Cisco 400-101 (CCIE) exam questions and answers, provided in two formats: PDF and VCE practice tests. The PDF version can be read and printed for repeated practice.

Q151. Which two BGP path attributes are visible in Wireshark? (Choose two.) 

A. weight 

B. AS path 

C. local preference 

D. route maps 

Answer: B,C 


Q152. Which three statements about implementing an application layer gateway in a network are true? (Choose three.) 

A. It allows client applications to use dynamic ports to communicate with a server regardless of whether NAT is being used. 

B. It maintains granular security over application-specific data. 

C. It allows synchronization between multiple streams of data between two hosts. 

D. Application layer gateway is used only in VoIP/SIP deployments. 

E. Client applications require additional configuration to use an application layer gateway. 

F. An application layer gateway inspects only the first 64 bytes of a packet before forwarding it through the network. 

Answer: A,B,C 

Explanation: 

An ALG may offer the following functions: 

- allowing client applications to use dynamic ephemeral TCP/UDP ports to communicate with the known ports used by the server applications, even though a firewall configuration may allow only a limited number of known ports. In the absence of an ALG, either the ports would get blocked or the network administrator would need to explicitly open up a large number of ports in the firewall, rendering the network vulnerable to attacks on those ports.

- converting the network layer address information found inside an application payload between the addresses acceptable by the hosts on either side of the firewall/NAT. This aspect introduces the term 'gateway' for an ALG.

- recognizing application-specific commands and offering granular security controls over them.

- synchronizing between multiple streams/sessions of data between two hosts exchanging data. For example, an FTP application may use separate connections for passing control commands and for exchanging data between the client and a remote server. During large file transfers, the control connection may remain idle. An ALG can prevent the control connection getting timed out by network devices before the lengthy file transfer completes.

Reference: http://en.wikipedia.org/wiki/Application-level_gateway 


Q153. Which two options are two characteristics of the HSRPv6 protocol? (Choose two.) 

A. It uses virtual MAC addresses 0005.73a0.0000 through 0005.73a0.0fff. 

B. It uses UDP port number 2029. 

C. It uses virtual MAC addresses 0005.73a0.0000 through 0005.73a0.ffff. 

D. It uses UDP port number 2920. 

E. If a link local IPv6 address is used, it must have a prefix. 

Answer: A,B 

Explanation: 

HSRP IPv6 Virtual MAC Address Range 

HSRP IPv6 uses a different virtual MAC address block than does HSRP for IP: 0005.73A0.0000 through 0005.73A0.0FFF (4096 addresses) 

HSRP IPv6 UDP Port Number 

Port number 2029 has been assigned to HSRP IPv6. 

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/15-sy/fhp-15-sy-book/HSRP-for-IPv6.html 


Q154. What is a disadvantage of using aggressive mode instead of main mode for ISAKMP/IPsec establishment? 

A. It does not use Diffie-Hellman for secret exchange. 

B. It does not support dead peer detection. 

C. It does not support NAT traversal. 

D. It does not hide the identity of the peer. 

Answer:

Explanation: 

IKE phase 1's purpose is to establish a secure authenticated communication channel by using the Diffie–Hellman key exchange algorithm to generate a shared secret key to encrypt further IKE communications. This negotiation results in one single bi-directional ISAKMP Security Association (SA). The authentication can be performed using either pre-shared key (shared secret), signatures, or public key encryption. Phase 1 operates in either Main Mode or Aggressive Mode. Main Mode protects the identity of the peers; Aggressive Mode does not.

Reference: http://en.wikipedia.org/wiki/Internet_Key_Exchange 


Q155. Which two statements are true about RSTP? (Choose two.) 

A. By default, RSTP uses a separate TCN BPDU when interoperating with 802.1D switches.

B. By default, RSTP does not use a separate TCN BPDU when interoperating with 802.1D switches.

C. If a designated port receives an inferior BPDU, it immediately triggers a reconfiguration.

D. By default, RSTP uses the topology change TC flag.

E. If a port receives a superior BPDU, it immediately replies with its own information, and no reconfiguration is triggered. 

Answer: B,D 

Explanation: 

The RSTP does not have a separate topology change notification (TCN) BPDU. It uses the topology change (TC) flag to show the topology changes. 

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_9_ea1/configuration/guide/scg/swmstp.html 


Q156. Refer to the exhibit. 

Which two statements are true? (Choose two.) 

A. This is the output of the show ip ospf command. 

B. This is the output of the show ip protocols command. 

C. This router is an ABR. 

D. This router is an ASBR. 

E. Authentication is not configured for the area. 

Answer: A,E 

Explanation: 

The following is sample output from the show ip ospf command when entered without a specific OSPF process ID with no authentication. 

