Free Cisco 400-007 Practice Exam with Questions & Answers

B (Support availability):Defines hours of service and whether support is available 24/7 or during business hours.

E (Resolution time):Specifies the timeframe within which the service provider commits to resolve incidents.

Other options explained:

A: Cost and size are contractual, not SLA performance metrics.

C: Sustainability is long-term environmental or operational, not SLA-specific.

D: Reliability is often captured as uptime or availability but not as a discrete SLA support term.

A (Route Reflector design): Using R5 as a route reflector reduces the IBGP full-mesh requirement while maintaining route visibility between R1, R2 (edge) and R3, R4 (ABRs).

Internet routes can be redistributed into OSPF at the edge routers (R1, R2), allowing internal reachability while avoiding redistribution complexity on every router.

Why other options are incorrect:

B: Sub-AS designs (confederations) add unnecessary complexity for this scenario.

C: Full mesh IBGP is not scalable with increasing nodes.

D: Not using a route reflector would force full mesh IBGP.

B (Use only secure protocols): Management and administrative access to Internet edge routers must use secure protocols (SSH, SNMPv3, HTTPS) to prevent interception or unauthorized access.

E (Restrict administrative access): Limiting administrative access via interface ACLs and clear login banners ensures that only authorized personnel can access the system, satisfying compliance and security requirements.

Other options explained:

A: Filtering infrastructure IP space is good hygiene but not directly related to compliance.

C: Logging is valuable for operations and incident response but not a compliance control by itself.

D: EBGP advertisements relate to routing policy, not compliance regulation.

Comprehensive and Detailed Explanation:

D: The most effective solution is to have Site-X advertise a more specific (longer) prefix (e.g., 100.75.10.0/24), which allows external BGP routers to prefer Site-X over Site-Y. This ensures traffic destined for Site-X flows directly to it, preserving symmetry. Additionally, control plane coordination between R1 and R2 ensures proper routing consistency and minimizes the risk of loops or misdirection.

Other options:

A: Using BGP MED works within the same AS; it is often ignored by external ISPs.

B: Replicating firewall behavior does not address the routing issue.

C: DNS manipulation is a workaround—not a scalable or robust design solution.

This solution is consistent with BGP best practices and CCDE v3.1 guidance on traffic engineering and policy-based routing.

A (BPDU Guard on access ports): Prevents accidental connection of switches or bridging devices on access ports, which could cause unexpected topology changes or loops.

C (Root Guard on aggregation switch downlinks): Ensures access switches cannot send superior BPDUs to challenge aggregation switch root status, maintaining predictable STP root placement.

Why other options are incorrect:

B: Aggregation downlinks are not normally configured with BPDU Guard (since they expect BPDUs from access switches).

D: Root guard on access ports is unnecessary as those ports should not participate in STP.

E: Edge port (Rapid STP concept) is good for faster convergence but doesn't address stability.

F: STP root and backup root election is important but not a specific STP feature — this is a design decision, not a stability feature.

A (EIGRP summarization):Summarization reduces unnecessary routing information exchange, simplifies the routing table, and improves convergence.

D (Route leaking on London-Rome link):Route leaking allows specific prefixes (such as important routes for direct communication) to be advertised across the London-Rome link, ensuring it's utilized where appropriate.

Other options explained:

B: Filtering routes on Barcelona would prevent reachability unnecessarily.

C: Filtering on London-Rome link would prevent its usage entirely.

B (Micro loops):OSPF Loop-Free Alternates (LFA) pre-calculate backup next-hops to reduce transient micro loops during the convergence process when primary routes fail.

Other options explained:

A: DTP relates to trunk negotiation, not loop prevention.

C: STP handles Layer 2 loops.

D: REP is a Cisco Layer 2 redundancy protocol, unrelated to OSPF loop prevention.

Comprehensive and Detailed Explanation:

B: Fate sharing refers to a situation where multiple logical or virtual paths depend on a single physical component. If that physical link fails, all virtual tunnels or services carried over it are simultaneously affected—reducing fault isolation and increasing failure impact.

Other options:

A: Tunneling is often needed for overlays; not inherently a drawback.

C: Bandwidth utilization is an efficiency metric, not a drawback in this context.

D: Serialization delay is more relevant to low-speed links or voice/real-time traffic, not virtualized path concerns.

