The Renew Guide To 400-101 paper Apr 2021



Q31. Which three features are considered part of the IPv6 first-hop security suite? (Choose three.) 

A. DNS guard 

B. destination guard 

C. DHCP guard 

D. ICMP guard 

E. RA guard 

F. DoS guard 

Answer: B,C,E 

Explanation: 

Cisco IOS has (at least) these IPv6 first-hop security features:

- IPv6 RA Guard rejects fake RA messages coming from host (non-router) ports (not sure whether it handles all possible IPv6 header fragmentation attacks). Interestingly, it can also validate the contents of RA messages (configuration flags, list of prefixes) received through router-facing ports, potentially giving you a safeguard against an attack of fat fingers.

- DHCPv6 Guard blocks DHCPv6 messages coming from unauthorized DHCPv6 servers and relays. Like IPv6 RA Guard, it also validates the DHCPv6 replies coming from authorized DHCPv6 servers, potentially providing protection against DHCPv6 server misconfiguration.

- IPv6 Snooping and device tracking builds an IPv6 First-Hop Security Binding Table (a nicer name for the ND table) by monitoring DHCPv6 and ND messages as well as regular IPv6 traffic. The binding table can be used to stop ND spoofing (in the IPv4 world we’d call this feature DHCP Snooping and Dynamic ARP Inspection).

- IPv6 Source Guard uses the IPv6 First-Hop Security Binding Table to drop traffic from unknown sources or bogus IPv6 addresses not in the binding table. The switch also tries to recover from lost address information, querying the DHCPv6 server or using IPv6 neighbor discovery to verify the source IPv6 address after dropping the offending packet(s).

- IPv6 Prefix Guard denies illegal off-subnet traffic. It uses information gleaned from RA messages and the IA_PD option of DHCPv6 replies (delegated prefixes) to build the table of valid prefixes.

- IPv6 Destination Guard drops IPv6 traffic sent to directly connected destination addresses not in the IPv6 First-Hop Security Binding Table, effectively stopping ND exhaustion attacks.

Reference: http://blog.ipspace.net/2013/07/first-hop-ipv6-security-features-in.html 
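
A simplified model of how the binding table drives the RA Guard, Source Guard and Destination Guard decisions described above. It is an added example, not Cisco IOS code and not taken from the referenced article; the class, port names and addresses are assumptions, and DHCPv6 Guard, Prefix Guard and binding recovery are left out.

```python
import ipaddress

class FirstHopSwitch:
    """Simplified model (hypothetical names) of the checks described above."""

    def __init__(self, router_ports, on_link_prefix):
        self.router_ports = set(router_ports)        # ports allowed to send RAs
        self.prefix = ipaddress.ip_network(on_link_prefix)
        self.bindings = {}                           # IPv6 address -> (port, MAC)

    def snoop(self, port, mac, addr):
        """Snooping: learn an address from ND/DHCPv6; the first claim wins.
        Returns False when a different port/MAC claims a bound address."""
        owner = self.bindings.setdefault(ipaddress.ip_address(addr), (port, mac))
        return owner == (port, mac)

    def ra_guard(self, port):
        """RA Guard: accept RAs only on router-facing ports."""
        return port in self.router_ports

    def source_guard(self, port, src):
        """Source Guard: the source must be bound to the ingress port."""
        entry = self.bindings.get(ipaddress.ip_address(src))
        return entry is not None and entry[0] == port

    def destination_guard(self, dst):
        """Destination Guard: on-link destinations must be in the table."""
        dst = ipaddress.ip_address(dst)
        return dst not in self.prefix or dst in self.bindings


def demo():
    # Constructed sample: documentation prefix and MACs, made-up port names.
    sw = FirstHopSwitch({"Gi0/1"}, "2001:db8:0:1::/64")
    host = "2001:db8:0:1::10"
    return {
        "learn_host": sw.snoop("Gi0/2", "00:00:5e:00:53:02", host),
        "spoofed_claim": sw.snoop("Gi0/3", "00:00:5e:00:53:03", host),
        "ra_from_router_port": sw.ra_guard("Gi0/1"),
        "ra_from_host_port": sw.ra_guard("Gi0/3"),
        "src_on_bound_port": sw.source_guard("Gi0/2", host),
        "src_on_other_port": sw.source_guard("Gi0/3", host),
        "dst_known_on_link": sw.destination_guard(host),
        "dst_unknown_on_link": sw.destination_guard("2001:db8:0:1::dead"),
        "dst_off_link": sw.destination_guard("2001:db8:ffff::1"),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:22} {'permit' if allowed else 'drop'}")
```

The unknown on-link destination is the ND exhaustion case: without the table lookup, each such packet would trigger neighbor resolution on the first-hop device.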


Q32. DRAG DROP 

Drag and drop the IPv6 multicast feature on the left to its corresponding function on the right. 

Answer: 


Q33. Refer to the exhibit. 

Which part of the joined group addresses list indicates that the interface has joined the EIGRP multicast group address? 

A. FF02::1 

B. FF02::1:FF00:200 

C. FF02::A 

D. FF02::2 

Answer:

Explanation: 

FF02::A is an IPv6 link-local scope multicast address. This address is for all devices on a wire that want to "talk" EIGRP with one another. 

Focusing specifically on FF02::A and how routers join it, we can see and say three things: 

- Local: FF02::A is local to the wire. 

- Join: Each device "joins" FF02::A by just "deciding to listen" to the IPv6 link-local scope multicast address FF02::A. Then, by extension, it listens to the corresponding MAC address for that multicast IPv6 address (33:33:00:00:00:0A). 

- Common interest: As we can see, these varying groups have something in common that they would all like to hear about. For FF02::A, the common interest (the "connection" among the devices joining that group) is that they all want to listen to or participate in EIGRP. 

Reference: http://www.networkcomputing.com/networking/understanding-ipv6-what-is-solicited-node-multicast/a/d-id/1315703 


Q34. Refer to the exhibit. 

Which device role could have generated this debug output? 

A. an NHS only 

B. an NHC only 

C. an NHS or an NHC 

D. a DMVPN hub router 

Answer:

Explanation: 

NHRP works off a server/client relationship, where the NHRP clients (let’s call them next hop clients/NHCs) register with their next hop server (NHS). It is the responsibility of the NHS to track all of its NHCs; this is done with registration request and reply packets. Here we see a registration request, which can only be sent by an NHC. 


Q35. Which two statements are true about IS-IS? (Choose two.) 

A. IS-IS DIS election is nondeterministic. 

B. IS-IS SPF calculation is performed in three phases. 

C. IS-IS works over the data link layer, which does not provide for fragmentation and reassembly. 

D. IS-IS can never be routed beyond the immediate next hop. 

Answer: C,D 

Explanation: 

IS-IS runs directly over the data link alongside IP. On Ethernet, IS-IS packets are always 802.3 frames, with LSAPs 0xFEFE while IP packets are either Ethernet II frames or SNAP frames identified with the protocol number 0x800. OSPF runs over IP as protocol number 89. 

IS-IS runs directly over layer 2 and hence: 

- cannot support virtual links unless some explicit tunneling is implemented 

- packets are kept small so that they don't require hop-by-hop fragmentation 

- uses ATM/SNAP encapsulation on ATM, but there are hacks to make it use VcMux encapsulation 

- some operating systems that support IP networking have been implemented to differentiate Layer 3 packets in the kernel. Such OSs require a lot of kernel modifications to support IS-IS for IP routing. 

- can never be routed beyond the immediate next hop and is hence shielded from IP spoofing and similar Denial of Service attacks. 

Reference: https://tools.ietf.org/html/draft-bhatia-manral-diff-isis-ospf-00 


Q36. In which 802.1D port state are the root bridge, the root port, and the designated port(s) elected? 

A. Listening 

B. learning 

C. forwarding 

D. blocking 

E. disabled 

Answer:

Explanation: 

STP switch port states: 

- Blocking: A port that would cause a switching loop if it were active. No user data is sent or received over a blocking port, but it may go into forwarding mode if the other links in use fail and the spanning tree algorithm determines the port may transition to the forwarding state. BPDU data is still received in blocking state. Prevents the use of looped paths. 

- Listening: The switch processes BPDUs and awaits possible new information that would cause it to return to the blocking state. It does not populate the MAC address table and it does not forward frames. In this state the root bridge, the root port, and the designated port(s) are elected. 

- Learning: While the port does not yet forward frames, it does learn source addresses from frames received and adds them to the filtering database (switching database). It populates the MAC address table, but does not forward frames. 

- Forwarding: A port receiving and sending data, normal operation. STP still monitors incoming BPDUs that would indicate it should return to the blocking state to prevent a loop. 

- Disabled: Not strictly part of STP; a network administrator can manually disable a port. 

Reference: http://en.wikipedia.org/wiki/Spanning_Tree_Protocol 


Q37. Under Cisco IOS Software, which two features are supported in RADIUS Change of Authorization requests? (Choose two.) 

A. session identification 

B. session reauthentication 

C. session termination 

D. host termination 

Answer: A,C 

Explanation: 

CoA requests, as described in RFC 5176, are used in a pushed model to allow for session identification, host reauthentication, and session termination. The model comprises one request (CoA-Request) and two possible response codes. 

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-rad-coa.html 


Q38. Refer to the exhibit. 

RIPv2 authentication is failing on a device with this configuration. Which two actions can you take to enable it? (Choose two.) 

A. Set the RIP authentication mode to text. 

B. Set the RIP authentication mode to MD5. 

C. Configure the password encryption for the key. 

D. Set the password encryption to AES. 

Answer: A,B 

Explanation: 

See the reference link below for information on configuring RIPv2 authentication, including both text and MD5 modes. 

Reference: http://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13719-50.html#configuringplain 


Q39. Refer to the exhibit. 

Which two statements about how the configuration processes Telnet traffic are true? (Choose two.) 

A. Telnet traffic from 10.1.1.9 to 10.10.10.1 is dropped. 

B. All Telnet traffic is dropped. 

C. Telnet traffic from 10.10.10.1 to 10.1.1.9 is permitted. 

D. Telnet traffic from 10.1.1.9 to 10.10.10.1 is permitted. 

E. Telnet traffic is permitted to all IP addresses. 

Answer: A,C 

Explanation: 

The ACL applied to the CoPP policy matches only Telnet traffic from 10.1.1.9 to 10.10.10.1. All other Telnet traffic is not matched and therefore not subject to the CoPP policy, which means this traffic is handled normally (accepted). For Telnet traffic from 10.1.1.9 to 10.10.10.1, the CoPP policy treats the traffic as exceeding and drops it. 


Q40. Which three events can cause a control plane to become overwhelmed? (Choose three.) 

A. a worm attack 

B. processing a stream of jumbo packets 

C. a microburst 

D. a configuration error 

E. a reconvergence failure 

F. a device-generated FTP session 

Answer: A,D,E