[Free] 2017(July) Ensurepass Braindumps Cisco 400-101 Latest Dumps 11-20

Ensurepass
2017 July Cisco Official New Released 400-101 Q&As
http://www.ensurepass.com/400-101.html

CCIE Routing and Switching Written Exam v5.1

QUESTION 11

Which three statements are functions that are performed by IKE phase 1? (Choose three.)

 

A. It builds a secure tunnel to negotiate IKE phase 1 parameters.
B. It establishes IPsec security associations.
C. It authenticates the identities of the IPsec peers.
D. It protects the IKE exchange by negotiating a matching IKE SA policy.
E. It protects the identities of IPsec peers.
F. It negotiates IPsec SA parameters.

 

Correct Answer: CDE

Explanation:

The basic purpose of IKE phase 1 is to authenticate the IPSec peers and to set up a secure channel between the peers to enable IKE exchanges. IKE phase 1 performs the following functions:

Authenticates and protects the identities of the IPSec peers

Negotiates a matching IKE SA policy between peers to protect the IKE exchange

Performs an authenticated Diffie-Hellman exchange with the end result of having matching shared secret keys

Sets up a secure tunnel to negotiate IKE phase 2 parameters

 

Reference: http://www.ciscopress.com/articles/article.asp?p=25474&seqNum=7

 

 

QUESTION 12

Which three modes are valid PfR monitoring modes of operation? (Choose three.)

 

A. route monitor mode (based on BGP route changes)
B. RMON mode (based on RMONv1 and RMONv2 data)
C. passive mode (based on NetFlow data)
D. active mode (based on Cisco IP SLA probes)
E. fast mode (based on Cisco IP SLA probes)
F. passive mode (based on Cisco IP SLA probes)

 

Correct Answer: CDE

Explanation:

The modes are:

Mode monitor passive

Passive monitoring is the act of PfR gathering information on user packets assembled into flows by NetFlow. Passive monitoring is typically only recommended in Internet edge deployments, because active probing is ineffective there: security policies block the probes. When PfR is enabled, it automatically enables NetFlow on the managed interfaces of the Border Routers. By aggregating this information on the Border Routers and periodically reporting the collected data to the Master Controller, the network prefixes and applications in use can be learned automatically.

Mode monitor active

Active monitoring is the act of generating Cisco IOS IP Service Level Agreements (SLAs) probes to produce test traffic for the purpose of obtaining information about the characteristics of the WAN links. PfR can either implicitly generate active probes once passive monitoring has identified destination hosts, or the network manager can explicitly configure probes in the PfR configuration. When jitter probes are used (the common case), Target Discovery is used to learn the responder address and to generate the probes automatically.

Mode monitor fast

This mode generates active probes through all exits continuously at the configured probe frequency. It differs from the active and both modes in that those modes only generate probes through alternate paths (exits) when the current path is out-of-policy.

 

Reference: http://docwiki.cisco.com/wiki/PfR:Technology_Overview#Mode_monitor_passive

QUESTION 13

Refer to the exhibit. Which statement is true?

 

[Exhibit image not included]

A. 2001:DB8::1/128 is a local host route, and it can be redistributed into a dynamic routing protocol.
B. 2001:DB8::1/128 is a local host route, and it cannot be redistributed into a dynamic routing protocol.
C. 2001:DB8::1/128 is a local host route that was created because ipv6 unicast-routing is not enabled on this router.
D. 2001:DB8::1/128 is a route that was put in the IPv6 routing table because one of this router’s loopback interfaces has the IPv6 address 2001:DB8::1/128.

 

Correct Answer: B

Explanation:

Local routes have an administrative distance of 0, the same administrative distance as connected routes. However, when you configure redistribute connected under any routing process, the connected routes are redistributed, but the local routes are not. This behavior keeps the network from needing a large number of host routes, because the networks of the interfaces are advertised with their proper masks. The host routes are only needed on the router that owns the IP address, so that it can process packets destined to that address. It is normal for local host routes to be listed in the IPv4 and IPv6 routing tables for the IP addresses of the router’s interfaces. Their purpose is to create a corresponding CEF receive entry so that packets destined to this IP address are processed by the router itself. These routes cannot be redistributed into any routing protocol.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/ip-routing/116264-technote-ios-00.html

 

 

QUESTION 14

Which three features are considered part of the IPv6 first-hop security suite? (Choose three.)

