The WAN connectivity mapping distinguishes private, public, and overlay connectivity use cases. Enterprise WAN design normally selects the transport according to the required security, availability, latency, cost, and operational control. MPLS Layer 3 VPN is commonly used when the enterprise needs private routed WAN service with provider-managed segmentation and predictable QoS behavior. Internet VPN designs are used when cost, rapid deployment, or broadband availability is more important, with IPsec or SD-WAN providing encryption and overlay control. Layer 2 services such as VPWS or VPLS are selected when the customer requires Ethernet adjacency, VLAN transport, or transparent LAN-like connectivity across sites. The drag-and-drop answer preserves those distinctions by matching each WAN type to the use case it is designed to support. A professional WAN architecture can combine these transports in a hybrid model, but the design must still identify which service carries private routing, which carries encrypted overlay traffic, and which provides Layer 2 extension. Reference topics: WAN transport selection, MPLS L3VPN, Internet VPN, Metro Ethernet, VPWS, VPLS, hybrid WAN design.

The best summarization design is for the aggregation layer to advertise a default route toward the access layer and to summarize the VLAN subnets toward the core. Cisco hierarchical campus design uses summarization at natural layer boundaries so that access-layer instability is hidden from the rest of the network. If individual access VLANs flap, the core should not have to process every specific route change. Advertising a summary such as 10.0.0.0/16 from the aggregation layer toward the core reduces routing-table size, lowers CPU and memory use, and confines convergence events to the lower layer. At the same time, the access layer normally does not need full knowledge of the enterprise routing table; a default route from the aggregation layer is sufficient for northbound reachability. Summarizing at the access layer is normally less effective because the aggregation layer is the first stable boundary that sees multiple access networks. Advertising a default from the core toward aggregation would hide information in the wrong direction. Reference topics: hierarchical routing, route summarization, campus aggregation design, convergence containment, routing-table scaling.

BIDIR-PIM is the correct multicast deployment model when redundant paths and active links may create RPF challenges for many-to-many multicast traffic. Bidirectional PIM builds a shared tree rooted at the rendezvous point and avoids maintaining separate source-specific shortest-path trees for every sender. This is valuable when sources and receivers are spread across a redundant branch design and traffic can enter the multicast domain from multiple directions. Because BIDIR-PIM uses the Designated Forwarder mechanism on each link, it helps control which router forwards traffic toward the RP and reduces duplicate forwarding in topologies where normal RPF behavior could be problematic. PIM-SM is widely used, but it normally moves to source trees for active sources unless specifically controlled. PIM-SSM requires receivers to know the source and is not designed for arbitrary many-to-many communication. PIM-BSR is a mechanism for dynamic RP discovery, not a multicast forwarding model. Reference topics: BIDIR-PIM, multicast RPF, many-to-many multicast, Designated Forwarder, branch multicast design.

In Cisco SD-Access, an intermediate node is an underlay transit device. Its responsibility is to provide IP reachability between fabric edge nodes, border nodes, and other fabric infrastructure roles. Intermediate nodes forward routed underlay traffic and do not perform endpoint registration, endpoint lookup, or VXLAN encapsulation for user traffic. Endpoint-to-location mapping is handled through the fabric control plane, which is based on LISP map-server and map-resolver functions. Fabric edge nodes identify connected endpoints, apply policy, act as anycast gateways, and encapsulate user traffic into VXLAN. Border nodes connect the fabric to external networks and handle traffic entering or leaving the fabric. The intermediate node is therefore comparable to a routed distribution or core transport device in a traditional hierarchical campus, except it is participating in the SD-Access underlay. It must provide stable Layer 3 reachability and appropriate MTU for encapsulated traffic but does not maintain the host tracking database or add security group information to VXLAN headers. The correct function is transporting IP packets between edge and border nodes.

A /22 subnet is the smallest IPv4 block in the answer set that closely fits a branch expected not to exceed roughly one thousand users while avoiding unnecessary address waste. A /22 contains 1024 total addresses and 1022 usable host addresses after the network and broadcast addresses are reserved. That aligns with the requirement to provide the maximum number of host addresses without selecting a larger block than necessary. A /21 provides 2048 total addresses and 2046 usable hosts, which is materially larger than the stated requirement and wastes address space. The specific 192.168.8.0/22 block also aligns on a valid /22 boundary because /22 networks increment by four in the third octet. A 192.168.16.0/22 is also mathematically valid, but the exhibit determines the available address range; the selected option uses the appropriate block from the displayed plan. Reference topics: IPv4 subnet sizing, CIDR, usable host calculation, branch address planning, VLSM.

