Cisco Designing and Implementing Cisco Service Provider Cloud Network Infrastructure (SPCNI v1.0) 300-540 Exam Dumps: Updated Questions & Answers (January 2026)

Comprehensive and Detailed Explanation (Cisco Cloud Model Knowledge)

The requirement states:

All infrastructure in the cloud

All applications delivered from the cloud

No software management

No maintenance by the customer

This matchesSoftware as a Service (SaaS).

SaaS provides:

Fully managed applications

No patching, upkeep, installation, or infrastructure maintenance

End-to-end cloud delivery

PaaS and IaaS still require some software/application management.

FaaS is event-driven serverless compute, not full application hosting.

Therefore, the correct answer isA. SaaS.

Cisco Umbrella DNS-layer security:

Blocks malicious domains used inphishing,malware,C2 communications, andransomware

Stops threatsbeforeconnections are made

Uses DNS-based filtering and threat intelligence

It doesnotmitigate:

DDoS (needs scrubbing centers)

Brute force login attempts

Zero-day exploits directly

Thus,Ais correct.

In a VXLAN BGP EVPN fabric, each VTEP (NVE interface) must useBGP EVPN as the host-reachability protocolso that MAC/IP information and VTEP reachability are exchanged through the control plane.

From the exhibit:

LEAF-SW-1 – interface nve1

source-interface loopback0

No host-reachability protocol bgp

Host Learning Mode: Data-Plane in show nve interface

LEAF-SW-2 – interface nve1

source-interface loopback0

host-reachability protocol bgp configured

This mismatch causes one VTEP to rely ondata-plane flood-and-learn, while the other usesEVPN BGP control-plane learning, leading to inconsistent and “corrupted” MAC/IP and ARP/ND information between the leaf switches.

The fix is to configure LEAF-SW-1 to also use BGP for host reachability:

interface nve1

host-reachability protocol bgp

Options B and D are incorrect because anycast VTEP designs intentionally share the sameprimaryloopback IP while usingdifferent secondary IPsandunique BGP router IDs. Option A (removing suppress-arp) does not correct the control-plane mismatch.

Therefore, enabling host-reachability protocol bgp on LEAF-SW-1 (OptionC) resolves the issue.

Comprehensive and Detailed Explanation From Cisco SP Cloud Network Infrastructure Security Knowledge

Cloud security compliance frameworks (such as ISO 27001, PCI-DSS, GDPR, SOC 2, HIPAA) require:

Evidence of security events

Retention of logs for audit periods

Ability to generate compliance reports

Traceability and accountability

Incident investigation support

Effective log management enables:

Centralized collection of application, network, and system logs

Storage of logs for mandated retention periods

Generation ofaudit-ready reports

Documentation required for compliance assessments

Demonstration that monitoring and security controls are active and functioning

Therefore, the role of log management in regulatory compliance is primarily aboutdocumentation, traceability, auditing, and reporting, which aligns only with Option A.

The other options do not directly serve regulatory compliance requirements:

Brelates to resource optimization, not compliance.

Crefers to interoperability, which is unrelated to regulatory auditing.

Dimproves security but does not directly address compliance documentation.

Comprehensive and Detailed Explanation

For distancesgreater than 20 miles, valid inter-facility transport options must support:

Metro-scale connectivity

High bandwidth

Low latency

Carrier-grade reliability

Acarrier access Ethernet ring (MEN / Metro Ethernet)is designed for:

Interconnecting data centers or meet-me rooms

Distances far exceeding 20 miles

High-availability layer-2 or layer-3 transport

Why the others are invalid:

CAT6e→ maximum ~100 meters

Multimode fiber→ typically <2 km (~1.25 miles)

Private wireless→ not used for high-capacity DC interconnects, unreliable for core transport

Thus, the only correct carrier-grade method isCarrier access Ethernet ring.

Comprehensive and Detailed Explanation

In Cisco NFV Infrastructure (NFVI) Assurance and Monitoring, enabling gRPC activates the device’s ability to support model-driven telemetry streaming.

Key points from Cisco SP Cloud/NFVI design principles:

gRPC is used as the transport protocol for model-driven telemetry.

Telemetry replaces traditional polling methods (SNMP, CLI scraping) with continuous, push-based updates.

It allows NFVI components to stream real-time operational data (CPU, memory, interfaces, VM metrics, fabric state) to collectors such as Cisco Crosswork, InfluxDB, Prometheus, or other analytic systems.

gRPC does not provide NetFlow/IPFIX export or syslog itself; those are separate subsystems.

