ccnp test Advanced Practice Exam: Hard Questions 2025

A campus network is migrating to an SD-Access design. The enterprise requires (1) segmentation for PCI and corporate users across multiple buildings, (2) scalable group-based policy enforcement, and (3) minimal operational overhead when users move between access switches. Which design best meets these requirements while keeping policy consistent end-to-end?

An enterprise runs a large hierarchical campus with multiple distribution blocks. They want to improve fast convergence and reduce failure domain size. During a distribution switch failure, they have observed transient blackholing for certain subnets because of asymmetric routing and suboptimal FHRP behavior. Which design change most directly addresses this while preserving optimal forwarding to the active default gateway?

A data center pair of Nexus switches provides Anycast Gateway using vPC. After enabling a new feature, users report intermittent ARP resolution failures for hosts on different leaf switches within the same VLAN. The issue correlates with ARP replies being sourced from the wrong vPC peer and MAC flaps are seen on the access ports. Which misconfiguration is the most likely root cause?

You are troubleshooting an OSPF enterprise network with multiple areas. A new router in Area 10 must reach prefixes in Area 0 and vice versa. The new router forms full adjacency with the ABR, but Area 10 routes are not reaching Area 0. The ABR has 'area 10 stub no-summary' configured, and the new router is configured as a standard stub. What is the most likely reason routes are not being advertised as expected?

A dual-homed edge site uses eBGP to two ISPs and iBGP to the core. The site must prefer ISP1 for outbound traffic, but inbound traffic for 198.51.100.0/24 must prefer ISP2 except during failures. You are not allowed to prepend AS-path toward ISP1 due to policy. Which approach best meets the requirement with minimal unintended global impact?

A network uses EIGRP named mode with route summarization at distribution. After adding a new VLAN, remote sites intermittently lose reachability to a subset of subnets. A packet capture shows traffic forwarded toward the distribution, then dropped with ICMP unreachable from the distribution. Which root cause is most consistent with this behavior?

A WAN uses IP SLA tracking to fail over a static default route to a backup link. During brief upstream congestion, the link is healthy but latency spikes cause frequent failovers, leading to session resets. You must reduce failover flapping while still failing over quickly for true outages. Which tuning is the best fit?

A campus uses 802.1X with MAB fallback. A penetration test shows an attacker can unplug an authorized IP phone and connect a laptop that gains access to the voice VLAN and then pivots into internal services. Which change best mitigates this specific risk while maintaining phone connectivity and minimizing operational burden?

An enterprise uses DHCP snooping, Dynamic ARP Inspection (DAI), and IP Source Guard. After enabling IPv6 on access switches, users report intermittent loss of IPv6 connectivity and neighbor discovery failures, while IPv4 works normally. Which action best aligns IPv6 protection with the existing Layer 2 security model and resolves the issue?

You are building an automated change system to deploy VLANs, SVIs, and OSPF across 200 switches/routers. The organization requires idempotency, change preview, and the ability to roll back if post-checks fail. The devices are a mix of platforms, and the solution must minimize screen-scraping CLI parsing. Which approach best meets these requirements?