Download New Updated (July) Cisco 400-101 Actual Test 391-400

Ensurepass

QUESTION 391

What is the most secure way to store ISAKMP/IPSec preshared keys in Cisco IOS?

A. Use the service password-encryption command.
B. Encrypt the ISAKMP preshared key in secure type 5 format.
C. Encrypt the ISAKMP preshared key in secure type 7 format.
D. Encrypt the ISAKMP preshared key in secure type 6 format.

Correct Answer: D

Explanation:

Using the Encrypted Preshared Key feature, you can securely store plain text passwords in type 6 format in NVRAM using a command-line interface (CLI). Type 6 passwords are encrypted. Although the encrypted passwords can be seen or retrieved, it is difficult to decrypt them to find out the actual password. This is currently the most secure way to store keys.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ikevpn/configuration/xe-3s/asr1000/sec-ike-for-ipsec-vpns-xe-3s-asr1000-book/sec-encrypt-preshare.html

QUESTION 392

DRAG DROP

Drag and drop the DMVPN command on the left to the corresponding function on the right.

[Exhibit image not available]

Correct Answer:

[Answer image not available]

QUESTION 393

DRAG DROP

Drag and drop the OTV component on the left to the function it performs on the right.

[Exhibit image not available]

Correct Answer:

[Answer image not available]

QUESTION 394

Which two events occur when a packet is decapsulated in a GRE tunnel? (Choose two.)

A. The destination IPv4 address in the IPv4 payload is used to forward the packet.
B. The TTL of the payload packet is decremented.
C. The source IPv4 address in the IPv4 payload is used to forward the packet.
D. The TTL of the payload packet is incremented.
E. The version field in the GRE header is incremented.
F. The GRE keepalive mechanism is reset.

Correct Answer: AB

Explanation:

After the GRE-encapsulated packet reaches the remote tunnel endpoint router, the GRE packet is decapsulated. The destination address lookup of the outer IP header (this is the same as the tunnel destination address) will find a local address (receive) entry on the ingress line card. The first step in GRE decapsulation is to qualify the tunnel endpoint, before admitting the GRE packet into the router, based on the combination of tunnel source (the same as the source IP address of the outer IP header) and tunnel destination (the same as the destination IP address of the outer IP header). If the received packet fails the tunnel admittance qualification check, the packet is dropped by the decapsulation router. On a successful tunnel admittance check, the decapsulation strips the outer IP and GRE headers off the packet, then starts processing the inner payload packet as a regular packet.

When a tunnel endpoint decapsulates a GRE packet, which has an IPv4/IPv6 packet as the payload, the destination address in the IPv4/IPv6 payload packet header is used to forward the packet, and the TTL of the payload packet is decremented.

Reference: http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r5-3/addr-serv/configuration/guide/b-ipaddr-cg53asr9k/b-ipaddr-cg53asr9k_chapter_01001.html

QUESTION 395

Refer to the exhibit. Which action will solve the error state of this interface when connecting a host behind a Cisco IP phone?

[Exhibit image not available]

A. Configure dot1x port-control auto on this interface
B. Enable errdisable recovery for security violation errors
C. Enable port security on this interface
D. Configure multidomain authentication on this interface

Correct Answer: D

Explanation:

In single-host mode, a security violation is triggered when more than one device is detected on the data VLAN. In multidomain authentication mode, a security violation is triggered when more than one device is detected on the data or voice VLAN. Here we see that single-host mode is being used, not multidomain mode.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/50sg/configuration/guide/Wrapper-46SG/dot1x.html#wp1309041

QUESTION 396

What is the goal of Unicast Reverse Path Forwarding?

A. to verify the reachability of the destination address in forwarded packets
B. to help control network congestion
C. to verify the reachability of the destination address in multicast packets
D. to verify the reachability of the source address in forwarded packets

Correct Answer: D

Explanation:

Network administrators can use Unicast Reverse Path Forwarding (Unicast RPF) to help limit the malicious traffic on an enterprise network. This security feature works by enabling a router to verify the reachability of the source address in packets being forwarded. This capability can limit the appearance of spoofed addresses on a network. If the source IP address is not valid, the packet is discarded.

