Cisco 400-007 - Cisco Certified Design Expert (CCDE v3.1)

🟦 QUESTION NO: 374 [Business-Driven Design Approaches]

Organic growth or decline affects network demands over time. Which tool helps in designing and operationalizing networks under changing conditions?

A. Change management

B. Modularity

C. Mobility

D. Monitoring

Answer: B

🔍 Explanation:

B: Modularity is a core principle of scalable network design. It allows the network to grow or shrink in response to organic changes in business demand, supporting agility, easier management, and minimal disruption during change.

Other options:

A: Change management is about documenting and approving changes—not a design principle.

C: Mobility refers to user/device flexibility, not structural adaptability.

D: Monitoring detects changes but doesn’t help design the network.

==========

🟦 QUESTION NO: 375 [Protocol Design Implications]

Company XYZ uses OSPF over redundant paths. What effect does BFD have during a link failure?

A. It would drop the dead peer detection time to a single hello

B. It would keep an alternate path ready in case of a link failure

C. It would optimize the route summarization feature of OSPF

D. It would detect that the neighbor is down in a subsecond manner

Answer: D

🔍 Explanation:

D: BFD (Bidirectional Forwarding Detection) provides subsecond failure detection that is significantly faster than standard OSPF dead timers. When integrated with OSPF, it enables rapid neighbor failure detection, thus speeding up convergence.

Other options:

A: “Single hello” is not a valid BFD metric.

B: BFD does not influence path availability—it only detects failures quickly.

C: BFD doesn’t interact with summarization.

🟦 QUESTION NO: 376 [Security, Automation, and Policy Integration in Design]

What two elements are critical for security and compliance in hybrid cloud environments? (Choose two)

A. Cloud integration and data security

B. Tighter controls based on dynamic policy enforcement

C. Security event and data interoperability

D. Flexible controls based on policy application

E. Orchestration and cross-cloud access security

Answer: C, E

🔍 Explanation:

C: Security event and data interoperability ensures that logs, alerts, and policies can be analyzed across different platforms (private and public clouds), which is vital for compliance and response.

E: Hybrid clouds require secure orchestration across multiple cloud domains, including federated identity, access control, and monitoring across cloud boundaries.

Other options:

A: Too broad; integration is not specific to security/compliance.

B and D: These relate to policy enforcement but don’t directly address interoperability or compliance across multiple clouds.

==========

🟦 QUESTION NO: 377 [Security, Automation, and Policy Integration in Design]

To protect against future perimeter breaches, which two design options can help? (Choose two)

A. Microzoning

B. Segmentation

C. Domain fencing

D. Virtualization

E. Microperimeters

Answer: B, E

🔍 Explanation:

B: Segmentation isolates network zones (e.g., separating finance from guest access), limiting lateral movement after a breach.

E: Microperimeters apply security controls closer to the application or workload, providing granular control and defense in depth.

Other options:

A: Microzoning is not a widely defined or standard practice in network security.

C: Domain fencing is not a standard security term or methodology.

D: Virtualization is a technology, not a security architecture.

🟦 QUESTION NO: 378 [Network Architecture Principles]

A customer is migrating from a traditional Layer 2 data center to a VXLAN spine-leaf SDN architecture. Applications cannot be readdressed, and migration must occur incrementally. How should the legacy and new networks be connected?

A. via Layer 3 links to border leaf switches

B. via a Layer 2 trunk and Layer 3 routed links to border leaf switches

C. via a Layer 2 trunk and Layer 3 routed links to spine switches

D. via a Layer 2 trunk to border leaf switches

Answer: D

🔍 Explanation:

D: A Layer 2 trunk to the border leaf allows seamless VLAN extension between the legacy Layer 2 domain and the VXLAN-based fabric. This supports application migration without readdressing. Border leaf switches are used to bridge the traditional and VXLAN segments while maintaining MAC learning and VLAN consistency.

Incorrect Options:

A and B: Layer 3 links alone would require readdressing or routing, violating the constraint.

C: Spine switches typically do not handle VLAN bridging or policy enforcement directly.

==========

🟦 QUESTION NO: 379 [Business-Driven Design Approaches]

Scrum and Kanban are Agile methodologies. In which two scenarios is Kanban more appropriate? (Choose two)

A. acquisition of automation tools

B. carrier lead times

C. network configuration design

D. physical hardware deployment

E. logical topology deployment

Answer: B, D

🔍 Explanation:

B: Kanban is suited for environments with variable lead times, such as carrier provisioning, where tasks arrive irregularly and are processed continuously.

D: Physical hardware deployment is dependent on availability and external logistics—Kanban helps manage such workflows where task durations are less predictable.

Incorrect Options:

A: Tool acquisition is typically a one-off project rather than a workflow suited for Kanban.

C and E: These are better suited for Scrum when planning sprints and structured deployments.

==========

🟦 QUESTION NO: 380 [Security, Automation, and Policy Integration in Design]

The network has high CPU usage due to excessive inbound traffic impacting the control and management planes. What should be implemented?

