Free Cisco 400-007 Practice Exam with Questions & Answers | Set: 6

C (Class-Based Weighted Fair Queuing - CBWFQ): CBWFQ allows assigning bandwidth limits (in this case, 2 Mbps) to specific traffic classes, effectively controlling scavenger traffic without dropping excess packets unnecessarily.

Other options explained:

A: Policing drops excess traffic immediately rather than queuing.

B: LLQ is for delay-sensitive traffic, not scavenger control.

D: Shaping is useful but typically applied at interface level, not specific traffic classes.

Security design must be aligned with:

Business objectives (A): Security design must meet business needs without hindering operations.

Security policies and standards (B): Compliance with internal and external regulations is mandatory.

CCDE v3.1 teaches that security design always starts from business intent and policy compliance, not purely technical or scope-based factors.

Why other options are incorrect:

C & D: Security design applies to all environments, not just multi-site or new deployments.

—

Policy-Based Routing (PBR) allows traffic from a specific source (172.16.2.0/24) to follow a user-defined path (via Singapore), overriding the default ECMP behavior.

This solution is optimal for traffic steering when granular control is required for specific prefixes while leaving the rest of the traffic to use default ECMP routes.

Why other options are incorrect:

B: Route summarization affects route advertisements, not traffic forwarding paths for specific prefixes.

C: Unequal-cost load balancing influences overall ECMP behavior, not source-based forwarding control.

D: Loop-Free Alternate (LFA) is for fast failover, not policy-based forwarding decisions.

—

A (Risk-based and adaptive access policies): After verifying user identity within a Zero Trust architecture, the next logical step is to apply continuous, adaptive risk-based policies that evaluate contextual factors (device posture, behavior, location, etc.) before granting access. This approach dynamically responds to threats such as phishing attacks by adjusting access permissions based on real-time risk.

Other options explained:

B/C/D: These are supporting mechanisms, but risk-based policies directly address dynamic attack mitigation.

To conserve IPv4 addresses and achieve fast convergence:

B: Using /31 subnets for point-to-point (P2P) links enables each link to consume only two IP addresses. This is widely supported and conserves address space.

C: A hub-and-spoke design with P2P links minimizes the number of neighbor relationships and simplifies routing convergence.

Other options:

A: Multipoint Metro-E introduces neighbor adjacency complexity and DR/BDR elections, which delay convergence.

D: Aggregation is more applicable to prefix summarization, not address conservation per link.

E: DR/BDR roles apply only in broadcast/multicast environments, not P2P links.

==========

Route Distinguishers (RDs) are fundamental to MPLS Layer 3 VPN architecture (RFC 4364). They allow the service provider to distinguish identical IP prefixes from different VPN customers by adding a unique identifier to each VPN route, preventing conflicts from overlapping IP spaces.

Unique RDs ensure that the VPNv4 address family maintains separation of identical customer prefixes.

Why other options are incorrect:

B: Route Targets control route import/export policy but do not differentiate overlapping prefixes.

C: NAT is not required inside MPLS VPN for overlapping IPs.

D: VRF IDs are local identifiers on routers; not relevant for prefix uniqueness in control plane.

—

A: Flow-based analysis allows understanding bandwidth usage across apps and sessions, crucial for voice/video capacity management.

C: Call management systems track CAC and call quality failures, key for voice/video troubleshooting.

D: Active synthetic probes proactively inject traffic to monitor loss, latency, and jitter under real-time conditions.

Why other options are incorrect:

B: Network convergence is not directly analyzed through call management tools.

E: Passive synthetic probes is not an accurate term; passive monitoring refers to analysis of real traffic flows, not synthetic tests.

F: PTP time-stamping is more applicable to clock synchronization, not regular voice/video performance monitoring.

Both FabricPath and TRILL are Layer 2 multipath technologies designed to eliminate spanning tree and allow for efficient forwarding across Layer 2 fabrics using routing techniques:

B (FabricPath permits active-active FHRP and TRILL supports anycast gateway):FabricPath (Cisco proprietary) integrates with vPC+ to allow active-active First Hop Redundancy Protocol (FHRP) operation at the access layer. This enables multiple default gateways to operate simultaneously, improving resiliency and utilization.TRILL (IEEE standard) uses anycast gateway functionality natively, where multiple switches share the same IP and MAC address for default gateway, allowing hosts to forward to any available gateway, providing active-active behavior at Layer 3.

Other options explained:

A: Incorrect — both FabricPath and TRILL are based on IS-IS for control plane operations; VXLAN is not part of TRILL.

C: Incorrect — both FabricPath and TRILL support ECMP (Equal Cost Multi-Path) to utilize multiple paths efficiently.

D: Incorrect — both technologies allow active-active forwarding at Layer 2.

This comparison highlights CCDE v3.1 design expertise in data center fabric architectures and control plane technologies.

Public cloud offers scalability, flexibility, and consumption-based pricing, which directly reduces capital expenditures (CAPEX) and minimizes operational burden (less IT staff needed for infrastructure maintenance).

Public cloud eliminates upfront hardware investments and shifts cost to predictable operational expenses.

Public cloud providers handle hardware maintenance, upgrades, and scalability, making it highly cost-effective for government agencies with fluctuating workloads.

Why other options are incorrect:

A: On-premises increases CAPEX and requires significant IT staff.

B: Private cloud reduces some OpEx but still requires infrastructure management and higher CAPEX.

D: Hybrid cloud increases complexity and operational costs.

—

B (Segment Routing): Allows traffic engineering and micro-segmentation across networks by steering traffic based on policies and labels.

D (Firewalls): Provide Layer 4-7 segmentation and security enforcement between segments.

Why other options are incorrect:

A: Policy-based routing influences forwarding, but is not a segmentation technology.

C: Data plane markings support QoS but do not create segmentation boundaries.

E: Filter lists are used in routing policy, not for full network segmentation.

—