Pass the Cisco CCDE v3.0 | CCDE 400-007 Questions and answers with ValidTests

Encrypting data at rest and in transit is a fundamental best practice to ensure end-to-end data security.

It protects sensitive data both while stored (disk, database) and while moving across networks.

Why other options are incorrect:

A: IPsec secures specific tunnels, but isn’t a complete private cloud solution.

C: Vendor consistency doesn’t guarantee best practice.

D: Anonymization supports privacy but is not a core security best practice for data security.

—

B (Encrypt data when it is at rest and in motion): In hybrid cloud deployments, encryption is one of the most critical mechanisms to protect sensitive enterprise data both during storage (at rest) and while being transmitted (in motion). This ensures confidentiality and integrity across both private and public cloud environments.

Other options explained:

A: Using standard protocols is a general best practice but insufficient without encryption.

C: Communication of risks is part of compliance but does not enforce technical security.

D: Using standard protocols without encryption exposes data to risks.

—

A (EoMPLS): Ethernet over MPLS can operate at Layer 2, and MACsec can encrypt traffic before entering the MPLS core.

E (KVPLS): Supports MACsec encryption for Layer 2 DCI services over VPLS solutions.

Why other options are incorrect:

B: MPLS L3 VPN operates at Layer 3, not suitable for MACsec (L2 encryption).

C: DMVPN uses IPsec, not MACsec.

D: GET VPN uses IPsec for L3 traffic encryption.

—

Mutual redistribution between different routing protocols can cause routing loops and suboptimal routing due to:

Route feedback loops (routes being re-imported back into the originating protocol).

Inconsistent administrative distances (AD) leading to selection of suboptimal paths.

Two key mechanisms avoid these issues:

A. Administrative Distance (AD) manipulation: Ensures that one protocol is consistently preferred over the other when duplicate routes exist.

C. Route tagging: Assigns tags to redistributed routes to identify the source of the route and prevent re-importation (looping) into the originating protocol.

These methods align with CCDE v3.1 principles for multi-protocol control plane design and stability.

Why other options are incorrect:

B & F: Matching routes or process IDs do not directly prevent loops or suboptimal routing.

D is a duplicate of C.

E: Filtering helps but is reactive, not a comprehensive prevention mechanism.

—

C (Class-Based Weighted Fair Queuing - CBWFQ): CBWFQ allows assigning bandwidth limits (in this case, 2 Mbps) to specific traffic classes, effectively controlling scavenger traffic without dropping excess packets unnecessarily.

Other options explained:

A: Policing drops excess traffic immediately rather than queuing.

B: LLQ is for delay-sensitive traffic, not scavenger control.

D: Shaping is useful but typically applied at interface level, not specific traffic classes.

A (Additional host routes):Spoke-to-spoke dynamic tunnels in DMVPN phase 3 result in OSPF populating routing tables with multiple /32 host routes for each spoke-to-spoke tunnel, which can impact scalability and routing table size.

Other options explained:

B: Priority changes not typically required.

C: Split-horizon issue is solved in DMVPN phase 3.

D: Spokes dynamically register with the hub; no manual spoke IP configuration needed.

A (Policy-based routing):Allows classification of traffic based on source, destination, or protocol and applies forwarding policies accordingly, such as sending VoIP over MPLS and best-effort traffic over either link. PBR operates in fast-path switching modes to avoid process switching if properly configured.

Other options explained:

B: Virtual links relate to OSPF, not traffic steering.

C: Visualization is not a network forwarding technology.

D: Floating static routes select one link for all traffic, not per-traffic-type control.

In IPv6, routers advertise prefixes via Router Advertisement (RA) messages. An attacker could inject rogue RAs to manipulate the IPv6 configuration of endpoints.

Router Advertisement Guard (RA Guard) blocks unauthorized RA messages from being received on access ports, preventing endpoints from receiving incorrect IPv6 prefixes from malicious or misconfigured devices.

This security feature is crucial when devices have IPv6 enabled but the network is IPv4-only.

Other options explained:

A: Source Guard and Prefix Guard enforce valid address and prefix assignment but do not prevent RA spoofing directly.

