New ENSDWI Questions

Question 1

Which component of the Cisco SD-WAN secure extensible network provides a single pane of
glass approach to network monitoring and configuration?

A. APIC-EM
B. vSmart
C. vManage
D. vBond

Answer: C

Question 2

What is a benefit of the application aware firewall feature in the Cisco SD-WAN solution?

A. application monitoring
B. application malware protection
C. application visibility
D. control policy enforcement

Answer: C

Question 3

A network administrator is configuring QoS on a Vedge 5000 router and needs to enable it on
the transport side interface. Which policy setting must be selected to accomplish this goal?

A. Cloud QoS Service side

B. Cloud QoS
C. Netflow
D. Application

Answer: B

Question 4

A policy is created to influence routing path in the network using a group of prefixes. What
policy application will achieve this goal when applied to a site list?
A. control-policy
B. vpn-membership policy
C. app-route policy
D. cflowd-template

Answer: A

Question 5

An engineer wants to track tunnel characteristics within a SLA-based policy for convergence.
Which policy configuration will achieve this goal?

A. Data policy
B. Control policy
C. App-route policy
D. VPN membership policy

Answer: C

Question 6

Refer to the exhibit.

vEdge-2(config-vpn-0)#interface ge0/2.101
vEdge-2(config-interface)#ip address 10.1.100.0/24
vEdge-2(config-interface)#tloc-extension ge0/0
vEdge-2(config-interface)#mtu 1496
vEdge-2(config-interface)#no shutdown

What binding is created using the tloc-extension command?

A. between ge0/2.101 of port-type transport and ge0/0 of port-type service

B. between ge0/2.101 of port-type service and ge0/0 of port-type service
C. between ge0/2.101 of port-type service and ge0/0 of port-type transport
D. between ge0/2.101 of port-type transport and ge0/0 of port-type transport

Answer: D

Question 7

Which two algorithms authenticate a user when configuring SNMPv3 monitoring on a WAN
Edge router? (Choose two)
A. AES-256
B. SHA-1
C. AES-128
D. MD5
E. SHA-2

Answer: D E

Question 8

A network administrator is configuring an application-aware firewall between inside zones to

an outside zone on a WAN edge router using vManage GUI. What kind of inspection is
performed when the ”inspect” action is used?

A. Layer 7 inspection for TCP and Layer 4 inspection for UDP

B. IPS inspection for TCP and-Layer 4 inspection for UDP
C. stateful inspection for TCP and stateless inspection of UDP
D. stateful inspection for TCP and UDP

Answer: D

Question 9

What is the purpose of ”vpn 0” in the configuration template when onboarding a WAN edge
node?

A. It carries control traffic over secure IPsec connections between vSmart controllers and
vEdge routers, and between vSmart and vManager
B. It carries control out-of-bond network management traffic among the Viptela devices in
the overlay network.
C. It carries control traffic over secure DTLS or TLS connections between vSmart controllers
and vEdge routers, and between vSmart and vBond

Answer: C

Question 10

In Cisco SD-WAN, what protocol is used for control connections between SD-WAN
devices?

A. BGP
B. OSPF
C. DTLS
D. OMP
Answer: D

Question 11

In an AWS cloud, which feature provision WAN Edge routers automatically in Cisco SD-
WAN?

A. Cloud OnRamp
B. vAnalytics
C. Cloud app
D. Network Designer

Answer: A

Question 12

When a WAN Edge device joins the SD-WAN overlay, which Cisco SD-WAN components
orchestrates the connection between the WAN Edge device and a vSmart controller?

A. OMP
B. vBond
C. vManage
D. APIC-EM

Answer: B

Question 13

A network administrator is bringing up one WAN Edge for branch connectivity. Which types
of tunnels form when the WAN edge router connects to the SD-WAN fabric?

A. DTLS or TLS tunnel with vBond controller and IPsec tunnel with vManage controller
B. DTLS or TLS tunnel with vBond controller and IPsec tunnel with other WAN Edge
routers
C. DTLS or TLS tunnel with vSmart controller and IPsec tunnel with other Edge routers
D. DTLS or TLS tunnel with vSmart controller and IPsec tunnel with vBond controller

Answer: C

Question 14
In the Cisco SD-WAN solution, vSmart controller is responsible for which two actions?
(Choose two)

A. Authenticate and authorize vEdge routers.

B. Distribute the IP address from DHCP server to vEdge routers.
C. Distribute crypto key information among vEdge routers
D. Configure and monitor vEdge routers.
E. Distribute route and policy information via OMP.

