Cisco 300-540 - Designing and Implementing Cisco Service Provider Cloud Network Infrastructure (SPCNI v1.0)

For asite-to-site IPsec VPN, each peer must point to thereachable IP address of the remote VPN endpoint—that is, the IP address on the WAN/Internet-facing interface of the remote router.

From the diagram:

R1 outside (toward Internet):192.168.10.1

R2 outside (toward Internet):192.168.20.2

Inside LANs:

Site 1:10.1.0.0/24

Site 2:10.2.0.0/24

The crypto map on R1 uses:

crypto map mymap 10 ipsec-isakmp

set transform-set myset

match address 101

set peer

The must be the IP address where R1 can actually reach the IPsec peer, which is R2’s Internet-facing interface192.168.20.2.

If the peer were configured with a LAN IP such as 10.2.0.1 (site 2’s internal gateway), IKE packets would never reach the remote router because that address is not routable over the Internet.

Therefore, the correct command to bring up the VPN is:

set peer 192.168.20.2

Option A (10.1.0.1)– local LAN IP (R1’s side), not the remote endpoint.

Option C (192.168.10.1)– R1’s own WAN IP, not the remote peer.

Option D (10.2.0.1)– remote LAN IP, not reachable directly over the Internet.

Cisco Umbrella DNS-layer security:

Blocks malicious domains used inphishing,malware,C2 communications, andransomware

Stops threatsbeforeconnections are made

Uses DNS-based filtering and threat intelligence

It doesnotmitigate:

DDoS (needs scrubbing centers)

Brute force login attempts

Zero-day exploits directly

Thus,Ais correct.

In a cloud-scale or data center–scale environment,Virtual Extensible LAN (VXLAN)is used as anoverlay technologyto transportLayer 2 segments over a Layer 3 underlay network. VXLAN encapsulates Layer 2 Ethernet frames inside UDP/IP packets, allowing broadcast, unknown unicast, and multicast (BUM) traffic and tenant Layer 2 domains to be extended across a routed IP fabric.

Key points aligned with Cisco Service Provider Cloud Infrastructure design principles:

VXLAN creates aLayer 2 overlay on top of a Layer 3 underlay.

TheVXLAN Network Identifier (VNI)provides a much larger segmentation space than traditional VLANs, enabling multi-tenancy at cloud scale.

Because the underlay is pure Layer 3 (IP routed fabric), VXLAN allows you tointerconnect Layer 2 segments between leaf switches or data centers over an IP/MPLS backbonewithout relying on large Layer 2 domains in the physical network.

Why the options evaluate as follows:

Option A: extends Layer 2 segments across the underlying Layer 3 infrastructure✅This is the core benefit of VXLAN in cloud-scale designs. VXLAN encapsulates Layer 2 frames intoIP/UDP headers, allowing isolated Layer 2 segments (per VNI) to be stretched across a routed IP network. This enables:

Multi-tenant Layer 2 connectivity across a distributed cloud fabric

Mobility of virtual machines or containers while keeping same IP/MAC addressing

Use of an IP-based leaf–spine or service provider underlay for scalability and resiliency

Option B: extends Layer 3 segments across the underlying Layer 2 infrastructure❌This is the opposite of what VXLAN does. VXLAN is explicitlyL2-over-L3, not L3-over-L2. Extending pure Layer 3 segments over Layer 2 is not the VXLAN use case.

Option C: reduces spanning-tree complexity across the Layer 2 infrastructure⚠️(Partially related but not the primary or direct benefit)In modern designs, the underlay isLayer 3 routed, and VXLAN overlays provide logical Layer 2 segments. This designavoids dependence on spanning tree in the fabric, whichindirectlyreduces STP complexity. However, the fundamental, exam-relevant benefit isL2 extension over L3, so C is not the best or most accurate answer compared to A.

Option D: eliminates the need for a Layer 3 underlay in the service provider infrastructure❌VXLAN absolutelyrequiresan IP (Layer 3) underlay for transport. VXLAN tunnels are built over a routed infrastructure (leaf–spine, MPLS/IP core, etc.). It does not remove the need for Layer 3; it depends on it.

In Cisco NFVI, themanagement noderelies heavily on Docker containers for:

NFVIS management functions

VIM services

Orchestration components

If the management node fails to start and the system shows:

docker.service: inactive (dead)

…then all Docker-based platform services also fail to start.

The correct recovery action is torestart the Docker engine:

systemctl restart docker

This brings up:

All NFVI-required Docker containers

Management services

REST APIs and cluster components

Why other answers are incorrect:

docker-kibana→ Only affects Kibana logging container

docker-cobbler→ Used for provisioning, not core NFVI management

kube-apiserver→ Part of Kubernetes cluster, but relies on Docker; restarting it won’t help until Docker is running

Thus, the correct answer isB. docker.

