Exam 400-007 topic 1 question 98 discussion

Firewalls for sure. https://community.cisco.com/t5/security-knowledge-base/segmentation-policy-using-sgt-in-pbr-pdf/ta-p/3651240

As per Cisco Trustsec

SGT and PBR are the correct answers

firewalls for sure. data plane markings refer to VLANs.

OK I agreed with AE

Firewalls and SGT (data plane marking)

A, B Page 14 https://www.cisco.com/c/dam/en/us/solutions/collateral/design-zone/cisco-validated-profiles/secure-dc-design-guide-cvd.pdfSegmentation

A E, https://blogs.cisco.com/networking/cisco-drives-intent-based-networking-forward-with-multi-level-segmentation

https://community.cisco.com/t5/security-knowledge-base/segmentation-policy-using-sgt-in-pbr-pdf/ta-p/3651240?attachment-id=155316 PBR and Firewall can allocate SGT and then segment the traffic

it's a very very strange question!! if for "mutilayer segmentation" they mean microsgmentation inside a VLAN, thinking about Trustsec model, I think the answers are data plane marking (SGT) and filter list (permit/deny matrix). The other options (PBR, firewall, segment routing) seem to be related more to routing than to segmentation...

I'm going to go on a limb and say A&C. that's how you traditionally segment your network. this says the same thing (assuming filter lists = ACLs) https://www.cisco.com/c/en/us/products/security/what-is-network-segmentation.html "Some traditional technologies for segmentation included internal firewalls, and Access Control List (ACL) and Virtual Local Area Network (VLAN) configurations on networking equipment."

Guys, B&D looks correct. Segment Routing provides flexibility in defining and managing segments, and can be used in conjunction with VLANs, VRFs, or other data plane markings to create and enforce logical boundaries between different layers or segments of the network. Firewalls can segment but are not multilayer. PBR and filter lists can't be the answer, come on. You expect a CCDE to recommend using PBR everywhere to segment your traffic?

This question has three valid answers. AB (Vanguard Method) and AE (Legacy Method) Which gives more points? Please check page 14 of this document. https://www.cisco.com/c/dam/en/us/solutions/collateral/design-zone/cisco-validated-profiles/secure-dc-design-guide-cvd.pdf

FWs for sure and data plane markings such as SGT tags (Trustsec) are used for segmentation

This question is exactly why Cisco Certs are dumb

segment routing has nothing to do with multilayer segmentation

Its AD