It is faster and easier to pass the Cisco 400-101 exam by using refined Cisco CCIE Routing and Switching (v5.0) questions and answers. Get immediate access to the up-to-date 400-101 exam and find the same core-area 400-101 questions with professionally verified answers, then pass your exam with a high score.

2016 Nov Cisco 400-101:

Q531. Which two options are actions that EEM can perform after detecting an event? (Choose two.) 

A. Place a port in err-disabled. 

B. Generate an SNMP trap. 

C. Reload the Cisco IOS Software. 

D. Send an SMS. 

Answer: B,C 

Explanation: 

action snmp-trap 

To specify the action of generating a Simple Network Management Protocol (SNMP) trap when an Embedded Event Manager (EEM) applet is triggered, use the action snmp-trap command in applet configuration mode. 

action reload

To specify the action of reloading the Cisco IOS software when an Embedded Event Manager (EEM) applet is triggered, use the action reload command in applet configuration mode. 

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2s/feature/guide/fs_eem2.html 


Q532. Refer to the exhibit. 

Which two statements about the output are true? (Choose two.) 

A. 802.1D spanning tree is being used. 

B. Setting the priority of this switch to 0 for VLAN 1 would cause it to become the new root. 

C. The hello, max-age, and forward delay timers are not set to their default values. 

D. Spanning-tree PortFast is enabled on GigabitEthernet1/1. 

Answer: A,B 

Explanation: 

802.1D is the spanning-tree standard, which is being used here. Priority values start at 0 (yes, 0 is valid) and increase in steps of 4096: 0, 4096, 8192, 12288, …

The lower the number, the higher the priority. Here we see that the current root has a priority of 8192, so configuring this switch with a priority of 0 will make it the new root.


Q533. Which two statements are true about AAA? (Choose two.) 

A. AAA can use RADIUS, TACACS+, or Windows AD to authenticate users. 

B. If RADIUS is the only method configured in AAA, and the server becomes unreachable, the user will be able to log in to the router using a local username and password.

C. If the local keyword is not included and the AAA server does not respond, then authorization will never be possible and the connection will fail. 

D. AAA can be used to authenticate the enable password with an AAA server.

Answer: C,D 

Explanation: 

AAA can be used to authenticate user login and the enable passwords. 

Example 1: Same Exec Authentication Methods for All Users 

Once authenticated with:

aaa authentication login default group radius local

all users who want to log in to the access server have to be authorized using RADIUS (first method) or the local database (second method).

We configure: 

aaa authorization exec default group radius local 

Note. On the AAA server, Service-Type=1 (login) must be selected. 

Note. With this example, if the local keyword is not included and the AAA server does not respond, then authorization will never be possible and the connection will fail. 

Reference: http://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/10384-security.html 


Q534. What is the most secure way to store ISAKMP/IPSec preshared keys in Cisco IOS? 

A. Use the service password-encryption command. 

B. Encrypt the ISAKMP preshared key in secure type 5 format. 

C. Encrypt the ISAKMP preshared key in secure type 7 format. 

D. Encrypt the ISAKMP preshared key in secure type 6 format. 

Answer:

Explanation: 

Using the Encrypted Preshared Key feature, you can securely store plain text passwords in type 6 format in NVRAM using a command-line interface (CLI). Type 6 passwords are encrypted. Although the encrypted passwords can be seen or retrieved, it is difficult to decrypt them to find out the actual password. This is currently the most secure way to store keys. 

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ikevpn/configuration/xe-3s/asr1000/sec-ike-for-ipsec-vpns-xe-3s-asr1000-book/sec-encrypt-preshare.html 


Q535. What are the three HDLC operating modes? (Choose three.) 

A. normal response 

B. asynchronous balanced 

C. synchronous response 

D. asynchronous response 

E. normal balanced 

F. synchronous balanced 

Answer: A,B,D 



Q536. Refer to the exhibit. 

What is the PHB class on this flow? 

