50 Cisco Certified Design Expert (CCDE) Practice Questions: Question Bank 2025

An enterprise is redesigning its WAN edge to support multiple transports (MPLS and Internet) while keeping branch complexity low. The requirement is to steer voice over the most predictable path and bulk traffic over the cheapest available path, with fast convergence during brownouts. Which design approach best meets these goals?

A campus distribution block is built with two distribution switches providing Layer 2 to access. The design must minimize STP impact, limit failure domains, and provide deterministic default-gateway behavior for access VLANs. Which design is most appropriate?

A service provider edge is dual-homed to a customer running BGP. The customer wants to influence inbound traffic so that most inbound traffic enters via Link A, while retaining Link B for failover. Which customer-side technique is generally the most effective when both links connect to the same upstream AS and the provider honors the attribute?

A global enterprise uses OSPF as its IGP. During a major link failure between two regions, the network experiences excessive LSA flooding and CPU spikes on multiple routers. The design goal is to contain topology changes within a region and reduce control-plane churn in the core. Which design change best addresses this?

An organization is migrating from a flat VLAN design to an EVPN-VXLAN fabric in the data center. A key requirement is multi-tenancy with overlapping IP spaces and the ability to stretch selected VLANs/segments between leaf switches without relying on spanning tree. Which building block enables this in an EVPN-VXLAN design?

A company needs to provide external recursive DNS resolution for guests while ensuring corporate clients always use internal DNS servers for split-horizon zones. The design should prevent guests from reaching internal DNS infrastructure. Which approach is the best practice?

A financial institution must design remote access for employees with a requirement for continuous verification of device posture and minimizing lateral movement once connected. Which security design choice best aligns with these requirements?

A network operations team wants to standardize configuration deployment across thousands of devices while ensuring that changes are reviewed, tested, and can be rolled back. Which automation approach best satisfies these design goals?

An enterprise has two data centers that both advertise the same application VIP prefixes to the Internet. The objective is active/active usage, but during a partial failure in DC1 (application down, edge routing still up), traffic continues to be attracted to DC1 causing outages. Which design improvement best addresses this failure mode?

A company must design QoS end-to-end for voice and video across campus and WAN. The WAN provider honors DSCP markings but will remark any traffic that exceeds contracted rates. What is the best design recommendation at the enterprise edge?

An enterprise is standardizing its campus access layer. The requirement is to minimize the blast radius of a VLAN issue while keeping Layer 2 simple and predictable. Which design choice best meets this goal?

A service provider is designing customer edge connectivity. They want customers to remain in control of their addressing while avoiding overlap between customers, and they also need to transport customer routes over the provider core. Which approach best fits this requirement?

A design review finds that engineers want to deploy stateful firewalls in HA pairs at each internet edge site. The stated goal is to avoid asymmetric routing issues during normal operation and failures. Which design decision most directly supports this goal?

A global enterprise runs OSPF in the WAN and has two upstream providers per region. They want to influence outbound traffic so that most internet-bound flows exit the closest region, but without creating routing instability across the whole OSPF domain. Which approach is most appropriate?

A data center uses EVPN-VXLAN. The requirement is to allow certain VLANs to be stretched between two leaf pairs while keeping the underlay simple and providing fast convergence when a leaf fails. Which control-plane design best meets these goals?

A company is migrating from on-prem applications to a hybrid model with some workloads in a public cloud. Security requires that east-west traffic between application tiers be inspected and that policy be consistent across on-prem and cloud. Which architecture is most appropriate?

An enterprise wants to automate network provisioning across campus and WAN. The primary goal is to reduce configuration drift and ensure repeatable deployments with auditable change history. Which approach best satisfies this goal?

A multi-site enterprise uses SD-WAN. Some sites require local internet breakout for SaaS, while others must backhaul internet traffic to regional security stacks. The business wants a design that adapts to application needs without complex per-site routing policies. Which SD-WAN design capability best addresses this?

A financial institution has two data centers running active/active applications. They require deterministic east-west and north-south traffic flows, fast failover, and avoidance of Layer 2 extension between sites. Which design best meets these requirements?

An enterprise is implementing segment routing (SR-MPLS) in a large backbone to simplify traffic engineering and reduce reliance on LDP. They need fast reroute with minimal additional state in the core. Which design approach best aligns with these objectives?

An enterprise is standardizing WAN edge designs across many branches. The primary goal is to minimize user-perceived outages during ISP failures while keeping the design simple and consistent. Which design choice best meets this goal?

A campus design requires two distribution switches to act as the default gateway for VLANs while providing fast convergence if either distribution switch fails. The design must avoid spanning-tree blocking on uplinks from access switches where possible. Which approach best fits?

A service provider is offering L3VPN connectivity to a customer who wants overlapping RFC1918 addressing between regions and strict route separation. Which design element is fundamental to meeting this requirement?

A global enterprise uses eBGP to two ISPs at regional hubs. The enterprise wants inbound traffic to prefer ISP1 for a specific set of public prefixes, but must avoid changes that require ISP coordination. Which method is most appropriate?

A financial institution is designing DNS for internal applications across multiple data centers. Requirements: resilience during a site failure, consistent name resolution close to users, and minimal manual changes during failover. Which design best meets these requirements?