C: Prefix Guard focuses on controlling prefixes being assigned, not blocking RA messages.

D: Secure Neighbor Discovery (SEND) provides cryptographic protection but is rarely deployed due to complexity.

A: Flow-based analysis allows understanding bandwidth usage across apps and sessions, crucial for voice/video capacity management.

C: Call management systems track CAC and call quality failures, key for voice/video troubleshooting.

D: Active synthetic probes proactively inject traffic to monitor loss, latency, and jitter under real-time conditions.

Why other options are incorrect:

B: Network convergence is not directly analyzed through call management tools.

E: Passive synthetic probes is not an accurate term; passive monitoring refers to analysis of real traffic flows, not synthetic tests.

F: PTP time-stamping is more applicable to clock synchronization, not regular voice/video performance monitoring.

When unmanaged switches are connected to access ports, there's a risk that they may start participating in Spanning Tree Protocol (STP) or introduce loops. BPDU Guard is the most effective mechanism to mitigate this risk:

BPDU Guard disables a port immediately upon receiving any BPDU, ensuring that only end hosts (non-switch devices) are connected to access ports.

This protects the stability of the STP topology by preventing accidental or malicious introduction of switches into the Layer 2 domain.

Other options explained:

A (PortFast): Accelerates port transition to forwarding state but does not protect against loops caused by BPDUs.

B (UDLD): Detects unidirectional physical link failures but not STP participation.

C (Root guard): Prevents the connected device from becoming a root bridge but still allows BPDUs.

—

B: In transparent mode, the firewall operates at Layer 2 and can participate in STP to avoid loops.

C: Multicast traffic can traverse the firewall if allowed through transparent bridging rules.

Why other options are incorrect:

A: Transparent mode requires no change to IP addressing.

D: Transparent firewalls do not form routing adjacencies.

E: Routed mode firewalls operate at Layer 3; transparent mode does not insert router hops.

—

Inbound traffic engineering is best controlled by manipulating how external ASes view your routes.

AS path prepending on the 91.7.0.0/16 prefix towards AS 200 makes AS 500 prefer the less-prepended path through AS 100.

This allows granular inbound control for that specific prefix while leaving the rest of the traffic unchanged.

Why other options are incorrect:

B: Extended community is not used for direct inbound path manipulation.

C: Local preference affects outbound traffic, not inbound path selection by remote ASes.

D: MED is only compared between the same AS; it won't affect AS 500's choice.

—

PIM-SSM (Source-Specific Multicast) is optimized for multicast delivery directly via Shortest Path Tree (SPT) only.

SSM eliminates the need for shared trees (RPs), simplifies the control plane, and avoids rendezvous points altogether.

This design is highly scalable in multidomain and IPv6 environments, fully aligned with CCDE v3.1 best practices for modern multicast deployments.

Why other options are incorrect:

A: PIM-DM floods traffic initially, not SPT-based.

B: PIM-SM uses shared trees first and may switch to SPT later.

D: Bidir-PIM uses shared trees exclusively, not SPT.

—

This scenario describes a centralized control mechanism where:

The SDN controller learns the network topology using BGP Link-State (BGP-LS).

The controller installs control-plane policies using protocols like PCEP or BGP.

Policies are pushed centrally and result in new RIB entries at the routers.

This is the hallmark of a centralized SDN architecture:

The controller has a global view and decision-making logic.

Routers remain relatively simple in the control plane and act on instructions.

This aligns with CCDE v3.1 under the “Technology Comparisons and Use Cases” topic, where SDN models are compared:

Centralized SDN (controller-driven)

Distributed SDN (traditional)

Hybrid (a blend of both, which is not represented here)

==========

When logical VRF separation is based on fields like IP address ranges or packet characteristics (such as packet length), the most scalable solution is:

Policy-Based Routing (PBR): This allows traffic to be classified and forwarded into the correct VRF based on flexible match conditions like source IP address, destination IP address, or packet size.

Why other options are incorrect:

A: Static route leaking lacks flexibility and scalability for dynamic classification.

C: OSPF per VRF handles control-plane separation, but not data-plane traffic classification.

D: MP-BGP is used for control-plane VPN route exchange, but not for VRF selection based on traffic attributes.

—