A. EF 

B. none 

C. AF21 

D. CS4 

Answer:

Explanation: 

This command shows the TOS value in hex, which is 80 in this case. The following chart shows some common DSCP/PHB Class values: 

| Service | DSCP value | TOS value | Juniper Alias | TOS hexadecimal | DSCP - TOS Binary |
|---|---|---|---|---|---|
| Premium IP | 46 | 184 | ef | B8 | 101110 - 101110xx |
| LBE | | 32 | cs1 | 20 | 001000 - 001000xx |
| DWS | 32 | 128 | cs4 | 80 | 100000 - 100000xx |
| Network control | 48 | 192 | cs6 | c0 | 110000 - 110000xx |
| Network control 2 | 56 | 224 | cs7 | e0 | 111000 - 111000xx |

Reference: http://www.tucny.com/Home/dscp-tos 


Q537. Refer to the exhibit. 

Which statement about authentication on Router A is true? 

A. The router will attempt to authenticate users against TACACS+ only. 

B. The router will attempt to authenticate users against the local database only. 

C. The router will attempt to authenticate users against the local database first, and fall back to TACACS+ if the local database authentication fails. 

D. The router will authenticate users against the default database only. 

E. The router will attempt to authenticate users against TACACS+ first, and fall back to the local database if the TACACS+ authentication fails. 

Answer:


Q538. Which three statements about implementing an application layer gateway in a network are true? (Choose three.) 

A. It allows client applications to use dynamic ports to communicate with a server regardless of whether NAT is being used. 

B. It maintains granular security over application-specific data. 

C. It allows synchronization between multiple streams of data between two hosts. 

D. Application layer gateway is used only in VoIP/SIP deployments. 

E. Client applications require additional configuration to use an application layer gateway. 

F. An application layer gateway inspects only the first 64 bytes of a packet before forwarding it through the network. 

Answer: A,B,C 

Explanation: 

An ALG may offer the following functions: 

- allowing client applications to use dynamic ephemeral TCP/UDP ports to communicate with the known ports used by the server applications, even though a firewall configuration may allow only a limited number of known ports. In the absence of an ALG, either the ports would get blocked or the network administrator would need to explicitly open up a large number of ports in the firewall, rendering the network vulnerable to attacks on those ports.

- converting the network layer address information found inside an application payload between the addresses acceptable by the hosts on either side of the firewall/NAT. This aspect introduces the term 'gateway' for an ALG.

- recognizing application-specific commands and offering granular security controls over them.

- synchronizing between multiple streams/sessions of data between two hosts exchanging data. For example, an FTP application may use separate connections for passing control commands and for exchanging data between the client and a remote server. During large file transfers, the control connection may remain idle. An ALG can prevent the control connection from being timed out by network devices before the lengthy file transfer completes.

Reference: http://en.wikipedia.org/wiki/Application-level_gateway 


Q539. Which two options are EIGRP route authentication encryption modes? (Choose two.) 

A. MD5 

B. HMAC-SHA-256bit 

C. ESP-AES 

D. HMAC-AES 

Answer: A,B 

Explanation: 

Packets exchanged between neighbors must be authenticated to ensure that a device accepts packets only from devices that have the same preshared authentication key. Enhanced Interior Gateway Routing Protocol (EIGRP) authentication is configurable on a per-interface basis; this means that packets exchanged between neighbors connected through an interface are authenticated. EIGRP supports message digest algorithm 5 (MD5) authentication to prevent the introduction of unauthorized information from unapproved sources. MD5 authentication is defined in RFC 1321. EIGRP also supports the Hashed Message Authentication Code-Secure Hash Algorithm-256 (HMAC-SHA-256) authentication method. 

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/xe-3s/ire-xe-3s-book/ire-sha-256.html 


Q540. Refer to the exhibit. 

Which statement is true? 

A. IS-IS has been enabled on R4 for IPv6, single-topology. 

B. IS-IS has been enabled on R4 for IPv6, multitopology. 

C. IS-IS has been enabled on R4 for IPv6, single-topology and multitopology. 

D. R4 advertises IPv6 prefixes, but it does not forward IPv6 traffic, because the protocol has not been enabled under router IS-IS. 

Answer:

Explanation: 

When working with IPv6 prefixes in IS-IS, you can configure IS-IS to be in a single topology for both IPv4 and IPv6 or to run different topologies for IPv4 and IPv6. By default, IS-IS works in single-topology mode when activating IPv4 and IPv6. This means that the IS-IS topology will be built based on IS Reachability TLVs. When the base topology is built, then IPv4 prefixes (IP Reachability TLV) and IPv6 prefixes (IPv6 Reachability TLV) are added to each node as leaves, without checking if there is IPv6 connectivity between nodes. 

Reference: https://blog.initialdraft.com/archives/3381/