2017 Apr 400-101 sample question

Q241. What is a disadvantage of using aggressive mode instead of main mode for ISAKMP/IPsec establishment? 

A. It does not use Diffie-Hellman for secret exchange. 

B. It does not support dead peer detection. 

C. It does not support NAT traversal. 

D. It does not hide the identity of the peer. 



IKE phase 1's purpose is to establish a secure authenticated communication channel by using the Diffie–Hellman key exchange algorithm to generate a shared secret key to encrypt further IKE communications. This negotiation results in one single bi-directional ISAKMP Security Association (SA). The authentication can be performed using either pre-shared key (shared secret), signatures, or public key encryption. Phase 1 operates in either Main Mode or Aggressive Mode. Main Mode protects the identity of the peers; Aggressive Mode does not.

Reference: http://en.wikipedia.org/wiki/Internet_Key_Exchange 

Q242. Which three capabilities are provided by MLD snooping? (Choose three.) 

A. dynamic port learning 

B. IPv6 multicast router discovery 

C. user-configured ports age out automatically 

D. a 5-minute aging timer 

E. flooding control packets to the egress VLAN 

F. a 60-second aging timer 

Answer: A,B,D 


Like IGMP snooping, MLD snooping performs multicast router discovery, with these characteristics: 

- Ports configured by a user never age out.

- Dynamic port learning results from MLDv1 snooping queries and IPv6 PIMv2 packets.

- If there are multiple routers on the same Layer 2 interface, MLD snooping tracks a single multicast router on the port (the router that most recently sent a router control packet).

- Dynamic multicast router port aging is based on a default timer of 5 minutes; the multicast router is deleted from the router port list if no control packet is received on the port for 5 minutes.

- IPv6 multicast router discovery only takes place when MLD snooping is enabled on the switch.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/swv6mld.pdf 

Q243. Refer to the exhibit. 

Which three statements about the output are true? (Choose three.) 

A. An mrouter port can be learned by receiving a PIM hello packet from a multicast router. 

B. This switch is configured as a multicast router. 

C. Gi2/0/1 is a trunk link that connects to a multicast router. 

D. An mrouter port is learned when a multicast data stream is received on that port from a multicast router. 

E. This switch is not configured as a multicast router. It is configured only for IGMP snooping. 

F. IGMP reports are received only on Gi2/0/1 and are never transmitted out Gi2/0/1 for VLANs 10 and 20. 

Answer: A,B,C 


In this example, the switch has been configured as a multicast router since IGMP snooping has been enabled. All mrouters can learn about other mrouters by receiving a PIM hello packet from another multicast router. Also, since two different VLANs are being used by the same port, Gi2/0/1, it must be a trunk link that connects to another multicast router.

Q244. Which two statements about 802.1Q tunneling are true? (Choose two.) 

A. It requires a system MTU of at least 1504 bytes. 

B. The default configuration sends Cisco Discovery Protocol, STP, and VTP information. 

C. Traffic that traverses the tunnel is encrypted. 

D. It is supported on private VLAN ports. 

E. MAC-based QoS and UDLD are supported on tunnel ports. 

F. Its maximum allowable system MTU is 1546 bytes. 

Answer: A,E 

Q245. Which two application protocols require application layer gateway support when using NAT on a Cisco router? (Choose two.) 





E. POP3 

Answer: A,C 

Q246. What is the cause of ignores and overruns on an interface, when the overall traffic rate of the interface is low? 

A. a hardware failure of the interface 

B. a software bug 

C. a bad cable 

D. microbursts of traffic 



Micro-bursting is a phenomenon where rapid bursts of data packets are sent in quick succession, leading to periods of full line-rate transmission that can overflow the packet buffers of the network stack, both in network endpoints and in the routers and switches inside the network. Symptoms of microbursts manifest as ignores and/or overruns (also accumulated in the “input error” counter in show interface output). This indicates that the receive ring and the corresponding packet buffer are being overwhelmed by data bursts arriving over an extremely short period of time (microseconds). You will never see sustained data traffic in the show interface “input rate” counter, because it averages bits per second (bps) over 5 minutes by default (far too long to account for microbursts). Microbursts can be pictured as a 3-lane highway merging into a single lane at rush hour: the burst cannot exceed the total available bandwidth (i.e. the single lane), but it can saturate it for a period of time.

Reference: http://ccieordie.com/?tag=micro-burst 

Q247. Refer to the exhibit. 