Answer: C E

Question 15

Which device in the SD-WAN solution receives and categorizes event reports, and generates
alarms?

A. vSmart controllers
B. WAN Edge routers
C. vBond controllers
D. vManage NMS

Answer: D

Question 16

An administrator needs to configure SD-WAN to divert traffic from the company’s private
network to an ISP network. What action should be taken to accomplish this goal?

A. configure the data security policy

B. configure the application aware policy
C. configure the control policy
D. configure the data policy

Answer: D

Question 17

Drag and drop the definitions from the left to the configuration on the right.
Answer:

+ destination zone: grouping of VPNs where the data traffic flows terminate
+ firewall policy: matching condition that allows traffic flow between two zones
+ source zone: grouping of VPNs where the data traffic flows originate
+ zone pair: container that associates forwarding and blocking decisions

Question 18

Drag and drop the attributes from the left that make each transport location unique onto the
right. Not all options are used.

Answer:

+ target 1: IP address
+ target 2: color
+ target 3: encapsulation

Question 19
Drag and drop the steps from the left into the order on the right to upload software on
vManage repository that is accessible from maintenance > Software Repository.

Answer:

+ Step 1: Click the repository

+ Step 2: Click Add new software
+ Step 3: Select vManage to store the software image
+ Step 4: Choose the file and click to upload

SD-WAN Architecture Questions

https://www.certprepare.com/sd-wan-architecture-questions

Question 1

Which type of route advertisement of OMP can be verified?

A. Origin, TLOC, and VPN

B. Origin, TLOC, and service
C. OMP, VPN, and origin
D. OMP, TLOC, and service

Answer: D

Question 2

Which two hardware platforms support Cisco IOS XE SD-WAN images? (Choose two)

A. ISR4000 series
B. ISR9300 series
C. vEdge-1000 series
D. ASR9000 series
E. ASR1000 series
Answer: A E

Question 3

Which Cisco SD-WAN WAN Edge platform supports LTE and Wi-Fi?

A. ISR 1101
B. ASR 1001
C. CSR 1000v
D. vEdge 2000

Answer: A

Question 4

Which component of the Cisco SD-WAN control plane architecture facilitates the storage of
certificates and configurations for network components?

A. vSmart
B. WAN Edge
C. vManage
D. vBond

Answer: C

Question 5

What is a default protocol for control plane connection?

A. HTTPS
B. TLS
C. IPsec
D. DTLS

Answer: D

Question 6

Which component of the Cisco SD-WAN control plane architecture should be located in a
public Internet address space and facilitates NAT-traversal?
A. WAN Edge
B. vSmart
C. vBond
D. vManage

Answer: C

Question 7

Which component of the Cisco SD-WAN architecture oversees the control plane of overlay
network to establish, adjust, and maintain the connections that form the Cisco SD-WAN
fabric?

A. APIC-EM
B. vSmart
C. vManage
D. vBond

Answer: B

Question 8

Which two options are SD-WAN solution capabilities? (Choose two)

A. Ability to provide and integrate security with complementary products and applications
B. The separation of management plane, control plane and data plane to enable horizontal
scaling
C. Truck roll branch turn up for easy provisioning and new installations
D. Cloud hosted or on-premise fully redundant management and control plane functions

Answer: B D

Question 9

Which Cisco SD-WAN component provides a secure data plane with remote vEdge routers?

A. vManage
B. vSmart
C. vBond
D. vEdge

Answer: D
Question 10

Which two mechanisms are used to guarantee the integrity of data packets in the Cisco SD-
WAN architecture data plane? (Choose two)

A. certificates
B. transport locations
C. authentication headers
D. encapsulation security payload
E. TPM chip

Answer: C D

vManage & vBond Questions

https://www.certprepare.com/vmanage-vbond-questions

Question 1

How is the scalability of the vManage increased in Cisco SD-WAN Fabric?

A. Increase the bandwidth of the WAN link connected to the vManage

B. Increase licensing on the vManage
C. Deploy more than one vManage controllers on different physical server
D. Deploy multiple vManage controllers in a cluster

Answer: D

Question 2

Which configuration step is taken on vManage after WAN Edge list is uploaded to support
the on-boarding process before the device comes online?