In Cisco Catalyst SD-WAN cloud integration, when the requirement is:

Automatically discovering AWSVPCs

Automatically identifying AWSservices

Allowing the user to choose whichprivate SD-WAN networkconnects to the cloud

UsingAWS credentials(Access Key / Secret Key) for automatic provisioning

…the Cisco-supported mechanism is theCisco SD-WAN Transit VPC solution.

Why Transit VPC is the correct answer:

It is specifically designed to integrateCisco SD-WANwith AWS environments.

Uses AWS APIs and user credentials to automatically discover:

VPC IDs

Subnets

Regions

Routing tables

Automatically deploys and configures CSR1000v or Catalyst 8000V routers into the VPC.

Provides a centralized “hub” in AWS to interconnect multiple SD-WAN sites.

Enables the user to choose which SD-WAN segments connect to which VPCs.

This matches the requirement ofautomatic cloud resource identification based on user credentials.

Why the other options are incorrect

A. AWS Direct Connect

This is a physical/private Layer 2 cloud connection.

It doesnotauto-discover VPCs or integrate through credentials.

It does not provide automated SD-WAN service provisioning.

C. IPsec VPN

Works for connectivity but ismanual, not automated.

Does not identify AWS cloud resources via credentials.

D. Segment routing

A transport technology used inside SP networks, irrelevant to AWS API-based VPC discovery.

Thus, onlyTransit VPCprovides automatic AWS cloud discovery and integration with SD-WAN.

Comprehensive and Detailed Explanation From Cisco SP Security Knowledge

Cisco Always-On Cloud DDoS Protection is a cloud-based, carrier-grade security service used by service providers to protect customers from volumetric and application-layer DDoS attacks.

Its core protection mechanism is the use ofglobal scrubbing centers, which:

Receive diverted attack traffic

Scrub (clean) malicious packets

Forward clean traffic back to the customer

Use behavioral analysis and real-time detection

Protect against volumetric, TCP state-exhaustion, and application-layer attacks

Why other answers are incorrect:

Load balancing (A)doesnotmitigate DDoS attacks; it distributes traffic across servers.

Botnet zombies (B)aresourcesof DDoS attacks, not protection.

Traffic mirroring (C)is used for analysis and monitoring, not active DDoS protection.

Comprehensive and Detailed Explanation From Cisco SP Cloud Network Infrastructure Security Knowledge

Cloud security compliance frameworks (such as ISO 27001, PCI-DSS, GDPR, SOC 2, HIPAA) require:

Evidence of security events

Retention of logs for audit periods

Ability to generate compliance reports

Traceability and accountability

Incident investigation support

Effective log management enables:

Centralized collection of application, network, and system logs

Storage of logs for mandated retention periods

Generation ofaudit-ready reports

Documentation required for compliance assessments

Demonstration that monitoring and security controls are active and functioning

Therefore, the role of log management in regulatory compliance is primarily aboutdocumentation, traceability, auditing, and reporting, which aligns only with Option A.

The other options do not directly serve regulatory compliance requirements:

Brelates to resource optimization, not compliance.

Crefers to interoperability, which is unrelated to regulatory auditing.

Dimproves security but does not directly address compliance documentation.

R1 (AS 200) is multihomed to:

SP-1 in AS 300 via neighbor172.16.1.1

SP-2 in AS 400 via neighbor172.16.2.1

R1 must:

Advertiseonly locally originated prefixes(its own network 10.10.0.0/24).

NOTbecome atransit AS—i.e., R1 mustnotadvertise routes learned from one provider to the other.

The configuration includes AS-path access-lists:

ip as-path access-list 1 permit ^$

ip as-path access-list 200 permit ^200

ip as-path access-list 300 permit ^300

ip as-path access-list 400 permit ^400

^$ in AS-path ACL1matcheslocally originated routes(empty AS-path).

ACLs 200, 300, and 400 match routes whose first AS in the path is 200, 300, or 400 respectively (used if we needed to match those provider or customer routes).

To ensure each upstream provider only receiveslocally originatedroutes, we apply AS-path ACL1as anoutbound filter-liston each external BGP neighbor:

router bgp 200

neighbor 172.16.1.1 remote-as 300

neighbor 172.16.1.1 filter-list 1 out ← only advertise local prefixes to SP-1

neighbor 172.16.2.1 remote-as 400

neighbor 172.16.2.1 filter-list 1 out ← only advertise local prefixes to SP-2

This way:

Routes learned from SP-1 (AS 300) willnotbe advertised to SP-2 (AS 400) because their AS-path will begin with 300, not empty, so they fail ACL 1.

Similarly, routes from SP-2 will not be sent to SP-1.

Only R1’s own prefixes are exported, preventing AS 200 from becoming a transit network.