Which statement about this device configuration is true? 

A. The NMS needs a specific route configured to enable it to reach the Loopback0 interface of the device. 

B. The ifindex of the device could be different when the device is reloaded. 

C. The device will allow anyone to poll it via the public community. 

D. The device configuration requires the AuthNoPriv security level. 



One of the most commonly used identifiers in SNMP-based network management applications is the Interface Index (ifIndex) value. IfIndex is a unique identifying number associated with a physical or logical interface. For most software, the ifIndex is the name of the interface. Although relevant RFCs do not require that the correspondence between particular ifIndex values and their interfaces be maintained across reboots, applications such as device inventory, billing, and fault detection depend on this correspondence. Consider a situation where simple monitoring software (like MRTG) is polling the interface statistics of the router's specific serial interface going to the internet.

As an example, you could have these conditions prior to re-initialization: 

physical port ifIndex 

ethernet port 

tokenring port 

serial port 

Therefore, the management application is polling the ifIndex 3, which corresponds to the serial port. 

After the router re-initialization (reboot, reload and so on) the conditions change to something similar to this: 

physical port 


ethernet port 

tokenring port 

serial port 

The management application continues polling the ifIndex 3, which corresponds now to the ethernet port. Therefore, if the management application is not warned by a trap, for example, that the router has been rebooted, the statistics polled could be completely wrong. 

Reference: http://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/28420-ifIndex-Persistence.html 

Q248. Which three values can you use to configure an ERSPAN destination session? (Choose three.) 


B. source IP address 

C. destination IP address 

D. ID number 


F. session name 

Answer: B,D,E 

Q249. Like OSPFv2, OSPFv3 supports virtual links. Which two statements are true about the IPv6 address of a virtual neighbor? (Choose two.) 

A. It is the link-local address, and it is discovered by examining the hello packets received from the virtual neighbor. 

B. It is the link-local address, and it is discovered by examining link LSA received by the virtual neighbor. 

C. It is the global scope address, and it is discovered by examining the router LSAs received by the virtual neighbor. 

D. Only prefixes with the LA-bit not set can be used as a virtual neighbor address. 

E. It is the global scope address, and it is discovered by examining the intra-area-prefix-LSAs received by the virtual neighbor. 

F. Only prefixes with the LA-bit set can be used as a virtual neighbor address. 

Answer: E,F 


OSPF for IPv6 assumes that each router has been assigned link-local unicast addresses on each of the router's attached physical links. On all OSPF interfaces except virtual links, OSPF packets are sent using the interface's associated link-local unicast address as the source address. A router learns the link-local addresses of all other routers attached to its links and uses these addresses as next-hop information during packet forwarding. On virtual links, a global scope IPv6 address MUST be used as the source address for OSPF protocol packets. The collection of intra-area-prefix-LSAs originated by the virtual neighbor is examined, with the virtual neighbor's IP address being set to the first prefix encountered with the LA-bit set. 

Reference: https://tools.ietf.org/html/rfc5340 

Q250. Which two statements best describe the difference between active mode monitoring and passive mode monitoring? (Choose two.) 

A. Passive mode monitoring uses IP SLA to generate probes for the purpose of obtaining information regarding the characteristics of the WAN links. 

B. Active mode monitoring is the act of Cisco PfR gathering information on user packets assembled into flows by NetFlow.

C. Active mode monitoring uses IP SLA probes for obtaining performance characteristics of the current exit WAN link. 

D. Passive mode monitoring uses NetFlow for obtaining performance characteristics of the exit WAN links. 

Answer: C,D 


Passive and Active Monitoring

Passive monitoring is the act of OER gathering information on user packets assembled into flows by NetFlow. OER, when enabled, automatically enables NetFlow on the managed interfaces on the border routers. By aggregating this information on the border routers and periodically reporting the collected data to the master controller, the network prefixes and applications in use can automatically be learned. Additionally, attributes like throughput, reachability, loading, packet loss, and latency can be deduced from the collected flows. Active monitoring is the act of generating IP SLA probes to generate test traffic for the purpose of obtaining information regarding the characteristics of the WAN links. Active probes can either be implicitly generated by OER when passive monitoring has identified destination hosts, or explicitly configured by the network manager in the OER configuration. 

Reference: http://products.mcisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/Transport_diversity/Transport_Diversity_PfR.html#wp199209