Reference: http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html

QUESTION 397

Which three features are considered part of the IPv6 first-hop security suite? (Choose three.)

A. DNS guard
B. destination guard
C. DHCP guard
D. ICMP guard
E. RA guard
F. DoS guard

Correct Answer: BCE

Explanation:

Cisco IOS has (at least) these IPv6 first-hop security features:

IPv6 RA Guard rejects fake RA messages coming from host (non-router) ports (not sure whether it handles all possible IPv6 header fragmentation attacks). Interestingly, it can also validate the contents of RA messages (configuration flags, list of prefixes) received through router-facing ports, potentially giving you a safeguard against an attack of fat fingers.

DHCPv6 Guard blocks DHCPv6 messages coming from unauthorized DHCPv6 servers and relays. Like IPv6 RA Guard it also validates the DHCPv6 replies coming from authorized DHCPv6 servers, potentially providing protection against DHCPv6 server misconfiguration.

IPv6 Snooping and device tracking builds an IPv6 First-Hop Security Binding Table (a nicer name for the ND table) by monitoring DHCPv6 and ND messages as well as regular IPv6 traffic. The binding table can be used to stop ND spoofing (in the IPv4 world we'd call this feature DHCP Snooping and Dynamic ARP Inspection).

IPv6 Source Guard uses the IPv6 First-Hop Security Binding Table to drop traffic from unknown sources or bogus IPv6 addresses not in the binding table. The switch also tries to recover from lost address information, querying DHCPv6 server or using IPv6 neighbor discovery to verify the source IPv6 address after dropping the offending packet(s).

IPv6 Prefix Guard denies illegal off-subnet traffic. It uses information gleaned from RA messages and the IA_PD option of DHCPv6 replies (delegated prefixes) to build the table of valid prefixes.

IPv6 Destination Guard drops IPv6 traffic sent to directly connected destination addresses not in IPv6 First-Hop Security Binding Table, effectively stopping ND exhaustion attacks.

Reference: http://blog.ipspace.net/2013/07/first-hop-ipv6-security-features-in.html

QUESTION 398

Which two features does the show ipv6 snooping features command show information about? (Choose two.)

A. RA guard
B. DHCP guard
C. ND inspection
D. source guard

Correct Answer: AC

Explanation:

The show ipv6 snooping features command displays the first-hop features that are configured on the router.

Example:

The following example shows that both IPv6 NDP inspection and IPv6 RA guard are configured on the router:

Router# show ipv6 snooping features
Feature name      priority  state
RA guard          100       READY
NDP inspection    20        READY

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/command/ipv6-cr-book/ipv6-s5.html

QUESTION 399

Refer to the exhibit. Why is the router not accessible via Telnet on the GigabitEthernet0 management interface?

[Exhibit image not available]

A. The wrong port is being used in the telnet-acl access list.
B. The subnet mask is incorrect in the telnet-acl access list.
C. The log keyword needs to be removed from the telnet-acl access list.
D. The access class needs to have the vrf-also keyword added.

Correct Answer: D

Explanation:

The correct command should be "access-class telnet-acl in vrf-also". If you do not specify the vrf-also keyword, incoming Telnet connections from interfaces that are part of a VRF are rejected.

QUESTION 400

Which two statements about port ACLs are true? (Choose two.)

A. Port ACLs are supported on physical interfaces and are configured on a Layer 2 interface on a switch.
B. Port ACLs support both outbound and inbound traffic filtering.
C. When it is applied to trunk ports, the port ACL filters only native VLAN traffic.
D. When it is applied to a port with voice VLAN, the port ACL filters both voice and data VLAN traffic.

Correct Answer: AD

Explanation:

PACLs filter incoming traffic on Layer 2 interfaces, using Layer 3 information, Layer 4 header information, or non-IP Layer 2 information. The port ACL (PACL) feature provides the ability to perform access control on specific Layer 2 ports. A Layer 2 port is a physical LAN or trunk port that belongs to a VLAN. Port ACLs perform access control on all traffic entering the specified Layer 2 port, including the voice and data VLANs that may be configured on the port. Port ACLs are applied only to ingress traffic.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SY/configuration/guide/sy_swcg/port_acls.html