Free Cisco 400-007 Practice Exam with Questions & Answers | Set: 8

Unicast Reverse Path Forwarding (uRPF)is a security feature that helps mitigate IP spoofing attacks. It checks whether the source of a packet received on an interface matches the best return path to that source in the routing table.

Strict Mode (C):Ensures the source IP address of a packet is reachable via the same interface on which the packet was received. This prevents forged source IP addresses from traversing the network, which is essential in defending against outbound DDoS attacks sourced from infected hosts.

Loose Mode (B):Only verifies that the source IP exists in the routing table (less strict), which might still allow spoofing in multi-homed or asymmetric environments.

uRPF strict mode is the best fit in secure environments with symmetric routing—commonly in enterprise edge or distribution layers.

==========

During massive BGP update events (such as after a topology change), a route reflector may struggle processing both BGP updates and the resulting TCP acknowledgments required for reliable BGP session communication.

Increasing the hold queue size allows the router to buffer more packets waiting for processing (including TCP acknowledgments), helping the router handle bursts of BGP updates without dropping TCP segments or tearing down sessions.

This queue tuning is a well-known scalability optimization in CCDE v3.1 when designing route reflector clusters handling large-scale control plane updates.

Why other options are incorrect:

B and C: Adjusting buffer sizes does not directly address TCP acknowledgment backlog.

D: Keepalive timers control session liveliness, not update processing.

—

B (Configure VXLAN VNID): Each VLAN being migrated must be mapped to a VXLAN VNID for integration into the EVPN fabric. This allows the legacy VLAN to participate in the VXLAN-based Layer 2 overlay and support host mobility.

Other options explained:

A: Pruning is not directly related to migration activation.

C/D: Type 2 routes (MAC/IP routes) and BGP advertisements happen automatically after proper VNID configuration.

B (Transport Mode in IPsec Phase II):When GRE is running over IPsec,IPsec Transport Modeis often preferred. In Transport Mode, only the payload (GRE encapsulated packet) is encrypted and authenticated, while the original IP header remains untouched. This eliminates redundant IP headers, avoiding duplicate addressing and reducing overhead — optimizing bandwidth efficiency across the Internet VPN.

GRE provides the tunneling function, while IPsec in Transport Mode secures the GRE-encapsulated traffic. Transport Mode is negotiated duringIPsec Phase II (Quick Mode), where actual data protection parameters are established.

Other options explained:

A:Phase I is for establishing secure channels, not for data encapsulation.

C:Tunnel Mode would encapsulate the entire packet (including GRE header), adding unnecessary additional IP headers in this GRE over IPsec design.

D:Tunnel Mode does not apply at Phase I — Phase I is only for IKE negotiation.

Reducing BGP keepalive and hold timers can help improve convergence but must be done carefully in provider-managed networks:

A: The service provider must agree to support modified timers on both PE and CE; otherwise, mismatched timer settings can break neighbor relationships.

C: The service provider may need to schedule configuration changes on PE routers to synchronize the timer adjustments and avoid service interruptions.

Why other options are incorrect:

B: Peer groups simplify policy application but do not impact BGP timers directly.

D: The number of routes affects convergence processing but not directly tied to timer adjustment.

E: The number of VRFs is a scalability consideration but unrelated to BGP timer negotiation.

—

B (IPFIX telemetry data):IPFIX provides detailed flow-level visibility, enabling identification of traffic patterns, data flows, and destinations. This data is critical for understanding current traffic behavior to identify governance gaps and improve policy compliance.

Other options explained:

A: Secure tunnels protect traffic but do not identify governance gaps.

C: Firewalls provide limited flow visibility compared to telemetry.

D: Workload policies enforce security but do not aid initial visibility analysis.

Data governance, especially for a national bank under EU regulations, is the most critical factor.

Regulations like GDPR restrict where and how sensitive data, particularly financial data, can be stored and processed.

Migrating data outside of EU jurisdictions without compliance could result in legal violations.

Why other options are incorrect:

B: Latency is important but secondary to regulatory compliance.

C: Security is always important but not the unique issue here.

D: Cloud connectivity is technical, not the primary legal concern.

—