Cisco 400-007 - Cisco Certified Design Expert (CCDE v3.1)

IaaS (Infrastructure as a Service) provides virtualized compute, storage, and networking resources.

The enterprise manages the OS, applications, and middleware, while the cloud provider manages the underlying hardware and virtualization.

This directly addresses hardware issues while allowing control over proprietary applications and OS management.

Why other options are incorrect:

A: SaaS delivers fully managed applications, no control over OS.

B: PaaS abstracts even the OS layer; limited control for proprietary needs.

D: Hybrid is a deployment model, not a cloud service type.

In this scenario, the application itself duplicates data transmission across two separate NICs on Host A, with the intention that at least one copy will reach Host B, regardless of any single path or link failure. While this increases redundancy at the application and host level, the underlying network must also support rapid failure recovery to avoid packet loss during convergence events.

Among the options provided:

A. EIGRP with feasible successors provides pre-computed backup routes but still requires routing protocol convergence upon failure, which could result in millisecond-scale interruption—enough to cause data loss if packets are in transit.

B. BFD (Bidirectional Forwarding Detection) offers rapid detection of link failures, but by itself does not provide traffic redirection or packet protection; it simply informs the routing protocol faster.

D. Static routes lack dynamic convergence capabilities and would not offer high availability across dynamic failure points unless manually configured with tracking—still less responsive and scalable.

C. IP Fast Reroute (IP FRR) is specifically designed to offer sub-50ms convergence time by pre-installing backup paths in the forwarding plane. Upon detecting a failure, traffic is immediately switched to the pre-computed alternate path without waiting for the routing protocol to reconverge. This ensures minimal disruption and best supports lossless delivery for high-availability applications.

IP FRR is consistent with CCDE v3.1 design principles where sub-second convergence and resiliency are critical in mission-critical enterprise and data center architectures.

B (Transport Mode in IPsec Phase II):When GRE is running over IPsec,IPsec Transport Modeis often preferred. In Transport Mode, only the payload (GRE encapsulated packet) is encrypted and authenticated, while the original IP header remains untouched. This eliminates redundant IP headers, avoiding duplicate addressing and reducing overhead — optimizing bandwidth efficiency across the Internet VPN.

GRE provides the tunneling function, while IPsec in Transport Mode secures the GRE-encapsulated traffic. Transport Mode is negotiated duringIPsec Phase II (Quick Mode), where actual data protection parameters are established.

Other options explained:

A:Phase I is for establishing secure channels, not for data encapsulation.

C:Tunnel Mode would encapsulate the entire packet (including GRE header), adding unnecessary additional IP headers in this GRE over IPsec design.

D:Tunnel Mode does not apply at Phase I — Phase I is only for IKE negotiation.

PortFast is a feature that allows access ports to enter the STP forwarding state immediately, without waiting for the usual listening and learning states. This accelerates the connection of end devices like PCs or servers.

A key design benefit is that PortFastdoes not trigger topology changeswhen devices are plugged in or disconnected. This prevents unnecessary STP recalculations and protects core stability.

Correct Statement (A):STP does not consider link transitions on PortFast-enabled ports as topology changes, reducing control-plane overhead.

Other options misrepresent the function of PortFast:

B:PortFast does not disable STP; it bypasses specific STP states.

C/D/E/F:These describe other features like Loop Guard or UDLD, not PortFast.

==========

B (Separation of infrastructure and policy):SD-WAN decouples policy control from the underlying transport.

C (Simpler policy-based forwarding):Centralized controllers dynamically steer traffic according to application policies with less complexity than traditional QoS in MPLS.

Other options explained:

A: FEC (Forward Error Correction) is typically not used in standard SD-WAN implementations.

D: SD-WAN does not unify WAN backbones; it abstracts multiple underlays.

E: Both MPLS and SD-WAN have failure management, but SD-WAN focuses more on dynamic path control than simply backup links.

Comprehensive and Detailed Explanation:

B: The IPsec anti-replay mechanism protects against packet injection and replay attacks by rejecting packets outside the anti-replay window. Increasing the anti-replay window (e.g., to 4096) allows legitimate packets with slightly reordered or delayed sequence numbers to be accepted—especially critical during bursts or with asymmetric paths.

Other options:

A: QoS marking does not prevent replay.

C: Tunnel keyword restrictions don ' t address replay attacks.

D: Shaping affects traffic rate, not sequence validation.