
QUESTION NO: 363 [Technology Comparisons and Use Cases]
Which three characteristics of the Single Tier and Dual Tier Headend Architectures for DMVPN designs are true? (Choose three)
A. A Dual Tier Headend Architecture is required when using dual cloud topologies with spoke-to-spoke connectivity
B. In a Single Tier Headend Architecture there is a single headend router per DMVPN cloud topology
C. A Single Tier Headend Architecture is required when using dual cloud topologies with spoke-to-spoke connectivity
D. In a Dual Tier Headend Architecture, there are two different headend routers per DMVPN cloud for high availability purposes
E. In a Single Tier Headend Architecture, the GRE tunnel endpoint and encryption endpoint functionalities are on the same router
F. In a Dual Tier Headend Architecture, the GRE tunnel endpoint and encryption endpoint functionalities are on different routers
Answer: B, E, F
Explanation:
B: In a Single Tier DMVPN design, one router acts as both the GRE endpoint and IPsec encryption device—this simplifies deployment.
E: In Single Tier, GRE and encryption termination both occur on the same physical router.
F: In a Dual Tier design, GRE tunnels terminate on one device (hub), and IPsec encryption is offloaded to a separate security appliance, offering better scalability and separation of concerns.
Incorrect options:
A and C: Dual-cloud topologies can be implemented using either architecture; these statements are overly prescriptive.
D: Dual Tier refers to functional separation, not necessarily dual routers per cloud for high availability.
==========
QUESTION NO: 364 [Network Architecture Principles]
Company XYZ wants Layer 2 redundancy while prioritizing flexibility and scalability. Which two technologies help meet these goals? (Choose two)
A. Avoid stretching VLANs across switches
B. Use switch clustering at the distribution layer where possible
C. Configure DHCP snooping on the switches
D. Use Unidirectional Link Detection
E. Use root guard
Answer: A, B
Explanation:
A: Avoiding VLAN stretching across switches reduces STP-related complexity and increases fault domain isolation, improving scalability.
B: Switch clustering (e.g., VSS or StackWise) allows multiple switches to be managed as one logical device, simplifying management and improving scalability and redundancy.
Other options:
C: DHCP snooping improves security but doesn't directly contribute to redundancy or scalability.
D: UDLD helps detect unidirectional links, improving link-level fault detection—not Layer 2 architectural scalability.
E: Root guard is a protection mechanism, not a scalability enabler.
==========
QUESTION NO: 365 [Protocol Design Implications]
Company XYZ is planning multicast routing over a mixed-vendor private WAN. What technique helps minimize PIM sparse mode configuration complexity?
A. PIM dense mode with RP using Auto-RP to announce itself
B. PIM sparse mode with RP using Auto-RP to announce itself
C. PIM dense mode with RP using BSR to announce itself
D. PIM sparse mode with RP using BSR to announce itself
Answer: D
Explanation:
D: PIM Sparse Mode with RP advertisement via BSR (Bootstrap Router) is more standards-based and interoperable across vendors compared to Auto-RP, which is Cisco-proprietary. Using BSR minimizes manual RP configuration and supports multi-vendor environments.
Incorrect options:
A and C: Dense mode is inefficient and doesn’t scale well, especially on WANs.
B: Auto-RP is Cisco-proprietary and may not work across mixed vendor routers.
==========
QUESTION NO: 366 [Technology Comparisons and Use Cases]
Which type of interface are OpenFlow and OpFlex?
A. Southbound interface
B. Eastbound interface
C. Cloud-bound interface
D. Northbound interface
Answer: A
Explanation:
A: OpenFlow and OpFlex are examples of southbound interfaces in SDN (Software Defined Networking). They are used by the SDN controller to communicate with the underlying infrastructure (e.g., switches, routers, hypervisors).
Other options:
D (Northbound): Interfaces used by applications to communicate with the SDN controller.
B, C: Not standard terms in SDN interface classification.
==========
QUESTION NO: 367 [Business-Driven Design Approaches / Recovery Planning]
For a company providing online billing systems, which strategy keeps RPO (Recovery Point Objective) as low as possible?
A. Cloud backup to mirror data
B. Spare onsite disks
C. Periodic snapshot of data
D. Backup on external storage
Answer: A
Explanation:
A: Cloud-based data mirroring offers near-real-time replication, keeping RPO near zero. This is essential for billing systems where even a small amount of data loss could be critical.
B and D: Manual or local backups don't offer low RPO unless continuously synced.
