The correct answer is B. To route video traffic through a dedicated link.

Policy-Based Routing (PBR) allows the router to make forwarding decisions based on policies such as source, destination, application, or other match criteria, instead of relying only on the routing table. Cisco documentation explains that PBR gives more control over routing by reducing reliance on routes learned from routing protocols, and that it can route traffic according to a defined policy.

This means an engineer can identify video traffic and force it to use a specific dedicated path or link, even if that path is not the normal best path chosen by the routing table. Cisco also notes that set ip next-hop makes the system use policy routing first and then the routing table, which confirms that PBR can override normal routing behavior to send selected traffic to a chosen next hop.

Video traffic is often sensitive to delay, jitter, and packet loss. With PBR, the engineer can match that traffic and send it over a dedicated WAN link or preferred path that better supports real-time applications. This is a classic use case for PBR.

A. To route video traffic using the shortest path to the destination This is normally the job of the routing table and routing protocols, not PBR. PBR is used when the engineer wants to override normal path selection.

C. To use multicast for video traffic transmission Multicast is a separate forwarding technology and is not the purpose of PBR.

D. To perform traffic shaping to avoid video traffic delay Traffic shaping is a QoS function, not a routing decision function. PBR selects paths; it does not shape traffic.

ENCOR exam point:

Use PBR when traffic must follow a policy-defined path rather than the path chosen by standard routing protocol metrics.

The correct answer is D.

To meet the requirement, the configuration must do two things:

Permit only the 10.10.10.0/24 subnet to access the VTY lines

Allow only a secure remote access protocol, which is SSH

The correct Cisco IOS configuration is:

access-list 23 permit 10.10.10.0 0.0.0.255

line vty 0 15

access-class 23 in

transport input ssh

access-list 23 permit 10.10.10.0 0.0.0.255 This correctly matches the subnet 10.10.10.0/24 using the proper wildcard mask 0.0.0.255.

line vty 0 15 This applies the restriction to all VTY lines, not only a subset.

access-class 23 in This filters incoming remote access connections to the router.

transport input ssh This allows only SSH, which is encrypted and secure, and prevents Telnet or other clear-text remote access protocols.

A is incorrect because:

access-class 23 out filters outbound connections from the VTY lines, not inbound management access.

transport input all allows insecure protocols such as Telnet.

B is incorrect because:

255.255.255.0 is a subnet mask, not a wildcard mask, so the ACL syntax is wrong for a standard ACL entry.

C is incorrect because:

It applies only to VTY 0 4, while the router also has VTY 5 15 configured.

This leaves other VTY lines unrestricted, which does not fully meet the requirement.

For secure remote management on Cisco devices:

Use transport input ssh to disable Telnet

Use access-class <</b> ACL > in on VTY lines to restrict who can connect

Use the correct wildcard mask for the subnet

For 10.10.10.0/24, the wildcard mask is:

0.0.0.255

So the complete secure solution is:

restrict inbound VTY access + allow only SSH + apply to all VTY lines