Answer – A, B, E

Explanation – Feature templates have three different types of values that can be set. When global is used, the value of that field will be the same wherever that template is applied. The default value will use whatever the default value is for the field. Variables allow the network administrator the flexibility to set a parameter on a per-device basis, without the need for an additional template.

29. Device templates support multiple different device types.

A. True
B. False

Answer – B

Explanation – Device templates are specific to certain device types. Separate device templates will need to be used for different product versions.

30. CLI templates can be used in a modular format and achieve the same flexibility of feature templates.

A. False
B. True

Answer – A

Explanation – CLI templates do not provide the same flexibility as feature templates. A CLI template must contain the full CLI configuration.

31. Which automatic provisioning method uses HTTPS for communication?

A. Plug and Play
B. Zero Touch Provisioning
C. NAT traversal

Answer – A

Explanation – The Plug and Play process uses HTTPS for communication to the PnP server.

32. Which three things must a device have for automatic provisioning to be successful?

A. IP address and DNS server via DHCP
B. Be able to resolve the ZTP/PnP domain name
C. Connectivity to ZTP or PNP server
D. IPSec tunnel
E. Connectivity to data center

Answer – A, B, C

Explanation – For automatic provisioning to be successful, a device must receive an IP address and DNS server via DHCP. Once the device has this information, it needs to be able to resolve ztp.viptela.com or devicehelper.cisco.com and have connectivity to them.

33. Which of the following are types of Cisco SD-WAN policies? (Choose all that apply.)

A. Traffic engineering policy
B. URL-Filtering policy
C. Application-Aware Routing policy
D. Centralized data policy

Answer – B, C, D

Explanation – URL Filtering, Application-Aware Routing, and centralized data are all types of Cisco SD-WAN policies. There is no such thing as a traffic engineering policy; traffic engineering would be achieved with a control policy or a centralized data policy.

34. Cisco SD-WAN policies use a “best match” (or most specific match) matching logic.

A. True
B. False

Answer – B

Explanation – Cisco SD-WAN policies, much like traditional Cisco ACLs and route maps, are evaluated ordinally and use first-match logic.

35. Which of the following are types of lists used in Cisco SD-WAN policy? (Choose all that apply.)

A. Prefix-List
B. SLA-Class
C. Application List
D. VPN-List
E. TLOC-List
F. Site List

Answer – A, B, C, D, E, F

Explanation – All of these are different types of lists that are used in Cisco SD-WAN.

36. A single list object can be used to match routes in the control plane and packets in the data plane.

A. True
B. False

Answer – B

Explanation – Unlike traditional IOS, SD-WAN has explicit list types for matching in the control plane (prefix-list) versus the data plane (data-prefix-list).

37. Which of the following can only be configured as part of a local policy?

A. Forwarding a specific type of traffic over a specific transport link
B. Filtering specific routes from a BGP peer
C. Dropping all YouTube traffic
D. Forwarding voice calls over a link that has less than 150ms of latency

Answer – B

Explanation – The only way to filter routes from routing neighbors outside of the SD-WAN fabric is with a route map in a local policy.

38. Which types of policies are applied to and enforced on the vSmart controller? (Choose all that apply.)

A. VPN membership policies
B. Topology (control) policies
C. Zone-Based Firewall (ZBFW) policies
D. Cflowd policies

Answer – A, B

Explanation – VPN membership policies and topology policies are applied to and enforced on the vSmart controllers. Zone-Based Firewall policies are part of security policies, which are applied directly to the WAN Edge and enforced there. Cflowd policies are part of centralized data policies; they are applied to the vSmarts, but enforced on the WAN Edge.

39. Which types of policies are applied to and enforced on the WAN Edge router? (Choose all that apply.)

A. Application-Aware Routing policies
B. VPN membership policies
C. Security policies
D. Localized data policies
E. Topology policies

Answer – C, D

Explanation – Security policies and localized data policies are applied to and enforced on the WAN Edge routers. Application-Aware Routing policies are applied to the vSmarts and enforced on the WAN Edge routers. VPN membership and topology policies are applied to and enforced on the vSmarts.

40. Which types of policies are applied to the vSmarts and enforced on the WAN Edges?

A. Application-Aware Routing policies
B. VPN membership policies
C. Security policies
D. Localized data policies
E. Topology policies

Answer – A

Explanation – Application-Aware Routing policies are applied to the vSmarts and enforced on the WAN Edge routers. Security policies and localized data policies are applied to and enforced on the WAN Edge routers. VPN membership and topology policies are applied to and enforced on the vSmarts.

41. In a typical Cisco SD-WAN deployment, all policies are administered on which device?

A. WAN Edge
B. vSmart
C. vBond
D. vManage
E. vPolicy

Answer – D

Explanation – All policy configuration is done on vManage. vManage is the single administration point for both the vSmarts and the WAN Edge routers.

42. If a single flow matches sequences in both an Application-Aware Routing policy and a centralized data policy, the flow will be forwarded according to which policy?

A. Application-Aware Routing policy
B. Centralized data policy

Answer – B

Explanation – If there is a conflict in the forwarding decisions made by an Application-Aware Routing policy and a centralized data policy, the centralized data policy will override the Application-Aware Routing policy.

43. What is the default setting of the default action in a centralized control policy?

A. Accept
B. Permit
C. Reject
D. Deny
E. There is no default action; one must be configured manually.

Answer – C

Explanation – The only two answers that apply to centralized control policies are Accept and Reject. “Deny” is an action in a centralized data policy. The default setting of the default action in a centralized control policy is Reject.

44. Which of the following are configuration options for a TLOC list?

A. Site ID
B. System IP
C. Color
D. Encapsulation
E. Preference
F. Weight
G. VPN
H. Prefix

Answer – B, C, D, E, F

Explanation – System IP, Color, and Encapsulation are the three elements that uniquely define a TLOC. Additionally, a TLOC list will also allow the configuration of Weight and Preference. The other attributes cannot be defined as part of a TLOC list.

45. The TLOC attribute “Weight” is used for which of the following?

A. The first and most important criterion in the OMP best-path selection process
B. The final tie-breaker in the OMP best-path selection process
C. Determining the ratio of flows for load-sharing on the TLOCs that have been selected as the best paths
D. Turning off the anti-gravity machine

Answer – D

Explanation – The TLOC attribute Weight is not part of the OMP best-path selection process. After the winners of the best paths have been determined, the Weight attribute is examined to determine how the flows should be divided proportionally among the best paths.

46. OMP Route Preference values can be configured via feature templates and device templates.

A. True
B. False

Answer – B

Explanation – TLOC Preference values, not OMP Route Preference values, can be configured via feature and device templates.

47. What is the status of an OMP process that has been inserted into the IP Routing table?

A. C I R
B. C R
C. R
D. Rej, R, Inv

Answer – A

Explanation – A route that has a valid TLOC as a next hop will have a status code of R for “resolved.” If the resolved route is also the winner of the OMP best-path selection process, then the route will have a status of “C R,” where C means “chosen.” If the route is installed in the local routing table, it will have a status of “C I R,” where I is “installed.”

48. “Preference” is an OMP attribute associated with which of the following?

A. TLOCs
B. OMP routes
C. Both TLOCs and OMP routes
D. Neither TLOCs nor OMP routes

Answer – C

Explanation – Both TLOCs and OMP routes have support for an attribute called “Preference.”

49. What are VPN Membership policies used to do?

A. Determine which users belong to which VPNs.
B. Determine which routes belong to which VPNs.
C. Determine which WAN Edges belong to which SD-WAN fabrics.
D. Determine which VPNs will be permitted to join the overlay fabric on a WAN Edge router.
E. Determine the ratio of flows for load-sharing on the TLOCs that have been selected as the best paths.

Answer – D

Explanation – A VPN Membership policy specifies which VPNs the vSmart will accept updates from, and forward updates to, on a specific WAN Edge. Without the VPN being permitted by the VPN policy, the VPN can still be configured on the WAN Edge, but it will be isolated from the rest of the fabric.

50. Centralized control policies that leak routes must always be applied in the outbound direction.

A. True
B. False

Answer – B

Explanation – Control policies that are used to leak routes must always be applied in the inbound direction.

51. A centralized control policy can be used to leak routes between service-side VPNs and VPN 0.

A. True
B. False

Answer – B

Explanation – A centralized control policy can be used to leak routes between different service-side VPNs. A centralized control policy cannot be used to leak into or out of VPN 0 or VPN 512.

52. Which type of policy is used to export OMP routes from one VPN to another VPN?

A. Route Import/Export policies
B. VPN Membership policies
C. Centralized control policies
D. Localized control policies
E. No policy; it is not possible to have the same route in more than one VPN

Answer – C

Explanation – Centralized control policies configured with the export-to action are used to leak routes between service-side VPNs.

53. In a centralized data policy, how do you match all flows?

A. Using the match-all criteria
B. By not specifying any matching criteria and only configuring the action statements
C. Only by using the default action

Answer – B

Explanation – In a centralized data policy, the easiest way to match all traffic is to not configure any matching criteria. There is no concept of “match-all” criteria in SD-WAN, and the default action will only allow certain actions to be undertaken.

54. When the nat use-vpn configuration command is used, which VPN is the traffic going to be NATed into?

A. VPN 0
B. VPN 1
C. VPN 65535
D. The VPN specified in configuration

Answer – A

Explanation – The nat use-vpn configuration syntax always NATs traffic to VPN 0.

55. What is the purpose of the nat fallback configuration command?

A. Provides a backup forwarding path in the event that all of the WAN tunnels go down
B. Provides a backup forwarding path in the event that all of the local interfaces configured with NAT go down
C. Provides a backup forwarding path in the event that the destination is not reachable via NAT

Answer – B

Explanation – The nat fallback configuration provides a backup forwarding path across the fabric in the event that all of the local interfaces configured for NAT are down. If all of the WAN interfaces go down, nat fallback will not work, as there will be no way to backhaul the traffic to a different site.

56. In a vSmart configuration, how many data policies can be applied per site?

A. Zero: Data policies are not applied in a vSmart configuration.
B. One: Each site gets one and only one data policy
C. Two: Each site gets a data policy that is applied to traffic that is originating from the LAN and a second policy that is applied to the traffic that originates from the WAN.
D. As many as necessary, but never more than two per VPN per site.

Answer – C

Explanation – In the vSmart configuration, there is only a single data policy that is configured per site ID per direction. That single policy will include sub-policies per VPN, but there are only two policies that are applied per site ID.

57. When the TLOC specified in the LOCAL-TLOC action is not available, then the traffic that was matched in the data policy sequence is blackholed.

A. True
B. False

Answer – B

Explanation – The local-tloc command sets the preference for the outbound interface to be used when forwarding traffic. In the event that the TLOC specified in the LOCAL-TLOC policy is unavailable, traffic will fall back to the routing table.

58. How many packets are in a single FEC block?

A. One data packet, one parity packet
B. One data packet, four parity packets
C. Two data packets, one parity packet
D. Four data packets, one parity packet
E. The value is configurable in the policy.

Answer – D

Explanation – A single FEC block consists of four data packets and a parity packet that is calculated from those four data packets. In the event of the loss of any one of the data packets, the original packet can be reconstructed from the remaining three data packets and the parity packet.

59. When FEC-adaptive data policies are used, what is the loss threshold at which FEC begins to operate?

A. 0%
B. 1%
C. 2%
D. 5%
E. The value is configurable in the policy.

Answer – C

Explanation – FEC-adaptive begins to operate when the packet losses on a tunnel exceed 2%. Currently, this is not a user-configurable policy.

60. When packet duplication is configured, which tunnel is used to send the duplicated packets?

A. The tunnel that is configured in the policy
B. The least utilized tunnel to the same destination
C. The same tunnel that the original packets were sent down
D. The tunnel that is currently experiencing the least amount of packet loss

Answer – D

Explanation – When packet duplication is configured, the duplicate packets are automatically sent down the tunnel that is currently experiencing the least amount of packet loss.

61. When packet duplication is used, which field indicates the total number of unique packets that have been received?

A. PKTDUP RX
B. PKTDUP RX OTHER
C. PKTDUP RX THIS
D. PKTDUP TX
E. PKTDUP TX OTHER

Answer – C

Explanation – The PKTDUP RX THIS field shows the total number of unique packets that have been received at the WAN Edge, including the values received over the original path (PKTDUP RX) and the backup path (PKTDUP RX OTHER). The last two values are TX values and have nothing to do with the number of packets received.

62. Which of the following features are able to interoperate between Viptela OS platforms and XE-SDWAN platforms?

A. Forward Error Correction
B. Packet duplication
C. TCP optimization
D. All of these are correct.
E. Forward Error Correction and packet duplication
F. None of these answers is correct.

Answer – F

Explanation – While both Viptela OS platforms and XE-SD-WAN platforms support Forward Error Correction, packet duplication, and TCP optimization, the implementations of these features are different between Viptela OS and XE-SD-WAN. As such, the features are not able to interoperate.

63. What is the scope of an Application-Aware Routing policy?

A. per site
B. per VPN
C. per direction
D. per site, per VPN
E. Per site, per direction
F. per site, per VPN, per direction

Answer – D

Explanation – Application-Aware Routing policies are applied on a per-site, per-VPN basis. Unlike other data policies, directionality does not play a role with AAR policies. The direction is always “from-service.”

64. Where are App-Route policies applied and enforced?

A. Applied on the vSmart; enforced on the vSmart
B. Applied on the vSmart; enforced on the WAN Edge
C. Applied on the WAN Edge; enforced on the vSmart
D. Applied on the WAN Edge; enforced on the WAN Edge

Answer – B

Explanation – App-Route policies are a special type of centralized data policy. These policies are centrally applied on the vSmart controllers and enforced on the WAN Edge routers.

65. Which administratively configured options affect the calculation of the loss, latency, and jitter statistics used for Application-Aware Routing? (Select all that apply.)

A. BFD Hello Interval
B. BFD Hello Multiplier
C. Number of SLA Classes
D. App-Route Poll Interval
E. Number of Tunnels
F. Number of Colors
G. App Route Multiplier

Answer – A, D, G

Explanation – The BFD Hello Interval specifies how frequently BFD packets are sent and statistics are gathered. The App-Route Poll Interval defines the period of time to evaluate the BFD statistics and produce an average. This forms a single “bucket.” The App-Route Multiplier specifies how many App-Route Poll Intervals to consider (how many “buckets” to consider) when calculating tunnel performance. The number of tunnels, colors, and SLA classes has no impact on the statistic calculation process. The BFD Hello Multiplier is used for liveliness detection and is not part of the App-Route process.

66. What is the maximum number of App-Route Poll Intervals that can be used for tunnel performance calculations?

A. 2
B. 4
C. 6
D. 8

Answer – C

Explanation – The maximum (and default) number of App-Route Poll Intervals that can be used for tunnel performance calculations is six. This value is configured using the App-Route Poll Interval Multiplier.

67. When are the tunnels (re)evaluated for compliance with the SLA classes?

A. After every BFD packet is received by the WAN Edge router
B. After every Hello Interval
C. After every Hello Multiplier
D. After every App-Route Poll Interval

Answer – D

Explanation – Tunnels are reevaluated for compliance with SLA classes after each App-Route Poll Interval. The Hello Interval controls how often BFD packets are transmitted by the router and, thus, how often they are received by the router. The Hello Multiplier is used for Path Liveliness detection, not for Application-Aware Routing.

68. How many different SLA classes can be applied to a single WAN Edge router?

A. 2
B. 4
C. 8
D. 256
E. Unlimited

Answer – B

Explanation – As of version 19.2, a single WAN Edge router can only have four different SLA classes configured.

69. How many different SLA classes can be configured in a vSmart policy?

A. 2
B. 4
C. 8
D. 256
E. Unlimited

Answer – C

Explanation – As of version 19.2, a router and, thus, a single WAN Edge router can only have four different SLA classes configured.

70. When is traffic forwarded across the backup SLA preferred color?

A. No tunnels are configured or active with the preferred SLA color(s)
B. None of the preferred SLA color(s) are currently meeting the required SLA class.
C. No colors are currently meeting the required SLA class.

Answer – C

Explanation – The Backup SLA Preferred Color option applies when no colors, not just the options configured under Preferred Colors, are able to meet the required SLA.

71. When configured, the “Strict” option in an AAR policy will drop the traffic if the preferred color(s) fails to meet the SLA Class requirements.

A. True
B. False

Answer – B

Explanation – When configured, the Strict option will drop traffic when all available colors fail to meet the requirements of the SLA class, not only the colors specified in the Preferred Colors field.

72. In order for an Application-Aware Routing policy to have any effect, there must be multiple equal-cost routes in the routing table.

A. True
B. False

Answer – A

Explanation – An AAR policy will only make path selection decisions between multiple equal-cost routes. If one route is more preferred, that route will always be chosen by the forwarding engine regardless of the AAR policy or the performance of the tunnels.

73. Localized policies are configured on which element of the SD-WAN fabric?

A. vBond
B. vSmart
C. WAN Edge routers
D. vPolicy

Answer – C

Explanation – Localized policies are configured and enforced on the local WAN Edge routers. vBond and vSmart are completely independent of localized policies. vPolicy does not exist.

74. A single list object can be used in both a centralized policy and a localized policy.

A. True
B. False

Answer – B. False

Explanation – As centralized policies are applied to the vSmart, and localized policies are applied to the WAN Edge routers, the configurations are completely independent and will use different lists.

75. What is the scope of localized policy?

A. Device-specific
B. Site-specific
C. VPN-specific
D. The entire network

Answer – A

Explanation – Localized policies are scoped to a specific device. While uncommon, it would be possible for every device to have a different localized policy.

76. Which of the following actions can be taken in a localized control policy? (Select all that apply.)

A. Accept
B. Reject
C. Drop
D. Inspect
E. Pass

Answer – A, B

Explanation – Localized control policies support the Accept and Reject actions. The Drop action is only available in a localized data policy. The Inspect and Pass actions are specific to Zone-Based Firewalls.

77. Ensuring symmetric flows through a single WAN Edge router is preferable to equal-cost multi-pathing because it ensures that flows will not be blocked by firewall or NAT state mismatches.

A. True
B. False

Answer – B. False

Explanation – As all of the traffic is traversing in tunnels, all of the necessary firewall and NAT states will have already been established. Ensuring symmetric flows through a single WAN Edge router is important for the fidelity of the deep packet inspection and application recognition data.

78. Which of the following actions can be taken in a localized data policy? (Select all that apply.)

A. Accept
B. Reject
C. Drop
D. Inspect
E. Pass

Answer – A, C

Explanation – Localized data policies support the Accept and Drop actions. The Reject action is only available in a localized control policy. The Inspect and Pass actions are specific to Zone-Based Firewalls.

79. How many queues are supported on a WAN Edge router interface with 19.2 code?

A. Zero queues
B. Two queues
C. Four queues
D. Eight queues
E. 256 queues

Answer – D

Explanation – Current code supports eight queues per interface on WAN Edge routers.

80. Which queues support the low-latency queuing and priority queueing functionalities on the vEdge router platforms?

A. Queue 0
B. Queue 1
C. Queue 7
D. Queue 8
E. Queues 0 and 1
F. All queues

Answer – A

Explanation – LLQ and priority queuing functionalities are only supported in queue 0.

81. Which queue is control plane traffic automatically mapped to?

A. Queue 0
B. Queue 1
C. Queue 7
D. Queue 8

Answer – A

Explanation – Control plane traffic is automatically mapped to queue 0.

82. Which of the following are parts of the localized policy QoS configuration on a WAN Edge router? (Select all that apply.)

A. class-map
B. qos-map
C. shaper
D. qos-scheduler

Answer – A, B, D

Explanation – While shapers are part of QoS, they are configured under the interface configuration and are not part of the localized policy configuration. Class-maps are used to map the forwarding classes to hardware queues. Qos-schedulers are used to configure the forwarding parameters of each traffic class. Qos-maps are used to tie all of the schedulers together into a single policy.

83. Cisco SD-WAN Application-Aware Enterprise Firewall is not VPN aware.

A. True
B. False

Answer – B

Explanation – On the contrary, the Application-Aware Enterprise Firewall is completely VPN aware. Firewall policies are applied on a per-VPN basis.

84. What are the three actions that can be set in a firewall policy?

A. Pass
B. Inspect
C. Redirect
D. Export
E. Drop

Answer – A, B, E

Explanation – Three main actions can be set, per sequence entry, in a firewall policy: Inspect, Drop, and Pass.

85. Logging is not available for Application-Aware Enterprise Firewall policies.

A. True
B. False

Answer – B

Explanation – High-Speed Logging is an available logging option for a firewall policy.

86. What signature sets are available for selection in an IDS/IPS policy? (Choose three.)

A. Strict
B. Balanced
C. Relaxed
D. Connectivity
E. Security

Answer – B, D, E

Explanation – Only three signature-set options exist today for IDS/IPS: Balanced, Connectivity, and Security.

87. Which two Snort engine modes are supported during an engine failure or engine reboot?

A. Fail-block
B. Fail-close
C. Fail-pass
D. Fail-wide
E. Fail-open

Answer – B, E

Explanation – The Fail-close option drops all IPS/IDS traffic when the engine fails or reboots. The Fail-open option allows all IPS/IDS traffic through when the engine fails or reboots, and it is the default. Fail-open preserves connectivity, but the traffic passed during the outage is uninspected; choose Fail-close for segments where inspection matters more than availability.

88. Before an IDS/IPS policy can be configured, the network operator must upload a security virtual image to vManage under the software repository section.

A. True
B. False

Answer – A

Explanation – An IDS/IPS policy cannot be configured unless a security virtual image is first uploaded to the software repository in vManage.

89. URL Filtering requires a minimum of 4GB DRAM and 4GB flash to be deployed.

A. True
B. False

Answer – B

Explanation – To support URL Filtering functionality, an ISR must be configured with a minimum of 8GB of DRAM and 8GB of system flash if doing cloud lookup, and 16GB of DRAM and 16GB of system flash if doing on-box database lookup.

90. What URL Filtering feature can be leveraged to explicitly block certain websites?

A. Categories
B. Reputation
C. URL blacklist
D. URL whitelist

Answer – C

Explanation – A URL blacklist can be configured to explicitly block certain websites in the URL policy configuration.

91. URL Filtering visibility includes which of the following information? (Choose two.)

A. URLs accessed
B. Session count
C. Website reputation
D. Blocked and allowed categories by percentage

Answer – B, D

Explanation – Between the security dashboard and device dashboard, vManage can provide the blocked and allowed categories by percentage, as well as the URL session count.

92. The maximum exportable file size for file analysis is 1000 MB.

A. True
B. False

Answer – B

Explanation – As of the writing of this book, the current SD-WAN code supports a maximum exportable file size of 10 MB.

93. To configure file analysis for Advanced Malware Protection, which tasks are valid? (Choose three.)

A. Configure Threat Grid API key.
B. Configure file types list.
C. Enable file analysis.
D. Enable HTTPS inbound to the WAN Edge router.
E. Configure a security rule for Threat Grid.

Answer – A, B, C

Explanation – At a minimum, file analysis must be enabled, a file types list must be specified, and the Threat Grid API key must be configured.

94. AMP visibility has the ability to display the malware filename.

A. True
B. False

Answer – A

Explanation – The filename of the malware detected is displayed in the device dashboard section of vManage.

95. How is the Cisco Umbrella API token generated?

A. Automatically during vManage bootup
B. Manually in vManage Umbrella settings
C. By the Cisco SE and provided to the customer by email
D. In the Cisco Umbrella portal

Answer – D

Explanation – To generate the API token, the user must log in to the Cisco Umbrella portal and navigate to the API token generation page.

96. If a customer wants the DNS Web layer security redirection process to ignore a specific set of domains, what feature can be leveraged?

A. Corporate domain bypass
B. Domain filtering
C. Local domain bypass
D. Domain rules

Answer – C

Explanation – The WAN Edge router can leverage local domain bypass functionality, where a list of internal domains is defined and referenced during the DNS request interception process. Any domain defined in the list is ignored and no interception or redirection occurs.
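As an added illustration (not code from the page or from Cisco), the following Go example models the decision the interception path makes against a local domain bypass list. It assumes entries are matched on whole DNS labels, so an entry covers the domain itself and its subdomains; that matching rule is this example's own choice, not a documented detail of the WAN Edge implementation, and the domain names in it are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Action is what the interception path does with one DNS query.
type Action string

const (
	Bypass   Action = "forward to the configured resolver, no interception"
	Redirect Action = "intercept and redirect to the Umbrella resolver"
)

// normalize lowercases a name and drops a trailing root dot, so "Corp.EXAMPLE.com."
// and "corp.example.com" compare equal.
func normalize(name string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(name)), ".")
}

// InBypassList reports whether qname equals, or is a subdomain of, an entry in the
// local domain bypass list. Matching is on whole labels (this example's assumption):
// "example.com" covers "corp.example.com" but not "notexample.com", which a bare
// suffix test would wrongly accept.
func InBypassList(qname string, bypass []string) bool {
	q := normalize(qname)
	for _, d := range bypass {
		d = normalize(d)
		if d != "" && (q == d || strings.HasSuffix(q, "."+d)) {
			return true
		}
	}
	return false
}

// Decide models the interception step: listed domains are left alone, everything
// else is redirected.
func Decide(qname string, bypass []string) Action {
	if InBypassList(qname, bypass) {
		return Bypass
	}
	return Redirect
}

func main() {
	bypass := []string{"example.com", "intranet.local."} // constructed internal-domain list
	for _, q := range []string{"www.example.com", "EXAMPLE.COM.", "notexample.com",
		"example.com.attacker.invalid", "portal.intranet.local", "www.cisco.com"} {
		fmt.Printf("%-30s -> %s\n", q, Decide(q, bypass))
	}
}
```

The label-boundary check is the part worth copying: a bare suffix comparison would let an external name such as notexample.com inherit the bypass and skip redirection. The opposite failure is a list entry that is too broad (a bare TLD, for instance), which exempts everything beneath it, so the bypass list itself deserves review.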

97. Which two privilege types can be assigned to a user group in vManage?

A. Read
B. Erase
C. Reboot
D. Administer
E. Write

Answer – A, E

Explanation – When configuring a user group, Read and Write privileges can be assigned on a per-feature basis.

98. RBAC by VPN allows some users to configure some VPN features but not others.

A. True
B. False

Answer – B

Explanation – RBAC by VPN is for visibility only, not configuration.

99. Which three remote authentication types are supported by vManage?

A. Single Sign-On (SSO)
B. RADIUS
C. Local
D. TACACS

Answer – A, B, D

Explanation – In addition to local database authentication, vManage supports SSO, RADIUS, and TACACS for remote authentication.

100. Cisco Cloud onRamp for SaaS requires a Cisco SD-WAN Edge router to be placed in the SaaS cloud.

A. True
B. False

Answer – B

Explanation – Cloud onRamp for SaaS is not a book-ended solution. Cloud onRamp for SaaS uses a unique HTTPS probe to monitor the performance of the path to the SaaS application.

101. What are the three Cloud onRamp for SaaS site types?

A. Gateway site
B. DIA site
C. Local site
D. Client site
E. Hub site

Answer – A, B, D

Explanation – The three types of Cloud onRamp for SaaS sites are gateway, DIA, and client sites.

102. Cloud onRamp for SaaS supports dual Internet and MPLS transport sites.

A. True
B. False

Answer – A

Explanation – A site configured for Cloud onRamp for SaaS can have Internet or MPLS transports to reach SaaS applications.

103. Cloud onRamp for SaaS DPI does not redirect the initial application flow after detection.

A. True
B. False

Answer – A

Explanation – DPI does not redirect the initial application flow because the redirection would cause network address translation (NAT) changes that would break the TCP flow.

104. Which two real-time outputs provide information about Cloud onRamp for SaaS?

A. CloudExpress Applications
B. CloudExpress Paths
C. CloudExpress Gateway Exits
D. CloudExpress Local Paths
E. CloudExpress Statistics

Answer – A, C

Explanation – The CloudExpress Applications output shows each application, the optimal path that has been chosen, and the mean latency and loss associated with the application for each optimal path. The CloudExpress Gateway Exits output shows each application, what the gateway exits are, and the mean latency and loss associated with the application for each gateway path available.

105. Which three things is a WAN Edge Cloud router provisioned with automatically?

A. Management VPN
B. Transport VPN
C. BGP AS
D. SNMP ID
E. Service VPN

Answer – A, B, E

Explanation – Each Cisco WAN Edge Cloud router is automatically provisioned with a management VPN, a transport VPN, and a service VPN.

106. How many Cisco SD-WAN WAN Edge Cloud routers are provisioned in a single transit VPC or VNET during the Cloud onRamp for IaaS process?

A. It depends on the scale of the network.
B. Two
C. Four
D. Eight

Answer – B

Explanation – Only two cloud routers are provisioned per transit VPC.

107. When logging in to an AWS cloud instance during the Cloud onRamp for IaaS process, both IAM role and API key methods are supported.

A. True
B. False

Answer – A

Explanation – Cloud onRamp for IaaS supports both IAM role and API key login methods for connecting to a cloud instance.

108. When you monitor Cisco Cloud onRamp for IaaS, which of the following can you view? (Select three.)

A. The connectivity state of each host VPC
B. The concurrent sessions going through the transit VPC
C. The state of the transit VPC
D. Detailed traffic statistics for the IPsec VPN connections between the transit VPC and each host VPC

Answer – A, C, D

Explanation – Cisco vManage provides the connectivity state of each host VPC, the state of the transit VPC, as well as the detailed traffic statistics for the IPsec VPN connections between the transit VPC and each host VPC.

109. Cloud onRamp for Colocation includes which of the following components? (Select all that apply.)

A. Cisco CSP
B. Cisco Catalyst 9K
C. Cisco WAN Edge Cloud router
D. Cisco Identity Services Engine

Answer – A, B, C

Explanation – Cloud onRamp for Colocation is a bundle and includes the Cisco CSP, the Cisco Catalyst 9K, and Cisco WAN Edge Cloud routers.

110. Cisco Cloud onRamp for Colocation supports which two types of service insertion?

A. Control policy
B. Local policy
C. Data policy
D. CLI policy
E. OMP policy

Answer – A, C

Explanation – Service insertion with Cloud onRamp for Colocation can be achieved via either a control policy or a data policy.

111. Most SD-WAN deployments are done in a greenfield environment.

A. True
B. False

Answer – B

Explanation – On the contrary, most SD-WAN deployments are done in a brownfield environment with existing complexity.

112. What are some reasons for a migration to Cisco SD-WAN? (Choose three.)

A. Application-Aware Routing
B. Centralized policy
C. Fast convergence
D. Scalability
E. Improved performance

Answer – A, B, E

Explanation – Cisco SD-WAN provides Application-Aware Routing and visibility as well as improved performance through leveraging multiple active paths. These features are enabled through centralized policy.

113. Migration to SD-WAN is a hard cut, where all data centers and remote sites are migrated simultaneously.

A. True
B. False

Answer – B

Explanation – Migration to Cisco SD-WAN is a graceful procedure, as long as preparation is performed and appropriate designs are implemented.

114. What are some of the most important preparations that should be made prior to migration? (Choose three.)

A. Reloading all routers
B. SD-WAN device template configuration and attachment
C. Ensuring all routers have a maintenance contract
D. Analysis of existing topology, routing, and traffic engineering
E. SD-WAN policy design and configuration

Answer – B, D, E

Explanation – Among many other things, device templates and policy can be designed and deployed prior to SD-WAN migration. In addition, analysis of the existing topology, routing, and traffic engineering can be done ahead of time.

115. What are some classification criteria that can be configured in a list in preparation for policy deployment? (Choose three.)

A. SNMP OID lists
B. Prefix-lists
C. Site-lists
D. Interface lists
E. VPN ID lists

Answer – B, C, E

Explanation – Groups of interest can be defined in SD-WAN policy ahead of SD-WAN migration. This includes prefix-lists, site-lists, VPN IDs, and application lists.

116. What type of SD-WAN-specific configuration values should be defined prior to migration? (Choose three.)

A. Site-IDs
B. VPN IDs
C. OSPF hello and dead timers
D. BGP MED values
E. TLOC colors

Answer – A, B, E

Explanation – Site-IDs, VPN IDs, system IPs, and TLOC colors are all SD-WAN-specific values that can be predefined and planned for ahead of migration to SD-WAN.

117. Standing up SD-WAN routers alongside the current WAN Edge infrastructure is the preferred method for data center SD-WAN router integration.

A. True
B. False

Answer – A

Explanation – This design allows the data center to act as a transit site for traffic between non-SD-WAN and SD-WAN sites and allows for a graceful and gradual migration of remote sites to SD-WAN without ever affecting the legacy network.

118. From a design perspective, how can you improve latency when migrating to SD-WAN while transiting hubs?

A. Enable TCP optimization
B. Move the sites closer to each other
C. Designate multiple regional hubs as transit points
D. Use dedicated Layer 2 circuits

Answer – C

Explanation – Designating multiple regional hubs as transit points for dedicated geographies and configuring overlay routing to leverage these hubs intelligently can minimize site-to-site latency during migration.

119. The most common way to integrate transport-side connections on the SD-WAN router into the network is by sharing a single interface in VPN 0 for all carriers/transports.

A. True
B. False

Answer – B

Explanation – The most common way to integrate transport-side connections on the SD-WAN router into the network is by dedicating a single interface in VPN 0 per carrier/transport and designating a unique color, public or private (depending on the type of transport), for each.

120. What is the difference between bind and unbind mode when configuring a loopback TLOC?

A. Bind mode forms control connections, and unbind mode does not
B. Unbind mode takes less router CPU than bind mode.
C. Unbind mode allows for public and private color connectivity, whereas bind mode does not.
D. Bind mode ensures traffic destined to the loopback will be carried to and from the mapped physical interface. Unbind mode does not have this behavior.

Answer – D

Explanation – In bind mode, each loopback is bound to a physical interface, and traffic destined to the loopback will be carried to and from the mapped physical interface. In unbind mode, the loopback interface is not bound to any physical interface. Traffic destined to the loopback can go through any physical interface based on a hash lookup.

121. What are three different Cisco SD-WAN branch design options?

A. Complete CE replacement with a single SD-WAN router
B. SD-WAN router running inline bridge mode
C. Integration with existing CE router
D. Complete CE replacement with dual SD-WAN routers

Answer – A, C, D

Explanation – Many valid branch designs exist, but a complete replacement of the CE router, either with a single SD-WAN router or dual SD-WAN routers, is supported. Integration with an existing CE router is also supported.

122. A TLOC extension can only be configured for private colors.

A. True
B. False

Answer – B

Explanation – TLOC extensions can be configured for either public or private colors.

123. SD-WAN integration with existing firewalls and voice services is not supported.

A. True
B. False

Answer – B

Explanation – Cisco SD-WAN can integrate with existing firewalls in many ways. As of IOS-XE SD-WAN 19.2 code, integration with existing voice services, such as SRST, can be accomplished as long as those services are not run on the SD-WAN router itself.

124. Which routing protocols are supported for service-side integration with the LAN? (Choose three.)

A. OMP
B. OSPF
C. ISIS
D. EIGRP
E. ODR
F. EBGP

Answer – B, D, F

Explanation – Cisco SD-WAN supports a wide range of routing protocols for both LAN- and WAN-side integration, including OSPF, eBGP, iBGP, and EIGRP.

125. What important consideration needs to be made at the data center if implementing overlay and underlay integration designs?

A. Only OSPF should be used.
B. ECMP should be configured.
C. SD-WAN routers should be running the latest code.
D. Filtering toward the SD-WAN router should be configured.

Answer – D

Explanation – To ensure that remote branch routes are learned and preferred through the overlay (and asymmetry and route looping are avoided), you can create a filter outbound toward the SD-WAN router in order to limit the learned routes to those originating from the data center. Make sure to also advertise a default or summary into the overlay.

126. What are the three controllers that make up the Cisco SD-WAN solution?

A. vSmart
B. vBond
C. WAN Edge
D. vManage
E. vController

Answer – A, B, D

Explanation – The three controllers that make up the Cisco SD-WAN solution are vSmart, vBond, and vManage. These components make up the control, management, and orchestration planes in the environment.

127. What are the three main certificate deployment options?

A. Automatic enrollment with Symantec/DigiCert/Cisco PKI
B. Manual enrollment with Symantec/DigiCert/Cisco PKI
C. Self-signed certificates
D. SSH private/public keys
E. Enterprise CA

Answer – A, B, E

Explanation – The Cisco SD-WAN solution supports three main certificate deployment models. These include automatic enrollment with Symantec, DigiCert, or Cisco PKI; manual enrollment with either Symantec, DigiCert, or Cisco PKI; and Enterprise CA.

128. Which controller is deployed first?

A. vManage
B. vSmart
C. vBond
D. WAN Edge
E. vCompute

Answer – A

Explanation – vManage is instantiated first. Once vManage is deployed, you can begin to deploy the vBond and vSmart controllers.

129. If the vBond controller is behind a NAT, it must have a 1:1 static NAT.

A. True
B. False

Answer – A

Explanation – The vBond controller must have a public IP address, whether configured directly on VPN 0 or behind a NAT gateway, in which case it must be a 1:1 NAT. This allows vBond to facilitate NAT traversal in the data plane between WAN Edges.

130. Which three attributes are verified when authenticating the certificate?

A. Organization name
B. Trust of certificate
C. Common name
D. City
E. Certificate serial number

Answer – A, B, E

Explanation – When the controllers mutually authenticate each other, they verify three things: the certificate organization name must match the organization name that the controller has configured, the certificate must be generated by a mutually trusted root CA, and the certificate serial number must be in the controller whitelist.
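To make the three checks concrete, here is an added Go example that is not Cisco's code: it builds a throwaway root CA with the standard library, issues test certificates, and runs them through a verifier that enforces the trusted root, the organization name and the serial-number whitelist in that order. The CA names, the organization ExampleCorp, the serial numbers and the Verifier type are this example's own constructions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Verifier holds what a controller needs for the three checks: trusted roots, its
// configured org name and the serial whitelist. Names are this example's own, not vManage's.
type Verifier struct {
	Roots   *x509.CertPool
	OrgName string
	Allowed map[string]bool // decimal serial numbers
}

// Verify applies the three checks in order; nil means the peer is admitted.
func (v Verifier) Verify(cert *x509.Certificate) error {
	// 1. Trust: the chain must end at a mutually trusted root CA (dates checked too).
	opts := x509.VerifyOptions{Roots: v.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("untrusted: %w", err)
	}
	// 2. Organization: exactly one subject O= and it must equal the configured name.
	if o := cert.Subject.Organization; len(o) != 1 || o[0] != v.OrgName {
		return fmt.Errorf("organization mismatch: %v", o)
	}
	// 3. Whitelist: a well-signed cert for the right org is still rejected if its serial was never added or was removed.
	if !v.Allowed[cert.SerialNumber.String()] {
		return fmt.Errorf("serial %s not in whitelist", cert.SerialNumber)
	}
	return nil
}

// newCert generates a P-256 key and a certificate signed by parent/signer; a nil
// parent yields a self-signed root. Validity is set to span the current time.
func newCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Scenarios runs one accept and three reject cases; a value of "" means admitted, otherwise
// it is the rejection reason. CA names, "ExampleCorp" and the serials are constructed here.
func Scenarios() (map[string]string, error) {
	caTmpl := func(cn string) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	}
	trusted, trustedKey, err := newCert(caTmpl("Trusted Root CA"), nil, nil)
	if err != nil {
		return nil, err
	}
	rogue, rogueKey, err := newCert(caTmpl("Rogue CA"), nil, nil)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	v := Verifier{Roots: roots, OrgName: "ExampleCorp", Allowed: map[string]bool{"1001": true}}
	out := map[string]string{}
	run := func(name string, ca *x509.Certificate, caKey *ecdsa.PrivateKey, org string, sn int64) {
		leaf := &x509.Certificate{SerialNumber: big.NewInt(sn), Subject: pkix.Name{Organization: []string{org}, CommonName: "vsmart-1"}}
		cert, _, e := newCert(leaf, ca, caKey)
		if e != nil {
			err = e
			return
		}
		out[name] = "" // admitted unless Verify objects
		if e := v.Verify(cert); e != nil {
			out[name] = e.Error()
		}
	}
	run("valid", trusted, trustedKey, "ExampleCorp", 1001)
	run("rogue-ca", rogue, rogueKey, "ExampleCorp", 1001)        // right org and serial, untrusted issuer
	run("wrong-org", trusted, trustedKey, "OtherCorp", 1001)     // trusted issuer, wrong organization
	run("unlisted-sn", trusted, trustedKey, "ExampleCorp", 1002) // trusted and right org, serial not whitelisted
	return out, err
}

func main() {
	fmt.Println(Scenarios())
}
```

Each rejected case fails a different check, which is the point: a certificate from the right CA carrying the right organization name is still refused if its serial is not in the whitelist, which is how a decommissioned or compromised device is kept out of the fabric without touching the CA.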

131. Which command is a valid command to enable the vBond persona?

A. vbond 209.200.165.227 local
B. vbond 209.200.165.227 enables
C. Feature vbond

Answer – A

Explanation – To enable the vBond persona on the vEdge Cloud component, the local keyword is added to the vbond command.

132. What protocol does vManage use to push configuration to vSmart?

A. Netconf
B. SSH
C. Telnet
D. Feature Templates

Answer – A

Explanation – vManage uses Netconf to push templates and policies to the vSmart controller.

133. Which command is used to save configuration changes?

A. Commit
B. Copy running-config startup-config
C. Save
D. Write memory
E. BGP

Answer – A

Explanation – The commit command is used to save and apply configuration changes. This differs from IOS, where any config changes are applied instantly upon entering them.

134. What is the order in which the controllers are installed?

A. vManage > vBond > vSmart
B. vBond > vManage > vSmart
C. vSmart > vBond > vManage
D. WAN Edge > vBond > vSmart > vManage

Answer – A

Explanation – vManage is instantiated first; then vBond and vSmart are installed and configured.

135. Which command is used to allow Netconf through the inherent firewall on the vSmart controller?

A. allow-service netconf
B. Permit netconf any any
C. enable-service netconf
D. Feature netconf

Answer – A

Explanation – By default, Netconf is blocked when enabling the tunnel interface command. To allow connectivity via Netconf, the command allow-service netconf needs to be applied.