    Router# show ip ospf
    Routing Process "ospf 201" with ID 10.0.0.1 and Domain ID 10.20.0.1
    Supports only single TOS(TOS0) routes
    Supports opaque LSA
    SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
    Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
    LSA group pacing timer 100 secs
    Interface flood pacing timer 55 msecs
    Retransmission pacing timer 100 msecs
    Number of external LSA 0. Checksum Sum 0x0
    Number of opaque AS LSA 0. Checksum Sum 0x0
    Number of DCbitless external and opaque AS LSA 0
    Number of DoNotAge external and opaque AS LSA 0
    Number of areas in this router is 2. 2 normal 0 stub 0 nssa
    External flood list length 0
    Area BACKBONE(0)
    Number of interfaces in this area is 2
    Area has no authentication
    SPF algorithm executed 4 times
    Area ranges are
    Number of LSA 4. Checksum Sum 0x29BEB
    Number of opaque link LSA 0. Checksum Sum 0x0
    Number of DCbitless LSA 3 Number of indication LSA 0
    Number of DoNotAge LSA 0 Flood list length 0

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/command/iro-cr-book/ospf-s1.html#wp8749965360 


Q157. Which two statements are true about an EPL? (Choose two.) 

A. It is a point-to-point Ethernet connection between a pair of NNIs. 

B. It allows for service multiplexing. 

C. It has a high degree of transparency. 

D. The EPL service is also referred to as E-line. 

Answer: C,D 

Explanation: 

Ethernet private line (EPL) and Ethernet virtual private line (EVPL) are carrier Ethernet data services defined by the Metro Ethernet Forum. EPL provides a point-to-point Ethernet virtual connection (EVC) between a pair of dedicated user–network interfaces (UNIs), with a high degree of transparency. EVPL provides a point-to-point or point-to-multipoint connection between a pair of UNIs. The services are categorized as an E-Line service type, with an expectation of low frame delay, frame delay variation and frame loss ratio. EPL is implemented using a point-to-point (EVC) with no Service Multiplexing at each UNI (physical interface), i.e., all service frames at the UNI are mapped to a single EVC (a.k.a. all-to-one bundling). 

Reference: http://en.wikipedia.org/wiki/Ethernet_Private_Line 


Q158. Refer to the exhibit. 

Which statement is true? 

A. It is impossible for the destination interface to equal the source interface. 

B. NAT on a stick is performed on interface Et0/0. 

C. There is a potential routing loop. 

D. This output represents a UDP flow or a TCP flow. 

Answer:

Explanation: 

In this example we see that the source interface and destination interface are the same (Et0/0). Typically this is seen when there is a routing loop for the destination IP address. 


Q159. Which two statements about BGP best-path selection are true? (Choose two.) 

A. The route with the highest local preference is preferred. 

B. The weight attribute is advertised to peers. 

C. The route with the lowest MED is preferred. 

D. A route that originates from iBGP peers is preferred. 

E. A route that originates from a router with a higher BGP router ID is preferred. 

F. The lowest weight advertised is preferred. 

Answer: A,C 


Q160. Which two options describe two functions of a neighbor solicitation message? (Choose two.) 

A. It requests the link-layer address of the target. 

B. It provides its own link-layer address to the target. 

C. It requests the site-local address of the target. 

D. It provides its own site-local address to the target. 

E. It requests the admin-local address of the target. 

F. It provides its own admin-local address to the target. 

Answer: A,B 

Explanation: 

Neighbor solicitation messages are sent on the local link when a node wants to determine the link-layer address of another node on the same local link (see the figure below). When a node wants to determine the link-layer address of another node, the source address in a neighbor solicitation message is the IPv6 address of the node sending the neighbor solicitation message. The destination address in the neighbor solicitation message is the solicited-node multicast address that corresponds to the IPv6 address of the destination node. The neighbor solicitation message also includes the link-layer address of the source node. 

Figure 1. IPv6 Neighbor Discovery: Neighbor Solicitation Message 

After receiving the neighbor solicitation message, the destination node replies by sending a neighbor advertisement message, which has a value of 136 in the Type field of the ICMP packet header, on the local link. The source address in the neighbor advertisement message is the IPv6 address of the node (more specifically, the IPv6 address of the node interface) sending the neighbor advertisement message. The destination address in the neighbor advertisement message is the IPv6 address of the node that sent the neighbor solicitation message. The data portion of the neighbor advertisement message includes the link-layer address of the node sending the neighbor advertisement message. After the source node receives the neighbor advertisement, the source node and destination node can communicate. 

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_basic/configuration/xe-3s/ip6b-xe-3s-book/ip6-neighb-disc-xe.html