Appendix A. Answers to Chapter Review Questions

Chapter 1

  1. A, B, D. The influx of IoT, guest, and BYOD devices as well as the shift to cloud-based applications are causing a strain on the WAN. High-bandwidth applications are impeding performance in the WAN for traffic destined to branch locations.

  2. A, B, E. Businesses are looking to lower operational complexity, increase usable bandwidth by using dormant backup links or commodity Internet links, and improve the overall user experience, all with a topology-independent environment.

  3. A, B, E. Administrative distance, traffic engineering, and preferred path selection all come into play when having multiple links in the branch routers.

  4. B. False—A software-centric approach is needed for intent-based network (IBN) adoption.

  5. A, E. Software driven, automated, programmable, predictive, and business intent are the components of digital transformation.

  6. A, B. SD-WAN is designed to give the business control of all routing and service level agreements (SLAs).

  7. A, B, C, F. IoT devices and increased cloud consumption are IT trends, not benefits of SD-WAN.

  8. A, B, E. Cisco SD-WAN can support dual MPLS, hybrid WAN, and dual Internet as options for transport.

  9. B. DIA is used to offload cloud applications directly to the Internet for more efficient access to the cloud providers.

  10. A. Multidomain is designed to simplify operations across multiple administrative domains, such as campus, WAN, and data center, providing a seamless end-to-end policy across all of those domains.

Chapter 2

  1. A, B, D. The three controllers that make up the Cisco SD-WAN solution are vSmart, vBond, and vManage. These components make up the control, management, and orchestration planes in the environment.

  2. A, B, E. The Cisco SD-WAN solution is a distributed architecture. By splitting out the components in the solution, vManage can provide a single pane of glass for all management and troubleshooting. By also moving the control plane to a central location, we can achieve greater scale while reducing complexity.

  3. A, B, E. vManage provides a single viewpoint for all troubleshooting, configuration, and monitoring functions.

  4. A. IPsec is used to secure and authenticate data plane connectivity. IPsec tunnels are only formed between WAN Edges.

  5. A. The vSmart operates similarly to a route reflector in the sense that routing updates are only advertised to and from the vSmart. The vSmart has the capability to apply policy inbound or outbound to the prefixes it services.

  6. A, B. The vBond provides authentication of all devices in the environment. The vBond is the initial point of contact and, from there, it distributes connectivity information for all other controller elements. STUN is also utilized with the vBond to detect when a component is behind a NAT.

  7. A. The Cisco SD-WAN solution supports three types of multi-tenancy: Dedicated, VPN, and Enterprise.

  8. A, B, E. EIGRP, OSPF, and BGP are supported on the service side (LAN) of the WAN Edge. These three protocols can be redistributed to and from OMP.

  9. A, B, C. BFD is utilized to measure delay, loss, and jitter. With this information, intelligent decisions can be made to switch traffic to different transports that may perform better.

  10. A. MPLS labels (RFC 4023) are used to provide different levels of segmentation for various compliance reasons. With segmentation, different types of topologies can be created per VPN. Some examples of this are hub-and-spoke, full mesh, and point-to-point.

Chapter 3

  1. A. The three controllers that make up the Cisco SD-WAN solution are the vSmart, vBond, and vManage. These components make up the control, management, and orchestration planes in the environment, respectively. The vSmart controller is the brains behind the control plane and distributes routing information along with encryption information.

  2. A, B, E. OMP has three types of routing advertisements. They are OMP route, TLOC route, and service route.

  3. B. When two devices are behind symmetric NAT, the data plane cannot be built. This is due to the fact that symmetric NAT utilizes ports that will change depending on which device the data plane tunnel is being established with.

  4. A. When using private-to-private colors, it is assumed that there is no NAT between the two, so private (pre-NAT) information is used. When communicating with a public color, NAT may be involved, so the public (post-NAT) attributes are used.

  5. A. Since key exchange is handled via the vSmart controller, there is no need for the IKE session management protocol.

  6. A. UDP port 12346 is used to communicate with all control elements in the SD-WAN fabric.

Chapter 4

  1. A, B. Device templates can either use feature templates or CLI templates, but not a mixture of both. When a CLI template is used, it must be the full configuration of the device.

  2. A, B, E. Feature templates have three different types of values that can be set. When global is used, the value of that field will be the same wherever that template is applied. The default value will use whatever the default value is for the field. Variables allow the network administrator the flexibility to set a parameter on a per-device basis, without the need for an additional template.