A. Verify the device certificate

B. Enable the ZTP process
C. Set the device as valid
D. Send the list to controllers

Answer: C

Question 3

Which API call retrieves a list of all devices in the network?

A. https://vmanage_IP_address/dataservice/system/device/{{model}}
B. http://vmanage_IP_address/dataservice/system/device/{{model}}
C. http://vmanage_IP_address/api-call/system/device/{{model}}
D. https://vmanage_IP_address/api-call/system/device/{{model}}

Answer: A

Question 4

Which combination of platforms are managed by vManage?

A. ISR4351, ASR1002HX, vEdge2000, vEdge Cloud

B. ISR4321, ASR1001, Nexus, ENCS
C. ISR4321, ASR1001, ENCS, ISRv
D. ISR4351, ASR1009, vEdge2000, CSR1000v

Answer: C

vEdge Questions
https://www.certprepare.com/vedge-questions

Question 1

Two sites have one WAN Edge each. Each WAN Edge has two public TLOCs with no
restrict configured. There is full reachability between the TLOCs. How many data tunnels
are formed on each Edge router?

A. 6
B. 2
C. 4
D. 8

Answer: C

Question 2

On which device is a service FW address configured to insert firewall service at the hub?

A. vSmart at the branch

B. vEdge at the branch
C. vEdge at the hub
D. vSmart at the hub
Answer: C

Question 3

Which command verifies a policy that has been pushed to the vEdge router?

A. vSmart# show running-config policy

B. vEdge# show running-config data policy
C. vSmart# show running-config apply policy
D. vEdge# show policy from-vsmart

Answer: D

Question 4

Refer to the exhibit. An engineer is troubleshooting a control connection issue. What does
“connect” mean in this show control connections output?

A. Control connection is down

B. Control connection is up
C. Control connection attempt is in progress
D. Control connection is connected

Answer: C

Question 5

Which attributes are configured to uniquely identify and represent a TLOC route?

A. system IP address, link color, and encapsulation

B. origin, originator, and preference
C. site ID, tag, and VPN
D. firewall, IPS, and application optimization
Answer: A

Question 6

An engineer is troubleshooting a certificate issue on vEdge. Which command is used to

verify the validity of the certificates?

A. show control local-properties

B. show control summary
C. show certificate installed
D. show certificate status

Answer: A

Question 7

Which OSPF command makes the WAN Edge router a less preferred exit from a site with a
dual WAN Edge design?

A. B.

C. D.

A. Option A
B. Option B
C. Option C
D. Option D

Answer: C

Question 8
A vEdge platform is sending VRRP advertisement messages every 10 seconds. Which value
configures the router back to the default timer?

A. 2 seconds
B. 5 seconds
C. 1 second
D. 3 seconds

Answer: C

Question 9

An engineer is troubleshooting a vEdge router and identifies a “DCONFAIL – DTLS

connection failure” message. What is the problem?

A. memory issue
B. certificate mismatch
C. organization mismatch
D. connectivity issue

Answer: D

Question 10

At which layer does the application-aware firewall block applications on a WAN Edge?

A. 3
B. 5
C. 2
D. 7

Answer: D

Question 11

What is the default interval for BFD packets?

A. 1 second
B. 15 seconds
C. 10 seconds
D. 5 seconds
Answer: A

Question 12

Refer to the exhibit. What does the BFD value of 8 represent?

A. dead timer of BFD session

B. poll-interval of BFD session
C. hello timer of BFD session
D. number of BFD sessions

Answer: D

Controller Deployment Questions

https://www.certprepare.com/controller-deployment-questions

Question 1

When software is upgraded on a vManage NMS, which two image-adding options store
images in a local vManage software repository? (Choose two)

A. To be downloaded over an ICMP connection

B. To be downloaded over a SNMP connection
C. To be downloaded over a control plane connection
D. To be downloaded over an out-of-band connection
E. To be downloaded over a SMTP connection

Answer: C D

Question 2

Which two platforms for the Cisco SD-WAN architecture are deployable in a hypervisor on-
premises or in IAAS Cloud? (Choose two)

A. CSR 1000v
B. ISR 4431
C. vEdge 100c
D. vEdge 2000
E. vEdge Cloud

Answer: A E

Question 3

Which two image formats are supported for controller nodes? (Choose two)

A. .nxos
B. .qcow2
C. .iso
D. .ova
E. .tgz

Answer: B D

Question 4

What are the two advantages of deploying cloud-based Cisco SD-WAN controllers? (Choose
two)

