Free Practice Questions for Cisco 400-007 Exam

Zero Trust principles cover multiple domains:

A (Workload): Securing application workloads regardless of location.

C (Workplace): Securing user access to services across office, remote, or hybrid work models.

Zero Trust design ensures authentication, authorization, and policy enforcement at every access point for both users and applications.

Why other options are incorrect:

B, D, E: These terms are not recognized Zero Trust domains in CCDE or industry frameworks.

—

In a standard 3-tier data center architecture (access, aggregation, core), the Layer 2-to-Layer 3 boundary typically resides at the aggregation layer. When extending VLANs between data centers using a Layer 2 interconnection, the most optimal and scalable termination point is at the aggregation layer because:

It naturally handles VLAN demarcation and Layer 3 boundary.

Spanning Tree Protocol (STP) domains remain contained within local aggregation blocks.

The core remains Layer 3-only, ensuring scalability, stability, and no STP involvement.

Simplifies traffic engineering, FHRP operations, and minimizes control-plane complexity across sites.

This design is consistent with CCDE v3.1 best practice where VLAN extension is isolated to aggregation to avoid STP scaling issues and maintain hierarchical design principles.

Why other options are incorrect:

A: STP isolation can still be achieved at aggregation while keeping the core Layer 3.

C: Access layer extensions would increase STP scope and complexity unnecessarily.

D: Core termination violates Layer 3 core design, bringing STP into the core, which is not scalable.

B (Point-to-multipoint network type): OSPF point-to-multipoint allows the hub to see the DMVPN topology correctly without complex neighbor relationships.

E (Set spokes priority to 0): Ensures the hub always becomes DR, maintaining predictable OSPF adjacency behavior.

Other options explained:

A: Broadcast mode is inefficient and unnecessary in DMVPN designs.

C: Mixed network types complicate adjacency maintenance.

D: Manually setting the hub priority is redundant when spokes are at priority 0.

—

Ingress filtering (also known as uRPF or source address verification) prevents packets with spoofed source addresses from entering the network. By validating that incoming packets have legitimate source addresses (based on routing tables or prefix lists), ingress filtering directly blocks many spoofed DDoS attacks, which often rely on forged source IP addresses.

This principle is foundational in network security design per CCDE v3.1:

Stops source-spoofed attacks before they enter.

Protects critical infrastructure from volumetric and reflection/amplification attacks.

Forms part of secure edge design best practices.

Why other options are incorrect:

A: DSCP remarking relates to traffic classification, not spoof prevention.

C: Bogon classification isn't the main function of ingress filtering.

D: RFC 1918 filtering is a special policy but not the core function of ingress filtering.

—

Let’s calculate Total Cost of Ownership (TCO) for 24 months based on the table and given scaling requirements:

—

Metro Ethernet:

CAPEX = $45,000

Installation Fee = $5,000

OPEX = $125,000/year → $250,000 for 2 years

Total = 45,000 + 5,000 + 250,000 = $300,000

DWDM:

CAPEX = $250,000

Installation Fee = $30,000

OPEX = $100,000/year → $200,000 for 2 years

Total = 250,000 + 30,000 + 200,000 = $480,000

CWDM:

CAPEX = $150,000

Installation Fee = $25,000

OPEX = $100,000/year → $200,000 for 2 years

Total = 150,000 + 25,000 + 200,000 = $375,000

MPLS:

CAPEX = $50,000

Installation Fee = $75,000

OPEX = $150,000/year → $300,000 for 2 years

Total = 50,000 + 75,000 + 300,000 = $425,000

—

Metro Ethernet clearly results in the lowest total cost while meeting dual 10G and scalable growth to 20 connections due to its simple provisioning and operational flexibility.

This approach fully aligns with CCDE v3.1 business-driven cost modeling principles: balancing cost, scalability, and operational simplicity.

Why other options are incorrect:

B, C, D: All are more expensive after full 2-year calculation for the required scale.

—

Agile project management supports:

Frequent updates and iterative feedback loops

Flexibility to accommodate evolving requirements

Continuous customer collaboration and transparency

This methodology is ideal for projects where scope may shift and customer involvement is essential. In contrast:

Waterfall is linear and rigid

Phased delivery segments milestones but limits change midstream

“Three principles” is not a recognized methodology in this context

Agile aligns with modern IT deployment models and is supported in CCDE methodology as a business-aligned and adaptive design execution strategy.

SD-WAN integrates multiple underlay transport options (Internet, MPLS, LTE) while delivering advanced features like DPI (Deep Packet Inspection), SLA monitoring, QoS, encryption, scalability, and centralized management.

It provides policy-based path selection, cost optimization, and rapid deployment.

SD-WAN is widely regarded as a modern WAN design solution fully aligned with CCDE v3.1 design principles for cost-effective and flexible WAN architectures.

Why other options are incorrect:

B: Internet alone cannot deliver consistent SLA or QoS guarantees.

C: Hybrid MPLS + Internet may work but is more complex and costly; SD-WAN natively supports such hybrid models.

D: MPLS offers SLAs but lacks flexibility, DPI, and cost-effectiveness compared to SD-WAN.

—

PortFast is a feature that allows access ports to enter the STP forwarding state immediately, without waiting for the usual listening and learning states. This accelerates the connection of end devices like PCs or servers.

A key design benefit is that PortFastdoes not trigger topology changeswhen devices are plugged in or disconnected. This prevents unnecessary STP recalculations and protects core stability.

Correct Statement (A):STP does not consider link transitions on PortFast-enabled ports as topology changes, reducing control-plane overhead.

Other options misrepresent the function of PortFast:

B:PortFast does not disable STP; it bypasses specific STP states.

C/D/E/F:These describe other features like Loop Guard or UDLD, not PortFast.

==========

Data governance, especially for a national bank under EU regulations, is the most critical factor.

Regulations like GDPR restrict where and how sensitive data, particularly financial data, can be stored and processed.

Migrating data outside of EU jurisdictions without compliance could result in legal violations.

Why other options are incorrect:

B: Latency is important but secondary to regulatory compliance.

C: Security is always important but not the unique issue here.

D: Cloud connectivity is technical, not the primary legal concern.

—

The Host Subinterface in Control Plane Protection (CPPr) protects traffic destined to the router itself (e.g., routing protocols, management traffic).

This is critical in preventing DoS or CPU exhaustion attacks targeting control plane services directly.

Why other options are incorrect:

B: Main interface refers to the global control plane policy but lacks the granularity.

C: Transit subinterface protects transit traffic handled by the forwarding plane.

D: CEF-exception handles non-IP or exception traffic, not regular control plane IP traffic.

—