  3. B. Device templates are specific to certain device types. Separate device templates will need to be used for different product versions.

  4. A. CLI templates do not provide the same flexibility as feature templates. A CLI template must contain the full CLI configuration.

  5. A. The Plug and Play process uses HTTPS for communication to the PnP server.

  6. A, B, C. For automatic provisioning to be successful, a device must receive an IP address and DNS server via DHCP. Once the device has this information, it needs to be able to resolve ztp.viptela.com or devicehelper.cisco.com and have connectivity to them.

Chapter 5

  1. B, C, D. URL Filtering, Application-Aware Routing, and centralized data are all types of Cisco SD-WAN policies. There is no such thing as a traffic engineering policy; traffic engineering would be achieved with a control policy or a centralized data policy.

  2. B. Cisco SD-WAN policies, much like traditional Cisco ACLs and route maps, are evaluated ordinally and use first-match logic.

  3. A, B, C, D, E, F. All of these are different types of lists that are used in Cisco SD-WAN.

  4. B. Unlike traditional IOS, SD-WAN has explicit list types for matching in the control plane (prefix-list) versus the data plane (data-prefix-list).

  5. B. The only way to filter routes from routing neighbors outside of the SD-WAN fabric is with a route map in a local policy.

  6. A, B. VPN membership policies and topology policies are applied to and enforced on the vSmart controllers. Zone-Based Firewall policies are part of security policies, which are applied directly to the WAN Edge and enforced there. Cflowd policies are part of centralized data policies; they are applied to the vSmarts, but enforced on the WAN Edge.

  7. C, D. Security policies and localized data policies are applied to and enforced on the WAN Edge routers. Application-Aware Routing policies are applied to the vSmarts and enforced on the WAN Edge routers. VPN membership and topology policies are applied to and enforced on the vSmarts.

  8. A. Application-Aware Routing policies are applied to the vSmarts and enforced on the WAN Edge routers. Security policies and localized data policies are applied to and enforced on the WAN Edge routers. VPN membership and topology policies are applied to and enforced on the vSmarts.

  9. D. All policy configuration is done on vManage. vManage is the single administration point for both the vSmarts and the WAN Edge routers.

  10. B. If there is a conflict in the forwarding decisions made by an Application-Aware Routing policy and a centralized data policy, the centralized data policy will override the Application-Aware Routing policy.

Chapter 6

  1. C. The only two answers that apply to centralized control policies are Accept and Reject. “Deny” is an action in a centralized data policy. The default setting of the default action in a centralized control policy is Reject.

  2. B, C, D, E, F. System IP, Color, and Encapsulation are the three elements that uniquely define a TLOC. Additionally, a TLOC list will also allow the configuration of Weight and Preference. The other attributes cannot be defined as part of a TLOC list.

  3. D. The TLOC attribute Weight is not part of the OMP best-path selection process. After the winners of the best paths have been determined, the Weight attribute is examined to determine how the flows should be divided proportionally among the best paths.

  4. B. TLOC Preference values, not OMP Route Preference values, can be configured via feature and device templates.

  5. A. A route that has a valid TLOC as a next hop will have a status code of R for “resolved.” If the resolved route is also the winner of the OMP best-path selection process, then the route will have a status of “C R,” where C means “chosen.” If the route is installed in the local routing table, it will have a status of “C I R,” where I is “installed.”

  6. C. Both TLOCs and OMP routes have support for an attribute called “Preference.”

  7. D. A VPN Membership policy specifies which VPNs the vSmart will accept updates from, and forward updates to, on a specific WAN Edge. Without the VPN being permitted by the VPN policy, the VPN can still be configured on the WAN Edge, but it will be isolated from the rest of the fabric.

  8. B. Control policies that are used to leak routes must always be applied in the inbound direction.

  9. B. A centralized control policy can be used to leak routes between different service-side VPNs. A centralized control policy cannot be used to leak into or out of VPN 0 or VPN 512.

  10. C. Centralized control policies configured with the export-to action are used to leak routes between service-side VPNs.

Chapter 7

  1. B. In a centralized data policy, the easiest way to match all traffic is to not configure any matching criteria. There is no concept of a “match-all” criteria in SD-WAN, and the default action will only allow certain actions to be undertaken.

