Free Cisco 400-007 Practice Exam with Questions & Answers | Set: 10

The hierarchical LAN design model — access, distribution, core — provides:

Scalability through structured hierarchy (A).

Easier change management and staged deployments since functions are isolated at each layer (E).

CCDE v3.1 emphasizes hierarchy for long-term scalability, manageability, and operational stability.

Why other options are incorrect:

B: Modern data centers favor spine-leaf over traditional hierarchy.

C: The model simplifies rather than complicates.

D: Simplification is not its primary advantage — scalability and modularity are.

—

VPLS replicates multicast streams as multiple unicast streams, causing scalability problems with high-bandwidth multicast sources. The most scalable solution is:

Replace VPLS with a Layer 3 MVPN (Multicast VPN): MVPN provides efficient multicast replication in the provider core, dramatically reducing bandwidth consumption compared to Layer 2 replication.

Why other options are incorrect:

A: VPLS handles multicast poorly at scale because of head-end replication.

B: GRE tunnels are operationally complex and do not scale efficiently for large deployments.

C: IGMP snooping may help locally but does not solve replication inefficiency in the core.

—

The scenario prioritizes:

In-house management (not managed services)

Scalability (exponential branch growth)

OPEX reduction (low operational cost)

SD-WAN over L3VPN offers a balance of:

Mid-level ISP cost (leveraging L3VPN as transport)

Centralized management and automation (ZTP, templates)

Support for segmentation, application-aware routing, and path control

Lower OPEX due to simplified configuration and monitoring

Managed SD-WAN has higher ISP and OPEX cost, and DMVPN is more manual and complex to scale. SD-WAN over L2VPN might reduce ISP cost but is less common and not optimal for rapid scalability.

A (Additional host routes):Spoke-to-spoke dynamic tunnels in DMVPN phase 3 result in OSPF populating routing tables with multiple /32 host routes for each spoke-to-spoke tunnel, which can impact scalability and routing table size.

Other options explained:

B: Priority changes not typically required.

C: Split-horizon issue is solved in DMVPN phase 3.

D: Spokes dynamically register with the hub; no manual spoke IP configuration needed.

E (Infrastructure ACLs): iACLs control what traffic can reach network infrastructure devices, directly securing the data plane.

G (Routing Protocol Authentication): Prevents malicious or spoofed routing updates which directly protect data plane routing decisions.

Why other options are incorrect:

A: Warning banners are management plane hardening.

B: Redundant AAA is management/control plane hardening.

C: CPPr protects the control plane.

D: SNMPv3 secures management plane.

F: Disabling unused services typically applies to management plane or control plane, not data plane.

—

A (Jenkins):Jenkins is a leading Continuous Integration/Continuous Deployment (CI/CD) automation tool for building, testing, and deploying code automatically.

Other options explained:

B: Ansible is used for configuration management and automation.

C: Perl is a programming language, not a CI/CD platform.

D: Chef is a configuration management tool.

????QUESTION NO: 382 [Protocol Design Implications]

During IPv6 deployment in a legacy network, what must be considered for older Layer 2 switches? (Choose two)

A. If IPv6 anycast deployment is planned, then make sure that Layer 2 switches support DHCPv6 snooping

B. If IPv6 anycast deployment is planned then make sure that Layer 2 switches support ND snooping

C. IPv6 is transparent on Layer 2 switches so no changes are needed to the Layer 2 switches

D. If IPv6 multicast deployment is planned, then make sure that Layer 2 switches support MLD snooping

E. If IPv6 anycast deployment is planned, then make sure that Layer 2 switches support ICMPv6 snooping

Answer: C, D

????Explanation:

C: IPv6 functions at Layer 3, and Layer 2 switches (which do not inspect or modify Layer 3 headers) typically forward IPv6 frames transparently just like IPv4—unless enhanced services are needed.

D: For efficient IPv6 multicast handling (e.g., neighbor discovery, multicast services), switches should support MLD snooping (equivalent to IGMP snooping for IPv4).