???? QUESTION NO: 338 [Protocol Design Implications]

An engineer must redesign the QoS strategy due to oversubscription and excessive packet drops. What QoS technique should be used to manage traffic leaving the edge router and reduce packet drops?

A. LLQ

B. Traffic shaping

C. Rate-limiting

D. Policing

Answer:B

???? Explanation:

B: Traffic shaping buffers excess traffic and releases it gradually to match the configured rate, preventing congestion and dropped packets on outbound interfaces. It’s ideal for controlling egress traffic to match the service provider's rate.

Other options:

A: LLQ (Low Latency Queueing) provides strict priority queuing but doesn’t control overall rate or prevent oversubscription.

C: Rate-limiting enforces a cap and drops packets exceeding the threshold.

D: Policing drops excess traffic immediately and is more aggressive than shaping.

==========

???? QUESTION NO: 339 [Scenario-Based Design Strategy Guidance]

Refer to the exhibit. The network experiences Stuck-in-Active (SIA) problems due to resource contention. An acquisition will further increase routing demands via R3 and R4.

Which solution best mitigates the SIA issue?

A. Utilize EIGRP unequal cost load-balancing on R5 and R6

B. Implement EIGRP Route Flap Dampening

C. Deploy EIGRP stub on R5 and R6 with connected and summary options

D. Advertise only a default route to R5 and R6

Answer:C

???? Explanation:

C: Configuring R5 and R6 as EIGRP stub routers reduces query scope and prevents SIA conditions. EIGRP stub routers do not forward queries and are ideal for spoke or edge routers.

Other options:

A: Load balancing doesn’t reduce control-plane query overhead.

B: Route Flap Dampening isn’t applicable to EIGRP and won’t solve SIA.

D: Default route advertisement helps simplify routing, but stub configuration is purpose-built to prevent SIA issues.

==========

???? QUESTION NO: 340 [Security, Automation, and Policy Integration in Design]

Which are two benefits of using Layer 2 access control lists (ACLs) for segmentation? (Choose two)

A. Traffic filtering

B. Contextual filtering

C. Containing lateral attacks

D. Reduced load at Layer 2

E. VLAN intercept

Answer:A, C

???? Explanation:

A: Layer 2 ACLs can block or allow specific MAC or IP traffic right at the switchport.

C: Containing lateral attacks—Layer 2 ACLs help block unauthorized east-west traffic between hosts within the same VLAN.

Incorrect options:

B: Contextual filtering is associated with next-gen firewalls or Layer 7 inspection.

D: ACLs add processing load, not reduce it.

E: VLAN intercept is not a valid Cisco term for ACL application.

==========

???? QUESTION NO: 341 [Business-Driven Design Approaches / Agile Frameworks]

In the Scrum Agile framework, who acts as the interface between the business/customers and the team?

A. Product Owner

B. Product Manager

C. Scrum Master

D. Program Manager

Answer:A

???? Explanation:

A: The Product Owner is responsible for defining user stories, maintaining the product backlog, and representing the customer's voice to the development team.

B: Product Manager may define broader strategy but doesn’t manage the backlog directly.

C: Scrum Master ensures the process is followed but doesn’t interface with the business side.

D: Program Manager oversees multiple projects; not Scrum-specific.

==========

???? QUESTION NO: 342 [Security, Automation, and Policy Integration in Design]

Company XYZ must isolate and encrypt production traffic to meet HIPAA compliance. The current WAN includes MPLS and P2P links.

What is the fastest deployment option?

A. IPsec P2P tunnels over MPLS and links

B. GETVPN over MPLS

C. Centralized firewall

D. VRF-Lite with IPsec tunnels

Answer:A

???? Explanation:

A: IPsec point-to-point tunnels provide immediate, well-supported encryption across both MPLS and P2P transports. Quick to implement and doesn’t rely on service provider support.

Other options:

B: GETVPN requires coordination and is more complex to deploy.

C: Central firewalls don’t encrypt traffic over the WAN.

D: VRF-Lite with IPsec is viable but more complex than direct IPsec tunnels.

==========

???? QUESTION NO: 343 [Technology Comparisons and Use Cases]

One of the approaches used in cloud bursting is distributed load-balancing, where workloads operate between a public cloud and a data center.