A. centralized control and data plane

B. infrastructure as a service
C. management of SLA
D. centralized raid storage of data
E. distributed authentication policies

Answer: B C

Router Deployment
https://www.certprepare.com/router-deployment

Question 1

Which two platforms can host a vEdge Cloud Router? (Choose two)

A. Microsoft Azure
B. Dream host
C. AWS
D. DigitalCloud
E. Google
Answer: A C

Question 2

Which two services are critical for zero touch provisioning onboarding? (Choose two)

A. EMAIL
B. SNMP
C. AAA
D. DHCP
E. DNS

Answer: D E

Question 3

When redistribution is configured between OMP and BGP at two Data Center sites that have
Direct Connection Interlink, which step avoids learning the same routes on WAN Edge
routers of the DCs from LAN?

A. Set down-bit on Edge routers on DC1

B. Define different VRFs on both DCs
C. Set OMP admin distance lower than BGP admin distance
D. Set same overlay AS on both DC WAN Edge routers

Answer: D

Question 4

Which device information is required on PNP/ZTP to support the zero touch onboarding
process?

A. serial and chassis numbers

B. interface IP address
C. public DNS entry
D. system IP address

Answer: A

Question 5

Which command displays BFD session summary information per TLOC on vEdge routers?
A. show bfd tloc-summary-list
B. show bfd history
C. show bfd summary
D. show bfd sessions

Answer: A

Question 6

Which configuration allows users to reach YouTube from a local Internet breakout?

A. B.

C. D.
A. Option A
B. Option B
C. Option C
D. Option D

Answer: A

Question 7

Which feature template configures OMP?

A.

B.

C.

D.

A. Option A
B. Option B
C. Option C
D. Option D

Answer: A

Question 8
Refer to the exhibit. Which configuration change is needed to configure the tloc-extention on
Branch1-Edge1?

A. B.

C. D.

A. Option A
B. Option B
C. Option C
D. Option D

Answer: B

Question 9

Which command on a WAN Edge device displays the information about the colors present in
the fabric that are learned from vSmart via OMP?
A. show omp peers
B. show omp route
C. show omp sessions
D. show omp tlocs

Answer: D

Question 10

Which statement about VRRP is true?

A. It supports load balancing

B. It can be configured with HSRP on a switch or switch stack
C. It supports IPv4 and IPv6
D. It supports encrypted authentication

Answer: B

Policy & QoS Questions

https://www.certprepare.com/policy-qos-questions

Question 1

Refer to the exhibit. Which QoS treatment results from this configuration after the access list
acl-guest is applied inbound on the vpn1 interface?
A. A TCP packet sourcing from 172.16.10.1 and destined to 172.16.20.1 is dropped
B. A UDP packet sourcing from 172.16.20.1 and destined to 172.16.10.1 is accepted
C. A UDP packet sourcing from 172.16.10.1 and destined to 172.16.20.1 is dropped
D. A TCP packet sourcing from 172.16.20.1 and destined to 172.16.10.1 is accepted

Answer: C

Question 2

Which SD-WAN component is configured to enforce a policy to redirect branch-to-branch

traffic toward a network service such as a firewall or IPS?

A. vBond
B. vSmart
C. WAN Edge
D. Firewall

Answer: B

Question 3

Which configuration changes the packet loss priority from low to high?

A. B.

C. D.

A. Option A
B. Option B
C. Option C
D. Option D

Answer: D
Question 4

Which policy configures an application-aware routing policy under Configuration >

Policies?

A. Data policy
B. Centralized policy
C. Localized policy
D. Control policy

Answer: B

Question 5

Where does the Cisco V-Edge Router perform QoS traffic classification?

A. Per VPN
B. Per vEdge
C. Egress interface
D. Ingress interface

Answer: D

Question 6

Which scheduling method is configured by default for the eight queues in the cloud vEdge
router?

A. weighted round robin

B. priority queue
C. low latency queue
D. weighted random early detection

Answer: A

Question 7

A voice packet requires a latency of 50 msec. Which policy is configured to ensure that a
voice packet is always sent on the link with less than a 50 msec delay?

A. localized data
B. centralized control
C. localized control
D. centralized data

Answer: D

VPN Questions
https://www.certprepare.com/vpn-questions

Question 1

In which VPN is the NAT operation on an outgoing interface configured for direct Internet
access?