  2. A. The nat use-vpn configuration syntax always NATs traffic to VPN 0.

  3. B. The nat fallback configuration provides a backup forwarding path across the fabric in the event that all of the local interfaces configured for NAT are down. If all of the WAN interfaces go down, nat fallback will not work, as there will be no way to backhaul the traffic to a different site.

  4. C. In the vSmart configuration, there is only a single data policy that is configured per site ID per direction. That single policy will include sub-policies per VPN, but there are only two policies that are applied per site ID.

  5. B. The local-tloc command sets the preference for the outbound interface to be used when forwarding traffic. In the event that the TLOC specified in the LOCAL-TLOC policy is unavailable, traffic will fall back to the routing table.

  6. D. A single FEC block consists of four data packets and a parity packet that is calculated from those four data packets. In the event of the loss of any one of the data packets, the original packet can be reconstructed from the remaining three data packets and the parity packet.

  7. C. FEC-adaptive begins to operate when the packet losses on a tunnel exceed 2%. Currently, this is not a user-configurable policy.

  8. D. When packet duplication is configured, the duplicate packets are automatically sent down the tunnel that is currently experiencing the least amount of packet loss.

  9. C. The PKTDUP RX THIS field shows the total number of unique packets that have been received at the WAN Edge, including the values received over the original path (PKTDUP RX) and the backup path (PKTDUP RX OTHER). The last two values are TX values and have nothing to do with the number of packets received.

  10. F. While both Viptela OS platforms and XE-SD-WAN platforms support Forward Error Correction, packet duplication, and TCP optimization, the implementations of these features are different between Viptela OS and XE-SD-WAN. As such, the features are not able to interoperate.

Chapter 8

  1. D. Application-Aware Routing policies are applied on a per-site, per-VPN basis. Unlike other data policies, directionality does not play a role with AAR policies. The direction is always “from-service.”

  2. B. App-Route policies are a special type of centralized data policy. These policies are centrally applied on the vSmart controllers and enforced on the WAN Edge routers.

  3. A, D, G. The BFD Hello Interval specifies how frequently BFD packets are sent and statistics are gathered. The App-Route Poll Interval defines the period of time to evaluate the BFD statistics and produce an average. This forms a single “bucket.” The App-Route Multiplier specifies how many App-Route Poll Intervals to consider (how many “buckets” to consider) when calculating tunnel performance. The number of tunnels, colors, and SLA classes has no impact on the statistic calculation process. The BFD Hello Multiplier is used for liveliness detection and is not part of the App-Route process.

  4. C. The maximum (and default) number of App-Route Poll Intervals that can be used for tunnel performance calculations is six. This value is configured using the App-Route Poll Interval Multiplier.

  5. D. Tunnels are reevaluated for compliance with SLA classes after each App-Route Poll Interval. The Hello Interval controls how often BFD packets are transmitted by the router and, thus, how often they are received by the router. The Hello Multiplier is used for Path Liveliness detection, not for Application-Aware Routing.

  6. B. As of version 19.2, a single WAN Edge router can only have four different SLA classes configured.

  7. C. As of version 19.2, a router, and thus a single WAN Edge router, can only have four different SLA classes configured.

  8. C. The Backup SLA Preferred Color option applies when no colors, not just the options configured under Preferred Colors, are able to meet the required SLA.

  9. B. When configured, the Strict option will drop traffic when all available colors fail to meet the requirements of the SLA class, not only the colors specified in the Preferred Colors field.

  10. A. An AAR policy will only make path selection decisions between multiple equal-cost routes. If one route is more preferred, that route will always be chosen by the forwarding engine regardless of the AAR policy or the performance of the tunnels.

Chapter 9

  1. C. Localized policies are configured and enforced on the local WAN Edge routers. vBond and vSmart are completely independent of localized policies. vPolicy does not exist.

  2. B. False. As centralized policies are applied to the vSmart, and localized policies are applied to the WAN Edge routers, the configurations are completely independent and will use different lists.

  3. A. Localized policies are scoped to a specific device. While uncommon, it would be possible for every device to have a different localized policy.

  4. A, B. Localized control policies support the Accept and Reject actions. The Drop action is only available in a localized data policy. The Inspect and Pass actions are specific to Zone-Based Firewalls.

  5. B. False. As all of the traffic is traversing in tunnels, all of the necessary firewall and NAT states will have already been established. Ensuring symmetric flows through a single WAN Edge router is important for the fidelity of the deep packet inspection and application recognition data.