C: Snapshots are periodic and inherently result in a higher RPO due to the gap between intervals.
==========
QUESTION NO: 368 [Security, Automation, and Policy Integration in Design]
A company is designing an internet-based remote access VPN for 1000 remote sites. The admin suggests GETVPN. What is a potential issue?
A. GETVPN is not scalable to a large number of remote sites
B. GETVPN key servers would be on public hacker-reachable space and need higher security
C. GETVPN and DMVPN do not interoperate
D. GETVPN requires a high level of background traffic to maintain its IPsec SAs
Answer: B
Explanation:
B: GETVPN requires a Key Server (KS) that distributes encryption keys to Group Members (GMs). In internet-based VPN scenarios, the KS must be accessible over the public internet, which increases exposure to potential attacks and requires hardened security measures.
Other options:
A: GETVPN is scalable and designed for large networks.
C: While GETVPN and DMVPN serve different purposes, interoperability is not a central concern here.
D: GETVPN is efficient and does not require excessive background traffic.
==========
QUESTION NO: 369 [Protocol Design Implications]
Your company uses various transport types (PPPoE, IPsec, GRE). Which solution helps improve efficiency over these networks?
A. PMTUD
B. OATM
C. IRDP
D. Host Discovery Protocol
Answer: A
Explanation:
A: Path MTU Discovery (PMTUD) determines the maximum transmission unit (MTU) along the path to avoid IP fragmentation. Protocols like PPPoE, IPsec, and GRE add overhead, reducing effective MTU. PMTUD adjusts packet sizes dynamically, improving network efficiency by avoiding fragmentation.
Other options:
B: OATM is not a valid or recognized network optimization method.
C: IRDP (ICMP Router Discovery Protocol) is used for finding default gateways, not optimizing transport.
D: Host Discovery Protocol is not a relevant mechanism for efficiency improvement in tunneling environments.
==========
QUESTION NO: 370 [Security, Automation, and Policy Integration in Design]
Which two actions reduce the impact of trusted NMS polling (e.g., high CPU on devices, instability)? (Choose two)
A. Prevent polling of large tables through the use of SNMP OID restrictions
B. Disable unused OIDs and MIBs on the NMS systems
C. Increase the SNMP process priority
D. Implement SNMP community restrictions that are associated with an ACL
E. Unload unused MIBs from the network devices
Answer: A, D
Explanation:
A: Restricting SNMP OID polling to only necessary objects prevents large MIB walks and reduces processing load.
D: Associating SNMP communities with ACLs allows access control and limits polling scope to trusted hosts.
Other options:
B: Disabling OIDs on the NMS reduces resource usage there, but doesn’t protect network devices.
C: Increasing SNMP priority could negatively impact other processes and is not a best practice.
E: Unloading MIBs on devices is typically not possible or effective.
==========
QUESTION NO: 371 [Technology Comparisons and Use Cases]
Which interface allows a controller to program the data plane forwarding tables of a networking device?
A. Controller interface
B. Southbound interface
C. Application programming interface
D. Northbound interface
Answer: B
Explanation:
B: The southbound interface connects the SDN controller to the networking devices (e.g., switches/routers). Protocols like OpenFlow, NETCONF, or OpFlex allow the controller to program flow tables and influence forwarding behavior.
Other options:
A: “Controller interface” is not a standard architectural term.
C: APIs are a general concept; the specific interface for data-plane programming is southbound.
D: Northbound interfaces connect applications to the controller—not to devices.
==========
QUESTION NO: 372 [Security, Automation, and Policy Integration in Design]
Given the risk of hybrid cloud adoption, which two solutions help secure private/hybrid environments? (Choose two)
A. Avoid automating the scanning and remediation of security controls using open-source tooling
B. Practice SSH network protocols for data communication between unsecured network connections
C. Implement a common protective methodology for the same information at rest or in motion
D. Provide distributed management and visibility across the infrastructure instead of centralized management
E. Apply cryptographic protocols to secure data transmission over the network
Answer: C, E
Explanation:
C: Using a consistent data protection strategy (encryption at rest/in motion) across environments ensures policy continuity across private and hybrid clouds.
E: Applying cryptographic protocols (e.g., TLS, IPsec) protects data as it traverses public and hybrid infrastructure.
Other options:
A: Automation of security scanning is encouraged; avoiding it is counterproductive.
B: While SSH is secure, it doesn’t address full-stack hybrid data protection.