 

A. DNS guard
B. destination guard
C. DHCP guard
D. ICMP guard
E. RA guard
F. DoS guard

 

Correct Answer: BCE

Explanation:

Cisco IOS has (at least) these IPv6 first-hop security features:

IPv6 RA Guard rejects fake RA messages coming from host (non-router) ports (not sure whether it handles all possible IPv6 header fragmentation attacks). Interestingly, it can also validate the contents of RA messages (configuration flags, list of prefixes) received through router-facing ports, potentially giving you a safeguard against an attack of fat fingers.

DHCPv6 Guard blocks DHCPv6 messages coming from unauthorized DHCPv6 servers and relays. Like IPv6 RA Guard, it also validates the DHCPv6 replies coming from authorized DHCPv6 servers, potentially providing protection against DHCPv6 server misconfiguration.

IPv6 Snooping and device tracking builds an IPv6 First-Hop Security Binding Table (a nicer name for the ND table) by monitoring DHCPv6 and ND messages as well as regular IPv6 traffic. The binding table can be used to stop ND spoofing (in the IPv4 world we’d call this feature DHCP Snooping and Dynamic ARP Inspection).

IPv6 Source Guard uses the IPv6 First-Hop Security Binding Table to drop traffic from unknown sources or bogus IPv6 addresses not in the binding table. The switch also tries to recover from lost address information, querying the DHCPv6 server or using IPv6 neighbor discovery to verify the source IPv6 address after dropping the offending packet(s).

IPv6 Prefix Guard denies illegal off-subnet traffic. It uses information gleaned from RA messages and the IA_PD option of DHCPv6 replies (delegated prefixes) to build the table of valid prefixes.

IPv6 Destination Guard drops IPv6 traffic sent to directly connected destination addresses not in the IPv6 First-Hop Security Binding Table, effectively stopping ND exhaustion attacks.

Reference: http://blog.ipspace.net/2013/07/first-hop-ipv6-security-features-in.html

 

 

QUESTION 15

Refer to the exhibit. Which statement is true?

 

[Exhibit image not included]

A. There is an MPLS network that is running 6PE, and the ingress PE router has no mpls ip propagate-ttl.
B. There is an MPLS network that is running 6VPE, and the ingress PE router has no mpls ip propagate-ttl.
C. There is an MPLS network that is running 6PE or 6VPE, and the ingress PE router has mpls ip propagate-ttl.
D. There is an MPLS network that is running 6PE, and the ingress PE router has mpls ip propagate-ttl.
E. There is an MPLS network that is running 6VPE, and the ingress PE router has mpls ip propagate-ttl.

 

Correct Answer: C

Explanation:

The second hop shows an IPv6 address over MPLS, so we know there is an MPLS network running 6PE or 6VPE. Because the second and third hops show up in the traceroute, the TTL is being propagated: if no mpls ip propagate-ttl had been configured, these devices would be hidden from the traceroute.

 

 

QUESTION 16

Refer to the exhibit. What will be the extended community value of this route?

 

[Exhibit image not included]

A. RT:200:3000 RT:200:9999
B. RT:200:9999 RT:200:3000
C. RT:200:3000
D. RT:200:9999

 

Correct Answer: D

Explanation:

Here the route map is being used to manually set the extended community RT to 200:9999.

 

 

QUESTION 17

Refer to the exhibit. Which statement about this IP SLA is true?

 

[Exhibit image not included]

A. The SLA must also have a schedule configured before it will start.
B. The TTL of the SLA packets is 10.
C. The SLA has a timeout of 3.6 seconds.
D. The SLA has a lifetime of 5 seconds.