  6. A, C. Localized data policies support the Accept and Drop actions. The Reject action is only available in a localized control policy. The Inspect and Pass actions are specific to Zone-Based Firewalls.

  7. D. Current code supports eight queues per interface on WAN Edge routers.

  8. A. LLQ and priority queuing functionalities are only supported in queue 0.

  9. A. Control plane traffic is automatically mapped to queue 0.

  10. A, B, D. While shapers are part of QoS, they are configured under the interface configuration and are not part of the localized policy configuration. Class-maps are used to map the forwarding classes to hardware queues. qos-schedulers are used to configure the forwarding parameters of each traffic class. qos-maps are used to tie all of the schedulers together into a single policy.

Chapter 10

  1. B. On the contrary, the Application-Aware Enterprise Firewall is completely VPN aware. Firewall policies are applied on a per-VPN basis.

  2. A, B, E. Three main actions can be set, per sequence entry, in a firewall policy: Inspect, Drop, and Pass.

  3. B. High-Speed Logging is an available logging option for a firewall policy.

  4. B, D, E. Only three options for signature sets exist today for IDS/IPS: Balanced, Connectivity, and Security.

  5. B, E. The Fail-close option drops all the IPS/IDS traffic when there is an engine failure. The Fail-open option allows all the IPS/IDS traffic when there is an engine failure. The default option is Fail-open.

  6. A. An IDS/IPS policy cannot be configured unless a security virtual image is first uploaded to the software repository in vManage.

  7. B. To support URL Filtering functionality, an ISR must be configured with a minimum of 8GB of DRAM and 8GB of system flash if doing cloud lookup, and 16GB of DRAM and 16GB of system flash if doing on-box database lookup.

  8. C. A URL blacklist can be configured to explicitly block certain websites in the URL policy configuration.

  9. B, D. Between the security dashboard and device dashboard, vManage can provide the blocked and allowed categories by percentage, as well as the URL session count.

  10. B. As of the writing of this book, the current SD-WAN code supports a maximum exportable file size of 10 MB.

  11. A, B, C. At a minimum, file analysis must be enabled, a file types list must be specified, and the Threat Grid API key must be configured.

  12. A. The filename of the malware detected is displayed in the device dashboard section of vManage.

  13. D. To generate the API token, the user must log in to the Cisco Umbrella portal and navigate to the API token generation page.

  14. C. The WAN Edge router can leverage local domain bypass functionality, where a list of internal domains is defined and referenced during the DNS request interception process. Any domain defined in the list is ignored and no interception or redirection occurs.

  15. A, E. When configuring a user group, Read and Write privileges can be assigned on a per-feature basis.

  16. B. RBAC by VPN is for visibility only, not configuration.

  17. A, B, D. In addition to local database authentication, vManage supports SSO, RADIUS, and TACACS for remote authentication.

Chapter 11

  1. B. Cloud onRamp for SaaS is not a book-ended solution. Cloud onRamp for SaaS uses a unique HTTPS probe to monitor the performance of the path to the SaaS application.

  2. A, B, D. The three types of Cloud onRamp for SaaS sites are gateway, DIA, and client sites.

  3. A. A site configured for Cloud onRamp for SaaS can have Internet or MPLS transports to reach SaaS applications.

  4. A. DPI does not redirect the initial application flow because the redirection would cause network address translation (NAT) changes that would break the TCP flow.

  5. A, C. The CloudExpress Applications output shows each application, the optimal path that has been chosen, and the mean latency and loss associated with the application for each optimal path. The CloudExpress Gateway Exits output shows each application, what the gateway exits are, and the mean latency and loss associated with the application for each gateway path available.

  6. A, B, E. Each Cisco WAN Edge Cloud router is automatically provisioned with a management VPN, a transport VPN, and a service VPN.

  7. B. Only two cloud routers are provisioned per transit VPC.

  8. A. Cloud onRamp for IaaS supports both IAM role and API key login methods for connecting to a cloud instance.

  9. A, C, D. Cisco vManage provides the connectivity state of each host VPC, the state of the transit VPC, as well as the detailed traffic statistics for the IPsec VPN connections between the transit VPC and each host VPC.

  10. A, B, C. Cloud onRamp for Colocation is a bundle and includes the Cisco CSP, the Cisco Catalyst 9K, and Cisco WAN Edge Cloud routers.

