
Q51. Which two descriptions of the keying mechanisms that are used to distribute the session keys used in routing authentication are true? (Choose two.) 

A. Peer keying creates a unique one-to-one relationship with another peer. 

B. Group keying creates a single keying message to multiple peers. 

C. Peer keying creates a single keying message to multiple peers. 

D. Group keying creates a unique one-to-one relationship with another peer. 

E. Group keying creates a full mesh of keying sessions to all devices. 

F. Peer keying creates a full mesh of keying sessions to all devices. 

Answer: A,B 


Q52. Which technology can be used to secure the core of an STP domain? 

A. UplinkFast 

B. BPDU guard 

C. BPDU filter 

D. root guard 

Answer:

Explanation: 

Since STP does not implement any authentication or encryption to protect the exchange of BPDUs, it is vulnerable to unauthorized participation and attacks. Cisco IOS offers the STP Root Guard feature to enforce the placement of the root bridge and secure the core of the STP domain. 

STP root guard forces a port to become a designated port so that no switch on the other end of the link can become a root switch. If a port configured for root guard receives a superior BPDU, the port it is received on is blocked. In this way, STP root guard blocks other devices from trying to become the root bridge. 

STP root guard should be enabled on all ports that will never connect to a root bridge, for example, all end user ports. This ensures that a root bridge will never be negotiated on those ports. 

Reference: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/Baseline_Security/securebasebook/sec_chap7.html


Q53. Which statement about the BGP originator ID is true? 

A. The route reflector always sets the originator ID to its own router ID. 

B. The route reflector sets the originator ID to the router ID of the route reflector client that injects the route into the AS. 

C. The route reflector client that injects the route into the AS sets the originator ID to its own router ID. 

D. The originator ID is set to match the cluster ID. 

Answer:

Explanation: 

An RR reflecting the route received from an RR-Client adds:

- Originator ID: a 4-byte BGP attribute that is created by the RR. This attribute carries the Router ID of the originator of the route in the local AS. If the update comes back to the originator, it ignores the update.

- Cluster List: a list of Cluster IDs that an update has traversed. When a route reflector sends a route received from a client to a non-client, it appends the local Cluster ID. If a route reflector receives a route whose Cluster List contains the local Cluster ID, it ignores the update.

Reference: https://sites.google.com/site/amitsciscozone/home/bgp/bgp-route-reflectors 


Q54. Which three features are considered part of the IPv6 first-hop security suite? (Choose three.) 

A. DNS guard 

B. destination guard 

C. DHCP guard 

D. ICMP guard 

E. RA guard 

F. DoS guard 

Answer: B,C,E 

Explanation: 

Cisco IOS has (at least) these IPv6 first-hop security features:

IPv6 RA Guard rejects fake RA messages coming from host (non-router) ports (not sure whether it handles all possible IPv6 header fragmentation attacks). Interestingly, it can also validate the contents of RA messages (configuration flags, list of prefixes) received through router-facing ports, potentially giving you a safeguard against an attack of fat fingers.

DHCPv6 Guard blocks DHCPv6 messages coming from unauthorized DHCPv6 servers and relays. Like IPv6 RA Guard, it also validates the DHCPv6 replies coming from authorized DHCPv6 servers, potentially providing protection against DHCPv6 server misconfiguration.

IPv6 Snooping and device tracking builds an IPv6 First-Hop Security Binding Table (nicer name for ND table) by monitoring DHCPv6 and ND messages as well as regular IPv6 traffic. The binding table can be used to stop ND spoofing (in the IPv4 world we'd call this feature DHCP Snooping and Dynamic ARP Inspection).

IPv6 Source Guard uses the IPv6 First-Hop Security Binding Table to drop traffic from unknown sources or bogus IPv6 addresses not in the binding table. The switch also tries to recover from lost address information, querying the DHCPv6 server or using IPv6 neighbor discovery to verify the source IPv6 address after dropping the offending packet(s).

IPv6 Prefix Guard denies illegal off-subnet traffic. It uses information gleaned from RA messages and the IA_PD option of DHCPv6 replies (delegated prefixes) to build the table of valid prefixes.

IPv6 Destination Guard drops IPv6 traffic sent to directly connected destination addresses not in the IPv6 First-Hop Security Binding Table, effectively stopping ND exhaustion attacks.