How can the characteristics of distributed load-balancing be described?

A. Simultaneously provisions cloud resources

B. Usually uses cloud APIs for communication

C. Useful for testing and proof-of-concept projects

D. Useful for large but temporary cloud deployments

Answer:A

???? Explanation:

A: Distributed load-balancing in cloud bursting allows workloads to run simultaneously across on-premises infrastructure and public cloud. Resources are provisioned concurrently to manage increased load or optimize application performance.

Other options:

B: Cloud APIs are widely used, but this is a general trait of cloud integration—not specific to distributed load-balancing.

C: Proof-of-concept projects are more aligned with basic cloud testing or DevOps, not distributed production workloads.

D: Temporary deployments describe elastic scaling, not the permanent load-balancing between environments.

==========

???? QUESTION NO: 344 [Business-Driven Design Approaches]

Which two factors must be considered while calculating the Recovery Time Objective (RTO)? (Choose two)

A. Importance and priority of individual systems

B. Maximum tolerable amount of data loss that the organization can sustain

C. Cost of lost data and operations

D. How often backups are taken and how quickly these can be restored

E. Steps needed to mitigate or recover from a disaster

Answer:A, C

???? Explanation:

A: RTO depends on how critical the system is. More critical systems require shorter recovery times.

C: The business impact of downtime (cost of operational loss) drives the acceptable RTO for systems.

Incorrect options:

B: This refers to Recovery Point Objective (RPO), not RTO.

D: Backup frequency aligns with RPO; restore speed can influence RTO but isn't a direct calculation input.

E: Mitigation steps are part of disaster recovery planning—not direct RTO calculation.

==========

???? QUESTION NO: 345 [Network Architecture Principles]

As more links are added to a network, the control plane slows down due to more data to process. As redundancy increases, MTTR also increases. Which risk increases along with the higher MTTR?

A. Management visibility

B. Slower data plane convergence

C. Overlapping outages

D. Topology change detection

Answer:C

???? Explanation:

C: As MTTR (Mean Time to Repair) increases due to complex topologies and control plane delays, the likelihood of experiencing overlapping outages (i.e., a second failure occurring before the first is resolved) also increases. This can cascade into a wider outage.

Other options:

A: Management visibility isn’t directly affected by MTTR.

B: Data plane convergence is generally fast and not as affected as control plane convergence.

D: Topology changes may still be detected quickly, but the reaction time (recovery) is delayed.

==========

???? QUESTION NO: 346 [Security, Automation, and Policy Integration in Design]

Which layer of the SDN architecture orchestrates how applications receive available network resources?

A. Orchestration layer

B. Southbound API

C. Northbound API

D. Control layer

Answer:A

???? Explanation:

A: The orchestration layer manages global resource allocation, service policies, and end-to-end workflows. It ensures that applications receive the necessary resources through coordination between the control and application layers.

Other options:

B: Southbound APIs connect the control layer to the infrastructure layer.

C: Northbound APIs connect the control layer to applications but don’t handle orchestration.

???? QUESTION NO: 347 [Security, Automation, and Policy Integration in Design]

Company XYZ wants to detect and block known attacks by inspecting every forwarded packet with minimal performance impact. What is the recommended design?

A. Deploy an IPS behind the firewall in promiscuous mode

B. Deploy an IPS in front of the firewall in promiscuous mode

C. Deploy an IPS behind the firewall in in-line mode

D. Deploy an IPS in front of the firewall in in-line mode

Answer: C

???? Explanation:

C: Deploying the IPS behind the firewall in in-line mode ensures that only filtered and relevant traffic is inspected, minimizing performance impact while still allowing the IPS to block malicious packets. Inline mode allows for active blocking based on signature detection.

A and B: Promiscuous mode only detects but does not block traffic.

D: Placing IPS in front of the firewall increases the processing load by exposing it to all traffic, including unwanted or already-blocked connections.

==========

???? QUESTION NO: 348 [Technology Comparisons and Use Cases]

In an SDN architecture, what is present on the switches but not on the centralized controller?

A. Control plane functions

B. A southbound interface

C. Data plane functions

D. A northbound interface

Answer: C

???? Explanation:

C: In SDN, switches retain the data plane functionality—they forward packets based on flow rules received from the controller.

