[Free] 2019(Nov) EnsurePass Cisco 400-101 Dumps with VCE and PDF 11-20


Question No.11

Which three statements are functions that are performed by IKE phase 1? (Choose three.)

A. It builds a secure tunnel to negotiate IKE phase 1 parameters.

B. It establishes IPsec security associations.

C. It authenticates the identities of the IPsec peers.

D. It protects the IKE exchange by negotiating a matching IKE SA policy.

E. It protects the identities of IPsec peers.

F. It negotiates IPsec SA parameters.

Correct Answer: CDE


The basic purpose of IKE phase 1 is to authenticate the IPsec peers and to set up a secure channel between the peers to enable further IKE exchanges. IKE phase 1 performs the following functions:

Authenticates and protects the identities of the IPsec peers

Negotiates a matching IKE SA policy between peers to protect the IKE exchange

Performs an authenticated Diffie-Hellman exchange with the end result of having matching shared secret keys

Sets up a secure tunnel to negotiate IKE phase 2 parameters

Options B and F describe phase 2 work (the IPsec SAs and their parameters are negotiated inside the phase 1 tunnel), and option A names the wrong phase: the tunnel built in phase 1 protects the negotiation of phase 2 parameters.

Reference: http://www.ciscopress.com/articles/article.asp?p=25474&seqNum=7
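To make the split concrete, here is an added IOS configuration (it is not part of the original page or the referenced article) that puts the phase 1 items on one side and the phase 2 items on the other. The peer address 203.0.113.2, the subnets, the pre-shared key placeholder and the object names are assumed.

```ios
! --- IKE phase 1 (ISAKMP SA): answers C, D, E live here ---
crypto isakmp policy 10
 encryption aes 256          ! cipher that protects the IKE exchange itself (D)
 hash sha256                 ! integrity for IKE messages (D)
 authentication pre-share    ! how the peer identity is authenticated (C)
 group 14                    ! Diffie-Hellman group for the shared secret
 lifetime 86400
crypto isakmp key PSK-PLACEHOLDER address 203.0.113.2   ! assumed peer; replace the key

! --- IKE phase 2 (IPsec SA): answers B and F live here, negotiated inside the phase 1 tunnel ---
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 3600
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255   ! assumed protected subnets
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256
 set pfs group14             ! fresh DH exchange per IPsec SA (phase 2 option)
 match address VPN-TRAFFIC
interface GigabitEthernet0/0
 crypto map VPN-MAP
```

Answer E holds for main mode only: aggressive mode sends the identity payloads before the exchange is encrypted. On a router that must never fall back to it, add `crypto isakmp aggressive-mode disable`.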

Question No.12

Which three modes are valid PfR monitoring modes of operation? (Choose three.)

A. route monitor mode (based on BGP route changes)

B. RMON mode (based on RMONv1 and RMONv2 data)

C. passive mode (based on NetFlow data)

D. active mode (based on Cisco IP SLA probes)

E. fast mode (based on Cisco IP SLA probes)

F. passive mode (based on Cisco IP SLA probes)

Correct Answer: CDE


Modes are:

Mode monitor passive

Passive monitoring is the act of PfR gathering information on user packets assembled into flows by NetFlow. Passive monitoring is typically the only mode recommended in Internet edge deployments, because active probing is ineffective there: security policies on the far side usually block the probes. PfR, when enabled, automatically enables NetFlow on the managed interfaces on the border routers. By aggregating this information on the border routers and periodically reporting the collected data to the master controller, the network prefixes and applications in use can be learned automatically.

Mode monitor active

Active monitoring is the act of generating Cisco IOS IP Service Level Agreements (SLAs) probes to create test traffic for the purpose of obtaining information about the characteristics of the WAN links. PfR can either implicitly generate active probes once passive monitoring has identified destination hosts, or the network manager can explicitly configure probes in the PfR configuration. When jitter probes are used (a common case), Target Discovery is used to learn the responder address and to generate the probes automatically.

Mode monitor fast

This mode generates active probes through all exits continuously at the configured probe frequency. This differs from the active and both modes, which only generate probes through alternate paths (exits) when the current path is out-of-policy.

Reference: http://docwiki.cisco.com/wiki/PfR:Technology_Overview#Mode_monitor_passive
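An added example (not from the page or the referenced wiki) of where each mode lives in the configuration. A master controller and one border router are shown; addresses, key-chain, probe target and interface names are assumed, and only one `mode monitor` line is active at a time.

```ios
! Master controller (assumed address 10.0.0.1)
key chain PFR-KEYS
 key 1
  key-string PFR-SECRET        ! authenticates the MC/BR control session
pfr master
 border 10.0.0.2 key-chain PFR-KEYS
  interface GigabitEthernet0/0 external
  interface GigabitEthernet0/1 external
  interface GigabitEthernet0/2 internal
 learn
  throughput                   ! passive: learn top talkers from NetFlow
  delay
  periodic-interval 0
  monitor-period 1
 mode monitor passive          ! Internet edge: NetFlow only, no probes sent
 ! mode monitor active         ! probe alternate exits when the current exit is out-of-policy
 ! mode monitor both           ! passive learning plus active probing
 ! mode monitor fast           ! probe every exit continuously at the probe frequency
 ! active-probe jitter 192.0.2.10 target-port 5000   ! explicit probe (active/both/fast)
 mode route control

! Border router (assumed address 10.0.0.2)
key chain PFR-KEYS
 key 1
  key-string PFR-SECRET
pfr border
 master 10.0.0.1 key-chain PFR-KEYS
 local Loopback0
```

Active and fast modes only help if the probe targets answer; at an Internet edge the ICMP/UDP probes are commonly filtered by the remote side, which is the reason the page gives for recommending passive mode there.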

Question No.13

Refer to the exhibit. Which statement is true?


A. 2001:DB8::1/128 is a local host route, and it can be redistributed into a dynamic routing protocol.

B. 2001:DB8::1/128 is a local host route, and it cannot be redistributed into a dynamic routing protocol.

C. 2001:DB8::1/128 is a local host route that was created because ipv6 unicast-routing is not enabled on this router.

D. 2001:DB8::1/128 is a route that was put in the IPv6 routing table because one of this router's loopback interfaces has the IPv6 address 2001:DB8::1/128.

Correct Answer: B


The local routes have an administrative distance of 0. This is the same administrative distance as connected routes. However, when you configure redistribute connected under any routing process, the connected routes are redistributed, but the local routes are not. This behavior means the network does not need a large number of host routes, because the networks of the interfaces are advertised with their proper masks. These host routes are only needed on the router that owns the IP address in order to process packets destined to that IP address. It is normal for local host routes to be listed in the IPv4 and IPv6 routing tables for the IP addresses of the router's interfaces. Their purpose is to create a corresponding CEF entry as a receive entry so that packets destined to this IP address can be processed by the router itself. These routes cannot be redistributed into any routing protocol.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/ip-routing/116264-technote-ios-00.html

Question No.14

Which three features are considered part of the IPv6 first-hop security suite? (Choose three.)

A. DNS guard

B. destination guard

C. DHCP guard

D. ICMP guard

E. RA guard

F. DoS guard

Correct Answer: BCE


Cisco IOS has (at least) these IPv6 first-hop security features:

IPv6 RA Guard rejects fake RA messages coming from host (non-router) ports (not sure whether it handles all possible IPv6 header fragmentation attacks). Interestingly, it can also validate the contents of RA messages (configuration flags, list of prefixes) received through router-facing ports, potentially giving you a safeguard against an attack of fat fingers.

DHCPv6 Guard blocks DHCPv6 messages coming from unauthorized DHCPv6 servers and relays. Like IPv6 RA Guard, it also validates the DHCPv6 replies coming from authorized DHCPv6 servers, potentially providing protection against DHCPv6 server misconfiguration.

IPv6 Snooping and device tracking build an IPv6 First-Hop Security Binding Table (a nicer name for the ND table) by monitoring DHCPv6 and ND messages as well as regular IPv6 traffic. The binding table can be used to stop ND spoofing (in the IPv4 world we'd call this feature DHCP Snooping and Dynamic ARP Inspection).

IPv6 Source Guard uses the IPv6 First-Hop Security Binding Table to drop traffic from unknown sources or bogus IPv6 addresses not in the binding table. The switch also tries to recover from lost address information, querying the DHCPv6 server or using IPv6 neighbor discovery to verify the source IPv6 address after dropping the offending packet(s).

IPv6 Prefix Guard denies illegal off-subnet traffic. It uses information gleaned from RA messages and the IA_PD option of DHCPv6 replies (delegated prefixes) to build the table of valid prefixes.

IPv6 Destination Guard drops IPv6 traffic sent to directly connected destination addresses not in the IPv6 First-Hop Security Binding Table, effectively stopping ND exhaustion attacks.

Reference: http://blog.ipspace.net/2013/07/first-hop-ipv6-security-features-in.html
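An added IOS configuration (not from the page or the referenced post) showing how the three features in the answer, plus the snooping policy that builds the binding table they rely on, are attached to access ports and to the uplink. Policy names and interface numbers are assumed.

```ios
! RA Guard: Router Advertisements are dropped on ports with the host role
ipv6 nd raguard policy HOST-PORTS
 device-role host
! DHCPv6 Guard: server/relay messages are dropped on ports with the client role
ipv6 dhcp guard policy CLIENT-PORTS
 device-role client
! Snooping: builds the First-Hop Security Binding Table from ND/DHCPv6 traffic
ipv6 snooping policy SNOOP
 security-level guard
! Destination Guard: drop traffic to on-link addresses with no binding (ND cache exhaustion)
ipv6 destination-guard policy DG
 enforcement always

! Access ports: untrusted end hosts
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 ipv6 snooping attach-policy SNOOP
 ipv6 nd raguard attach-policy HOST-PORTS
 ipv6 dhcp guard attach-policy CLIENT-PORTS
 ipv6 destination-guard attach-policy DG

! Uplink toward the legitimate router and DHCPv6 server: trusted roles,
! RAs and DHCPv6 replies are still content-checked before being forwarded
ipv6 nd raguard policy UPLINK
 device-role router
ipv6 dhcp guard policy UPLINK-DHCP
 device-role server
interface GigabitEthernet1/0/48
 ipv6 snooping attach-policy SNOOP
 ipv6 nd raguard attach-policy UPLINK
 ipv6 dhcp guard attach-policy UPLINK-DHCP
```

Verify with `show ipv6 snooping policies`, `show ipv6 neighbors binding` and `show ipv6 nd raguard policy`. Attach the snooping policy before the guards: Source Guard, Prefix Guard and Destination Guard all consult the binding table, and with an empty table they have nothing to check against.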

Question No.15

Refer to the exhibit. Which statement is true?


A. There is an MPLS network that is running 6PE, and the ingress PE router has no mpls ip propagate-ttl.

B. There is an MPLS network that is running 6VPE, and the ingress PE router has no mpls ip propagate-ttl.

C. There is an MPLS network that is running 6PE or 6VPE, and the ingress PE router has mpls ip propagate-ttl.

D. There is an MPLS network that is running 6PE, and the ingress PE router has mpls ip propagate-ttl.

E. There is an MPLS network that is running 6VPE, and the ingress PE router has mpls ip propagate-ttl.

Correct Answer: C


The second hop shows an IPv6 address together with an MPLS label, so we know there is an MPLS network running 6PE or 6VPE; a traceroute alone does not distinguish the two, so the answer must allow either. And because the second and third hops (the core LSRs) appear in the traceroute, the TTL is being propagated: if the "no mpls ip propagate-ttl" command had been used on the ingress PE, those devices would be hidden in the traceroute.
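The three settings of the knob the question turns on, as an added example (not from the page). The same command governs how the IPv6 hop limit is copied into the label TTL for 6PE/6VPE traffic, which is what the traceroute in the exhibit depends on.

```ios
! Default on the ingress PE: the IP TTL / IPv6 hop limit is copied into the label TTL,
! so each core LSR decrements it and shows up as a traceroute hop
mpls ip propagate-ttl

! Hide the core from customer (transit) traceroutes only: forwarded packets get
! label TTL 255, but traceroutes the PE itself originates still see the LSRs
no mpls ip propagate-ttl forwarded

! Hide the core from everything, including the PE's own diagnostics
no mpls ip propagate-ttl
```

The trade-off is operational: hiding the LSRs stops customers from mapping the provider core, but it also makes a genuine core problem appear as latency or loss at the egress PE rather than at the failing hop. The `forwarded` form is the usual compromise, keeping the core visible to the operator's own traceroutes.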

Question No.16

Refer to the exhibit. What will be the extended community value of this route?


A. RT:200:3000 RT:200:9999

B. RT:200:9999 RT:200:3000

C. RT:200:3000

D. RT:200:9999

Correct Answer: D


Here the route map is being used to set the extended community RT to 200:9999 explicitly. As the answer indicates, the set clause lacks the additive keyword, so it replaces the route target the VRF would otherwise attach (RT:200:3000 in the other answer choices) rather than adding to it, and the route carries RT:200:9999 only.
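The replace-versus-append behaviour side by side, as an added example (not from the page; the VRF name, RD and the assumption that the VRF exports 200:3000 are taken from the answer choices, not from the exhibit).

```ios
! Without 'additive' the clause replaces the RTs the VRF export list would attach
route-map SET-RT permit 10
 set extcommunity rt 200:9999

! With 'additive' the RT is appended, yielding RT:200:3000 RT:200:9999
route-map ADD-RT permit 10
 set extcommunity rt 200:9999 additive

vrf definition CUST-A
 rd 200:1
 address-family ipv4
  route-target export 200:3000
  route-target import 200:3000
  export map SET-RT            ! result: RT:200:9999 only (answer D)
  ! export map ADD-RT          ! result: RT:200:3000 RT:200:9999 (answer A)
```

The security point is the failure mode: an export map that silently drops the intended RT can unimport a customer's prefixes from every remote VRF, or, with the wrong value, leak them into another customer's VRF. Check the result on the PE with `show bgp vpnv4 unicast vrf CUST-A <prefix>` and read the Extended Community line rather than trusting the route-map text.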

Question No.17

Refer to the exhibit. Which statement about this IP SLA is true?


A. The SLA must also have a schedule configured before it will start.

B. The TTL of the SLA packets is 10.

C. The SLA has a timeout of 3.6 seconds.

D. The SLA has a lifetime of 5 seconds.

Correct Answer: A


When you configure an IP SLAs operation, you must schedule the operation to begin capturing statistics and collecting error information. You can schedule an operation to start immediately or to start at a certain month, day, and hour. You can use the pending option to set the operation to start at a later time. The pending option is an internal state of the operation that is visible through SNMP. The pending state is also used when an operation is a reaction (threshold) operation waiting to be triggered. You can schedule a single IP SLAs operation or a group of operations at one time. We can see in this output that the IP SLA is still in a pending trigger state.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/44sg/configuration/guide/Wrapper-44SG/swipsla.html
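An added example (not from the page or the referenced guide) of a complete operation, including the schedule line whose absence leaves it in the pending state. Target, interface, next hop and timer values are assumed.

```ios
! Assumed operation: ICMP echo to 198.51.100.1 every 10 seconds
ip sla 10
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/0
 frequency 10          ! seconds between probes; must not be shorter than the timeout
 timeout 2000          ! milliseconds to wait for a reply (2 s)
 threshold 1500        ! milliseconds before a threshold reaction is raised
! Until this line exists the operation shows "Pending trigger" and collects nothing
ip sla schedule 10 life forever start-time now

! Optional: let the probe result control a static route
track 1 ip sla 10 reachability
 delay down 15 up 30   ! dampen flaps before the route is withdrawn or restored
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
```

Check `show ip sla configuration 10` for the scheduled start time and `show ip sla statistics 10` for results. The track delay matters when the probe drives routing: without it a single lost reply would flip the default route.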

Question No.18

Refer to the exhibit. All switches have default bridge priorities, and originate BPDUs with MAC addresses as indicated. The numbers shown are STP link metrics. Which two ports are forwarding traffic after STP converges? (Choose two.)


A. The port connecting switch SWD with switch SWE

B. The port connecting switch SWG with switch SWF

C. The port connecting switch SWC with switch SWE

D. The port connecting switch SWB with switch SWC

Correct Answer: CD


Here, we know the SWB to SWC link is forwarding because we already identified the blocking port. For the other correct answer, consider what must be done to prevent a switching loop between SWC, SWD and SWE: SWE to SWD will be blocked because SWC has the lower MAC address, so it wins the designated port election. Looking further, would the ports on SWG go through SWE or SWF? SWE has the lower MAC address, so the port from SWG to SWE wins the election.

Therefore, answer B could never be correct.

Question No.19

Refer to the exhibit. What is a reason for the RIB-failure?


A. CEF is not enabled on this router.

B. The route is in the routing table, but not as a BGP route.

C. The routing table has yet to be updated with the BGP route.

D. The BGP route is filtered inbound and hence is not installed in the routing table.

Correct Answer: B


A RIB-failure occurs when BGP tries to install the bestpath prefix into the RIB, but the RIB rejects the BGP route because a route with a better administrative distance already exists in the routing table. An inactive Border Gateway Protocol (BGP) route is a route that is not installed in the RIB but is installed in the BGP table as a RIB-failure.

Example Topology

Router 1 (R1) and router 2 (R2) have two parallel links; one link runs BGP in AS 65535 and the other link runs Enhanced Interior Gateway Routing Protocol (EIGRP) AS 1. Both BGP and EIGRP are advertising the network on R1.


R2 learns about the route through both EIGRP and BGP, but installs only the EIGRP route in the routing table because of its lower administrative distance (EIGRP internal routes have AD 90, iBGP routes AD 200). Since the BGP route is not installed in the R2 routing table, the route appears as a RIB-failure in the R2 BGP table.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/116146-config-bgp-next-hop-00.html
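How to find such routes on R2 and what to do about them, as an added example (not from the page or the referenced technote). The AS number follows the example topology; the distance values are assumed.

```ios
! List bestpaths BGP could not install and the reason (e.g. "Higher admin distance")
show ip bgp rib-failure

! Default: BGP still advertises a RIB-failure bestpath to its peers even though
! this router forwards via the EIGRP route. Suppress that so neighbors are not
! steered toward a path this router does not actually use.
router bgp 65535
 address-family ipv4
  bgp suppress-inactive

! Alternative when BGP should win: move the iBGP distance below EIGRP's 90
! (order is external, internal, local)
router bgp 65535
 address-family ipv4
  distance bgp 20 80 200
```

Prefer `bgp suppress-inactive` where the EIGRP path is the intended one; lowering BGP's distance changes which protocol wins on every prefix on the router and can create loops if the two routers are not changed consistently.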

Question No.20

What is a key advantage of Cisco GET VPN over DMVPN?

A. Cisco GET VPN provides zero-touch deployment of IPSEC VPNs.

B. Cisco GET VPN supports certificate authentication for tunnel establishment.

C. Cisco GET VPN has a better anti-replay mechanism.

D. Cisco GET VPN does not require a secondary overlay routing infrastructure.

Correct Answer: D


DMVPN requires overlaying a secondary routing infrastructure through the tunnels, which results in suboptimal routing while the dynamic tunnels are built. The overlay routing topology also reduces the inherent scalability of the underlying IP VPN network topology. Traditional point-to-point IPsec tunneling solutions suffer from multicast replication issues because multicast replication must be performed before tunnel encapsulation and encryption at the IPsec CE (customer edge) router closest to the multicast source. Multicast replication cannot be performed in the provider network because encapsulated multicasts appear to the core network as unicast data.

Cisco's Group Encrypted Transport VPN (GET VPN) introduces the concept of a trusted group to eliminate point-to-point tunnels and their associated overlay routing. All group members (GMs) share a common security association (SA), also known as a group SA. This enables GMs to decrypt traffic that was encrypted by any other GM. (Note that the IPsec CE acts as a GM.) In GET VPN networks, there is no need to negotiate point-to-point IPsec tunnels between the members of a group, because GET VPN is "tunnel-less".

Reference: Group Encrypted Transport VPN (Get VPN) Design and Implementation Guide PDF
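A minimal key server and group member, as an added example (not from the page or the design guide), showing that neither side carries a tunnel interface or overlay routing: the group SA is pushed by the key server and the underlay keeps routing the original IP headers. Addresses, group identity, ACL, key label and the pre-shared key are assumed; certificates are the better choice for GM authentication in production.

```ios
! ===== Key server (KS), assumed address 10.255.0.1 =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key GETVPN-PSK address 0.0.0.0        ! assumed: one PSK for all GMs
crypto ipsec transform-set GDOI-TS esp-aes 256 esp-sha256-hmac
crypto ipsec profile GDOI-PROFILE
 set transform-set GDOI-TS
ip access-list extended GETVPN-ENCRYPT
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255   ! assumed site-to-site traffic
! exec mode beforehand: crypto key generate rsa label GETVPN-REKEY modulus 2048
crypto gdoi group GETVPN
 identity number 1234
 server local
  rekey authentication mypubkey rsa GETVPN-REKEY   ! rekeys are signed by the KS
  rekey transport unicast
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv4 GETVPN-ENCRYPT
   replay time window-size 5                        ! time-based anti-replay shared by the group
  address ipv4 10.255.0.1

! ===== Group member (GM) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key GETVPN-PSK address 10.255.0.1     ! used only to register with the KS
crypto gdoi group GETVPN
 identity number 1234
 server address ipv4 10.255.0.1
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN
interface GigabitEthernet0/0                        ! WAN-facing interface; no tunnel interface
 crypto map GETVPN-MAP
```

Because the original IP header is preserved, the provider network must be able to route the sites' real addresses, which is why GET VPN fits a private MPLS WAN rather than the public Internet. Check registration with `show crypto gdoi` on the GM and `show crypto gdoi ks members` on the KS.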