Reference: http://blog.ipspace.net/2013/07/first-hop-ipv6-security-features-in.html 


Q55. Which OSPF feature supports LSA rate limiting in milliseconds to provide faster convergence? 

A. LSA throttling 

B. incremental SPF 

C. fast hello 

D. SPF tuning 

Answer:

Explanation: 

The OSPF Link-State Advertisement (LSA) Throttling feature provides a dynamic mechanism to slow down link-state advertisement (LSA) updates in OSPF during times of network instability. It also allows faster Open Shortest Path First (OSPF) convergence by providing LSA rate limiting in milliseconds. 

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/fsolsath.html 


Q56. Which technology can MSDP SA filters use to filter traffic? 

A. route maps 

B. community lists 

C. prefix lists 

D. class maps 

Answer:


Q57. Which three statements about the route preference of IS-IS are true? (Choose three.) 

A. An L1 path is preferred over an L2 path. 

B. An L2 path is preferred over an L1 path. 

C. Within each level, a path that supports optional metrics is preferred over a path that supports only the default metric. 

D. Within each level of metric support, the path with the lowest metric is preferred. 

E. The Cisco IS-IS implementation usually performs equal cost path load balancing on up to eight paths. 

F. Both L1 and L2 routes will be installed in the routing table at the same time. 

Answer: A,C,D 

Explanation: 

Given multiple possible routes to a particular destination, an L1 path is preferred over an L2 path. Within each level, a path that supports the optional metrics is preferred over a path that supports only the default metric. (Again, Cisco supports only the default metric, so the second order of preference is not relevant to Cisco routers.) Within each level of metric support, the path with the lowest metric is preferred. If multiple equal-cost, equal-level paths are found by the Decision process, they are all entered into the route table. The Cisco IS-IS implementation usually performs equal-cost load balancing on up to six paths. 

Reference: http://www.realccielab.org/operation-of-integrated-is-is.html 


Q58. Which two statements about the command distance bgp 90 60 120 are true? (Choose two.) 

A. Implementing the command is a Cisco best practice. 

B. The external distance it sets is preferred over the internal distance. 

C. The internal distance it sets is preferred over the external distance. 

D. The local distance it sets may conflict with the EIGRP administrative distance. 

E. The internal distance it sets may conflict with the EIGRP administrative distance. 

F. The local distance it sets may conflict with the RIP administrative distance. 

Answer: C,F 

Explanation: 

To allow the use of external, internal, and local administrative distances that could be a better route than other external, internal, or local routes to a node, use the distance bgp command in address family or router configuration mode. To return to the default values, use the no form of this command.

distance bgp external-distance internal-distance local-distance

no distance bgp

Syntax Description

external-distance 

Administrative distance for BGP external routes. External routes are routes for which the best path is learned from a neighbor external to the autonomous system. Acceptable values are from 1 to 255. The default is 20. Routes with a distance of 255 are not installed in the routing table.

internal-distance 

Administrative distance for BGP internal routes. Internal routes are those routes that are learned from another BGP entity within the same autonomous system. Acceptable values are from 1 to 255. The default is 200. Routes with a distance of 255 are not installed in the routing table.

local-distance 

Administrative distance for BGP local routes. Local routes are those networks listed with a network router configuration command, often as back doors, for that router or for networks that are being redistributed from another process. Acceptable values are from 1 to 255. The default is 200. Routes with a distance of 255 are not installed in the routing table.

Defaults 

external-distance: 20 

internal-distance: 200 

local-distance: 200 

In this case, the internal distance is 60 and the external is 90, and the local distance is 120 (same as RIP). 

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/iproute/command/reference/fiprrp_r/1rfbgp1.html#wp1113874


Q59. Which statement about the spanning-tree portfast feature on the switch is true? 

A. If an interface that is enabled for portfast receives a BPDU, the port goes through the spanning-tree listening, learning, and forwarding states.

B. If an interface that is enabled for portfast receives a BPDU, the port does not go through the spanning-tree listening, learning, and forwarding states.

C. If an interface that is enabled for portfast receives a BPDU, the port is shut down immediately.

D. If an interface that is enabled for portfast receives a BPDU, the port goes into the spanning-tree inconsistent state.

Answer:


Q60. Which two application protocols require application layer gateway support when using NAT on a Cisco router? (Choose two.) 

A. SIP 

B. HTTP 

C. FTP 

D. SMTP 

E. POP3 

Answer: A,C