A: Control plane functions are moved to the centralized controller in SDN.

B: Southbound interfaces are present on both controllers and switches for communication.

D: Northbound interfaces exist on controllers to interact with applications—not switches.

==========

???? QUESTION NO: 349 [Technology Comparisons and Use Cases]

What is a connection service that provides direct connectivity to a cloud provider from a data center?

A. Cloud OnRamp

B. Cloud Gateway

C. Cloud Direct Connect

D. Carrier-neutral facility

Answer: C

???? Explanation:

C: Cloud Direct Connect (or equivalent, e.g., AWS Direct Connect, Azure ExpressRoute) provides private, low-latency connectivity between on-prem data centers and public cloud providers.

A: Cloud OnRamp is part of Cisco SD-WAN solutions that optimize SaaS and IaaS access.

B: Cloud Gateway typically refers to a device or service that connects on-prem to cloud, but not necessarily direct, private circuits.

D: Carrier-neutral facilities are physical data centers used for interconnection but not themselves the service.

==========

???? QUESTION NO: 350 [Scenario-Based Design Strategy Guidance]

A customer is designing a network to support video applications with centralized and distributed deployments. The team has reviewed bandwidth, cost, and usage patterns. What additional key information is missing?

A. Video traffic jitter and delay

B. Type of video resources

C. Transport protocol and traffic engineering

D. Network management and monitoring

Answer: B

???? Explanation:

B: The type of video resources (e.g., MCUs, call agents, conferencing servers) significantly affects whether a centralized or distributed deployment is more efficient. This decision impacts call setup, bridging, and media flow.

A: While jitter/delay are QoS concerns, they don’t dictate the resource allocation model by themselves.

C and D: Important for operations and engineering but not the missing business-critical input for resource placement.

In service provider Ethernet transport environments such as VPLS, Ethernet OAM (Operations, Administration, and Maintenance) is used to provide fault detection, monitoring, and troubleshooting capabilities. The two relevant components here are:

A (Unicast heartbeat messages between MEPs): Maintenance End Points (MEPs) are configured at the edges of the OAM domain (SP-SW1 and SP-SW2). Heartbeat messages can be used to proactively monitor and detect loss of continuity between the endpoints.

B (Enable Connectivity Fault Management): CFM (IEEE 802.1ag) provides end-to-end fault detection, continuity check messages (CCMs), loopback, and link trace mechanisms that operate between MEPs at Layer 2. CFM enables proactive detection of failures and service-level assurance across the provider’s Ethernet segment.

Other options explained:

C: Upward MEPs are not applicable here since these are typically used for customer-facing or hierarchical maintenance domains.

D: E-LMI (Ethernet Local Management Interface) operates between CE and PE for service activation—not applicable for SP-SW to SP-SW fault detection across VPLS.

E: LLDP (Link Layer Discovery Protocol) is for neighbor discovery on directly connected interfaces—not suitable for end-to-end fault detection across a VPLS domain.

This design solution aligns fully with CCDE v3.1 principles for service provider Layer 2 VPN design and Ethernet OAM integration.

????QUESTION NO: 374 [Business-Driven Design Approaches]

Organic growth or decline affects network demands over time. Which tool helps in designing and operationalizing networks under changing conditions?

A. Change management

B. Modularity

C. Mobility

D. Monitoring

Answer: B

????Explanation:

B: Modularity is a core principle of scalable network design. It allows the network to grow or shrink in response to organic changes in business demand, supporting agility, easier management, and minimal disruption during change.

Other options:

A: Change management is about documenting and approving changes—not a design principle.

C: Mobility refers to user/device flexibility, not structural adaptability.

D: Monitoring detects changes but doesn’t help design the network.

==========

???? QUESTION NO: 375 [Protocol Design Implications]

Company XYZ uses OSPF over redundant paths. What effect does BFD have during a link failure?

A. It would drop the dead peer detection time to a single hello

B. It would keep an alternate path ready in case of a link failure

C. It would optimize the route summarization feature of OSPF

D. It would detect that the neighbor is down in a subsecond manner

Answer: D

????Explanation:

D: BFD (Bidirectional Forwarding Detection) provides subsecond failure detection that is significantly faster than standard OSPF dead timers. When integrated with OSPF, it enables rapid neighbor failure detection, thus speeding up convergence.

