Cisco 400-007 - Cisco Certified Design Expert (CCDE v3.1)

A (Establish visibility and behavior modeling):After discovering applications, Zero Trust design requires baseline visibility into traffic flows, system behavior, and interaction patterns. This modeling allows for the design of effective microsegmentation and policy enforcement.

Other options explained:

B: Policy enforcement comes after visibility and modeling.

C: Health assessment is a continuous activity but not the next step.

D: Trust assessment is part of the initial Zero Trust design, not specifically after discovery.

A (MSDP - Multicast Source Discovery Protocol):MSDP allows different autonomous systems to share multicast source information while maintaining their own PIM Sparse Mode domains. It simplifies interdomain multicast routing without requiring full mesh peering or shared RPs between domains.

Other options explained:

B: SSM does not require MSDP but limits use to source-specific groups.

C: MPLS is a transport technology, not multicast control-plane solution.

D: PIM-SM is used within a domain, not across multiple autonomous systems.

To achieve sub-50ms protection against both link and node failures, MPLS TE Fast Reroute (FRR) with Next-Next-Hop (NNHop) protection is used:

Next-Next-Hop tunnels provide node protection by pre-establishing a detour that bypasses not only the immediate next-hop link but also the entire next node.

This ensures protection for both link and node failures, matching SONET/SDH resiliency targets.

Other options explained:

A and C: TE backup and FRR backup tunnels may only provide link protection depending on deployment.

B: Next-Hop tunnels address only link failures, not node failures.

B: Setting a higher minimum data rate reduces airtime consumption from low-speed clients, improving overall capacity.

D: Utilizing 5 GHz reduces contention on the heavily congested 2.4 GHz band, allowing better spectral efficiency in high-density environments.

Why other options are incorrect:

A: 2.4 GHz only supports 3 non-overlapping channels; 4-channel design introduces interference.

C: Excessive SSIDs increase management overhead and beacon traffic.

E: Channel bonding in 2.4 GHz is discouraged in high-density deployments due to channel overlap and interference.

—

B (Software as a Service - SaaS):SaaS provides end users with complete applications hosted and managed by third-party providers, accessed via web interfaces.

Other options explained:

A: PaaS provides platforms for application development, not complete applications.

C: IaaS provides compute/storage resources but not full applications.

D: WaaS (Workspace as a Service) is a niche model, not generally used as standard SaaS definition.

In an IS-IS design, placing the Level-1/Level-2 (L1/L2) boundary at the core limits the extent of the flooding domain, improving scalability and stability.

By limiting Level-2 flooding to the core, instability or frequent changes in the access/distribution layers (typically Level-1) do not impact the core.

The core remains stable, while routing changes are isolated within the Level-1 domains.

Other options explained:

A: Overlapping domains are not a design objective.

B: This has no direct impact on Layer 1 complexity.

C: IS-IS design must match topology hierarchy; this is not universally applicable.

—

In Cisco SD-Access architecture, fabric-enabled wireless APs connect to the network usingCAPWAPfor control, but their data plane is integrated into thefabric overlayusingVXLAN (Virtual Extensible LAN).

VXLANis the data plane encapsulation used between fabric nodes, including wireless APs that are part of the SD-Access fabric.

WhileCAPWAP (E)remains in use for management and control communication between the AP and wireless LAN controller (WLC), actual user traffic is encapsulated in VXLAN for fabric forwarding.

This separation of control and data plane ensures seamless mobility, segmentation, and policy enforcement within the SD-Access fabric.

The goal is to prevent AS 111 from being used as a transit AS.

The most effective method is to use an AS path access list to filter outbound BGP advertisements, allowing only prefixes originated from AS 111 (AS path contains only AS 111).

This ensures AS 111 only advertises its own prefixes and does not forward third-party prefixes between providers.

Why other options are incorrect:

A: AS-set is used for aggregation, not for transit prevention.

B: Local preference controls outbound path selection, not advertisement or transit.

D: Prefix list on inbound filters received prefixes, but does not prevent transit.

—