 

Correct Answer: A

Explanation:

When you configure an IP SLAs operation, you must schedule the operation to begin capturing statistics and collecting error information. You can schedule an operation to start immediately or to start at a certain month, day, and hour. You can use the pending option to set the operation to start at a later time. The pending option is an internal state of the operation that is visible through SNMP. The pending state is also used when an operation is a reaction (threshold) operation waiting to be triggered. You can schedule a single IP SLAs operation or a group of operations at one time. We can see in this output that the IP SLA is still in a pending trigger state.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/44sg/configuration/guide/Wrapper-44SG/swipsla.html

 

 

QUESTION 18

Refer to the exhibit. All switches have default bridge priorities, and originate BPDUs with MAC addresses as indicated. The numbers shown are STP link metrics. Which two ports are forwarding traffic after STP converges? (Choose two.)

 

[Exhibit image not included]

A. The port connecting switch SWD with switch SWE
B. The port connecting switch SWG with switch SWF
C. The port connecting switch SWC with switch SWE
D. The port connecting switch SWB with switch SWC

 

Correct Answer: CD

Explanation:

Here, we know the SWB to SWC port is forwarding because we already identified the blocking port. For the last correct answer, consider what must be done to prevent a switching loop between SWC, SWD and SWE. The SWE to SWD link will be blocked because SWC has the lower MAC address and so wins the forwarding election. Looking further, consider the ports on SWG: would SWG reach the root through SWE or SWF? SWE has the lower MAC address, so the port from SWG to SWE wins the forwarding election.

Therefore, answer B can never be correct.

 

 

QUESTION 19

Refer to the exhibit. What is a reason for the RIB-failure?

 

[Exhibit image not included]

A. CEF is not enabled on this router.
B. The route 10.100.1.1/32 is in the routing table, but not as a BGP route.
C. The routing table has yet to be updated with the BGP route.
D. The BGP route is filtered inbound and hence is not installed in the routing table.

 

Correct Answer: B

Explanation:

A rib-failure occurs when BGP tries to install the bestpath prefix into the RIB, but the RIB rejects the BGP route because a route with better administrative distance already exists in the routing table. An inactive Border Gateway Protocol (BGP) route is a route that is not installed in the RIB, but is installed in the BGP table as rib-failure.

Example Topology

Router 1 (R1) and router 2 (R2) have two parallel links; one link runs BGP AS 65535 and the other link runs Enhanced Interior Gateway Routing Protocol (EIGRP) AS 1. Both BGP and EIGRP are advertising the network 10.1.1.1/32 on R1.

[Exhibit image not included]

R2 learns about the 1.1.1.1/32 route through both EIGRP and BGP, but installs only the EIGRP route in the routing table because of its lower administrative distance. Since the BGP route is not installed in the R2 routing table, the route appears as a rib-failure in the R2 BGP table.

 

Reference: http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocolbgp/116146-config-bgp-next-hop-00.html

 

 

QUESTION 20

What is a key advantage of Cisco GET VPN over DMVPN?

 

A. Cisco GET VPN provides zero-touch deployment of IPSEC VPNs.
B. Cisco GET VPN supports certificate authentication for tunnel establishment.
C. Cisco GET VPN has a better anti-replay mechanism.
D. Cisco GET VPN does not require a secondary overlay routing infrastructure.

 

Correct Answer: D

Explanation:

DMVPN requires overlaying a secondary routing infrastructure through the tunnels, which results in suboptimal routing while the dynamic tunnels are built. The overlay routing topology also reduces the inherent scalability of the underlying IP VPN network topology. Traditional point-to-point IPsec tunneling solutions suffer from multicast replication issues because multicast replication must be performed before tunnel encapsulation and encryption at the IPsec CE (customer edge) router closest to the multicast source. Multicast replication cannot be performed in the provider network because encapsulated multicasts appear to the core network as unicast data.

Cisco’s Group Encrypted Transport VPN (GET VPN) introduces the concept of a trusted group to eliminate point-to-point tunnels and their associated overlay routing. All group members (GMs) share a common security association (SA), also known as a group SA. This enables GMs to decrypt traffic that was encrypted by any other GM. (Note that the IPsec CE acts as a GM.) In GET VPN networks, there is no need to negotiate point-to-point IPsec tunnels between the members of a group, because GET VPN is “tunnel-less.”

Reference: Group Encrypted Transport VPN (Get VPN) Design and Implementation Guide PDF