Other options:

A: “Single hello” is not a valid BFD metric.

B: BFD does not influence path availability—it only detects failures quickly.

C: BFD doesn’t interact with summarization.

????QUESTION NO: 376 [Security, Automation, and Policy Integration in Design]

What two elements are critical for security and compliance in hybrid cloud environments? (Choose two)

A. Cloud integration and data security

B. Tighter controls based on dynamic policy enforcement

C. Security event and data interoperability

D. Flexible controls based on policy application

E. Orchestration and cross-cloud access security

Answer: C, E

????Explanation:

C: Security event and data interoperability ensures that logs, alerts, and policies can be analyzed across different platforms (private and public clouds), which is vital for compliance and response.

E: Hybrid clouds require secure orchestration across multiple cloud domains, including federated identity, access control, and monitoring across cloud boundaries.

Other options:

A: Too broad; integration is not specific to security/compliance.

B and D: These relate to policy enforcement but don’t directly address interoperability or compliance across multiple clouds.

==========

???? QUESTION NO: 377 [Security, Automation, and Policy Integration in Design]

To protect against future perimeter breaches, which two design options can help? (Choose two)

A. Microzoning

B. Segmentation

C. Domain fencing

D. Virtualization

E. Microperimeters

Answer: B, E

????Explanation:

B: Segmentation isolates network zones (e.g., separating finance from guest access), limiting lateral movement after a breach.

E: Microperimeters apply security controls closer to the application or workload, providing granular control and defense in depth.

Other options:

A: Microzoning is not a widely defined or standard practice in network security.

C: Domain fencing is not a standard security term or methodology.

D: Virtualization is a technology, not a security architecture.

????QUESTION NO: 378 [Network Architecture Principles]

A customer is migrating from a traditional Layer 2 data center to a VXLAN spine-leaf SDN architecture. Applications cannot be readdressed, and migration must occur incrementally. How should the legacy and new networks be connected?

A. via Layer 3 links to border leaf switches

B. via a Layer 2 trunk and Layer 3 routed links to border leaf switches

C. via a Layer 2 trunk and Layer 3 routed links to spine switches

D. via a Layer 2 trunk to border leaf switches

Answer: D

????Explanation:

D: A Layer 2 trunk to the border leaf allows seamless VLAN extension between the legacy Layer 2 domain and the VXLAN-based fabric. This supports application migration without readdressing. Border leaf switches are used to bridge the traditional and VXLAN segments while maintaining MAC learning and VLAN consistency.

Incorrect Options:

A & B: Layer 3 links alone would require readdressing or routing, violating the constraint.

C: Spine switches typically do not handle VLAN bridging or policy enforcement directly.

==========

???? QUESTION NO: 379 [Business-Driven Design Approaches]

Scrum and Kanban are Agile methodologies. In which two scenarios is Kanban more appropriate? (Choose two)

A. acquisition of automation tools

B. carrier lead times

C. network configuration design

D. physical hardware deployment

E. logical topology deployment

Answer: B, D

????Explanation:

B: Kanban is suited for environments with variable lead times, such as carrier provisioning, where tasks arrive irregularly and are processed continuously.

D: Physical hardware deployment is dependent on availability and external logistics—Kanban helps manage such workflows where task durations are less predictable.

Incorrect Options:

A: Tool acquisition is typically a one-off project rather than a workflow suited for Kanban.

C & E: These are better suited for Scrum when planning sprints and structured deployments.

==========

???? QUESTION NO: 380 [Security, Automation, and Policy Integration in Design]

The network has high CPU usage due to excessive inbound traffic impacting the control and management planes. What should be implemented?

A. control plane policing

B. deep interface buffers

C. TCAM carving

D. modular QoS

Answer: A

????Explanation:

A: Control Plane Policing (CoPP) protects the control plane by rate-limiting or dropping unnecessary or malicious traffic destined for the CPU. This is essential in preventing routing and management plane starvation under high traffic conditions.

Incorrect Options:

B: Deep buffers help in data plane congestion, not control plane CPU usage.

C: TCAM carving relates to hardware forwarding table allocations, not CPU protection.

D: Modular QoS is valuable for traffic shaping but not specific to control plane protection.