  11. A, C. Service insertion with Cloud onRamp for Colocation can be achieved via either a control policy or a data policy.

Chapter 12

  1. B. On the contrary, most SD-WAN deployments are done in a brownfield environment with existing complexity.

  2. A, B, E. Cisco SD-WAN provides Application-Aware Routing and visibility as well as improved performance through leveraging multiple active paths. These features are enabled through centralized policy.

  3. B. Migration to Cisco SD-WAN is a graceful procedure, as long as preparation is performed and appropriate designs are implemented.

  4. B, D, E. Among many other things, device templates and policy can be designed and deployed prior to SD-WAN migration. In addition, analysis of the existing topology, routing, and traffic engineering can be done ahead of time.

  5. B, C, E. Groups of interest can be defined in SD-WAN policy ahead of SD-WAN migration. This includes prefix-lists, site-lists, VPN IDs, and application lists.

  6. A, B, E. Site-IDs, VPN IDs, system IPs, and TLOC colors are all SD-WAN-specific values that can be predefined and planned for ahead of migration to SD-WAN.

  7. A. This design allows the data center to act as a transit site for traffic between non-SD-WAN and SD-WAN sites and allows for a graceful and gradual migration of remote sites to SD-WAN without ever affecting the legacy network.

  8. C. Designating multiple regional hubs as transit points for dedicated geographies and configuring overlay routing to leverage these hubs intelligently can minimize site-to-site latency during migration.

  9. B. The most common way to integrate transport-side connections on the SD-WAN router into the network is by dedicating a single interface in VPN 0 per carrier/transport and designating a unique color, public or private (depending on the type of transport), for each.

  10. D. In bind mode, each loopback is bound to a physical interface, and traffic destined to the loopback will be carried to and from the mapped physical interface. In unbind mode, the loopback interface is not bound to any physical interface. Traffic destined to the loopback can go through any physical interface based on a hash lookup.

  11. A, C, D. Many valid branch designs exist, but a complete replacement of the CE router, either with a single SD-WAN router or dual SD-WAN routers, is supported. Integration with an existing CE router is also supported.

  12. B. TLOC extensions can be configured for either public or private colors.

  13. B. Cisco SD-WAN can integrate with existing firewalls in many ways. As of IOS-XE SD-WAN 19.2 code, integration with existing voice services, such as SRST, can be accomplished as long as it is not attempted on the SD-WAN router.

  14. B, D, F. Cisco SD-WAN supports a wide range of routing protocols for both LAN- and WAN-side integration, including OSPF, eBGP, iBGP, and EIGRP.

  15. D. To ensure that remote branch routes are learned and preferred through the overlay (and asymmetry and route looping are avoided), you can create a filter outbound toward the SD-WAN router in order to limit the learned routes to those originating from the data center. Make sure to also advertise a default or summary into the overlay.

Chapter 13

  1. A, B, D. The three controllers that make up the Cisco SD-WAN solution are vSmart, vBond, and vManage. These components make up the control, management, and orchestration planes in the environment.

  2. A, B, E. The Cisco SD-WAN solution supports three main certificate deployment models. These include automatic enrollment with either Symantec, DigiCert, or Cisco PKI; manual enrollment with either Symantec, DigiCert, or Cisco PKI; and Enterprise CA.

  3. A. vManage is instantiated first. Once vManage is deployed, you can begin to deploy the vBond and vSmart controllers.

  4. A. The vBond controller must have a public IP address, whether configured directly on VPN 0 or behind a NAT gateway, in which case it must be a 1:1 NAT. This allows vBond to facilitate NAT traversal in the data plane between WAN Edges.

  5. A, B, E. When the controllers mutually authenticate each other, they verify three things: the certificate organization name must match the organization name that the controller has configured, the certificate must be generated by a mutually trusted root CA, and the certificate serial number must be in the controller whitelist.

  6. A. To enable the vBond persona on the vEdge Cloud component, the local keyword is added to the vbond command.

  7. A. vManage uses Netconf to push templates and policies to the vSmart controller.

  8. A. The commit command is used to save and apply configuration changes. This differs from IOS, where any config changes are applied instantly upon entering them.

  9. A. vManage is instantiated first; then vBond and vSmart are installed and configured.

  10. A. By default, Netconf is blocked when enabling the tunnel-interface command. To allow connectivity via Netconf, the command allow-service netconf needs to be applied.