An enterprise is deploying a new remote-access solution. The security team mandates that remote users must not be able to laterally move to other internal networks if their endpoint is compromised. Which design principle most directly addresses this requirement?

A network operations team wants to reduce configuration drift across 500 devices and ensure changes are repeatable with approvals and rollback. They also want near real-time detection of out-of-band changes. Which approach best satisfies these goals?

A data center uses an EVPN-VXLAN fabric. A subset of legacy servers must remain in the same L2 segment while being moved between racks/pods (mobility), but the design must minimize the blast radius of L2 faults and prevent unnecessary flooding. Which design choice best aligns with these requirements?

After a merger, two enterprises interconnect their MPLS L3VPNs. Both use OSPF as the PE-CE protocol and have identical OSPF area numbering and overlapping internal routes. The combined network experiences routing loops between the two organizations for certain prefixes. Which design change most directly prevents these loops while preserving OSPF at the CE?

A retail company plans to use SD-WAN for 2,000 stores with local Internet breakout. The security team requires consistent enforcement of web filtering and threat protection, but the business requires that stores continue operating even if centralized security services are unreachable. Which architecture best balances these requirements?

An enterprise is standardizing how it segments traffic in a campus and wants clear separation between endpoint identity and IP addressing to support frequent moves/adds/changes. Which design best meets this goal with minimal dependency on VLAN-to-subnet coupling?

Two data centers are connected with a DCI that occasionally experiences microbursts. Storage replication traffic must be lossless, while general application traffic can tolerate some loss. Which design approach is most appropriate to meet the lossless requirement without over-engineering the entire network?

A campus network uses a traditional three-tier design. Users report that during an access switch failure, it can take up to a minute for some devices to regain connectivity. Spanning Tree is running and there is no routed access. Which change most directly reduces convergence time after an access-layer failure?

A service provider edge design must provide a consistent user experience for both IPv4 and IPv6 services. The enterprise wants to avoid maintaining separate QoS policies per address family. Which approach is the best design choice?

An enterprise is migrating to a dual-provider Internet edge and wants to influence inbound traffic toward ISP-A for a specific public /24 without affecting other prefixes. The enterprise does not control remote networks. Which design is most appropriate?

A regulated enterprise requires that all east-west traffic between application tiers in a data center be inspected, but the design must avoid hairpinning traffic through a centralized firewall cluster for every flow. Which architecture best balances enforcement and scalability?

A network operations team wants to reduce configuration drift across hundreds of devices while preserving the ability to perform emergency changes. Which automation design is most appropriate?

A global enterprise uses iBGP within each region and eBGP between regions. The design goal is to keep regional failures from causing excessive control-plane churn globally. Which design choice best supports this goal?

A bank is designing remote-access connectivity for employees. The requirement states that users must authenticate with strong MFA and that device posture must be validated before access to internal applications is granted. Which design best meets the requirement?

A service provider offers L3VPN services and wants to add Internet access for VPN customers using a shared services VRF while ensuring customers cannot reach each other through the shared service. Which design is most appropriate?

A global enterprise is standardizing on EVPN-based multihoming at access/aggregation. A new requirement states that a single access switch must be able to be dual-homed to two distribution switches without relying on spanning-tree for link blocking, while still allowing all uplinks to forward. Which design best meets the requirement?

A customer is moving to a dual-stack WAN. The design goal is to prefer IPv6 paths when available, but automatically fall back to IPv4 during IPv6 reachability problems without requiring manual intervention. Which design approach is most appropriate?

A design team must minimize blast radius from routing instability caused by a misconfigured customer edge device in a large enterprise campus. The campus uses OSPF internally and redistributes a small set of routes into BGP at the edge. Which is the best practice to limit the impact of a misbehaving internal device on the rest of the network?

A company is designing a DDoS-resilient Internet edge for multiple business units. The requirement is to prevent volumetric attacks against one public service from consuming all upstream capacity and impacting other services. Which design is most effective?

A provider-like enterprise core uses MPLS L3VPN. The customer requires that certain sensitive VRFs must never leak routes to non-sensitive VRFs, including accidental leaks due to misconfiguration. Which design control provides the strongest separation at the control plane?

An enterprise is adopting automated configuration management across thousands of devices. A key design requirement is to reduce drift and enable fast rollback, while ensuring that changes are validated before deployment. Which approach best aligns with these goals?

A campus design uses Anycast Gateway (first-hop gateway redundancy) across two distribution switches. Users report intermittent loss of connectivity only when moving between access switches (Layer 2 mobility within a VLAN). Which design issue is the most likely root cause?

A data center uses leaf-spine with an IP underlay and VXLAN overlay. Operations wants deterministic east-west traffic behavior and to avoid suboptimal hairpinning through border devices for intra-DC traffic. Which design choice most directly ensures this?

A multinational enterprise uses SD-WAN with DIA at branches and a regional secure web gateway (SWG). The security team requires that Internet-bound traffic from only a subset of applications must be forced through the SWG, while the rest can egress locally. The design must maintain user experience during SWG outages. Which solution best meets the requirement?

A large enterprise is building a shared services network (DNS, PKI, identity, logging) consumed by multiple segments (IT, OT, guest, partners). The requirement is: (1) strict segmentation, (2) minimal duplication of services, and (3) provable policy enforcement with reduced lateral movement risk. Which high-level design is most appropriate?