300-420 · Question #384
300-420 Question #384: Real Exam Question with Answer & Explanation
The correct answer is C: Overlapping IP addresses across different overlay networks should be avoided for operational simplicity.
Question
Which two considerations must be made regarding the overlay network for a Cisco SD-Access architecture? (Choose two.)
Options
- A. Virtual networks should be used for microsegmentation.
- B. Overlapping IP addresses across different overlay networks should be used to conserve IP
- C. Overlapping IP addresses across different overlay networks should be avoided for operational simplicity.
- D. SGTs should be used for data plane isolation and microsegmentation.
- E. Virtual networks should be used for data plane isolation only.
Explanation
{"question_number": 6, "question": "Which two considerations must be made regarding the overlay network for a Cisco SD-Access architecture? (Choose two.)", "correct_answer": "C. Overlapping IP addresses across different overlay networks should be avoided for operational simplicity, D. SGTs should be used for data plane isolation and microsegmentation.", "explanation": "In SD-Access, Virtual Networks (VNs) provide macro-segmentation by maintaining separate VRFs and VXLAN VNIs per segment; they achieve data plane isolation at Layer 3. SGTs (Security Group Tags) are used within or across VNs to apply fine-grained, policy-based microsegmentation - for example, distinguishing IoT devices from corporate users in the same VN. While overlapping IP addresses are technically supported across separate VNs, Cisco strongly recommends avoiding them because troubleshooting, logging correlation, and inter-VN policy become operationally complex. Option A is wrong because VNs provide macro-segmentation, not microsegmentation. Option B is wrong because deliberately overlapping IPs is a poor practice. Option E is wrong because VNs do more than just data plane isolation - they also carry routing and policy context.", "generated_by": "claude-sonnet", "llm_judge_score": 4}