A. 0
B. 512
C. 10
D. 1

Answer: A

Question 2

When the VPN membership policy is being controlled at the vSmart controller, which policy
disallows VPN 1 at sites 20 and 30?

A. B.
C. D.

A. Option A
B. Option B
C. Option C
D. Option D
Answer: C

Question 3

When VPNs are grouped to create destination zone in Zone-Based Firewall, how many
zones can a single VPN be part of?

A. two
B. four
C. one
D. three

Answer: C

Question 4

Which template configures the out-of band management VPN?

A.

B.

C.
D.

A. Option A
B. Option B
C. Option C
D. Option D

Answer: C

Security Questions
https://www.certprepare.com/security-questions-3

Question 1

Which on-the-box security feature is supported by the Cisco ISR 4451 SD-WAN device and
not on vEdge?

A. Cloud Express service

B. Enterprise Firewall with Application Awareness
C. reverse proxy
D. iPsec/GRE cloud proxy
Answer: B

A. IPsec/GRE cloud proxy

B. reverse proxy
C. Enterprise Firewall with Application Awareness
D. Cloud Express service

Answer: C

Question 2

What is a benefit of the application-aware firewall?

A. It blocks traffic by MTU of the packet

B. It blocks encrypted traffic
C. It blocks traffic by application
D. It blocks traffic by MAC address

Answer: C

Question 3

Which value is verified in the certificates to confirm the identity of the device?

A. Serial Number
B. OTP
C. System-IP
D. Chassis-ID

Answer: A

Question 4

Which hardware component is involved in the Cisco SD-WAN authentication process for ISR
platforms?

A. ZTP
B. OTPC
C. SUDI
D. TPMD
Answer: C

Question 5

Which alarm setting is configured to monitor serious events that affect, but do not shut down,
the operation of a network function?

A. Critical
B. Medium
C. Major
D. Minor

Answer: C

Troubleshooting Questions
https://www.certprepare.com/troubleshooting-questions

Question 1

Which command disables the logging of syslog messages to the local disk?

A. no system logging disk local

B. system logging server remote
C. no system logging disk enable
D. system logging disk disable

Answer: C

Question 2

Which logs verify when a device was upgraded?

A. ACL
B. Email
C. SNMP
D. Audit

Answer: D

Question 3
Which protocol is used to measure loss, latency, jitter, and liveliness of the tunnel between
WAN Edge router peers?

A. OMP
B. NetFlow
C. BFD
D. IP SLA

Answer: C

Question 4

Which pathway under Monitor > Network > Select Device is used to verify service insertion
configuration?

A. System Status
B. ACL Logs
C. Real Time
D. Events

Answer: C

Drag Drop Questions

https://www.certprepare.com/drag-drop-questions

Question 1

Drag and drop the devices from the left onto the correct functions on the right.

Answer:
+ establishes a secured data plane: vEdge
+ first point of authentication: vBond
+ single pane of glass: vManage
+ enforces control policies: vSmart

Question 2

Drag and drop the vManage policy configuration procedures from the left onto the correct
definitions on the right.

Answer:

+ Create the network structure to which the policy applies: Configure topology
+ Associate a policy with sites and VPNs in the overlay network: Apply policies to sites and
VPNs
+ Create the match and action conditions of a policy: Configure traffic rules
+ Create lists that group together related items that an engineer can call in the match or action
components of a policy: Create groups of interest

Question 3

Drag and drop the policies from the left onto the correct policy types on the right.
Answer:

Control Policy
+ strict hub-and-spoke topology
+ service firewall insertion

Data Policy
+ perform shaping on traffic
+ prefer voice and video via MPLS link

Question 4

Drag and drop the route verification output from show omp tlocs from the left onto the
correct explanations on the right.

Answer:

+ system ID: TLOC IP

+ attribute of WAN link: Color
+ type of tunnel being used: Encapsulation
+ TLOC route status: shows if the route was chosen to enter the routing table or not

Question 5

Drag and drop the actions from the left into the correct sequence on the right to create a
data policy to direct traffic to the Internet exit

Answer:

+ Step 1: Create centralized data policy

+ Step 2: Identify VPN and match criteria
+ Step 3: Enable NAT functionality
+ Step 4: Apply data policy

Question 6

Drag and drop the functions from the left onto the correct templates on the right.

Answer:
+ routing policy: route-map
+ transport VPN: VPN 0
+ management VPN: VPN 512
+ service VPN: VPN 10
+ system information: organization name