Evaluation of options:

A. telemetry streaming — Correct. gRPC enables model-driven streaming telemetry.

B. IPFIX monitoring — Incorrect; IPFIX uses UDP exports, not gRPC.

C. Cisco IOS NetFlow monitoring — Incorrect; uses NetFlow export protocols.

D. system logging — Incorrect; syslog uses UDP/TCP, not gRPC.

In a VXLAN BGP EVPNMulti-Siteenvironment:

DCI trackingmonitors the health of the DCI links. If all DCI-tracking interfaces go down, the leaf can incorrectly keep advertising or learning remote MAC/IP reachability, leading to packet loss and sub-optimal forwarding for servers in that VLAN/L2VNI.

For proper operation, eachDCI-facing interfacemust be enabled with evpn multisite dci-tracking so that the Multi-Site border leaf tracks reachability over that link.

When using EVPN Multi-Site, BUM (broadcast, unknown unicast, multicast) traffic toward remote sites is typically handled viaingress replication, not multicast groups, for each L2VNI participating in Multi-Site. The configuration snippet shows an L2VNI (vn-segment 16535) still mapped to mcast-group 239.1.1.0, which is inconsistent with Multi-Site recommendations and contributes to packet loss.

Therefore, to fix the problem:

Enable DCI tracking on the uplink:

interface Ethernet1/1

evpn multisite dci-tracking

This restores proper DCI-link state monitoring for Multi-Site. →Option C

Change the L2VNI behavior from multicast to Multi-Site ingress replication:

Under the VNI for VLAN 11, configure:

evpn

vni 16535 l2

multisite ingress-replication

or the equivalent command for the specific NX-OS release, thereby aligning the L2VNI with EVPN Multi-Site design and eliminating packet loss. →Option D

Options A and B are ELAM (embedded logic analyzer) filters used only for packet capture and do not resolve the forwarding issue.

Option E is an ACL line unrelated to EVPN VXLAN or DCI tracking and does not address the underlying problem.

In aCisco NFVI C-Series Pod, the Top-of-Rack (ToR) switches are almost always configured as avPC pair.

A vPC domain requiresthree mandatory components:

vPC domain ID

vPC peer-link

vPC peer-keepalive link←ensures dual-active detection

In the exhibit:

The management interfaces areTor-A Mgmt0: 10.10.10.1andTor-B Mgmt0: 10.10.10.2

These IPs are used commonly as thepeer-keepalive endpoints

The physical uplinks to NFVI nodes formPort-Channel110

Since the configuration snippet already includes:

feature vpc

feature lacp

channel-group 110 mode active

Thenext required stepin a Cisco NFVI + vPC configuration is to configure thepeer-keepalivefrom ToR-A toward ToR-B:

vpc domain 1

peer-keepalive destination 10.10.10.2

This ensures:

vPC roles sync

Dual-active prevention

Stable operation for the NFVI C-Series rack

Why the Other Options Are Incorrect

A. vpc peer-linkThis is required but must be configured on the dedicated peer-link interfaces, not on the server-facing port-channel.

C. channel-group 110 mode onThe correct mode is already configured: mode active for LACP. mode on disables LACP.

D. switchport mode accessNFVI ToR links usetrunking, not access mode, because servers carry multiple networks (control, compute, storage, management VLANs).

Comprehensive and Detailed Explanation

SNMP traps in Cisco NFVIS (and in SNMP generally):

Areunsolicited notifications

Sent from the NFVIS deviceto the SNMP manager

Indicate alarms, changes, or significant operational events

Donotrequire polling

Examples:

Disk failures

VM crashes

Host status changes

Resource alarms

Why the others are wrong:

Adescribes SNMP monitoring (done by the manager with GET requests)

BSNMP cannotcontrolhost activities

DSNMP GET retrieves a variable, but traps sendunsolicitednotifications

Thus, the correct answer isC.

Comprehensive and Detailed Explanation

In Cisco NFVI security architecture, the primary defense againstlateral movement(an attacker moving from one compromised node to another) isnetwork segmentation.

Segmentation:

Separates workloads (compute, storage, management, tenant networks)

Prevents attackers from pivoting inside the NFVI

Reduces blast radius during breaches

Enforces micro-segmented virtual network boundaries

WPA protects Wi-Fi, not NFVI.

WAF protects web apps, not internal movement.

Data encryption protects confidentiality, not lateral movement control.

Thus,network segmentationis the correct solution.