Cisco 400-007 CCDE Exam Questions Instant Access

Question 1

Refer to the exhibit.

Company XYZ must design a DMVPN tunnel between the three sites. Chicago is going to act as the NHS, and the company wants DMVPN to detect peer endpoint failures. Which technology should be used in the design?

AVPLS

BIP SLA

CGRE

DL2TPv3

Answer : B

In a DMVPN (Dynamic Multipoint VPN) design:

One site (here, Chicago) functions as the Next Hop Server (NHS), which facilitates dynamic spoke-to-spoke tunnel establishment.

DMVPN is based on multipoint GRE tunnels combined with NHRP (Next Hop Resolution Protocol).

The ability to detect remote tunnel endpoint failures is essential for reliable routing convergence and tunnel restoration.

While GRE (Option C) is the encapsulation mechanism used in DMVPN, it does not inherently provide failure detection. Likewise, VPLS and L2TPv3 are Layer 2 VPN technologies and not applicable in DMVPN design.

To meet the requirement of peer failure detection, the correct mechanism is:

B . IP SLA (Service-Level Agreement): This is a feature that actively monitors the health and reachability of tunnel endpoints through periodic probes (e.g., ICMP echo). When the peer becomes unreachable, routing protocol adjacencies can be withdrawn, and alternate paths selected.

Using IP SLA in a DMVPN design helps detect endpoint failure scenarios such as:

A spoke going down unexpectedly

Loss of return traffic

Partial link failures

This design pattern is aligned with CCDE v3.1 'Protocol Design Implications', emphasizing resiliency, fault detection, and efficient routing convergence in overlay VPN designs like DMVPN.

Question 2

What are two design constraints in a standard spine and leaf architecture? (Choose two.)

ASpine switches can connect to each other.

BEach spine switch must connect to every leaf switch.

CLeaf switches must connect to each other.

DEndpoints connect only to the spine switches.

EEach leaf switch must connect to every spine switch.

Answer : B, E

B (Spine must connect to every leaf):Spine-and-leaf designs require full mesh connectivity between spines and leaves to ensure consistent low-latency, non-blocking performance.

E (Leaf must connect to every spine):Each leaf switch must connect to all spine switches to guarantee even load distribution and fault tolerance.

Other options explained:

A: Spine switches should not connect to each other in standard spine-and-leaf designs.

C: Leaf switches do not connect to each other directly.

D: Endpoints connect to leaf switches, not spines.

Question 3

When constraint-based routing is under consideration to be added to a network design, what are two inherent characteristics or impacts that must be considered? (Choose two)

Abetter network utilization

Bstability in the route table

Chigh computation overhead

Dsmaller routing table size

Eless resources than the shortest path

Answer : A, C

Question 4

A network consists of multiple planes where each plane represents a different area of network operations and cames different types of network traffic Which two statements describe the concepts of assurance in the context of control planes? (Choose two.)

AIt is responsible for collecting analyzing, and enforcing policies based on observed data

BIt primarily deals with configuring system access and network traffic flow policies

CIt focuses on gathering and analyzing metrics, logs, and traces to infer the health of systems

DIt executes predefined policies and forwards network traffic

EIt is the ability to ensure system compliance and reliability under specified conditions

Answer : A, E

Question 5

Which two factors must be considered while calculating the Recovery Time Objective (RTO)? (Choose two)

AImportance and priority of individual systems

BMaximum tolerable amount of data loss that the organization can sustain

CCost of lost data and operations

DHow often backups are taken and how quickly these can be restored

ESteps needed to mitigate or recover from a disaster

Answer : A, C

A: RTO depends on how critical the system is. More critical systems require shorter recovery times.

C: The business impact of downtime (cost of operational loss) drives the acceptable RTO for systems.

Incorrect options:

B: This refers to Recovery Point Objective (RPO), not RTO.

D: Backup frequency aligns with RPO; restore speed can influence RTO but isn't a direct calculation input.

E: Mitigation steps are part of disaster recovery planning---not direct RTO calculation.

==========

Question 6

During initial preparations to deploy 802 1x for wired access to their network, a company must ensure that the solution complies with existing internal security policies These policies mandate that every Auth C/Auth Z request must be protected by a tunnel which authenticates both server and clients using their PKI AI the same time, the user authentication phase must be independent of the tunnel Which scheme meets the requirements?

AEAP-MDS

BEAP-Fast

CEAP-MSCHAPv2

DPEAP

Answer : B

Question 7

Which three items do you recommend for control plane hardening of an infrastructure device? (Choose three.)

Aredundant AAA servers

BControl Plane Policing

Cwarning banners

Dto enable unused services

ESNMPv3

Frouting protocol authentication

Answer : A, B, F

A (Redundant AAA servers): Protects control plane authentication services from becoming a single point of failure.

B (Control Plane Policing): Limits and controls control plane traffic to prevent CPU exhaustion attacks (DoS, reconnaissance).

F (Routing protocol authentication): Ensures control plane integrity by validating peer identity and preventing spoofed routing updates.

Why other options are incorrect:

C: Warning banners are part of management plane policies.

D: Enabling unused services weakens security posture.

E: SNMPv3 protects management plane, not control plane directly.

---

Cisco Certified Design Expert CCDE v3.1 400-007 CCDE Exam Questions