Incorrect options:

A, B, E: DHCPv6 snooping, ND snooping, and ICMPv6 snooping are not standard or widely implemented features in Layer 2 devices. They're also unnecessary for basic IPv6 forwarding.

==========

???? QUESTION NO: 383 [Business-Driven Design Approaches]

Which two business areas support continuity during emergencies by understanding data flows and business processes? (Choose two)

A. Decentralized device management

B. BYOD policy

C. Disaster recovery

D. Centralized device management

E. Business continuity

Answer: C, E

????Explanation:

C: Disaster Recovery focuses on restoring services and data after a catastrophic event.

E: Business Continuity is a broader framework ensuring operations can continue despite disruptions. Both require knowledge of critical data flows and dependencies.

Other options:

A & D: Device management is operational—not directly focused on emergency business continuity.

B: BYOD is a policy concern related to access and security, not continuity.

==========

???? QUESTION NO: 384 [Security, Automation, and Policy Integration in Design]

Two companies want a VPN tunnel to exchange HTTP REST APIs. Only data integrity (not confidentiality) is required. Devices have limited resources.

A. GRE tunnel

B. GRE over IPsec

C. IPsec ESP

D. IPsec AH

Answer: D

????Explanation:

D: IPsec Authentication Header (AH) provides integrity and authentication, but not encryption. It’s ideal when data confidentiality is handled at the application layer and minimal overhead is desired.

Incorrect options:

A: GRE is a tunneling protocol, but it does not provide integrity or security.

B: GRE over IPsec is more complex and includes encryption (not needed here).

C: IPsec ESP provides encryption and integrity—overkill for this use case.

==========

???? QUESTION NO: 385 [Security, Automation, and Policy Integration in Design]

What is a key benefit of Infrastructure as Code (IaC)?

A. Declarative pipelines

B. Configuration drift

C. Agent monitoring

D. Repeatable deployments

Answer: D

????Explanation:

D: Repeatable deployments are one of the core benefits of IaC. It allows infrastructure to be provisioned consistently every time using version-controlled templates.

Incorrect options:

A: Declarative pipelines relate more to CI/CD processes than directly to IaC.

B: IaC helps prevent configuration drift, but drift itself is a problem—not a benefit.

C: Agent monitoring is a function of monitoring tools, not IaC.

The question describes a network that requires virtualization at both control and data plane levels using VLANs and VRFs. This architecture aligns with:

Path isolation (A): Achieved using VRFs and VLANs, ensuring traffic separation at Layer 2 and Layer 3 across the entire network.

Group virtualization (C): Refers to grouping users or resources (such as departments or tenants) into isolated segments that remain logically separated throughout the campus fabric.

Other options explained:

B (Session isolation): More aligned with application or session-layer security, not data/control plane virtualization.

D (Services virtualization): Typically related to virtualizing network services (firewalls, load balancers).

E (Edge isolation): Not a standard design term in CCDE.

—

A (Additional MPLS provider):True path diversity includes provider diversity to eliminate the possibility of shared failures within a single provider’s infrastructure. Multiple providers minimize correlated failures, increasing WAN availability.

Other options explained:

B: Out-of-band management improves operational access but doesn't address WAN availability.

C: Dual-homing branches is valuable but not directly related to the data center’s WAN failure condition.

D: Hardware redundancy improves local device availability but doesn't mitigate WAN failures.

A (EoMPLS): Ethernet over MPLS can operate at Layer 2, and MACsec can encrypt traffic before entering the MPLS core.

E (KVPLS): Supports MACsec encryption for Layer 2 DCI services over VPLS solutions.

Why other options are incorrect:

B: MPLS L3 VPN operates at Layer 3, not suitable for MACsec (L2 encryption).

C: DMVPN uses IPsec, not MACsec.

D: GET VPN uses IPsec for L3 traffic encryption.

—