Option B is retained because the subnetting task depends on the exhibit options and the chosen plan must divide 10.1.8.0/21 into nonoverlapping partner VPN subnets without allocating more address space than required. The design principle is variable-length subnet masking: allocate the smallest subnet that satisfies each partner requirement, then place the subnets on valid prefix boundaries inside the reserved aggregate. Cisco addressing design emphasizes conserving address space, avoiding overlap, and preserving summarization where possible. A /21 provides 2048 total addresses, so the designer can carve several smaller partner ranges while keeping the entire allocation summarizable as 10.1.8.0/21 toward the data-center core. Incorrect options would either waste addresses, overlap existing ranges, place subnets on invalid boundaries, or allocate blocks larger than necessary. Option B is the mapping that satisfies the exhibit constraints while keeping the design clean for routing, firewall policy, and VPN onboarding. Reference topics: IPv4 VLSM, subnet boundary alignment, partner VPN addressing, summarization, nonoverlapping address design.

The fabric management plane in Cisco SD-Access enables automation techniques for device deployment and configuration. Cisco DNA Center, now commonly referenced as Cisco Catalyst Center, provides the management-plane capabilities used to automate underlay deployment, discover and provision devices, create fabric sites, assign roles, deploy virtual networks , and push policy-driven configurations. LISP-based endpoint identifiers and EID-to-RLOC mappings belong to the fabric control plane, not the management plane. IS-IS underlay routing is part of underlay network design and operation, not the management-plane function itself. The management plane exists so administrators do not have to build every fabric role, network segment, and policy manually on each individual device. In a well-designed SD-Access deployment, management-plane automation reduces configuration drift, accelerates site onboarding, and provides a consistent operational model across the campus fabric. Reference topics: Cisco SD-Access management plane, Cisco Catalyst Center, automation, device provisioning, fabric deployment, policy orchestration. It also provides the operational interface for assurance, inventory, and repeatable change control across the fabric.

Area 1 should be configured as an NSSA when the design must allow selected external routes, such as EIGRP-originated routes, while controlling other external routes such as those from the RIP domain. A normal OSPF area receives Type 5 external LSAs, so it would not inherently block the unwanted RIP-originated external routes. A stub area blocks Type 5 external LSAs, but it also cannot contain an ASBR that injects external routes in the normal way. An NSSA is designed for this exact middle ground: it restricts external LSAs from the backbone while allowing external routes to be injected inside the area as Type 7 LSAs, which are translated by the ABR when needed. This allows Area 1 to receive the necessary internal and selected redistributed information while excluding external routes originated elsewhere. Making the routers part of area 0 would not solve the external-route filtering requirement and would weaken the intended area structure. Therefore, NSSA provides the required balance of route visibility and external-route control. Reference topics: OSPF NSSA, Type 5 LSAs, Type 7 LSAs, external route control, area design.

Easy Virtual Network is the best fit when a campus needs many Layer 3 virtual networks with separate addressing and routing tables but wants lower operational overhead than manually configuring VRF-Lite everywhere. EVN builds on VRF concepts and simplifies virtualization across a hop-by-hop campus design by reducing repetitive configuration and enabling consistent virtual network transport across participating devices. Each virtual network maintains its own routing context, which supports overlapping addressing and segmentation. Hop-by-hop VRF-Lite can provide similar forwarding separation, but it becomes operationally heavy as the number of VRFs grows because each trunk, routing process, and interface association must be configured and maintained manually. Multihop MPLS can scale, but it introduces provider-style complexity and may require features or skills beyond a typical campus requirement. Multihop IPsec tunneling is not an efficient campus segmentation solution for hundreds of virtual networks. Therefore, EVN is the recommended design for scalable Layer 3 virtualization with simpler configuration and management. Reference topics: campus virtualization, Easy Virtual Network, VRF separation, scalable virtual networks, route isolation.

The correct subnet choice is 192.168.32.0/27. The design must support at least five subnets and at least 25 usable hosts per subnet from a /24 allocation. A /27 leaves five host bits, giving 32 total addresses and 30 usable host addresses after excluding the subnet and broadcast addresses. It also borrows three bits from the /24 host field, creating eight equal /27 subnets, which satisfies the requirement for at least five departmental networks. A /26 provides 62 usable hosts, but only four subnets inside a /24, so it fails the subnet-count requirement. A /25 provides only two subnets. A /28 provides enough subnets but only 14 usable host addresses, which fails the host requirement. Cisco subnetting guidance uses exactly this host-bit and prefix-length calculation model when selecting VLSM blocks. Reference topics: IPv4 subnetting, CIDR prefix length, host-bit calculation, VLSM design, private IPv4 addressing.