A. control plane policing

B. deep interface buffers

C. TCAM carving

D. modular QoS

Answer: A

🔍 Explanation:

A: Control Plane Policing (CoPP) protects the control plane by rate-limiting or dropping unnecessary or malicious traffic destined for the CPU. This is essential in preventing routing and management plane starvation under high traffic conditions.

Incorrect Options:

B: Deep buffers help in data plane congestion, not control plane CPU usage.

C: TCAM carving relates to hardware forwarding table allocations, not CPU protection.

D: Modular QoS is valuable for traffic shaping but not specific to control plane protection.

A: On most hardware platforms, control plane protection is implemented in hardware to safeguard CPU resources from overload due to excessive control traffic.

E: Control plane policing must be carefully sized to allow sufficient protocol traffic (OSPF, BGP, etc.) during normal and convergence periods to ensure stability.

Why other options are incorrect:

B: Policing should be applied universally, not just on external interfaces.

C: False alarms are operational issues but not design considerations.

D: Control plane policers are applied after forwarding decisions for traffic destined to the router CPU.

—

In this architecture:

A secure web proxy is introduced to inspect and filter all web (HTTP/HTTPS) traffic.

Remaining traffic (non-web) must pass through an NGFW with IPS capabilities.

Both the web proxy and NGFW reside between the collapsed distribution/core and internet edge.

To enforce that all web traffic is directed to the proxy appliance for inspection and non-web traffic follows its usual path to the NGFW:

A. Policy-Based Routing (PBR) on the Collapsed Core

This allows traffic classification based on destination port (e.g., TCP 80/443) and selectively reroutes web traffic to the proxy. Non-web traffic continues toward the NGFW. PBR is essential here because traditional routing (based only on destination IP) would not differentiate between traffic types.

D. Static Routing on the Appliance

The proxy appliance must return the traffic back toward the NGFW for final processing and internet egress. This is typically achieved using static routes on the proxy device, ensuring the return path sends packets back to the correct firewall interface for consistent inspection.

❌ B. Policy-based routing on the internet edge: Not applicable here, as rerouting must occur closer to the source (collapsed core), before traffic reaches the internet edge.

❌ C. Policy-based routing on firewalls: This adds unnecessary complexity. Firewalls should focus on enforcing security policies, not traffic redirection logic in this scenario.

This approach adheres to CCDE v3.1 best practices by separating policy enforcement functions and enabling scalable, deterministic traffic flow through layered security appliances.

SNMPv1 and SNMPv2c use plaintext community strings and lack built-in encryption or authentication, making them vulnerable to various attacks, including spoofing and message tampering. SNMPv3 addresses these weaknesses by introducing:

Authentication (to prevent impersonation or " masquerade " )

Encryption (privacy)

Message integrity

“Masquerade threats” involve an attacker pretending to be a trusted source, which SNMPv3 can prevent via cryptographic authentication mechanisms.

Although SNMPv3 does provide improved security features like integrity and privacy, it is not specifically designed to mitigate volumetric attacks like DDoS or dictionary brute-force. SNMPv3 does not inherently stop man-in-the-middle attacks unless secure key exchanges and trusted paths are fully enforced, which may require additional protocols.

==========

Ingress filtering (also known as uRPF or source address verification) prevents packets with spoofed source addresses from entering the network. By validating that incoming packets have legitimate source addresses (based on routing tables or prefix lists), ingress filtering directly blocks many spoofed DDoS attacks, which often rely on forged source IP addresses.

This principle is foundational in network security design per CCDE v3.1:

Stops source-spoofed attacks before they enter.

Protects critical infrastructure from volumetric and reflection/amplification attacks.

Forms part of secure edge design best practices.

Why other options are incorrect:

A: DSCP remarking relates to traffic classification, not spoof prevention.

C: Bogon classification isn ' t the main function of ingress filtering.

D: RFC 1918 filtering is a special policy but not the core function of ingress filtering.

—

C. Fragment data packets: On slow WAN links, large data packets can delay small voice packets (serialization delay). Fragmentation ensures that voice packets are interleaved and not delayed behind large data frames (Link Fragmentation and Interleaving - LFI).

E. Prioritize voice packets: QoS mechanisms (LLQ, priority queuing) ensure that voice traffic is serviced first, reducing jitter and delay.

These are both critical QoS design principles for real-time application performance in constrained branch WAN scenarios, as outlined in CCDE v3.1.

Why other options are incorrect:

A: Increasing bandwidth may help but doesn’t address serialization or prioritization.

B: Memory upgrades do not directly improve voice quality.

D: Fiber upgrades do not address WAN-specific serialization or QoS.

In OSPF, a ring topology typically converges more slowly because:

Link failures can create longer SPF recalculations as alternate paths are fewer.

Only one alternate path usually exists for each link failure, extending the time needed for failure detection and SPF recalculation.

CCDE v3.1 stresses that designs like full mesh or triangulated topologies provide faster convergence due to multiple available alternate paths, which reduce SPF computation complexity.

Why other options are incorrect:

A, D, E: These topologies provide multiple paths.

B: Full mesh offers immediate redundancy for any failure.

—