Free Practice Questions for Cisco 400-007 Exam

Table Description automatically generated with medium confidence

In PIM Sparse Mode, when the Last-Hop Router (LHR) receives multicast traffic on the shared tree (*,G), it performs an RPF check based on the RP address, not the multicast source address. In the diagram:

The LHR has IGP cost 10 towards the RP.

The shared tree (*,G) uses RP as the RPF target.

Since multicast traffic on (*,G) arrives on the interface toward RP (correct RPF interface), the RPF check succeeds.

Therefore, the multicast traffic is successfully switched toward the receivers.

This behavior is fully aligned with CCDE v3.1 multicast design principles, which emphasize clear understanding of RPF behavior both on shared trees (*,G) and source trees (S,G).

Why other options are incorrect:

A: The RPF check is not performed against the source in (*,G); it uses RP.

B: RPF checks are always performed, even on (*,G).

D: RPF is unrelated to the receiver address.

The SDN architecture separates the control plane from the data plane. In this model, the SDN controller is the central element responsible for:

Receiving application intent via northbound APIs

Translating intent into traffic policies

Communicating with infrastructure devices using southbound APIs

The SDN controller enforces policies such as path selection, QoS, and access control rules across the network fabric, ensuring traffic flows align with administrator-defined logic. Neither northbound nor southbound APIs enforce policy themselves; they serve as communication interfaces.

The packet forwarding engine (Option A) simply performs data-plane functions based on instructions, but does not interpret or apply policies.

==========

The issue described is classic route flapping, where a single unstable prefix (10.1.5.0/24) causes repeated route withdrawals and advertisements, triggering churn in the BGP control plane across the entire network. This behavior can be mitigated using the following scalable and non-disruptive design approach:

D. Route Aggregation: Aggregating routes at the edge router (in this case, the LA router) means that multiple more specific prefixes (such as 10.1.4.0/24 through 10.1.7.0/24) are advertised as a single summarized prefix (e.g., 10.1.4.0/22). As a result, the instability of 10.1.5.0/24 will not affect upstream routers (Chicago and New York), as they will only see the aggregated route.

Key benefits aligned with CCDE v3.1 design guidance:

Isolates flapping to the edge while maintaining reachability

Reduces control plane churn in BGP

Preserves scalability and simplifies the routing table in upstream routers

Why other options are incorrect:

A (Route dampening): While effective, route dampening is less favored today due to convergence delay and side effects; it’s also a reactive measure versus a design-based solution.

B and C (Filtering): Filtering the route prevents reachability to that subnet, which violates availability requirements and causes data black-holing.

Thus, aggregation is the most scalable, nondisruptive, and design-aligned choice in this context.

B (Encrypt data when it is at rest and in motion): In hybrid cloud deployments, encryption is one of the most critical mechanisms to protect sensitive enterprise data both during storage (at rest) and while being transmitted (in motion). This ensures confidentiality and integrity across both private and public cloud environments.

Other options explained:

A: Using standard protocols is a general best practice but insufficient without encryption.

C: Communication of risks is part of compliance but does not enforce technical security.

D: Using standard protocols without encryption exposes data to risks.

—

In IPv6, routers advertise prefixes via Router Advertisement (RA) messages. An attacker could inject rogue RAs to manipulate the IPv6 configuration of endpoints.

Router Advertisement Guard (RA Guard) blocks unauthorized RA messages from being received on access ports, preventing endpoints from receiving incorrect IPv6 prefixes from malicious or misconfigured devices.

This security feature is crucial when devices have IPv6 enabled but the network is IPv4-only.

Other options explained:

A: Source Guard and Prefix Guard enforce valid address and prefix assignment but do not prevent RA spoofing directly.

C: Prefix Guard focuses on controlling prefixes being assigned, not blocking RA messages.

D: Secure Neighbor Discovery (SEND) provides cryptographic protection but is rarely deployed due to complexity.

B (OTV — Overlay Transport Virtualization): Allows Layer 2 extension across data centers while maintaining fault isolation by not extending STP across the WAN. Control plane handles MAC learning, which provides stability and loop avoidance between data centers.

Why other options are incorrect:

A: FabricPath is mainly for intra-data center Layer 2 fabric.

C: Advanced VPLS extends Layer 2 but carries STP across the WAN.

D: LISP operates at Layer 3, not for Layer 2 extension.

E: TRILL also focuses on intra-DC Layer 2 but not DCI fault isolation.

—